1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.stax.test;
20  
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.junit.jupiter.api.Test;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail;
42  import static org.junit.jupiter.api.Assertions.fail;
43  
44  /**
45   * This is a test for Certificate Revocation List checking before encryption.
46   *
47   * This test reuses the revoked certificate from SignatureCRLTest
48   */
49  public class EncryptionCRLTest extends AbstractTestBase {
50  
51      @Test
52      public void testEncryptionWithOutRevocationCheck() throws Exception {
53  
54          ByteArrayOutputStream baos;
55          {
56              WSSSecurityProperties securityProperties = new WSSSecurityProperties();
57              List<WSSConstants.Action> actions = new ArrayList<>();
58              actions.add(WSSConstants.ENCRYPTION);
59              securityProperties.setActions(actions);
60              securityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("keys/wss40rev.jks"), "security".toCharArray());
61              securityProperties.setEncryptionUser("wss40rev");
62              securityProperties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
63  
64              InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
65              baos = doOutboundSecurity(securityProperties, sourceDocument);
66  
67              Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
68              NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
69              assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
70  
71              XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p']");
72              Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
73              assertNotNull(node);
74  
75              nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_DataReference.getNamespaceURI(), WSSConstants.TAG_xenc_DataReference.getLocalPart());
76              assertEquals(nodeList.getLength(), 1);
77  
78              nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
79              assertEquals(nodeList.getLength(), 1);
80  
81              xPathExpression = getXPath("/soap:Envelope/soap:Body/xenc:EncryptedData/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#aes256-cbc']");
82              node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
83              assertNotNull(node);
84  
85              assertEquals(node.getParentNode().getParentNode().getLocalName(), "Body");
86              NodeList childNodes = node.getParentNode().getParentNode().getChildNodes();
87              for (int i = 0; i < childNodes.getLength(); i++) {
88                  Node child = childNodes.item(i);
89                  if (child.getNodeType() == Node.TEXT_NODE) {
90                      assertEquals(child.getTextContent().trim(), "");
91                  } else if (child.getNodeType() == Node.ELEMENT_NODE) {
92                      assertEquals(child, nodeList.item(0));
93                  } else {
94                      fail("Unexpected Node encountered");
95                  }
96              }
97          }
98      }
99  
100     /**
101      * TODO Re-enable once CRL issue fixed
102      */
103     @Test
104     @org.junit.jupiter.api.Disabled
105     public void testEncryptionWithRevocationCheck() throws Exception {
106         {
107             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
108             List<WSSConstants.Action> actions = new ArrayList<>();
109             actions.add(WSSConstants.ENCRYPTION);
110             securityProperties.setEnableRevocation(true);
111             securityProperties.setActions(actions);
112             securityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("keys/wss40rev.jks"), "security".toCharArray());
113             securityProperties.setEncryptionUser("wss40rev");
114             securityProperties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
115             securityProperties.loadCRLCertStore(this.getClass().getClassLoader().getResource("wss40CACRL.pem"));
116 
117             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
118 
119             try {
120                 doOutboundSecurity(securityProperties, sourceDocument);
121                 fail("Expected failure on a revocation check");
122             } catch (Exception ex) {
123                 assertNotNull(ex.getCause());
124                 assertTrue(ex.getCause() instanceof WSSecurityException);
125             }
126         }
127     }
128 
129 }