
Example 1 with WSSecEncryptedKey

use of org.apache.wss4j.dom.message.WSSecEncryptedKey in project cxf by apache.

the class AbstractSAMLCallbackHandler method createKeyInfo.

/**
 * Builds the KeyInfo bean placed into the SAML subject confirmation.
 *
 * <p>For an attribute statement the key material is a freshly generated symmetric key,
 * wrapped for {@code certs[0]} and embedded as an {@code xenc:EncryptedKey} inside a
 * {@code ds:KeyInfo}. For an authentication statement the certificate itself is
 * referenced. Any other (or null) statement type yields an empty bean.</p>
 *
 * @return the populated {@link KeyInfoBean}
 * @throws Exception on DOM construction or WSS4J key-wrapping failures
 */
protected KeyInfoBean createKeyInfo() throws Exception {
    KeyInfoBean bean = new KeyInfoBean();
    if (statement == Statement.ATTR) {
        // An empty, namespace-aware DOM document owns the EncryptedKey. Nothing is parsed
        // here, so external-entity hardening of the parser is not a concern for this builder.
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        Document owner = factory.newDocumentBuilder().newDocument();

        // Wrap a new symmetric key for the recipient certificate. The certificate is handed
        // in directly and prepare(null) skips any Crypto/keystore lookup, so whoever filled
        // certs[] is responsible for having validated it. The EncryptedKey refers to the
        // certificate by issuer name and serial number.
        WSSecEncryptedKey keyBuilder = new WSSecEncryptedKey(owner);
        keyBuilder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
        keyBuilder.setUseThisCert(certs[0]);
        keyBuilder.prepare(null);
        // The plaintext key is kept in a field; its later use is outside this method.
        ephemeralKey = keyBuilder.getEphemeralKey();

        // Wrap the EncryptedKey in a KeyInfo element that declares the signature
        // namespace prefix itself, so it stays well-formed when moved into the assertion.
        String qualifiedName = WSS4JConstants.SIG_PREFIX + ":" + WSS4JConstants.KEYINFO_LN;
        Element keyInfoElement = owner.createElementNS(WSS4JConstants.SIG_NS, qualifiedName);
        keyInfoElement.setAttributeNS(WSS4JConstants.XMLNS_NS,
                                      "xmlns:" + WSS4JConstants.SIG_PREFIX,
                                      WSS4JConstants.SIG_NS);
        keyInfoElement.appendChild(keyBuilder.getEncryptedKeyElement());
        bean.setElement(keyInfoElement);
    } else if (statement == Statement.AUTHN) {
        // Reference the certificate directly, using the configured identifier style.
        bean.setCertificate(certs[0]);
        bean.setCertIdentifer(certIdentifier);
    }
    return bean;
}

Example 2 with WSSecEncryptedKey

use of org.apache.wss4j.dom.message.WSSecEncryptedKey in project cxf by apache.

the class AbstractBindingBuilder method getEncryptedKeyBuilder.

/**
 * Creates and prepares a {@link WSSecEncryptedKey} for the given token, using the binding's
 * AlgorithmSuite and the encryption Crypto.
 *
 * <p>If the token is an X509Token whose inclusion policy is anything but NEVER, and the key
 * identifier is not a direct BST reference, the encryption certificate is additionally prepended
 * to the Security header as a BinarySecurityToken and remembered in {@code bstElement}.</p>
 *
 * @param token the policy token driving key identifier type and encryption user selection
 * @return the prepared builder (prepare() has already been called)
 * @throws WSSecurityException if the key cannot be wrapped or the encryption certificate
 *                             cannot be resolved
 */
protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException {
    WSSecEncryptedKey builder = new WSSecEncryptedKey(secHeader);
    builder.setIdAllocator(wssConfig.getIdAllocator());
    builder.setCallbackLookup(callbackLookup);
    builder.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
    builder.setStoreBytesInAttachment(storeBytesInAttachment);

    // Publish the encryption Crypto on the exchange so later processing uses the same keystore.
    Crypto encryptionCrypto = getEncryptionCrypto();
    message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, encryptionCrypto);
    setKeyIdentifierType(builder, token);

    // Decide up front (before the encryption user is set) whether the certificate must also be
    // carried as a BST. A direct BST reference is excluded -- presumably the builder emits the
    // token itself in that case; that behaviour is not visible here.
    boolean includeBst = token instanceof X509Token
        && token.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER
        && builder.getKeyIdentifierType() != WSConstants.BST_DIRECT_REFERENCE;

    String alias = setEncryptionUser(builder, token, false, encryptionCrypto);

    // Algorithms are dictated by the policy's AlgorithmSuite, never by the incoming message.
    AlgorithmSuiteType suite = binding.getAlgorithmSuite().getAlgorithmSuiteType();
    builder.setSymmetricEncAlgorithm(suite.getEncryption());
    builder.setKeyEncAlgo(suite.getAsymmetricKeyWrap());
    builder.setMGFAlgorithm(suite.getMGFAlgo());
    builder.prepare(encryptionCrypto);

    if (includeBst) {
        // Resolve the recipient certificate by alias from the encryption keystore and
        // prepend it to the header with a secure, collision-resistant wsu:Id.
        X509Certificate certificate = getEncryptCert(encryptionCrypto, alias);
        X509Security bst = new X509Security(saaj.getSOAPPart());
        bst.setX509Certificate(certificate);
        bst.addWSUNamespace();
        bst.setID(wssConfig.getIdAllocator().createSecureId("X509-", certificate));
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeaderElement(), bst.getElement());
        bstElement = bst.getElement();
    }
    return builder;
}

Example 3 with WSSecEncryptedKey

use of org.apache.wss4j.dom.message.WSSecEncryptedKey in project cxf by apache.

the class TransportBindingHandler method doX509TokenSignature.

/**
 * Signs the parts/elements requested by a supporting-token wrapper with an X.509 token.
 *
 * <p>Two paths exist. If the token requires derived keys, an EncryptedKey is added to the
 * header and a derived-key (symmetric) signature is computed from its ephemeral key. Otherwise
 * a plain X.509 signature is computed; when no signature builder is available the method
 * returns an empty array rather than failing.</p>
 *
 * @param token   the X.509 policy token
 * @param wrapper the supporting-tokens assertion listing the parts to sign
 * @return the raw signature value, or an empty array if no signature was produced
 * @throws Exception on any WSS4J or DOM failure while building the signature
 */
private byte[] doX509TokenSignature(AbstractToken token, SupportingTokens wrapper) throws Exception {
    List<WSEncryptionPart> partsToSign =
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());

    if (token.getDerivedKeys() != DerivedKeys.RequireDerivedKeys) {
        // Plain X.509 signature. Note the policy is asserted before we know whether a
        // builder was actually obtained; getSignatureBuilder may return null.
        WSSecSignature signature = getSignatureBuilder(token, false, false);
        assertPolicy(wrapper);
        if (signature == null) {
            return new byte[0];
        }
        signature.prependBSTElementToHeader();
        List<Reference> refs = signature.addReferencesToSign(partsToSign);
        // Position the new ds:Signature relative to a previously produced one, if any.
        signature.computeSignature(refs, bottomUpElement != null, bottomUpElement);
        bottomUpElement = signature.getSignatureElement();
        mainSigId = signature.getId();
        return signature.getSignatureValue();
    }

    // Derived-key path: wrap an ephemeral key for the recipient, then sign with a key
    // derived from it (WS-SecureConversation DerivedKeyToken).
    WSSecEncryptedKey keyBuilder = getEncryptedKeyBuilder(token);
    assertPolicy(wrapper);
    Element bst = keyBuilder.getBinarySecurityTokenElement();
    if (bst != null) {
        addTopDownElement(bst);
    }
    keyBuilder.appendToHeader();

    WSSecDKSign derivedSig = new WSSecDKSign(secHeader);
    derivedSig.setIdAllocator(wssConfig.getIdAllocator());
    derivedSig.setCallbackLookup(callbackLookup);
    if (token.getVersion() == SPConstants.SPVersion.SP11) {
        // SP 1.1 pairs with the older WS-SecureConversation namespace.
        derivedSig.setWscVersion(ConversationConstants.VERSION_05_02);
    }
    derivedSig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
    derivedSig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    derivedSig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
    derivedSig.setStoreBytesInAttachment(storeBytesInAttachment);
    derivedSig.setExpandXopInclude(isExpandXopInclude());
    derivedSig.setWsDocInfo(wsDocInfo);

    // The suite states the derived key length in bits; WSS4J expects bytes.
    AlgorithmSuiteType suite = binding.getAlgorithmSuite().getAlgorithmSuiteType();
    derivedSig.setDerivedKeyLength(suite.getSignatureDerivedKeyLength() / 8);
    derivedSig.setExternalKey(keyBuilder.getEphemeralKey(), keyBuilder.getId());
    derivedSig.prepare();

    derivedSig.getParts().addAll(partsToSign);
    List<Reference> refs = derivedSig.addReferencesToSign(partsToSign);
    // The DerivedKeyToken must be in the header before the signature that uses it is computed.
    derivedSig.appendDKElementToHeader();
    derivedSig.computeSignature(refs, false, null);
    return derivedSig.getSignatureValue();
}

Example 4 with WSSecEncryptedKey

use of org.apache.wss4j.dom.message.WSSecEncryptedKey in project cxf by apache.

the class AbstractSAMLCallbackHandler method createKeyInfo.

/**
 * Produces the KeyInfo bean for the SAML subject confirmation.
 *
 * <p>An attribute statement gets a generated symmetric key wrapped for {@code certs[0]} and
 * embedded as {@code xenc:EncryptedKey} within a {@code ds:KeyInfo}; an authentication
 * statement simply references the certificate. Other statement types leave the bean empty.</p>
 *
 * @return the populated {@link KeyInfoBean}
 * @throws Exception on DOM construction or key-wrapping failures
 */
protected KeyInfoBean createKeyInfo() throws Exception {
    KeyInfoBean result = new KeyInfoBean();
    if (statement == Statement.AUTHN) {
        result.setCertificate(certs[0]);
        result.setCertIdentifer(certIdentifier);
        return result;
    }
    if (statement != Statement.ATTR) {
        return result;
    }

    // Fresh namespace-aware document to own the EncryptedKey. No XML is parsed here, so
    // parser hardening against external entities does not apply to this factory.
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    Document doc = dbf.newDocumentBuilder().newDocument();

    // Wrap a new symmetric key for the supplied certificate, identified by its X.509
    // key identifier (SKI). prepare(null) means no Crypto lookup: the certificate in
    // certs[0] is used as-is and must already be trusted by the caller.
    WSSecEncryptedKey wrapper = new WSSecEncryptedKey(doc);
    wrapper.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
    wrapper.setUseThisCert(certs[0]);
    wrapper.prepare(null);
    // Retain the plaintext key in a field for use elsewhere in the handler.
    ephemeralKey = wrapper.getEphemeralKey();
    Element encryptedKey = wrapper.getEncryptedKeyElement();

    // Build ds:KeyInfo with its own namespace declaration and nest the EncryptedKey inside.
    Element keyInfoElement = doc.createElementNS(
        WSS4JConstants.SIG_NS, WSS4JConstants.SIG_PREFIX + ":" + WSS4JConstants.KEYINFO_LN);
    keyInfoElement.setAttributeNS(
        WSS4JConstants.XMLNS_NS, "xmlns:" + WSS4JConstants.SIG_PREFIX, WSS4JConstants.SIG_NS);
    keyInfoElement.appendChild(encryptedKey);
    result.setElement(keyInfoElement);
    return result;
}

Example 5 with WSSecEncryptedKey

use of org.apache.wss4j.dom.message.WSSecEncryptedKey in project cxf by apache.

the class AbstractOperation method encryptSecret.

/**
 * Wraps {@code secret} for the configured encryption certificate and returns the resulting
 * {@code xenc:EncryptedKey} DOM element.
 *
 * <p>The recipient alias is taken from {@code encryptionProperties}, falling back to the
 * STS-wide encryption username; having neither is a configuration error. The key-wrap
 * algorithm requested by the client is honoured only if it appears in the configured list of
 * accepted algorithms; otherwise the configured default is used (logged at FINE), so a client
 * cannot steer the STS onto an algorithm the operator has not enabled. When the client requests
 * nothing, the configured default is used without consulting the accepted list.</p>
 *
 * @param secret               the symmetric key material to wrap
 * @param encryptionProperties alias, key identifier type and key-wrap configuration for this request
 * @param keyRequirements      the client's key requirements, which may name a key-wrap algorithm
 * @return the EncryptedKey element, owned by a new empty document
 * @throws WSSecurityException propagated from WSS4J if the key cannot be wrapped
 * @throws STSException if no encryption alias is configured
 */
protected Element encryptSecret(byte[] secret, EncryptionProperties encryptionProperties, KeyRequirements keyRequirements) throws WSSecurityException {
    String alias = encryptionProperties.getEncryptionName();
    if (alias == null) {
        alias = stsProperties.getEncryptionUsername();
        if (alias == null) {
            throw new STSException("No encryption alias is configured", STSException.REQUEST_FAILED);
        }
    }

    // Negotiate the key-wrap algorithm: client request wins only if it is on the accepted list.
    String keyWrapAlgorithm = keyRequirements.getKeywrapAlgorithm();
    if (keyWrapAlgorithm == null) {
        keyWrapAlgorithm = encryptionProperties.getKeyWrapAlgorithm();
    } else if (!encryptionProperties.getAcceptedKeyWrapAlgorithms().contains(keyWrapAlgorithm)) {
        // Unsupported request: silently fall back to the configured default rather than fail.
        keyWrapAlgorithm = encryptionProperties.getKeyWrapAlgorithm();
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("KeyWrapAlgorithm not supported, defaulting to: " + keyWrapAlgorithm);
        }
    }

    // The recipient certificate is resolved by alias from the STS encryption Crypto.
    WSSecEncryptedKey encryptedKey = new WSSecEncryptedKey(DOMUtils.getEmptyDocument());
    encryptedKey.setUserInfo(alias);
    encryptedKey.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
    encryptedKey.setEphemeralKey(secret);
    encryptedKey.setKeyEncAlgo(keyWrapAlgorithm);
    encryptedKey.prepare(stsProperties.getEncryptionCrypto());
    return encryptedKey.getEncryptedKeyElement();
}
