Merge remote-tracking branch 'refs/remotes/origin/master'

Evolveum · Sep 3, 2019 · 5ff5753 · 5ff5753
2 parents 98dc65e + 5a9f812
commit 5ff5753
Show file tree

Hide file tree

Showing 12 changed files with 53 additions and 54 deletions.
diff --git a/build-system/pom.xml b/build-system/pom.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <!--
-  ~ Copyright (c) 2010-2017 Evolveum
+  ~ Copyright (c) 2010-2019 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -82,7 +82,7 @@
         <wicket.version>8.3.0</wicket.version>
         <groovy.version>2.5.6</groovy.version>
         <commons-email.version>1.3</commons-email.version>
-        <xmlsec.version>2.0.6</xmlsec.version>
+        <xmlsec.version>2.1.4</xmlsec.version>
         <connid.version>1.5.0.10</connid.version>
         <jasper.version>6.5.0</jasper.version>
         <derby.version>10.11.1.1</derby.version>
@@ -801,6 +801,8 @@
                 </exclusions>
             </dependency>
             <dependency>
+            	<!-- Need to explicitly specify this, because there seems to be three different xmlsec
+            	     dependencies in CXF (three versions). Once the CXF is gone, xmlsec can go as well. MID-5714 -->
 				<groupId>org.apache.santuario</groupId>
 				<artifactId>xmlsec</artifactId>
 				<version>${xmlsec.version}</version>

diff --git a/infra/common/pom.xml b/infra/common/pom.xml
@@ -138,10 +138,5 @@
 			<version>4.0-SNAPSHOT</version>
 			<scope>test</scope>
 		</dependency>
-		<dependency>
-			<groupId>org.apache.santuario</groupId>
-			<artifactId>xmlsec</artifactId>
-			<scope>test</scope>
-		</dependency>
 	</dependencies>
 </project>
diff --git a/infra/common/src/test/java/com/evolveum/midpoint/common/TestCryptoUtil.java b/infra/common/src/test/java/com/evolveum/midpoint/common/TestCryptoUtil.java
@@ -32,7 +32,6 @@
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
-import org.apache.xml.security.encryption.XMLCipher;
 import org.testng.annotations.BeforeSuite;
 import org.testng.annotations.Listeners;
 import org.testng.annotations.Test;
@@ -274,7 +273,7 @@ private Protector createProtector() {
 		return KeyStoreBasedProtectorBuilder.create(getPrismContext())
 				.keyStorePassword(KEYSTORE_PASSWORD)
 				.keyStorePath(KEYSTORE_PATH)
-				.encryptionAlgorithm(XMLCipher.AES_256)
+				.encryptionAlgorithm(Protector.XMLSEC_ENCRYPTION_ALGORITHM_AES256_CBC)
 				.initialize();
 	}
 
@@ -283,7 +282,7 @@ private Protector createCompromisedProtector() {
 				.keyStorePassword(KEYSTORE_PASSWORD)
 				.keyStorePath(KEYSTORE_PATH)
 				.encryptionKeyAlias("compromised")
-				.encryptionAlgorithm(XMLCipher.AES_256)
+				.encryptionAlgorithm(Protector.XMLSEC_ENCRYPTION_ALGORITHM_AES256_CBC)
 				.initialize();
 	}
 

diff --git a/infra/prism-api/pom.xml b/infra/prism-api/pom.xml
@@ -57,10 +57,6 @@
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-collections4</artifactId>
 		</dependency>
-		<dependency>
-			<groupId>org.apache.santuario</groupId>
-			<artifactId>xmlsec</artifactId>
-		</dependency>
         <dependency>
             <groupId>org.jetbrains</groupId>
             <artifactId>annotations-java5</artifactId>

diff --git a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/crypto/Protector.java b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/crypto/Protector.java
@@ -30,6 +30,10 @@
 
 public interface Protector {
 
+	static final String XMLSEC_ENCRYPTION_NS = "http://www.w3.org/2001/04/xmlenc";
+    static final String XMLSEC_ENCRYPTION_ALGORITHM_AES128_CBC = XMLSEC_ENCRYPTION_NS + "#aes128-cbc";
+    static final String XMLSEC_ENCRYPTION_ALGORITHM_AES256_CBC = XMLSEC_ENCRYPTION_NS + "#aes256-cbc";
+
 	<T> void decrypt(ProtectedData<T> protectedData) throws EncryptionException, SchemaException;
 
 	<T> void encrypt(ProtectedData<T> protectedData) throws EncryptionException;

diff --git a/.../prism-api/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedDataType.java b/.../prism-api/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedDataType.java
@@ -31,13 +31,11 @@
 import javax.xml.bind.annotation.XmlTransient;
 import javax.xml.bind.annotation.XmlType;
 import javax.xml.namespace.QName;
-
+import org.apache.commons.codec.binary.Base64;
 import com.evolveum.midpoint.prism.JaxbVisitable;
 import com.evolveum.midpoint.prism.JaxbVisitor;
 import com.evolveum.midpoint.prism.util.CloneUtil;
 import org.apache.commons.lang.StringUtils;
-import org.apache.xml.security.exceptions.Base64DecodingException;
-import org.apache.xml.security.utils.Base64;
 import org.w3c.dom.Element;
 
 import com.evolveum.midpoint.prism.crypto.ProtectedData;
@@ -256,12 +254,7 @@ private EncryptedDataType convertXmlEncToEncryptedDate(Element eEncryptedData) {
 			Element eCipherValue = DOMUtil.getChildElement(eCipherData, F_XML_ENC_CIPHER_VALUE);
 			if (eCipherValue != null) {
 				String cipherValue = eCipherValue.getTextContent();
-				byte[] cipherValueBytes;
-				try {
-					cipherValueBytes = Base64.decode(cipherValue);
-				} catch (Base64DecodingException e) {
-					throw new IllegalArgumentException("Bad base64 encoding in CipherValue element: "+e.getMessage(),e);
-				}
+				byte[] cipherValueBytes = Base64.decodeBase64(cipherValue);
 				cipherDataType.setCipherValue(cipherValueBytes);
 			}
     	}

diff --git a/infra/prism-impl/pom.xml b/infra/prism-impl/pom.xml
@@ -81,10 +81,6 @@
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-collections4</artifactId>
 		</dependency>
-		<dependency>
-			<groupId>org.apache.santuario</groupId>
-			<artifactId>xmlsec</artifactId>
-		</dependency>
         <dependency>
             <groupId>org.jetbrains</groupId>
             <artifactId>annotations-java5</artifactId>

diff --git a/...mpl/src/main/java/com/evolveum/midpoint/prism/impl/crypto/KeyStoreBasedProtectorImpl.java b/...mpl/src/main/java/com/evolveum/midpoint/prism/impl/crypto/KeyStoreBasedProtectorImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,10 +28,7 @@
 import com.evolveum.prism.xml.ns._public.types_3.*;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.Validate;
-import org.apache.xml.security.Init;
-import org.apache.xml.security.algorithms.JCEMapper;
-import org.apache.xml.security.encryption.XMLCipher;
-import org.apache.xml.security.utils.Base64;
+import org.apache.commons.codec.binary.Base64;
 import org.jetbrains.annotations.NotNull;
 
 import javax.crypto.BadPaddingException;
@@ -85,7 +82,9 @@ public class KeyStoreBasedProtectorImpl extends BaseProtector implements KeyStor
     private static final String ALGORITH_PBKDF2_WITH_HMAC_SHA512_URI = QNameUtil.qNameToUri(ALGORITH_PBKDF2_WITH_HMAC_SHA512_QNAME);
 
     private static final String KEY_DIGEST_TYPE = "SHA1";
-    private static final String DEFAULT_ENCRYPTION_ALGORITHM = XMLCipher.AES_128;
+
+    private static final String DEFAULT_ENCRYPTION_ALGORITHM = XMLSEC_ENCRYPTION_ALGORITHM_AES256_CBC;
+
     private static final char[] KEY_PASSWORD = "midpoint".toCharArray();
 
     private static final String DEFAULT_DIGEST_ALGORITHM = ALGORITH_PBKDF2_WITH_HMAC_SHA512_URI;
@@ -109,13 +108,17 @@ public class KeyStoreBasedProtectorImpl extends BaseProtector implements KeyStor
 
     private static final Map<String, SecretKey> aliasToSecretKeyHashMap = new HashMap<>();
     private static final Map<String, SecretKey> digestToSecretKeyHashMap = new HashMap<>();
+    private static final Map<String,String> xmlsecToJceAlgorithmMap = new HashMap<>();
 
     static {
         try {
             keyStore = KeyStore.getInstance("jceks");
         } catch (KeyStoreException ex) {
             throw new SystemException(ex.getMessage(), ex);
         }
+
+        xmlsecToJceAlgorithmMap.put(XMLSEC_ENCRYPTION_ALGORITHM_AES128_CBC, "AES/CBC/ISO10126Padding");
+        xmlsecToJceAlgorithmMap.put(XMLSEC_ENCRYPTION_ALGORITHM_AES256_CBC, "AES/CBC/ISO10126Padding");
     }
 
 	public KeyStoreBasedProtectorImpl() {
@@ -199,7 +202,7 @@ public void init() {
                     LOGGER.trace("Found secret key for alias {}", alias);
                     aliasToSecretKeyHashMap.put(alias, secretKey);
 
-                    final String digest = Base64.encode(sha1.digest(key.getEncoded()));
+                    final String digest = Base64.encodeBase64String(sha1.digest(key.getEncoded()));
                     LOGGER.trace("Calculated digest {} for key alias {}", digest, key);
                     digestToSecretKeyHashMap.put(digest, secretKey);
 
@@ -219,9 +222,6 @@ public void init() {
                 trustManagers.add(trustManager);
             }
 
-            //init apache crypto library
-            Init.init();
-
         } catch (Exception ex) {
             LOGGER.error("Unable to work with keystore {}, reason {}.",
                 new Object[]{getKeyStorePath(), ex.getMessage()}, ex);
@@ -398,7 +398,7 @@ private byte[] decryptBytes(byte[] encryptedBytes, String algorithmUri, Key key)
     }
 
     private Cipher getCipher(int cipherMode, String algorithmUri) throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException, InvalidKeyException, InvalidAlgorithmParameterException {
-        String jceAlgorithm = JCEMapper.translateURItoJCEID(algorithmUri);//JCEMapper.getJCEKeyAlgorithmFromURI(algorithmUri);
+    	String jceAlgorithm = xmlsecToJceAlgorithmMap.get(algorithmUri);
         Cipher cipher;
         if (requestedJceProviderName == null) {
             cipher = Cipher.getInstance(jceAlgorithm);

diff --git a/infra/prism-impl/src/test/java/com/evolveum/midpoint/prism/crypto/TestProtector.java b/infra/prism-impl/src/test/java/com/evolveum/midpoint/prism/crypto/TestProtector.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,7 +19,6 @@
 import static org.testng.AssertJUnit.assertNull;
 import static org.testng.AssertJUnit.assertTrue;
 import static org.testng.AssertJUnit.assertFalse;
-import org.apache.xml.security.encryption.XMLCipher;
 import org.testng.AssertJUnit;
 import org.testng.annotations.Test;
 
@@ -36,8 +35,8 @@ public class TestProtector {
 	public void testProtectorEncryptionRoundTrip() throws Exception {
 		String value = "someValue";
 
-		Protector protector256 = PrismInternalTestUtil.createProtector(XMLCipher.AES_256);
-		Protector protector128 = PrismInternalTestUtil.createProtector(XMLCipher.AES_128);
+		Protector protector256 = PrismInternalTestUtil.createProtector(Protector.XMLSEC_ENCRYPTION_ALGORITHM_AES256_CBC);
+		Protector protector128 = PrismInternalTestUtil.createProtector(Protector.XMLSEC_ENCRYPTION_ALGORITHM_AES128_CBC);
 
 		ProtectedStringType pdt = new ProtectedStringType();
 		pdt.setClearValue(value);
@@ -113,7 +112,7 @@ public void testProtectorHashRoundTrip() throws Exception {
 		pst.setClearValue(value);
 		assertFalse(pst.isEmpty());
 
-		Protector protector256 = PrismInternalTestUtil.createProtector(XMLCipher.AES_256);
+		Protector protector256 = PrismInternalTestUtil.createProtector(Protector.XMLSEC_ENCRYPTION_ALGORITHM_AES256_CBC);
 
 		// WHEN
 		protector256.hash(pst);

diff --git a/infra/prism-impl/src/test/java/com/evolveum/midpoint/prism/lex/TestProtectedString.java b/infra/prism-impl/src/test/java/com/evolveum/midpoint/prism/lex/TestProtectedString.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,7 +25,6 @@
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 
-import org.apache.xml.security.encryption.XMLCipher;
 import org.testng.annotations.BeforeSuite;
 import org.testng.annotations.Test;
 import org.xml.sax.SAXException;
@@ -55,7 +54,7 @@ public void testParseProtectedStringEncrypted() throws Exception {
 		displayTestTitle(TEST_NAME);
 
 		// GIVEN
-        Protector protector = PrismInternalTestUtil.createProtector(XMLCipher.AES_128);
+        Protector protector = PrismInternalTestUtil.createProtector(Protector.XMLSEC_ENCRYPTION_ALGORITHM_AES256_CBC);
         ProtectedStringType protectedStringType = protector.encryptString("salalala");
 
         PrismContext prismContext = PrismTestUtil.getPrismContext();
@@ -80,7 +79,7 @@ public void testParseProtectedStringHashed() throws Exception {
 		// GIVEN
 		ProtectedStringType protectedStringType = new ProtectedStringType();
 		protectedStringType.setClearValue("blabla");
-        Protector protector = PrismInternalTestUtil.createProtector(XMLCipher.AES_128);
+        Protector protector = PrismInternalTestUtil.createProtector(Protector.XMLSEC_ENCRYPTION_ALGORITHM_AES256_CBC);
         protector.hash(protectedStringType);
 
         PrismContext prismContext = PrismTestUtil.getPrismContext();

diff --git a/tools/ninja/pom.xml b/tools/ninja/pom.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2010-2017 Evolveum
+  ~ Copyright (c) 2010-2019 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -190,12 +190,12 @@
             <artifactId>commons-io</artifactId>
         </dependency>
         <dependency>
-            <groupId>commons-configuration</groupId>
-            <artifactId>commons-configuration</artifactId>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
         </dependency>
         <dependency>
-            <groupId>org.apache.santuario</groupId>
-            <artifactId>xmlsec</artifactId>
+            <groupId>commons-configuration</groupId>
+            <artifactId>commons-configuration</artifactId>
         </dependency>
         <dependency>
 		    <groupId>javax.xml.ws</groupId>

diff --git a/tools/ninja/src/main/java/com/evolveum/midpoint/ninja/action/ListKeysRepositoryAction.java b/tools/ninja/src/main/java/com/evolveum/midpoint/ninja/action/ListKeysRepositoryAction.java
@@ -1,3 +1,18 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package com.evolveum.midpoint.ninja.action;
 
 import com.evolveum.midpoint.ninja.impl.LogTarget;
@@ -6,7 +21,8 @@
 import com.evolveum.midpoint.prism.crypto.EncryptionException;
 import com.evolveum.midpoint.prism.crypto.KeyStoreBasedProtector;
 import com.evolveum.midpoint.prism.crypto.Protector;
-import org.apache.xml.security.utils.Base64;
+
+import org.apache.commons.codec.binary.Base64;
 import org.springframework.context.ApplicationContext;
 
 import javax.crypto.SecretKey;
@@ -123,6 +139,6 @@ private String getSecretKeyDigest(SecretKey key) throws NinjaException {
             throw new NinjaException(ex.getMessage(), ex);
         }
 
-        return Base64.encode(sha1.digest(key.getEncoded()));
+        return Base64.encodeBase64String(sha1.digest(key.getEncoded()));
     }
 }