Posted to java-dev@axis.apache.org by "Marjorie Lindsey (JIRA)" <ji...@apache.org> on 2016/08/12 21:31:20 UTC
[jira] [Updated] (RAMPART-437) SHA256 not supported for
DigestAlgorithm for TransportBinding when specified correctly in policy.xml
[ https://issues.apache.org/jira/browse/RAMPART-437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marjorie Lindsey updated RAMPART-437:
-------------------------------------
Description:
TransportBinding does not honor SHA256 for the DigestAlgorithm when it is specified in policy.xml; the SignatureAlgorithm, however, does pick up SHA256. This is because org.apache.rampart.builder.TransportBindingBuilder.java never sets the digest algorithm, so the default, SHA1, is used. To correct this, add this line in 3 locations in this class:
sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
and add this line in 1 location in this class:
dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest());
Listed below is the entire class with the lines inserted for reference. Thank you.
/*
* =============================================================================
*
* Copyright (c) 2003-2013 Hewitt Associates, LLC.
* 100 Half Day Road, Lincolnshire, Illinois, 60069, U.S.A.
* All rights reserved.
*
* This program contains proprietary and confidential information and trade
* secrets of Hewitt Associates LLC. This program may not be duplicated,
* disclosed or provided to any third parties without the prior written consent
* of Hewitt Associates LLC. Disassembly or decompilation of the software and
* reverse engineering of the object code are prohibited.
*
* =============================================================================
*/
package org.apache.rampart.builder;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.context.MessageContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.RahasConstants;
import org.apache.rahas.TrustException;
import org.apache.rampart.RampartConstants;
import org.apache.rampart.RampartException;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.util.RampartUtil;
import org.apache.ws.secpolicy.SPConstants;
import org.apache.ws.secpolicy.model.AlgorithmSuite;
import org.apache.ws.secpolicy.model.Header;
import org.apache.ws.secpolicy.model.IssuedToken;
import org.apache.ws.secpolicy.model.SecureConversationToken;
import org.apache.ws.secpolicy.model.SignedEncryptedParts;
import org.apache.ws.secpolicy.model.SupportingToken;
import org.apache.ws.secpolicy.model.Token;
import org.apache.ws.secpolicy.model.UsernameToken;
import org.apache.ws.secpolicy.model.X509Token;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.message.*;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.xml.crypto.dsig.Reference;
/**
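* Builds the WS-Security header content for messages secured under a transport
* binding: an optional timestamp, the supporting tokens and their endorsing
* signatures on the initiator side, and a signature confirmation otherwise.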
*
* @hahistory 8/11/16 $author$ Initial creation.
* @since 1.0
*/
public class TransportBindingBuilder extends BindingBuilder
{
/**
* Class logger; carries the debug trace messages written while the header is built.
*
* @since 1.0
*/
private static Log log = LogFactory.getLog(TransportBindingBuilder.class);
/**
* Timing logger, obtained under the {@code RampartConstants.TIME_LOG} name. When its
* debug level is enabled, {@code build} reports how long the build took.
*
* @since 1.0
*/
private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);
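/**
* Builds the security header content for a message governed by a transport binding.
*
* <p>A timestamp is added when the policy asks for one. On the initiator side the
* signed, signed-endorsing, endorsing and plain supporting tokens are then processed,
* and the signature values collected on the way are stored in the message context
* under {@code WSHandlerConstants.SEND_SIGV}. On the other side a signature
* confirmation is added instead.
*
* @since 1.0
*
* @param rmd message data giving access to the policy, the document and the security
* header being built
*
* @throws RampartException if a signed supporting token is not a
* {@code UsernameToken}, or if one of the token or signature helpers fails
*/
public void build(RampartMessageData rmd) throws RampartException
{
    log.debug("TransportBindingBuilder build invoked");
    long t0 = 0, t1 = 0;
    if (tlog.isDebugEnabled())
    {
        // Start mark. The original assigned t1 here, which left t0 at 0 and made
        // the logged "duration" the absolute clock value instead of an interval.
        t0 = System.currentTimeMillis();
    }
    RampartPolicyData rpd = rmd.getPolicyData();
    if (rpd.isIncludeTimestamp())
    {
        addTimestamp(rmd);
    }
    /*
     * Process Supporting tokens
     */
    if (rmd.isInitiator())
    {
        List<byte[]> signatureValues = new ArrayList<byte[]>();
        SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
        if (
            (sgndSuppTokens != null) &&
            (sgndSuppTokens.getTokens() != null) &&
            (sgndSuppTokens.getTokens().size() > 0)
        )
        {
            log.debug("Processing signed supporting tokens");
            ArrayList tokens = sgndSuppTokens.getTokens();
            for (Object signedSupportingToken : tokens)
            {
                Token token = (Token)signedSupportingToken;
                if (token instanceof UsernameToken)
                {
                    WSSecUsernameToken utBuilder =
                        addUsernameToken(rmd, (UsernameToken)token);
                    utBuilder.prepare(rmd.getDocument());
                    //Add the UT
                    utBuilder.appendToHeader(rmd.getSecHeader());
                }
                else
                {
                    // Only username tokens are accepted as signed supporting
                    // tokens; anything else is rejected with its qualified name.
                    throw new RampartException(
                        "unsupportedSignedSupportingToken",
                        new String[]
                        {
                            "{" + token.getName().getNamespaceURI() + "}" +
                            token.getName().getLocalPart()
                        }
                    );
                }
            }
        }
        SupportingToken sgndEndSuppTokens =
            rpd.getSignedEndorsingSupportingTokens();
        if (
            (sgndEndSuppTokens != null) &&
            (sgndEndSuppTokens.getTokens() != null) &&
            (sgndEndSuppTokens.getTokens().size() > 0)
        )
        {
            log.debug("Processing endorsing signed supporting tokens");
            ArrayList tokens = sgndEndSuppTokens.getTokens();
            SignedEncryptedParts signdParts =
                sgndEndSuppTokens.getSignedParts();
            // NOTE(review): a token that is neither an IssuedToken nor an
            // X509Token is skipped here without an error or a log entry, so no
            // endorsing signature is produced for it - confirm this is intended.
            for (Object objectToken : tokens)
            {
                Token token = (Token)objectToken;
                if (token instanceof IssuedToken && rmd.isInitiator())
                {
                    signatureValues.add(
                        doIssuedTokenSignature(rmd, token, signdParts)
                    );
                }
                else if (token instanceof X509Token)
                {
                    signatureValues.add(
                        doX509TokenSignature(rmd, token, signdParts)
                    );
                }
            }
        }
        SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens();
        if (
            (endSupptokens != null) &&
            (endSupptokens.getTokens() != null) &&
            (endSupptokens.getTokens().size() > 0)
        )
        {
            log.debug("Processing endorsing supporting tokens");
            ArrayList tokens = endSupptokens.getTokens();
            SignedEncryptedParts signdParts =
                endSupptokens.getSignedParts();
            // Token types other than the three handled below are skipped silently.
            for (Object objectToken : tokens)
            {
                Token token = (Token)objectToken;
                if (token instanceof IssuedToken && rmd.isInitiator())
                {
                    signatureValues.add(
                        doIssuedTokenSignature(rmd, token, signdParts)
                    );
                }
                else if (token instanceof X509Token)
                {
                    signatureValues.add(
                        doX509TokenSignature(rmd, token, signdParts)
                    );
                }
                else if (token instanceof SecureConversationToken)
                {
                    handleSecureConversationTokens(
                        rmd, (SecureConversationToken)token
                    );
                    signatureValues.add(
                        doSecureConversationSignature(rmd, token, signdParts)
                    );
                }
            }
        }
        List<SupportingToken> supportingToks =
            rpd.getSupportingTokensList();
        for (SupportingToken supportingTok : supportingToks)
        {
            this.handleSupportingTokens(rmd, supportingTok);
        }
        //Store the signature values list
        rmd.getMsgContext()
            .setProperty(WSHandlerConstants.SEND_SIGV, signatureValues);
    }
    else
    {
        addSignatureConfirmation(rmd, null);
    }
    if (tlog.isDebugEnabled())
    {
        t1 = System.currentTimeMillis();
        tlog.debug("Transport binding build took " + (t1 - t0));
    }
}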
/**
* Appends an element as the last child of the security header element.
*
* @since 1.0
*
* @param secHeader security header whose element receives the new child
* @param appendingChild element to append
*/
private void appendToHeader(WSSecHeader secHeader, Element appendingChild)
{
    // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
    // but WSS4J has remove append methods. Need to find why ?
    secHeader.getSecurityHeader().appendChild(appendingChild);
}
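/**
* Signs the message with the secret of an issued token and returns the signature value.
*
* <p>The token is read from the token storage and imported into the security header
* when its inclusion value requires it. The signature is then produced either with a
* derived key ({@code WSSecDKSign}) or with the token secret used directly as a custom
* symmetric signing key ({@code WSSecSignature}). In both branches the digest
* algorithm is taken from the policy's algorithm suite, so the reference digests
* follow the policy instead of the library default.
*
* @param rmd message data giving access to the policy, document, token storage and
* security header
* @param token the policy token; it is cast to {@code IssuedToken} for the lookup
* @param signdParts signed parts declared with the supporting token, may be
* {@code null}
*
* @return the computed signature value
*
* @throws RampartException if the token cannot be read from the storage or the
* signature cannot be computed
*/
private byte[] doIssuedTokenSignature(
    RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
) throws RampartException
{
    RampartPolicyData rpd = rmd.getPolicyData();
    Document doc = rmd.getDocument();
    //Get the issued token
    String id = RampartUtil.getIssuedToken(rmd, (IssuedToken)token);
    int inclusion = token.getInclusion();
    org.apache.rahas.Token tok = null;
    try
    {
        tok = rmd.getTokenStorage().getToken(id);
    }
    catch (TrustException e)
    {
        throw new RampartException(
            "errorExtractingToken", new String[] {id}, e
        );
    }
    boolean tokenIncluded = false;
    if (
        (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) ||
        (
            (
                (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT) ||
                (inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
            ) && rmd.isInitiator()
        )
    )
    {
        //Add the token
        rmd.getSecHeader()
            .getSecurityHeader()
            .appendChild(doc.importNode((Element)tok.getToken(), true));
        tokenIncluded = true;
    }
    // Collect everything the signature has to cover.
    List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
    if (this.timestampElement != null)
    {
        sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
    }
    if (rpd.isTokenProtection() && tokenIncluded)
    {
        sigParts.add(new WSEncryptionPart(id));
    }
    if (signdParts != null)
    {
        if (signdParts.isBody())
        {
            SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
            sigParts.add(
                new WSEncryptionPart(
                    RampartUtil.addWsuIdToElement(env.getBody())
                )
            );
        }
        ArrayList headers = signdParts.getHeaders();
        for (Object signedHeader : headers)
        {
            Header header = (Header)signedHeader;
            sigParts.add(
                new WSEncryptionPart(
                    header.getName(), header.getNamespace(), "Content"
                )
            );
        }
    }
    //check for derived keys
    AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
    if (token.isDerivedKeys())
    {
        //Create a derived key and add
        try
        {
            //Do Signature with derived keys
            WSSecDKSign dkSign = new WSSecDKSign();
            // Setting the AttachedReference or the UnattachedReference according to the flag
            OMElement ref;
            if (tokenIncluded)
            {
                ref = tok.getAttachedReference();
            }
            else
            {
                ref = tok.getUnattachedReference();
            }
            if (ref != null)
            {
                dkSign.setExternalKey(
                    tok.getSecret(),
                    (Element)doc.importNode((Element)ref, true)
                );
            }
            else
            {
                dkSign.setExternalKey(tok.getSecret(), tok.getId());
            }
            //Set the algo info
            dkSign.setSignatureAlgorithm(
                algorithmSuite.getSymmetricSignature()
            );
            // The derived-key branch did not set the digest at all, so it kept
            // the default even when the policy names a stronger suite. Take the
            // digest from the policy here, as the non-derived branch does.
            dkSign.setDigestAlgorithm(algorithmSuite.getDigest());
            // NOTE(review): doX509TokenSignature divides this value by 8 before
            // passing it on - confirm which unit setDerivedKeyLength expects.
            dkSign.setDerivedKeyLength(
                algorithmSuite.getSignatureDerivedKeyLength()
            );
            dkSign.prepare(doc);
            /*
             * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
             * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
             * elements. (As a convention)
             */
            dkSign.appendDKElementToHeader(rmd.getSecHeader());
            dkSign.setParts(sigParts);
            List<Reference> referenceList =
                dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
            //Do signature
            dkSign.computeSignature(referenceList, false, null);
            // TODO verify before migration - dkSign.appendSigToHeader(rmd.getSecHeader())
            // this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());
            return dkSign.getSignatureValue();
        }
        catch (ConversationException e)
        {
            throw new RampartException(
                "errorInDerivedKeyTokenSignature", e
            );
        }
        catch (WSSecurityException e)
        {
            throw new RampartException(
                "errorInDerivedKeyTokenSignature", e
            );
        }
    }
    else
    {
        try
        {
            WSSecSignature sig = new WSSecSignature();
            sig.setWsConfig(rmd.getConfig());
            // Drop a leading '#' from the stored id; startsWith also copes with
            // an empty id, where charAt(0) would throw.
            String tokId = tok.getId();
            if (tokId.startsWith("#"))
            {
                tokId = tokId.substring(1);
            }
            sig.setCustomTokenId(tokId);
            sig.setCustomTokenValueType(
                RampartUtil.getSAML10AssertionNamespace()
            );
            sig.setSecretKey(tok.getSecret());
            // The key is the token secret (CUSTOM_SYMM_SIGNING below), so only
            // the symmetric signature algorithm applies. The original set the
            // asymmetric one first and overwrote it on the next statement.
            sig.setSignatureAlgorithm(
                algorithmSuite.getSymmetricSignature()
            );
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
            sig.prepare(
                rmd.getDocument(),
                RampartUtil.getSignatureCrypto(
                    rpd.getRampartConfig(), rmd.getCustomClassLoader()
                ),
                rmd.getSecHeader()
            );
            sig.setParts(sigParts);
            // Digest for the references comes from the policy's algorithm suite.
            sig.setDigestAlgo(algorithmSuite.getDigest());
            List<Reference> referenceList =
                sig.addReferencesToSign(sigParts, rmd.getSecHeader());
            //Do signature
            sig.computeSignature(referenceList);
            //Add elements to header
            this.setInsertionLocation(
                RampartUtil.insertSiblingAfter(
                    rmd, this.getInsertionLocation(),
                    sig.getSignatureElement()
                )
            );
            return sig.getSignatureValue();
        }
        catch (WSSecurityException e)
        {
            throw new RampartException(
                "errorInSignatureWithACustomToken", e
            );
        }
    }
}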
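/**
* Signs the message with the secret of the current secure conversation token and
* returns the signature value.
*
* <p>The token is read from the token storage under the id held in the message data
* and imported into the security header when its inclusion value requires it. The
* signature is then produced either with a derived key ({@code WSSecDKSign}) or with
* the token secret used directly as a custom symmetric signing key
* ({@code WSSecSignature}). In both branches the digest algorithm is taken from the
* policy's algorithm suite.
*
* @since 1.0
*
* @param rmd message data giving access to the policy, document, token storage and
* security header
* @param token the policy token; its inclusion value and derived-key flag are read
* @param signdParts signed parts declared with the supporting token, may be
* {@code null}
*
* @return the computed signature value
*
* @throws RampartException if the token cannot be read from the storage or the
* signature cannot be computed
*/
private byte[] doSecureConversationSignature(
    RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
) throws RampartException
{
    RampartPolicyData rpd = rmd.getPolicyData();
    Document doc = rmd.getDocument();
    //Get the secure conversation token
    String id = rmd.getSecConvTokenId();
    int inclusion = token.getInclusion();
    org.apache.rahas.Token tok = null;
    try
    {
        tok = rmd.getTokenStorage().getToken(id);
    }
    catch (TrustException e)
    {
        throw new RampartException(
            "errorExtractingToken", new String[] {id}, e
        );
    }
    boolean tokenIncluded = false;
    if (
        (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) ||
        (
            (
                (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT) ||
                (inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
            ) && rmd.isInitiator()
        )
    )
    {
        //Add the token
        rmd.getSecHeader()
            .getSecurityHeader()
            .appendChild(doc.importNode((Element)tok.getToken(), true));
        tokenIncluded = true;
    }
    // Collect everything the signature has to cover.
    List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
    if (this.timestampElement != null)
    {
        sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
    }
    if (rpd.isTokenProtection() && tokenIncluded)
    {
        sigParts.add(new WSEncryptionPart(id));
    }
    if (signdParts != null)
    {
        if (signdParts.isBody())
        {
            SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
            sigParts.add(
                new WSEncryptionPart(
                    RampartUtil.addWsuIdToElement(env.getBody())
                )
            );
        }
        ArrayList headers = signdParts.getHeaders();
        for (Object objectHeader : headers)
        {
            Header header = (Header)objectHeader;
            sigParts.add(
                new WSEncryptionPart(
                    header.getName(), header.getNamespace(), "Content"
                )
            );
        }
    }
    //check for derived keys
    AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
    if (token.isDerivedKeys())
    {
        //Create a derived key and add
        try
        {
            //Do Signature with derived keys
            WSSecDKSign dkSign = new WSSecDKSign();
            // Setting the AttachedReference or the UnattachedReference according to the flag
            OMElement ref;
            if (tokenIncluded)
            {
                ref = tok.getAttachedReference();
            }
            else
            {
                ref = tok.getUnattachedReference();
            }
            if (ref != null)
            {
                dkSign.setExternalKey(
                    tok.getSecret(),
                    (Element)doc.importNode((Element)ref, true)
                );
            }
            else
            {
                dkSign.setExternalKey(tok.getSecret(), tok.getId());
            }
            //Set the algo info
            dkSign.setSignatureAlgorithm(
                algorithmSuite.getSymmetricSignature()
            );
            // The derived-key branch did not set the digest at all, so it kept
            // the default even when the policy names a stronger suite. Take the
            // digest from the policy here, as the non-derived branch does.
            dkSign.setDigestAlgorithm(algorithmSuite.getDigest());
            // NOTE(review): doX509TokenSignature divides this value by 8 before
            // passing it on - confirm which unit setDerivedKeyLength expects.
            dkSign.setDerivedKeyLength(
                algorithmSuite.getSignatureDerivedKeyLength()
            );
            dkSign.prepare(doc);
            /*
             * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
             * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
             * elements. (As a convention)
             */
            dkSign.appendDKElementToHeader(rmd.getSecHeader());
            dkSign.setParts(sigParts);
            List<Reference> referenceList =
                dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
            //Do signature
            dkSign.computeSignature(referenceList, false, null);
            //this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());
            return dkSign.getSignatureValue();
        }
        catch (ConversationException e)
        {
            throw new RampartException(
                "errorInDerivedKeyTokenSignature", e
            );
        }
        catch (WSSecurityException e)
        {
            throw new RampartException(
                "errorInDerivedKeyTokenSignature", e
            );
        }
    }
    else
    {
        try
        {
            WSSecSignature sig = new WSSecSignature();
            sig.setWsConfig(rmd.getConfig());
            // NOTE(review): the first character of the id is dropped without
            // checking that it is '#', unlike doIssuedTokenSignature - confirm
            // that stored secure conversation token ids always start with '#'.
            sig.setCustomTokenId(tok.getId().substring(1));
            sig.setCustomTokenValueType(
                RampartUtil.getSAML10AssertionNamespace()
            );
            sig.setSecretKey(tok.getSecret());
            // The key is the token secret (CUSTOM_SYMM_SIGNING below), so only
            // the symmetric signature algorithm applies. The original set the
            // asymmetric one first and overwrote it on the next statement.
            sig.setSignatureAlgorithm(
                algorithmSuite.getSymmetricSignature()
            );
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
            sig.prepare(
                rmd.getDocument(),
                RampartUtil.getSignatureCrypto(
                    rpd.getRampartConfig(), rmd.getCustomClassLoader()
                ),
                rmd.getSecHeader()
            );
            sig.setParts(sigParts);
            // Digest for the references comes from the policy's algorithm suite.
            sig.setDigestAlgo(algorithmSuite.getDigest());
            List<Reference> referenceList =
                sig.addReferencesToSign(sigParts, rmd.getSecHeader());
            //Do signature
            sig.computeSignature(
                referenceList, false, this.getInsertionLocation()
            );
            //Add elements to header
            this.setInsertionLocation(sig.getSignatureElement());
            return sig.getSignatureValue();
        }
        catch (WSSecurityException e)
        {
            throw new RampartException(
                "errorInSignatureWithACustomToken", e
            );
        }
    }
}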
/**
* Produces the endorsing signature for an X.509 token and returns its value.
*
* <p>The parts to sign are the timestamp (when one was added), the SOAP body and the
* headers named in {@code signdParts}. Without derived keys the signature builder
* obtained from {@code getSignatureBuilder} signs directly. With derived keys an
* encrypted key is added to the header first and its ephemeral key becomes the parent
* of the derived signing key. Both branches take the digest algorithm from the
* policy's algorithm suite.
*
* @param rmd message data giving access to the policy, document and security header
* @param token the X.509 policy token; its derived-key flag and inclusion value are
* read
* @param signdParts signed parts declared with the supporting token, may be
* {@code null}
*
* @return the computed signature value
*
* @throws RampartException if building the key or computing the signature fails
*/
private byte[] doX509TokenSignature(
    RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
) throws RampartException
{
    RampartPolicyData rpd = rmd.getPolicyData();
    Document doc = rmd.getDocument();
    List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
    if (this.timestampElement != null)
    {
        sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
    }
    if (signdParts != null)
    {
        if (signdParts.isBody())
        {
            SOAPEnvelope envelope = rmd.getMsgContext().getEnvelope();
            String bodyId = RampartUtil.addWsuIdToElement(envelope.getBody());
            sigParts.add(new WSEncryptionPart(bodyId));
        }
        ArrayList headers = signdParts.getHeaders();
        for (Object headerEntry : headers)
        {
            Header header = (Header)headerEntry;
            sigParts.add(
                new WSEncryptionPart(
                    header.getName(), header.getNamespace(), "Content"
                )
            );
        }
    }
    if (!token.isDerivedKeys())
    {
        // Direct signature with the builder prepared for this token.
        try
        {
            WSSecSignature sig = this.getSignatureBuilder(rmd, token);
            sig.appendBSTElementToHeader(rmd.getSecHeader());
            boolean tokenInMessage =
                SPConstants.INCLUDE_TOKEN_NEVER != token.getInclusion();
            if (rpd.isTokenProtection() && tokenInMessage)
            {
                sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
            }
            // Digest for the references comes from the policy's algorithm suite.
            sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
            List<Reference> references =
                sig.addReferencesToSign(sigParts, rmd.getSecHeader());
            // TODO changed the order - verify
            // Compute signature and append to the header
            sig.computeSignature(references, false, null);
            return sig.getSignatureValue();
        }
        catch (WSSecurityException e)
        {
            throw new RampartException("errorInSignatureWithX509Token", e);
        }
    }
    //In this case we will have to encrypt the ephemeral key with the
    //other party's key and then use it as the parent key of the
    // derived keys
    try
    {
        WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(rmd, token);
        Element bstElem = encrKey.getBinarySecurityTokenElement();
        if (bstElem != null)
        {
            RampartUtil.appendChildToSecHeader(rmd, bstElem);
        }
        // Add <xenc:EncryptedKey Id="EncKeyId-E67B75302ACB3BEDF313277587471272">..</xenc:EncryptedKey>
        // to security header.
        encrKey.appendToHeader(rmd.getSecHeader());
        WSSecDKSign dkSig = new WSSecDKSign();
        dkSig.setWsConfig(rmd.getConfig());
        dkSig.setSigCanonicalization(
            rpd.getAlgorithmSuite().getInclusiveC14n()
        );
        dkSig.setSignatureAlgorithm(
            rpd.getAlgorithmSuite().getSymmetricSignature()
        );
        dkSig.setDerivedKeyLength(
            rpd.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8
        );
        // Add a reference to encrypted key in the derived key
        dkSig.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
        dkSig.prepare(doc, rmd.getSecHeader());
        if (rpd.isTokenProtection())
        {
            sigParts.add(new WSEncryptionPart(encrKey.getBSTTokenId()));
        }
        dkSig.setParts(sigParts);
        // Digest for the references comes from the policy's algorithm suite.
        dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest());
        List<Reference> references =
            dkSig.addReferencesToSign(sigParts, rmd.getSecHeader());
        /*
         * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
         * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
         * elements. (As a convention)
         */
        dkSig.appendDKElementToHeader(rmd.getSecHeader());
        //Do signature and append to the security header
        dkSig.computeSignature(references, false, null);
        // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
        // but WSS4J has remove append methods. Need to find why ?
        //this.appendToHeader(rmd.getSecHeader(), dkSig.getSignatureElement());
        return dkSig.getSignatureValue();
    }
    catch (WSSecurityException e)
    {
        throw new RampartException(
            "errorInDerivedKeyTokenSignature", e
        );
    }
    catch (ConversationException e)
    {
        throw new RampartException(
            "errorInDerivedKeyTokenSignature", e
        );
    }
}
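/**
* Makes sure a usable secure conversation token id is set on the message data.
*
* <p>When the message action is a cancel request or response and a token id is
* present, the stored token is marked as cancelled, its id is recorded in the message
* context under {@code RampartMessageData.SCT_ID}, and the entry is removed from the
* context map. When no token id is present, or the token is not valid and the message
* is not a cancel message, a new token is requested and its id is stored on
* {@code rmd}.
*
* @since 1.0
*
* @param rmd message data holding the current token id, token storage and message
* context
* @param secConvTok policy assertion passed on when a new token is requested
*
* @throws RampartException if the stored token cannot be read or a new token cannot
* be obtained
*/
private void handleSecureConversationTokens(
    RampartMessageData rmd, SecureConversationToken secConvTok
) throws RampartException
{
    MessageContext msgContext = rmd.getMsgContext();
    String secConvTokenId = rmd.getSecConvTokenId();
    //The RSTR has to be secured with the cancelled token
    String action = msgContext.getOptions().getAction();
    // A message without an action is treated as "not a cancel message" instead of
    // failing with a NullPointerException on the comparison.
    // NOTE(review): the original listed each of the two comparisons twice with the
    // same WST_NS_05_02 namespace; the duplicates may have been meant for another
    // WS-Trust namespace version - confirm.
    boolean cancelReqResp =
        (action != null) &&
        (
            action.equals(
                RahasConstants.WST_NS_05_02 +
                RahasConstants.RSTR_ACTION_CANCEL_SCT
            ) ||
            action.equals(
                RahasConstants.WST_NS_05_02 +
                RahasConstants.RST_ACTION_CANCEL_SCT
            )
        );
    //In the case of the cancel req or resp we should mark the token as cancelled
    if ((secConvTokenId != null) && cancelReqResp)
    {
        try
        {
            rmd.getTokenStorage()
                .getToken(secConvTokenId)
                .setState(org.apache.rahas.Token.CANCELLED);
            msgContext.setProperty(
                RampartMessageData.SCT_ID, secConvTokenId
            );
            //remove from the local map of contexts
            String contextIdentifierKey =
                RampartUtil.getContextIdentifierKey(msgContext);
            RampartUtil.getContextMap(msgContext)
                .remove(contextIdentifierKey);
        }
        catch (TrustException e)
        {
            throw new RampartException("errorExtractingToken", e);
        }
    }
    // The validity check only runs when an id is present, because of the
    // short-circuit on the null test.
    if (
        (secConvTokenId == null) ||
        (
            !RampartUtil.isTokenValid(rmd, secConvTokenId) &&
            !cancelReqResp
        )
    )
    {
        log.debug(
            "No SecureConversationToken found, requesting a new token"
        );
        try
        {
            secConvTokenId = RampartUtil.getSecConvToken(rmd, secConvTok);
            rmd.setSecConvTokenId(secConvTokenId);
        }
        catch (TrustException e)
        {
            throw new RampartException("errorInObtainingSct", e);
        }
    }
    /* org.apache.rahas.Token token;
    try {
    token = rmd.getTokenStorage().getToken(secConvTokenId);
    } catch (TrustException e) {
    throw new RampartException("errorExtractingToken", e);
    }
    //Add the token to the header
    Element siblingElem = RampartUtil
    .insertSiblingAfter(rmd, this.getInsertionLocation(),
    (Element) token.getToken());
    this.setInsertionLocation(siblingElem);*/
}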
}
This is the policy.xml being used:
<wsp:Policy wsu:Id="WSHttpBinding_ISecureService_policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256Sha256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
<sp:SignedParts>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
</sp:SignedParts>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
<sp:MustSupportRefThumbprint />
<sp:MustSupportRefEncryptedKey />
</wsp:Policy>
</sp:Wss11>
<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens />
<sp:RequireClientEntropy />
<sp:RequireServerEntropy />
</wsp:Policy>
</sp:Trust10>
<wsaw:UsingAddressing />
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>aliasName</ramp:user>
<ramp:passwordCallbackClass>com.test.hro.benefits.fndt.security.ClientPasswordCallback</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto provider="com.test.hro.benefits.fndt.security.HAWebServicesCrypto">
<ramp:property name="org.apache.ws.security.crypto.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.keystore.path">keys/KeyStore</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
was:
TransportBinding is not recognizing SHA256 when specified in the policy.xml on the DigestAlgorithm. SignatureAlgorithm however is recognizing SHA256. This is because org.apache.rampart.builder.TransportBindingBuilder.java is not setting the digestAlgorithm, and thus using the default of SHA1. To correct this, add this line in 3 locations in this class:
sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
and add this line in 1 location in this class:
dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest());
Listed below is the entire class with the lines inserted for reference. Thank you.
/*
* =============================================================================
*
* Copyright (c) 2003-2013 Hewitt Associates, LLC.
* 100 Half Day Road, Lincolnshire, Illinois, 60069, U.S.A.
* All rights reserved.
*
* This program contains proprietary and confidential information and trade
* secrets of Hewitt Associates LLC. This program may not be duplicated,
* disclosed or provided to any third parties without the prior written consent
* of Hewitt Associates LLC. Disassembly or decompilation of the software and
* reverse engineering of the object code are prohibited.
*
* =============================================================================
*/
package org.apache.rampart.builder;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.context.MessageContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.RahasConstants;
import org.apache.rahas.TrustException;
import org.apache.rampart.RampartConstants;
import org.apache.rampart.RampartException;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.util.RampartUtil;
import org.apache.ws.secpolicy.SPConstants;
import org.apache.ws.secpolicy.model.AlgorithmSuite;
import org.apache.ws.secpolicy.model.Header;
import org.apache.ws.secpolicy.model.IssuedToken;
import org.apache.ws.secpolicy.model.SecureConversationToken;
import org.apache.ws.secpolicy.model.SignedEncryptedParts;
import org.apache.ws.secpolicy.model.SupportingToken;
import org.apache.ws.secpolicy.model.Token;
import org.apache.ws.secpolicy.model.UsernameToken;
import org.apache.ws.secpolicy.model.X509Token;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.message.*;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.xml.crypto.dsig.Reference;
/**
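* Builds the WS-Security header content for messages secured under a transport
* binding: an optional timestamp, the supporting tokens and their endorsing
* signatures on the initiator side, and a signature confirmation otherwise.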
*
* @hahistory 8/11/16 $author$ Initial creation.
* @since 1.0
*/
public class TransportBindingBuilder extends BindingBuilder
{
/**
* Class logger; carries the debug trace messages written while the header is built.
*
* @since 1.0
*/
private static Log log = LogFactory.getLog(TransportBindingBuilder.class);
/**
* Timing logger, obtained under the {@code RampartConstants.TIME_LOG} name. When its
* debug level is enabled, {@code build} reports how long the build took.
*
* @since 1.0
*/
private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);
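/**
* Builds the security header content for a message governed by a transport binding.
*
* <p>A timestamp is added when the policy asks for one. On the initiator side the
* signed, signed-endorsing, endorsing and plain supporting tokens are then processed,
* and the signature values collected on the way are stored in the message context
* under {@code WSHandlerConstants.SEND_SIGV}. On the other side a signature
* confirmation is added instead.
*
* @since 1.0
*
* @param rmd message data giving access to the policy, the document and the security
* header being built
*
* @throws RampartException if a signed supporting token is not a
* {@code UsernameToken}, or if one of the token or signature helpers fails
*/
public void build(RampartMessageData rmd) throws RampartException
{
    log.debug("TransportBindingBuilder build invoked");
    long t0 = 0, t1 = 0;
    if (tlog.isDebugEnabled())
    {
        // Start mark. The original assigned t1 here, which left t0 at 0 and made
        // the logged "duration" the absolute clock value instead of an interval.
        t0 = System.currentTimeMillis();
    }
    RampartPolicyData rpd = rmd.getPolicyData();
    if (rpd.isIncludeTimestamp())
    {
        addTimestamp(rmd);
    }
    /*
     * Process Supporting tokens
     */
    if (rmd.isInitiator())
    {
        List<byte[]> signatureValues = new ArrayList<byte[]>();
        SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
        if (
            (sgndSuppTokens != null) &&
            (sgndSuppTokens.getTokens() != null) &&
            (sgndSuppTokens.getTokens().size() > 0)
        )
        {
            log.debug("Processing signed supporting tokens");
            ArrayList tokens = sgndSuppTokens.getTokens();
            for (Object signedSupportingToken : tokens)
            {
                Token token = (Token)signedSupportingToken;
                if (token instanceof UsernameToken)
                {
                    WSSecUsernameToken utBuilder =
                        addUsernameToken(rmd, (UsernameToken)token);
                    utBuilder.prepare(rmd.getDocument());
                    //Add the UT
                    utBuilder.appendToHeader(rmd.getSecHeader());
                }
                else
                {
                    // Only username tokens are accepted as signed supporting
                    // tokens; anything else is rejected with its qualified name.
                    throw new RampartException(
                        "unsupportedSignedSupportingToken",
                        new String[]
                        {
                            "{" + token.getName().getNamespaceURI() + "}" +
                            token.getName().getLocalPart()
                        }
                    );
                }
            }
        }
        SupportingToken sgndEndSuppTokens =
            rpd.getSignedEndorsingSupportingTokens();
        if (
            (sgndEndSuppTokens != null) &&
            (sgndEndSuppTokens.getTokens() != null) &&
            (sgndEndSuppTokens.getTokens().size() > 0)
        )
        {
            log.debug("Processing endorsing signed supporting tokens");
            ArrayList tokens = sgndEndSuppTokens.getTokens();
            SignedEncryptedParts signdParts =
                sgndEndSuppTokens.getSignedParts();
            // NOTE(review): a token that is neither an IssuedToken nor an
            // X509Token is skipped here without an error or a log entry, so no
            // endorsing signature is produced for it - confirm this is intended.
            for (Object objectToken : tokens)
            {
                Token token = (Token)objectToken;
                if (token instanceof IssuedToken && rmd.isInitiator())
                {
                    signatureValues.add(
                        doIssuedTokenSignature(rmd, token, signdParts)
                    );
                }
                else if (token instanceof X509Token)
                {
                    signatureValues.add(
                        doX509TokenSignature(rmd, token, signdParts)
                    );
                }
            }
        }
        SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens();
        if (
            (endSupptokens != null) &&
            (endSupptokens.getTokens() != null) &&
            (endSupptokens.getTokens().size() > 0)
        )
        {
            log.debug("Processing endorsing supporting tokens");
            ArrayList tokens = endSupptokens.getTokens();
            SignedEncryptedParts signdParts =
                endSupptokens.getSignedParts();
            // Token types other than the three handled below are skipped silently.
            for (Object objectToken : tokens)
            {
                Token token = (Token)objectToken;
                if (token instanceof IssuedToken && rmd.isInitiator())
                {
                    signatureValues.add(
                        doIssuedTokenSignature(rmd, token, signdParts)
                    );
                }
                else if (token instanceof X509Token)
                {
                    signatureValues.add(
                        doX509TokenSignature(rmd, token, signdParts)
                    );
                }
                else if (token instanceof SecureConversationToken)
                {
                    handleSecureConversationTokens(
                        rmd, (SecureConversationToken)token
                    );
                    signatureValues.add(
                        doSecureConversationSignature(rmd, token, signdParts)
                    );
                }
            }
        }
        List<SupportingToken> supportingToks =
            rpd.getSupportingTokensList();
        for (SupportingToken supportingTok : supportingToks)
        {
            this.handleSupportingTokens(rmd, supportingTok);
        }
        //Store the signature values list
        rmd.getMsgContext()
            .setProperty(WSHandlerConstants.SEND_SIGV, signatureValues);
    }
    else
    {
        addSignatureConfirmation(rmd, null);
    }
    if (tlog.isDebugEnabled())
    {
        t1 = System.currentTimeMillis();
        tlog.debug("Transport binding build took " + (t1 - t0));
    }
}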
/**
* Appends an element as the last child of the security header element.
*
* @since 1.0
*
* @param secHeader security header whose element receives the new child
* @param appendingChild element to append
*/
private void appendToHeader(WSSecHeader secHeader, Element appendingChild)
{
    // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
    // but WSS4J has remove append methods. Need to find why ?
    secHeader.getSecurityHeader().appendChild(appendingChild);
}
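/**
 * Signs the message with the secret of an issued token and returns the
 * signature value.
 *
 * <p>The issued token is loaded from the token storage and, when the token's
 * inclusion setting asks for it, imported into the security header. The parts
 * signed are the timestamp (when one is present), the token itself (when token
 * protection is enabled and the token was included), and the body and headers
 * selected by {@code signdParts}. Both signing paths (derived key and direct)
 * take the digest algorithm from the policy's algorithm suite.
 *
 * @param rmd message data giving access to the policy, document, security
 *            header and token storage
 * @param token policy token; cast to {@link IssuedToken} to resolve the token id
 * @param signdParts body/headers to sign; may be {@code null}, in which case
 *            only the timestamp and (optionally) the token are signed
 *
 * @return the computed signature value
 *
 * @throws RampartException if the token cannot be read from the token storage
 *             or the signature cannot be produced
 */
private byte[] doIssuedTokenSignature(
    RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
) throws RampartException {
    RampartPolicyData rpd = rmd.getPolicyData();
    Document doc = rmd.getDocument();

    // Resolve the issued token id and load the token from storage.
    String id = RampartUtil.getIssuedToken(rmd, (IssuedToken) token);
    int inclusion = token.getInclusion();
    org.apache.rahas.Token tok = null;
    try {
        tok = rmd.getTokenStorage().getToken(id);
    } catch (TrustException e) {
        throw new RampartException("errorExtractingToken", new String[] {id}, e);
    }

    // The token goes into the header when it must always be included, or when
    // this side is the initiator and the policy asks for inclusion towards the
    // recipient / once.
    boolean tokenIncluded = false;
    if (
        (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS)
        || (
            (
                (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT)
                || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
            ) && rmd.isInitiator()
        )
    ) {
        rmd.getSecHeader()
            .getSecurityHeader()
            .appendChild(doc.importNode((Element) tok.getToken(), true));
        tokenIncluded = true;
    }

    // Collect the parts covered by the signature.
    List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
    if (this.timestampElement != null) {
        sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
    }
    if (rpd.isTokenProtection() && tokenIncluded) {
        sigParts.add(new WSEncryptionPart(id));
    }
    if (signdParts != null) {
        if (signdParts.isBody()) {
            SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
            sigParts.add(
                new WSEncryptionPart(RampartUtil.addWsuIdToElement(env.getBody()))
            );
        }
        ArrayList headers = signdParts.getHeaders();
        for (Object signedHeader : headers) {
            Header header = (Header) signedHeader;
            sigParts.add(
                new WSEncryptionPart(
                    header.getName(), header.getNamespace(), "Content"
                )
            );
        }
    }

    AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
    if (token.isDerivedKeys()) {
        // Sign with a key derived from the token secret.
        try {
            WSSecDKSign dkSign = new WSSecDKSign();

            // Reference the token by its attached or unattached reference,
            // depending on whether the token was put into the header.
            OMElement ref;
            if (tokenIncluded) {
                ref = tok.getAttachedReference();
            } else {
                ref = tok.getUnattachedReference();
            }
            if (ref != null) {
                dkSign.setExternalKey(
                    tok.getSecret(),
                    (Element) doc.importNode((Element) ref, true)
                );
            } else {
                dkSign.setExternalKey(tok.getSecret(), tok.getId());
            }

            dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
            // NOTE(review): doX509TokenSignature divides this value by 8
            // before passing it to setDerivedKeyLength; here it is passed
            // undivided. Confirm which unit WSSecDKSign expects.
            dkSign.setDerivedKeyLength(
                algorithmSuite.getSignatureDerivedKeyLength()
            );
            dkSign.prepare(doc);

            // Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to the security
            // header: by convention just after the Encrypted Key and just
            // before the <Signature>..</Signature> elements.
            dkSign.appendDKElementToHeader(rmd.getSecHeader());
            dkSign.setParts(sigParts);
            // Take the digest from the policy's algorithm suite. The direct
            // signing path below already does this; without it the derived-key
            // path keeps the library default (SHA1 according to RAMPART-437)
            // even when the policy asks for a stronger digest.
            dkSign.setDigestAlgorithm(algorithmSuite.getDigest());
            List<Reference> referenceList =
                dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());

            dkSign.computeSignature(referenceList, false, null);
            // TODO verify before migration - dkSign.appendSigToHeader(rmd.getSecHeader())
            // this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());
            return dkSign.getSignatureValue();
        } catch (ConversationException e) {
            throw new RampartException("errorInDerivedKeyTokenSignature", e);
        } catch (WSSecurityException e) {
            throw new RampartException("errorInDerivedKeyTokenSignature", e);
        }
    } else {
        // Sign directly with the token secret.
        try {
            WSSecSignature sig = new WSSecSignature();
            sig.setWsConfig(rmd.getConfig());

            // Drop a leading '#' from the token id; startsWith also copes with
            // an empty id, where charAt(0) would throw.
            String tokId = tok.getId();
            if (tokId.startsWith("#")) {
                tokId = tokId.substring(1);
            }
            sig.setCustomTokenId(tokId);
            sig.setCustomTokenValueType(
                RampartUtil.getSAML10AssertionNamespace()
            );
            sig.setSecretKey(tok.getSecret());
            // The key is a shared secret (CUSTOM_SYMM_SIGNING), so the
            // symmetric signature algorithm applies. An earlier call that set
            // the asymmetric algorithm was overwritten by this one and has
            // been dropped.
            sig.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
            sig.prepare(
                rmd.getDocument(),
                RampartUtil.getSignatureCrypto(
                    rpd.getRampartConfig(), rmd.getCustomClassLoader()
                ),
                rmd.getSecHeader()
            );
            sig.setParts(sigParts);
            // Digest from the policy's algorithm suite (RAMPART-437).
            sig.setDigestAlgo(algorithmSuite.getDigest());
            List<Reference> referenceList =
                sig.addReferencesToSign(sigParts, rmd.getSecHeader());

            sig.computeSignature(referenceList);

            // Insert the signature after the current insertion point and make
            // it the new insertion point.
            this.setInsertionLocation(
                RampartUtil.insertSiblingAfter(
                    rmd, this.getInsertionLocation(), sig.getSignatureElement()
                )
            );
            return sig.getSignatureValue();
        } catch (WSSecurityException e) {
            throw new RampartException("errorInSignatureWithACustomToken", e);
        }
    }
}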
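/**
 * Signs the message with the secret of the current secure conversation token
 * and returns the signature value.
 *
 * <p>The token is loaded from the token storage using the secure conversation
 * token id held in {@code rmd} and, when the token's inclusion setting asks for
 * it, imported into the security header. The parts signed are the timestamp
 * (when one is present), the token itself (when token protection is enabled
 * and the token was included), and the body and headers selected by
 * {@code signdParts}. Both signing paths (derived key and direct) take the
 * digest algorithm from the policy's algorithm suite.
 *
 * @since 1.0
 *
 * @param rmd message data giving access to the policy, document, security
 *            header and token storage
 * @param token policy token describing inclusion and derived-key use
 * @param signdParts body/headers to sign; may be {@code null}
 *
 * @return the computed signature value
 *
 * @throws RampartException if the token cannot be read from the token storage
 *             or the signature cannot be produced
 */
private byte[] doSecureConversationSignature(
    RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
) throws RampartException {
    RampartPolicyData rpd = rmd.getPolicyData();
    Document doc = rmd.getDocument();

    // Load the secure conversation token from storage.
    String id = rmd.getSecConvTokenId();
    int inclusion = token.getInclusion();
    org.apache.rahas.Token tok = null;
    try {
        tok = rmd.getTokenStorage().getToken(id);
    } catch (TrustException e) {
        throw new RampartException("errorExtractingToken", new String[] {id}, e);
    }

    // The token goes into the header when it must always be included, or when
    // this side is the initiator and the policy asks for inclusion towards the
    // recipient / once.
    boolean tokenIncluded = false;
    if (
        (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS)
        || (
            (
                (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT)
                || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
            ) && rmd.isInitiator()
        )
    ) {
        rmd.getSecHeader()
            .getSecurityHeader()
            .appendChild(doc.importNode((Element) tok.getToken(), true));
        tokenIncluded = true;
    }

    // Collect the parts covered by the signature.
    List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
    if (this.timestampElement != null) {
        sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
    }
    if (rpd.isTokenProtection() && tokenIncluded) {
        sigParts.add(new WSEncryptionPart(id));
    }
    if (signdParts != null) {
        if (signdParts.isBody()) {
            SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
            sigParts.add(
                new WSEncryptionPart(RampartUtil.addWsuIdToElement(env.getBody()))
            );
        }
        ArrayList headers = signdParts.getHeaders();
        for (Object objectHeader : headers) {
            Header header = (Header) objectHeader;
            sigParts.add(
                new WSEncryptionPart(
                    header.getName(), header.getNamespace(), "Content"
                )
            );
        }
    }

    AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
    if (token.isDerivedKeys()) {
        // Sign with a key derived from the token secret.
        try {
            WSSecDKSign dkSign = new WSSecDKSign();

            // Reference the token by its attached or unattached reference,
            // depending on whether the token was put into the header.
            OMElement ref;
            if (tokenIncluded) {
                ref = tok.getAttachedReference();
            } else {
                ref = tok.getUnattachedReference();
            }
            if (ref != null) {
                dkSign.setExternalKey(
                    tok.getSecret(),
                    (Element) doc.importNode((Element) ref, true)
                );
            } else {
                dkSign.setExternalKey(tok.getSecret(), tok.getId());
            }

            dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
            // NOTE(review): doX509TokenSignature divides this value by 8
            // before passing it to setDerivedKeyLength; here it is passed
            // undivided. Confirm which unit WSSecDKSign expects.
            dkSign.setDerivedKeyLength(
                algorithmSuite.getSignatureDerivedKeyLength()
            );
            dkSign.prepare(doc);

            // Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to the security
            // header: by convention just after the Encrypted Key and just
            // before the <Signature>..</Signature> elements.
            dkSign.appendDKElementToHeader(rmd.getSecHeader());
            dkSign.setParts(sigParts);
            // Take the digest from the policy's algorithm suite. The direct
            // signing path below already does this; without it the derived-key
            // path keeps the library default (SHA1 according to RAMPART-437)
            // even when the policy asks for a stronger digest.
            dkSign.setDigestAlgorithm(algorithmSuite.getDigest());
            List<Reference> referenceList =
                dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());

            dkSign.computeSignature(referenceList, false, null);
            //this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());
            return dkSign.getSignatureValue();
        } catch (ConversationException e) {
            throw new RampartException("errorInDerivedKeyTokenSignature", e);
        } catch (WSSecurityException e) {
            throw new RampartException("errorInDerivedKeyTokenSignature", e);
        }
    } else {
        // Sign directly with the token secret.
        try {
            WSSecSignature sig = new WSSecSignature();
            sig.setWsConfig(rmd.getConfig());

            // Strip a leading '#' only when it is there, as
            // doIssuedTokenSignature does. The unconditional substring(1) used
            // before would cut the first character of an id that has no '#'.
            String tokId = tok.getId();
            if (tokId.startsWith("#")) {
                tokId = tokId.substring(1);
            }
            sig.setCustomTokenId(tokId);
            // NOTE(review): the value type is the SAML 1.0 assertion namespace
            // although this token is a secure conversation token - confirm
            // that this is intended.
            sig.setCustomTokenValueType(
                RampartUtil.getSAML10AssertionNamespace()
            );
            sig.setSecretKey(tok.getSecret());
            // The key is a shared secret (CUSTOM_SYMM_SIGNING), so the
            // symmetric signature algorithm applies. An earlier call that set
            // the asymmetric algorithm was overwritten by this one and has
            // been dropped.
            sig.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
            sig.prepare(
                rmd.getDocument(),
                RampartUtil.getSignatureCrypto(
                    rpd.getRampartConfig(), rmd.getCustomClassLoader()
                ),
                rmd.getSecHeader()
            );
            sig.setParts(sigParts);
            // Digest from the policy's algorithm suite (RAMPART-437).
            sig.setDigestAlgo(algorithmSuite.getDigest());
            List<Reference> referenceList =
                sig.addReferencesToSign(sigParts, rmd.getSecHeader());

            sig.computeSignature(
                referenceList, false, this.getInsertionLocation()
            );

            // The signature element becomes the new insertion point.
            this.setInsertionLocation(sig.getSignatureElement());
            return sig.getSignatureValue();
        } catch (WSSecurityException e) {
            throw new RampartException("errorInSignatureWithACustomToken", e);
        }
    }
}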
/**
 * Produces a signature for an X.509 token and returns the signature value.
 *
 * <p>The parts signed are the timestamp (when one is present) and the body and
 * headers selected by {@code signdParts}. With derived keys, an encrypted key
 * is added to the security header and a key derived from its ephemeral key
 * signs the message; otherwise the signature builder obtained for the token is
 * used. On both paths the digest algorithm comes from the policy's algorithm
 * suite.
 *
 * @param rmd message data giving access to the policy, document and security
 *            header
 * @param token policy token describing inclusion and derived-key use
 * @param signdParts body/headers to sign; may be {@code null}
 *
 * @return the computed signature value
 *
 * @throws RampartException if the signature cannot be produced
 */
private byte[] doX509TokenSignature(
    RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
) throws RampartException {
    RampartPolicyData policyData = rmd.getPolicyData();
    Document document = rmd.getDocument();

    // Collect the parts covered by the signature.
    List<WSEncryptionPart> partsToSign = new ArrayList<WSEncryptionPart>();
    if (this.timestampElement != null) {
        partsToSign.add(new WSEncryptionPart(rmd.getTimestampId()));
    }
    if (signdParts != null) {
        if (signdParts.isBody()) {
            SOAPEnvelope envelope = rmd.getMsgContext().getEnvelope();
            String bodyId = RampartUtil.addWsuIdToElement(envelope.getBody());
            partsToSign.add(new WSEncryptionPart(bodyId));
        }
        for (Object entry : signdParts.getHeaders()) {
            Header header = (Header) entry;
            partsToSign.add(
                new WSEncryptionPart(
                    header.getName(), header.getNamespace(), "Content"
                )
            );
        }
    }

    if (!token.isDerivedKeys()) {
        // Direct signature with the builder obtained for this token.
        try {
            WSSecSignature signer = this.getSignatureBuilder(rmd, token);
            signer.appendBSTElementToHeader(rmd.getSecHeader());

            // Sign the binary security token too, unless the policy says the
            // token is never included.
            if (
                policyData.isTokenProtection()
                && (SPConstants.INCLUDE_TOKEN_NEVER != token.getInclusion())
            ) {
                partsToSign.add(new WSEncryptionPart(signer.getBSTTokenId()));
            }

            // Digest from the policy's algorithm suite (RAMPART-437).
            signer.setDigestAlgo(policyData.getAlgorithmSuite().getDigest());
            List<Reference> references =
                signer.addReferencesToSign(partsToSign, rmd.getSecHeader());

            // TODO changed the order - verify
            signer.computeSignature(references, false, null);
            return signer.getSignatureValue();
        } catch (WSSecurityException e) {
            throw new RampartException("errorInSignatureWithX509Token", e);
        }
    }

    // Derived keys: the ephemeral key is encrypted with the other party's key
    // and then serves as the parent key of the derived keys.
    try {
        WSSecEncryptedKey encryptedKey = getEncryptedKeyBuilder(rmd, token);
        Element binaryTokenElement = encryptedKey.getBinarySecurityTokenElement();
        if (binaryTokenElement != null) {
            RampartUtil.appendChildToSecHeader(rmd, binaryTokenElement);
        }

        // Add the <xenc:EncryptedKey ..>..</xenc:EncryptedKey> element to the
        // security header.
        encryptedKey.appendToHeader(rmd.getSecHeader());

        WSSecDKSign derivedSigner = new WSSecDKSign();
        derivedSigner.setWsConfig(rmd.getConfig());
        derivedSigner.setSigCanonicalization(
            policyData.getAlgorithmSuite().getInclusiveC14n()
        );
        derivedSigner.setSignatureAlgorithm(
            policyData.getAlgorithmSuite().getSymmetricSignature()
        );
        // NOTE(review): the length is divided by 8 here, while
        // doIssuedTokenSignature and doSecureConversationSignature pass the
        // same suite value undivided - confirm which unit is expected.
        derivedSigner.setDerivedKeyLength(
            policyData.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8
        );

        // The derived key refers to the encrypted key.
        derivedSigner.setExternalKey(
            encryptedKey.getEphemeralKey(), encryptedKey.getId()
        );
        derivedSigner.prepare(document, rmd.getSecHeader());

        if (policyData.isTokenProtection()) {
            partsToSign.add(new WSEncryptionPart(encryptedKey.getBSTTokenId()));
        }
        derivedSigner.setParts(partsToSign);

        // Digest from the policy's algorithm suite (RAMPART-437).
        derivedSigner.setDigestAlgorithm(
            policyData.getAlgorithmSuite().getDigest()
        );
        List<Reference> references =
            derivedSigner.addReferencesToSign(partsToSign, rmd.getSecHeader());

        // Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to the security
        // header: by convention just after the Encrypted Key and just before
        // the <Signature>..</Signature> elements.
        derivedSigner.appendDKElementToHeader(rmd.getSecHeader());

        derivedSigner.computeSignature(references, false, null);
        // TODO this is a bit dubious: before the migration the code was
        // "dkSig.appendSigToHeader(rmd.getSecHeader())", but WSS4J has removed
        // the append methods. The reason still needs to be found.
        //this.appendToHeader(rmd.getSecHeader(), dkSig.getSignatureElement());
        return derivedSigner.getSignatureValue();
    } catch (WSSecurityException e) {
        throw new RampartException("errorInDerivedKeyTokenSignature", e);
    } catch (ConversationException e) {
        throw new RampartException("errorInDerivedKeyTokenSignature", e);
    }
}
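/**
 * Prepares the secure conversation token used to secure the current message.
 *
 * <p>For a cancel request or response the stored token is marked as cancelled,
 * its id is published on the message context under
 * {@code RampartMessageData.SCT_ID}, and the entry is removed from the local
 * context map. When no token id is known, or the known token is no longer
 * valid and the message is not a cancel message, a new token is requested and
 * its id is stored in {@code rmd}.
 *
 * @since 1.0
 *
 * @param rmd message data giving access to the message context and the token
 *            storage
 * @param secConvTok policy assertion used when a new token has to be requested
 *
 * @throws RampartException if the stored token cannot be read or a new token
 *             cannot be obtained
 */
private void handleSecureConversationTokens(
    RampartMessageData rmd, SecureConversationToken secConvTok
) throws RampartException {
    MessageContext msgContext = rmd.getMsgContext();
    String secConvTokenId = rmd.getSecConvTokenId();

    // The RSTR has to be secured with the cancelled token, so cancel messages
    // are recognised by their action. The constant is the receiver of
    // equals() so that a message with no action set is treated as "not a
    // cancel" instead of failing with a NullPointerException.
    // NOTE(review): the original tested each of these two actions twice with
    // the same namespace constant. The repeated tests added nothing and are
    // removed; it looks as if a second WS-Trust namespace version was meant to
    // be covered - confirm.
    String action = msgContext.getOptions().getAction();
    String cancelResponseAction =
        RahasConstants.WST_NS_05_02 + RahasConstants.RSTR_ACTION_CANCEL_SCT;
    String cancelRequestAction =
        RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_CANCEL_SCT;
    boolean cancelReqResp =
        cancelResponseAction.equals(action) || cancelRequestAction.equals(action);

    // For a cancel request or response, mark the token as cancelled.
    if ((secConvTokenId != null) && cancelReqResp) {
        try {
            rmd.getTokenStorage()
                .getToken(secConvTokenId)
                .setState(org.apache.rahas.Token.CANCELLED);
            msgContext.setProperty(RampartMessageData.SCT_ID, secConvTokenId);

            // Remove the conversation from the local map of contexts.
            String contextIdentifierKey =
                RampartUtil.getContextIdentifierKey(msgContext);
            RampartUtil.getContextMap(msgContext).remove(contextIdentifierKey);
        } catch (TrustException e) {
            throw new RampartException("errorExtractingToken", e);
        }
    }

    // Request a new token when none is known, or when the known one is no
    // longer valid and this is not a cancel message.
    if (
        (secConvTokenId == null)
        || (!RampartUtil.isTokenValid(rmd, secConvTokenId) && !cancelReqResp)
    ) {
        log.debug("No SecureConversationToken found, requesting a new token");
        try {
            secConvTokenId = RampartUtil.getSecConvToken(rmd, secConvTok);
            rmd.setSecConvTokenId(secConvTokenId);
        } catch (TrustException e) {
            throw new RampartException("errorInObtainingSct", e);
        }
    }

    // The token element itself is not inserted into the security header here;
    // the original carried that step only as commented-out code.
}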
}
> SHA256 not supported for DigestAlgorithm for TransportBinding when specified correctly in policy.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: RAMPART-437
> URL: https://issues.apache.org/jira/browse/RAMPART-437
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.6.2, 1.6.3, 1.6.4, 1.7.0
> Environment: I am using version 1.6.2, but see the code is not fixed in version 1.7.0 yet either.
> Reporter: Marjorie Lindsey
> Priority: Minor
>
> TransportBinding is not recognizing SHA256 when specified in the policy.xml on the DigestAlgorithm. SignatureAlgorithm however is recognizing SHA256. This is because org.apache.rampart.builder.TransportBindingBuilder.java is not setting the digestAlgorithm, and thus using the default of SHA1. To correct this, add this line in 3 locations in this class:
> sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
> and add this line in 1 location in this class:
> dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest());
> Listed below is the entire class with the lines inserted for reference. Thank you.
> /*
> * =============================================================================
> *
> * Copyright (c) 2003-2013 Hewitt Associates, LLC.
> * 100 Half Day Road, Lincolnshire, Illinois, 60069, U.S.A.
> * All rights reserved.
> *
> * This program contains proprietary and confidential information and trade
> * secrets of Hewitt Associates LLC. This program may not be duplicated,
> * disclosed or provided to any third parties without the prior written consent
> * of Hewitt Associates LLC. Disassembly or decompilation of the software and
> * reverse engineering of the object code are prohibited.
> *
> * =============================================================================
> */
> package org.apache.rampart.builder;
> import org.apache.axiom.om.OMElement;
> import org.apache.axiom.soap.SOAPEnvelope;
> import org.apache.axis2.context.MessageContext;
> import org.apache.commons.logging.Log;
> import org.apache.commons.logging.LogFactory;
> import org.apache.rahas.RahasConstants;
> import org.apache.rahas.TrustException;
> import org.apache.rampart.RampartConstants;
> import org.apache.rampart.RampartException;
> import org.apache.rampart.RampartMessageData;
> import org.apache.rampart.policy.RampartPolicyData;
> import org.apache.rampart.util.RampartUtil;
> import org.apache.ws.secpolicy.SPConstants;
> import org.apache.ws.secpolicy.model.AlgorithmSuite;
> import org.apache.ws.secpolicy.model.Header;
> import org.apache.ws.secpolicy.model.IssuedToken;
> import org.apache.ws.secpolicy.model.SecureConversationToken;
> import org.apache.ws.secpolicy.model.SignedEncryptedParts;
> import org.apache.ws.secpolicy.model.SupportingToken;
> import org.apache.ws.secpolicy.model.Token;
> import org.apache.ws.secpolicy.model.UsernameToken;
> import org.apache.ws.secpolicy.model.X509Token;
> import org.apache.ws.security.WSConstants;
> import org.apache.ws.security.WSEncryptionPart;
> import org.apache.ws.security.WSSecurityException;
> import org.apache.ws.security.conversation.ConversationException;
> import org.apache.ws.security.handler.WSHandlerConstants;
> import org.apache.ws.security.message.*;
> import org.w3c.dom.Document;
> import org.w3c.dom.Element;
> import java.util.ArrayList;
> import java.util.Iterator;
> import java.util.List;
> import javax.xml.crypto.dsig.Reference;
> /**
> * DOCUMENT ME!
> *
> * @hahistory 8/11/16 $author$ Initial creation.
> * @since 1.0
> */
> public class TransportBindingBuilder extends BindingBuilder
> {
> /**
> * DOCUMENT ME!
> *
> * @since 1.0
> */
> private static Log log = LogFactory.getLog(TransportBindingBuilder.class);
> /**
> * DOCUMENT ME!
> *
> * @since 1.0
> */
> private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);
> /**
> * DOCUMENT ME!
> *
> * @since 1.0
> *
> * @param rmd DOCUMENT ME!
> *
> * @throws RampartException DOCUMENT ME!
> */
> public void build(RampartMessageData rmd) throws RampartException
> {
> log.debug("TransportBindingBuilder build invoked");
> long t0 = 0, t1 = 0;
> if (tlog.isDebugEnabled())
> {
> t1 = System.currentTimeMillis();
> }
> RampartPolicyData rpd = rmd.getPolicyData();
> if (rpd.isIncludeTimestamp())
> {
> addTimestamp(rmd);
> }
> /*
> * Process Supporting tokens
> */
> if (rmd.isInitiator())
> {
> List<byte[]> signatureValues = new ArrayList<byte[]>();
> SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
> if (
> (sgndSuppTokens != null) &&
> (sgndSuppTokens.getTokens() != null) &&
> (sgndSuppTokens.getTokens()
> .size() > 0)
> )
> {
> log.debug("Processing signed supporting tokens");
> ArrayList tokens = sgndSuppTokens.getTokens();
> for (Object signedSupportingToken : tokens)
> {
> Token token = (Token)signedSupportingToken;
> if (token instanceof UsernameToken)
> {
> WSSecUsernameToken utBuilder =
> addUsernameToken(rmd, (UsernameToken)token);
> utBuilder.prepare(rmd.getDocument());
> //Add the UT
> utBuilder.appendToHeader(rmd.getSecHeader());
> }
> else
> {
> throw new RampartException(
> "unsupportedSignedSupportingToken",
> new String[]
> {
> "{" + token.getName()
> .getNamespaceURI() + "}" +
> token.getName()
> .getLocalPart()
> }
> );
> }
> }
> }
> SupportingToken sgndEndSuppTokens =
> rpd.getSignedEndorsingSupportingTokens();
> if (
> (sgndEndSuppTokens != null) &&
> (sgndEndSuppTokens.getTokens() != null) &&
> (sgndEndSuppTokens.getTokens()
> .size() > 0)
> )
> {
> log.debug("Processing endorsing signed supporting tokens");
> ArrayList tokens = sgndEndSuppTokens.getTokens();
> SignedEncryptedParts signdParts =
> sgndEndSuppTokens.getSignedParts();
> for (Object objectToken : tokens)
> {
> Token token = (Token)objectToken;
> if (token instanceof IssuedToken && rmd.isInitiator())
> {
> signatureValues.add(
> doIssuedTokenSignature(rmd, token, signdParts)
> );
> }
> else if (token instanceof X509Token)
> {
> signatureValues.add(
> doX509TokenSignature(rmd, token, signdParts)
> );
> }
> }
> }
> SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens();
> if (
> (endSupptokens != null) &&
> (endSupptokens.getTokens() != null) &&
> (endSupptokens.getTokens()
> .size() > 0)
> )
> {
> log.debug("Processing endorsing supporting tokens");
> ArrayList tokens = endSupptokens.getTokens();
> SignedEncryptedParts signdParts =
> endSupptokens.getSignedParts();
> for (Object objectToken : tokens)
> {
> Token token = (Token)objectToken;
> if (token instanceof IssuedToken && rmd.isInitiator())
> {
> signatureValues.add(
> doIssuedTokenSignature(rmd, token, signdParts)
> );
> }
> else if (token instanceof X509Token)
> {
> signatureValues.add(
> doX509TokenSignature(rmd, token, signdParts)
> );
> }
> else if (token instanceof SecureConversationToken)
> {
> handleSecureConversationTokens(
> rmd, (SecureConversationToken)token
> );
> signatureValues.add(
> doSecureConversationSignature(
> rmd, token, signdParts
> )
> );
> }
> }
> }
> List<SupportingToken> supportingToks =
> rpd.getSupportingTokensList();
> for (SupportingToken supportingTok : supportingToks)
> {
> this.handleSupportingTokens(rmd, supportingTok);
> }
> //Store the signature values list
> rmd.getMsgContext()
> .setProperty(WSHandlerConstants.SEND_SIGV, signatureValues);
> }
> else
> {
> addSignatureConfirmation(rmd, null);
> }
> if (tlog.isDebugEnabled())
> {
> t1 = System.currentTimeMillis();
> tlog.debug("Transport binding build took " + (t1 - t0));
> }
> }
> /**
> * DOCUMENT ME!
> *
> * @since 1.0
> *
> * @param secHeader DOCUMENT ME!
> * @param appendingChild DOCUMENT ME!
> */
> private void appendToHeader(WSSecHeader secHeader, Element appendingChild)
> {
> // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
> // but WSS4J has remove append methods. Need to find why ?
> Element secHeaderElement = secHeader.getSecurityHeader();
> secHeaderElement.appendChild(appendingChild);
> }
> /**
> * IssuedToken signature
> *
> * @param rmd
> * @param token
> * @param signdParts
> *
> * @return DOCUMENT ME!
> *
> * @throws RampartException
> */
> private byte[] doIssuedTokenSignature(
> RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
> ) throws RampartException
> {
> RampartPolicyData rpd = rmd.getPolicyData();
> Document doc = rmd.getDocument();
> //Get the issued token
> String id = RampartUtil.getIssuedToken(rmd, (IssuedToken)token);
> int inclusion = token.getInclusion();
> org.apache.rahas.Token tok = null;
> try
> {
> tok = rmd.getTokenStorage()
> .getToken(id);
> }
> catch (TrustException e)
> {
> throw new RampartException(
> "errorExtractingToken", new String[] {id}, e
> );
> }
> boolean tokenIncluded = false;
> if (
> (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) ||
> (
> (
> (
> inclusion ==
> SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
> ) || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
> ) && rmd.isInitiator()
> )
> )
> {
> //Add the token
> rmd.getSecHeader()
> .getSecurityHeader()
> .appendChild(doc.importNode((Element)tok.getToken(), true));
> tokenIncluded = true;
> }
> List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
> if (this.timestampElement != null)
> {
> sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
> }
> if (rpd.isTokenProtection() && tokenIncluded)
> {
> sigParts.add(new WSEncryptionPart(id));
> }
> if (signdParts != null)
> {
> if (signdParts.isBody())
> {
> SOAPEnvelope env = rmd.getMsgContext()
> .getEnvelope();
> sigParts.add(
> new WSEncryptionPart(
> RampartUtil.addWsuIdToElement(env.getBody())
> )
> );
> }
> ArrayList headers = signdParts.getHeaders();
> for (Object signedHeader : headers)
> {
> Header header = (Header)signedHeader;
> WSEncryptionPart wep =
> new WSEncryptionPart(
> header.getName(), header.getNamespace(), "Content"
> );
> sigParts.add(wep);
> }
> }
> //check for derived keys
> AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
> if (token.isDerivedKeys())
> {
> //Create a derived key and add
> try
> {
> //Do Signature with derived keys
> WSSecDKSign dkSign = new WSSecDKSign();
> // Setting the AttachedReference or the UnattachedReference according to the flag
> OMElement ref;
> if (tokenIncluded)
> {
> ref = tok.getAttachedReference();
> }
> else
> {
> ref = tok.getUnattachedReference();
> }
> if (ref != null)
> {
> dkSign.setExternalKey(
> tok.getSecret(),
> (Element)doc.importNode((Element)ref, true)
> );
> }
> else
> {
> dkSign.setExternalKey(tok.getSecret(), tok.getId());
> }
> //Set the algo info
> dkSign.setSignatureAlgorithm(
> algorithmSuite.getSymmetricSignature()
> );
> dkSign.setDerivedKeyLength(
> algorithmSuite.getSignatureDerivedKeyLength()
> );
> dkSign.prepare(doc);
> /**
> * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
> * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
> * elements. (As a convention)
> */
> dkSign.appendDKElementToHeader(rmd.getSecHeader());
> dkSign.setParts(sigParts);
> List<Reference> referenceList =
> dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
> //Do signature
> dkSign.computeSignature(referenceList, false, null);
> // TODO verify before migration - dkSign.appendSigToHeader(rmd.getSecHeader())
> // this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());
> return dkSign.getSignatureValue();
> }
> catch (ConversationException e)
> {
> throw new RampartException(
> "errorInDerivedKeyTokenSignature", e
> );
> }
> catch (WSSecurityException e)
> {
> throw new RampartException(
> "errorInDerivedKeyTokenSignature", e
> );
> }
> }
> else
> {
> try
> {
> WSSecSignature sig = new WSSecSignature();
> sig.setWsConfig(rmd.getConfig());
> String tokId = tok.getId();
> if (tokId.charAt(0) == '#')
> {
> tokId = tokId.substring(1);
> }
> sig.setCustomTokenId(tokId);
> sig.setCustomTokenValueType(
> RampartUtil.getSAML10AssertionNamespace()
> );
> sig.setSecretKey(tok.getSecret());
> sig.setSignatureAlgorithm(
> algorithmSuite.getAsymmetricSignature()
> );
> sig.setSignatureAlgorithm(
> algorithmSuite.getSymmetricSignature()
> );
> sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
> sig.prepare(
> rmd.getDocument(),
> RampartUtil.getSignatureCrypto(
> rpd.getRampartConfig(), rmd.getCustomClassLoader()
> ), rmd.getSecHeader()
> );
> sig.setParts(sigParts);
> //Added by MRL
> sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
> List<javax.xml.crypto.dsig.Reference> referenceList =
> sig.addReferencesToSign(sigParts, rmd.getSecHeader());
> //Do signature
> sig.computeSignature(referenceList);
> //Add elements to header
> this.setInsertionLocation(
> RampartUtil.insertSiblingAfter(
> rmd, this.getInsertionLocation(),
> sig.getSignatureElement()
> )
> );
> return sig.getSignatureValue();
> }
> catch (WSSecurityException e)
> {
> throw new RampartException(
> "errorInSignatureWithACustomToken", e
> );
> }
> }
> }
> /**
> * DOCUMENT ME!
> *
> * @since 1.0
> *
> * @param rmd DOCUMENT ME!
> * @param token DOCUMENT ME!
> * @param signdParts DOCUMENT ME!
> *
> * @return DOCUMENT ME!
> *
> * @throws RampartException DOCUMENT ME!
> */
> private byte[] doSecureConversationSignature(
> RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
> ) throws RampartException
> {
> RampartPolicyData rpd = rmd.getPolicyData();
> Document doc = rmd.getDocument();
> //Get the issued token
> String id = rmd.getSecConvTokenId();
> int inclusion = token.getInclusion();
> org.apache.rahas.Token tok = null;
> try
> {
> tok = rmd.getTokenStorage()
> .getToken(id);
> }
> catch (TrustException e)
> {
> throw new RampartException(
> "errorExtractingToken", new String[] {id}, e
> );
> }
> boolean tokenIncluded = false;
> if (
> (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) ||
> (
> (
> (
> inclusion ==
> SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
> ) || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
> ) && rmd.isInitiator()
> )
> )
> {
> //Add the token
> rmd.getSecHeader()
> .getSecurityHeader()
> .appendChild(doc.importNode((Element)tok.getToken(), true));
> tokenIncluded = true;
> }
> List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
> if (this.timestampElement != null)
> {
> sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
> }
> if (rpd.isTokenProtection() && tokenIncluded)
> {
> sigParts.add(new WSEncryptionPart(id));
> }
> if (signdParts != null)
> {
> if (signdParts.isBody())
> {
> SOAPEnvelope env = rmd.getMsgContext()
> .getEnvelope();
> sigParts.add(
> new WSEncryptionPart(
> RampartUtil.addWsuIdToElement(env.getBody())
> )
> );
> }
> ArrayList headers = signdParts.getHeaders();
> for (Object objectHeader : headers)
> {
> Header header = (Header)objectHeader;
> WSEncryptionPart wep =
> new WSEncryptionPart(
> header.getName(), header.getNamespace(), "Content"
> );
> sigParts.add(wep);
> }
> }
> //check for derived keys
> AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
> if (token.isDerivedKeys())
> {
> //Create a derived key and add
> try
> {
> //Do Signature with derived keys
> WSSecDKSign dkSign = new WSSecDKSign();
> // Setting the AttachedReference or the UnattachedReference according to the flag
> OMElement ref;
> if (tokenIncluded)
> {
> ref = tok.getAttachedReference();
> }
> else
> {
> ref = tok.getUnattachedReference();
> }
> if (ref != null)
> {
> dkSign.setExternalKey(
> tok.getSecret(),
> (Element)doc.importNode((Element)ref, true)
> );
> }
> else
> {
> dkSign.setExternalKey(tok.getSecret(), tok.getId());
> }
> //Set the algo info
> dkSign.setSignatureAlgorithm(
> algorithmSuite.getSymmetricSignature()
> );
> dkSign.setDerivedKeyLength(
> algorithmSuite.getSignatureDerivedKeyLength()
> );
> dkSign.prepare(doc);
> /**
> * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
> * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
> * elements. (As a convention)
> */
> dkSign.appendDKElementToHeader(rmd.getSecHeader());
> dkSign.setParts(sigParts);
> List<Reference> referenceList =
> dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
> //Do signature
> dkSign.computeSignature(referenceList, false, null);
> //this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());
> return dkSign.getSignatureValue();
> }
> catch (ConversationException e)
> {
> throw new RampartException(
> "errorInDerivedKeyTokenSignature", e
> );
> }
> catch (WSSecurityException e)
> {
> throw new RampartException(
> "errorInDerivedKeyTokenSignature", e
> );
> }
> }
> else
> {
> try
> {
> WSSecSignature sig = new WSSecSignature();
> sig.setWsConfig(rmd.getConfig());
> sig.setCustomTokenId(tok.getId().substring(1));
> sig.setCustomTokenValueType(
> RampartUtil.getSAML10AssertionNamespace()
> );
> sig.setSecretKey(tok.getSecret());
> sig.setSignatureAlgorithm(
> algorithmSuite.getAsymmetricSignature()
> );
> sig.setSignatureAlgorithm(
> algorithmSuite.getSymmetricSignature()
> );
> sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
> sig.prepare(
> rmd.getDocument(),
> RampartUtil.getSignatureCrypto(
> rpd.getRampartConfig(), rmd.getCustomClassLoader()
> ), rmd.getSecHeader()
> );
> sig.setParts(sigParts);
> //Added by MRL
> sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
> List<Reference> referenceList =
> sig.addReferencesToSign(sigParts, rmd.getSecHeader());
> //Do signature
> sig.computeSignature(
> referenceList, false, this.getInsertionLocation()
> );
> //Add elements to header
> this.setInsertionLocation(sig.getSignatureElement());
> return sig.getSignatureValue();
> }
> catch (WSSecurityException e)
> {
> throw new RampartException(
> "errorInSignatureWithACustomToken", e
> );
> }
> }
> }
> /**
> * Signs the selected message parts with a key bound to an X.509 token and
> * returns the signature value.
> *
> * The parts to sign are the timestamp (when this builder holds a timestamp
> * element), the SOAP body when signdParts.isBody() is true, and every header
> * listed in signdParts. When token.isDerivedKeys() is true the signature is
> * made by a WSSecDKSign whose external key is the ephemeral key of a freshly
> * built EncryptedKey; otherwise the WSSecSignature returned by
> * getSignatureBuilder is used directly.
> *
> * Both branches set the reference digest algorithm from the policy's
> * algorithm suite before the references are built. Per the issue report,
> * leaving that call out keeps the digest at the SHA-1 default even when the
> * policy names a SHA-256 suite.
> *
> * @param rmd message data supplying the document, security header, policy data and WSS4J config
> * @param token X.509 token assertion; its isDerivedKeys() and getInclusion() values pick the code path
> * @param signdParts body/header selection for signing; may be null, in which case only the
> * timestamp (if any) and token-protection parts are signed
> *
> * @return the signature value bytes reported by the signature builder
> *
> * @throws RampartException wrapping the WSSecurityException or ConversationException raised while signing
> */
> private byte[] doX509TokenSignature(
> RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
> ) throws RampartException
> {
> RampartPolicyData rpd = rmd.getPolicyData();
> Document doc = rmd.getDocument();
> List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
> if (this.timestampElement != null) // the timestamp is signed whenever this builder has one
> {
> sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
> }
> if (signdParts != null)
> {
> if (signdParts.isBody())
> {
> SOAPEnvelope env = rmd.getMsgContext()
> .getEnvelope();
> sigParts.add(
> new WSEncryptionPart(
> RampartUtil.addWsuIdToElement(env.getBody())
> )
> );
> }
> ArrayList headers = signdParts.getHeaders(); // raw type: each element is cast to Header below
> for (Iterator iterator = headers.iterator(); iterator.hasNext();)
> {
> Header header = (Header)iterator.next();
> WSEncryptionPart wep =
> new WSEncryptionPart(
> header.getName(), header.getNamespace(), "Content"
> );
> sigParts.add(wep);
> }
> }
> if (token.isDerivedKeys())
> {
> //In this case we will have to encrypt the ephemeral key with the
> //other party's key and then use it as the parent key of the
> // derived keys
> try
> {
> WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(rmd, token);
> Element bstElem = encrKey.getBinarySecurityTokenElement();
> if (bstElem != null)
> {
> RampartUtil.appendChildToSecHeader(rmd, bstElem);
> }
> // Add <xenc:EncryptedKey Id="EncKeyId-E67B75302ACB3BEDF313277587471272">..</xenc:EncryptedKey>
> // to security header.
> encrKey.appendToHeader(rmd.getSecHeader());
> WSSecDKSign dkSig = new WSSecDKSign();
> dkSig.setWsConfig(rmd.getConfig());
> dkSig.setSigCanonicalization(
> rpd.getAlgorithmSuite().getInclusiveC14n()
> );
> dkSig.setSignatureAlgorithm(
> rpd.getAlgorithmSuite().getSymmetricSignature()
> );
> dkSig.setDerivedKeyLength(
> rpd.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8 // NOTE(review): presumably converts bits to bytes; confirm against the suite's units
> );
> /**
> * Add a reference to encrypted key in the derived key
> */
> dkSig.setExternalKey(
> encrKey.getEphemeralKey(), encrKey.getId()
> );
> dkSig.prepare(doc, rmd.getSecHeader());
> if (rpd.isTokenProtection()) // token protection: the binary security token is signed as well
> {
> sigParts.add(new WSEncryptionPart(encrKey.getBSTTokenId()));
> }
> dkSig.setParts(sigParts);
> //Added by MRL: take the reference digest from the policy's algorithm suite; set before the references are built on the next statement
> dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest());
> List<Reference> referenceList =
> dkSig.addReferencesToSign(sigParts, rmd.getSecHeader());
> /**
> * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
> * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
> * elements. (As a convention)
> */
> dkSig.appendDKElementToHeader(rmd.getSecHeader());
> //Do signature and append to the security header
> dkSig.computeSignature(referenceList, false, null);
> // TODO this is a bit dubious: before the migration the code was "dkSig.appendSigToHeader(rmd.getSecHeader())"
> // but WSS4J has removed the append methods. Need to find out why.
> //this.appendToHeader(rmd.getSecHeader(), dkSig.getSignatureElement());
> return dkSig.getSignatureValue();
> }
> catch (WSSecurityException e)
> {
> throw new RampartException(
> "errorInDerivedKeyTokenSignature", e
> );
> }
> catch (ConversationException e)
> {
> throw new RampartException(
> "errorInDerivedKeyTokenSignature", e
> );
> }
> }
> else
> {
> try
> {
> WSSecSignature sig = this.getSignatureBuilder(rmd, token);
> sig.appendBSTElementToHeader(rmd.getSecHeader());
> if ( // sign the binary security token only when token protection is on and the token is actually included
> rpd.isTokenProtection() &&
> !(
> SPConstants.INCLUDE_TOKEN_NEVER ==
> token.getInclusion()
> )
> )
> {
> sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
> }
> //Added by MRL: take the reference digest from the policy's algorithm suite; set before the references are built on the next statement
> sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
> List<Reference> referenceList =
> sig.addReferencesToSign(sigParts, rmd.getSecHeader());
> // TODO changed the order - verify
> // Compute signature and append to the header
> sig.computeSignature(referenceList, false, null);
> return sig.getSignatureValue();
> }
> catch (WSSecurityException e)
> {
> throw new RampartException("errorInSignatureWithX509Token", e);
> }
> }
> }
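> /**
> * Marks the current SecureConversationToken as cancelled when the outgoing
> * message is a cancel request or response; otherwise makes sure a usable
> * token id is set on the message data, requesting a new token when there is
> * none or the stored one is no longer valid.
> *
> * @since 1.0
> *
> * @param rmd message data holding the message context, the token storage and the current token id
> * @param secConvTok SecureConversationToken assertion passed on when a new token is requested
> *
> * @throws RampartException if the stored token cannot be read or a new token cannot be obtained
> */
> private void handleSecureConversationTokens(
> RampartMessageData rmd, SecureConversationToken secConvTok
> ) throws RampartException
> {
> MessageContext msgContext = rmd.getMsgContext();
> String secConvTokenId = rmd.getSecConvTokenId();
> //The RSTR has to be secured with the cancelled token
> String action = msgContext.getOptions()
> .getAction();
> // Constant-first equals: a message without an action is treated as
> // "not a cancel" instead of failing with a NullPointerException.
> // NOTE(review): the earlier version listed each comparison twice, both
> // times with WST_NS_05_02. Presumably the second pair was meant for a
> // different WS-Trust namespace; confirm, because a cancel message under a
> // namespace not matched here falls through to the new-token request below.
> boolean cancelReqResp =
> (
> RahasConstants.WST_NS_05_02 +
> RahasConstants.RSTR_ACTION_CANCEL_SCT
> ).equals(action) ||
> (
> RahasConstants.WST_NS_05_02 +
> RahasConstants.RST_ACTION_CANCEL_SCT
> ).equals(action);
> //In the case of the cancel req or resp we should mark the token as cancelled
> if ((secConvTokenId != null) && cancelReqResp)
> {
> try
> {
> rmd.getTokenStorage()
> .getToken(secConvTokenId)
> .setState(org.apache.rahas.Token.CANCELLED);
> msgContext.setProperty(
> RampartMessageData.SCT_ID, secConvTokenId
> );
> //remove from the local map of contexts
> String contextIdentifierKey =
> RampartUtil.getContextIdentifierKey(msgContext);
> RampartUtil.getContextMap(msgContext)
> .remove(contextIdentifierKey);
> }
> catch (TrustException e)
> {
> throw new RampartException("errorExtractingToken", e);
> }
> }
> // A new token is requested when no id is known, or when the stored token
> // is invalid and this is not a cancel exchange (a cancelled token must
> // still secure the cancel response). The null test short-circuits, so the
> // validity check only ever sees a non-null id.
> if (
> (secConvTokenId == null) ||
> (
> !RampartUtil.isTokenValid(rmd, secConvTokenId) &&
> !cancelReqResp
> )
> )
> {
> log.debug(
> "No SecureConversationToken found, requesting a new token"
> );
> try
> {
> secConvTokenId = RampartUtil.getSecConvToken(rmd, secConvTok);
> rmd.setSecConvTokenId(secConvTokenId);
> }
> catch (TrustException e)
> {
> throw new RampartException("errorInObtainingSct", e);
> }
> }
> }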
> }
> This is the policy.xml being used:
> <wsp:Policy wsu:Id="WSHttpBinding_ISecureService_policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:TransportToken>
> <wsp:Policy>
> <sp:HttpsToken RequireClientCertificate="false" /> <!-- HTTPS transport; no client certificate is required at the transport layer -->
> </wsp:Policy>
> </sp:TransportToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256Sha256 /> <!-- suite from which the SHA-256 digest should be taken; the reported bug left reference digests at the SHA-1 default -->
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict />
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp />
> </wsp:Policy>
> </sp:TransportBinding>
> <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference />
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> <sp:SignedParts>
> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" /> <!-- the only header listed for signing is the WS-Addressing To header -->
> </sp:SignedParts>
> </wsp:Policy>
> </sp:EndorsingSupportingTokens>
> <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier />
> <sp:MustSupportRefIssuerSerial />
> <sp:MustSupportRefThumbprint />
> <sp:MustSupportRefEncryptedKey />
> </wsp:Policy>
> </sp:Wss11>
> <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:MustSupportIssuedTokens />
> <sp:RequireClientEntropy />
> <sp:RequireServerEntropy />
> </wsp:Policy>
> </sp:Trust10>
> <wsaw:UsingAddressing />
>
> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> <ramp:user>aliasName</ramp:user>
> <ramp:passwordCallbackClass>com.test.hro.benefits.fndt.security.ClientPasswordCallback</ramp:passwordCallbackClass>
>
> <ramp:signatureCrypto>
> <ramp:crypto provider="com.test.hro.benefits.fndt.security.HAWebServicesCrypto">
> <ramp:property name="org.apache.ws.security.crypto.keystore.type">JKS</ramp:property>
> <ramp:property name="org.apache.ws.security.crypto.keystore.path">keys/KeyStore</ramp:property> <!-- relative keystore path; no keystore password is set in this policy, a password callback class is configured above -->
> </ramp:crypto>
> </ramp:signatureCrypto>
> </ramp:RampartConfig>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>