Search in sources :

Example 16 with WSEncryptionPart

use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.

the class AbstractBindingBuilder method doSymmSignatureDerived.

private void doSymmSignatureDerived(AbstractToken policyToken, SecurityToken tok, List<WSEncryptionPart> sigParts, boolean isTokenProtection, boolean isSigProtect) throws WSSecurityException {
    Document doc = saaj.getSOAPPart();
    WSSecDKSign dkSign = new WSSecDKSign(secHeader);
    dkSign.setIdAllocator(wssConfig.getIdAllocator());
    dkSign.setCallbackLookup(callbackLookup);
    dkSign.setStoreBytesInAttachment(storeBytesInAttachment);
    dkSign.setExpandXopInclude(isExpandXopInclude());
    // Check whether it is security policy 1.2 and use the secure conversation accordingly
    if (policyToken.getVersion() == SPConstants.SPVersion.SP11) {
        dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
    }
    // Check for whether the token is attached in the message or not
    boolean attached = false;
    if (isTokenRequired(policyToken.getIncludeTokenType())) {
        attached = true;
    }
    // Setting the AttachedReference or the UnattachedReference according to the flag
    Element ref;
    if (attached) {
        ref = tok.getAttachedReference();
    } else {
        ref = tok.getUnattachedReference();
    }
    if (ref != null) {
        ref = cloneElement(ref);
        dkSign.setExternalKey(tok.getSecret(), ref);
    } else if (!isRequestor() && policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        // If the Encrypted key used to create the derived key is not
        // attached use key identifier as defined in WSS1.1 section
        // 7.7 Encrypted Key reference
        SecurityTokenReference tokenRef = new SecurityTokenReference(doc);
        if (tok.getSHA1() != null) {
            tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
            tokenRef.addTokenType(WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE);
        }
        dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
    } else {
        dkSign.setExternalKey(tok.getSecret(), tok.getId());
    }
    // Set the algo info
    dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    dkSign.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
    AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
    dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
    if (tok.getSHA1() != null) {
        // Set the value type of the reference
        dkSign.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);
    } else if (policyToken instanceof UsernameToken) {
        dkSign.setCustomValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
    }
    dkSign.prepare();
    if (isTokenProtection) {
        String sigTokId = XMLUtils.getIDFromReference(tok.getId());
        sigParts.add(new WSEncryptionPart(sigTokId));
    }
    dkSign.getParts().addAll(sigParts);
    List<Reference> referenceList = dkSign.addReferencesToSign(sigParts);
    // Add elements to header
    addSupportingElement(dkSign.getdktElement());
    // Do signature
    dkSign.computeSignature(referenceList, false, null);
    if (isSigProtect) {
        WSEncryptionPart part = new WSEncryptionPart(dkSign.getSignatureId(), "Element");
        encryptedTokensList.add(part);
    }
    addSig(dkSign.getSignatureValue());
}
Also used : WSSecDKSign(org.apache.wss4j.dom.message.WSSecDKSign) WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) Reference(javax.xml.crypto.dsig.Reference) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) Element(org.w3c.dom.Element) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) Document(org.w3c.dom.Document)

Example 17 with WSEncryptionPart

use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.

the class AbstractBindingBuilder method getElements.

/**
 * Identifies the portions of the message to be signed/encrypted.
 *
 * @param encryptionModifier
 *            indicates the scope of the crypto operation over matched
 *            elements. Either "Content" or "Element".
 * @param xpaths
 *            any XPath expressions to sign/encrypt matches
 * @param found
 *            a list of elements that have previously been tagged for
 *            signing/encryption. Populated with additional matches found by
 *            this method and used to prevent including the same element
 *            twice under the same operation.
 * @param forceId
 *         force adding a wsu:Id onto the elements.  Recommended for signatures.
 * @return a configured list of {@code WSEncryptionPart}s suitable for
 *         processing by WSS4J
 * @throws SOAPException
 *             if there is an error extracting SOAP content from the SAAJ
 *             model
 */
protected List<WSEncryptionPart> getElements(String encryptionModifier, List<org.apache.wss4j.policy.model.XPath> xpaths, List<Element> found, boolean forceId) throws SOAPException {
    List<WSEncryptionPart> result = new ArrayList<>();
    if (xpaths != null && !xpaths.isEmpty()) {
        boolean useSTRTransform = MessageUtils.getContextualBoolean(message, SecurityConstants.USE_STR_TRANSFORM, true);
        XPathFactory factory = XPathFactory.newInstance();
        for (org.apache.wss4j.policy.model.XPath xPath : xpaths) {
            XPath xpath = factory.newXPath();
            if (xPath.getPrefixNamespaceMap() != null) {
                xpath.setNamespaceContext(new MapNamespaceContext(xPath.getPrefixNamespaceMap()));
            }
            NodeList list = null;
            try {
                Element envelope = saaj.getSOAPPart().getEnvelope();
                envelope = (Element) DOMUtils.getDomElement(envelope);
                list = (NodeList) xpath.evaluate(xPath.getXPath(), envelope, XPathConstants.NODESET);
            } catch (XPathExpressionException e) {
                LOG.log(Level.WARNING, "Failure in evaluating an XPath expression", e);
            }
            if (list != null) {
                for (int x = 0; x < list.getLength(); x++) {
                    Element el = (Element) list.item(x);
                    if (!found.contains(el)) {
                        found.add(el);
                        WSEncryptionPart part = null;
                        boolean saml1 = WSS4JConstants.SAML_NS.equals(el.getNamespaceURI()) && "Assertion".equals(el.getLocalName());
                        boolean saml2 = WSS4JConstants.SAML2_NS.equals(el.getNamespaceURI()) && "Assertion".equals(el.getLocalName());
                        if (useSTRTransform && (saml1 || saml2)) {
                            String id = saml2 ? el.getAttributeNS(null, "ID") : el.getAttributeNS(null, "AssertionID");
                            SecurityTokenReference secRef = createSTRForSamlAssertion(el.getOwnerDocument(), id, saml1, false);
                            Element clone = cloneElement(secRef.getElement());
                            addSupportingElement(clone);
                            part = new WSEncryptionPart("STRTransform", null, "Element");
                            part.setId(secRef.getID());
                            part.setElement(clone);
                        } else {
                            String id = setIdOnElement(el, forceId);
                            part = new WSEncryptionPart(id, encryptionModifier);
                            part.setElement(el);
                        }
                        part.setXpath(xPath.getXPath());
                        result.add(part);
                    }
                }
            }
        }
    }
    return result;
}
Also used : XPath(javax.xml.xpath.XPath) WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) XPathExpressionException(javax.xml.xpath.XPathExpressionException) NodeList(org.w3c.dom.NodeList) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) MapNamespaceContext(org.apache.cxf.helpers.MapNamespaceContext) XPathFactory(javax.xml.xpath.XPathFactory) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)

Example 18 with WSEncryptionPart

use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.

the class AbstractBindingBuilder method doSymmSignature.

private void doSymmSignature(AbstractToken policyToken, SecurityToken tok, List<WSEncryptionPart> sigParts, boolean isTokenProtection, boolean isSigProtect) throws WSSecurityException {
    WSSecSignature sig = new WSSecSignature(secHeader);
    sig.setIdAllocator(wssConfig.getIdAllocator());
    sig.setCallbackLookup(callbackLookup);
    sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
    sig.setStoreBytesInAttachment(storeBytesInAttachment);
    sig.setExpandXopInclude(isExpandXopInclude());
    sig.setWsDocInfo(wsDocInfo);
    // be used in the wsse:Reference in ds:KeyInfo
    if (policyToken instanceof X509Token) {
        if (isRequestor()) {
            // TODO Add support for SAML2 here
            sig.setCustomTokenValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
        } else {
            // the tok has to be an EncryptedKey token
            sig.setEncrKeySha1value(tok.getSHA1());
            sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
        }
    } else {
        String tokenType = tok.getTokenType();
        if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
        } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
        } else if (tokenType != null) {
            sig.setCustomTokenValueType(tokenType);
        } else if (policyToken instanceof UsernameToken) {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
        } else {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
        }
        sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
    }
    String sigTokId = tok.getWsuId();
    if (sigTokId == null) {
        sigTokId = tok.getId();
    }
    sigTokId = XMLUtils.getIDFromReference(sigTokId);
    sig.setCustomTokenId(sigTokId);
    sig.setSecretKey(tok.getSecret());
    sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
    sig.setDigestAlgo(algType.getDigest());
    sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
    sig.prepare(getSignatureCrypto());
    sig.getParts().addAll(sigParts);
    List<Reference> referenceList = sig.addReferencesToSign(sigParts);
    // Do signature
    sig.computeSignature(referenceList, false, null);
    if (isSigProtect) {
        WSEncryptionPart part = new WSEncryptionPart(sig.getId(), "Element");
        encryptedTokensList.add(part);
    }
    addSig(sig.getSignatureValue());
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) X509Token(org.apache.wss4j.policy.model.X509Token) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) Reference(javax.xml.crypto.dsig.Reference) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature) AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken)

Example 19 with WSEncryptionPart

use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.

the class AbstractBindingBuilder method getEncryptedParts.

public List<WSEncryptionPart> getEncryptedParts() throws SOAPException {
    EncryptedParts parts = null;
    EncryptedElements elements = null;
    ContentEncryptedElements celements = null;
    Collection<AssertionInfo> ais = getAllAssertionsByLocalname(SPConstants.ENCRYPTED_PARTS);
    if (!ais.isEmpty()) {
        for (AssertionInfo ai : ais) {
            parts = (EncryptedParts) ai.getAssertion();
            ai.setAsserted(true);
        }
    }
    ais = getAllAssertionsByLocalname(SPConstants.ENCRYPTED_ELEMENTS);
    if (!ais.isEmpty()) {
        for (AssertionInfo ai : ais) {
            elements = (EncryptedElements) ai.getAssertion();
            ai.setAsserted(true);
        }
    }
    ais = getAllAssertionsByLocalname(SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
    if (!ais.isEmpty()) {
        for (AssertionInfo ai : ais) {
            celements = (ContentEncryptedElements) ai.getAssertion();
            ai.setAsserted(true);
        }
    }
    if (parts == null && elements == null && celements == null) {
        return new ArrayList<>();
    }
    List<WSEncryptionPart> securedParts = new ArrayList<>();
    boolean isBody = false;
    if (parts != null) {
        isBody = parts.isBody();
        for (Header head : parts.getHeaders()) {
            WSEncryptionPart wep = new WSEncryptionPart(head.getName(), head.getNamespace(), "Header");
            securedParts.add(wep);
        }
        Attachments attachments = parts.getAttachments();
        if (attachments != null) {
            String encModifier = "Element";
            if (MessageUtils.getContextualBoolean(message, SecurityConstants.USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM, false)) {
                encModifier = "Content";
            }
            WSEncryptionPart wep = new WSEncryptionPart("cid:Attachments", encModifier);
            securedParts.add(wep);
        }
    }
    // the encrypted list to prevent duplication / errors in encryption.
    return getPartsAndElements(false, isBody, securedParts, elements == null ? null : elements.getXPaths(), celements == null ? null : celements.getXPaths());
}
Also used : ContentEncryptedElements(org.apache.wss4j.policy.model.ContentEncryptedElements) EncryptedElements(org.apache.wss4j.policy.model.EncryptedElements) EncryptedParts(org.apache.wss4j.policy.model.EncryptedParts) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) SOAPHeader(javax.xml.soap.SOAPHeader) Header(org.apache.wss4j.policy.model.Header) WSSecHeader(org.apache.wss4j.dom.message.WSSecHeader) ContentEncryptedElements(org.apache.wss4j.policy.model.ContentEncryptedElements) ArrayList(java.util.ArrayList) Attachments(org.apache.wss4j.policy.model.Attachments)

Example 20 with WSEncryptionPart

use of org.apache.wss4j.common.WSEncryptionPart in project cxf by apache.

the class AbstractBindingBuilder method handleUsernameTokenSupportingToken.

protected void handleUsernameTokenSupportingToken(UsernameToken token, boolean endorse, boolean encryptedToken, List<SupportingToken> ret) throws WSSecurityException {
    if (endorse) {
        WSSecUsernameToken utBuilder = addDKUsernameToken(token, true);
        if (utBuilder != null) {
            utBuilder.prepare();
            addSupportingElement(utBuilder.getUsernameTokenElement());
            ret.add(new SupportingToken(token, utBuilder, null));
            if (encryptedToken) {
                WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element");
                part.setElement(utBuilder.getUsernameTokenElement());
                encryptedTokensList.add(part);
            }
        }
    } else {
        WSSecUsernameToken utBuilder = addUsernameToken(token);
        if (utBuilder != null) {
            utBuilder.prepare();
            addSupportingElement(utBuilder.getUsernameTokenElement());
            ret.add(new SupportingToken(token, utBuilder, null));
            // encryptedTokensIdList.add(utBuilder.getId());
            if (encryptedToken || MessageUtils.getContextualBoolean(message, SecurityConstants.ALWAYS_ENCRYPT_UT, true)) {
                WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element");
                part.setElement(utBuilder.getUsernameTokenElement());
                encryptedTokensList.add(part);
            }
        }
    }
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)

Aggregations

WSEncryptionPart (org.apache.wss4j.common.WSEncryptionPart)25 Element (org.w3c.dom.Element)17 ArrayList (java.util.ArrayList)13 WSSecUsernameToken (org.apache.wss4j.dom.message.WSSecUsernameToken)10 QName (javax.xml.namespace.QName)8 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)8 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)8 SecurityTokenReference (org.apache.wss4j.common.token.SecurityTokenReference)8 Reference (javax.xml.crypto.dsig.Reference)7 SOAPException (javax.xml.soap.SOAPException)7 WSSecSignature (org.apache.wss4j.dom.message.WSSecSignature)7 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)7 Fault (org.apache.cxf.interceptor.Fault)6 AbstractToken (org.apache.wss4j.policy.model.AbstractToken)6 AlgorithmSuiteType (org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)6 IssuedToken (org.apache.wss4j.policy.model.IssuedToken)6 AttachmentCallbackHandler (org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)5 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)5 SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)5 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)5