CVE-2018-8039 Apache CXF TLS hostname verification does not work correctly with com.sun.net.ssl.* (#871)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: maximthomas <[email protected]>

Author: dependabot[bot]

openam-sts/openam-soap-sts/openam-soap-sts-client/src/main/java/org/forgerock/openam/sts/soap/SoapSTSConsumer.java

@@ -12,6 +12,7 @@
  * information: "Portions Copyrighted [year] [name of copyright owner]".
  *
  * Copyright 2015 ForgeRock AS.
+ * Portions Copyrighted 2025 3A-Systems LLC.
  */
 
 package org.forgerock.openam.sts.soap;
@@ -31,9 +32,9 @@
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.cxf.ws.security.trust.TrustException;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
 import org.forgerock.openam.sts.AMSTSConstants;
 import org.forgerock.openam.sts.soap.policy.am.OpenAMSessionTokenClientAssertionBuilder;
 import org.forgerock.openam.sts.soap.policy.am.OpenAMSessionTokenClientInterceptorProvider;

openam-sts/openam-soap-sts/openam-soap-sts-client/src/main/java/org/forgerock/openam/sts/soap/SoapSTSConsumerCallbackHandler.java

@@ -12,11 +12,12 @@
  * information: "Portions Copyrighted [year] [name of copyright owner]".
  *
  * Copyright 2015 ForgeRock AS.
+ * Portions Copyrighted 2025 3A-Systems LLC.
  */
 
 package org.forgerock.openam.sts.soap;
 
-import org.apache.ws.security.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
 
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;

openam-sts/openam-soap-sts/openam-soap-sts-client/src/main/java/org/forgerock/openam/sts/soap/TokenSpecification.java

@@ -12,16 +12,17 @@
  * information: "Portions Copyrighted [year] [name of copyright owner]".
  *
  * Copyright 2015-2016 ForgeRock AS.
+ * Portions Copyrighted 2025 3A-Systems LLC.
  */
 
 package org.forgerock.openam.sts.soap;
 
 import static org.forgerock.openam.utils.Time.*;
 
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.message.WSSecUsernameToken;
 import org.forgerock.openam.sts.AMSTSConstants;
 import org.forgerock.openam.sts.soap.policy.am.OpenAMSessionAssertion;
 import org.w3c.dom.Document;
@@ -185,7 +186,7 @@ public static Element openAMSessionTokenOnBehalfOfElement(String sessionId) {
         type is generated
          */
         Element nestedPolicyElement = null;
-        return new OpenAMSessionAssertion(SP12Constants.INSTANCE, SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT,
+        return new OpenAMSessionAssertion(SPConstants.SPVersion.SP12, SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT,
                 nestedPolicyElement, sessionId).getTokenElement();
     }
 }

openam-sts/openam-soap-sts/openam-soap-sts-client/src/main/java/org/forgerock/openam/sts/soap/policy/am/OpenAMSessionTokenClientAssertionBuilder.java

@@ -12,13 +12,14 @@
  * information: "Portions Copyrighted [year] [name of copyright owner]".
  *
  * Copyright 2015 ForgeRock AS.
+ * Portions Copyrighted 2025 3A-Systems LLC.
  */
 
 package org.forgerock.openam.sts.soap.policy.am;
 
 import org.apache.cxf.ws.policy.PolicyConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
 import org.forgerock.openam.sts.soap.OpenAMSessionTokenCallback;
 import org.apache.neethi.Assertion;
 import org.apache.neethi.AssertionBuilderFactory;
@@ -72,7 +73,7 @@ public Assertion build(Element element, AssertionBuilderFactory assertionBuilder
             throw new IllegalStateException("CallbackHandler registered with OpenAMSessionTokenClientAssertionBuilder " +
                     "cannot handle OpenAMSessionTokenCallback: " + e, e);
         }
-        return new OpenAMSessionAssertion(SP12Constants.INSTANCE, SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT,
+        return new OpenAMSessionAssertion(SPConstants.SPVersion.SP12, SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT,
                 nestedPolicyElement, ((OpenAMSessionTokenCallback)callbacks[0]).getSessionId());
     }
 

openam-sts/openam-soap-sts/openam-soap-sts-client/src/main/java/org/forgerock/openam/sts/soap/policy/am/OpenAMSessionTokenClientInterceptor.java

@@ -12,6 +12,7 @@
  * information: "Portions Copyrighted [year] [name of copyright owner]".
  *
  * Copyright 2015 ForgeRock AS.
+ * Portions Copyrighted 2025 3A-Systems LLC.
  */
 
 package org.forgerock.openam.sts.soap.policy.am;
@@ -20,8 +21,8 @@
 import org.apache.cxf.headers.Header;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.model.AbstractToken;
 import org.forgerock.openam.sts.AMSTSConstants;
 import org.w3c.dom.Element;
 
@@ -69,12 +70,12 @@ protected void addToken(SoapMessage message) {
      * soap-sts instances.
      */
     @Override
-    protected Token assertTokens(SoapMessage message) {
+    protected AbstractToken assertTokens(SoapMessage message) {
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
         Collection<AssertionInfo> ais = aim.getAssertionInfo(AMSTSConstants.AM_SESSION_TOKEN_ASSERTION_QNAME);
-        Token token = null;
+        AbstractToken token = null;
         for (AssertionInfo ai : ais) {
-            token = (Token)ai.getAssertion();
+            token = (AbstractToken)ai.getAssertion();
             ai.setAsserted(true);
         }
         ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);

openam-sts/openam-soap-sts/openam-soap-sts-server/pom.xml

@@ -43,7 +43,7 @@
     </build>
 
     <properties>
-        <cxf.version>2.7.18</cxf.version>
+        <cxf.version>3.1.16</cxf.version>
     </properties>
 
     <dependencies>

openam-sts/openam-soap-sts/openam-soap-sts-server/src/main/java/org/forgerock/openam/sts/soap/SoapSTSCallbackHandler.java

@@ -12,11 +12,12 @@
  * information: "Portions Copyrighted [year] [name of copyright owner]".
  *
  * Copyright 2013-2015 ForgeRock AS.
+ * Portions Copyrighted 2025 3A-Systems LLC.
  */
 
 package org.forgerock.openam.sts.soap;
 
-import org.apache.ws.security.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.forgerock.openam.sts.AMSTSConstants;
 
 import javax.security.auth.callback.Callback;

openam-sts/openam-soap-sts/openam-soap-sts-server/src/main/java/org/forgerock/openam/sts/soap/config/SoapSTSInstanceModule.java

@@ -12,6 +12,7 @@
  * information: "Portions Copyrighted [year] [name of copyright owner]".
  *
  * Copyright 2013-2015 ForgeRock AS.
+ * Portions Copyrighted 2025 3A-Systems LLC.
  */
 
 package org.forgerock.openam.sts.soap.config;
@@ -34,10 +35,10 @@
 import org.apache.cxf.ws.security.sts.provider.operation.IssueOperation;
 import org.apache.cxf.ws.security.sts.provider.operation.ValidateOperation;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.apache.ws.security.message.token.UsernameToken;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.dom.message.token.UsernameToken;
 import org.forgerock.openam.sts.HttpURLConnectionWrapperFactory;
 import org.forgerock.openam.sts.TokenType;
 import org.forgerock.openam.sts.XMLUtilities;
@@ -263,7 +264,7 @@ private void processSecurityPolicyTokenValidatorConfiguration(Map<String, Object
                 default:
                     String message = "Unexpected TokenType in processSecurityPolicyTokenValidatorConfiguration: " + tokenType;
                     logger.error(message);
-                    throw new WSSecurityException(message);
+                    throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN, message);
             }
         }
         /*

openam-sts/openam-soap-sts/openam-soap-sts-server/src/main/java/org/forgerock/openam/sts/soap/policy/am/OpenAMSessionAssertion.java

@@ -12,15 +12,21 @@
  * information: "Portions Copyrighted [year] [name of copyright owner]".
  *
  * Copyright 2015 ForgeRock AS.
+ * Portions Copyrighted 2025 3A-Systems LLC.
  */
 
 package org.forgerock.openam.sts.soap.policy.am;
 
 import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.policy.PolicyBuilderImpl;
+import org.apache.neethi.Constants;
+import org.apache.neethi.Policy;
+import org.apache.neethi.PolicyBuilder;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.common.token.BinarySecurity;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
+import org.apache.wss4j.policy.model.AbstractToken;
 import org.forgerock.openam.sts.AMSTSConstants;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -35,7 +41,7 @@
  * OpenAMSessionTokenClientAssertionBuilder registered with the org.apache.cxf.ws.policy.AssertionBuilderRegistry (obtained
  * via the cxf Bus) in the STSClient instance used to consume the OpenAM soap sts.
  */
-public class OpenAMSessionAssertion extends Token {
+public class OpenAMSessionAssertion extends AbstractToken {
     private final String sessionId;
 
     /**
@@ -54,12 +60,10 @@ public class OpenAMSessionAssertion extends Token {
      *                  OpenAMSessionTokenClientAssertionBuilder, and pulled from the BinarySecurityToken element which
      *                  encapsulates this sessionId when it arrives at the targeted sts.
      */
-    public OpenAMSessionAssertion(SPConstants version, SPConstants.IncludeTokenType includeTokenType, Element nestedPolicy, String sessionId) {
-        super(version);
-        setInclusion(includeTokenType);
+    public OpenAMSessionAssertion(SPConstants.SPVersion version, SPConstants.IncludeTokenType includeTokenType, Element nestedPolicy, String sessionId) {
+        super(version, includeTokenType, null, null, null, new PolicyBuilderImpl().getPolicy(nestedPolicy));
         setIgnorable(false);
         setOptional(false);
-        setPolicy(nestedPolicy);
         this.sessionId = sessionId;
     }
 
@@ -95,13 +99,15 @@ public void serialize(XMLStreamWriter writer) throws XMLStreamException {
         writer.writeNamespace(prefix, namespaceURI);
         writer.writeAttribute(prefix, namespaceURI, SPConstants.ATTR_INCLUDE_TOKEN, SP12Constants.INCLUDE_ALWAYS);
 
-        String pPrefix = writer.getPrefix(SPConstants.POLICY.getNamespaceURI());
+        QName policy = Constants.Q_ELEM_POLICY_15;
+
+        String pPrefix = writer.getPrefix(policy.getNamespaceURI());
         if (pPrefix == null) {
-            pPrefix = SPConstants.POLICY.getPrefix();
-            writer.setPrefix(SPConstants.POLICY.getPrefix(), SPConstants.POLICY.getNamespaceURI());
+            pPrefix = policy.getPrefix();
+            writer.setPrefix(policy.getPrefix(), policy.getNamespaceURI());
         }
         // write start element of nested policy element
-        writer.writeStartElement(pPrefix, SPConstants.POLICY.getLocalPart(), SPConstants.POLICY
+        writer.writeStartElement(pPrefix, policy.getLocalPart(), policy
                 .getNamespaceURI());
         // write end element of nested policy element
         writer.writeEndElement();
@@ -124,6 +130,11 @@ public Element getTokenElement() {
         return token.getElement();
     }
 
+    @Override
+    protected AbstractSecurityAssertion cloneAssertion(Policy nestedPolicy) {
+        return super.clone(nestedPolicy);
+    }
+
     /**
      * A private subclass of the wss4j BinarySecurityToken class, as an aid to obtain the xml corresponding to a
      * BinarySecurityToken necessary for inclusion in the soap security header by the OpenAMSessionTokenClientInterceptor.
@@ -140,7 +151,7 @@ private static class OpenAMSessionToken extends BinarySecurity {
          * @param sessionId The OpenAM session id to-be-included in the BST.
          */
         void setSessionId(String sessionId) {
-            getFirstNode().setData(sessionId);
+            setRawToken(sessionId.getBytes());
         }
     }
 }

openam-sts/openam-soap-sts/openam-soap-sts-server/src/main/java/org/forgerock/openam/sts/soap/policy/am/OpenAMSessionTokenServerAssertionBuilder.java

@@ -12,15 +12,16 @@
  * information: "Portions Copyrighted [year] [name of copyright owner]".
  *
  * Copyright 2015 ForgeRock AS.
+ * Portions Copyrighted 2025 3A-Systems LLC.
  */
 
 package org.forgerock.openam.sts.soap.policy.am;
 import org.apache.cxf.ws.policy.PolicyConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.neethi.Assertion;
 import org.apache.neethi.AssertionBuilderFactory;
 import org.apache.neethi.builders.AssertionBuilder;
-import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.wss4j.policy.SPConstants;
 import org.forgerock.openam.sts.AMSTSConstants;
 
 import org.w3c.dom.Element;
@@ -45,7 +46,7 @@ public Assertion build(Element element, AssertionBuilderFactory assertionBuilder
             throw new IllegalArgumentException(AMSTSConstants.AM_SESSION_TOKEN_ASSERTION_QNAME
                     + " must have an inner wsp:Policy element");
         }
-        return new OpenAMSessionAssertion(SP12Constants.INSTANCE, SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT,
+        return new OpenAMSessionAssertion(SPConstants.SPVersion.SP12, SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT,
                 nestedPolicyElement, element.getTextContent());
     }