Examples with X509Token org.apache.wss4j.policy.model.X509Token used on opensource projects

Example 21 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class StaxTransportBindingHandler method handleEndorsingToken.

private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
    assertToken(token);
    if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
        return;
    }
    if (token instanceof IssuedToken) {
        SecurityToken securityToken = getSecurityToken();
        addIssuedToken(token, securityToken, false, true);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        WSSSecurityProperties properties = getProperties();
        if (securityToken != null && securityToken.getSecret() != null) {
            properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        } else {
            properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
        }
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
        SecurityToken securityToken = getSecurityToken();
        addIssuedToken(token, securityToken, false, true);
        WSSSecurityProperties properties = getProperties();
        if (securityToken != null) {
            storeSecurityToken(token, securityToken);
            // Set up CallbackHandler which wraps the configured Handler
            TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
            properties.setCallbackHandler(callbackHandler);
        }
        doSignature(token, wrapper);
        properties.setIncludeSignatureToken(true);
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof X509Token || token instanceof KeyValueToken) {
        doSignature(token, wrapper);
    } else if (token instanceof SamlToken) {
        addSamlToken((SamlToken) token, false, true);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        WSSSecurityProperties properties = getProperties();
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof UsernameToken) {
        throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
    } else if (token instanceof KerberosToken) {
        WSSSecurityProperties properties = getProperties();
        properties.addAction(XMLSecurityConstants.SIGNATURE);
        configureSignature(token, false);
        addKerberosToken((KerberosToken) token, false, true, false);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    }
}

Example 22 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class SymmetricBindingHandler method doSignature.

private byte[] doSignature(List<WSEncryptionPart> sigs, AbstractTokenWrapper policyAbstractTokenWrapper, AbstractToken policyToken, SecurityToken tok, boolean included) throws WSSecurityException {
    if (policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        return doSignatureDK(sigs, policyAbstractTokenWrapper, policyToken, tok, included);
    }
    WSSecSignature sig = new WSSecSignature(secHeader);
    sig.setIdAllocator(wssConfig.getIdAllocator());
    sig.setCallbackLookup(callbackLookup);
    sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
    sig.setStoreBytesInAttachment(storeBytesInAttachment);
    sig.setExpandXopInclude(isExpandXopInclude());
    sig.setWsDocInfo(wsDocInfo);
    // If a EncryptedKeyToken is used, set the correct value type to
    // be used in the wsse:Reference in ds:KeyInfo
    int type = included ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
    String sigTokId = tok.getId();
    if (policyToken instanceof X509Token) {
        if (isRequestor()) {
            sig.setCustomTokenValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);
            sig.setKeyIdentifierType(type);
        } else {
            // the tok has to be an EncryptedKey token
            sig.setEncrKeySha1value(tok.getSHA1());
            sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
        }
    } else if (policyToken instanceof UsernameToken) {
        sig.setCustomTokenValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
        sig.setKeyIdentifierType(type);
    } else if (policyToken instanceof KerberosToken) {
        if (isRequestor()) {
            sig.setCustomTokenValueType(tok.getTokenType());
            sig.setKeyIdentifierType(type);
        } else {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
            sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            sigTokId = tok.getSHA1();
        }
    } else {
        // Setting the AttachedReference or the UnattachedReference according to the flag
        Element ref;
        if (included) {
            ref = tok.getAttachedReference();
        } else {
            ref = tok.getUnattachedReference();
        }
        if (ref != null) {
            SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
            sig.setSecurityTokenReference(secRef);
            sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
        } else {
            String tokenType = tok.getTokenType();
            if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
                sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
                sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
                sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
                sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            } else {
                sig.setCustomTokenValueType(tokenType);
                sig.setKeyIdentifierType(type);
            }
        }
    }
    if (included) {
        sigTokId = tok.getWsuId();
        if (sigTokId == null) {
            if (policyToken instanceof SecureConversationToken || policyToken instanceof SecurityContextToken) {
                sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
            }
            sigTokId = tok.getId();
        }
        if (sigTokId.startsWith("#")) {
            sigTokId = sigTokId.substring(1);
        }
    }
    if (sbinding.isProtectTokens()) {
        assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
        if (included) {
            sigs.add(new WSEncryptionPart(sigTokId));
        }
    }
    sig.setCustomTokenId(sigTokId);
    sig.setSecretKey(tok.getSecret());
    sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
    boolean includePrefixes = MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);
    sig.setAddInclusivePrefixes(includePrefixes);
    AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
    sig.setDigestAlgo(algType.getDigest());
    sig.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
    Crypto crypto = null;
    if (sbinding.getProtectionToken() != null) {
        crypto = getEncryptionCrypto();
    } else {
        crypto = getSignatureCrypto();
    }
    this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
    sig.prepare(crypto);
    sig.getParts().addAll(sigs);
    List<Reference> referenceList = sig.addReferencesToSign(sigs);
    if (!referenceList.isEmpty()) {
        // Do signature
        if (bottomUpElement == null) {
            sig.computeSignature(referenceList, false, null);
        } else {
            sig.computeSignature(referenceList, true, bottomUpElement);
        }
        bottomUpElement = sig.getSignatureElement();
        this.mainSigId = sig.getId();
        return sig.getSignatureValue();
    }
    return null;
}

Example 23 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class TransportBindingHandler method handleEndorsingToken.

private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
    assertToken(token);
    if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
        return;
    }
    if (token instanceof IssuedToken || token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof KerberosToken || token instanceof SpnegoContextToken) {
        addSig(doIssuedTokenSignature(token, wrapper));
    } else if (token instanceof X509Token || token instanceof KeyValueToken) {
        addSig(doX509TokenSignature(token, wrapper));
    } else if (token instanceof SamlToken) {
        SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
        Element envelope = saaj.getSOAPPart().getEnvelope();
        envelope = (Element) DOMUtils.getDomElement(envelope);
        assertionWrapper.toDOM(envelope.getOwnerDocument());
        storeAssertionAsSecurityToken(assertionWrapper);
        addSig(doIssuedTokenSignature(token, wrapper));
    } else if (token instanceof UsernameToken) {
        // Create a UsernameToken object for derived keys and store the security token
        WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken) token, true);
        String id = usernameToken.getId();
        byte[] secret = usernameToken.getDerivedKey();
        Instant created = Instant.now();
        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
        SecurityToken tempTok = new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
        tempTok.setSecret(secret);
        getTokenStore().add(tempTok);
        message.put(SecurityConstants.TOKEN_ID, tempTok.getId());
        addSig(doIssuedTokenSignature(token, wrapper));
    }
}

Example 24 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class AbstractBindingPolicyValidator method checkDerivedKeys.

/**
 * Check the derived key requirement.
 */
protected boolean checkDerivedKeys(AbstractTokenWrapper tokenWrapper, boolean hasDerivedKeys, List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults) {
    AbstractToken token = tokenWrapper.getToken();
    boolean isDerivedKeys = token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys;
    // If derived keys are not required then just return
    if (!(token instanceof X509Token && isDerivedKeys)) {
        return true;
    }
    if (tokenWrapper instanceof EncryptionToken && !hasDerivedKeys && !encryptedResults.isEmpty()) {
        return false;
    } else if (tokenWrapper instanceof SignatureToken && !hasDerivedKeys && !signedResults.isEmpty()) {
        return false;
    } else if (tokenWrapper instanceof ProtectionToken && !hasDerivedKeys && !(signedResults.isEmpty() || encryptedResults.isEmpty())) {
        return false;
    }
    return true;
}

Example 25 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class AsymmetricBindingPolicyValidator method checkInitiatorTokens.

private boolean checkInitiatorTokens(AbstractTokenWrapper wrapper, AsymmetricBinding binding, AssertionInfo ai, AssertionInfoMap aim, boolean hasDerivedKeys, List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults) {
    AbstractToken token = wrapper.getToken();
    if (token instanceof X509Token) {
        boolean foundCert = false;
        for (WSSecurityEngineResult result : signedResults) {
            X509Certificate cert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            if (cert != null) {
                foundCert = true;
                break;
            }
        }
        if (!foundCert && !signedResults.isEmpty()) {
            String error = "An X.509 certificate was not used for the " + wrapper.getName();
            unassertPolicy(aim, wrapper.getName(), error);
            ai.setNotAsserted(error);
            return false;
        }
    }
    PolicyUtils.assertPolicy(aim, wrapper.getName());
    if (!checkDerivedKeys(wrapper, hasDerivedKeys, signedResults, encryptedResults)) {
        ai.setNotAsserted("Message fails the DerivedKeys requirement");
        return false;
    }
    assertDerivedKeys(wrapper.getToken(), aim);
    return true;
}