1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.ws.security.message;
21  
22  import java.io.IOException;
23  
24  import javax.crypto.KeyGenerator;
25  import javax.crypto.SecretKey;
26  import javax.security.auth.callback.Callback;
27  import javax.security.auth.callback.CallbackHandler;
28  import javax.security.auth.callback.UnsupportedCallbackException;
29  import javax.xml.crypto.dsig.SignatureMethod;
30  
31  import org.apache.ws.security.WSConstants;
32  import org.apache.ws.security.WSPasswordCallback;
33  import org.apache.ws.security.WSSConfig;
34  import org.apache.ws.security.WSSecurityEngine;
35  import org.apache.ws.security.components.crypto.Crypto;
36  import org.apache.ws.security.components.crypto.CryptoFactory;
37  import org.apache.ws.security.common.CustomHandler;
38  import org.apache.ws.security.common.KeystoreCallbackHandler;
39  import org.apache.ws.security.common.SOAPUtil;
40  import org.apache.ws.security.common.SecretKeyCallbackHandler;
41  import org.apache.ws.security.handler.RequestData;
42  import org.apache.ws.security.handler.WSHandlerConstants;
43  import org.apache.ws.security.util.Base64;
44  import org.apache.ws.security.util.WSSecurityUtil;
45  import org.w3c.dom.Document;
46  
47  
48  /**
49   * Test symmetric key signature created using an encrypted key
50   * Demonstrates that Signature Crypto object can have null values when 
51   * calling processSecurityHeader method of WSSecurityEngine.
52   */
53  public class SymmetricSignatureTest extends org.junit.Assert implements CallbackHandler {
54      private static final org.apache.commons.logging.Log LOG = 
55          org.apache.commons.logging.LogFactory.getLog(SymmetricSignatureTest.class);
56      private WSSecurityEngine secEngine = new WSSecurityEngine();
57      private CallbackHandler callbackHandler = new KeystoreCallbackHandler();
58      private SecretKeyCallbackHandler secretKeyCallbackHandler = new SecretKeyCallbackHandler();
59      private byte[] keyData;
60      private Crypto crypto = null;
61      
62      public SymmetricSignatureTest() throws Exception {
63          WSSConfig.init();
64          crypto = CryptoFactory.getInstance("wss40.properties");
65      }
66  
67      /**
68       * Setup method
69       * <p/>
70       * 
71       * @throws Exception Thrown when there is a problem in setup
72       */
73      @org.junit.Before
74      public void setUp() throws Exception {
75          KeyGenerator keyGen = KeyGenerator.getInstance("AES");
76          keyGen.init(128);
77          SecretKey key = keyGen.generateKey();
78          keyData = key.getEncoded();
79      }
80  
81      /**
82       * Test signing a message body using a symmetric key with EncryptedKeySHA1
83       */
84      @org.junit.Test
85      public void testSymmetricSignatureSHA1() throws Exception {
86          Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
87          
88          WSSecHeader secHeader = new WSSecHeader();
89          secHeader.insertSecurityHeader(doc);
90          
91          WSSecSignature sign = new WSSecSignature();
92          sign.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
93          sign.setSecretKey(keyData);
94          sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
95  
96          Document signedDoc = sign.build(doc, crypto, secHeader);
97          
98          byte[] encodedBytes = WSSecurityUtil.generateDigest(keyData);
99          String identifier = Base64.encode(encodedBytes);
100         secretKeyCallbackHandler.addSecretKey(identifier, keyData);
101         
102         if (LOG.isDebugEnabled()) {
103             LOG.debug("Signed symmetric message SHA1:");
104             String outputString = 
105                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
106             LOG.debug(outputString);
107         }
108 
109         secEngine.processSecurityHeader(doc, null, secretKeyCallbackHandler, null, crypto);
110     }
111     
112     
113     /**
114      * Test signing a message body using a symmetric key with Direct Reference to an
115      * EncryptedKey
116      */
117     @org.junit.Test
118     public void testSymmetricSignatureDR() throws Exception {
119         Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
120         
121         WSSecHeader secHeader = new WSSecHeader();
122         secHeader.insertSecurityHeader(doc);
123         
124         WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
125         encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
126         encrKey.setUserInfo("wss40", "security");
127         encrKey.setSymmetricEncAlgorithm(WSConstants.AES_192);
128         encrKey.prepare(doc, crypto);
129         
130         WSSecSignature sign = new WSSecSignature();
131         sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
132         sign.setCustomTokenId(encrKey.getId());
133         sign.setSecretKey(encrKey.getEphemeralKey());
134         sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
135         sign.setCustomTokenValueType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
136 
137         Document signedDoc = sign.build(doc, crypto, secHeader);
138         encrKey.prependToHeader(secHeader);
139         
140         if (LOG.isDebugEnabled()) {
141             LOG.debug("Signed symmetric message DR:");
142             String outputString = 
143                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
144             LOG.debug(outputString);
145         }
146         
147         verify(signedDoc);
148     }
149 
150     /**
151      * Test that first signs, then encrypts a WS-Security envelope.
152      * <p/>
153      * 
154      * @throws Exception Thrown when there is any problem in signing, encryption,
155      *                   decryption, or verification
156      */
157     @org.junit.Test
158     public void testEncryptedKeySignature() throws Exception {
159         Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
160         LOG.info("Before Sign/Encryption....");
161         
162         WSSecHeader secHeader = new WSSecHeader();
163         secHeader.insertSecurityHeader(doc);
164         
165         WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
166         encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
167         encrKey.setUserInfo("wss40", "security");
168         encrKey.setSymmetricEncAlgorithm(WSConstants.AES_192);
169         encrKey.prepare(doc, crypto);   
170         
171         WSSecEncrypt encrypt = new WSSecEncrypt();
172         encrypt.setEncKeyId(encrKey.getId());
173         encrypt.setEphemeralKey(encrKey.getEphemeralKey());
174         encrypt.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES);
175         encrypt.setEncryptSymmKey(false);
176         encrypt.setEncryptedKeyElement(encrKey.getEncryptedKeyElement());
177 
178         WSSecSignature sign = new WSSecSignature();
179         sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
180         sign.setCustomTokenId(encrKey.getId());
181         sign.setCustomTokenValueType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
182         sign.setSecretKey(encrKey.getEphemeralKey());
183         sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
184 
185         Document signedDoc = sign.build(doc, crypto, secHeader);
186         Document encryptedSignedDoc = encrypt.build(signedDoc, crypto, secHeader);
187 
188         if (LOG.isDebugEnabled()) {
189             LOG.debug("Signed and encrypted message with IssuerSerial key identifier (both), 3DES:");
190             String outputString = 
191                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedSignedDoc);
192             LOG.debug(outputString);
193         }
194         
195         LOG.info("After Sign/Encryption....");
196         verify(encryptedSignedDoc);
197     }
198 
199     /**
200      * Test signing a message body using a symmetric key with EncryptedKeySHA1. 
201      * The request is generated using WSHandler, instead of coding it.
202      */
203     @org.junit.Test
204     public void testSymmetricSignatureSHA1Handler() throws Exception {
205         final WSSConfig cfg = WSSConfig.getNewInstance();
206         RequestData reqData = new RequestData();
207         reqData.setWssConfig(cfg);
208         java.util.Map<String, Object> messageContext = new java.util.TreeMap<String, Object>();
209         messageContext.put(WSHandlerConstants.SIG_KEY_ID, "EncryptedKeySHA1");
210         messageContext.put(WSHandlerConstants.SIG_ALGO, SignatureMethod.HMAC_SHA1);
211         messageContext.put(WSHandlerConstants.PW_CALLBACK_REF, this);
212         reqData.setMsgContext(messageContext);
213         reqData.setUsername("");
214         
215         final java.util.List<Integer> actions = new java.util.ArrayList<Integer>();
216         actions.add(Integer.valueOf(WSConstants.SIGN));
217         final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
218         CustomHandler handler = new CustomHandler();
219         handler.send(
220             WSConstants.SIGN, 
221             doc, 
222             reqData, 
223             actions,
224             true
225         );
226         
227         String outputString = 
228             org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
229         if (LOG.isDebugEnabled()) {
230             LOG.debug(outputString);
231         }
232         
233         reqData = new RequestData();
234         reqData.setWssConfig(WSSConfig.getNewInstance());
235         messageContext = new java.util.TreeMap<String, Object>();
236         messageContext.put(WSHandlerConstants.PW_CALLBACK_REF, this);
237         reqData.setMsgContext(messageContext);
238         reqData.setUsername("");
239         
240         handler.receive(WSConstants.SIGN, reqData);
241         
242         secEngine.processSecurityHeader(doc, null, this, null, crypto);
243     }
244     
245     
246     /**
247      * Verifies the soap envelope
248      * <p/>
249      * 
250      * @param doc 
251      * @throws Exception Thrown when there is a problem in verification
252      */
253     private void verify(Document doc) throws Exception {
254         secEngine.processSecurityHeader(doc, null, callbackHandler, null, crypto);
255         if (LOG.isDebugEnabled()) {
256             LOG.debug("Verfied and decrypted message:");
257             String outputString = 
258                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
259             LOG.debug(outputString);
260         }
261     }
262 
263     public void handle(Callback[] callbacks)
264         throws IOException, UnsupportedCallbackException {
265         for (int i = 0; i < callbacks.length; i++) {
266             if (callbacks[i] instanceof WSPasswordCallback) {
267                 WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
268                 /*
269                  * here call a function/method to lookup the password for
270                  * the given identifier (e.g. a user name or keystore alias)
271                  * e.g.: pc.setPassword(passStore.getPassword(pc.getIdentfifier))
272                  * for Testing we supply a fixed name here.
273                  */
274                 pc.setPassword("security");
275                 pc.setKey(keyData);
276             } else {
277                 throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
278             }
279         }
280     }
281     
282 
283 }