use of org.apache.cxf.rs.security.common.TrustValidator in project cxf by apache.
the class AbstractXmlSigInHandler method checkSignature.
protected void checkSignature(Message message) {
Document doc = getDocument(message);
if (doc == null) {
return;
}
Element root = doc.getDocumentElement();
Element signatureElement = getSignatureElement(root);
if (signatureElement == null) {
throwFault("XML Signature is not available", null);
}
String cryptoKey = null;
String propKey = null;
if (RSSecurityUtils.isSignedAndEncryptedTwoWay(message)) {
cryptoKey = SecurityConstants.ENCRYPT_CRYPTO;
propKey = SecurityConstants.ENCRYPT_PROPERTIES;
} else {
cryptoKey = SecurityConstants.SIGNATURE_CRYPTO;
propKey = SecurityConstants.SIGNATURE_PROPERTIES;
}
Crypto crypto = null;
try {
CryptoLoader loader = new CryptoLoader();
crypto = loader.getCrypto(message, cryptoKey, propKey);
} catch (Exception ex) {
throwFault("Crypto can not be loaded", ex);
}
boolean valid = false;
Reference ref = null;
try {
XMLSignature signature = new XMLSignature(signatureElement, "", true);
if (sigProps != null) {
SignedInfo sInfo = signature.getSignedInfo();
if (sigProps.getSignatureAlgo() != null && !sigProps.getSignatureAlgo().equals(sInfo.getSignatureMethodURI())) {
throwFault("Signature Algorithm is not supported", null);
}
if (sigProps.getSignatureC14nMethod() != null && !sigProps.getSignatureC14nMethod().equals(sInfo.getCanonicalizationMethodURI())) {
throwFault("Signature C14n Algorithm is not supported", null);
}
}
ref = getReference(signature);
Element signedElement = validateReference(root, ref);
if (signedElement.hasAttributeNS(null, "ID")) {
signedElement.setIdAttributeNS(null, "ID", true);
}
if (signedElement.hasAttributeNS(null, "Id")) {
signedElement.setIdAttributeNS(null, "Id", true);
}
X509Certificate cert = null;
PublicKey publicKey = null;
// See also WSS4J SAMLUtil.getCredentialFromKeyInfo
KeyInfo keyInfo = signature.getKeyInfo();
if (keyInfo != null) {
cert = keyInfo.getX509Certificate();
if (cert != null) {
valid = signature.checkSignatureValue(cert);
} else {
publicKey = keyInfo.getPublicKey();
if (publicKey != null) {
valid = signature.checkSignatureValue(publicKey);
}
}
} else if (!keyInfoMustBeAvailable) {
String user = getUserName(crypto, message);
cert = RSSecurityUtils.getCertificates(crypto, user)[0];
publicKey = cert.getPublicKey();
valid = signature.checkSignatureValue(cert);
}
// validate trust
new TrustValidator().validateTrust(crypto, cert, publicKey, getSubjectContraints(message));
if (valid && persistSignature) {
if (signature.getKeyInfo() != null) {
message.put(SIGNING_CERT, signature.getKeyInfo().getX509Certificate());
}
if (signature.getKeyInfo() != null) {
message.put(SIGNING_PUBLIC_KEY, signature.getKeyInfo().getPublicKey());
}
message.setContent(Element.class, signedElement);
}
} catch (Exception ex) {
throwFault("Signature validation failed", ex);
}
if (!valid) {
throwFault("Signature validation failed", null);
}
if (removeSignature) {
if (!isEnveloping(root)) {
Element signedEl = getSignedElement(root, ref);
signedEl.removeAttribute("ID");
root.removeChild(signatureElement);
} else {
Element actualBody = getActualBody(root);
Document newDoc = DOMUtils.createDocument();
newDoc.adoptNode(actualBody);
root = actualBody;
}
}
message.setContent(XMLStreamReader.class, new W3CDOMStreamReader(root));
message.setContent(InputStream.class, null);
}
use of org.apache.cxf.rs.security.common.TrustValidator in project cxf by apache.
the class XmlSecInInterceptor method checkSignatureTrust.
private void checkSignatureTrust(Crypto sigCrypto, Message msg, TokenSecurityEvent<?> event) throws XMLSecurityException {
SecurityToken token = event.getSecurityToken();
if (token != null) {
X509Certificate[] certs = token.getX509Certificates();
if (certs == null && token.getPublicKey() == null && token instanceof KeyNameSecurityToken) {
certs = getX509CertificatesForKeyName(sigCrypto, msg, (KeyNameSecurityToken) token);
}
PublicKey publicKey = token.getPublicKey();
X509Certificate cert = null;
if (certs != null && certs.length > 0) {
cert = certs[0];
}
// validate trust
try {
new TrustValidator().validateTrust(sigCrypto, cert, publicKey, getSubjectContraints(msg));
} catch (WSSecurityException e) {
String error = "Signature validation failed";
throw new XMLSecurityException("empty", new Object[] { error });
}
if (persistSignature) {
msg.setContent(X509Certificate.class, cert);
}
}
}
use of org.apache.cxf.rs.security.common.TrustValidator in project cxf by apache.
the class AbstractXmlEncInHandler method getSymmetricKeyBytes.
// Subclasses can overwrite it and return the bytes, assuming they know the actual key
protected byte[] getSymmetricKeyBytes(Message message, Element encDataElement) {
String cryptoKey = null;
String propKey = null;
if (RSSecurityUtils.isSignedAndEncryptedTwoWay(message)) {
cryptoKey = SecurityConstants.SIGNATURE_CRYPTO;
propKey = SecurityConstants.SIGNATURE_PROPERTIES;
} else {
cryptoKey = SecurityConstants.ENCRYPT_CRYPTO;
propKey = SecurityConstants.ENCRYPT_PROPERTIES;
}
Crypto crypto = null;
try {
crypto = new CryptoLoader().getCrypto(message, cryptoKey, propKey);
} catch (Exception ex) {
throwFault("Crypto can not be loaded", ex);
}
Element encKeyElement = getNode(encDataElement, ENC_NS, "EncryptedKey", 0);
if (encKeyElement == null) {
// TODO: support EncryptedData/ds:KeyInfo - the encrypted key is passed out of band
throwFault("EncryptedKey element is not available", null);
}
X509Certificate cert = loadCertificate(crypto, encKeyElement);
try {
new TrustValidator().validateTrust(crypto, cert, null);
} catch (Exception ex) {
throwFault(ex.getMessage(), ex);
}
// now start decrypting
String keyEncAlgo = getEncodingMethodAlgorithm(encKeyElement);
String digestAlgo = getDigestMethodAlgorithm(encKeyElement);
if (encProps != null) {
if (encProps.getEncryptionKeyTransportAlgo() != null && !encProps.getEncryptionKeyTransportAlgo().equals(keyEncAlgo)) {
throwFault("Key Transport Algorithm is not supported", null);
}
if (encProps.getEncryptionDigestAlgo() != null && (digestAlgo == null || !encProps.getEncryptionDigestAlgo().equals(digestAlgo))) {
throwFault("Digest Algorithm is not supported", null);
}
} else if (!XMLCipher.RSA_OAEP.equals(keyEncAlgo)) {
// RSA OAEP is the required default Key Transport Algorithm
throwFault("Key Transport Algorithm is not supported", null);
}
Element cipherValue = getNode(encKeyElement, ENC_NS, "CipherValue", 0);
if (cipherValue == null) {
throwFault("CipherValue element is not available", null);
}
try {
return decryptSymmetricKey(cipherValue.getTextContent().trim(), cert, crypto, keyEncAlgo, digestAlgo, message);
} catch (Exception ex) {
throwFault(ex.getMessage(), ex);
}
return null;
}
Aggregations