Use of org.apache.wss4j.common.derivedKey.P_SHA1 in project cxf by apache: class AbstractSTSClient, method createSecurityToken.
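/**
 * Turns the STS response into a {@link SecurityToken}.
 *
 * <p>{@code el} may be the RequestSecurityTokenResponseCollection (its first
 * response is used) or a single RequestSecurityTokenResponse. Only children in
 * this client's WS-Trust {@code namespace} are read: Lifetime,
 * RequestedSecurityToken, RequestedAttachedReference,
 * RequestedUnattachedReference, RequestedProofToken, Entropy, TokenType and
 * KeySize. When no ID can be found on the token or its references, a fresh
 * secure ID is allocated.
 *
 * <p>The proof-of-possession secret comes from the RequestedProofToken: a
 * BinarySecret is base64-decoded, an EncryptedKey is handed to
 * {@code decryptKey}, and a ComputedKey is derived with P_SHA1 from
 * {@code requestorEntropy} and the entropy the STS returned, at the key length
 * the STS reported (falling back to {@code keySize}, then 256 bits). Without a
 * proof token the requestor entropy itself is the secret; the secret stays
 * {@code null} when nothing applies.
 *
 * @param el               the response element
 * @param requestorEntropy entropy sent with the request, or {@code null}
 * @return the token, with its secret set when one could be resolved
 * @throws Fault                   if the response is not a RequestSecurityTokenResponse
 * @throws TrustException          if a ComputedKey is returned but either side's
 *                                 entropy is missing, or the P_SHA1 derivation fails
 * @throws WSSecurityException     propagated from {@code decryptKey}
 * @throws Base64DecodingException propagated from the base64 decoder
 */
protected SecurityToken createSecurityToken(Element el, byte[] requestorEntropy)
    throws WSSecurityException, Base64DecodingException {
    if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) {
        el = DOMUtils.getFirstElement(el);
    }
    // An empty collection leaves el null; report it like any other wrong element
    if (el == null || !"RequestSecurityTokenResponse".equals(el.getLocalName())) {
        throw new Fault("Unexpected element " + (el == null ? null : el.getLocalName()), LOG);
    }

    Element rst = null;
    Element rar = null;
    Element rur = null;
    Element rpt = null;
    Element lte = null;
    Element entropy = null;
    String tt = null;
    String retKeySize = null;
    for (Element child = DOMUtils.getFirstElement(el); child != null;
         child = DOMUtils.getNextElement(child)) {
        if (!namespace.equals(child.getNamespaceURI())) {
            continue; // elements from other namespaces are ignored
        }
        String ln = child.getLocalName();
        if ("Lifetime".equals(ln)) {
            lte = child;
        } else if ("RequestedSecurityToken".equals(ln)) {
            rst = DOMUtils.getFirstElement(child);
        } else if ("RequestedAttachedReference".equals(ln)) {
            rar = DOMUtils.getFirstElement(child);
        } else if ("RequestedUnattachedReference".equals(ln)) {
            rur = DOMUtils.getFirstElement(child);
        } else if ("RequestedProofToken".equals(ln)) {
            rpt = child;
        } else if ("Entropy".equals(ln)) {
            entropy = child;
        } else if ("TokenType".equals(ln)) {
            tt = DOMUtils.getContent(child);
        } else if ("KeySize".equals(ln)) {
            retKeySize = DOMUtils.getContent(child);
        }
    }

    String id = findID(rar, rur, rst);
    if (StringUtils.isEmpty(id)) {
        LOG.fine("No ID extracted from token, so just making one up");
        id = WSSConfig.getNewInstance().getIdAllocator().createSecureId("_", null);
    }
    SecurityToken token = new SecurityToken(id, rst, lte);
    token.setAttachedReference(rar);
    token.setUnattachedReference(rur);
    token.setIssuerAddress(location);
    token.setTokenType(tt);

    byte[] secret;
    if (rpt != null) {
        secret = proofTokenSecret(rpt, entropy, requestorEntropy, retKeySize);
    } else {
        // No proof token: the requestor entropy (possibly null) is the key
        secret = requestorEntropy;
    }
    token.setSecret(secret);
    return token;
}

/**
 * Resolves the secret carried by a RequestedProofToken element.
 *
 * @param rpt              the RequestedProofToken element
 * @param entropy          the Entropy element returned by the STS, or {@code null}
 * @param requestorEntropy the entropy this client sent, or {@code null}
 * @param retKeySize       the KeySize text returned by the STS, or {@code null}
 * @return the secret, or {@code null} if the proof token is empty or of an
 *         unrecognised kind
 * @throws TrustException if a ComputedKey cannot be derived
 */
private byte[] proofTokenSecret(Element rpt, Element entropy, byte[] requestorEntropy,
                                String retKeySize)
    throws WSSecurityException, Base64DecodingException {
    Element child = DOMUtils.getFirstElement(rpt);
    if (child == null) {
        return null; // empty RequestedProofToken: nothing to derive from
    }
    QName childQname = DOMUtils.getElementQName(child);
    if (childQname.equals(new QName(namespace, "BinarySecret"))) {
        // The STS sent the key itself, base64 encoded
        return org.apache.xml.security.utils.XMLUtils.decode(DOMUtils.getContent(child));
    }
    if (childQname.equals(new QName(WSS4JConstants.ENC_NS, WSS4JConstants.ENC_KEY_LN))) {
        return decryptKey(child);
    }
    if (!childQname.equals(new QName(namespace, "ComputedKey"))) {
        return null;
    }

    // ComputedKey: both parties' entropy are combined with P_SHA1.
    // NOTE(review): the algorithm URI in the ComputedKey text is not checked;
    // P_SHA1 is assumed because it is the only computed-key algorithm used here.
    byte[] serviceEntr = serviceEntropyFrom(entropy);
    if (serviceEntr == null) {
        // Service entropy missing
        throw new TrustException("NO_ENTROPY", LOG);
    }
    if (requestorEntropy == null) {
        // Our own entropy is needed too; fail with the same fault rather than
        // letting P_SHA1 reject the null secret with a lower-level exception
        throw new TrustException("NO_ENTROPY", LOG);
    }
    try {
        // length is in bits; a value that is not a multiple of 8 is truncated
        return new P_SHA1().createKey(requestorEntropy, serviceEntr, 0,
                                      computedKeyLength(retKeySize) / 8);
    } catch (WSSecurityException e) {
        throw new TrustException("DERIVED_KEY_ERROR", e, LOG);
    }
}

/**
 * Extracts the STS entropy from an Entropy element.
 *
 * @param entropy the Entropy element, or {@code null}
 * @return the decoded or decrypted entropy, or {@code null} if absent or of an
 *         unrecognised kind
 */
private byte[] serviceEntropyFrom(Element entropy)
    throws WSSecurityException, Base64DecodingException {
    Element child = entropy == null ? null : DOMUtils.getFirstElement(entropy);
    if (child == null) {
        return null;
    }
    QName qname = DOMUtils.getElementQName(child);
    if (qname.equals(new QName(WSS4JConstants.ENC_NS, WSS4JConstants.ENC_KEY_LN))) {
        return decryptKey(child);
    }
    if (qname.equals(new QName(namespace, "BinarySecret"))) {
        return org.apache.xml.security.utils.XMLUtils.decode(DOMUtils.getContent(child));
    }
    return null;
}

/**
 * Picks the computed-key length in bits: the KeySize the STS returned when it
 * parses, else the size this client requested ({@code keySize}), else 256.
 *
 * @param retKeySize the KeySize text from the response, or {@code null}
 * @return a positive key length in bits
 */
private int computedKeyLength(String retKeySize) {
    int length = keySize;
    if (retKeySize != null) {
        try {
            length = Integer.parseInt(retKeySize.trim());
        } catch (NumberFormatException ex) {
            // Unparseable size from the STS: fall back to the requested size
            // (previously this silently became 256 regardless of keySize)
            LOG.fine("Ignoring unparseable KeySize '" + retKeySize + "' in STS response");
        }
    }
    return length > 0 ? length : 256;
}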
Use of org.apache.wss4j.common.derivedKey.P_SHA1 in project cxf by apache: class SymmetricKeyHandler, method createSymmetricKey.
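/**
 * Creates the symmetric key for the token being issued and records in
 * {@code computedKey} whether it is a WS-Trust computed key.
 *
 * <p>Resolution order:
 * <ol>
 * <li>a client BinarySecret of type {@code STSConstants.SYMMETRIC_KEY_TYPE} (or with
 *     no type) is used as the key as-is;</li>
 * <li>otherwise a decrypted key supplied by the client is used as-is;</li>
 * <li>otherwise {@code keySize / 8} random bytes are generated into
 *     {@code entropyBytes} and become the key. If the client also sent a
 *     BinarySecret (then of some other type, e.g. a nonce), the key instead
 *     becomes P_SHA1(clientBinarySecret, entropyBytes) and {@code computedKey}
 *     is set, so neither party alone chooses the key.</li>
 * </ol>
 *
 * @throws STSException with {@code INVALID_REQUEST} if nonce generation or the
 *         P_SHA1 derivation fails; the underlying cause is preserved in both cases
 */
public void createSymmetricKey() {
    computedKey = false;
    BinarySecret binarySecret = clientEntropy == null ? null : clientEntropy.getBinarySecret();
    if (binarySecret != null
        && (binarySecret.getBinarySecretType() == null
            || STSConstants.SYMMETRIC_KEY_TYPE.equals(binarySecret.getBinarySecretType()))) {
        // The client supplied the key itself
        secret = binarySecret.getBinarySecretValue();
        return;
    }
    if (clientEntropy != null && clientEntropy.getDecryptedKey() != null) {
        secret = clientEntropy.getDecryptedKey();
        return;
    }

    try {
        entropyBytes = WSSecurityUtil.generateNonce(keySize / 8);
        secret = entropyBytes;
    } catch (WSSecurityException ex) {
        LOG.log(Level.WARNING, "", ex);
        throw new STSException("Error in creating symmetric key", ex, STSException.INVALID_REQUEST);
    }

    if (binarySecret != null) {
        // Client nonce + our nonce -> computed key
        byte[] nonce = binarySecret.getBinarySecretValue();
        try {
            secret = new P_SHA1().createKey(nonce, entropyBytes, 0, keySize / 8);
            computedKey = true;
        } catch (WSSecurityException ex) {
            LOG.log(Level.WARNING, "", ex);
            // Keep the cause (it used to be dropped here) so the failure is diagnosable
            throw new STSException("Error in creating symmetric key", ex, STSException.INVALID_REQUEST);
        }
    }
}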
Use of org.apache.wss4j.common.derivedKey.P_SHA1 in project cxf by apache: class SimpleBatchSTSClient, method createSecurityToken.
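/**
 * Turns the STS response into a {@link SecurityToken}.
 *
 * <p>{@code el} may be the RequestSecurityTokenResponseCollection (its first
 * response is used) or a single RequestSecurityTokenResponse. Only children in
 * this client's WS-Trust {@code namespace} are read: Lifetime,
 * RequestedSecurityToken, RequestedAttachedReference,
 * RequestedUnattachedReference, RequestedProofToken, Entropy and TokenType.
 * The token must carry an ID on itself or one of its references.
 *
 * <p>The proof-of-possession secret comes from the RequestedProofToken: a
 * BinarySecret is base64-decoded, an EncryptedKey is handed to
 * {@code decryptKey}, and a ComputedKey is derived with P_SHA1 from
 * {@code requestorEntropy} and the entropy the STS returned, at {@code keySize}
 * bits (or the algorithm suite's maximum symmetric key length, else 256).
 * Without a proof token the requestor entropy itself is the secret; the secret
 * stays {@code null} when nothing applies.
 *
 * @param el               the response element
 * @param requestorEntropy entropy sent with the request, or {@code null}
 * @return the token, with its secret set when one could be resolved
 * @throws Fault                    if the response is not a RequestSecurityTokenResponse
 * @throws TrustException           if no ID is found, if a ComputedKey is returned
 *                                  but either side's entropy is missing, or the
 *                                  P_SHA1 derivation fails
 * @throws WSSecurityException      propagated from {@code decryptKey}
 * @throws IllegalArgumentException from {@link Base64} on malformed base64 content
 */
protected SecurityToken createSecurityToken(Element el, byte[] requestorEntropy)
    throws WSSecurityException {
    if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) {
        el = DOMUtils.getFirstElement(el);
    }
    // An empty collection leaves el null; report it like any other wrong element
    if (el == null || !"RequestSecurityTokenResponse".equals(el.getLocalName())) {
        throw new Fault("Unexpected element " + (el == null ? null : el.getLocalName()), LOG);
    }

    Element rst = null;
    Element rar = null;
    Element rur = null;
    Element rpt = null;
    Element lte = null;
    Element entropy = null;
    String tt = null;
    for (Element child = DOMUtils.getFirstElement(el); child != null;
         child = DOMUtils.getNextElement(child)) {
        if (!namespace.equals(child.getNamespaceURI())) {
            continue; // elements from other namespaces are ignored
        }
        String ln = child.getLocalName();
        if ("Lifetime".equals(ln)) {
            lte = child;
        } else if ("RequestedSecurityToken".equals(ln)) {
            rst = DOMUtils.getFirstElement(child);
        } else if ("RequestedAttachedReference".equals(ln)) {
            rar = DOMUtils.getFirstElement(child);
        } else if ("RequestedUnattachedReference".equals(ln)) {
            rur = DOMUtils.getFirstElement(child);
        } else if ("RequestedProofToken".equals(ln)) {
            rpt = child;
        } else if ("Entropy".equals(ln)) {
            entropy = child;
        } else if ("TokenType".equals(ln)) {
            tt = DOMUtils.getContent(child);
        }
    }

    String id = findID(rar, rur, rst);
    if (StringUtils.isEmpty(id)) {
        throw new TrustException("NO_ID", LOG);
    }
    SecurityToken token = new SecurityToken(id, rst, lte);
    token.setAttachedReference(rar);
    token.setUnattachedReference(rur);
    token.setIssuerAddress(location);
    token.setTokenType(tt);

    byte[] secret;
    if (rpt != null) {
        secret = proofTokenSecret(rpt, entropy, requestorEntropy);
    } else {
        // No proof token: the requestor entropy (possibly null) is the key
        secret = requestorEntropy;
    }
    token.setSecret(secret);
    return token;
}

/**
 * Resolves the secret carried by a RequestedProofToken element.
 *
 * @param rpt              the RequestedProofToken element
 * @param entropy          the Entropy element returned by the STS, or {@code null}
 * @param requestorEntropy the entropy this client sent, or {@code null}
 * @return the secret, or {@code null} if the proof token is empty or of an
 *         unrecognised kind
 * @throws TrustException if a ComputedKey cannot be derived
 */
private byte[] proofTokenSecret(Element rpt, Element entropy, byte[] requestorEntropy)
    throws WSSecurityException {
    Element child = DOMUtils.getFirstElement(rpt);
    if (child == null) {
        return null; // empty RequestedProofToken: nothing to derive from
    }
    QName childQname = DOMUtils.getElementQName(child);
    if (childQname.equals(new QName(namespace, "BinarySecret"))) {
        // The STS sent the key itself, base64 encoded
        return Base64.getMimeDecoder().decode(DOMUtils.getContent(child));
    }
    if (childQname.equals(new QName(WSS4JConstants.ENC_NS, WSS4JConstants.ENC_KEY_LN))) {
        return decryptKey(child);
    }
    if (!childQname.equals(new QName(namespace, "ComputedKey"))) {
        return null;
    }

    // ComputedKey: both parties' entropy are combined with P_SHA1.
    // NOTE(review): the algorithm URI in the ComputedKey text is not checked;
    // P_SHA1 is assumed because it is the only computed-key algorithm used here.
    byte[] serviceEntr = serviceEntropyFrom(entropy);
    if (serviceEntr == null) {
        // Service entropy missing
        throw new TrustException("NO_ENTROPY", LOG);
    }
    if (requestorEntropy == null) {
        // Our own entropy is needed too; fail with the same fault rather than
        // letting P_SHA1 reject the null secret with a lower-level exception
        throw new TrustException("NO_ENTROPY", LOG);
    }
    try {
        // length is in bits; a value that is not a multiple of 8 is truncated
        return new P_SHA1().createKey(requestorEntropy, serviceEntr, 0, computedKeyLength() / 8);
    } catch (WSSecurityException e) {
        throw new TrustException("DERIVED_KEY_ERROR", e, LOG);
    }
}

/**
 * Extracts the STS entropy from an Entropy element.
 *
 * @param entropy the Entropy element, or {@code null}
 * @return the decoded or decrypted entropy, or {@code null} if absent or of an
 *         unrecognised kind
 */
private byte[] serviceEntropyFrom(Element entropy) throws WSSecurityException {
    Element child = entropy == null ? null : DOMUtils.getFirstElement(entropy);
    if (child == null) {
        return null;
    }
    QName qname = DOMUtils.getElementQName(child);
    if (qname.equals(new QName(WSS4JConstants.ENC_NS, WSS4JConstants.ENC_KEY_LN))) {
        return decryptKey(child);
    }
    if (qname.equals(new QName(namespace, "BinarySecret"))) {
        return Base64.getMimeDecoder().decode(DOMUtils.getContent(child));
    }
    return null;
}

/**
 * Picks the computed-key length in bits: the configured {@code keySize} when
 * positive, else the algorithm suite's maximum symmetric key length when a
 * suite is configured, else 256.
 *
 * @return the key length in bits
 */
private int computedKeyLength() {
    if (keySize > 0) {
        return keySize;
    }
    if (algorithmSuite != null) {
        AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
        return algType.getMaximumSymmetricKeyLength();
    }
    return 256;
}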
Use of org.apache.wss4j.common.derivedKey.P_SHA1 in project cxf by apache: class STSInvoker, method writeProofToken.
/**
 * Writes the RequestedProofToken for the token being issued and returns the
 * proof-of-possession secret.
 *
 * <p>Without client entropy the STS chooses the whole secret: {@code keySize / 8}
 * random bytes, written inside the proof token as a base64 BinarySecret of type
 * {@code <namespace>/Nonce}. With client entropy the proof token only names the
 * algorithm ({@code <namespace>/CK/PSHA1}); the STS nonce is written afterwards
 * in a separate Entropy element and the returned secret is
 * P_SHA1(clientEntropy, stsNonce) of {@code keySize / 8} bytes, which the client
 * can recompute from the two nonces without the key itself ever being written.
 *
 * @param prefix        XML prefix for the WS-Trust elements
 * @param namespace     WS-Trust namespace, also the base of the Type and algorithm URIs
 * @param writer        destination; positioned inside the response element
 * @param clientEntropy entropy sent by the client, or {@code null}
 * @param keySize       key size in bits (only whole bytes are generated)
 * @return the secret the token is bound to
 * @throws WSSecurityException if nonce generation or the P_SHA1 derivation fails
 * @throws XMLStreamException  on writer errors
 */
byte[] writeProofToken(String prefix, String namespace, W3CDOMStreamWriter writer,
                       byte[] clientEntropy, int keySize)
    throws NoSuchAlgorithmException, WSSecurityException, XMLStreamException {
    writer.writeStartElement(prefix, "RequestedProofToken", namespace);
    byte[] stsNonce = WSSecurityUtil.generateNonce(keySize / 8);

    if (clientEntropy == null) {
        // The nonce is the secret itself and is sent as-is
        writeNonce(writer, prefix, namespace, stsNonce);
        writer.writeEndElement(); // RequestedProofToken
        return stsNonce;
    }

    byte[] derived = new P_SHA1().createKey(clientEntropy, stsNonce, 0, keySize / 8);
    writer.writeStartElement(prefix, "ComputedKey", namespace);
    writer.writeCharacters(namespace + "/CK/PSHA1");
    writer.writeEndElement(); // ComputedKey
    writer.writeEndElement(); // RequestedProofToken
    writer.writeStartElement(prefix, "Entropy", namespace);
    writeNonce(writer, prefix, namespace, stsNonce);
    writer.writeEndElement(); // Entropy
    return derived;
}

/**
 * Writes {@code bytes} as a base64 BinarySecret element of type {@code <namespace>/Nonce}.
 */
private void writeNonce(W3CDOMStreamWriter writer, String prefix, String namespace, byte[] bytes)
    throws XMLStreamException {
    writer.writeStartElement(prefix, "BinarySecret", namespace);
    writer.writeAttribute("Type", namespace + "/Nonce");
    writer.writeCharacters(XMLUtils.encodeToString(bytes));
    writer.writeEndElement();
}