Search in sources :

Example 81 with WSSecurityException

use of org.apache.wss4j.common.ext.WSSecurityException in project cxf by apache.

the class AbstractBindingBuilder method getEncryptionCrypto.

public Crypto getEncryptionCrypto() throws WSSecurityException {
    Crypto crypto = getCrypto(SecurityConstants.ENCRYPT_CRYPTO, SecurityConstants.ENCRYPT_PROPERTIES);
    boolean enableRevocation = false;
    String enableRevStr = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, message);
    if (enableRevStr != null) {
        enableRevocation = Boolean.parseBoolean(enableRevStr);
    }
    if (enableRevocation && crypto != null) {
        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
        String encrUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
        if (encrUser == null) {
            try {
                encrUser = crypto.getDefaultX509Identifier();
            } catch (WSSecurityException e1) {
                throw new Fault(e1);
            }
        }
        cryptoType.setAlias(encrUser);
        X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
        if (certs != null && certs.length > 0) {
            crypto.verifyTrust(certs, enableRevocation, null, null);
        }
    }
    if (crypto != null) {
        this.message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
    }
    return crypto;
}
Also used : Crypto(org.apache.wss4j.common.crypto.Crypto) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Fault(org.apache.cxf.interceptor.Fault) CryptoType(org.apache.wss4j.common.crypto.CryptoType) X509Certificate(java.security.cert.X509Certificate)

Example 82 with WSSecurityException

use of org.apache.wss4j.common.ext.WSSecurityException in project cxf by apache.

the class AbstractBindingBuilder method doEndorsedSignatures.

protected void doEndorsedSignatures(List<SupportingToken> tokenList, boolean isTokenProtection, boolean isSigProtect) {
    for (SupportingToken supportingToken : tokenList) {
        Object tempTok = supportingToken.getTokenImplementation();
        List<WSEncryptionPart> sigParts = new ArrayList<>();
        WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId);
        sigPart.setElement(bottomUpElement);
        sigParts.add(sigPart);
        if (supportingToken.getSignedParts() != null) {
            for (WSEncryptionPart signedPart : supportingToken.getSignedParts()) {
                sigParts.add(signedPart);
            }
        }
        if (tempTok instanceof WSSecSignature) {
            WSSecSignature sig = (WSSecSignature) tempTok;
            if (isTokenProtection && sig.getBSTTokenId() != null) {
                WSEncryptionPart bstPart = new WSEncryptionPart(sig.getBSTTokenId());
                bstPart.setElement(sig.getBinarySecurityTokenElement());
                sigParts.add(bstPart);
            }
            try {
                List<Reference> referenceList = sig.addReferencesToSign(sigParts);
                sig.computeSignature(referenceList, false, null);
                addSig(sig.getSignatureValue());
                if (isSigProtect) {
                    WSEncryptionPart part = new WSEncryptionPart(sig.getId(), "Element");
                    encryptedTokensList.add(part);
                }
            } catch (WSSecurityException e) {
                unassertPolicy(supportingToken.getToken(), e);
            }
        } else if (tempTok instanceof WSSecurityTokenHolder) {
            SecurityToken token = ((WSSecurityTokenHolder) tempTok).getToken();
            if (isTokenProtection) {
                sigParts.add(new WSEncryptionPart(token.getId()));
            }
            try {
                if (supportingToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                    doSymmSignatureDerived(supportingToken.getToken(), token, sigParts, isTokenProtection, isSigProtect);
                } else {
                    doSymmSignature(supportingToken.getToken(), token, sigParts, isSigProtect);
                }
            } catch (Exception e) {
                LOG.log(Level.FINE, e.getMessage(), e);
            }
        } else if (tempTok instanceof WSSecUsernameToken) {
            WSSecUsernameToken utBuilder = (WSSecUsernameToken) tempTok;
            String id = utBuilder.getId();
            Instant created = Instant.now();
            Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
            SecurityToken secToken = new SecurityToken(id, utBuilder.getUsernameTokenElement(), created, expires);
            if (isTokenProtection) {
                sigParts.add(new WSEncryptionPart(secToken.getId()));
            }
            try {
                byte[] secret = utBuilder.getDerivedKey(supportingToken.getSalt());
                secToken.setSecret(secret);
                Arrays.fill(supportingToken.getSalt(), (byte) 0);
                if (supportingToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                    doSymmSignatureDerived(supportingToken.getToken(), secToken, sigParts, isTokenProtection, isSigProtect);
                } else {
                    doSymmSignature(supportingToken.getToken(), secToken, sigParts, isSigProtect);
                }
            } catch (Exception e) {
                LOG.log(Level.FINE, e.getMessage(), e);
            }
        }
    }
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) Reference(javax.xml.crypto.dsig.Reference) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature) Instant(java.time.Instant) ArrayList(java.util.ArrayList) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SOAPException(javax.xml.soap.SOAPException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) XMLStreamException(javax.xml.stream.XMLStreamException) TokenStoreException(org.apache.cxf.ws.security.tokenstore.TokenStoreException) XPathExpressionException(javax.xml.xpath.XPathExpressionException) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)

Example 83 with WSSecurityException

use of org.apache.wss4j.common.ext.WSSecurityException in project cxf by apache.

the class TransportBindingHandler method doIssuedTokenSignature.

private byte[] doIssuedTokenSignature(final AbstractToken token, final SupportingTokens wrapper) throws Exception {
    boolean tokenIncluded = false;
    // Get the issued token
    SecurityToken secTok = getSecurityToken();
    if (secTok == null) {
        LOG.fine("The retrieved SecurityToken was null");
        Exception ex = new Exception("The retrieved SecurityToken was null");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
    }
    if (isTokenRequired(token.getIncludeTokenType())) {
        // Add the token
        Element el = cloneElement(secTok.getToken());
        // if (securityTok != null) {
        // do we need to sign this as well?
        // String id = addWsuIdToElement(el);
        // sigParts.add(new WSEncryptionPart(id));
        // }
        addEncryptedKeyElement(el);
        tokenIncluded = true;
    }
    List<WSEncryptionPart> sigParts = signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
    if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        return doDerivedKeySignature(tokenIncluded, secTok, token, sigParts);
    }
    return doSignature(tokenIncluded, secTok, token, sigParts);
}
Also used : SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) Element(org.w3c.dom.Element) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SOAPException(javax.xml.soap.SOAPException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)

Example 84 with WSSecurityException

use of org.apache.wss4j.common.ext.WSSecurityException in project cxf by apache.

the class TransportBindingHandler method doSignature.

private byte[] doSignature(boolean tokenIncluded, SecurityToken secTok, AbstractToken token, List<WSEncryptionPart> sigParts) throws Exception {
    WSSecSignature sig = new WSSecSignature(secHeader);
    sig.setIdAllocator(wssConfig.getIdAllocator());
    sig.setCallbackLookup(callbackLookup);
    sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
    sig.setStoreBytesInAttachment(storeBytesInAttachment);
    sig.setExpandXopInclude(isExpandXopInclude());
    sig.setWsDocInfo(wsDocInfo);
    // Setting the AttachedReference or the UnattachedReference according to the flag
    Element ref;
    if (tokenIncluded) {
        ref = secTok.getAttachedReference();
    } else {
        ref = secTok.getUnattachedReference();
    }
    if (ref != null) {
        SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
        sig.setSecurityTokenReference(secRef);
        sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
    } else if (token instanceof UsernameToken) {
        sig.setCustomTokenId(secTok.getId());
        sig.setCustomTokenValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
        int type = tokenIncluded ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
        sig.setKeyIdentifierType(type);
    } else if (secTok.getTokenType() == null) {
        sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
        sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
    } else {
        String id = secTok.getWsuId();
        if (id == null) {
            sig.setCustomTokenId(secTok.getId());
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
        } else {
            sig.setCustomTokenId(secTok.getWsuId());
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
        }
        String tokenType = secTok.getTokenType();
        if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
            sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
        } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
            sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
        } else {
            sig.setCustomTokenValueType(tokenType);
        }
    }
    Crypto crypto;
    if (secTok.getSecret() == null) {
        sig.setX509Certificate(secTok.getX509Certificate());
        crypto = secTok.getCrypto();
        if (crypto == null) {
            crypto = getSignatureCrypto();
        }
        if (crypto == null) {
            LOG.fine("No signature Crypto properties are available");
            Exception ex = new Exception("No signature Crypto properties are available");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
        }
        String uname = crypto.getX509Identifier(secTok.getX509Certificate());
        if (uname == null) {
            String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
            uname = (String) SecurityUtils.getSecurityPropertyValue(userNameKey, message);
        }
        String password = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PASSWORD, message);
        if (StringUtils.isEmpty(password)) {
            password = getPassword(uname, token, WSPasswordCallback.SIGNATURE);
        }
        sig.setUserInfo(uname, password);
        sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
    } else {
        crypto = getSignatureCrypto();
        sig.setSecretKey(secTok.getSecret());
        sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
    }
    sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
    AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
    sig.setDigestAlgo(algType.getDigest());
    sig.prepare(crypto);
    sig.getParts().addAll(sigParts);
    List<Reference> referenceList = sig.addReferencesToSign(sigParts);
    // Do signature
    if (bottomUpElement == null) {
        sig.computeSignature(referenceList, false, null);
    } else {
        sig.computeSignature(referenceList, true, bottomUpElement);
    }
    bottomUpElement = sig.getSignatureElement();
    mainSigId = sig.getId();
    return sig.getSignatureValue();
}
Also used : AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) Reference(javax.xml.crypto.dsig.Reference) WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature) Element(org.w3c.dom.Element) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SOAPException(javax.xml.soap.SOAPException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Crypto(org.apache.wss4j.common.crypto.Crypto) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)

Example 85 with WSSecurityException

use of org.apache.wss4j.common.ext.WSSecurityException in project cxf by apache.

the class StaxCryptoCoverageChecker method handleMessage.

@Override
public void handleMessage(SoapMessage soapMessage) throws Fault {
    @SuppressWarnings("unchecked") final List<SecurityEvent> incomingSecurityEventList = (List<SecurityEvent>) soapMessage.get(SecurityEvent.class.getName() + ".in");
    List<SecurityEvent> results = new ArrayList<>();
    if (incomingSecurityEventList != null) {
        // Get all Signed/Encrypted Results
        results.addAll(getEventFromResults(WSSecurityEventConstants.SIGNED_PART, incomingSecurityEventList));
        results.addAll(getEventFromResults(WSSecurityEventConstants.SignedElement, incomingSecurityEventList));
        if (encryptBody || encryptUsernameToken) {
            results.addAll(getEventFromResults(WSSecurityEventConstants.ENCRYPTED_PART, incomingSecurityEventList));
            results.addAll(getEventFromResults(WSSecurityEventConstants.EncryptedElement, incomingSecurityEventList));
        }
    }
    try {
        checkSignedBody(results);
        checkEncryptedBody(results);
        if (signTimestamp) {
            // We only insist on the Timestamp being signed if it is actually present in the message
            List<SecurityEvent> timestampResults = getEventFromResults(WSSecurityEventConstants.TIMESTAMP, incomingSecurityEventList);
            if (!timestampResults.isEmpty()) {
                checkSignedTimestamp(results);
            }
        }
        if (signAddressingHeaders) {
            AddressingProperties addressingProperties = (AddressingProperties) soapMessage.get("javax.xml.ws.addressing.context.inbound");
            checkSignedAddressing(results, addressingProperties);
        }
        if (signUsernameToken || encryptUsernameToken) {
            // We only insist on the UsernameToken being signed/encrypted if it is actually
            // present in the message
            List<SecurityEvent> usernameTokenResults = getEventFromResults(WSSecurityEventConstants.USERNAME_TOKEN, incomingSecurityEventList);
            if (!usernameTokenResults.isEmpty()) {
                if (signUsernameToken) {
                    checkSignedUsernameToken(results);
                }
                if (encryptUsernameToken) {
                    checkEncryptedUsernameToken(results);
                }
            }
        }
    } catch (WSSecurityException e) {
        throw createSoapFault(soapMessage.getVersion(), e);
    }
}
Also used : SecurityEvent(org.apache.xml.security.stax.securityEvent.SecurityEvent) AbstractSecuredElementSecurityEvent(org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent) ArrayList(java.util.ArrayList) ArrayList(java.util.ArrayList) List(java.util.List) AddressingProperties(org.apache.cxf.ws.addressing.AddressingProperties) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)

Aggregations

WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)241 Element (org.w3c.dom.Element)72 Document (org.w3c.dom.Document)53 IOException (java.io.IOException)51 Crypto (org.apache.wss4j.common.crypto.Crypto)50 SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)39 Credential (org.apache.wss4j.dom.validate.Credential)37 RequestData (org.apache.wss4j.dom.handler.RequestData)36 X509Certificate (java.security.cert.X509Certificate)31 Response (org.opensaml.saml.saml2.core.Response)31 SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)25 DateTime (org.joda.time.DateTime)22 XMLObject (org.opensaml.core.xml.XMLObject)22 XMLStreamException (javax.xml.stream.XMLStreamException)21 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)21 Fault (org.apache.cxf.interceptor.Fault)20 SOAPException (javax.xml.soap.SOAPException)19 CallbackHandler (javax.security.auth.callback.CallbackHandler)18 ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)17 InputStream (java.io.InputStream)16