CYBS-737: Review comments fix

Author: sumadhav

README.md

@@ -227,25 +227,27 @@ Retry Pattern allows to retry sending a failed request and it will only work wit
   - Config parameter for this property is 'retryInterval' in `cybs.property` file. The default value for 'retryInterval' parameter is 1000 which means a delay of 1000 milliSeconds.
 
 ## Third Party jars
-    1. org.apache.ws.security.wss4j:1.6.19
-      The Apache WSS4J project provides a Java implementation of the primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.
-    2. org.bouncycastle:bcprov-jdk15on:1.61
+    1. org.apache.wss4j:wss4j-ws-security-common:2.4.1
+      The Apache WSS4J project provides a Java implementation of the common primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.
+    2. org.apache.wss4j:wss4j-ws-security-dom:2.4.1
+      WSS4J 2.0.0 introduces a streaming (StAX-based) WS-Security implementation to complement the existing DOM-based implementation. The DOM-based implementation is quite performant and flexible, but suffers from having to read the entire XML tree into memory. For large SOAP requests this can have a detrimental impact on performance. In addition, for web services stacks such as Apache CXF which are streaming-based, it carries an additional performance penalty of having to explicitly convert the request stream to a DOM Element.
+    3. org.bouncycastle:bcprov-jdk15on:1.67
       This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
-    3. org.apache.santuario:xmlsec:1.5.6
+    4. org.apache.santuario:xmlsec:2.3.0
       The XML Security project is aimed at providing implementation of security standards for XML,supports XML-Signature Syntax and Processing,XML Encryption Syntax and Processing, and supports XML Digital Signature APIs.
-    4. org.apache.commons:commons-lang3:3.4
+    5. org.apache.commons:commons-lang3:3.4
       Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
-    5. commons-logging:commons-logging:jar:1.1.1
+    6. commons-logging:commons-logging:jar:1.1.1
       This is getting downloaded as compile time dependency of wss4j:1.6.19.Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.
-    6. org.slf4j:slf4j-api:1.7.21 and org.slf4j:slf4j-jcl:1.7.21
+    7. org.slf4j:slf4j-api:1.7.32, org.slf4j:slf4j-jcl:1.7.32, org.slf4j:slf4j-simple:1.7.32
       slf4j-api is getting used as a dependency for wss4j. Modified to latest version.
-    7. junit:junit:4.13.1
+    8. junit:junit:4.13.1
       JUnit is a unit testing framework for Java.
-    8. org.mockito:mockito-all:1.10.19
+    9. org.mockito:mockito-all:1.10.19
       Mock objects library for java  
-    9. org.apache.httpcomponents:httpclient:4.5.13
+    10. org.apache.httpcomponents:httpclient:4.5.13
        Provides reusable components for client-side authentication, HTTP state management, and HTTP connection management. It is used for poolinghttpclientconnectionmanager feature.
-    10. org.apache.httpcomponents:httpcore:4.4.13
+    11. org.apache.httpcomponents:httpcore:4.4.13
        Provides low level HTTP transport components that can be used to build custom client and server side HTTP services with a minimal footprint.
 
 ## Changes

java/src/main/java/com/cybersource/ws/client/SecurityUtil.java

@@ -2,6 +2,7 @@
 
 import org.apache.wss4j.common.WSEncryptionPart;
 import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDocInfo;
 import org.apache.wss4j.dom.message.WSSecEncrypt;
@@ -12,7 +13,6 @@
 import org.w3c.dom.Document;
 
 import javax.crypto.KeyGenerator;
-import javax.crypto.SecretKey;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
@@ -46,8 +46,6 @@ public class SecurityUtil {
     private static final String SIGNATURE_ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
     // By default digest algorithm is set to "http://www.w3.org/2000/09/xmldsig#sha1"
     private static final String DIGEST_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#sha256";
-    // SymmetricKey Generator Algorithm to handle message encryption
-    private static final String SYM_KEY_ALGO = "AES";
 
     private static BouncyCastleProvider bcProvider = new BouncyCastleProvider();
 
@@ -56,6 +54,8 @@ public class SecurityUtil {
         Security.addProvider(bcProvider);
         try {
             initKeystore();
+            //Must initialize xml-security library correctly before use it
+            Init.init();
         } catch (Exception e) {
             localKeyStoreHandler=null;
         }
@@ -205,9 +205,6 @@ public static Document handleMessageCreation(Document signedDoc, String merchant
             throw new SignException(e);
         }
 
-        //Must initialize xml-security library correctly before use it
-        Init.init();
-
         WSSecEncrypt encrBuilder = new WSSecEncrypt(secHeader);
         //Set the user name to get the encryption certificate.
         //The public key of this certificate is used, thus no password necessary. The user name is a keystore alias usually.
@@ -225,7 +222,6 @@ public static Document handleMessageCreation(Document signedDoc, String merchant
         //Sets the algorithm to encode the symmetric key. Default is the WSConstants.KEYTRANSPORT_RSAOEP algorithm.
         //encrBuilder.setKeyEnc(WSConstants.KEYTRANSPORT_RSAOEP);
 
-
         //Create signed document
         //Document signedDoc = createSignedDoc(workingDocument,senderAlias,password,secHeader);
 
@@ -235,13 +231,8 @@ public static Document handleMessageCreation(Document signedDoc, String merchant
             // If no external key (symmetricalKey) was set ,generate an encryption
             // key (session key) for this Encrypt element. This key will be
             // encrypted using the public key of the receiver
-            SecretKey symmetricKey;
-            try {
-                symmetricKey = KeyGenerator.getInstance(SYM_KEY_ALGO).generateKey();
-            } catch (NoSuchAlgorithmException e) {
-                throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, e, "Failed to generate SecretKey");
-            }
-            signedEncryptedDoc = encrBuilder.build(localKeyStoreHandler, symmetricKey);
+            KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_256);
+            signedEncryptedDoc = encrBuilder.build(localKeyStoreHandler, keyGen.generateKey());
         } catch (WSSecurityException e) {
             logger.log(Logger.LT_EXCEPTION, "Failed while encrypting signed requeest for , '" + merchantId + "'" + " with " + SERVER_ALIAS);
             throw new SignEncryptException("Failed while encrypting signed requeest for , '" + merchantId + "'" + " with " + SERVER_ALIAS, e);
@@ -260,9 +251,8 @@ public static Document handleMessageCreation(Document signedDoc, String merchant
      * @throws SignException
      */
     public static Document createSignedDoc(Document workingDocument,String keyAlias, String password,Logger logger) throws SignException {
-
         logger.log(Logger.LT_INFO, "Signing request...");
-        long startTime = System.nanoTime();
+//        long startTime = System.nanoTime();
         WSSecHeader secHeader = new WSSecHeader(workingDocument);
         try {
             secHeader.insertSecurityHeader();
@@ -288,7 +278,7 @@ public static Document createSignedDoc(Document workingDocument,String keyAlias,
         try {
             sign.addReferencesToSign(Collections.singletonList(msgBodyPart));
             Document document = sign.build(localKeyStoreHandler);
-            System.out.println("SecurityUtil.createSignedDoc time taken to sign the request is " + TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - startTime) + " ms");
+//            System.out.println("SecurityUtil.createSignedDoc time taken to sign the request is " + TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - startTime) + " ms");
             return document;
         } catch (WSSecurityException e) {
             logger.log(Logger.LT_EXCEPTION, "Failed while signing request for , '" + keyAlias + "'");

zip/README

@@ -242,37 +242,39 @@ numberOfRetries parameter value should be set between 0 to 5. By default the val
 Config parameter for this property is 'retryInterval' in cybs.property file. The default value for 'retryInterval' parameter is 1000 which means a delay of 1000 milliSeconds.
 
 ##Third Party jars
-1.) org.apache.ws.security.wss4j:1.6.19
-The Apache WSS4J project provides a Java implementation of the primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications
-from the OASIS Web Services Security TC.
+1.) org.apache.wss4j:wss4j-ws-security-common:2.4.1
+      The Apache WSS4J project provides a Java implementation of the common primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.
 
-2.) org.bouncycastle:bcprov-jdk15on:1.61
+2.) org.apache.wss4j:wss4j-ws-security-dom:2.4.1
+      WSS4J 2.0.0 introduces a streaming (StAX-based) WS-Security implementation to complement the existing DOM-based implementation. The DOM-based implementation is quite performant and flexible, but suffers from having to read the entire XML tree into memory. For large SOAP requests this can have a detrimental impact on performance. In addition, for web services stacks such as Apache CXF which are streaming-based, it carries an additional performance penalty of having to explicitly convert the request stream to a DOM Element.
+
+3.) org.bouncycastle:bcprov-jdk15on:1.61
 This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
 
-3.) org.apache.santuario:xmlsec:1.5.6
+4.) org.apache.santuario:xmlsec:1.5.6
 The XML Security project is aimed at providing implementation of security standards for XML,supports XML-Signature Syntax and Processing,XML Encryption Syntax and Processing,
 and supports XML Digital Signature APIs.
 
-4.) org.apache.commons:commons-lang3:3.4
+5.) org.apache.commons:commons-lang3:3.4
 Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in
 java.lang.
 
-5.) commons-logging:commons-logging:jar:1.1.1
+6.) commons-logging:commons-logging:jar:1.1.1
 This is getting downloaded as compile time dependency of wss4j:1.6.19.Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.
 
-6.) org.slf4j:slf4j-api:1.7.21 and org.slf4j:slf4j-jcl:1.7.21
+7.) org.slf4j:slf4j-api:1.7.21 and org.slf4j:slf4j-jcl:1.7.21
 slf4j-api is getting used as a dependency for wss4j. Modified to latest version.
 
-7.) junit:junit:4.13.1
+8.) junit:junit:4.13.1
 JUnit is a unit testing framework for Java.
 
-8.) org.mockito:mockito-all:1.10.19
+9.) org.mockito:mockito-all:1.10.19
 Mock objects library for java
 
-9.) org.apache.httpcomponents:httpclient:4.5.13
+10.) org.apache.httpcomponents:httpclient:4.5.13
 provides reusable components for client-side authentication, HTTP state management, and HTTP connection management. It is used for poolinghttpclientconnectionmanager feature.
 
-10.) org.apache.httpcomponents:httpcore:4.4.13
+11.) org.apache.httpcomponents:httpcore:4.4.13
 Provides low level HTTP transport components that can be used to build custom client and server side HTTP services with a minimal footprint.
 
 ##Changes