use of org.apache.wss4j.policy.model.AlgorithmSuite in project cxf by apache.
the class WSSCUnitTest method createSymmetricBindingPolicy.
/**
 * Builds the SymmetricBinding policy this test uses to talk to the STS.
 *
 * <p>The policy has a single alternative containing: a WS-Addressing assertion,
 * a SymmetricBinding whose ProtectionToken is an X509Token with
 * IncludeToken=Never and the Basic128 algorithm suite (plus IncludeTimestamp and
 * OnlySignEntireHeadersAndBody), and a SignedParts assertion with an empty
 * header list.
 *
 * @return the assembled policy
 */
private Policy createSymmetricBindingPolicy() {
    // Top-level alternative; the binding and the signed parts are appended below.
    All topLevel = new All();
    topLevel.addPolicyComponent(
        new PrimitiveAssertion(MetadataConstants.USING_ADDRESSING_2006_QNAME, false));
    Policy policy = singleAlternative(topLevel);

    // ProtectionToken: an X509Token that is never sent in the message.
    All protectionTokenAlternative = new All();
    protectionTokenAlternative.addPolicyComponent(new X509Token(
        SPConstants.SPVersion.SP12, SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER,
        null, null, null, new Policy()));
    Policy protectionTokenPolicy = singleAlternative(protectionTokenAlternative);

    // AlgorithmSuite: Basic128.
    All algorithmSuiteAlternative = new All();
    algorithmSuiteAlternative.addAssertion(
        new PrimitiveAssertion(new QName(SP12Constants.SP_NS, SPConstants.ALGO_SUITE_BASIC128)));
    AlgorithmSuite algorithmSuite = new AlgorithmSuite(
        SPConstants.SPVersion.SP12, singleAlternative(algorithmSuiteAlternative));

    // SymmetricBinding: protection token, algorithm suite and layout assertions.
    All bindingAlternative = new All();
    bindingAlternative.addPolicyComponent(
        new ProtectionToken(SPConstants.SPVersion.SP12, protectionTokenPolicy));
    bindingAlternative.addPolicyComponent(algorithmSuite);
    bindingAlternative.addAssertion(new PrimitiveAssertion(SP12Constants.INCLUDE_TIMESTAMP));
    bindingAlternative.addAssertion(
        new PrimitiveAssertion(SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
    DefaultSymmetricBinding binding = new DefaultSymmetricBinding(
        SPConstants.SPVersion.SP12, singleAlternative(bindingAlternative));
    binding.setOnlySignEntireHeadersAndBody(true);
    binding.setProtectTokens(false);
    topLevel.addPolicyComponent(binding);

    // SignedParts with no header entries.
    topLevel.addPolicyComponent(new SignedParts(
        SPConstants.SPVersion.SP12, true, null, new ArrayList<Header>(), false));
    return policy;
}

/** Wraps one {@code All} alternative in a {@code Policy} / {@code ExactlyOne} pair. */
private static Policy singleAlternative(All alternative) {
    ExactlyOne alternatives = new ExactlyOne();
    alternatives.addPolicyComponent(alternative);
    Policy policy = new Policy();
    policy.addPolicyComponent(alternatives);
    return policy;
}
use of org.apache.wss4j.policy.model.AlgorithmSuite in project cxf by apache.
the class AlgorithmSuiteBuilder method build.
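/**
 * Builds an {@link AlgorithmSuite} assertion from an {@code sp:AlgorithmSuite} element.
 *
 * <p>The nested {@code wsp:Policy} names the suite. It is resolved through the
 * {@link AlgorithmSuiteLoader} registered on the Bus (a custom loader may add
 * non-standard suites), falling back to {@link DefaultAlgorithmSuiteLoader}.
 * A suite the loader does not recognise is rejected rather than yielding an
 * assertion without an algorithm suite type.
 *
 * @param element the {@code sp:AlgorithmSuite} DOM element
 * @param factory used to parse the nested policy
 * @return the resolved assertion, with its optional/ignorable flags taken from
 *         {@code element}
 * @throws IllegalArgumentException if there is no nested {@code wsp:Policy},
 *         if the nested policy names no suite at all, or if the named suite is
 *         not registered
 */
@Override
public Assertion build(Element element, AssertionBuilderFactory factory) throws IllegalArgumentException {
    final SPConstants.SPVersion spVersion =
        SPConstants.SPVersion.getSPVersion(element.getNamespaceURI());
    final Element nestedPolicyElement = SPUtils.getFirstPolicyChildElement(element);
    if (nestedPolicyElement == null) {
        throw new IllegalArgumentException("sp:AlgorithmSuite must have an inner wsp:Policy element");
    }
    final Policy nestedPolicy = factory.getPolicyEngine().getPolicy(nestedPolicyElement);

    AlgorithmSuiteLoader loader = bus.getExtension(AlgorithmSuiteLoader.class);
    if (loader == null) {
        loader = new DefaultAlgorithmSuiteLoader();
    }
    final AlgorithmSuite algorithmSuite = loader.getAlgorithmSuite(bus, spVersion, nestedPolicy);
    if (algorithmSuite == null || algorithmSuite.getAlgorithmSuiteType() == null) {
        String algorithmSuiteName =
            algorithmSuite == null ? null : algorithmSuite.getFirstInvalidAlgorithmSuite();
        if (algorithmSuiteName == null) {
            // Fall back to the first child of the nested policy for the message.
            // An empty wsp:Policy has no child; report that instead of dereferencing null.
            final Element firstChild = DOMUtils.getFirstElement(nestedPolicyElement);
            if (firstChild == null) {
                throw new IllegalArgumentException(
                    "sp:AlgorithmSuite inner wsp:Policy does not name an algorithm suite");
            }
            algorithmSuiteName = firstChild.getLocalName();
        }
        throw new IllegalArgumentException(
            "Algorithm suite \"" + algorithmSuiteName + "\" is not registered");
    }
    algorithmSuite.setOptional(SPUtils.isOptional(element));
    algorithmSuite.setIgnorable(SPUtils.isIgnorable(element));
    return algorithmSuite;
}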
use of org.apache.wss4j.policy.model.AlgorithmSuite in project cxf by apache.
the class SecureConversationTokenInterceptorProvider method setupClient.
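/**
 * Configures an {@link STSClient} for a SecureConversation (WS-Trust) exchange
 * with the endpoint the message is addressed to.
 *
 * <p>The client's policy is the token's bootstrap policy merged with a
 * generated policy holding the addressing assertion and, when {@code endorse}
 * is set, an EndorsingSupportingTokens assertion wrapping {@code itok}. Trust
 * 1.0/1.3 settings, the SOAP version, secure-conversation mode, the endpoint
 * location, the algorithm suite (and a reduced key size where the suite allows
 * less than 256 bits) and the message's security properties are copied onto
 * the client as well.
 *
 * @param client  the STS client to configure
 * @param message the current message; provides the endpoint address, SOAP
 *                version and security properties
 * @param aim     the assertion info map the trust, addressing and
 *                algorithm-suite settings are read from
 * @param itok    the SecureConversationToken assertion; must carry a bootstrap
 *                policy
 * @param endorse whether {@code itok} endorses the message (adds it as an
 *                endorsing supporting token)
 * @return the endpoint address the client was pointed at
 * @throws Fault if the token has no bootstrap policy or the message carries no
 *               endpoint address
 */
static String setupClient(STSClient client, SoapMessage message, AssertionInfoMap aim,
                          SecureConversationToken itok, boolean endorse) {
    if (itok.getBootstrapPolicy() == null || itok.getBootstrapPolicy().getPolicy() == null) {
        throw new Fault("The SecureConversationToken does not define a BootstrapPolicy", LOG);
    }
    // Fail before mutating the client; previously a missing address surfaced
    // as a NullPointerException half-way through the configuration.
    Object endpointAddress = message.getContextualProperty(Message.ENDPOINT_ADDRESS);
    if (endpointAddress == null) {
        throw new Fault("No endpoint address is available to configure the STSClient", LOG);
    }
    String location = endpointAddress.toString();

    client.setTrust(NegotiationUtils.getTrust10(aim));
    client.setTrust(NegotiationUtils.getTrust13(aim));

    // Addressing (+ optional endorsing token) alternative, merged into the bootstrap policy.
    Policy generated = new Policy();
    ExactlyOne alternatives = new ExactlyOne();
    generated.addPolicyComponent(alternatives);
    All alternative = new All();
    alternative.addPolicyComponent(NegotiationUtils.getAddressingPolicy(aim, false));
    alternatives.addPolicyComponent(alternative);
    if (endorse) {
        SupportingTokens endorsing = new SupportingTokens(SPConstants.SPVersion.SP12,
            SP12Constants.ENDORSING_SUPPORTING_TOKENS, new Policy());
        endorsing.addToken(itok);
        alternative.addPolicyComponent(endorsing);
    }
    client.setPolicy(generated.merge(itok.getBootstrapPolicy().getPolicy()));
    client.setSoap11(message.getVersion() == Soap11.getInstance());
    client.setSecureConv(true);
    client.setLocation(location);

    AlgorithmSuite suite = NegotiationUtils.getAlgorithmSuite(aim);
    if (suite != null) {
        client.setAlgorithmSuite(suite);
        // Only cap the requested key size when the suite allows less than 256 bits;
        // the client's own default (presumably 256) is kept otherwise.
        int maxSymmetricKeyLength = suite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength();
        if (maxSymmetricKeyLength < 256) {
            client.setKeySize(maxSymmetricKeyLength);
        }
    }
    Map<String, Object> ctx = client.getRequestContext();
    mapSecurityProps(message, ctx);
    return location;
}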
use of org.apache.wss4j.policy.model.AlgorithmSuite in project cxf by apache.
the class AsymmetricBindingHandler method doEncryption.
/**
 * Encrypts the given parts with the recipient token of the asymmetric binding.
 *
 * <p>Does nothing and returns {@code null} when there is no recipient token or
 * {@code encrParts} is empty. When the token requires derived keys the work is
 * delegated to {@link #doEncryptionDerived}. Otherwise a {@code WSSecEncrypt}
 * is prepared with the suite's symmetric encryption, asymmetric key-wrap, MGF
 * and encryption-digest algorithms, the parts are encrypted, and the resulting
 * EncryptedKey (plus any encrypted attachments) is added to the security
 * header. A {@code WSSecurityException} is logged at FINE, un-asserts the
 * recipient token policy and yields {@code null}.
 *
 * @param recToken    the recipient token wrapper of the binding; may be
 *                    {@code null}
 * @param encrParts   the parts to encrypt
 * @param externalRef {@code true} to emit the ReferenceList as its own header
 *                    element (inserted bottom-up); {@code false} to nest it
 *                    inside the EncryptedKey element
 * @return the prepared encryptor, or {@code null} when nothing was encrypted
 */
private WSSecBase doEncryption(AbstractTokenWrapper recToken, List<WSEncryptionPart> encrParts, boolean externalRef) {
    // Do encryption
    if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
        AbstractToken encrToken = recToken.getToken();
        assertPolicy(recToken);
        assertPolicy(encrToken);
        // All algorithms used below are taken from the binding's AlgorithmSuite
        AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
        // Derived keys take a separate code path
        if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
            return doEncryptionDerived(recToken, encrToken, encrParts, algorithmSuite);
        }
        try {
            WSSecEncrypt encr = new WSSecEncrypt(secHeader);
            encr.setEncryptionSerializer(new StaxSerializer());
            encr.setIdAllocator(wssConfig.getIdAllocator());
            encr.setCallbackLookup(callbackLookup);
            encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
            encr.setStoreBytesInAttachment(storeBytesInAttachment);
            encr.setExpandXopInclude(isExpandXopInclude());
            encr.setWsDocInfo(wsDocInfo);
            Crypto crypto = getEncryptionCrypto();
            SecurityToken securityToken = getSecurityToken();
            // Responder side with a stored SAML security token: the EncryptedKey
            // references that token by id (custom key identifier) instead of a
            // certificate reference; any other token type uses the policy's
            // key identifier type.
            if (!isRequestor() && securityToken != null && recToken.getToken() instanceof SamlToken) {
                String tokenType = securityToken.getTokenType();
                if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
                    encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                    encr.setCustomEKTokenId(securityToken.getId());
                } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
                    encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                    encr.setCustomEKTokenId(securityToken.getId());
                } else {
                    setKeyIdentifierType(encr, encrToken);
                }
            } else {
                setKeyIdentifierType(encr, encrToken);
            }
            // Responder side: encrypt for the certificate / public key held in the
            // stored security token; otherwise resolve the encryption user through
            // the Crypto instance.
            if (!isRequestor() && securityToken != null && securityToken.getX509Certificate() != null) {
                encr.setUseThisCert(securityToken.getX509Certificate());
            } else if (!isRequestor() && securityToken != null && securityToken.getKey() instanceof PublicKey) {
                encr.setUseThisPublicKey((PublicKey) securityToken.getKey());
            } else {
                setEncryptionUser(encr, encrToken, false, crypto);
            }
            // NOTE: this only un-asserts the policy; there is no early return, so
            // prepare(crypto) below still runs (presumably failing into the catch).
            if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) {
                unassertPolicy(recToken, "Missing security configuration. " + "Make sure jaxws:client element is configured " + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value.");
            }
            // Symmetric data encryption, asymmetric key wrap, MGF and encryption
            // digest all come from the suite type
            AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
            encr.setSymmetricEncAlgorithm(algType.getEncryption());
            encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
            encr.setMGFAlgorithm(algType.getMGFAlgo());
            encr.setDigestAlgorithm(algType.getEncryptionDigest());
            encr.prepare(crypto);
            Element encryptedKeyElement = encr.getEncryptedKeyElement();
            List<Element> attachments = encr.getAttachmentEncryptedDataElements();
            // Encrypt, get hold of the ref list and add it
            if (externalRef) {
                // ReferenceList as a separate header element, inserted bottom-up
                Element refList = encr.encryptForRef(null, encrParts);
                if (refList != null) {
                    insertBeforeBottomUp(refList);
                }
                if (attachments != null) {
                    for (Element attachment : attachments) {
                        this.insertBeforeBottomUp(attachment);
                    }
                }
                // Only add the EncryptedKey when something was actually encrypted
                if (refList != null || (attachments != null && !attachments.isEmpty())) {
                    this.addEncryptedKeyElement(encryptedKeyElement);
                }
            } else {
                Element refList = encr.encryptForRef(null, encrParts);
                // Only add the EncryptedKey when something was actually encrypted
                if (refList != null || (attachments != null && !attachments.isEmpty())) {
                    this.addEncryptedKeyElement(encryptedKeyElement);
                }
                // Add internal refs
                if (refList != null) {
                    encryptedKeyElement.appendChild(refList);
                }
                if (attachments != null) {
                    for (Element attachment : attachments) {
                        this.addEncryptedKeyElement(attachment);
                    }
                }
            }
            // Put BST before EncryptedKey element
            if (encr.getBSTTokenId() != null) {
                encr.prependBSTElementToHeader();
            }
            return encr;
        } catch (WSSecurityException e) {
            // Failure un-asserts the recipient token policy; the caller sees null
            LOG.log(Level.FINE, e.getMessage(), e);
            unassertPolicy(recToken, e);
        }
    }
    return null;
}
use of org.apache.wss4j.policy.model.AlgorithmSuite in project cxf by apache.
the class PolicyBasedWSS4JInInterceptor method computeAction.
/**
 * Derives the WSS4J action list for an inbound message from its effective
 * security policy and stores it under {@link ConfigurationConstants#ACTION}.
 *
 * <p>Starts from any action already configured on the message, lets the
 * asymmetric, symmetric and (transport/default) binding checks extend it, applies
 * any non-standard signature algorithm overrides to the AlgorithmSuite
 * assertions, and then pre-asserts the assertions that need no runtime
 * verification (KeyValueToken, RsaKeyValue, Wss10, Trust10/Trust13 and their
 * nested assertions). When the message carries no {@code AssertionInfoMap},
 * nothing is changed.
 *
 * @param message the inbound SOAP message
 * @param data    the WSS4J request data handed to the binding checks
 * @throws WSSecurityException propagated from the binding checks
 */
protected void computeAction(SoapMessage message, RequestData data) throws WSSecurityException {
    String action = getString(ConfigurationConstants.ACTION, message);
    if (action == null) {
        action = "";
    }
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    if (aim == null) {
        return;
    }

    // Bindings: these decide which WSS4J actions run.
    handleWSS11(aim, message);
    action = checkAsymmetricBinding(aim, action, message, data);
    action = checkSymmetricBinding(aim, action, message, data);
    Collection<AssertionInfo> transportBindings = aim.get(SP12Constants.TRANSPORT_BINDING);
    boolean hasTransportBinding = transportBindings != null && !transportBindings.isEmpty();
    if ("".equals(action) || hasTransportBinding) {
        action = checkDefaultBinding(aim, action, message, data);
    }

    // Non-standard signature algorithms configured on the message / endpoint.
    // NOTE(review): the override mutates the AlgorithmSuite assertion objects
    // themselves; if those objects are shared across messages the override
    // presumably persists beyond this message — confirm before relying on it.
    String asymSignatureAlgorithm =
        (String) message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
    String symSignatureAlgorithm =
        (String) message.getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
    if (asymSignatureAlgorithm != null || symSignatureAlgorithm != null) {
        overrideSignatureAlgorithms(aim, asymSignatureAlgorithm, symSignatureAlgorithm);
    }

    checkUsernameToken(aim, message);

    // Assertions defaulted to "asserted"; later checks un-assert them on failure.
    PolicyUtils.assertPolicy(aim, SPConstants.KEY_VALUE_TOKEN);
    PolicyUtils.assertPolicy(aim, SPConstants.RSA_KEY_VALUE);

    // Wss10 and its reference-style assertions.
    Collection<AssertionInfo> wss10 = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS10);
    if (!wss10.isEmpty()) {
        markAsserted(wss10);
        PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
        PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
        PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
        PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
    }

    // Trust 1.0
    Collection<AssertionInfo> trust10 = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
    boolean trust10Asserted = !trust10.isEmpty();
    if (trust10Asserted) {
        markAsserted(trust10);
        assertTrust10NestedAssertions(aim);
    }

    // Trust 1.3 (also covers the Trust 1.0 nested assertions when Trust 1.0 is absent)
    Collection<AssertionInfo> trust13 = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
    if (!trust13.isEmpty()) {
        markAsserted(trust13);
        PolicyUtils.assertPolicy(aim, SP12Constants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION);
        PolicyUtils.assertPolicy(aim, SP12Constants.REQUIRE_APPLIES_TO);
        PolicyUtils.assertPolicy(aim, SP13Constants.SCOPE_POLICY_15);
        PolicyUtils.assertPolicy(aim, SP13Constants.MUST_SUPPORT_INTERACTIVE_CHALLENGE);
        if (!trust10Asserted) {
            assertTrust10NestedAssertions(aim);
        }
    }

    message.put(ConfigurationConstants.ACTION, action.trim());
}

/** Applies the configured signature algorithm overrides to every AlgorithmSuite assertion. */
private static void overrideSignatureAlgorithms(AssertionInfoMap aim,
                                                String asymSignatureAlgorithm,
                                                String symSignatureAlgorithm) {
    Collection<AssertionInfo> algorithmSuites =
        PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
    if (algorithmSuites == null || algorithmSuites.isEmpty()) {
        return;
    }
    for (AssertionInfo info : algorithmSuites) {
        AlgorithmSuite suite = (AlgorithmSuite) info.getAssertion();
        if (asymSignatureAlgorithm != null) {
            suite.setAsymmetricSignature(asymSignatureAlgorithm);
        }
        if (symSignatureAlgorithm != null) {
            suite.setSymmetricSignature(symSignatureAlgorithm);
        }
    }
}

/** Marks every assertion in {@code infos} as asserted. */
private static void markAsserted(Collection<AssertionInfo> infos) {
    for (AssertionInfo info : infos) {
        info.setAsserted(true);
    }
}

/** Asserts the nested assertions shared by Trust10 and Trust13. */
private static void assertTrust10NestedAssertions(AssertionInfoMap aim) {
    PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE);
    PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE);
    PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_ENTROPY);
    PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_SERVER_ENTROPY);
    PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_ISSUED_TOKENS);
}