use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.
the class SymmetricBindingHandler method doSignBeforeEncrypt.
private void doSignBeforeEncrypt() {
AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
assertTokenWrapper(sigAbstractTokenWrapper);
AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
String sigTokId = null;
Element sigTokElem = null;
try {
SecurityToken sigTok = null;
if (sigToken != null) {
if (sigToken instanceof SecureConversationToken || sigToken instanceof SecurityContextToken || sigToken instanceof IssuedToken || sigToken instanceof KerberosToken || sigToken instanceof SpnegoContextToken) {
sigTok = getSecurityToken();
} else if (sigToken instanceof X509Token) {
if (isRequestor()) {
sigTokId = setupEncryptedKey(sigAbstractTokenWrapper, sigToken);
} else {
sigTok = getEncryptedKey();
}
} else if (sigToken instanceof UsernameToken) {
if (isRequestor()) {
sigTokId = setupUTDerivedKey((UsernameToken) sigToken);
} else {
sigTok = getUTDerivedKey();
}
}
} else {
unassertPolicy(sbinding, "No signature token");
return;
}
if (sigTok == null && StringUtils.isEmpty(sigTokId)) {
unassertPolicy(sigAbstractTokenWrapper, "No signature token id");
return;
}
assertPolicy(sigAbstractTokenWrapper);
if (sigTok == null) {
sigTok = tokenStore.getToken(sigTokId);
}
// if (sigTok == null) {
// REVISIT - no token?
// }
boolean tokIncluded = true;
if (isTokenRequired(sigToken.getIncludeTokenType())) {
Element el = sigTok.getToken();
sigTokElem = cloneElement(el);
this.addEncryptedKeyElement(sigTokElem);
} else if (isRequestor() && sigToken instanceof X509Token) {
Element el = sigTok.getToken();
sigTokElem = cloneElement(el);
this.addEncryptedKeyElement(sigTokElem);
} else {
tokIncluded = false;
}
// Add timestamp
List<WSEncryptionPart> sigs = new ArrayList<>();
if (timestampEl != null) {
WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
sigs.add(timestampPart);
}
addSupportingTokens(sigs);
sigs.addAll(getSignedParts(null));
if (isRequestor()) {
if (!sigs.isEmpty()) {
addSig(doSignature(sigs, sigAbstractTokenWrapper, sigToken, sigTok, tokIncluded));
}
doEndorse();
} else {
// confirm sig
addSignatureConfirmation(sigs);
if (!sigs.isEmpty()) {
doSignature(sigs, sigAbstractTokenWrapper, sigToken, sigTok, tokIncluded);
}
}
// Encryption
AbstractTokenWrapper encrAbstractTokenWrapper = getEncryptionToken();
AbstractToken encrToken = encrAbstractTokenWrapper.getToken();
SecurityToken encrTok = null;
if (sigToken.equals(encrToken)) {
// Use the same token
encrTok = sigTok;
} else {
unassertPolicy(sbinding, "Encryption token does not equal signature token");
return;
}
List<WSEncryptionPart> enc = getEncryptedParts();
// Check for signature protection
if (sbinding.isEncryptSignature()) {
if (mainSigId != null) {
WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
sigPart.setElement(bottomUpElement);
enc.add(sigPart);
}
if (sigConfList != null && !sigConfList.isEmpty()) {
enc.addAll(sigConfList);
}
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
if (isRequestor()) {
enc.addAll(encryptedTokensList);
}
doEncryption(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false);
} catch (Exception e) {
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
}
use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.
the class SymmetricBindingHandler method doSignatureDK.
private byte[] doSignatureDK(List<WSEncryptionPart> sigs, AbstractTokenWrapper policyAbstractTokenWrapper, AbstractToken policyToken, SecurityToken tok, boolean included) throws WSSecurityException {
Document doc = saaj.getSOAPPart();
WSSecDKSign dkSign = new WSSecDKSign(secHeader);
dkSign.setIdAllocator(wssConfig.getIdAllocator());
dkSign.setCallbackLookup(callbackLookup);
dkSign.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
dkSign.setStoreBytesInAttachment(storeBytesInAttachment);
dkSign.setExpandXopInclude(isExpandXopInclude());
dkSign.setWsDocInfo(wsDocInfo);
if (policyAbstractTokenWrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
}
// Check for whether the token is attached in the message or not
boolean attached = false;
if (isTokenRequired(policyToken.getIncludeTokenType())) {
attached = true;
}
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (attached) {
ref = tok.getAttachedReference();
} else {
ref = tok.getUnattachedReference();
}
if (ref != null) {
dkSign.setExternalKey(tok.getSecret(), cloneElement(ref));
} else if (!isRequestor() && policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys && tok.getSHA1() != null) {
// If the Encrypted key used to create the derived key is not
// attached use key identifier as defined in WSS1.1 section
// 7.7 Encrypted Key reference
SecurityTokenReference tokenRef = new SecurityTokenReference(doc);
if (tok.getSHA1() != null) {
String tokenType = tok.getTokenType();
if (policyToken instanceof KerberosToken) {
tokenRef.setKeyIdentifier(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE, tok.getSHA1(), true);
if (tokenType == null) {
tokenType = WSS4JConstants.WSS_GSS_KRB_V5_AP_REQ;
}
} else {
tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
if (tokenType == null) {
tokenType = WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE;
}
}
tokenRef.addTokenType(tokenType);
}
dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
} else {
if ((!attached && !isRequestor()) || policyToken instanceof SecureConversationToken || policyToken instanceof SecurityContextToken) {
dkSign.setTokenIdDirectId(true);
}
dkSign.setExternalKey(tok.getSecret(), tok.getId());
}
// Set the algo info
dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
dkSign.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
dkSign.setDigestAlgorithm(algType.getDigest());
dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
boolean includePrefixes = MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);
dkSign.setAddInclusivePrefixes(includePrefixes);
if (tok.getSHA1() != null) {
// Set the value type of the reference
String tokenType = tok.getTokenType();
if (tokenType == null) {
tokenType = WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE;
}
dkSign.setCustomValueType(tokenType);
} else {
String tokenType = tok.getTokenType();
if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
dkSign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
dkSign.setCustomValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
} else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
dkSign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
dkSign.setCustomValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
} else if (policyToken instanceof UsernameToken) {
dkSign.setCustomValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
} else {
dkSign.setCustomValueType(tokenType);
}
}
dkSign.prepare();
if (sbinding.isProtectTokens()) {
String sigTokId = tok.getId();
if (included) {
sigTokId = tok.getWsuId();
if (sigTokId == null) {
sigTokId = tok.getId();
}
if (sigTokId.startsWith("#")) {
sigTokId = sigTokId.substring(1);
}
}
sigs.add(new WSEncryptionPart(sigTokId));
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
}
dkSign.getParts().addAll(sigs);
List<Reference> referenceList = dkSign.addReferencesToSign(sigs);
if (!referenceList.isEmpty()) {
// Add elements to header
Element el = dkSign.getdktElement();
addDerivedKeyElement(el);
// Do signature
if (bottomUpElement == null) {
dkSign.computeSignature(referenceList, false, null);
} else {
dkSign.computeSignature(referenceList, true, bottomUpElement);
}
bottomUpElement = dkSign.getSignatureElement();
this.mainSigId = dkSign.getSignatureId();
return dkSign.getSignatureValue();
}
return null;
}
use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.
the class SymmetricBindingHandler method doEncryptBeforeSign.
private void doEncryptBeforeSign() {
try {
AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
assertTokenWrapper(encryptionWrapper);
AbstractToken encryptionToken = encryptionWrapper.getToken();
if (encryptionToken != null) {
// The encryption token can be an IssuedToken or a
// SecureConversationToken
String tokenId = null;
SecurityToken tok = null;
if (encryptionToken instanceof IssuedToken || encryptionToken instanceof KerberosToken || encryptionToken instanceof SecureConversationToken || encryptionToken instanceof SecurityContextToken || encryptionToken instanceof SpnegoContextToken) {
tok = getSecurityToken();
} else if (encryptionToken instanceof X509Token) {
if (isRequestor()) {
tokenId = setupEncryptedKey(encryptionWrapper, encryptionToken);
} else {
tok = getEncryptedKey();
}
} else if (encryptionToken instanceof UsernameToken) {
if (isRequestor()) {
tokenId = setupUTDerivedKey((UsernameToken) encryptionToken);
} else {
tok = getUTDerivedKey();
}
}
if (tok == null) {
// }
if (tokenId != null && tokenId.startsWith("#")) {
tokenId = tokenId.substring(1);
}
/*
* Get hold of the token from the token storage
*/
tok = tokenStore.getToken(tokenId);
}
boolean attached = false;
if (isTokenRequired(encryptionToken.getIncludeTokenType())) {
Element el = tok.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
} else if (encryptionToken instanceof X509Token && isRequestor()) {
Element el = tok.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
}
List<WSEncryptionPart> sigParts = new ArrayList<>();
if (timestampEl != null) {
WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
sigParts.add(timestampPart);
}
addSupportingTokens(sigParts);
sigParts.addAll(this.getSignedParts(null));
List<WSEncryptionPart> encrParts = getEncryptedParts();
WSSecBase encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true);
handleEncryptedSignedHeaders(encrParts, sigParts);
if (!isRequestor()) {
addSignatureConfirmation(sigParts);
}
// We should use the same key in the case of EncryptBeforeSig
if (!sigParts.isEmpty()) {
addSig(this.doSignature(sigParts, encryptionWrapper, encryptionToken, tok, attached));
}
if (isRequestor()) {
this.doEndorse();
}
// Check for signature protection and encryption of UsernameToken
if (sbinding.isEncryptSignature() || !encryptedTokensList.isEmpty() && isRequestor()) {
List<WSEncryptionPart> secondEncrParts = new ArrayList<>();
// Now encrypt the signature using the above token
if (sbinding.isEncryptSignature()) {
if (this.mainSigId != null) {
WSEncryptionPart sigPart = new WSEncryptionPart(this.mainSigId, "Element");
sigPart.setElement(bottomUpElement);
secondEncrParts.add(sigPart);
}
if (sigConfList != null && !sigConfList.isEmpty()) {
secondEncrParts.addAll(sigConfList);
}
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
if (isRequestor()) {
secondEncrParts.addAll(encryptedTokensList);
}
Element secondRefList = null;
if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys && !secondEncrParts.isEmpty()) {
secondRefList = ((WSSecDKEncrypt) encr).encryptForExternalRef(null, secondEncrParts);
} else if (!secondEncrParts.isEmpty()) {
// Encrypt, get hold of the ref list and add it
secondRefList = ((WSSecEncrypt) encr).encryptForRef(null, secondEncrParts);
}
if (secondRefList != null) {
this.addDerivedKeyElement(secondRefList);
}
}
}
} catch (RuntimeException ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
throw ex;
} catch (Exception ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
throw new Fault(ex);
}
}
use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.
the class TransportBindingHandler method doIssuedTokenSignature.
private byte[] doIssuedTokenSignature(final AbstractToken token, final SupportingTokens wrapper) throws Exception {
boolean tokenIncluded = false;
// Get the issued token
SecurityToken secTok = getSecurityToken();
if (secTok == null) {
LOG.fine("The retrieved SecurityToken was null");
Exception ex = new Exception("The retrieved SecurityToken was null");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
}
if (isTokenRequired(token.getIncludeTokenType())) {
// Add the token
Element el = cloneElement(secTok.getToken());
// if (securityTok != null) {
// do we need to sign this as well?
// String id = addWsuIdToElement(el);
// sigParts.add(new WSEncryptionPart(id));
// }
addEncryptedKeyElement(el);
tokenIncluded = true;
}
List<WSEncryptionPart> sigParts = signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
return doDerivedKeySignature(tokenIncluded, secTok, token, sigParts);
}
return doSignature(tokenIncluded, secTok, token, wrapper, sigParts);
}
use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.
the class TransportBindingHandler method doX509TokenSignature.
private byte[] doX509TokenSignature(AbstractToken token, SupportingTokens wrapper) throws Exception {
List<WSEncryptionPart> sigParts = signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token);
assertPolicy(wrapper);
Element bstElem = encrKey.getBinarySecurityTokenElement();
if (bstElem != null) {
addTopDownElement(bstElem);
}
encrKey.appendToHeader();
WSSecDKSign dkSig = new WSSecDKSign(secHeader);
dkSig.setIdAllocator(wssConfig.getIdAllocator());
dkSig.setCallbackLookup(callbackLookup);
if (token.getVersion() == SPConstants.SPVersion.SP11) {
dkSig.setWscVersion(ConversationConstants.VERSION_05_02);
}
dkSig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
dkSig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
dkSig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
dkSig.setStoreBytesInAttachment(storeBytesInAttachment);
dkSig.setExpandXopInclude(isExpandXopInclude());
dkSig.setWsDocInfo(wsDocInfo);
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
dkSig.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
dkSig.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
dkSig.prepare();
dkSig.getParts().addAll(sigParts);
List<Reference> referenceList = dkSig.addReferencesToSign(sigParts);
// Do signature
dkSig.appendDKElementToHeader();
dkSig.computeSignature(referenceList, false, null);
return dkSig.getSignatureValue();
}
WSSecSignature sig = getSignatureBuilder(token, false, false);
assertPolicy(wrapper);
if (sig != null) {
sig.prependBSTElementToHeader();
List<Reference> referenceList = sig.addReferencesToSign(sigParts);
if (bottomUpElement == null) {
sig.computeSignature(referenceList, false, null);
} else {
sig.computeSignature(referenceList, true, bottomUpElement);
}
bottomUpElement = sig.getSignatureElement();
mainSigId = sig.getId();
return sig.getSignatureValue();
}
return new byte[0];
}
Aggregations