Example 1 with UsernameToken
use of org.apache.wss4j.policy.model.UsernameToken in project cxf by apache.
the class SymmetricBindingHandler method doEncryptionDerived.
private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken, SecurityToken encrTok, AbstractToken encrToken, boolean attached, List<WSEncryptionPart> encrParts, boolean atEnd) {
try {
WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader);
dkEncr.setEncryptionSerializer(new StaxSerializer());
dkEncr.setIdAllocator(wssConfig.getIdAllocator());
dkEncr.setCallbackLookup(callbackLookup);
dkEncr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
dkEncr.setStoreBytesInAttachment(storeBytesInAttachment);
dkEncr.setExpandXopInclude(isExpandXopInclude());
dkEncr.setWsDocInfo(wsDocInfo);
if (recToken.getToken().getVersion() == SPConstants.SPVersion.SP11) {
dkEncr.setWscVersion(ConversationConstants.VERSION_05_02);
}
if (attached && encrTok.getAttachedReference() != null) {
dkEncr.setExternalKey(encrTok.getSecret(), cloneElement(encrTok.getAttachedReference()));
} else if (encrTok.getUnattachedReference() != null) {
dkEncr.setExternalKey(encrTok.getSecret(), cloneElement(encrTok.getUnattachedReference()));
} else if (!isRequestor() && encrTok.getSHA1() != null) {
// If the Encrypted key used to create the derived key is not
// attached use key identifier as defined in WSS1.1 section
// 7.7 Encrypted Key reference
SecurityTokenReference tokenRef = new SecurityTokenReference(saaj.getSOAPPart());
String tokenType = encrTok.getTokenType();
if (encrToken instanceof KerberosToken) {
tokenRef.setKeyIdentifier(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE, encrTok.getSHA1(), true);
if (tokenType == null) {
tokenType = WSS4JConstants.WSS_GSS_KRB_V5_AP_REQ;
}
} else {
tokenRef.setKeyIdentifierEncKeySHA1(encrTok.getSHA1());
if (tokenType == null) {
tokenType = WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE;
}
}
tokenRef.addTokenType(tokenType);
dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement());
} else {
if (attached) {
String id = encrTok.getWsuId();
if (id == null && (encrToken instanceof SecureConversationToken || encrToken instanceof SecurityContextToken)) {
dkEncr.setTokenIdDirectId(true);
id = encrTok.getId();
} else if (id == null) {
id = encrTok.getId();
}
if (id.startsWith("#")) {
id = id.substring(1);
}
dkEncr.setExternalKey(encrTok.getSecret(), id);
} else {
dkEncr.setTokenIdDirectId(true);
dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId());
}
}
if (encrTok.getSHA1() != null) {
String tokenType = encrTok.getTokenType();
if (tokenType == null) {
tokenType = WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE;
}
dkEncr.setCustomValueType(tokenType);
} else {
String tokenType = encrTok.getTokenType();
if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
dkEncr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
dkEncr.setCustomValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
} else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
dkEncr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
dkEncr.setCustomValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
} else if (encrToken instanceof UsernameToken) {
dkEncr.setCustomValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
} else {
dkEncr.setCustomValueType(tokenType);
}
}
AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
dkEncr.prepare();
Element encrDKTokenElem = null;
encrDKTokenElem = dkEncr.getdktElement();
addDerivedKeyElement(encrDKTokenElem);
Element refList = dkEncr.encryptForExternalRef(null, encrParts);
List<Element> attachments = dkEncr.getAttachmentEncryptedDataElements();
addAttachmentsForEncryption(atEnd, refList, attachments);
return dkEncr;
} catch (Exception e) {
LOG.log(Level.FINE, e.getMessage(), e);
unassertPolicy(recToken, e);
}
return null;
}
Also used :
AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
Element(org.w3c.dom.Element)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
WSSecDKEncrypt(org.apache.wss4j.dom.message.WSSecDKEncrypt)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
SOAPException(javax.xml.soap.SOAPException)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
StaxSerializer(org.apache.cxf.ws.security.wss4j.StaxSerializer)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)
Example 2 with UsernameToken
use of org.apache.wss4j.policy.model.UsernameToken in project cxf by apache.
the class SymmetricBindingHandler method doEncryption.
private WSSecBase doEncryption(AbstractTokenWrapper recToken, SecurityToken encrTok, boolean attached, List<WSEncryptionPart> encrParts, boolean atEnd) {
// Do encryption
if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
AbstractToken encrToken = recToken.getToken();
assertPolicy(recToken);
assertPolicy(encrToken);
AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
return doEncryptionDerived(recToken, encrTok, encrToken, attached, encrParts, atEnd);
}
try {
WSSecEncrypt encr = new WSSecEncrypt(secHeader);
encr.setEncryptionSerializer(new StaxSerializer());
encr.setIdAllocator(wssConfig.getIdAllocator());
encr.setCallbackLookup(callbackLookup);
encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
encr.setStoreBytesInAttachment(storeBytesInAttachment);
encr.setExpandXopInclude(isExpandXopInclude());
encr.setWsDocInfo(wsDocInfo);
String encrTokId = encrTok.getId();
if (attached) {
encrTokId = encrTok.getWsuId();
if (encrTokId == null && (encrToken instanceof SecureConversationToken || encrToken instanceof SecurityContextToken)) {
encr.setEncKeyIdDirectId(true);
encrTokId = encrTok.getId();
} else if (encrTokId == null) {
encrTokId = encrTok.getId();
}
if (encrTokId.startsWith("#")) {
encrTokId = encrTokId.substring(1);
}
} else {
encr.setEncKeyIdDirectId(true);
}
if (encrTok.getTokenType() != null) {
encr.setCustomReferenceValue(encrTok.getTokenType());
}
encr.setEncKeyId(encrTokId);
encr.setEphemeralKey(encrTok.getSecret());
Crypto crypto = getEncryptionCrypto();
if (crypto != null) {
setEncryptionUser(encr, encrToken, false, crypto);
}
encr.setEncryptSymmKey(false);
encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken || encrToken instanceof SecureConversationToken) {
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (attached) {
ref = encrTok.getAttachedReference();
} else {
ref = encrTok.getUnattachedReference();
}
String tokenType = encrTok.getTokenType();
if (ref != null) {
SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
encr.setSecurityTokenReference(secRef);
} else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
encr.setCustomReferenceValue(tokenType);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
}
} else if (encrToken instanceof UsernameToken) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
} else if (encrToken instanceof KerberosToken && !isRequestor()) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
encr.setEncKeyId(encrTok.getSHA1());
} else if (!isRequestor() && encrTok.getSHA1() != null) {
encr.setCustomReferenceValue(encrTok.getSHA1());
encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
}
encr.prepare(crypto);
if (encr.getBSTTokenId() != null) {
encr.prependBSTElementToHeader();
}
Element refList = encr.encryptForRef(null, encrParts);
List<Element> attachments = encr.getAttachmentEncryptedDataElements();
addAttachmentsForEncryption(atEnd, refList, attachments);
return encr;
} catch (WSSecurityException e) {
LOG.log(Level.FINE, e.getMessage(), e);
unassertPolicy(recToken, e);
}
}
return null;
}
Also used :
WSSecEncrypt(org.apache.wss4j.dom.message.WSSecEncrypt)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Element(org.w3c.dom.Element)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AlgorithmSuite(org.apache.wss4j.policy.model.AlgorithmSuite)
StaxSerializer(org.apache.cxf.ws.security.wss4j.StaxSerializer)
Crypto(org.apache.wss4j.common.crypto.Crypto)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)
Example 3 with UsernameToken
use of org.apache.wss4j.policy.model.UsernameToken in project cxf by apache.
the class TransportBindingHandler method doSignature.
private byte[] doSignature(boolean tokenIncluded, SecurityToken secTok, AbstractToken token, SupportingTokens wrapper, List<WSEncryptionPart> sigParts) throws Exception {
WSSecSignature sig = new WSSecSignature(secHeader);
sig.setIdAllocator(wssConfig.getIdAllocator());
sig.setCallbackLookup(callbackLookup);
sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
sig.setStoreBytesInAttachment(storeBytesInAttachment);
sig.setExpandXopInclude(isExpandXopInclude());
sig.setWsDocInfo(wsDocInfo);
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (tokenIncluded) {
ref = secTok.getAttachedReference();
} else {
ref = secTok.getUnattachedReference();
}
if (ref != null) {
SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
sig.setSecurityTokenReference(secRef);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (token instanceof UsernameToken) {
sig.setCustomTokenId(secTok.getId());
sig.setCustomTokenValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
int type = tokenIncluded ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
sig.setKeyIdentifierType(type);
} else if (secTok.getTokenType() == null) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
String id = secTok.getWsuId();
if (id == null) {
sig.setCustomTokenId(secTok.getId());
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
} else {
sig.setCustomTokenId(secTok.getWsuId());
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
}
String tokenType = secTok.getTokenType();
if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
sig.setCustomTokenValueType(tokenType);
}
}
Crypto crypto = null;
if (secTok.getSecret() == null) {
sig.setX509Certificate(secTok.getX509Certificate());
crypto = secTok.getCrypto();
if (crypto == null) {
crypto = getSignatureCrypto();
}
if (crypto == null) {
LOG.fine("No signature Crypto properties are available");
Exception ex = new Exception("No signature Crypto properties are available");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
}
String uname = crypto.getX509Identifier(secTok.getX509Certificate());
if (uname == null) {
String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
uname = (String) SecurityUtils.getSecurityPropertyValue(userNameKey, message);
}
String password = getPassword(uname, token, WSPasswordCallback.SIGNATURE);
sig.setUserInfo(uname, password);
sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
} else {
crypto = getSignatureCrypto();
sig.setSecretKey(secTok.getSecret());
sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
}
sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
sig.setDigestAlgo(algType.getDigest());
sig.prepare(crypto);
sig.getParts().addAll(sigParts);
List<Reference> referenceList = sig.addReferencesToSign(sigParts);
// Do signature
if (bottomUpElement == null) {
sig.computeSignature(referenceList, false, null);
} else {
sig.computeSignature(referenceList, true, bottomUpElement);
}
bottomUpElement = sig.getSignatureElement();
mainSigId = sig.getId();
return sig.getSignatureValue();
}
Also used :
AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
Reference(javax.xml.crypto.dsig.Reference)
WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature)
Element(org.w3c.dom.Element)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
SOAPException(javax.xml.soap.SOAPException)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Crypto(org.apache.wss4j.common.crypto.Crypto)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)
Example 4 with UsernameToken
use of org.apache.wss4j.policy.model.UsernameToken in project cxf by apache.
the class SymmetricBindingHandler method doEncryption.
private WSSecEncrypt doEncryption(AbstractTokenWrapper recToken, SecurityToken encrTok, boolean attached, List<WSEncryptionPart> encrParts, boolean atEnd, SecretKey symmetricKey) {
AbstractToken encrToken = recToken.getToken();
assertPolicy(recToken);
assertPolicy(encrToken);
try {
WSSecEncrypt encr = new WSSecEncrypt(secHeader);
encr.setEncryptionSerializer(new StaxSerializer());
encr.setIdAllocator(wssConfig.getIdAllocator());
encr.setCallbackLookup(callbackLookup);
encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
encr.setStoreBytesInAttachment(storeBytesInAttachment);
encr.setExpandXopInclude(isExpandXopInclude());
encr.setWsDocInfo(wsDocInfo);
String encrTokId = encrTok.getId();
if (attached) {
encrTokId = encrTok.getWsuId();
if (encrTokId == null && (encrToken instanceof SecureConversationToken || encrToken instanceof SecurityContextToken)) {
encr.setEncKeyIdDirectId(true);
encrTokId = encrTok.getId();
} else if (encrTokId == null) {
encrTokId = encrTok.getId();
}
if (encrTokId.startsWith("#")) {
encrTokId = encrTokId.substring(1);
}
} else {
encr.setEncKeyIdDirectId(true);
}
if (encrTok.getTokenType() != null) {
encr.setCustomReferenceValue(encrTok.getTokenType());
}
encr.setEncKeyId(encrTokId);
AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
Crypto crypto = getEncryptionCrypto();
if (crypto != null) {
setEncryptionUser(encr, encrToken, false, crypto);
}
encr.setEncryptSymmKey(false);
encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken || encrToken instanceof SecureConversationToken) {
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (attached) {
ref = encrTok.getAttachedReference();
} else {
ref = encrTok.getUnattachedReference();
}
String tokenType = encrTok.getTokenType();
if (ref != null) {
SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
encr.setSecurityTokenReference(secRef);
} else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
encr.setCustomReferenceValue(tokenType);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
}
} else if (encrToken instanceof UsernameToken) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
} else if (encrToken instanceof KerberosToken && !isRequestor()) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
encr.setEncKeyId(encrTok.getSHA1());
} else if (!isRequestor() && encrTok.getSHA1() != null) {
encr.setCustomReferenceValue(encrTok.getSHA1());
encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
}
encr.prepare(crypto, symmetricKey);
if (encr.getBSTTokenId() != null) {
encr.prependBSTElementToHeader();
}
Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
List<Element> attachments = encr.getAttachmentEncryptedDataElements();
addAttachmentsForEncryption(atEnd, refList, attachments);
return encr;
} catch (InvalidCanonicalizerException | WSSecurityException e) {
LOG.log(Level.FINE, e.getMessage(), e);
unassertPolicy(recToken, e);
}
return null;
}
Also used :
WSSecEncrypt(org.apache.wss4j.dom.message.WSSecEncrypt)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Element(org.w3c.dom.Element)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AlgorithmSuite(org.apache.wss4j.policy.model.AlgorithmSuite)
StaxSerializer(org.apache.cxf.ws.security.wss4j.StaxSerializer)
Crypto(org.apache.wss4j.common.crypto.Crypto)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
InvalidCanonicalizerException(org.apache.xml.security.c14n.InvalidCanonicalizerException)
AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)
Example 5 with UsernameToken
use of org.apache.wss4j.policy.model.UsernameToken in project cxf by apache.
the class SymmetricBindingHandler method doSignBeforeEncrypt.
private void doSignBeforeEncrypt() {
AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
assertTokenWrapper(sigAbstractTokenWrapper);
AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
String sigTokId = null;
try {
SecurityToken sigTok = null;
if (sigToken != null) {
if (sigToken instanceof SecureConversationToken || sigToken instanceof SecurityContextToken || sigToken instanceof IssuedToken || sigToken instanceof KerberosToken || sigToken instanceof SpnegoContextToken) {
sigTok = getSecurityToken();
} else if (sigToken instanceof X509Token) {
if (isRequestor()) {
sigTokId = setupEncryptedKey(sigAbstractTokenWrapper, sigToken);
} else {
sigTok = getEncryptedKey();
}
} else if (sigToken instanceof UsernameToken) {
if (isRequestor()) {
sigTokId = setupUTDerivedKey((UsernameToken) sigToken);
} else {
sigTok = getUTDerivedKey();
}
}
} else {
unassertPolicy(sbinding, "No signature token");
return;
}
if (sigTok == null && StringUtils.isEmpty(sigTokId)) {
unassertPolicy(sigAbstractTokenWrapper, "No signature token id");
return;
}
assertPolicy(sigAbstractTokenWrapper);
if (sigTok == null) {
sigTok = tokenStore.getToken(sigTokId);
}
// if (sigTok == null) {
// REVISIT - no token?
// }
boolean tokIncluded = true;
if (isTokenRequired(sigToken.getIncludeTokenType())) {
Element el = sigTok.getToken();
Element sigTokElem = cloneElement(el);
this.addEncryptedKeyElement(sigTokElem);
} else if (isRequestor() && sigToken instanceof X509Token) {
Element el = sigTok.getToken();
Element sigTokElem = cloneElement(el);
this.addEncryptedKeyElement(sigTokElem);
} else {
tokIncluded = false;
}
// Add timestamp
List<WSEncryptionPart> sigs = new ArrayList<>();
if (timestampEl != null) {
WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
sigs.add(timestampPart);
}
addSupportingTokens(sigs);
sigs.addAll(getSignedParts(null));
if (isRequestor()) {
if (!sigs.isEmpty()) {
addSig(doSignature(sigs, sigAbstractTokenWrapper, sigToken, sigTok, tokIncluded));
}
doEndorse();
} else {
// confirm sig
addSignatureConfirmation(sigs);
if (!sigs.isEmpty()) {
doSignature(sigs, sigAbstractTokenWrapper, sigToken, sigTok, tokIncluded);
}
}
// Encryption
AbstractTokenWrapper encrAbstractTokenWrapper = getEncryptionToken();
AbstractToken encrToken = encrAbstractTokenWrapper.getToken();
final SecurityToken encrTok;
if (sigToken.equals(encrToken)) {
// Use the same token
encrTok = sigTok;
} else {
unassertPolicy(sbinding, "Encryption token does not equal signature token");
return;
}
List<WSEncryptionPart> enc = getEncryptedParts();
// Check for signature protection
if (sbinding.isEncryptSignature()) {
if (mainSigId != null) {
WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
sigPart.setElement(bottomUpElement);
enc.add(sigPart);
}
if (sigConfList != null && !sigConfList.isEmpty()) {
enc.addAll(sigConfList);
}
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
if (isRequestor()) {
enc.addAll(encryptedTokensList);
}
if (encrAbstractTokenWrapper.getToken() != null && !enc.isEmpty()) {
final WSSecBase encr;
if (encrAbstractTokenWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
encr = doEncryptionDerived(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false);
} else {
byte[] ephemeralKey = encrTok.getSecret();
final SecretKey symmetricKey;
String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
if (ephemeralKey != null) {
symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey);
} else {
KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
symmetricKey = keyGen.generateKey();
}
encr = doEncryption(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false, symmetricKey);
}
encr.clean();
}
} catch (Exception e) {
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
}
Also used :
WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
QName(javax.xml.namespace.QName)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Element(org.w3c.dom.Element)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
ArrayList(java.util.ArrayList)
Fault(org.apache.cxf.interceptor.Fault)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
SOAPException(javax.xml.soap.SOAPException)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
InvalidCanonicalizerException(org.apache.xml.security.c14n.InvalidCanonicalizerException)
TokenStoreException(org.apache.cxf.ws.security.tokenstore.TokenStoreException)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
WSSecBase(org.apache.wss4j.dom.message.WSSecBase)
SecretKey(javax.crypto.SecretKey)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
AbstractTokenWrapper(org.apache.wss4j.policy.model.AbstractTokenWrapper)
KeyGenerator(javax.crypto.KeyGenerator)
Aggregations
UsernameToken (org.apache.wss4j.policy.model.UsernameToken)31
KerberosToken (org.apache.wss4j.policy.model.KerberosToken)23
SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)22
WSSecUsernameToken (org.apache.wss4j.dom.message.WSSecUsernameToken)19
IssuedToken (org.apache.wss4j.policy.model.IssuedToken)19
SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)18
X509Token (org.apache.wss4j.policy.model.X509Token)18
AbstractToken (org.apache.wss4j.policy.model.AbstractToken)17
Element (org.w3c.dom.Element)16
SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)14
SamlToken (org.apache.wss4j.policy.model.SamlToken)13
KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)12
SecurityTokenReference (org.apache.wss4j.common.token.SecurityTokenReference)11
AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)10
AttachmentCallbackHandler (org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)10
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)10
AlgorithmSuiteType (org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)10
SOAPException (javax.xml.soap.SOAPException)9
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)8
SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)8
