
From dk...@apache.org
Subject svn commit: r700233 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers: AsymmetricBindingHandler.java BindingBuilder.java SymmetricBindingHandler.java
Date Mon, 29 Sep 2008 20:08:57 GMT
Author: dkulp
Date: Mon Sep 29 13:08:57 2008
New Revision: 700233

URL: http://svn.apache.org/viewvc?rev=700233&view=rev
Log:
Get MS WCF interop encrypt-then-sign working

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=700233&r1=700232&r2=700233&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Mon Sep 29 13:08:57 2008
@@ -51,7 +51,6 @@
 import org.apache.ws.security.message.WSSecHeader;
 import org.apache.ws.security.message.WSSecSignature;
 import org.apache.ws.security.message.WSSecTimestamp;
-import org.apache.ws.security.util.WSSecurityUtil;
 
 /**
  * 
@@ -236,42 +235,6 @@
         }
     }
     
-    public void handleEncryptedSignedHeaders(Vector<WSEncryptionPart> encryptedParts,

-                                              Vector<WSEncryptionPart> signedParts)
{
-        
-        for (WSEncryptionPart signedPart : signedParts) {
-            if (signedPart.getNamespace() == null || signedPart.getName() == null) {
-                continue;
-            }
-             
-            for (WSEncryptionPart encryptedPart : encryptedParts) {
-                if (encryptedPart.getNamespace() == null 
-                    || encryptedPart.getName() == null) {
-                    continue;
-                }
-                
-                if (signedPart.getName().equals(encryptedPart.getName()) 
-                    && signedPart.getNamespace().equals(encryptedPart.getNamespace()))
{
-                    
-                    String encDataID =  encryptedPart.getEncId();                    
-                    Element encDataElem = WSSecurityUtil
-                        .findElementById(saaj.getSOAPPart().getDocumentElement(),
-                                         encDataID, null);
-                    
-                    if (encDataElem != null) {
-                        Element encHeader = (Element)encDataElem.getParentNode();
-                        String encHeaderId = encHeader.getAttributeNS(WSConstants.WSU_NS,
"Id");
-                        
-                        signedParts.remove(signedPart);
-                        WSEncryptionPart encHeaderToSign = new WSEncryptionPart(encHeaderId);
-                        signedParts.add(encHeaderToSign);
-                    }
-                }
-            }
-        }
-    }
-    
-   
     
     private WSSecBase doEncryption(TokenWrapper recToken,
                                     Vector<WSEncryptionPart> encrParts,

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java?rev=700233&r1=700232&r2=700233&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java
Mon Sep 29 13:08:57 2008
@@ -821,7 +821,7 @@
         if (encrUser == null || "".equals(encrUser)) {
             policyNotAsserted(token, "No " + (sign ? "signature" : "encryption") + " username
found.");
         }
-        if (encrUser.equals(WSHandlerConstants.USE_REQ_SIG_CERT)) {
+        if (WSHandlerConstants.USE_REQ_SIG_CERT.equals(encrUser)) {
             Object resultsObj = message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS);
             if (resultsObj != null) {
                 encrKeyBuilder.setUseThisCert(getReqSigCert((Vector)resultsObj));
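Review bot: Swapping to `WSHandlerConstants.USE_REQ_SIG_CERT.equals(encrUser)` removes the NullPointerException but leaves the real gap: the `encrUser == null || "".equals(encrUser)` branch just above calls `policyNotAsserted` and then falls through, so unless `policyNotAsserted` throws, a missing username now silently continues into the encrypted-key setup with no user instead of failing fast. Add an early exit right after that `policyNotAsserted` call (returning whatever this method's failure value is), so the null-safe `equals` is a defensive measure rather than the thing that keeps a misconfigured endpoint running. The enclosing method starts and ends outside this hunk.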
@@ -1119,4 +1119,42 @@
             }
         }
     }
+    
+    
+    public void handleEncryptedSignedHeaders(Vector<WSEncryptionPart> encryptedParts,

+                                             Vector<WSEncryptionPart> signedParts)
{
+       
+        for (WSEncryptionPart signedPart : signedParts) {
+            if (signedPart.getNamespace() == null || signedPart.getName() == null) {
+                continue;
+            }
+            
+            for (WSEncryptionPart encryptedPart : encryptedParts) {
+                if (encryptedPart.getNamespace() == null 
+                    || encryptedPart.getName() == null) {
+                    continue;
+                }
+               
+                if (signedPart.getName().equals(encryptedPart.getName()) 
+                    && signedPart.getNamespace().equals(encryptedPart.getNamespace()))
{
+                   
+                    String encDataID =  encryptedPart.getEncId();                    
+                    Element encDataElem = WSSecurityUtil
+                           .findElementById(saaj.getSOAPPart().getDocumentElement(),
+                                            encDataID, null);
+                   
+                    if (encDataElem != null) {
+                        Element encHeader = (Element)encDataElem.getParentNode();
+                        String encHeaderId = encHeader.getAttributeNS(WSConstants.WSU_NS,
"Id");
+                        
+                        signedParts.remove(signedPart);
+                        WSEncryptionPart encHeaderToSign = new WSEncryptionPart(encHeaderId);
+                        signedParts.add(encHeaderToSign);
+                    }
+                }
+            }
+        }
+    }
+   
+  
 }
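Review bot: `signedParts.remove(signedPart)` and `signedParts.add(encHeaderToSign)` are executed inside the enhanced `for` over `signedParts`; `Vector`'s iterator is fail-fast, so the next `next()` throws ConcurrentModificationException unless the matched part happened to be the last one, which means the encrypted header is never swapped into the signature for any earlier position. `getAttributeNS` also returns "" when the parent header carries no `wsu:Id`, and that empty string is then passed to `new WSEncryptionPart(...)`, producing a signature reference that cannot resolve; `addWsuIdToElement` (used for the timestamp in SymmetricBindingHandler) looks like the existing helper for assigning one. Collect the replacements and apply them after the loop, and stop scanning `encryptedParts` once a signed part has been replaced. A Javadoc line such as `/** Replaces signed parts that were also encrypted with a reference to the header now holding their EncryptedData, so the signature covers the encrypted form. */` would also help, since this method was moved here from AsymmetricBindingHandler without one.
```java
public void handleEncryptedSignedHeaders(Vector<WSEncryptionPart> encryptedParts,
                                         Vector<WSEncryptionPart> signedParts) {
    Vector<WSEncryptionPart> toRemove = new Vector<WSEncryptionPart>();
    Vector<WSEncryptionPart> toAdd = new Vector<WSEncryptionPart>();
    for (WSEncryptionPart signedPart : signedParts) {
        // … unchanged: null checks, inner loop over encryptedParts, name/namespace match, findElementById …
                if (encDataElem != null) {
                    Element encHeader = (Element)encDataElem.getParentNode();
                    String encHeaderId = encHeader.getAttributeNS(WSConstants.WSU_NS, "Id");
                    if (encHeaderId == null || encHeaderId.length() == 0) {
                        // assumes the helper used for the timestamp applies here — confirm
                        encHeaderId = addWsuIdToElement(encHeader);
                    }
                    toRemove.add(signedPart);
                    toAdd.add(new WSEncryptionPart(encHeaderId));
                    break; // signedPart is replaced; no need to match it again
                }
        // … unchanged: closing braces of the match and of the inner loop …
    }
    // apply outside the iteration: Vector's iterator is fail-fast
    signedParts.removeAll(toRemove);
    signedParts.addAll(toAdd);
}
```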

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=700233&r1=700232&r2=700233&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Mon Sep 29 13:08:57 2008
@@ -25,6 +25,7 @@
 import java.util.Calendar;
 import java.util.Vector;
 
+import javax.xml.soap.SOAPException;
 import javax.xml.soap.SOAPMessage;
 
 import org.w3c.dom.Document;
@@ -110,11 +111,18 @@
         }
         
         if (sbinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning)
{
-//            doEncryptBeforeSign();
-            System.err.println("encrypt before sign, not yet");
+            try {
+                doEncryptBeforeSign();
+            } catch (Exception e) {
+                e.printStackTrace();
+                //REVISIT - exception
+            }
         } else {
             doSignBeforeEncrypt();
         }
+        //REVIST - what to do with these policies?
+        policyAsserted(SP11Constants.TRUST_10);
+        policyAsserted(SP12Constants.TRUST_13);
 
     }
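Review bot: The new `catch (Exception e)` around `doEncryptBeforeSign()` only prints the stack trace, so when encryption or signing fails the handler carries on, `policyAsserted(SP11Constants.TRUST_10)` and `TRUST_13` still run, and the message can leave without the protection the EncryptBeforeSigning policy demands. The pre-existing `doSignBeforeEncrypt` path has the same pattern, but new code should not inherit it: report the failure through the policy machinery — `policyNotAsserted(sbinding, e)` if an overload for the binding assertion exists, otherwise rethrow as a fault — and skip the TRUST assertions in that case. The `//REVISIT - exception` marker should say what is still missing rather than stand in for handling. The enclosing method begins before this hunk.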
     
@@ -135,6 +143,134 @@
     
     
 
+    private void doEncryptBeforeSign() throws SOAPException, 
+        WSSecurityException, ConversationException {
+        
+        TokenWrapper encryptionWrapper = getEncryptionToken();
+        Token encryptionToken = encryptionWrapper.getToken();
+        Vector<WSEncryptionPart> encrParts = getEncryptedParts();
+        Vector<WSEncryptionPart> sigParts = getSignedParts();
+        
+        if (encryptionToken == null && encrParts.size() > 0) {
+            //REVISIT - nothing to encrypt?
+        }
+        
+        if (encryptionToken != null && encrParts.size() > 0) {
+            //The encryption token can be an IssuedToken or a 
+             //SecureConversationToken
+            String tokenId = null;
+            
+            if (encryptionToken instanceof IssuedToken) {
+                //REVISIT - IssuedToken
+            } else if (encryptionToken instanceof SecureConversationToken) {
+                //REVISIT - SecureConversation
+            } else if (encryptionToken instanceof X509Token) {
+                if (isRequestor()) {
+                    tokenId = setupEncryptedKey(encryptionWrapper, encryptionToken);
+                } else {
+                    tokenId = getEncryptedKey();
+                }
+            }
+            
+            if (tokenId == null || tokenId.length() == 0) {
+                //REVISIT - no tokenM
+            }
+            if (tokenId.startsWith("#")) {
+                tokenId = tokenId.substring(1);
+            }
+            
+            /*
+             * Get hold of the token from the token storage
+             */
+            SecurityToken tok = tokenStore.getToken(tokenId);
+
+            boolean attached = false;
+            
+            if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == encryptionToken.getInclusion()
+                || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == encryptionToken.getInclusion()
+                || (isRequestor() 
+                    && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

+                        == encryptionToken.getInclusion())) {
+                
+                Element el = tok.getToken();
+                el = (Element)secHeader.getSecurityHeader().getOwnerDocument().importNode(el,
true);
+                this.addEncyptedKeyElement(el);
+                attached = true;
+            } else if (encryptionToken instanceof X509Token && isRequestor()) {
+                Element el = tok.getToken();
+                el = (Element)secHeader.getSecurityHeader().getOwnerDocument().importNode(el,
true);
+                this.addEncyptedKeyElement(el);
+            }
+            
+            WSSecBase encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true);
+            
+            handleEncryptedSignedHeaders(encrParts, sigParts);
+            
+            
+            if (timestampEl != null) {
+                sigParts.add(new WSEncryptionPart(addWsuIdToElement(timestampEl.getElement())));
+            }
+            
+            if (isRequestor()) {
+                this.addSupportingTokens(sigParts);
+            } else {
+                addSignatureConfirmation(sigParts);
+            }
+                
+            
+            //Sign the message
+            //We should use the same key in the case of EncryptBeforeSig
+            if (sigParts.size() > 0) {
+                signatures.add(this.doSignature(sigParts, encryptionWrapper, encryptionToken,
tok));
+            }
+            
+            if (isRequestor()) {
+                this.doEndorse();
+            }
+            
+            
+            //Check for signature protection and encryption of UsernameToken
+            if (sbinding.isSignatureProtection() && this.mainSigId != null 
+                || encryptedTokensIdList.size() > 0 && isRequestor()) {
+                Vector<WSEncryptionPart> secondEncrParts = new Vector<WSEncryptionPart>();
+                
+                //Now encrypt the signature using the above token
+                if (sbinding.isSignatureProtection()) {
+                    secondEncrParts.add(new WSEncryptionPart(this.mainSigId, "Element"));
+                }
+                
+                if (isRequestor()) {
+                    for (String s : encryptedTokensIdList) {
+                        secondEncrParts.add(new WSEncryptionPart(s, "Element"));
+                    }
+                }
+                
+                Element secondRefList = null;
+                
+                if (encryptionToken.isDerivedKeys()) {
+                    try {
+                        secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null,

+                                secondEncrParts);
+                        this.addDerivedKeyElement(secondRefList);
+                    } catch (WSSecurityException e) {
+                        //REVISIT - exception
+                    }
+                } else {
+                    try {
+                        //Encrypt, get hold of the ref list and add it
+                        secondRefList = ((WSSecEncrypt)encr).encryptForExternalRef(null,
+                                encrParts);
+                        this.addDerivedKeyElement(secondRefList);
+                    } catch (WSSecurityException e) {
+                        //REVISIT - exception
+                    }    
+                }
+            }
+           
+        } else {
+            //REVISIT - nothing to do?!?
+        }
+    }
     private void doSignBeforeEncrypt() {
         TokenWrapper sigTokenWrapper = getSignatureToken();
         Token sigToken = sigTokenWrapper.getToken();
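Review bot: In the non-derived-key branch of the signature-protection block, `encryptForExternalRef(null, encrParts)` re-encrypts the original encrypted parts instead of `secondEncrParts`, so when `isSignatureProtection()` is set the Signature (`mainSigId`) is never encrypted on the plain-X509 path; the derived-key branch just above passes `secondEncrParts`, and this one should match: `secondRefList = ((WSSecEncrypt)encr).encryptForExternalRef(null, secondEncrParts);`. Both `catch (WSSecurityException e)` blocks around those calls carry only `//REVISIT - exception`, which means a failed second encryption still lets the message out with an unencrypted signature; `policyNotAsserted(encryptionWrapper, e)`, as `doEncryption` already does, would at least fail the policy. The `tokenId == null || tokenId.length() == 0` check has an empty body, so a null id reaches `tokenId.startsWith("#")` and a missing store entry reaches `tok.getToken()`; a `policyNotAsserted(encryptionWrapper, "No encryption token id")` followed by `return` there would be clearer than the NPE. This hunk holds the whole of `doEncryptBeforeSign`; `doSignBeforeEncrypt` begins at its end and continues past it.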
@@ -208,20 +344,15 @@
                 doSignature(sigs, sigTokenWrapper, sigToken, sigTok);
             }
 
-            //REVIST - what to do with these policies?
-            policyAsserted(SP11Constants.TRUST_10);
-            policyAsserted(SP12Constants.TRUST_13);
             
             
             //Encryption
             TokenWrapper encrTokenWrapper = getEncryptionToken();
             Token encrToken = encrTokenWrapper.getToken();
             SecurityToken encrTok = null;
-            Element encrElem = null;
             if (sigToken.equals(encrToken)) {
                 //Use the same token
                 encrTok = sigTok;
-                encrElem = sigTokElem;
             } else {
                 String encrTokId = null;
                 //REVISIT - issued token from trust? 
@@ -253,17 +384,20 @@
             }
             doEncryption(encrTokenWrapper,
                          encrTok,
-                         encrElem,
-                         enc);
+                         true,
+                         enc,
+                         false);
         } catch (Exception e) {
             e.printStackTrace();
             //REVISIT!!
         }
     }
+    
     private WSSecBase doEncryption(TokenWrapper recToken,
                                    SecurityToken encrTok,
-                                   Element encrElem,
-                                   Vector<WSEncryptionPart> encrParts) {
+                                   boolean attached,
+                                   Vector<WSEncryptionPart> encrParts,
+                                   boolean atEnd) {
         //Do encryption
         if (recToken != null && recToken.getToken() != null && encrParts.size()
> 0) {
             Token encrToken = recToken.getToken();
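Review bot: `doEncryption(encrTokenWrapper, encrTok, true, enc, false)` hard-codes `attached = true`, whereas the removed `encrElem` was only non-null in the `sigToken.equals(encrToken)` branch (it was set from `sigTokElem`) and stayed null when a separate encryption token was looked up; inside `doEncryption` that flag now gates `dkEncr.setExternalKey(..., encrTok.getAttachedReference(), ...)`, so a derived key can be built against an attached reference for a token that was never attached to this header. Carry a boolean alongside `encrTok` — e.g. `boolean encrAttached = sigToken.equals(encrToken);` set where `encrTok = sigTok` is, and pass `encrAttached` instead of the literal — unless the else branch (partly outside this hunk) is known to always attach the token, in which case a one-line comment saying so would settle it. The `catch (Exception e) { e.printStackTrace(); //REVISIT!! }` at the end of `doSignBeforeEncrypt` is pre-existing but deserves the same treatment as the new encrypt-before-sign path. `doEncryption` starts in this hunk and continues past it.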
@@ -274,7 +408,7 @@
                 try {
                     WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();
                     
-                    if (encrElem != null && encrTok.getAttachedReference() != null)
{
+                    if (attached && encrTok.getAttachedReference() != null) {
                         dkEncr.setExternalKey(encrTok.getSecret(),
                                               (Element)saaj.getSOAPPart()
                                                   .importNode((Element) encrTok.getAttachedReference(),
@@ -309,7 +443,11 @@
                     encrDKTokenElem = dkEncr.getdktElement();
                     addDerivedKeyElement(encrDKTokenElem);
                     Element refList = dkEncr.encryptForExternalRef(null, encrParts);
-                    this.addDerivedKeyElement(refList);
+                    if (atEnd) {
+                        this.insertBeforeBottomUp(refList);
+                    } else {
+                        this.addDerivedKeyElement(refList);                        
+                    }
                     return dkEncr;
                 } catch (Exception e) {
                     policyNotAsserted(recToken, e);
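Review bot: The `if (atEnd) { insertBeforeBottomUp(refList); } else { addDerivedKeyElement(refList); }` block is duplicated verbatim in the plain-`WSSecEncrypt` branch in the next hunk; a private helper such as `private void addReferenceList(Element refList, boolean atEnd)` used at both sites keeps the placement rule in one place. The new `atEnd` parameter is undocumented; presumably it exists because with EncryptBeforeSigning the ReferenceList has to sit below the Signature so a receiver processing the header top-down verifies before it decrypts, and a comment on the parameter stating that, e.g. `// atEnd: place the ReferenceList at the bottom of the header (encrypt-before-sign needs it after the Signature)`, would save the next reader working it out. `doEncryption` starts before this hunk and ends after it.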
@@ -345,8 +483,11 @@
                    
                    
                     Element refList = encr.encryptForExternalRef(null, encrParts);
-                    this.addDerivedKeyElement(refList);
-
+                    if (atEnd) {
+                        this.insertBeforeBottomUp(refList);
+                    } else {
+                        this.addDerivedKeyElement(refList);                        
+                    }
                     return encr;
                 } catch (WSSecurityException e) {
                     policyNotAsserted(recToken, e.getMessage());


