View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.test;
20  
21  import java.util.ArrayList;
22  import java.util.List;
23  
24  import javax.xml.namespace.QName;
25  
26  import org.apache.neethi.Assertion;
27  import org.apache.neethi.Policy;
28  import org.apache.neethi.builders.AssertionBuilder;
29  import org.apache.wss4j.common.ext.WSSecurityException;
30  import org.apache.wss4j.policy.SPConstants;
31  import org.apache.wss4j.policy.builders.AlgorithmSuiteBuilder;
32  import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
33  import org.apache.wss4j.policy.model.AlgorithmSuite;
34  import org.apache.wss4j.policy.stax.PolicyViolationException;
35  import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
36  import org.apache.wss4j.stax.ext.WSSConstants;
37  import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
38  import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
39  import org.junit.jupiter.api.Test;
40  import org.w3c.dom.Element;
41  
42  import static org.junit.jupiter.api.Assertions.assertEquals;
43  import static org.junit.jupiter.api.Assertions.assertTrue;
44  import static org.junit.jupiter.api.Assertions.fail;
45  
46  public class AlgorithmSuiteTest extends AbstractPolicyTestBase {
47  
48      @Test
49      public void testAlgorithmSuitePolicy() throws Exception {
50          String policyString =
51                  "<sp:AlgorithmSuite xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
52                          "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
53                          "<sp:TripleDesRsa15/>\n" +
54                          "</wsp:Policy>\n" +
55                          "</sp:AlgorithmSuite>";
56          PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
57  
58          OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
59          operationSecurityEvent.setOperation(new QName("definitions"));
60          policyEnforcer.registerSecurityEvent(operationSecurityEvent);
61  
62          AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
63          algorithmSuiteSecurityEvent.setAlgorithmURI("http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
64          algorithmSuiteSecurityEvent.setKeyLength(192);
65          algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
66          policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
67          policyEnforcer.doFinal();
68      }
69  
70      @Test
71      public void testAlgorithmSuitePolicyMultipleAssertionEventsNegative() throws Exception {
72          String policyString =
73                  "<sp:AlgorithmSuite xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
74                          "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
75                          "<sp:TripleDesRsa15/>\n" +
76                          "</wsp:Policy>\n" +
77                          "</sp:AlgorithmSuite>";
78          PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
79  
80          OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
81          operationSecurityEvent.setOperation(new QName("definitions"));
82          policyEnforcer.registerSecurityEvent(operationSecurityEvent);
83  
84          AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
85          algorithmSuiteSecurityEvent.setAlgorithmURI("http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
86          algorithmSuiteSecurityEvent.setKeyLength(192);
87          algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
88          policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
89          algorithmSuiteSecurityEvent.setAlgorithmURI("http://www.w3.org/2001/04/xmlenc#sha256");
90          algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.SigDig);
91          try {
92              policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
93              fail("Exception expected");
94          } catch (WSSecurityException e) {
95              assertTrue(e.getCause() instanceof PolicyViolationException);
96              assertEquals(e.getCause().getMessage(),
97                      "Digest algorithm http://www.w3.org/2001/04/xmlenc#sha256 does not meet policy");
98              assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
99          }
100     }
101 
102     @Test
103     public void testAlgorithmSuitePolicyNegative() throws Exception {
104         String policyString =
105                 "<sp:AlgorithmSuite xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
106                         "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
107                         "<sp:TripleDesRsa15/>\n" +
108                         "</wsp:Policy>\n" +
109                         "</sp:AlgorithmSuite>";
110         PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
111 
112         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
113         operationSecurityEvent.setOperation(new QName("definitions"));
114         policyEnforcer.registerSecurityEvent(operationSecurityEvent);
115 
116         AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
117         algorithmSuiteSecurityEvent.setAlgorithmURI("http://www.w3.org/2001/04/xmlenc#aes128-cbc");
118         algorithmSuiteSecurityEvent.setKeyLength(128);
119         algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
120         try {
121             policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
122             fail("Exception expected");
123         } catch (WSSecurityException e) {
124             assertTrue(e.getCause() instanceof PolicyViolationException);
125             assertEquals(e.getCause().getMessage(),
126                     "Encryption algorithm http://www.w3.org/2001/04/xmlenc#aes128-cbc does not meet policy\n" +
127                     "Symmetric encryption algorithm key length 128 does not meet policy");
128             assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
129         }
130     }
131 
132     @Test
133     public void testAlgorithmSuitePolicyAlternatives() throws Exception {
134         String policyString =
135                 "<sp:AlgorithmSuite xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
136                         "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
137                         "<wsp:ExactlyOne>\n" +
138                         "<sp:Basic256/>\n" +
139                         "<sp:TripleDesRsa15/>\n" +
140                         "</wsp:ExactlyOne>\n" +
141                         "</wsp:Policy>\n" +
142                         "</sp:AlgorithmSuite>";
143         PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
144 
145         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
146         operationSecurityEvent.setOperation(new QName("definitions"));
147         policyEnforcer.registerSecurityEvent(operationSecurityEvent);
148 
149         AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
150         algorithmSuiteSecurityEvent.setAlgorithmURI("http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
151         algorithmSuiteSecurityEvent.setKeyLength(192);
152         algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
153         policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
154         policyEnforcer.doFinal();
155     }
156 
157     @Test
158     public void testAlgorithmSuitePolicyAlternativesNegative() throws Exception {
159         String policyString =
160                 "<sp:AlgorithmSuite xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
161                         "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
162                         "<wsp:ExactlyOne>\n" +
163                         "<sp:Basic256/>\n" +
164                         "<sp:TripleDesRsa15/>\n" +
165                         "</wsp:ExactlyOne>\n" +
166                         "</wsp:Policy>\n" +
167                         "</sp:AlgorithmSuite>";
168         PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
169 
170         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
171         operationSecurityEvent.setOperation(new QName("definitions"));
172         policyEnforcer.registerSecurityEvent(operationSecurityEvent);
173 
174         AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
175         algorithmSuiteSecurityEvent.setAlgorithmURI("http://www.w3.org/2001/04/xmlenc#aes128-cbc");
176         algorithmSuiteSecurityEvent.setKeyLength(128);
177         algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
178         try {
179             policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
180             fail("Exception expected");
181         } catch (WSSecurityException e) {
182             assertTrue(e.getCause() instanceof PolicyViolationException);
183             assertEquals(e.getCause().getMessage(),
184                     "Encryption algorithm http://www.w3.org/2001/04/xmlenc#aes128-cbc does not meet policy\n" +
185                     "Symmetric encryption algorithm key length 128 does not meet policy");
186             assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
187         }
188     }
189 
190     @Test
191     public void testAES256GCMAlgorithmSuitePolicy() throws Exception {
192         String policyString =
193                 "<sp:AlgorithmSuite xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
194                         "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
195                         "<cxf:Basic256GCM xmlns:cxf=\"http://cxf.apache.org/custom/security-policy\"/>\n" +
196                         "</wsp:Policy>\n" +
197                         "</sp:AlgorithmSuite>";
198 
199         class GCMAlgorithmSuite extends AlgorithmSuite {
200 
201             GCMAlgorithmSuite(SPConstants.SPVersion version, Policy nestedPolicy) {
202                 super(version, nestedPolicy);
203             }
204 
205             @Override
206             protected AbstractSecurityAssertion cloneAssertion(Policy nestedPolicy) {
207                 return new GCMAlgorithmSuite(getVersion(), nestedPolicy);
208             }
209 
210             @Override
211             protected void parseCustomAssertion(Assertion assertion) {
212                 String assertionName = assertion.getName().getLocalPart();
213                 String assertionNamespace = assertion.getName().getNamespaceURI();
214                 if (!"http://cxf.apache.org/custom/security-policy".equals(assertionNamespace)) {
215                     return;
216                 }
217 
218                 if ("Basic128GCM".equals(assertionName)) {
219                     setAlgorithmSuiteType(new AlgorithmSuiteType(
220                             "Basic128GCM",
221                             SPConstants.SHA1,
222                             WSSConstants.NS_XENC11_AES128_GCM,
223                             SPConstants.KW_AES128,
224                             SPConstants.KW_RSA_OAEP,
225                             SPConstants.P_SHA1_L128,
226                             SPConstants.P_SHA1_L128,
227                             128, 128, 128, 256, 1024, 4096
228                     ));
229                 } else if ("Basic192GCM".equals(assertionName)) {
230                     setAlgorithmSuiteType(new AlgorithmSuiteType(
231                             "Basic192GCM",
232                             SPConstants.SHA1,
233                             WSSConstants.NS_XENC11_AES192_GCM,
234                             SPConstants.KW_AES192,
235                             SPConstants.KW_RSA_OAEP,
236                             SPConstants.P_SHA1_L192,
237                             SPConstants.P_SHA1_L192,
238                             192, 192, 192, 256, 1024, 4096));
239                 } else if ("Basic256GCM".equals(assertionName)) {
240                     setAlgorithmSuiteType(new AlgorithmSuiteType(
241                             "Basic256GCM",
242                             SPConstants.SHA1,
243                             WSSConstants.NS_XENC11_AES256_GCM,
244                             SPConstants.KW_AES256,
245                             SPConstants.KW_RSA_OAEP,
246                             SPConstants.P_SHA1_L256,
247                             SPConstants.P_SHA1_L192,
248                             256, 192, 256, 256, 1024, 4096));
249                 }
250             }
251         }
252 
253         class GCMAlgorithmSuiteBuilder extends AlgorithmSuiteBuilder {
254             @Override
255             protected AlgorithmSuite createAlgorithmSuite(SPConstants.SPVersion version, Policy nestedPolicy) {
256                 return new GCMAlgorithmSuite(version, nestedPolicy);
257             }
258         }
259 
260         List<AssertionBuilder<Element>> customAssertionBuilders = new ArrayList<>();
261         customAssertionBuilders.add(new GCMAlgorithmSuiteBuilder());
262         PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString, false, customAssertionBuilders);
263 
264         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
265         operationSecurityEvent.setOperation(new QName("definitions"));
266         policyEnforcer.registerSecurityEvent(operationSecurityEvent);
267 
268         AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
269         algorithmSuiteSecurityEvent.setAlgorithmURI(WSSConstants.NS_XENC11_AES256_GCM);
270         algorithmSuiteSecurityEvent.setKeyLength(256);
271         algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
272         policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
273 
274         algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
275         algorithmSuiteSecurityEvent.setAlgorithmURI(WSSConstants.NS_XENC_AES256);
276         algorithmSuiteSecurityEvent.setKeyLength(256);
277         algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.Enc);
278 
279         try {
280             policyEnforcer.registerSecurityEvent(algorithmSuiteSecurityEvent);
281             fail("Exception expected");
282         } catch (Exception e) {
283             assertEquals(e.getCause().getMessage(), "Encryption algorithm http://www.w3.org/2001/04/xmlenc#aes256-cbc does not meet policy");
284         }
285     }
286 }