Search in sources :

Example 16 with AlgorithmSuiteType

use of org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType in project cxf by apache.

the class AbstractStaxBindingHandler method configureSignature.

protected void configureSignature(AbstractToken token, boolean attached) throws WSSecurityException {
    if (token instanceof X509Token) {
        X509Token x509Token = (X509Token) token;
        TokenType tokenType = x509Token.getTokenType();
        if (tokenType == TokenType.WssX509PkiPathV1Token10 || tokenType == TokenType.WssX509PkiPathV1Token11) {
            properties.setUseSingleCert(false);
        }
    }
    properties.setSignatureKeyIdentifier(getKeyIdentifierType(token));
    // Find out do we also need to include the token as per the Inclusion requirement
    WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getSignatureKeyIdentifier();
    if (token instanceof X509Token && isTokenRequired(token.getIncludeTokenType()) && (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(keyIdentifier))) {
        properties.setIncludeSignatureToken(true);
    } else {
        properties.setIncludeSignatureToken(false);
    }
    String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
    if (binding instanceof SymmetricBinding) {
        userNameKey = SecurityConstants.ENCRYPT_USERNAME;
        properties.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    } else {
        properties.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
    }
    properties.setSignatureCanonicalizationAlgorithm(binding.getAlgorithmSuite().getC14n().getValue());
    String sigUser = (String) SecurityUtils.getSecurityPropertyValue(userNameKey, message);
    if (sigUser == null) {
        sigUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
    }
    if (sigUser != null && properties.getSignatureUser() == null) {
        properties.setSignatureUser(sigUser);
    }
    AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
    properties.setSignatureDigestAlgorithm(algType.getDigest());
    // sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
    boolean includePrefixes = MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);
    properties.setAddExcC14NInclusivePrefixes(includePrefixes);
}
Also used : SymmetricBinding(org.apache.wss4j.policy.model.SymmetricBinding) TokenType(org.apache.wss4j.policy.model.X509Token.TokenType) IncludeTokenType(org.apache.wss4j.policy.SPConstants.IncludeTokenType) SamlTokenType(org.apache.wss4j.policy.model.SamlToken.SamlTokenType) X509Token(org.apache.wss4j.policy.model.X509Token) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) WSSecurityTokenConstants(org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants)

Example 17 with AlgorithmSuiteType

use of org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType in project cxf by apache.

the class AsymmetricBindingHandler method doEncryption.

private WSSecBase doEncryption(AbstractTokenWrapper recToken, List<WSEncryptionPart> encrParts, boolean externalRef) {
    // Do encryption
    if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
        AbstractToken encrToken = recToken.getToken();
        assertPolicy(recToken);
        assertPolicy(encrToken);
        AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
        if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
            return doEncryptionDerived(recToken, encrToken, encrParts, algorithmSuite);
        }
        try {
            WSSecEncrypt encr = new WSSecEncrypt(secHeader);
            encr.setEncryptionSerializer(new StaxSerializer());
            encr.setIdAllocator(wssConfig.getIdAllocator());
            encr.setCallbackLookup(callbackLookup);
            encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
            encr.setStoreBytesInAttachment(storeBytesInAttachment);
            encr.setExpandXopInclude(isExpandXopInclude());
            encr.setWsDocInfo(wsDocInfo);
            Crypto crypto = getEncryptionCrypto();
            SecurityToken securityToken = getSecurityToken();
            if (!isRequestor() && securityToken != null && recToken.getToken() instanceof SamlToken) {
                String tokenType = securityToken.getTokenType();
                if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
                    encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                    encr.setCustomEKTokenId(securityToken.getId());
                } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
                    encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                    encr.setCustomEKTokenId(securityToken.getId());
                } else {
                    setKeyIdentifierType(encr, encrToken);
                }
            } else {
                setKeyIdentifierType(encr, encrToken);
            }
            // 
            if (!isRequestor() && securityToken != null && securityToken.getX509Certificate() != null) {
                encr.setUseThisCert(securityToken.getX509Certificate());
            } else if (!isRequestor() && securityToken != null && securityToken.getKey() instanceof PublicKey) {
                encr.setUseThisPublicKey((PublicKey) securityToken.getKey());
            } else {
                setEncryptionUser(encr, encrToken, false, crypto);
            }
            if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) {
                unassertPolicy(recToken, "Missing security configuration. " + "Make sure jaxws:client element is configured " + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value.");
            }
            AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
            encr.setSymmetricEncAlgorithm(algType.getEncryption());
            encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
            encr.setMGFAlgorithm(algType.getMGFAlgo());
            encr.setDigestAlgorithm(algType.getEncryptionDigest());
            encr.prepare(crypto);
            Element encryptedKeyElement = encr.getEncryptedKeyElement();
            List<Element> attachments = encr.getAttachmentEncryptedDataElements();
            // Encrypt, get hold of the ref list and add it
            if (externalRef) {
                Element refList = encr.encryptForRef(null, encrParts);
                if (refList != null) {
                    insertBeforeBottomUp(refList);
                }
                if (attachments != null) {
                    for (Element attachment : attachments) {
                        this.insertBeforeBottomUp(attachment);
                    }
                }
                if (refList != null || (attachments != null && !attachments.isEmpty())) {
                    this.addEncryptedKeyElement(encryptedKeyElement);
                }
            } else {
                Element refList = encr.encryptForRef(null, encrParts);
                if (refList != null || (attachments != null && !attachments.isEmpty())) {
                    this.addEncryptedKeyElement(encryptedKeyElement);
                }
                // Add internal refs
                if (refList != null) {
                    encryptedKeyElement.appendChild(refList);
                }
                if (attachments != null) {
                    for (Element attachment : attachments) {
                        this.addEncryptedKeyElement(attachment);
                    }
                }
            }
            // Put BST before EncryptedKey element
            if (encr.getBSTTokenId() != null) {
                encr.prependBSTElementToHeader();
            }
            return encr;
        } catch (WSSecurityException e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            unassertPolicy(recToken, e);
        }
    }
    return null;
}
Also used : WSSecEncrypt(org.apache.wss4j.dom.message.WSSecEncrypt) SamlToken(org.apache.wss4j.policy.model.SamlToken) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) PublicKey(java.security.PublicKey) Element(org.w3c.dom.Element) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) AlgorithmSuite(org.apache.wss4j.policy.model.AlgorithmSuite) StaxSerializer(org.apache.cxf.ws.security.wss4j.StaxSerializer) Crypto(org.apache.wss4j.common.crypto.Crypto) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)

Example 18 with AlgorithmSuiteType

use of org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType in project cxf by apache.

the class AsymmetricBindingHandler method doSignature.

private void doSignature(AbstractTokenWrapper wrapper, List<WSEncryptionPart> sigParts, boolean attached) throws WSSecurityException, SOAPException {
    if (!isRequestor()) {
        assertUnusedTokens(abinding.getInitiatorToken());
        assertUnusedTokens(abinding.getInitiatorEncryptionToken());
        assertUnusedTokens(abinding.getInitiatorSignatureToken());
    } else {
        assertUnusedTokens(abinding.getRecipientToken());
        assertUnusedTokens(abinding.getRecipientEncryptionToken());
        assertUnusedTokens(abinding.getRecipientSignatureToken());
    }
    AbstractToken sigToken = wrapper.getToken();
    if (sigParts.isEmpty()) {
        // Add the BST to the security header if required
        if (!attached && isTokenRequired(sigToken.getIncludeTokenType())) {
            WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
            sig.appendBSTElementToHeader();
        }
        return;
    }
    if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        // Set up the encrypted key to use
        setupEncryptedKey(wrapper, sigToken);
        WSSecDKSign dkSign = new WSSecDKSign(secHeader);
        dkSign.setIdAllocator(wssConfig.getIdAllocator());
        dkSign.setCallbackLookup(callbackLookup);
        dkSign.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
        dkSign.setStoreBytesInAttachment(storeBytesInAttachment);
        dkSign.setExpandXopInclude(isExpandXopInclude());
        dkSign.setWsDocInfo(wsDocInfo);
        if (wrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
            dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
        }
        dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
        // Set the algo info
        dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite().getSymmetricSignature());
        dkSign.setSigCanonicalization(abinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();
        dkSign.setDigestAlgorithm(algType.getDigest());
        dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
        dkSign.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);
        boolean includePrefixes = MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);
        dkSign.setAddInclusivePrefixes(includePrefixes);
        try {
            dkSign.prepare();
            if (abinding.isProtectTokens()) {
                assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
                if (bstElement != null) {
                    WSEncryptionPart bstPart = new WSEncryptionPart(bstElement.getAttributeNS(WSS4JConstants.WSU_NS, "Id"));
                    bstPart.setElement(bstElement);
                    sigParts.add(bstPart);
                } else {
                    WSEncryptionPart ekPart = new WSEncryptionPart(encrKey.getId());
                    ekPart.setElement(encrKey.getEncryptedKeyElement());
                    sigParts.add(ekPart);
                }
            }
            dkSign.getParts().addAll(sigParts);
            List<Reference> referenceList = dkSign.addReferencesToSign(sigParts);
            if (!referenceList.isEmpty()) {
                // Add elements to header
                addDerivedKeyElement(dkSign.getdktElement());
                // Do signature
                if (bottomUpElement == null) {
                    dkSign.computeSignature(referenceList, false, null);
                } else {
                    dkSign.computeSignature(referenceList, true, bottomUpElement);
                }
                bottomUpElement = dkSign.getSignatureElement();
                addSig(dkSign.getSignatureValue());
                mainSigId = dkSign.getSignatureId();
            }
        } catch (Exception ex) {
            LOG.log(Level.FINE, ex.getMessage(), ex);
            throw new Fault(ex);
        }
    } else {
        WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
        if (abinding.isProtectTokens()) {
            assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
            if (sig.getCustomTokenId() != null && (sigToken instanceof SamlToken || sigToken instanceof IssuedToken)) {
                WSEncryptionPart samlPart = new WSEncryptionPart(sig.getCustomTokenId());
                sigParts.add(samlPart);
            } else if (sig.getBSTTokenId() != null) {
                // This action must occur before sig.prependBSTElementToHeader
                WSEncryptionPart bstPart = new WSEncryptionPart(sig.getBSTTokenId());
                bstPart.setElement(sig.getBinarySecurityTokenElement());
                sigParts.add(bstPart);
                sig.prependBSTElementToHeader();
            }
        }
        List<Reference> referenceList = sig.addReferencesToSign(sigParts);
        if (!referenceList.isEmpty()) {
            // Do signature
            if (bottomUpElement == null) {
                sig.computeSignature(referenceList, false, null);
            } else {
                sig.computeSignature(referenceList, true, bottomUpElement);
            }
            bottomUpElement = sig.getSignatureElement();
            if (!abinding.isProtectTokens()) {
                Element bstElement = sig.getBinarySecurityTokenElement();
                if (bstElement != null) {
                    secHeader.getSecurityHeaderElement().insertBefore(bstElement, bottomUpElement);
                }
            }
            addSig(sig.getSignatureValue());
            mainSigId = sig.getId();
        }
    }
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) SamlToken(org.apache.wss4j.policy.model.SamlToken) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) QName(javax.xml.namespace.QName) Reference(javax.xml.crypto.dsig.Reference) WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) Fault(org.apache.cxf.interceptor.Fault) SOAPException(javax.xml.soap.SOAPException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) WSSecDKSign(org.apache.wss4j.dom.message.WSSecDKSign) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)

Example 19 with AlgorithmSuiteType

use of org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType in project cxf by apache.

the class StaxTransportBindingHandler method handleEndorsingToken.

private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
    assertToken(token);
    if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
        return;
    }
    if (token instanceof IssuedToken) {
        SecurityToken securityToken = getSecurityToken();
        addIssuedToken(token, securityToken, false, true);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        WSSSecurityProperties properties = getProperties();
        if (securityToken != null && securityToken.getSecret() != null) {
            properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        } else {
            properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
        }
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
        SecurityToken securityToken = getSecurityToken();
        addIssuedToken(token, securityToken, false, true);
        WSSSecurityProperties properties = getProperties();
        if (securityToken != null) {
            storeSecurityToken(token, securityToken);
            // Set up CallbackHandler which wraps the configured Handler
            TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
            properties.setCallbackHandler(callbackHandler);
        }
        doSignature(token, wrapper);
        properties.setIncludeSignatureToken(true);
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof X509Token || token instanceof KeyValueToken) {
        doSignature(token, wrapper);
    } else if (token instanceof SamlToken) {
        addSamlToken((SamlToken) token, false, true);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        WSSSecurityProperties properties = getProperties();
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof UsernameToken) {
        throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
    } else if (token instanceof KerberosToken) {
        WSSSecurityProperties properties = getProperties();
        properties.addAction(XMLSecurityConstants.SIGNATURE);
        configureSignature(token, false);
        addKerberosToken((KerberosToken) token, false, true, false);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    }
}
Also used : WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) SamlToken(org.apache.wss4j.policy.model.SamlToken) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SOAPException(javax.xml.soap.SOAPException) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) TokenStoreCallbackHandler(org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler)

Example 20 with AlgorithmSuiteType

use of org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType in project cxf by apache.

the class SymmetricBindingHandler method doSignature.

private byte[] doSignature(List<WSEncryptionPart> sigs, AbstractTokenWrapper policyAbstractTokenWrapper, AbstractToken policyToken, SecurityToken tok, boolean included) throws WSSecurityException {
    if (policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        return doSignatureDK(sigs, policyAbstractTokenWrapper, policyToken, tok, included);
    }
    WSSecSignature sig = new WSSecSignature(secHeader);
    sig.setIdAllocator(wssConfig.getIdAllocator());
    sig.setCallbackLookup(callbackLookup);
    sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
    sig.setStoreBytesInAttachment(storeBytesInAttachment);
    sig.setExpandXopInclude(isExpandXopInclude());
    sig.setWsDocInfo(wsDocInfo);
    // If a EncryptedKeyToken is used, set the correct value type to
    // be used in the wsse:Reference in ds:KeyInfo
    int type = included ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
    String sigTokId = tok.getId();
    if (policyToken instanceof X509Token) {
        if (isRequestor()) {
            sig.setCustomTokenValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);
            sig.setKeyIdentifierType(type);
        } else {
            // the tok has to be an EncryptedKey token
            sig.setEncrKeySha1value(tok.getSHA1());
            sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
        }
    } else if (policyToken instanceof UsernameToken) {
        sig.setCustomTokenValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
        sig.setKeyIdentifierType(type);
    } else if (policyToken instanceof KerberosToken) {
        if (isRequestor()) {
            sig.setCustomTokenValueType(tok.getTokenType());
            sig.setKeyIdentifierType(type);
        } else {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
            sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            sigTokId = tok.getSHA1();
        }
    } else {
        // Setting the AttachedReference or the UnattachedReference according to the flag
        Element ref;
        if (included) {
            ref = tok.getAttachedReference();
        } else {
            ref = tok.getUnattachedReference();
        }
        if (ref != null) {
            SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
            sig.setSecurityTokenReference(secRef);
            sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
        } else {
            String tokenType = tok.getTokenType();
            if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
                sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
                sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
                sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
                sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            } else {
                sig.setCustomTokenValueType(tokenType);
                sig.setKeyIdentifierType(type);
            }
        }
    }
    if (included) {
        sigTokId = tok.getWsuId();
        if (sigTokId == null) {
            if (policyToken instanceof SecureConversationToken || policyToken instanceof SecurityContextToken) {
                sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
            }
            sigTokId = tok.getId();
        }
        if (sigTokId.startsWith("#")) {
            sigTokId = sigTokId.substring(1);
        }
    }
    if (sbinding.isProtectTokens()) {
        assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
        if (included) {
            sigs.add(new WSEncryptionPart(sigTokId));
        }
    }
    sig.setCustomTokenId(sigTokId);
    sig.setSecretKey(tok.getSecret());
    sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
    boolean includePrefixes = MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);
    sig.setAddInclusivePrefixes(includePrefixes);
    AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
    sig.setDigestAlgo(algType.getDigest());
    sig.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
    Crypto crypto = null;
    if (sbinding.getProtectionToken() != null) {
        crypto = getEncryptionCrypto();
    } else {
        crypto = getSignatureCrypto();
    }
    this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
    sig.prepare(crypto);
    sig.getParts().addAll(sigs);
    List<Reference> referenceList = sig.addReferencesToSign(sigs);
    if (!referenceList.isEmpty()) {
        // Do signature
        if (bottomUpElement == null) {
            sig.computeSignature(referenceList, false, null);
        } else {
            sig.computeSignature(referenceList, true, bottomUpElement);
        }
        bottomUpElement = sig.getSignatureElement();
        this.mainSigId = sig.getId();
        return sig.getSignatureValue();
    }
    return null;
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) QName(javax.xml.namespace.QName) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) Reference(javax.xml.crypto.dsig.Reference) WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature) Element(org.w3c.dom.Element) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) Crypto(org.apache.wss4j.common.crypto.Crypto) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)

Aggregations

AlgorithmSuiteType (org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)25 AttachmentCallbackHandler (org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)12 Element (org.w3c.dom.Element)12 SecurityTokenReference (org.apache.wss4j.common.token.SecurityTokenReference)9 Reference (javax.xml.crypto.dsig.Reference)8 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)8 X509Token (org.apache.wss4j.policy.model.X509Token)8 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)7 WSSecUsernameToken (org.apache.wss4j.dom.message.WSSecUsernameToken)7 QName (javax.xml.namespace.QName)6 WSEncryptionPart (org.apache.wss4j.common.WSEncryptionPart)6 WSSecSignature (org.apache.wss4j.dom.message.WSSecSignature)6 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)6 SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)6 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)6 SOAPException (javax.xml.soap.SOAPException)5 Crypto (org.apache.wss4j.common.crypto.Crypto)5 WSSecDKSign (org.apache.wss4j.dom.message.WSSecDKSign)5 IssuedToken (org.apache.wss4j.policy.model.IssuedToken)5 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)4