Posted to rampart-dev@ws.apache.org by ka...@apache.org on 2007/10/09 06:13:44 UTC
svn commit: r583042 - in /webservices/rampart/trunk/c: include/
src/omxmlsec/ src/omxmlsec/tokens/ src/util/
Author: kaushalye
Date: Mon Oct 8 21:13:43 2007
New Revision: 583042
URL: http://svn.apache.org/viewvc?rev=583042&view=rev
Log:
1. Introducing key derivation module
2. Introducing <wsc:DerivedKeyToken> element
Added:
webservices/rampart/trunk/c/include/oxs_derivation.h
webservices/rampart/trunk/c/src/omxmlsec/derivation.c
webservices/rampart/trunk/c/src/omxmlsec/tokens/token_derived_key_token.c
Modified:
webservices/rampart/trunk/c/include/oxs_constants.h
webservices/rampart/trunk/c/include/oxs_tokens.h
webservices/rampart/trunk/c/src/omxmlsec/Makefile.am
webservices/rampart/trunk/c/src/omxmlsec/tokens/Makefile.am
webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c
Modified: webservices/rampart/trunk/c/include/oxs_constants.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/oxs_constants.h?rev=583042&r1=583041&r2=583042&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/oxs_constants.h (original)
+++ webservices/rampart/trunk/c/include/oxs_constants.h Mon Oct 8 21:13:43 2007
@@ -51,9 +51,10 @@
#define OXS_DS "ds"
#define OXS_WSSE "wsse"
#define OXS_WSSE_11 "wsse11"
+#define OXS_WSU "wsu"
+#define OXS_WSC "wsc"
#define OXS_WSSE_XMLNS "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
#define OXS_WSSE_11_XMLNS "http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-wssecurity-secext-1.1.xsd"
-#define OXS_WSU "wsu"
#define OXS_WSU_XMLNS "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
/****************************************************************
ID Prefixes
@@ -63,6 +64,7 @@
#define OXS_SIG_ID "SigID"
#define OXS_CERT_ID "CertID"
#define OXS_EMBEDDED_ID "EmbeddedID"
+#define OXS_DERIVED_ID "DerivedID"
/****************************************************************
Global namespaces
@@ -70,6 +72,7 @@
#define OXS_DSIG_NS "http://www.w3.org/2000/09/xmldsig#"
#define OXS_ENC_NS "http://www.w3.org/2001/04/xmlenc#"
#define OXS_WSSE_NS "http://schemas.xmlsoap.org/ws/2002/04/secext"
+#define OXS_WSC_NS "http://schemas.xmlsoap.org/ws/2005/02/sc"
/****************************************************************
DSig Nodes
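Review bot: `OXS_WSC_NS` pins the pre-OASIS WS-SecureConversation namespace (schemas.xmlsoap.org/ws/2005/02/sc), whereas OASIS WS-SecureConversation 1.3 uses http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512; a peer built against 1.3 is likely to ignore or reject a <wsc:DerivedKeyToken> emitted under the 2005/02 URI, and nothing in the header says which dialect is targeted. If only the 2005/02 dialect is intended, a comment beside the define is enough, e.g. `/* WS-SecureConversation (Feb 2005) namespace; OASIS WS-SC 1.3 uses a different URI */`; otherwise a second constant for the 1.3 namespace is needed before interop is attempted.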
@@ -119,6 +122,16 @@
#define OXS_NODE_SECURITY_TOKEN_REFRENCE "SecurityTokenReference"
#define OXS_NODE_EMBEDDED "Embedded"
+ /****************************************************************
+ Secure Conversation Nodes
+ ****************************************************************/
+#define OXS_NODE_DERIVED_KEY_TOKEN "DerivedKeyToken"
+#define OXS_NODE_PROPERTIES "Properties"
+#define OXS_NODE_GENERATION "Generation"
+#define OXS_NODE_OFFSET "Offset"
+#define OXS_NODE_LENGTH "Length"
+#define OXS_NODE_LABEL "Label"
+#define OXS_NODE_NONCE "Nonce"
/****************************************************************
Attributes
Added: webservices/rampart/trunk/c/include/oxs_derivation.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/oxs_derivation.h?rev=583042&view=auto
==============================================================================
--- webservices/rampart/trunk/c/include/oxs_derivation.h (added)
+++ webservices/rampart/trunk/c/include/oxs_derivation.h Mon Oct 8 21:13:43 2007
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef OXS_DERIVATION_H
+#define OXS_DERIVATION_H
+
+
+/**
+ * @file oxs_derivation.h
+ * @brief The Key derivation module for OMXMLSecurity
+ */
+
+/**
+* @defgroup oxs_derivation Derivation
+* @ingroup oxs
+* @{
+*/
+#include <axis2_defines.h>
+#include <axutil_env.h>
+#include <oxs_key.h>
+#include <oxs_buffer.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+ /**
+ * Derive Keys
+ * Caller must free memory
+ * @param env pointer to environment struct
+ * @param secret The secret is the shared secret that is exchanged (note that if two secrets were securely exchanged,\
+ * possible as part of an initial exchange, they are concatenated in the order they were sent/received)
+ * @param label The label is the concatenation of the client's label and the service's label
+ * @param seed The seed is the concatenation of nonce values (if multiple were exchanged) that were exchanged (initiator + receiver)
+ * @param derived_key The derived key. Caller must create and free
+ * @return status
+ **/
+ AXIS2_EXTERN axis2_status_t AXIS2_CALL
+ oxs_derivation_derive_key(const axutil_env_t *env,
+ oxs_key_t *secret,
+ oxs_buffer_t *label,
+ oxs_buffer_t *seed,
+ oxs_key_t *derived_key
+ );
+
+
+
+ /** @} */
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* OXS_DERIVATION_H */
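Review bot: The ownership contract for `derived_key` is stated twice and inconsistently in the doc comment — "Caller must free memory" at the top and "The derived key. Caller must create and free" on the @param — so a reader cannot tell whether the function allocates a key or fills a caller-supplied one; keep a single wording such as `@param derived_key caller-created key that receives the derived bytes; the caller retains ownership`. The signature also has no way to pass the Offset, Length or Generation values that the <wsc:DerivedKeyToken> element carries (the OXS_NODE_OFFSET, OXS_NODE_LENGTH and OXS_NODE_GENERATION constants are added in oxs_constants.h by this same commit), so if the P_SHA1 output is meant to be sliced per token either add those parameters now or state in the comment that offset 0 and the full key length are assumed. `secret`, `label` and `seed` are read-only inputs and could be `const`-qualified if the oxs_key/oxs_buffer accessors permit it.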
Modified: webservices/rampart/trunk/c/include/oxs_tokens.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/oxs_tokens.h?rev=583042&r1=583041&r2=583042&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/oxs_tokens.h (original)
+++ webservices/rampart/trunk/c/include/oxs_tokens.h Mon Oct 8 21:13:43 2007
@@ -492,6 +492,16 @@
const axutil_env_t * env,
axiom_node_t * signature_confirmation_node);
+ /**
+ * Creates <wsc:DerivedKeyToken> element
+ */
+ AXIS2_EXTERN axiom_node_t * AXIS2_CALL
+ oxs_token_build_derived_key_token_element(
+ const axutil_env_t * env,
+ axiom_node_t * parent,
+ axis2_char_t * id,
+ axis2_char_t * algo);
+
/** @} */
#ifdef __cplusplus
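Review bot: The new declaration's comment says only "Creates <wsc:DerivedKeyToken> element" and documents none of the parameters, although the implementation in token_derived_key_token.c gives them non-obvious semantics: `id` may be NULL, in which case an id is generated from the OXS_DERIVED_ID prefix, `algo` is written verbatim into the Algorithm attribute, and the element is created as a child of `parent`. The comment should state those three points plus the return value (the new node, or NULL when element creation fails) so callers do not have to read the .c file. The `@param`/`@return` block used for oxs_derivation_derive_key in this same commit is the style to follow.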
Modified: webservices/rampart/trunk/c/src/omxmlsec/Makefile.am
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/Makefile.am?rev=583042&r1=583041&r2=583042&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/Makefile.am (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/Makefile.am Mon Oct 8 21:13:43 2007
@@ -5,7 +5,7 @@
iv.c xml_encryption.c encryption.c\
utility.c asym_ctx.c x509_cert.c key_mgr.c sign_part.c sign_ctx.c \
xml_signature.c signature.c transform.c transforms_factory.c xml_key_processor.c \
- xml_key_info_builder.c
+ xml_key_info_builder.c derivation.c
libomxmlsec_la_LIBADD = @OPENSSLLIB@ \
Added: webservices/rampart/trunk/c/src/omxmlsec/derivation.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/derivation.c?rev=583042&view=auto
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/derivation.c (added)
+++ webservices/rampart/trunk/c/src/omxmlsec/derivation.c Mon Oct 8 21:13:43 2007
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <axis2_util.h>
+#include <oxs_derivation.h>
+#include <oxs_key.h>
+#include <oxs_error.h>
+#include <oxs_asym_ctx.h>
+
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
+oxs_derivation_derive_key(const axutil_env_t *env,
+ oxs_key_t *secret,
+ oxs_buffer_t *label,
+ oxs_buffer_t *seed,
+ oxs_key_t *derived_key
+ )
+{
+ axis2_status_t status = AXIS2_FAILURE;
+
+ /*TODO Concatenate the seed and label*/
+
+ /*TODO P_SHA1 (secret, label + seed)*/
+
+ /*TODO Populate the derived key*/
+
+
+
+ return status;
+}
+
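Review bot: `oxs_derivation_derive_key` is a stub that returns AXIS2_FAILURE for every input without logging or raising an error, while the new header exports it as a working API, so until the P_SHA1 path is filled in a caller gets an unexplained failure. A one-line diagnostic such as `AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[oxs][derivation] key derivation is not implemented");` before the return makes the state explicit, and a NULL check on `secret`, `label`, `seed` and `derived_key` belongs at the top regardless of the implementation. When the implementation lands, the intermediate P_SHA1 output buffer should be cleared before it is freed, since it is key material. `<stdio.h>` and `<oxs_asym_ctx.h>` are included but nothing in this file uses them.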
Modified: webservices/rampart/trunk/c/src/omxmlsec/tokens/Makefile.am
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/tokens/Makefile.am?rev=583042&r1=583041&r2=583042&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/tokens/Makefile.am (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/tokens/Makefile.am Mon Oct 8 21:13:43 2007
@@ -8,7 +8,7 @@
token_embedded.c token_reference.c token_signature_value.c token_signed_info.c \
token_c14n_method.c token_signature_method.c token_digest_method.c token_digest_value.c \
token_transform.c token_transforms.c token_signature.c token_ds_reference.c \
- token_x509_certificate.c token_signature_confirmation.c
+ token_x509_certificate.c token_signature_confirmation.c token_derived_key_token.c
INCLUDES = -I$(top_builddir)/include \
Added: webservices/rampart/trunk/c/src/omxmlsec/tokens/token_derived_key_token.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/tokens/token_derived_key_token.c?rev=583042&view=auto
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/tokens/token_derived_key_token.c (added)
+++ webservices/rampart/trunk/c/src/omxmlsec/tokens/token_derived_key_token.c Mon Oct 8 21:13:43 2007
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <oxs_constants.h>
+#include <oxs_error.h>
+#include <oxs_tokens.h>
+#include <oxs_utility.h>
+#include <axiom_attribute.h>
+#include <axiom_element.h>
+#include <rampart_constants.h>
+
+AXIS2_EXTERN axiom_node_t* AXIS2_CALL
+oxs_token_build_derived_key_token_element(const axutil_env_t *env,
+ axiom_node_t *parent,
+ axis2_char_t* id,
+ axis2_char_t* algo)
+{
+ axiom_node_t *derived_key_token_node = NULL;
+ axiom_element_t *derived_key_token_ele = NULL;
+ axiom_attribute_t *algo_att = NULL;
+ axiom_attribute_t *id_attr = NULL;
+ int ret;
+ axiom_namespace_t *ns_obj = NULL;
+ axiom_namespace_t *ns = NULL;
+
+ ns_obj = axiom_namespace_create(env, OXS_WSC_NS,
+ OXS_WSC);
+
+ ns = axiom_namespace_create(env, RAMPART_WSU_XMLNS, OXS_WSU);
+
+ derived_key_token_ele = axiom_element_create(env, parent, OXS_NODE_DERIVED_KEY_TOKEN, ns_obj, &derived_key_token_node);
+ if (!derived_key_token_ele)
+ {
+ oxs_error(env, ERROR_LOCATION,
+ OXS_ERROR_ELEMENT_FAILED, "Error creating %s Token element", OXS_NODE_DERIVED_KEY_TOKEN);
+ return NULL;
+ }
+
+ if (!id)
+ {
+ id = oxs_util_generate_id(env,(axis2_char_t*)OXS_DERIVED_ID);
+ }
+
+
+ id_attr = axiom_attribute_create(env, OXS_ATTR_ID, id,ns);
+ algo_att = axiom_attribute_create(env, OXS_ATTR_ALGORITHM, algo, NULL);
+
+ ret = axiom_element_add_attribute(derived_key_token_ele, env, id_attr, derived_key_token_node);
+ ret = axiom_element_add_attribute(derived_key_token_ele, env, algo_att, derived_key_token_node);
+
+ return derived_key_token_node;
+}
+
+
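Review bot: The results of `axiom_attribute_create` and `axiom_element_add_attribute` are never checked — `ret` is assigned twice and discarded — so a failed attribute creation passes NULL into `axiom_element_add_attribute`, and a <wsc:DerivedKeyToken> missing its wsu:Id or Algorithm can be handed back as if it were complete. The wsu namespace is also built from `RAMPART_WSU_XMLNS` out of rampart_constants.h although this is the omxmlsec layer and `OXS_WSU_XMLNS` already exists in oxs_constants.h; using the oxs constant lets the rampart_constants.h include go. The id obtained from `oxs_util_generate_id` when `id` is NULL is never released, so if `axiom_attribute_create` copies its value argument (as I believe the other axiom create functions do — confirm) that string leaks on every call; on the failure paths the half-built node is left attached to `parent`, which a detach-and-free before returning NULL would avoid.
```c
    ns = axiom_namespace_create(env, OXS_WSU_XMLNS, OXS_WSU);
    /* … unchanged: element creation and its error check, id generation … */
    id_attr = axiom_attribute_create(env, OXS_ATTR_ID, id, ns);
    algo_att = axiom_attribute_create(env, OXS_ATTR_ALGORITHM, algo, NULL);
    if (!id_attr || !algo_att)
    {
        oxs_error(env, ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED,
                  "Error creating attributes for %s Token element", OXS_NODE_DERIVED_KEY_TOKEN);
        return NULL;
    }
    if (axiom_element_add_attribute(derived_key_token_ele, env, id_attr, derived_key_token_node) != AXIS2_SUCCESS
        || axiom_element_add_attribute(derived_key_token_ele, env, algo_att, derived_key_token_node) != AXIS2_SUCCESS)
    {
        oxs_error(env, ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED,
                  "Error adding attributes to %s Token element", OXS_NODE_DERIVED_KEY_TOKEN);
        return NULL;
    }
    return derived_key_token_node;
```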
Modified: webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c?rev=583042&r1=583041&r2=583042&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c Mon Oct 8 21:13:43 2007
@@ -37,58 +37,78 @@
/*Private functions*/
axis2_status_t AXIS2_CALL
rampart_shb_do_symmetric_binding( const axutil_env_t *env,
- axis2_msg_ctx_t *msg_ctx,
- rampart_context_t *rampart_context,
- axiom_soap_envelope_t *soap_envelope,
- axiom_node_t *sec_node,
- axiom_namespace_t *sec_ns_obj)
+ axis2_msg_ctx_t *msg_ctx,
+ rampart_context_t *rampart_context,
+ axiom_soap_envelope_t *soap_envelope,
+ axiom_node_t *sec_node,
+ axiom_namespace_t *sec_ns_obj)
{
axis2_status_t status = AXIS2_FAILURE;
+ axis2_bool_t is_encrypt_before_sign = AXIS2_FALSE;
/*TODO Symmetric binding*/
if(rampart_context_is_include_timestamp(rampart_context,env))
{
- int ttl = -1;
- AXIS2_LOG_INFO(env->log, "[rampart][shb] building Timestamp Token");
- AXIS2_LOG_INFO(env->log, "[rampart][shb] Using default timeToLive value %d",
- RAMPART_TIMESTAMP_TOKEN_DEFAULT_TIME_TO_LIVE);
- /*ttl = RAMPART_TIMESTAMP_TOKEN_DEFAULT_TIME_TO_LIVE;*/
- ttl = rampart_context_get_ttl(rampart_context,env);
+ int ttl = -1;
+ AXIS2_LOG_INFO(env->log, "[rampart][shb] Sym binding, building Timestamp Token");
+ AXIS2_LOG_INFO(env->log, "[rampart][shb] Sym binding, Using default timeToLive value %d",
+ RAMPART_TIMESTAMP_TOKEN_DEFAULT_TIME_TO_LIVE);
+ /*ttl = RAMPART_TIMESTAMP_TOKEN_DEFAULT_TIME_TO_LIVE;*/
+ ttl = rampart_context_get_ttl(rampart_context,env);
+
+ status = rampart_timestamp_token_build(env,
+ sec_node, sec_ns_obj, ttl);
+ if (status == AXIS2_FAILURE)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shb] Sym binding, Timestamp Token build failed. ERROR");
+ return AXIS2_FAILURE;
+ }
+ }
- status = rampart_timestamp_token_build(env,
- sec_node, sec_ns_obj, ttl);
+ /*User name tokens includes in messages sent from client to server*/
+ if(!axis2_msg_ctx_get_server_side(msg_ctx,env))
+ {
+ if(rampart_context_is_include_username_token(rampart_context,env))
+ {
+
+ /*Now we are passing rampart_context here so inside this method
+ relevant parameters are extracted. */
+
+ AXIS2_LOG_INFO(env->log, "[rampart][shb] Sym binding, building UsernmaeToken");
+ status =rampart_username_token_build(
+ env,
+ rampart_context,
+ sec_node,
+ sec_ns_obj);
if (status == AXIS2_FAILURE)
{
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shb] Timestamp Token build failed. ERROR");
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][shb] Sym binding, UsernmaeToken build failed. ERROR");
return AXIS2_FAILURE;
}
- }
-
- /*User name tokens includes in messages sent from client to server*/
- if(!axis2_msg_ctx_get_server_side(msg_ctx,env))
- {
- if(rampart_context_is_include_username_token(rampart_context,env))
- {
+ }
+ }
- /*Now we are passing rampart_context here so inside this method
- relevant parameters are extracted. */
+ /*Check the encryption and signature order*/
+ if(rampart_context_is_encrypt_before_sign(rampart_context, env))
+ {
+ /*TODO encrypt before sign*/
- AXIS2_LOG_INFO(env->log, "[rampart][shb] building UsernmaeToken");
- status =rampart_username_token_build(
- env,
- rampart_context,
- sec_node,
- sec_ns_obj);
- if (status == AXIS2_FAILURE)
- {
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][shb] UsernmaeToken build failed. ERROR");
- return AXIS2_FAILURE;
- }
- }
+ }else{ /*Sign before encrypt*/
+ is_encrypt_before_sign = AXIS2_FALSE;
+
+ /*First do signature specific stuff*/
+ status = rampart_sig_sign_message(env, msg_ctx, rampart_context, soap_envelope, sec_node);
+ if(status != AXIS2_SUCCESS){
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][shb] Sym binding, Signing failed. ERROR");
+ return AXIS2_FAILURE;
}
+ /*Then Handle Encryption stuff*/
+
+ }
status = AXIS2_SUCCESS;
return status;
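Review bot: Both new branches reach `status = AXIS2_SUCCESS` with part of the binding unperformed: the encrypt-before-sign branch holds only a TODO, and the sign-before-encrypt branch stops after `rampart_sig_sign_message` at the "Then Handle Encryption stuff" comment, so a policy whose binding calls for encryption yields a message that is reported as secured but leaves without it. Until those paths exist they should fail closed, e.g. replace the TODO with `AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shb] Sym binding, encrypt before sign is not supported"); return AXIS2_FAILURE;` and do the same where encryption is meant to follow signing. `is_encrypt_before_sign` is initialised to AXIS2_FALSE, reassigned AXIS2_FALSE in the else branch and never read, so it can be dropped. The body of rampart_shb_do_symmetric_binding continues past the end of the hunk.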