Navigation Menu

Skip to content
This repository has been archived by the owner on May 26, 2020. It is now read-only.

Commit

Permalink
SANTUARIO-490 - Use requested SecureRandom for OAEP in XMLCipher.encr…
Browse files Browse the repository at this point in the history 
…yptKey

git-svn-id: https://svn.apache.org/repos/asf/santuario/xml-security-java/trunk@1838001 13f79535-47bb-0310-9956-ffa450edef68
  • Loading branch information
@coheigea
coheigea committed Aug 14, 2018
1 parent 89f66bd commit 2fc0e59
Show file tree
Hide file tree
Showing 2 changed files with 116 additions and 4 deletions.
37 changes: 34 additions & 3 deletions src/main/java/org/apache/xml/security/encryption/XMLCipher.java
View file
Expand Up @@ -30,6 +30,7 @@
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.util.ArrayList;
Expand Down Expand Up @@ -1317,6 +1318,28 @@ public EncryptedKey encryptKey(
Key key,
String mgfAlgorithm,
byte[] oaepParams
) throws XMLEncryptionException {
return encryptKey(doc, key, mgfAlgorithm, oaepParams, null);
}

/**
* Encrypts a key to an EncryptedKey structure
*
* @param doc the Context document that will be used to general DOM
* @param key Key to encrypt (will use previously set KEK to
* perform encryption
* @param mgfAlgorithm The xenc11 MGF Algorithm to use
* @param oaepParams The OAEPParams to use
* @param random The SecureRandom instance to use when initializing the Cipher
* @return the <code>EncryptedKey</code>
* @throws XMLEncryptionException
*/
public EncryptedKey encryptKey(
Document doc,
Key key,
String mgfAlgorithm,
byte[] oaepParams,
SecureRandom random
) throws XMLEncryptionException {
LOG.debug("Encrypting key ...");

Expand Down Expand Up @@ -1350,10 +1373,18 @@ public EncryptedKey encryptKey(
constructOAEPParameters(
algorithm, digestAlg, mgfAlgorithm, oaepParams
);
if (oaepParameters == null) {
c.init(Cipher.WRAP_MODE, this.key);
if (random != null) {
if (oaepParameters == null) {
c.init(Cipher.WRAP_MODE, this.key, random);
} else {
c.init(Cipher.WRAP_MODE, this.key, oaepParameters, random);
}
} else {
c.init(Cipher.WRAP_MODE, this.key, oaepParameters);
if (oaepParameters == null) {
c.init(Cipher.WRAP_MODE, this.key);
} else {
c.init(Cipher.WRAP_MODE, this.key, oaepParameters);
}
}
encryptedBytes = c.wrap(key);
} catch (InvalidKeyException ike) {
Expand Down
83 changes: 82 additions & 1 deletion src/test/java/org/apache/xml/security/test/dom/encryption/XMLEncryption11Test.java
View file
Expand Up @@ -23,6 +23,7 @@
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashMap;
Expand Down Expand Up @@ -218,6 +219,72 @@ public void testKeyWrappingRSA2048EncryptDecrypt() throws Exception {
}
}

/**
* rsa-oaep-mgf1p, Digest:SHA256, MGF:SHA1, PSource: None
*/
@org.junit.Test
public void testKeyWrappingRSA2048EncryptDecryptWithSecureRandom() throws Exception {
if (haveISOPadding) {
String keystore =
"src/test/resources/org/w3c/www/interop/xmlenc-core-11/RSA-2048_SHA256WithRSA.jks";
String basedir = System.getProperty("basedir");
if (basedir != null && !"".equals(basedir)) {
keystore = basedir + "/" + keystore;
}

KeyStore keyStore = KeyStore.getInstance("jks");
keyStore.load(new java.io.FileInputStream(keystore), "passwd".toCharArray());

Certificate cert = keyStore.getCertificate("importkey");

KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)
keyStore.getEntry("importkey", new KeyStore.PasswordProtection("passwd".toCharArray()));
PrivateKey rsaKey = pkEntry.getPrivateKey();

// Perform encryption
String filename = "src/test/resources/org/w3c/www/interop/xmlenc-core-11/plaintext.xml";
if (basedir != null && !"".equals(basedir)) {
filename = basedir + "/" + filename;
}
File f = new File(filename);

DocumentBuilder db = XMLUtils.createDocumentBuilder(false);
Document doc = db.parse(new java.io.FileInputStream(f));

Key sessionKey = getSessionKey("http://www.w3.org/2009/xmlenc11#aes128-gcm");
EncryptedKey encryptedKey =
createEncryptedKey(
doc,
(X509Certificate)cert,
sessionKey,
"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
"http://www.w3.org/2000/09/xmldsig#sha1",
null,
null,
new SecureRandom()
);

doc =
encryptDocument(
doc,
encryptedKey,
sessionKey,
"http://www.w3.org/2009/xmlenc11#aes128-gcm"
);
// XMLUtils.outputDOM(doc.getFirstChild(), System.out);

// Perform decryption
Document dd = decryptElement(doc, rsaKey, (X509Certificate)cert);
// XMLUtils.outputDOM(dd.getFirstChild(), System.out);
checkDecryptedDoc(dd, true);
} else {
LOG.warn(
"Skipping testRSA2048 as necessary "
+ "crypto algorithms are not available"
);
}
}

/**
* rsa-oaep-mgf1p, Digest:SHA256, MGF:SHA1, PSource: None
*/
Expand Down Expand Up @@ -600,12 +667,26 @@ private EncryptedKey createEncryptedKey(
String digestMethod,
String mgfAlgorithm,
byte[] oaepParams
) throws Exception {
return createEncryptedKey(doc, rsaCert, sessionKey, encryptionMethod,
digestMethod, mgfAlgorithm, oaepParams, null);
}

private EncryptedKey createEncryptedKey(
Document doc,
X509Certificate rsaCert,
Key sessionKey,
String encryptionMethod,
String digestMethod,
String mgfAlgorithm,
byte[] oaepParams,
SecureRandom random
) throws Exception {
// Create the XMLCipher element
XMLCipher cipher = XMLCipher.getInstance(encryptionMethod, null, digestMethod);

cipher.init(XMLCipher.WRAP_MODE, rsaCert.getPublicKey());
EncryptedKey encryptedKey = cipher.encryptKey(doc, sessionKey, mgfAlgorithm, oaepParams);
EncryptedKey encryptedKey = cipher.encryptKey(doc, sessionKey, mgfAlgorithm, oaepParams, random);

KeyInfo builderKeyInfo = encryptedKey.getKeyInfo();
if (builderKeyInfo == null) {
Expand Down

0 comments on commit 2fc0e59

Please sign in to comment.