19 package org.apache.wss4j.policy.stax.test;
20
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;

import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.apache.wss4j.common.bsp.BSPRule;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.bean.Version;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
import org.apache.wss4j.policy.stax.enforcer.PolicyInputProcessor;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSConstants.UsernameTokenPasswordType;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.wss4j.stax.test.CallbackHandlerImpl;
import org.apache.wss4j.stax.test.saml.SAMLCallbackHandlerImpl;
import org.apache.xml.security.stax.ext.SecurePart;
import org.junit.jupiter.api.Test;
import org.w3c.dom.Document;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail;
58
59 public class AsymmetricBindingIntegrationTest extends AbstractPolicyTestBase {
60
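    /**
     * Positive round trip: the asymmetric binding requires {@code sp:IncludeTimestamp}
     * and the outbound side emits a signed Timestamp, so policy enforcement must accept.
     *
     * <p>Policy shape: both X509 tokens are pinned by issuer name and use
     * {@code IncludeToken/Never} (certificates are referenced, not carried in the message,
     * so the receiver must be able to resolve the transmitter certificate from its own
     * keystore); {@code Basic256} suite; {@code Lax} layout; Body and wsu-namespace headers
     * as signed and encrypted parts; element-level protection of wsu:Created and
     * content-level encryption of wsu:Expires.
     *
     * <p>Outbound side: signs Timestamp and Body (element), encrypts wsu:Created (element),
     * wsu:Expires (content) and the Body content, with actions TIMESTAMP, SIGNATURE,
     * ENCRYPTION -- exactly what the policy asks for.
     *
     * <p>Review notes: {@code Basic256} is the SHA-1 based suite of WS-SecurityPolicy 1.2;
     * acceptable as a fixture, but production policies should prefer
     * {@code Basic256Sha256}. The {@code Header1}/{@code Header2} entries with
     * {@code Namespace="..."} are presumably absent from the test message and therefore
     * only exercise the "required part not present" path -- TODO confirm against
     * testdata/plain-soap-1.1.xml.
     *
     * @throws Exception if outbound/inbound processing or policy enforcement fails
     */
    @Test
    public void testIncludeTimestampPolicy() throws Exception {

        String policyString =
                "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
                        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
                        " <wsp:All>\n" +
                        " <sp:AsymmetricBinding>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:InitiatorToken>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
                        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:WssX509V3Token11/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:X509Token>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:InitiatorToken>\n" +
                        " <sp:RecipientToken>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
                        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:WssX509V3Token11/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:X509Token>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:RecipientToken>\n" +
                        " <sp:AlgorithmSuite>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:Basic256/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:AlgorithmSuite>\n" +
                        " <sp:Layout>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:Lax/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:Layout>\n" +
                        " <sp:IncludeTimestamp/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:AsymmetricBinding>\n" +
                        " <sp:SignedParts>\n" +
                        " <sp:Body/>\n" +
                        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
                        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                        " </sp:SignedParts>\n" +
                        " <sp:SignedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
                        " </sp:SignedElements>\n" +
                        " <sp:EncryptedParts>\n" +
                        " <sp:Body/>\n" +
                        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
                        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                        " </sp:EncryptedParts>\n" +
                        " <sp:EncryptedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
                        " </sp:EncryptedElements>\n" +
                        " <sp:ContentEncryptedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
                        " </sp:ContentEncryptedElements>\n" +
                        " </wsp:All>\n" +
                        " </wsp:ExactlyOne>";

        // Outbound (transmitter): sign with the transmitter key, encrypt for "receiver".
        WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
        outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        outSecurityProperties.setEncryptionUser("receiver");
        outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
        outSecurityProperties.setSignatureUser("transmitter");
        outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

        // Protected parts mirror the policy: Timestamp + Body signed; wsu:Created (element),
        // wsu:Expires (content) and the Body content encrypted.
        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
        List<WSSConstants.Action> actions = new ArrayList<>();
        actions.add(WSSConstants.TIMESTAMP);
        actions.add(WSSConstants.SIGNATURE);
        actions.add(WSSConstants.ENCRYPTION);
        outSecurityProperties.setActions(actions);

        // Close the classpath stream here rather than relying on doOutboundSecurity to do so.
        final ByteArrayOutputStream baos;
        try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
            baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
        }

        // Inbound (receiver): verify and decrypt with receiver.jks, then enforce the policy
        // via a PolicyInputProcessor chained into the inbound processing.
        WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
        inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
        assertNotNull(document, "inbound processing must return the processed document");

        // Serialise the result into a discarding sink. No stylesheet is involved, so this
        // only checks that the decrypted DOM can still be written out without error.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(new OutputStream() {
            @Override
            public void write(int b) throws IOException {
                // discard: only the act of serialising matters here
            }
        }));
    }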
167
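    /**
     * Positive case with two policy alternatives inside the asymmetric binding.
     *
     * <p>The binding's {@code wsp:ExactlyOne} offers (1) a {@code WssX509V1Token11}
     * initiator token with no Timestamp requirement and (2) a {@code WssX509V3Token11}
     * initiator token with {@code sp:IncludeTimestamp}. The outbound side is configured
     * identically to the single-alternative test (signed Timestamp and Body, encrypted
     * wsu:Created / wsu:Expires / Body content), so the message carries a Timestamp and
     * presumably a V3 certificate reference; the enforcer must pick the alternative that
     * the message satisfies rather than fail on the first one it evaluates.
     *
     * <p>Review note: {@code Basic256} is the SHA-1 based suite of WS-SecurityPolicy 1.2;
     * production policies should prefer {@code Basic256Sha256}.
     *
     * @throws Exception if outbound/inbound processing or policy enforcement fails
     */
    @Test
    public void testIncludeTimestampPolicy2ndAlternative() throws Exception {

        String policyString =
                "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
                        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
                        " <wsp:All>\n" +
                        " <sp:AsymmetricBinding>\n" +
                        " <wsp:Policy>\n" +
                        " <wsp:ExactlyOne>\n" +
                        " <wsp:All>\n" +
                        " <sp:InitiatorToken>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
                        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:WssX509V1Token11/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:X509Token>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:InitiatorToken>\n" +
                        " <sp:RecipientToken>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
                        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:WssX509V3Token11/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:X509Token>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:RecipientToken>\n" +
                        " <sp:AlgorithmSuite>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:Basic256/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:AlgorithmSuite>\n" +
                        " <sp:Layout>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:Lax/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:Layout>\n" +
                        " </wsp:All>\n" +
                        " <wsp:All>\n" +
                        " <sp:InitiatorToken>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
                        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:WssX509V3Token11/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:X509Token>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:InitiatorToken>\n" +
                        " <sp:RecipientToken>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
                        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:WssX509V3Token11/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:X509Token>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:RecipientToken>\n" +
                        " <sp:AlgorithmSuite>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:Basic256/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:AlgorithmSuite>\n" +
                        " <sp:Layout>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:Lax/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:Layout>\n" +
                        " <sp:IncludeTimestamp/>\n" +
                        " </wsp:All>\n" +
                        " </wsp:ExactlyOne>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:AsymmetricBinding>\n" +
                        " <sp:SignedParts>\n" +
                        " <sp:Body/>\n" +
                        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
                        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                        " </sp:SignedParts>\n" +
                        " <sp:SignedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
                        " </sp:SignedElements>\n" +
                        " <sp:EncryptedParts>\n" +
                        " <sp:Body/>\n" +
                        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
                        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                        " </sp:EncryptedParts>\n" +
                        " <sp:EncryptedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
                        " </sp:EncryptedElements>\n" +
                        " <sp:ContentEncryptedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
                        " </sp:ContentEncryptedElements>\n" +
                        " </wsp:All>\n" +
                        " </wsp:ExactlyOne>";

        // Outbound (transmitter): sign with the transmitter key, encrypt for "receiver".
        WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
        outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        outSecurityProperties.setEncryptionUser("receiver");
        outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
        outSecurityProperties.setSignatureUser("transmitter");
        outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

        // Timestamp + Body signed; wsu:Created (element), wsu:Expires (content) and Body
        // content encrypted -- the second alternative's requirements.
        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
        List<WSSConstants.Action> actions = new ArrayList<>();
        actions.add(WSSConstants.TIMESTAMP);
        actions.add(WSSConstants.SIGNATURE);
        actions.add(WSSConstants.ENCRYPTION);
        outSecurityProperties.setActions(actions);

        // Close the classpath stream here rather than relying on doOutboundSecurity to do so.
        final ByteArrayOutputStream baos;
        try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
            baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
        }

        // Inbound (receiver): verify and decrypt with receiver.jks, then enforce the policy.
        WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
        inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
        assertNotNull(document, "inbound processing must return the processed document");

        // Serialise into a discarding sink: checks only that the decrypted DOM can be written.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(new OutputStream() {
            @Override
            public void write(int b) throws IOException {
                // discard: only the act of serialising matters here
            }
        }));
    }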
310
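    /**
     * Negative case: the binding has no {@code sp:IncludeTimestamp}, yet the outbound
     * side still emits (and signs) a Timestamp. Policy enforcement must reject the
     * message with {@link WSSecurityException#INVALID_SECURITY} and the message
     * {@code "Timestamp must not be present"}.
     *
     * <p>Security relevance: the enforcer rejects security headers the policy did not
     * ask for, not only missing ones -- a receiver that silently tolerated unexpected
     * headers would widen the surface an attacker can play with.
     *
     * <p>Review note: {@code Basic256} is the SHA-1 based suite of WS-SecurityPolicy 1.2;
     * production policies should prefer {@code Basic256Sha256}.
     *
     * @throws Exception if outbound processing fails, or inbound processing fails for a
     *                   reason other than the expected policy violation
     */
    @Test
    public void testIncludeTimestampPolicyNegativeTest() throws Exception {

        String policyString =
                "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
                        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
                        " <wsp:All>\n" +
                        " <sp:AsymmetricBinding>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:InitiatorToken>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
                        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:WssX509V3Token11/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:X509Token>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:InitiatorToken>\n" +
                        " <sp:RecipientToken>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
                        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:WssX509V3Token11/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:X509Token>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:RecipientToken>\n" +
                        " <sp:AlgorithmSuite>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:Basic256/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:AlgorithmSuite>\n" +
                        " <sp:Layout>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:Lax/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:Layout>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:AsymmetricBinding>\n" +
                        " <sp:SignedParts>\n" +
                        " <sp:Body/>\n" +
                        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
                        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                        " </sp:SignedParts>\n" +
                        " <sp:SignedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
                        " </sp:SignedElements>\n" +
                        " <sp:EncryptedParts>\n" +
                        " <sp:Body/>\n" +
                        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
                        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                        " </sp:EncryptedParts>\n" +
                        " <sp:EncryptedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
                        " </sp:EncryptedElements>\n" +
                        " <sp:ContentEncryptedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
                        " </sp:ContentEncryptedElements>\n" +
                        " </wsp:All>\n" +
                        " </wsp:ExactlyOne>";

        // Outbound (transmitter): same configuration as the positive tests, i.e. a
        // Timestamp IS produced and signed even though this policy forbids it.
        WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
        outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        outSecurityProperties.setEncryptionUser("receiver");
        outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
        outSecurityProperties.setSignatureUser("transmitter");
        outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
        List<WSSConstants.Action> actions = new ArrayList<>();
        actions.add(WSSConstants.TIMESTAMP);
        actions.add(WSSConstants.SIGNATURE);
        actions.add(WSSConstants.ENCRYPTION);
        outSecurityProperties.setActions(actions);

        // Close the classpath stream here rather than relying on doOutboundSecurity to do so.
        final ByteArrayOutputStream baos;
        try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
            baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
        }

        // Inbound (receiver): verify and decrypt with receiver.jks, then enforce the policy.
        WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
        inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

        // The violation is reported as a WSSecurityException wrapped in an XMLStreamException.
        // Serialising the document inside the same executable keeps the original coverage:
        // should inbound processing not reject the message, writing it out is the last
        // place the failure could surface before the assertion fails.
        XMLStreamException e = assertThrows(XMLStreamException.class, () -> {
            Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
            Transformer transformer = TransformerFactory.newInstance().newTransformer();
            transformer.transform(new DOMSource(document), new StreamResult(new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // discard
                }
            }));
        });
        assertTrue(e.getCause() instanceof WSSecurityException,
                "expected a WSSecurityException cause but got " + e.getCause());
        // expected first, actual second -- otherwise a failure report reads backwards
        assertEquals("Timestamp must not be present", e.getCause().getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) e.getCause()).getFaultCode());
    }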
424
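    /**
     * Positive case: asymmetric binding with {@code sp:IncludeTimestamp} plus a
     * {@code sp:SignedSupportingTokens} block demanding a {@code NoPassword} UsernameToken
     * (IncludeToken/AlwaysToRecipient).
     *
     * <p>Outbound side: token user "transmitter" with {@code PASSWORD_NONE}, the
     * USERNAMETOKEN action added before TIMESTAMP/SIGNATURE/ENCRYPTION, and the
     * UsernameToken listed as a signature part next to the Timestamp and the Body.
     *
     * <p>Security relevance: a {@code NoPassword} UsernameToken carries no proof of
     * possession at all -- it is a bare identity claim. The only thing that binds it to
     * the sender is that it is covered by the initiator's X509 signature, which is exactly
     * what {@code SignedSupportingTokens} requires and what signing
     * {@code TAG_WSSE_USERNAME_TOKEN} provides. A policy that accepted such a token as an
     * unsigned (plain) supporting token would let anyone assert any username.
     *
     * <p>Review note: {@code Basic256} is the SHA-1 based suite of WS-SecurityPolicy 1.2;
     * production policies should prefer {@code Basic256Sha256}.
     *
     * @throws Exception if outbound/inbound processing or policy enforcement fails
     */
    @Test
    public void testIncludeTimestampAndSignedUsernameSupportingTokenPolicy() throws Exception {

        String policyString =
                "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
                        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
                        " <wsp:All>\n" +
                        " <sp:AsymmetricBinding>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:InitiatorToken>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
                        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:WssX509V3Token11/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:X509Token>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:InitiatorToken>\n" +
                        " <sp:RecipientToken>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
                        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:WssX509V3Token11/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:X509Token>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:RecipientToken>\n" +
                        " <sp:AlgorithmSuite>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:Basic256/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:AlgorithmSuite>\n" +
                        " <sp:Layout>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:Lax/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:Layout>\n" +
                        " <sp:IncludeTimestamp/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:AsymmetricBinding>\n" +
                        " <sp:SignedParts>\n" +
                        " <sp:Body/>\n" +
                        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
                        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                        " </sp:SignedParts>\n" +
                        " <sp:SignedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
                        " </sp:SignedElements>\n" +
                        " <sp:EncryptedParts>\n" +
                        " <sp:Body/>\n" +
                        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
                        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                        " </sp:EncryptedParts>\n" +
                        " <sp:EncryptedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
                        " </sp:EncryptedElements>\n" +
                        " <sp:ContentEncryptedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
                        " </sp:ContentEncryptedElements>\n" +
                        " <sp:SignedSupportingTokens>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:UsernameToken sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
                        " <wsp:Policy>\n" +
                        " <sp:NoPassword/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:UsernameToken>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:SignedSupportingTokens>\n" +
                        " </wsp:All>\n" +
                        " </wsp:ExactlyOne>";

        // Outbound (transmitter): X509 signature/encryption plus a password-less
        // UsernameToken for "transmitter".
        WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
        outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        outSecurityProperties.setEncryptionUser("receiver");
        outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
        outSecurityProperties.setSignatureUser("transmitter");
        outSecurityProperties.setTokenUser("transmitter");
        outSecurityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
        outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

        // The UsernameToken must be under the signature to satisfy SignedSupportingTokens.
        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSSE_USERNAME_TOKEN, SecurePart.Modifier.Element));

        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
        List<WSSConstants.Action> actions = new ArrayList<>();
        actions.add(WSSConstants.USERNAMETOKEN);
        actions.add(WSSConstants.TIMESTAMP);
        actions.add(WSSConstants.SIGNATURE);
        actions.add(WSSConstants.ENCRYPTION);
        outSecurityProperties.setActions(actions);

        // Close the classpath stream here rather than relying on doOutboundSecurity to do so.
        final ByteArrayOutputStream baos;
        try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
            baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
        }

        // Inbound (receiver): verify and decrypt with receiver.jks, then enforce the policy.
        WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
        inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
        assertNotNull(document, "inbound processing must return the processed document");

        // Serialise into a discarding sink: checks only that the decrypted DOM can be written.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(new OutputStream() {
            @Override
            public void write(int b) throws IOException {
                // discard: only the act of serialising matters here
            }
        }));
    }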
545
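    /**
     * Negative case: the policy requires {@code sp:IncludeTimestamp} and a signed
     * {@code NoPassword} UsernameToken, but the outbound side signs only the Body.
     * Neither the Timestamp nor the UsernameToken ends up under the signature.
     *
     * <p>The enforcer reports the Timestamp first: a {@link WSSecurityException} with
     * fault code {@link WSSecurityException#INVALID_SECURITY} whose message names the
     * full path of the unsigned {@code wsu:Timestamp}.
     *
     * <p>Review note: despite its name, this test does not demonstrate that an unsigned
     * UsernameToken is rejected -- the Timestamp violation fires first and the supporting
     * token is never reached. A companion test that signs the Timestamp but not the
     * UsernameToken would pin that behaviour. Also unlike the sibling tests, both X509
     * tokens here use {@code IncludeToken/AlwaysToRecipient}; whether that would be
     * flagged with this outbound configuration is not established by this test.
     *
     * @throws Exception if outbound processing fails, or inbound processing fails for a
     *                   reason other than the expected policy violation
     */
    @Test
    public void testIncludeTimestampAndSignedUsernameSupportingTokenPolicyNegativeTest() throws Exception {

        String policyString =
                "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
                        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
                        " <wsp:All>\n" +
                        " <sp:AsymmetricBinding>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:InitiatorToken>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
                        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:WssX509V3Token11/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:X509Token>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:InitiatorToken>\n" +
                        " <sp:RecipientToken>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
                        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:WssX509V3Token11/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:X509Token>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:RecipientToken>\n" +
                        " <sp:AlgorithmSuite>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:Basic256/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:AlgorithmSuite>\n" +
                        " <sp:Layout>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:Lax/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:Layout>\n" +
                        " <sp:IncludeTimestamp/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:AsymmetricBinding>\n" +
                        " <sp:SignedParts>\n" +
                        " <sp:Body/>\n" +
                        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
                        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                        " </sp:SignedParts>\n" +
                        " <sp:SignedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
                        " </sp:SignedElements>\n" +
                        " <sp:EncryptedParts>\n" +
                        " <sp:Body/>\n" +
                        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
                        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                        " </sp:EncryptedParts>\n" +
                        " <sp:EncryptedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
                        " </sp:EncryptedElements>\n" +
                        " <sp:ContentEncryptedElements>\n" +
                        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
                        " </sp:ContentEncryptedElements>\n" +
                        " <sp:SignedSupportingTokens>\n" +
                        " <wsp:Policy>\n" +
                        " <sp:UsernameToken sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
                        " <wsp:Policy>\n" +
                        " <sp:NoPassword/>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:UsernameToken>\n" +
                        " </wsp:Policy>\n" +
                        " </sp:SignedSupportingTokens>\n" +
                        " </wsp:All>\n" +
                        " </wsp:ExactlyOne>";

        // Outbound (transmitter): X509 signature/encryption plus a password-less
        // UsernameToken for "transmitter".
        WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
        outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        outSecurityProperties.setEncryptionUser("receiver");
        outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
        outSecurityProperties.setSignatureUser("transmitter");
        outSecurityProperties.setTokenUser("transmitter");
        outSecurityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
        outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

        // Deliberately sign ONLY the Body: the Timestamp (and the UsernameToken) stay
        // outside the signature, which is the violation under test.
        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));

        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
        List<WSSConstants.Action> actions = new ArrayList<>();
        actions.add(WSSConstants.USERNAMETOKEN);
        actions.add(WSSConstants.TIMESTAMP);
        actions.add(WSSConstants.SIGNATURE);
        actions.add(WSSConstants.ENCRYPTION);
        outSecurityProperties.setActions(actions);

        // Close the classpath stream here rather than relying on doOutboundSecurity to do so.
        final ByteArrayOutputStream baos;
        try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
            baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
        }

        // Inbound (receiver): verify and decrypt with receiver.jks, then enforce the policy.
        WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
        inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

        // The violation is reported as a WSSecurityException wrapped in an XMLStreamException.
        // Serialising the document inside the same executable keeps the original coverage:
        // should inbound processing not reject the message, writing it out is the last
        // place the failure could surface before the assertion fails.
        XMLStreamException e = assertThrows(XMLStreamException.class, () -> {
            Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
            Transformer transformer = TransformerFactory.newInstance().newTransformer();
            transformer.transform(new DOMSource(document), new StreamResult(new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // discard
                }
            }));
        });
        assertTrue(e.getCause() instanceof WSSecurityException,
                "expected a WSSecurityException cause but got " + e.getCause());
        // expected first, actual second -- otherwise a failure report reads backwards
        assertEquals(
                "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp must be signed",
                e.getCause().getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) e.getCause()).getFaultCode());
    }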
674
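/**
 * Negative test: the policy lists a {@code UsernameToken} under
 * {@code SignedSupportingTokens}, i.e. the token must be covered by the message
 * signature, but the outbound side only registers the Timestamp and the Body as
 * signature parts. The username token therefore arrives unsigned and the
 * {@link PolicyEnforcer} must reject the message with an {@code INVALID_SECURITY}
 * fault and the "UsernameToken not satisfied" assertion message, rather than
 * silently accepting a supporting token that lacks the protection the policy
 * promises.
 *
 * @throws Exception if building or processing the message fails for a reason
 *         other than the expected policy violation
 */
@Test
public void testIncludeTimestampAndSignedUsernameSupportingTokenPolicyNegativeTest2() throws Exception {

    String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
            "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
            " <wsp:All>\n" +
            " <sp:AsymmetricBinding>\n" +
            " <wsp:Policy>\n" +
            " <sp:InitiatorToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
            " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:InitiatorToken>\n" +
            " <sp:RecipientToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
            " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:RecipientToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            " <sp:Layout>\n" +
            " <wsp:Policy>\n" +
            " <sp:Lax/>\n" +
            " </wsp:Policy>\n" +
            " </sp:Layout>\n" +
            " <sp:IncludeTimestamp/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AsymmetricBinding>\n" +
            " <sp:SignedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:SignedParts>\n" +
            " <sp:SignedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:SignedElements>\n" +
            " <sp:EncryptedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:EncryptedParts>\n" +
            " <sp:EncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:EncryptedElements>\n" +
            " <sp:ContentEncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
            " </sp:ContentEncryptedElements>\n" +
            " <sp:SignedSupportingTokens>\n" +
            " <wsp:Policy>\n" +
            " <sp:UsernameToken sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
            " <wsp:Policy>\n" +
            " <sp:NoPassword/>\n" +
            " </wsp:Policy>\n" +
            " </sp:UsernameToken>\n" +
            " </wsp:Policy>\n" +
            " </sp:SignedSupportingTokens>\n" +
            " </wsp:All>\n" +
            " </wsp:ExactlyOne>";

    // Outbound (sender) side: the transmitter signs and encrypts for the receiver
    // and adds a password-less username token.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.setTokenUser("transmitter");
    outSecurityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    // Deliberately NOT signing the username token: only the timestamp and the
    // body are signature parts, which is what makes this a negative test.
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));

    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.USERNAMETOKEN);
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath resource once the outbound pipeline has consumed it.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound (receiver) side: verify the signature, decrypt, then enforce the policy.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

        // Serialising the returned DOM into a discarding sink drives the whole
        // document through the input processors; the policy violation is
        // expected to surface either here or in doInboundSecurity itself, as an
        // XMLStreamException wrapping the WSSecurityException.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
                new OutputStream() {
                    @Override
                    public void write(int b) throws IOException {
                        // discard: only the side effect of processing the document matters
                    }
                }
        ));
        fail("Exception expected");
    } catch (XMLStreamException e) {
        Throwable cause = e.getCause();
        assertTrue(cause instanceof WSSecurityException, "unexpected cause: " + cause);
        // JUnit's (expected, actual) order, so a mismatch is reported the right way round.
        assertEquals("Assertion {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken not satisfied",
                cause.getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) cause).getFaultCode());
    }
}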
803
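/**
 * Positive test: the policy requires {@code EncryptBeforeSigning} and a
 * {@code UsernameToken} as a {@code SignedSupportingToken}. The outbound side
 * honours both: the actions are ordered ENCRYPTION before SIGNATURE and the
 * username token is registered as a signature part alongside the timestamp and
 * the body, so the inbound policy enforcement must accept the message without
 * raising an exception.
 *
 * @throws Exception if building or processing the message fails (which would
 *         mean the policy was wrongly rejected)
 */
@Test
public void testIncludeTimestampAndProtectionOrderEncryptBeforeSignAndSignedUsernameSupportingTokenPolicyTest() throws Exception {

    String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
            "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
            " <wsp:All>\n" +
            " <sp:AsymmetricBinding>\n" +
            " <wsp:Policy>\n" +
            " <sp:InitiatorToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
            " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:InitiatorToken>\n" +
            " <sp:RecipientToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
            " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:RecipientToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            " <sp:Layout>\n" +
            " <wsp:Policy>\n" +
            " <sp:Lax/>\n" +
            " </wsp:Policy>\n" +
            " </sp:Layout>\n" +
            " <sp:IncludeTimestamp/>\n" +
            " <sp:EncryptBeforeSigning/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AsymmetricBinding>\n" +
            " <sp:SignedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:SignedParts>\n" +
            " <sp:SignedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:SignedElements>\n" +
            " <sp:EncryptedParts>\n" +
            " <sp:Body/>\n" +
            " </sp:EncryptedParts>\n" +
            " <sp:SignedSupportingTokens>\n" +
            " <wsp:Policy>\n" +
            " <sp:UsernameToken sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
            " <wsp:Policy>\n" +
            " <sp:NoPassword/>\n" +
            " </wsp:Policy>\n" +
            " </sp:UsernameToken>\n" +
            " </wsp:Policy>\n" +
            " </sp:SignedSupportingTokens>\n" +
            " </wsp:All>\n" +
            " </wsp:ExactlyOne>";

    // Outbound (sender) side.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.setTokenUser("transmitter");
    outSecurityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    // The username token is signed together with the timestamp and the body,
    // which is what the SignedSupportingTokens assertion requires.
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSSE_USERNAME_TOKEN, SecurePart.Modifier.Element));

    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));

    // ENCRYPTION precedes SIGNATURE to match the policy's EncryptBeforeSigning.
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.USERNAMETOKEN);
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.ENCRYPTION);
    actions.add(WSSConstants.SIGNATURE);
    outSecurityProperties.setActions(actions);

    // Close the classpath resource once the outbound pipeline has consumed it.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound (receiver) side with the policy enforcer attached.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
    assertTrue(document != null, "inbound processing returned no document");

    // Serialising the DOM into a discarding sink drives the whole document
    // through the input processors; any policy violation would surface here
    // and fail the test.
    Transformer transformer = TransformerFactory.newInstance().newTransformer();
    transformer.transform(new DOMSource(document), new StreamResult(
            new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // discard: only the side effect of processing the document matters
                }
            }
    ));
}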
917
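/**
 * Negative test for algorithm-suite enforcement on the signature algorithm.
 * The policy selects {@code Basic256}; the outbound side signs with
 * {@code rsa-sha512} instead. The inbound enforcer must reject the message as
 * "does not meet policy" with an {@code INVALID_SECURITY} fault: the suite check
 * is an exact match against the suite's prescribed algorithm, not a
 * minimum-strength check, so even a stronger digest than the suite specifies is
 * refused.
 *
 * @throws Exception if building or processing the message fails for a reason
 *         other than the expected policy violation
 */
@Test
public void testSignatureAlgorithmSuiteNegative() throws Exception {

    String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
            "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
            " <wsp:All>\n" +
            " <sp:AsymmetricBinding>\n" +
            " <wsp:Policy>\n" +
            " <sp:InitiatorToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
            " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:InitiatorToken>\n" +
            " <sp:RecipientToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
            " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:RecipientToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            " <sp:Layout>\n" +
            " <wsp:Policy>\n" +
            " <sp:Lax/>\n" +
            " </wsp:Policy>\n" +
            " </sp:Layout>\n" +
            " <sp:IncludeTimestamp/>\n" +
            " <sp:ProtectTokens/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AsymmetricBinding>\n" +
            " <sp:SignedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:SignedParts>\n" +
            " <sp:SignedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:SignedElements>\n" +
            " <sp:EncryptedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:EncryptedParts>\n" +
            " <sp:EncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:EncryptedElements>\n" +
            " <sp:ContentEncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
            " </sp:ContentEncryptedElements>\n" +
            " </wsp:All>\n" +
            " </wsp:ExactlyOne>";

    // Outbound (sender) side: everything matches the policy except the
    // signature algorithm, which is deliberately set to rsa-sha512.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");

    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath resource once the outbound pipeline has consumed it.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound (receiver) side.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    // NOTE(review): these BSP rules are ignored presumably so that the Basic
    // Security Profile checks do not reject the non-default signature algorithm
    // before the policy check runs, leaving the policy violation as the observed
    // failure -- confirm against the BSPRule definitions.
    inSecurityProperties.addIgnoreBSPRule(BSPRule.R5421);
    inSecurityProperties.addIgnoreBSPRule(BSPRule.R5420);

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

        // Serialising the returned DOM into a discarding sink drives the whole
        // document through the input processors; the policy violation is
        // expected to surface either here or in doInboundSecurity itself, as an
        // XMLStreamException wrapping the WSSecurityException.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
                new OutputStream() {
                    @Override
                    public void write(int b) throws IOException {
                        // discard: only the side effect of processing the document matters
                    }
                }
        ));
        fail("Exception expected");
    } catch (XMLStreamException e) {
        Throwable cause = e.getCause();
        assertTrue(cause instanceof WSSecurityException, "unexpected cause: " + cause);
        // JUnit's (expected, actual) order, so a mismatch is reported the right way round.
        assertEquals("Asymmetric algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 does not meet policy",
                cause.getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) cause).getFaultCode());
    }
}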
1036
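/**
 * Negative test for algorithm-suite enforcement on the signature
 * canonicalization algorithm. The policy selects {@code Basic256}; the outbound
 * side canonicalizes with {@code xml-c14n11} instead. The inbound enforcer must
 * reject the message as "C14N algorithm ... does not meet policy" with an
 * {@code INVALID_SECURITY} fault. C14N is part of what the signature actually
 * covers, so an unexpected canonicalization method is treated as a policy
 * violation just like a wrong signature algorithm.
 *
 * @throws Exception if building or processing the message fails for a reason
 *         other than the expected policy violation
 */
@Test
public void testC14NAlgorithmSuiteNegative() throws Exception {

    String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
            "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
            " <wsp:All>\n" +
            " <sp:AsymmetricBinding>\n" +
            " <wsp:Policy>\n" +
            " <sp:InitiatorToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
            " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:InitiatorToken>\n" +
            " <sp:RecipientToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
            " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:RecipientToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            " <sp:Layout>\n" +
            " <wsp:Policy>\n" +
            " <sp:Lax/>\n" +
            " </wsp:Policy>\n" +
            " </sp:Layout>\n" +
            " <sp:IncludeTimestamp/>\n" +
            " <sp:ProtectTokens/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AsymmetricBinding>\n" +
            " <sp:SignedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:SignedParts>\n" +
            " <sp:SignedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:SignedElements>\n" +
            " <sp:EncryptedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:EncryptedParts>\n" +
            " <sp:EncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:EncryptedElements>\n" +
            " <sp:ContentEncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
            " </sp:ContentEncryptedElements>\n" +
            " </wsp:All>\n" +
            " </wsp:ExactlyOne>";

    // Outbound (sender) side: everything matches the policy except the
    // signature canonicalization algorithm, deliberately set to C14N 1.1.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2006/12/xml-c14n11");

    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath resource once the outbound pipeline has consumed it.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound (receiver) side.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    // NOTE(review): these BSP rules are ignored presumably so that the Basic
    // Security Profile checks do not reject the non-default C14N method before
    // the policy check runs, leaving the policy violation as the observed
    // failure -- confirm against the BSPRule definitions.
    inSecurityProperties.addIgnoreBSPRule(BSPRule.R5404);
    inSecurityProperties.addIgnoreBSPRule(BSPRule.R5423);
    inSecurityProperties.addIgnoreBSPRule(BSPRule.R5412);

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

        // Serialising the returned DOM into a discarding sink drives the whole
        // document through the input processors; the policy violation is
        // expected to surface either here or in doInboundSecurity itself, as an
        // XMLStreamException wrapping the WSSecurityException.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
                new OutputStream() {
                    @Override
                    public void write(int b) throws IOException {
                        // discard: only the side effect of processing the document matters
                    }
                }
        ));
        fail("Exception expected");
    } catch (XMLStreamException e) {
        Throwable cause = e.getCause();
        assertTrue(cause instanceof WSSecurityException, "unexpected cause: " + cause);
        // JUnit's (expected, actual) order, so a mismatch is reported the right way round.
        assertEquals("C14N algorithm http://www.w3.org/2006/12/xml-c14n11 does not meet policy",
                cause.getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) cause).getFaultCode());
    }
}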
1156
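/**
 * Negative test for algorithm-suite enforcement on the symmetric encryption
 * algorithm. The policy selects {@code Basic256}; the outbound side encrypts
 * with {@code tripledes-cbc} (a 192-bit key) instead. The inbound enforcer must
 * reject the message with an {@code INVALID_SECURITY} fault, and the expected
 * message shows that both the algorithm identifier and the key length are
 * checked independently against the suite (two findings, newline-separated),
 * so a downgrade to a weaker cipher is caught on either criterion.
 *
 * @throws Exception if building or processing the message fails for a reason
 *         other than the expected policy violation
 */
@Test
public void testEncryptionAlgorithmSuiteNegative() throws Exception {

    String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
            "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
            " <wsp:All>\n" +
            " <sp:AsymmetricBinding>\n" +
            " <wsp:Policy>\n" +
            " <sp:InitiatorToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
            " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:InitiatorToken>\n" +
            " <sp:RecipientToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
            " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:RecipientToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            " <sp:Layout>\n" +
            " <wsp:Policy>\n" +
            " <sp:Lax/>\n" +
            " </wsp:Policy>\n" +
            " </sp:Layout>\n" +
            " <sp:IncludeTimestamp/>\n" +
            " <sp:ProtectTokens/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AsymmetricBinding>\n" +
            " <sp:SignedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:SignedParts>\n" +
            " <sp:SignedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:SignedElements>\n" +
            " <sp:EncryptedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:EncryptedParts>\n" +
            " <sp:EncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:EncryptedElements>\n" +
            " <sp:ContentEncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
            " </sp:ContentEncryptedElements>\n" +
            " </wsp:All>\n" +
            " </wsp:ExactlyOne>";

    // Outbound (sender) side: everything matches the policy except the
    // symmetric encryption algorithm, deliberately set to 3DES-CBC.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setEncryptionSymAlgorithm("http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath resource once the outbound pipeline has consumed it.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound (receiver) side.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

        // Serialising the returned DOM into a discarding sink drives the whole
        // document through the input processors; the policy violation is
        // expected to surface either here or in doInboundSecurity itself, as an
        // XMLStreamException wrapping the WSSecurityException.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
                new OutputStream() {
                    @Override
                    public void write(int b) throws IOException {
                        // discard: only the side effect of processing the document matters
                    }
                }
        ));
        fail("Exception expected");
    } catch (XMLStreamException e) {
        Throwable cause = e.getCause();
        assertTrue(cause instanceof WSSecurityException, "unexpected cause: " + cause);
        // JUnit's (expected, actual) order, so a mismatch is reported the right way round.
        // Both findings (algorithm and key length) are reported in one message.
        assertEquals("Encryption algorithm http://www.w3.org/2001/04/xmlenc#tripledes-cbc does not meet policy\n" +
                "Symmetric encryption algorithm key length 192 does not meet policy",
                cause.getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) cause).getFaultCode());
    }
}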
1274
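/**
 * Positive case: a timestamped, signed and encrypted SOAP 1.1 message that uses the
 * RSA-1.5 key-transport algorithm must pass inbound processing when the policy's
 * AlgorithmSuite is {@code Basic256Rsa15}.
 *
 * <p>Security note: RSA-1.5 (PKCS#1 v1.5) key transport is susceptible to
 * Bleichenbacher-style padding-oracle attacks, and the test name indicates that it is
 * otherwise rejected on the inbound side. Nothing on the inbound properties below opts
 * back in explicitly, so acceptance is expected to come from the policy alone. A
 * production policy should select this suite only for legacy interoperability and
 * prefer RSA-OAEP otherwise.
 *
 * @throws Exception on any outbound/inbound processing failure (the test then fails)
 */
@Test
public void testPolicyReenabledRSA15KeyTransportAlgorithm() throws Exception {

    // Asymmetric binding, both tokens referenced but never included, Basic256Rsa15 suite.
    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:AsymmetricBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:InitiatorToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:InitiatorToken>\n" +
        " <sp:RecipientToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:RecipientToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256Rsa15/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:Layout>\n" +
        " <wsp:Policy>\n" +
        " <sp:Lax/>\n" +
        " </wsp:Policy>\n" +
        " </sp:Layout>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AsymmetricBinding>\n" +
        " <sp:SignedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:SignedParts>\n" +
        " <sp:SignedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:SignedElements>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " <sp:ContentEncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
        " </sp:ContentEncryptedElements>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    // Outbound: sign as "transmitter", encrypt for "receiver", and force RSA-1.5 key transport.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    // The algorithm under test; the default (RSA-OAEP) would not exercise the Rsa15 suite.
    outSecurityProperties.setEncryptionKeyTransportAlgorithm("http://www.w3.org/2001/04/xmlenc#rsa-1_5");
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath stream ourselves rather than relying on the helper to do so.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument =
            this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound: "receiver" verifies and decrypts. No explicit RSA-1.5 opt-in here; the
    // policy's AlgorithmSuite (via the PolicyInputProcessor) is what is expected to allow it.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

    // Serialize the decrypted DOM into a discarding sink; presumably just to make sure the
    // whole result tree can be walked without error.
    Transformer transformer = TransformerFactory.newInstance().newTransformer();
    transformer.transform(new DOMSource(document), new StreamResult(
        new OutputStream() {
            @Override
            public void write(int b) throws IOException {
                // intentionally discarded
            }
        }
    ));
}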
1382
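/**
 * Positive case for {@code sp:EncryptSignature}: the policy requires the signature to be
 * encrypted and the outbound side does encrypt the {@code ds:Signature} element (in
 * addition to the Timestamp children and the Body content), so inbound processing must
 * succeed.
 *
 * <p>Security note: encrypting the signature keeps its digest values and signature value
 * from a passive observer. The two negative siblings check that the enforcer rejects both
 * an unencrypted signature under this policy and an encrypted one when the policy does not
 * ask for it.
 *
 * @throws Exception on any outbound/inbound processing failure (the test then fails)
 */
@Test
public void testSignatureProtectionPolicy() throws Exception {

    // Same binding as the other positive tests, plus sp:EncryptSignature.
    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:AsymmetricBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:InitiatorToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:InitiatorToken>\n" +
        " <sp:RecipientToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:RecipientToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:Layout>\n" +
        " <wsp:Policy>\n" +
        " <sp:Lax/>\n" +
        " </wsp:Policy>\n" +
        " </sp:Layout>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " <sp:EncryptSignature/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AsymmetricBinding>\n" +
        " <sp:SignedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:SignedParts>\n" +
        " <sp:SignedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:SignedElements>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " <sp:ContentEncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
        " </sp:ContentEncryptedElements>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    // Outbound: sign as "transmitter", encrypt for "receiver".
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    // This is what satisfies sp:EncryptSignature: the ds:Signature element itself is encrypted.
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_dsig_Signature, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath stream ourselves rather than relying on the helper to do so.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument =
            this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound: "receiver" verifies and decrypts under the policy.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

    // Serialize the decrypted DOM into a discarding sink; presumably just to make sure the
    // whole result tree can be walked without error.
    Transformer transformer = TransformerFactory.newInstance().newTransformer();
    transformer.transform(new DOMSource(document), new StreamResult(
        new OutputStream() {
            @Override
            public void write(int b) throws IOException {
                // intentionally discarded
            }
        }
    ));
}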
1491
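/**
 * Negative case for {@code sp:EncryptSignature}: the policy demands an encrypted signature
 * but the outbound side leaves {@code ds:Signature} in the clear, so inbound processing is
 * expected to fail with an {@code INVALID_SECURITY} fault.
 *
 * <p>NOTE(review): only the fault code is asserted, and this policy also differs from
 * {@link #testSignatureProtectionPolicy()} in its {@code IncludeToken} values
 * (AlwaysToRecipient instead of Never), so the test does not pin the failure to the missing
 * signature encryption. Asserting the cause message, as
 * {@link #testSignatureProtectionPolicyNegative2()} does, would make the reason unambiguous.
 *
 * @throws Exception on an unexpected failure outside the asserted XMLStreamException path
 */
@Test
public void testSignatureProtectionPolicyNegative1() throws Exception {

    // Policy requires sp:EncryptSignature; note the AlwaysToRecipient token inclusion.
    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:AsymmetricBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:InitiatorToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:InitiatorToken>\n" +
        " <sp:RecipientToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:RecipientToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:Layout>\n" +
        " <wsp:Policy>\n" +
        " <sp:Lax/>\n" +
        " </wsp:Policy>\n" +
        " </sp:Layout>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " <sp:EncryptSignature/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AsymmetricBinding>\n" +
        " <sp:SignedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:SignedParts>\n" +
        " <sp:SignedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:SignedElements>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " <sp:ContentEncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
        " </sp:ContentEncryptedElements>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    // Outbound: sign as "transmitter", encrypt for "receiver" -- but do NOT encrypt the
    // ds:Signature element, which is the policy violation this test is about.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath stream ourselves rather than relying on the helper to do so.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument =
            this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound: "receiver" verifies and decrypts under the policy.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    // The violation may surface either while building the document or while it is walked,
    // so the serialization stays inside the try.
    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
            new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // intentionally discarded
                }
            }
        ));
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof WSSecurityException);
        // JUnit order is (expected, actual) so a mismatch report reads correctly.
        assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) e.getCause()).getFaultCode());
    }
}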
1605
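/**
 * Negative case for {@code sp:EncryptSignature}: the policy does not ask for an encrypted
 * signature, yet the outbound side encrypts {@code ds:Signature}. The enforcer must reject
 * this with a "must not be encrypted" message and an {@code INVALID_SECURITY} fault.
 *
 * <p>Security note: enforcement is two-sided -- encrypting more than the policy declares
 * is a violation, not a tolerated extra. The asserted message names the full path of the
 * offending {@code ds:Signature} inside {@code wsse:Security}.
 *
 * @throws Exception on an unexpected failure outside the asserted XMLStreamException path
 */
@Test
public void testSignatureProtectionPolicyNegative2() throws Exception {

    // Identical to the positive EncryptSignature policy but WITHOUT sp:EncryptSignature.
    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:AsymmetricBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:InitiatorToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:InitiatorToken>\n" +
        " <sp:RecipientToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:RecipientToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:Layout>\n" +
        " <wsp:Policy>\n" +
        " <sp:Lax/>\n" +
        " </wsp:Policy>\n" +
        " </sp:Layout>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AsymmetricBinding>\n" +
        " <sp:SignedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:SignedParts>\n" +
        " <sp:SignedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:SignedElements>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " <sp:ContentEncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
        " </sp:ContentEncryptedElements>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    // Outbound: sign as "transmitter", encrypt for "receiver".
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    // Encrypting ds:Signature although the policy does not request it -- the violation under test.
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_dsig_Signature, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath stream ourselves rather than relying on the helper to do so.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument =
            this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound: "receiver" verifies and decrypts under the policy.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    // The violation may surface either while building the document or while it is walked,
    // so the serialization stays inside the try.
    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
            new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // intentionally discarded
                }
            }
        ));
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof WSSecurityException);
        // JUnit order is (expected, actual) so a mismatch report reads correctly.
        assertEquals(
            "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security/{http://www.w3.org/2000/09/xmldsig#}Signature must not be encrypted",
            e.getCause().getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) e.getCause()).getFaultCode());
    }
}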
1721
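/**
 * Positive case for {@code sp:OnlySignEntireHeadersAndBody}: the outbound side signs the
 * Timestamp header, the whole Body and, additionally, the {@code wsdl:definitions} element
 * that lives inside the Body; inbound processing must accept this.
 *
 * <p>Security note: the assertion limits signature references to complete top-level
 * headers and the Body, which WS-SecurityPolicy intends as a guard against signing only a
 * fragment that could later be relocated. The nested {@code wsdl:definitions} reference is
 * apparently tolerated because the enclosing Body is signed as well -- compare the negative
 * sibling, where the same reference without a Body signature is the offending element.
 * Confirm that reading against the enforcer before relying on it.
 *
 * @throws Exception on any outbound/inbound processing failure (the test then fails)
 */
@Test
public void testEntireHeaderAndBodySignature() throws Exception {

    // Binding with sp:OnlySignEntireHeadersAndBody; XPaths here are absolute from the Envelope.
    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:AsymmetricBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:InitiatorToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:InitiatorToken>\n" +
        " <sp:RecipientToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:RecipientToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:Layout>\n" +
        " <wsp:Policy>\n" +
        " <sp:Lax/>\n" +
        " </wsp:Policy>\n" +
        " </sp:Layout>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " <sp:OnlySignEntireHeadersAndBody/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AsymmetricBinding>\n" +
        " <sp:SignedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:SignedParts>\n" +
        " <sp:SignedElements>\n" +
        " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
        " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
        " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
        " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
        " </sp:XPath>\n" +
        " </sp:SignedElements>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
        " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
        " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
        " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
        " </sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " <sp:ContentEncryptedElements>\n" +
        " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
        " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
        " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
        " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Expires" +
        " </sp:XPath>\n" +
        " </sp:ContentEncryptedElements>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    // Outbound: sign as "transmitter", encrypt for "receiver".
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    // A Body-internal element, signed on top of the entire Body (see Javadoc).
    outSecurityProperties.addSignaturePart(new SecurePart(new QName("http://schemas.xmlsoap.org/wsdl/", "definitions"), SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath stream ourselves rather than relying on the helper to do so.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument =
            this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound: "receiver" verifies and decrypts under the policy.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

    // Serialize the decrypted DOM into a discarding sink; presumably just to make sure the
    // whole result tree can be walked without error.
    Transformer transformer = TransformerFactory.newInstance().newTransformer();
    transformer.transform(new DOMSource(document), new StreamResult(
        new OutputStream() {
            @Override
            public void write(int b) throws IOException {
                // intentionally discarded
            }
        }
    ));
}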
1842
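/**
 * Negative case for {@code sp:OnlySignEntireHeadersAndBody}: the outbound side signs the
 * Timestamp and the {@code wsdl:definitions} element inside the Body, but not the Body
 * itself. The enforcer must report the Body-internal reference as the offending element
 * and fail with an {@code INVALID_SECURITY} fault.
 *
 * <p>The asserted message names the full path of the offending element, so the failure is
 * unambiguously attributed to the partial Body signature (the policy also carries no
 * SignedParts/SignedElements, so nothing else demands a signature here).
 *
 * @throws Exception on an unexpected failure outside the asserted XMLStreamException path
 */
@Test
public void testEntireHeaderAndBodySignatureNegative() throws Exception {

    // Binding with sp:OnlySignEntireHeadersAndBody and no SignedParts/SignedElements.
    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:AsymmetricBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:InitiatorToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:InitiatorToken>\n" +
        " <sp:RecipientToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:RecipientToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:Layout>\n" +
        " <wsp:Policy>\n" +
        " <sp:Lax/>\n" +
        " </wsp:Policy>\n" +
        " </sp:Layout>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " <sp:OnlySignEntireHeadersAndBody/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AsymmetricBinding>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " <sp:ContentEncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
        " </sp:ContentEncryptedElements>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    // Outbound: sign as "transmitter", encrypt for "receiver". Note that the Body is NOT
    // among the signature parts -- only an element inside it is.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    // The partial-Body signature that OnlySignEntireHeadersAndBody must reject.
    outSecurityProperties.addSignaturePart(new SecurePart(new QName("http://schemas.xmlsoap.org/wsdl/", "definitions"), SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath stream ourselves rather than relying on the helper to do so.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument =
            this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound: "receiver" verifies and decrypts under the policy.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    // The violation may surface either while building the document or while it is walked,
    // so the serialization stays inside the try.
    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
            new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // intentionally discarded
                }
            }
        ));
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof WSSecurityException);
        // JUnit order is (expected, actual) so a mismatch report reads correctly.
        assertEquals(
            "OnlySignEntireHeadersAndBody not fulfilled, offending element: " +
            "/{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body/{http://schemas.xmlsoap.org/wsdl/}definitions",
            e.getCause().getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) e.getCause()).getFaultCode());
    }
}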
1951
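/**
 * Negative test for {@code sp:OnlySignEntireHeadersAndBody}.
 *
 * <p>The outbound side signs {@code wsdl:service}, which sits below {@code wsdl:definitions}
 * inside the SOAP header, instead of signing the whole header child. The inbound policy
 * enforcer must refuse the message with {@link WSSecurityException#INVALID_SECURITY} and name
 * the offending element path in the fault message: a signature over only a sub-element leaves
 * the surrounding header unprotected, which is exactly what the assertion forbids.
 *
 * @throws Exception on any unexpected failure while building or processing the message
 */
@Test
public void testEntireHeaderAndBodySignatureNegative2() throws Exception {

    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:AsymmetricBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:InitiatorToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:InitiatorToken>\n" +
        " <sp:RecipientToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:RecipientToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:Layout>\n" +
        " <wsp:Policy>\n" +
        " <sp:Lax/>\n" +
        " </wsp:Policy>\n" +
        " </sp:Layout>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " <sp:OnlySignEntireHeadersAndBody/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AsymmetricBinding>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " <sp:ContentEncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
        " </sp:ContentEncryptedElements>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    // Outbound side: sign with the transmitter key, encrypt for the receiver.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    // Deliberately sign wsdl:service (a nested element) rather than an entire header or the body;
    // this is the violation the policy must detect.
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(new QName("http://schemas.xmlsoap.org/wsdl/", "service"), SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath resource stream here instead of relying on the outbound pipeline to do so.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound side: verify with the receiver keystore and run the policy enforcer as an input processor.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

        // Serialise the result into a null sink; presumably this forces any policy failure raised
        // late in the stream to surface, so the expected XMLStreamException may come from either call.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
            new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // discard
                }
            }
        ));
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof WSSecurityException);
        WSSecurityException cause = (WSSecurityException) e.getCause();
        // JUnit's assertEquals takes the expected value first; the original call had the arguments swapped,
        // which produced misleading "expected/actual" output on failure.
        assertEquals(
            "OnlySignEntireHeadersAndBody not fulfilled, offending element: " +
            "/{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://schemas.xmlsoap.org/wsdl/}definitions/{http://schemas.xmlsoap.org/wsdl/}service",
            cause.getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, cause.getFaultCode());
    }
}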
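/**
 * Positive end-to-end scenario: a SAML 2.0 holder-of-key token as initiator token, an X.509
 * recipient token with derived keys, a signed UsernameToken supporting token, a timestamp,
 * and encryption with a derived key. The policy lists signed and encrypted parts and elements
 * that the outbound configuration below satisfies, so the inbound policy enforcer must accept
 * the message without raising an exception.
 *
 * @throws Exception on any failure while building or processing the message (the test fails)
 */
@Test
public void testTokenScenario() throws Exception {

    // NOTE(review): the IncludeToken values for SamlToken and UsernameToken carry a leading space
    // inside the attribute; they are kept verbatim because the test passes this way — presumably
    // the policy parser tolerates it.
    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:AsymmetricBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:InitiatorToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:SamlToken sp:IncludeToken=\" http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always\">\n" +
        " <sp:IssuerName>www.example.com</sp:IssuerName>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:WssSamlV20Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:SamlToken>\n" +
        " </wsp:Policy>\n" +
        " </sp:InitiatorToken>\n" +
        " <sp:RecipientToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:RequireDerivedKeys/>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:RecipientToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AsymmetricBinding>\n" +
        " <sp:SignedSupportingTokens>\n" +
        " <wsp:Policy>\n" +
        " <sp:UsernameToken sp:IncludeToken=\" http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
        " <wsp:Policy>\n" +
        " </wsp:Policy>\n" +
        " </sp:UsernameToken>\n" +
        " </wsp:Policy>\n" +
        " </sp:SignedSupportingTokens>\n" +
        " <sp:SignedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:SignedParts>\n" +
        " <sp:SignedElements>\n" +
        " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
        " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
        " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
        " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
        " </sp:XPath>\n" +
        " </sp:SignedElements>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
        " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
        " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
        " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
        " </sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " <sp:ContentEncryptedElements>\n" +
        " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
        " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
        " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
        " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Expires" +
        " </sp:XPath>\n" +
        " </sp:ContentEncryptedElements>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.USERNAMETOKEN);
    actions.add(WSSConstants.SAML_TOKEN_SIGNED);
    actions.add(WSSConstants.ENCRYPTION_WITH_DERIVED_KEY);
    outSecurityProperties.setActions(actions);

    // SAML 2.0 authentication assertion with holder-of-key confirmation, issued by www.example.com
    // to match the sp:IssuerName in the policy.
    SAMLCallbackHandlerImpl samlCallbackHandler = new SAMLCallbackHandlerImpl();
    samlCallbackHandler.setSamlVersion(Version.SAML_20);
    samlCallbackHandler.setStatement(SAMLCallbackHandlerImpl.Statement.AUTHN);
    samlCallbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
    samlCallbackHandler.setIssuer("www.example.com");
    byte[] secret = WSSConstants.generateBytes(128 / 8);
    CallbackHandlerImpl callbackHandler = new CallbackHandlerImpl();
    callbackHandler.setSecret(secret);

    // The holder-of-key certificate comes from the transmitter test keystore; close the resource
    // stream once the keystore is loaded.
    KeyStore keyStore = KeyStore.getInstance("jks");
    try (InputStream keyStoreStream = this.getClass().getClassLoader().getResourceAsStream("transmitter.jks")) {
        keyStore.load(keyStoreStream, "default".toCharArray());
    }
    Merlin crypto = new Merlin();
    crypto.setKeyStore(keyStore);
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("transmitter");
    samlCallbackHandler.setCerts(crypto.getX509Certificates(cryptoType));

    outSecurityProperties.setCallbackHandler(callbackHandler);
    outSecurityProperties.setSamlCallbackHandler(samlCallbackHandler);
    outSecurityProperties.setTokenUser("tester");
    outSecurityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF);
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSSE_USERNAME_TOKEN, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
    outSecurityProperties.setUsernameTokenPasswordType(UsernameTokenPasswordType.PASSWORD_TEXT);

    // Close the classpath resource stream here instead of relying on the outbound pipeline to do so.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound side: verify with the receiver keystore and run the policy enforcer as an input processor.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
    Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

    // Serialise the result into a null sink; presumably this forces any policy failure raised
    // late in the stream to surface as an exception and fail the test.
    Transformer transformer = TransformerFactory.newInstance().newTransformer();
    transformer.transform(new DOMSource(document), new StreamResult(
        new OutputStream() {
            @Override
            public void write(int b) throws IOException {
                // discard
            }
        }
    ));
}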
2314
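/**
 * Variant of the token scenario in which the only encrypted element is an {@code xsd:simpleType}
 * deep inside the body ({@code wsdl:definitions/wsdl:types/xsd:schema/xsd:simpleType}), i.e. the
 * encryption happens late in the document rather than in the security header. The outbound
 * configuration encrypts exactly that element, so the inbound policy enforcer must accept the
 * message without raising an exception.
 *
 * @throws Exception on any failure while building or processing the message (the test fails)
 */
@Test
public void testTokenScenarioLateEncryption() throws Exception {

    // NOTE(review): the IncludeToken values for SamlToken and UsernameToken carry a leading space
    // inside the attribute; they are kept verbatim because the test passes this way — presumably
    // the policy parser tolerates it.
    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:AsymmetricBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:InitiatorToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:SamlToken sp:IncludeToken=\" http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always\">\n" +
        " <sp:IssuerName>www.example.com</sp:IssuerName>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:WssSamlV20Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:SamlToken>\n" +
        " </wsp:Policy>\n" +
        " </sp:InitiatorToken>\n" +
        " <sp:RecipientToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:RequireDerivedKeys/>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:RecipientToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AsymmetricBinding>\n" +
        " <sp:SignedSupportingTokens>\n" +
        " <wsp:Policy>\n" +
        " <sp:UsernameToken sp:IncludeToken=\" http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
        " <wsp:Policy>\n" +
        " </wsp:Policy>\n" +
        " </sp:UsernameToken>\n" +
        " </wsp:Policy>\n" +
        " </sp:SignedSupportingTokens>\n" +
        " <sp:SignedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:SignedParts>\n" +
        " <sp:SignedElements>\n" +
        " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
        " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
        " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
        " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
        " </sp:XPath>\n" +
        " </sp:SignedElements>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
        " xmlns:wsdl=\"http://schemas.xmlsoap.org/wsdl/\" " +
        " xmlns:xsd=\"http://www.w3.org/1999/XMLSchema\">" +
        " /soap:Envelope/soap:Body/wsdl:definitions/wsdl:types/xsd:schema/xsd:simpleType" +
        " </sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.USERNAMETOKEN);
    actions.add(WSSConstants.SAML_TOKEN_SIGNED);
    actions.add(WSSConstants.ENCRYPTION_WITH_DERIVED_KEY);
    outSecurityProperties.setActions(actions);

    // SAML 2.0 authentication assertion with holder-of-key confirmation, issued by www.example.com
    // to match the sp:IssuerName in the policy.
    SAMLCallbackHandlerImpl samlCallbackHandler = new SAMLCallbackHandlerImpl();
    samlCallbackHandler.setSamlVersion(Version.SAML_20);
    samlCallbackHandler.setStatement(SAMLCallbackHandlerImpl.Statement.AUTHN);
    samlCallbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
    samlCallbackHandler.setIssuer("www.example.com");
    byte[] secret = WSSConstants.generateBytes(128 / 8);
    CallbackHandlerImpl callbackHandler = new CallbackHandlerImpl();
    callbackHandler.setSecret(secret);

    // The holder-of-key certificate comes from the transmitter test keystore; close the resource
    // stream once the keystore is loaded.
    KeyStore keyStore = KeyStore.getInstance("jks");
    try (InputStream keyStoreStream = this.getClass().getClassLoader().getResourceAsStream("transmitter.jks")) {
        keyStore.load(keyStoreStream, "default".toCharArray());
    }
    Merlin crypto = new Merlin();
    crypto.setKeyStore(keyStore);
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("transmitter");
    samlCallbackHandler.setCerts(crypto.getX509Certificates(cryptoType));

    outSecurityProperties.setCallbackHandler(callbackHandler);
    outSecurityProperties.setSamlCallbackHandler(samlCallbackHandler);
    outSecurityProperties.setTokenUser("tester");
    outSecurityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF);
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSSE_USERNAME_TOKEN, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setEncryptionUser("receiver");
    // Only the nested xsd:simpleType is encrypted, matching the single sp:EncryptedElements XPath above.
    outSecurityProperties.addEncryptionPart(new SecurePart(new QName("http://www.w3.org/1999/XMLSchema", "simpleType"), SecurePart.Modifier.Element));
    outSecurityProperties.setUsernameTokenPasswordType(UsernameTokenPasswordType.PASSWORD_TEXT);

    // Close the classpath resource stream here instead of relying on the outbound pipeline to do so.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound side: verify with the receiver keystore and run the policy enforcer as an input processor.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
    Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

    // Serialise the result into a null sink; presumably this forces any policy failure raised
    // late in the stream to surface as an exception and fail the test.
    Transformer transformer = TransformerFactory.newInstance().newTransformer();
    transformer.transform(new DOMSource(document), new StreamResult(
        new OutputStream() {
            @Override
            public void write(int b) throws IOException {
                // discard
            }
        }
    ));
}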
2442
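/**
 * Negative test for token inclusion on the recipient token.
 *
 * <p>The policy requires the recipient's X.509 token to be included in the message
 * ({@code IncludeToken/AlwaysToRecipient}), but the outbound configuration below only names
 * the encryption user and leaves the default key identifier in place, so no recipient token is
 * carried in the message. The inbound policy enforcer must reject it with
 * {@link WSSecurityException#INVALID_SECURITY} and the message {@code "Token must be included"}.
 *
 * @throws Exception on any unexpected failure while building or processing the message
 */
@Test
public void testRecipientTokenInclusionAlwaysToRecipientPolicy() throws Exception {

    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:AsymmetricBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:InitiatorToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:InitiatorToken>\n" +
        " <sp:RecipientToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
        " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:WssX509V3Token11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:X509Token>\n" +
        " </wsp:Policy>\n" +
        " </sp:RecipientToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:Layout>\n" +
        " <wsp:Policy>\n" +
        " <sp:Lax/>\n" +
        " </wsp:Policy>\n" +
        " </sp:Layout>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AsymmetricBinding>\n" +
        " <sp:SignedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:SignedParts>\n" +
        " <sp:SignedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:SignedElements>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " <sp:ContentEncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
        " </sp:ContentEncryptedElements>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    // Outbound side: sign with the transmitter key, encrypt for the receiver. Note that no
    // encryption key identifier is configured, so the recipient token is not embedded.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath resource stream here instead of relying on the outbound pipeline to do so.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound side: verify with the receiver keystore and run the policy enforcer as an input processor.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

        // Serialise the result into a null sink; presumably this forces any policy failure raised
        // late in the stream to surface, so the expected XMLStreamException may come from either call.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
            new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // discard
                }
            }
        ));
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof WSSecurityException);
        WSSecurityException cause = (WSSecurityException) e.getCause();
        // JUnit's assertEquals takes the expected value first; the original call had the arguments swapped,
        // which produced misleading "expected/actual" output on failure.
        assertEquals("Token must be included", cause.getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, cause.getFaultCode());
    }
}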
2556
2557 @Test
2558 public void testInitiatorTokenInclusionAlwaysToRecipientPolicy() throws Exception {
2559
2560 String policyString =
2561 "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
2562 "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
2563 " <wsp:All>\n" +
2564 " <sp:AsymmetricBinding>\n" +
2565 " <wsp:Policy>\n" +
2566 " <sp:InitiatorToken>\n" +
2567 " <wsp:Policy>\n" +
2568 " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
2569 " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
2570 " <wsp:Policy>\n" +
2571 " <sp:WssX509V3Token11/>\n" +
2572 " </wsp:Policy>\n" +
2573 " </sp:X509Token>\n" +
2574 " </wsp:Policy>\n" +
2575 " </sp:InitiatorToken>\n" +
2576 " <sp:RecipientToken>\n" +
2577 " <wsp:Policy>\n" +
2578 " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
2579 " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
2580 " <wsp:Policy>\n" +
2581 " <sp:WssX509V3Token11/>\n" +
2582 " </wsp:Policy>\n" +
2583 " </sp:X509Token>\n" +
2584 " </wsp:Policy>\n" +
2585 " </sp:RecipientToken>\n" +
2586 " <sp:AlgorithmSuite>\n" +
2587 " <wsp:Policy>\n" +
2588 " <sp:Basic256/>\n" +
2589 " </wsp:Policy>\n" +
2590 " </sp:AlgorithmSuite>\n" +
2591 " <sp:Layout>\n" +
2592 " <wsp:Policy>\n" +
2593 " <sp:Lax/>\n" +
2594 " </wsp:Policy>\n" +
2595 " </sp:Layout>\n" +
2596 " <sp:IncludeTimestamp/>\n" +
2597 " </wsp:Policy>\n" +
2598 " </sp:AsymmetricBinding>\n" +
2599 " <sp:SignedParts>\n" +
2600 " <sp:Body/>\n" +
2601 " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
2602 " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
2603 " </sp:SignedParts>\n" +
2604 " <sp:SignedElements>\n" +
2605 " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
2606 " </sp:SignedElements>\n" +
2607 " <sp:EncryptedParts>\n" +
2608 " <sp:Body/>\n" +
2609 " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
2610 " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
2611 " </sp:EncryptedParts>\n" +
2612 " <sp:EncryptedElements>\n" +
2613 " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
2614 " </sp:EncryptedElements>\n" +
2615 " <sp:ContentEncryptedElements>\n" +
2616 " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
2617 " </sp:ContentEncryptedElements>\n" +
2618 " </wsp:All>\n" +
2619 " </wsp:ExactlyOne>";
2620
2621 WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
2622 outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
2623 outSecurityProperties.setEncryptionUser("receiver");
2624 outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
2625 outSecurityProperties.setSignatureUser("transmitter");
2626 outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
2627
2628 outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
2629 outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
2630 outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_CREATED, SecurePart.Modifier.Element));
2631 outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_WSU_EXPIRES, SecurePart.Modifier.Content));
2632 outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
2633 List<WSSConstants.Action> actions = new ArrayList<>();
2634 actions.add(WSSConstants.TIMESTAMP);
2635 actions.add(WSSConstants.SIGNATURE);
2636 actions.add(WSSConstants.ENCRYPTION);
2637 outSecurityProperties.setActions(actions);
2638
2639 InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
2640 ByteArrayOutputStream baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
2641
2642 WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
2643 inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
2644 inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
2645 inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
2646
2647 PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
2648 inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
2649
2650 try {
2651 Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
2652
2653
2654 Transformer transformer = TransformerFactory.newInstance().newTransformer();
2655 transformer.transform(new DOMSource(document), new StreamResult(
2656 new OutputStream() {
2657 @Override
2658 public void write(int b) throws IOException {
2659
2660 }
2661 }
2662 ));
2663 fail("Exception expected");
2664 } catch (XMLStreamException e) {
2665 assertTrue(e.getCause() instanceof WSSecurityException);
2666 assertEquals(e.getCause().getMessage(), "Token must be included");
2667 assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.INVALID_SECURITY);
2668 }
2669 }
2670
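@Test
public void testSignBeforeEncryptNegativeTest() throws Exception {
    /*
     * Negative test for the sp:SignBeforeEncrypting ordering assertion of an
     * AsymmetricBinding. The outbound side deliberately runs ENCRYPTION before
     * SIGNATURE (see the action list below), which contradicts the policy, so the
     * inbound PolicyEnforcer must reject the message with a WSSecurityException
     * carrying the INVALID_SECURITY fault code. Any other outcome is a test failure.
     */
    String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
            "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
            " <wsp:All>\n" +
            " <sp:AsymmetricBinding>\n" +
            " <wsp:Policy>\n" +
            " <sp:InitiatorToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
            " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:InitiatorToken>\n" +
            " <sp:RecipientToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
            " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:RecipientToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            " <sp:Layout>\n" +
            " <wsp:Policy>\n" +
            " <sp:Lax/>\n" +
            " </wsp:Policy>\n" +
            " </sp:Layout>\n" +
            " <sp:SignBeforeEncrypting/>\n" +
            " <sp:IncludeTimestamp/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AsymmetricBinding>\n" +
            " <sp:SignedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:SignedParts>\n" +
            " <sp:SignedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:SignedElements>\n" +
            " <sp:EncryptedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:EncryptedParts>\n" +
            " <sp:EncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:EncryptedElements>\n" +
            " <sp:ContentEncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
            " </sp:ContentEncryptedElements>\n" +
            " </wsp:All>\n" +
            " </wsp:ExactlyOne>";

    // Outbound (sender) configuration: sign as "transmitter", encrypt for "receiver".
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    // Action order is the point of this test: ENCRYPTION before SIGNATURE violates
    // the policy's SignBeforeEncrypting assertion.
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.ENCRYPTION);
    actions.add(WSSConstants.SIGNATURE);
    outSecurityProperties.setActions(actions);

    ByteArrayOutputStream baos;
    // Close the classpath resource ourselves; closing an already-closed stream is a no-op.
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound (receiver) configuration: verify with the receiver trust store, decrypt with its key.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

        // Force the whole document to be processed; the output itself is discarded.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
                new OutputStream() {
                    @Override
                    public void write(int b) throws IOException {
                        // intentionally discards output
                    }
                }
        ));
        // fail() throws an AssertionError, which the catch below does not intercept.
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof WSSecurityException);
        WSSecurityException cause = (WSSecurityException) e.getCause();
        // JUnit convention: expected value first, so a mismatch is reported the right way round.
        assertEquals(
                "Policy enforces SignBeforeEncrypting but the /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body was encrypted and then signed",
                cause.getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, cause.getFaultCode());
    }
}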
2784
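@Test
public void testEncryptBeforeSigningNegativeTest() throws Exception {
    /*
     * Negative test for the sp:EncryptBeforeSigning ordering assertion of an
     * AsymmetricBinding. The outbound side deliberately runs SIGNATURE before
     * ENCRYPTION (see the action list below), which contradicts the policy, so the
     * inbound PolicyEnforcer must reject the message with a WSSecurityException
     * carrying the INVALID_SECURITY fault code. Any other outcome is a test failure.
     */
    String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
            "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
            " <wsp:All>\n" +
            " <sp:AsymmetricBinding>\n" +
            " <wsp:Policy>\n" +
            " <sp:InitiatorToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
            " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:InitiatorToken>\n" +
            " <sp:RecipientToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
            " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:WssX509V3Token11/>\n" +
            " </wsp:Policy>\n" +
            " </sp:X509Token>\n" +
            " </wsp:Policy>\n" +
            " </sp:RecipientToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            " <sp:Layout>\n" +
            " <wsp:Policy>\n" +
            " <sp:Lax/>\n" +
            " </wsp:Policy>\n" +
            " </sp:Layout>\n" +
            " <sp:EncryptBeforeSigning/>\n" +
            " <sp:IncludeTimestamp/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AsymmetricBinding>\n" +
            " <sp:SignedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:SignedParts>\n" +
            " <sp:SignedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:SignedElements>\n" +
            " <sp:EncryptedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:EncryptedParts>\n" +
            " <sp:EncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:EncryptedElements>\n" +
            " <sp:ContentEncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
            " </sp:ContentEncryptedElements>\n" +
            " </wsp:All>\n" +
            " </wsp:ExactlyOne>";

    // Outbound (sender) configuration: sign as "transmitter", encrypt for "receiver".
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_WSU_TIMESTAMP, SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    // Action order is the point of this test: SIGNATURE before ENCRYPTION violates
    // the policy's EncryptBeforeSigning assertion.
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    ByteArrayOutputStream baos;
    // Close the classpath resource ourselves; closing an already-closed stream is a no-op.
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound (receiver) configuration: verify with the receiver trust store, decrypt with its key.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);

        // Force the whole document to be processed; the output itself is discarded.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
                new OutputStream() {
                    @Override
                    public void write(int b) throws IOException {
                        // intentionally discards output
                    }
                }
        ));
        // fail() throws an AssertionError, which the catch below does not intercept.
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof WSSecurityException);
        WSSecurityException cause = (WSSecurityException) e.getCause();
        // JUnit convention: expected value first, so a mismatch is reported the right way round.
        assertEquals(
                "Policy enforces EncryptBeforeSigning but the /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body was signed and then encrypted",
                cause.getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, cause.getFaultCode());
    }
}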
2898 }