CyberSource
diff --git a/‎README.md
+23-14 b/‎README.md
+23-14
diff --git a/‎java/pom.xml
+30-20 b/‎java/pom.xml
+30-20
diff --git a/‎java/src/main/java/com/cybersource/ws/client/Identity.java
+1-1 b/‎java/src/main/java/com/cybersource/ws/client/Identity.java
+1-1
diff --git a/‎java/src/main/java/com/cybersource/ws/client/MessageHandlerKeyStore.java
+3-5 b/‎java/src/main/java/com/cybersource/ws/client/MessageHandlerKeyStore.java
+3-5
diff --git a/‎java/src/main/java/com/cybersource/ws/client/SecurityUtil.java
+42-38 b/‎java/src/main/java/com/cybersource/ws/client/SecurityUtil.java
+42-38
@@ -1,6 +1,6 @@
 # CyberSource Simple Order API for Java
 
-[![Build Status](https://travis-ci.org/CyberSource/cybersource-sdk-java.png?branch=master)](https://travis-ci.org/CyberSource/cybersource-sdk-java)
+[![Build Status](https://travis-ci.org/CyberSource/cybersource-sdk-java.png?branch=future)](https://travis-ci.org/CyberSource/cybersource-sdk-java)
 
 ## Package Managers
 
@@ -10,7 +10,7 @@ To install the `cybersource-sdk-java` from central repository, add dependency to
 <dependency>
   <groupId>com.cybersource</groupId>
   <artifactId>cybersource-sdk-java</artifactId>
-  <version>6.2.11</version>
+  <version>6.2.12</version>
 </dependency> 
 ```
 Run `mvn install` to install dependency
@@ -19,7 +19,7 @@ Run `mvn install` to install dependency
 Add the dependency to your build.gradle
 ```java
 dependencies {
-  compile 'com.cybersource:cybersource-sdk-java:6.2.11'
+  compile 'com.cybersource:cybersource-sdk-java:6.2.12'
 }
 ```
 ## Requirements
@@ -227,29 +227,38 @@ Retry Pattern allows to retry sending a failed request and it will only work wit
   - Config parameter for this property is 'retryInterval' in `cybs.property` file. The default value for 'retryInterval' parameter is 1000 which means a delay of 1000 milliSeconds.
 
 ## Third Party jars
-    1. org.apache.ws.security.wss4j:1.6.19
-      The Apache WSS4J project provides a Java implementation of the primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.
-    2. org.bouncycastle:bcprov-jdk15on:1.61
+    1. org.apache.wss4j:wss4j-ws-security-common:2.4.1
+      The Apache WSS4J project provides a Java implementation of the common primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.
+    2. org.apache.wss4j:wss4j-ws-security-dom:2.4.1
+      WSS4J 2.0.0 introduces a streaming (StAX-based) WS-Security implementation to complement the existing DOM-based implementation. The DOM-based implementation is quite performant and flexible, but suffers from having to read the entire XML tree into memory. For large SOAP requests this can have a detrimental impact on performance. In addition, for web services stacks such as Apache CXF which are streaming-based, it carries an additional performance penalty of having to explicitly convert the request stream to a DOM Element.
+    3. org.bouncycastle:bcprov-jdk15on:1.70
       This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
-    3. org.apache.santuario:xmlsec:1.5.6
+    4. org.apache.santuario:xmlsec:2.3.0
       The XML Security project is aimed at providing implementation of security standards for XML,supports XML-Signature Syntax and Processing,XML Encryption Syntax and Processing, and supports XML Digital Signature APIs.
-    4. org.apache.commons:commons-lang3:3.4
+    5. org.apache.commons:commons-lang3:3.4
       Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
-    5. commons-logging:commons-logging:jar:1.1.1
+    6. commons-logging:commons-logging:jar:1.1.1
       This is getting downloaded as compile time dependency of wss4j:1.6.19.Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.
-    6. org.slf4j:slf4j-api:1.7.21 and org.slf4j:slf4j-jcl:1.7.21
+    7. org.slf4j:slf4j-api:1.7.32 and org.slf4j:slf4j-jcl:1.7.32
       slf4j-api is getting used as a dependency for wss4j. Modified to latest version.
-    7. junit:junit:4.13.1
+    8. junit:junit:4.13.1
       JUnit is a unit testing framework for Java.
-    8. org.mockito:mockito-all:1.10.19
+    9. org.mockito:mockito-all:1.10.19
       Mock objects library for java  
-    9. org.apache.httpcomponents:httpclient:4.5.13
+    10. org.apache.httpcomponents:httpclient:4.5.13
        Provides reusable components for client-side authentication, HTTP state management, and HTTP connection management. It is used for poolinghttpclientconnectionmanager feature.
-    10. org.apache.httpcomponents:httpcore:4.4.13
+    11. org.apache.httpcomponents:httpcore:4.4.13
        Provides low level HTTP transport components that can be used to build custom client and server side HTTP services with a minimal footprint.
 
 ## Changes
 _______________________________
+Version Cybersource-sdk-java 6.2.12 (JUNE,2022)
+_______________________________
+    1) Mitigation of Apache WSS4j Security Vulnerability (CVE-2016-1000343, CVE-2018-1000180).
+       i) Updated Apache wss4j version from 1.6.19 to 2.4.1
+       ii) Updated dependent libraries version. (xmlsec from 1.5.6 to 2.3.0, bcprov-jdk15on from 1.61 to 1.70)
+_______________________________
+_______________________________
 Version Cybersource-sdk-java 6.2.11 (MAY,2020)
 _______________________________
     1)Exception handling improvement.
 
@@ -2,17 +2,20 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 
     <modelVersion>4.0.0</modelVersion>
+
     <parent>
-        <groupId>org.sonatype.oss</groupId>
-        <artifactId>oss-parent</artifactId>
-        <version>7</version>
+        <artifactId>cybersource-sdk-master</artifactId>
+        <groupId>com.cybersource</groupId>
+        <version>6.2.12-SNAPSHOT</version>
     </parent>
+
     <groupId>com.cybersource</groupId>
     <artifactId>cybersource-sdk-java</artifactId>
     <version>6.2.12-SNAPSHOT</version>
     <name>cybersource-sdk-java</name>
     <description>Simple Order API Client</description>
     <url>http://www.cybersource.com</url>
+
     <licenses>
         <license>
             <name>CyberSource SDK License Agreement</name>
@@ -34,10 +37,6 @@
         </developer>
     </developers>
 
-    <properties>
-        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    </properties>
     <packaging>jar</packaging>
 
     <profiles>
@@ -219,23 +218,23 @@
       <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
-            <version>4.13.1</version>
+            <version>${junit.version}</version>
             <scope>test</scope>
         </dependency>
        <dependency>
               <groupId>xalan</groupId>
              <artifactId>xalan</artifactId>
-             <version>2.7.2</version>
+             <version>${xalan.version}</version>
         </dependency>
         <dependency>
     		<groupId>org.apache.santuario</groupId>
     		<artifactId>xmlsec</artifactId>
-    		<version>1.5.6</version>
+    		<version>${xmlsec.version}</version>
 		</dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpclient</artifactId>
-            <version>4.5.13</version>
+            <version>${httpclient.version}</version>
             <exclusions>
                 <exclusion>
                     <groupId>commons-logging</groupId>
@@ -246,28 +245,39 @@
          <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>
-            <version>1.61</version>
+            <version>${bouncycastle.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.wss4j</groupId>
+            <artifactId>wss4j-ws-security-common</artifactId>
+            <version>${wss4j.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>com.google.guava</groupId>
+                    <artifactId>guava</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
-            <groupId>org.apache.ws.security</groupId>
-            <artifactId>wss4j</artifactId>
-            <version>1.6.19</version>
-	        <exclusions>
+            <groupId>org.apache.wss4j</groupId>
+            <artifactId>wss4j-ws-security-dom</artifactId>
+            <version>${wss4j.version}</version>
+            <exclusions>
                 <exclusion>
-                    <groupId>org.opensaml</groupId>
-                    <artifactId>opensaml</artifactId>
+                    <groupId>org.ehcache</groupId>
+                    <artifactId>ehcache</artifactId>
                 </exclusion>
             </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>3.4</version>
+            <version>${commonlang3.version}</version>
         </dependency>
         <dependency>
       	    <groupId>org.mockito</groupId>
             <artifactId>mockito-all</artifactId>
-            <version>1.10.19</version>
+            <version>${mockito.version}</version>
             <scope>test</scope>
         </dependency>
     </dependencies>
 
@@ -72,7 +72,7 @@ private void setupJdkServerCerts() throws SignException {
                 }
                 else if (subjectDNrray.length == 2 && subjectDNrray[1].contains(SERVER_ALIAS)) {
                     name = SERVER_ALIAS;
-                    serialNumber = subjectDNrray[1];
+                    serialNumber = subjectDNrray[1].split(",")[0];
                     keyAlias = "serialNumber=" + serialNumber + ",CN=" + name;
                 }else{
                     throw new SignException("Exception while obtaining private key from KeyStore with alias, '" + merchantConfig.getKeyAlias() + "'");
 
@@ -1,7 +1,6 @@
 package com.cybersource.ws.client;
 
-import org.apache.ws.security.components.crypto.CredentialException;
-import org.apache.ws.security.components.crypto.Merlin;
+import org.apache.wss4j.common.crypto.Merlin;
 
 import java.io.IOException;
 import java.security.KeyStoreException;
@@ -15,11 +14,10 @@
 public class MessageHandlerKeyStore extends Merlin {
 
     /**
-     * @throws CredentialException
      * @throws IOException
      */
-	public MessageHandlerKeyStore() throws CredentialException, IOException {
-        super(null);
+	public MessageHandlerKeyStore() {
+        super();
         properties = new Properties();
     }
 
 
@@ -1,20 +1,22 @@
 package com.cybersource.ws.client;
 
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSEncryptionPart;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.CredentialException;
-import org.apache.ws.security.message.WSSecEncrypt;
-import org.apache.ws.security.message.WSSecHeader;
-import org.apache.ws.security.message.WSSecSignature;
+import org.apache.wss4j.common.WSEncryptionPart;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.util.KeyUtils;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDocInfo;
+import org.apache.wss4j.dom.message.WSSecEncrypt;
+import org.apache.wss4j.dom.message.WSSecHeader;
+import org.apache.wss4j.dom.message.WSSecSignature;
+import org.apache.xml.security.Init;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.w3c.dom.Document;
 
+import javax.crypto.KeyGenerator;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.security.*;
-import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Collections;
@@ -44,20 +46,22 @@ public class SecurityUtil {
     private static final String SIGNATURE_ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
     // By default digest algorithm is set to "http://www.w3.org/2000/09/xmldsig#sha1"
     private static final String DIGEST_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#sha256";
-    
+
     private static BouncyCastleProvider bcProvider = new BouncyCastleProvider();
 
     // This is loaded by WSS4J but since we use it lets make sure its here
     static {
         Security.addProvider(bcProvider);
         try {
             initKeystore();
+            //Must initialize xml-security library correctly before use it
+            Init.init();
         } catch (Exception e) {
             localKeyStoreHandler=null;
         }
     }
 
-    private static void initKeystore() throws KeyStoreException, CredentialException, IOException, NoSuchAlgorithmException, CertificateException{
+    private static void initKeystore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException{
         KeyStore keyStore = KeyStore.getInstance("jks");
         keyStore.load(null, null);
         localKeyStoreHandler = new MessageHandlerKeyStore();
@@ -190,50 +194,50 @@ private static void readAndStoreCertificateAndPrivateKey(MerchantConfig merchant
      * @throws SignException
      */
     public static Document handleMessageCreation(Document signedDoc, String merchantId, Logger logger) throws SignEncryptException, SignException{
-        
+
         logger.log(Logger.LT_INFO, "Encrypting Signed doc ...");
-        
-        WSSecHeader secHeader = new WSSecHeader();
+
+        WSSecHeader secHeader = new WSSecHeader(signedDoc);
         try {
-            secHeader.insertSecurityHeader(signedDoc);
+            secHeader.insertSecurityHeader();
         } catch (WSSecurityException e) {
             logger.log(Logger.LT_EXCEPTION, "Exception while adding document in soap securiy header for MLE");
             throw new SignException(e);
         }
-        
-        WSSecEncrypt encrBuilder = new WSSecEncrypt();
+
+        WSSecEncrypt encrBuilder = new WSSecEncrypt(secHeader);
         //Set the user name to get the encryption certificate.
         //The public key of this certificate is used, thus no password necessary. The user name is a keystore alias usually.
         encrBuilder.setUserInfo(identities.get(SERVER_ALIAS).getKeyAlias());
-        
+
         /*This is to reference a public key or certificate when signing or encrypting a SOAP message.
          *The following valid values for these configuration items are:
          *IssuerSerial (default),DirectReference[BST],X509KeyIdentifier,Thumbprint,SKIKeyIdentifier,KeyValue (signature only),EncryptedKeySHA1 (encryption only)
          */
         encrBuilder.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
-        
+
         //This encryption algorithm is used to encrypt the data.
         encrBuilder.setSymmetricEncAlgorithm(WSConstants.AES_256);
-        
+
         //Sets the algorithm to encode the symmetric key. Default is the WSConstants.KEYTRANSPORT_RSAOEP algorithm.
         //encrBuilder.setKeyEnc(WSConstants.KEYTRANSPORT_RSAOEP);
-        
-        
+
         //Create signed document
         //Document signedDoc = createSignedDoc(workingDocument,senderAlias,password,secHeader);
-        
+
         Document signedEncryptedDoc;
         try {
             //Builds the SOAP envelope with encrypted Body and adds encrypted key.
             // If no external key (symmetricalKey) was set ,generate an encryption
             // key (session key) for this Encrypt element. This key will be
             // encrypted using the public key of the receiver
-            signedEncryptedDoc = encrBuilder.build(signedDoc, localKeyStoreHandler, secHeader);
+            KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_256);
+            signedEncryptedDoc = encrBuilder.build(localKeyStoreHandler, keyGen.generateKey());
         } catch (WSSecurityException e) {
             logger.log(Logger.LT_EXCEPTION, "Failed while encrypting signed requeest for , '" + merchantId + "'" + " with " + SERVER_ALIAS);
             throw new SignEncryptException("Failed while encrypting signed requeest for , '" + merchantId + "'" + " with " + SERVER_ALIAS, e);
         }
-        encrBuilder.prependToHeader(secHeader);
+        encrBuilder.prependToHeader();
         return signedEncryptedDoc;
     }
 
@@ -247,34 +251,34 @@ public static Document handleMessageCreation(Document signedDoc, String merchant
      * @throws SignException
      */
     public static Document createSignedDoc(Document workingDocument,String keyAlias, String password,Logger logger) throws SignException {
-        
         logger.log(Logger.LT_INFO, "Signing request...");
-        //long startTime = System.nanoTime();
-        WSSecHeader secHeader = new WSSecHeader();
+//        long startTime = System.nanoTime();
+        WSSecHeader secHeader = new WSSecHeader(workingDocument);
         try {
-            secHeader.insertSecurityHeader(workingDocument);
+            secHeader.insertSecurityHeader();
         } catch (WSSecurityException e) {
             logger.log(Logger.LT_EXCEPTION,
-                       "Exception while signing XML document");
+                    "Exception while signing XML document");
             throw new SignException(e);
         }
-        
-        WSSecSignature sign = new WSSecSignature();
-        
+
+        WSSecSignature sign = new WSSecSignature(secHeader);
         sign.setUserInfo(keyAlias, password);
-        
-        //sign.setUserInfo(mc.getKeyAlias(), mc.getPassword());
+
         sign.setDigestAlgo(DIGEST_ALGORITHM);
         sign.setSignatureAlgorithm(SIGNATURE_ALGORITHM);
         sign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
         sign.setUseSingleCertificate(true);
-        
+        //
+        sign.setWsDocInfo(new WSDocInfo(workingDocument));
+
         //Set which parts of the message to encrypt/sign.
         WSEncryptionPart msgBodyPart = new WSEncryptionPart(WSConstants.ELEM_BODY, WSConstants.URI_SOAP11_ENV, "");
-        sign.setParts(Collections.singletonList(msgBodyPart));
+
         try {
-            Document document = sign.build(workingDocument, localKeyStoreHandler, secHeader);
-            //System.out.println("SecurityUtil.createSignedDoc time taken to sign the request is " + TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - startTime) + " ms");
+            sign.addReferencesToSign(Collections.singletonList(msgBodyPart));
+            Document document = sign.build(localKeyStoreHandler);
+//            System.out.println("SecurityUtil.createSignedDoc time taken to sign the request is " + TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - startTime) + " ms");
             return document;
         } catch (WSSecurityException e) {
             logger.log(Logger.LT_EXCEPTION, "Failed while signing request for , '" + keyAlias + "'");
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ private void setupJdkServerCerts() throws SignException {`
`72`	`72`	`}`
`73`	`73`	`else if (subjectDNrray.length == 2 && subjectDNrray[1].contains(SERVER_ALIAS)) {`
`74`	`74`	`name = SERVER_ALIAS;`
`75`		`- serialNumber = subjectDNrray[1];`
	`75`	`+ serialNumber = subjectDNrray[1].split(",")[0];`
`76`	`76`	`keyAlias = "serialNumber=" + serialNumber + ",CN=" + name;`
`77`	`77`	`}else{`
`78`	`78`	`throw new SignException("Exception while obtaining private key from KeyStore with alias, '" + merchantConfig.getKeyAlias() + "'");`