Merge pull request #139 from Nuvindu/master

Fix invalid cryptographic outputs in ws-security policies

README.md

@@ -85,9 +85,9 @@ The SOAP client module introduces a robust framework for configuring security me
 
 There are two primary security configurations available for SOAP clients:
 
-- `inboundSecurity`: This configuration is applied to the SOAP envelope when a request is made. It includes various ws security policies such as Username Token, Timestamp Token, X509 Token, Symmetric Binding, Asymmetric Binding, and Transport Binding, either individually or in combination with each other.
+- `outboundSecurity`: This configuration applies ws-security policies to outgoing SOAP messages. It supports multiple security options, such as Username Token, Timestamp Token, X.509 Token, Symmetric Binding, Asymmetric Binding, and Transport Binding. These can be used individually or in combination to secure the message.
 
-- `outboundSecurity`: This configuration is applied to the SOAP envelope when a response is received. Its purpose is to decrypt the data within the envelope and verify the digital signature for security validation.
+- `inboundSecurity`: This configuration handles the security of incoming SOAP messages. It decrypts encrypted data and verifies the digital signature to confirm the authenticity of the message.
 
 ### Policies
 
@@ -103,7 +103,7 @@ These policies empower SOAP clients to enhance the security of their web service
 
 ### Security Policy Configuration Types
 
-#### Inbound Security Configurations
+#### Outbound Security Configurations
 
 - `TimestampTokenConfig`: Represents the record for Timestamp Token policy.
   - Fields:
@@ -123,22 +123,18 @@ These policies empower SOAP clients to enhance the security of their web service
     - `EncryptionAlgorithm` encryptionAlgorithm : The algorithm to encrypt the SOAP envelope
     - `string` x509Token : The path or token of the X509 certificate
 
-- `AsymmetricBindingConfig`: Represents the record for Username Token with Asymmetric Binding policy.
+- `AsymmetricBindingConfig`: Represents the record for Asymmetric Binding policy.
   - Fields:
-    - `crypto:PrivateKey` signatureKey : The private key to sign the SOAP envelope
-    - `crypto:PublicKey` encryptionKey : The public key to encrypt the SOAP body
-    - `SignatureAlgorithm` signatureAlgorithm : The algorithm to sign the SOAP envelope
-    - `EncryptionAlgorithm` encryptionAlgorithm : The algorithm to encrypt the SOAP body
-    - `string` x509Token : field description
+    - `SignatureConfig` signatureConfig : Configuration for applying digital signatures
+    - `EncryptionConfig` encryptionConfig : Configuration for applying encryption
+    - `string` x509Token : The path or token of the X509 certificate
 
-#### Outbound Security Configurations
+#### Inbound Security Configurations
 
-- `OutboundSecurityConfig`: Represents the record for outbound security configurations to verify and decrypt SOAP envelopes.
+- `InboundSecurityConfig`: Represents the record for outbound security configurations to verify and decrypt SOAP envelopes.
   - Fields:
-    - `crypto:PublicKey` verificationKey : The public key to verify the signature of the SOAP envelope
-    - `crypto:PrivateKey`|`crypto:PublicKey` decryptionKey : The private key to decrypt the SOAP envelope
-    - `SignatureAlgorithm` signatureAlgorithm : The algorithm to verify the SOAP envelope
-    - `EncryptionAlgorithm` decryptionAlgorithm : The algorithm to decrypt the SOAP body
+    - `crypto:KeyStore` decryptKeystore - The keystore to decrypt the SOAP envelope
+    - `crypto:KeyStore` signatureKeystore - The keystore to verify the signature of the SOAP envelope
 
 ### Apply Security Policies
 
@@ -153,7 +149,7 @@ import ballerina/soap.soap11;
 public function main() returns error? {
     soap11:Client soapClient = check new ("https://www.secured-soap-endpoint.com", 
         {
-            inboundSecurity: [
+            outboundSecurity: [
             {
                 username: "username",
                 password: "password",
@@ -184,27 +180,41 @@ import ballerina/soap;
 import ballerina/soap.soap12;
 
 public function main() returns error? {
-    configurable crypto:PrivateKey clientPrivateKey = ?;
-    configurable crypto:PublicKey clientPublicKey = ?;
-    configurable ​crypto:PublicKey serverPublicKey = ?;
 
-    soap12:Client soapClient = check new ("https://www.secured-soap-endpoint.com",
+    soap12:Client soapClient = check new ("http://www.secured-soap-endpoint.com",
     {
-        inboundSecurity: {
-                signatureAlgorithm: soap:RSA_SHA256,
-                encryptionAlgorithm: soap:RSA_ECB,
-                signatureKey: clientPrivateKey,
-                encryptionKey: serverPublicKey,
-        },
         outboundSecurity: {
-                verificationKey: serverPublicKey,
-                signatureAlgorithm: soap:RSA_SHA256,
-                decryptionKey: clientPrivateKey,
-                decryptionAlgorithm: soap:RSA_ECB
+            signatureConfig: {
+                keystore: {
+                    path: KEY_STORE_PATH,
+                    password: PASSWORD
+                }, 
+                privateKeyAlias: ALIAS, 
+                privateKeyPassword: PASSWORD,
+                signatureAlgorithm: wssec:RSA_SHA1
+            },
+            encryptionConfig: {
+                keystore: {
+                    path: KEY_STORE_PATH_2,
+                    password: PASSWORD
+                },
+                publicKeyAlias: ALIAS,
+                encryptionAlgorithm: wssec:AES_128
+            }
+        },
+        inboundSecurity: {
+            decryptKeystore: {
+                path: KEY_STORE_PATH_2,
+                password: PASSWORD
+            },
+            signatureKeystore: {
+                path: KEY_STORE_PATH_2,
+                password: PASSWORD
+            }
         }
     });
 
-   xml envelope = xml `<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+    xml envelope = xml `<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
                            <soap:Body>
                            <quer:Add xmlns:quer="http://tempuri.org/">
                               <quer:intA>2</quer:intA>

ballerina/Ballerina.toml

@@ -1,7 +1,7 @@
 [package]
 org = "ballerina"
 name = "soap"
-version = "1.1.0"
+version = "2.0.0"
 authors = ["Ballerina"]
 export=["soap", "soap.soap11", "soap.soap12"]
 keywords = ["soap"]
@@ -19,8 +19,8 @@ graalvmCompatible = true
 [[platform.java17.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "soap-native"
-version = "1.1.0"
-path = "../native/build/libs/soap-native-1.1.0.jar"
+version = "2.0.0"
+path = "../native/build/libs/soap-native-2.0.0-SNAPSHOT.jar"
 
 [[platform.java17.dependency]]
 groupId = "org.apache.wss4j"

ballerina/Dependencies.toml

@@ -64,7 +64,7 @@ dependencies = [
 [[package]]
 org = "ballerina"
 name = "http"
-version = "2.12.0"
+version = "2.12.1"
 dependencies = [
 	{org = "ballerina", name = "auth"},
 	{org = "ballerina", name = "cache"},
@@ -227,7 +227,7 @@ dependencies = [
 [[package]]
 org = "ballerina"
 name = "mime"
-version = "2.10.0"
+version = "2.10.1"
 dependencies = [
 	{org = "ballerina", name = "io"},
 	{org = "ballerina", name = "jballerina.java"},
@@ -271,7 +271,7 @@ dependencies = [
 [[package]]
 org = "ballerina"
 name = "soap"
-version = "1.1.0"
+version = "2.0.0"
 dependencies = [
 	{org = "ballerina", name = "crypto"},
 	{org = "ballerina", name = "http"},
@@ -314,7 +314,7 @@ modules = [
 [[package]]
 org = "ballerina"
 name = "time"
-version = "2.4.0"
+version = "2.5.0"
 dependencies = [
 	{org = "ballerina", name = "jballerina.java"}
 ]

ballerina/Module.md

@@ -77,9 +77,9 @@ The SOAP client module introduces a robust framework for configuring security me
 
 There are two primary security configurations available for SOAP clients:
 
-- `inboundSecurity`: This configuration is applied to the SOAP envelope when a request is made. It includes various ws security policies such as Username Token, Timestamp Token, X509 Token, Symmetric Binding, Asymmetric Binding, and Transport Binding, either individually or in combination with each other.
+- `outboundSecurity`: This configuration applies WS-Security policies to outgoing SOAP messages. It supports multiple security options, such as Username Token, Timestamp Token, X.509 Token, Symmetric Binding, Asymmetric Binding, and Transport Binding. These can be used individually or in combination to secure the message.
 
-- `outboundSecurity`: This configuration is applied to the SOAP envelope when a response is received. Its purpose is to decrypt the data within the envelope and verify the digital signature for security validation.
+- `inboundSecurity`: This configuration handles the security of incoming SOAP messages. It decrypts encrypted data and verifies the digital signature to confirm the authenticity of the message.
 
 ### Policies
 
@@ -95,7 +95,7 @@ These policies empower SOAP clients to enhance the security of their web service
 
 ### Security Policy Configuration Types
 
-#### Inbound Security Configurations
+#### Outbound Security Configurations
 
 - `TimestampTokenConfig`: Represents the record for Timestamp Token policy.
   - Fields:
@@ -115,22 +115,18 @@ These policies empower SOAP clients to enhance the security of their web service
     - `EncryptionAlgorithm` encryptionAlgorithm : The algorithm to encrypt the SOAP envelope
     - `string` x509Token : The path or token of the X509 certificate
 
-- `AsymmetricBindingConfig`: Represents the record for Username Token with Asymmetric Binding policy.
+- `AsymmetricBindingConfig`: Represents the record for Asymmetric Binding policy.
   - Fields:
-    - `crypto:PrivateKey` signatureKey : The private key to sign the SOAP envelope
-    - `crypto:PublicKey` encryptionKey : The public key to encrypt the SOAP body
-    - `SignatureAlgorithm` signatureAlgorithm : The algorithm to sign the SOAP envelope
-    - `EncryptionAlgorithm` encryptionAlgorithm : The algorithm to encrypt the SOAP body
-    - `string` x509Token : field description
+    - `SignatureConfig` signatureConfig : Configuration for applying digital signatures
+    - `EncryptionConfig` encryptionConfig : Configuration for applying encryption
+    - `string` x509Token : The path or token of the X509 certificate
 
-#### Outbound Security Configurations
+#### Inbound Security Configurations
 
-- `OutboundSecurityConfig`: Represents the record for outbound security configurations to verify and decrypt SOAP envelopes.
+- `InboundSecurityConfig`: Represents the record for outbound security configurations to verify and decrypt SOAP envelopes.
   - Fields:
-    - `crypto:PublicKey` verificationKey : The public key to verify the signature of the SOAP envelope
-    - `crypto:PrivateKey`|`crypto:PublicKey` decryptionKey : The private key to decrypt the SOAP envelope
-    - `SignatureAlgorithm` signatureAlgorithm : The algorithm to verify the SOAP envelope
-    - `EncryptionAlgorithm` decryptionAlgorithm : The algorithm to decrypt the SOAP body
+    - `crypto:KeyStore` decryptKeystore - The keystore to decrypt the SOAP envelope
+    - `crypto:KeyStore` signatureKeystore - The keystore to verify the signature of the SOAP envelope
 
 ### Apply Security Policies
 
@@ -145,7 +141,7 @@ import ballerina/soap.soap11;
 public function main() returns error? {
     soap11:Client soapClient = check new ("https://www.secured-soap-endpoint.com", 
         {
-            inboundSecurity: [
+            outboundSecurity: [
             {
                 username: "username",
                 password: "password",
@@ -182,17 +178,35 @@ public function main() returns error? {
 
     soap12:Client soapClient = check new ("https://www.secured-soap-endpoint.com",
     {
-        inboundSecurity: {
-                signatureAlgorithm: soap:RSA_SHA256,
-                encryptionAlgorithm: soap:RSA_ECB,
-                signatureKey: clientPrivateKey,
-                encryptionKey: serverPublicKey,
-        },
         outboundSecurity: {
-                verificationKey: serverPublicKey,
-                signatureAlgorithm: soap:RSA_SHA256,
-                decryptionKey: clientPrivateKey,
-                decryptionAlgorithm: soap:RSA_ECB
+            signatureConfig: {
+                keystore: {
+                    path: KEY_STORE_PATH,
+                    password: PASSWORD
+                }, 
+                privateKeyAlias: ALIAS, 
+                privateKeyPassword: PASSWORD, 
+                canonicalizationAlgorithm: wssec:C14N_EXCL_OMIT_COMMENTS, 
+                digestAlgorithm: wssec:SHA1
+            },
+            encryptionConfig: {
+                keystore: {
+                    path: KEY_STORE_PATH_2,
+                    password: PASSWORD
+                },
+                publicKeyAlias: ALIAS,
+                encryptionAlgorithm: wssec:AES_128
+            }
+        },
+        inboundSecurity: {
+            decryptKeystore: {
+                path: KEY_STORE_PATH_2,
+                password: PASSWORD
+            },
+            signatureKeystore: {
+                path: KEY_STORE_PATH,
+                password: PASSWORD
+            }
         }
     });
     xml envelope = xml `<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">