Search in sources :

Example 1 with ReceivedCredential

use of org.apache.cxf.sts.request.ReceivedCredential in project cxf by apache.

the class IssueJWTOnbehalfofUnitTest method createProviderParameters.

private TokenProviderParameters createProviderParameters(String tokenType, String keyType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler) throws WSSecurityException {
    TokenProviderParameters parameters = new TokenProviderParameters();
    TokenRequirements tokenRequirements = new TokenRequirements();
    tokenRequirements.setTokenType(tokenType);
    parameters.setTokenRequirements(tokenRequirements);
    KeyRequirements keyRequirements = new KeyRequirements();
    keyRequirements.setKeyType(keyType);
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("myclientkey");
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    ReceivedCredential receivedCredential = new ReceivedCredential();
    receivedCredential.setX509Cert(certs[0]);
    keyRequirements.setReceivedCredential(receivedCredential);
    parameters.setKeyRequirements(keyRequirements);
    parameters.setPrincipal(new CustomTokenPrincipal("alice"));
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    parameters.setMessageContext(msgCtx);
    parameters.setAppliesToAddress("http://dummy-service.com/dummy");
    // Add STSProperties object
    StaticSTSProperties stsProperties = new StaticSTSProperties();
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setSignatureUsername(signatureUsername);
    stsProperties.setCallbackHandler(callbackHandler);
    stsProperties.setIssuer("STS");
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setEncryptionCrypto(crypto);
    parameters.setStsProperties(stsProperties);
    parameters.setEncryptionProperties(new EncryptionProperties());
    return parameters;
}
Also used : CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) CryptoType(org.apache.wss4j.common.crypto.CryptoType) StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties) MessageImpl(org.apache.cxf.message.MessageImpl) X509Certificate(java.security.cert.X509Certificate) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters) ReceivedCredential(org.apache.cxf.sts.request.ReceivedCredential)

Example 2 with ReceivedCredential

use of org.apache.cxf.sts.request.ReceivedCredential in project cxf by apache.

the class DefaultSubjectProvider method createKeyInfo.

/**
 * Create and return the KeyInfoBean to be inserted into the SubjectBean
 */
protected KeyInfoBean createKeyInfo(SubjectProviderParameters subjectProviderParameters) {
    TokenProviderParameters providerParameters = subjectProviderParameters.getProviderParameters();
    KeyRequirements keyRequirements = providerParameters.getKeyRequirements();
    STSPropertiesMBean stsProperties = providerParameters.getStsProperties();
    String keyType = keyRequirements.getKeyType();
    if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)) {
        Crypto crypto = stsProperties.getEncryptionCrypto();
        EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
        String encryptionName = encryptionProperties.getEncryptionName();
        if (encryptionName == null) {
            // Fall back on the STS encryption name
            encryptionName = stsProperties.getEncryptionUsername();
        }
        if (encryptionName == null) {
            LOG.fine("No encryption Name is configured for Symmetric KeyType");
            throw new STSException("No Encryption Name is configured", STSException.REQUEST_FAILED);
        }
        final CryptoType cryptoType;
        // Check for using of service endpoint (AppliesTo) as certificate identifier
        if (STSConstants.USE_ENDPOINT_AS_CERT_ALIAS.equals(encryptionName)) {
            if (providerParameters.getAppliesToAddress() == null) {
                throw new STSException("AppliesTo is not initilaized for encryption name " + STSConstants.USE_ENDPOINT_AS_CERT_ALIAS);
            }
            cryptoType = new CryptoType(CryptoType.TYPE.ENDPOINT);
            cryptoType.setEndpoint(providerParameters.getAppliesToAddress());
        } else {
            cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
            cryptoType.setAlias(encryptionName);
        }
        try {
            X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
            if ((certs == null) || (certs.length == 0)) {
                throw new STSException("Encryption certificate is not found for alias: " + encryptionName);
            }
            Document doc = subjectProviderParameters.getDoc();
            byte[] secret = subjectProviderParameters.getSecret();
            return createEncryptedKeyKeyInfo(certs[0], secret, doc, encryptionProperties, crypto);
        } catch (WSSecurityException ex) {
            LOG.log(Level.WARNING, "", ex);
            throw new STSException(ex.getMessage(), ex);
        }
    } else if (STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
        ReceivedCredential receivedCredential = keyRequirements.getReceivedCredential();
        // Validate UseKey trust
        if (stsProperties.isValidateUseKey() && stsProperties.getSignatureCrypto() != null) {
            if (receivedCredential.getX509Cert() != null) {
                try {
                    Collection<Pattern> constraints = Collections.emptyList();
                    stsProperties.getSignatureCrypto().verifyTrust(new X509Certificate[] { receivedCredential.getX509Cert() }, false, constraints, null);
                } catch (WSSecurityException e) {
                    LOG.log(Level.FINE, "Error in trust validation of UseKey: ", e);
                    throw new STSException("Error in trust validation of UseKey", STSException.REQUEST_FAILED);
                }
            }
            if (receivedCredential.getPublicKey() != null) {
                try {
                    stsProperties.getSignatureCrypto().verifyTrust(receivedCredential.getPublicKey());
                } catch (WSSecurityException e) {
                    LOG.log(Level.FINE, "Error in trust validation of UseKey: ", e);
                    throw new STSException("Error in trust validation of UseKey", STSException.REQUEST_FAILED);
                }
            }
        }
        return createPublicKeyKeyInfo(receivedCredential.getX509Cert(), receivedCredential.getPublicKey());
    }
    return null;
}
Also used : STSException(org.apache.cxf.ws.security.sts.provider.STSException) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) CryptoType(org.apache.wss4j.common.crypto.CryptoType) Document(org.w3c.dom.Document) X509Certificate(java.security.cert.X509Certificate) ReceivedCredential(org.apache.cxf.sts.request.ReceivedCredential) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) Collection(java.util.Collection) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)

Example 3 with ReceivedCredential

use of org.apache.cxf.sts.request.ReceivedCredential in project cxf by apache.

the class SAMLTokenRenewerPOPTest method createProviderParameters.

private TokenProviderParameters createProviderParameters(String tokenType, String keyType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler) throws WSSecurityException {
    TokenProviderParameters parameters = new TokenProviderParameters();
    TokenRequirements tokenRequirements = new TokenRequirements();
    tokenRequirements.setTokenType(tokenType);
    parameters.setTokenRequirements(tokenRequirements);
    KeyRequirements keyRequirements = new KeyRequirements();
    keyRequirements.setKeyType(keyType);
    ReceivedCredential receivedCredential = new ReceivedCredential();
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("myclientkey");
    receivedCredential.setX509Cert(crypto.getX509Certificates(cryptoType)[0]);
    keyRequirements.setReceivedCredential(receivedCredential);
    parameters.setKeyRequirements(keyRequirements);
    parameters.setPrincipal(new CustomTokenPrincipal("alice"));
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    parameters.setMessageContext(msgCtx);
    parameters.setAppliesToAddress("http://dummy-service.com/dummy");
    // Add STSProperties object
    StaticSTSProperties stsProperties = new StaticSTSProperties();
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setSignatureUsername(signatureUsername);
    stsProperties.setCallbackHandler(callbackHandler);
    stsProperties.setIssuer("STS");
    parameters.setStsProperties(stsProperties);
    parameters.setEncryptionProperties(new EncryptionProperties());
    parameters.setTokenStore(tokenStore);
    return parameters;
}
Also used : CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) CryptoType(org.apache.wss4j.common.crypto.CryptoType) StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties) MessageImpl(org.apache.cxf.message.MessageImpl) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters) ReceivedCredential(org.apache.cxf.sts.request.ReceivedCredential)

Example 4 with ReceivedCredential

use of org.apache.cxf.sts.request.ReceivedCredential in project cxf by apache.

the class SAMLProviderKeyTypeTest method testDefaultSaml1PublicKeyAssertion.

/**
 * Create a default Saml1 PublicKey Assertion.
 */
@org.junit.Test
public void testDefaultSaml1PublicKeyAssertion() throws Exception {
    TokenProvider samlTokenProvider = new SAMLTokenProvider();
    TokenProviderParameters providerParameters = createProviderParameters(WSS4JConstants.SAML_NS, STSConstants.PUBLIC_KEY_KEYTYPE);
    assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.SAML_NS));
    try {
        samlTokenProvider.createToken(providerParameters);
        fail("Failure expected on no certificate");
    } catch (STSException ex) {
    // expected as no certificate is provided
    }
    // Now get a certificate and set it on the key requirements of the provider parameter
    Crypto crypto = providerParameters.getStsProperties().getEncryptionCrypto();
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("myclientkey");
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    ReceivedCredential receivedCredential = new ReceivedCredential();
    receivedCredential.setX509Cert(certs[0]);
    providerParameters.getKeyRequirements().setReceivedCredential(receivedCredential);
    TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
    Element token = (Element) providerResponse.getToken();
    String tokenString = DOM2Writer.nodeToString(token);
    assertTrue(tokenString.contains(providerResponse.getTokenId()));
    assertTrue(tokenString.contains("AttributeStatement"));
    assertFalse(tokenString.contains("AuthenticationStatement"));
    assertTrue(tokenString.contains("alice"));
    assertTrue(tokenString.contains(SAML1Constants.CONF_HOLDER_KEY));
    assertFalse(tokenString.contains(SAML1Constants.CONF_BEARER));
}
Also used : Crypto(org.apache.wss4j.common.crypto.Crypto) Element(org.w3c.dom.Element) STSException(org.apache.cxf.ws.security.sts.provider.STSException) CryptoType(org.apache.wss4j.common.crypto.CryptoType) X509Certificate(java.security.cert.X509Certificate) ReceivedCredential(org.apache.cxf.sts.request.ReceivedCredential)

Example 5 with ReceivedCredential

use of org.apache.cxf.sts.request.ReceivedCredential in project cxf by apache.

the class SAMLProviderKeyTypeTest method testDefaultSaml2PublicKeyAssertion.

/**
 * Create a default Saml2 PublicKey Assertion.
 */
@org.junit.Test
public void testDefaultSaml2PublicKeyAssertion() throws Exception {
    TokenProvider samlTokenProvider = new SAMLTokenProvider();
    TokenProviderParameters providerParameters = createProviderParameters(WSS4JConstants.SAML2_NS, STSConstants.PUBLIC_KEY_KEYTYPE);
    assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.SAML2_NS));
    try {
        samlTokenProvider.createToken(providerParameters);
        fail("Failure expected on no certificate");
    } catch (STSException ex) {
    // expected as no certificate is provided
    }
    // Now get a certificate and set it on the key requirements of the provider parameter
    Crypto crypto = providerParameters.getStsProperties().getEncryptionCrypto();
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("myclientkey");
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    ReceivedCredential receivedCredential = new ReceivedCredential();
    receivedCredential.setX509Cert(certs[0]);
    providerParameters.getKeyRequirements().setReceivedCredential(receivedCredential);
    TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
    Element token = (Element) providerResponse.getToken();
    String tokenString = DOM2Writer.nodeToString(token);
    assertTrue(tokenString.contains(providerResponse.getTokenId()));
    assertTrue(tokenString.contains("AttributeStatement"));
    assertFalse(tokenString.contains("AuthenticationStatement"));
    assertTrue(tokenString.contains("alice"));
    assertTrue(tokenString.contains(SAML2Constants.CONF_HOLDER_KEY));
    assertFalse(tokenString.contains(SAML2Constants.CONF_BEARER));
}
Also used : Crypto(org.apache.wss4j.common.crypto.Crypto) Element(org.w3c.dom.Element) STSException(org.apache.cxf.ws.security.sts.provider.STSException) CryptoType(org.apache.wss4j.common.crypto.CryptoType) X509Certificate(java.security.cert.X509Certificate) ReceivedCredential(org.apache.cxf.sts.request.ReceivedCredential)

Aggregations

ReceivedCredential (org.apache.cxf.sts.request.ReceivedCredential)6 CryptoType (org.apache.wss4j.common.crypto.CryptoType)6 X509Certificate (java.security.cert.X509Certificate)5 KeyRequirements (org.apache.cxf.sts.request.KeyRequirements)4 EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties)4 WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)3 MessageImpl (org.apache.cxf.message.MessageImpl)3 StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)3 TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)3 TokenProviderParameters (org.apache.cxf.sts.token.provider.TokenProviderParameters)3 STSException (org.apache.cxf.ws.security.sts.provider.STSException)3 Crypto (org.apache.wss4j.common.crypto.Crypto)3 CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)3 Element (org.w3c.dom.Element)2 Collection (java.util.Collection)1 STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)1 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)1 Document (org.w3c.dom.Document)1