You are viewing a plain text version of this content. The canonical link for it is here.
Posted to fx-dev@ws.apache.org by we...@apache.org on 2004/05/14 16:48:35 UTC
cvs commit: ws-fx/wss4j/src/org/apache/ws/security/components/crypto Crypto.java Merlin.java
werner 2004/05/14 07:48:35
Modified: wss4j/src/org/apache/ws/security WSConstants.java
WSSecurityEngine.java
wss4j/src/org/apache/ws/security/message/token
BinarySecurity.java X509Security.java
SecurityTokenReference.java
wss4j/src/org/apache/ws/security/components/crypto
Crypto.java Merlin.java
Log:
Include patches for JIRA issue: (WSFX-5) Interoperability improvements
Revision Changes Path
1.16 +67 -3 ws-fx/wss4j/src/org/apache/ws/security/WSConstants.java
Index: WSConstants.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/WSConstants.java,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- WSConstants.java 19 Apr 2004 17:46:13 -0000 1.15
+++ WSConstants.java 14 May 2004 14:48:34 -0000 1.16
@@ -24,14 +24,48 @@
/**
* Constants in WS-Security spec.
*/
-public interface WSConstants {
- public static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
+public class WSConstants {
+ // the following compliance mode values must have increasing values as new
+ // modes are added; a later spec should have a value > value of an an earlier spec.
+ public static final int OASIS_2002_07 = 1;
+ public static final int OASIS_2002_12 = 2;
+ public static final int OASIS_2003_06 = 3;
+ public static final int OASIS_1_0 = 4;
+
+ /**
+ * Set the specification compliance mode. This affects namespaces as well
+ * as how certain items are constructed in security headers.
+ * <p/>
+ * Currently this can only be set at compile time. The valid values are:
+ * <ul>
+ * <li> {@link #OASIS_2002_07} </li>
+ * <li> {@link #OASIS_2002_12} </li>
+ * <li> {@link #OASIS_2003_06} </li>
+ * <li> {@link #OASIS_1_0} OASIS WS-Security v1.0 as released on March 2004. This is the default and recommended setting</li>
+ * </ul>
+ * <p/>
+ * Using {@link #OASIS_2002} enhances chances of interoperability with other
+ * WSS implementations that do not fully adhere to the OASIS v1.0 March 2004
+ * specs yet.
+ * @param specs instructs WSS4J on which standard to follow
+ */
+ public static final int COMPLIANCE_MODE = OASIS_1_0;
+
+ public static final String WSSE_NS_OASIS_2002_07 = "http://schemas.xmlsoap.org/ws/2002/07/secext";
+ public static final String WSSE_NS_OASIS_2002_12 = "http://schemas.xmlsoap.org/ws/2002/12/secext";
+ public static final String WSSE_NS_OASIS_2003_06 = "http://schemas.xmlsoap.org/ws/2003/06/secext";
+ public static final String WSSE_NS_OASIS_1_0 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
+ public static String WSSE_NS = WSSE_NS_OASIS_1_0;
public static final String USERNAMETOKEN_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0";
public static final String SOAPMESSAGE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0";
public static final String X509TOKEN_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0";
public static final String WSSE_PREFIX = "wsse";
public static final String WSSE_LN = "Security";
- public static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
+ public static final String WSU_NS_OASIS_2002_07 = "http://schemas.xmlsoap.org/ws/2002/07/utility";
+ public static final String WSU_NS_OASIS_2002_12 = "http://schemas.xmlsoap.org/ws/2002/12/utility";
+ public static final String WSU_NS_OASIS_2003_06 = "http://schemas.xmlsoap.org/ws/2003/06/utility";
+ public static final String WSU_NS_OASIS_1_0 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
+ public static String WSU_NS = WSU_NS_OASIS_1_0;
public static final String WSU_PREFIX = "wsu";
public static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
public static final String SIG_PREFIX = "ds";
@@ -257,5 +291,35 @@
public static final int NO_SERIALIZE = 0x100;
public static final int SERIALIZE = 0x200;
+ static {
+ setComplianceMode();
+ }
+
+ /**
+ * init various constants to the chosen compliance mode
+ */
+ private static void setComplianceMode() {
+ switch (COMPLIANCE_MODE) {
+ case OASIS_1_0:
+ WSSE_NS = WSSE_NS_OASIS_1_0;
+ WSU_NS = WSU_NS_OASIS_1_0;
+ break;
+ case OASIS_2003_06:
+ WSSE_NS = WSSE_NS_OASIS_2003_06;
+ WSU_NS = WSU_NS_OASIS_2003_06;
+ break;
+ case OASIS_2002_12:
+ WSSE_NS = WSSE_NS_OASIS_2002_12;
+ WSU_NS = WSU_NS_OASIS_2002_12;
+ break;
+ case OASIS_2002_07:
+ WSSE_NS = WSSE_NS_OASIS_2002_07;
+ WSU_NS = WSU_NS_OASIS_2002_07;
+ break;
+ default:
+ WSSE_NS = WSSE_NS_OASIS_1_0;
+ WSU_NS = WSU_NS_OASIS_1_0;
+ }
+ }
}
1.20 +134 -121 ws-fx/wss4j/src/org/apache/ws/security/WSSecurityEngine.java
Index: WSSecurityEngine.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/WSSecurityEngine.java,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- WSSecurityEngine.java 7 Apr 2004 05:56:17 -0000 1.19
+++ WSSecurityEngine.java 14 May 2004 14:48:34 -0000 1.20
@@ -109,8 +109,7 @@
* <code>wsu:Timestamp</code> as defined by OASIS WS Security specification,
*/
protected static final QName TIMESTAMP = new QName(WSConstants.WSU_NS, WSConstants.TIMESTAMP_TOKEN_LN);
-
-
+
static {
org.apache.xml.security.Init.init();
String Id = "BC";
@@ -452,36 +451,42 @@
X509Certificate[] certs = null;
KeyInfo info = sig.getKeyInfo();
-
- Node node =
- WSSecurityUtil.getDirectChild(
- info.getElement(),
- SecurityTokenReference.TOKEN.getLocalPart(),
- SecurityTokenReference.TOKEN.getNamespaceURI());
- if (node == null) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
- "unsupportedKeyInfo");
- }
- SecurityTokenReference secRef =
- new SecurityTokenReference((Element) node);
- if (secRef.containsReference()) {
- Element token = secRef.getTokenElement(elem.getOwnerDocument());
-
- // at this point ... check token type: Binary
- QName el = new QName(token.getNamespaceURI(), token.getLocalName());
- if (el.equals(BINARY_TOKEN)) {
- certs = getCertificatesTokenReference((Element) token, crypto);
- } else {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
- "unsupportedToken", new Object[] { el.toString()});
- }
- } else if (secRef.containsX509IssuerSerial()) {
- certs = secRef.getX509IssuerSerial(crypto);
- } else if (secRef.containsKeyIdentifier()) {
- certs = secRef.getKeyIdentifier(crypto);
- }
+ if (/*crypto.getDefaultX509Alias() == null &&*/ info != null) {
+ Node node =
+ WSSecurityUtil.getDirectChild(
+ info.getElement(),
+ SecurityTokenReference.TOKEN.getLocalPart(),
+ SecurityTokenReference.TOKEN.getNamespaceURI());
+ if (node == null) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY,
+ "unsupportedKeyInfo");
+ }
+ SecurityTokenReference secRef =
+ new SecurityTokenReference((Element) node);
+ if (secRef.containsReference()) {
+ Element token = secRef.getTokenElement(elem.getOwnerDocument());
+
+ // at this point ... check token type: Binary
+ QName el = new QName(token.getNamespaceURI(), token.getLocalName());
+ if (el.equals(BINARY_TOKEN)) {
+ certs = getCertificatesTokenReference((Element) token, crypto);
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY,
+ "unsupportedToken", new Object[] { el.toString()});
+ }
+ } else if (secRef.containsX509IssuerSerial()) {
+ certs = secRef.getX509IssuerSerial(crypto);
+ } else if (secRef.containsKeyIdentifier()) {
+ certs = secRef.getKeyIdentifier(crypto);
+ }
+ } else if (crypto.getDefaultX509Alias() != null) {
+ certs = crypto.getCertificates(crypto.getDefaultX509Alias());
+ } else {
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY,
+ "unsupportedKeyInfo");
+ }
if (tlog.isDebugEnabled()) {
t1 = System.currentTimeMillis();
}
@@ -689,99 +694,107 @@
// see check above ... maybe later
Element keyInfo = (Element) WSSecurityUtil.getDirectChild((Node) xencEncryptedKey,
"KeyInfo", WSConstants.SIG_NS);
- if (keyInfo == null) {
- throw new WSSecurityException
- (WSSecurityException.INVALID_SECURITY, "noKeyinfo");
- }
- Element secRefToken = (Element) WSSecurityUtil.getDirectChild((Node) keyInfo,
- "SecurityTokenReference", WSConstants.WSSE_NS);
- if (secRefToken == null) {
- throw new WSSecurityException
- (WSSecurityException.INVALID_SECURITY, "noSecTokRef");
- }
- SecurityTokenReference secRef = new SecurityTokenReference(secRefToken);
- /*
- * Well, at this point there are several ways to get the key. Try to handle all of them :-).
- */
- String alias = null;
- /*
- * handle X509IssuerSerial here. First check if all elements are available,
- * get the appropriate data, check if all data is available.
- * If all is ok up to that point, look up the certificate alias according
- * to issuer name and serial number.
- * This method is recommended by OASIS WS-S specification, X509 profile
- */
- if (secRef.containsX509IssuerSerial()) {
- alias = secRef.getX509IssuerSerialAlias(crypto);
- if (doDebug) {
- log.debug("X509IssuerSerial alias: " + alias);
- }
- }
- /*
- * If wsse:KeyIdentifier found, then the public key of the attached cert was used to
- * encrypt the session (symmetric) key that encrypts the data. Extract the certificate
- * using the BinarySecurity token (was enhanced to handle KeyIdentifier too).
- * This method is _not_recommended by OASIS WS-S specification, X509 profile
- */
- else if (secRef.containsKeyIdentifier()) {
- X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
- if (certs == null || certs.length != 1 || certs[0] == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "invalidX509Data", new Object[]{"for decryption (KeyId)"});
+ String alias;
+ if (keyInfo != null) {
+ Element secRefToken = (Element) WSSecurityUtil.getDirectChild((Node) keyInfo,
+ "SecurityTokenReference", WSConstants.WSSE_NS);
+ if (secRefToken == null) {
+ throw new WSSecurityException
+ (WSSecurityException.INVALID_SECURITY, "noSecTokRef");
}
+ SecurityTokenReference secRef = new SecurityTokenReference(secRefToken);
+ /*
+ * Well, at this point there are several ways to get the key. Try to handle all of them :-).
+ */
+ alias = null;
/*
- * Here we have the certificate. Now find the alias for it. Needed to identify
- * the private key associated with this certificate
+ * handle X509IssuerSerial here. First check if all elements are available,
+ * get the appropriate data, check if all data is available.
+ * If all is ok up to that point, look up the certificate alias according
+ * to issuer name and serial number.
+ * This method is recommended by OASIS WS-S specification, X509 profile
*/
- alias = crypto.getAliasForX509Cert(certs[0]);
- if (doDebug) {
- log.debug("cert: " + certs[0]);
- log.debug("KeyIdentifier Alias: " + alias);
+ if (secRef.containsX509IssuerSerial()) {
+ alias = secRef.getX509IssuerSerialAlias(crypto);
+ if (doDebug) {
+ log.debug("X509IssuerSerial alias: " + alias);
+ }
}
- } else if (secRef.containsReference()) {
- Element bstElement = secRef.getTokenElement(doc);
-
- // at this point ... check token type: Binary
- QName el =
- new QName(
- bstElement.getNamespaceURI(),
- bstElement.getLocalName());
- if (el.equals(BINARY_TOKEN)) {
- X509Security token = null;
- String value = bstElement.getAttribute("ValueType");
- if (!value.equals(X509Security.TYPE)
- || ((token = new X509Security(bstElement)) == null)) {
- throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
- "unsupportedBinaryTokenType",
- new Object[] { "for decryption (BST)" });
- }
- X509Certificate cert = token.getX509Certificate(crypto);
- if (cert == null) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "invalidX509Data",
- new Object[] { "for decryption" });
- }
- /*
- * Here we have the certificate. Now find the alias for it. Needed to identify
- * the private key associated with this certificate
- */
- alias = crypto.getAliasForX509Cert(cert);
- if (doDebug) {
- log.debug("BST Alias: " + alias);
- }
- } else {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
- "unsupportedToken",
- null);
- }
- } else {
- throw new WSSecurityException(
- WSSecurityException.FAILURE, "unsupportedKeyId");
- }
-
+ /*
+ * If wsse:KeyIdentifier found, then the public key of the attached cert was used to
+ * encrypt the session (symmetric) key that encrypts the data. Extract the certificate
+ * using the BinarySecurity token (was enhanced to handle KeyIdentifier too).
+ * This method is _not_recommended by OASIS WS-S specification, X509 profile
+ */
+ else if (secRef.containsKeyIdentifier()) {
+ X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
+ if (certs == null || certs.length != 1 || certs[0] == null) {
+ throw new WSSecurityException(WSSecurityException.FAILURE,
+ "invalidX509Data", new Object[]{"for decryption (KeyId)"});
+ }
+ /*
+ * Here we have the certificate. Now find the alias for it. Needed to identify
+ * the private key associated with this certificate
+ */
+ alias = crypto.getAliasForX509Cert(certs[0]);
+ if (doDebug) {
+ log.debug("cert: " + certs[0]);
+ log.debug("KeyIdentifier Alias: " + alias);
+ }
+ } else if (secRef.containsReference()) {
+ Element bstElement = secRef.getTokenElement(doc);
+
+ // at this point ... check token type: Binary
+ QName el =
+ new QName(
+ bstElement.getNamespaceURI(),
+ bstElement.getLocalName());
+ if (el.equals(BINARY_TOKEN)) {
+ X509Security token = null;
+ String value = bstElement.getAttribute("ValueType");
+ // attempt to get attribute in case it is qualified
+ // NYI: need to iterate through all valid namespaces
+ if (value.length() == 0) {
+ value = bstElement.getAttributeNS(WSConstants.WSSE_NS, "ValueType");
+ }
+ if (!value.endsWith(X509Security.X509_V3)
+ || ((token = new X509Security(bstElement)) == null)) {
+ throw new WSSecurityException(
+ WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
+ "unsupportedBinaryTokenType",
+ new Object[] { "for decryption (BST)" });
+ }
+ X509Certificate cert = token.getX509Certificate(crypto);
+ if (cert == null) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "invalidX509Data",
+ new Object[] { "for decryption" });
+ }
+ /*
+ * Here we have the certificate. Now find the alias for it. Needed to identify
+ * the private key associated with this certificate
+ */
+ alias = crypto.getAliasForX509Cert(cert);
+ if (doDebug) {
+ log.debug("BST Alias: " + alias);
+ }
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY,
+ "unsupportedToken",
+ null);
+ }
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "unsupportedKeyId");
+ }
+ } else if (crypto.getDefaultX509Alias() != null){
+ alias = crypto.getDefaultX509Alias();
+ } else {
+ throw new WSSecurityException
+ (WSSecurityException.INVALID_SECURITY, "noKeyinfo");
+ }
/*
* At this point we have all information necessary to decrypt the session
* key:
1.4 +35 -6 ws-fx/wss4j/src/org/apache/ws/security/message/token/BinarySecurity.java
Index: BinarySecurity.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/message/token/BinarySecurity.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- BinarySecurity.java 11 Mar 2004 13:41:30 -0000 1.3
+++ BinarySecurity.java 14 May 2004 14:48:34 -0000 1.4
@@ -38,9 +38,18 @@
public class BinarySecurity {
public static final QName TOKEN = new QName(WSConstants.WSSE_NS, "BinarySecurityToken");
public static final QName TOKEN_KI = new QName(WSConstants.WSSE_NS, "KeyIdentifier");
- public static final String BASE64_ENCODING = WSConstants.SOAPMESSAGE_NS + "#Base64Binary";
+ public static final String BASE64_BINARY = "Base64Binary";
+ public static String BASE64_ENCODING = null; // set in a static block later
protected Element element = null;
+ static {
+ if (WSConstants.COMPLIANCE_MODE <= WSConstants.OASIS_2002_12) {
+ BASE64_ENCODING = WSConstants.WSSE_PREFIX + ":" + BASE64_BINARY;
+ } else {
+ BASE64_ENCODING = WSConstants.SOAPMESSAGE_NS + "#Base64Binary";
+ }
+ }
+
/**
* Constructor.
* <p/>
@@ -54,7 +63,7 @@
if (!el.equals(TOKEN) && !el.equals(TOKEN_KI)) {
throw new WSSecurityException(WSSecurityException.INVALID_SECURITY_TOKEN, "badTokenType", new Object[]{el});
}
- if (!getEncodingType().equals(BASE64_ENCODING)) {
+ if (!getEncodingType().endsWith(BASE64_BINARY)) {
throw new WSSecurityException(WSSecurityException.INVALID_SECURITY_TOKEN, "badEncoding", new Object[]{getEncodingType()});
}
}
@@ -79,7 +88,13 @@
* @return
*/
public String getValueType() {
- return this.element.getAttribute("ValueType");
+ String valueType = this.element.getAttribute("ValueType");
+ // also attempt to get the attribute in case it was qualified
+ // NYI: still need to check for all supported namespaces here
+ if (valueType.length() == 0) {
+ valueType = element.getAttributeNS(WSConstants.WSSE_NS, "ValueType");
+ }
+ return valueType;
}
/**
@@ -89,7 +104,11 @@
* @param type
*/
protected void setValueType(String type) {
- this.element.setAttributeNS(null, "ValueType", type);
+ if (WSConstants.COMPLIANCE_MODE <= WSConstants.OASIS_2002_12) {
+ this.element.setAttributeNS(WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX + ":ValueType", type);
+ } else {
+ this.element.setAttributeNS(null, "ValueType", type);
+ }
}
/**
@@ -99,7 +118,13 @@
* @return
*/
public String getEncodingType() {
- return this.element.getAttribute("EncodingType");
+ String encodingType = this.element.getAttribute("EncodingType");
+ // attempt to get the attribute in case it was qualified
+ // NYI: still need to check for all supported namespaces here
+ if (encodingType.length() == 0) {
+ encodingType = this.element.getAttributeNS(WSConstants.WSSE_NS, "EncodingType");
+ }
+ return encodingType;
}
/**
@@ -109,7 +134,11 @@
* @param encoding
*/
protected void setEncodingType(String encoding) {
- this.element.setAttributeNS(null, "EncodingType", encoding);
+ if (WSConstants.COMPLIANCE_MODE <= WSConstants.OASIS_2002_12) {
+ this.element.setAttributeNS(WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX + ":EncodingType", encoding);
+ } else {
+ this.element.setAttributeNS(null, "EncodingType", encoding);
+ }
}
/**
1.7 +12 -3 ws-fx/wss4j/src/org/apache/ws/security/message/token/X509Security.java
Index: X509Security.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/message/token/X509Security.java,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- X509Security.java 24 Mar 2004 19:22:49 -0000 1.6
+++ X509Security.java 14 May 2004 14:48:34 -0000 1.7
@@ -34,14 +34,23 @@
* @author Davanum Srinivas (dims@yahoo.com).
*/
public class X509Security extends BinarySecurity {
- public static final String TYPE = WSConstants.X509TOKEN_NS + "#X509v3";
-
+ public static String TYPE = null; // set later in a static block
+ public static final String X509_V3 = "X509v3";
+
/*
* Stores the associated X.509 Certificate. This saves numerous
* crypto loadCertificate operations
*/
private X509Certificate cachedCert = null;
+ static {
+ if (WSConstants.COMPLIANCE_MODE <= WSConstants.OASIS_2002_12) {
+ TYPE = WSConstants.WSSE_PREFIX + ":" + X509_V3;
+ } else {
+ TYPE = WSConstants.X509TOKEN_NS + "#" + X509_V3;
+ }
+ }
+
/**
* This constructor creates a new X509 certificate object and initializes
* it from the data containe in the element.
@@ -51,7 +60,7 @@
*/
public X509Security(Element elem) throws WSSecurityException {
super(elem);
- if (!getValueType().equals(TYPE)) {
+ if (!getValueType().endsWith(X509_V3)) {
throw new WSSecurityException(WSSecurityException.INVALID_SECURITY_TOKEN, "invalidValueType", new Object[]{TYPE, getValueType()});
}
}
1.11 +21 -6 ws-fx/wss4j/src/org/apache/ws/security/message/token/SecurityTokenReference.java
Index: SecurityTokenReference.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/message/token/SecurityTokenReference.java,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- SecurityTokenReference.java 24 Mar 2004 19:22:49 -0000 1.10
+++ SecurityTokenReference.java 14 May 2004 14:48:34 -0000 1.11
@@ -53,7 +53,7 @@
public static final QName TOKEN =
new QName(WSConstants.WSSE_NS, "SecurityTokenReference");
- public static final String SKI_URI = WSConstants.X509TOKEN_NS + "#X509SubjectKeyIdentifier";
+ public static final String SKI_URI = WSConstants.X509TOKEN_NS + "#X509SubjectKeyIdentifier";
protected Element element = null;
private XMLX509IssuerSerial issuerSerial = null;
private byte[] skiBytes = null;
@@ -190,8 +190,13 @@
Text certText = doc.createTextNode(Base64.encode(data));
Element keyId =
doc.createElementNS(WSConstants.WSSE_NS, "wsse:KeyIdentifier");
- keyId.setAttributeNS(null, "ValueType", X509Security.TYPE);
- keyId.setAttributeNS(null, "EncodingType", BinarySecurity.BASE64_ENCODING);
+ if (WSConstants.COMPLIANCE_MODE <= WSConstants.OASIS_2002_12) {
+ keyId.setAttributeNS(WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX + ":ValueType", X509Security.TYPE);
+ keyId.setAttributeNS(WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX + ":EncodingType", BinarySecurity.BASE64_ENCODING);
+ } else {
+ keyId.setAttributeNS(null, "ValueType", X509Security.TYPE);
+ keyId.setAttributeNS(null, "EncodingType", BinarySecurity.BASE64_ENCODING);
+ }
keyId.appendChild(certText);
Element elem = getFirstElement();
if (elem != null) {
@@ -215,8 +220,13 @@
org.w3c.dom.Text skiText = doc.createTextNode(Base64.encode(data));
Element keyId =
doc.createElementNS(WSConstants.WSSE_NS, "wsse:KeyIdentifier");
- keyId.setAttributeNS(null, "ValueType", SKI_URI);
- keyId.setAttributeNS(null, "EncodingType", BinarySecurity.BASE64_ENCODING);
+ if (WSConstants.COMPLIANCE_MODE <= WSConstants.OASIS_2002_12) {
+ keyId.setAttributeNS(WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX + ":ValueType", SKI_URI);
+ keyId.setAttributeNS(WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX + ":EncodingType", BinarySecurity.BASE64_ENCODING);
+ } else {
+ keyId.setAttributeNS(null, "ValueType", SKI_URI);
+ keyId.setAttributeNS(null, "EncodingType", BinarySecurity.BASE64_ENCODING);
+ }
keyId.appendChild(skiText);
Element elem = getFirstElement();
if (elem != null) {
@@ -237,7 +247,12 @@
X509Security token = null;
Element elem = getFirstElement();
String value = elem.getAttribute("ValueType");
- if (value.equals(X509Security.TYPE)) {
+ // attempt to get the attribute if it was qualified
+ // NYI iterate through all the possible namespaces
+ if (value.length() == 0) {
+ value = elem.getAttributeNS(WSConstants.WSSE_NS, "ValueType");
+ }
+ if (value.endsWith(X509Security.X509_V3)) {
token = new X509Security(elem);
if (token != null) {
X509Certificate cert = token.getX509Certificate(crypto);
1.6 +25 -13 ws-fx/wss4j/src/org/apache/ws/security/components/crypto/Crypto.java
Index: Crypto.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/components/crypto/Crypto.java,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- Crypto.java 13 May 2004 14:27:39 -0000 1.5
+++ Crypto.java 14 May 2004 14:48:34 -0000 1.6
@@ -126,19 +126,31 @@
*/
public String getAliasForX509Cert(String issuer, BigInteger serialNumber) throws WSSecurityException;
- /**
- * Lookup a X509 Certificate in the keystore according to a given
- * SubjectKeyIdentifier.
- * <p/>
- * The search gets all alias names of the keystore and gets the certificate chain
- * or certificate for each alias. Then the SKI for each user certificate
- * is compared with the SKI parameter.
- *
- * @param skiBytes The SKI info bytes
- * @return alias name of the certificate that matches serialNumber and issuer name
- * or null if no such certificate was found.
- */
- public String getAliasForX509Cert(byte[] skiBytes) throws WSSecurityException;
+ /**
+ * Lookup a X509 Certificate in the keystore according to a given
+ * SubjectKeyIdentifier.
+ * <p/>
+ * The search gets all alias names of the keystore and gets the certificate chain
+ * or certificate for each alias. Then the SKI for each user certificate
+ * is compared with the SKI parameter.
+ *
+ * @param skiBytes The SKI info bytes
+ * @return alias name of the certificate that matches serialNumber and issuer name
+ * or null if no such certificate was found.
+ */
+ public String getAliasForX509Cert(byte[] skiBytes) throws WSSecurityException;
+
+ /**
+ * Retrieves the alias name of the default certificate which has been
+ * specified as a property. This should be the certificate that is used for
+ * signature and encryption. This alias corresponds to the certificate that
+ * should be used whenever KeyInfo is not poresent in a signed or
+ * an encrypted message. May return null.
+ *
+ * @return alias name of the default X509 certificate.
+ */
+ public String getDefaultX509Alias();
+
/**
* Reads the SubjectKeyIdentifier information from the certificate.
* <p/>
1.18 +16 -0 ws-fx/wss4j/src/org/apache/ws/security/components/crypto/Merlin.java
Index: Merlin.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/components/crypto/Merlin.java,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- Merlin.java 13 May 2004 14:27:39 -0000 1.17
+++ Merlin.java 14 May 2004 14:48:34 -0000 1.18
@@ -422,6 +422,22 @@
}
/**
+ * Retrieves the alias name of the default certificate which has been
+ * specified as a property. This should be the certificate that is used for
+ * signature and encryption. This alias corresponds to the certificate that
+ * should be used whenever KeyInfo is not poresent in a signed or
+ * an encrypted message. May return null.
+ *
+ * @return alias name of the default X509 certificate
+ */
+ public String getDefaultX509Alias() {
+ if (properties == null) {
+ return null;
+ }
+ return properties.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias");
+ }
+
+ /**
* Gets the list of certificates for a given alias.
* <p/>
*