From 52d2219ebd60e4d5ca2567eefd5791fe399a06b3 Mon Sep 17 00:00:00 2001
From: Philip Helger
Date: Thu, 28 Nov 2024 15:40:46 +0100
Subject: [PATCH] Added check for specific enc algorithm on decrpytion

---
 .../soap/SoapHeaderElementProcessorWSS4J.java | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/phase4-lib/src/main/java/com/helger/phase4/incoming/soap/SoapHeaderElementProcessorWSS4J.java b/phase4-lib/src/main/java/com/helger/phase4/incoming/soap/SoapHeaderElementProcessorWSS4J.java
index e51f175b9..3b0dbffca 100644
--- a/phase4-lib/src/main/java/com/helger/phase4/incoming/soap/SoapHeaderElementProcessorWSS4J.java
+++ b/phase4-lib/src/main/java/com/helger/phase4/incoming/soap/SoapHeaderElementProcessorWSS4J.java
@@ -29,6 +29,7 @@
 import javax.annotation.Nullable;
 import javax.xml.namespace.QName;
 
+import org.apache.wss4j.common.crypto.AlgorithmSuite;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.util.AttachmentUtils;
 import org.apache.wss4j.dom.WSConstants;
@@ -152,6 +153,25 @@ private ESuccess _verifyAndDecrypt (@Nonnull final Document aSOAPDoc, aRequestData.setWssConfig (aWSSConfig); aRequestData.setSignatureProvider (m_aSecurityProviderSignVerify); + // Undocumented property "phase4.decrypt.verify.algorithm" - set to + // "false" to disable this check + if (AS4Configuration.getConfig ().getAsBoolean ("phase4.decrypt.verify.algorithm", true)) + { + // Add a test that only the algorithm from the PMode is effectively + // delivered + final PModeLeg aPModeLeg = aIncomingState.getEffectivePModeLeg (); + if (aPModeLeg != null && aPModeLeg.getSecurity () != null) + { + final String sAlgorithmURI = aPModeLeg.getSecurity ().getX509EncryptionAlgorithm ().getAlgorithmURI (); + if (LOGGER.isDebugEnabled ()) + LOGGER.debug ("Testing that the received message was encrypted with algorithm '" + sAlgorithmURI + "'"); + + final AlgorithmSuite aAlgorithmSuite = new AlgorithmSuite (); + aAlgorithmSuite.addEncryptionMethod (sAlgorithmURI); + aRequestData.setAlgorithmSuite (aAlgorithmSuite); + } + } + // Enable CRL checking if (false) aRequestData.setEnableRevocation (true); @@ -319,7 +339,12 @@ private ESuccess _verifyAndDecrypt (@Nonnull final Document aSOAPDoc, */ // Decryption or Signature check failed - final String sDetails = "Error processing the WSSSecurity Header"; + String sDetails = "Error processing the WSSSecurity Header"; + if (ex instanceof WSSecurityException) + { + sDetails += " (WS Security error: " + ((WSSecurityException) ex).getErrorCode () + ")"; + } + LOGGER.error (sDetails, ex); // TODO we need a way to differentiate signature and decrypt // WSSecurityException provides no such thing
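Review bot: `aPModeLeg.getSecurity ().getX509EncryptionAlgorithm ().getAlgorithmURI ()` is evaluated without a null check on the algorithm getter, so a PMode leg whose security section has no encryption algorithm configured (plausible for a leg that is signed but not encrypted, if that getter is nullable like `getSecurity ()`) would fail with a NullPointerException here instead of simply skipping the check; extend the guard to `if (aPModeLeg != null && aPModeLeg.getSecurity () != null && aPModeLeg.getSecurity ().getX509EncryptionAlgorithm () != null)`. Installing an `AlgorithmSuite` on the request data also appears to activate WSS4J's other suite-based constraints with their defaults (as far as I recall, minimum and maximum asymmetric and symmetric key lengths), so a message that verified before this change could now be rejected on key size rather than on the intended algorithm mismatch — worth confirming against the WSS4J version in use and stating in the comment above `new AlgorithmSuite ()`. The key "phase4.decrypt.verify.algorithm" is a bare string literal; a `private static final String` constant alongside the class's other configuration keys would keep it discoverable, and the "Undocumented property" comment should either reference the configuration documentation or become an actual entry in it. `_verifyAndDecrypt` starts and ends outside this hunk.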