Search in sources :

Example 11 with BinarySecurity

use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.

the class X509TokenValidator method validateToken.

/**
 * Validate a Token using the given TokenValidatorParameters.
 */
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    LOG.fine("Validating X.509 Token");
    STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
    CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
    // See CXF-4028
    Crypto crypto = stsProperties.getEncryptionCrypto();
    if (crypto == null) {
        crypto = stsProperties.getSignatureCrypto();
    }
    RequestData requestData = new RequestData();
    requestData.setSigVerCrypto(crypto);
    requestData.setWssConfig(WSSConfig.getNewInstance());
    requestData.setCallbackHandler(callbackHandler);
    requestData.setMsgContext(tokenParameters.getMessageContext());
    requestData.setSubjectCertConstraints(certConstraints.getCompiledSubjectContraints());
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    validateTarget.setState(STATE.INVALID);
    response.setToken(validateTarget);
    final BinarySecurity binarySecurity;
    if (validateTarget.isBinarySecurityToken()) {
        BinarySecurityTokenType binarySecurityType = (BinarySecurityTokenType) validateTarget.getToken();
        // Test the encoding type
        String encodingType = binarySecurityType.getEncodingType();
        if (!BASE64_ENCODING.equals(encodingType)) {
            LOG.fine("Bad encoding type attribute specified: " + encodingType);
            return response;
        }
        // 
        // Turn the received JAXB object into a DOM element
        // 
        Document doc = DOMUtils.getEmptyDocument();
        binarySecurity = new X509Security(doc);
        binarySecurity.setEncodingType(encodingType);
        binarySecurity.setValueType(binarySecurityType.getValueType());
        String data = binarySecurityType.getValue();
        Node textNode = doc.createTextNode(data);
        binarySecurity.getElement().appendChild(textNode);
    } else if (validateTarget.isDOMElement()) {
        try {
            Document doc = DOMUtils.getEmptyDocument();
            binarySecurity = new X509Security(doc);
            binarySecurity.setEncodingType(BASE64_ENCODING);
            X509Data x509Data = new X509Data((Element) validateTarget.getToken(), "");
            if (x509Data.containsCertificate()) {
                X509Certificate cert = x509Data.itemCertificate(0).getX509Certificate();
                ((X509Security) binarySecurity).setX509Certificate(cert);
            }
        } catch (XMLSecurityException ex) {
            LOG.log(Level.WARNING, "", ex);
            return response;
        }
    } else {
        return response;
    }
    // 
    try {
        Credential credential = new Credential();
        credential.setBinarySecurityToken(binarySecurity);
        if (crypto != null) {
            X509Certificate cert = ((X509Security) binarySecurity).getX509Certificate(crypto);
            credential.setCertificates(new X509Certificate[] { cert });
        }
        Credential returnedCredential = validator.validate(credential, requestData);
        Principal principal = returnedCredential.getPrincipal();
        if (principal == null) {
            principal = returnedCredential.getCertificates()[0].getSubjectX500Principal();
        }
        response.setPrincipal(principal);
        validateTarget.setState(STATE.VALID);
        LOG.fine("X.509 Token successfully validated");
    } catch (WSSecurityException ex) {
        LOG.log(Level.WARNING, "", ex);
    }
    return response;
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) Credential(org.apache.wss4j.dom.validate.Credential) BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) Node(org.w3c.dom.Node) Element(org.w3c.dom.Element) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Document(org.w3c.dom.Document) X509Data(org.apache.xml.security.keys.content.X509Data) X509Certificate(java.security.cert.X509Certificate) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) RequestData(org.apache.wss4j.dom.handler.RequestData) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) X509Security(org.apache.wss4j.common.token.X509Security) Principal(java.security.Principal)

Example 12 with BinarySecurity

use of org.apache.wss4j.common.token.BinarySecurity in project ddf by codice.

the class X509PathTokenValidator method validateToken.

/**
     * Validate a Token using the given TokenValidatorParameters.
     *
     * @param tokenParameters
     * @return TokenValidatorResponse
     */
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    LOGGER.trace("Validating X.509 Token");
    STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
    Crypto sigCrypto = stsProperties.getSignatureCrypto();
    CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
    RequestData requestData = new RequestData();
    requestData.setSigVerCrypto(sigCrypto);
    requestData.setWssConfig(WSSConfig.getNewInstance());
    requestData.setCallbackHandler(callbackHandler);
    requestData.setMsgContext(tokenParameters.getMessageContext());
    requestData.setSubjectCertConstraints(certConstraints.getCompiledSubjectContraints());
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    validateTarget.setState(STATE.INVALID);
    response.setToken(validateTarget);
    BinarySecurity binarySecurity = null;
    BinarySecurityTokenType binarySecurityType = null;
    if (validateTarget.isBinarySecurityToken()) {
        binarySecurityType = (BinarySecurityTokenType) validateTarget.getToken();
        // Test the encoding type
        String encodingType = binarySecurityType.getEncodingType();
        if (!BASE64_ENCODING.equals(encodingType)) {
            LOGGER.trace("Bad encoding type attribute specified: {}", encodingType);
            return response;
        }
        //
        // Turn the received JAXB object into a DOM element
        //
        Document doc = DOMUtils.createDocument();
        binarySecurity = new X509Security(doc);
        binarySecurity.setEncodingType(encodingType);
        binarySecurity.setValueType(binarySecurityType.getValueType());
        String data = binarySecurityType.getValue();
        Node textNode = doc.createTextNode(data);
        binarySecurity.getElement().appendChild(textNode);
    } else if (validateTarget.isDOMElement()) {
        try {
            Document doc = DOMUtils.createDocument();
            binarySecurity = new X509Security(doc);
            binarySecurity.setEncodingType(BASE64_ENCODING);
            X509Data x509Data = new X509Data((Element) validateTarget.getToken(), "");
            if (x509Data.containsCertificate()) {
                XMLX509Certificate xmlx509Certificate = x509Data.itemCertificate(0);
                if (xmlx509Certificate == null) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN);
                }
                X509Certificate cert = xmlx509Certificate.getX509Certificate();
                ((X509Security) binarySecurity).setX509Certificate(cert);
            }
        } catch (WSSecurityException ex) {
            LOGGER.debug("Unable to set certificate", ex);
            return response;
        } catch (XMLSecurityException ex) {
            LOGGER.debug("Unable to get certificates", ex);
            return response;
        }
    } else {
        return response;
    }
    //
    try {
        Credential credential = new Credential();
        credential.setBinarySecurityToken(binarySecurity);
        if (merlin != null) {
            byte[] token = binarySecurity.getToken();
            if (token != null) {
                if (binarySecurityType != null) {
                    if (binarySecurityType.getValueType().equals(X509_PKI_PATH)) {
                        X509Certificate[] certificates = merlin.getCertificatesFromBytes(token);
                        if (certificates != null) {
                            credential.setCertificates(certificates);
                        }
                    } else {
                        X509Certificate singleCert = merlin.loadCertificate(new ByteArrayInputStream(token));
                        credential.setCertificates(new X509Certificate[] { singleCert });
                    }
                }
            } else {
                LOGGER.debug("Binary Security Token bytes were null.");
            }
        }
        Credential returnedCredential = validator.validate(credential, requestData);
        X500Principal subjectX500Principal = returnedCredential.getCertificates()[0].getSubjectX500Principal();
        response.setPrincipal(subjectX500Principal);
        if (response.getAdditionalProperties() == null) {
            response.setAdditionalProperties(new HashMap<>());
        }
        try {
            String emailAddress = SubjectUtils.getEmailAddress(subjectX500Principal);
            if (emailAddress != null) {
                response.getAdditionalProperties().put(SubjectUtils.EMAIL_ADDRESS_CLAIM_URI, emailAddress);
            }
            String country = SubjectUtils.getCountry(subjectX500Principal);
            if (country != null) {
                response.getAdditionalProperties().put(SubjectUtils.COUNTRY_CLAIM_URI, country);
            }
        } catch (Exception e) {
            LOGGER.debug("Unable to set email address or country from certificate.", e);
        }
        validateTarget.setState(STATE.VALID);
        validateTarget.setPrincipal(subjectX500Principal);
    } catch (WSSecurityException ex) {
        LOGGER.debug("Unable to validate credentials.", ex);
    }
    return response;
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) Node(org.w3c.dom.Node) Element(org.w3c.dom.Element) Document(org.w3c.dom.Document) X509Data(org.apache.xml.security.keys.content.X509Data) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) RequestData(org.apache.wss4j.dom.handler.RequestData) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) X509Security(org.apache.wss4j.common.token.X509Security) Credential(org.apache.wss4j.dom.validate.Credential) BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) X509Certificate(java.security.cert.X509Certificate) XMLX509Certificate(org.apache.xml.security.keys.content.x509.XMLX509Certificate) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) IOException(java.io.IOException) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) XMLX509Certificate(org.apache.xml.security.keys.content.x509.XMLX509Certificate) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) ByteArrayInputStream(java.io.ByteArrayInputStream) X500Principal(javax.security.auth.x500.X500Principal) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)

Example 13 with BinarySecurity

use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.

the class BinarySecurityTokenTest method testBinarySecurityToken.

@org.junit.Test
public void testBinarySecurityToken() throws Exception {
    SpringBusFactory bf = new SpringBusFactory();
    URL busFile = BinarySecurityTokenTest.class.getResource("client.xml");
    Bus bus = bf.createBus(busFile.toString());
    BusFactory.setDefaultBus(bus);
    BusFactory.setThreadDefaultBus(bus);
    URL wsdl = BinarySecurityTokenTest.class.getResource("DoubleItTokens.wsdl");
    Service service = Service.create(wsdl, SERVICE_QNAME);
    // Successful invocation
    QName portQName = new QName(NAMESPACE, "DoubleItBinarySecurityTokenPort");
    DoubleItPortType port = service.getPort(portQName, DoubleItPortType.class);
    updateAddressPort(port, PORT);
    // Mock up a BinarySecurityToken to add
    SecurityToken securityToken = new SecurityToken();
    securityToken.setId("_" + UUID.randomUUID().toString());
    Document doc = DOMUtils.newDocument();
    BinarySecurity binarySecurity = new BinarySecurity(doc);
    binarySecurity.setValueType("http://custom-value-type");
    binarySecurity.setToken("This is a token".getBytes());
    securityToken.setToken(binarySecurity.getElement());
    ((BindingProvider) port).getRequestContext().put(SecurityConstants.TOKEN, securityToken);
    assertEquals(50, port.doubleIt(25));
    ((java.io.Closeable) port).close();
    bus.shutdown(true);
}
Also used : SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) Bus(org.apache.cxf.Bus) SpringBusFactory(org.apache.cxf.bus.spring.SpringBusFactory) BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) QName(javax.xml.namespace.QName) Service(javax.xml.ws.Service) DoubleItPortType(org.example.contract.doubleit.DoubleItPortType) Document(org.w3c.dom.Document) URL(java.net.URL)

Example 14 with BinarySecurity

use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.

the class IssuedTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    List<WSSecurityEngineResult> samlResults = parameters.getSamlResults();
    if (samlResults != null) {
        for (WSSecurityEngineResult samlResult : samlResults) {
            SamlAssertionWrapper samlAssertion = (SamlAssertionWrapper) samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (validateSAMLToken(parameters, samlAssertion, ais)) {
                // Store token on the security context
                SecurityToken token = createSecurityToken(samlAssertion);
                parameters.getMessage().getExchange().put(SecurityConstants.TOKEN, token);
                return;
            }
        }
    }
    List<WSSecurityEngineResult> bstResults = parameters.getResults().getActionResults().get(WSConstants.BST);
    if (bstResults != null) {
        for (WSSecurityEngineResult bstResult : bstResults) {
            BinarySecurity binarySecurity = (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (Boolean.TRUE.equals(bstResult.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN)) && validateBinarySecurityToken(parameters, binarySecurity, ais)) {
                // Store token on the security context
                SecurityToken token = createSecurityToken(binarySecurity);
                parameters.getMessage().getExchange().put(SecurityConstants.TOKEN, token);
                return;
            }
        }
    }
}
Also used : SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)

Example 15 with BinarySecurity

use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.

the class LayoutPolicyValidator method findCorrespondingTokenIndex.

/**
 * Find the index of the token corresponding to either the X509Certificate or PublicKey used
 * to sign the "signatureResult" argument.
 */
private int findCorrespondingTokenIndex(WSSecurityEngineResult signatureResult, List<WSSecurityEngineResult> results) {
    // See what was used to sign this result
    X509Certificate cert = (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    PublicKey publicKey = (PublicKey) signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
    for (int i = 0; i < results.size(); i++) {
        WSSecurityEngineResult token = results.get(i);
        Integer actInt = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
        if (actInt == WSConstants.SIGN) {
            continue;
        }
        BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        PublicKey foundPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
        if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
            X509Certificate foundCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            if (foundCert.equals(cert)) {
                return i;
            }
        } else if (actInt.intValue() == WSConstants.ST_SIGNED || actInt.intValue() == WSConstants.ST_UNSIGNED) {
            SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
            if (samlKeyInfo != null) {
                X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
                PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
                if ((cert != null && subjectCerts != null && cert.equals(subjectCerts[0])) || (subjectPublicKey != null && subjectPublicKey.equals(publicKey))) {
                    return i;
                }
            }
        } else if (publicKey != null && publicKey.equals(foundPublicKey)) {
            return i;
        }
    }
    return -1;
}
Also used : BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) PublicKey(java.security.PublicKey) PKIPathSecurity(org.apache.wss4j.common.token.PKIPathSecurity) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) X509Certificate(java.security.cert.X509Certificate) X509Security(org.apache.wss4j.common.token.X509Security)

Aggregations

BinarySecurity (org.apache.wss4j.common.token.BinarySecurity)18 X509Security (org.apache.wss4j.common.token.X509Security)11 X509Certificate (java.security.cert.X509Certificate)9 WSSecurityEngineResult (org.apache.wss4j.dom.engine.WSSecurityEngineResult)8 Document (org.w3c.dom.Document)8 Crypto (org.apache.wss4j.common.crypto.Crypto)5 SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)5 Element (org.w3c.dom.Element)5 BinarySecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType)4 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)4 PKIPathSecurity (org.apache.wss4j.common.token.PKIPathSecurity)4 Node (org.w3c.dom.Node)4 PublicKey (java.security.PublicKey)3 CallbackHandler (javax.security.auth.callback.CallbackHandler)3 STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)3 ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)3 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)3 SAMLKeyInfo (org.apache.wss4j.common.saml.SAMLKeyInfo)3 RequestData (org.apache.wss4j.dom.handler.RequestData)3 Credential (org.apache.wss4j.dom.validate.Credential)3