use of org.apache.wss4j.policy.model.AlgorithmSuite in project cxf by apache.
the class StaxAsymmetricBindingHandler method doEncryption.
private void doEncryption(AbstractTokenWrapper recToken, List<SecurePart> encrParts, boolean externalRef) throws SOAPException {
// Do encryption
if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
AbstractToken encrToken = recToken.getToken();
AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
// Action
WSSSecurityProperties properties = getProperties();
WSSConstants.Action actionToPerform = XMLSecurityConstants.ENCRYPT;
if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
actionToPerform = WSSConstants.ENCRYPT_WITH_DERIVED_KEY;
}
properties.addAction(actionToPerform);
properties.getEncryptionSecureParts().addAll(encrParts);
properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken));
// Find out do we also need to include the token as per the Inclusion requirement
WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getEncryptionKeyIdentifier();
if (encrToken instanceof X509Token && isTokenRequired(encrToken.getIncludeTokenType()) && (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(keyIdentifier))) {
properties.setIncludeEncryptionToken(true);
} else {
properties.setIncludeEncryptionToken(false);
}
properties.setEncryptionKeyTransportAlgorithm(algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap());
properties.setEncryptionSymAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
properties.setEncryptionKeyTransportDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
properties.setEncryptionKeyTransportMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
String encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
if (encUser == null) {
encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
}
if (encUser != null && properties.getEncryptionUser() == null) {
properties.setEncryptionUser(encUser);
}
if (ConfigurationConstants.USE_REQ_SIG_CERT.equals(encUser)) {
properties.setUseReqSigCertForEncryption(true);
}
//
if (!isRequestor() && recToken.getToken() instanceof IssuedToken) {
properties.setUseReqSigCertForEncryption(true);
}
}
}
use of org.apache.wss4j.policy.model.AlgorithmSuite in project cxf by apache.
the class StaxSymmetricBindingHandler method doEncryption.
private void doEncryption(AbstractTokenWrapper recToken, List<SecurePart> encrParts, boolean externalRef) throws SOAPException {
// Do encryption
if (recToken != null && recToken.getToken() != null) {
AbstractToken encrToken = recToken.getToken();
AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
// Action
WSSSecurityProperties properties = getProperties();
WSSConstants.Action actionToPerform = XMLSecurityConstants.ENCRYPT;
if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
actionToPerform = WSSConstants.ENCRYPT_WITH_DERIVED_KEY;
if (MessageUtils.isRequestor(message) && recToken.getToken() instanceof X509Token) {
properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.EncryptedKey);
} else {
properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.DirectReference);
}
AlgorithmSuiteType algSuiteType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setDerivedEncryptionKeyLength(algSuiteType.getEncryptionDerivedKeyLength() / 8);
}
if (recToken.getVersion() == SPConstants.SPVersion.SP12) {
properties.setUse200512Namespace(true);
}
properties.getEncryptionSecureParts().addAll(encrParts);
properties.addAction(actionToPerform);
if (isRequestor()) {
properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken));
properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
} else if (recToken.getToken() instanceof KerberosToken && !isRequestor()) {
properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
}
} else if ((recToken.getToken() instanceof IssuedToken || recToken.getToken() instanceof SecureConversationToken || recToken.getToken() instanceof SpnegoContextToken) && !isRequestor()) {
properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
} else {
properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
properties.setEncryptSymmetricEncryptionKey(false);
}
}
// Find out do we also need to include the token as per the Inclusion requirement
WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getEncryptionKeyIdentifier();
if (encrToken instanceof X509Token && isTokenRequired(encrToken.getIncludeTokenType()) && (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(keyIdentifier))) {
properties.setIncludeEncryptionToken(true);
} else {
properties.setIncludeEncryptionToken(false);
}
properties.setEncryptionKeyTransportAlgorithm(algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap());
properties.setEncryptionSymAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
properties.setEncryptionKeyTransportDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
properties.setEncryptionKeyTransportMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
String encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
if (encUser == null) {
encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
}
if (encUser != null && properties.getEncryptionUser() == null) {
properties.setEncryptionUser(encUser);
}
if (ConfigurationConstants.USE_REQ_SIG_CERT.equals(encUser)) {
properties.setUseReqSigCertForEncryption(true);
}
if (encrToken instanceof KerberosToken || encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken || encrToken instanceof SecurityContextToken || encrToken instanceof SecureConversationToken) {
properties.setEncryptSymmetricEncryptionKey(false);
}
}
}
use of org.apache.wss4j.policy.model.AlgorithmSuite in project cxf by apache.
the class SymmetricBindingHandler method doEncryption.
private WSSecBase doEncryption(AbstractTokenWrapper recToken, SecurityToken encrTok, boolean attached, List<WSEncryptionPart> encrParts, boolean atEnd) {
// Do encryption
if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
AbstractToken encrToken = recToken.getToken();
assertPolicy(recToken);
assertPolicy(encrToken);
AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
return doEncryptionDerived(recToken, encrTok, encrToken, attached, encrParts, atEnd);
}
try {
WSSecEncrypt encr = new WSSecEncrypt(secHeader);
encr.setEncryptionSerializer(new StaxSerializer());
encr.setIdAllocator(wssConfig.getIdAllocator());
encr.setCallbackLookup(callbackLookup);
encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
encr.setStoreBytesInAttachment(storeBytesInAttachment);
encr.setExpandXopInclude(isExpandXopInclude());
encr.setWsDocInfo(wsDocInfo);
String encrTokId = encrTok.getId();
if (attached) {
encrTokId = encrTok.getWsuId();
if (encrTokId == null && (encrToken instanceof SecureConversationToken || encrToken instanceof SecurityContextToken)) {
encr.setEncKeyIdDirectId(true);
encrTokId = encrTok.getId();
} else if (encrTokId == null) {
encrTokId = encrTok.getId();
}
if (encrTokId.startsWith("#")) {
encrTokId = encrTokId.substring(1);
}
} else {
encr.setEncKeyIdDirectId(true);
}
if (encrTok.getTokenType() != null) {
encr.setCustomReferenceValue(encrTok.getTokenType());
}
encr.setEncKeyId(encrTokId);
encr.setEphemeralKey(encrTok.getSecret());
Crypto crypto = getEncryptionCrypto();
if (crypto != null) {
setEncryptionUser(encr, encrToken, false, crypto);
}
encr.setEncryptSymmKey(false);
encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken || encrToken instanceof SecureConversationToken) {
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (attached) {
ref = encrTok.getAttachedReference();
} else {
ref = encrTok.getUnattachedReference();
}
String tokenType = encrTok.getTokenType();
if (ref != null) {
SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
encr.setSecurityTokenReference(secRef);
} else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
encr.setCustomReferenceValue(tokenType);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
}
} else if (encrToken instanceof UsernameToken) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
} else if (encrToken instanceof KerberosToken && !isRequestor()) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
encr.setEncKeyId(encrTok.getSHA1());
} else if (!isRequestor() && encrTok.getSHA1() != null) {
encr.setCustomReferenceValue(encrTok.getSHA1());
encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
}
encr.prepare(crypto);
if (encr.getBSTTokenId() != null) {
encr.prependBSTElementToHeader();
}
Element refList = encr.encryptForRef(null, encrParts);
List<Element> attachments = encr.getAttachmentEncryptedDataElements();
addAttachmentsForEncryption(atEnd, refList, attachments);
return encr;
} catch (WSSecurityException e) {
LOG.log(Level.FINE, e.getMessage(), e);
unassertPolicy(recToken, e);
}
}
return null;
}
use of org.apache.wss4j.policy.model.AlgorithmSuite in project cxf by apache.
the class AlgorithmSuitePolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
AlgorithmSuite algorithmSuite = (AlgorithmSuite) ai.getAssertion();
ai.setAsserted(true);
boolean valid = validatePolicy(ai, algorithmSuite, parameters.getResults().getResults());
if (valid) {
String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
String name = algorithmSuite.getAlgorithmSuiteType().getName();
Collection<AssertionInfo> algSuiteAis = parameters.getAssertionInfoMap().get(new QName(namespace, name));
if (algSuiteAis != null) {
for (AssertionInfo algSuiteAi : algSuiteAis) {
algSuiteAi.setAsserted(true);
}
}
PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), new QName(algorithmSuite.getName().getNamespaceURI(), algorithmSuite.getC14n().name()));
} else if (!valid && ai.isAsserted()) {
ai.setNotAsserted("Error in validating AlgorithmSuite policy");
}
}
}
use of org.apache.wss4j.policy.model.AlgorithmSuite in project cxf by apache.
the class SpnegoTokenInterceptorProvider method setupClient.
static String setupClient(STSClient client, SoapMessage message, AssertionInfoMap aim) {
client.setTrust(NegotiationUtils.getTrust10(aim));
client.setTrust(NegotiationUtils.getTrust13(aim));
Policy p = new Policy();
ExactlyOne ea = new ExactlyOne();
p.addPolicyComponent(ea);
All all = new All();
all.addPolicyComponent(NegotiationUtils.getAddressingPolicy(aim, false));
ea.addPolicyComponent(all);
client.setPolicy(p);
client.setSoap11(message.getVersion() == Soap11.getInstance());
client.setSpnego(true);
WSSConfig config = WSSConfig.getNewInstance();
String context = config.getIdAllocator().createSecureId("_", null);
client.setContext(context);
String s = message.getContextualProperty(Message.ENDPOINT_ADDRESS).toString();
client.setLocation(s);
AlgorithmSuite suite = NegotiationUtils.getAlgorithmSuite(aim);
if (suite != null) {
client.setAlgorithmSuite(suite);
int x = suite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength();
if (x < 256) {
client.setKeySize(x);
}
}
Map<String, Object> ctx = client.getRequestContext();
mapSecurityProps(message, ctx);
return s;
}
Aggregations