SignatureEncryptionTest xref


1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.ws.security.message;
21  
22  import org.apache.ws.security.WSConstants;
23  import org.apache.ws.security.WSDataRef;
24  import org.apache.ws.security.WSEncryptionPart;
25  import org.apache.ws.security.WSSConfig;
26  import org.apache.ws.security.WSSecurityEngine;
27  import org.apache.ws.security.WSSecurityEngineResult;
28  import org.apache.ws.security.common.KeystoreCallbackHandler;
29  import org.apache.ws.security.common.SOAPUtil;
30  import org.apache.ws.security.common.SecretKeyCallbackHandler;
31  import org.apache.ws.security.components.crypto.Crypto;
32  import org.apache.ws.security.components.crypto.CryptoFactory;
33  import org.apache.ws.security.util.WSSecurityUtil;
34  import org.w3c.dom.Document;
35  
36  import javax.security.auth.callback.CallbackHandler;
37  import javax.xml.crypto.dsig.SignatureMethod;
38  
39  import java.util.List;
40  import java.util.ArrayList;
41  
42  /**
43   * A set of tests for combined signature/encryption, verification/decryption.
44   * 
45   * @author Davanum Srinivas (dims@yahoo.com)
46   */
47  public class SignatureEncryptionTest extends org.junit.Assert {
48      private static final org.apache.commons.logging.Log LOG = 
49          org.apache.commons.logging.LogFactory.getLog(SignatureEncryptionTest.class);
50      private static final String SOAPMSG = 
51          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" 
52          + "<SOAP-ENV:Envelope "
53          +   "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" "
54          +   "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
55          +   "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" 
56          +   "<SOAP-ENV:Body>" 
57          +       "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">" 
58          +           "<value xmlns=\"http://blah.com\">15</value>" 
59          +       "</add>" 
60          +   "</SOAP-ENV:Body>" 
61          + "</SOAP-ENV:Envelope>";
62  
63      private WSSecurityEngine secEngine = new WSSecurityEngine();
64      private CallbackHandler callbackHandler = new KeystoreCallbackHandler();
65      
66      private static final byte[] key = {
67          (byte)0x31, (byte)0xfd,
68          (byte)0xcb, (byte)0xda,
69          (byte)0xfb, (byte)0xcd,
70          (byte)0x6b, (byte)0xa8,
71          (byte)0xe6, (byte)0x19,
72          (byte)0xa7, (byte)0xbf,
73          (byte)0x51, (byte)0xf7,
74          (byte)0xc7, (byte)0x3e,
75          (byte)0x80, (byte)0xae,
76          (byte)0x98, (byte)0x51,
77          (byte)0xc8, (byte)0x51,
78          (byte)0x34, (byte)0x04,
79      };
80      private Crypto crypto = null;
81      
82      public SignatureEncryptionTest() throws Exception {
83          crypto = CryptoFactory.getInstance("wss40.properties");
84          WSSConfig.init();
85      }
86  
87      /**
88       * Test that encrypts and then signs a WS-Security envelope, then performs
89       * verification and decryption <p/>
90       * 
91       * @throws Exception
92       *             Thrown when there is any problem in signing, encryption,
93       *             decryption, or verification
94       */
95      @org.junit.Test
96      public void testEncryptionSigning() throws Exception {
97          WSSecEncrypt encrypt = new WSSecEncrypt();
98          WSSecSignature sign = new WSSecSignature();
99          encrypt.setUserInfo("wss40");
100         sign.setUserInfo("wss40", "security");
101         LOG.info("Before Encryption....");
102         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
103 
104         WSSecHeader secHeader = new WSSecHeader();
105         secHeader.insertSecurityHeader(doc);
106 
107         Document encryptedDoc = encrypt.build(doc, crypto, secHeader);
108         
109         if (LOG.isDebugEnabled()) {
110             LOG.debug("After Encryption....");
111             String outputString = 
112                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc);
113             LOG.debug(outputString);
114         }
115         
116         Document encryptedSignedDoc = sign.build(encryptedDoc, crypto, secHeader);
117         
118         if (LOG.isDebugEnabled()) {
119             LOG.debug("After Signing....");
120             String outputString = 
121                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedSignedDoc);
122             LOG.debug(outputString);
123         }
124         verify(encryptedSignedDoc);
125     }
126     
127     
128     /**
129      * Test that encrypts and then signs a WS-Security envelope (including the 
130      * encrypted element), then performs verification and decryption <p/>
131      * 
132      * @throws Exception
133      *             Thrown when there is any problem in signing, encryption,
134      *             decryption, or verification
135      */
136     @SuppressWarnings("unchecked")
137     @org.junit.Test
138     public void testEncryptionElementSigning() throws Exception {
139         WSSecEncrypt encrypt = new WSSecEncrypt();
140         WSSecSignature sign = new WSSecSignature();
141         encrypt.setUserInfo("wss40");
142         sign.setUserInfo("wss40", "security");
143         LOG.info("Before Encryption....");
144         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
145 
146         WSSecHeader secHeader = new WSSecHeader();
147         secHeader.insertSecurityHeader(doc);
148 
149         List<WSEncryptionPart> encParts = new ArrayList<WSEncryptionPart>();
150         encParts.add(
151                 new WSEncryptionPart(
152                         "add",
153                         "http://ws.apache.org/counter/counter_port_type",
154                         "Element"));
155         encrypt.setParts(encParts);
156         
157         Document encryptedDoc = encrypt.build(doc, crypto, secHeader);
158         
159         if (LOG.isDebugEnabled()) {
160             LOG.debug("After Encryption....");
161             String outputString = 
162                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc);
163             LOG.debug(outputString);
164         }
165         
166         List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
167         sigParts.add(
168                 new WSEncryptionPart(
169                         WSConstants.ENC_DATA_LN,
170                         WSConstants.ENC_NS,
171                         "Element"));
172         sign.setParts(sigParts);
173         
174         Document encryptedSignedDoc = sign.build(encryptedDoc, crypto, secHeader);
175         
176         if (LOG.isDebugEnabled()) {
177             LOG.debug("After Signing....");
178             String outputString = 
179                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedSignedDoc);
180             LOG.debug(outputString);
181         }
182         
183         List<WSSecurityEngineResult> results = verify(encryptedSignedDoc);
184         
185         List<WSSecurityEngineResult> sigSecEngResults = new ArrayList<WSSecurityEngineResult>();
186         WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN, sigSecEngResults);
187         
188         List<WSSecurityEngineResult> encSecEngResults = new ArrayList<WSSecurityEngineResult>();
189         WSSecurityUtil.fetchAllActionResults(results, WSConstants.ENCR, encSecEngResults);
190         
191         assertEquals(1, sigSecEngResults.size());
192         assertEquals(1, encSecEngResults.size());
193         
194         List<WSDataRef> sigDataRefs = 
195             (List<WSDataRef>)(sigSecEngResults.get(0)).get(
196                 WSSecurityEngineResult.TAG_DATA_REF_URIS
197             );
198         
199         List<WSDataRef> encDataRefs = 
200             (List<WSDataRef>)(encSecEngResults.get(0)).get(
201                 WSSecurityEngineResult.TAG_DATA_REF_URIS
202             );
203         
204         assertNotNull(sigDataRefs);
205         assertNotNull(encDataRefs);
206         assertEquals(1, sigDataRefs.size());
207         assertEquals(1, encDataRefs.size());
208         
209         assertNull(((WSDataRef) sigDataRefs.get(0))
210                 .getProtectedElement().getAttributeNodeNS(WSConstants.WSU_NS, "Id"));
211         
212         assertTrue(((WSDataRef) sigDataRefs.get(0)).getWsuId().contains(
213                 ((WSDataRef) encDataRefs.get(0)).getWsuId()));
214     }
215     
216     
217     /**
218      * Test that signs and then encrypts a WS-Security envelope, then performs
219      * decryption and verification <p/>
220      * 
221      * @throws Exception
222      *             Thrown when there is any problem in signing, encryption,
223      *             decryption, or verification
224      */
225     @org.junit.Test
226     public void testSigningEncryption() throws Exception {
227         WSSecEncrypt encrypt = new WSSecEncrypt();
228         WSSecSignature sign = new WSSecSignature();
229         encrypt.setUserInfo("wss40");
230         sign.setUserInfo("wss40", "security");
231         LOG.info("Before Encryption....");
232         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
233 
234         WSSecHeader secHeader = new WSSecHeader();
235         secHeader.insertSecurityHeader(doc);
236 
237         Document signedDoc = sign.build(doc, crypto, secHeader);
238         Document encryptedSignedDoc = encrypt.build(signedDoc, crypto, secHeader);
239         LOG.info("After Encryption....");
240         verify(encryptedSignedDoc);
241     }
242     
243     
244     /**
245      * Test that signs a SOAP Body, and then encrypts some data inside the SOAP Body.
246      * As the encryption adds a wsu:Id to the encrypted element, this test checks that
247      * verification still works ok.
248      */
249     @org.junit.Test
250     public void testWSS198() throws Exception {
251         WSSecEncrypt encrypt = new WSSecEncrypt();
252         WSSecSignature sign = new WSSecSignature();
253         encrypt.setUserInfo("wss40");
254         sign.setUserInfo("wss40", "security");
255         LOG.info("Before Encryption....");
256         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
257         
258         List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
259         WSEncryptionPart encP =
260             new WSEncryptionPart(
261                 "add",
262                 "http://ws.apache.org/counter/counter_port_type",
263                 "");
264         parts.add(encP);
265         encrypt.setParts(parts);
266 
267         WSSecHeader secHeader = new WSSecHeader();
268         secHeader.insertSecurityHeader(doc);
269 
270         Document signedDoc = sign.build(doc, crypto, secHeader);
271         Document encryptedSignedDoc = encrypt.build(signedDoc, crypto, secHeader);
272         LOG.info("WSS198");
273         if (LOG.isDebugEnabled()) {
274             String outputString = 
275                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedSignedDoc);
276             LOG.debug(outputString);
277         }
278         verify(encryptedSignedDoc);
279     }
280     
281     /**
282      * Test that first signs, then encrypts a WS-Security envelope.
283      * The test uses the IssuerSerial key identifier to get the keys for
284      * signature and encryption. Encryption uses 3DES.
285      * <p/>
286      * 
287      * @throws Exception Thrown when there is any problem in signing, encryption,
288      *                   decryption, or verification
289      */
290     @org.junit.Test
291     public void testSigningEncryptionIS3DES() throws Exception {
292         WSSecEncrypt encrypt = new WSSecEncrypt();
293         encrypt.setUserInfo("wss40");
294         encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
295         encrypt.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES);
296 
297         WSSecSignature sign = new WSSecSignature();
298         sign.setUserInfo("wss40", "security");
299         sign.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
300 
301         LOG.info("Before Sign/Encryption....");
302         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
303 
304         WSSecHeader secHeader = new WSSecHeader();
305         secHeader.insertSecurityHeader(doc);
306         
307         Document signedDoc = sign.build(doc, crypto, secHeader);
308         Document encryptedSignedDoc = encrypt.build(signedDoc, crypto, secHeader);
309         if (LOG.isDebugEnabled()) {
310             LOG.debug("Signed and encrypted message with IssuerSerial key identifier (both), 3DES:");
311             String outputString = 
312                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedSignedDoc);
313             LOG.debug(outputString);
314         }
315         
316         LOG.info("After Sign/Encryption....");
317         verify(encryptedSignedDoc);
318     }
319     
320     /**
321      * Test that encrypts and signs a WS-Security envelope, then performs
322      * verification and decryption.
323      * <p/>
324      * 
325      * @throws Exception Thrown when there is any problem in signing, encryption,
326      *                   decryption, or verification
327      */
328     @org.junit.Test
329     public void testSigningEncryptionEmbedded() throws Exception {
330         WSSecEncrypt encrypt = new WSSecEncrypt();
331         WSSecSignature sign = new WSSecSignature();
332         
333         encrypt.setUserInfo("wss40");
334         encrypt.setKeyIdentifierType(WSConstants.EMBEDDED_KEYNAME);
335         encrypt.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES);        
336         encrypt.setKey(key);
337 
338         sign.setUserInfo("wss40", "security");
339         LOG.info("Before Encryption....");
340         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
341         encrypt.setDocument(doc);
342         WSSecHeader secHeader = new WSSecHeader();
343         secHeader.insertSecurityHeader(doc);                
344         Document signedDoc = sign.build(doc, crypto, secHeader);
345         Document encryptedSignedDoc = encrypt.build(signedDoc, crypto, secHeader);
346 
347         if (LOG.isDebugEnabled()) {
348             LOG.debug("Encrypted message, RSA-OAEP keytransport, 3DES:");
349             String outputString = 
350                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedSignedDoc);
351             LOG.debug(outputString);
352         }
353         LOG.info("After Encryption....");
354         
355         SecretKeyCallbackHandler secretKeyCallbackHandler = new SecretKeyCallbackHandler();
356         secretKeyCallbackHandler.setOutboundSecret(key);
357         WSSecurityEngine engine = new WSSecurityEngine();
358         WSSConfig config = WSSConfig.getNewInstance();
359         config.setWsiBSPCompliant(false);
360         engine.setWssConfig(config);
361         engine.processSecurityHeader(doc, null, secretKeyCallbackHandler, crypto);
362         if (LOG.isDebugEnabled()) {
363             String outputString = 
364                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
365             LOG.debug(outputString);
366         }
367     }
368     
369     /**
370      * Test signature created using an encrypted key
371      * SOAP Body is signed and encrypted. In the encryption, The ReferenceList element is 
372      * put into the Encrypted Key, as a child of the EncryptedKey. Signature is created 
373      * using the encrypted key. 
374      */
375     @org.junit.Test
376     public void testEncryptedKeySignature() throws Exception {
377         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
378         LOG.info("Before Sign/Encryption....");
379 
380         WSSecHeader secHeader = new WSSecHeader();
381         secHeader.insertSecurityHeader(doc);
382 
383         WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
384         encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
385         encrKey.setUserInfo("wss40", "security");
386         encrKey.setSymmetricEncAlgorithm(WSConstants.AES_192);
387         encrKey.prepare(doc, crypto);   
388 
389         WSSecEncrypt encrypt = new WSSecEncrypt();
390         encrypt.setEncKeyId(encrKey.getId());
391         encrypt.setEphemeralKey(encrKey.getEphemeralKey());
392         encrypt.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES);
393         encrypt.setEncryptSymmKey(false);
394         encrypt.setEncryptedKeyElement(encrKey.getEncryptedKeyElement());
395 
396         WSSecSignature sign = new WSSecSignature();
397         sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
398         sign.setCustomTokenId(encrKey.getId());
399         sign.setSecretKey(encrKey.getEphemeralKey());
400         sign.setCustomTokenValueType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
401         sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
402 
403         Document signedDoc = sign.build(doc, crypto, secHeader);
404         Document encryptedSignedDoc = encrypt.build(signedDoc, crypto, secHeader);
405 
406         if (LOG.isDebugEnabled()) {
407             LOG.debug("Signed and encrypted message with IssuerSerial key identifier (both), 3DES:");
408             String outputString = 
409                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedSignedDoc);
410             LOG.debug(outputString);
411         }
412 
413         LOG.info("After Sign/Encryption....");
414         verify(encryptedSignedDoc);
415     }
416 
417 
418     /**
419      * Verifies the soap envelope <p/>
420      * 
421      * @param envelope
422      *
423      * @return the <code>WSSecurityEngineResult</code>s from processing
424      *
425      * @throws Exception
426      *             Thrown when there is a problem in verification
427      */
428     private List<WSSecurityEngineResult> verify(Document doc) throws Exception {
429         List<WSSecurityEngineResult> resultList = 
430             secEngine.processSecurityHeader(doc, null, callbackHandler, crypto);
431         if (LOG.isDebugEnabled()) {
432             String outputString = 
433                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
434             LOG.debug(outputString);
435         }
436         
437         return resultList;
438     }
439 
440 }