WSS4J: WSS-111

Some work on UsernameToken derived keys

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.5.5
    • Component/s: None
    • Labels:
      None

      Description

      The UsernameToken profile 1.1 provides for using UsernameTokens for key derivation (section 4: Key Derivation). We currently have some limited support in UsernameToken.java for generating and parsing UsernameTokens with derived keys, but no tests.

      The attached patch contains the following improvements:

      1) Two bugs in processing a Username Token with a derived key in UsernameToken.java are fixed, plus some cleanup of the code.

      2) WSSecUsernameToken.java is extended to wrap the key derivation functionality of UsernameToken.java.

      3) A unit test is added for UsernameToken.java, as well as two tests which use a derived key from a username token for encryption and signing purposes.

      The processing of a UsernameToken with derived keys is left for a future release.

      Attachments: wss4j_derived_keys.patch (17 kB, Colm O hEigeartaigh)
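The derivation the description refers to (UsernameToken Profile 1.1, section 4), written out as an added Python example; this is not WSS4J code and not part of the attached patch. It assumes the profile's rules as I know them: a 16-octet salt whose first octet is 0x01 for a signature key and 0x02 for an encryption key, a default iteration count of 1000, and the password UTF-8 encoded before hashing (the detail Fred's comment below touches on); the function names are my own.

```python
import hashlib
import os

# Constants follow UsernameToken Profile 1.1, section 4 (Key Derivation).
DEFAULT_ITERATION = 1000   # used when <wsse11:Iteration> is absent
SALT_SIGNATURE = 0x01      # first salt octet: key is for a signature / MAC
SALT_ENCRYPTION = 0x02     # first salt octet: key is for encryption
SALT_LEN = 16              # the profile's 128-bit salt


def make_salt(for_encryption, random_part=None):
    """Build the 16-octet salt: one usage octet followed by 15 random octets.

    random_part is only for deterministic tests; leave it None in real use.
    """
    rand = os.urandom(SALT_LEN - 1) if random_part is None else random_part
    if len(rand) != SALT_LEN - 1:
        raise ValueError("expected %d random octets" % (SALT_LEN - 1))
    usage = SALT_ENCRYPTION if for_encryption else SALT_SIGNATURE
    return bytes([usage]) + rand


def derive_key(password, salt, iteration=DEFAULT_ITERATION):
    """Return the 160-bit derived key.

    K1 = SHA-1(UTF-8(password) || salt); Ki = SHA-1(K(i-1)) for i = 2..iteration.
    """
    if len(salt) != SALT_LEN or salt[0] not in (SALT_SIGNATURE, SALT_ENCRYPTION):
        raise ValueError("salt must be 16 octets starting with 0x01 or 0x02")
    if iteration < 1:
        raise ValueError("iteration count must be at least 1")
    # Encode the password as UTF-8 explicitly: a platform-default charset
    # would derive different keys for the same password on different hosts.
    key = hashlib.sha1(password.encode("utf-8") + salt).digest()
    for _ in range(iteration - 1):
        key = hashlib.sha1(key).digest()
    return key


if __name__ == "__main__":
    # Constructed demo values; the usage octet keeps the two keys distinct
    # even though password and random part are identical.
    sig_salt = make_salt(False, bytes(range(15)))
    enc_salt = make_salt(True, bytes(range(15)))
    print("signature key:", derive_key("s3cret", sig_salt).hex())
    print("encryption key:", derive_key("s3cret", enc_salt).hex())
```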

        Activity

        Colm O hEigeartaigh added a comment -

        I should be able to squeeze this in for 1.5.5

        Sérgio Patrício added a comment -

        I used the test case TestWSSecurityUTDK.java to try this, the code worked OK and the generated soap seems good.
        The validation didn't work; I received the error:
        org.apache.ws.security.WSSecurityException: The signature or decryption was invalid (Unsupported key identification)
        at org.apache.ws.security.processor.DerivedKeyTokenProcessor.extractSecret(DerivedKeyTokenProcessor.java:156)
        at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:67)

        Fred Dushin added a comment -

        Committed Colm's patch.

        Note that I also forced conversion of the pre-SHA1 hashed password to UTF-8.

        Could we get a review on this patch, before closure?

        Thanks!


          People

          • Assignee:
            Colm O hEigeartaigh
            Reporter:
            Colm O hEigeartaigh
          • Votes: 0
          • Watchers: 0
