Search in sources :

Example 1 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class AbstractBindingBuilder method getEncryptedKeyBuilder.

protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException {
    WSSecEncryptedKey encrKey = new WSSecEncryptedKey(secHeader);
    encrKey.setIdAllocator(wssConfig.getIdAllocator());
    encrKey.setCallbackLookup(callbackLookup);
    encrKey.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
    encrKey.setStoreBytesInAttachment(storeBytesInAttachment);
    Crypto crypto = getEncryptionCrypto();
    message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
    setKeyIdentifierType(encrKey, token);
    boolean alsoIncludeToken = false;
    // Find out do we also need to include the token as per the Inclusion requirement
    if (token instanceof X509Token && token.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER && encrKey.getKeyIdentifierType() != WSConstants.BST_DIRECT_REFERENCE) {
        alsoIncludeToken = true;
    }
    String encrUser = setEncryptionUser(encrKey, token, false, crypto);
    AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
    encrKey.setSymmetricEncAlgorithm(algType.getEncryption());
    encrKey.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
    encrKey.setMGFAlgorithm(algType.getMGFAlgo());
    encrKey.prepare(crypto);
    if (alsoIncludeToken) {
        X509Certificate encCert = getEncryptCert(crypto, encrUser);
        BinarySecurity bstToken = new X509Security(saaj.getSOAPPart());
        ((X509Security) bstToken).setX509Certificate(encCert);
        bstToken.addWSUNamespace();
        bstToken.setID(wssConfig.getIdAllocator().createSecureId("X509-", encCert));
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeaderElement(), bstToken.getElement());
        bstElement = bstToken.getElement();
    }
    return encrKey;
}
Also used : Crypto(org.apache.wss4j.common.crypto.Crypto) WSSecEncryptedKey(org.apache.wss4j.dom.message.WSSecEncryptedKey) BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) X509Token(org.apache.wss4j.policy.model.X509Token) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler) X509Certificate(java.security.cert.X509Certificate) X509Security(org.apache.wss4j.common.token.X509Security)

Example 2 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class AbstractBindingBuilder method setKeyIdentifierType.

public void setKeyIdentifierType(WSSecBase secBase, AbstractToken token) {
    boolean tokenTypeSet = false;
    if (token instanceof X509Token) {
        X509Token x509Token = (X509Token) token;
        if (x509Token.isRequireIssuerSerialReference()) {
            secBase.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
            tokenTypeSet = true;
        } else if (x509Token.isRequireKeyIdentifierReference()) {
            secBase.setKeyIdentifierType(WSConstants.SKI_KEY_IDENTIFIER);
            tokenTypeSet = true;
        } else if (x509Token.isRequireThumbprintReference()) {
            secBase.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
            tokenTypeSet = true;
        }
    } else if (token instanceof KeyValueToken) {
        secBase.setKeyIdentifierType(WSConstants.KEY_VALUE);
        tokenTypeSet = true;
    }
    assertToken(token);
    if (!tokenTypeSet) {
        boolean requestor = isRequestor();
        if (token.getIncludeTokenType() == IncludeTokenType.INCLUDE_TOKEN_NEVER || token instanceof X509Token && ((token.getIncludeTokenType() == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT && !requestor) || (token.getIncludeTokenType() == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR && requestor))) {
            Wss10 wss = getWss10();
            assertPolicy(wss);
            if (wss == null || wss.isMustSupportRefKeyIdentifier()) {
                secBase.setKeyIdentifierType(WSConstants.SKI_KEY_IDENTIFIER);
            } else if (wss.isMustSupportRefIssuerSerial()) {
                secBase.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
            } else if (wss instanceof Wss11 && ((Wss11) wss).isMustSupportRefThumbprint()) {
                secBase.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
            } else {
                secBase.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
            }
        } else {
            secBase.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        }
    }
}
Also used : X509Token(org.apache.wss4j.policy.model.X509Token) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) Wss11(org.apache.wss4j.policy.model.Wss11) Wss10(org.apache.wss4j.policy.model.Wss10)

Example 3 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class AbstractCommonBindingHandler method assertToken.

protected void assertToken(AbstractToken token) {
    if (token == null) {
        return;
    }
    assertPolicy(token.getName());
    String namespace = token.getName().getNamespaceURI();
    if (token.getDerivedKeys() != null) {
        assertPolicy(new QName(namespace, token.getDerivedKeys().name()));
    }
    if (token instanceof X509Token) {
        X509Token x509Token = (X509Token) token;
        assertX509Token(x509Token);
    } else if (token instanceof HttpsToken) {
        HttpsToken httpsToken = (HttpsToken) token;
        if (httpsToken.getAuthenticationType() != null) {
            assertPolicy(new QName(namespace, httpsToken.getAuthenticationType().name()));
        }
    } else if (token instanceof KeyValueToken) {
        KeyValueToken keyValueToken = (KeyValueToken) token;
        if (keyValueToken.isRsaKeyValue()) {
            assertPolicy(new QName(namespace, SPConstants.RSA_KEY_VALUE));
        }
    } else if (token instanceof UsernameToken) {
        UsernameToken usernameToken = (UsernameToken) token;
        assertUsernameToken(usernameToken);
    } else if (token instanceof SecureConversationToken) {
        SecureConversationToken scToken = (SecureConversationToken) token;
        assertSecureConversationToken(scToken);
    } else if (token instanceof SecurityContextToken) {
        SecurityContextToken scToken = (SecurityContextToken) token;
        assertSecurityContextToken(scToken);
    } else if (token instanceof SpnegoContextToken) {
        SpnegoContextToken scToken = (SpnegoContextToken) token;
        assertSpnegoContextToken(scToken);
    } else if (token instanceof IssuedToken) {
        IssuedToken issuedToken = (IssuedToken) token;
        assertIssuedToken(issuedToken);
    } else if (token instanceof KerberosToken) {
        KerberosToken kerberosToken = (KerberosToken) token;
        assertKerberosToken(kerberosToken);
    } else if (token instanceof SamlToken) {
        SamlToken samlToken = (SamlToken) token;
        assertSamlToken(samlToken);
    }
}
Also used : HttpsToken(org.apache.wss4j.policy.model.HttpsToken) X509Token(org.apache.wss4j.policy.model.X509Token) SamlToken(org.apache.wss4j.policy.model.SamlToken) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) QName(javax.xml.namespace.QName) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)

Example 4 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class StaxAsymmetricBindingHandler method doEncryption.

private void doEncryption(AbstractTokenWrapper recToken, List<SecurePart> encrParts, boolean externalRef) throws SOAPException {
    // Do encryption
    if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
        AbstractToken encrToken = recToken.getToken();
        AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
        // Action
        WSSSecurityProperties properties = getProperties();
        WSSConstants.Action actionToPerform = XMLSecurityConstants.ENCRYPT;
        if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
            actionToPerform = WSSConstants.ENCRYPT_WITH_DERIVED_KEY;
        }
        properties.addAction(actionToPerform);
        properties.getEncryptionSecureParts().addAll(encrParts);
        properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken));
        // Find out do we also need to include the token as per the Inclusion requirement
        WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getEncryptionKeyIdentifier();
        if (encrToken instanceof X509Token && isTokenRequired(encrToken.getIncludeTokenType()) && (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(keyIdentifier))) {
            properties.setIncludeEncryptionToken(true);
        } else {
            properties.setIncludeEncryptionToken(false);
        }
        properties.setEncryptionKeyTransportAlgorithm(algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap());
        properties.setEncryptionSymAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
        properties.setEncryptionKeyTransportDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
        properties.setEncryptionKeyTransportMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
        String encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
        if (encUser == null) {
            encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
        }
        if (encUser != null && properties.getEncryptionUser() == null) {
            properties.setEncryptionUser(encUser);
        }
        if (ConfigurationConstants.USE_REQ_SIG_CERT.equals(encUser)) {
            properties.setUseReqSigCertForEncryption(true);
        }
        // 
        if (!isRequestor() && recToken.getToken() instanceof IssuedToken) {
            properties.setUseReqSigCertForEncryption(true);
        }
    }
}
Also used : AlgorithmSuite(org.apache.wss4j.policy.model.AlgorithmSuite) WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) WSSConstants(org.apache.wss4j.stax.ext.WSSConstants) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) WSSecurityTokenConstants(org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants)

Example 5 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class StaxSymmetricBindingHandler method doSignature.

private void doSignature(AbstractTokenWrapper wrapper, AbstractToken policyToken, SecurityToken tok, List<SecurePart> sigParts) throws WSSecurityException, SOAPException {
    // Action
    WSSSecurityProperties properties = getProperties();
    WSSConstants.Action actionToPerform = XMLSecurityConstants.SIGNATURE;
    if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        actionToPerform = WSSConstants.SIGNATURE_WITH_DERIVED_KEY;
        if (MessageUtils.isRequestor(message) && policyToken instanceof X509Token) {
            properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.EncryptedKey);
        } else {
            properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.DirectReference);
        }
        AlgorithmSuiteType algSuiteType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setDerivedSignatureKeyLength(algSuiteType.getSignatureDerivedKeyLength() / 8);
    }
    if (policyToken.getVersion() == SPConstants.SPVersion.SP12) {
        properties.setUse200512Namespace(true);
    }
    List<WSSConstants.Action> actionList = properties.getActions();
    // Add a Signature directly before Kerberos, otherwise just append it
    boolean actionAdded = false;
    for (int i = 0; i < actionList.size(); i++) {
        WSSConstants.Action action = actionList.get(i);
        if (action.equals(WSSConstants.KERBEROS_TOKEN)) {
            actionList.add(i, actionToPerform);
            actionAdded = true;
            break;
        }
    }
    if (!actionAdded) {
        actionList.add(actionToPerform);
    }
    properties.getSignatureSecureParts().addAll(sigParts);
    AbstractToken sigToken = wrapper.getToken();
    if (sbinding.isProtectTokens() && sigToken instanceof X509Token && isRequestor()) {
        SecurePart securePart = new SecurePart(new QName(XMLSecurityConstants.NS_XMLENC, "EncryptedKey"), Modifier.Element);
        properties.addSignaturePart(securePart);
    }
    configureSignature(sigToken, false);
    if (policyToken instanceof X509Token) {
        properties.setIncludeSignatureToken(false);
        if (isRequestor()) {
            properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_EncryptedKey);
        } else {
            properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
            if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
                properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
            }
        }
    } else if (policyToken instanceof KerberosToken) {
        if (isRequestor()) {
            properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
        } else {
            if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
            } else {
                properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
            }
            properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
        }
    } else if (policyToken instanceof IssuedToken || policyToken instanceof SecurityContextToken || policyToken instanceof SecureConversationToken || policyToken instanceof SpnegoContextToken) {
        if (!isRequestor()) {
            properties.setIncludeSignatureToken(false);
        } else {
            properties.setIncludeSignatureToken(true);
        }
        properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
    }
    if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        properties.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
    }
}
Also used : WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) WSSConstants(org.apache.wss4j.stax.ext.WSSConstants) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) QName(javax.xml.namespace.QName) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SecurePart(org.apache.xml.security.stax.ext.SecurePart) X509Token(org.apache.wss4j.policy.model.X509Token) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)

Aggregations

X509Token (org.apache.wss4j.policy.model.X509Token)31 IssuedToken (org.apache.wss4j.policy.model.IssuedToken)21 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)20 AbstractToken (org.apache.wss4j.policy.model.AbstractToken)19 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)19 SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)18 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)18 SamlToken (org.apache.wss4j.policy.model.SamlToken)14 KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)13 SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)12 QName (javax.xml.namespace.QName)9 AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)9 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)8 AlgorithmSuiteType (org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)8 SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)8 WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)7 WSSecUsernameToken (org.apache.wss4j.dom.message.WSSecUsernameToken)6 WSSConstants (org.apache.wss4j.stax.ext.WSSConstants)6 Element (org.w3c.dom.Element)6 SOAPException (javax.xml.soap.SOAPException)5