Added check for specific enc algorithm on decrpytion

phax · Nov 28, 2024 · 52d2219 · 52d2219
1 parent 112bab0
commit 52d2219
Showing 1 changed file with 26 additions and 1 deletion.
diff --git a/...e4-lib/src/main/java/com/helger/phase4/incoming/soap/SoapHeaderElementProcessorWSS4J.java b/...e4-lib/src/main/java/com/helger/phase4/incoming/soap/SoapHeaderElementProcessorWSS4J.java
@@ -29,6 +29,7 @@
 import javax.annotation.Nullable;
 import javax.xml.namespace.QName;
 
+import org.apache.wss4j.common.crypto.AlgorithmSuite;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.util.AttachmentUtils;
 import org.apache.wss4j.dom.WSConstants;
@@ -152,6 +153,25 @@ private ESuccess _verifyAndDecrypt (@Nonnull final Document aSOAPDoc,
       aRequestData.setWssConfig (aWSSConfig);
       aRequestData.setSignatureProvider (m_aSecurityProviderSignVerify);
 
+      // Undocumented property "phase4.decrypt.verify.algorithm" - set to
+      // "false" to disable this check
+      if (AS4Configuration.getConfig ().getAsBoolean ("phase4.decrypt.verify.algorithm", true))
+      {
+        // Add a test that only the algorithm from the PMode is effectively
+        // delivered
+        final PModeLeg aPModeLeg = aIncomingState.getEffectivePModeLeg ();
+        if (aPModeLeg != null && aPModeLeg.getSecurity () != null)
+        {
+          final String sAlgorithmURI = aPModeLeg.getSecurity ().getX509EncryptionAlgorithm ().getAlgorithmURI ();
+          if (LOGGER.isDebugEnabled ())
+            LOGGER.debug ("Testing that the received message was encrypted with algorithm '" + sAlgorithmURI + "'");
+
+          final AlgorithmSuite aAlgorithmSuite = new AlgorithmSuite ();
+          aAlgorithmSuite.addEncryptionMethod (sAlgorithmURI);
+          aRequestData.setAlgorithmSuite (aAlgorithmSuite);
+        }
+      }
+
       // Enable CRL checking
       if (false)
         aRequestData.setEnableRevocation (true);
@@ -319,7 +339,12 @@ private ESuccess _verifyAndDecrypt (@Nonnull final Document aSOAPDoc,
        */
 
       // Decryption or Signature check failed
-      final String sDetails = "Error processing the WSSSecurity Header";
+      String sDetails = "Error processing the WSSSecurity Header";
+      if (ex instanceof WSSecurityException)
+      {
+        sDetails += " (WS Security error: " + ((WSSecurityException) ex).getErrorCode () + ")";
+      }
+
       LOGGER.error (sDetails, ex);
       // TODO we need a way to differentiate signature and decrypt
       // WSSecurityException provides no such thing