Example 1 with ReceivedKey
use of org.apache.cxf.sts.request.ReceivedKey in project cxf by apache.
the class DefaultSubjectProvider method createKeyInfo.
/**
* Create and return the KeyInfoBean to be inserted into the SubjectBean
*/
protected KeyInfoBean createKeyInfo(SubjectProviderParameters subjectProviderParameters) {
TokenProviderParameters providerParameters = subjectProviderParameters.getProviderParameters();
KeyRequirements keyRequirements = providerParameters.getKeyRequirements();
STSPropertiesMBean stsProperties = providerParameters.getStsProperties();
String keyType = keyRequirements.getKeyType();
if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)) {
Crypto crypto = stsProperties.getEncryptionCrypto();
EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
String encryptionName = encryptionProperties.getEncryptionName();
if (encryptionName == null) {
// Fall back on the STS encryption name
encryptionName = stsProperties.getEncryptionUsername();
}
if (encryptionName == null) {
LOG.fine("No encryption Name is configured for Symmetric KeyType");
throw new STSException("No Encryption Name is configured", STSException.REQUEST_FAILED);
}
CryptoType cryptoType = null;
// Check for using of service endpoint (AppliesTo) as certificate identifier
if (STSConstants.USE_ENDPOINT_AS_CERT_ALIAS.equals(encryptionName)) {
if (providerParameters.getAppliesToAddress() == null) {
throw new STSException("AppliesTo is not initilaized for encryption name " + STSConstants.USE_ENDPOINT_AS_CERT_ALIAS);
}
cryptoType = new CryptoType(CryptoType.TYPE.ENDPOINT);
cryptoType.setEndpoint(providerParameters.getAppliesToAddress());
} else {
cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(encryptionName);
}
try {
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
if ((certs == null) || (certs.length == 0)) {
throw new STSException("Encryption certificate is not found for alias: " + encryptionName);
}
Document doc = subjectProviderParameters.getDoc();
byte[] secret = subjectProviderParameters.getSecret();
return createEncryptedKeyKeyInfo(certs[0], secret, doc, encryptionProperties, crypto);
} catch (WSSecurityException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException(ex.getMessage(), ex);
}
} else if (STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
ReceivedKey receivedKey = keyRequirements.getReceivedKey();
// Validate UseKey trust
if (stsProperties.isValidateUseKey() && stsProperties.getSignatureCrypto() != null) {
if (receivedKey.getX509Cert() != null) {
try {
Collection<Pattern> constraints = Collections.emptyList();
stsProperties.getSignatureCrypto().verifyTrust(new X509Certificate[] { receivedKey.getX509Cert() }, false, constraints, null);
} catch (WSSecurityException e) {
LOG.log(Level.FINE, "Error in trust validation of UseKey: ", e);
throw new STSException("Error in trust validation of UseKey", STSException.REQUEST_FAILED);
}
}
if (receivedKey.getPublicKey() != null) {
try {
stsProperties.getSignatureCrypto().verifyTrust(receivedKey.getPublicKey());
} catch (WSSecurityException e) {
LOG.log(Level.FINE, "Error in trust validation of UseKey: ", e);
throw new STSException("Error in trust validation of UseKey", STSException.REQUEST_FAILED);
}
}
}
return createPublicKeyKeyInfo(receivedKey.getX509Cert(), receivedKey.getPublicKey());
}
return null;
}
Also used :
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
CryptoType(org.apache.wss4j.common.crypto.CryptoType)
Document(org.w3c.dom.Document)
X509Certificate(java.security.cert.X509Certificate)
ReceivedKey(org.apache.cxf.sts.request.ReceivedKey)
Crypto(org.apache.wss4j.common.crypto.Crypto)
STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean)
Collection(java.util.Collection)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
Example 2 with ReceivedKey
use of org.apache.cxf.sts.request.ReceivedKey in project cxf by apache.
the class IssueJWTOnbehalfofUnitTest method createProviderParameters.
private TokenProviderParameters createProviderParameters(String tokenType, String keyType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler) throws WSSecurityException {
TokenProviderParameters parameters = new TokenProviderParameters();
TokenRequirements tokenRequirements = new TokenRequirements();
tokenRequirements.setTokenType(tokenType);
parameters.setTokenRequirements(tokenRequirements);
KeyRequirements keyRequirements = new KeyRequirements();
keyRequirements.setKeyType(keyType);
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias("myclientkey");
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
ReceivedKey receivedKey = new ReceivedKey();
receivedKey.setX509Cert(certs[0]);
keyRequirements.setReceivedKey(receivedKey);
parameters.setKeyRequirements(keyRequirements);
parameters.setPrincipal(new CustomTokenPrincipal("alice"));
// Mock up message context
MessageImpl msg = new MessageImpl();
WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
parameters.setMessageContext(msgCtx);
parameters.setAppliesToAddress("http://dummy-service.com/dummy");
// Add STSProperties object
StaticSTSProperties stsProperties = new StaticSTSProperties();
stsProperties.setSignatureCrypto(crypto);
stsProperties.setSignatureUsername(signatureUsername);
stsProperties.setCallbackHandler(callbackHandler);
stsProperties.setIssuer("STS");
stsProperties.setEncryptionUsername("myservicekey");
stsProperties.setEncryptionCrypto(crypto);
parameters.setStsProperties(stsProperties);
parameters.setEncryptionProperties(new EncryptionProperties());
return parameters;
}
Also used :
CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
CryptoType(org.apache.wss4j.common.crypto.CryptoType)
StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties)
MessageImpl(org.apache.cxf.message.MessageImpl)
X509Certificate(java.security.cert.X509Certificate)
ReceivedKey(org.apache.cxf.sts.request.ReceivedKey)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
Example 3 with ReceivedKey
use of org.apache.cxf.sts.request.ReceivedKey in project cxf by apache.
the class SAMLProviderKeyTypeTest method testDefaultSaml1PublicKeyAssertion.
/**
* Create a default Saml1 PublicKey Assertion.
*/
@org.junit.Test
public void testDefaultSaml1PublicKeyAssertion() throws Exception {
TokenProvider samlTokenProvider = new SAMLTokenProvider();
TokenProviderParameters providerParameters = createProviderParameters(WSS4JConstants.SAML_NS, STSConstants.PUBLIC_KEY_KEYTYPE);
assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.SAML_NS));
try {
samlTokenProvider.createToken(providerParameters);
fail("Failure expected on no certificate");
} catch (STSException ex) {
// expected as no certificate is provided
}
// Now get a certificate and set it on the key requirements of the provider parameter
Crypto crypto = providerParameters.getStsProperties().getEncryptionCrypto();
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias("myclientkey");
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
ReceivedKey receivedKey = new ReceivedKey();
receivedKey.setX509Cert(certs[0]);
providerParameters.getKeyRequirements().setReceivedKey(receivedKey);
TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
Element token = (Element) providerResponse.getToken();
String tokenString = DOM2Writer.nodeToString(token);
assertTrue(tokenString.contains(providerResponse.getTokenId()));
assertTrue(tokenString.contains("AttributeStatement"));
assertFalse(tokenString.contains("AuthenticationStatement"));
assertTrue(tokenString.contains("alice"));
assertTrue(tokenString.contains(SAML1Constants.CONF_HOLDER_KEY));
assertFalse(tokenString.contains(SAML1Constants.CONF_BEARER));
}
Also used :
Crypto(org.apache.wss4j.common.crypto.Crypto)
Element(org.w3c.dom.Element)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
CryptoType(org.apache.wss4j.common.crypto.CryptoType)
X509Certificate(java.security.cert.X509Certificate)
ReceivedKey(org.apache.cxf.sts.request.ReceivedKey)
Example 4 with ReceivedKey
use of org.apache.cxf.sts.request.ReceivedKey in project cxf by apache.
the class SAMLProviderKeyTypeTest method testDefaultSaml2PublicKeyAssertion.
/**
* Create a default Saml2 PublicKey Assertion.
*/
@org.junit.Test
public void testDefaultSaml2PublicKeyAssertion() throws Exception {
TokenProvider samlTokenProvider = new SAMLTokenProvider();
TokenProviderParameters providerParameters = createProviderParameters(WSS4JConstants.SAML2_NS, STSConstants.PUBLIC_KEY_KEYTYPE);
assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.SAML2_NS));
try {
samlTokenProvider.createToken(providerParameters);
fail("Failure expected on no certificate");
} catch (STSException ex) {
// expected as no certificate is provided
}
// Now get a certificate and set it on the key requirements of the provider parameter
Crypto crypto = providerParameters.getStsProperties().getEncryptionCrypto();
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias("myclientkey");
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
ReceivedKey receivedKey = new ReceivedKey();
receivedKey.setX509Cert(certs[0]);
providerParameters.getKeyRequirements().setReceivedKey(receivedKey);
TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
Element token = (Element) providerResponse.getToken();
String tokenString = DOM2Writer.nodeToString(token);
assertTrue(tokenString.contains(providerResponse.getTokenId()));
assertTrue(tokenString.contains("AttributeStatement"));
assertFalse(tokenString.contains("AuthenticationStatement"));
assertTrue(tokenString.contains("alice"));
assertTrue(tokenString.contains(SAML2Constants.CONF_HOLDER_KEY));
assertFalse(tokenString.contains(SAML2Constants.CONF_BEARER));
}
Also used :
Crypto(org.apache.wss4j.common.crypto.Crypto)
Element(org.w3c.dom.Element)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
CryptoType(org.apache.wss4j.common.crypto.CryptoType)
X509Certificate(java.security.cert.X509Certificate)
ReceivedKey(org.apache.cxf.sts.request.ReceivedKey)
Example 5 with ReceivedKey
use of org.apache.cxf.sts.request.ReceivedKey in project cxf by apache.
the class SAMLTokenRenewerPOPTest method createProviderParameters.
private TokenProviderParameters createProviderParameters(String tokenType, String keyType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler) throws WSSecurityException {
TokenProviderParameters parameters = new TokenProviderParameters();
TokenRequirements tokenRequirements = new TokenRequirements();
tokenRequirements.setTokenType(tokenType);
parameters.setTokenRequirements(tokenRequirements);
KeyRequirements keyRequirements = new KeyRequirements();
keyRequirements.setKeyType(keyType);
ReceivedKey receivedKey = new ReceivedKey();
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias("myclientkey");
receivedKey.setX509Cert(crypto.getX509Certificates(cryptoType)[0]);
keyRequirements.setReceivedKey(receivedKey);
parameters.setKeyRequirements(keyRequirements);
parameters.setPrincipal(new CustomTokenPrincipal("alice"));
// Mock up message context
MessageImpl msg = new MessageImpl();
WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
parameters.setMessageContext(msgCtx);
parameters.setAppliesToAddress("http://dummy-service.com/dummy");
// Add STSProperties object
StaticSTSProperties stsProperties = new StaticSTSProperties();
stsProperties.setSignatureCrypto(crypto);
stsProperties.setSignatureUsername(signatureUsername);
stsProperties.setCallbackHandler(callbackHandler);
stsProperties.setIssuer("STS");
parameters.setStsProperties(stsProperties);
parameters.setEncryptionProperties(new EncryptionProperties());
parameters.setTokenStore(tokenStore);
return parameters;
}
Also used :
CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
CryptoType(org.apache.wss4j.common.crypto.CryptoType)
StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties)
MessageImpl(org.apache.cxf.message.MessageImpl)
ReceivedKey(org.apache.cxf.sts.request.ReceivedKey)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
Aggregations
ReceivedKey (org.apache.cxf.sts.request.ReceivedKey)7
X509Certificate (java.security.cert.X509Certificate)6
CryptoType (org.apache.wss4j.common.crypto.CryptoType)6
KeyRequirements (org.apache.cxf.sts.request.KeyRequirements)4
EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties)4
WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)3
MessageImpl (org.apache.cxf.message.MessageImpl)3
StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)3
TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)3
TokenProviderParameters (org.apache.cxf.sts.token.provider.TokenProviderParameters)3
STSException (org.apache.cxf.ws.security.sts.provider.STSException)3
Crypto (org.apache.wss4j.common.crypto.Crypto)3
CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)3
Element (org.w3c.dom.Element)2
Collection (java.util.Collection)1
STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)1
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)1
AMSTSRuntimeException (org.forgerock.openam.sts.AMSTSRuntimeException)1
TokenMarshalException (org.forgerock.openam.sts.TokenMarshalException)1
Document (org.w3c.dom.Document)1
