Search in sources :

Example 1 with AbstractToken

use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.

the class StaxAsymmetricBindingHandler method doEncryption.

private void doEncryption(AbstractTokenWrapper recToken, List<SecurePart> encrParts, boolean externalRef) throws SOAPException {
    // Do encryption
    if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
        AbstractToken encrToken = recToken.getToken();
        AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
        // Action
        WSSSecurityProperties properties = getProperties();
        WSSConstants.Action actionToPerform = XMLSecurityConstants.ENCRYPT;
        if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
            actionToPerform = WSSConstants.ENCRYPT_WITH_DERIVED_KEY;
        }
        properties.addAction(actionToPerform);
        properties.getEncryptionSecureParts().addAll(encrParts);
        properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken));
        // Find out do we also need to include the token as per the Inclusion requirement
        WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getEncryptionKeyIdentifier();
        if (encrToken instanceof X509Token && isTokenRequired(encrToken.getIncludeTokenType()) && (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(keyIdentifier))) {
            properties.setIncludeEncryptionToken(true);
        } else {
            properties.setIncludeEncryptionToken(false);
        }
        properties.setEncryptionKeyTransportAlgorithm(algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap());
        properties.setEncryptionSymAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
        properties.setEncryptionKeyTransportDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
        properties.setEncryptionKeyTransportMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
        String encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
        if (encUser == null) {
            encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
        }
        if (encUser != null && properties.getEncryptionUser() == null) {
            properties.setEncryptionUser(encUser);
        }
        if (ConfigurationConstants.USE_REQ_SIG_CERT.equals(encUser)) {
            properties.setUseReqSigCertForEncryption(true);
        }
        // 
        if (!isRequestor() && recToken.getToken() instanceof IssuedToken) {
            properties.setUseReqSigCertForEncryption(true);
        }
    }
}
Also used : AlgorithmSuite(org.apache.wss4j.policy.model.AlgorithmSuite) WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) WSSConstants(org.apache.wss4j.stax.ext.WSSConstants) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) WSSecurityTokenConstants(org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants)

Example 2 with AbstractToken

use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.

the class StaxSymmetricBindingHandler method doSignature.

private void doSignature(AbstractTokenWrapper wrapper, AbstractToken policyToken, SecurityToken tok, List<SecurePart> sigParts) throws WSSecurityException, SOAPException {
    // Action
    WSSSecurityProperties properties = getProperties();
    WSSConstants.Action actionToPerform = XMLSecurityConstants.SIGNATURE;
    if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        actionToPerform = WSSConstants.SIGNATURE_WITH_DERIVED_KEY;
        if (MessageUtils.isRequestor(message) && policyToken instanceof X509Token) {
            properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.EncryptedKey);
        } else {
            properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.DirectReference);
        }
        AlgorithmSuiteType algSuiteType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setDerivedSignatureKeyLength(algSuiteType.getSignatureDerivedKeyLength() / 8);
    }
    if (policyToken.getVersion() == SPConstants.SPVersion.SP12) {
        properties.setUse200512Namespace(true);
    }
    List<WSSConstants.Action> actionList = properties.getActions();
    // Add a Signature directly before Kerberos, otherwise just append it
    boolean actionAdded = false;
    for (int i = 0; i < actionList.size(); i++) {
        WSSConstants.Action action = actionList.get(i);
        if (action.equals(WSSConstants.KERBEROS_TOKEN)) {
            actionList.add(i, actionToPerform);
            actionAdded = true;
            break;
        }
    }
    if (!actionAdded) {
        actionList.add(actionToPerform);
    }
    properties.getSignatureSecureParts().addAll(sigParts);
    AbstractToken sigToken = wrapper.getToken();
    if (sbinding.isProtectTokens() && sigToken instanceof X509Token && isRequestor()) {
        SecurePart securePart = new SecurePart(new QName(XMLSecurityConstants.NS_XMLENC, "EncryptedKey"), Modifier.Element);
        properties.addSignaturePart(securePart);
    }
    configureSignature(sigToken, false);
    if (policyToken instanceof X509Token) {
        properties.setIncludeSignatureToken(false);
        if (isRequestor()) {
            properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_EncryptedKey);
        } else {
            properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
            if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
                properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
            }
        }
    } else if (policyToken instanceof KerberosToken) {
        if (isRequestor()) {
            properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
        } else {
            if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
            } else {
                properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
            }
            properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
        }
    } else if (policyToken instanceof IssuedToken || policyToken instanceof SecurityContextToken || policyToken instanceof SecureConversationToken || policyToken instanceof SpnegoContextToken) {
        if (!isRequestor()) {
            properties.setIncludeSignatureToken(false);
        } else {
            properties.setIncludeSignatureToken(true);
        }
        properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
    }
    if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        properties.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
    }
}
Also used : WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) WSSConstants(org.apache.wss4j.stax.ext.WSSConstants) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) QName(javax.xml.namespace.QName) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SecurePart(org.apache.xml.security.stax.ext.SecurePart) X509Token(org.apache.wss4j.policy.model.X509Token) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)

Example 3 with AbstractToken

use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.

the class StaxSymmetricBindingHandler method doEncryption.

private void doEncryption(AbstractTokenWrapper recToken, List<SecurePart> encrParts, boolean externalRef) throws SOAPException {
    // Do encryption
    if (recToken != null && recToken.getToken() != null) {
        AbstractToken encrToken = recToken.getToken();
        AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
        // Action
        WSSSecurityProperties properties = getProperties();
        WSSConstants.Action actionToPerform = XMLSecurityConstants.ENCRYPT;
        if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
            actionToPerform = WSSConstants.ENCRYPT_WITH_DERIVED_KEY;
            if (MessageUtils.isRequestor(message) && recToken.getToken() instanceof X509Token) {
                properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.EncryptedKey);
            } else {
                properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.DirectReference);
            }
            AlgorithmSuiteType algSuiteType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
            properties.setDerivedEncryptionKeyLength(algSuiteType.getEncryptionDerivedKeyLength() / 8);
        }
        if (recToken.getVersion() == SPConstants.SPVersion.SP12) {
            properties.setUse200512Namespace(true);
        }
        properties.getEncryptionSecureParts().addAll(encrParts);
        properties.addAction(actionToPerform);
        if (isRequestor()) {
            properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken));
            properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
        } else if (recToken.getToken() instanceof KerberosToken && !isRequestor()) {
            properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
            properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
            if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
            }
        } else if ((recToken.getToken() instanceof IssuedToken || recToken.getToken() instanceof SecureConversationToken || recToken.getToken() instanceof SpnegoContextToken) && !isRequestor()) {
            properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
        } else {
            properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
            if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
                properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
                properties.setEncryptSymmetricEncryptionKey(false);
            }
        }
        // Find out do we also need to include the token as per the Inclusion requirement
        WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getEncryptionKeyIdentifier();
        if (encrToken instanceof X509Token && isTokenRequired(encrToken.getIncludeTokenType()) && (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(keyIdentifier))) {
            properties.setIncludeEncryptionToken(true);
        } else {
            properties.setIncludeEncryptionToken(false);
        }
        properties.setEncryptionKeyTransportAlgorithm(algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap());
        properties.setEncryptionSymAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
        properties.setEncryptionKeyTransportDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
        properties.setEncryptionKeyTransportMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
        String encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
        if (encUser == null) {
            encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
        }
        if (encUser != null && properties.getEncryptionUser() == null) {
            properties.setEncryptionUser(encUser);
        }
        if (ConfigurationConstants.USE_REQ_SIG_CERT.equals(encUser)) {
            properties.setUseReqSigCertForEncryption(true);
        }
        if (encrToken instanceof KerberosToken || encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken || encrToken instanceof SecurityContextToken || encrToken instanceof SecureConversationToken) {
            properties.setEncryptSymmetricEncryptionKey(false);
        }
    }
}
Also used : WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) WSSConstants(org.apache.wss4j.stax.ext.WSSConstants) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) WSSecurityTokenConstants(org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) AlgorithmSuite(org.apache.wss4j.policy.model.AlgorithmSuite) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)

Example 4 with AbstractToken

use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.

the class SymmetricBindingHandler method doEncryption.

private WSSecBase doEncryption(AbstractTokenWrapper recToken, SecurityToken encrTok, boolean attached, List<WSEncryptionPart> encrParts, boolean atEnd) {
    // Do encryption
    if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
        AbstractToken encrToken = recToken.getToken();
        assertPolicy(recToken);
        assertPolicy(encrToken);
        AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
        if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
            return doEncryptionDerived(recToken, encrTok, encrToken, attached, encrParts, atEnd);
        }
        try {
            WSSecEncrypt encr = new WSSecEncrypt(secHeader);
            encr.setEncryptionSerializer(new StaxSerializer());
            encr.setIdAllocator(wssConfig.getIdAllocator());
            encr.setCallbackLookup(callbackLookup);
            encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
            encr.setStoreBytesInAttachment(storeBytesInAttachment);
            encr.setExpandXopInclude(isExpandXopInclude());
            encr.setWsDocInfo(wsDocInfo);
            String encrTokId = encrTok.getId();
            if (attached) {
                encrTokId = encrTok.getWsuId();
                if (encrTokId == null && (encrToken instanceof SecureConversationToken || encrToken instanceof SecurityContextToken)) {
                    encr.setEncKeyIdDirectId(true);
                    encrTokId = encrTok.getId();
                } else if (encrTokId == null) {
                    encrTokId = encrTok.getId();
                }
                if (encrTokId.startsWith("#")) {
                    encrTokId = encrTokId.substring(1);
                }
            } else {
                encr.setEncKeyIdDirectId(true);
            }
            if (encrTok.getTokenType() != null) {
                encr.setCustomReferenceValue(encrTok.getTokenType());
            }
            encr.setEncKeyId(encrTokId);
            encr.setEphemeralKey(encrTok.getSecret());
            Crypto crypto = getEncryptionCrypto();
            if (crypto != null) {
                setEncryptionUser(encr, encrToken, false, crypto);
            }
            encr.setEncryptSymmKey(false);
            encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
            encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
            encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
            if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken || encrToken instanceof SecureConversationToken) {
                // Setting the AttachedReference or the UnattachedReference according to the flag
                Element ref;
                if (attached) {
                    ref = encrTok.getAttachedReference();
                } else {
                    ref = encrTok.getUnattachedReference();
                }
                String tokenType = encrTok.getTokenType();
                if (ref != null) {
                    SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
                    encr.setSecurityTokenReference(secRef);
                } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
                    encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
                    encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                } else {
                    encr.setCustomReferenceValue(tokenType);
                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                }
            } else if (encrToken instanceof UsernameToken) {
                encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
            } else if (encrToken instanceof KerberosToken && !isRequestor()) {
                encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
                encr.setEncKeyId(encrTok.getSHA1());
            } else if (!isRequestor() && encrTok.getSHA1() != null) {
                encr.setCustomReferenceValue(encrTok.getSHA1());
                encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
            }
            encr.prepare(crypto);
            if (encr.getBSTTokenId() != null) {
                encr.prependBSTElementToHeader();
            }
            Element refList = encr.encryptForRef(null, encrParts);
            List<Element> attachments = encr.getAttachmentEncryptedDataElements();
            addAttachmentsForEncryption(atEnd, refList, attachments);
            return encr;
        } catch (WSSecurityException e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            unassertPolicy(recToken, e);
        }
    }
    return null;
}
Also used : WSSecEncrypt(org.apache.wss4j.dom.message.WSSecEncrypt) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) AlgorithmSuite(org.apache.wss4j.policy.model.AlgorithmSuite) StaxSerializer(org.apache.cxf.ws.security.wss4j.StaxSerializer) Crypto(org.apache.wss4j.common.crypto.Crypto) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)

Example 5 with AbstractToken

use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.

the class AsymmetricBindingHandler method doSignBeforeEncrypt.

private void doSignBeforeEncrypt() {
    try {
        AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
        if (initiatorWrapper == null) {
            initiatorWrapper = abinding.getInitiatorToken();
        }
        assertTokenWrapper(initiatorWrapper);
        boolean attached = false;
        if (initiatorWrapper != null) {
            AbstractToken initiatorToken = initiatorWrapper.getToken();
            if (initiatorToken instanceof IssuedToken) {
                SecurityToken secToken = getSecurityToken();
                if (secToken == null) {
                    unassertPolicy(initiatorToken, "Security token is not found or expired");
                    return;
                } else if (isTokenRequired(initiatorToken.getIncludeTokenType())) {
                    Element el = secToken.getToken();
                    this.addEncryptedKeyElement(cloneElement(el));
                    attached = true;
                }
            } else if (initiatorToken instanceof SamlToken && isRequestor()) {
                SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) initiatorToken);
                if (assertionWrapper != null && isTokenRequired(initiatorToken.getIncludeTokenType())) {
                    Element envelope = saaj.getSOAPPart().getEnvelope();
                    envelope = (Element) DOMUtils.getDomElement(envelope);
                    addSupportingElement(assertionWrapper.toDOM(envelope.getOwnerDocument()));
                    storeAssertionAsSecurityToken(assertionWrapper);
                }
            } else if (initiatorToken instanceof SamlToken) {
                String tokenId = getSAMLToken();
                if (tokenId == null) {
                    unassertPolicy(initiatorToken, "Security token is not found or expired");
                    return;
                }
            }
            assertToken(initiatorToken);
        }
        // Add timestamp
        List<WSEncryptionPart> sigs = new ArrayList<>();
        if (timestampEl != null) {
            WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
            sigs.add(timestampPart);
        }
        addSupportingTokens(sigs);
        sigs.addAll(this.getSignedParts(null));
        if (isRequestor() && initiatorWrapper != null) {
            doSignature(initiatorWrapper, sigs, attached);
            doEndorse();
        } else if (!isRequestor()) {
            // confirm sig
            addSignatureConfirmation(sigs);
            AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
            if (recipientSignatureToken == null) {
                recipientSignatureToken = abinding.getRecipientToken();
            }
            if (recipientSignatureToken != null) {
                assertTokenWrapper(recipientSignatureToken);
                assertToken(recipientSignatureToken.getToken());
                doSignature(recipientSignatureToken, sigs, attached);
            }
        }
        List<WSEncryptionPart> enc = getEncryptedParts();
        // Check for signature protection
        if (abinding.isEncryptSignature()) {
            if (mainSigId != null) {
                WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
                sigPart.setElement(bottomUpElement);
                enc.add(sigPart);
            }
            if (sigConfList != null && !sigConfList.isEmpty()) {
                enc.addAll(sigConfList);
            }
            assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
        }
        // Do encryption
        AbstractTokenWrapper encToken;
        if (isRequestor()) {
            enc.addAll(encryptedTokensList);
            encToken = abinding.getRecipientEncryptionToken();
            if (encToken == null) {
                encToken = abinding.getRecipientToken();
            }
        } else {
            encToken = abinding.getInitiatorEncryptionToken();
            if (encToken == null) {
                encToken = abinding.getInitiatorToken();
            }
        }
        if (encToken != null) {
            if (encToken.getToken() != null && !enc.isEmpty()) {
                final WSSecBase encr;
                if (encToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                    encr = doEncryptionDerived(encToken, enc);
                } else {
                    String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
                    KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
                    SecretKey symmetricKey = keyGen.generateKey();
                    encr = doEncryption(encToken, enc, false, symmetricKey);
                }
                encr.clean();
            }
            assertTokenWrapper(encToken);
            assertToken(encToken.getToken());
        }
    } catch (Exception e) {
        String reason = e.getMessage();
        LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason);
        LOG.log(Level.FINE, e.getMessage(), e);
        throw new Fault(e);
    }
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) SamlToken(org.apache.wss4j.policy.model.SamlToken) QName(javax.xml.namespace.QName) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) Fault(org.apache.cxf.interceptor.Fault) SOAPException(javax.xml.soap.SOAPException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) InvalidCanonicalizerException(org.apache.xml.security.c14n.InvalidCanonicalizerException) TokenStoreException(org.apache.cxf.ws.security.tokenstore.TokenStoreException) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) WSSecBase(org.apache.wss4j.dom.message.WSSecBase) SecretKey(javax.crypto.SecretKey) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) AbstractTokenWrapper(org.apache.wss4j.policy.model.AbstractTokenWrapper) KeyGenerator(javax.crypto.KeyGenerator)

Aggregations

AbstractToken (org.apache.wss4j.policy.model.AbstractToken)42 IssuedToken (org.apache.wss4j.policy.model.IssuedToken)29 X509Token (org.apache.wss4j.policy.model.X509Token)23 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)21 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)21 SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)20 SamlToken (org.apache.wss4j.policy.model.SamlToken)18 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)17 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)16 Element (org.w3c.dom.Element)14 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)13 QName (javax.xml.namespace.QName)12 SOAPException (javax.xml.soap.SOAPException)12 AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)12 Fault (org.apache.cxf.interceptor.Fault)11 SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)11 SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)11 WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)11 TokenStoreException (org.apache.cxf.ws.security.tokenstore.TokenStoreException)10 AlgorithmSuite (org.apache.wss4j.policy.model.AlgorithmSuite)9