Bump wss4j from version 1.6.19 to version 2.4.3 (#835)

* Bump wss4j from version 1.6.19 to version 2.4.3

* Bump wws4j from version 1.6.19 to version 2.4.3

* Issue: 107613 Exclude geronimo-javamail_1.4_mail from transitive dependencies

* Exclude geronimo from wss4j-ws-security-dom

* Add variable commons-io.version

* Delete direct dependency commons-io

---------

Co-authored-by: Tomás Sexenian <[email protected]>

Author: sgrampone

wrappercommon/pom.xml

@@ -29,11 +29,28 @@
             <artifactId>log4j-core</artifactId>
             <version>${log4j.version}</version>
         </dependency>
-		<dependency>
-			<groupId>org.apache.ws.security</groupId>
-			<artifactId>wss4j</artifactId>
-			<version>1.6.19</version>			
-		</dependency>
+        <dependency>
+            <groupId>org.apache.wss4j</groupId>
+            <artifactId>wss4j-ws-security-common</artifactId>
+            <version>2.4.3</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.geronimo.javamail</groupId>
+                    <artifactId>geronimo-javamail_1.4_mail</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.wss4j</groupId>
+            <artifactId>wss4j-ws-security-dom</artifactId>
+            <version>2.4.3</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.geronimo.javamail</groupId>
+                    <artifactId>geronimo-javamail_1.4_mail</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-layout-template-json</artifactId>

wrapperjakarta/src/main/java/com/genexus/ws/GXHandlerConsumerChain.java

@@ -3,6 +3,8 @@
 import java.util.Set;
 import java.util.HashSet;
 import java.util.Properties;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.namespace.QName;
 import javax.xml.transform.*;
 import javax.xml.transform.dom.DOMResult;
@@ -12,12 +14,14 @@
 import jakarta.xml.ws.handler.soap.SOAPMessageContext;
 import jakarta.xml.soap.*;
 import javax.xml.parsers.DocumentBuilderFactory;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.apache.ws.security.message.WSSecEncrypt;
-import org.apache.ws.security.message.WSSecHeader;
-import org.apache.ws.security.message.WSSecSignature;
-import org.apache.ws.security.message.WSSecTimestamp;
+
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.dom.message.WSSecEncrypt;
+import org.apache.wss4j.dom.message.WSSecHeader;
+import org.apache.wss4j.dom.message.WSSecSignature;
+import org.apache.wss4j.dom.message.WSSecTimestamp;
+
 import org.w3c.dom.*;
 import java.io.InputStream;
 import java.io.ByteArrayInputStream;
@@ -26,6 +30,8 @@
 import com.genexus.diagnostics.core.LogManager;
 import com.genexus.common.interfaces.*;
 
+import static org.apache.wss4j.common.util.KeyUtils.getKeyGenerator;
+
 public class GXHandlerConsumerChain implements SOAPHandler<SOAPMessageContext>
 {
 	public static final ILogger logger = LogManager.getLogger(GXHandlerConsumerChain.class);
@@ -156,8 +162,8 @@ public boolean handleMessage(SOAPMessageContext messageContext)
 				Document doc = messageToDocument(messageContext.getMessage());
 
 				//Security header
-				WSSecHeader secHeader = new WSSecHeader();
-				secHeader.insertSecurityHeader(doc);
+				WSSecHeader secHeader = new WSSecHeader(doc);
+				secHeader.insertSecurityHeader();
 				Document signedDoc = null;
 
 				//Signature
@@ -168,7 +174,7 @@ public boolean handleMessage(SOAPMessageContext messageContext)
 					signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.password", wsSignature.getKeystore().getPassword());
 					signatureProperties.put("org.apache.ws.security.crypto.merlin.file", wsSignature.getKeystore().getSource());
 					Crypto signatureCrypto = CryptoFactory.getInstance(signatureProperties);
-					WSSecSignature sign = new WSSecSignature();
+					WSSecSignature sign = new WSSecSignature(doc);
 					sign.setKeyIdentifierType(wsSignature.getKeyIdentifierType());
 					sign.setUserInfo(wsSignature.getAlias(), wsSignature.getKeystore().getPassword());
 					if (wsSignature.getCanonicalizationalgorithm() != null)
@@ -177,13 +183,13 @@ public boolean handleMessage(SOAPMessageContext messageContext)
 						sign.setDigestAlgo(wsSignature.getDigest());
 					if (wsSignature.getSignaturealgorithm() != null)
 						sign.setSignatureAlgorithm(wsSignature.getSignaturealgorithm());
-					signedDoc = sign.build(doc, signatureCrypto, secHeader);
+					signedDoc = sign.build( signatureCrypto);
 
 					if (expirationTimeout > 0)
 					{
-						WSSecTimestamp timestamp = new WSSecTimestamp();
+						WSSecTimestamp timestamp = new WSSecTimestamp(secHeader);
 						timestamp.setTimeToLive(expirationTimeout);
-						signedDoc = timestamp.build(signedDoc, secHeader);
+						signedDoc = timestamp.build();
 					}
 				}
 
@@ -195,14 +201,19 @@ public boolean handleMessage(SOAPMessageContext messageContext)
 					encryptionProperties.put("org.apache.ws.security.crypto.merlin.keystore.password", wsEncryption.getKeystore().getPassword());
 					encryptionProperties.put("org.apache.ws.security.crypto.merlin.file", wsEncryption.getKeystore().getSource());
 					Crypto encryptionCrypto = CryptoFactory.getInstance(encryptionProperties);
-					WSSecEncrypt builder = new WSSecEncrypt();
-					builder.setUserInfo(wsEncryption.getAlias(), wsEncryption.getKeystore().getPassword());
-					builder.setKeyIdentifierType(wsEncryption.getKeyIdentifierType());
 					if (signedDoc == null)
 					{
 						signedDoc = doc;
 					}
-					builder.build(signedDoc, encryptionCrypto, secHeader);
+					WSSecEncrypt builder = new WSSecEncrypt(signedDoc);
+					builder.setUserInfo(wsEncryption.getAlias(), wsEncryption.getKeystore().getPassword());
+					builder.setKeyIdentifierType(wsEncryption.getKeyIdentifierType());
+					//using wss4j default encryption algorithm AES128-CBC
+					KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
+					keyGenerator.init(128);
+					SecretKey key = keyGenerator.generateKey();
+
+					builder.build(encryptionCrypto, key);
 				}
 
 				Document securityDoc = doc;

wrapperjavax/src/main/java/com/genexus/ws/GXHandlerConsumerChain.java

@@ -3,6 +3,8 @@
 import java.util.Set;
 import java.util.HashSet;
 import java.util.Properties;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.namespace.QName;
 import javax.xml.transform.*;
 import javax.xml.transform.dom.DOMResult;
@@ -12,12 +14,14 @@
 import javax.xml.ws.handler.soap.SOAPMessageContext;
 import javax.xml.soap.*;
 import javax.xml.parsers.DocumentBuilderFactory;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.apache.ws.security.message.WSSecEncrypt;
-import org.apache.ws.security.message.WSSecHeader;
-import org.apache.ws.security.message.WSSecSignature;
-import org.apache.ws.security.message.WSSecTimestamp;
+
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.dom.message.WSSecEncrypt;
+import org.apache.wss4j.dom.message.WSSecHeader;
+import org.apache.wss4j.dom.message.WSSecSignature;
+import org.apache.wss4j.dom.message.WSSecTimestamp;
+
 import org.w3c.dom.*;
 import java.io.InputStream;
 import java.io.ByteArrayInputStream;
@@ -156,8 +160,8 @@ public boolean handleMessage(SOAPMessageContext messageContext)
 				Document doc = messageToDocument(messageContext.getMessage());
 
 				//Security header
-				WSSecHeader secHeader = new WSSecHeader();
-				secHeader.insertSecurityHeader(doc);
+				WSSecHeader secHeader = new WSSecHeader(doc);
+				secHeader.insertSecurityHeader();
 				Document signedDoc = null;
 
 				//Signature
@@ -168,7 +172,7 @@ public boolean handleMessage(SOAPMessageContext messageContext)
 					signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.password", wsSignature.getKeystore().getPassword());
 					signatureProperties.put("org.apache.ws.security.crypto.merlin.file", wsSignature.getKeystore().getSource());
 					Crypto signatureCrypto = CryptoFactory.getInstance(signatureProperties);
-					WSSecSignature sign = new WSSecSignature();
+					WSSecSignature sign = new WSSecSignature(doc);
 					sign.setKeyIdentifierType(wsSignature.getKeyIdentifierType());
 					sign.setUserInfo(wsSignature.getAlias(), wsSignature.getKeystore().getPassword());
 					if (wsSignature.getCanonicalizationalgorithm() != null)
@@ -177,13 +181,13 @@ public boolean handleMessage(SOAPMessageContext messageContext)
 						sign.setDigestAlgo(wsSignature.getDigest());
 					if (wsSignature.getSignaturealgorithm() != null)
 						sign.setSignatureAlgorithm(wsSignature.getSignaturealgorithm());
-					signedDoc = sign.build(doc, signatureCrypto, secHeader);
+					signedDoc = sign.build( signatureCrypto);
 
 					if (expirationTimeout > 0)
 					{
-						WSSecTimestamp timestamp = new WSSecTimestamp();
+						WSSecTimestamp timestamp = new WSSecTimestamp(secHeader);
 						timestamp.setTimeToLive(expirationTimeout);
-						signedDoc = timestamp.build(signedDoc, secHeader);
+						signedDoc = timestamp.build();
 					}
 				}
 
@@ -195,14 +199,19 @@ public boolean handleMessage(SOAPMessageContext messageContext)
 					encryptionProperties.put("org.apache.ws.security.crypto.merlin.keystore.password", wsEncryption.getKeystore().getPassword());
 					encryptionProperties.put("org.apache.ws.security.crypto.merlin.file", wsEncryption.getKeystore().getSource());
 					Crypto encryptionCrypto = CryptoFactory.getInstance(encryptionProperties);
-					WSSecEncrypt builder = new WSSecEncrypt();
-					builder.setUserInfo(wsEncryption.getAlias(), wsEncryption.getKeystore().getPassword());
-					builder.setKeyIdentifierType(wsEncryption.getKeyIdentifierType());
 					if (signedDoc == null)
 					{
 						signedDoc = doc;
 					}
-					builder.build(signedDoc, encryptionCrypto, secHeader);
+					WSSecEncrypt builder = new WSSecEncrypt(signedDoc);
+					builder.setUserInfo(wsEncryption.getAlias(), wsEncryption.getKeystore().getPassword());
+					builder.setKeyIdentifierType(wsEncryption.getKeyIdentifierType());
+					//using wss4j default encryption algorithm AES128-CBC
+					KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
+					keyGenerator.init(128);
+					SecretKey key = keyGenerator.generateKey();
+
+					builder.build(encryptionCrypto, key);
 				}
 
 				Document securityDoc = doc;