Example 1 with BinarySecurity
use of org.apache.wss4j.common.token.BinarySecurity in project ddf by codice.
the class WssPKIHandler method extractAuthenticationInfo.
@Override
protected BaseAuthenticationToken extractAuthenticationInfo(String realm, X509Certificate[] certs) {
PKIAuthenticationToken pkiToken = tokenFactory.getTokenFromCerts(certs, realm);
BinarySecurityTokenType binarySecurityType = pkiToken.createBinarySecurityTokenType(pkiToken.getCredentials());
//
// Turn the received JAXB object into a DOM element
//
Document doc = DOMUtils.createDocument();
BinarySecurity binarySecurity = new X509Security(doc);
binarySecurity.setEncodingType(binarySecurityType.getEncodingType());
binarySecurity.setValueType(X509Security.X509_V3_TYPE);
String data = binarySecurityType.getValue();
Node textNode = doc.createTextNode(data);
binarySecurity.getElement().appendChild(textNode);
BaseAuthenticationToken baseAuthenticationToken = new BaseAuthenticationToken(null, "", binarySecurity.toString());
baseAuthenticationToken.setUseWssSts(true);
return baseAuthenticationToken;
}
Also used :
PKIAuthenticationToken(org.codice.ddf.security.handler.api.PKIAuthenticationToken)
BinarySecurity(org.apache.wss4j.common.token.BinarySecurity)
BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType)
Node(org.w3c.dom.Node)
BaseAuthenticationToken(org.codice.ddf.security.handler.api.BaseAuthenticationToken)
Document(org.w3c.dom.Document)
X509Security(org.apache.wss4j.common.token.X509Security)
Example 2 with BinarySecurity
use of org.apache.wss4j.common.token.BinarySecurity in project ddf by codice.
the class PKITokenValidator method validateToken.
/**
* Validate a Token using the given TokenValidatorParameters.
*
* @param tokenParameters
* @return TokenValidatorResponse
*/
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
LOGGER.trace("Validating PKI Token");
STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
Crypto sigCrypto = stsProperties.getSignatureCrypto();
CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
RequestData requestData = new RequestData();
requestData.setSigVerCrypto(sigCrypto);
requestData.setWssConfig(WSSConfig.getNewInstance());
requestData.setCallbackHandler(callbackHandler);
TokenValidatorResponse response = new TokenValidatorResponse();
ReceivedToken validateTarget = tokenParameters.getToken();
validateTarget.setState(STATE.INVALID);
response.setToken(validateTarget);
PKIAuthenticationToken pkiToken = getPKITokenFromTarget(validateTarget);
if (pkiToken == null) {
return response;
}
BinarySecurityTokenType binarySecurityType = pkiToken.createBinarySecurityTokenType(pkiToken.getCredentials());
// Test the encoding type
String encodingType = binarySecurityType.getEncodingType();
if (!PKIAuthenticationToken.BASE64_ENCODING.equals(encodingType)) {
LOGGER.trace("Bad encoding type attribute specified: {}", encodingType);
return response;
}
//
// Turn the received JAXB object into a DOM element
//
Document doc = DOMUtils.createDocument();
BinarySecurity binarySecurity = new X509Security(doc);
binarySecurity.setEncodingType(encodingType);
binarySecurity.setValueType(binarySecurityType.getValueType());
String data = binarySecurityType.getValue();
Node textNode = doc.createTextNode(data);
binarySecurity.getElement().appendChild(textNode);
//
try {
Credential credential = new Credential();
credential.setBinarySecurityToken(binarySecurity);
if (merlin != null) {
byte[] token = binarySecurity.getToken();
if (token != null) {
X509Certificate[] certificates = merlin.getCertificatesFromBytes(token);
if (certificates != null) {
if (doPathValidation) {
credential.setCertificates(certificates);
} else {
credential.setCertificates(new X509Certificate[] { certificates[0] });
}
}
} else {
LOGGER.debug("Binary Security Token bytes were null.");
}
}
Credential returnedCredential = validator.validate(credential, requestData);
X500Principal subjectX500Principal = returnedCredential.getCertificates()[0].getSubjectX500Principal();
response.setPrincipal(subjectX500Principal);
if (response.getAdditionalProperties() == null) {
response.setAdditionalProperties(new HashMap<>());
}
try {
String emailAddress = SubjectUtils.getEmailAddress(subjectX500Principal);
if (emailAddress != null) {
response.getAdditionalProperties().put(SubjectUtils.EMAIL_ADDRESS_CLAIM_URI, emailAddress);
}
String country = SubjectUtils.getCountry(subjectX500Principal);
if (country != null) {
response.getAdditionalProperties().put(SubjectUtils.COUNTRY_CLAIM_URI, country);
}
} catch (Exception e) {
LOGGER.debug("Unable to set email address or country from certificate.", e);
}
validateTarget.setPrincipal(subjectX500Principal);
validateTarget.setState(STATE.VALID);
} catch (WSSecurityException ex) {
LOGGER.info("Unable to validate credentials.", ex);
}
return response;
}
Also used :
CallbackHandler(javax.security.auth.callback.CallbackHandler)
Credential(org.apache.wss4j.dom.validate.Credential)
BinarySecurity(org.apache.wss4j.common.token.BinarySecurity)
Node(org.w3c.dom.Node)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Document(org.w3c.dom.Document)
X509Certificate(java.security.cert.X509Certificate)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
IOException(java.io.IOException)
PKIAuthenticationToken(org.codice.ddf.security.handler.api.PKIAuthenticationToken)
Crypto(org.apache.wss4j.common.crypto.Crypto)
STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean)
BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType)
RequestData(org.apache.wss4j.dom.handler.RequestData)
X500Principal(javax.security.auth.x500.X500Principal)
TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
X509Security(org.apache.wss4j.common.token.X509Security)
Example 3 with BinarySecurity
use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.
the class AbstractBindingBuilder method getEncryptedKeyBuilder.
protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException {
WSSecEncryptedKey encrKey = new WSSecEncryptedKey(secHeader);
encrKey.setIdAllocator(wssConfig.getIdAllocator());
encrKey.setCallbackLookup(callbackLookup);
encrKey.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
encrKey.setStoreBytesInAttachment(storeBytesInAttachment);
Crypto crypto = getEncryptionCrypto();
message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
setKeyIdentifierType(encrKey, token);
boolean alsoIncludeToken = false;
// Find out do we also need to include the token as per the Inclusion requirement
if (token instanceof X509Token && token.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER && encrKey.getKeyIdentifierType() != WSConstants.BST_DIRECT_REFERENCE) {
alsoIncludeToken = true;
}
String encrUser = setEncryptionUser(encrKey, token, false, crypto);
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
encrKey.setSymmetricEncAlgorithm(algType.getEncryption());
encrKey.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
encrKey.setMGFAlgorithm(algType.getMGFAlgo());
encrKey.prepare(crypto);
if (alsoIncludeToken) {
X509Certificate encCert = getEncryptCert(crypto, encrUser);
BinarySecurity bstToken = new X509Security(saaj.getSOAPPart());
((X509Security) bstToken).setX509Certificate(encCert);
bstToken.addWSUNamespace();
bstToken.setID(wssConfig.getIdAllocator().createSecureId("X509-", encCert));
WSSecurityUtil.prependChildElement(secHeader.getSecurityHeaderElement(), bstToken.getElement());
bstElement = bstToken.getElement();
}
return encrKey;
}
Also used :
Crypto(org.apache.wss4j.common.crypto.Crypto)
WSSecEncryptedKey(org.apache.wss4j.dom.message.WSSecEncryptedKey)
BinarySecurity(org.apache.wss4j.common.token.BinarySecurity)
X509Token(org.apache.wss4j.policy.model.X509Token)
AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)
AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)
X509Certificate(java.security.cert.X509Certificate)
X509Security(org.apache.wss4j.common.token.X509Security)
Example 4 with BinarySecurity
use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.
the class AbstractBindingPolicyValidator method findCorrespondingToken.
/**
* Find the token corresponding to either the X509Certificate or PublicKey used to sign
* the "signatureResult" argument.
*/
private WSSecurityEngineResult findCorrespondingToken(WSSecurityEngineResult signatureResult, List<WSSecurityEngineResult> results) {
// See what was used to sign this result
X509Certificate cert = (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
PublicKey publicKey = (PublicKey) signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
for (WSSecurityEngineResult token : results) {
Integer actInt = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
if (actInt == WSConstants.SIGN) {
continue;
}
BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
PublicKey foundPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
X509Certificate foundCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
if (foundCert.equals(cert)) {
return token;
}
} else if (actInt.intValue() == WSConstants.ST_SIGNED || actInt.intValue() == WSConstants.ST_UNSIGNED) {
SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
if (samlKeyInfo != null) {
X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
if ((cert != null && subjectCerts != null && cert.equals(subjectCerts[0])) || (subjectPublicKey != null && subjectPublicKey.equals(publicKey))) {
return token;
}
}
} else if (publicKey != null && publicKey.equals(foundPublicKey)) {
return token;
}
}
return null;
}
Also used :
BinarySecurity(org.apache.wss4j.common.token.BinarySecurity)
SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo)
PublicKey(java.security.PublicKey)
PKIPathSecurity(org.apache.wss4j.common.token.PKIPathSecurity)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)
X509Certificate(java.security.cert.X509Certificate)
X509Security(org.apache.wss4j.common.token.X509Security)
Example 5 with BinarySecurity
use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.
the class AbstractSupportingTokenPolicyValidator method checkSignatureOrEncryptionResult.
/**
* Check that a WSSecurityEngineResult corresponding to a signature or encryption uses the same
* signing/encrypting credential as one of the tokens.
* @param result a WSSecurityEngineResult corresponding to a signature or encryption
* @param tokenResult A list of WSSecurityEngineResults corresponding to tokens
* @return
*/
private boolean checkSignatureOrEncryptionResult(WSSecurityEngineResult result, List<WSSecurityEngineResult> tokenResult) {
// See what was used to sign/encrypt this result
X509Certificate cert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
byte[] secret = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);
PublicKey publicKey = (PublicKey) result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
// Now see if the same credential exists in the tokenResult list
for (WSSecurityEngineResult token : tokenResult) {
Integer actInt = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
X509Certificate foundCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
if (foundCert.equals(cert)) {
return true;
}
} else if (actInt.intValue() == WSConstants.ST_SIGNED || actInt.intValue() == WSConstants.ST_UNSIGNED) {
SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
if (samlKeyInfo != null) {
X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
byte[] subjectSecretKey = samlKeyInfo.getSecret();
PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
if ((cert != null && subjectCerts != null && cert.equals(subjectCerts[0])) || (subjectSecretKey != null && Arrays.equals(subjectSecretKey, secret)) || (subjectPublicKey != null && subjectPublicKey.equals(publicKey))) {
return true;
}
}
} else if (publicKey != null) {
PublicKey foundPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
if (publicKey.equals(foundPublicKey)) {
return true;
}
} else {
byte[] foundSecret = (byte[]) token.get(WSSecurityEngineResult.TAG_SECRET);
byte[] derivedKey = (byte[]) token.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY);
if ((foundSecret != null && Arrays.equals(foundSecret, secret)) || (derivedKey != null && Arrays.equals(derivedKey, secret))) {
return true;
}
}
}
return false;
}
Also used :
BinarySecurity(org.apache.wss4j.common.token.BinarySecurity)
SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo)
PublicKey(java.security.PublicKey)
PKIPathSecurity(org.apache.wss4j.common.token.PKIPathSecurity)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)
X509Certificate(java.security.cert.X509Certificate)
X509Security(org.apache.wss4j.common.token.X509Security)
Aggregations
BinarySecurity (org.apache.wss4j.common.token.BinarySecurity)18
X509Security (org.apache.wss4j.common.token.X509Security)11
X509Certificate (java.security.cert.X509Certificate)9
WSSecurityEngineResult (org.apache.wss4j.dom.engine.WSSecurityEngineResult)8
Document (org.w3c.dom.Document)8
Crypto (org.apache.wss4j.common.crypto.Crypto)5
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)5
Element (org.w3c.dom.Element)5
BinarySecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType)4
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)4
PKIPathSecurity (org.apache.wss4j.common.token.PKIPathSecurity)4
Node (org.w3c.dom.Node)4
PublicKey (java.security.PublicKey)3
CallbackHandler (javax.security.auth.callback.CallbackHandler)3
STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)3
ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)3
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)3
SAMLKeyInfo (org.apache.wss4j.common.saml.SAMLKeyInfo)3
RequestData (org.apache.wss4j.dom.handler.RequestData)3
Credential (org.apache.wss4j.dom.validate.Credential)3
