
Example 6 with AlgorithmSuite

Use of org.apache.wss4j.policy.model.AlgorithmSuite in the project cxf by apache.

The class WSSCUnitTest, method createSymmetricBindingPolicy.

/**
 * Builds an in-memory SymmetricBinding policy that this test uses to talk to the STS.
 *
 * Resulting structure: ExactlyOne -> All holding the UsingAddressing assertion, a
 * SymmetricBinding whose ProtectionToken is an X509Token with IncludeToken=Never and the
 * Basic128 algorithm suite (plus IncludeTimestamp and OnlySignEntireHeadersAndBody), and a
 * SignedParts assertion built with an empty header list (the {@code true} argument is
 * presumably the Body flag — confirm against the SignedParts constructor).
 *
 * @return the assembled policy
 */
private Policy createSymmetricBindingPolicy() {
    Policy policy = new Policy();
    All alternative = newSingleAlternative(policy);
    // Addressing
    alternative.addPolicyComponent(
        new PrimitiveAssertion(MetadataConstants.USING_ADDRESSING_2006_QNAME, false));

    // X509 token used as the protection token; the token itself is never sent on the wire
    Policy x509Policy = new Policy();
    X509Token x509Token = new X509Token(SPConstants.SPVersion.SP12,
        SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER, null, null, null, new Policy());
    newSingleAlternative(x509Policy).addPolicyComponent(x509Token);

    // Basic128 algorithm suite
    Policy algSuitePolicy = new Policy();
    newSingleAlternative(algSuitePolicy).addAssertion(
        new PrimitiveAssertion(new QName(SP12Constants.SP_NS, SPConstants.ALGO_SUITE_BASIC128)));
    AlgorithmSuite algorithmSuite = new AlgorithmSuite(SPConstants.SPVersion.SP12, algSuitePolicy);

    // Symmetric binding: nested policy must be complete before the binding parses it
    Policy bindingPolicy = new Policy();
    All bindingAlternative = newSingleAlternative(bindingPolicy);
    bindingAlternative.addPolicyComponent(new ProtectionToken(SPConstants.SPVersion.SP12, x509Policy));
    bindingAlternative.addPolicyComponent(algorithmSuite);
    bindingAlternative.addAssertion(new PrimitiveAssertion(SP12Constants.INCLUDE_TIMESTAMP));
    bindingAlternative.addAssertion(new PrimitiveAssertion(SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
    DefaultSymmetricBinding binding = new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, bindingPolicy);
    binding.setOnlySignEntireHeadersAndBody(true);
    binding.setProtectTokens(false);
    alternative.addPolicyComponent(binding);

    // Signed parts with no header entries
    List<Header> noHeaders = new ArrayList<>();
    SignedParts signedParts = new SignedParts(SPConstants.SPVersion.SP12, true, null, noHeaders, false);
    alternative.addPolicyComponent(signedParts);
    return policy;
}

/**
 * Adds an ExactlyOne/All pair under {@code parent} and returns the All so that
 * assertions can be attached to it.
 */
private static All newSingleAlternative(Policy parent) {
    ExactlyOne alternatives = new ExactlyOne();
    parent.addPolicyComponent(alternatives);
    All alternative = new All();
    alternatives.addPolicyComponent(alternative);
    return alternative;
}

Example 7 with AlgorithmSuite

Use of org.apache.wss4j.policy.model.AlgorithmSuite in the project cxf by apache.

The class AlgorithmSuiteBuilder, method build.

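/**
 * Builds an {@link AlgorithmSuite} assertion from an {@code sp:AlgorithmSuite} element.
 *
 * The suite is resolved through the {@link AlgorithmSuiteLoader} registered on the bus, falling
 * back to {@link DefaultAlgorithmSuiteLoader}. A suite the loader does not recognise is rejected
 * with an exception rather than accepted, so an unknown or misspelled suite name cannot silently
 * weaken the binding it belongs to.
 *
 * @param element the {@code sp:AlgorithmSuite} DOM element
 * @param factory used to parse the nested {@code wsp:Policy} element
 * @return the resolved suite, with the optional/ignorable flags copied from the element
 * @throws IllegalArgumentException if the element has no nested policy, or the named suite is not registered
 */
@Override
public Assertion build(Element element, AssertionBuilderFactory factory) throws IllegalArgumentException {
    final SPConstants.SPVersion spVersion = SPConstants.SPVersion.getSPVersion(element.getNamespaceURI());
    final Element nestedPolicyElement = SPUtils.getFirstPolicyChildElement(element);
    if (nestedPolicyElement == null) {
        throw new IllegalArgumentException("sp:AlgorithmSuite must have an inner wsp:Policy element");
    }
    final Policy nestedPolicy = factory.getPolicyEngine().getPolicy(nestedPolicyElement);
    AlgorithmSuiteLoader loader = bus.getExtension(AlgorithmSuiteLoader.class);
    if (loader == null) {
        loader = new DefaultAlgorithmSuiteLoader();
    }
    AlgorithmSuite algorithmSuite = loader.getAlgorithmSuite(bus, spVersion, nestedPolicy);
    if (algorithmSuite == null || algorithmSuite.getAlgorithmSuiteType() == null) {
        throw new IllegalArgumentException("Algorithm suite \""
            + describeUnresolvedSuite(algorithmSuite, nestedPolicyElement) + "\" is not registered");
    }
    algorithmSuite.setOptional(SPUtils.isOptional(element));
    algorithmSuite.setIgnorable(SPUtils.isIgnorable(element));
    return algorithmSuite;
}

/**
 * Chooses the name to report for a suite that could not be resolved: the loader's first invalid
 * suite name when it provides one, otherwise the local name of the first element inside the nested
 * policy. An inner {@code wsp:Policy} with no child element yields a placeholder instead of a
 * NullPointerException, so a malformed policy still produces the intended IllegalArgumentException.
 */
private static String describeUnresolvedSuite(AlgorithmSuite algorithmSuite, Element nestedPolicyElement) {
    String name = null;
    if (algorithmSuite != null) {
        name = algorithmSuite.getFirstInvalidAlgorithmSuite();
    }
    if (name == null) {
        Element first = DOMUtils.getFirstElement(nestedPolicyElement);
        // getFirstElement yields null for an empty nested policy
        name = first == null ? "(unnamed)" : first.getLocalName();
    }
    return name;
}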

Example 8 with AlgorithmSuite

Use of org.apache.wss4j.policy.model.AlgorithmSuite in the project cxf by apache.

The class SecureConversationTokenInterceptorProvider, method setupClient.

/**
 * Configures the STS client used to establish a SecureConversation token.
 *
 * The token's bootstrap policy is merged with a locally built policy that carries the addressing
 * assertion and, when {@code endorse} is set, an EndorsingSupportingTokens wrapper around the token
 * itself. Trust 1.0/1.3 settings, the SOAP version, the endpoint address and the algorithm suite
 * taken from the policy are copied onto the client; when the suite's maximum symmetric key length
 * is below 256 that length is requested from the STS, otherwise the client's default key size is
 * left untouched. Finally the message's security properties are mapped into the request context.
 *
 * @param client the STS client to configure
 * @param message the current SOAP message (SOAP version, endpoint address, security properties)
 * @param aim assertion information for the effective policy
 * @param itok the SecureConversationToken assertion being satisfied
 * @param endorse whether the token must also endorse the message signature
 * @return the endpoint address the client was pointed at
 * @throws Fault if the token does not define a BootstrapPolicy
 */
static String setupClient(STSClient client, SoapMessage message, AssertionInfoMap aim, SecureConversationToken itok, boolean endorse) {
    boolean hasBootstrapPolicy = itok.getBootstrapPolicy() != null
        && itok.getBootstrapPolicy().getPolicy() != null;
    if (!hasBootstrapPolicy) {
        throw new Fault("The SecureConversationToken does not define a BootstrapPolicy", LOG);
    }
    client.setTrust(NegotiationUtils.getTrust10(aim));
    client.setTrust(NegotiationUtils.getTrust13(aim));

    // Local policy: addressing, plus the token as an endorsing supporting token when requested
    Policy localPolicy = new Policy();
    ExactlyOne alternatives = new ExactlyOne();
    localPolicy.addPolicyComponent(alternatives);
    All alternative = new All();
    alternative.addPolicyComponent(NegotiationUtils.getAddressingPolicy(aim, false));
    alternatives.addPolicyComponent(alternative);
    if (endorse) {
        SupportingTokens endorsing = new SupportingTokens(SPConstants.SPVersion.SP12,
            SP12Constants.ENDORSING_SUPPORTING_TOKENS, new Policy());
        endorsing.addToken(itok);
        alternative.addPolicyComponent(endorsing);
    }
    Policy bootstrapPolicy = itok.getBootstrapPolicy().getPolicy();
    client.setPolicy(localPolicy.merge(bootstrapPolicy));

    client.setSoap11(message.getVersion() == Soap11.getInstance());
    client.setSecureConv(true);
    String endpointAddress = message.getContextualProperty(Message.ENDPOINT_ADDRESS).toString();
    client.setLocation(endpointAddress);

    AlgorithmSuite suite = NegotiationUtils.getAlgorithmSuite(aim);
    if (suite != null) {
        client.setAlgorithmSuite(suite);
        int maxKeyLength = suite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength();
        // Only ever shrink the requested key size; a suite allowing 256 keeps the client default
        if (maxKeyLength < 256) {
            client.setKeySize(maxKeyLength);
        }
    }
    Map<String, Object> requestContext = client.getRequestContext();
    mapSecurityProps(message, requestContext);
    return endpointAddress;
}

Example 9 with AlgorithmSuite

Use of org.apache.wss4j.policy.model.AlgorithmSuite in the project cxf by apache.

The class AsymmetricBindingHandler, method doEncryption.

/**
 * Encrypts the given parts for the recipient token and returns the prepared encryption
 * builder, or {@code null} when nothing was encrypted.
 *
 * Nothing happens when there is no recipient token or no parts to encrypt. Tokens that
 * require derived keys are delegated to {@code doEncryptionDerived}. Otherwise a
 * {@code WSSecEncrypt} is configured from the binding's algorithm suite; on the responder
 * side a SAML security token received earlier can supply both the EncryptedKey reference and
 * the certificate/public key. The ReferenceList and any encrypted attachments are placed
 * directly in the header when {@code externalRef} is set, otherwise inside the EncryptedKey.
 *
 * @param recToken wrapper holding the recipient (encryption) token; may be {@code null}
 * @param encrParts the parts to encrypt; an empty list means no encryption
 * @param externalRef whether the ReferenceList goes into the header rather than into the EncryptedKey
 * @return the prepared encryption builder, or {@code null} when encryption was skipped or
 *         failed; on failure the policy for {@code recToken} has been unasserted
 */
private WSSecBase doEncryption(AbstractTokenWrapper recToken, List<WSEncryptionPart> encrParts, boolean externalRef) {
    // Do encryption
    if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
        AbstractToken encrToken = recToken.getToken();
        assertPolicy(recToken);
        assertPolicy(encrToken);
        AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
        // Derived-key encryption uses its own builder
        if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
            return doEncryptionDerived(recToken, encrToken, encrParts, algorithmSuite);
        }
        try {
            WSSecEncrypt encr = new WSSecEncrypt(secHeader);
            encr.setEncryptionSerializer(new StaxSerializer());
            encr.setIdAllocator(wssConfig.getIdAllocator());
            encr.setCallbackLookup(callbackLookup);
            encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
            encr.setStoreBytesInAttachment(storeBytesInAttachment);
            encr.setExpandXopInclude(isExpandXopInclude());
            encr.setWsDocInfo(wsDocInfo);
            Crypto crypto = getEncryptionCrypto();
            SecurityToken securityToken = getSecurityToken();
            // Responder side with a SAML token from the request: reference that assertion as the
            // EncryptedKey's key identifier, choosing the SAML 1.1 or 2.0 value type by token type.
            if (!isRequestor() && securityToken != null && recToken.getToken() instanceof SamlToken) {
                String tokenType = securityToken.getTokenType();
                if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
                    encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                    encr.setCustomEKTokenId(securityToken.getId());
                } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
                    encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                    encr.setCustomEKTokenId(securityToken.getId());
                } else {
                    // Unknown SAML token type: fall back to the policy-derived key identifier
                    setKeyIdentifierType(encr, encrToken);
                }
            } else {
                setKeyIdentifierType(encr, encrToken);
            }
            // Key material: on the responder side reuse the certificate or public key carried by
            // the security token; otherwise resolve the encryption user through the crypto.
            if (!isRequestor() && securityToken != null && securityToken.getX509Certificate() != null) {
                encr.setUseThisCert(securityToken.getX509Certificate());
            } else if (!isRequestor() && securityToken != null && securityToken.getKey() instanceof PublicKey) {
                encr.setUseThisPublicKey((PublicKey) securityToken.getKey());
            } else {
                setEncryptionUser(encr, encrToken, false, crypto);
            }
            // No certificate, no public key and no crypto: encryption cannot succeed, so record
            // the policy failure. NOTE(review): preparation still continues below; presumably
            // prepare() then fails with a WSSecurityException handled by the catch — confirm.
            if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) {
                unassertPolicy(recToken, "Missing security configuration. " + "Make sure jaxws:client element is configured " + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value.");
            }
            // Data encryption, key wrap, MGF and digest algorithms all come from the policy's
            // algorithm suite rather than from anything in the message.
            AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
            encr.setSymmetricEncAlgorithm(algType.getEncryption());
            encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
            encr.setMGFAlgorithm(algType.getMGFAlgo());
            encr.setDigestAlgorithm(algType.getEncryptionDigest());
            encr.prepare(crypto);
            Element encryptedKeyElement = encr.getEncryptedKeyElement();
            List<Element> attachments = encr.getAttachmentEncryptedDataElements();
            // Encrypt, get hold of the ref list and add it
            if (externalRef) {
                // ReferenceList and encrypted attachments go straight into the header; the
                // EncryptedKey is only added when something was actually encrypted.
                Element refList = encr.encryptForRef(null, encrParts);
                if (refList != null) {
                    insertBeforeBottomUp(refList);
                }
                if (attachments != null) {
                    for (Element attachment : attachments) {
                        this.insertBeforeBottomUp(attachment);
                    }
                }
                if (refList != null || (attachments != null && !attachments.isEmpty())) {
                    this.addEncryptedKeyElement(encryptedKeyElement);
                }
            } else {
                // EncryptedKey first, then the ReferenceList nested inside it
                Element refList = encr.encryptForRef(null, encrParts);
                if (refList != null || (attachments != null && !attachments.isEmpty())) {
                    this.addEncryptedKeyElement(encryptedKeyElement);
                }
                // Add internal refs
                if (refList != null) {
                    encryptedKeyElement.appendChild(refList);
                }
                if (attachments != null) {
                    for (Element attachment : attachments) {
                        this.addEncryptedKeyElement(attachment);
                    }
                }
            }
            // Put BST before EncryptedKey element
            if (encr.getBSTTokenId() != null) {
                encr.prependBSTElementToHeader();
            }
            return encr;
        } catch (WSSecurityException e) {
            // Logged at FINE only; the failure is surfaced by unasserting the policy and
            // returning null to the caller.
            LOG.log(Level.FINE, e.getMessage(), e);
            unassertPolicy(recToken, e);
        }
    }
    return null;
}

Example 10 with AlgorithmSuite

Use of org.apache.wss4j.policy.model.AlgorithmSuite in the project cxf by apache.

The class PolicyBasedWSS4JInInterceptor, method computeAction.

/**
 * Derives the WSS4J action string for an inbound message from the effective WS-SecurityPolicy
 * and stores it under {@code ConfigurationConstants.ACTION} on the message.
 *
 * Starting from any explicitly configured action, the asymmetric and symmetric binding checks
 * contribute to it, and the default binding check runs when nothing else applied or a
 * TransportBinding is present. Signature-algorithm overrides from the message context are pushed
 * into every AlgorithmSuite assertion, the UsernameToken policy is checked, and the WSS10,
 * Trust 1.0 and Trust 1.3 assertion families that this interceptor satisfies unconditionally are
 * marked asserted. Nothing happens when the message carries no AssertionInfoMap.
 *
 * @param message the inbound SOAP message
 * @param data WSS4J request data passed to the binding checks
 * @throws WSSecurityException propagated from the binding checks
 */
protected void computeAction(SoapMessage message, RequestData data) throws WSSecurityException {
    String configuredAction = getString(ConfigurationConstants.ACTION, message);
    String action = configuredAction == null ? "" : configuredAction;
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    if (aim == null) {
        // No policy in play: leave the configured action untouched
        return;
    }
    // Bindings that affect how the message must be processed
    handleWSS11(aim, message);
    action = checkAsymmetricBinding(aim, action, message, data);
    action = checkSymmetricBinding(aim, action, message, data);
    Collection<AssertionInfo> transportBindings = aim.get(SP12Constants.TRANSPORT_BINDING);
    boolean transportBindingPresent = transportBindings != null && !transportBindings.isEmpty();
    if ("".equals(action) || transportBindingPresent) {
        action = checkDefaultBinding(aim, action, message, data);
    }
    applySignatureAlgorithmOverrides(aim, message);
    checkUsernameToken(aim, message);

    // Assertions satisfied by default; later checks may un-assert them
    PolicyUtils.assertPolicy(aim, SPConstants.KEY_VALUE_TOKEN);
    PolicyUtils.assertPolicy(aim, SPConstants.RSA_KEY_VALUE);

    // WSS10 and the reference styles asserted along with it
    if (markAllAsserted(PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS10))) {
        PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
        PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
        PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
        PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
    }

    // Trust 1.0
    boolean trust10Asserted = markAllAsserted(PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10));
    if (trust10Asserted) {
        assertTrust10Capabilities(aim);
    }

    // Trust 1.3 also covers the Trust 1.0 capabilities unless those were asserted above
    if (markAllAsserted(PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_13))) {
        PolicyUtils.assertPolicy(aim, SP12Constants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION);
        PolicyUtils.assertPolicy(aim, SP12Constants.REQUIRE_APPLIES_TO);
        PolicyUtils.assertPolicy(aim, SP13Constants.SCOPE_POLICY_15);
        PolicyUtils.assertPolicy(aim, SP13Constants.MUST_SUPPORT_INTERACTIVE_CHALLENGE);
        if (!trust10Asserted) {
            assertTrust10Capabilities(aim);
        }
    }
    message.put(ConfigurationConstants.ACTION, action.trim());
}

/**
 * Pushes the signature-algorithm overrides configured on the message or endpoint
 * ({@code SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM} and
 * {@code SYMMETRIC_SIGNATURE_ALGORITHM}) into every AlgorithmSuite assertion. The values come
 * from local contextual properties, not from the incoming message.
 */
private static void applySignatureAlgorithmOverrides(AssertionInfoMap aim, SoapMessage message) {
    String asymSignatureAlgorithm = (String) message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
    String symSignatureAlgorithm = (String) message.getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
    if (asymSignatureAlgorithm == null && symSignatureAlgorithm == null) {
        return;
    }
    Collection<AssertionInfo> algorithmSuites = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
    if (algorithmSuites == null) {
        return;
    }
    for (AssertionInfo algorithmSuite : algorithmSuites) {
        AlgorithmSuite algSuite = (AlgorithmSuite) algorithmSuite.getAssertion();
        if (asymSignatureAlgorithm != null) {
            algSuite.setAsymmetricSignature(asymSignatureAlgorithm);
        }
        if (symSignatureAlgorithm != null) {
            algSuite.setSymmetricSignature(symSignatureAlgorithm);
        }
    }
}

/** Marks every assertion in {@code ais} as asserted; returns whether there was at least one. */
private static boolean markAllAsserted(Collection<AssertionInfo> ais) {
    if (ais.isEmpty()) {
        return false;
    }
    for (AssertionInfo ai : ais) {
        ai.setAsserted(true);
    }
    return true;
}

/** Asserts the Trust 1.0 capability assertions that are asserted unconditionally here. */
private static void assertTrust10Capabilities(AssertionInfoMap aim) {
    PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE);
    PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE);
    PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_ENTROPY);
    PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_SERVER_ENTROPY);
    PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_ISSUED_TOKENS);
}
