1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.wss4j.policy.stax.test;
20
21 import java.util.ArrayList;
22 import java.util.List;
23
24 import javax.xml.namespace.QName;
25
26 import org.apache.neethi.Assertion;
27 import org.apache.neethi.Policy;
28 import org.apache.neethi.builders.AssertionBuilder;
29 import org.apache.wss4j.common.ext.WSSecurityException;
30 import org.apache.wss4j.policy.SPConstants;
31 import org.apache.wss4j.policy.builders.AlgorithmSuiteBuilder;
32 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
33 import org.apache.wss4j.policy.model.AlgorithmSuite;
34 import org.apache.wss4j.policy.stax.PolicyViolationException;
35 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
36 import org.apache.wss4j.stax.ext.WSSConstants;
37 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
38 import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
39 import org.junit.jupiter.api.Test;
40 import org.w3c.dom.Element;
41
42 import static org.junit.jupiter.api.Assertions.assertEquals;
43 import static org.junit.jupiter.api.Assertions.assertTrue;
44 import static org.junit.jupiter.api.Assertions.fail;
45
46 public class AlgorithmSuiteTest extends AbstractPolicyTestBase {
47
48 @Test
49 public void testAlgorithmSuitePolicy() throws Exception {
50 String policyString =
51 "<sp:AlgorithmSuite xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
52 "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
53 "<sp:TripleDesRsa15/>\n" +
54 "</wsp:Policy>\n" +
55 "</sp:AlgorithmSuite>";
56 PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
57
58 OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
59 operationSecurityEvent.setOperation(new QName("definitions"));
60 policyEnforcer.registerSecurityEvent(operationSecurityEvent);
61
62 AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
63 algorithmSuiteSecurityEvent.setAlgorithmURI("http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
64 algorithmSuiteSecurityEvent.setKeyLength(192);
65 algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
66 policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
67 policyEnforcer.doFinal();
68 }
69
70 @Test
71 public void testAlgorithmSuitePolicyMultipleAssertionEventsNegative() throws Exception {
72 String policyString =
73 "<sp:AlgorithmSuite xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
74 "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
75 "<sp:TripleDesRsa15/>\n" +
76 "</wsp:Policy>\n" +
77 "</sp:AlgorithmSuite>";
78 PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
79
80 OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
81 operationSecurityEvent.setOperation(new QName("definitions"));
82 policyEnforcer.registerSecurityEvent(operationSecurityEvent);
83
84 AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
85 algorithmSuiteSecurityEvent.setAlgorithmURI("http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
86 algorithmSuiteSecurityEvent.setKeyLength(192);
87 algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
88 policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
89 algorithmSuiteSecurityEvent.setAlgorithmURI("http://www.w3.org/2001/04/xmlenc#sha256");
90 algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.SigDig);
91 try {
92 policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
93 fail("Exception expected");
94 } catch (WSSecurityException e) {
95 assertTrue(e.getCause() instanceof PolicyViolationException);
96 assertEquals(e.getCause().getMessage(),
97 "Digest algorithm http://www.w3.org/2001/04/xmlenc#sha256 does not meet policy");
98 assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
99 }
100 }
101
102 @Test
103 public void testAlgorithmSuitePolicyNegative() throws Exception {
104 String policyString =
105 "<sp:AlgorithmSuite xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
106 "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
107 "<sp:TripleDesRsa15/>\n" +
108 "</wsp:Policy>\n" +
109 "</sp:AlgorithmSuite>";
110 PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
111
112 OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
113 operationSecurityEvent.setOperation(new QName("definitions"));
114 policyEnforcer.registerSecurityEvent(operationSecurityEvent);
115
116 AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
117 algorithmSuiteSecurityEvent.setAlgorithmURI("http://www.w3.org/2001/04/xmlenc#aes128-cbc");
118 algorithmSuiteSecurityEvent.setKeyLength(128);
119 algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
120 try {
121 policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
122 fail("Exception expected");
123 } catch (WSSecurityException e) {
124 assertTrue(e.getCause() instanceof PolicyViolationException);
125 assertEquals(e.getCause().getMessage(),
126 "Encryption algorithm http://www.w3.org/2001/04/xmlenc#aes128-cbc does not meet policy\n" +
127 "Symmetric encryption algorithm key length 128 does not meet policy");
128 assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
129 }
130 }
131
132 @Test
133 public void testAlgorithmSuitePolicyAlternatives() throws Exception {
134 String policyString =
135 "<sp:AlgorithmSuite xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
136 "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
137 "<wsp:ExactlyOne>\n" +
138 "<sp:Basic256/>\n" +
139 "<sp:TripleDesRsa15/>\n" +
140 "</wsp:ExactlyOne>\n" +
141 "</wsp:Policy>\n" +
142 "</sp:AlgorithmSuite>";
143 PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
144
145 OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
146 operationSecurityEvent.setOperation(new QName("definitions"));
147 policyEnforcer.registerSecurityEvent(operationSecurityEvent);
148
149 AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
150 algorithmSuiteSecurityEvent.setAlgorithmURI("http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
151 algorithmSuiteSecurityEvent.setKeyLength(192);
152 algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
153 policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
154 policyEnforcer.doFinal();
155 }
156
157 @Test
158 public void testAlgorithmSuitePolicyAlternativesNegative() throws Exception {
159 String policyString =
160 "<sp:AlgorithmSuite xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
161 "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
162 "<wsp:ExactlyOne>\n" +
163 "<sp:Basic256/>\n" +
164 "<sp:TripleDesRsa15/>\n" +
165 "</wsp:ExactlyOne>\n" +
166 "</wsp:Policy>\n" +
167 "</sp:AlgorithmSuite>";
168 PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
169
170 OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
171 operationSecurityEvent.setOperation(new QName("definitions"));
172 policyEnforcer.registerSecurityEvent(operationSecurityEvent);
173
174 AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
175 algorithmSuiteSecurityEvent.setAlgorithmURI("http://www.w3.org/2001/04/xmlenc#aes128-cbc");
176 algorithmSuiteSecurityEvent.setKeyLength(128);
177 algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
178 try {
179 policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
180 fail("Exception expected");
181 } catch (WSSecurityException e) {
182 assertTrue(e.getCause() instanceof PolicyViolationException);
183 assertEquals(e.getCause().getMessage(),
184 "Encryption algorithm http://www.w3.org/2001/04/xmlenc#aes128-cbc does not meet policy\n" +
185 "Symmetric encryption algorithm key length 128 does not meet policy");
186 assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
187 }
188 }
189
190 @Test
191 public void testAES256GCMAlgorithmSuitePolicy() throws Exception {
192 String policyString =
193 "<sp:AlgorithmSuite xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
194 "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
195 "<cxf:Basic256GCM xmlns:cxf=\"http://cxf.apache.org/custom/security-policy\"/>\n" +
196 "</wsp:Policy>\n" +
197 "</sp:AlgorithmSuite>";
198
199 class GCMAlgorithmSuite extends AlgorithmSuite {
200
201 GCMAlgorithmSuite(SPConstants.SPVersion version, Policy nestedPolicy) {
202 super(version, nestedPolicy);
203 }
204
205 @Override
206 protected AbstractSecurityAssertion cloneAssertion(Policy nestedPolicy) {
207 return new GCMAlgorithmSuite(getVersion(), nestedPolicy);
208 }
209
210 @Override
211 protected void parseCustomAssertion(Assertion assertion) {
212 String assertionName = assertion.getName().getLocalPart();
213 String assertionNamespace = assertion.getName().getNamespaceURI();
214 if (!"http://cxf.apache.org/custom/security-policy".equals(assertionNamespace)) {
215 return;
216 }
217
218 if ("Basic128GCM".equals(assertionName)) {
219 setAlgorithmSuiteType(new AlgorithmSuiteType(
220 "Basic128GCM",
221 SPConstants.SHA1,
222 WSSConstants.NS_XENC11_AES128_GCM,
223 SPConstants.KW_AES128,
224 SPConstants.KW_RSA_OAEP,
225 SPConstants.P_SHA1_L128,
226 SPConstants.P_SHA1_L128,
227 128, 128, 128, 256, 1024, 4096
228 ));
229 } else if ("Basic192GCM".equals(assertionName)) {
230 setAlgorithmSuiteType(new AlgorithmSuiteType(
231 "Basic192GCM",
232 SPConstants.SHA1,
233 WSSConstants.NS_XENC11_AES192_GCM,
234 SPConstants.KW_AES192,
235 SPConstants.KW_RSA_OAEP,
236 SPConstants.P_SHA1_L192,
237 SPConstants.P_SHA1_L192,
238 192, 192, 192, 256, 1024, 4096));
239 } else if ("Basic256GCM".equals(assertionName)) {
240 setAlgorithmSuiteType(new AlgorithmSuiteType(
241 "Basic256GCM",
242 SPConstants.SHA1,
243 WSSConstants.NS_XENC11_AES256_GCM,
244 SPConstants.KW_AES256,
245 SPConstants.KW_RSA_OAEP,
246 SPConstants.P_SHA1_L256,
247 SPConstants.P_SHA1_L192,
248 256, 192, 256, 256, 1024, 4096));
249 }
250 }
251 }
252
253 class GCMAlgorithmSuiteBuilder extends AlgorithmSuiteBuilder {
254 @Override
255 protected AlgorithmSuite createAlgorithmSuite(SPConstants.SPVersion version, Policy nestedPolicy) {
256 return new GCMAlgorithmSuite(version, nestedPolicy);
257 }
258 }
259
260 List<AssertionBuilder<Element>> customAssertionBuilders = new ArrayList<>();
261 customAssertionBuilders.add(new GCMAlgorithmSuiteBuilder());
262 PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString, false, customAssertionBuilders);
263
264 OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
265 operationSecurityEvent.setOperation(new QName("definitions"));
266 policyEnforcer.registerSecurityEvent(operationSecurityEvent);
267
268 AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
269 algorithmSuiteSecurityEvent.setAlgorithmURI(WSSConstants.NS_XENC11_AES256_GCM);
270 algorithmSuiteSecurityEvent.setKeyLength(256);
271 algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
272 policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
273
274 algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
275 algorithmSuiteSecurityEvent.setAlgorithmURI(WSSConstants.NS_XENC_AES256);
276 algorithmSuiteSecurityEvent.setKeyLength(256);
277 algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
278
279 try {
280 policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
281 fail("Exception expected");
282 } catch (Exception e) {
283 assertEquals(e.getCause().getMessage(), "Encryption algorithm http://www.w3.org/2001/04/xmlenc#aes256-cbc does not meet policy");
284 }
285 }
286 }