Example 16 with WSEncryptionPart
use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.
the class AbstractBindingBuilder method doSymmSignatureDerived.
private void doSymmSignatureDerived(AbstractToken policyToken, SecurityToken tok, List<WSEncryptionPart> sigParts, boolean isTokenProtection, boolean isSigProtect) throws WSSecurityException {
Document doc = saaj.getSOAPPart();
WSSecDKSign dkSign = new WSSecDKSign(secHeader);
dkSign.setIdAllocator(wssConfig.getIdAllocator());
dkSign.setCallbackLookup(callbackLookup);
dkSign.setStoreBytesInAttachment(storeBytesInAttachment);
dkSign.setExpandXopInclude(isExpandXopInclude());
// Check whether it is security policy 1.2 and use the secure conversation accordingly
if (policyToken.getVersion() == SPConstants.SPVersion.SP11) {
dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
}
// Check for whether the token is attached in the message or not
boolean attached = false;
if (isTokenRequired(policyToken.getIncludeTokenType())) {
attached = true;
}
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (attached) {
ref = tok.getAttachedReference();
} else {
ref = tok.getUnattachedReference();
}
if (ref != null) {
ref = cloneElement(ref);
dkSign.setExternalKey(tok.getSecret(), ref);
} else if (!isRequestor() && policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
// If the Encrypted key used to create the derived key is not
// attached use key identifier as defined in WSS1.1 section
// 7.7 Encrypted Key reference
SecurityTokenReference tokenRef = new SecurityTokenReference(doc);
if (tok.getSHA1() != null) {
tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
tokenRef.addTokenType(WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE);
}
dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
} else {
dkSign.setExternalKey(tok.getSecret(), tok.getId());
}
// Set the algo info
dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
dkSign.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
if (tok.getSHA1() != null) {
// Set the value type of the reference
dkSign.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);
} else if (policyToken instanceof UsernameToken) {
dkSign.setCustomValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
}
dkSign.prepare();
if (isTokenProtection) {
String sigTokId = XMLUtils.getIDFromReference(tok.getId());
sigParts.add(new WSEncryptionPart(sigTokId));
}
dkSign.getParts().addAll(sigParts);
List<Reference> referenceList = dkSign.addReferencesToSign(sigParts);
// Add elements to header
addSupportingElement(dkSign.getdktElement());
// Do signature
dkSign.computeSignature(referenceList, false, null);
if (isSigProtect) {
WSEncryptionPart part = new WSEncryptionPart(dkSign.getSignatureId(), "Element");
encryptedTokensList.add(part);
}
addSig(dkSign.getSignatureValue());
}
Also used :
WSSecDKSign(org.apache.wss4j.dom.message.WSSecDKSign)
WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)
Reference(javax.xml.crypto.dsig.Reference)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
Element(org.w3c.dom.Element)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
Document(org.w3c.dom.Document)
Example 17 with WSEncryptionPart
use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.
the class AbstractBindingBuilder method getElements.
/**
* Identifies the portions of the message to be signed/encrypted.
*
* @param encryptionModifier
* indicates the scope of the crypto operation over matched
* elements. Either "Content" or "Element".
* @param xpaths
* any XPath expressions to sign/encrypt matches
* @param found
* a list of elements that have previously been tagged for
* signing/encryption. Populated with additional matches found by
* this method and used to prevent including the same element
* twice under the same operation.
* @param forceId
* force adding a wsu:Id onto the elements. Recommended for signatures.
* @return a configured list of {@code WSEncryptionPart}s suitable for
* processing by WSS4J
* @throws SOAPException
* if there is an error extracting SOAP content from the SAAJ
* model
*/
protected List<WSEncryptionPart> getElements(String encryptionModifier, List<org.apache.wss4j.policy.model.XPath> xpaths, List<Element> found, boolean forceId) throws SOAPException {
List<WSEncryptionPart> result = new ArrayList<>();
if (xpaths != null && !xpaths.isEmpty()) {
boolean useSTRTransform = MessageUtils.getContextualBoolean(message, SecurityConstants.USE_STR_TRANSFORM, true);
XPathFactory factory = XPathFactory.newInstance();
for (org.apache.wss4j.policy.model.XPath xPath : xpaths) {
XPath xpath = factory.newXPath();
if (xPath.getPrefixNamespaceMap() != null) {
xpath.setNamespaceContext(new MapNamespaceContext(xPath.getPrefixNamespaceMap()));
}
NodeList list = null;
try {
Element envelope = saaj.getSOAPPart().getEnvelope();
envelope = (Element) DOMUtils.getDomElement(envelope);
list = (NodeList) xpath.evaluate(xPath.getXPath(), envelope, XPathConstants.NODESET);
} catch (XPathExpressionException e) {
LOG.log(Level.WARNING, "Failure in evaluating an XPath expression", e);
}
if (list != null) {
for (int x = 0; x < list.getLength(); x++) {
Element el = (Element) list.item(x);
if (!found.contains(el)) {
found.add(el);
WSEncryptionPart part = null;
boolean saml1 = WSS4JConstants.SAML_NS.equals(el.getNamespaceURI()) && "Assertion".equals(el.getLocalName());
boolean saml2 = WSS4JConstants.SAML2_NS.equals(el.getNamespaceURI()) && "Assertion".equals(el.getLocalName());
if (useSTRTransform && (saml1 || saml2)) {
String id = saml2 ? el.getAttributeNS(null, "ID") : el.getAttributeNS(null, "AssertionID");
SecurityTokenReference secRef = createSTRForSamlAssertion(el.getOwnerDocument(), id, saml1, false);
Element clone = cloneElement(secRef.getElement());
addSupportingElement(clone);
part = new WSEncryptionPart("STRTransform", null, "Element");
part.setId(secRef.getID());
part.setElement(clone);
} else {
String id = setIdOnElement(el, forceId);
part = new WSEncryptionPart(id, encryptionModifier);
part.setElement(el);
}
part.setXpath(xPath.getXPath());
result.add(part);
}
}
}
}
}
return result;
}
Also used :
XPath(javax.xml.xpath.XPath)
WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart)
XPathExpressionException(javax.xml.xpath.XPathExpressionException)
NodeList(org.w3c.dom.NodeList)
Element(org.w3c.dom.Element)
ArrayList(java.util.ArrayList)
MapNamespaceContext(org.apache.cxf.helpers.MapNamespaceContext)
XPathFactory(javax.xml.xpath.XPathFactory)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
Example 18 with WSEncryptionPart
use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.
the class AbstractBindingBuilder method doSymmSignature.
private void doSymmSignature(AbstractToken policyToken, SecurityToken tok, List<WSEncryptionPart> sigParts, boolean isTokenProtection, boolean isSigProtect) throws WSSecurityException {
WSSecSignature sig = new WSSecSignature(secHeader);
sig.setIdAllocator(wssConfig.getIdAllocator());
sig.setCallbackLookup(callbackLookup);
sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
sig.setStoreBytesInAttachment(storeBytesInAttachment);
sig.setExpandXopInclude(isExpandXopInclude());
sig.setWsDocInfo(wsDocInfo);
// be used in the wsse:Reference in ds:KeyInfo
if (policyToken instanceof X509Token) {
if (isRequestor()) {
// TODO Add support for SAML2 here
sig.setCustomTokenValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
} else {
// the tok has to be an EncryptedKey token
sig.setEncrKeySha1value(tok.getSHA1());
sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
}
} else {
String tokenType = tok.getTokenType();
if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
} else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
} else if (tokenType != null) {
sig.setCustomTokenValueType(tokenType);
} else if (policyToken instanceof UsernameToken) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
} else {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
}
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
}
String sigTokId = tok.getWsuId();
if (sigTokId == null) {
sigTokId = tok.getId();
}
sigTokId = XMLUtils.getIDFromReference(sigTokId);
sig.setCustomTokenId(sigTokId);
sig.setSecretKey(tok.getSecret());
sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
sig.setDigestAlgo(algType.getDigest());
sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
sig.prepare(getSignatureCrypto());
sig.getParts().addAll(sigParts);
List<Reference> referenceList = sig.addReferencesToSign(sigParts);
// Do signature
sig.computeSignature(referenceList, false, null);
if (isSigProtect) {
WSEncryptionPart part = new WSEncryptionPart(sig.getId(), "Element");
encryptedTokensList.add(part);
}
addSig(sig.getSignatureValue());
}
Also used :
WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart)
X509Token(org.apache.wss4j.policy.model.X509Token)
AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)
Reference(javax.xml.crypto.dsig.Reference)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature)
AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
Example 19 with WSEncryptionPart
use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.
the class AbstractBindingBuilder method getEncryptedParts.
public List<WSEncryptionPart> getEncryptedParts() throws SOAPException {
EncryptedParts parts = null;
EncryptedElements elements = null;
ContentEncryptedElements celements = null;
Collection<AssertionInfo> ais = getAllAssertionsByLocalname(SPConstants.ENCRYPTED_PARTS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
parts = (EncryptedParts) ai.getAssertion();
ai.setAsserted(true);
}
}
ais = getAllAssertionsByLocalname(SPConstants.ENCRYPTED_ELEMENTS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
elements = (EncryptedElements) ai.getAssertion();
ai.setAsserted(true);
}
}
ais = getAllAssertionsByLocalname(SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
celements = (ContentEncryptedElements) ai.getAssertion();
ai.setAsserted(true);
}
}
if (parts == null && elements == null && celements == null) {
return new ArrayList<>();
}
List<WSEncryptionPart> securedParts = new ArrayList<>();
boolean isBody = false;
if (parts != null) {
isBody = parts.isBody();
for (Header head : parts.getHeaders()) {
WSEncryptionPart wep = new WSEncryptionPart(head.getName(), head.getNamespace(), "Header");
securedParts.add(wep);
}
Attachments attachments = parts.getAttachments();
if (attachments != null) {
String encModifier = "Element";
if (MessageUtils.getContextualBoolean(message, SecurityConstants.USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM, false)) {
encModifier = "Content";
}
WSEncryptionPart wep = new WSEncryptionPart("cid:Attachments", encModifier);
securedParts.add(wep);
}
}
// the encrypted list to prevent duplication / errors in encryption.
return getPartsAndElements(false, isBody, securedParts, elements == null ? null : elements.getXPaths(), celements == null ? null : celements.getXPaths());
}
Also used :
ContentEncryptedElements(org.apache.wss4j.policy.model.ContentEncryptedElements)
EncryptedElements(org.apache.wss4j.policy.model.EncryptedElements)
EncryptedParts(org.apache.wss4j.policy.model.EncryptedParts)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart)
SOAPHeader(javax.xml.soap.SOAPHeader)
Header(org.apache.wss4j.policy.model.Header)
WSSecHeader(org.apache.wss4j.dom.message.WSSecHeader)
ContentEncryptedElements(org.apache.wss4j.policy.model.ContentEncryptedElements)
ArrayList(java.util.ArrayList)
Attachments(org.apache.wss4j.policy.model.Attachments)
Example 20 with WSEncryptionPart
use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.
the class AbstractBindingBuilder method handleUsernameTokenSupportingToken.
protected void handleUsernameTokenSupportingToken(UsernameToken token, boolean endorse, boolean encryptedToken, List<SupportingToken> ret) throws WSSecurityException {
if (endorse) {
WSSecUsernameToken utBuilder = addDKUsernameToken(token, true);
if (utBuilder != null) {
utBuilder.prepare();
addSupportingElement(utBuilder.getUsernameTokenElement());
ret.add(new SupportingToken(token, utBuilder, null));
if (encryptedToken) {
WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element");
part.setElement(utBuilder.getUsernameTokenElement());
encryptedTokensList.add(part);
}
}
} else {
WSSecUsernameToken utBuilder = addUsernameToken(token);
if (utBuilder != null) {
utBuilder.prepare();
addSupportingElement(utBuilder.getUsernameTokenElement());
ret.add(new SupportingToken(token, utBuilder, null));
// encryptedTokensIdList.add(utBuilder.getId());
if (encryptedToken || MessageUtils.getContextualBoolean(message, SecurityConstants.ALWAYS_ENCRYPT_UT, true)) {
WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element");
part.setElement(utBuilder.getUsernameTokenElement());
encryptedTokensList.add(part);
}
}
}
}
Also used :
WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
Aggregations
WSEncryptionPart (org.apache.wss4j.common.WSEncryptionPart)25
Element (org.w3c.dom.Element)17
ArrayList (java.util.ArrayList)13
WSSecUsernameToken (org.apache.wss4j.dom.message.WSSecUsernameToken)10
QName (javax.xml.namespace.QName)8
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)8
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)8
SecurityTokenReference (org.apache.wss4j.common.token.SecurityTokenReference)8
Reference (javax.xml.crypto.dsig.Reference)7
SOAPException (javax.xml.soap.SOAPException)7
WSSecSignature (org.apache.wss4j.dom.message.WSSecSignature)7
UsernameToken (org.apache.wss4j.policy.model.UsernameToken)7
Fault (org.apache.cxf.interceptor.Fault)6
AbstractToken (org.apache.wss4j.policy.model.AbstractToken)6
AlgorithmSuiteType (org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)6
IssuedToken (org.apache.wss4j.policy.model.IssuedToken)6
AttachmentCallbackHandler (org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)5
KerberosToken (org.apache.wss4j.policy.model.KerberosToken)5
SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)5
SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)5
