Search in sources :

Example 61 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project cxf by apache.

the class DefaultSubjectProvider method createKeyInfo.

/**
 * Create and return the KeyInfoBean to be inserted into the SubjectBean
 */
protected KeyInfoBean createKeyInfo(SubjectProviderParameters subjectProviderParameters) {
    TokenProviderParameters providerParameters = subjectProviderParameters.getProviderParameters();
    KeyRequirements keyRequirements = providerParameters.getKeyRequirements();
    STSPropertiesMBean stsProperties = providerParameters.getStsProperties();
    String keyType = keyRequirements.getKeyType();
    if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)) {
        Crypto crypto = stsProperties.getEncryptionCrypto();
        EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
        String encryptionName = encryptionProperties.getEncryptionName();
        if (encryptionName == null) {
            // Fall back on the STS encryption name
            encryptionName = stsProperties.getEncryptionUsername();
        }
        if (encryptionName == null) {
            LOG.fine("No encryption Name is configured for Symmetric KeyType");
            throw new STSException("No Encryption Name is configured", STSException.REQUEST_FAILED);
        }
        final CryptoType cryptoType;
        // Check for using of service endpoint (AppliesTo) as certificate identifier
        if (STSConstants.USE_ENDPOINT_AS_CERT_ALIAS.equals(encryptionName)) {
            if (providerParameters.getAppliesToAddress() == null) {
                throw new STSException("AppliesTo is not initilaized for encryption name " + STSConstants.USE_ENDPOINT_AS_CERT_ALIAS);
            }
            cryptoType = new CryptoType(CryptoType.TYPE.ENDPOINT);
            cryptoType.setEndpoint(providerParameters.getAppliesToAddress());
        } else {
            cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
            cryptoType.setAlias(encryptionName);
        }
        try {
            X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
            if ((certs == null) || (certs.length == 0)) {
                throw new STSException("Encryption certificate is not found for alias: " + encryptionName);
            }
            Document doc = subjectProviderParameters.getDoc();
            byte[] secret = subjectProviderParameters.getSecret();
            return createEncryptedKeyKeyInfo(certs[0], secret, doc, encryptionProperties, crypto);
        } catch (WSSecurityException ex) {
            LOG.log(Level.WARNING, "", ex);
            throw new STSException(ex.getMessage(), ex);
        }
    } else if (STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
        ReceivedCredential receivedCredential = keyRequirements.getReceivedCredential();
        // Validate UseKey trust
        if (stsProperties.isValidateUseKey() && stsProperties.getSignatureCrypto() != null) {
            if (receivedCredential.getX509Cert() != null) {
                try {
                    Collection<Pattern> constraints = Collections.emptyList();
                    stsProperties.getSignatureCrypto().verifyTrust(new X509Certificate[] { receivedCredential.getX509Cert() }, false, constraints, null);
                } catch (WSSecurityException e) {
                    LOG.log(Level.FINE, "Error in trust validation of UseKey: ", e);
                    throw new STSException("Error in trust validation of UseKey", STSException.REQUEST_FAILED);
                }
            }
            if (receivedCredential.getPublicKey() != null) {
                try {
                    stsProperties.getSignatureCrypto().verifyTrust(receivedCredential.getPublicKey());
                } catch (WSSecurityException e) {
                    LOG.log(Level.FINE, "Error in trust validation of UseKey: ", e);
                    throw new STSException("Error in trust validation of UseKey", STSException.REQUEST_FAILED);
                }
            }
        }
        return createPublicKeyKeyInfo(receivedCredential.getX509Cert(), receivedCredential.getPublicKey());
    }
    return null;
}
Also used : STSException(org.apache.cxf.ws.security.sts.provider.STSException) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) CryptoType(org.apache.wss4j.common.crypto.CryptoType) Document(org.w3c.dom.Document) X509Certificate(java.security.cert.X509Certificate) ReceivedCredential(org.apache.cxf.sts.request.ReceivedCredential) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) Collection(java.util.Collection) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)

Example 62 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project cxf by apache.

the class SAMLTokenRenewer method signAssertion.

private void signAssertion(SamlAssertionWrapper assertion, TokenRenewerParameters tokenParameters) throws Exception {
    if (signToken) {
        STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
        String realm = tokenParameters.getRealm();
        RealmProperties samlRealm = null;
        if (realm != null) {
            samlRealm = realmMap.get(realm);
        }
        signToken(assertion, samlRealm, stsProperties, tokenParameters.getKeyRequirements());
    } else {
        if (assertion.getSaml1().getSignature() != null) {
            assertion.getSaml1().setSignature(null);
        } else if (assertion.getSaml2().getSignature() != null) {
            assertion.getSaml2().setSignature(null);
        }
    }
}
Also used : STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) RealmProperties(org.apache.cxf.sts.token.realm.RealmProperties)

Example 63 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project cxf by apache.

the class X509TokenValidator method validateToken.

/**
 * Validate a Token using the given TokenValidatorParameters.
 */
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    LOG.fine("Validating X.509 Token");
    STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
    CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
    // See CXF-4028
    Crypto crypto = stsProperties.getEncryptionCrypto();
    if (crypto == null) {
        crypto = stsProperties.getSignatureCrypto();
    }
    RequestData requestData = new RequestData();
    requestData.setSigVerCrypto(crypto);
    requestData.setWssConfig(WSSConfig.getNewInstance());
    requestData.setCallbackHandler(callbackHandler);
    requestData.setMsgContext(tokenParameters.getMessageContext());
    requestData.setSubjectCertConstraints(certConstraints.getCompiledSubjectContraints());
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    validateTarget.setState(STATE.INVALID);
    response.setToken(validateTarget);
    final BinarySecurity binarySecurity;
    if (validateTarget.isBinarySecurityToken()) {
        BinarySecurityTokenType binarySecurityType = (BinarySecurityTokenType) validateTarget.getToken();
        // Test the encoding type
        String encodingType = binarySecurityType.getEncodingType();
        if (!BASE64_ENCODING.equals(encodingType)) {
            LOG.fine("Bad encoding type attribute specified: " + encodingType);
            return response;
        }
        // 
        // Turn the received JAXB object into a DOM element
        // 
        Document doc = DOMUtils.getEmptyDocument();
        binarySecurity = new X509Security(doc);
        binarySecurity.setEncodingType(encodingType);
        binarySecurity.setValueType(binarySecurityType.getValueType());
        String data = binarySecurityType.getValue();
        Node textNode = doc.createTextNode(data);
        binarySecurity.getElement().appendChild(textNode);
    } else if (validateTarget.isDOMElement()) {
        try {
            Document doc = DOMUtils.getEmptyDocument();
            binarySecurity = new X509Security(doc);
            binarySecurity.setEncodingType(BASE64_ENCODING);
            X509Data x509Data = new X509Data((Element) validateTarget.getToken(), "");
            if (x509Data.containsCertificate()) {
                X509Certificate cert = x509Data.itemCertificate(0).getX509Certificate();
                ((X509Security) binarySecurity).setX509Certificate(cert);
            }
        } catch (XMLSecurityException ex) {
            LOG.log(Level.WARNING, "", ex);
            return response;
        }
    } else {
        return response;
    }
    // 
    try {
        Credential credential = new Credential();
        credential.setBinarySecurityToken(binarySecurity);
        if (crypto != null) {
            X509Certificate cert = ((X509Security) binarySecurity).getX509Certificate(crypto);
            credential.setCertificates(new X509Certificate[] { cert });
        }
        Credential returnedCredential = validator.validate(credential, requestData);
        Principal principal = returnedCredential.getPrincipal();
        if (principal == null) {
            principal = returnedCredential.getCertificates()[0].getSubjectX500Principal();
        }
        response.setPrincipal(principal);
        validateTarget.setState(STATE.VALID);
        LOG.fine("X.509 Token successfully validated");
    } catch (WSSecurityException ex) {
        LOG.log(Level.WARNING, "", ex);
    }
    return response;
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) Credential(org.apache.wss4j.dom.validate.Credential) BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) Node(org.w3c.dom.Node) Element(org.w3c.dom.Element) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Document(org.w3c.dom.Document) X509Data(org.apache.xml.security.keys.content.X509Data) X509Certificate(java.security.cert.X509Certificate) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) RequestData(org.apache.wss4j.dom.handler.RequestData) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) X509Security(org.apache.wss4j.common.token.X509Security) Principal(java.security.Principal)

Example 64 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project ddf by codice.

the class TestPKITokenValidator method testValidateToken.

@Test
public void testValidateToken() {
    BinarySecurityTokenType binarySecurityTokenType = new BinarySecurityTokenType();
    binarySecurityTokenType.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary");
    binarySecurityTokenType.setValueType(PKIAuthenticationToken.PKI_TOKEN_VALUE_TYPE);
    PKIAuthenticationTokenFactory pkiAuthenticationTokenFactory = new PKIAuthenticationTokenFactory();
    pkiAuthenticationTokenFactory.setSignaturePropertiesPath(TestPKITokenValidator.class.getResource("/signature.properties").getPath());
    pkiAuthenticationTokenFactory.init();
    PKIAuthenticationToken pkiAuthenticationToken = pkiAuthenticationTokenFactory.getTokenFromCerts(certificates, "karaf");
    binarySecurityTokenType.setValue(pkiAuthenticationToken.getEncodedCredentials());
    ReceivedToken receivedToken = mock(ReceivedToken.class);
    when(receivedToken.getToken()).thenReturn(binarySecurityTokenType);
    TokenValidatorParameters tokenValidatorParameters = mock(TokenValidatorParameters.class);
    STSPropertiesMBean stsPropertiesMBean = mock(STSPropertiesMBean.class);
    when(stsPropertiesMBean.getSignatureCrypto()).thenReturn(merlin);
    when(tokenValidatorParameters.getStsProperties()).thenReturn(stsPropertiesMBean);
    when(tokenValidatorParameters.getToken()).thenReturn(receivedToken);
    doCallRealMethod().when(receivedToken).setState(any(ReceivedToken.STATE.class));
    doCallRealMethod().when(receivedToken).getState();
    TokenValidatorResponse tokenValidatorResponse = pkiTokenValidator.validateToken(tokenValidatorParameters);
    assertEquals(ReceivedToken.STATE.VALID, tokenValidatorResponse.getToken().getState());
    assertEquals("US", tokenValidatorResponse.getAdditionalProperties().get(SubjectUtils.COUNTRY_CLAIM_URI));
    assertEquals("localhost@example.org", tokenValidatorResponse.getAdditionalProperties().get(SubjectUtils.EMAIL_ADDRESS_CLAIM_URI));
}
Also used : TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) PKIAuthenticationToken(org.codice.ddf.security.handler.api.PKIAuthenticationToken) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) PKIAuthenticationTokenFactory(org.codice.ddf.security.handler.api.PKIAuthenticationTokenFactory) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) Test(org.junit.Test)

Example 65 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project ddf by codice.

the class TestUsernameTokenValidator method testValidateGoodToken.

@Test
public void testValidateGoodToken() {
    UsernameTokenValidator usernameTokenValidator = getUsernameTokenValidator(new XmlParser(), niceValidator);
    usernameTokenValidator.addRealm(null);
    TokenValidatorParameters tokenValidatorParameters = mock(TokenValidatorParameters.class);
    STSPropertiesMBean stsPropertiesMBean = mock(STSPropertiesMBean.class);
    when(stsPropertiesMBean.getSignatureCrypto()).thenReturn(mock(Crypto.class));
    when(tokenValidatorParameters.getStsProperties()).thenReturn(stsPropertiesMBean);
    ReceivedToken receivedToken = mock(ReceivedToken.class);
    doCallRealMethod().when(receivedToken).setState(any(ReceivedToken.STATE.class));
    doCallRealMethod().when(receivedToken).getState();
    when(receivedToken.isUsernameToken()).thenReturn(true);
    when(tokenValidatorParameters.getToken()).thenReturn(receivedToken);
    Set<Class<?>> classes = new HashSet<>();
    classes.add(ObjectFactory.class);
    classes.add(org.apache.cxf.ws.security.sts.provider.model.wstrust14.ObjectFactory.class);
    JAXBContextCache.CachedContextAndSchemas cache = null;
    try {
        cache = JAXBContextCache.getCachedContextAndSchemas(classes, null, null, null, false);
    } catch (JAXBException e) {
        fail(e.getMessage());
    }
    JAXBContext jaxbContext = cache.getContext();
    Unmarshaller unmarshaller = null;
    try {
        if (jaxbContext != null) {
            unmarshaller = jaxbContext.createUnmarshaller();
        }
    } catch (JAXBException e) {
        fail(e.getMessage());
    }
    JAXBElement<?> token = null;
    if (unmarshaller != null) {
        try {
            token = (JAXBElement<?>) unmarshaller.unmarshal(this.getClass().getResourceAsStream("/user.xml"));
        } catch (JAXBException e) {
            fail(e.getMessage());
        }
    }
    when(receivedToken.getToken()).thenReturn(token.getValue());
    TokenValidatorResponse tokenValidatorResponse = usernameTokenValidator.validateToken(tokenValidatorParameters);
    assertEquals(ReceivedToken.STATE.VALID, tokenValidatorResponse.getToken().getState());
    verify(failedLoginDelayer, never()).delay(anyString());
}
Also used : XmlParser(org.codice.ddf.parser.xml.XmlParser) JAXBContextCache(org.apache.cxf.common.jaxb.JAXBContextCache) JAXBException(javax.xml.bind.JAXBException) JAXBContext(javax.xml.bind.JAXBContext) TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) Crypto(org.apache.wss4j.common.crypto.Crypto) JAASUsernameTokenValidator(org.apache.wss4j.dom.validate.JAASUsernameTokenValidator) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) Unmarshaller(javax.xml.bind.Unmarshaller) HashSet(java.util.HashSet) Test(org.junit.Test)

Aggregations

STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)122 Crypto (org.apache.wss4j.common.crypto.Crypto)93 JAXBElement (javax.xml.bind.JAXBElement)86 WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)83 MessageImpl (org.apache.cxf.message.MessageImpl)83 StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)83 RequestSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType)83 RequestSecurityTokenResponseType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)79 PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)75 Element (org.w3c.dom.Element)70 Principal (java.security.Principal)56 ServiceMBean (org.apache.cxf.sts.service.ServiceMBean)54 StaticService (org.apache.cxf.sts.service.StaticService)54 CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)54 SecurityContext (org.apache.cxf.security.SecurityContext)49 RequestSecurityTokenResponseCollectionType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType)49 RequestedSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType)49 SAMLTokenProvider (org.apache.cxf.sts.token.provider.SAMLTokenProvider)43 Document (org.w3c.dom.Document)38 CallbackHandler (javax.security.auth.callback.CallbackHandler)34