View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.stax.test;
20  
21  import java.io.ByteArrayInputStream;
22  import java.io.ByteArrayOutputStream;
23  import java.io.IOException;
24  import java.io.InputStream;
25  import java.nio.charset.StandardCharsets;
26  import java.security.Security;
27  import java.util.ArrayList;
28  import java.util.HashMap;
29  import java.util.List;
30  import java.util.Map;
31  import java.util.Properties;
32  
33  import javax.crypto.KeyGenerator;
34  import javax.crypto.SecretKey;
35  import javax.security.auth.callback.Callback;
36  import javax.security.auth.callback.UnsupportedCallbackException;
37  import javax.xml.crypto.dsig.SignatureMethod;
38  import javax.xml.namespace.QName;
39  import javax.xml.stream.XMLStreamException;
40  import javax.xml.stream.XMLStreamReader;
41  import javax.xml.stream.XMLStreamWriter;
42  import javax.xml.transform.dom.DOMSource;
43  import javax.xml.transform.stream.StreamResult;
44  import javax.xml.xpath.XPathConstants;
45  import javax.xml.xpath.XPathExpression;
46  
47  import org.apache.wss4j.common.ConfigurationConstants;
48  import org.apache.wss4j.common.bsp.BSPRule;
49  import org.apache.wss4j.common.crypto.CryptoFactory;
50  import org.apache.wss4j.common.ext.WSPasswordCallback;
51  import org.apache.wss4j.common.ext.WSSecurityException;
52  import org.apache.wss4j.dom.WSConstants;
53  import org.apache.wss4j.dom.handler.WSHandlerConstants;
54  import org.apache.wss4j.dom.message.WSSecHeader;
55  import org.apache.wss4j.dom.message.WSSecSignature;
56  import org.apache.wss4j.stax.ext.WSSConstants;
57  import org.apache.wss4j.stax.ext.WSSSecurityProperties;
58  import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
59  import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
60  import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
61  import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
62  import org.apache.wss4j.stax.setup.ConfigurationConverter;
63  import org.apache.wss4j.stax.setup.InboundWSSec;
64  import org.apache.wss4j.stax.setup.OutboundWSSec;
65  import org.apache.wss4j.stax.setup.WSSec;
66  import org.apache.wss4j.stax.test.utils.StAX2DOM;
67  import org.apache.wss4j.stax.test.utils.XmlReaderToWriter;
68  import org.apache.xml.security.exceptions.XMLSecurityException;
69  import org.apache.xml.security.stax.ext.SecurePart;
70  import org.apache.xml.security.stax.securityEvent.SecurityEvent;
71  import org.apache.xml.security.stax.securityEvent.SignatureValueSecurityEvent;
72  import org.junit.jupiter.api.Test;
73  import org.w3c.dom.Document;
74  import org.w3c.dom.Element;
75  import org.w3c.dom.Node;
76  import org.w3c.dom.NodeList;
77  
78  import static org.junit.jupiter.api.Assertions.assertEquals;
79  import static org.junit.jupiter.api.Assertions.assertNotNull;
80  import static org.junit.jupiter.api.Assertions.assertNotSame;
81  import static org.junit.jupiter.api.Assertions.assertSame;
82  import static org.junit.jupiter.api.Assertions.assertTrue;
83  import static org.junit.jupiter.api.Assertions.fail;
84  
85  public class SignatureTest extends AbstractTestBase {
86  
87      @Test
88      public void testSignatureDefaultConfigurationOutbound() throws Exception {
89  
90          ByteArrayOutputStream baos = new ByteArrayOutputStream();
91          {
92              WSSSecurityProperties securityProperties = new WSSSecurityProperties();
93              List<WSSConstants.Action> actions = new ArrayList<>();
94              actions.add(WSSConstants.SIGNATURE);
95              securityProperties.setActions(actions);
96              securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
97              securityProperties.setSignatureUser("transmitter");
98              securityProperties.setCallbackHandler(new CallbackHandlerImpl());
99  
100             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
101             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
102             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
103             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
104             xmlStreamWriter.close();
105 
106             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
107             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
108             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
109 
110             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
111             assertEquals(nodeList.getLength(), 1);
112 
113             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
114             assertEquals(nodeList.getLength(), 1);
115             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
116             assertNotNull(idAttrValue);
117             assertTrue(idAttrValue.length() > 0);
118 
119             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_c14nExcl_InclusiveNamespaces.getNamespaceURI(), WSSConstants.TAG_c14nExcl_InclusiveNamespaces.getLocalPart());
120             assertEquals(nodeList.getLength(), 2);
121             assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_PrefixList.getLocalPart()), "env");
122             assertEquals(((Element) nodeList.item(1)).getAttributeNS(null, WSSConstants.ATT_NULL_PrefixList.getLocalPart()), "");
123         }
124         //done signature; now test sig-verification:
125         {
126             String action = WSHandlerConstants.SIGNATURE;
127             doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
128         }
129     }
130 
131     @Test
132     public void testSignatureDefaultConfigurationInbound() throws Exception {
133 
134         ByteArrayOutputStream baos = new ByteArrayOutputStream();
135         {
136             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
137             String action = WSHandlerConstants.SIGNATURE;
138             Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, new Properties());
139 
140             //some test that we can really sure we get what we want from WSS4J
141             NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
142             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
143 
144             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
145             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
146         }
147 
148         //done signature; now test sig-verification:
149         {
150             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
151             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
152             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
153             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
154 
155             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
156 
157             //header element must still be there
158             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
159             assertEquals(nodeList.getLength(), 1);
160             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
161         }
162     }
163 
164     @Test
165     public void testSignatureCryptoPropertiesOutbound() throws Exception {
166 
167         ByteArrayOutputStream baos = new ByteArrayOutputStream();
168         {
169             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
170             List<WSSConstants.Action> actions = new ArrayList<>();
171             actions.add(WSSConstants.SIGNATURE);
172             securityProperties.setActions(actions);
173             Properties properties =
174                 CryptoFactory.getProperties("transmitter-crypto.properties", this.getClass().getClassLoader());
175             securityProperties.setSignatureCryptoProperties(properties);
176             securityProperties.setSignatureUser("transmitter");
177             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
178 
179             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
180             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
181             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
182             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
183             xmlStreamWriter.close();
184 
185             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
186             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
187             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
188 
189             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
190             assertEquals(nodeList.getLength(), 1);
191 
192             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
193             assertEquals(nodeList.getLength(), 1);
194             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
195             assertNotNull(idAttrValue);
196             assertTrue(idAttrValue.length() > 0);
197 
198             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_c14nExcl_InclusiveNamespaces.getNamespaceURI(), WSSConstants.TAG_c14nExcl_InclusiveNamespaces.getLocalPart());
199             assertEquals(nodeList.getLength(), 2);
200             assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_PrefixList.getLocalPart()), "env");
201             assertEquals(((Element) nodeList.item(1)).getAttributeNS(null, WSSConstants.ATT_NULL_PrefixList.getLocalPart()), "");
202         }
203         //done signature; now test sig-verification:
204         {
205             String action = WSHandlerConstants.SIGNATURE;
206             doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
207         }
208     }
209 
210     @Test
211     public void testSignatureCryptoPropertiesInbound() throws Exception {
212 
213         ByteArrayOutputStream baos = new ByteArrayOutputStream();
214         {
215             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
216             String action = WSHandlerConstants.SIGNATURE;
217             Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, new Properties());
218 
219             //some test that we can really sure we get what we want from WSS4J
220             NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
221             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
222 
223             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
224             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
225         }
226 
227         //done signature; now test sig-verification:
228         {
229             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
230             Properties properties =
231                 CryptoFactory.getProperties("receiver-crypto.properties", this.getClass().getClassLoader());
232             securityProperties.setSignatureVerificationCryptoProperties(properties);
233             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
234             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
235 
236             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
237 
238             //header element must still be there
239             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
240             assertEquals(nodeList.getLength(), 1);
241             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
242         }
243     }
244 
245     @Test
246     public void testSignaturePartsOutbound() throws Exception {
247 
248         ByteArrayOutputStream baos = new ByteArrayOutputStream();
249         {
250             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
251             List<WSSConstants.Action> actions = new ArrayList<>();
252             actions.add(WSSConstants.SIGNATURE);
253             securityProperties.setActions(actions);
254             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
255             securityProperties.setSignatureUser("transmitter");
256             securityProperties.addSignaturePart(new SecurePart(new QName("http://www.w3.org/1999/XMLSchema", "complexType"), SecurePart.Modifier.Element));
257             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
258 
259             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
260             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
261             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
262             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
263             xmlStreamWriter.close();
264 
265             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
266             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
267             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
268 
269             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
270             assertEquals(nodeList.getLength(), 25);
271 
272             nodeList = document.getElementsByTagNameNS("http://www.w3.org/1999/XMLSchema", "complexType");
273             assertEquals(nodeList.getLength(), 26);
274             for (int i = 0; i < nodeList.getLength(); i++) {
275                 String idAttrValue = ((Element) nodeList.item(i)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
276                 if (i == 10) {
277                     assertSame(idAttrValue, "");
278                 } else {
279                     assertNotSame(idAttrValue, "");
280                     assertTrue(idAttrValue.length() > 0);
281                 }
282             }
283         }
284 
285         //done signature; now test sig-verification:
286         {
287             String action = WSHandlerConstants.SIGNATURE;
288             doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
289         }
290     }
291 
292     @Test
293     public void testExceptionOnElementToSignNotFound() throws Exception {
294 
295         ByteArrayOutputStream baos = new ByteArrayOutputStream();
296         {
297             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
298             List<WSSConstants.Action> actions = new ArrayList<>();
299             actions.add(WSSConstants.SIGNATURE);
300             securityProperties.setActions(actions);
301             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
302             securityProperties.setSignatureUser("transmitter");
303             securityProperties.addSignaturePart(new SecurePart(new QName("http://www.wrongnamespace.org", "complexType"), SecurePart.Modifier.Element));
304             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
305 
306             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
307             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
308             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
309 
310             try {
311                 XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
312                 xmlStreamWriter.close();
313                 fail("Exception expected");
314             } catch (XMLStreamException e) {
315                 assertTrue(e.getCause() instanceof XMLSecurityException);
316                 assertEquals("Part to sign not found: {http://www.wrongnamespace.org}complexType", e.getCause().getMessage());
317             }
318         }
319     }
320 
321     @Test
322     public void testSignatureC14NInclusivePartsOutbound() throws Exception {
323 
324         ByteArrayOutputStream baos = new ByteArrayOutputStream();
325         {
326             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
327             List<WSSConstants.Action> actions = new ArrayList<>();
328             actions.add(WSSConstants.SIGNATURE);
329             securityProperties.setActions(actions);
330             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
331             securityProperties.setSignatureUser("transmitter");
332             securityProperties.addSignaturePart(new SecurePart(new QName("http://www.w3.org/1999/XMLSchema", "complexType"), SecurePart.Modifier.Element));
333             securityProperties.setSignatureCanonicalizationAlgorithm("http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments");
334             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
335 
336             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
337             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
338             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
339             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
340             xmlStreamWriter.close();
341 
342             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
343             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
344             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
345 
346             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
347             assertEquals(nodeList.getLength(), 25);
348 
349             nodeList = document.getElementsByTagNameNS("http://www.w3.org/1999/XMLSchema", "complexType");
350             assertEquals(nodeList.getLength(), 26);
351             for (int i = 0; i < nodeList.getLength(); i++) {
352                 String idAttrValue = ((Element) nodeList.item(i)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
353                 if (i == 10) {
354                     assertSame(idAttrValue, "");
355                 } else {
356                     assertNotSame(idAttrValue, "");
357                     assertTrue(idAttrValue.length() > 0);
358                 }
359             }
360         }
361 
362         //done signature; now test sig-verification:
363         {
364             String action = WSHandlerConstants.SIGNATURE;
365             Properties properties = new Properties();
366             doInboundSecurityWithWSS4J_1(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action, properties, false);
367         }
368     }
369 
370     @Test
371     public void testSignaturePartsInbound() throws Exception {
372 
373         ByteArrayOutputStream baos = new ByteArrayOutputStream();
374         {
375             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
376             String action = WSHandlerConstants.SIGNATURE;
377             Properties properties = new Properties();
378             properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://www.w3.org/1999/XMLSchema}complexType;");
379             Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
380 
381             //some test that we can really sure we get what we want from WSS4J
382             NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
383             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
384 
385             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
386             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
387         }
388 
389         //done signature; now test sig-verification:
390         {
391             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
392             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
393             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
394             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
395 
396             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
397 
398             //header element must still be there
399             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
400             assertEquals(nodeList.getLength(), 1);
401             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
402         }
403     }
404 
405     @Test
406     public void testSignatureC14NInclusivePartsInbound() throws Exception {
407 
408         ByteArrayOutputStream baos = new ByteArrayOutputStream();
409         {
410             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
411             String action = WSHandlerConstants.SIGNATURE;
412             Properties properties = new Properties();
413             properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://www.w3.org/1999/XMLSchema}complexType;");
414             properties.setProperty("CanonicalizationAlgo", "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments");
415             Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
416 
417             //some test that we can really sure we get what we want from WSS4J
418             NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
419             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
420 
421             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
422             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
423         }
424 
425         //done signature; now test sig-verification:
426         {
427             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
428             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
429             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
430             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
431 
432             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
433 
434             //header element must still be there
435             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
436             assertEquals(nodeList.getLength(), 1);
437             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
438         }
439     }
440 
441     /**
442      * Since WSS4J hardcoded the C14N algo for References, we test against our framework
443      *
444      * @throws Exception
445      */
446     @Test
447     public void testSignatureC14NInclusivePartsInbound_1() throws Exception {
448 
449         ByteArrayOutputStream baos = new ByteArrayOutputStream();
450         {
451             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
452             List<WSSConstants.Action> actions = new ArrayList<>();
453             actions.add(WSSConstants.SIGNATURE);
454             securityProperties.setActions(actions);
455             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
456             securityProperties.setSignatureUser("transmitter");
457             securityProperties.addSignaturePart(new SecurePart(new QName("http://www.w3.org/1999/XMLSchema", "complexType"), SecurePart.Modifier.Element));
458             securityProperties.setSignatureCanonicalizationAlgorithm("http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments");
459             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
460 
461             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
462             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
463             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
464             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
465             xmlStreamWriter.close();
466 
467             Document securedDocument = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
468             NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
469             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
470         }
471 
472         //done signature; now test sig-verification:
473         {
474             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
475             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
476             securityProperties.addIgnoreBSPRule(BSPRule.R5404);
477             securityProperties.addIgnoreBSPRule(BSPRule.R5423);
478             securityProperties.addIgnoreBSPRule(BSPRule.R5412);
479             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
480             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
481 
482             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
483 
484             //header element must still be there
485             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
486             assertEquals(nodeList.getLength(), 1);
487             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
488         }
489     }
490 
491     /**
492      * Since WSS4J hardcoded the C14N algo for References, we test against our framework
493      *
494      * @throws Exception
495      */
496     @Test
497     public void testSignatureC14NInclusivePartsInbound_DisableAllBSPRules() throws Exception {
498 
499         ByteArrayOutputStream baos = new ByteArrayOutputStream();
500         {
501             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
502             List<WSSConstants.Action> actions = new ArrayList<>();
503             actions.add(WSSConstants.SIGNATURE);
504             securityProperties.setActions(actions);
505             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
506             securityProperties.setSignatureUser("transmitter");
507             securityProperties.addSignaturePart(new SecurePart(new QName("http://www.w3.org/1999/XMLSchema", "complexType"), SecurePart.Modifier.Element));
508             securityProperties.setSignatureCanonicalizationAlgorithm("http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments");
509             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
510 
511             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
512             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
513             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
514             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
515             xmlStreamWriter.close();
516 
517             Document securedDocument = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
518             NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
519             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
520         }
521 
522         //done signature; now test sig-verification:
523         {
524             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
525             securityProperties.setDisableBSPEnforcement(true);
526             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
527             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
528             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
529 
530             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
531 
532             //header element must still be there
533             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
534             assertEquals(nodeList.getLength(), 1);
535             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
536         }
537     }
538 
539     @Test
540     public void testSignatureKeyIdentifierIssuerSerialOutbound() throws Exception {
541 
542         ByteArrayOutputStream baos = new ByteArrayOutputStream();
543         {
544             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
545             List<WSSConstants.Action> actions = new ArrayList<>();
546             actions.add(WSSConstants.SIGNATURE);
547             securityProperties.setActions(actions);
548             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
549             securityProperties.setSignatureUser("transmitter");
550             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_IssuerSerial);
551             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
552 
553             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
554             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
555             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
556             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
557             xmlStreamWriter.close();
558 
559             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
560             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
561             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
562 
563             XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/dsig:Signature/dsig:KeyInfo/wsse:SecurityTokenReference/dsig:X509Data/dsig:X509IssuerSerial/dsig:X509SerialNumber");
564             Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
565             assertNotNull(node);
566 
567             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
568             assertEquals(nodeList.getLength(), 1);
569 
570             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
571             assertEquals(nodeList.getLength(), 1);
572             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
573             assertNotNull(idAttrValue);
574             assertTrue(idAttrValue.length() > 0);
575         }
576 
577         //done signature; now test sig-verification:
578         {
579             String action = WSHandlerConstants.SIGNATURE;
580             doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
581         }
582     }
583 
584     @Test
585     public void testSignatureKeyIdentifierIssuerSerialInbound() throws Exception {
586 
587         ByteArrayOutputStream baos = new ByteArrayOutputStream();
588         {
589             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
590             String action = WSHandlerConstants.SIGNATURE;
591             Properties properties = new Properties();
592             properties.setProperty(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
593             Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
594 
595             //some test that we can really sure we get what we want from WSS4J
596             XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/dsig:Signature/dsig:KeyInfo/wsse:SecurityTokenReference/dsig:X509Data/dsig:X509IssuerSerial/dsig:X509SerialNumber");
597             Node node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
598             assertNotNull(node);
599 
600             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
601             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
602         }
603 
604         //done signature; now test sig-verification:
605         {
606             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
607             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
608             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
609             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
610 
611             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
612 
613             //header element must still be there
614             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
615             assertEquals(nodeList.getLength(), 1);
616             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
617         }
618     }
619 
620     @Test
621     public void testSignatureKeyIdentifierIssuerSerialIncludeTokenOutbound() throws Exception {
622 
623         ByteArrayOutputStream baos = new ByteArrayOutputStream();
624         {
625             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
626             List<WSSConstants.Action> actions = new ArrayList<>();
627             actions.add(WSSConstants.SIGNATURE);
628             securityProperties.setActions(actions);
629             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
630             securityProperties.setSignatureUser("transmitter");
631             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_IssuerSerial);
632             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
633             securityProperties.setIncludeSignatureToken(true);
634 
635             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
636             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
637             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
638             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
639             xmlStreamWriter.close();
640 
641             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
642             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
643             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
644 
645             XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/dsig:Signature/dsig:KeyInfo/wsse:SecurityTokenReference/dsig:X509Data/dsig:X509IssuerSerial/dsig:X509SerialNumber");
646             Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
647             assertNotNull(node);
648 
649             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
650             assertEquals(nodeList.getLength(), 1);
651 
652             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
653             assertEquals(nodeList.getLength(), 1);
654             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
655             assertNotNull(idAttrValue);
656             assertTrue(idAttrValue.length() > 0);
657         }
658 
659         //done signature; now test sig-verification:
660         {
661             String action = WSHandlerConstants.SIGNATURE;
662             doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
663         }
664     }
665 
666     @Test
667     public void testSignatureKeyIdentifierBinarySecurityTokenDirectReferenceOutbound() throws Exception {
668 
669         ByteArrayOutputStream baos = new ByteArrayOutputStream();
670         {
671             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
672             List<WSSConstants.Action> actions = new ArrayList<>();
673             actions.add(WSSConstants.SIGNATURE);
674             securityProperties.setActions(actions);
675             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
676             securityProperties.setSignatureUser("transmitter");
677             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
678             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
679 
680             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
681             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
682             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
683             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
684             xmlStreamWriter.close();
685 
686             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
687             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
688             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
689 
690             XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/wsse:BinarySecurityToken");
691             Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
692             assertNotNull(node);
693 
694             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
695             assertEquals(nodeList.getLength(), 1);
696 
697             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
698             assertEquals(nodeList.getLength(), 1);
699             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
700             assertNotNull(idAttrValue);
701             assertTrue(idAttrValue.length() > 0);
702         }
703 
704         //done signature; now test sig-verification:
705         {
706             String action = WSHandlerConstants.SIGNATURE;
707             doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
708         }
709     }
710 
711     @Test
712     public void testSignatureKeyIdentifierBinarySecurityTokenDirectReferenceInbound() throws Exception {
713 
714         ByteArrayOutputStream baos = new ByteArrayOutputStream();
715         {
716             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
717             String action = WSHandlerConstants.SIGNATURE;
718             Properties properties = new Properties();
719             properties.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
720             Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
721 
722             //some test that we can really sure we get what we want from WSS4J
723             XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/wsse:BinarySecurityToken");
724             Node node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
725             assertNotNull(node);
726 
727             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
728             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
729         }
730 
731         //done signature; now test sig-verification:
732         {
733             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
734             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
735             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
736             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
737 
738             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
739 
740             //header element must still be there
741             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
742             assertEquals(nodeList.getLength(), 1);
743             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
744         }
745     }
746 
747 /*  Not spec conform and therefore not supported!:
748     @Test
749     public void testSignatureKeyIdentifierBinarySecurityTokenEmbedded() throws Exception {
750 
751         ByteArrayOutputStream baos = new ByteArrayOutputStream();
752         {
753             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
754             WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.SIGNATURE};
755             securityProperties.setActions(actions);
756             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
757             securityProperties.setSignatureUser("transmitter");
758             securityProperties.setSignatureKeyIdentifierType(WSSConstants.WSSKeyIdentifierType.BST_EMBEDDED);
759             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
760 
761             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
762             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
763             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
764             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
765             xmlStreamWriter.close();
766 
767             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
768             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
769             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
770 
771             XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/dsig:Signature/dsig:KeyInfo/wsse:SecurityTokenReference/wsse:Reference/wsse:BinarySecurityToken");
772             Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
773             assertNotNull(node);
774 
775             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
776             assertEquals(nodeList.getLength(), 1);
777 
778             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
779             assertEquals(nodeList.getLength(), 1);
780             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
781             assertNotNull(idAttrValue);
782             assertTrue(idAttrValue.length() > 0);
783         }
784 
785         //done signature; now test sig-verification:
786         {
787             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
788             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
789             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
790             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
791 
792             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
793 
794             //header element must still be there
795             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
796             assertEquals(nodeList.getLength(), 1);
797             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
798         }
799     }*/
800 
801     @Test
802     public void testSignatureKeyIdentifierX509KeyOutbound() throws Exception {
803 
804         ByteArrayOutputStream baos = new ByteArrayOutputStream();
805         {
806             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
807             List<WSSConstants.Action> actions = new ArrayList<>();
808             actions.add(WSSConstants.SIGNATURE);
809             securityProperties.setActions(actions);
810             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
811             securityProperties.setSignatureUser("transmitter");
812             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
813             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
814 
815             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
816             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
817             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
818             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
819             xmlStreamWriter.close();
820 
821             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
822             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
823             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
824 
825             XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/dsig:Signature/dsig:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier[@ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3']");
826             Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
827             assertNotNull(node);
828 
829             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
830             assertEquals(nodeList.getLength(), 1);
831 
832             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
833             assertEquals(nodeList.getLength(), 1);
834             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
835             assertNotNull(idAttrValue);
836             assertTrue(idAttrValue.length() > 0);
837         }
838 
839         //done signature; now test sig-verification:
840         {
841             String action = WSHandlerConstants.SIGNATURE;
842             Properties properties = new Properties();
843             doInboundSecurityWithWSS4J_1(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action, properties, false);
844         }
845     }
846 
847     @Test
848     public void testSignatureKeyIdentifierX509KeyInbound() throws Exception {
849 
850         ByteArrayOutputStream baos = new ByteArrayOutputStream();
851         {
852             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
853             String action = WSHandlerConstants.SIGNATURE;
854             Properties properties = new Properties();
855             properties.setProperty(WSHandlerConstants.SIG_KEY_ID, "X509KeyIdentifier");
856             Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
857 
858             //some test that we can really sure we get what we want from WSS4J
859             XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/dsig:Signature/dsig:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier[@ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3']");
860             Node node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
861             assertNotNull(node);
862 
863             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
864             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
865         }
866 
867         //done signature; now test sig-verification:
868         {
869             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
870             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
871             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
872             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
873 
874             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
875 
876             //header element must still be there
877             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
878             assertEquals(nodeList.getLength(), 1);
879             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
880         }
881     }
882 
883     @Test
884     public void testSignatureKeyIdentifierSubjectKeyOutbound() throws Exception {
885 
886         ByteArrayOutputStream baos = new ByteArrayOutputStream();
887         {
888             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
889             List<WSSConstants.Action> actions = new ArrayList<>();
890             actions.add(WSSConstants.SIGNATURE);
891             securityProperties.setActions(actions);
892             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
893             securityProperties.setSignatureUser("transmitter");
894             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_SkiKeyIdentifier);
895             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
896 
897             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
898             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
899             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
900             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
901             xmlStreamWriter.close();
902 
903             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
904             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
905             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
906 
907             XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/dsig:Signature/dsig:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier[@ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier']");
908             Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
909             assertNotNull(node);
910 
911             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
912             assertEquals(nodeList.getLength(), 1);
913 
914             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
915             assertEquals(nodeList.getLength(), 1);
916             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
917             assertNotNull(idAttrValue);
918             assertTrue(idAttrValue.length() > 0);
919         }
920 
921         //done signature; now test sig-verification:
922         {
923             String action = WSHandlerConstants.SIGNATURE;
924             doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
925         }
926     }
927 
928     @Test
929     public void testSignatureKeyIdentifierSubjectKeyInbound() throws Exception {
930 
931         ByteArrayOutputStream baos = new ByteArrayOutputStream();
932         {
933             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
934             String action = WSHandlerConstants.SIGNATURE;
935             Properties properties = new Properties();
936             properties.setProperty(WSHandlerConstants.SIG_KEY_ID, "SKIKeyIdentifier");
937             Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
938 
939             //some test that we can really sure we get what we want from WSS4J
940             XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/dsig:Signature/dsig:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier[@ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier']");
941             Node node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
942             assertNotNull(node);
943 
944             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
945             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
946         }
947 
948         //done signature; now test sig-verification:
949         {
950             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
951             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
952             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
953             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
954 
955             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
956 
957             //header element must still be there
958             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
959             assertEquals(nodeList.getLength(), 1);
960             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
961         }
962     }
963 
964     @Test
965     public void testSignatureKeyIdentifierThumbprintOutbound() throws Exception {
966 
967         ByteArrayOutputStream baos = new ByteArrayOutputStream();
968         {
969             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
970             List<WSSConstants.Action> actions = new ArrayList<>();
971             actions.add(WSSConstants.SIGNATURE);
972             securityProperties.setActions(actions);
973             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
974             securityProperties.setSignatureUser("transmitter");
975             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER);
976             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
977 
978             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
979             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
980             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
981             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
982             xmlStreamWriter.close();
983 
984             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
985             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
986             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
987 
988             XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/dsig:Signature/dsig:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier[@ValueType='http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1']");
989             Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
990             assertNotNull(node);
991 
992             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
993             assertEquals(nodeList.getLength(), 1);
994 
995             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
996             assertEquals(nodeList.getLength(), 1);
997             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
998             assertNotNull(idAttrValue);
999             assertTrue(idAttrValue.length() > 0);
1000         }
1001 
1002         //done signature; now test sig-verification:
1003         {
1004             String action = WSHandlerConstants.SIGNATURE;
1005             doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
1006         }
1007     }
1008 
1009     @Test
1010     public void testSignatureKeyIdentifierThumbprintInbound() throws Exception {
1011 
1012         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1013         {
1014             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
1015             String action = WSHandlerConstants.SIGNATURE;
1016             Properties properties = new Properties();
1017             properties.setProperty(WSHandlerConstants.SIG_KEY_ID, "Thumbprint");
1018             Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
1019 
1020             //some test that we can really sure we get what we want from WSS4J
1021             XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/dsig:Signature/dsig:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier[@ValueType='http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1']");
1022             Node node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
1023             assertNotNull(node);
1024 
1025             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
1026             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
1027         }
1028 
1029         //done signature; now test sig-verification:
1030         {
1031             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1032             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
1033             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
1034             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
1035 
1036             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
1037 
1038             //header element must still be there
1039             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1040             assertEquals(nodeList.getLength(), 1);
1041             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1042         }
1043     }
1044 
1045 
1046     @Test
1047     public void testSignatureKeyIdentifierThumbprintIncludeTokenOutbound() throws Exception {
1048 
1049         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1050         {
1051             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1052             List<WSSConstants.Action> actions = new ArrayList<>();
1053             actions.add(WSSConstants.SIGNATURE);
1054             securityProperties.setActions(actions);
1055             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
1056             securityProperties.setSignatureUser("transmitter");
1057             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER);
1058             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
1059             securityProperties.setIncludeSignatureToken(true);
1060 
1061             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
1062             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
1063             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
1064             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
1065             xmlStreamWriter.close();
1066 
1067             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
1068             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1069             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1070 
1071             XPathExpression xPathExpression = getXPath("/soap:Envelope/soap:Header/wsse:Security/dsig:Signature/dsig:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier[@ValueType='http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1']");
1072             Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
1073             assertNotNull(node);
1074 
1075             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
1076             assertEquals(nodeList.getLength(), 1);
1077 
1078             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
1079             assertEquals(nodeList.getLength(), 1);
1080             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
1081             assertNotNull(idAttrValue);
1082             assertTrue(idAttrValue.length() > 0);
1083         }
1084 
1085         //done signature; now test sig-verification:
1086         {
1087             String action = WSHandlerConstants.SIGNATURE;
1088             doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
1089         }
1090     }
1091 
1092     @Test
1093     public void testSignatureKeyIdentifierSha1Outbound() throws Exception {
1094 
1095         KeyGenerator keyGen = KeyGenerator.getInstance("AES");
1096         keyGen.init(128);
1097         final SecretKey key = keyGen.generateKey();
1098 
1099         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1100         {
1101             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1102             List<WSSConstants.Action> actions = new ArrayList<>();
1103             actions.add(WSSConstants.SIGNATURE);
1104             securityProperties.setActions(actions);
1105             securityProperties.setSignatureUser("transmitter");
1106             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
1107             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
1108             securityProperties.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#hmac-sha1");
1109             securityProperties.setCallbackHandler(
1110                     new CallbackHandlerImpl(key.getEncoded()){
1111                         @Override
1112                         public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
1113                             WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
1114                             pc.setKey(key.getEncoded());
1115                         }
1116                     }
1117             );
1118 
1119             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
1120             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
1121             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
1122             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
1123             xmlStreamWriter.close();
1124 
1125             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
1126             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1127             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1128 
1129             XPathExpression xPathExpression =
1130                     getXPath("/soap:Envelope/soap:Header/wsse:Security/dsig:Signature/dsig:KeyInfo/" +
1131                             "wsse:SecurityTokenReference/wsse:KeyIdentifier[@ValueType=" +
1132                             "'http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1']");
1133             Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
1134             assertNotNull(node);
1135 
1136             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
1137             assertEquals(nodeList.getLength(), 1);
1138 
1139             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
1140             assertEquals(nodeList.getLength(), 1);
1141             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
1142             assertNotNull(idAttrValue);
1143             assertTrue(idAttrValue.length() > 0);
1144         }
1145 
1146         //done signature; now test sig-verification:
1147         {
1148             String action = WSHandlerConstants.SIGNATURE;
1149             Properties properties = new Properties();
1150             WSS4JCallbackHandlerImpl callbackHandler = new WSS4JCallbackHandlerImpl(key.getEncoded());
1151             properties.put(WSHandlerConstants.PW_CALLBACK_REF, callbackHandler);
1152             doInboundSecurityWithWSS4J_1(
1153                     documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())),
1154                     action, properties, true);
1155         }
1156     }
1157 
1158     @Test
1159     public void testSignatureKeyIdentifierSha1Inbound() throws Exception {
1160 
1161         KeyGenerator keyGen = KeyGenerator.getInstance("AES");
1162         keyGen.init(128);
1163         SecretKey key = keyGen.generateKey();
1164 
1165         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1166         {
1167             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
1168 
1169             Document doc = documentBuilderFactory.newDocumentBuilder().parse(sourceDocument);
1170             WSSecHeader secHeader = new WSSecHeader(doc);
1171             secHeader.insertSecurityHeader();
1172 
1173             WSSecSignature sign = new WSSecSignature(secHeader);
1174             sign.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
1175             sign.setSecretKey(key.getEncoded());
1176             sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
1177 
1178             Document securedDocument = sign.build(null);
1179 
1180             //some test that we can really sure we get what we want from WSS4J
1181             XPathExpression xPathExpression =
1182                     getXPath("/soap:Envelope/soap:Header/wsse:Security/dsig:Signature/dsig:KeyInfo/" +
1183                                     "wsse:SecurityTokenReference/wsse:KeyIdentifier[@ValueType=" +
1184                                     "'http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1']");
1185             Node node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
1186             assertNotNull(node);
1187 
1188             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
1189             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
1190         }
1191 
1192         //done signature; now test sig-verification:
1193         {
1194             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1195             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
1196             securityProperties.setCallbackHandler(new CallbackHandlerImpl(key.getEncoded()));
1197             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
1198             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
1199 
1200             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
1201 
1202             //header element must still be there
1203             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1204             assertEquals(nodeList.getLength(), 1);
1205             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1206         }
1207     }
1208 
1209     @Test
1210     public void testSignatureUsePKIPathOutbound() throws Exception {
1211 
1212         // Needs BouncyCastle to work properly...
1213         if (Security.getProvider("BC") == null) {
1214             return;
1215         }
1216 
1217         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1218         {
1219             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1220             List<WSSConstants.Action> actions = new ArrayList<>();
1221             actions.add(WSSConstants.SIGNATURE);
1222             securityProperties.setActions(actions);
1223             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
1224             securityProperties.setSignatureUser("transmitter");
1225             securityProperties.setUseSingleCert(false);
1226             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
1227             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
1228 
1229             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
1230             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
1231             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
1232             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
1233             xmlStreamWriter.close();
1234 
1235             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
1236             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1237             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1238 
1239             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
1240             assertEquals(nodeList.getLength(), 1);
1241 
1242             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
1243             assertEquals(nodeList.getLength(), 1);
1244             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
1245             assertNotNull(idAttrValue);
1246             assertTrue(idAttrValue.length() > 0);
1247         }
1248 
1249         //done signature; now test sig-verification:
1250         {
1251             String action = WSHandlerConstants.SIGNATURE;
1252             doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
1253         }
1254     }
1255 
1256     @Test
1257     public void testSignatureUsePKIPathInbound() throws Exception {
1258 
1259         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1260         {
1261             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
1262             String action = WSHandlerConstants.SIGNATURE;
1263             Properties properties = new Properties();
1264             properties.setProperty(WSHandlerConstants.USE_SINGLE_CERTIFICATE, "false");
1265             Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
1266 
1267             //some test that we can really sure we get what we want from WSS4J
1268             NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1269             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1270 
1271             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
1272             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
1273         }
1274 
1275         //done signature; now test sig-verification:
1276         {
1277             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1278             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
1279             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
1280             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
1281 
1282             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
1283 
1284             //header element must still be there
1285             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1286             assertEquals(nodeList.getLength(), 1);
1287             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1288         }
1289     }
1290 
1291     @Test
1292     public void testSignatureRSAKeyValue() throws Exception {
1293 
1294         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1295         {
1296             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1297             List<WSSConstants.Action> actions = new ArrayList<>();
1298             actions.add(WSSConstants.SIGNATURE);
1299             securityProperties.setActions(actions);
1300             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
1301             securityProperties.setSignatureUser("transmitter");
1302             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_KeyValue);
1303             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
1304 
1305             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
1306             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
1307             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
1308             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
1309             xmlStreamWriter.close();
1310 
1311             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
1312             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1313             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1314 
1315             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_RSAKeyValue.getNamespaceURI(), WSSConstants.TAG_dsig_RSAKeyValue.getLocalPart());
1316             assertEquals(nodeList.getLength(), 1);
1317 
1318             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
1319             assertEquals(nodeList.getLength(), 1);
1320             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
1321             assertNotNull(idAttrValue);
1322             assertTrue(idAttrValue.length() > 0);
1323         }
1324         //done signature; now test sig-verification:
1325         {
1326             String action = WSHandlerConstants.SIGNATURE;
1327             Properties properties = new Properties();
1328             doInboundSecurityWithWSS4J_1(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action, properties, false);
1329         }
1330         //also test swssf inbound
1331         {
1332             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1333             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
1334             securityProperties.addIgnoreBSPRule(BSPRule.R5421);
1335             securityProperties.addIgnoreBSPRule(BSPRule.R5417);
1336             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
1337 
1338             WSSecurityEventConstants.Event[] expectedSecurityEvents = new WSSecurityEventConstants.Event[]{
1339                     WSSecurityEventConstants.AlgorithmSuite,
1340                     WSSecurityEventConstants.AlgorithmSuite,
1341                     WSSecurityEventConstants.AlgorithmSuite,
1342                     WSSecurityEventConstants.AlgorithmSuite,
1343                     WSSecurityEventConstants.KeyValueToken,
1344                     WSSecurityEventConstants.SignatureValue,
1345                     WSSecurityEventConstants.SIGNED_PART,
1346                     WSSecurityEventConstants.OPERATION,
1347             };
1348             final TestSecurityEventListener securityEventListener = new TestSecurityEventListener(expectedSecurityEvents);
1349             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null, securityEventListener);
1350             StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
1351 
1352             securityEventListener.compare();
1353 
1354             SignedPartSecurityEvent signedPartSecurityEvent = securityEventListener.getSecurityEvent(WSSecurityEventConstants.SIGNED_PART);
1355             SignatureValueSecurityEvent signatureValueSecurityEvent = securityEventListener.getSecurityEvent(WSSecurityEventConstants.SignatureValue);
1356             OperationSecurityEvent operationSecurityEvent = securityEventListener.getSecurityEvent(WSSecurityEventConstants.OPERATION);
1357             String signedElementCorrelationID = signedPartSecurityEvent.getCorrelationID();
1358             String signatureValueCorrelationID = signatureValueSecurityEvent.getCorrelationID();
1359             String operationCorrelationID = operationSecurityEvent.getCorrelationID();
1360 
1361             List<SecurityEvent> operationSecurityEvents = new ArrayList<>();
1362             List<SecurityEvent> signedElementSecurityEvents = new ArrayList<>();
1363             List<SecurityEvent> signatureValueSecurityEvents = new ArrayList<>();
1364 
1365             List<SecurityEvent> securityEvents = securityEventListener.getReceivedSecurityEvents();
1366             for (SecurityEvent securityEvent : securityEvents) {
1367                 if (securityEvent.getCorrelationID().equals(signedElementCorrelationID)) {
1368                     signedElementSecurityEvents.add(securityEvent);
1369                 } else if (securityEvent.getCorrelationID().equals(signatureValueCorrelationID)) {
1370                     signatureValueSecurityEvents.add(securityEvent);
1371                 } else if (securityEvent.getCorrelationID().equals(operationCorrelationID)) {
1372                     operationSecurityEvents.add(securityEvent);
1373                 }
1374             }
1375 
1376             assertEquals(3, signedElementSecurityEvents.size());
1377             assertEquals(4, signatureValueSecurityEvents.size());
1378             assertEquals(securityEventListener.getReceivedSecurityEvents().size(),
1379                     operationSecurityEvents.size() +
1380                             signedElementSecurityEvents.size() + signatureValueSecurityEvents.size()
1381             );
1382         }
1383     }
1384 
1385     @Test
1386     public void testSignatureDSAKeyValue() throws Exception {
1387 
1388         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1389         {
1390             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1391             List<WSSConstants.Action> actions = new ArrayList<>();
1392             actions.add(WSSConstants.SIGNATURE);
1393             securityProperties.setActions(actions);
1394             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
1395             securityProperties.setSignatureUser("transmitter-dsa");
1396             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_KeyValue);
1397             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
1398             securityProperties.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#dsa-sha1");
1399 
1400             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
1401             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
1402             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
1403             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
1404             xmlStreamWriter.close();
1405 
1406             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
1407             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1408             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1409 
1410             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_DSAKeyValue.getNamespaceURI(), WSSConstants.TAG_dsig_DSAKeyValue.getLocalPart());
1411             assertEquals(nodeList.getLength(), 1);
1412 
1413             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
1414             assertEquals(nodeList.getLength(), 1);
1415             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
1416             assertNotNull(idAttrValue);
1417             assertTrue(idAttrValue.length() > 0);
1418         }
1419         //done signature; now test sig-verification:
1420         {
1421             String action = WSHandlerConstants.SIGNATURE;
1422             Properties properties = new Properties();
1423             doInboundSecurityWithWSS4J_1(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action, properties, false);
1424         }
1425         //also test swssf inbound
1426         {
1427             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1428             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
1429             securityProperties.addIgnoreBSPRule(BSPRule.R5421);
1430             securityProperties.addIgnoreBSPRule(BSPRule.R5417);
1431             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
1432             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
1433 
1434             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
1435             assertNotNull(document);
1436         }
1437     }
1438 
1439     @Test
1440     public void testSignatureECKeyValue() throws Exception {
1441 
1442         //
1443         // This test fails with the IBM JDK and with JDK 1.8
1444         // TODO - Re-enable with JDK 1.8 when we fix Santuario
1445         //
1446         if ("IBM Corporation".equals(System.getProperty("java.vendor"))
1447             || System.getProperty("java.version") != null
1448                 && System.getProperty("java.version").startsWith("1.8")) {
1449             return;
1450         }
1451 
1452         if (Security.getProvider("BC") == null) {
1453             return;
1454         }
1455 
1456         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1457         {
1458             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1459             List<WSSConstants.Action> actions = new ArrayList<>();
1460             actions.add(WSSConstants.SIGNATURE);
1461             securityProperties.setActions(actions);
1462             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
1463             securityProperties.setSignatureUser("transmitter-ecdsa");
1464             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_KeyValue);
1465             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
1466             securityProperties.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512");
1467 
1468             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
1469             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
1470             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
1471             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
1472             xmlStreamWriter.close();
1473 
1474             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
1475             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1476             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1477 
1478             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig11_ECKeyValue.getNamespaceURI(), WSSConstants.TAG_dsig11_ECKeyValue.getLocalPart());
1479             assertEquals(nodeList.getLength(), 1);
1480 
1481             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
1482             assertEquals(nodeList.getLength(), 1);
1483             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
1484             assertNotNull(idAttrValue);
1485             assertTrue(idAttrValue.length() > 0);
1486         }
1487         //done signature; now test sig-verification:
1488         {
1489             String action = WSHandlerConstants.SIGNATURE;
1490             Properties properties = new Properties();
1491             doInboundSecurityWithWSS4J_1(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action, properties, false);
1492         }
1493         //also test swssf inbound
1494         {
1495             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1496             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
1497             securityProperties.addIgnoreBSPRule(BSPRule.R5421);
1498             securityProperties.addIgnoreBSPRule(BSPRule.R5417);
1499             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
1500             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
1501 
1502             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
1503             assertNotNull(document);
1504         }
1505     }
1506 
1507     @Test
1508     public void testSignatureHMACOutputLengthInbound() throws Exception {
1509 
1510         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1511         {
1512             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
1513             String action = WSHandlerConstants.SIGNATURE;
1514             Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, new Properties());
1515 
1516             NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_SignatureMethod.getNamespaceURI(), WSSConstants.TAG_dsig_SignatureMethod.getLocalPart());
1517             Element hmacElement = securedDocument.createElementNS(WSSConstants.TAG_dsig_HMACOutputLength.getNamespaceURI(), WSSConstants.TAG_dsig_HMACOutputLength.getLocalPart());
1518             hmacElement.setTextContent("abc");
1519             nodeList.item(0).appendChild(hmacElement);
1520 
1521             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
1522             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
1523         }
1524 
1525         //done signature; now test sig-verification:
1526         {
1527             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1528             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
1529             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
1530             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
1531 
1532             try {
1533                 StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
1534                 fail("Should have thrown XMLStreamException");
1535             } catch (XMLStreamException e) {
1536                 assertTrue(e.getCause() instanceof WSSecurityException);
1537                 assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.INVALID_SECURITY);
1538             }
1539         }
1540     }
1541 
1542     @Test
1543     public void testInboundRequiredAlgorithm() throws Exception {
1544 
1545         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1546         {
1547             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
1548             String action = WSHandlerConstants.SIGNATURE;
1549             Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, new Properties());
1550 
1551             //some test that we can really sure we get what we want from WSS4J
1552             NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1553             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1554 
1555             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
1556             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
1557         }
1558 
1559         //done signature; now test sig-verification:
1560         {
1561             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1562             securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_RSASHA1);
1563             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
1564             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
1565             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
1566 
1567             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
1568 
1569             //header element must still be there
1570             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1571             assertEquals(nodeList.getLength(), 1);
1572             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1573         }
1574 
1575         // This should fail as we require another signature algorithm
1576         {
1577             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1578             securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_HMACSHA1);
1579             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
1580             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
1581 
1582             try {
1583                 XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
1584                 StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
1585                 fail("Failure expected on the wrong signature algorithm");
1586             } catch (XMLStreamException e) {
1587                 assertTrue(e.getCause() instanceof WSSecurityException);
1588             }
1589         }
1590     }
1591 
1592     @Test
1593     public void testSignaturePropertiesOutbound() throws Exception {
1594 
1595         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1596         {
1597             Map<String, Object> config = new HashMap<>();
1598             config.put(ConfigurationConstants.ACTION, ConfigurationConstants.SIGNATURE);
1599             config.put(ConfigurationConstants.SIGNATURE_USER, "transmitter");
1600             config.put(ConfigurationConstants.PW_CALLBACK_REF, new CallbackHandlerImpl());
1601             config.put(ConfigurationConstants.SIG_PROP_FILE, "transmitter-crypto.properties");
1602 
1603             WSSSecurityProperties securityProperties = ConfigurationConverter.convert(config);
1604             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
1605             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
1606             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
1607             XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
1608             xmlStreamWriter.close();
1609 
1610             Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
1611             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1612             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1613 
1614             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
1615             assertEquals(nodeList.getLength(), 1);
1616 
1617             nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
1618             assertEquals(nodeList.getLength(), 1);
1619             String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
1620             assertNotNull(idAttrValue);
1621             assertTrue(idAttrValue.length() > 0);
1622 
1623             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_c14nExcl_InclusiveNamespaces.getNamespaceURI(), WSSConstants.TAG_c14nExcl_InclusiveNamespaces.getLocalPart());
1624             assertEquals(nodeList.getLength(), 2);
1625             assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_PrefixList.getLocalPart()), "env");
1626             assertEquals(((Element) nodeList.item(1)).getAttributeNS(null, WSSConstants.ATT_NULL_PrefixList.getLocalPart()), "");
1627         }
1628         //done signature; now test sig-verification:
1629         {
1630             String action = WSHandlerConstants.SIGNATURE;
1631             doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
1632         }
1633     }
1634 
1635     @Test
1636     public void testSignaturePropertiesInbound() throws Exception {
1637 
1638         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1639         {
1640             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
1641             String action = WSHandlerConstants.SIGNATURE;
1642             Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, new Properties());
1643 
1644             //some test that we can really sure we get what we want from WSS4J
1645             NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1646             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1647 
1648             javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
1649             transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
1650         }
1651 
1652         //done signature; now test sig-verification:
1653         {
1654             Map<String, Object> config = new HashMap<>();
1655             config.put(ConfigurationConstants.ACTION, ConfigurationConstants.SIGNATURE);
1656             config.put(ConfigurationConstants.SIG_VER_PROP_FILE, "transmitter-crypto.properties");
1657 
1658             WSSSecurityProperties securityProperties = ConfigurationConverter.convert(config);
1659             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
1660             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
1661 
1662             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
1663 
1664             //header element must still be there
1665             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
1666             assertEquals(nodeList.getLength(), 1);
1667             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
1668         }
1669     }
1670 
1671     @Test
1672     public void testElementToSignNotFound() throws Exception {
1673 
1674         ByteArrayOutputStream baos = new ByteArrayOutputStream();
1675         {
1676             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
1677             List<WSSConstants.Action> actions = new ArrayList<>();
1678             actions.add(WSSConstants.SIGNATURE);
1679             securityProperties.setActions(actions);
1680             securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
1681             securityProperties.setSignatureUser("transmitter");
1682             securityProperties.setTokenUser("transmitter");
1683             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
1684             securityProperties.addSignaturePart(
1685                     new SecurePart(new QName(WSSConstants.NS_WSSE10, "UsernameToken"), SecurePart.Modifier.Element)
1686             );
1687             securityProperties.addSignaturePart(
1688                     new SecurePart(new QName(WSSConstants.NS_SOAP11, "Body"), SecurePart.Modifier.Element)
1689             );
1690 
1691             OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
1692             XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
1693             XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
1694 
1695             try {
1696                 XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
1697                 xmlStreamWriter.close();
1698                 fail("Exception expected");
1699             } catch (XMLStreamException e) {
1700                 assertTrue(e.getCause() instanceof XMLSecurityException);
1701                 assertEquals("Part to sign not found: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken", e.getCause().getMessage());
1702             }
1703         }
1704     }
1705 }