Search in sources :

Example 1 with IssuedToken

use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.

the class AbstractCommonBindingHandler method assertToken.

protected void assertToken(AbstractToken token) {
    if (token == null) {
        return;
    }
    assertPolicy(token.getName());
    String namespace = token.getName().getNamespaceURI();
    if (token.getDerivedKeys() != null) {
        assertPolicy(new QName(namespace, token.getDerivedKeys().name()));
    }
    if (token instanceof X509Token) {
        X509Token x509Token = (X509Token) token;
        assertX509Token(x509Token);
    } else if (token instanceof HttpsToken) {
        HttpsToken httpsToken = (HttpsToken) token;
        if (httpsToken.getAuthenticationType() != null) {
            assertPolicy(new QName(namespace, httpsToken.getAuthenticationType().name()));
        }
    } else if (token instanceof KeyValueToken) {
        KeyValueToken keyValueToken = (KeyValueToken) token;
        if (keyValueToken.isRsaKeyValue()) {
            assertPolicy(new QName(namespace, SPConstants.RSA_KEY_VALUE));
        }
    } else if (token instanceof UsernameToken) {
        UsernameToken usernameToken = (UsernameToken) token;
        assertUsernameToken(usernameToken);
    } else if (token instanceof SecureConversationToken) {
        SecureConversationToken scToken = (SecureConversationToken) token;
        assertSecureConversationToken(scToken);
    } else if (token instanceof SecurityContextToken) {
        SecurityContextToken scToken = (SecurityContextToken) token;
        assertSecurityContextToken(scToken);
    } else if (token instanceof SpnegoContextToken) {
        SpnegoContextToken scToken = (SpnegoContextToken) token;
        assertSpnegoContextToken(scToken);
    } else if (token instanceof IssuedToken) {
        IssuedToken issuedToken = (IssuedToken) token;
        assertIssuedToken(issuedToken);
    } else if (token instanceof KerberosToken) {
        KerberosToken kerberosToken = (KerberosToken) token;
        assertKerberosToken(kerberosToken);
    } else if (token instanceof SamlToken) {
        SamlToken samlToken = (SamlToken) token;
        assertSamlToken(samlToken);
    }
}
Also used : HttpsToken(org.apache.wss4j.policy.model.HttpsToken) X509Token(org.apache.wss4j.policy.model.X509Token) SamlToken(org.apache.wss4j.policy.model.SamlToken) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) QName(javax.xml.namespace.QName) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)

Example 2 with IssuedToken

use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.

the class AbstractStaxBindingHandler method storeSecurityToken.

protected void storeSecurityToken(AbstractToken policyToken, SecurityToken tok) {
    SecurityTokenConstants.TokenType tokenType = WSSecurityTokenConstants.EncryptedKeyToken;
    if (tok.getTokenType() != null) {
        if (tok.getTokenType().startsWith(WSSConstants.NS_KERBEROS11_TOKEN_PROFILE)) {
            tokenType = WSSecurityTokenConstants.KERBEROS_TOKEN;
        } else if (tok.getTokenType().startsWith(WSSConstants.NS_SAML10_TOKEN_PROFILE) || tok.getTokenType().startsWith(WSSConstants.NS_SAML11_TOKEN_PROFILE)) {
            tokenType = WSSecurityTokenConstants.SAML_11_TOKEN;
        } else if (tok.getTokenType().startsWith(WSSConstants.NS_WSC_05_02) || tok.getTokenType().startsWith(WSSConstants.NS_WSC_05_12)) {
            tokenType = WSSecurityTokenConstants.SECURE_CONVERSATION_TOKEN;
        }
    }
    final Key key = tok.getKey();
    final byte[] secret = tok.getSecret();
    final X509Certificate[] certs = new X509Certificate[1];
    if (tok.getX509Certificate() != null) {
        certs[0] = tok.getX509Certificate();
    }
    final GenericOutboundSecurityToken encryptedKeySecurityToken = new GenericOutboundSecurityToken(tok.getId(), tokenType, key, certs) {

        @Override
        public Key getSecretKey(String algorithmURI) throws XMLSecurityException {
            if (secret != null && algorithmURI != null && !"".equals(algorithmURI)) {
                return KeyUtils.prepareSecretKey(algorithmURI, secret);
            }
            if (key != null) {
                return key;
            }
            if (secret != null) {
                String jceAlg = JCEMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
                if (jceAlg == null || "".equals(jceAlg)) {
                    jceAlg = "HmacSHA1";
                }
                return new SecretKeySpec(secret, jceAlg);
            }
            return super.getSecretKey(algorithmURI);
        }
    };
    // Store a DOM Element reference if it exists
    Element ref;
    if (isTokenRequired(policyToken.getIncludeTokenType())) {
        ref = tok.getAttachedReference();
    } else {
        ref = tok.getUnattachedReference();
    }
    if (ref != null && policyToken instanceof IssuedToken) {
        encryptedKeySecurityToken.setCustomTokenReference(ref);
    }
    final SecurityTokenProvider<OutboundSecurityToken> encryptedKeySecurityTokenProvider = new SecurityTokenProvider<OutboundSecurityToken>() {

        @Override
        public OutboundSecurityToken getSecurityToken() throws XMLSecurityException {
            return encryptedKeySecurityToken;
        }

        @Override
        public String getId() {
            return encryptedKeySecurityToken.getId();
        }
    };
    encryptedKeySecurityToken.setSha1Identifier(tok.getSHA1());
    outboundSecurityContext.registerSecurityTokenProvider(encryptedKeySecurityTokenProvider.getId(), encryptedKeySecurityTokenProvider);
    outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, encryptedKeySecurityTokenProvider.getId());
    outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, encryptedKeySecurityTokenProvider.getId());
    outboundSecurityContext.put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_CUSTOM_TOKEN, encryptedKeySecurityTokenProvider.getId());
}
Also used : Element(org.w3c.dom.Element) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) SecurityTokenConstants(org.apache.xml.security.stax.securityToken.SecurityTokenConstants) WSSecurityTokenConstants(org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants) X509Certificate(java.security.cert.X509Certificate) GenericOutboundSecurityToken(org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken) GenericOutboundSecurityToken(org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken) OutboundSecurityToken(org.apache.xml.security.stax.securityToken.OutboundSecurityToken) SecretKeySpec(javax.crypto.spec.SecretKeySpec) Key(java.security.Key) SecurityTokenProvider(org.apache.xml.security.stax.securityToken.SecurityTokenProvider)

Example 3 with IssuedToken

use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.

the class AsymmetricBindingHandler method doSignBeforeEncrypt.

private void doSignBeforeEncrypt() {
    try {
        AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
        if (initiatorWrapper == null) {
            initiatorWrapper = abinding.getInitiatorToken();
        }
        assertTokenWrapper(initiatorWrapper);
        boolean attached = false;
        if (initiatorWrapper != null) {
            AbstractToken initiatorToken = initiatorWrapper.getToken();
            if (initiatorToken instanceof IssuedToken) {
                SecurityToken secToken = getSecurityToken();
                if (secToken == null) {
                    unassertPolicy(initiatorToken, "Security token is not found or expired");
                    return;
                } else if (isTokenRequired(initiatorToken.getIncludeTokenType())) {
                    Element el = secToken.getToken();
                    this.addEncryptedKeyElement(cloneElement(el));
                    attached = true;
                }
            } else if (initiatorToken instanceof SamlToken && isRequestor()) {
                SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) initiatorToken);
                if (assertionWrapper != null && isTokenRequired(initiatorToken.getIncludeTokenType())) {
                    Element envelope = saaj.getSOAPPart().getEnvelope();
                    envelope = (Element) DOMUtils.getDomElement(envelope);
                    addSupportingElement(assertionWrapper.toDOM(envelope.getOwnerDocument()));
                    storeAssertionAsSecurityToken(assertionWrapper);
                }
            } else if (initiatorToken instanceof SamlToken) {
                String tokenId = getSAMLToken();
                if (tokenId == null) {
                    unassertPolicy(initiatorToken, "Security token is not found or expired");
                    return;
                }
            }
            assertToken(initiatorToken);
        }
        // Add timestamp
        List<WSEncryptionPart> sigs = new ArrayList<>();
        if (timestampEl != null) {
            WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
            sigs.add(timestampPart);
        }
        addSupportingTokens(sigs);
        sigs.addAll(this.getSignedParts(null));
        if (isRequestor() && initiatorWrapper != null) {
            doSignature(initiatorWrapper, sigs, attached);
            doEndorse();
        } else if (!isRequestor()) {
            // confirm sig
            addSignatureConfirmation(sigs);
            AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
            if (recipientSignatureToken == null) {
                recipientSignatureToken = abinding.getRecipientToken();
            }
            if (recipientSignatureToken != null) {
                assertTokenWrapper(recipientSignatureToken);
                assertToken(recipientSignatureToken.getToken());
                doSignature(recipientSignatureToken, sigs, attached);
            }
        }
        List<WSEncryptionPart> enc = getEncryptedParts();
        // Check for signature protection
        if (abinding.isEncryptSignature()) {
            if (mainSigId != null) {
                WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
                sigPart.setElement(bottomUpElement);
                enc.add(sigPart);
            }
            if (sigConfList != null && !sigConfList.isEmpty()) {
                enc.addAll(sigConfList);
            }
            assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
        }
        // Do encryption
        AbstractTokenWrapper encToken;
        if (isRequestor()) {
            enc.addAll(encryptedTokensList);
            encToken = abinding.getRecipientEncryptionToken();
            if (encToken == null) {
                encToken = abinding.getRecipientToken();
            }
        } else {
            encToken = abinding.getInitiatorEncryptionToken();
            if (encToken == null) {
                encToken = abinding.getInitiatorToken();
            }
        }
        doEncryption(encToken, enc, false);
        if (encToken != null) {
            assertTokenWrapper(encToken);
            assertToken(encToken.getToken());
        }
    } catch (Exception e) {
        String reason = e.getMessage();
        LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason);
        LOG.log(Level.FINE, e.getMessage(), e);
        throw new Fault(e);
    }
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) SamlToken(org.apache.wss4j.policy.model.SamlToken) QName(javax.xml.namespace.QName) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) Fault(org.apache.cxf.interceptor.Fault) SOAPException(javax.xml.soap.SOAPException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) AbstractTokenWrapper(org.apache.wss4j.policy.model.AbstractTokenWrapper)

Example 4 with IssuedToken

use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.

the class StaxAsymmetricBindingHandler method doEncryptBeforeSign.

private void doEncryptBeforeSign() {
    try {
        AbstractTokenWrapper wrapper;
        AbstractToken encryptionToken = null;
        if (isRequestor()) {
            wrapper = abinding.getRecipientEncryptionToken();
            if (wrapper == null) {
                wrapper = abinding.getRecipientToken();
            }
        } else {
            wrapper = abinding.getInitiatorEncryptionToken();
            if (wrapper == null) {
                wrapper = abinding.getInitiatorToken();
            }
        }
        assertTokenWrapper(wrapper);
        if (wrapper != null) {
            encryptionToken = wrapper.getToken();
            assertToken(encryptionToken);
        }
        AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
        if (initiatorWrapper == null) {
            initiatorWrapper = abinding.getInitiatorToken();
        }
        if (initiatorWrapper != null) {
            assertTokenWrapper(initiatorWrapper);
            AbstractToken initiatorToken = initiatorWrapper.getToken();
            if (initiatorToken instanceof IssuedToken) {
                SecurityToken sigTok = getSecurityToken();
                addIssuedToken(initiatorToken, sigTok, false, true);
                if (sigTok != null) {
                    storeSecurityToken(initiatorToken, sigTok);
                    outboundSecurityContext.remove(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
                }
                // Set up CallbackHandler which wraps the configured Handler
                WSSSecurityProperties properties = getProperties();
                TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
                properties.setCallbackHandler(callbackHandler);
            } else if (initiatorToken instanceof SamlToken) {
                addSamlToken((SamlToken) initiatorToken, false, true);
            }
        }
        List<SecurePart> encrParts = null;
        List<SecurePart> sigParts = null;
        try {
            encrParts = getEncryptedParts();
            // Signed parts are determined before encryption because encrypted signed headers
            // will not be included otherwise
            sigParts = getSignedParts();
        } catch (SOAPException ex) {
            throw new Fault(ex);
        }
        addSupportingTokens();
        if (encryptionToken != null && !encrParts.isEmpty()) {
            if (isRequestor()) {
                encrParts.addAll(encryptedTokensList);
            } else {
                addSignatureConfirmation(sigParts);
            }
            // Check for signature protection
            if (abinding.isEncryptSignature()) {
                SecurePart part = new SecurePart(new QName(XMLSecurityConstants.NS_DSIG, "Signature"), Modifier.Element);
                encrParts.add(part);
                if (signatureConfirmationAdded) {
                    SecurePart securePart = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
                    encrParts.add(securePart);
                }
                assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
            }
            doEncryption(wrapper, encrParts, true);
        }
        if (timestampAdded) {
            SecurePart part = new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
            sigParts.add(part);
        }
        if (!sigParts.isEmpty()) {
            if (initiatorWrapper != null && isRequestor()) {
                doSignature(initiatorWrapper, sigParts);
            } else if (!isRequestor()) {
                AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
                if (recipientSignatureToken == null) {
                    recipientSignatureToken = abinding.getRecipientToken();
                }
                if (recipientSignatureToken != null) {
                    assertTokenWrapper(recipientSignatureToken);
                    assertToken(recipientSignatureToken.getToken());
                    doSignature(recipientSignatureToken, sigParts);
                }
            }
        }
        removeSignatureIfSignedSAML();
        enforceEncryptBeforeSigningWithSignedSAML();
        prependSignatureToSC();
        putCustomTokenAfterSignature();
    } catch (Exception e) {
        String reason = e.getMessage();
        LOG.log(Level.WARNING, "Encrypt before signing failed due to : " + reason);
        throw new Fault(e);
    }
}
Also used : WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) SamlToken(org.apache.wss4j.policy.model.SamlToken) QName(javax.xml.namespace.QName) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Fault(org.apache.cxf.interceptor.Fault) SOAPException(javax.xml.soap.SOAPException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) SecurePart(org.apache.xml.security.stax.ext.SecurePart) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) SOAPException(javax.xml.soap.SOAPException) TokenStoreCallbackHandler(org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler) AbstractTokenWrapper(org.apache.wss4j.policy.model.AbstractTokenWrapper)

Example 5 with IssuedToken

use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.

the class StaxAsymmetricBindingHandler method doEncryption.

private void doEncryption(AbstractTokenWrapper recToken, List<SecurePart> encrParts, boolean externalRef) throws SOAPException {
    // Do encryption
    if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
        AbstractToken encrToken = recToken.getToken();
        AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
        // Action
        WSSSecurityProperties properties = getProperties();
        WSSConstants.Action actionToPerform = XMLSecurityConstants.ENCRYPT;
        if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
            actionToPerform = WSSConstants.ENCRYPT_WITH_DERIVED_KEY;
        }
        properties.addAction(actionToPerform);
        properties.getEncryptionSecureParts().addAll(encrParts);
        properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken));
        // Find out do we also need to include the token as per the Inclusion requirement
        WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getEncryptionKeyIdentifier();
        if (encrToken instanceof X509Token && isTokenRequired(encrToken.getIncludeTokenType()) && (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(keyIdentifier))) {
            properties.setIncludeEncryptionToken(true);
        } else {
            properties.setIncludeEncryptionToken(false);
        }
        properties.setEncryptionKeyTransportAlgorithm(algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap());
        properties.setEncryptionSymAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
        properties.setEncryptionKeyTransportDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
        properties.setEncryptionKeyTransportMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
        String encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
        if (encUser == null) {
            encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
        }
        if (encUser != null && properties.getEncryptionUser() == null) {
            properties.setEncryptionUser(encUser);
        }
        if (ConfigurationConstants.USE_REQ_SIG_CERT.equals(encUser)) {
            properties.setUseReqSigCertForEncryption(true);
        }
        // 
        if (!isRequestor() && recToken.getToken() instanceof IssuedToken) {
            properties.setUseReqSigCertForEncryption(true);
        }
    }
}
Also used : AlgorithmSuite(org.apache.wss4j.policy.model.AlgorithmSuite) WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) WSSConstants(org.apache.wss4j.stax.ext.WSSConstants) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) WSSecurityTokenConstants(org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants)

Aggregations

IssuedToken (org.apache.wss4j.policy.model.IssuedToken)33 AbstractToken (org.apache.wss4j.policy.model.AbstractToken)25 X509Token (org.apache.wss4j.policy.model.X509Token)21 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)20 SamlToken (org.apache.wss4j.policy.model.SamlToken)20 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)20 SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)20 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)18 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)15 Element (org.w3c.dom.Element)14 SOAPException (javax.xml.soap.SOAPException)12 Fault (org.apache.cxf.interceptor.Fault)12 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)12 KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)12 SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)12 QName (javax.xml.namespace.QName)11 AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)10 WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)9 AbstractTokenWrapper (org.apache.wss4j.policy.model.AbstractTokenWrapper)8 SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)8