Search in sources :

Example 6 with WSSecEncryptedKey

use of org.apache.wss4j.dom.message.WSSecEncryptedKey in project cxf by apache.

the class DefaultSubjectProvider method createEncryptedKeyKeyInfo.

/**
 * Create an EncryptedKey KeyInfo.
 */
protected static KeyInfoBean createEncryptedKeyKeyInfo(X509Certificate certificate, byte[] secret, Document doc, EncryptionProperties encryptionProperties, Crypto encryptionCrypto) throws WSSecurityException {
    KeyInfoBean keyInfo = new KeyInfoBean();
    // Create an EncryptedKey
    WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
    encrKey.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
    encrKey.setEphemeralKey(secret);
    encrKey.setSymmetricEncAlgorithm(encryptionProperties.getEncryptionAlgorithm());
    encrKey.setUseThisCert(certificate);
    encrKey.setKeyEncAlgo(encryptionProperties.getKeyWrapAlgorithm());
    encrKey.prepare(encryptionCrypto);
    Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
    // Append the EncryptedKey to a KeyInfo element
    Element keyInfoElement = doc.createElementNS(WSS4JConstants.SIG_NS, WSS4JConstants.SIG_PREFIX + ":" + WSS4JConstants.KEYINFO_LN);
    keyInfoElement.setAttributeNS(WSS4JConstants.XMLNS_NS, "xmlns:" + WSS4JConstants.SIG_PREFIX, WSS4JConstants.SIG_NS);
    keyInfoElement.appendChild(encryptedKeyElement);
    keyInfo.setElement(keyInfoElement);
    return keyInfo;
}
Also used : KeyInfoBean(org.apache.wss4j.common.saml.bean.KeyInfoBean) WSSecEncryptedKey(org.apache.wss4j.dom.message.WSSecEncryptedKey) Element(org.w3c.dom.Element)

Example 7 with WSSecEncryptedKey

use of org.apache.wss4j.dom.message.WSSecEncryptedKey in project cxf by apache.

the class SymmetricBindingHandler method setupEncryptedKey.

private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken) throws WSSecurityException {
    WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken);
    assertTokenWrapper(wrapper);
    String id = encrKey.getId();
    byte[] secret = encrKey.getEphemeralKey();
    Instant created = Instant.now();
    Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
    SecurityToken tempTok = new SecurityToken(id, encrKey.getEncryptedKeyElement(), created, expires);
    tempTok.setSecret(secret);
    // Set the SHA1 value of the encrypted key, this is used when the encrypted
    // key is referenced via a key identifier of type EncryptedKeySHA1
    tempTok.setSHA1(getSHA1(encrKey.getEncryptedEphemeralKey()));
    tokenStore.add(tempTok);
    // Create another cache entry with the SHA1 Identifier as the key for easy retrieval
    tokenStore.add(tempTok.getSHA1(), tempTok);
    String bstTokenId = encrKey.getBSTTokenId();
    // then add the cert to the sec header now
    if (bstTokenId != null && bstTokenId.length() > 0) {
        encrKey.prependBSTElementToHeader();
    }
    return id;
}
Also used : SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) WSSecEncryptedKey(org.apache.wss4j.dom.message.WSSecEncryptedKey) Instant(java.time.Instant)

Example 8 with WSSecEncryptedKey

use of org.apache.wss4j.dom.message.WSSecEncryptedKey in project cxf by apache.

the class IssueSamlUnitTest method testIssueSaml2SymmetricKeyTokenEncryptedKey.

/**
 * Test to successfully issue a Saml2 SymmetricKey token. Rather than using a Nonce as the Entropy,
 * a secret key is supplied by the client instead in an EncryptedKey structure.
 */
@org.junit.Test
public void testIssueSaml2SymmetricKeyTokenEncryptedKey() throws Exception {
    TokenIssueOperation issueOperation = new TokenIssueOperation();
    // Add Token Provider
    List<TokenProvider> providerList = new ArrayList<>();
    providerList.add(new SAMLTokenProvider());
    issueOperation.setTokenProviders(providerList);
    // Add Service
    ServiceMBean service = new StaticService();
    service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
    issueOperation.setServices(Collections.singletonList(service));
    // Add STSProperties object
    STSPropertiesMBean stsProperties = new StaticSTSProperties();
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    stsProperties.setEncryptionCrypto(crypto);
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setSignatureUsername("mystskey");
    stsProperties.setCallbackHandler(new PasswordCallbackHandler());
    stsProperties.setIssuer("STS");
    issueOperation.setStsProperties(stsProperties);
    // Mock up a request
    RequestSecurityTokenType request = new RequestSecurityTokenType();
    JAXBElement<String> tokenType = new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class, WSS4JConstants.WSS_SAML2_TOKEN_TYPE);
    request.getAny().add(tokenType);
    JAXBElement<String> keyType = new JAXBElement<String>(QNameConstants.KEY_TYPE, String.class, STSConstants.SYMMETRIC_KEY_KEYTYPE);
    request.getAny().add(keyType);
    request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    Principal principal = new CustomTokenPrincipal("alice");
    msgCtx.put(SecurityContext.class.getName(), createSecurityContext(principal));
    // Now add Entropy
    Document doc = DOMUtils.createDocument();
    WSSecEncryptedKey builder = new WSSecEncryptedKey(doc);
    builder.setUserInfo("mystskey");
    builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
    builder.setKeyEncAlgo(WSS4JConstants.KEYTRANSPORT_RSAOAEP);
    builder.prepare(stsProperties.getSignatureCrypto());
    Element encryptedKeyElement = builder.getEncryptedKeyElement();
    byte[] secret = builder.getEphemeralKey();
    EntropyType entropyType = new EntropyType();
    entropyType.getAny().add(encryptedKeyElement);
    JAXBElement<EntropyType> entropyJaxbType = new JAXBElement<EntropyType>(QNameConstants.ENTROPY, EntropyType.class, entropyType);
    request.getAny().add(entropyJaxbType);
    RequestSecurityTokenResponseCollectionType response = issueOperation.issue(request, principal, msgCtx);
    List<RequestSecurityTokenResponseType> securityTokenResponse = response.getRequestSecurityTokenResponse();
    assertTrue(!securityTokenResponse.isEmpty());
    // Test the generated token.
    Element assertion = null;
    for (Object tokenObject : securityTokenResponse.get(0).getAny()) {
        if (tokenObject instanceof JAXBElement<?> && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>) tokenObject).getName())) {
            RequestedSecurityTokenType rstType = (RequestedSecurityTokenType) ((JAXBElement<?>) tokenObject).getValue();
            assertion = (Element) rstType.getAny();
        }
    }
    assertNotNull(assertion);
    String tokenString = DOM2Writer.nodeToString(assertion);
    assertTrue(tokenString.contains("AttributeStatement"));
    assertTrue(tokenString.contains("alice"));
    assertFalse(tokenString.contains(SAML2Constants.CONF_BEARER));
    assertTrue(tokenString.contains(SAML2Constants.CONF_HOLDER_KEY));
    // Test that the (encrypted) secret sent in Entropy was used in the SAML Subject KeyInfo
    SamlAssertionWrapper assertionWrapper = new SamlAssertionWrapper(assertion);
    RequestData data = new RequestData();
    Properties properties = new Properties();
    properties.put("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
    properties.put("org.apache.wss4j.crypto.merlin.keystore.password", "sspass");
    properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "keys/servicestore.jks");
    data.setDecCrypto(CryptoFactory.getInstance(properties));
    data.setCallbackHandler(new PasswordCallbackHandler());
    data.setWssConfig(WSSConfig.getNewInstance());
    data.setWsDocInfo(new WSDocInfo(assertion.getOwnerDocument()));
    assertionWrapper.parseSubject(new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto(), data.getCallbackHandler());
    SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
    assertTrue(Arrays.equals(secret, samlKeyInfo.getSecret()));
}
Also used : WSSecEncryptedKey(org.apache.wss4j.dom.message.WSSecEncryptedKey) ServiceMBean(org.apache.cxf.sts.service.ServiceMBean) RequestSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType) JAXBElement(javax.xml.bind.JAXBElement) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties) RequestedSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType) StaticService(org.apache.cxf.sts.service.StaticService) Document(org.w3c.dom.Document) RequestSecurityTokenResponseCollectionType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) SignatureProperties(org.apache.cxf.sts.SignatureProperties) StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties) Properties(java.util.Properties) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) EntropyType(org.apache.cxf.ws.security.sts.provider.model.EntropyType) RequestData(org.apache.wss4j.dom.handler.RequestData) PasswordCallbackHandler(org.apache.cxf.sts.common.PasswordCallbackHandler) WSDocInfo(org.apache.wss4j.dom.WSDocInfo) JAXBElement(javax.xml.bind.JAXBElement) Crypto(org.apache.wss4j.common.crypto.Crypto) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext) SecurityContext(org.apache.cxf.security.SecurityContext) MessageImpl(org.apache.cxf.message.MessageImpl) WSSSAMLKeyInfoProcessor(org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) Principal(java.security.Principal)

Aggregations

WSSecEncryptedKey (org.apache.wss4j.dom.message.WSSecEncryptedKey)8 Element (org.w3c.dom.Element)5 Document (org.w3c.dom.Document)4 KeyInfoBean (org.apache.wss4j.common.saml.bean.KeyInfoBean)3 DocumentBuilder (javax.xml.parsers.DocumentBuilder)2 DocumentBuilderFactory (javax.xml.parsers.DocumentBuilderFactory)2 AttachmentCallbackHandler (org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)2 Crypto (org.apache.wss4j.common.crypto.Crypto)2 AlgorithmSuiteType (org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)2 Principal (java.security.Principal)1 X509Certificate (java.security.cert.X509Certificate)1 Instant (java.time.Instant)1 ArrayList (java.util.ArrayList)1 Properties (java.util.Properties)1 JAXBElement (javax.xml.bind.JAXBElement)1 Reference (javax.xml.crypto.dsig.Reference)1 WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)1 MessageImpl (org.apache.cxf.message.MessageImpl)1 SecurityContext (org.apache.cxf.security.SecurityContext)1 STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)1