Search in sources :

Example 1 with ECryptoAlgorithmSign

use of com.helger.phase4.crypto.ECryptoAlgorithmSign in project phase4 by phax.

the class SOAPHeaderElementProcessorWSS4J method processHeaderElement.

@Nonnull
public ESuccess processHeaderElement(@Nonnull final Document aSOAPDoc, @Nonnull final Element aSecurityNode, @Nonnull final ICommonsList<WSS4JAttachment> aAttachments, @Nonnull final AS4MessageState aState, @Nonnull final ErrorList aErrorList) {
    IPMode aPMode = aState.getPMode();
    if (aPMode == null)
        aPMode = m_aFallbackPMode;
    // Safety Check
    if (aPMode == null)
        throw new IllegalStateException("No PMode contained in AS4 state - seems like Ebms3 Messaging header is missing!");
    // Default is Leg 1, gets overwritten when a reference to a message id
    // exists and then uses leg2
    final Locale aLocale = aState.getLocale();
    PModeLeg aPModeLeg = aPMode.getLeg1();
    final Ebms3UserMessage aUserMessage = aState.getEbmsUserMessage();
    if (aUserMessage != null && StringHelper.hasText(aUserMessage.getMessageInfo().getRefToMessageId()))
        aPModeLeg = aPMode.getLeg2();
    // Does security - leg part checks if not <code>null</code>
    if (aPModeLeg.getSecurity() != null) {
        // Get Signature Algorithm
        Element aSignedNode = XMLHelper.getFirstChildElementOfName(aSecurityNode, CAS4.DS_NS, "Signature");
        if (aSignedNode != null) {
            // Go through the security nodes to find the algorithm attribute
            aSignedNode = XMLHelper.getFirstChildElementOfName(aSignedNode, CAS4.DS_NS, "SignedInfo");
            final Element aSignatureAlgorithm = XMLHelper.getFirstChildElementOfName(aSignedNode, CAS4.DS_NS, "SignatureMethod");
            String sAlgorithm = aSignatureAlgorithm == null ? null : aSignatureAlgorithm.getAttribute("Algorithm");
            final ECryptoAlgorithmSign eSignAlgo = ECryptoAlgorithmSign.getFromURIOrNull(sAlgorithm);
            if (eSignAlgo == null) {
                LOGGER.error("Error processing the Security Header, your signing algorithm '" + sAlgorithm + "' is incorrect. Expected one of the following '" + Arrays.asList(ECryptoAlgorithmSign.values()) + "' algorithms");
                aErrorList.add(EEbmsError.EBMS_FAILED_AUTHENTICATION.getAsError(aLocale));
                return ESuccess.FAILURE;
            }
            if (LOGGER.isDebugEnabled())
                LOGGER.debug("Using signature algorithm " + eSignAlgo);
            // Get Signature Digest Algorithm
            aSignedNode = XMLHelper.getFirstChildElementOfName(aSignedNode, CAS4.DS_NS, "Reference");
            aSignedNode = XMLHelper.getFirstChildElementOfName(aSignedNode, CAS4.DS_NS, "DigestMethod");
            sAlgorithm = aSignedNode == null ? null : aSignedNode.getAttribute("Algorithm");
            final ECryptoAlgorithmSignDigest eSignDigestAlgo = ECryptoAlgorithmSignDigest.getFromURIOrNull(sAlgorithm);
            if (eSignDigestAlgo == null) {
                LOGGER.error("Error processing the Security Header, your signing digest algorithm is incorrect. Expected one of the following'" + Arrays.toString(ECryptoAlgorithmSignDigest.values()) + "' algorithms");
                aErrorList.add(EEbmsError.EBMS_FAILED_AUTHENTICATION.getAsError(aLocale));
                return ESuccess.FAILURE;
            }
            if (LOGGER.isDebugEnabled())
                LOGGER.debug("Using signature digest algorithm " + eSignDigestAlgo);
        }
        // Check attachment validity only if a PartInfo element is available
        if (aUserMessage != null) {
            final boolean bBodyPayloadPresent = aState.isSoapBodyPayloadPresent();
            // Check if Attachment IDs are the same
            for (int i = 0; i < aAttachments.size(); i++) {
                String sAttachmentID = aAttachments.get(i).getHeaders().get(AttachmentUtils.MIME_HEADER_CONTENT_ID);
                if (StringHelper.hasNoText(sAttachmentID)) {
                    LOGGER.error("The provided attachment ID in the 'Content-ID' header may not be empty.");
                    aErrorList.add(EEbmsError.EBMS_VALUE_INCONSISTENT.getAsError(aLocale));
                    return ESuccess.FAILURE;
                }
                if (!sAttachmentID.startsWith(WSS4JAttachment.CONTENT_ID_PREFIX)) {
                    LOGGER.error("The provided attachment ID '" + sAttachmentID + "' in the 'Content-ID' header does not start with the required prefix '" + WSS4JAttachment.CONTENT_ID_PREFIX + "'");
                    aErrorList.add(EEbmsError.EBMS_VALUE_INCONSISTENT.getAsError(aLocale));
                    return ESuccess.FAILURE;
                }
                if (!sAttachmentID.endsWith(WSS4JAttachment.CONTENT_ID_SUFFIX)) {
                    LOGGER.error("The provided attachment ID '" + sAttachmentID + "' in the 'Content-ID' header does not end with the required suffix '" + WSS4JAttachment.CONTENT_ID_SUFFIX + "'");
                    aErrorList.add(EEbmsError.EBMS_VALUE_INCONSISTENT.getAsError(aLocale));
                    return ESuccess.FAILURE;
                }
                // Strip prefix and suffix
                sAttachmentID = sAttachmentID.substring(WSS4JAttachment.CONTENT_ID_PREFIX.length(), sAttachmentID.length() - WSS4JAttachment.CONTENT_ID_SUFFIX.length());
                // Add +1 because the payload has index 0
                final String sHref = aUserMessage.getPayloadInfo().getPartInfoAtIndex((bBodyPayloadPresent ? 1 : 0) + i).getHref();
                if (!sHref.contains(sAttachmentID)) {
                    LOGGER.error("The usermessage part information '" + sHref + "' does not reference the respective attachment ID '" + sAttachmentID + "'");
                    aErrorList.add(EEbmsError.EBMS_VALUE_INCONSISTENT.getAsError(aLocale));
                    return ESuccess.FAILURE;
                }
            }
        }
        final ESuccess eSuccess;
        if (AS4Configuration.isWSS4JSynchronizedSecurity()) {
            // Use static WSSConfig creation
            eSuccess = WSSSynchronizer.call(() -> _verifyAndDecrypt(aSOAPDoc, aAttachments, aState, aErrorList, WSSConfigManager::createStaticWSSConfig));
        } else {
            // Use instance WSSConfig creation
            eSuccess = _verifyAndDecrypt(aSOAPDoc, aAttachments, aState, aErrorList, WSSConfigManager.getInstance()::createWSSConfig);
        }
        if (eSuccess.isFailure())
            return ESuccess.FAILURE;
    }
    return ESuccess.SUCCESS;
}
Also used : Locale(java.util.Locale) ESuccess(com.helger.commons.state.ESuccess) PModeLeg(com.helger.phase4.model.pmode.leg.PModeLeg) Element(org.w3c.dom.Element) IPMode(com.helger.phase4.model.pmode.IPMode) ECryptoAlgorithmSignDigest(com.helger.phase4.crypto.ECryptoAlgorithmSignDigest) WSSConfigManager(com.helger.phase4.wss.WSSConfigManager) Ebms3UserMessage(com.helger.phase4.ebms3header.Ebms3UserMessage) ECryptoAlgorithmSign(com.helger.phase4.crypto.ECryptoAlgorithmSign) Nonnull(javax.annotation.Nonnull)

Example 2 with ECryptoAlgorithmSign

use of com.helger.phase4.crypto.ECryptoAlgorithmSign in project phase4 by phax.

the class PModeLegSecurityMicroTypeConverter method convertToNative.

@Nonnull
public PModeLegSecurity convertToNative(@Nonnull final IMicroElement aElement) {
    final String sWSSVersion = aElement.getAttributeValue(ATTR_WSS_VERSION);
    final EWSSVersion eWSSVersion = EWSSVersion.getFromVersionOrNull(sWSSVersion);
    if (eWSSVersion == null && sWSSVersion != null) {
        throw new IllegalStateException("Invalid WSS version '" + sWSSVersion + "'");
    }
    final ICommonsList<String> aX509SignElement = new CommonsArrayList<>();
    for (final IMicroElement aSignElement : aElement.getAllChildElements(ELEMENT_X509_SIGN_ELEMENT)) {
        aX509SignElement.add(aSignElement.getTextContentTrimmed());
    }
    final ICommonsList<String> aX509SignAttachment = new CommonsArrayList<>();
    for (final IMicroElement aSignElement : aElement.getAllChildElements(ELEMENT_X509_SIGN_ATTACHMENT)) {
        aX509SignAttachment.add(aSignElement.getTextContentTrimmed());
    }
    final String sX509SignatureCertificate = MicroHelper.getChildTextContentTrimmed(aElement, ELEMENT_X509_SIGNATURE_CERTIFICATE);
    final String sX509SignatureHashFunction = aElement.getAttributeValue(ATTR_X509_SIGNATURE_HASH_FUNCTION);
    final ECryptoAlgorithmSignDigest eX509SignatureHashFunction = ECryptoAlgorithmSignDigest.getFromIDOrNull(sX509SignatureHashFunction);
    if (eX509SignatureHashFunction == null && sX509SignatureHashFunction != null) {
        throw new IllegalStateException("Invalid signature hash function '" + sX509SignatureHashFunction + "'");
    }
    final String sX509SignatureAlgorithm = aElement.getAttributeValue(ATTR_X509_SIGNATURE_ALGORITHM);
    final ECryptoAlgorithmSign eX509SignatureAlgorithm = ECryptoAlgorithmSign.getFromIDOrNull(sX509SignatureAlgorithm);
    if (eX509SignatureAlgorithm == null && sX509SignatureAlgorithm != null) {
        throw new IllegalStateException("Invalid signature algorithm '" + sX509SignatureAlgorithm + "'");
    }
    final ICommonsList<String> aX509EncryptionEncryptElement = new CommonsArrayList<>();
    for (final IMicroElement aEncryptElement : aElement.getAllChildElements(ELEMENT_X509_ENCRYPTION_ENCRYPT_ELEMENT)) {
        aX509EncryptionEncryptElement.add(aEncryptElement.getTextContentTrimmed());
    }
    final ICommonsList<String> aX509EncryptionEncryptAttachment = new CommonsArrayList<>();
    for (final IMicroElement aEncryptElement : aElement.getAllChildElements(ELEMENT_X509_ENCRYPTION_ENCRYPT_ATTACHMENT)) {
        aX509EncryptionEncryptAttachment.add(aEncryptElement.getTextContentTrimmed());
    }
    final String sX509EncryptionCertificate = MicroHelper.getChildTextContentTrimmed(aElement, ELEMENT_X509_ENCRYPTION_CERTIFICATE);
    final String sX509EncryptionAlgorithm = aElement.getAttributeValue(ATTR_X509_ENCRYPTION_ALGORITHM);
    final ECryptoAlgorithmCrypt eX509EncryptionAlgorithm = ECryptoAlgorithmCrypt.getFromIDOrNull(sX509EncryptionAlgorithm);
    if (eX509EncryptionAlgorithm == null && sX509EncryptionAlgorithm != null) {
        throw new IllegalStateException("Invalid encrypt algorithm '" + sX509EncryptionAlgorithm + "'");
    }
    final Integer aX509EncryptionMinimumStrength = aElement.getAttributeValueWithConversion(ATTR_X509_ENCRYPTION_MINIMUM_STRENGTH, Integer.class);
    final String sUsernameTokenUsername = aElement.getAttributeValue(ATTR_USERNAME_TOKEN_USERNAME);
    final String sUsernameTokenPassword = aElement.getAttributeValue(ATTR_USERNAME_TOKEN_PASSWORD);
    final ETriState eUsernameTokenDigest = getTriState(aElement.getAttributeValue(ATTR_USERNAME_TOKEN_DIGEST), PModeLegSecurity.DEFAULT_USERNAME_TOKEN_DIGEST);
    final ETriState eUsernameTokenNonce = getTriState(aElement.getAttributeValue(ATTR_USERNAME_TOKEN_NONCE), PModeLegSecurity.DEFAULT_USERNAME_TOKEN_NONCE);
    final ETriState eUsernameTokenCreated = getTriState(aElement.getAttributeValue(ATTR_USERNAME_TOKEN_CREATED), PModeLegSecurity.DEFAULT_USERNAME_TOKEN_CREATED);
    final ETriState ePModeAuthorize = getTriState(aElement.getAttributeValue(ATTR_PMODE_AUTHORIZE), PModeLegSecurity.DEFAULT_PMODE_AUTHORIZE);
    final ETriState eSendReceipt = getTriState(aElement.getAttributeValue(ATTR_SEND_RECEIPT), PModeLegSecurity.DEFAULT_SEND_RECEIPT);
    final String sSendReceiptReplyPattern = aElement.getAttributeValue(ATTR_SEND_RECEIPT_REPLY_PATTERN);
    final EPModeSendReceiptReplyPattern eSendReceiptReplyPattern = EPModeSendReceiptReplyPattern.getFromIDOrNull(sSendReceiptReplyPattern);
    if (eSendReceiptReplyPattern == null && sSendReceiptReplyPattern != null) {
        throw new IllegalStateException("Invalid SendReceipt ReplyPattern version '" + sSendReceiptReplyPattern + "'");
    }
    final ETriState eSendReceiptNonRepudiation = getTriState(aElement.getAttributeValue(ATTR_SEND_RECEIPT_NON_REPUDIATION), PModeLegSecurity.DEFAULT_SEND_RECEIPT_NON_REPUDIATION);
    return new PModeLegSecurity(eWSSVersion, aX509SignElement, aX509SignAttachment, sX509SignatureCertificate, eX509SignatureHashFunction, eX509SignatureAlgorithm, aX509EncryptionEncryptElement, aX509EncryptionEncryptAttachment, sX509EncryptionCertificate, eX509EncryptionAlgorithm, aX509EncryptionMinimumStrength, sUsernameTokenUsername, sUsernameTokenPassword, eUsernameTokenDigest, eUsernameTokenNonce, eUsernameTokenCreated, ePModeAuthorize, eSendReceipt, eSendReceiptReplyPattern, eSendReceiptNonRepudiation);
}
Also used : ETriState(com.helger.commons.state.ETriState) ECryptoAlgorithmCrypt(com.helger.phase4.crypto.ECryptoAlgorithmCrypt) IMicroElement(com.helger.xml.microdom.IMicroElement) ECryptoAlgorithmSignDigest(com.helger.phase4.crypto.ECryptoAlgorithmSignDigest) EWSSVersion(com.helger.phase4.wss.EWSSVersion) CommonsArrayList(com.helger.commons.collection.impl.CommonsArrayList) ECryptoAlgorithmSign(com.helger.phase4.crypto.ECryptoAlgorithmSign) Nonnull(javax.annotation.Nonnull)

Example 3 with ECryptoAlgorithmSign

use of com.helger.phase4.crypto.ECryptoAlgorithmSign in project phase4 by phax.

the class PModeLegSecurityJsonConverter method convertToNative.

/**
 * Convert the provided JSON to a {@link PModeLegSecurity} object.
 *
 * @param aElement
 *        The JSON object to be converted. May not be <code>null</code>.
 * @return A non-<code>null</code> {@link PModeLegSecurity}
 * @throws IllegalStateException
 *         In case of an unsupported value
 */
@Nonnull
public static PModeLegSecurity convertToNative(@Nonnull final IJsonObject aElement) {
    final String sWSSVersion = aElement.getAsString(ATTR_WSS_VERSION);
    final EWSSVersion eWSSVersion = EWSSVersion.getFromVersionOrNull(sWSSVersion);
    if (eWSSVersion == null && sWSSVersion != null)
        throw new IllegalStateException("Invalid WSS version '" + sWSSVersion + "'");
    final ICommonsList<String> aX509SignElements = new CommonsArrayList<>();
    final IJsonArray aSignElement = aElement.getAsArray(ELEMENT_X509_SIGN_ELEMENT);
    if (aSignElement != null)
        for (final IJsonValue aItem : aSignElement.iteratorValues()) aX509SignElements.add(aItem.getAsString());
    final ICommonsList<String> aX509SignAttachments = new CommonsArrayList<>();
    final IJsonArray aSignAttachment = aElement.getAsArray(ELEMENT_X509_SIGN_ATTACHMENT);
    if (aSignAttachment != null)
        for (final IJsonValue aItem : aSignAttachment.iteratorValues()) aX509SignAttachments.add(aItem.getAsString());
    final String sX509SignatureCertificate = aElement.getAsString(ELEMENT_X509_SIGNATURE_CERTIFICATE);
    final String sX509SignatureHashFunction = aElement.getAsString(ATTR_X509_SIGNATURE_HASH_FUNCTION);
    final ECryptoAlgorithmSignDigest eX509SignatureHashFunction = ECryptoAlgorithmSignDigest.getFromIDOrNull(sX509SignatureHashFunction);
    if (eX509SignatureHashFunction == null && sX509SignatureHashFunction != null)
        throw new IllegalStateException("Invalid signature hash function '" + sX509SignatureHashFunction + "'");
    final String sX509SignatureAlgorithm = aElement.getAsString(ATTR_X509_SIGNATURE_ALGORITHM);
    final ECryptoAlgorithmSign eX509SignatureAlgorithm = ECryptoAlgorithmSign.getFromIDOrNull(sX509SignatureAlgorithm);
    if (eX509SignatureAlgorithm == null && sX509SignatureAlgorithm != null)
        throw new IllegalStateException("Invalid signature algorithm '" + sX509SignatureAlgorithm + "'");
    final ICommonsList<String> aX509EncryptionElements = new CommonsArrayList<>();
    final IJsonArray aEncryptElement = aElement.getAsArray(ELEMENT_X509_ENCRYPTION_ENCRYPT_ELEMENT);
    if (aEncryptElement != null)
        for (final IJsonValue aItem : aEncryptElement.iteratorValues()) aX509EncryptionElements.add(aItem.getAsString());
    final ICommonsList<String> aX509EncryptionAttachments = new CommonsArrayList<>();
    final IJsonArray aEncryptAttachment = aElement.getAsArray(ELEMENT_X509_ENCRYPTION_ENCRYPT_ATTACHMENT);
    if (aEncryptAttachment != null)
        for (final IJsonValue aItem : aEncryptAttachment.iteratorValues()) aX509EncryptionAttachments.add(aItem.getAsString());
    final String sX509EncryptionCertificate = aElement.getAsString(ELEMENT_X509_ENCRYPTION_CERTIFICATE);
    final String sX509EncryptionAlgorithm = aElement.getAsString(ATTR_X509_ENCRYPTION_ALGORITHM);
    final ECryptoAlgorithmCrypt eX509EncryptionAlgorithm = ECryptoAlgorithmCrypt.getFromIDOrNull(sX509EncryptionAlgorithm);
    if (eX509EncryptionAlgorithm == null && sX509EncryptionAlgorithm != null)
        throw new IllegalStateException("Invalid encrypt algorithm '" + sX509EncryptionAlgorithm + "'");
    final Integer aX509EncryptionMinimumStrength = aElement.getAsIntObj(ATTR_X509_ENCRYPTION_MINIMUM_STRENGTH);
    final String sUsernameTokenUsername = aElement.getAsString(ATTR_USERNAME_TOKEN_USERNAME);
    final String sUsernameTokenPassword = aElement.getAsString(ATTR_USERNAME_TOKEN_PASSWORD);
    final ETriState eUsernameTokenDigest = AbstractPModeMicroTypeConverter.getTriState(aElement.getAsString(ATTR_USERNAME_TOKEN_DIGEST), PModeLegSecurity.DEFAULT_USERNAME_TOKEN_DIGEST);
    final ETriState eUsernameTokenNonce = AbstractPModeMicroTypeConverter.getTriState(aElement.getAsString(ATTR_USERNAME_TOKEN_NONCE), PModeLegSecurity.DEFAULT_USERNAME_TOKEN_NONCE);
    final ETriState eUsernameTokenCreated = AbstractPModeMicroTypeConverter.getTriState(aElement.getAsString(ATTR_USERNAME_TOKEN_CREATED), PModeLegSecurity.DEFAULT_USERNAME_TOKEN_CREATED);
    final ETriState ePModeAuthorize = AbstractPModeMicroTypeConverter.getTriState(aElement.getAsString(ATTR_PMODE_AUTHORIZE), PModeLegSecurity.DEFAULT_PMODE_AUTHORIZE);
    final ETriState eSendReceipt = AbstractPModeMicroTypeConverter.getTriState(aElement.getAsString(ATTR_SEND_RECEIPT), PModeLegSecurity.DEFAULT_SEND_RECEIPT);
    final String sSendReceiptReplyPattern = aElement.getAsString(ATTR_SEND_RECEIPT_REPLY_PATTERN);
    final EPModeSendReceiptReplyPattern eSendReceiptReplyPattern = EPModeSendReceiptReplyPattern.getFromIDOrNull(sSendReceiptReplyPattern);
    if (eSendReceiptReplyPattern == null && sSendReceiptReplyPattern != null)
        throw new IllegalStateException("Invalid SendReceipt ReplyPattern version '" + sSendReceiptReplyPattern + "'");
    final ETriState eSendReceiptNonRepudiation = AbstractPModeMicroTypeConverter.getTriState(aElement.getAsString(ATTR_SEND_RECEIPT_NON_REPUDIATION), PModeLegSecurity.DEFAULT_SEND_RECEIPT_NON_REPUDIATION);
    return new PModeLegSecurity(eWSSVersion, aX509SignElements, aX509SignAttachments, sX509SignatureCertificate, eX509SignatureHashFunction, eX509SignatureAlgorithm, aX509EncryptionElements, aX509EncryptionAttachments, sX509EncryptionCertificate, eX509EncryptionAlgorithm, aX509EncryptionMinimumStrength, sUsernameTokenUsername, sUsernameTokenPassword, eUsernameTokenDigest, eUsernameTokenNonce, eUsernameTokenCreated, ePModeAuthorize, eSendReceipt, eSendReceiptReplyPattern, eSendReceiptNonRepudiation);
}
Also used : ETriState(com.helger.commons.state.ETriState) ECryptoAlgorithmCrypt(com.helger.phase4.crypto.ECryptoAlgorithmCrypt) IJsonValue(com.helger.json.IJsonValue) ECryptoAlgorithmSignDigest(com.helger.phase4.crypto.ECryptoAlgorithmSignDigest) IJsonArray(com.helger.json.IJsonArray) EWSSVersion(com.helger.phase4.wss.EWSSVersion) CommonsArrayList(com.helger.commons.collection.impl.CommonsArrayList) ECryptoAlgorithmSign(com.helger.phase4.crypto.ECryptoAlgorithmSign) Nonnull(javax.annotation.Nonnull)

Aggregations

ECryptoAlgorithmSign (com.helger.phase4.crypto.ECryptoAlgorithmSign)3 ECryptoAlgorithmSignDigest (com.helger.phase4.crypto.ECryptoAlgorithmSignDigest)3 Nonnull (javax.annotation.Nonnull)3 CommonsArrayList (com.helger.commons.collection.impl.CommonsArrayList)2 ETriState (com.helger.commons.state.ETriState)2 ECryptoAlgorithmCrypt (com.helger.phase4.crypto.ECryptoAlgorithmCrypt)2 EWSSVersion (com.helger.phase4.wss.EWSSVersion)2 ESuccess (com.helger.commons.state.ESuccess)1 IJsonArray (com.helger.json.IJsonArray)1 IJsonValue (com.helger.json.IJsonValue)1 Ebms3UserMessage (com.helger.phase4.ebms3header.Ebms3UserMessage)1 IPMode (com.helger.phase4.model.pmode.IPMode)1 PModeLeg (com.helger.phase4.model.pmode.leg.PModeLeg)1 WSSConfigManager (com.helger.phase4.wss.WSSConfigManager)1 IMicroElement (com.helger.xml.microdom.IMicroElement)1 Locale (java.util.Locale)1 Element (org.w3c.dom.Element)1