EncryptionPartsTest xref


1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.ws.security.message;
21  
22  import org.apache.ws.security.SOAPConstants;
23  import org.apache.ws.security.WSDataRef;
24  import org.apache.ws.security.WSEncryptionPart;
25  import org.apache.ws.security.WSSConfig;
26  import org.apache.ws.security.WSSecurityEngine;
27  import org.apache.ws.security.WSConstants;
28  import org.apache.ws.security.WSSecurityEngineResult;
29  import org.apache.ws.security.WSSecurityException;
30  import org.apache.ws.security.common.KeystoreCallbackHandler;
31  import org.apache.ws.security.common.SOAPUtil;
32  import org.apache.ws.security.components.crypto.Crypto;
33  import org.apache.ws.security.components.crypto.CryptoFactory;
34  import org.apache.ws.security.util.WSSecurityUtil;
35  import org.w3c.dom.Document;
36  import org.w3c.dom.Element;
37  
38  import javax.security.auth.callback.CallbackHandler;
39  import javax.xml.namespace.QName;
40  
41  import java.util.List;
42  import java.util.ArrayList;
43  
44  /**
45   * This is some unit tests for encryption using encryption using parts. Note that the "soapMsg" below
46   * has a custom header added.
47   */
48  public class EncryptionPartsTest extends org.junit.Assert {
49      private static final org.apache.commons.logging.Log LOG = 
50          org.apache.commons.logging.LogFactory.getLog(EncryptionPartsTest.class);
51      private static final String SOAPMSG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
52              "<soapenv:Envelope xmlns:foo=\"urn:foo.bar\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" +
53              "   <soapenv:Header>" +
54              "       <foo:bar1>baz1</foo:bar1>" + 
55              "       <foo:foobar>baz</foo:foobar>" + 
56              "       <foo:bar2>baz2</foo:bar2>" +
57              "   </soapenv:Header>" +
58              "   <soapenv:Body>" +
59              "      <ns1:testMethod xmlns:ns1=\"http://axis/service/security/test6/LogTestService8\"></ns1:testMethod>" +
60              "   </soapenv:Body>" +
61              "</soapenv:Envelope>";
62      private static final String SOAPMSG_MULTIPLE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
63          "<soapenv:Envelope xmlns:foo=\"urn:foo.bar\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" +
64          "   <soapenv:Header>" +
65          "       <foo:foobar>baz</foo:foobar>" + 
66          "   </soapenv:Header>" +
67          "   <soapenv:Body>" +
68          "      <ns1:testMethod xmlns:ns1=\"http://axis/service/security/test6/LogTestService8\">asf1</ns1:testMethod>" +
69          "      <ns1:testMethod xmlns:ns1=\"http://axis/service/security/test6/LogTestService8\">asf2</ns1:testMethod>" +
70          "   </soapenv:Body>" +
71          "</soapenv:Envelope>";
72  
73      private WSSecurityEngine secEngine = new WSSecurityEngine();
74      private CallbackHandler callbackHandler = new KeystoreCallbackHandler();
75      private Crypto crypto = null;
76      
77      public EncryptionPartsTest() throws Exception {
78          crypto = CryptoFactory.getInstance();
79          WSSConfig.init();
80      }
81  
82      /**
83       * Test encrypting a custom SOAP header
84       */
85      @SuppressWarnings("unchecked")
86      @org.junit.Test
87      public void testSOAPHeader() throws Exception {
88          WSSecEncrypt encrypt = new WSSecEncrypt();
89          encrypt.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
90          encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
91  
92          Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
93          WSSecHeader secHeader = new WSSecHeader();
94          secHeader.insertSecurityHeader(doc);
95          
96          List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
97          WSEncryptionPart encP =
98              new WSEncryptionPart(
99                  "foobar",
100                 "urn:foo.bar",
101                 "");
102         parts.add(encP);
103         encrypt.setParts(parts);
104         
105         Document encryptedDoc = encrypt.build(doc, crypto, secHeader);
106         
107         if (LOG.isDebugEnabled()) {
108             String outputString = 
109                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc);
110             LOG.debug(outputString);
111         }
112         
113         List<WSSecurityEngineResult> results = verify(encryptedDoc);
114         
115         QName name = new QName("urn:foo.bar", "foobar");
116         WSSecurityUtil.checkAllElementsProtected(results, WSConstants.ENCR, new QName[]{name});
117         try {
118             name = new QName("urn:foo.bar", "foobar2");
119             WSSecurityUtil.checkAllElementsProtected(results, WSConstants.ENCR, new QName[]{name});
120             fail("Failure expected on a wrong protected part");
121         } catch (WSSecurityException ex) {
122             // expected
123         }
124         try {
125             name = new QName("urn:foo.bar", "foobar");
126             WSSecurityUtil.checkAllElementsProtected(results, WSConstants.SIGN, new QName[]{name});
127             fail("Failure expected on a wrong action");
128         } catch (WSSecurityException ex) {
129             // expected
130         }
131         
132         WSSecurityEngineResult actionResult = 
133             WSSecurityUtil.fetchActionResult(results, WSConstants.ENCR);
134         assertTrue(actionResult != null);
135         assertFalse(actionResult.isEmpty());
136         final java.util.List<WSDataRef> refs =
137             (java.util.List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
138         
139         assertEquals(WSConstants.KEYTRANSPORT_RSAOEP, 
140                 actionResult.get(WSSecurityEngineResult.TAG_ENCRYPTED_KEY_TRANSPORT_METHOD));
141         
142         WSDataRef wsDataRef = (WSDataRef)refs.get(0);
143         String xpath = wsDataRef.getXpath();
144         assertEquals("/soapenv:Envelope/soapenv:Header/foo:foobar", xpath);
145         assertEquals(WSConstants.AES_128, wsDataRef.getAlgorithm());
146     }
147     
148     
149     /**
150      * Test encrypting a custom SOAP header using wsse11:EncryptedHeader
151      */
152     @SuppressWarnings("unchecked")
153     @org.junit.Test
154     public void testSOAPEncryptedHeader() throws Exception {
155         WSSecEncrypt encrypt = new WSSecEncrypt();
156         encrypt.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
157         encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
158 
159         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
160         WSSecHeader secHeader = new WSSecHeader();
161         secHeader.insertSecurityHeader(doc);
162         
163         List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
164         WSEncryptionPart encP =
165             new WSEncryptionPart(
166                 "foobar",
167                 "urn:foo.bar",
168                 "Header");
169         parts.add(encP);
170         encrypt.setParts(parts);
171         
172         Document encryptedDoc = encrypt.build(doc, crypto, secHeader);
173         
174         String outputString = 
175             org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc);
176         if (LOG.isDebugEnabled()) {
177             LOG.debug(outputString);
178         }
179         assertTrue(outputString.indexOf("wsse11:EncryptedHeader") != -1);
180         assertTrue(outputString.indexOf("foo:foobar") == -1);
181         
182         List<WSSecurityEngineResult> results = verify(encryptedDoc);
183         
184         WSSecurityEngineResult actionResult =
185                 WSSecurityUtil.fetchActionResult(results, WSConstants.ENCR);
186         assertTrue(actionResult != null);
187         assertFalse(actionResult.isEmpty());
188         final java.util.List<WSDataRef> refs =
189             (java.util.List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
190         
191         assertEquals(WSConstants.KEYTRANSPORT_RSAOEP, 
192                 actionResult.get(WSSecurityEngineResult.TAG_ENCRYPTED_KEY_TRANSPORT_METHOD));
193         
194         WSDataRef wsDataRef = (WSDataRef)refs.get(0);
195         String xpath = wsDataRef.getXpath();
196         assertEquals("/soapenv:Envelope/soapenv:Header/foo:foobar", xpath);
197     }
198     
199     /**
200      * Test encrypting a custom SOAP header with a bad localname
201      */
202     @org.junit.Test
203     public void testBadLocalname() throws Exception {
204         WSSecEncrypt encrypt = new WSSecEncrypt();
205         encrypt.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
206         encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
207 
208         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
209 
210         WSSecHeader secHeader = new WSSecHeader();
211         secHeader.insertSecurityHeader(doc);
212         
213         List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
214         WSEncryptionPart encP =
215             new WSEncryptionPart(
216                 "foobar2",
217                 "urn:foo.bar",
218                 "");
219         parts.add(encP);
220         encrypt.setParts(parts);
221         
222         try {
223             encrypt.build(doc, crypto, secHeader);
224             fail("Failure expected on a bad localname");
225         } catch (WSSecurityException ex) {
226             // expected
227         }
228     }
229     
230     
231     /**
232      * Test encrypting a custom SOAP header with a bad namespace
233      */
234     @org.junit.Test
235     public void testBadNamespace() throws Exception {
236         WSSecEncrypt encrypt = new WSSecEncrypt();
237         encrypt.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
238         encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
239 
240         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
241 
242         WSSecHeader secHeader = new WSSecHeader();
243         secHeader.insertSecurityHeader(doc);
244         
245         List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
246         WSEncryptionPart encP =
247             new WSEncryptionPart(
248                 "foobar",
249                 "urn:foo.bar2",
250                 "");
251         parts.add(encP);
252         encrypt.setParts(parts);
253         
254         try {
255             encrypt.build(doc, crypto, secHeader);
256             fail("Failure expected on a bad namespace");
257         } catch (WSSecurityException ex) {
258             // expected
259         }
260     }
261     
262     
263     /**
264      * Test encrypting a custom SOAP header and the SOAP body
265      */
266     @org.junit.Test
267     public void testSOAPHeaderAndBody() throws Exception {
268         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
269         SOAPConstants soapConstants = 
270             WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());
271         WSSecEncrypt encrypt = new WSSecEncrypt();
272         encrypt.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
273         encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
274 
275         WSSecHeader secHeader = new WSSecHeader();
276         secHeader.insertSecurityHeader(doc);
277         
278         List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
279         WSEncryptionPart encP =
280             new WSEncryptionPart(
281                 soapConstants.getBodyQName().getLocalPart(),    // define the body
282                 soapConstants.getEnvelopeURI(),
283                 "");
284         parts.add(encP);
285         WSEncryptionPart encP2 =
286             new WSEncryptionPart(
287                 "foobar",
288                 "urn:foo.bar",
289                 "");
290         parts.add(encP2);
291         encrypt.setParts(parts);
292         
293         Document encryptedDoc = encrypt.build(doc, crypto, secHeader);
294         
295         if (LOG.isDebugEnabled()) {
296             String outputString = 
297                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc);
298             LOG.debug(outputString);
299         }
300         
301         List<WSSecurityEngineResult> results = verify(encryptedDoc);
302         
303         QName fooName = new QName("urn:foo.bar", "foobar");
304         QName bodyName = new QName(soapConstants.getEnvelopeURI(), "Body");
305         WSSecurityUtil.checkAllElementsProtected(results, WSConstants.ENCR, new QName[]{fooName});
306         WSSecurityUtil.checkAllElementsProtected(results, WSConstants.ENCR, new QName[]{bodyName});
307         WSSecurityUtil.checkAllElementsProtected(
308             results, 
309             WSConstants.ENCR, 
310             new QName[]{bodyName, fooName}
311         );
312         WSSecurityUtil.checkAllElementsProtected(
313             results, 
314             WSConstants.ENCR, 
315             new QName[]{fooName, bodyName}
316         );
317         try {
318             WSSecurityUtil.checkAllElementsProtected(
319                 results, 
320                 WSConstants.SIGN, 
321                 new QName[]{fooName, bodyName}
322             );
323             fail("Failure expected on a wrong action");
324         } catch (WSSecurityException ex) {
325             // expected
326         }
327         try {
328             QName headerName = new QName(soapConstants.getEnvelopeURI(), "Header");
329             WSSecurityUtil.checkAllElementsProtected(
330                 results, 
331                 WSConstants.ENCR, 
332                 new QName[]{fooName, bodyName, headerName}
333             );
334             fail("Failure expected on an unsatisfied requirement");
335         } catch (WSSecurityException ex) {
336             // expected
337         }
338     }
339     
340     
341     /**
342      * Test getting a DOM Element from WSEncryptionPart directly
343      */
344     @org.junit.Test
345     public void testEncryptionPartDOMElement() throws Exception {
346         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
347         SOAPConstants soapConstants = 
348             WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());
349         WSSecEncrypt encrypt = new WSSecEncrypt();
350         encrypt.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
351         encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
352 
353         WSSecHeader secHeader = new WSSecHeader();
354         secHeader.insertSecurityHeader(doc);
355         
356         List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
357         // Give wrong names to make sure it's picking up the element
358         WSEncryptionPart encP =
359             new WSEncryptionPart(
360                 "Incorrect Localname",
361                 "Incorrect N/S",
362                 "");
363         Element bodyElement = WSSecurityUtil.findBodyElement(doc);
364         assertTrue(bodyElement != null && "Body".equals(bodyElement.getLocalName()));
365         encP.setElement(bodyElement);
366         parts.add(encP);
367         encrypt.setParts(parts);
368         
369         Document encryptedDoc = encrypt.build(doc, crypto, secHeader);
370         
371         String outputString = 
372             org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc);
373         if (LOG.isDebugEnabled()) {
374             LOG.debug(outputString);
375         }
376         assertTrue (!outputString.contains("testMethod"));
377         List<WSSecurityEngineResult> results = verify(encryptedDoc);
378         
379         QName bodyName = new QName(soapConstants.getEnvelopeURI(), "Body");
380         WSSecurityUtil.checkAllElementsProtected(results, WSConstants.ENCR, new QName[]{bodyName});
381     }
382     
383     /**
384      * Test encrypting two SOAP Body elements with the same QName.
385      */
386     @org.junit.Test
387     public void testMultipleElements() throws Exception {
388         Document doc = SOAPUtil.toSOAPPart(SOAPMSG_MULTIPLE);
389         WSSecEncrypt encrypt = new WSSecEncrypt();
390         encrypt.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
391         encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
392 
393         WSSecHeader secHeader = new WSSecHeader();
394         secHeader.insertSecurityHeader(doc);
395         
396         List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
397         WSEncryptionPart encP =
398             new WSEncryptionPart(
399                 "testMethod",
400                 "http://axis/service/security/test6/LogTestService8",
401                 "");
402         parts.add(encP);
403         encrypt.setParts(parts);
404         
405         Document encryptedDoc = encrypt.build(doc, crypto, secHeader);
406         
407         String outputString = 
408             org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc);
409         if (LOG.isDebugEnabled()) {
410             LOG.debug(outputString);
411         }
412         assertTrue(!outputString.contains("testMethod"));
413         
414         verify(encryptedDoc);
415         
416         outputString = 
417             org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc);
418         assertTrue(outputString.contains("asf1"));
419         assertTrue(outputString.contains("asf2"));
420     }
421     
422 
423     /**
424      * Verifies the soap envelope
425      * <p/>
426      * 
427      * @param doc 
428      * @throws Exception Thrown when there is a problem in verification
429      */
430     private List<WSSecurityEngineResult> verify(Document doc) throws Exception {
431         List<WSSecurityEngineResult> results = 
432             secEngine.processSecurityHeader(doc, null, callbackHandler, null, crypto);
433         if (LOG.isDebugEnabled()) {
434             LOG.debug("Verified and decrypted message:");
435             String outputString = 
436                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
437             LOG.debug(outputString);
438         }
439         return results;
440     }
441 
442 }