CYBS-737: WSS4j security vulnerability fix

Author: sumadhav

README.md

@@ -10,7 +10,7 @@ To install the `cybersource-sdk-java` from central repository, add dependency to
 <dependency>
   <groupId>com.cybersource</groupId>
   <artifactId>cybersource-sdk-java</artifactId>
-  <version>6.2.11</version>
+  <version>6.2.12</version>
 </dependency> 
 ```
 Run `mvn install` to install dependency
@@ -19,7 +19,7 @@ Run `mvn install` to install dependency
 Add the dependency to your build.gradle
 ```java
 dependencies {
-  compile 'com.cybersource:cybersource-sdk-java:6.2.11'
+  compile 'com.cybersource:cybersource-sdk-java:6.2.12'
 }
 ```
 ## Requirements
@@ -250,6 +250,11 @@ Retry Pattern allows to retry sending a failed request and it will only work wit
 
 ## Changes
 _______________________________
+Version Cybersource-sdk-java 6.2.12 (JUNE,2022)
+_______________________________
+    1) Apache WSS4j Security Vulnerability fix.
+_______________________________
+_______________________________
 Version Cybersource-sdk-java 6.2.11 (MAY,2020)
 _______________________________
     1)Exception handling improvement.

java/pom.xml

@@ -230,7 +230,7 @@
         <dependency>
     		<groupId>org.apache.santuario</groupId>
     		<artifactId>xmlsec</artifactId>
-    		<version>1.5.6</version>
+    		<version>2.3.0</version>
 		</dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
@@ -249,15 +249,14 @@
             <version>1.61</version>
         </dependency>
         <dependency>
-            <groupId>org.apache.ws.security</groupId>
-            <artifactId>wss4j</artifactId>
-            <version>1.6.19</version>
-	        <exclusions>
-                <exclusion>
-                    <groupId>org.opensaml</groupId>
-                    <artifactId>opensaml</artifactId>
-                </exclusion>
-            </exclusions>
+            <groupId>org.apache.wss4j</groupId>
+            <artifactId>wss4j-ws-security-common</artifactId>
+            <version>2.4.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.wss4j</groupId>
+            <artifactId>wss4j-ws-security-dom</artifactId>
+            <version>2.4.1</version>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
@@ -270,6 +269,12 @@
             <version>1.10.19</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.apache.wss4j</groupId>
+            <artifactId>wss4j-ws-security-dom</artifactId>
+            <version>2.4.1</version>
+            <scope>compile</scope>
+        </dependency>
     </dependencies>
 </project>
 

java/src/main/java/com/cybersource/ws/client/MessageHandlerKeyStore.java

@@ -1,7 +1,6 @@
 package com.cybersource.ws.client;
 
-import org.apache.ws.security.components.crypto.CredentialException;
-import org.apache.ws.security.components.crypto.Merlin;
+import org.apache.wss4j.common.crypto.Merlin;
 
 import java.io.IOException;
 import java.security.KeyStoreException;
@@ -15,11 +14,10 @@
 public class MessageHandlerKeyStore extends Merlin {
 
     /**
-     * @throws CredentialException
      * @throws IOException
      */
-	public MessageHandlerKeyStore() throws CredentialException, IOException {
-        super(null);
+	public MessageHandlerKeyStore() {
+        super();
         properties = new Properties();
     }
 

java/src/main/java/com/cybersource/ws/client/SecurityUtil.java

@@ -1,20 +1,20 @@
 package com.cybersource.ws.client;
 
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSEncryptionPart;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.CredentialException;
-import org.apache.ws.security.message.WSSecEncrypt;
-import org.apache.ws.security.message.WSSecHeader;
-import org.apache.ws.security.message.WSSecSignature;
+import org.apache.wss4j.common.WSEncryptionPart;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDocInfo;
+import org.apache.wss4j.dom.message.WSSecEncrypt;
+import org.apache.wss4j.dom.message.WSSecHeader;
+import org.apache.wss4j.dom.message.WSSecSignature;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.w3c.dom.Document;
 
+import javax.crypto.KeyGenerator;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.security.*;
-import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Collections;
@@ -44,7 +44,9 @@ public class SecurityUtil {
     private static final String SIGNATURE_ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
     // By default digest algorithm is set to "http://www.w3.org/2000/09/xmldsig#sha1"
     private static final String DIGEST_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#sha256";
-    
+    // SymmetricKey Generator Algorithm to handle message encryption
+    private static final String SYM_KEY_ALGO = "AES";
+
     private static BouncyCastleProvider bcProvider = new BouncyCastleProvider();
 
     // This is loaded by WSS4J but since we use it lets make sure its here
@@ -57,7 +59,7 @@ public class SecurityUtil {
         }
     }
 
-    private static void initKeystore() throws KeyStoreException, CredentialException, IOException, NoSuchAlgorithmException, CertificateException{
+    private static void initKeystore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException{
         KeyStore keyStore = KeyStore.getInstance("jks");
         keyStore.load(null, null);
         localKeyStoreHandler = new MessageHandlerKeyStore();
@@ -190,91 +192,92 @@ private static void readAndStoreCertificateAndPrivateKey(MerchantConfig merchant
      * @throws SignException
      */
     public static Document handleMessageCreation(Document signedDoc, String merchantId, Logger logger) throws SignEncryptException, SignException{
-        
+
         logger.log(Logger.LT_INFO, "Encrypting Signed doc ...");
-        
-        WSSecHeader secHeader = new WSSecHeader();
+
+        org.apache.xml.security.Init.init();
+        WSSecHeader secHeader = new WSSecHeader(signedDoc);
         try {
-            secHeader.insertSecurityHeader(signedDoc);
+            secHeader.insertSecurityHeader();
         } catch (WSSecurityException e) {
             logger.log(Logger.LT_EXCEPTION, "Exception while adding document in soap securiy header for MLE");
             throw new SignException(e);
         }
-        
-        WSSecEncrypt encrBuilder = new WSSecEncrypt();
+        WSSecEncrypt encrBuilder = new WSSecEncrypt(secHeader);
         //Set the user name to get the encryption certificate.
         //The public key of this certificate is used, thus no password necessary. The user name is a keystore alias usually.
         encrBuilder.setUserInfo(identities.get(SERVER_ALIAS).getKeyAlias());
-        
+
         /*This is to reference a public key or certificate when signing or encrypting a SOAP message.
          *The following valid values for these configuration items are:
          *IssuerSerial (default),DirectReference[BST],X509KeyIdentifier,Thumbprint,SKIKeyIdentifier,KeyValue (signature only),EncryptedKeySHA1 (encryption only)
          */
         encrBuilder.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
-        
+
         //This encryption algorithm is used to encrypt the data.
         encrBuilder.setSymmetricEncAlgorithm(WSConstants.AES_256);
-        
+
         //Sets the algorithm to encode the symmetric key. Default is the WSConstants.KEYTRANSPORT_RSAOEP algorithm.
         //encrBuilder.setKeyEnc(WSConstants.KEYTRANSPORT_RSAOEP);
-        
-        
+
+
         //Create signed document
         //Document signedDoc = createSignedDoc(workingDocument,senderAlias,password,secHeader);
-        
+
         Document signedEncryptedDoc;
         try {
             //Builds the SOAP envelope with encrypted Body and adds encrypted key.
             // If no external key (symmetricalKey) was set ,generate an encryption
             // key (session key) for this Encrypt element. This key will be
             // encrypted using the public key of the receiver
-            signedEncryptedDoc = encrBuilder.build(signedDoc, localKeyStoreHandler, secHeader);
-        } catch (WSSecurityException e) {
+            signedEncryptedDoc = encrBuilder.build(localKeyStoreHandler, KeyGenerator.getInstance(SYM_KEY_ALGO).generateKey());
+        } catch (WSSecurityException | NoSuchAlgorithmException e) {
             logger.log(Logger.LT_EXCEPTION, "Failed while encrypting signed requeest for , '" + merchantId + "'" + " with " + SERVER_ALIAS);
             throw new SignEncryptException("Failed while encrypting signed requeest for , '" + merchantId + "'" + " with " + SERVER_ALIAS, e);
         }
-        encrBuilder.prependToHeader(secHeader);
+        encrBuilder.prependToHeader();
         return signedEncryptedDoc;
     }
 
     /**
      * Create signed document
-     * @param workingDocument
+     * @param signedDoc
      * @param keyAlias
      * @param password
      * @param logger
      * @return Document
      * @throws SignException
      */
-    public static Document createSignedDoc(Document workingDocument,String keyAlias, String password,Logger logger) throws SignException {
-        
+    public static Document createSignedDoc(Document signedDoc,String keyAlias, String password,Logger logger) throws SignException {
+
         logger.log(Logger.LT_INFO, "Signing request...");
-        //long startTime = System.nanoTime();
-        WSSecHeader secHeader = new WSSecHeader();
+        long startTime = System.nanoTime();
+        WSSecHeader secHeader = new WSSecHeader(signedDoc);
         try {
-            secHeader.insertSecurityHeader(workingDocument);
+            secHeader.insertSecurityHeader();
         } catch (WSSecurityException e) {
             logger.log(Logger.LT_EXCEPTION,
-                       "Exception while signing XML document");
+                    "Exception while signing XML document");
             throw new SignException(e);
         }
-        
-        WSSecSignature sign = new WSSecSignature();
-        
+
+        WSSecSignature sign = new WSSecSignature(secHeader);
         sign.setUserInfo(keyAlias, password);
-        
-        //sign.setUserInfo(mc.getKeyAlias(), mc.getPassword());
+
         sign.setDigestAlgo(DIGEST_ALGORITHM);
         sign.setSignatureAlgorithm(SIGNATURE_ALGORITHM);
         sign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
         sign.setUseSingleCertificate(true);
-        
+        //
+        sign.setWsDocInfo(new WSDocInfo(signedDoc));
+
         //Set which parts of the message to encrypt/sign.
         WSEncryptionPart msgBodyPart = new WSEncryptionPart(WSConstants.ELEM_BODY, WSConstants.URI_SOAP11_ENV, "");
-        sign.setParts(Collections.singletonList(msgBodyPart));
+
         try {
-            Document document = sign.build(workingDocument, localKeyStoreHandler, secHeader);
-            //System.out.println("SecurityUtil.createSignedDoc time taken to sign the request is " + TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - startTime) + " ms");
+            sign.addReferencesToSign(Collections.singletonList(msgBodyPart));
+            Document document = sign.build(localKeyStoreHandler);
+            System.out.println("SecurityUtil.createSignedDoc time taken to sign the request is " + TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - startTime) + " ms");
             return document;
         } catch (WSSecurityException e) {
             logger.log(Logger.LT_EXCEPTION, "Failed while signing request for , '" + keyAlias + "'");

zip/README

@@ -277,6 +277,10 @@ Provides low level HTTP transport components that can be used to build custom cl
 
 ##Changes
 
+Version Cybersource-sdk-java 6.2.12 (JUNE,2022)
+_______________________________
+    1) Apache WSS4j Security Vulnerability fix.
+
 Version Cybersource-sdk-java 6.2.11 (MAY,2020)
 _______________________________