
Example 6 with BinarySecurity

use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.

the class AbstractSupportingTokenPolicyValidator method processX509Tokens.

/**
 * Validate the X.509 BinarySecurityTokens received in the security header against this
 * supporting-token policy.
 *
 * <p>Only BST results carrying an {@link X509Security} or {@link PKIPathSecurity} token are
 * considered. The policy's signed / encrypted / endorsing requirements are then checked in
 * turn; when {@code derived} is set and DerivedKeyToken results are present, the derived
 * tokens built on these X.509 tokens take part in the endorsing and signed/encrypted-parts
 * checks as well.
 *
 * @param parameters the security processing results and message for the current request
 * @param derived whether DerivedKeyTokens based on the X.509 tokens should also be considered
 * @return {@code true} when at least one matching token was found and every applicable check
 *         passed, {@code false} otherwise
 */
protected boolean processX509Tokens(PolicyValidatorParameters parameters, boolean derived) {
    List<WSSecurityEngineResult> x509Results = new ArrayList<>();
    if (parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
        for (WSSecurityEngineResult bstResult
            : parameters.getResults().getActionResults().get(WSConstants.BST)) {
            BinarySecurity token =
                (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            // Only certificate and PKIPath tokens count as X.509 tokens for this check
            if (token instanceof X509Security || token instanceof PKIPathSecurity) {
                x509Results.add(bstResult);
            }
        }
    }
    if (x509Results.isEmpty()) {
        return false;
    }

    if (isSigned()) {
        boolean signed = areTokensSigned(x509Results, parameters.getSignedResults(),
                                         parameters.getEncryptedResults(), parameters.getMessage());
        if (!signed) {
            return false;
        }
    }
    if (isEncrypted()) {
        boolean encrypted = areTokensEncrypted(x509Results, parameters.getEncryptedResults());
        if (!encrypted) {
            return false;
        }
    }

    // Derived keys based on these tokens are treated as the same token for the remaining checks
    if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
        List<WSSecurityEngineResult> derivedResults = new ArrayList<>(x509Results.size());
        for (WSSecurityEngineResult x509Result : x509Results) {
            WSSecurityEngineResult derivedResult =
                processX509DerivedTokenResult(x509Result, parameters.getResults());
            if (derivedResult != null) {
                derivedResults.add(derivedResult);
            }
        }
        x509Results.addAll(derivedResults);
    }

    if (isEndorsing()) {
        boolean endorsed = checkEndorsed(x509Results, parameters.getSignedResults(),
                                         parameters.getMessage(), parameters.getTimestampElement());
        if (!endorsed) {
            return false;
        }
    }
    return validateSignedEncryptedPolicies(x509Results, parameters.getSignedResults(),
                                           parameters.getEncryptedResults(), parameters.getMessage());
}

Example 7 with BinarySecurity

use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.

the class DoubleItBSTImpl method doubleIt.

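/**
 * Doubles the given number, after asserting that the inbound message carried a
 * BinarySecurityToken whose raw content is the bytes of {@code "This is a token"}.
 *
 * @param numberToDouble the value to double; zero is rejected
 * @return {@code numberToDouble * 2}
 * @throws DoubleItFault if {@code numberToDouble} is zero
 */
public int doubleIt(int numberToDouble) throws DoubleItFault {
    if (numberToDouble == 0) {
        throw new DoubleItFault("0 can't be doubled!");
    }
    // Results of inbound security processing are published on the message context
    // under RECV_RESULTS; the first handler result's first engine result is the BST.
    List<WSHandlerResult> results = CastUtils.cast((List<?>) wsContext.getMessageContext().get(WSHandlerConstants.RECV_RESULTS));
    Assert.assertNotNull("Security Results cannot be null", results);
    Assert.assertFalse(results.isEmpty());
    WSHandlerResult result = results.get(0);
    List<WSSecurityEngineResult> securityResults = result.getResults();
    Assert.assertNotNull("Security Results cannot be null", securityResults);
    Assert.assertFalse(securityResults.isEmpty());
    WSSecurityEngineResult securityResult = securityResults.get(0);
    BinarySecurity binarySecurityToken = (BinarySecurity) securityResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
    Assert.assertNotNull(binarySecurityToken);
    // Expected value first so a mismatch is reported the right way round, and a fixed
    // charset so the comparison does not depend on the platform default encoding.
    Assert.assertArrayEquals("This is a token".getBytes(java.nio.charset.StandardCharsets.UTF_8),
                             binarySecurityToken.getToken());
    return numberToDouble * 2;
}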

Example 8 with BinarySecurity

use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.

the class CustomBSTTokenProvider method createToken.

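/**
 * Creates a mock BinarySecurityToken with a fixed id ({@code BST-1234}) and fixed content
 * ({@code 12345678}), wrapped in a {@link TokenProviderResponse}.
 *
 * @param tokenParameters the request parameters; not consulted by this mock provider
 * @return a response carrying the BST element and its id
 * @throws STSException if building the token element fails; the original exception is
 *         attached as the cause
 */
public TokenProviderResponse createToken(TokenProviderParameters tokenParameters) {
    try {
        Document doc = DOMUtils.getEmptyDocument();
        // Mock up a BinarySecurityToken
        String id = "BST-1234";
        BinarySecurity bst = new BinarySecurity(doc);
        bst.addWSSENamespace();
        bst.addWSUNamespace();
        bst.setID(id);
        bst.setValueType(TOKEN_TYPE);
        bst.setEncodingType(BASE64_NS);
        // Explicit charset so the token bytes do not depend on the platform default encoding
        bst.setToken("12345678".getBytes(java.nio.charset.StandardCharsets.UTF_8));
        TokenProviderResponse response = new TokenProviderResponse();
        response.setToken(bst.getElement());
        response.setTokenId(id);
        return response;
    } catch (Exception e) {
        // The cause travels with the STSException; no separate stack-trace dump to stderr
        throw new STSException("Can't create BinarySecurityToken", e, STSException.REQUEST_FAILED);
    }
}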

Example 9 with BinarySecurity

use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.

the class AbstractBindingBuilder method addSignatureParts.

/**
 * Builds a {@link WSEncryptionPart} for each supporting token and appends it to
 * {@code sigParts}, so that the tokens themselves are covered by the message signature.
 *
 * <p>A token is normally referenced by its own id and element. For SAML key-identifier
 * references and for SAML assertions (when {@code SecurityConstants.USE_STR_TRANSFORM}
 * is enabled, the default) a cloned {@code SecurityTokenReference} is added as a
 * supporting element instead and the part is marked {@code "STRTransform"}. Token
 * implementations not handled here cause the policy to be unasserted.
 *
 * @param tokenList the supporting tokens whose implementations are inspected
 * @param sigParts the list of parts to sign; one entry is added per handled token
 */
protected void addSignatureParts(List<SupportingToken> tokenList, List<WSEncryptionPart> sigParts) {
    boolean useSTRTransform = MessageUtils.getContextualBoolean(message, SecurityConstants.USE_STR_TRANSFORM, true);
    for (SupportingToken supportingToken : tokenList) {
        Object tempTok = supportingToken.getTokenImplementation();
        WSEncryptionPart part = null;
        if (tempTok instanceof WSSecSignature) {
            WSSecSignature tempSig = (WSSecSignature) tempTok;
            SecurityTokenReference secRef = tempSig.getSecurityTokenReference();
            // A SAML key identifier cannot be signed directly: sign a clone of the STR instead
            if (WSS4JConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()) || WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) {
                Element secRefElement = cloneElement(secRef.getElement());
                addSupportingElement(secRefElement);
                part = new WSEncryptionPart("STRTransform", null, "Element");
                part.setId(tempSig.getSecurityTokenReferenceURI());
                part.setElement(secRefElement);
            } else {
                // Otherwise sign the BST carried with the signature, if there is one
                if (tempSig.getBSTTokenId() != null) {
                    part = new WSEncryptionPart(tempSig.getBSTTokenId());
                    part.setElement(tempSig.getBinarySecurityTokenElement());
                }
            }
        } else if (tempTok instanceof WSSecUsernameToken) {
            WSSecUsernameToken unt = (WSSecUsernameToken) tempTok;
            part = new WSEncryptionPart(unt.getId());
            part.setElement(unt.getUsernameTokenElement());
        } else if (tempTok instanceof BinarySecurity) {
            BinarySecurity bst = (BinarySecurity) tempTok;
            part = new WSEncryptionPart(bst.getID());
            part.setElement(bst.getElement());
        } else if (tempTok instanceof SamlAssertionWrapper) {
            SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) tempTok;
            Document doc = assertionWrapper.getElement().getOwnerDocument();
            boolean saml1 = assertionWrapper.getSaml1() != null;
            if (useSTRTransform) {
                // TODO We only support using a KeyIdentifier for the moment
                SecurityTokenReference secRef = createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false);
                Element clone = cloneElement(secRef.getElement());
                addSupportingElement(clone);
                part = new WSEncryptionPart("STRTransform", null, "Element");
                part.setId(secRef.getID());
                part.setElement(clone);
            } else {
                part = new WSEncryptionPart(assertionWrapper.getId());
                part.setElement(assertionWrapper.getElement());
            }
        } else if (tempTok instanceof WSSecurityTokenHolder) {
            SecurityToken token = ((WSSecurityTokenHolder) tempTok).getToken();
            String tokenType = token.getTokenType();
            // A stored SAML token (SAML 1.1 or 2.0, by token type or namespace) is
            // treated like an assertion; anything else is signed by its reference id
            if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType) || WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
                Document doc = token.getToken().getOwnerDocument();
                boolean saml1 = WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType);
                String id = token.getId();
                // Fall back to the assertion's own id attribute when the stored token has none
                if (id == null || "".equals(id)) {
                    if (saml1) {
                        id = token.getToken().getAttributeNS(null, "AssertionID");
                    } else {
                        id = token.getToken().getAttributeNS(null, "ID");
                    }
                }
                if (useSTRTransform) {
                    SecurityTokenReference secRef = createSTRForSamlAssertion(doc, id, saml1, false);
                    Element clone = cloneElement(secRef.getElement());
                    addSupportingElement(clone);
                    part = new WSEncryptionPart("STRTransform", null, "Element");
                    part.setId(secRef.getID());
                    part.setElement(clone);
                } else {
                    part = new WSEncryptionPart(id);
                    part.setElement(token.getToken());
                }
            } else {
                String id = XMLUtils.getIDFromReference(token.getId());
                part = new WSEncryptionPart(id);
                part.setElement(token.getToken());
            }
        } else {
            unassertPolicy(supportingToken.getToken(), "UnsupportedTokenInSupportingToken: " + tempTok);
        }
        if (part != null) {
            sigParts.add(part);
        }
    }
}

Example 10 with BinarySecurity

use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.

the class AbstractBindingBuilder method getEncryptedKeyBuilder.

/**
 * Prepares a {@link WSSecEncryptedKey} that wraps {@code symmetricKey} for the recipient
 * identified by the encryption token, using the binding's asymmetric key-wrap and MGF
 * algorithms.
 *
 * <p>If the token is an {@code X509Token} whose IncludeToken setting is not "Never" and
 * the key is not already referenced by a direct BST reference, the encryption certificate
 * is additionally placed in the security header as an X.509 BinarySecurityToken and
 * remembered in {@code bstElement}.
 *
 * @param token the policy token describing how the encryption key is referenced
 * @param symmetricKey the symmetric key to wrap
 * @return the prepared EncryptedKey builder
 * @throws WSSecurityException if preparing the EncryptedKey fails
 */
protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token, SecretKey symmetricKey) throws WSSecurityException {
    WSSecEncryptedKey encryptedKey = new WSSecEncryptedKey(secHeader);
    encryptedKey.setIdAllocator(wssConfig.getIdAllocator());
    encryptedKey.setCallbackLookup(callbackLookup);
    encryptedKey.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
    encryptedKey.setStoreBytesInAttachment(storeBytesInAttachment);

    Crypto encryptionCrypto = getEncryptionCrypto();
    message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, encryptionCrypto);
    setKeyIdentifierType(encryptedKey, token);

    // Inclusion requirement: carry the X.509 token in the header unless the policy says
    // never, or the key identifier already references the BST directly.
    final boolean includeTokenInHeader = token instanceof X509Token
        && token.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER
        && encryptedKey.getKeyIdentifierType() != WSConstants.BST_DIRECT_REFERENCE;

    String encryptionUser = setEncryptionUser(encryptedKey, token, false, encryptionCrypto);
    AlgorithmSuiteType suiteType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
    encryptedKey.setKeyEncAlgo(suiteType.getAsymmetricKeyWrap());
    encryptedKey.setMGFAlgorithm(suiteType.getMGFAlgo());
    encryptedKey.prepare(encryptionCrypto, symmetricKey);

    if (includeTokenInHeader) {
        X509Certificate certificate = getEncryptCert(encryptionCrypto, encryptionUser);
        X509Security x509Token = new X509Security(saaj.getSOAPPart());
        x509Token.setX509Certificate(certificate);
        x509Token.addWSUNamespace();
        x509Token.setID(wssConfig.getIdAllocator().createSecureId("X509-", certificate));
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeaderElement(), x509Token.getElement());
        bstElement = x509Token.getElement();
    }
    return encryptedKey;
}
