
Example 16 with BinarySecurity

use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.

The class AbstractSupportingTokenPolicyValidator, method processKerberosTokens.

/**
 * Process Kerberos tokens found among the BinarySecurityToken results.
 *
 * <p>Every BST result whose token is a {@link KerberosSecurity} is collected,
 * then the signed / encrypted / endorsing checks configured on this validator
 * are applied to that list. When {@code derived} is set and derived-key results
 * are present, the derived key matching each Kerberos token's secret is
 * appended to the list before the endorsing check and the final
 * signed/encrypted policy validation.
 *
 * @param parameters the validation inputs (engine results, signed and
 *                   encrypted results, message, timestamp element)
 * @param derived    whether matching derived-key results should be included
 * @return {@code true} if at least one Kerberos token was found and every
 *         applicable check passed; {@code false} otherwise
 */
protected boolean processKerberosTokens(PolicyValidatorParameters parameters, boolean derived) {
    // No BinarySecurityToken results at all means no Kerberos token was received.
    if (!parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
        return false;
    }
    List<WSSecurityEngineResult> kerberosResults = new ArrayList<>();
    for (WSSecurityEngineResult bstResult : parameters.getResults().getActionResults().get(WSConstants.BST)) {
        BinarySecurity token = (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        if (token instanceof KerberosSecurity) {
            kerberosResults.add(bstResult);
        }
    }
    if (kerberosResults.isEmpty()) {
        return false;
    }
    // The sub-checks are only evaluated when the corresponding policy property is set.
    boolean signedOk = !isSigned()
        || areTokensSigned(kerberosResults, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage());
    if (!signedOk) {
        return false;
    }
    boolean encryptedOk = !isEncrypted()
        || areTokensEncrypted(kerberosResults, parameters.getEncryptedResults());
    if (!encryptedOk) {
        return false;
    }
    if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
        // Collect into a separate list first so the Kerberos list is not modified while iterated.
        List<WSSecurityEngineResult> matchedDerivedKeys = new ArrayList<>(kerberosResults.size());
        for (WSSecurityEngineResult kerberosResult : kerberosResults) {
            byte[] tokenSecret = (byte[]) kerberosResult.get(WSSecurityEngineResult.TAG_SECRET);
            WSSecurityEngineResult derivedKey = getMatchingDerivedKey(tokenSecret, parameters.getResults());
            if (derivedKey != null) {
                matchedDerivedKeys.add(derivedKey);
            }
        }
        kerberosResults.addAll(matchedDerivedKeys);
    }
    boolean endorsingOk = !isEndorsing()
        || checkEndorsed(kerberosResults, parameters.getSignedResults(), parameters.getMessage(), parameters.getTimestampElement());
    if (!endorsingOk) {
        return false;
    }
    return validateSignedEncryptedPolicies(kerberosResults, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage());
}
Also used : KerberosSecurity(org.apache.wss4j.dom.message.token.KerberosSecurity) BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) ArrayList(java.util.ArrayList) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)

Example 17 with BinarySecurity

use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.

The class X509TokenPolicyValidator, method checkTokenType.

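/**
 * Check that at least one received token matches the token type.
 *
 * <p>The required BinarySecurityToken ValueType is derived from {@code tokenType}:
 * the PKI path token types require {@code PKI_VALUETYPE}; all other types require
 * {@code X509_V3_VALUETYPE}, and the two V3 token types additionally require the
 * embedded certificate to be X.509 version 3. If no BST result satisfies the
 * requirement and the required type is X.509 V3, the signed results are scanned
 * for a KeyIdentifier reference whose ValueType is X.509 V3 and whose
 * certificate is version 3.
 *
 * <p>This method only matches the token's declared ValueType and certificate
 * version against the policy assertion; it does not itself verify the
 * certificate's trust chain. A token whose certificate cannot be parsed is
 * logged at FINE and skipped rather than failing the whole check.
 *
 * @param tokenType     the X.509 token type demanded by the policy
 * @param bstResults    BinarySecurityToken results, may be {@code null}
 * @param signedResults signature results; must not be {@code null}
 * @return {@code true} if a token satisfying the required type was found
 */
private boolean checkTokenType(TokenType tokenType, List<WSSecurityEngineResult> bstResults, List<WSSecurityEngineResult> signedResults) {
    if ((bstResults == null || bstResults.isEmpty()) && signedResults.isEmpty()) {
        return false;
    }
    String requiredType = X509_V3_VALUETYPE;
    boolean v3certRequired = false;
    if (tokenType == TokenType.WssX509PkiPathV1Token10 || tokenType == TokenType.WssX509PkiPathV1Token11) {
        requiredType = PKI_VALUETYPE;
    } else if (tokenType == TokenType.WssX509V3Token10 || tokenType == TokenType.WssX509V3Token11) {
        v3certRequired = true;
    }
    if (bstResults != null) {
        for (WSSecurityEngineResult result : bstResults) {
            BinarySecurity binarySecurityToken = (BinarySecurity) result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (binarySecurityToken == null || !requiredType.equals(binarySecurityToken.getValueType())) {
                continue;
            }
            // Only the V3 token types inspect the certificate, and only when the token is an
            // X509Security; any other token of the required ValueType is accepted as-is.
            if (!v3certRequired
                || !(binarySecurityToken instanceof X509Security)
                || isVersion3Certificate((X509Security) binarySecurityToken)) {
                return true;
            }
        }
    }
    // Maybe the X.509 token was included as a KeyIdentifier
    if (X509_V3_VALUETYPE.equals(requiredType)) {
        for (WSSecurityEngineResult result : signedResults) {
            STRParser.REFERENCE_TYPE referenceType = (STRParser.REFERENCE_TYPE) result.get(WSSecurityEngineResult.TAG_X509_REFERENCE_TYPE);
            if (STRParser.REFERENCE_TYPE.KEY_IDENTIFIER != referenceType) {
                continue;
            }
            Element signatureElement = (Element) result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
            Element keyIdentifier = getKeyIdentifier(signatureElement);
            if (keyIdentifier != null && X509_V3_VALUETYPE.equals(keyIdentifier.getAttributeNS(null, "ValueType"))) {
                try {
                    // NOTE(review): BSPEnforcer(true) is passed as in the original; confirm which BSP
                    // behaviour that flag selects for this reconstruction.
                    X509Security token = new X509Security(keyIdentifier, new BSPEnforcer(true));
                    if (isVersion3Certificate(token)) {
                        return true;
                    }
                } catch (WSSecurityException e) {
                    // Keep the exception attached so the cause is visible at FINE, not just the message.
                    LOG.log(Level.FINE, e.getMessage(), e);
                }
            }
        }
    }
    return false;
}

/**
 * Return whether the certificate carried by {@code token} is X.509 version 3.
 *
 * <p>A token whose certificate cannot be extracted is logged at FINE (with the
 * exception attached) and reported as not version 3.
 *
 * @param token the X.509 token to inspect
 * @return {@code true} if a certificate is present and its version is 3
 */
private boolean isVersion3Certificate(X509Security token) {
    try {
        X509Certificate cert = token.getX509Certificate(null);
        return cert != null && cert.getVersion() == 3;
    } catch (WSSecurityException e) {
        LOG.log(Level.FINE, e.getMessage(), e);
        return false;
    }
}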
Also used : STRParser(org.apache.wss4j.dom.str.STRParser) BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) Element(org.w3c.dom.Element) BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) X509Security(org.apache.wss4j.common.token.X509Security) X509Certificate(java.security.cert.X509Certificate)

Example 18 with BinarySecurity

use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.

The class DummyTokenProvider, method createToken.

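/**
 * Create a dummy BinarySecurityToken for test purposes.
 *
 * <p>The token has a fixed id ({@code BST-1234}), the provider's
 * {@code TOKEN_TYPE} value type, base64 encoding and a fixed, non-secret
 * payload. When the request asks for an encrypted token, the BST element is
 * encrypted via {@code TokenProviderUtils.encryptToken} before being returned.
 *
 * @param tokenParameters the token request; {@code isEncryptToken()} selects
 *                        whether the returned element is encrypted
 * @return the response carrying the token element and its id
 * @throws STSException wrapping any failure while building or encrypting the token
 */
public TokenProviderResponse createToken(TokenProviderParameters tokenParameters) {
    try {
        Document doc = DOMUtils.getEmptyDocument();
        // Mock up a dummy BinarySecurityToken
        String id = "BST-1234";
        BinarySecurity bst = new BinarySecurity(doc);
        bst.addWSSENamespace();
        bst.addWSUNamespace();
        bst.setID(id);
        bst.setValueType(TOKEN_TYPE);
        bst.setEncodingType(BASE64_NS);
        // Explicit charset: a bare getBytes() uses the platform default encoding on JDKs before 18.
        bst.setToken("12345678".getBytes(java.nio.charset.StandardCharsets.UTF_8));
        TokenProviderResponse response = new TokenProviderResponse();
        response.setTokenId(id);
        // Set the token element once, after deciding whether it needs to be encrypted.
        Element tokenElement = bst.getElement();
        if (tokenParameters.isEncryptToken()) {
            tokenElement = TokenProviderUtils.encryptToken(bst.getElement(), response.getTokenId(), tokenParameters.getStsProperties(), tokenParameters.getEncryptionProperties(), tokenParameters.getKeyRequirements(), tokenParameters.getMessageContext());
        }
        response.setToken(tokenElement);
        return response;
    } catch (Exception e) {
        // Message names the actual artefact; the previous text referred to a SAML assertion.
        throw new STSException("Can't create dummy BinarySecurityToken", e, STSException.REQUEST_FAILED);
    }
}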
Also used : BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) Element(org.w3c.dom.Element) STSException(org.apache.cxf.ws.security.sts.provider.STSException) TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse) Document(org.w3c.dom.Document) STSException(org.apache.cxf.ws.security.sts.provider.STSException)
