XMLCipher refactor (#587)

Author: coheigea

src/main/java/org/apache/xml/security/encryption/XMLCipher.java

@@ -1467,6 +1467,8 @@ public Key decryptKey(EncryptedKey encryptedKey, String algorithm)
             throw new XMLEncryptionException("empty", "Cannot decrypt a key without knowing the algorithm");
         }
 
+        validateEncryptionMethodAlgorithm(encryptedKey.getEncryptionMethod().getAlgorithm());
+
         if (key == null) {
             LOG.debug("Trying to find a KEK via key resolvers");
 
@@ -1841,6 +1843,9 @@ public byte[] decryptToByteArray(Element element) throws XMLEncryptionException
         EncryptedData encryptedData = factory.newEncryptedData(element);
         String encMethodAlgorithm = encryptedData.getEncryptionMethod().getAlgorithm();
 
+        // Reject any attempt to decrypt with an algorithm that doesn't match the one specified when the XMLCipher was initialized
+        validateEncryptionMethodAlgorithm(encMethodAlgorithm);
+
         if (key == null) {
             KeyInfo ki = encryptedData.getKeyInfo();
             if (ki != null) {
@@ -1913,6 +1918,15 @@ public byte[] decryptToByteArray(Element element) throws XMLEncryptionException
         }
     }
 
+    private void validateEncryptionMethodAlgorithm(String encryptionMethodAlgorithm) throws XMLEncryptionException {
+        if (algorithm != null && !algorithm.equals(encryptionMethodAlgorithm)) {
+            throw new XMLEncryptionException("empty",
+                "EncryptionMethod algorithm \"" + encryptionMethodAlgorithm
+                + "\" does not match the algorithm this XMLCipher was initialised with: \""
+                + algorithm + "\"");
+        }
+    }
+
     /*
      * Expose the interface for creating XML Encryption objects
      */

src/test/java/org/apache/xml/security/test/dom/encryption/XMLCipherTest.java

@@ -49,6 +49,7 @@
 import org.apache.xml.security.encryption.EncryptionProperties;
 import org.apache.xml.security.encryption.EncryptionProperty;
 import org.apache.xml.security.encryption.XMLCipher;
+import org.apache.xml.security.encryption.XMLEncryptionException;
 import org.apache.xml.security.encryption.XMLCipherUtil;
 import org.apache.xml.security.encryption.keys.KeyInfoEnc;
 import org.apache.xml.security.encryption.params.ConcatKDFParams;
@@ -83,6 +84,7 @@
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assumptions.assumeFalse;
 
 
@@ -1368,6 +1370,89 @@ void testMultipleKEKs() throws Exception {
         }
     }
 
+    /**
+     * Test that you can't substitute an encryption algorithm in the EncryptionMethod and have it be accepted by the decryptor.
+     */
+    @Test
+    void testAlgorithmSubstitutionNotDetected() throws Exception {
+        // Fixed 256-bit server key.
+        byte[] bits256 = {
+            (byte)0x00, (byte)0x01, (byte)0x02, (byte)0x03,
+            (byte)0x04, (byte)0x05, (byte)0x06, (byte)0x07,
+            (byte)0x08, (byte)0x09, (byte)0x0A, (byte)0x0B,
+            (byte)0x0C, (byte)0x0D, (byte)0x0E, (byte)0x0F,
+            (byte)0x10, (byte)0x11, (byte)0x12, (byte)0x13,
+            (byte)0x14, (byte)0x15, (byte)0x16, (byte)0x17,
+            (byte)0x18, (byte)0x19, (byte)0x1A, (byte)0x1B,
+            (byte)0x1C, (byte)0x1D, (byte)0x1E, (byte)0x1F
+        };
+        Key serverKey = new SecretKeySpec(bits256, "AES");
+
+        Document d = document();
+        Element e = (Element) d.getElementsByTagName(element()).item(index());
+
+        // Step 1 – server encrypts with AES-256-CBC.
+        cipher = XMLCipher.getInstance(XMLCipher.AES_256);
+        cipher.init(XMLCipher.ENCRYPT_MODE, serverKey);
+        Document encryptedDoc = cipher.doFinal(d, e);
+
+        Element encData = (Element) encryptedDoc.getElementsByTagName("xenc:EncryptedData").item(0);
+        Element encMethod = (Element) encData.getElementsByTagName("xenc:EncryptionMethod").item(0);
+        assertEquals(XMLCipher.AES_256, encMethod.getAttribute("Algorithm"),
+            "Sanity check: encrypted document should advertise AES-256-CBC");
+
+        // Step 2 – attacker tampers the EncryptionMethod to claim AES-128-CBC.
+        encMethod.setAttribute("Algorithm", XMLCipher.AES_128);
+
+        // Step 3 – server decrypts using its AES-256-CBC XMLCipher.
+        XMLCipher serverDecryptor = XMLCipher.getInstance(XMLCipher.AES_256);
+        serverDecryptor.init(XMLCipher.DECRYPT_MODE, serverKey);
+
+        XMLEncryptionException thrown = assertThrows(XMLEncryptionException.class,
+            () -> serverDecryptor.doFinal(encryptedDoc, encData),
+            "Expected XMLEncryptionException for algorithm substitution AES-256-CBC -> AES-128-CBC");
+
+        // The error must originate from algorithm validation, not from a downstream
+        // JCE operation, so the cause must be null (it is a pure logic rejection).
+        assertNull(thrown.getCause(),
+            "Algorithm mismatch must be detected upfront, not wrapped around a JCE exception");
+    }
+
+    @Test
+    void testKeyWrapAlgorithmSubstitutionNotDetected() throws Exception {
+        KeyGenerator wrapKeyGenerator = KeyGenerator.getInstance("AES");
+        wrapKeyGenerator.init(192);
+        Key wrappingKey = wrapKeyGenerator.generateKey();
+
+        KeyGenerator trafficKeyGenerator = KeyGenerator.getInstance("AES");
+        trafficKeyGenerator.init(128);
+        Key trafficKey = trafficKeyGenerator.generateKey();
+
+        XMLCipher wrapCipher = XMLCipher.getInstance(XMLCipher.AES_192_KeyWrap);
+        wrapCipher.init(XMLCipher.WRAP_MODE, wrappingKey);
+
+        Document d = document();
+        EncryptedKey encryptedKey = wrapCipher.encryptKey(d, trafficKey);
+        Element encryptedKeyElement = wrapCipher.martial(encryptedKey);
+
+        Element encMethod = (Element) encryptedKeyElement.getElementsByTagName("xenc:EncryptionMethod").item(0);
+        assertEquals(XMLCipher.AES_192_KeyWrap, encMethod.getAttribute("Algorithm"),
+            "Sanity check: encrypted key should advertise AES-192 key wrap");
+
+        encMethod.setAttribute("Algorithm", XMLCipher.AES_128_KeyWrap);
+
+        XMLCipher unwrapCipher = XMLCipher.getInstance(XMLCipher.AES_192_KeyWrap);
+        unwrapCipher.init(XMLCipher.UNWRAP_MODE, wrappingKey);
+        EncryptedKey tamperedEncryptedKey = unwrapCipher.loadEncryptedKey(encryptedKeyElement);
+
+        XMLEncryptionException thrown = assertThrows(XMLEncryptionException.class,
+            () -> unwrapCipher.decryptKey(tamperedEncryptedKey, XMLCipher.AES_128),
+            "Expected XMLEncryptionException for key-wrap algorithm substitution AES-192-KW -> AES-128-KW");
+
+        assertNull(thrown.getCause(),
+            "Algorithm mismatch must be detected upfront, not wrapped around a JCE exception");
+    }
+
     private String toString (Node n) throws Exception {
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
         Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);

src/test/java/org/apache/xml/security/test/stax/encryption/EncryptionCreationTest.java

@@ -475,7 +475,7 @@ public void testAES128ElementAES192KWCipherUsingKEKOutbound() throws Exception {
 
         // Decrypt using DOM API
         Document doc =
-            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", null, transportKey, document);
+            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#aes128-cbc", null, transportKey, document);
 
         // Check the CreditCard decrypted ok
         nodeList = doc.getElementsByTagNameNS("urn:example:po", "CreditCard");
@@ -544,7 +544,7 @@ public void testAES256ElementRSAKWCipherUsingKEKOutbound() throws Exception {
 
         // Decrypt using DOM API
         Document doc =
-            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", null, priv, document);
+            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#aes256-cbc", null, priv, document);
 
         // Check the CreditCard decrypted ok
         nodeList = doc.getElementsByTagNameNS("urn:example:po", "CreditCard");
@@ -613,7 +613,7 @@ public void testEncryptedKeyKeyValueReference() throws Exception {
 
         // Decrypt using DOM API
         Document doc =
-            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", null, priv, document);
+            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#aes256-cbc", null, priv, document);
 
         // Check the CreditCard decrypted ok
         nodeList = doc.getElementsByTagNameNS("urn:example:po", "CreditCard");
@@ -683,7 +683,7 @@ public void testEncryptedKeyKeyNameReference() throws Exception {
 
         // Decrypt using DOM API
         Document doc =
-                decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", null, priv, document);
+                decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#aes256-cbc", null, priv, document);
 
         // Check the CreditCard decrypted ok
         nodeList = doc.getElementsByTagNameNS("urn:example:po", "CreditCard");
@@ -751,7 +751,7 @@ public void testEncryptedKeyMultipleElements() throws Exception {
         assertEquals(nodeList.getLength(), 2);
 
         // Decrypt using DOM API
-        decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", null, priv, document);
+        decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#aes256-cbc", null, priv, document);
     }
 
     @Test
@@ -818,7 +818,7 @@ public void testEncryptedKeyIssuerSerialReference() throws Exception {
 
         // Decrypt using DOM API
         Document doc =
-            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", null, priv, document);
+            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#aes256-cbc", null, priv, document);
 
         // Check the CreditCard decrypted ok
         nodeList = doc.getElementsByTagNameNS("urn:example:po", "CreditCard");
@@ -889,7 +889,7 @@ public void testEncryptedKeyX509CertificateReference() throws Exception {
 
         // Decrypt using DOM API
         Document doc =
-            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", null, priv, document);
+            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#aes256-cbc", null, priv, document);
 
         // Check the CreditCard decrypted ok
         nodeList = doc.getElementsByTagNameNS("urn:example:po", "CreditCard");
@@ -968,7 +968,7 @@ public void testEncryptedKeySKI() throws Exception {
 
         // Decrypt using DOM API
         Document doc =
-            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", null, priv, document);
+            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#aes256-cbc", null, priv, document);
 
         // Check the CreditCard decrypted ok
         nodeList = doc.getElementsByTagNameNS("urn:example:po", "CreditCard");
@@ -1039,7 +1039,7 @@ public void testEncryptedKeyX509SubjectName() throws Exception {
 
         // Decrypt using DOM API
         Document doc =
-            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", null, priv, document);
+            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#aes256-cbc", null, priv, document);
 
         // Check the CreditCard decrypted ok
         nodeList = doc.getElementsByTagNameNS("urn:example:po", "CreditCard");
@@ -1110,7 +1110,7 @@ public void testEncryptedKeyNoKeyInfo() throws Exception {
 
         // Decrypt using DOM API
         Document doc =
-            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", null, priv, document);
+            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#aes256-cbc", null, priv, document);
 
         // Check the CreditCard decrypted ok
         nodeList = doc.getElementsByTagNameNS("urn:example:po", "CreditCard");
@@ -1177,7 +1177,7 @@ public void testAES192Element3DESKWCipher() throws Exception {
 
         // Decrypt using DOM API
         Document doc =
-            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", null, transportKey, document);
+            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#aes192-cbc", null, transportKey, document);
 
         // Check the CreditCard decrypted ok
         nodeList = doc.getElementsByTagNameNS("urn:example:po", "CreditCard");
@@ -1680,7 +1680,7 @@ public void testTransportKey() throws Exception {
 
         // Decrypt using DOM API
         Document doc =
-            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", null, transportKey, document);
+            decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#aes128-cbc", null, transportKey, document);
 
         // Check the CreditCard decrypted ok
         nodeList = doc.getElementsByTagNameNS("urn:example:po", "CreditCard");