'[jira] Commented: (RAMPART-31) Using Policy configuration - a SOAP'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       rampart-dev
Subject:    [jira] Commented: (RAMPART-31) Using Policy configuration - a SOAP
From:       "Nandana Mihindukulasooriya (JIRA)" <jira () apache ! org>
Date:       2007-11-28 12:11:43
Message-ID: 7001025.1196251903035.JavaMail.jira () brutus
[Download RAW message or body]


    [ https://issues.apache.org/jira/browse/RAMPART-31?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12546215 \
] 

Nandana Mihindukulasooriya commented on RAMPART-31:
---------------------------------------------------

This fixed in the Rampart trunk. Patch [1] for issue [2] introduces two test \
scenarios to check encryption only in the Symmetric Binding and in the Asymmetric \
Binding.

[1] - RAMPART-105-1.patch
[2] - https://issues.apache.org/jira/browse/RAMPART-105

> Using Policy configuration - a SOAP Message cannot be Encrypted only. 
> ----------------------------------------------------------------------
> 
> Key: RAMPART-31
> URL: https://issues.apache.org/jira/browse/RAMPART-31
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.1
> Reporter: Ric Emery
> Attachments: diff.txt
> 
> 
> Unless I am mistaken AsymmetricBindingBuilder does not support only encrypting a \
> SOAP Message. AsymmetricBindingBuilder assumes that Signatures will always be \
> applied. Logically I would think that leaving out the Policy sp:SignedParts element \
> and/or the sp:InitiatorToken element would result in a message that is encrypted \
> (assuming the Policy configures encryption), but not signed. Leaving out the \
> InitiatorToken out of the profile results in a NullPointerException. Leaving out \
> the sp:SignedParts does not disable signatures. I modified \
> AssymetircBindingBuilder.java to allow encryption without signatures. Being new to \
> the source base I am not sure that this is the correct fix. I modified build method \
> adding a call to determine if signatures are disabled. Added a method to make the \
> determination. And added a doEncryption method.. I can submit a diff in the proper \
> format if requested. Thanks
> public void build(RampartMessageData rmd) throws RampartException {
> log.debug("AsymmetricBindingBuilder build invoked");
> RampartPolicyData rpd = rmd.getPolicyData();
> if (rpd.isIncludeTimestamp()) {
> this.addTimestamp(rmd);
> }
> 		if (shouldEncryptOnly(rmd))
> 		    this.doEncrypt(rmd);
> 		else if (Constants.ENCRYPT_BEFORE_SIGNING.equals(rpd.getProtectionOrder())) {
> this.doEncryptBeforeSig(rmd);
> } else {
> this.doSignBeforeEncrypt(rmd);
> }
> log.debug("AsymmetricBindingBuilder build invoked : DONE");
> }
> 	private boolean shouldEncryptOnly(RampartMessageData rmd)
> 	{
> // Is there a better way to determine if signatures should be disabled?
> 		RampartPolicyData rampartPolicyData = rmd.getPolicyData();		
> 		Vector parts = rampartPolicyData.getSignedParts();
> 		return !rampartPolicyData.isSignBody() && (null == parts || parts.size() == 0);
> 	}
> 	private void doEncrypt(RampartMessageData rmd)
> throws RampartException {
> RampartPolicyData rpd = rmd.getPolicyData();
> Document doc = rmd.getDocument();
> RampartConfig config = rpd.getRampartConfig();
> /*
> * We need to hold on to these two element to use them as refence in the
> * case of encypting the signature
> */
> Element encrDKTokenElem = null;
> WSSecEncrypt encr = null;
> Element refList = null;
> WSSecDKEncrypt dkEncr = null;
> /*
> * We MUST use keys derived from the same token
> */
> Token encryptionToken = rpd.getRecipientToken();
> Vector encrParts = RampartUtil.getEncryptedParts(rmd);
> if(encryptionToken == null && encrParts.size() > 0) {
> throw new RampartException("encryptionTokenMissing");
> }
> if (encryptionToken != null && encrParts.size() > 0) {
> if (encryptionToken.isDerivedKeys()) {
> try {
> this.setupEncryptedKey(rmd, encryptionToken);
> // Create the DK encryption builder
> dkEncr = new WSSecDKEncrypt();
> dkEncr.setParts(encrParts);
> dkEncr.setExternalKey(this.encryptedKeyValue,
> this.encryptedKeyId);
> dkEncr.prepare(doc);
> // Get and add the DKT element
> this.encrDKTElement = dkEncr.getdktElement();
> encrDKTokenElem = RampartUtil.appendChildToSecHeader(rmd, this.encrDKTElement);
> refList = dkEncr.encryptForExternalRef(null, encrParts);
> } catch (WSSecurityException e) {
> throw new RampartException("errorCreatingEncryptedKey", e);
> } catch (ConversationException e) {
> throw new RampartException("errorInDKEncr", e);
> }
> } else {
> try {
> encr = new WSSecEncrypt();
> encr.setParts(encrParts);
> encr.setWsConfig(rmd.getConfig());
> encr.setDocument(doc);
> RampartUtil.setEncryptionUser(rmd, encr);
> encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
> encr.setKeyEncAlgo(rpd.getAlgorithmSuite().getAsymmetricKeyWrap());
> encr.prepare(doc, RampartUtil.getEncryptionCrypto(config, \
> rmd.getCustomClassLoader())); Element bstElem = \
> encr.getBinarySecurityTokenElement(); if (bstElem != null) {
> RampartUtil.appendChildToSecHeader(rmd, bstElem);
> }
> this.encrTokenElement = encr.getEncryptedKeyElement();
> this.encrTokenElement = RampartUtil.appendChildToSecHeader(rmd,
> encrTokenElement);
> refList = encr.encryptForExternalRef(null, encrParts);
> } catch (WSSecurityException e) {
> throw new RampartException("errorInEncryption", e);
> }
> }
> RampartUtil.appendChildToSecHeader(rmd, refList);
> this.setInsertionLocation(encrTokenElement);
> 		}
> 	}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic