use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in project cxf by apache.
the class StaxSymmetricBindingHandler method handleBinding.
public void handleBinding() {
AssertionInfoMap aim = getMessage().get(AssertionInfoMap.class);
configureTimestamp(aim);
assertPolicy(sbinding.getName());
String asymSignatureAlgorithm = (String) getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
if (asymSignatureAlgorithm != null && sbinding.getAlgorithmSuite() != null) {
sbinding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
}
String symSignatureAlgorithm = (String) getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
if (symSignatureAlgorithm != null && sbinding.getAlgorithmSuite() != null) {
sbinding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
}
// Set up CallbackHandler which wraps the configured Handler
WSSSecurityProperties properties = getProperties();
try {
TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
properties.setCallbackHandler(callbackHandler);
} catch (TokenStoreException e) {
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
if (sbinding.getProtectionOrder() == AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
doEncryptBeforeSign();
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_BEFORE_SIGNING));
} else {
doSignBeforeEncrypt();
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.SIGN_BEFORE_ENCRYPTING));
}
if (!isRequestor()) {
properties.setEncryptSymmetricEncryptionKey(false);
}
configureLayout(aim);
assertAlgorithmSuite(sbinding.getAlgorithmSuite());
assertWSSProperties(sbinding.getName().getNamespaceURI());
assertTrustProperties(sbinding.getName().getNamespaceURI());
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
if (sbinding.isProtectTokens()) {
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
}
}
use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in project cxf by apache.
the class AsymmetricBindingHandler method doEncryption.
private WSSecBase doEncryption(AbstractTokenWrapper recToken, List<WSEncryptionPart> encrParts, boolean externalRef, SecretKey symmetricKey) {
AbstractToken encrToken = recToken.getToken();
assertPolicy(recToken);
assertPolicy(encrToken);
try {
WSSecEncrypt encr = new WSSecEncrypt(secHeader);
encr.setEncryptionSerializer(new StaxSerializer());
encr.setIdAllocator(wssConfig.getIdAllocator());
encr.setCallbackLookup(callbackLookup);
encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
encr.setStoreBytesInAttachment(storeBytesInAttachment);
encr.setExpandXopInclude(isExpandXopInclude());
encr.setWsDocInfo(wsDocInfo);
Crypto crypto = getEncryptionCrypto();
final SecurityToken securityToken;
try {
securityToken = getSecurityToken();
if (!isRequestor() && securityToken != null && recToken.getToken() instanceof SamlToken) {
String tokenType = securityToken.getTokenType();
if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
encr.setCustomEKTokenId(securityToken.getId());
} else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
encr.setCustomEKTokenId(securityToken.getId());
} else {
setKeyIdentifierType(encr, encrToken);
}
} else {
setKeyIdentifierType(encr, encrToken);
}
} catch (TokenStoreException ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
throw new Fault(ex);
}
//
if (!isRequestor() && securityToken != null && securityToken.getX509Certificate() != null) {
encr.setUseThisCert(securityToken.getX509Certificate());
} else if (!isRequestor() && securityToken != null && securityToken.getKey() instanceof PublicKey) {
encr.setUseThisPublicKey((PublicKey) securityToken.getKey());
encr.setKeyIdentifierType(WSConstants.KEY_VALUE);
} else {
setEncryptionUser(encr, encrToken, false, crypto);
}
if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) {
unassertPolicy(recToken, "Missing security configuration. " + "Make sure jaxws:client element is configured " + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value.");
}
AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
encr.setSymmetricEncAlgorithm(algType.getEncryption());
encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
encr.setMGFAlgorithm(algType.getMGFAlgo());
encr.setDigestAlgorithm(algType.getEncryptionDigest());
encr.prepare(crypto, symmetricKey);
Element encryptedKeyElement = encr.getEncryptedKeyElement();
List<Element> attachments = encr.getAttachmentEncryptedDataElements();
// Encrypt, get hold of the ref list and add it
if (externalRef) {
Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
if (refList != null) {
insertBeforeBottomUp(refList);
}
if (attachments != null) {
for (Element attachment : attachments) {
this.insertBeforeBottomUp(attachment);
}
}
if (refList != null || (attachments != null && !attachments.isEmpty())) {
this.addEncryptedKeyElement(encryptedKeyElement);
}
} else {
Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
if (refList != null || (attachments != null && !attachments.isEmpty())) {
this.addEncryptedKeyElement(encryptedKeyElement);
}
// Add internal refs
if (refList != null) {
encryptedKeyElement.appendChild(refList);
}
if (attachments != null) {
for (Element attachment : attachments) {
this.addEncryptedKeyElement(attachment);
}
}
}
// Put BST before EncryptedKey element
if (encr.getBSTTokenId() != null) {
encr.prependBSTElementToHeader();
}
return encr;
} catch (InvalidCanonicalizerException | WSSecurityException e) {
LOG.log(Level.FINE, e.getMessage(), e);
unassertPolicy(recToken, e);
}
return null;
}
use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in project cxf by apache.
the class AsymmetricBindingHandler method doEncryptBeforeSign.
private void doEncryptBeforeSign() throws TokenStoreException {
AbstractTokenWrapper wrapper = getEncryptBeforeSignWrapper();
AbstractToken encryptionToken = null;
if (wrapper != null) {
encryptionToken = wrapper.getToken();
assertToken(encryptionToken);
}
AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
if (initiatorWrapper == null) {
initiatorWrapper = abinding.getInitiatorToken();
}
assertTokenWrapper(initiatorWrapper);
boolean attached = false;
if (initiatorWrapper != null) {
AbstractToken initiatorToken = initiatorWrapper.getToken();
if (initiatorToken instanceof IssuedToken) {
SecurityToken secToken = getSecurityToken();
if (secToken == null) {
unassertPolicy(initiatorToken, "Security token is not found or expired");
return;
} else if (isTokenRequired(initiatorToken.getIncludeTokenType())) {
Element el = secToken.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
}
} else if (initiatorToken instanceof SamlToken && isRequestor()) {
try {
SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) initiatorToken);
if (assertionWrapper != null && isTokenRequired(initiatorToken.getIncludeTokenType())) {
Element envelope = saaj.getSOAPPart().getEnvelope();
envelope = (Element) DOMUtils.getDomElement(envelope);
addSupportingElement(assertionWrapper.toDOM(envelope.getOwnerDocument()));
storeAssertionAsSecurityToken(assertionWrapper);
}
} catch (Exception e) {
String reason = e.getMessage();
LOG.log(Level.WARNING, "Encrypt before sign failed due to : " + reason);
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
} else if (initiatorToken instanceof SamlToken) {
String tokenId = getSAMLToken();
if (tokenId == null) {
unassertPolicy(initiatorToken, "Security token is not found or expired");
return;
}
}
}
List<WSEncryptionPart> sigParts = new ArrayList<>();
if (timestampEl != null) {
WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
sigParts.add(timestampPart);
}
try {
addSupportingTokens(sigParts);
} catch (WSSecurityException ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
unassertPolicy(encryptionToken, ex);
}
final List<WSEncryptionPart> encrParts;
try {
encrParts = getEncryptedParts();
// Signed parts are determined before encryption because encrypted signed headers
// will not be included otherwise
sigParts.addAll(this.getSignedParts(null));
} catch (SOAPException ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
throw new Fault(ex);
}
WSSecBase encrBase = null;
SecretKey symmetricKey = null;
if (encryptionToken != null && !encrParts.isEmpty()) {
if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
encrBase = doEncryptionDerived(wrapper, encrParts);
} else {
String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
try {
KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
symmetricKey = keyGen.generateKey();
encrBase = doEncryption(wrapper, encrParts, true, symmetricKey);
} catch (WSSecurityException ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
throw new Fault(ex);
}
}
}
if (!isRequestor()) {
addSignatureConfirmation(sigParts);
}
try {
if (!sigParts.isEmpty()) {
if (initiatorWrapper != null && isRequestor()) {
doSignature(initiatorWrapper, sigParts, attached);
} else if (!isRequestor()) {
AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
if (recipientSignatureToken == null) {
recipientSignatureToken = abinding.getRecipientToken();
}
if (recipientSignatureToken != null) {
assertTokenWrapper(recipientSignatureToken);
assertToken(recipientSignatureToken.getToken());
doSignature(recipientSignatureToken, sigParts, attached);
}
}
}
} catch (WSSecurityException | SOAPException | TokenStoreException ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
throw new Fault(ex);
}
if (isRequestor()) {
doEndorse();
}
if (encrBase != null) {
encryptTokensInSecurityHeader(encryptionToken, encrBase, symmetricKey);
encrBase.clean();
}
}
use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in project cxf by apache.
the class AsymmetricBindingHandler method doSignature.
private void doSignature(AbstractTokenWrapper wrapper, List<WSEncryptionPart> sigParts, boolean attached) throws WSSecurityException, SOAPException, TokenStoreException {
if (!isRequestor()) {
assertUnusedTokens(abinding.getInitiatorToken());
assertUnusedTokens(abinding.getInitiatorEncryptionToken());
assertUnusedTokens(abinding.getInitiatorSignatureToken());
} else {
assertUnusedTokens(abinding.getRecipientToken());
assertUnusedTokens(abinding.getRecipientEncryptionToken());
assertUnusedTokens(abinding.getRecipientSignatureToken());
}
AbstractToken sigToken = wrapper.getToken();
if (sigParts.isEmpty()) {
// Add the BST to the security header if required
if (!attached && isTokenRequired(sigToken.getIncludeTokenType())) {
WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
sig.appendBSTElementToHeader();
sig.clean();
}
return;
}
if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
// Set up the encrypted key to use
setupEncryptedKey(sigToken);
WSSecDKSign dkSign = new WSSecDKSign(secHeader);
dkSign.setIdAllocator(wssConfig.getIdAllocator());
dkSign.setCallbackLookup(callbackLookup);
dkSign.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
dkSign.setStoreBytesInAttachment(storeBytesInAttachment);
dkSign.setExpandXopInclude(isExpandXopInclude());
dkSign.setWsDocInfo(wsDocInfo);
if (wrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
}
dkSign.setTokenIdentifier(this.encryptedKeyId);
// Set the algo info
dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
dkSign.setSigCanonicalization(abinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();
dkSign.setDigestAlgorithm(algType.getDigest());
dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
dkSign.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);
boolean includePrefixes = MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);
dkSign.setAddInclusivePrefixes(includePrefixes);
try {
dkSign.prepare(this.encryptedKeyValue);
if (abinding.isProtectTokens()) {
assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
if (bstElement != null) {
WSEncryptionPart bstPart = new WSEncryptionPart(bstElement.getAttributeNS(WSS4JConstants.WSU_NS, "Id"));
bstPart.setElement(bstElement);
sigParts.add(bstPart);
} else {
WSEncryptionPart ekPart = new WSEncryptionPart(encrKey.getId());
ekPart.setElement(encrKey.getEncryptedKeyElement());
sigParts.add(ekPart);
}
}
dkSign.getParts().addAll(sigParts);
List<Reference> referenceList = dkSign.addReferencesToSign(sigParts);
if (!referenceList.isEmpty()) {
// Add elements to header
addDerivedKeyElement(dkSign.getdktElement());
// Do signature
if (bottomUpElement == null) {
dkSign.computeSignature(referenceList, false, null);
} else {
dkSign.computeSignature(referenceList, true, bottomUpElement);
}
bottomUpElement = dkSign.getSignatureElement();
addSig(dkSign.getSignatureValue());
mainSigId = dkSign.getSignatureId();
}
dkSign.clean();
} catch (Exception ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
throw new Fault(ex);
}
} else {
WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
if (abinding.isProtectTokens()) {
assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
if (sig.getCustomTokenId() != null && (sigToken instanceof SamlToken || sigToken instanceof IssuedToken)) {
WSEncryptionPart samlPart = new WSEncryptionPart(sig.getCustomTokenId());
sigParts.add(samlPart);
} else if (sig.getBSTTokenId() != null) {
// This action must occur before sig.prependBSTElementToHeader
WSEncryptionPart bstPart = new WSEncryptionPart(sig.getBSTTokenId());
bstPart.setElement(sig.getBinarySecurityTokenElement());
sigParts.add(bstPart);
sig.prependBSTElementToHeader();
}
}
List<Reference> referenceList = sig.addReferencesToSign(sigParts);
if (!referenceList.isEmpty()) {
// Do signature
if (bottomUpElement == null) {
sig.computeSignature(referenceList, false, null);
} else {
sig.computeSignature(referenceList, true, bottomUpElement);
}
bottomUpElement = sig.getSignatureElement();
if (!abinding.isProtectTokens()) {
Element bstElement = sig.getBinarySecurityTokenElement();
if (bstElement != null) {
secHeader.getSecurityHeaderElement().insertBefore(bstElement, bottomUpElement);
}
}
addSig(sig.getSignatureValue());
mainSigId = sig.getId();
}
sig.clean();
}
}
use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in project cxf by apache.
the class StaxTransportBindingHandler method handleBinding.
public void handleBinding() {
AssertionInfoMap aim = getMessage().get(AssertionInfoMap.class);
configureTimestamp(aim);
if (this.isRequestor()) {
if (tbinding != null) {
assertPolicy(tbinding.getName());
String asymSignatureAlgorithm = (String) getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
if (asymSignatureAlgorithm != null && tbinding.getAlgorithmSuite() != null) {
tbinding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
}
String symSignatureAlgorithm = (String) getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
if (symSignatureAlgorithm != null && tbinding.getAlgorithmSuite() != null) {
tbinding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
}
TransportToken token = tbinding.getTransportToken();
if (token.getToken() instanceof IssuedToken) {
try {
SecurityToken secToken = getSecurityToken();
if (secToken == null) {
unassertPolicy(token.getToken(), "No transport token id");
return;
}
addIssuedToken(token.getToken(), secToken, false, false);
} catch (TokenStoreException e) {
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
}
assertToken(token.getToken());
assertTokenWrapper(token);
}
try {
handleNonEndorsingSupportingTokens(aim);
handleEndorsingSupportingTokens(aim);
} catch (Exception e) {
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
} else {
try {
handleNonEndorsingSupportingTokens(aim);
} catch (Exception e) {
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
if (tbinding != null) {
assertPolicy(tbinding.getName());
if (tbinding.getTransportToken() != null) {
assertTokenWrapper(tbinding.getTransportToken());
assertToken(tbinding.getTransportToken().getToken());
try {
handleEndorsingSupportingTokens(aim);
} catch (Exception e) {
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
}
}
addSignatureConfirmation(null);
}
configureLayout(aim);
if (tbinding != null) {
assertAlgorithmSuite(tbinding.getAlgorithmSuite());
assertWSSProperties(tbinding.getName().getNamespaceURI());
assertTrustProperties(tbinding.getName().getNamespaceURI());
}
assertPolicy(SP12Constants.SIGNED_PARTS);
assertPolicy(SP11Constants.SIGNED_PARTS);
assertPolicy(SP12Constants.ENCRYPTED_PARTS);
assertPolicy(SP11Constants.ENCRYPTED_PARTS);
putCustomTokenAfterSignature();
}
Aggregations