
Example 61 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

the class AbstractSupportingTokenPolicyValidator method processX509DerivedTokenResult.

/**
 * Locates the DerivedKey result that was derived from the EncryptedKey whose certificate
 * matches the certificate used for the given signature result.
 *
 * @param result the signature result carrying the signing X.509 certificate
 * @param results all security results for the message, searched for the EncryptedKey and
 *        DerivedKey entries
 * @return the matching DerivedKey result, or {@code null} if no EncryptedKey matches the
 *         certificate or no DerivedKey was derived from that EncryptedKey's secret
 */
private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result, WSHandlerResult results) {
    X509Certificate signingCert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    WSSecurityEngineResult encryptedKey = getMatchingEncryptedKey(signingCert, results);
    if (encryptedKey == null) {
        return null;
    }
    // The DerivedKey is tied to the EncryptedKey through the secret the EncryptedKey carries
    byte[] encryptedKeySecret = (byte[]) encryptedKey.get(WSSecurityEngineResult.TAG_SECRET);
    // getMatchingDerivedKey yields null when nothing matches, which is exactly this method's "not found" value
    return getMatchingDerivedKey(encryptedKeySecret, results);
}
Also used : WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) X509Certificate(java.security.cert.X509Certificate)

Example 62 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

the class AbstractSupportingTokenPolicyValidator method processKerberosTokens.

/**
 * Validates the received Kerberos BinarySecurityTokens against the supporting-token policy:
 * the signed, encrypted and endorsing requirements, plus the DerivedKey results derived
 * from those tokens when {@code derived} is set.
 *
 * @param parameters the collected security results and message context
 * @param derived whether DerivedKey results derived from the Kerberos tokens should be
 *        included in the endorsing and signed/encrypted checks
 * @return {@code true} if at least one Kerberos token was received and every applicable
 *         policy check passed, {@code false} otherwise
 */
protected boolean processKerberosTokens(PolicyValidatorParameters parameters, boolean derived) {
    if (!parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
        return false;
    }
    // Only Kerberos BinarySecurityTokens are relevant here; other BST types are ignored
    List<WSSecurityEngineResult> kerberosResults = new ArrayList<>();
    for (WSSecurityEngineResult bstResult : parameters.getResults().getActionResults().get(WSConstants.BST)) {
        BinarySecurity bst = (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        if (bst instanceof KerberosSecurity) {
            kerberosResults.add(bstResult);
        }
    }
    if (kerberosResults.isEmpty()) {
        return false;
    }
    if (isSigned() && !areTokensSigned(kerberosResults, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage())) {
        return false;
    }
    if (isEncrypted() && !areTokensEncrypted(kerberosResults, parameters.getEncryptedResults())) {
        return false;
    }
    if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
        // Gather the DerivedKey results separately so the token list is not modified while iterating over it
        List<WSSecurityEngineResult> derivedKeys = new ArrayList<>(kerberosResults.size());
        for (WSSecurityEngineResult kerberosResult : kerberosResults) {
            byte[] tokenSecret = (byte[]) kerberosResult.get(WSSecurityEngineResult.TAG_SECRET);
            WSSecurityEngineResult derivedKey = getMatchingDerivedKey(tokenSecret, parameters.getResults());
            if (derivedKey != null) {
                derivedKeys.add(derivedKey);
            }
        }
        kerberosResults.addAll(derivedKeys);
    }
    if (isEndorsing() && !checkEndorsed(kerberosResults, parameters.getSignedResults(), parameters.getMessage(), parameters.getTimestampElement())) {
        return false;
    }
    return validateSignedEncryptedPolicies(kerberosResults, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage());
}
Also used : KerberosSecurity(org.apache.wss4j.dom.message.token.KerberosSecurity) BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) ArrayList(java.util.ArrayList) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)

Example 63 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

the class AbstractSupportingTokenPolicyValidator method processSCTokens.

/**
 * Validates the received SecurityContextTokens against the supporting-token policy:
 * the signed, encrypted and endorsing requirements, plus the DerivedKey results derived
 * from those tokens when {@code derived} is set.
 *
 * @param parameters the collected security results and message context
 * @param derived whether DerivedKey results derived from the SecurityContextTokens should be
 *        included in the endorsing and signed/encrypted checks
 * @return {@code true} if SecurityContextToken results are present and every applicable
 *         policy check passed, {@code false} otherwise
 */
protected boolean processSCTokens(PolicyValidatorParameters parameters, boolean derived) {
    if (!parameters.getResults().getActionResults().containsKey(WSConstants.SCT)) {
        return false;
    }
    // Work on a private copy: DerivedKey results may be appended below
    List<WSSecurityEngineResult> sctResults =
        new ArrayList<>(parameters.getResults().getActionResults().get(WSConstants.SCT));
    if (isSigned() && !areTokensSigned(sctResults, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage())) {
        return false;
    }
    if (isEncrypted() && !areTokensEncrypted(sctResults, parameters.getEncryptedResults())) {
        return false;
    }
    if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
        // Gather the DerivedKey results separately so the token list is not modified while iterating over it
        List<WSSecurityEngineResult> derivedKeys = new ArrayList<>(sctResults.size());
        for (WSSecurityEngineResult sctResult : sctResults) {
            byte[] tokenSecret = (byte[]) sctResult.get(WSSecurityEngineResult.TAG_SECRET);
            WSSecurityEngineResult derivedKey = getMatchingDerivedKey(tokenSecret, parameters.getResults());
            if (derivedKey != null) {
                derivedKeys.add(derivedKey);
            }
        }
        sctResults.addAll(derivedKeys);
    }
    if (isEndorsing() && !checkEndorsed(sctResults, parameters.getSignedResults(), parameters.getMessage(), parameters.getTimestampElement())) {
        return false;
    }
    return validateSignedEncryptedPolicies(sctResults, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage());
}
Also used : ArrayList(java.util.ArrayList) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)

Example 64 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

the class LayoutPolicyValidator method findCorrespondingTokenIndex.

/**
 * Finds the index, within {@code results}, of the token whose X.509 certificate or
 * PublicKey was used to produce the given signature result.
 *
 * @param signatureResult the signature result whose signing credential is looked up
 * @param results the ordered security results to search; signature results themselves are skipped
 * @return the index of the first matching token result, or {@code -1} if none matches
 */
private int findCorrespondingTokenIndex(WSSecurityEngineResult signatureResult, List<WSSecurityEngineResult> results) {
    // The credential that produced the signature: a certificate, a bare public key, or neither
    X509Certificate signingCert = (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    PublicKey signingKey = (PublicKey) signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
    int index = 0;
    for (WSSecurityEngineResult token : results) {
        if (isSigningToken(token, signingCert, signingKey)) {
            return index;
        }
        index++;
    }
    return -1;
}

/**
 * Returns whether {@code token} carries the credential used to create the signature.
 *
 * @param token a single security result to compare against the signing credential
 * @param signingCert the certificate used for the signature, may be {@code null}
 * @param signingKey the public key used for the signature, may be {@code null}
 * @return {@code true} if the token's certificate or public key matches the signing credential
 */
private boolean isSigningToken(WSSecurityEngineResult token, X509Certificate signingCert, PublicKey signingKey) {
    Integer action = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
    // A signature result can never be the token that produced a signature
    if (action == WSConstants.SIGN) {
        return false;
    }
    BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
    if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
        // X.509 / PKIPath BinarySecurityTokens are matched on the certificate alone
        X509Certificate tokenCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        return tokenCert.equals(signingCert);
    }
    if (action.intValue() == WSConstants.ST_SIGNED || action.intValue() == WSConstants.ST_UNSIGNED) {
        // SAML assertions are matched on the subject's certificate or public key
        SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
        SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
        if (subjectKeyInfo == null) {
            return false;
        }
        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
        PublicKey subjectKey = subjectKeyInfo.getPublicKey();
        // NOTE(review): assumes a non-null subjectCerts array has at least one entry - verify against SAMLKeyInfo
        boolean certMatches = signingCert != null && subjectCerts != null && signingCert.equals(subjectCerts[0]);
        boolean keyMatches = subjectKey != null && subjectKey.equals(signingKey);
        return certMatches || keyMatches;
    }
    // Any other token type (e.g. a bare KeyValue) is matched on the public key
    PublicKey tokenKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
    return signingKey != null && signingKey.equals(tokenKey);
}
Also used : BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) PublicKey(java.security.PublicKey) PKIPathSecurity(org.apache.wss4j.common.token.PKIPathSecurity) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) X509Certificate(java.security.cert.X509Certificate) X509Security(org.apache.wss4j.common.token.X509Security)

Example 65 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

the class X509TokenPolicyValidator method checkTokenType.

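/**
 * Checks that at least one received token matches the required X.509 token type.
 * <p>
 * PkiPath token types require a BinarySecurityToken with the PKIPath ValueType; the
 * X509V3 token types additionally require the embedded certificate to be version 3.
 * When the required type is X.509 v3, a token referenced from a signature through a
 * KeyIdentifier (rather than carried as a BinarySecurityToken) is also accepted.
 *
 * @param tokenType the X.509 token type demanded by the policy
 * @param bstResults the BinarySecurityToken results received, may be {@code null}
 * @param signedResults the signature results, searched for KeyIdentifier references
 * @return {@code true} if at least one received token satisfies the required type
 */
private boolean checkTokenType(TokenType tokenType, List<WSSecurityEngineResult> bstResults, List<WSSecurityEngineResult> signedResults) {
    if ((bstResults == null || bstResults.isEmpty()) && signedResults.isEmpty()) {
        return false;
    }
    String requiredType = X509_V3_VALUETYPE;
    boolean v3certRequired = false;
    if (tokenType == TokenType.WssX509PkiPathV1Token10 || tokenType == TokenType.WssX509PkiPathV1Token11) {
        requiredType = PKI_VALUETYPE;
    } else if (tokenType == TokenType.WssX509V3Token10 || tokenType == TokenType.WssX509V3Token11) {
        v3certRequired = true;
    }
    if (bstResults != null) {
        for (WSSecurityEngineResult result : bstResults) {
            BinarySecurity binarySecurityToken = (BinarySecurity) result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (binarySecurityToken == null || !requiredType.equals(binarySecurityToken.getValueType())) {
                continue;
            }
            // The certificate version is only inspected for X509Security tokens when a v3 token type is required
            if (!v3certRequired || !(binarySecurityToken instanceof X509Security)) {
                return true;
            }
            if (isVersion3Certificate((X509Security) binarySecurityToken)) {
                return true;
            }
        }
    }
    // Maybe the X.509 token was included as a KeyIdentifier
    if (X509_V3_VALUETYPE.equals(requiredType)) {
        for (WSSecurityEngineResult result : signedResults) {
            STRParser.REFERENCE_TYPE referenceType = (STRParser.REFERENCE_TYPE) result.get(WSSecurityEngineResult.TAG_X509_REFERENCE_TYPE);
            if (STRParser.REFERENCE_TYPE.KEY_IDENTIFIER != referenceType) {
                continue;
            }
            Element signatureElement = (Element) result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
            Element keyIdentifier = getKeyIdentifier(signatureElement);
            if (keyIdentifier == null || !X509_V3_VALUETYPE.equals(keyIdentifier.getAttributeNS(null, "ValueType"))) {
                continue;
            }
            try {
                // Parse the KeyIdentifier as a BST, with BSP compliance enforced, before checking the certificate
                X509Security token = new X509Security(keyIdentifier, new BSPEnforcer(true));
                if (isVersion3Certificate(token)) {
                    return true;
                }
            } catch (WSSecurityException e) {
                // A malformed KeyIdentifier is not a match; keep the stack trace for debugging
                LOG.log(Level.FINE, e.getMessage(), e);
            }
        }
    }
    return false;
}

/**
 * Returns whether the certificate carried by the token is an X.509 version 3 certificate.
 *
 * @param token the parsed X.509 BinarySecurityToken
 * @return {@code true} if the token yields a certificate whose version is 3; {@code false}
 *         if there is no certificate or it cannot be parsed (the failure is logged at FINE)
 */
private boolean isVersion3Certificate(X509Security token) {
    try {
        X509Certificate cert = token.getX509Certificate(null);
        return cert != null && cert.getVersion() == 3;
    } catch (WSSecurityException e) {
        // An unparseable certificate cannot satisfy the v3 requirement; keep the stack trace for debugging
        LOG.log(Level.FINE, e.getMessage(), e);
        return false;
    }
}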
Also used : STRParser(org.apache.wss4j.dom.str.STRParser) BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) Element(org.w3c.dom.Element) BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) X509Security(org.apache.wss4j.common.token.X509Security) X509Certificate(java.security.cert.X509Certificate)
