Example 1 with EncryptedKeyTokenSecurityEvent
use of org.apache.xml.security.stax.securityEvent.EncryptedKeyTokenSecurityEvent in project santuario-java by apache.
the class XMLEncryptedKeyInputHandler method handle.
public void handle(final InputProcessorChain inputProcessorChain, final EncryptedKeyType encryptedKeyType, final XMLSecEvent responsibleXMLSecStartXMLEvent, final XMLSecurityProperties securityProperties) throws XMLSecurityException {
if (encryptedKeyType.getEncryptionMethod() == null) {
throw new XMLSecurityException("stax.encryption.noEncAlgo");
}
if (encryptedKeyType.getId() == null) {
encryptedKeyType.setId(IDGenerator.generateID(null));
}
final InboundSecurityContext inboundSecurityContext = inputProcessorChain.getSecurityContext();
final SecurityTokenProvider<InboundSecurityToken> securityTokenProvider = new SecurityTokenProvider<InboundSecurityToken>() {
private AbstractInboundSecurityToken securityToken;
@Override
public InboundSecurityToken getSecurityToken() throws XMLSecurityException {
if (this.securityToken != null) {
return this.securityToken;
}
this.securityToken = new AbstractInboundSecurityToken(inboundSecurityContext, encryptedKeyType.getId(), SecurityTokenConstants.KeyIdentifier_EncryptedKey, true) {
private byte[] decryptedKey;
@Override
public Key getKey(String algorithmURI, XMLSecurityConstants.AlgorithmUsage algorithmUsage, String correlationID) throws XMLSecurityException {
Key key = getSecretKey().get(algorithmURI);
if (key != null) {
return key;
}
String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
key = new SecretKeySpec(getSecret(this, correlationID, algorithmURI), algoFamily);
setSecretKey(algorithmURI, key);
return key;
}
@Override
public InboundSecurityToken getKeyWrappingToken() throws XMLSecurityException {
return getWrappingSecurityToken(this);
}
@Override
public SecurityTokenConstants.TokenType getTokenType() {
return SecurityTokenConstants.EncryptedKeyToken;
}
private InboundSecurityToken wrappingSecurityToken;
private InboundSecurityToken getWrappingSecurityToken(InboundSecurityToken wrappedSecurityToken) throws XMLSecurityException {
if (wrappingSecurityToken != null) {
return this.wrappingSecurityToken;
}
KeyInfoType keyInfoType = encryptedKeyType.getKeyInfo();
this.wrappingSecurityToken = SecurityTokenFactory.getInstance().getSecurityToken(keyInfoType, SecurityTokenConstants.KeyUsage_Decryption, securityProperties, inboundSecurityContext);
this.wrappingSecurityToken.addWrappedToken(wrappedSecurityToken);
return this.wrappingSecurityToken;
}
private byte[] getSecret(InboundSecurityToken wrappedSecurityToken, String correlationID, String symmetricAlgorithmURI) throws XMLSecurityException {
if (this.decryptedKey != null) {
return this.decryptedKey;
}
String algorithmURI = encryptedKeyType.getEncryptionMethod().getAlgorithm();
if (algorithmURI == null) {
throw new XMLSecurityException("stax.encryption.noEncAlgo");
}
String jceName = JCEAlgorithmMapper.translateURItoJCEID(algorithmURI);
String jceProvider = JCEAlgorithmMapper.getJCEProviderFromURI(algorithmURI);
if (jceName == null) {
throw new XMLSecurityException("algorithms.NoSuchMap", new Object[] { algorithmURI });
}
final InboundSecurityToken wrappingSecurityToken = getWrappingSecurityToken(wrappedSecurityToken);
Cipher cipher;
try {
XMLSecurityConstants.AlgorithmUsage algorithmUsage;
if (wrappingSecurityToken.isAsymmetric()) {
algorithmUsage = XMLSecurityConstants.Asym_Key_Wrap;
} else {
algorithmUsage = XMLSecurityConstants.Sym_Key_Wrap;
}
if (jceProvider == null) {
cipher = Cipher.getInstance(jceName);
} else {
cipher = Cipher.getInstance(jceName, jceProvider);
}
if (XMLSecurityConstants.NS_XENC11_RSAOAEP.equals(algorithmURI) || XMLSecurityConstants.NS_XENC_RSAOAEPMGF1P.equals(algorithmURI)) {
final DigestMethodType digestMethodType = XMLSecurityUtils.getQNameType(encryptedKeyType.getEncryptionMethod().getContent(), XMLSecurityConstants.TAG_dsig_DigestMethod);
String jceDigestAlgorithm = "SHA-1";
if (digestMethodType != null) {
AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
algorithmSuiteSecurityEvent.setAlgorithmURI(digestMethodType.getAlgorithm());
algorithmSuiteSecurityEvent.setAlgorithmUsage(XMLSecurityConstants.EncDig);
algorithmSuiteSecurityEvent.setCorrelationID(correlationID);
inboundSecurityContext.registerSecurityEvent(algorithmSuiteSecurityEvent);
jceDigestAlgorithm = JCEAlgorithmMapper.translateURItoJCEID(digestMethodType.getAlgorithm());
}
PSource.PSpecified pSource = PSource.PSpecified.DEFAULT;
final byte[] oaepParams = XMLSecurityUtils.getQNameType(encryptedKeyType.getEncryptionMethod().getContent(), XMLSecurityConstants.TAG_xenc_OAEPparams);
if (oaepParams != null) {
pSource = new PSource.PSpecified(oaepParams);
}
MGF1ParameterSpec mgfParameterSpec = new MGF1ParameterSpec("SHA-1");
final MGFType mgfType = XMLSecurityUtils.getQNameType(encryptedKeyType.getEncryptionMethod().getContent(), XMLSecurityConstants.TAG_xenc11_MGF);
if (mgfType != null) {
String jceMGFAlgorithm = JCEAlgorithmMapper.translateURItoJCEID(mgfType.getAlgorithm());
mgfParameterSpec = new MGF1ParameterSpec(jceMGFAlgorithm);
}
OAEPParameterSpec oaepParameterSpec = new OAEPParameterSpec(jceDigestAlgorithm, "MGF1", mgfParameterSpec, pSource);
cipher.init(Cipher.UNWRAP_MODE, wrappingSecurityToken.getSecretKey(algorithmURI, algorithmUsage, correlationID), oaepParameterSpec);
} else {
cipher.init(Cipher.UNWRAP_MODE, wrappingSecurityToken.getSecretKey(algorithmURI, algorithmUsage, correlationID));
}
if (encryptedKeyType.getCipherData() == null || encryptedKeyType.getCipherData().getCipherValue() == null) {
throw new XMLSecurityException("stax.encryption.noCipherValue");
}
} catch (NoSuchPaddingException e) {
throw new XMLSecurityException(e);
} catch (NoSuchAlgorithmException e) {
throw new XMLSecurityException(e);
} catch (InvalidAlgorithmParameterException e) {
throw new XMLSecurityException(e);
} catch (InvalidKeyException e) {
throw new XMLSecurityException(e);
} catch (NoSuchProviderException e) {
throw new XMLSecurityException(e);
}
byte[] sha1Bytes = generateDigest(encryptedKeyType.getCipherData().getCipherValue());
String sha1Identifier = Base64.getMimeEncoder().encodeToString(sha1Bytes);
super.setSha1Identifier(sha1Identifier);
try {
Key key = cipher.unwrap(encryptedKeyType.getCipherData().getCipherValue(), jceName, Cipher.SECRET_KEY);
return this.decryptedKey = key.getEncoded();
} catch (IllegalStateException e) {
throw new XMLSecurityException(e);
} catch (Exception e) {
LOG.warn("Unwrapping of the encrypted key failed with error: " + e.getMessage() + ". " + "Generating a faked one to mitigate timing attacks.");
int keyLength = JCEAlgorithmMapper.getKeyLengthFromURI(symmetricAlgorithmURI);
this.decryptedKey = XMLSecurityConstants.generateBytes(keyLength / 8);
return this.decryptedKey;
}
}
};
this.securityToken.setElementPath(responsibleXMLSecStartXMLEvent.getElementPath());
this.securityToken.setXMLSecEvent(responsibleXMLSecStartXMLEvent);
return this.securityToken;
}
@Override
public String getId() {
return encryptedKeyType.getId();
}
};
// register the key token for decryption:
inboundSecurityContext.registerSecurityTokenProvider(encryptedKeyType.getId(), securityTokenProvider);
// fire a tokenSecurityEvent
EncryptedKeyTokenSecurityEvent tokenSecurityEvent = new EncryptedKeyTokenSecurityEvent();
tokenSecurityEvent.setSecurityToken(securityTokenProvider.getSecurityToken());
tokenSecurityEvent.setCorrelationID(encryptedKeyType.getId());
inboundSecurityContext.registerSecurityEvent(tokenSecurityEvent);
// if this EncryptedKey structure contains a reference list, delegate it to a subclass
if (encryptedKeyType.getReferenceList() != null) {
handleReferenceList(inputProcessorChain, encryptedKeyType, securityProperties);
}
}
Also used :
AlgorithmSuiteSecurityEvent(org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent)
EncryptedKeyTokenSecurityEvent(org.apache.xml.security.stax.securityEvent.EncryptedKeyTokenSecurityEvent)
SecretKeySpec(javax.crypto.spec.SecretKeySpec)
AbstractInboundSecurityToken(org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken)
NoSuchPaddingException(javax.crypto.NoSuchPaddingException)
DigestMethodType(org.apache.xml.security.binding.xmldsig.DigestMethodType)
MGFType(org.apache.xml.security.binding.xmlenc11.MGFType)
XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException)
NoSuchPaddingException(javax.crypto.NoSuchPaddingException)
XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException)
KeyInfoType(org.apache.xml.security.binding.xmldsig.KeyInfoType)
OAEPParameterSpec(javax.crypto.spec.OAEPParameterSpec)
AbstractInboundSecurityToken(org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken)
InboundSecurityToken(org.apache.xml.security.stax.securityToken.InboundSecurityToken)
Cipher(javax.crypto.Cipher)
SecurityTokenProvider(org.apache.xml.security.stax.securityToken.SecurityTokenProvider)
MGF1ParameterSpec(java.security.spec.MGF1ParameterSpec)
Example 2 with EncryptedKeyTokenSecurityEvent
use of org.apache.xml.security.stax.securityEvent.EncryptedKeyTokenSecurityEvent in project santuario-java by apache.
the class DecryptionTest method checkEncryptionToken.
protected void checkEncryptionToken(TestSecurityEventListener securityEventListener, X509Certificate cert, Key key, SecurityTokenConstants.KeyIdentifier keyIdentifier, String algorithm) throws XMLSecurityException {
if (SecurityTokenConstants.KeyIdentifier_NoKeyInfo.equals(keyIdentifier)) {
DefaultTokenSecurityEvent tokenEvent = (DefaultTokenSecurityEvent) securityEventListener.getSecurityEvent(SecurityEventConstants.DefaultToken);
assertNotNull(tokenEvent);
Key processedKey = tokenEvent.getSecurityToken().getSecretKey().values().iterator().next();
assertEquals(processedKey, key);
} else if (SecurityTokenConstants.KeyIdentifier_EncryptedKey.equals(keyIdentifier)) {
EncryptedKeyTokenSecurityEvent tokenEvent = (EncryptedKeyTokenSecurityEvent) securityEventListener.getSecurityEvent(SecurityEventConstants.EncryptedKeyToken);
assertNotNull(tokenEvent);
Key processedKey = tokenEvent.getSecurityToken().getSecretKey().values().iterator().next();
assertEquals(processedKey, key);
}
}
Also used :
DefaultTokenSecurityEvent(org.apache.xml.security.stax.securityEvent.DefaultTokenSecurityEvent)
EncryptedKeyTokenSecurityEvent(org.apache.xml.security.stax.securityEvent.EncryptedKeyTokenSecurityEvent)
Key(java.security.Key)
PrivateKey(java.security.PrivateKey)
SecretKey(javax.crypto.SecretKey)
PublicKey(java.security.PublicKey)
EncryptedKey(org.apache.xml.security.encryption.EncryptedKey)
Aggregations
EncryptedKeyTokenSecurityEvent (org.apache.xml.security.stax.securityEvent.EncryptedKeyTokenSecurityEvent)2
Key (java.security.Key)1
PrivateKey (java.security.PrivateKey)1
PublicKey (java.security.PublicKey)1
MGF1ParameterSpec (java.security.spec.MGF1ParameterSpec)1
Cipher (javax.crypto.Cipher)1
NoSuchPaddingException (javax.crypto.NoSuchPaddingException)1
SecretKey (javax.crypto.SecretKey)1
OAEPParameterSpec (javax.crypto.spec.OAEPParameterSpec)1
SecretKeySpec (javax.crypto.spec.SecretKeySpec)1
DigestMethodType (org.apache.xml.security.binding.xmldsig.DigestMethodType)1
KeyInfoType (org.apache.xml.security.binding.xmldsig.KeyInfoType)1
MGFType (org.apache.xml.security.binding.xmlenc11.MGFType)1
EncryptedKey (org.apache.xml.security.encryption.EncryptedKey)1
XMLSecurityException (org.apache.xml.security.exceptions.XMLSecurityException)1
AbstractInboundSecurityToken (org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken)1
AlgorithmSuiteSecurityEvent (org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent)1
DefaultTokenSecurityEvent (org.apache.xml.security.stax.securityEvent.DefaultTokenSecurityEvent)1
InboundSecurityToken (org.apache.xml.security.stax.securityToken.InboundSecurityToken)1
SecurityTokenProvider (org.apache.xml.security.stax.securityToken.SecurityTokenProvider)1
