
Example 76 with InboundXMLSec

use of org.apache.xml.security.stax.ext.InboundXMLSec in project testcases by coheigea.

the class EncryptionUtils method decryptUsingStAX.

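/**
 * Decrypt the document using the StAX API of Apache Santuario - XML Security for Java,
 * then assert that every expected element was reported as encrypted.
 *
 * <p>The secured stream is drained to the end so that the inbound processor can emit all of
 * its security events; the decrypted events themselves are discarded. A successful decryption
 * alone is not treated as sufficient: the method also checks, name by name, that each element
 * the caller expected to be protected produced an {@code EncryptedElement} event.
 *
 * @param inputStream    the encrypted XML document; closed by this method on every path
 * @param namesToEncrypt qualified names that must each match an encrypted-element event
 * @param privateKey     key passed to the processor as the decryption key
 * @throws Exception if parsing or decryption fails
 */
public static void decryptUsingStAX(InputStream inputStream, List<QName> namesToEncrypt, Key privateKey) throws Exception {
    // Set up the Configuration: decryption is the only inbound action that is enabled.
    XMLSecurityProperties properties = new XMLSecurityProperties();
    List<XMLSecurityConstants.Action> actions = new ArrayList<XMLSecurityConstants.Action>();
    actions.add(XMLSecurityConstants.ENCRYPT);
    properties.setActions(actions);
    properties.setDecryptionKey(privateKey);
    InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);

    // The document is parsed before any cryptographic check has succeeded, so the parser is
    // told to refuse DTDs and external entities instead of relying on the factory defaults.
    XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
    xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);

    TestSecurityEventListener eventListener = new TestSecurityEventListener();
    try {
        final XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(inputStream);
        try {
            XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, eventListener);
            // Drain the stream; the security events are collected by the listener as a side effect.
            while (securityStreamReader.hasNext()) {
                securityStreamReader.next();
            }
        } finally {
            // Release the reader even when decryption fails part-way through the document.
            xmlStreamReader.close();
        }
    } finally {
        inputStream.close();
    }

    // Check that what we were expecting to be encrypted was actually encrypted
    List<EncryptedElementSecurityEvent> encryptedElementEvents = eventListener.getSecurityEvents(SecurityEventConstants.EncryptedElement);
    Assert.assertNotNull(encryptedElementEvents);
    for (QName nameToEncrypt : namesToEncrypt) {
        boolean found = false;
        for (EncryptedElementSecurityEvent encryptedElement : encryptedElementEvents) {
            // NOTE(review): the match is by qualified name only (via getEncryptedQName, defined
            // elsewhere); it does not pin the element's position in the document - confirm that
            // this is strict enough for the documents under test.
            if (encryptedElement.isEncrypted() && nameToEncrypt.equals(getEncryptedQName(encryptedElement.getElementPath()))) {
                found = true;
                break;
            }
        }
        Assert.assertTrue(found);
    }
}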
Also used : XMLSecurityConstants(org.apache.xml.security.stax.ext.XMLSecurityConstants) XMLStreamReader(javax.xml.stream.XMLStreamReader) EncryptedElementSecurityEvent(org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent) QName(javax.xml.namespace.QName) ArrayList(java.util.ArrayList) InboundXMLSec(org.apache.xml.security.stax.ext.InboundXMLSec) XMLSecurityProperties(org.apache.xml.security.stax.ext.XMLSecurityProperties) XMLInputFactory(javax.xml.stream.XMLInputFactory)

Example 77 with InboundXMLSec

use of org.apache.xml.security.stax.ext.InboundXMLSec in project testcases by coheigea.

the class SignatureUtils method verifyUsingStAX.

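/**
 * Verify the document using the StAX API of Apache Santuario - XML Security for Java,
 * then assert both what was signed and which certificate signed it.
 *
 * <p>Three things are checked after the secured stream has been drained: the processor raised
 * no error while validating, every expected element produced a {@code SignedElement} event,
 * and the X.509 token reported by the processor carries the expected certificate. The last two
 * checks matter because a valid signature says nothing by itself about which elements it
 * covers or whose key produced it.
 *
 * @param inputStream the signed XML document; closed by this method on every path
 * @param namesToSign qualified names that must each match a signed-element event
 * @param cert        certificate whose public key verifies the signature and which must be
 *                    the first certificate of the reported X.509 token
 * @throws Exception if parsing or signature validation fails
 */
public static void verifyUsingStAX(InputStream inputStream, List<QName> namesToSign, X509Certificate cert) throws Exception {
    // Set up the Configuration: signature verification is the only inbound action enabled.
    XMLSecurityProperties properties = new XMLSecurityProperties();
    List<XMLSecurityConstants.Action> actions = new ArrayList<XMLSecurityConstants.Action>();
    actions.add(XMLSecurityConstants.SIGNATURE);
    properties.setActions(actions);
    // The verification key comes from the caller, not from the document being verified.
    properties.setSignatureVerificationKey(cert.getPublicKey());
    InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);

    // The document is parsed before the signature has been validated, so the parser is told
    // to refuse DTDs and external entities instead of relying on the factory defaults.
    XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
    xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);

    TestSecurityEventListener eventListener = new TestSecurityEventListener();
    try {
        final XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(inputStream);
        try {
            XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, eventListener);
            // Drain the stream; the security events are collected by the listener as a side effect.
            while (securityStreamReader.hasNext()) {
                securityStreamReader.next();
            }
        } finally {
            // Release the reader even when validation fails part-way through the document.
            xmlStreamReader.close();
        }
    } finally {
        inputStream.close();
    }

    // Check that what we were expecting to be signed was actually signed
    List<SignedElementSecurityEvent> signedElementEvents = eventListener.getSecurityEvents(SecurityEventConstants.SignedElement);
    Assert.assertNotNull(signedElementEvents);
    for (QName nameToSign : namesToSign) {
        boolean found = false;
        for (SignedElementSecurityEvent signedElement : signedElementEvents) {
            // NOTE(review): the match is by qualified name only (via getSignedQName, defined
            // elsewhere); it does not pin the element's position in the document - confirm that
            // this is strict enough for the documents under test.
            if (signedElement.isSigned() && nameToSign.equals(getSignedQName(signedElement.getElementPath()))) {
                found = true;
                break;
            }
        }
        Assert.assertTrue(found);
    }

    // Check Signing cert
    X509TokenSecurityEvent tokenEvent = (X509TokenSecurityEvent) eventListener.getSecurityEvent(SecurityEventConstants.X509Token);
    Assert.assertNotNull(tokenEvent);
    Assert.assertTrue(tokenEvent.getSecurityToken() instanceof X509SecurityToken);
    X509SecurityToken x509SecurityToken = (X509SecurityToken) tokenEvent.getSecurityToken();
    // Fail with an assertion, not an index or null-pointer error, when the token has no chain.
    X509Certificate[] reportedCertificates = x509SecurityToken.getX509Certificates();
    Assert.assertNotNull(reportedCertificates);
    Assert.assertTrue(reportedCertificates.length > 0);
    Assert.assertEquals(reportedCertificates[0], cert);
}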
Also used : XMLSecurityConstants(org.apache.xml.security.stax.ext.XMLSecurityConstants) XMLStreamReader(javax.xml.stream.XMLStreamReader) QName(javax.xml.namespace.QName) ArrayList(java.util.ArrayList) InboundXMLSec(org.apache.xml.security.stax.ext.InboundXMLSec) X509SecurityToken(org.apache.xml.security.stax.impl.securityToken.X509SecurityToken) X509TokenSecurityEvent(org.apache.xml.security.stax.securityEvent.X509TokenSecurityEvent) XMLSecurityProperties(org.apache.xml.security.stax.ext.XMLSecurityProperties) SignedElementSecurityEvent(org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent) XMLInputFactory(javax.xml.stream.XMLInputFactory)

Example 78 with InboundXMLSec

use of org.apache.xml.security.stax.ext.InboundXMLSec in project santuario-java by apache.

the class BaltimoreTest method test_twenty_three_enveloping_b64_dsa.

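/**
 * Verifies the Merlin "twenty-three" enveloping, Base64-transformed DSA signature sample with
 * the inbound StAX processor and checks the resulting signature-token security event.
 *
 * <p>The verification key is supplied by the test ({@code getPublicKey("DSA", 23)}), not taken
 * from the document, and the token reported by the processor is compared against that same
 * key material by {@code checkSignatureToken}.
 *
 * @throws Exception if the sample cannot be parsed or the signature does not validate
 */
@Test
public void test_twenty_three_enveloping_b64_dsa() throws Exception {
    // Read in plaintext document; the classpath stream is closed as soon as the DOM is built.
    Document document;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmldsig-twenty-three/signature-enveloping-b64-dsa.xml")) {
        DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
        document = builder.parse(sourceDocument);
    }

    // Set up the Key
    Key publicKey = getPublicKey("DSA", 23);

    // Convert Document to a Stream Reader by serialising the DOM into memory first.
    javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    transformer.transform(new DOMSource(document), new StreamResult(baos));

    TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
    // Keep the backing stream open for as long as the reader is consumed, so the lifecycle
    // does not depend on ByteArrayInputStream tolerating reads after close().
    try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
        XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);

        // Verify signature
        XMLSecurityProperties properties = new XMLSecurityProperties();
        properties.setSignatureVerificationKey(publicKey);
        InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
        XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
        // Reading the whole document drives validation; a failure surfaces as an exception here.
        StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
    }

    // Check the SecurityEvents
    checkSignatureToken(securityEventListener, getPublicKey("DSA", 23), SecurityTokenConstants.KeyIdentifier_KeyValue);
}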
Also used : DOMSource(javax.xml.transform.dom.DOMSource) XMLStreamReader(javax.xml.stream.XMLStreamReader) StreamResult(javax.xml.transform.stream.StreamResult) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) InboundXMLSec(org.apache.xml.security.stax.ext.InboundXMLSec) Document(org.w3c.dom.Document) DocumentBuilder(javax.xml.parsers.DocumentBuilder) ByteArrayInputStream(java.io.ByteArrayInputStream) XMLSecurityProperties(org.apache.xml.security.stax.ext.XMLSecurityProperties) Key(java.security.Key) SecretKey(javax.crypto.SecretKey) PublicKey(java.security.PublicKey) Test(org.junit.Test)

Example 79 with InboundXMLSec

use of org.apache.xml.security.stax.ext.InboundXMLSec in project santuario-java by apache.

the class BaltimoreTest method test_signature_x509_crt.

/**
 * Streams the Merlin "twenty-three" {@code signature-x509-crt.xml} sample through the inbound
 * StAX processor while a local HTTP redirector proxy is running. See SANTUARIO-319.
 *
 * <p>The test contains no explicit assertions: it passes when the document can be read to the
 * end without an exception being thrown.
 *
 * <p>NOTE(review): no verification key is set on the {@code XMLSecurityProperties}, so the key
 * is presumably resolved from the certificate data carried in the document itself - confirm.
 * If so, a pass shows that the signature is consistent with the embedded certificate, not that
 * the certificate is trusted; code modelled on this test still needs its own trust decision.
 *
 * @throws Exception if the proxy cannot be started, the sample cannot be parsed, or the
 *                   document cannot be processed
 */
@Test
public void test_signature_x509_crt() throws Exception {
    // Started before the try block; the finally clause below stops it again.
    Proxy proxy = HttpRequestRedirectorProxy.startHttpEngine();
    try {
        // Hand the proxy to ResolverHttp.
        // NOTE(review): nothing visible in this method resets it afterwards - confirm whether
        // stopHttpEngine() or another test hook takes care of that.
        ResolverHttp.setProxy(proxy);
        // The proxy host and port are also set as properties on a ResolverDirectHTTP instance;
        // this local variable is not referenced again in the method.
        ResolverDirectHTTP resolverDirectHTTP = new ResolverDirectHTTP();
        resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
        resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
        // Global test switch, turned off again in the finally clause.
        // NOTE(review): judging by its name it permits references that point outside the signed
        // document, which is why the HTTP traffic is routed through the local proxy - confirm.
        TestUtils.switchAllowNotSameDocumentReferences(true);
        // Read in plaintext document
        // NOTE(review): this classpath stream is never closed in the visible code.
        InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmldsig-twenty-three/signature-x509-crt.xml");
        DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
        Document document = builder.parse(sourceDocument);
        // XMLUtils.outputDOM(document, System.out);
        // Convert Document to a Stream Reader by serialising the DOM into memory first.
        javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        transformer.transform(new DOMSource(document), new StreamResult(baos));
        XMLStreamReader xmlStreamReader = null;
        // The reader is used after this block has closed the backing stream; that only works
        // because the stream is a ByteArrayInputStream, whose close() has no effect.
        try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
            xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
        }
        // Verify signature: default properties, no key, no action list, no event listener.
        XMLSecurityProperties properties = new XMLSecurityProperties();
        InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
        XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader);
        // Reading the whole document drives the processing; any failure surfaces as an exception.
        StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
    } finally {
        // Restore the global switch and stop the proxy whether or not the test passed.
        TestUtils.switchAllowNotSameDocumentReferences(false);
        HttpRequestRedirectorProxy.stopHttpEngine();
    }
}
Also used : DOMSource(javax.xml.transform.dom.DOMSource) XMLStreamReader(javax.xml.stream.XMLStreamReader) StreamResult(javax.xml.transform.stream.StreamResult) InetSocketAddress(java.net.InetSocketAddress) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ResolverDirectHTTP(org.apache.xml.security.utils.resolver.implementations.ResolverDirectHTTP) ByteArrayOutputStream(java.io.ByteArrayOutputStream) InboundXMLSec(org.apache.xml.security.stax.ext.InboundXMLSec) Document(org.w3c.dom.Document) Proxy(java.net.Proxy) HttpRequestRedirectorProxy(org.apache.xml.security.test.stax.utils.HttpRequestRedirectorProxy) DocumentBuilder(javax.xml.parsers.DocumentBuilder) ByteArrayInputStream(java.io.ByteArrayInputStream) XMLSecurityProperties(org.apache.xml.security.stax.ext.XMLSecurityProperties) Test(org.junit.Test)

Example 80 with InboundXMLSec

use of org.apache.xml.security.stax.ext.InboundXMLSec in project santuario-java by apache.

the class BaltimoreTest method test_fifteen_enveloping_hmac_sha1_40.

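/**
 * Negative test: the Merlin "fifteen" enveloping HMAC-SHA1 sample whose resource name marks a
 * 40-bit output length must be rejected by the inbound StAX processor.
 *
 * <p>The correct HMAC key is supplied, so the expected failure is caused by the short HMAC
 * length and not by a key mismatch. The test fails if the document reads cleanly, and it pins
 * the exact exception message so that a rejection for some other reason does not pass silently.
 *
 * @throws Exception if the sample cannot be parsed or set-up fails for an unrelated reason
 */
@Test
public void test_fifteen_enveloping_hmac_sha1_40() throws Exception {
    // Read in plaintext document; the classpath stream is closed as soon as the DOM is built.
    Document document;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmldsig-fifteen/signature-enveloping-hmac-sha1-40.xml")) {
        DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
        document = builder.parse(sourceDocument);
    }

    // Set up the Key: a fixed test-vector secret, not something to copy into real code.
    byte[] hmacKey = "secret".getBytes(StandardCharsets.US_ASCII);
    SecretKey key = new SecretKeySpec(hmacKey, "http://www.w3.org/2000/09/xmldsig#hmac-sha1");

    // Convert Document to a Stream Reader by serialising the DOM into memory first.
    javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    transformer.transform(new DOMSource(document), new StreamResult(baos));

    // Keep the backing stream open for as long as the reader is consumed, so the lifecycle
    // does not depend on ByteArrayInputStream tolerating reads after close().
    try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
        XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);

        // Verify signature
        XMLSecurityProperties properties = new XMLSecurityProperties();
        properties.setSignatureVerificationKey(key);
        InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
        XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader);
        try {
            StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
            fail("Failure expected on a short HMAC length");
        } catch (XMLStreamException ex) {
            // The security failure is expected as the cause of the stream exception.
            Assert.assertTrue(ex.getCause() instanceof XMLSecurityException);
            Assert.assertEquals("INVALID signature -- core validation failed.", ex.getCause().getMessage());
        }
    }
}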
Also used : DOMSource(javax.xml.transform.dom.DOMSource) XMLStreamReader(javax.xml.stream.XMLStreamReader) StreamResult(javax.xml.transform.stream.StreamResult) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) InboundXMLSec(org.apache.xml.security.stax.ext.InboundXMLSec) Document(org.w3c.dom.Document) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) SecretKey(javax.crypto.SecretKey) XMLStreamException(javax.xml.stream.XMLStreamException) DocumentBuilder(javax.xml.parsers.DocumentBuilder) ByteArrayInputStream(java.io.ByteArrayInputStream) SecretKeySpec(javax.crypto.spec.SecretKeySpec) XMLSecurityProperties(org.apache.xml.security.stax.ext.XMLSecurityProperties) Test(org.junit.Test)
