You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2013/10/09 15:28:15 UTC
svn commit: r1530597 - in /webservices/wss4j/trunk/ws-security-stax/src:
main/java/org/apache/wss4j/stax/ main/java/org/apache/wss4j/stax/ext/
main/java/org/apache/wss4j/stax/impl/processor/output/
test/java/org/apache/wss4j/stax/test/
Author: coheigea
Date: Wed Oct 9 13:28:15 2013
New Revision: 1530597
URL: http://svn.apache.org/r1530597
Log:
First refactor of how security tokens are referenced + set up for the streaming layer
Removed:
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java
Modified:
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/DerivedKeyTokenTest.java
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java Wed Oct 9 13:28:15 2013
@@ -484,24 +484,48 @@ public final class ConfigurationConverte
String sigC14nAlgo = getString(ConfigurationConstants.SIG_C14N_ALGO, config);
properties.setSignatureCanonicalizationAlgorithm(sigC14nAlgo);
- String sigParts = getString(ConfigurationConstants.SIGNATURE_PARTS, config);
+ Object sigParts = config.get(ConfigurationConstants.SIGNATURE_PARTS);
if (sigParts != null) {
- List<SecurePart> parts = new ArrayList<SecurePart>();
- splitEncParts(sigParts, parts, WSSConstants.NS_SOAP11);
- for (SecurePart part : parts) {
- part.setDigestMethod(sigDigestAlgo);
- properties.addSignaturePart(part);
+ if (sigParts instanceof String) {
+ List<SecurePart> parts = new ArrayList<SecurePart>();
+ splitEncParts((String)sigParts, parts, WSSConstants.NS_SOAP11);
+ for (SecurePart part : parts) {
+ part.setDigestMethod(sigDigestAlgo);
+ properties.addSignaturePart(part);
+ }
+ } else if (sigParts instanceof List<?>) {
+ List<?> sigPartsList = (List<?>)sigParts;
+ for (Object obj : sigPartsList) {
+ if (obj instanceof SecurePart) {
+ SecurePart securePart = (SecurePart)obj;
+ System.out.println("ADDING SIG PART: " + securePart.getName());
+ securePart.setDigestMethod(sigDigestAlgo);
+ properties.addSignaturePart(securePart);
+ }
+ }
}
}
- sigParts = getString(ConfigurationConstants.OPTIONAL_SIGNATURE_PARTS, config);
+ sigParts = config.get(ConfigurationConstants.OPTIONAL_SIGNATURE_PARTS);
if (sigParts != null) {
- List<SecurePart> parts = new ArrayList<SecurePart>();
- splitEncParts(sigParts, parts, WSSConstants.NS_SOAP11);
- for (SecurePart part : parts) {
- part.setRequired(false);
- part.setDigestMethod(sigDigestAlgo);
- properties.addSignaturePart(part);
+ if (sigParts instanceof String) {
+ List<SecurePart> parts = new ArrayList<SecurePart>();
+ splitEncParts((String)sigParts, parts, WSSConstants.NS_SOAP11);
+ for (SecurePart part : parts) {
+ part.setRequired(false);
+ part.setDigestMethod(sigDigestAlgo);
+ properties.addSignaturePart(part);
+ }
+ } else if (sigParts instanceof List<?>) {
+ List<?> sigPartsList = (List<?>)sigParts;
+ for (Object obj : sigPartsList) {
+ if (obj instanceof SecurePart) {
+ SecurePart securePart = (SecurePart)obj;
+ securePart.setDigestMethod(sigDigestAlgo);
+ securePart.setRequired(false);
+ properties.addSignaturePart(securePart);
+ }
+ }
}
}
@@ -518,22 +542,43 @@ public final class ConfigurationConverte
properties.setEncryptionKeyIdentifier(convEncKeyIdentifier);
}
- String encParts = getString(ConfigurationConstants.ENCRYPTION_PARTS, config);
+ Object encParts = config.get(ConfigurationConstants.ENCRYPTION_PARTS);
if (encParts != null) {
- List<SecurePart> parts = new ArrayList<SecurePart>();
- splitEncParts(encParts, parts, WSSConstants.NS_SOAP11);
- for (SecurePart part : parts) {
- properties.addEncryptionPart(part);
+ if (encParts instanceof String) {
+ List<SecurePart> parts = new ArrayList<SecurePart>();
+ splitEncParts((String)encParts, parts, WSSConstants.NS_SOAP11);
+ for (SecurePart part : parts) {
+ properties.addEncryptionPart(part);
+ }
+ } else if (encParts instanceof List<?>) {
+ List<?> encPartsList = (List<?>)encParts;
+ for (Object obj : encPartsList) {
+ if (obj instanceof SecurePart) {
+ SecurePart securePart = (SecurePart)obj;
+ properties.addEncryptionPart(securePart);
+ }
+ }
}
}
- encParts = getString(ConfigurationConstants.OPTIONAL_ENCRYPTION_PARTS, config);
+ encParts = config.get(ConfigurationConstants.OPTIONAL_ENCRYPTION_PARTS);
if (encParts != null) {
- List<SecurePart> parts = new ArrayList<SecurePart>();
- splitEncParts(encParts, parts, WSSConstants.NS_SOAP11);
- for (SecurePart part : parts) {
- part.setRequired(false);
- properties.addEncryptionPart(part);
+ if (encParts instanceof String) {
+ List<SecurePart> parts = new ArrayList<SecurePart>();
+ splitEncParts((String)encParts, parts, WSSConstants.NS_SOAP11);
+ for (SecurePart part : parts) {
+ part.setRequired(false);
+ properties.addEncryptionPart(part);
+ }
+ } else if (encParts instanceof List<?>) {
+ List<?> encPartsList = (List<?>)encParts;
+ for (Object obj : encPartsList) {
+ if (obj instanceof SecurePart) {
+ SecurePart securePart = (SecurePart)obj;
+ securePart.setRequired(false);
+ properties.addEncryptionPart(securePart);
+ }
+ }
}
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java Wed Oct 9 13:28:15 2013
@@ -18,22 +18,41 @@
*/
package org.apache.wss4j.stax.ext;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.stax.impl.processor.output.*;
+import org.apache.wss4j.stax.impl.securityToken.KerberosClientSecurityToken;
+import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
import org.apache.xml.security.stax.ext.OutboundSecurityContext;
import org.apache.xml.security.stax.ext.OutputProcessor;
+import org.apache.xml.security.stax.ext.SecurityContext;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.impl.DocumentContextImpl;
import org.apache.xml.security.stax.impl.OutboundSecurityContextImpl;
import org.apache.xml.security.stax.impl.OutputProcessorChainImpl;
import org.apache.xml.security.stax.impl.XMLSecurityStreamWriter;
import org.apache.xml.security.stax.impl.processor.output.FinalOutputProcessor;
+import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
+import org.apache.xml.security.stax.impl.util.IDGenerator;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
+import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
+import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
+import org.apache.xml.security.stax.securityToken.SecurityToken;
+import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
+import javax.crypto.KeyGenerator;
+import javax.crypto.spec.SecretKeySpec;
import javax.xml.stream.XMLStreamWriter;
+
import java.io.OutputStream;
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
import java.util.List;
/**
@@ -137,6 +156,30 @@ public class OutboundWSSec {
initializeOutputProcessor(outputProcessorChain, securityHeaderOutputProcessor, null);
//todo some combinations are not possible atm: eg Action.SIGNATURE and Action.USERNAMETOKEN_SIGNED
//todo they use the same signature parts
+ boolean signatureAction = false;
+ boolean encryptionAction = false;
+ boolean signedSAML = false;
+ boolean kerberos = false;
+ boolean signatureKerberos = false;
+ boolean encryptionKerberos = false;
+ boolean derivedSignature = false;
+ boolean derivedEncryption = false;
+
+ // Check to see whether we have a derived key signature, but not encryption, using
+ // an encrypted key reference (as we only want one encrypted key here...)
+ boolean derivedSignatureButNotDerivedEncryption = false;
+ if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
+ for (int i = 0; i < securityProperties.getOutAction().length; i++) {
+ XMLSecurityConstants.Action action = securityProperties.getOutAction()[i];
+ if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
+ derivedSignatureButNotDerivedEncryption = true;
+ } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
+ derivedSignatureButNotDerivedEncryption = false;
+ break;
+ }
+ }
+ }
+
for (int i = 0; i < securityProperties.getOutAction().length; i++) {
XMLSecurityConstants.Action action = securityProperties.getOutAction()[i];
if (WSSConstants.TIMESTAMP.equals(action)) {
@@ -144,14 +187,16 @@ public class OutboundWSSec {
initializeOutputProcessor(outputProcessorChain, timestampOutputProcessor, action);
} else if (WSSConstants.SIGNATURE.equals(action)) {
+ signatureAction = true;
final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
- new BinarySecurityTokenOutputProcessor();
+ new BinarySecurityTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
} else if (WSSConstants.ENCRYPT.equals(action)) {
+ encryptionAction = true;
if (securityProperties.isEncryptSymmetricEncrytionKey()) {
final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
new BinarySecurityTokenOutputProcessor();
@@ -181,20 +226,24 @@ public class OutboundWSSec {
initializeOutputProcessor(outputProcessorChain, signatureConfirmationOutputProcessor, action);
} else if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
- final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
- new BinarySecurityTokenOutputProcessor();
- initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
-
if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
- final EncryptedKeyOutputProcessor encryptedKeyOutputProcessor = new EncryptedKeyOutputProcessor();
- initializeOutputProcessor(outputProcessorChain, encryptedKeyOutputProcessor, action);
-
+ if (derivedSignatureButNotDerivedEncryption) {
+ final EncryptedKeyOutputProcessor encryptedKeyOutputProcessor = new EncryptedKeyOutputProcessor();
+ initializeOutputProcessor(outputProcessorChain, encryptedKeyOutputProcessor, action);
+ }
+ encryptionAction = true;
+ derivedEncryption = true;
} else if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.SecurityContextToken) {
final SecurityContextTokenOutputProcessor securityContextTokenOutputProcessor =
new SecurityContextTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, securityContextTokenOutputProcessor, action);
-
+ signatureAction = true;
+ derivedSignature = true;
+ } else {
+ signatureAction = true;
+ derivedSignature = true;
}
+
final DerivedKeyTokenOutputProcessor derivedKeyTokenOutputProcessor = new DerivedKeyTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, derivedKeyTokenOutputProcessor, action);
@@ -202,9 +251,8 @@ public class OutboundWSSec {
initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
} else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
- final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
- new BinarySecurityTokenOutputProcessor();
- initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
+ encryptionAction = true;
+ derivedEncryption = true;
if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
final EncryptedKeyOutputProcessor encryptedKeyOutputProcessor = new EncryptedKeyOutputProcessor();
@@ -223,6 +271,8 @@ public class OutboundWSSec {
initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
} else if (WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
+ signatureAction = true;
+ signedSAML = true;
final SAMLTokenOutputProcessor samlTokenOutputProcessor = new SAMLTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, samlTokenOutputProcessor, action);
@@ -233,26 +283,53 @@ public class OutboundWSSec {
final SAMLTokenOutputProcessor samlTokenOutputProcessor = new SAMLTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, samlTokenOutputProcessor, action);
} else if (WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(action)) {
- final KerberosSecurityTokenOutputProcessor kerberosTokenOutputProcessor =
- new KerberosSecurityTokenOutputProcessor();
+ kerberos = true;
+ signatureKerberos = true;
+ final BinarySecurityTokenOutputProcessor kerberosTokenOutputProcessor =
+ new BinarySecurityTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
} else if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(action)) {
- final KerberosSecurityTokenOutputProcessor kerberosTokenOutputProcessor =
- new KerberosSecurityTokenOutputProcessor();
+ kerberos = true;
+ encryptionKerberos = true;
+ final BinarySecurityTokenOutputProcessor kerberosTokenOutputProcessor =
+ new BinarySecurityTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
final EncryptOutputProcessor encryptOutputProcessor = new EncryptOutputProcessor();
initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
} else if (WSSConstants.KERBEROS_TOKEN.equals(action)) {
- final KerberosSecurityTokenOutputProcessor kerberosTokenOutputProcessor =
- new KerberosSecurityTokenOutputProcessor();
+ kerberos = true;
+ final BinarySecurityTokenOutputProcessor kerberosTokenOutputProcessor =
+ new BinarySecurityTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
}
}
+ // Set up appropriate keys
+ if (signatureAction) {
+ setupSignatureKey(outputProcessorChain, securityProperties, signedSAML);
+ }
+ if (encryptionAction) {
+ setupEncryptionKey(outputProcessorChain, securityProperties);
+ }
+ if (kerberos) {
+ setupKerberosKey(outputProcessorChain, securityProperties,
+ signatureKerberos, encryptionKerberos);
+ }
+ if (derivedSignature) {
+ String id =
+ outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
+ setDerivedIdentifier(outputProcessorChain, id);
+ }
+ if (derivedEncryption) {
+ String id =
+ outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY);
+ setDerivedIdentifier(outputProcessorChain, id);
+ }
+
final SecurityHeaderReorderProcessor securityHeaderReorderProcessor = new SecurityHeaderReorderProcessor();
initializeOutputProcessor(outputProcessorChain, securityHeaderReorderProcessor, null);
@@ -280,4 +357,300 @@ public class OutboundWSSec {
outputProcessor.setAction(action);
outputProcessor.init(outputProcessorChain);
}
+
+ private void setupSignatureKey(
+ OutputProcessorChainImpl outputProcessorChain,
+ WSSSecurityProperties securityProperties,
+ boolean signedSAML
+ ) throws XMLSecurityException {
+ final String signatureAlgorithm = securityProperties.getSignatureAlgorithm();
+
+ GenericOutboundSecurityToken securityToken =
+ getOutboundSecurityToken(outputProcessorChain, WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
+ // First off, see if we have a supplied token with the correct keys for
+ // (a)symmetric signature
+ if (securityToken != null && signatureAlgorithm != null) {
+ if (signatureAlgorithm.contains("hmac-sha")
+ && securityToken.getSecretKey(signatureAlgorithm) != null) {
+ return;
+ } else if (!signatureAlgorithm.contains("hmac-sha")
+ && (securityToken.getPublicKey() != null
+ || securityToken.getX509Certificates() != null)) {
+ return;
+ }
+ }
+
+ // We have no supplied key. So use the PasswordCallback to get a secret key or password
+ String alias = securityProperties.getSignatureUser();
+ WSPasswordCallback pwCb = new WSPasswordCallback(alias, WSPasswordCallback.Usage.SIGNATURE);
+ WSSUtils.doPasswordCallback(securityProperties.getCallbackHandler(), pwCb);
+
+ String password = pwCb.getPassword();
+ byte[] secretKey = pwCb.getKey();
+ Key key = null;
+ X509Certificate[] x509Certificates = null;
+ try {
+ if (password != null && securityProperties.getSignatureCrypto() != null) {
+ key = securityProperties.getSignatureCrypto().getPrivateKey(alias, password);
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias(alias);
+ x509Certificates = securityProperties.getSignatureCrypto().getX509Certificates(cryptoType);
+ if (x509Certificates == null || x509Certificates.length == 0) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noUserCertsFound", alias);
+ }
+ } else if (secretKey != null) {
+ x509Certificates = null;
+ String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(signatureAlgorithm);
+ key = new SecretKeySpec(secretKey, algoFamily);
+ } else {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noPassword", alias);
+ }
+ } catch (WSSecurityException ex) {
+ if (signedSAML && securityProperties.getSamlCallbackHandler() != null) {
+ // We may get the keys we require from the SAML CallbackHandler...
+ return;
+ }
+ throw ex;
+ }
+
+ // Create a new outbound Signature token for the generated key / cert
+ final String id = IDGenerator.generateID(null);
+ final GenericOutboundSecurityToken binarySecurityToken =
+ new GenericOutboundSecurityToken(id, WSSecurityTokenConstants.X509V3Token, key, x509Certificates);
+
+ // binarySecurityToken.setSha1Identifier(reference);
+ final SecurityTokenProvider<OutboundSecurityToken> binarySecurityTokenProvider =
+ new SecurityTokenProvider<OutboundSecurityToken>() {
+
+ @Override
+ public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
+ return binarySecurityToken;
+ }
+
+ @Override
+ public String getId() {
+ return id;
+ }
+ };
+
+ outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(id, binarySecurityTokenProvider);
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, id);
+ }
+
+ private void setupEncryptionKey(
+ OutputProcessorChainImpl outputProcessorChain,
+ WSSSecurityProperties securityProperties
+ ) throws XMLSecurityException {
+ final String symmetricEncryptionAlgorithm = securityProperties.getEncryptionSymAlgorithm();
+
+ // First check to see if a Symmetric key is available
+ GenericOutboundSecurityToken securityToken =
+ getOutboundSecurityToken(outputProcessorChain, WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
+ if (securityToken == null || securityToken.getSecretKey(symmetricEncryptionAlgorithm) == null) {
+ //prepare the symmetric session key for all encryption parts
+ String keyAlgorithm = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(securityProperties.getEncryptionSymAlgorithm());
+ KeyGenerator keyGen;
+ try {
+ keyGen = KeyGenerator.getInstance(keyAlgorithm);
+ } catch (NoSuchAlgorithmException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+ }
+ //the sun JCE provider expects the real key size for 3DES (112 or 168 bit)
+ //whereas bouncy castle expects the block size of 128 or 192 bits
+ if (keyAlgorithm.contains("AES")) {
+ int keyLength = JCEAlgorithmMapper.getKeyLengthFromURI(securityProperties.getEncryptionSymAlgorithm());
+ keyGen.init(keyLength);
+ }
+
+ final Key symmetricKey = keyGen.generateKey();
+ final String symmId = IDGenerator.generateID(null);
+
+ final GenericOutboundSecurityToken symmetricSecurityToken =
+ new GenericOutboundSecurityToken(symmId, WSSecurityTokenConstants.EncryptedKeyToken, symmetricKey);
+ securityToken = symmetricSecurityToken;
+ final SecurityTokenProvider<OutboundSecurityToken> securityTokenProvider =
+ new SecurityTokenProvider<OutboundSecurityToken>() {
+
+ @Override
+ public OutboundSecurityToken getSecurityToken() throws XMLSecurityException {
+ return symmetricSecurityToken;
+ }
+
+ @Override
+ public String getId() {
+ return symmId;
+ }
+ };
+
+ outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(symmId, securityTokenProvider);
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, symmId);
+ }
+
+ if (!securityProperties.isEncryptSymmetricEncrytionKey()) {
+ // No EncryptedKey Token required here, so return
+ return;
+ }
+
+ // Set up a security token with the certs required to encrypt the symmetric key
+ X509Certificate[] x509Certificates = null;
+ X509Certificate x509Certificate = getReqSigCert(outputProcessorChain.getSecurityContext());
+ if (securityProperties.isUseReqSigCertForEncryption()) {
+ if (x509Certificate == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noCert");
+ }
+ x509Certificates = new X509Certificate[1];
+ x509Certificates[0] = x509Certificate;
+ } else if (securityProperties.getEncryptionUseThisCertificate() != null) {
+ x509Certificate = securityProperties.getEncryptionUseThisCertificate();
+ x509Certificates = new X509Certificate[1];
+ x509Certificates[0] = x509Certificate;
+ } else {
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias(securityProperties.getEncryptionUser());
+ Crypto crypto = securityProperties.getEncryptionCrypto();
+ x509Certificates = crypto.getX509Certificates(cryptoType);
+ if (x509Certificates == null || x509Certificates.length == 0) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noUserCertsFound",
+ securityProperties.getEncryptionUser());
+ }
+ }
+
+ // Check for Revocation
+ if (securityProperties.isEnableRevocation()) {
+ Crypto crypto = securityProperties.getEncryptionCrypto();
+ crypto.verifyTrust(x509Certificates, true);
+ }
+
+ // Create a new outbound EncryptedKey token for the cert
+ final String id = IDGenerator.generateID(null);
+ final GenericOutboundSecurityToken encryptedKeyToken =
+ new GenericOutboundSecurityToken(id, WSSecurityTokenConstants.X509V3Token, null, x509Certificates);
+
+ encryptedKeyToken.addWrappedToken(securityToken);
+ securityToken.setKeyWrappingToken(encryptedKeyToken);
+
+ // binarySecurityToken.setSha1Identifier(reference);
+ final SecurityTokenProvider<OutboundSecurityToken> encryptedKeyTokenProvider =
+ new SecurityTokenProvider<OutboundSecurityToken>() {
+
+ @Override
+ public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
+ return encryptedKeyToken;
+ }
+
+ @Override
+ public String getId() {
+ return id;
+ }
+ };
+
+ outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(id, encryptedKeyTokenProvider);
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, id);
+ }
+
+ private void setupKerberosKey(
+ OutputProcessorChainImpl outputProcessorChain,
+ WSSSecurityProperties securityProperties,
+ boolean signature,
+ boolean encryption
+ ) throws XMLSecurityException {
+ GenericOutboundSecurityToken securityToken =
+ getOutboundSecurityToken(outputProcessorChain, WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS);
+ String kerberosId = null;
+ // First off, see if we have a supplied token
+ if (securityToken == null) {
+ // If not then generate a new key
+ final String id = IDGenerator.generateID(null);
+ kerberosId = id;
+ final KerberosClientSecurityToken kerberosClientSecurityToken =
+ new KerberosClientSecurityToken(
+ securityProperties.getCallbackHandler(), id
+ );
+
+ final SecurityTokenProvider<OutboundSecurityToken> kerberosSecurityTokenProvider =
+ new SecurityTokenProvider<OutboundSecurityToken>() {
+
+ @Override
+ public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
+ return kerberosClientSecurityToken;
+ }
+
+ @Override
+ public String getId() {
+ return id;
+ }
+ };
+
+ outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(id, kerberosSecurityTokenProvider);
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS, id);
+ } else {
+ kerberosId = securityToken.getId();
+ }
+
+ if (signature) {
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, kerberosId);
+ }
+ if (encryption) {
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, kerberosId);
+ }
+
+ }
+
+ // Return an outbound SecurityToken object for a given id (encryption/signature)
+ private GenericOutboundSecurityToken getOutboundSecurityToken(
+ OutputProcessorChainImpl outputProcessorChain, String id
+ ) throws XMLSecurityException {
+ String tokenId =
+ outputProcessorChain.getSecurityContext().get(id);
+ SecurityTokenProvider<OutboundSecurityToken> signatureTokenProvider = null;
+ if (tokenId != null) {
+ signatureTokenProvider =
+ outputProcessorChain.getSecurityContext().getSecurityTokenProvider(tokenId);
+ if (signatureTokenProvider != null) {
+ return (GenericOutboundSecurityToken)signatureTokenProvider.getSecurityToken();
+ }
+ }
+
+ return null;
+ }
+
+ private X509Certificate getReqSigCert(SecurityContext securityContext) throws XMLSecurityException {
+ List<SecurityEvent> securityEventList = securityContext.getAsList(SecurityEvent.class);
+ if (securityEventList != null) {
+ for (int i = 0; i < securityEventList.size(); i++) {
+ SecurityEvent securityEvent = securityEventList.get(i);
+ if (securityEvent instanceof TokenSecurityEvent) {
+ @SuppressWarnings("unchecked")
+ TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent
+ = (TokenSecurityEvent<? extends SecurityToken>) securityEvent;
+ if (!tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_MainSignature)) {
+ continue;
+ }
+ X509Certificate[] x509Certificates = tokenSecurityEvent.getSecurityToken().getX509Certificates();
+ if (x509Certificates != null && x509Certificates.length > 0) {
+ return x509Certificates[0];
+ }
+ }
+ }
+ }
+ return null;
+ }
+
+ private void setDerivedIdentifier(OutputProcessorChainImpl outputProcessorChain, String id) {
+ WSSConstants.DerivedKeyTokenReference derivedKeyTokenReference = securityProperties.getDerivedKeyTokenReference();
+ switch (derivedKeyTokenReference) {
+
+ case DirectReference:
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, id);
+ break;
+ case EncryptedKey:
+ String symmId = outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, symmId);
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, id);
+ break;
+ case SecurityContextToken:
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN, id);
+ break;
+ }
+ }
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java Wed Oct 9 13:28:15 2013
@@ -266,7 +266,7 @@ public class WSSConstants extends XMLSec
public static final String NS_WSS_ENC_KEY_VALUE_TYPE = NS11_SOAPMESSAGE_SECURITY + "#EncryptedKey";
- public static final String PROP_USE_THIS_TOKEN_ID_FOR_BST = "PROP_USE_THIS_TOKEN_ID_FOR_BST";
+ public static final String PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS = "PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS";
public static final String PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY = "PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY";
public static final String PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN = "PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN";
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java Wed Oct 9 13:28:15 2013
@@ -18,244 +18,106 @@
*/
package org.apache.wss4j.stax.impl.processor.output;
-import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.crypto.CryptoType;
-import org.apache.wss4j.common.ext.WSPasswordCallback;
-import org.apache.wss4j.common.ext.WSSecurityException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamException;
+
+import org.apache.commons.codec.binary.Base64;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.ext.WSSUtils;
+import org.apache.wss4j.stax.impl.securityToken.KerberosClientSecurityToken;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
-import org.apache.xml.security.stax.ext.*;
+import org.apache.xml.security.stax.ext.AbstractOutputProcessor;
+import org.apache.xml.security.stax.ext.OutputProcessorChain;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
-import org.apache.xml.security.stax.impl.util.IDGenerator;
-import org.apache.xml.security.stax.securityEvent.SecurityEvent;
-import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
-import org.apache.xml.security.stax.securityToken.SecurityToken;
-import org.apache.xml.security.stax.securityToken.SecurityTokenConstants.TokenType;
import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
-import javax.crypto.spec.SecretKeySpec;
-import javax.xml.stream.XMLStreamException;
-
-import java.security.Key;
-import java.security.cert.X509Certificate;
-import java.util.List;
-
public class BinarySecurityTokenOutputProcessor extends AbstractOutputProcessor {
public BinarySecurityTokenOutputProcessor() throws XMLSecurityException {
super();
+ addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
}
@Override
public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
try {
- final String bstId;
- final X509Certificate[] x509Certificates;
GenericOutboundSecurityToken securityToken = null;
- Key key = null;
- String reference = null;
- TokenType tokenType = WSSecurityTokenConstants.X509V3Token;
XMLSecurityConstants.Action action = getAction();
+ String tokenId = null;
if (WSSConstants.SIGNATURE.equals(action)
- || WSSConstants.SAML_TOKEN_SIGNED.equals(action)
- || WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
- // See if a Symmetric Key is already available
- String tokenId =
- outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
- SecurityTokenProvider<OutboundSecurityToken> signatureTokenProvider = null;
- if (tokenId != null) {
- signatureTokenProvider =
- outputProcessorChain.getSecurityContext().getSecurityTokenProvider(tokenId);
- if (signatureTokenProvider != null) {
- securityToken =
- (GenericOutboundSecurityToken)signatureTokenProvider.getSecurityToken();
- if (securityToken != null) {
- key = securityToken.getSecretKey(getSecurityProperties().getSignatureAlgorithm());
- reference = securityToken.getSha1Identifier();
- tokenType = securityToken.getTokenType();
- }
- }
- }
-
- if (key == null) {
- bstId = IDGenerator.generateID(null);
- String alias = ((WSSSecurityProperties) getSecurityProperties()).getSignatureUser();
- WSPasswordCallback pwCb = new WSPasswordCallback(alias, WSPasswordCallback.Usage.SIGNATURE);
- WSSUtils.doPasswordCallback(((WSSSecurityProperties)getSecurityProperties()).getCallbackHandler(), pwCb);
- String password = pwCb.getPassword();
- byte[] secretKey = pwCb.getKey();
- if (password == null && secretKey == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noPassword", alias);
- }
- if (password != null) {
- key = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().getPrivateKey(alias, password);
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
- cryptoType.setAlias(alias);
- x509Certificates = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().getX509Certificates(cryptoType);
- if (x509Certificates == null || x509Certificates.length == 0) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noUserCertsFound", alias);
- }
- } else {
- x509Certificates = null;
- String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(getSecurityProperties().getSignatureAlgorithm());
- key = new SecretKeySpec(secretKey, algoFamily);
- }
- tokenType = null;
- } else {
- bstId = tokenId;
- x509Certificates = null;
- }
- } else if (WSSConstants.ENCRYPT.equals(action) ||
- WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
- X509Certificate x509Certificate = getReqSigCert(outputProcessorChain.getSecurityContext());
- if (((WSSSecurityProperties) getSecurityProperties()).isUseReqSigCertForEncryption()) {
- if (x509Certificate == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noCert");
- }
- x509Certificates = new X509Certificate[1];
- x509Certificates[0] = x509Certificate;
- } else if (getSecurityProperties().getEncryptionUseThisCertificate() != null) {
- x509Certificate = getSecurityProperties().getEncryptionUseThisCertificate();
- x509Certificates = new X509Certificate[1];
- x509Certificates[0] = x509Certificate;
- } else {
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
- WSSSecurityProperties securityProperties = ((WSSSecurityProperties) getSecurityProperties());
- cryptoType.setAlias(securityProperties.getEncryptionUser());
- Crypto crypto = securityProperties.getEncryptionCrypto();
- x509Certificates = crypto.getX509Certificates(cryptoType);
- if (x509Certificates == null || x509Certificates.length == 0) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noUserCertsFound",
- ((WSSSecurityProperties) getSecurityProperties()).getEncryptionUser());
- }
- }
-
- // Check for Revocation
- WSSSecurityProperties securityProperties = ((WSSSecurityProperties) getSecurityProperties());
- if (securityProperties.isEnableRevocation()) {
- Crypto crypto = securityProperties.getEncryptionCrypto();
- crypto.verifyTrust(x509Certificates, true);
- }
-
- key = null;
- bstId = IDGenerator.generateID(null);
- } else {
- bstId = IDGenerator.generateID(null);
- x509Certificates = null;
- key = null;
+ || WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
+ tokenId = outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
+ } else if (WSSConstants.ENCRYPT.equals(action)) {
+ tokenId = outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY);
+ } else if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())
+ || WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(getAction())
+ || WSSConstants.KERBEROS_TOKEN.equals(getAction())) {
+ tokenId = outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS);
}
-
- final String signatureAlgorithm = getSecurityProperties().getSignatureAlgorithm();
- final GenericOutboundSecurityToken secToken = securityToken;
- final GenericOutboundSecurityToken binarySecurityToken =
- new GenericOutboundSecurityToken(bstId, tokenType, key, x509Certificates) {
-
- @Override
- public Key getSecretKey(String algorithmURI) throws XMLSecurityException {
- if (secToken == null || signatureAlgorithm.equals(algorithmURI)) {
- return super.getSecretKey(algorithmURI);
- }
-
- return secToken.getSecretKey(algorithmURI);
- }
- };
- binarySecurityToken.setSha1Identifier(reference);
- final SecurityTokenProvider<OutboundSecurityToken> binarySecurityTokenProvider =
- new SecurityTokenProvider<OutboundSecurityToken>() {
-
- @Override
- public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
- return binarySecurityToken;
+
+ SecurityTokenProvider<OutboundSecurityToken> tokenProvider = null;
+ if (tokenId != null) {
+ tokenProvider =
+ outputProcessorChain.getSecurityContext().getSecurityTokenProvider(tokenId);
+ if (tokenProvider != null) {
+ securityToken = (GenericOutboundSecurityToken)tokenProvider.getSecurityToken();
}
+ }
- @Override
- public String getId() {
- return bstId;
- }
- };
-
- if (WSSConstants.SIGNATURE.equals(action)
- || WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
- outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, bstId);
- boolean includeSignatureToken =
- ((WSSSecurityProperties) getSecurityProperties()).isIncludeSignatureToken();
- if ((includeSignatureToken
- || WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(getSecurityProperties().getSignatureKeyIdentifier()))
- && !WSSecurityTokenConstants.KerberosToken.equals(tokenType)
- && !WSSecurityTokenConstants.Saml11Token.equals(tokenType)
- && !WSSecurityTokenConstants.Saml20Token.equals(tokenType)) {
- FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(binarySecurityToken);
+ if (securityToken != null) {
+ if (WSSConstants.SIGNATURE.equals(action) || WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
+ boolean includeSignatureToken =
+ ((WSSSecurityProperties) getSecurityProperties()).isIncludeSignatureToken();
+ if ((includeSignatureToken
+ || WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(getSecurityProperties().getSignatureKeyIdentifier()))
+ && (securityToken.getTokenType() == null
+ || WSSecurityTokenConstants.X509V3Token.equals(securityToken.getTokenType()))) {
+ FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(securityToken);
+ finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
+ finalBinarySecurityTokenOutputProcessor.setAction(getAction());
+ finalBinarySecurityTokenOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
+ finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
+ securityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
+ }
+ } else if (WSSConstants.ENCRYPT.equals(action)
+ && (securityToken.getTokenType() == null
+ || WSSecurityTokenConstants.X509V3Token.equals(securityToken.getTokenType()))) {
+ if (WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(((WSSSecurityProperties) getSecurityProperties()).getEncryptionKeyIdentifier())) {
+ FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(securityToken);
+ finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
+ finalBinarySecurityTokenOutputProcessor.setAction(getAction());
+ finalBinarySecurityTokenOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
+ finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
+ securityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
+ }
+ } else if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())
+ || WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(getAction())
+ || WSSConstants.KERBEROS_TOKEN.equals(getAction())) {
+ FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(securityToken);
finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
finalBinarySecurityTokenOutputProcessor.setAction(getAction());
finalBinarySecurityTokenOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
- finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
- binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
- }
- } else if (WSSConstants.ENCRYPT.equals(action)) {
- outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, bstId);
- if (WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(((WSSSecurityProperties) getSecurityProperties()).getEncryptionKeyIdentifier())) {
- FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(binarySecurityToken);
- finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
- finalBinarySecurityTokenOutputProcessor.setAction(getAction());
finalBinarySecurityTokenOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
- binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
- }
- } else if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)
- || WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
-
- WSSConstants.DerivedKeyTokenReference derivedKeyTokenReference = ((WSSSecurityProperties) getSecurityProperties()).getDerivedKeyTokenReference();
- switch (derivedKeyTokenReference) {
-
- case DirectReference:
- outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, bstId);
- break;
- case EncryptedKey:
- outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, bstId);
- break;
- case SecurityContextToken:
- outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN, bstId);
- break;
+ securityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
}
}
-
- outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(bstId, binarySecurityTokenProvider);
-
} finally {
outputProcessorChain.removeProcessor(this);
}
outputProcessorChain.processEvent(xmlSecEvent);
}
- private X509Certificate getReqSigCert(SecurityContext securityContext) throws XMLSecurityException {
- List<SecurityEvent> securityEventList = securityContext.getAsList(SecurityEvent.class);
- if (securityEventList != null) {
- for (int i = 0; i < securityEventList.size(); i++) {
- SecurityEvent securityEvent = securityEventList.get(i);
- if (securityEvent instanceof TokenSecurityEvent) {
- @SuppressWarnings("unchecked")
- TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent
- = (TokenSecurityEvent<? extends SecurityToken>) securityEvent;
- if (!tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_MainSignature)) {
- continue;
- }
- X509Certificate[] x509Certificates = tokenSecurityEvent.getSecurityToken().getX509Certificates();
- if (x509Certificates != null && x509Certificates.length > 0) {
- return x509Certificates[0];
- }
- }
- }
- }
- return null;
- }
-
class FinalBinarySecurityTokenOutputProcessor extends AbstractOutputProcessor {
private final OutboundSecurityToken securityToken;
@@ -274,15 +136,35 @@ public class BinarySecurityTokenOutputPr
if (WSSUtils.isSecurityHeaderElement(xmlSecEvent, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+ final QName headerElementName = WSSConstants.TAG_wsse_BinarySecurityToken;
WSSUtils.updateSecurityHeaderOrder(
- outputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken, getAction(), false);
+ outputProcessorChain, headerElementName, getAction(), false);
OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
- boolean useSingleCertificate = getSecurityProperties().isUseSingleCert();
- WSSUtils.createBinarySecurityTokenStructure(
- this, subOutputProcessorChain, securityToken.getId(),
- securityToken.getX509Certificates(), useSingleCertificate);
+ if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())
+ || WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(getAction())
+ || WSSConstants.KERBEROS_TOKEN.equals(getAction())) {
+ List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(3);
+ attributes.add(createAttribute(WSSConstants.ATT_NULL_EncodingType, WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING));
+ attributes.add(createAttribute(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_GSS_Kerberos5_AP_REQ));
+ attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, securityToken.getId()));
+ createStartElementAndOutputAsEvent(subOutputProcessorChain, headerElementName, false, attributes);
+ createCharactersAndOutputAsEvent(subOutputProcessorChain,
+ new Base64(76, new byte[]{'\n'}).encodeToString(
+ ((KerberosClientSecurityToken)securityToken).getTicket())
+ );
+ createEndElementAndOutputAsEvent(subOutputProcessorChain, headerElementName);
+ if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())) {
+ WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, WSSConstants.TAG_xenc_ReferenceList, getAction(), false);
+ WSSUtils.createReferenceListStructureForEncryption(this, subOutputProcessorChain);
+ }
+ } else {
+ boolean useSingleCertificate = getSecurityProperties().isUseSingleCert();
+ WSSUtils.createBinarySecurityTokenStructure(
+ this, subOutputProcessorChain, securityToken.getId(),
+ securityToken.getX509Certificates(), useSingleCertificate);
+ }
outputProcessorChain.removeProcessor(this);
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java Wed Oct 9 13:28:15 2013
@@ -78,8 +78,10 @@ public class DerivedKeyTokenOutputProces
XMLSecurityConstants.Action action = getAction();
if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
length = JCEAlgorithmMapper.getKeyLengthFromURI(getSecurityProperties().getSignatureAlgorithm()) / 8;
+ System.out.println("SIG LEN: " + length);
} else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
length = JCEAlgorithmMapper.getKeyLengthFromURI(getSecurityProperties().getEncryptionSymAlgorithm()) / 8;
+ System.out.println("ENC LEN: " + length);
}
byte[] label;
@@ -103,7 +105,7 @@ public class DerivedKeyTokenOutputProces
} catch (ConversationException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
}
-
+
final byte[] derivedKeyBytes;
try {
byte[] secret;
@@ -161,7 +163,7 @@ public class DerivedKeyTokenOutputProces
return wsuIdDKT;
}
};
-
+
if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, wsuIdDKT);
} else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java Wed Oct 9 13:28:15 2013
@@ -18,6 +18,27 @@
*/
package org.apache.wss4j.stax.impl.processor.output;
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.MGF1ParameterSpec;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.OAEPParameterSpec;
+import javax.crypto.spec.PSource;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamException;
+
import org.apache.commons.codec.binary.Base64;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSPasswordCallback.Usage;
@@ -28,7 +49,9 @@ import org.apache.wss4j.stax.ext.WSSUtil
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
-import org.apache.xml.security.stax.ext.*;
+import org.apache.xml.security.stax.ext.AbstractOutputProcessor;
+import org.apache.xml.security.stax.ext.OutputProcessorChain;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
@@ -36,28 +59,6 @@ import org.apache.xml.security.stax.impl
import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
-import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.KeyGenerator;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.spec.OAEPParameterSpec;
-import javax.crypto.spec.PSource;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import javax.xml.namespace.QName;
-import javax.xml.stream.XMLStreamException;
-
-import java.io.IOException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.InvalidKeyException;
-import java.security.Key;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.X509Certificate;
-import java.security.spec.AlgorithmParameterSpec;
-import java.security.spec.MGF1ParameterSpec;
-import java.util.ArrayList;
-import java.util.List;
-
public class EncryptedKeyOutputProcessor extends AbstractOutputProcessor {
public EncryptedKeyOutputProcessor() throws XMLSecurityException {
@@ -86,7 +87,7 @@ public class EncryptedKeyOutputProcessor
outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
SecurityTokenProvider<OutboundSecurityToken> encryptedKeySecurityTokenProvider = null;
GenericOutboundSecurityToken encryptedKeySecurityToken = null;
- if (encTokenId != null && !WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(getAction())) {
+ if (encTokenId != null) {
encryptedKeySecurityTokenProvider =
outputProcessorChain.getSecurityContext().getSecurityTokenProvider(encTokenId);
if (encryptedKeySecurityTokenProvider != null) {
@@ -94,70 +95,24 @@ public class EncryptedKeyOutputProcessor
(GenericOutboundSecurityToken)encryptedKeySecurityTokenProvider.getSecurityToken();
}
}
-
- if (encryptedKeySecurityToken == null) {
- // Generate Key
- //prepare the symmetric session key for all encryption parts
- String keyAlgorithm = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(securityProperties.getEncryptionSymAlgorithm());
- KeyGenerator keyGen;
- try {
- keyGen = KeyGenerator.getInstance(keyAlgorithm);
- } catch (NoSuchAlgorithmException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
- }
- //the sun JCE provider expects the real key size for 3DES (112 or 168 bit)
- //whereas bouncy castle expects the block size of 128 or 192 bits
- if (keyAlgorithm.contains("AES")) {
- int keyLength = JCEAlgorithmMapper.getKeyLengthFromURI(securityProperties.getEncryptionSymAlgorithm());
- keyGen.init(keyLength);
- }
-
- final Key symmetricKey = keyGen.generateKey();
-
- final String ekId = IDGenerator.generateID(null);
-
- final GenericOutboundSecurityToken securityToken = new GenericOutboundSecurityToken(ekId, WSSecurityTokenConstants.EncryptedKeyToken, symmetricKey);
- final SecurityTokenProvider<OutboundSecurityToken> securityTokenProvider =
- new SecurityTokenProvider<OutboundSecurityToken>() {
-
- @Override
- public OutboundSecurityToken getSecurityToken() throws XMLSecurityException {
- return securityToken;
- }
-
- @Override
- public String getId() {
- return ekId;
- }
- };
-
- encryptedKeySecurityTokenProvider = securityTokenProvider;
- encryptedKeySecurityToken = securityToken;
- }
-
- encryptedKeySecurityToken.setKeyWrappingToken(wrappingSecurityToken);
- wrappingSecurityToken.addWrappedToken(encryptedKeySecurityToken);
FinalEncryptedKeyOutputProcessor finalEncryptedKeyOutputProcessor = new FinalEncryptedKeyOutputProcessor(encryptedKeySecurityToken);
finalEncryptedKeyOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
finalEncryptedKeyOutputProcessor.setAction(getAction());
XMLSecurityConstants.Action action = getAction();
if (WSSConstants.ENCRYPT.equals(action)) {
- outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, encryptedKeySecurityToken.getId());
if (wrappingSecurityToken.getProcessor() != null) {
finalEncryptedKeyOutputProcessor.addBeforeProcessor(wrappingSecurityToken.getProcessor());
} else {
finalEncryptedKeyOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
}
} else if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
- outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, encryptedKeySecurityToken.getId());
if (wrappingSecurityToken.getProcessor() != null) {
finalEncryptedKeyOutputProcessor.addBeforeProcessor(wrappingSecurityToken.getProcessor());
} else {
finalEncryptedKeyOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
}
} else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
- outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, encryptedKeySecurityToken.getId());
if (wrappingSecurityToken.getProcessor() != null) {
finalEncryptedKeyOutputProcessor.addBeforeProcessor(wrappingSecurityToken.getProcessor());
} else {
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/DerivedKeyTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/DerivedKeyTokenTest.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/DerivedKeyTokenTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/DerivedKeyTokenTest.java Wed Oct 9 13:28:15 2013
@@ -55,6 +55,7 @@ import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.XMLStreamWriter;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
+
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.cert.X509Certificate;
@@ -584,15 +585,9 @@ public class DerivedKeyTokenTest extends
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_wsc0502_SecurityContextToken.getNamespaceURI(), WSSConstants.TAG_wsc0502_SecurityContextToken.getLocalPart());
Assert.assertEquals(nodeList.getLength(), 0);
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
- Assert.assertEquals(nodeList.getLength(), 2);
+ Assert.assertEquals(nodeList.getLength(), 1);
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_wsc0502_DerivedKeyToken.getNamespaceURI(), WSSConstants.TAG_wsc0502_DerivedKeyToken.getLocalPart());
Assert.assertEquals(nodeList.getLength(), 2);
- nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_wsse_KeyIdentifier.getNamespaceURI(), WSSConstants.TAG_wsse_KeyIdentifier.getLocalPart());
- Assert.assertEquals(nodeList.getLength(), 2);
- Attr attr = (Attr) nodeList.item(0).getAttributes().getNamedItem(WSSConstants.ATT_NULL_ValueType.getLocalPart());
- Assert.assertEquals(attr.getValue(), WSSConstants.NS_THUMBPRINT);
- attr = (Attr) nodeList.item(1).getAttributes().getNamedItem(WSSConstants.ATT_NULL_ValueType.getLocalPart());
- Assert.assertEquals(attr.getValue(), WSSConstants.NS_THUMBPRINT);
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
Assert.assertEquals(nodeList.getLength(), 1);
}
@@ -725,54 +720,6 @@ public class DerivedKeyTokenTest extends
}
}
- @Test
- public void testEncryptSignatureOutbound() throws Exception {
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
- {
- WSSSecurityProperties securityProperties = new WSSSecurityProperties();
- WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.ENCRYPT_WITH_DERIVED_KEY, WSSConstants.SIGNATURE_WITH_DERIVED_KEY};
- securityProperties.setOutAction(actions);
- CallbackHandlerImpl callbackHandler = new CallbackHandlerImpl();
- securityProperties.setCallbackHandler(callbackHandler);
- securityProperties.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#hmac-sha1");
- securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
- securityProperties.setSignatureUser("receiver");
- securityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
- securityProperties.setEncryptionUser("receiver");
- securityProperties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_ThumbprintIdentifier);
- securityProperties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.EncryptedKey);
-
- OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
- XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, "UTF-8", new ArrayList<SecurityEvent>());
- XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
- XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
- xmlStreamWriter.close();
-
- Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
- NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
- Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
-
- nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_wsc0502_SecurityContextToken.getNamespaceURI(), WSSConstants.TAG_wsc0502_SecurityContextToken.getLocalPart());
- Assert.assertEquals(nodeList.getLength(), 0);
- nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
- Assert.assertEquals(nodeList.getLength(), 2);
- nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_wsc0502_DerivedKeyToken.getNamespaceURI(), WSSConstants.TAG_wsc0502_DerivedKeyToken.getLocalPart());
- Assert.assertEquals(nodeList.getLength(), 2);
- nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_wsse_KeyIdentifier.getNamespaceURI(), WSSConstants.TAG_wsse_KeyIdentifier.getLocalPart());
- Assert.assertEquals(nodeList.getLength(), 2);
- Attr attr = (Attr) nodeList.item(0).getAttributes().getNamedItem(WSSConstants.ATT_NULL_ValueType.getLocalPart());
- Assert.assertEquals(attr.getValue(), WSSConstants.NS_THUMBPRINT);
- attr = (Attr) nodeList.item(1).getAttributes().getNamedItem(WSSConstants.ATT_NULL_ValueType.getLocalPart());
- Assert.assertEquals(attr.getValue(), WSSConstants.NS_THUMBPRINT);
- nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
- Assert.assertEquals(nodeList.getLength(), 1);
- }
- {
- String action = WSHandlerConstants.ENCRYPT + " " + WSHandlerConstants.SIGNATURE;
- doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
- }
- }
-
@Test(dataProvider = "versionProvider")
public void testEncryptSignatureInbound(int version) throws Exception {
@@ -838,4 +785,5 @@ public class DerivedKeyTokenTest extends
Assert.assertEquals(nodeList.getLength(), 0);
}
}
+
}