use of org.apache.wss4j.common.ext.WSSecurityException in project cxf by apache.
the class AbstractBindingBuilder method getEncryptionCrypto.
public Crypto getEncryptionCrypto() throws WSSecurityException {
Crypto crypto = getCrypto(SecurityConstants.ENCRYPT_CRYPTO, SecurityConstants.ENCRYPT_PROPERTIES);
boolean enableRevocation = false;
String enableRevStr = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, message);
if (enableRevStr != null) {
enableRevocation = Boolean.parseBoolean(enableRevStr);
}
if (enableRevocation && crypto != null) {
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
String encrUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
if (encrUser == null) {
try {
encrUser = crypto.getDefaultX509Identifier();
} catch (WSSecurityException e1) {
throw new Fault(e1);
}
}
cryptoType.setAlias(encrUser);
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
if (certs != null && certs.length > 0) {
crypto.verifyTrust(certs, enableRevocation, null, null);
}
}
if (crypto != null) {
this.message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
}
return crypto;
}
use of org.apache.wss4j.common.ext.WSSecurityException in project cxf by apache.
the class AbstractBindingBuilder method doEndorsedSignatures.
protected void doEndorsedSignatures(List<SupportingToken> tokenList, boolean isTokenProtection, boolean isSigProtect) {
for (SupportingToken supportingToken : tokenList) {
Object tempTok = supportingToken.getTokenImplementation();
List<WSEncryptionPart> sigParts = new ArrayList<>();
WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId);
sigPart.setElement(bottomUpElement);
sigParts.add(sigPart);
if (supportingToken.getSignedParts() != null) {
for (WSEncryptionPart signedPart : supportingToken.getSignedParts()) {
sigParts.add(signedPart);
}
}
if (tempTok instanceof WSSecSignature) {
WSSecSignature sig = (WSSecSignature) tempTok;
if (isTokenProtection && sig.getBSTTokenId() != null) {
WSEncryptionPart bstPart = new WSEncryptionPart(sig.getBSTTokenId());
bstPart.setElement(sig.getBinarySecurityTokenElement());
sigParts.add(bstPart);
}
try {
List<Reference> referenceList = sig.addReferencesToSign(sigParts);
sig.computeSignature(referenceList, false, null);
addSig(sig.getSignatureValue());
if (isSigProtect) {
WSEncryptionPart part = new WSEncryptionPart(sig.getId(), "Element");
encryptedTokensList.add(part);
}
} catch (WSSecurityException e) {
unassertPolicy(supportingToken.getToken(), e);
}
} else if (tempTok instanceof WSSecurityTokenHolder) {
SecurityToken token = ((WSSecurityTokenHolder) tempTok).getToken();
if (isTokenProtection) {
sigParts.add(new WSEncryptionPart(token.getId()));
}
try {
if (supportingToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
doSymmSignatureDerived(supportingToken.getToken(), token, sigParts, isTokenProtection, isSigProtect);
} else {
doSymmSignature(supportingToken.getToken(), token, sigParts, isSigProtect);
}
} catch (Exception e) {
LOG.log(Level.FINE, e.getMessage(), e);
}
} else if (tempTok instanceof WSSecUsernameToken) {
WSSecUsernameToken utBuilder = (WSSecUsernameToken) tempTok;
String id = utBuilder.getId();
Instant created = Instant.now();
Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
SecurityToken secToken = new SecurityToken(id, utBuilder.getUsernameTokenElement(), created, expires);
if (isTokenProtection) {
sigParts.add(new WSEncryptionPart(secToken.getId()));
}
try {
byte[] secret = utBuilder.getDerivedKey(supportingToken.getSalt());
secToken.setSecret(secret);
Arrays.fill(supportingToken.getSalt(), (byte) 0);
if (supportingToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
doSymmSignatureDerived(supportingToken.getToken(), secToken, sigParts, isTokenProtection, isSigProtect);
} else {
doSymmSignature(supportingToken.getToken(), secToken, sigParts, isSigProtect);
}
} catch (Exception e) {
LOG.log(Level.FINE, e.getMessage(), e);
}
}
}
}
use of org.apache.wss4j.common.ext.WSSecurityException in project cxf by apache.
the class TransportBindingHandler method doIssuedTokenSignature.
private byte[] doIssuedTokenSignature(final AbstractToken token, final SupportingTokens wrapper) throws Exception {
boolean tokenIncluded = false;
// Get the issued token
SecurityToken secTok = getSecurityToken();
if (secTok == null) {
LOG.fine("The retrieved SecurityToken was null");
Exception ex = new Exception("The retrieved SecurityToken was null");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
}
if (isTokenRequired(token.getIncludeTokenType())) {
// Add the token
Element el = cloneElement(secTok.getToken());
// if (securityTok != null) {
// do we need to sign this as well?
// String id = addWsuIdToElement(el);
// sigParts.add(new WSEncryptionPart(id));
// }
addEncryptedKeyElement(el);
tokenIncluded = true;
}
List<WSEncryptionPart> sigParts = signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
return doDerivedKeySignature(tokenIncluded, secTok, token, sigParts);
}
return doSignature(tokenIncluded, secTok, token, sigParts);
}
use of org.apache.wss4j.common.ext.WSSecurityException in project cxf by apache.
the class TransportBindingHandler method doSignature.
private byte[] doSignature(boolean tokenIncluded, SecurityToken secTok, AbstractToken token, List<WSEncryptionPart> sigParts) throws Exception {
WSSecSignature sig = new WSSecSignature(secHeader);
sig.setIdAllocator(wssConfig.getIdAllocator());
sig.setCallbackLookup(callbackLookup);
sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
sig.setStoreBytesInAttachment(storeBytesInAttachment);
sig.setExpandXopInclude(isExpandXopInclude());
sig.setWsDocInfo(wsDocInfo);
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (tokenIncluded) {
ref = secTok.getAttachedReference();
} else {
ref = secTok.getUnattachedReference();
}
if (ref != null) {
SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
sig.setSecurityTokenReference(secRef);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (token instanceof UsernameToken) {
sig.setCustomTokenId(secTok.getId());
sig.setCustomTokenValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
int type = tokenIncluded ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
sig.setKeyIdentifierType(type);
} else if (secTok.getTokenType() == null) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
String id = secTok.getWsuId();
if (id == null) {
sig.setCustomTokenId(secTok.getId());
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
} else {
sig.setCustomTokenId(secTok.getWsuId());
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
}
String tokenType = secTok.getTokenType();
if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
sig.setCustomTokenValueType(tokenType);
}
}
Crypto crypto;
if (secTok.getSecret() == null) {
sig.setX509Certificate(secTok.getX509Certificate());
crypto = secTok.getCrypto();
if (crypto == null) {
crypto = getSignatureCrypto();
}
if (crypto == null) {
LOG.fine("No signature Crypto properties are available");
Exception ex = new Exception("No signature Crypto properties are available");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
}
String uname = crypto.getX509Identifier(secTok.getX509Certificate());
if (uname == null) {
String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
uname = (String) SecurityUtils.getSecurityPropertyValue(userNameKey, message);
}
String password = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PASSWORD, message);
if (StringUtils.isEmpty(password)) {
password = getPassword(uname, token, WSPasswordCallback.SIGNATURE);
}
sig.setUserInfo(uname, password);
sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
} else {
crypto = getSignatureCrypto();
sig.setSecretKey(secTok.getSecret());
sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
}
sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
sig.setDigestAlgo(algType.getDigest());
sig.prepare(crypto);
sig.getParts().addAll(sigParts);
List<Reference> referenceList = sig.addReferencesToSign(sigParts);
// Do signature
if (bottomUpElement == null) {
sig.computeSignature(referenceList, false, null);
} else {
sig.computeSignature(referenceList, true, bottomUpElement);
}
bottomUpElement = sig.getSignatureElement();
mainSigId = sig.getId();
return sig.getSignatureValue();
}
use of org.apache.wss4j.common.ext.WSSecurityException in project cxf by apache.
the class StaxCryptoCoverageChecker method handleMessage.
@Override
public void handleMessage(SoapMessage soapMessage) throws Fault {
@SuppressWarnings("unchecked") final List<SecurityEvent> incomingSecurityEventList = (List<SecurityEvent>) soapMessage.get(SecurityEvent.class.getName() + ".in");
List<SecurityEvent> results = new ArrayList<>();
if (incomingSecurityEventList != null) {
// Get all Signed/Encrypted Results
results.addAll(getEventFromResults(WSSecurityEventConstants.SIGNED_PART, incomingSecurityEventList));
results.addAll(getEventFromResults(WSSecurityEventConstants.SignedElement, incomingSecurityEventList));
if (encryptBody || encryptUsernameToken) {
results.addAll(getEventFromResults(WSSecurityEventConstants.ENCRYPTED_PART, incomingSecurityEventList));
results.addAll(getEventFromResults(WSSecurityEventConstants.EncryptedElement, incomingSecurityEventList));
}
}
try {
checkSignedBody(results);
checkEncryptedBody(results);
if (signTimestamp) {
// We only insist on the Timestamp being signed if it is actually present in the message
List<SecurityEvent> timestampResults = getEventFromResults(WSSecurityEventConstants.TIMESTAMP, incomingSecurityEventList);
if (!timestampResults.isEmpty()) {
checkSignedTimestamp(results);
}
}
if (signAddressingHeaders) {
AddressingProperties addressingProperties = (AddressingProperties) soapMessage.get("javax.xml.ws.addressing.context.inbound");
checkSignedAddressing(results, addressingProperties);
}
if (signUsernameToken || encryptUsernameToken) {
// We only insist on the UsernameToken being signed/encrypted if it is actually
// present in the message
List<SecurityEvent> usernameTokenResults = getEventFromResults(WSSecurityEventConstants.USERNAME_TOKEN, incomingSecurityEventList);
if (!usernameTokenResults.isEmpty()) {
if (signUsernameToken) {
checkSignedUsernameToken(results);
}
if (encryptUsernameToken) {
checkEncryptedUsernameToken(results);
}
}
}
} catch (WSSecurityException e) {
throw createSoapFault(soapMessage.getVersion(), e);
}
}
Aggregations