|
Java example source code file (TruncateHMAC.java)
The TruncateHMAC.java Java example source code/* * Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ /** * @test %I% %E% * @bug 6824440 6858484 * @summary Check that Apache XMLSec APIs will not accept HMAC truncation * lengths less than minimum bound * @compile -XDignore.symbol.file TruncateHMAC.java * @run main TruncateHMAC */ import java.io.File; import javax.crypto.SecretKey; import javax.xml.parsers.DocumentBuilderFactory; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NodeList; import com.sun.org.apache.xml.internal.security.Init; import com.sun.org.apache.xml.internal.security.c14n.Canonicalizer; import com.sun.org.apache.xml.internal.security.signature.XMLSignature; import com.sun.org.apache.xml.internal.security.signature.XMLSignatureException; import com.sun.org.apache.xml.internal.security.utils.Constants; public class TruncateHMAC { private final static String DIR = System.getProperty("test.src", "."); private static DocumentBuilderFactory dbf = null; private static boolean atLeastOneFailed = false; public static void main(String[] args) throws Exception { Init.init(); dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); dbf.setValidating(false); validate("signature-enveloping-hmac-sha1-trunclen-0-attack.xml", false); validate("signature-enveloping-hmac-sha1-trunclen-8-attack.xml", false); // this one should pass validate("signature-enveloping-hmac-sha1.xml", true); generate_hmac_sha1_40(); if (atLeastOneFailed) { throw new Exception ("At least one signature did not validate as expected"); } } private static void validate(String data, boolean pass) throws Exception { System.out.println("Validating " + data); File file = new File(DIR, data); Document doc = dbf.newDocumentBuilder().parse(file); NodeList nl = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature"); if (nl.getLength() == 0) { throw new Exception("Couldn't find signature Element"); } Element sigElement = (Element) nl.item(0); XMLSignature signature = new XMLSignature (sigElement, file.toURI().toString()); SecretKey sk = signature.createSecretKey("secret".getBytes("ASCII")); try { System.out.println ("Validation status: " + signature.checkSignatureValue(sk)); if (!pass) { System.out.println("FAILED"); atLeastOneFailed = true; } else { System.out.println("PASSED"); } } catch (XMLSignatureException xse) { System.out.println(xse.getMessage()); if (!pass) { System.out.println("PASSED"); } else { System.out.println("FAILED"); atLeastOneFailed = true; } } } private static void generate_hmac_sha1_40() throws Exception { System.out.println("Generating "); Document doc = dbf.newDocumentBuilder().newDocument(); XMLSignature sig = new XMLSignature (doc, null, XMLSignature.ALGO_ID_MAC_HMAC_SHA1, 40, Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS); try { sig.sign(getSecretKey("secret".getBytes("ASCII"))); System.out.println("FAILED"); atLeastOneFailed = true; } catch (XMLSignatureException xse) { System.out.println(xse.getMessage()); System.out.println("PASSED"); } } private static SecretKey getSecretKey(final byte[] secret) { return new SecretKey() { public String getFormat() { return "RAW"; } public byte[] getEncoded() { return secret; } public String getAlgorithm(){ return "SECRET"; } }; } } Other Java examples (source code examples)Here is a short list of links related to this Java TruncateHMAC.java source code file: |
... this post is sponsored by my books ... | |
#1 New Release! |
FP Best Seller |
Copyright 1998-2024 Alvin Alexander, alvinalexander.com
All Rights Reserved.
A percentage of advertising revenue from
pages under the /java/jwarehouse
URI on this website is
paid back to open source projects.