Search in sources :

Example 6 with SecurityTokenReference

use of org.apache.wss4j.common.token.SecurityTokenReference in project cxf by apache.

the class TransportBindingHandler method doSignature.

private byte[] doSignature(boolean tokenIncluded, SecurityToken secTok, AbstractToken token, SupportingTokens wrapper, List<WSEncryptionPart> sigParts) throws Exception {
    WSSecSignature sig = new WSSecSignature(secHeader);
    sig.setIdAllocator(wssConfig.getIdAllocator());
    sig.setCallbackLookup(callbackLookup);
    sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
    sig.setStoreBytesInAttachment(storeBytesInAttachment);
    sig.setExpandXopInclude(isExpandXopInclude());
    sig.setWsDocInfo(wsDocInfo);
    // Setting the AttachedReference or the UnattachedReference according to the flag
    Element ref;
    if (tokenIncluded) {
        ref = secTok.getAttachedReference();
    } else {
        ref = secTok.getUnattachedReference();
    }
    if (ref != null) {
        SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
        sig.setSecurityTokenReference(secRef);
        sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
    } else if (token instanceof UsernameToken) {
        sig.setCustomTokenId(secTok.getId());
        sig.setCustomTokenValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
        int type = tokenIncluded ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
        sig.setKeyIdentifierType(type);
    } else if (secTok.getTokenType() == null) {
        sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
        sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
    } else {
        String id = secTok.getWsuId();
        if (id == null) {
            sig.setCustomTokenId(secTok.getId());
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
        } else {
            sig.setCustomTokenId(secTok.getWsuId());
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
        }
        String tokenType = secTok.getTokenType();
        if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
            sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
        } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
            sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
        } else {
            sig.setCustomTokenValueType(tokenType);
        }
    }
    Crypto crypto = null;
    if (secTok.getSecret() == null) {
        sig.setX509Certificate(secTok.getX509Certificate());
        crypto = secTok.getCrypto();
        if (crypto == null) {
            crypto = getSignatureCrypto();
        }
        if (crypto == null) {
            LOG.fine("No signature Crypto properties are available");
            Exception ex = new Exception("No signature Crypto properties are available");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
        }
        String uname = crypto.getX509Identifier(secTok.getX509Certificate());
        if (uname == null) {
            String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
            uname = (String) SecurityUtils.getSecurityPropertyValue(userNameKey, message);
        }
        String password = getPassword(uname, token, WSPasswordCallback.SIGNATURE);
        sig.setUserInfo(uname, password);
        sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
    } else {
        crypto = getSignatureCrypto();
        sig.setSecretKey(secTok.getSecret());
        sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    }
    sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
    AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
    sig.setDigestAlgo(algType.getDigest());
    sig.prepare(crypto);
    sig.getParts().addAll(sigParts);
    List<Reference> referenceList = sig.addReferencesToSign(sigParts);
    // Do signature
    if (bottomUpElement == null) {
        sig.computeSignature(referenceList, false, null);
    } else {
        sig.computeSignature(referenceList, true, bottomUpElement);
    }
    bottomUpElement = sig.getSignatureElement();
    mainSigId = sig.getId();
    return sig.getSignatureValue();
}
Also used : AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) Reference(javax.xml.crypto.dsig.Reference) WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature) Element(org.w3c.dom.Element) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SOAPException(javax.xml.soap.SOAPException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Crypto(org.apache.wss4j.common.crypto.Crypto) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)

Example 7 with SecurityTokenReference

use of org.apache.wss4j.common.token.SecurityTokenReference in project cxf by apache.

the class STSInvoker method writeSecurityTokenReference.

Element writeSecurityTokenReference(W3CDOMStreamWriter writer, String id, String refValueType) {
    Reference ref = new Reference(writer.getDocument());
    ref.setURI(id);
    if (refValueType != null) {
        ref.setValueType(refValueType);
    }
    SecurityTokenReference str = new SecurityTokenReference(writer.getDocument());
    str.addWSSENamespace();
    str.setReference(ref);
    writer.getCurrentNode().appendChild(str.getElement());
    return str.getElement();
}
Also used : SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) Reference(org.apache.wss4j.common.token.Reference) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)

Example 8 with SecurityTokenReference

use of org.apache.wss4j.common.token.SecurityTokenReference in project cxf by apache.

the class STSInvoker method findCancelOrRenewToken.

private SecurityToken findCancelOrRenewToken(Exchange exchange, Element el) throws WSSecurityException {
    Element childElement = DOMUtils.getFirstElement(el);
    String uri = "";
    if ("SecurityContextToken".equals(childElement.getLocalName())) {
        SecurityContextToken sct = new SecurityContextToken(childElement);
        uri = sct.getIdentifier();
    } else {
        SecurityTokenReference ref = new SecurityTokenReference(childElement, new BSPEnforcer());
        uri = ref.getReference().getURI();
    }
    TokenStore store = (TokenStore) exchange.getEndpoint().getEndpointInfo().getProperty(TokenStore.class.getName());
    return store.getToken(uri);
}
Also used : SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) SecurityContextToken(org.apache.wss4j.dom.message.token.SecurityContextToken) Element(org.w3c.dom.Element) BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer) TokenStore(org.apache.cxf.ws.security.tokenstore.TokenStore)

Example 9 with SecurityTokenReference

use of org.apache.wss4j.common.token.SecurityTokenReference in project cxf by apache.

the class AbstractBindingBuilder method doSymmSignatureDerived.

private void doSymmSignatureDerived(AbstractToken policyToken, SecurityToken tok, List<WSEncryptionPart> sigParts, boolean isTokenProtection, boolean isSigProtect) throws WSSecurityException {
    Document doc = saaj.getSOAPPart();
    WSSecDKSign dkSign = new WSSecDKSign(secHeader);
    dkSign.setIdAllocator(wssConfig.getIdAllocator());
    dkSign.setCallbackLookup(callbackLookup);
    dkSign.setStoreBytesInAttachment(storeBytesInAttachment);
    dkSign.setExpandXopInclude(isExpandXopInclude());
    // Check whether it is security policy 1.2 and use the secure conversation accordingly
    if (policyToken.getVersion() == SPConstants.SPVersion.SP11) {
        dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
    }
    // Check for whether the token is attached in the message or not
    boolean attached = false;
    if (isTokenRequired(policyToken.getIncludeTokenType())) {
        attached = true;
    }
    // Setting the AttachedReference or the UnattachedReference according to the flag
    Element ref;
    if (attached) {
        ref = tok.getAttachedReference();
    } else {
        ref = tok.getUnattachedReference();
    }
    if (ref != null) {
        ref = cloneElement(ref);
        dkSign.setExternalKey(tok.getSecret(), ref);
    } else if (!isRequestor() && policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        // If the Encrypted key used to create the derived key is not
        // attached use key identifier as defined in WSS1.1 section
        // 7.7 Encrypted Key reference
        SecurityTokenReference tokenRef = new SecurityTokenReference(doc);
        if (tok.getSHA1() != null) {
            tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
            tokenRef.addTokenType(WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE);
        }
        dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
    } else {
        dkSign.setExternalKey(tok.getSecret(), tok.getId());
    }
    // Set the algo info
    dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    dkSign.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
    AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
    dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
    if (tok.getSHA1() != null) {
        // Set the value type of the reference
        dkSign.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);
    } else if (policyToken instanceof UsernameToken) {
        dkSign.setCustomValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
    }
    dkSign.prepare();
    if (isTokenProtection) {
        String sigTokId = XMLUtils.getIDFromReference(tok.getId());
        sigParts.add(new WSEncryptionPart(sigTokId));
    }
    dkSign.getParts().addAll(sigParts);
    List<Reference> referenceList = dkSign.addReferencesToSign(sigParts);
    // Add elements to header
    addSupportingElement(dkSign.getdktElement());
    // Do signature
    dkSign.computeSignature(referenceList, false, null);
    if (isSigProtect) {
        WSEncryptionPart part = new WSEncryptionPart(dkSign.getSignatureId(), "Element");
        encryptedTokensList.add(part);
    }
    addSig(dkSign.getSignatureValue());
}
Also used : WSSecDKSign(org.apache.wss4j.dom.message.WSSecDKSign) WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) Reference(javax.xml.crypto.dsig.Reference) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) Element(org.w3c.dom.Element) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) Document(org.w3c.dom.Document)

Example 10 with SecurityTokenReference

use of org.apache.wss4j.common.token.SecurityTokenReference in project cxf by apache.

the class AbstractBindingBuilder method getElements.

/**
 * Identifies the portions of the message to be signed/encrypted.
 *
 * @param encryptionModifier
 *            indicates the scope of the crypto operation over matched
 *            elements. Either "Content" or "Element".
 * @param xpaths
 *            any XPath expressions to sign/encrypt matches
 * @param found
 *            a list of elements that have previously been tagged for
 *            signing/encryption. Populated with additional matches found by
 *            this method and used to prevent including the same element
 *            twice under the same operation.
 * @param forceId
 *         force adding a wsu:Id onto the elements.  Recommended for signatures.
 * @return a configured list of {@code WSEncryptionPart}s suitable for
 *         processing by WSS4J
 * @throws SOAPException
 *             if there is an error extracting SOAP content from the SAAJ
 *             model
 */
protected List<WSEncryptionPart> getElements(String encryptionModifier, List<org.apache.wss4j.policy.model.XPath> xpaths, List<Element> found, boolean forceId) throws SOAPException {
    List<WSEncryptionPart> result = new ArrayList<>();
    if (xpaths != null && !xpaths.isEmpty()) {
        boolean useSTRTransform = MessageUtils.getContextualBoolean(message, SecurityConstants.USE_STR_TRANSFORM, true);
        XPathFactory factory = XPathFactory.newInstance();
        for (org.apache.wss4j.policy.model.XPath xPath : xpaths) {
            XPath xpath = factory.newXPath();
            if (xPath.getPrefixNamespaceMap() != null) {
                xpath.setNamespaceContext(new MapNamespaceContext(xPath.getPrefixNamespaceMap()));
            }
            NodeList list = null;
            try {
                Element envelope = saaj.getSOAPPart().getEnvelope();
                envelope = (Element) DOMUtils.getDomElement(envelope);
                list = (NodeList) xpath.evaluate(xPath.getXPath(), envelope, XPathConstants.NODESET);
            } catch (XPathExpressionException e) {
                LOG.log(Level.WARNING, "Failure in evaluating an XPath expression", e);
            }
            if (list != null) {
                for (int x = 0; x < list.getLength(); x++) {
                    Element el = (Element) list.item(x);
                    if (!found.contains(el)) {
                        found.add(el);
                        WSEncryptionPart part = null;
                        boolean saml1 = WSS4JConstants.SAML_NS.equals(el.getNamespaceURI()) && "Assertion".equals(el.getLocalName());
                        boolean saml2 = WSS4JConstants.SAML2_NS.equals(el.getNamespaceURI()) && "Assertion".equals(el.getLocalName());
                        if (useSTRTransform && (saml1 || saml2)) {
                            String id = saml2 ? el.getAttributeNS(null, "ID") : el.getAttributeNS(null, "AssertionID");
                            SecurityTokenReference secRef = createSTRForSamlAssertion(el.getOwnerDocument(), id, saml1, false);
                            Element clone = cloneElement(secRef.getElement());
                            addSupportingElement(clone);
                            part = new WSEncryptionPart("STRTransform", null, "Element");
                            part.setId(secRef.getID());
                            part.setElement(clone);
                        } else {
                            String id = setIdOnElement(el, forceId);
                            part = new WSEncryptionPart(id, encryptionModifier);
                            part.setElement(el);
                        }
                        part.setXpath(xPath.getXPath());
                        result.add(part);
                    }
                }
            }
        }
    }
    return result;
}
Also used : XPath(javax.xml.xpath.XPath) WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) XPathExpressionException(javax.xml.xpath.XPathExpressionException) NodeList(org.w3c.dom.NodeList) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) MapNamespaceContext(org.apache.cxf.helpers.MapNamespaceContext) XPathFactory(javax.xml.xpath.XPathFactory) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)

Aggregations

SecurityTokenReference (org.apache.wss4j.common.token.SecurityTokenReference)12 Element (org.w3c.dom.Element)11 WSSecUsernameToken (org.apache.wss4j.dom.message.WSSecUsernameToken)7 AttachmentCallbackHandler (org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)6 AlgorithmSuiteType (org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)6 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)6 Reference (javax.xml.crypto.dsig.Reference)5 WSEncryptionPart (org.apache.wss4j.common.WSEncryptionPart)5 BSPEnforcer (org.apache.wss4j.common.bsp.BSPEnforcer)5 Crypto (org.apache.wss4j.common.crypto.Crypto)4 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)4 WSSecSignature (org.apache.wss4j.dom.message.WSSecSignature)4 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)4 SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)4 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)4 Document (org.w3c.dom.Document)3 QName (javax.xml.namespace.QName)2 SOAPException (javax.xml.soap.SOAPException)2 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)2 StaxSerializer (org.apache.cxf.ws.security.wss4j.StaxSerializer)2