
Example 11 with StaxSerializer

Use of org.apache.cxf.ws.security.wss4j.StaxSerializer in the project cxf by apache.

From the class AsymmetricBindingHandler, method doEncryption.

/**
 * Builds and applies the asymmetric (EncryptedKey based) encryption of the given message parts.
 *
 * <p>A {@link WSSecEncrypt} is configured from this handler's state and the binding's
 * algorithm suite. The way the EncryptedKey refers to the encrypting key is chosen first:
 * on the responder side, a stored SAML token is referenced through a custom key identifier;
 * otherwise {@code setKeyIdentifierType} decides from the policy token. The key to encrypt
 * with is a stored token's certificate or public key when available, else the configured
 * encryption user. After {@code prepare}, the parts are encrypted; with {@code externalRef}
 * the ReferenceList and attachment EncryptedData elements go into the security header on
 * their own, otherwise the ReferenceList becomes a child of the EncryptedKey element.
 *
 * @param recToken     policy wrapper of the recipient token; its policy is asserted up front
 *                     and un-asserted if encryption fails or no key material is configured
 * @param encrParts    the message parts to encrypt
 * @param externalRef  whether the ReferenceList is emitted outside the EncryptedKey
 * @param symmetricKey the symmetric key wrapped in the EncryptedKey and used for the data
 * @return the configured encryptor, or {@code null} when encryption failed (the failure is
 *         logged at FINE and the policy is un-asserted)
 * @throws Fault if the security token store cannot be read
 */
private WSSecBase doEncryption(AbstractTokenWrapper recToken, List<WSEncryptionPart> encrParts, boolean externalRef, SecretKey symmetricKey) {
    AbstractToken encrToken = recToken.getToken();
    assertPolicy(recToken);
    assertPolicy(encrToken);
    try {
        WSSecEncrypt encryptor = new WSSecEncrypt(secHeader);
        encryptor.setEncryptionSerializer(new StaxSerializer());
        encryptor.setIdAllocator(wssConfig.getIdAllocator());
        encryptor.setCallbackLookup(callbackLookup);
        encryptor.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
        encryptor.setStoreBytesInAttachment(storeBytesInAttachment);
        encryptor.setExpandXopInclude(isExpandXopInclude());
        encryptor.setWsDocInfo(wsDocInfo);
        Crypto crypto = getEncryptionCrypto();

        // Step 1: decide how the EncryptedKey references the encrypting key.
        final SecurityToken storedToken;
        try {
            storedToken = getSecurityToken();
            boolean storedSamlToken = !isRequestor() && storedToken != null && recToken.getToken() instanceof SamlToken;
            if (!storedSamlToken) {
                setKeyIdentifierType(encryptor, encrToken);
            } else {
                // Map the stored token's type to the matching SAML key-identifier value type.
                String tokenType = storedToken.getTokenType();
                String samlValueType = null;
                if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
                    samlValueType = WSS4JConstants.WSS_SAML_KI_VALUE_TYPE;
                } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
                    samlValueType = WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE;
                }
                if (samlValueType == null) {
                    // Unknown token type: fall back to the policy-driven key identifier.
                    setKeyIdentifierType(encryptor, encrToken);
                } else {
                    encryptor.setCustomEKTokenValueType(samlValueType);
                    encryptor.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                    encryptor.setCustomEKTokenId(storedToken.getId());
                }
            }
        } catch (TokenStoreException ex) {
            LOG.log(Level.FINE, ex.getMessage(), ex);
            throw new Fault(ex);
        }

        // Step 2: pick the key material to encrypt with. A stored token's certificate wins,
        // then its public key (referenced by KeyValue), else the configured encryption user.
        if (isRequestor() || storedToken == null) {
            setEncryptionUser(encryptor, encrToken, false, crypto);
        } else if (storedToken.getX509Certificate() != null) {
            encryptor.setUseThisCert(storedToken.getX509Certificate());
        } else if (storedToken.getKey() instanceof PublicKey) {
            encryptor.setUseThisPublicKey((PublicKey) storedToken.getKey());
            encryptor.setKeyIdentifierType(WSConstants.KEY_VALUE);
        } else {
            setEncryptionUser(encryptor, encrToken, false, crypto);
        }
        if (!encryptor.isCertSet() && encryptor.getUseThisPublicKey() == null && crypto == null) {
            // Nothing to encrypt with at all: report the missing configuration on the policy.
            unassertPolicy(recToken, "Missing security configuration. Make sure jaxws:client element is configured with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value.");
        }

        // Step 3: algorithms from the binding's algorithm suite, then build the EncryptedKey.
        AlgorithmSuiteType suiteType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();
        encryptor.setSymmetricEncAlgorithm(suiteType.getEncryption());
        encryptor.setKeyEncAlgo(suiteType.getAsymmetricKeyWrap());
        encryptor.setMGFAlgorithm(suiteType.getMGFAlgo());
        encryptor.setDigestAlgorithm(suiteType.getEncryptionDigest());
        encryptor.prepare(crypto, symmetricKey);
        Element encryptedKeyElement = encryptor.getEncryptedKeyElement();
        List<Element> attachmentData = encryptor.getAttachmentEncryptedDataElements();

        // Step 4: encrypt the parts and place the ReferenceList and EncryptedKey in the header.
        Element referenceList = encryptor.encryptForRef(null, encrParts, symmetricKey);
        boolean anythingEncrypted = referenceList != null || (attachmentData != null && !attachmentData.isEmpty());
        if (externalRef) {
            // External reference: the ReferenceList and attachment data stand on their own.
            if (referenceList != null) {
                insertBeforeBottomUp(referenceList);
            }
            if (attachmentData != null) {
                for (Element attachment : attachmentData) {
                    insertBeforeBottomUp(attachment);
                }
            }
            if (anythingEncrypted) {
                addEncryptedKeyElement(encryptedKeyElement);
            }
        } else {
            // Internal reference: the ReferenceList is a child of the EncryptedKey.
            if (anythingEncrypted) {
                addEncryptedKeyElement(encryptedKeyElement);
            }
            if (referenceList != null) {
                encryptedKeyElement.appendChild(referenceList);
            }
            if (attachmentData != null) {
                for (Element attachment : attachmentData) {
                    addEncryptedKeyElement(attachment);
                }
            }
        }

        // The BinarySecurityToken, if one was created, must precede the EncryptedKey.
        if (encryptor.getBSTTokenId() != null) {
            encryptor.prependBSTElementToHeader();
        }
        return encryptor;
    } catch (InvalidCanonicalizerException | WSSecurityException e) {
        // Only the message is logged at FINE; the policy assertion carries the failure.
        LOG.log(Level.FINE, e.getMessage(), e);
        unassertPolicy(recToken, e);
    }
    return null;
}

Example 12 with StaxSerializer

Use of org.apache.cxf.ws.security.wss4j.StaxSerializer in the project cxf by apache.

From the class AsymmetricBindingHandler, method doEncryptionDerived.

/**
 * Encrypts the given parts with a key derived from this handler's EncryptedKey.
 *
 * <p>The EncryptedKey is created on first use ({@code setupEncryptedKey}) and referenced
 * by id from the derived-key token, which is added to the security header before the
 * parts are encrypted into an external ReferenceList.
 *
 * @param recToken  policy wrapper of the recipient token; its policy is asserted up front
 *                  and un-asserted on failure
 * @param encrParts the message parts to encrypt
 * @return the configured derived-key encryptor, or {@code null} when any step failed (the
 *         failure is logged at FINE and the policy is un-asserted)
 */
private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken, List<WSEncryptionPart> encrParts) {
    AbstractToken encrToken = recToken.getToken();
    assertPolicy(recToken);
    assertPolicy(encrToken);
    try {
        WSSecDKEncrypt derivedEncryptor = new WSSecDKEncrypt(secHeader);
        derivedEncryptor.setEncryptionSerializer(new StaxSerializer());
        derivedEncryptor.setIdAllocator(wssConfig.getIdAllocator());
        derivedEncryptor.setCallbackLookup(callbackLookup);
        derivedEncryptor.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
        derivedEncryptor.setStoreBytesInAttachment(storeBytesInAttachment);
        derivedEncryptor.setExpandXopInclude(isExpandXopInclude());
        derivedEncryptor.setWsDocInfo(wsDocInfo);

        // SecurityPolicy 1.1 tokens are paired with the 2005/02 WS-SecureConversation version.
        boolean securityPolicy11 = recToken.getToken().getVersion() == SPConstants.SPVersion.SP11;
        if (securityPolicy11) {
            derivedEncryptor.setWscVersion(ConversationConstants.VERSION_05_02);
        }

        // The derivation is based on the handler's EncryptedKey, created lazily.
        if (encrKey == null) {
            setupEncryptedKey(encrToken);
        }
        derivedEncryptor.setTokenIdentifier(encryptedKeyId);
        derivedEncryptor.getParts().addAll(encrParts);
        derivedEncryptor.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);

        AlgorithmSuiteType suiteType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();
        derivedEncryptor.setSymmetricEncAlgorithm(suiteType.getEncryption());
        // The suite's derived-key length is divided by 8 here, i.e. treated as a bit count.
        derivedEncryptor.setDerivedKeyLength(suiteType.getEncryptionDerivedKeyLength() / 8);
        derivedEncryptor.prepare(encryptedKeyValue);

        // Derived-key token first, then the ReferenceList produced by the encryption.
        addDerivedKeyElement(derivedEncryptor.getdktElement());
        Element referenceList = derivedEncryptor.encryptForExternalRef(null, encrParts);
        if (referenceList != null) {
            insertBeforeBottomUp(referenceList);
        }
        return derivedEncryptor;
    } catch (Exception e) {
        // Broad catch: any failure, checked or not, only un-asserts the policy.
        LOG.log(Level.FINE, e.getMessage(), e);
        unassertPolicy(recToken, e);
    }
    return null;
}

Example 13 with StaxSerializer

Use of org.apache.cxf.ws.security.wss4j.StaxSerializer in the project cxf by apache.

From the class SymmetricBindingHandler, method doEncryptionDerived.

/**
 * Encrypts the given parts with a key derived from the symmetric token {@code encrTok}.
 *
 * <p>The derived-key token references {@code encrTok} in one of several ways, tried in
 * order: the token's attached reference (only when {@code attached}), its unattached
 * reference, a SecurityTokenReference carrying the token's SHA-1 key identifier on the
 * responder side, or a plain token id. The custom value type is then chosen from the
 * token's type. The derived-key token is added to the security header, the parts are
 * encrypted into an external ReferenceList, and that list plus any attachment
 * EncryptedData elements are handed to {@code addAttachmentsForEncryption}.
 *
 * @param recToken  policy wrapper of the token the encryption is bound to; its policy is
 *                  asserted up front and un-asserted on failure
 * @param encrTok   the security token whose secret the encryption key is derived from
 * @param attached  selects the attached-reference and wsu:Id based branches below; the
 *                  caller decides what "attached" means for this message
 * @param encrParts the message parts to encrypt
 * @param atEnd     passed through to {@code addAttachmentsForEncryption}
 * @return the configured derived-key encryptor, or {@code null} when any step failed (the
 *         failure is logged at FINE and the policy is un-asserted)
 */
private WSSecDKEncrypt doEncryptionDerived(AbstractTokenWrapper recToken, SecurityToken encrTok, boolean attached, List<WSEncryptionPart> encrParts, boolean atEnd) {
    AbstractToken encrToken = recToken.getToken();
    assertPolicy(recToken);
    assertPolicy(encrToken);
    try {
        WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader);
        dkEncr.setEncryptionSerializer(new StaxSerializer());
        dkEncr.setIdAllocator(wssConfig.getIdAllocator());
        dkEncr.setCallbackLookup(callbackLookup);
        dkEncr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
        dkEncr.setStoreBytesInAttachment(storeBytesInAttachment);
        dkEncr.setExpandXopInclude(isExpandXopInclude());
        dkEncr.setWsDocInfo(wsDocInfo);
        // SecurityPolicy 1.1 tokens are paired with the 2005/02 WS-SecureConversation version.
        if (recToken.getToken().getVersion() == SPConstants.SPVersion.SP11) {
            dkEncr.setWscVersion(ConversationConstants.VERSION_05_02);
        }
        // Reference to the token the key is derived from. Existing STR elements are
        // cloned rather than moved so the token keeps its own copy.
        if (attached && encrTok.getAttachedReference() != null) {
            dkEncr.setStrElem(cloneElement(encrTok.getAttachedReference()));
        } else if (encrTok.getUnattachedReference() != null) {
            dkEncr.setStrElem(cloneElement(encrTok.getUnattachedReference()));
        } else if (!isRequestor() && encrTok.getSHA1() != null) {
            // If the Encrypted key used to create the derived key is not
            // attached use key identifier as defined in WSS1.1 section
            // 7.7 Encrypted Key reference
            SecurityTokenReference tokenRef = new SecurityTokenReference(saaj.getSOAPPart());
            String tokenType = encrTok.getTokenType();
            if (encrToken instanceof KerberosToken) {
                // Kerberos tokens are referenced by the Kerberos key-identifier value type,
                // defaulting the token type to the GSS AP-REQ type when none is recorded.
                tokenRef.setKeyIdentifier(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE, encrTok.getSHA1(), true);
                if (tokenType == null) {
                    tokenType = WSS4JConstants.WSS_GSS_KRB_V5_AP_REQ;
                }
            } else {
                // Everything else is referenced via EncryptedKeySHA1.
                tokenRef.setKeyIdentifierEncKeySHA1(encrTok.getSHA1());
                if (tokenType == null) {
                    tokenType = WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE;
                }
            }
            tokenRef.addTokenType(tokenType);
            dkEncr.setStrElem(tokenRef.getElement());
        } else {
            if (attached) {
                // Prefer the wsu:Id; SecureConversation / SecurityContext tokens without one
                // are referenced directly by their token id instead.
                String id = encrTok.getWsuId();
                if (id == null && (encrToken instanceof SecureConversationToken || encrToken instanceof SecurityContextToken)) {
                    dkEncr.setTokenIdDirectId(true);
                    id = encrTok.getId();
                } else if (id == null) {
                    id = encrTok.getId();
                }
                // NOTE(review): id is assumed non-null here; a null getId() would surface as an
                // NPE that the catch below turns into an un-asserted policy — confirm.
                if (id.startsWith("#")) {
                    // Local references carry a leading '#', which the token identifier must not.
                    id = id.substring(1);
                }
                dkEncr.setTokenIdentifier(id);
            } else {
                dkEncr.setTokenIdDirectId(true);
                dkEncr.setTokenIdentifier(encrTok.getId());
            }
        }
        // Value type of the reference: an EncryptedKey-derived token defaults to the
        // EncryptedKey value type; otherwise it follows the token type (SAML 1.1/2.0 get the
        // matching key-identifier value type, UsernameToken its own, anything else as-is).
        if (encrTok.getSHA1() != null) {
            String tokenType = encrTok.getTokenType();
            if (tokenType == null) {
                tokenType = WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE;
            }
            dkEncr.setCustomValueType(tokenType);
        } else {
            String tokenType = encrTok.getTokenType();
            if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
                dkEncr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                dkEncr.setCustomValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
            } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
                dkEncr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                dkEncr.setCustomValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
            } else if (encrToken instanceof UsernameToken) {
                dkEncr.setCustomValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
            } else {
                dkEncr.setCustomValueType(tokenType);
            }
        }
        // Algorithms from the symmetric binding's suite; the derived-key length is divided
        // by 8 here, i.e. treated as a bit count.
        AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
        dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
        dkEncr.prepare(encrTok.getSecret());
        // Derived-key token first, then the ReferenceList and attachment data from the encryption.
        Element encrDKTokenElem = dkEncr.getdktElement();
        addDerivedKeyElement(encrDKTokenElem);
        Element refList = dkEncr.encryptForExternalRef(null, encrParts);
        List<Element> attachments = dkEncr.getAttachmentEncryptedDataElements();
        addAttachmentsForEncryption(atEnd, refList, attachments);
        return dkEncr;
    } catch (Exception e) {
        // Broad catch: any failure, checked or not, only un-asserts the policy.
        LOG.log(Level.FINE, e.getMessage(), e);
        unassertPolicy(recToken, e);
    }
    return null;
}
