From dk...@apache.org
Subject svn commit: r727143 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers: AbstractBindingBuilder.java AsymmetricBindingHandler.java SymmetricBindingHandler.java TransportBindingHandler.java
Date Tue, 16 Dec 2008 20:52:44 GMT
Author: dkulp
Date: Tue Dec 16 12:52:43 2008
New Revision: 727143

URL: http://svn.apache.org/viewvc?rev=727143&view=rev
Log:
Updates for symmetric x509 certs with ws-trust saml tokens

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=727143&r1=727142&r2=727143&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Tue Dec 16 12:52:43 2008
@@ -119,6 +119,8 @@
 public abstract class AbstractBindingBuilder {
     private static final Logger LOG = LogUtils.getL7dLogger(AbstractBindingBuilder.class);

     
+    protected SPConstants.ProtectionOrder protectionOrder = SPConstants.ProtectionOrder.SignBeforeEncrypting;
+    
     protected SOAPMessage saaj;
     protected WSSecHeader secHeader;
     protected AssertionInfoMap aim;
@@ -1097,7 +1099,11 @@
                 }
                 
                 try {
-                    doSymmSignature(ent.getKey(), token, sigParts, isTokenProtection);
+                    if (ent.getKey().isDerivedKeys()) {
+                        doSymmSignatureDerived(ent.getKey(), token, sigParts, isTokenProtection);
+                    } else {
+                        doSymmSignature(ent.getKey(), token, sigParts, isTokenProtection);
+                    }
                 } catch (Exception e) {
                     // TODO Auto-generated catch block
                     e.printStackTrace();
@@ -1105,185 +1111,151 @@
             }
         } 
     }
-    private void doSymmSignature(Token policyToken, SecurityToken tok,
+    private void doSymmSignatureDerived(Token policyToken, SecurityToken tok,
                                  Vector<WSEncryptionPart> sigParts, boolean isTokenProtection)
         throws WSSecurityException, ConversationException {
         
         Document doc = saaj.getSOAPPart();
-        if (policyToken.isDerivedKeys()) {
-            WSSecDKSign dkSign = new WSSecDKSign();  
-            
-            //Check whether it is security policy 1.2 and use the secure conversation accordingly
-            if (SP12Constants.INSTANCE == policyToken.getSPConstants()) {
-                dkSign.setWscVersion(ConversationConstants.VERSION_05_12);
-            }
-                          
-            //Check for whether the token is attached in the message or not
-            boolean attached = false;
-            
-            if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == policyToken.getInclusion()
-                || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == policyToken.getInclusion()
-                || (isRequestor() && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

-                        == policyToken.getInclusion())) {
-                attached = true;
-            }
-            
-            // Setting the AttachedReference or the UnattachedReference according to the
flag
-            Element ref;
-            if (attached) {
-                ref = tok.getAttachedReference();
-            } else {
-                ref = tok.getUnattachedReference();
-            }
-            
-            if (ref != null) {
-                dkSign.setExternalKey(tok.getSecret(), (Element) 
-                                      cloneElement(ref));
-            } else if (!isRequestor() && policyToken.isDerivedKeys()) { 
-                // If the Encrypted key used to create the derived key is not
-                // attached use key identifier as defined in WSS1.1 section
-                // 7.7 Encrypted Key reference
-                SecurityTokenReference tokenRef 
-                    = new SecurityTokenReference(doc);
-                if (tok.getSHA1() != null) {
-                    tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
-                }
-                dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
-            
-            } else {
-                dkSign.setExternalKey(tok.getSecret(), tok.getId());
-            }
-
-            //Set the algo info
-            dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
-            dkSign.setDerivedKeyLength(binding.getAlgorithmSuite().getSignatureDerivedKeyLength()
/ 8);
+        WSSecDKSign dkSign = new WSSecDKSign();  
+        
+        //Check whether it is security policy 1.2 and use the secure conversation accordingly
+        if (SP12Constants.INSTANCE == policyToken.getSPConstants()) {
+            dkSign.setWscVersion(ConversationConstants.VERSION_05_12);
+        }
+                      
+        //Check for whether the token is attached in the message or not
+        boolean attached = false;
+        
+        if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == policyToken.getInclusion()
+            || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == policyToken.getInclusion()
+            || (isRequestor() && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

+                    == policyToken.getInclusion())) {
+            attached = true;
+        }
+        
+        // Setting the AttachedReference or the UnattachedReference according to the flag
+        Element ref;
+        if (attached) {
+            ref = tok.getAttachedReference();
+        } else {
+            ref = tok.getUnattachedReference();
+        }
+        
+        if (ref != null) {
+            ref = cloneElement(ref);
+            dkSign.setExternalKey(tok.getSecret(), ref);
+        } else if (!isRequestor() && policyToken.isDerivedKeys()) { 
+            // If the Encrypted key used to create the derived key is not
+            // attached use key identifier as defined in WSS1.1 section
+            // 7.7 Encrypted Key reference
+            SecurityTokenReference tokenRef 
+                = new SecurityTokenReference(doc);
             if (tok.getSHA1() != null) {
-                //Set the value type of the reference
-                dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
-                    + WSConstants.ENC_KEY_VALUE_TYPE);
+                tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
             }
-            
-            dkSign.prepare(doc, secHeader);
-            
-            if (isTokenProtection) {
+            dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
+        
+        } else {
+            dkSign.setExternalKey(tok.getSecret(), tok.getId());
+        }
 
-                //Hack to handle reference id issues
-                //TODO Need a better fix
-                String sigTokId = tok.getId();
-                if (sigTokId.startsWith("#")) {
-                    sigTokId = sigTokId.substring(1);
-                }
-                sigParts.add(new WSEncryptionPart(sigTokId));
+        //Set the algo info
+        dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+        dkSign.setDerivedKeyLength(binding.getAlgorithmSuite().getSignatureDerivedKeyLength()
/ 8);
+        if (tok.getSHA1() != null) {
+            //Set the value type of the reference
+            dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
+                + WSConstants.ENC_KEY_VALUE_TYPE);
+        }
+        
+        dkSign.prepare(doc, secHeader);
+        
+        if (isTokenProtection) {
+            //Hack to handle reference id issues
+            //TODO Need a better fix
+            String sigTokId = tok.getId();
+            if (sigTokId.startsWith("#")) {
+                sigTokId = sigTokId.substring(1);
             }
-            
-            dkSign.setParts(sigParts);
-            
-            dkSign.addReferencesToSign(sigParts, secHeader);
-            
-            //Do signature
-            dkSign.computeSignature();
+            sigParts.add(new WSEncryptionPart(sigTokId));
+        }
+        
+        dkSign.setParts(sigParts);
+        
+        dkSign.addReferencesToSign(sigParts, secHeader);
+        
+        //Do signature
+        dkSign.computeSignature();
 
-            //Add elements to header
-            
-            /*
-            if (rpd.getProtectionOrder().equals(SPConstants.ENCRYPT_BEFORE_SIGNING) &&
-                    this.getInsertionLocation() == null ) {
-                this.setInsertionLocation(RampartUtil
-                        
-                        .insertSiblingBefore(rmd, 
-                                this.mainRefListElement,
-                                dkSign.getdktElement()));
-
-                    this.setInsertionLocation(RampartUtil.insertSiblingAfter(
-                            rmd, 
-                            this.getInsertionLocation(), 
-                            dkSign.getSignatureElement()));                
-            } else {
-                this.setInsertionLocation(RampartUtil
-            
-                    .insertSiblingAfter(rmd, 
-                            this.getInsertionLocation(),
-                            dkSign.getdktElement()));
-
-                this.setInsertionLocation(RampartUtil.insertSiblingAfter(
-                        rmd, 
-                        this.getInsertionLocation(), 
-                        dkSign.getSignatureElement()));
-            }
-            */
-        } else {
-            WSSecSignature sig = new WSSecSignature();
-            // If a EncryptedKeyToken is used, set the correct value type to
-            // be used in the wsse:Reference in ds:KeyInfo
-            if (policyToken instanceof X509Token) {
-                if (isRequestor()) {
-                    sig.setCustomTokenValueType(WSConstants.WSS_SAML_NS
-                                          + WSConstants.ENC_KEY_VALUE_TYPE);
-                    sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
-                } else {
-                    //the tok has to be an EncryptedKey token
-                    sig.setEncrKeySha1value(tok.getSHA1());
-                    sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
-                }
-                
-            } else {
+        //Add elements to header
+        addSupportingElement(dkSign.getdktElement());
+        secHeader.getSecurityHeader().appendChild(dkSign.getSignatureElement());
+        
+        signatures.add(dkSign.getSignatureValue());
+    }
+    private void doSymmSignature(Token policyToken, SecurityToken tok,
+                                         Vector<WSEncryptionPart> sigParts, boolean
isTokenProtection)
+        throws WSSecurityException, ConversationException {
+        
+        Document doc = saaj.getSOAPPart();
+        WSSecSignature sig = new WSSecSignature();
+        // If a EncryptedKeyToken is used, set the correct value type to
+        // be used in the wsse:Reference in ds:KeyInfo
+        if (policyToken instanceof X509Token) {
+            if (isRequestor()) {
                 sig.setCustomTokenValueType(WSConstants.WSS_SAML_NS
-                                      + WSConstants.SAML_ASSERTION_ID);
+                                      + WSConstants.ENC_KEY_VALUE_TYPE);
                 sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+            } else {
+                //the tok has to be an EncryptedKey token
+                sig.setEncrKeySha1value(tok.getSHA1());
+                sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
             }
             
-            String sigTokId; 
+        } else {
+            sig.setCustomTokenValueType(WSConstants.WSS_SAML_NS
+                                  + WSConstants.SAML_ASSERTION_ID);
+            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+        }
+        
+        String sigTokId; 
+        
+        if (policyToken instanceof SecureConversationToken) {
+            Element ref = tok.getAttachedReference();
+            if (ref == null) {
+                ref = tok.getUnattachedReference();
+            }
             
-            if (policyToken instanceof SecureConversationToken) {
-                Element ref = tok.getAttachedReference();
-                if (ref == null) {
-                    ref = tok.getUnattachedReference();
-                }
-                
-                if (ref != null) {
-                    sigTokId = MemoryTokenStore.getIdFromSTR(ref);
-                } else {
-                    sigTokId = tok.getId();
-                }
+            if (ref != null) {
+                sigTokId = MemoryTokenStore.getIdFromSTR(ref);
             } else {
                 sigTokId = tok.getId();
             }
-                           
-            //Hack to handle reference id issues
-            //TODO Need a better fix
-            if (sigTokId.startsWith("#")) {
-                sigTokId = sigTokId.substring(1);
-            }
-            
-            sig.setCustomTokenId(sigTokId);
-            sig.setSecretKey(tok.getSecret());
-            sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
-            sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
-            sig.prepare(doc, getSignatureCrypto(null), secHeader);
+        } else {
+            sigTokId = tok.getId();
+        }
+                       
+        //Hack to handle reference id issues
+        //TODO Need a better fix
+        if (sigTokId.startsWith("#")) {
+            sigTokId = sigTokId.substring(1);
+        }
+        
+        sig.setCustomTokenId(sigTokId);
+        sig.setSecretKey(tok.getSecret());
+        sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
+        sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+        sig.prepare(doc, getSignatureCrypto(null), secHeader);
 
-            sig.setParts(sigParts);
-            sig.addReferencesToSign(sigParts, secHeader);
+        sig.setParts(sigParts);
+        sig.addReferencesToSign(sigParts, secHeader);
 
-            //Do signature
-            sig.computeSignature();
+        //Do signature
+        sig.computeSignature();
+        signatures.add(sig.getSignatureValue());
 
-            /*
-            if (rpd.getProtectionOrder().equals(SPConstants.ENCRYPT_BEFORE_SIGNING) &&
-                    this.getInsertionLocation() == null) {
-                this.setInsertionLocation(RampartUtil.insertSiblingBefore(
-                        rmd,
-                        this.mainRefListElement,
-                        sig.getSignatureElement()));                    
-            } else {
-                this.setInsertionLocation(RampartUtil.insertSiblingAfter(
-                        rmd,
-                        this.getInsertionLocation(),
-                        sig.getSignatureElement()));     
-            }
-            */
-        }
+        secHeader.getSecurityHeader().appendChild(sig.getSignatureElement());
     }
-
     protected void assertSupportingTokens(Vector<WSEncryptionPart> sigs) {
         assertSupportingTokens(findAndAssertPolicy(SP12Constants.SIGNED_SUPPORTING_TOKENS));
         assertSupportingTokens(findAndAssertPolicy(SP12Constants.ENDORSING_SUPPORTING_TOKENS));
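Review bot: In the new `doSymmSignature`, the two consecutive calls at L333-L334 leave the first one dead: the asymmetric algorithm is set and immediately overwritten by the symmetric one, so `sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());` should be dropped (or the intended choice made explicit) so a reader does not assume the asymmetric suite is in effect. Both methods also append the Signature, and in the derived case the DerivedKeyToken, unconditionally at the end of the security header (L252-L253 and L363), whereas the Rampart-derived block this commit deletes chose the insertion point from the protection order; the `protectionOrder` field added in the first hunk is never read here, so for EncryptBeforeSigning the placement of the Signature relative to the encryption elements appears to be left to the caller, which is worth confirming since receivers process the header in document order. Minor: `policyToken.isDerivedKeys()` in the condition at L142 is always true once callers dispatch through the new `isDerivedKeys()` check, so it can be dropped from `doSymmSignatureDerived`.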

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=727143&r1=727142&r2=727143&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Tue Dec 16 12:52:43 2008
@@ -70,6 +70,7 @@
                                     SoapMessage message) {
         super(binding, saaj, secHeader, aim, message);
         this.abinding = binding;
+        protectionOrder = binding.getProtectionOrder();
     }
     
     public void handleBinding() {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=727143&r1=727142&r2=727143&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Tue Dec 16 12:52:43 2008
@@ -52,6 +52,7 @@
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.conversation.ConversationConstants;
 import org.apache.ws.security.conversation.ConversationException;
 import org.apache.ws.security.handler.WSHandlerConstants;
 import org.apache.ws.security.handler.WSHandlerResult;
@@ -81,6 +82,7 @@
         super(binding, saaj, secHeader, aim, message);
         this.sbinding = binding;
         tokenStore = getTokenStore();
+        protectionOrder = binding.getProtectionOrder();
     }
     
     private TokenWrapper getSignatureToken() {
@@ -402,7 +404,10 @@
             if (encrToken.isDerivedKeys()) {
                 try {
                     WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();
-                    
+                    if (recToken.getToken().getSPConstants() == SP12Constants.INSTANCE) {
+                        dkEncr.setWscVersion(ConversationConstants.VERSION_05_12);
+                    }
+
                     if (attached && encrTok.getAttachedReference() != null) {
                         dkEncr.setExternalKey(encrTok.getSecret(),
                                               (Element)saaj.getSOAPPart()
@@ -499,6 +504,9 @@
                                SecurityToken tok) throws WSSecurityException {
         Document doc = saaj.getSOAPPart();
         WSSecDKSign dkSign = new WSSecDKSign();
+        if (policyTokenWrapper.getToken().getSPConstants() == SP12Constants.INSTANCE) {
+            dkSign.setWscVersion(ConversationConstants.VERSION_05_12);
+        }
         
         //Check for whether the token is attached in the message or not
         boolean attached = false;

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=727143&r1=727142&r2=727143&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Tue Dec 16 12:52:43 2008
@@ -164,7 +164,8 @@
                                 signatureValues.add(doIssuedTokenSignature(token, null, 
                                                                            sgndSuppTokens));
                             } else if (token instanceof X509Token) {
-                                signatureValues.add(doX509TokenSignature(token, null, 
+                                signatureValues.add(doX509TokenSignature(token, 
+                                                                         sgndSuppTokens.getSignedParts(),

                                                                          sgndSuppTokens));
                             } else if (token instanceof SecureConversationToken) {
                                 signatureValues.add(doSecureConversationSignature(token,
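Review bot: The X509 branch at L444-L445 now passes `sgndSuppTokens.getSignedParts()` as the parts argument, but the IssuedToken branch on L440 still passes `null`, and the SecureConversation branch at L449 is cut off by the hunk; if signed supporting tokens are expected to cover the same signed parts regardless of token type, the other branches sign without them. Either align them or add a comment on L440 explaining why the issued-token signature deliberately omits the signed parts. The enclosing method begins and ends outside this hunk.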


