Search in sources :

Example 21 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class StaxTransportBindingHandler method handleEndorsingToken.

private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
    assertToken(token);
    if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
        return;
    }
    if (token instanceof IssuedToken) {
        SecurityToken securityToken = getSecurityToken();
        addIssuedToken(token, securityToken, false, true);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        WSSSecurityProperties properties = getProperties();
        if (securityToken != null && securityToken.getSecret() != null) {
            properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        } else {
            properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
        }
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
        SecurityToken securityToken = getSecurityToken();
        addIssuedToken(token, securityToken, false, true);
        WSSSecurityProperties properties = getProperties();
        if (securityToken != null) {
            storeSecurityToken(token, securityToken);
            // Set up CallbackHandler which wraps the configured Handler
            TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
            properties.setCallbackHandler(callbackHandler);
        }
        doSignature(token, wrapper);
        properties.setIncludeSignatureToken(true);
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof X509Token || token instanceof KeyValueToken) {
        doSignature(token, wrapper);
    } else if (token instanceof SamlToken) {
        addSamlToken((SamlToken) token, false, true);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        WSSSecurityProperties properties = getProperties();
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof UsernameToken) {
        throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
    } else if (token instanceof KerberosToken) {
        WSSSecurityProperties properties = getProperties();
        properties.addAction(XMLSecurityConstants.SIGNATURE);
        configureSignature(token, false);
        addKerberosToken((KerberosToken) token, false, true, false);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    }
}
Also used : WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) SamlToken(org.apache.wss4j.policy.model.SamlToken) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SOAPException(javax.xml.soap.SOAPException) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) TokenStoreCallbackHandler(org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler)

Example 22 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class SymmetricBindingHandler method doSignature.

private byte[] doSignature(List<WSEncryptionPart> sigs, AbstractTokenWrapper policyAbstractTokenWrapper, AbstractToken policyToken, SecurityToken tok, boolean included) throws WSSecurityException {
    if (policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        return doSignatureDK(sigs, policyAbstractTokenWrapper, policyToken, tok, included);
    }
    WSSecSignature sig = new WSSecSignature(secHeader);
    sig.setIdAllocator(wssConfig.getIdAllocator());
    sig.setCallbackLookup(callbackLookup);
    sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
    sig.setStoreBytesInAttachment(storeBytesInAttachment);
    sig.setExpandXopInclude(isExpandXopInclude());
    sig.setWsDocInfo(wsDocInfo);
    // If a EncryptedKeyToken is used, set the correct value type to
    // be used in the wsse:Reference in ds:KeyInfo
    int type = included ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
    String sigTokId = tok.getId();
    if (policyToken instanceof X509Token) {
        if (isRequestor()) {
            sig.setCustomTokenValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);
            sig.setKeyIdentifierType(type);
        } else {
            // the tok has to be an EncryptedKey token
            sig.setEncrKeySha1value(tok.getSHA1());
            sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
        }
    } else if (policyToken instanceof UsernameToken) {
        sig.setCustomTokenValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
        sig.setKeyIdentifierType(type);
    } else if (policyToken instanceof KerberosToken) {
        if (isRequestor()) {
            sig.setCustomTokenValueType(tok.getTokenType());
            sig.setKeyIdentifierType(type);
        } else {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
            sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            sigTokId = tok.getSHA1();
        }
    } else {
        // Setting the AttachedReference or the UnattachedReference according to the flag
        Element ref;
        if (included) {
            ref = tok.getAttachedReference();
        } else {
            ref = tok.getUnattachedReference();
        }
        if (ref != null) {
            SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
            sig.setSecurityTokenReference(secRef);
            sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
        } else {
            String tokenType = tok.getTokenType();
            if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
                sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
                sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
                sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
                sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            } else {
                sig.setCustomTokenValueType(tokenType);
                sig.setKeyIdentifierType(type);
            }
        }
    }
    if (included) {
        sigTokId = tok.getWsuId();
        if (sigTokId == null) {
            if (policyToken instanceof SecureConversationToken || policyToken instanceof SecurityContextToken) {
                sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
            }
            sigTokId = tok.getId();
        }
        if (sigTokId.startsWith("#")) {
            sigTokId = sigTokId.substring(1);
        }
    }
    if (sbinding.isProtectTokens()) {
        assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
        if (included) {
            sigs.add(new WSEncryptionPart(sigTokId));
        }
    }
    sig.setCustomTokenId(sigTokId);
    sig.setSecretKey(tok.getSecret());
    sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
    boolean includePrefixes = MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);
    sig.setAddInclusivePrefixes(includePrefixes);
    AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
    sig.setDigestAlgo(algType.getDigest());
    sig.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
    Crypto crypto = null;
    if (sbinding.getProtectionToken() != null) {
        crypto = getEncryptionCrypto();
    } else {
        crypto = getSignatureCrypto();
    }
    this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
    sig.prepare(crypto);
    sig.getParts().addAll(sigs);
    List<Reference> referenceList = sig.addReferencesToSign(sigs);
    if (!referenceList.isEmpty()) {
        // Do signature
        if (bottomUpElement == null) {
            sig.computeSignature(referenceList, false, null);
        } else {
            sig.computeSignature(referenceList, true, bottomUpElement);
        }
        bottomUpElement = sig.getSignatureElement();
        this.mainSigId = sig.getId();
        return sig.getSignatureValue();
    }
    return null;
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) QName(javax.xml.namespace.QName) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) Reference(javax.xml.crypto.dsig.Reference) WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature) Element(org.w3c.dom.Element) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) Crypto(org.apache.wss4j.common.crypto.Crypto) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)

Example 23 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class TransportBindingHandler method handleEndorsingToken.

private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
    assertToken(token);
    if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
        return;
    }
    if (token instanceof IssuedToken || token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof KerberosToken || token instanceof SpnegoContextToken) {
        addSig(doIssuedTokenSignature(token, wrapper));
    } else if (token instanceof X509Token || token instanceof KeyValueToken) {
        addSig(doX509TokenSignature(token, wrapper));
    } else if (token instanceof SamlToken) {
        SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
        Element envelope = saaj.getSOAPPart().getEnvelope();
        envelope = (Element) DOMUtils.getDomElement(envelope);
        assertionWrapper.toDOM(envelope.getOwnerDocument());
        storeAssertionAsSecurityToken(assertionWrapper);
        addSig(doIssuedTokenSignature(token, wrapper));
    } else if (token instanceof UsernameToken) {
        // Create a UsernameToken object for derived keys and store the security token
        WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken) token, true);
        String id = usernameToken.getId();
        byte[] secret = usernameToken.getDerivedKey();
        Instant created = Instant.now();
        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
        SecurityToken tempTok = new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
        tempTok.setSecret(secret);
        getTokenStore().add(tempTok);
        message.put(SecurityConstants.TOKEN_ID, tempTok.getId());
        addSig(doIssuedTokenSignature(token, wrapper));
    }
}
Also used : SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) Instant(java.time.Instant) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)

Example 24 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class AbstractBindingPolicyValidator method checkDerivedKeys.

/**
 * Check the derived key requirement.
 */
protected boolean checkDerivedKeys(AbstractTokenWrapper tokenWrapper, boolean hasDerivedKeys, List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults) {
    AbstractToken token = tokenWrapper.getToken();
    boolean isDerivedKeys = token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys;
    // If derived keys are not required then just return
    if (!(token instanceof X509Token && isDerivedKeys)) {
        return true;
    }
    if (tokenWrapper instanceof EncryptionToken && !hasDerivedKeys && !encryptedResults.isEmpty()) {
        return false;
    } else if (tokenWrapper instanceof SignatureToken && !hasDerivedKeys && !signedResults.isEmpty()) {
        return false;
    } else if (tokenWrapper instanceof ProtectionToken && !hasDerivedKeys && !(signedResults.isEmpty() || encryptedResults.isEmpty())) {
        return false;
    }
    return true;
}
Also used : AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SignatureToken(org.apache.wss4j.policy.model.SignatureToken) EncryptionToken(org.apache.wss4j.policy.model.EncryptionToken) ProtectionToken(org.apache.wss4j.policy.model.ProtectionToken)

Example 25 with X509Token

use of org.apache.wss4j.policy.model.X509Token in project cxf by apache.

the class AsymmetricBindingPolicyValidator method checkInitiatorTokens.

private boolean checkInitiatorTokens(AbstractTokenWrapper wrapper, AsymmetricBinding binding, AssertionInfo ai, AssertionInfoMap aim, boolean hasDerivedKeys, List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults) {
    AbstractToken token = wrapper.getToken();
    if (token instanceof X509Token) {
        boolean foundCert = false;
        for (WSSecurityEngineResult result : signedResults) {
            X509Certificate cert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            if (cert != null) {
                foundCert = true;
                break;
            }
        }
        if (!foundCert && !signedResults.isEmpty()) {
            String error = "An X.509 certificate was not used for the " + wrapper.getName();
            unassertPolicy(aim, wrapper.getName(), error);
            ai.setNotAsserted(error);
            return false;
        }
    }
    PolicyUtils.assertPolicy(aim, wrapper.getName());
    if (!checkDerivedKeys(wrapper, hasDerivedKeys, signedResults, encryptedResults)) {
        ai.setNotAsserted("Message fails the DerivedKeys requirement");
        return false;
    }
    assertDerivedKeys(wrapper.getToken(), aim);
    return true;
}
Also used : AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) X509Certificate(java.security.cert.X509Certificate)

Aggregations

X509Token (org.apache.wss4j.policy.model.X509Token)31 IssuedToken (org.apache.wss4j.policy.model.IssuedToken)21 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)20 AbstractToken (org.apache.wss4j.policy.model.AbstractToken)19 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)19 SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)18 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)18 SamlToken (org.apache.wss4j.policy.model.SamlToken)14 KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)13 SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)12 QName (javax.xml.namespace.QName)9 AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)9 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)8 AlgorithmSuiteType (org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)8 SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)8 WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)7 WSSecUsernameToken (org.apache.wss4j.dom.message.WSSecUsernameToken)6 WSSConstants (org.apache.wss4j.stax.ext.WSSConstants)6 Element (org.w3c.dom.Element)6 SOAPException (javax.xml.soap.SOAPException)5