
Example 21 with AlgorithmSuiteType

use of org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType in project cxf by apache.

the class TransportBindingHandler method doDerivedKeySignature.

/**
 * Signs the given parts with a key derived from the security token's secret.
 *
 * A {@code WSSecDKSign} is configured from this handler's state, keyed from the token
 * (by its attached or unattached reference when one is present, otherwise by its id),
 * given the derived-key length from the binding's algorithm suite, and its
 * DerivedKeyToken element is added to the header before the signature is computed.
 *
 * @param tokenIncluded whether the token itself is carried in the header; selects the attached
 *                      reference instead of the unattached one
 * @param secTok        the security token whose secret the signing key is derived from
 * @param token         the policy token; a {@code UsernameToken} sets a custom value type and an
 *                      SP 1.1 token selects the WS-SecureConversation 05/02 namespace
 * @param sigParts      the message parts to sign
 * @return the raw signature value produced by WSS4J
 * @throws Exception propagated from WSS4J preparation and signing
 */
private byte[] doDerivedKeySignature(boolean tokenIncluded, SecurityToken secTok, AbstractToken token, List<WSEncryptionPart> sigParts) throws Exception {
    WSSecDKSign derivedKeySigner = new WSSecDKSign(secHeader);
    derivedKeySigner.setIdAllocator(wssConfig.getIdAllocator());
    derivedKeySigner.setCallbackLookup(callbackLookup);
    derivedKeySigner.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
    derivedKeySigner.setStoreBytesInAttachment(storeBytesInAttachment);
    derivedKeySigner.setExpandXopInclude(isExpandXopInclude());
    derivedKeySigner.setWsDocInfo(wsDocInfo);
    AlgorithmSuite suite = tbinding.getAlgorithmSuite();
    // Key the signer from the token: prefer the (un)attached reference, fall back to the token id
    Element tokenReference = tokenIncluded ? secTok.getAttachedReference() : secTok.getUnattachedReference();
    if (tokenReference == null) {
        derivedKeySigner.setExternalKey(secTok.getSecret(), secTok.getId());
    } else {
        derivedKeySigner.setExternalKey(secTok.getSecret(), cloneElement(tokenReference));
    }
    if (token instanceof UsernameToken) {
        derivedKeySigner.setCustomValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
    }
    // Algorithm selection: symmetric signature from the transport binding's suite, derived-key
    // length (bits -> bytes) from the suite type.
    // NOTE(review): tbinding and binding are both consulted here; presumably they expose the same
    // policy object — confirm against the enclosing class.
    derivedKeySigner.setSignatureAlgorithm(suite.getSymmetricSignature());
    AlgorithmSuiteType suiteType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
    derivedKeySigner.setDerivedKeyLength(suiteType.getSignatureDerivedKeyLength() / 8);
    boolean isSp11 = token.getVersion() == SPConstants.SPVersion.SP11;
    if (isSp11) {
        derivedKeySigner.setWscVersion(ConversationConstants.VERSION_05_02);
    }
    derivedKeySigner.prepare();
    // The DerivedKeyToken must be in the header before the signature that references it
    addDerivedKeyElement(derivedKeySigner.getdktElement());
    derivedKeySigner.getParts().addAll(sigParts);
    List<Reference> references = derivedKeySigner.addReferencesToSign(sigParts);
    derivedKeySigner.computeSignature(references, false, null);
    return derivedKeySigner.getSignatureValue();
}

Example 22 with AlgorithmSuiteType

use of org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType in project cxf by apache.

the class AlgorithmSuitePolicyValidator method checkKeyLengths.

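/**
 * Check the key lengths of the secret and public keys.
 *
 * Public keys (a bare {@code TAG_PUBLIC_KEY} or the key of {@code TAG_X509_CERTIFICATE})
 * are delegated to {@code checkPublicKeyLength}. The secret ({@code TAG_SECRET}) is then
 * checked against the algorithm suite type: a signature whose principal is a
 * {@code WSDerivedKeyTokenPrincipal} must carry a secret of exactly the signature
 * derived-key length; any other secret must fall within the suite's symmetric key
 * length bounds.
 *
 * @param result          the engine result holding the keys and principal
 * @param algorithmPolicy the AlgorithmSuite policy assertion being validated
 * @param ai              the assertion info marked not-asserted on failure
 * @param signature       whether the result is a signature (enables the derived-key check)
 * @return true when every present key meets the policy, false otherwise
 */
private boolean checkKeyLengths(WSSecurityEngineResult result, AlgorithmSuite algorithmPolicy, AssertionInfo ai, boolean signature) {
    PublicKey publicKey = (PublicKey) result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
    if (publicKey != null && !checkPublicKeyLength(publicKey, algorithmPolicy, ai)) {
        return false;
    }
    X509Certificate x509Cert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    if (x509Cert != null && !checkPublicKeyLength(x509Cert.getPublicKey(), algorithmPolicy, ai)) {
        return false;
    }
    AlgorithmSuiteType algorithmSuiteType = algorithmPolicy.getAlgorithmSuiteType();
    byte[] secret = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);
    // The principal is only consulted for signatures
    Principal principal = signature ? (Principal) result.get(WSSecurityEngineResult.TAG_PRINCIPAL) : null;
    if (principal instanceof WSDerivedKeyTokenPrincipal) {
        // A derived signing key must match the required length exactly; a missing secret fails
        int requiredLength = algorithmSuiteType.getSignatureDerivedKeyLength();
        if (secret == null || secret.length != (requiredLength / 8)) {
            ai.setNotAsserted("The signature derived key length does not match the requirement");
            return false;
        }
    } else if (!isSymmetricKeyLengthAllowed(secret, algorithmSuiteType)) {
        ai.setNotAsserted("The symmetric key length does not match the requirement");
        return false;
    }
    return true;
}

/**
 * Returns whether a symmetric secret lies within the suite type's [minimum, maximum]
 * symmetric key length (given in bits, compared in bytes).
 *
 * @param secret             the key material, or null when the result carries no secret
 * @param algorithmSuiteType the suite type supplying the bounds
 * @return true when there is no secret to check or its length is within bounds
 */
private static boolean isSymmetricKeyLengthAllowed(byte[] secret, AlgorithmSuiteType algorithmSuiteType) {
    if (secret == null) {
        // Nothing to check; absence of a secret is not a policy violation here
        return true;
    }
    int minBytes = algorithmSuiteType.getMinimumSymmetricKeyLength() / 8;
    int maxBytes = algorithmSuiteType.getMaximumSymmetricKeyLength() / 8;
    return secret.length >= minBytes && secret.length <= maxBytes;
}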

Example 23 with AlgorithmSuiteType

use of org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType in project cxf by apache.

the class AlgorithmSuitePolicyValidator method checkDataRefs.

/**
 * Check the individual signature references.
 *
 * Every reference must use the suite type's digest and carry at most two transforms,
 * each of which must be the policy's C14N algorithm or one of the fixed set of
 * transforms WSS4J accepts for signatures (exclusive C14N without comments, STR
 * transform, enveloped signature, and the two SwA attachment transforms).
 *
 * @param dataRefs        the signed references to check
 * @param algorithmPolicy the AlgorithmSuite policy assertion being validated
 * @param ai              the assertion info marked not-asserted on failure
 * @return true when every reference satisfies the policy
 */
private boolean checkDataRefs(List<WSDataRef> dataRefs, AlgorithmSuite algorithmPolicy, AssertionInfo ai) {
    AlgorithmSuiteType suiteType = algorithmPolicy.getAlgorithmSuiteType();
    for (WSDataRef ref : dataRefs) {
        if (!suiteType.getDigest().equals(ref.getDigestAlgorithm())) {
            ai.setNotAsserted("The digest method does not match the requirement");
            return false;
        }
        List<String> transforms = ref.getTransformAlgorithms();
        // Transforms are mandatory and capped at two per reference
        boolean transformCountOk = transforms != null && transforms.size() <= 2;
        if (!transformCountOk) {
            ai.setNotAsserted("The transform algorithms do not match the requirement");
            return false;
        }
        for (String transform : transforms) {
            if (!isPermittedTransform(transform, algorithmPolicy)) {
                ai.setNotAsserted("The transform algorithms do not match the requirement");
                return false;
            }
        }
    }
    return true;
}

/**
 * Returns whether a single transform URI is acceptable under the policy: the policy's
 * C14N algorithm or one of the fixed transforms WSS4J permits in a signature.
 *
 * @param transform       the transform algorithm URI from the reference
 * @param algorithmPolicy the policy supplying the C14N algorithm
 * @return true when the transform is permitted
 */
private boolean isPermittedTransform(String transform, AlgorithmSuite algorithmPolicy) {
    return algorithmPolicy.getC14n().getValue().equals(transform)
        || WSS4JConstants.C14N_EXCL_OMIT_COMMENTS.equals(transform)
        || STRTransform.TRANSFORM_URI.equals(transform)
        || Transforms.TRANSFORM_ENVELOPED_SIGNATURE.equals(transform)
        || WSS4JConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS.equals(transform)
        || WSS4JConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS.equals(transform);
}

Example 24 with AlgorithmSuiteType

use of org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType in project cxf by apache.

the class AlgorithmSuitePolicyValidator method checkEncryptionAlgorithms.

/**
 * Check the Encryption Algorithms.
 *
 * The encrypted-key transport method (when present) must be either the suite type's
 * symmetric or asymmetric key wrap, every encrypted data reference must use the suite
 * type's encryption algorithm, and finally the key lengths are checked via
 * {@code checkKeyLengths} with {@code signature == false}.
 *
 * @param result          the engine result for the encryption action
 * @param algorithmPolicy the AlgorithmSuite policy assertion being validated
 * @param ai              the assertion info marked not-asserted on failure
 * @return true when the encryption algorithms and key lengths satisfy the policy
 */
private boolean checkEncryptionAlgorithms(WSSecurityEngineResult result, AlgorithmSuite algorithmPolicy, AssertionInfo ai) {
    AlgorithmSuiteType suiteType = algorithmPolicy.getAlgorithmSuiteType();
    String keyTransport = (String) result.get(WSSecurityEngineResult.TAG_ENCRYPTED_KEY_TRANSPORT_METHOD);
    if (keyTransport != null) {
        boolean wrapPermitted = suiteType.getSymmetricKeyWrap().equals(keyTransport)
            || suiteType.getAsymmetricKeyWrap().equals(keyTransport);
        if (!wrapPermitted) {
            ai.setNotAsserted("The Key transport method does not match the requirement");
            return false;
        }
    }
    List<WSDataRef> dataRefs = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
    if (dataRefs == null) {
        // No encrypted references recorded; only the key lengths remain to be checked
        return checkKeyLengths(result, algorithmPolicy, ai, false);
    }
    for (WSDataRef ref : dataRefs) {
        if (!suiteType.getEncryption().equals(ref.getAlgorithm())) {
            ai.setNotAsserted("The encryption algorithm does not match the requirement");
            return false;
        }
    }
    return checkKeyLengths(result, algorithmPolicy, ai, false);
}

Example 25 with AlgorithmSuiteType

use of org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType in project cxf by apache.

the class SimpleBatchSTSClient method createSecurityToken.

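/**
 * Builds a {@code SecurityToken} from a RequestSecurityTokenResponse element (or from the
 * first response of a RequestSecurityTokenResponseCollection).
 *
 * The recognised children in this client's WS-Trust {@code namespace} are collected
 * (Lifetime, RequestedSecurityToken, RequestedAttachedReference,
 * RequestedUnattachedReference, RequestedProofToken, Entropy, TokenType); children in other
 * namespaces are ignored. The token id is resolved with {@code findID}. The secret comes from
 * the proof token when one is present, otherwise from the requestor's own entropy.
 *
 * @param el               the response element; it is reassigned while walking the children
 * @param requestorEntropy the entropy this client sent, used as the key when there is no proof
 *                         token and as one half of a computed key
 * @return the token with its references, issuer address, token type and secret set
 * @throws WSSecurityException propagated from key decryption
 * @throws Fault when the element is not a RequestSecurityTokenResponse
 * @throws TrustException with "NO_ID" when no token id can be found, and from proof-token
 *                        handling (see {@code extractProofTokenSecret})
 */
protected SecurityToken createSecurityToken(Element el, byte[] requestorEntropy) throws WSSecurityException {
    if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) {
        el = DOMUtils.getFirstElement(el);
    }
    if (!"RequestSecurityTokenResponse".equals(el.getLocalName())) {
        throw new Fault("Unexpected element " + el.getLocalName(), LOG);
    }
    el = DOMUtils.getFirstElement(el);
    Element rst = null;
    Element rar = null;
    Element rur = null;
    Element rpt = null;
    Element lte = null;
    Element entropy = null;
    String tt = null;
    while (el != null) {
        String ln = el.getLocalName();
        // Only children in this client's WS-Trust namespace are recognised
        if (namespace.equals(el.getNamespaceURI())) {
            if ("Lifetime".equals(ln)) {
                lte = el;
            } else if ("RequestedSecurityToken".equals(ln)) {
                rst = DOMUtils.getFirstElement(el);
            } else if ("RequestedAttachedReference".equals(ln)) {
                rar = DOMUtils.getFirstElement(el);
            } else if ("RequestedUnattachedReference".equals(ln)) {
                rur = DOMUtils.getFirstElement(el);
            } else if ("RequestedProofToken".equals(ln)) {
                rpt = el;
            } else if ("Entropy".equals(ln)) {
                entropy = el;
            } else if ("TokenType".equals(ln)) {
                tt = DOMUtils.getContent(el);
            }
        }
        el = DOMUtils.getNextElement(el);
    }
    String id = findID(rar, rur, rst);
    if (StringUtils.isEmpty(id)) {
        throw new TrustException("NO_ID", LOG);
    }
    SecurityToken token = new SecurityToken(id, rst, lte);
    token.setAttachedReference(rar);
    token.setUnattachedReference(rur);
    token.setIssuerAddress(location);
    token.setTokenType(tt);
    byte[] secret;
    if (rpt != null) {
        secret = extractProofTokenSecret(rpt, entropy, requestorEntropy);
    } else {
        // No proof token: the requestor's entropy (possibly null) is the key
        secret = requestorEntropy;
    }
    token.setSecret(secret);
    return token;
}

/**
 * Derives the token secret from a RequestedProofToken element.
 *
 * The proof token's first child decides the source: a BinarySecret is base64-decoded, an
 * EncryptedKey is decrypted with {@code decryptKey}, and a ComputedKey is derived from the
 * requestor and service entropy (see {@code computeKey}).
 *
 * @param rpt              the RequestedProofToken element (non-null)
 * @param entropy          the service's Entropy element, or null if none was returned
 * @param requestorEntropy the entropy this client sent
 * @return the secret, or null when the proof token's child is not a recognised element
 * @throws WSSecurityException propagated from key decryption
 */
private byte[] extractProofTokenSecret(Element rpt, Element entropy, byte[] requestorEntropy) throws WSSecurityException {
    Element child = DOMUtils.getFirstElement(rpt);
    // NOTE(review): an empty RequestedProofToken leaves child null here; confirm that
    // DOMUtils.getElementQName tolerates a null argument.
    QName childQname = DOMUtils.getElementQName(child);
    if (childQname.equals(new QName(namespace, "BinarySecret"))) {
        String b64Secret = DOMUtils.getContent(child);
        return Base64.getMimeDecoder().decode(b64Secret);
    }
    if (childQname.equals(new QName(WSS4JConstants.ENC_NS, WSS4JConstants.ENC_KEY_LN))) {
        return decryptKey(child);
    }
    if (childQname.equals(new QName(namespace, "ComputedKey"))) {
        return computeKey(entropy, requestorEntropy);
    }
    return null;
}

/**
 * Computes the shared key for a ComputedKey proof token using P_SHA1 over the requestor
 * and service entropy.
 *
 * The service entropy is the first child of the Entropy element: an EncryptedKey is
 * decrypted, a BinarySecret is base64-decoded. The key length in bits is {@code keySize}
 * when positive, otherwise the algorithm suite's maximum symmetric key length, or 256 when
 * no suite is configured.
 *
 * @param entropy          the service's Entropy element, or null
 * @param requestorEntropy the entropy this client sent
 * @return the derived key of {@code length / 8} bytes
 * @throws WSSecurityException propagated from decrypting the service entropy
 * @throws TrustException "NO_ENTROPY" when no usable service entropy is present, or
 *                        "DERIVED_KEY_ERROR" (wrapping the cause) when derivation fails
 */
private byte[] computeKey(Element entropy, byte[] requestorEntropy) throws WSSecurityException {
    Element serviceEntropyChild = entropy == null ? null : DOMUtils.getFirstElement(entropy);
    byte[] serviceEntropy = null;
    if (serviceEntropyChild != null) {
        QName childQName = DOMUtils.getElementQName(serviceEntropyChild);
        if (childQName.equals(new QName(WSS4JConstants.ENC_NS, WSS4JConstants.ENC_KEY_LN))) {
            serviceEntropy = decryptKey(serviceEntropyChild);
        } else if (childQName.equals(new QName(namespace, "BinarySecret"))) {
            String content = DOMUtils.getContent(serviceEntropyChild);
            serviceEntropy = Base64.getMimeDecoder().decode(content);
        }
    }
    if (serviceEntropy == null) {
        // A computed key without service entropy cannot be derived
        throw new TrustException("NO_ENTROPY", LOG);
    }
    // Key length in bits: explicit keySize wins, then the suite's maximum, then 256
    int keyBits = keySize;
    if (keyBits <= 0) {
        keyBits = algorithmSuite == null
            ? 256
            : algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength();
    }
    // Right now we only use PSHA1 as the computed key algo
    P_SHA1 psha1 = new P_SHA1();
    try {
        return psha1.createKey(requestorEntropy, serviceEntropy, 0, keyBits / 8);
    } catch (WSSecurityException e) {
        throw new TrustException("DERIVED_KEY_ERROR", e, LOG);
    }
}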
