use of org.apache.wss4j.common.token.SecurityTokenReference in project cxf by apache.
the class TransportBindingHandler method doSignature.
private byte[] doSignature(boolean tokenIncluded, SecurityToken secTok, AbstractToken token, SupportingTokens wrapper, List<WSEncryptionPart> sigParts) throws Exception {
WSSecSignature sig = new WSSecSignature(secHeader);
sig.setIdAllocator(wssConfig.getIdAllocator());
sig.setCallbackLookup(callbackLookup);
sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
sig.setStoreBytesInAttachment(storeBytesInAttachment);
sig.setExpandXopInclude(isExpandXopInclude());
sig.setWsDocInfo(wsDocInfo);
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (tokenIncluded) {
ref = secTok.getAttachedReference();
} else {
ref = secTok.getUnattachedReference();
}
if (ref != null) {
SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
sig.setSecurityTokenReference(secRef);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (token instanceof UsernameToken) {
sig.setCustomTokenId(secTok.getId());
sig.setCustomTokenValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
int type = tokenIncluded ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
sig.setKeyIdentifierType(type);
} else if (secTok.getTokenType() == null) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
String id = secTok.getWsuId();
if (id == null) {
sig.setCustomTokenId(secTok.getId());
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
} else {
sig.setCustomTokenId(secTok.getWsuId());
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
}
String tokenType = secTok.getTokenType();
if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
sig.setCustomTokenValueType(tokenType);
}
}
Crypto crypto = null;
if (secTok.getSecret() == null) {
sig.setX509Certificate(secTok.getX509Certificate());
crypto = secTok.getCrypto();
if (crypto == null) {
crypto = getSignatureCrypto();
}
if (crypto == null) {
LOG.fine("No signature Crypto properties are available");
Exception ex = new Exception("No signature Crypto properties are available");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
}
String uname = crypto.getX509Identifier(secTok.getX509Certificate());
if (uname == null) {
String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
uname = (String) SecurityUtils.getSecurityPropertyValue(userNameKey, message);
}
String password = getPassword(uname, token, WSPasswordCallback.SIGNATURE);
sig.setUserInfo(uname, password);
sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
} else {
crypto = getSignatureCrypto();
sig.setSecretKey(secTok.getSecret());
sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
}
sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
sig.setDigestAlgo(algType.getDigest());
sig.prepare(crypto);
sig.getParts().addAll(sigParts);
List<Reference> referenceList = sig.addReferencesToSign(sigParts);
// Do signature
if (bottomUpElement == null) {
sig.computeSignature(referenceList, false, null);
} else {
sig.computeSignature(referenceList, true, bottomUpElement);
}
bottomUpElement = sig.getSignatureElement();
mainSigId = sig.getId();
return sig.getSignatureValue();
}
use of org.apache.wss4j.common.token.SecurityTokenReference in project cxf by apache.
the class STSInvoker method writeSecurityTokenReference.
Element writeSecurityTokenReference(W3CDOMStreamWriter writer, String id, String refValueType) {
Reference ref = new Reference(writer.getDocument());
ref.setURI(id);
if (refValueType != null) {
ref.setValueType(refValueType);
}
SecurityTokenReference str = new SecurityTokenReference(writer.getDocument());
str.addWSSENamespace();
str.setReference(ref);
writer.getCurrentNode().appendChild(str.getElement());
return str.getElement();
}
use of org.apache.wss4j.common.token.SecurityTokenReference in project cxf by apache.
the class STSInvoker method findCancelOrRenewToken.
private SecurityToken findCancelOrRenewToken(Exchange exchange, Element el) throws WSSecurityException {
Element childElement = DOMUtils.getFirstElement(el);
String uri = "";
if ("SecurityContextToken".equals(childElement.getLocalName())) {
SecurityContextToken sct = new SecurityContextToken(childElement);
uri = sct.getIdentifier();
} else {
SecurityTokenReference ref = new SecurityTokenReference(childElement, new BSPEnforcer());
uri = ref.getReference().getURI();
}
TokenStore store = (TokenStore) exchange.getEndpoint().getEndpointInfo().getProperty(TokenStore.class.getName());
return store.getToken(uri);
}
use of org.apache.wss4j.common.token.SecurityTokenReference in project cxf by apache.
the class AbstractBindingBuilder method doSymmSignatureDerived.
private void doSymmSignatureDerived(AbstractToken policyToken, SecurityToken tok, List<WSEncryptionPart> sigParts, boolean isTokenProtection, boolean isSigProtect) throws WSSecurityException {
Document doc = saaj.getSOAPPart();
WSSecDKSign dkSign = new WSSecDKSign(secHeader);
dkSign.setIdAllocator(wssConfig.getIdAllocator());
dkSign.setCallbackLookup(callbackLookup);
dkSign.setStoreBytesInAttachment(storeBytesInAttachment);
dkSign.setExpandXopInclude(isExpandXopInclude());
// Check whether it is security policy 1.2 and use the secure conversation accordingly
if (policyToken.getVersion() == SPConstants.SPVersion.SP11) {
dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
}
// Check for whether the token is attached in the message or not
boolean attached = false;
if (isTokenRequired(policyToken.getIncludeTokenType())) {
attached = true;
}
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (attached) {
ref = tok.getAttachedReference();
} else {
ref = tok.getUnattachedReference();
}
if (ref != null) {
ref = cloneElement(ref);
dkSign.setExternalKey(tok.getSecret(), ref);
} else if (!isRequestor() && policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
// If the Encrypted key used to create the derived key is not
// attached use key identifier as defined in WSS1.1 section
// 7.7 Encrypted Key reference
SecurityTokenReference tokenRef = new SecurityTokenReference(doc);
if (tok.getSHA1() != null) {
tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
tokenRef.addTokenType(WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE);
}
dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
} else {
dkSign.setExternalKey(tok.getSecret(), tok.getId());
}
// Set the algo info
dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
dkSign.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
if (tok.getSHA1() != null) {
// Set the value type of the reference
dkSign.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);
} else if (policyToken instanceof UsernameToken) {
dkSign.setCustomValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
}
dkSign.prepare();
if (isTokenProtection) {
String sigTokId = XMLUtils.getIDFromReference(tok.getId());
sigParts.add(new WSEncryptionPart(sigTokId));
}
dkSign.getParts().addAll(sigParts);
List<Reference> referenceList = dkSign.addReferencesToSign(sigParts);
// Add elements to header
addSupportingElement(dkSign.getdktElement());
// Do signature
dkSign.computeSignature(referenceList, false, null);
if (isSigProtect) {
WSEncryptionPart part = new WSEncryptionPart(dkSign.getSignatureId(), "Element");
encryptedTokensList.add(part);
}
addSig(dkSign.getSignatureValue());
}
use of org.apache.wss4j.common.token.SecurityTokenReference in project cxf by apache.
the class AbstractBindingBuilder method getElements.
/**
* Identifies the portions of the message to be signed/encrypted.
*
* @param encryptionModifier
* indicates the scope of the crypto operation over matched
* elements. Either "Content" or "Element".
* @param xpaths
* any XPath expressions to sign/encrypt matches
* @param found
* a list of elements that have previously been tagged for
* signing/encryption. Populated with additional matches found by
* this method and used to prevent including the same element
* twice under the same operation.
* @param forceId
* force adding a wsu:Id onto the elements. Recommended for signatures.
* @return a configured list of {@code WSEncryptionPart}s suitable for
* processing by WSS4J
* @throws SOAPException
* if there is an error extracting SOAP content from the SAAJ
* model
*/
protected List<WSEncryptionPart> getElements(String encryptionModifier, List<org.apache.wss4j.policy.model.XPath> xpaths, List<Element> found, boolean forceId) throws SOAPException {
List<WSEncryptionPart> result = new ArrayList<>();
if (xpaths != null && !xpaths.isEmpty()) {
boolean useSTRTransform = MessageUtils.getContextualBoolean(message, SecurityConstants.USE_STR_TRANSFORM, true);
XPathFactory factory = XPathFactory.newInstance();
for (org.apache.wss4j.policy.model.XPath xPath : xpaths) {
XPath xpath = factory.newXPath();
if (xPath.getPrefixNamespaceMap() != null) {
xpath.setNamespaceContext(new MapNamespaceContext(xPath.getPrefixNamespaceMap()));
}
NodeList list = null;
try {
Element envelope = saaj.getSOAPPart().getEnvelope();
envelope = (Element) DOMUtils.getDomElement(envelope);
list = (NodeList) xpath.evaluate(xPath.getXPath(), envelope, XPathConstants.NODESET);
} catch (XPathExpressionException e) {
LOG.log(Level.WARNING, "Failure in evaluating an XPath expression", e);
}
if (list != null) {
for (int x = 0; x < list.getLength(); x++) {
Element el = (Element) list.item(x);
if (!found.contains(el)) {
found.add(el);
WSEncryptionPart part = null;
boolean saml1 = WSS4JConstants.SAML_NS.equals(el.getNamespaceURI()) && "Assertion".equals(el.getLocalName());
boolean saml2 = WSS4JConstants.SAML2_NS.equals(el.getNamespaceURI()) && "Assertion".equals(el.getLocalName());
if (useSTRTransform && (saml1 || saml2)) {
String id = saml2 ? el.getAttributeNS(null, "ID") : el.getAttributeNS(null, "AssertionID");
SecurityTokenReference secRef = createSTRForSamlAssertion(el.getOwnerDocument(), id, saml1, false);
Element clone = cloneElement(secRef.getElement());
addSupportingElement(clone);
part = new WSEncryptionPart("STRTransform", null, "Element");
part.setId(secRef.getID());
part.setElement(clone);
} else {
String id = setIdOnElement(el, forceId);
part = new WSEncryptionPart(id, encryptionModifier);
part.setElement(el);
}
part.setXpath(xPath.getXPath());
result.add(part);
}
}
}
}
}
return result;
}
Aggregations