WSS-679 - Fix regression in signing KeyInfos
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java
index eee1185..7c1b6ab 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java
@@ -139,10 +139,8 @@
signBST = true;
} else if ("KeyInfo".equals(part.getName()) && WSConstants.SIG_NS.equals(part.getNamespace())
&& part.getElement() == null) {
- // Special code to sign the KeyInfo - we have to marshal the KeyInfo to a DOM Element
- // before the signing process
- Element keyInfoElement = wsSign.getKeyInfoElement();
- part.setElement(keyInfoElement);
+ // Special code to sign the KeyInfo
+ part.setId(wsSign.getKeyInfoUri());
break;
}
}
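Review bot: The new branch assumes `wsSign.getKeyInfoUri()` is non-null, but nothing in this diff shows the field being initialised, and `part.setId(null)` leaves the part with neither an element nor an id, so a missing id would only surface later during reference resolution instead of at the point of the mistake. Consider failing early with `String keyInfoUri = wsSign.getKeyInfoUri();` / `if (keyInfoUri == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE); }` / `part.setId(keyInfoUri);`. The same applies to the parallel branch in WSSecSignature.java (the hunk at line 387) which reads the `keyInfoUri` field directly. The enclosing loop and method begin outside this hunk, so whether prepare() is guaranteed to have run before this point is not visible here; if it is, a one-line comment stating that guarantee would be enough.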
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
index efa4212..61a9cbc 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
@@ -27,9 +27,7 @@
import java.util.Collections;
import java.util.List;
-import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLStructure;
-import javax.xml.crypto.dom.DOMCryptoContext;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.SignatureMethod;
@@ -389,10 +387,8 @@
part.setId(strUri);
} else if ("KeyInfo".equals(part.getName()) && WSConstants.SIG_NS.equals(part.getNamespace())
&& part.getElement() == null) {
- // Special code to sign the KeyInfo - we have to marshal the KeyInfo to a DOM Element
- // before the signing process
- Element keyInfoElement = getKeyInfoElement();
- part.setElement(keyInfoElement);
+ // Special code to sign the KeyInfo
+ part.setId(keyInfoUri);
}
}
}
@@ -734,26 +730,6 @@
}
/**
- * Return the computed KeyInfo value as a DOM Element
- * Call this method after <code>prepare()</code>
- */
- public Element getKeyInfoElement() throws WSSecurityException {
- Element parent = getDocument().createElement("temp");
- DOMCryptoContext cryptoContext = new DOMCryptoContext() { };
- cryptoContext.putNamespacePrefix(WSConstants.SIG_NS, WSConstants.SIG_PREFIX);
- try {
- keyInfo.marshal(new DOMStructure(parent), cryptoContext);
- } catch (MarshalException ex) {
- LOG.error(ex.getMessage(), ex);
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILED_SIGNATURE, ex
- );
- }
-
- return (Element)parent.getFirstChild();
- }
-
- /**
* Get the id generated during <code>prepare()</code>.
*
* Returns the the value of wsu:Id attribute of the Signature element.
@@ -939,4 +915,8 @@
public void setSignatureProvider(Provider signatureProvider) {
this.signatureProvider = signatureProvider;
}
+
+ public String getKeyInfoUri() {
+ return keyInfoUri;
+ }
}
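Review bot: `getKeyInfoUri()` is added as public API without Javadoc, while the neighbouring accessors in this class carry a doc comment (see the "Get the id generated during prepare()" comment earlier in the file). Since callers such as SignatureAction now depend on this value to reference the KeyInfo by id, its lifecycle should be stated: `/** Returns the wsu:Id reference used for the KeyInfo element. Presumably populated by prepare(); may be null before that call. */`. Replace "presumably" with the actual guarantee if prepare() always sets it, which is not visible in this diff.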
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignatureBase.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignatureBase.java
index ad078cc..c34f19f 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignatureBase.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignatureBase.java
@@ -138,7 +138,7 @@
}
element = callbackLookup.getElement(idToSign, null, false);
}
- if (addInclusivePrefixes) {
+ if (addInclusivePrefixes && element != null) {
List<String> prefixes = getInclusivePrefixes(element);
if (!prefixes.isEmpty()) {
transformSpec = new ExcC14NParameterSpec(prefixes);
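Review bot: The added `element != null` guard silently skips the InclusivePrefixes computation for any part whose id cannot be resolved, not only the KeyInfo case this commit targets, so a genuinely unresolvable reference now proceeds without an InclusiveNamespaces list and without any diagnostic. At minimum the legitimate null case deserves a comment so the next reader does not "fix" it back: `// element is null when the part is not yet in the DOM (presumably the KeyInfo, which the signing engine marshals later); no inclusive prefixes can be computed for it`. If the class has a logger, a debug line in the null case would make unexpected lookup failures visible. The enclosing method begins and ends outside this hunk.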
diff --git a/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/SignaturePartsTest.java b/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/SignaturePartsTest.java
index 29bde30..f83da6f 100644
--- a/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/SignaturePartsTest.java
+++ b/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/SignaturePartsTest.java
@@ -556,7 +556,6 @@
}
@Test
- @org.junit.Ignore
public void testSignedKeyInfo() throws Exception {
Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
WSSecHeader secHeader = new WSSecHeader(doc);
@@ -583,38 +582,10 @@
WSHandlerResult results = verify(signedDoc);
- WSSecurityEngineResult actionResult =
- results.getActionResults().get(WSConstants.SIGN).get(0);
- assertTrue(actionResult != null);
- assertFalse(actionResult.isEmpty());
- final List<WSDataRef> refs =
- (List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
-
- WSDataRef wsDataRef = refs.get(0);
- String xpath = wsDataRef.getXpath();
- assertEquals("/soapenv:Envelope/soapenv:Header/wsse:Security/ds:Signature/ds:KeyInfo", xpath);
- assertEquals(WSConstants.RSA_SHA1, wsDataRef.getAlgorithm());
- assertNotNull(wsDataRef.getDigestValue());
- assertTrue(wsDataRef.getDigestValue().length > 0);
- QName expectedQName = new QName(WSConstants.SIG_NS, "KeyInfo");
- assertEquals(expectedQName, wsDataRef.getName());
-
- assertEquals(WSConstants.SHA1, wsDataRef.getDigestAlgorithm());
-
- String sigMethod = (String)actionResult.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD);
- assertEquals(WSConstants.RSA_SHA1, sigMethod);
-
- String c14nMethod =
- (String)actionResult.get(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD);
- assertEquals(WSConstants.C14N_EXCL_OMIT_COMMENTS, c14nMethod);
-
- List<String> transformAlgorithms = wsDataRef.getTransformAlgorithms();
- assertTrue(transformAlgorithms.size() == 1);
- assertTrue(WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(transformAlgorithms.get(0)));
+ verifySignedKeyInfoResults(results);
}
@Test
- @org.junit.Ignore
public void testSignedKeyInfoAction() throws Exception {
final WSSConfig cfg = WSSConfig.getNewInstance();
final RequestData reqData = new RequestData();
@@ -651,6 +622,40 @@
List<Integer> receivedActions = new ArrayList<>();
receivedActions.add(WSConstants.SIGN);
assertTrue(handler.checkResults(results.getResults(), receivedActions));
+
+ verifySignedKeyInfoResults(results);
+ }
+
+ private void verifySignedKeyInfoResults(WSHandlerResult results) {
+
+ WSSecurityEngineResult actionResult =
+ results.getActionResults().get(WSConstants.SIGN).get(0);
+ assertNotNull(actionResult);
+ assertFalse(actionResult.isEmpty());
+ final List<WSDataRef> refs =
+ (List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
+
+ WSDataRef wsDataRef = refs.get(0);
+ String xpath = wsDataRef.getXpath();
+ assertTrue(xpath.matches("/(soapenv|SOAP-ENV):Envelope/(soapenv|SOAP-ENV):Header/wsse:Security/ds:Signature/ds:KeyInfo"));
+ assertEquals(WSConstants.RSA_SHA1, wsDataRef.getAlgorithm());
+ assertNotNull(wsDataRef.getDigestValue());
+ assertTrue(wsDataRef.getDigestValue().length > 0);
+ QName expectedQName = new QName(WSConstants.SIG_NS, "KeyInfo");
+ assertEquals(expectedQName, wsDataRef.getName());
+
+ assertEquals(WSConstants.SHA1, wsDataRef.getDigestAlgorithm());
+
+ String sigMethod = (String)actionResult.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD);
+ assertEquals(WSConstants.RSA_SHA1, sigMethod);
+
+ String c14nMethod =
+ (String)actionResult.get(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD);
+ assertEquals(WSConstants.C14N_EXCL_OMIT_COMMENTS, c14nMethod);
+
+ List<String> transformAlgorithms = wsDataRef.getTransformAlgorithms();
+ assertTrue(transformAlgorithms.size() == 1);
+ assertTrue(WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(transformAlgorithms.get(0)));
}
/**
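Review bot: The cast `(List<WSDataRef>) actionResult.get(...)` in `verifySignedKeyInfoResults` is unchecked and the new helper carries no `@SuppressWarnings("unchecked")`, so it will emit a compiler warning on every build; add `@SuppressWarnings("unchecked")` on the method. The two final assertions would also give clearer failure output as `assertEquals(1, transformAlgorithms.size());` and `assertEquals(WSConstants.C14N_EXCL_OMIT_COMMENTS, transformAlgorithms.get(0));` rather than `assertTrue` on a boolean. The xpath regex now accepts `soapenv` and `SOAP-ENV` independently at each step, so a mixed-prefix path would also pass; if that is not intended, capture the prefix once and back-reference it, e.g. `"/(soapenv|SOAP-ENV):Envelope/\\1:Header/..."`.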