
Example 1 with PKIPathSecurity

use of org.apache.wss4j.common.token.PKIPathSecurity in project cxf by apache.

In class DefaultWSS4JSecurityContextCreator, method skipResult:

/**
 * Decide whether a WSS4J engine result is to be left out of the security context.
 *
 * <p>Two kinds of result are skipped: a BinarySecurityToken result whose token is an
 * X509Security or PKIPathSecurity, and a signature result that carries neither a public key
 * nor an X.509 certificate.
 *
 * @param resultPriority the WSS4J action code of the result (e.g. {@code WSConstants.BST});
 *                       it is unboxed for comparison, so it must not be {@code null}
 * @param result the engine result the action code belongs to
 * @return {@code true} when the result should be skipped
 */
private boolean skipResult(Integer resultPriority, WSSecurityEngineResult result) {
    Object bstToken = result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
    PublicKey resultKey = (PublicKey) result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
    X509Certificate resultCert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);

    boolean x509BinaryToken = resultPriority == WSConstants.BST
        && (bstToken instanceof X509Security || bstToken instanceof PKIPathSecurity);
    if (x509BinaryToken) {
        return true;
    }
    // A signature result with no asymmetric credential attached is skipped as well.
    boolean signatureWithoutAsymmetricCredential = resultPriority == WSConstants.SIGN
        && resultKey == null
        && resultCert == null;
    return signatureWithoutAsymmetricCredential;
}

Example 2 with PKIPathSecurity

use of org.apache.wss4j.common.token.PKIPathSecurity in project cxf by apache.

In class AbstractBindingPolicyValidator, method findCorrespondingToken:

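/**
 * Find the token result whose credential was used to produce {@code signatureResult}.
 *
 * <p>The certificate and public key recorded on the signature result are compared against each
 * candidate token by whichever credential WSS4J stored for it: the certificate of an X509 or
 * PKIPath BinarySecurityToken, the subject certificate or public key of a SAML assertion
 * (signed or unsigned), and otherwise a bare public key. Candidates that are themselves
 * signature results are ignored.
 *
 * @param signatureResult the signature result whose signing token is wanted
 * @param results the candidate token results, in the order they should be searched
 * @return the first matching token result, or {@code null} if none matches
 */
private WSSecurityEngineResult findCorrespondingToken(WSSecurityEngineResult signatureResult, List<WSSecurityEngineResult> results) {
    // See what was used to sign this result
    X509Certificate cert = (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    PublicKey publicKey = (PublicKey) signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
    for (WSSecurityEngineResult token : results) {
        Integer actInt = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
        // Unboxed comparison: a result with no action would NPE here (unchanged behaviour).
        if (actInt == WSConstants.SIGN) {
            continue;
        }
        BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        PublicKey foundPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
        if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
            X509Certificate foundCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            // A BST result without a certificate is a non-match rather than an NPE.
            if (foundCert != null && foundCert.equals(cert)) {
                return token;
            }
        } else if (actInt.intValue() == WSConstants.ST_SIGNED || actInt.intValue() == WSConstants.ST_UNSIGNED) {
            SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
            if (samlKeyInfo != null) {
                X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
                PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
                // Only the first entry of the subject cert array is compared; an empty array
                // used to throw ArrayIndexOutOfBoundsException instead of simply not matching.
                boolean certMatches = cert != null && subjectCerts != null && subjectCerts.length > 0
                    && cert.equals(subjectCerts[0]);
                boolean keyMatches = subjectPublicKey != null && subjectPublicKey.equals(publicKey);
                if (certMatches || keyMatches) {
                    return token;
                }
            }
        } else if (publicKey != null && publicKey.equals(foundPublicKey)) {
            return token;
        }
    }
    return null;
}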

Example 3 with PKIPathSecurity

use of org.apache.wss4j.common.token.PKIPathSecurity in project cxf by apache.

In class AbstractSupportingTokenPolicyValidator, method checkSignatureOrEncryptionResult:

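/**
 * Check that the credential which produced a signature or encryption result is also the
 * credential of one of the given token results.
 *
 * <p>The result's certificate, secret bytes and public key are read first. Each token is then
 * compared by whichever credential WSS4J recorded for it: the certificate of an X509 or PKIPath
 * BinarySecurityToken; the subject certificate, secret or public key of a SAML assertion (signed
 * or unsigned); a bare public key when the result carries one; otherwise the token's secret or
 * the bytes stored under {@code TAG_ENCRYPTED_EPHEMERAL_KEY}.
 *
 * @param result a WSSecurityEngineResult corresponding to a signature or encryption
 * @param tokenResult the WSSecurityEngineResults corresponding to tokens
 * @return {@code true} if some token in {@code tokenResult} carries the same credential
 */
private boolean checkSignatureOrEncryptionResult(WSSecurityEngineResult result, List<WSSecurityEngineResult> tokenResult) {
    // See what was used to sign/encrypt this result
    X509Certificate cert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    byte[] secret = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);
    PublicKey publicKey = (PublicKey) result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
    // Now see if the same credential exists in the tokenResult list
    for (WSSecurityEngineResult token : tokenResult) {
        Integer actInt = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
        BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
            X509Certificate foundCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            // A BST result without a certificate is a non-match rather than an NPE.
            if (foundCert != null && foundCert.equals(cert)) {
                return true;
            }
        } else if (actInt.intValue() == WSConstants.ST_SIGNED || actInt.intValue() == WSConstants.ST_UNSIGNED) {
            SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
            if (samlKeyInfo != null) {
                X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
                byte[] subjectSecretKey = samlKeyInfo.getSecret();
                PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
                // Only the first entry of the subject cert array is compared; an empty array
                // used to throw ArrayIndexOutOfBoundsException instead of simply not matching.
                boolean certMatches = cert != null && subjectCerts != null && subjectCerts.length > 0
                    && cert.equals(subjectCerts[0]);
                // NOTE(review): Arrays.equals is not constant-time. Both operands here are key
                // material the engine itself produced, so timing is unlikely to matter — confirm
                // this is never fed attacker-controlled bytes before relying on that.
                boolean secretMatches = subjectSecretKey != null && Arrays.equals(subjectSecretKey, secret);
                boolean keyMatches = subjectPublicKey != null && subjectPublicKey.equals(publicKey);
                if (certMatches || secretMatches || keyMatches) {
                    return true;
                }
            }
        } else if (publicKey != null) {
            PublicKey foundPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
            if (publicKey.equals(foundPublicKey)) {
                return true;
            }
        } else {
            // Neither a certificate-bearing token nor a public key: fall back to comparing
            // the raw secret bytes against the token's secret or its stored ephemeral key.
            byte[] foundSecret = (byte[]) token.get(WSSecurityEngineResult.TAG_SECRET);
            byte[] derivedKey = (byte[]) token.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY);
            if ((foundSecret != null && Arrays.equals(foundSecret, secret)) || (derivedKey != null && Arrays.equals(derivedKey, secret))) {
                return true;
            }
        }
    }
    return false;
}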

Example 4 with PKIPathSecurity

use of org.apache.wss4j.common.token.PKIPathSecurity in project cxf by apache.

In class AbstractSupportingTokenPolicyValidator, method processX509Tokens:

/**
 * Validate the X.509 supporting-token requirements of this policy against the BST results.
 *
 * <p>Only BinarySecurityToken results whose token is an X509Security or PKIPathSecurity are
 * considered. The method fails when there are none, when the policy requires the tokens to be
 * signed or encrypted and they are not, or when it requires them to endorse the signature and
 * they do not. If {@code derived} is set and derived-key results are present, the derived-key
 * result of each token is appended to the token list before the endorsing and
 * signed/encrypted-parts checks run.
 *
 * @param parameters the validation parameters holding the WSS4J results and the message
 * @param derived whether derived keys based on these tokens should also be taken into account
 * @return {@code true} if every applicable requirement is met
 */
protected boolean processX509Tokens(PolicyValidatorParameters parameters, boolean derived) {
    List<WSSecurityEngineResult> x509Tokens = new ArrayList<>();
    if (parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
        for (WSSecurityEngineResult bstResult : parameters.getResults().getActionResults().get(WSConstants.BST)) {
            BinarySecurity bst = (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            boolean isX509Token = bst instanceof X509Security || bst instanceof PKIPathSecurity;
            if (isX509Token) {
                x509Tokens.add(bstResult);
            }
        }
    }
    if (x509Tokens.isEmpty()) {
        return false;
    }

    boolean signedRequirementMet = !isSigned()
        || areTokensSigned(x509Tokens, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage());
    if (!signedRequirementMet) {
        return false;
    }
    boolean encryptedRequirementMet = !isEncrypted()
        || areTokensEncrypted(x509Tokens, parameters.getEncryptedResults(), parameters.getMessage());
    if (!encryptedRequirementMet) {
        return false;
    }

    // Derived-key results are appended so the endorsing and parts checks below see them too.
    if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
        List<WSSecurityEngineResult> derivedResults = new ArrayList<>(x509Tokens.size());
        for (WSSecurityEngineResult tokenResult : x509Tokens) {
            WSSecurityEngineResult derivedResult = processX509DerivedTokenResult(tokenResult, parameters.getResults());
            if (derivedResult != null) {
                derivedResults.add(derivedResult);
            }
        }
        x509Tokens.addAll(derivedResults);
    }

    boolean endorsingRequirementMet = !isEndorsing()
        || checkEndorsed(x509Tokens, parameters.getSignedResults(), parameters.getMessage(), parameters.getTimestampElement());
    if (!endorsingRequirementMet) {
        return false;
    }
    return validateSignedEncryptedPolicies(x509Tokens, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage());
}

Example 5 with PKIPathSecurity

use of org.apache.wss4j.common.token.PKIPathSecurity in project cxf by apache.

In class LayoutPolicyValidator, method findCorrespondingTokenIndex:

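/**
 * Find the index of the token result whose credential was used to produce
 * {@code signatureResult}.
 *
 * <p>The certificate and public key recorded on the signature result are compared against each
 * candidate token by whichever credential WSS4J stored for it: the certificate of an X509 or
 * PKIPath BinarySecurityToken, the subject certificate or public key of a SAML assertion
 * (signed or unsigned), and otherwise a bare public key. Candidates that are themselves
 * signature results are ignored.
 *
 * @param signatureResult the signature result whose signing token is wanted
 * @param results the candidate token results, in the order they should be searched
 * @return the index in {@code results} of the first matching token, or {@code -1} if none matches
 */
private int findCorrespondingTokenIndex(WSSecurityEngineResult signatureResult, List<WSSecurityEngineResult> results) {
    // See what was used to sign this result
    X509Certificate cert = (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    PublicKey publicKey = (PublicKey) signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
    for (int i = 0; i < results.size(); i++) {
        WSSecurityEngineResult token = results.get(i);
        Integer actInt = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
        // Unboxed comparison: a result with no action would NPE here (unchanged behaviour).
        if (actInt == WSConstants.SIGN) {
            continue;
        }
        BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        PublicKey foundPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
        if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
            X509Certificate foundCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            // A BST result without a certificate is a non-match rather than an NPE.
            if (foundCert != null && foundCert.equals(cert)) {
                return i;
            }
        } else if (actInt.intValue() == WSConstants.ST_SIGNED || actInt.intValue() == WSConstants.ST_UNSIGNED) {
            SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
            if (samlKeyInfo != null) {
                X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
                PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
                // Only the first entry of the subject cert array is compared; an empty array
                // used to throw ArrayIndexOutOfBoundsException instead of simply not matching.
                boolean certMatches = cert != null && subjectCerts != null && subjectCerts.length > 0
                    && cert.equals(subjectCerts[0]);
                boolean keyMatches = subjectPublicKey != null && subjectPublicKey.equals(publicKey);
                if (certMatches || keyMatches) {
                    return i;
                }
            }
        } else if (publicKey != null && publicKey.equals(foundPublicKey)) {
            return i;
        }
    }
    return -1;
}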
