Search in sources :

Example 1 with TrustValidator

use of org.apache.cxf.rs.security.common.TrustValidator in project cxf by apache.

the class AbstractXmlSigInHandler method checkSignature.

protected void checkSignature(Message message) {
    Document doc = getDocument(message);
    if (doc == null) {
        return;
    }
    Element root = doc.getDocumentElement();
    Element signatureElement = getSignatureElement(root);
    if (signatureElement == null) {
        throwFault("XML Signature is not available", null);
    }
    String cryptoKey = null;
    String propKey = null;
    if (RSSecurityUtils.isSignedAndEncryptedTwoWay(message)) {
        cryptoKey = SecurityConstants.ENCRYPT_CRYPTO;
        propKey = SecurityConstants.ENCRYPT_PROPERTIES;
    } else {
        cryptoKey = SecurityConstants.SIGNATURE_CRYPTO;
        propKey = SecurityConstants.SIGNATURE_PROPERTIES;
    }
    Crypto crypto = null;
    try {
        CryptoLoader loader = new CryptoLoader();
        crypto = loader.getCrypto(message, cryptoKey, propKey);
    } catch (Exception ex) {
        throwFault("Crypto can not be loaded", ex);
    }
    boolean valid = false;
    Reference ref = null;
    try {
        XMLSignature signature = new XMLSignature(signatureElement, "", true);
        if (sigProps != null) {
            SignedInfo sInfo = signature.getSignedInfo();
            if (sigProps.getSignatureAlgo() != null && !sigProps.getSignatureAlgo().equals(sInfo.getSignatureMethodURI())) {
                throwFault("Signature Algorithm is not supported", null);
            }
            if (sigProps.getSignatureC14nMethod() != null && !sigProps.getSignatureC14nMethod().equals(sInfo.getCanonicalizationMethodURI())) {
                throwFault("Signature C14n Algorithm is not supported", null);
            }
        }
        ref = getReference(signature);
        Element signedElement = validateReference(root, ref);
        if (signedElement.hasAttributeNS(null, "ID")) {
            signedElement.setIdAttributeNS(null, "ID", true);
        }
        if (signedElement.hasAttributeNS(null, "Id")) {
            signedElement.setIdAttributeNS(null, "Id", true);
        }
        X509Certificate cert = null;
        PublicKey publicKey = null;
        // See also WSS4J SAMLUtil.getCredentialFromKeyInfo
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo != null) {
            cert = keyInfo.getX509Certificate();
            if (cert != null) {
                valid = signature.checkSignatureValue(cert);
            } else {
                publicKey = keyInfo.getPublicKey();
                if (publicKey != null) {
                    valid = signature.checkSignatureValue(publicKey);
                }
            }
        } else if (!keyInfoMustBeAvailable) {
            String user = getUserName(crypto, message);
            cert = RSSecurityUtils.getCertificates(crypto, user)[0];
            publicKey = cert.getPublicKey();
            valid = signature.checkSignatureValue(cert);
        }
        // validate trust
        new TrustValidator().validateTrust(crypto, cert, publicKey, getSubjectContraints(message));
        if (valid && persistSignature) {
            if (signature.getKeyInfo() != null) {
                message.put(SIGNING_CERT, signature.getKeyInfo().getX509Certificate());
            }
            if (signature.getKeyInfo() != null) {
                message.put(SIGNING_PUBLIC_KEY, signature.getKeyInfo().getPublicKey());
            }
            message.setContent(Element.class, signedElement);
        }
    } catch (Exception ex) {
        throwFault("Signature validation failed", ex);
    }
    if (!valid) {
        throwFault("Signature validation failed", null);
    }
    if (removeSignature) {
        if (!isEnveloping(root)) {
            Element signedEl = getSignedElement(root, ref);
            signedEl.removeAttribute("ID");
            root.removeChild(signatureElement);
        } else {
            Element actualBody = getActualBody(root);
            Document newDoc = DOMUtils.createDocument();
            newDoc.adoptNode(actualBody);
            root = actualBody;
        }
    }
    message.setContent(XMLStreamReader.class, new W3CDOMStreamReader(root));
    message.setContent(InputStream.class, null);
}
Also used : TrustValidator(org.apache.cxf.rs.security.common.TrustValidator) Reference(org.apache.xml.security.signature.Reference) PublicKey(java.security.PublicKey) Element(org.w3c.dom.Element) CryptoLoader(org.apache.cxf.rs.security.common.CryptoLoader) Document(org.w3c.dom.Document) PatternSyntaxException(java.util.regex.PatternSyntaxException) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) X509Certificate(java.security.cert.X509Certificate) SignedInfo(org.apache.xml.security.signature.SignedInfo) Crypto(org.apache.wss4j.common.crypto.Crypto) KeyInfo(org.apache.xml.security.keys.KeyInfo) W3CDOMStreamReader(org.apache.cxf.staxutils.W3CDOMStreamReader) XMLSignature(org.apache.xml.security.signature.XMLSignature)

Example 2 with TrustValidator

use of org.apache.cxf.rs.security.common.TrustValidator in project cxf by apache.

the class XmlSecInInterceptor method checkSignatureTrust.

private void checkSignatureTrust(Crypto sigCrypto, Message msg, TokenSecurityEvent<?> event) throws XMLSecurityException {
    SecurityToken token = event.getSecurityToken();
    if (token != null) {
        X509Certificate[] certs = token.getX509Certificates();
        if (certs == null && token.getPublicKey() == null && token instanceof KeyNameSecurityToken) {
            certs = getX509CertificatesForKeyName(sigCrypto, msg, (KeyNameSecurityToken) token);
        }
        PublicKey publicKey = token.getPublicKey();
        X509Certificate cert = null;
        if (certs != null && certs.length > 0) {
            cert = certs[0];
        }
        // validate trust
        try {
            new TrustValidator().validateTrust(sigCrypto, cert, publicKey, getSubjectContraints(msg));
        } catch (WSSecurityException e) {
            String error = "Signature validation failed";
            throw new XMLSecurityException("empty", new Object[] { error });
        }
        if (persistSignature) {
            msg.setContent(X509Certificate.class, cert);
        }
    }
}
Also used : SecurityToken(org.apache.xml.security.stax.securityToken.SecurityToken) KeyNameSecurityToken(org.apache.xml.security.stax.impl.securityToken.KeyNameSecurityToken) TrustValidator(org.apache.cxf.rs.security.common.TrustValidator) PublicKey(java.security.PublicKey) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) KeyNameSecurityToken(org.apache.xml.security.stax.impl.securityToken.KeyNameSecurityToken) X509Certificate(java.security.cert.X509Certificate) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException)

Example 3 with TrustValidator

use of org.apache.cxf.rs.security.common.TrustValidator in project cxf by apache.

the class AbstractXmlEncInHandler method getSymmetricKeyBytes.

// Subclasses can overwrite it and return the bytes, assuming they know the actual key
protected byte[] getSymmetricKeyBytes(Message message, Element encDataElement) {
    String cryptoKey = null;
    String propKey = null;
    if (RSSecurityUtils.isSignedAndEncryptedTwoWay(message)) {
        cryptoKey = SecurityConstants.SIGNATURE_CRYPTO;
        propKey = SecurityConstants.SIGNATURE_PROPERTIES;
    } else {
        cryptoKey = SecurityConstants.ENCRYPT_CRYPTO;
        propKey = SecurityConstants.ENCRYPT_PROPERTIES;
    }
    Crypto crypto = null;
    try {
        crypto = new CryptoLoader().getCrypto(message, cryptoKey, propKey);
    } catch (Exception ex) {
        throwFault("Crypto can not be loaded", ex);
    }
    Element encKeyElement = getNode(encDataElement, ENC_NS, "EncryptedKey", 0);
    if (encKeyElement == null) {
        // TODO: support EncryptedData/ds:KeyInfo - the encrypted key is passed out of band
        throwFault("EncryptedKey element is not available", null);
    }
    X509Certificate cert = loadCertificate(crypto, encKeyElement);
    try {
        new TrustValidator().validateTrust(crypto, cert, null);
    } catch (Exception ex) {
        throwFault(ex.getMessage(), ex);
    }
    // now start decrypting
    String keyEncAlgo = getEncodingMethodAlgorithm(encKeyElement);
    String digestAlgo = getDigestMethodAlgorithm(encKeyElement);
    if (encProps != null) {
        if (encProps.getEncryptionKeyTransportAlgo() != null && !encProps.getEncryptionKeyTransportAlgo().equals(keyEncAlgo)) {
            throwFault("Key Transport Algorithm is not supported", null);
        }
        if (encProps.getEncryptionDigestAlgo() != null && (digestAlgo == null || !encProps.getEncryptionDigestAlgo().equals(digestAlgo))) {
            throwFault("Digest Algorithm is not supported", null);
        }
    } else if (!XMLCipher.RSA_OAEP.equals(keyEncAlgo)) {
        // RSA OAEP is the required default Key Transport Algorithm
        throwFault("Key Transport Algorithm is not supported", null);
    }
    Element cipherValue = getNode(encKeyElement, ENC_NS, "CipherValue", 0);
    if (cipherValue == null) {
        throwFault("CipherValue element is not available", null);
    }
    try {
        return decryptSymmetricKey(cipherValue.getTextContent().trim(), cert, crypto, keyEncAlgo, digestAlgo, message);
    } catch (Exception ex) {
        throwFault(ex.getMessage(), ex);
    }
    return null;
}
Also used : Crypto(org.apache.wss4j.common.crypto.Crypto) TrustValidator(org.apache.cxf.rs.security.common.TrustValidator) CryptoLoader(org.apache.cxf.rs.security.common.CryptoLoader) Element(org.w3c.dom.Element) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) XMLEncryptionException(org.apache.xml.security.encryption.XMLEncryptionException) Base64Exception(org.apache.cxf.common.util.Base64Exception) X509Certificate(java.security.cert.X509Certificate)

Aggregations

X509Certificate (java.security.cert.X509Certificate)3 TrustValidator (org.apache.cxf.rs.security.common.TrustValidator)3 PublicKey (java.security.PublicKey)2 CryptoLoader (org.apache.cxf.rs.security.common.CryptoLoader)2 Crypto (org.apache.wss4j.common.crypto.Crypto)2 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)2 XMLSecurityException (org.apache.xml.security.exceptions.XMLSecurityException)2 Element (org.w3c.dom.Element)2 PatternSyntaxException (java.util.regex.PatternSyntaxException)1 Base64Exception (org.apache.cxf.common.util.Base64Exception)1 W3CDOMStreamReader (org.apache.cxf.staxutils.W3CDOMStreamReader)1 XMLEncryptionException (org.apache.xml.security.encryption.XMLEncryptionException)1 KeyInfo (org.apache.xml.security.keys.KeyInfo)1 Reference (org.apache.xml.security.signature.Reference)1 SignedInfo (org.apache.xml.security.signature.SignedInfo)1 XMLSignature (org.apache.xml.security.signature.XMLSignature)1 KeyNameSecurityToken (org.apache.xml.security.stax.impl.securityToken.KeyNameSecurityToken)1 SecurityToken (org.apache.xml.security.stax.securityToken.SecurityToken)1 Document (org.w3c.dom.Document)1