Use of org.apache.cxf.ws.security.sts.provider.model.UseKeyType in the Apache CXF project.
Class RequestParser, method parseKeyRequirements.
/**
 * Parse one child element of a RequestSecurityToken that describes the key and
 * encryption requirements, and record it in {@code keyRequirements}.
 *
 * <p>Values are copied from the request as-is: this method does not validate the
 * requested algorithm URIs, key size or key type. Any restriction the STS wants to
 * apply (algorithm allow-lists, minimum key sizes) has to be enforced by the code
 * that consumes the {@link KeyRequirements}. The two elements that carry key
 * material are delegated: UseKey to {@code parseUseKey}, Entropy to
 * {@code parseEntropy}.
 *
 * @param jaxbElement     an unmarshalled child element of the request
 * @param keyRequirements the requirements object being populated
 * @param messageContext  message context, passed on for UseKey processing
 * @param stsProperties   STS configuration, passed on for Entropy processing
 * @return {@code true} if the element was recognised as a key/encryption element
 *         (RequestType is recognised and deliberately skipped), {@code false} if
 *         it is something else the caller has to handle
 */
private static boolean parseKeyRequirements(JAXBElement<?> jaxbElement, KeyRequirements keyRequirements,
                                            Map<String, Object> messageContext, STSPropertiesMBean stsProperties) {
    if (QNameConstants.AUTHENTICATION_TYPE.equals(jaxbElement.getName())) {
        keyRequirements.setAuthenticationType((String) jaxbElement.getValue());
        return true;
    }
    if (QNameConstants.KEY_TYPE.equals(jaxbElement.getName())) {
        keyRequirements.setKeyType((String) jaxbElement.getValue());
        return true;
    }
    if (QNameConstants.KEY_SIZE.equals(jaxbElement.getName())) {
        keyRequirements.setKeySize(((Long) jaxbElement.getValue()).longValue());
        return true;
    }
    if (QNameConstants.SIGNATURE_ALGORITHM.equals(jaxbElement.getName())) {
        keyRequirements.setSignatureAlgorithm((String) jaxbElement.getValue());
        return true;
    }
    if (QNameConstants.ENCRYPTION_ALGORITHM.equals(jaxbElement.getName())) {
        keyRequirements.setEncryptionAlgorithm((String) jaxbElement.getValue());
        return true;
    }
    if (QNameConstants.C14N_ALGORITHM.equals(jaxbElement.getName())) {
        keyRequirements.setC14nAlgorithm((String) jaxbElement.getValue());
        return true;
    }
    if (QNameConstants.COMPUTED_KEY_ALGORITHM.equals(jaxbElement.getName())) {
        keyRequirements.setComputedKeyAlgorithm((String) jaxbElement.getValue());
        return true;
    }
    if (QNameConstants.KEYWRAP_ALGORITHM.equals(jaxbElement.getName())) {
        keyRequirements.setKeywrapAlgorithm((String) jaxbElement.getValue());
        return true;
    }
    if (QNameConstants.USE_KEY.equals(jaxbElement.getName())) {
        // Only extracts the requester's key/certificate; whether that certificate is
        // trusted is decided elsewhere (governed by the STS "validateUseKey" setting).
        ReceivedKey receivedKey = parseUseKey((UseKeyType) jaxbElement.getValue(), messageContext);
        keyRequirements.setReceivedKey(receivedKey);
        return true;
    }
    if (QNameConstants.ENTROPY.equals(jaxbElement.getName())) {
        Entropy entropy = parseEntropy((EntropyType) jaxbElement.getValue(), stsProperties);
        keyRequirements.setEntropy(entropy);
        return true;
    }
    if (QNameConstants.SIGN_WITH.equals(jaxbElement.getName())) {
        keyRequirements.setSignWith((String) jaxbElement.getValue());
        return true;
    }
    if (QNameConstants.ENCRYPT_WITH.equals(jaxbElement.getName())) {
        keyRequirements.setEncryptWith((String) jaxbElement.getValue());
        return true;
    }
    // RequestType is a known element but carries no key requirement: report it as
    // handled so the caller does not treat it as unknown.
    return QNameConstants.REQUEST_TYPE.equals(jaxbElement.getName());
}
Use of org.apache.cxf.ws.security.sts.provider.model.UseKeyType in the Apache CXF project.
Class RESTSecurityTokenServiceImpl, method issueToken.
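/**
 * Build a WS-Trust Issue request from the REST parameters and hand it to the STS core.
 *
 * <p>Security notes:
 * <ul>
 * <li>When the effective KeyType is PublicKey, the only UseKey ever placed in the
 *     request is the certificate the caller presented on the TLS connection
 *     ({@link #getTLSClientCertificate()}). A REST caller cannot name an arbitrary
 *     public key to bind the token to, which preserves proof-of-possession. If no
 *     client certificate is available the request is forwarded without UseKey and
 *     the STS core is expected to reject the PublicKey request.</li>
 * <li>{@code appliesTo} and the claim URIs are written into DOM text/attribute nodes,
 *     so they are escaped on serialisation; no XML is built by string concatenation.</li>
 * </ul>
 *
 * @param tokenType       requested token type; mapped through {@code tokenTypeMap} when configured
 * @param keyType         requested key type; mapped through {@code DEFAULT_KEY_TYPE_MAP}, falling back
 *                        to {@code defaultKeyType} when null
 * @param requestedClaims claim URIs (or short names mapped through {@code claimTypeMap}); when
 *                        null or empty, {@code defaultClaims} is used instead
 * @param appliesTo       endpoint address for the wsp:AppliesTo element, or null to omit it
 * @return the STS response to the issue request
 */
private RequestSecurityTokenResponseType issueToken(String tokenType, String keyType,
                                                    List<String> requestedClaims, String appliesTo) {
    String tokenTypeToUse = tokenType;
    if (tokenTypeMap != null && tokenTypeMap.containsKey(tokenTypeToUse)) {
        tokenTypeToUse = tokenTypeMap.get(tokenTypeToUse);
    }
    String keyTypeToUse = keyType;
    if (DEFAULT_KEY_TYPE_MAP.containsKey(keyTypeToUse)) {
        keyTypeToUse = DEFAULT_KEY_TYPE_MAP.get(keyTypeToUse);
    }

    ObjectFactory of = new ObjectFactory();
    RequestSecurityTokenType request = of.createRequestSecurityTokenType();
    request.getAny().add(of.createTokenType(tokenTypeToUse));
    request.getAny().add(of.createRequestType("http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"));

    String desiredKeyType = keyTypeToUse != null ? keyTypeToUse : defaultKeyType;
    request.getAny().add(of.createKeyType(desiredKeyType));

    // PublicKey tokens are bound to the TLS client certificate and nothing else
    if (STSConstants.PUBLIC_KEY_KEYTYPE.equals(desiredKeyType)) {
        addTlsClientCertificateAsUseKey(of, request);
    }

    addClaims(of, request, requestedClaims);
    addAppliesTo(request, appliesTo);

    return processRequest(Action.issue, request);
}

/**
 * Add the TLS client certificate as a ds:KeyInfo/ds:X509Data UseKey element.
 * Does nothing when no client certificate is present; if the X509Data cannot be
 * built the failure is logged with its stack trace and the request continues
 * without UseKey (the STS core decides whether that is acceptable).
 */
private void addTlsClientCertificateAsUseKey(ObjectFactory of, RequestSecurityTokenType request) {
    X509Certificate clientCert = getTLSClientCertificate();
    if (clientCert == null) {
        return;
    }
    Document doc = DOMUtils.getEmptyDocument();
    Element keyInfoElement = doc.createElementNS("http://www.w3.org/2000/09/xmldsig#", "KeyInfo");
    try {
        X509Data certElem = new X509Data(doc);
        certElem.addCertificate(clientCert);
        keyInfoElement.appendChild(certElem.getElement());
        UseKeyType useKeyType = of.createUseKeyType();
        useKeyType.setAny(keyInfoElement);
        request.getAny().add(of.createUseKey(useKeyType));
    } catch (XMLSecurityException ex) {
        // Keep the cause: a bare getMessage() hides where the encoding failed
        LOG.log(java.util.logging.Level.WARNING,
                "Unable to add the TLS client certificate as UseKey: " + ex.getMessage(), ex);
    }
}

/**
 * Add a wst:Claims element listing the requested (or default) claim URIs.
 * Short claim names are translated through {@code claimTypeMap} when configured.
 */
private void addClaims(ObjectFactory of, RequestSecurityTokenType request, List<String> requestedClaims) {
    List<String> claimsToRequest =
        (requestedClaims == null || requestedClaims.isEmpty()) ? defaultClaims : requestedClaims;
    if (claimsToRequest == null || claimsToRequest.isEmpty()) {
        return;
    }
    ClaimsType claimsType = of.createClaimsType();
    claimsType.setDialect(CLAIM_TYPE_NS);
    // One document is enough; the claim elements are never attached to it
    Document doc = DOMUtils.createDocument();
    for (String claim : claimsToRequest) {
        String claimUri = (claimTypeMap != null && claimTypeMap.containsKey(claim))
            ? claimTypeMap.get(claim) : claim;
        Element claimElement = doc.createElementNS(CLAIM_TYPE_NS, CLAIM_TYPE);
        // Attribute values are escaped by the serializer, so a caller-supplied URI cannot break the XML
        claimElement.setAttributeNS(null, "Uri", claimUri);
        claimElement.setAttributeNS(null, "Optional", Boolean.toString(requestClaimsOptional));
        claimsType.getAny().add(claimElement);
    }
    request.getAny().add(of.createClaims(claimsType));
}

/**
 * Add a wsp:AppliesTo/wsa:EndpointReference/wsa:Address element for the given
 * address; does nothing when {@code appliesTo} is null.
 */
private void addAppliesTo(RequestSecurityTokenType request, String appliesTo) {
    if (appliesTo == null) {
        return;
    }
    String wspNamespace = "http://www.w3.org/ns/ws-policy";
    String addressingNamespace = "http://www.w3.org/2005/08/addressing";
    Document doc = DOMUtils.createDocument();
    Element appliesToElement = doc.createElementNS(wspNamespace, "AppliesTo");
    Element eprElement = doc.createElementNS(addressingNamespace, "EndpointReference");
    Element addressElement = doc.createElementNS(addressingNamespace, "Address");
    // Text content is escaped on serialisation
    addressElement.setTextContent(appliesTo);
    eprElement.appendChild(addressElement);
    appliesToElement.appendChild(eprElement);
    request.getAny().add(appliesToElement);
}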
Use of org.apache.cxf.ws.security.sts.provider.model.UseKeyType in the Apache CXF project.
Class IssueSamlUnitTest, method createUseKey.
/*
 * Build a UseKey element carrying the X.509 certificate stored under the given
 * alias, the way a requester asks the STS to bind the issued token to its key.
 * Only the certificate (public material) is embedded, as a ds:X509Data.
 */
private UseKeyType createUseKey(Crypto crypto, String alias) throws Exception {
    CryptoType lookup = new CryptoType(CryptoType.TYPE.ALIAS);
    lookup.setAlias(alias);
    X509Certificate[] chain = crypto.getX509Certificates(lookup);

    Document doc = DOMUtils.getEmptyDocument();
    Element x509DataElement = doc.createElementNS(WSS4JConstants.SIG_NS, "ds:X509Data");
    x509DataElement.setAttributeNS(WSS4JConstants.XMLNS_NS, "xmlns:ds", WSS4JConstants.SIG_NS);

    // xs:base64Binary permits whitespace, so the line-wrapping MIME encoder is fine here
    String encodedCert = Base64.getMimeEncoder().encodeToString(chain[0].getEncoded());
    Element x509CertificateElement = doc.createElementNS(WSS4JConstants.SIG_NS, "ds:X509Certificate");
    x509CertificateElement.appendChild(doc.createTextNode(encodedCert));
    x509DataElement.appendChild(x509CertificateElement);

    UseKeyType useKey = new UseKeyType();
    useKey.setAny(x509DataElement);
    return useKey;
}
Use of org.apache.cxf.ws.security.sts.provider.model.UseKeyType in the Apache CXF project.
Class IssueSamlUnitTest, method testUseKey.
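/**
 * Exercises UseKey handling when a PublicKey (holder-of-key) SAML 2.0 token is
 * requested:
 * <ol>
 * <li>a UseKey certificate trusted by the STS crypto ("myclientkey") is accepted
 *     and the issued assertion carries holder-of-key confirmation;</li>
 * <li>a UseKey certificate from an unrelated keystore ("eve") is rejected with an
 *     {@link STSException} under the default configuration;</li>
 * <li>after {@code setValidateUseKey(false)} the same untrusted certificate is
 *     accepted.</li>
 * </ol>
 * Step 3 documents a deliberately weakened configuration: the STS then binds a
 * token to a key whose holder it has not verified. That is only acceptable when
 * the requester is authenticated as the key's owner by other means (for example
 * a TLS client certificate used as the UseKey).
 */
@org.junit.Test
public void testUseKey() throws Exception {
    TokenIssueOperation issueOperation = new TokenIssueOperation();

    // Token provider
    List<TokenProvider> providerList = new ArrayList<>();
    providerList.add(new SAMLTokenProvider());
    issueOperation.setTokenProviders(providerList);

    // Relying-party service the token applies to
    ServiceMBean service = new StaticService();
    service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
    issueOperation.setServices(Collections.singletonList(service));

    // STS configuration; one keystore serves as signature and encryption crypto
    STSPropertiesMBean stsProperties = new StaticSTSProperties();
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    stsProperties.setEncryptionCrypto(crypto);
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setSignatureUsername("mystskey");
    stsProperties.setCallbackHandler(new PasswordCallbackHandler());
    stsProperties.setIssuer("STS");
    issueOperation.setStsProperties(stsProperties);

    // RST: SAML 2.0, PublicKey key type, UseKey = a certificate the STS trusts
    RequestSecurityTokenType request = new RequestSecurityTokenType();
    JAXBElement<String> tokenType = new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class,
                                                            WSS4JConstants.WSS_SAML2_TOKEN_TYPE);
    request.getAny().add(tokenType);
    JAXBElement<String> keyType = new JAXBElement<String>(QNameConstants.KEY_TYPE, String.class,
                                                          STSConstants.PUBLIC_KEY_KEYTYPE);
    request.getAny().add(keyType);
    UseKeyType useKey = createUseKey(crypto, "myclientkey");
    JAXBElement<UseKeyType> useKeyType =
        new JAXBElement<UseKeyType>(QNameConstants.USE_KEY, UseKeyType.class, useKey);
    request.getAny().add(useKeyType);
    request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));

    // Message context with an authenticated principal
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    Principal principal = new CustomTokenPrincipal("alice");
    msgCtx.put(SecurityContext.class.getName(), createSecurityContext(principal));

    // 1. Trusted UseKey: a token is issued
    RequestSecurityTokenResponseCollectionType response = issueOperation.issue(request, principal, msgCtx);
    List<RequestSecurityTokenResponseType> securityTokenResponse = response.getRequestSecurityTokenResponse();
    assertFalse(securityTokenResponse.isEmpty());

    Element assertion = null;
    for (Object tokenObject : securityTokenResponse.get(0).getAny()) {
        if (tokenObject instanceof JAXBElement<?>
            && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>) tokenObject).getName())) {
            RequestedSecurityTokenType rstType =
                (RequestedSecurityTokenType) ((JAXBElement<?>) tokenObject).getValue();
            assertion = (Element) rstType.getAny();
            break;
        }
    }
    // Fail with a clear assertion rather than an NPE inside nodeToString
    assertNotNull(assertion);
    String tokenString = DOM2Writer.nodeToString(assertion);
    assertTrue(tokenString.contains("AttributeStatement"));
    assertTrue(tokenString.contains("alice"));
    assertTrue(tokenString.contains(SAML2Constants.CONF_HOLDER_KEY));

    // 2. Swap in a UseKey certificate from a keystore the STS does not trust
    request.getAny().remove(useKeyType);
    Properties properties = new Properties();
    properties.put("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
    properties.put("org.apache.wss4j.crypto.merlin.keystore.password", "evespass");
    properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "eve.jks");
    useKey = createUseKey(CryptoFactory.getInstance(properties), "eve");
    useKeyType = new JAXBElement<UseKeyType>(QNameConstants.USE_KEY, UseKeyType.class, useKey);
    request.getAny().add(useKeyType);

    try {
        issueOperation.issue(request, principal, msgCtx);
        fail("Failure expected as the UseKey certificate is not trusted");
    } catch (STSException ex) {
        // expected: an untrusted UseKey certificate must not be bound into a token
    }

    // 3. With UseKey validation disabled the untrusted certificate is accepted
    stsProperties.setValidateUseKey(false);
    response = issueOperation.issue(request, principal, msgCtx);
    securityTokenResponse = response.getRequestSecurityTokenResponse();
    assertFalse(securityTokenResponse.isEmpty());
}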
Use of org.apache.cxf.ws.security.sts.provider.model.UseKeyType in the Apache CXF project.
Class IssueSamlUnitTest, method testIssueSaml1PublicKeyToken.
/**
 * Issue a SAML 1.1 token with the PublicKey key type.
 *
 * <p>Without a UseKey element the STS has no key to bind the token to and must
 * refuse with an {@link STSException}; once a trusted UseKey certificate is added
 * the issued assertion uses holder-of-key (not bearer) confirmation.
 */
@org.junit.Test
public void testIssueSaml1PublicKeyToken() throws Exception {
    TokenIssueOperation issueOp = new TokenIssueOperation();

    // Token provider
    List<TokenProvider> providers = new ArrayList<>();
    providers.add(new SAMLTokenProvider());
    issueOp.setTokenProviders(providers);

    // Relying-party service
    ServiceMBean dummyService = new StaticService();
    dummyService.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
    issueOp.setServices(Collections.singletonList(dummyService));

    // STS configuration
    STSPropertiesMBean props = new StaticSTSProperties();
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    props.setEncryptionCrypto(crypto);
    props.setSignatureCrypto(crypto);
    props.setEncryptionUsername("myservicekey");
    props.setSignatureUsername("mystskey");
    props.setCallbackHandler(new PasswordCallbackHandler());
    props.setIssuer("STS");
    issueOp.setStsProperties(props);

    // RST: SAML 1.1 token, PublicKey key type, no UseKey yet
    RequestSecurityTokenType rst = new RequestSecurityTokenType();
    rst.getAny().add(new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class,
                                             WSS4JConstants.WSS_SAML_TOKEN_TYPE));
    rst.getAny().add(new JAXBElement<String>(QNameConstants.KEY_TYPE, String.class,
                                             STSConstants.PUBLIC_KEY_KEYTYPE));
    rst.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));

    // Message context with an authenticated principal
    WrappedMessageContext msgCtx = new WrappedMessageContext(new MessageImpl());
    Principal principal = new CustomTokenPrincipal("alice");
    msgCtx.put(SecurityContext.class.getName(), createSecurityContext(principal));

    // No key material supplied: the PublicKey request must be refused
    try {
        issueOp.issue(rst, principal, msgCtx);
        fail("Failure expected on no certificate");
    } catch (STSException ex) {
        // expected failure on no certificate
    }

    // Supply a trusted UseKey certificate and retry
    UseKeyType useKey = createUseKey(crypto, "myclientkey");
    rst.getAny().add(new JAXBElement<UseKeyType>(QNameConstants.USE_KEY, UseKeyType.class, useKey));
    RequestSecurityTokenResponseCollectionType rstrc = issueOp.issue(rst, principal, msgCtx);
    List<RequestSecurityTokenResponseType> responses = rstrc.getRequestSecurityTokenResponse();
    assertFalse(responses.isEmpty());

    // Locate the RequestedSecurityToken in the first response
    Element assertion = null;
    for (Object child : responses.get(0).getAny()) {
        if (!(child instanceof JAXBElement<?>)) {
            continue;
        }
        JAXBElement<?> element = (JAXBElement<?>) child;
        if (REQUESTED_SECURITY_TOKEN.equals(element.getName())) {
            assertion = (Element) ((RequestedSecurityTokenType) element.getValue()).getAny();
            break;
        }
    }
    assertNotNull(assertion);

    // Holder-of-key confirmation, never bearer, for a PublicKey token
    String serialised = DOM2Writer.nodeToString(assertion);
    assertTrue(serialised.contains("AttributeStatement"));
    assertTrue(serialised.contains("alice"));
    assertFalse(serialised.contains(SAML1Constants.CONF_BEARER));
    assertTrue(serialised.contains(SAML1Constants.CONF_HOLDER_KEY));
}