You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2014/02/07 16:35:53 UTC
svn commit: r1565692 - in /webservices/wss4j/trunk:
ws-security-common/src/main/java/org/apache/wss4j/common/
ws-security-dom/src/main/java/org/apache/wss4j/dom/
ws-security-dom/src/main/java/org/apache/wss4j/dom/action/
ws-security-dom/src/main/java/o...
Author: coheigea
Date: Fri Feb 7 15:35:52 2014
New Revision: 1565692
URL: http://svn.apache.org/r1565692
Log:
Added initial support for outbound derived signature using an action for the DOM code
Added:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureDerivedAction.java
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/DerivedKeyActionTest.java
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/SignatureEncryptionActionToken.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSConfig.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDerivedKeyBase.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SecurityContextTokenProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/WSSecurityUtil.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/SignatureEncryptionActionToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/SignatureEncryptionActionToken.java?rev=1565692&r1=1565691&r2=1565692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/SignatureEncryptionActionToken.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/SignatureEncryptionActionToken.java Fri Feb 7 15:35:52 2014
@@ -51,6 +51,7 @@ public abstract class SignatureEncryptio
private String tokenType;
private String tokenId;
private String sha1Value;
+ private String derivedKeyTokenReference;
public X509Certificate getCertificate() {
return certificate;
@@ -153,5 +154,11 @@ public abstract class SignatureEncryptio
public void setSha1Value(String sha1Value) {
this.sha1Value = sha1Value;
}
+ public String getDerivedKeyTokenReference() {
+ return derivedKeyTokenReference;
+ }
+ public void setDerivedKeyTokenReference(String derivedKeyTokenReference) {
+ this.derivedKeyTokenReference = derivedKeyTokenReference;
+ }
}
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java?rev=1565692&r1=1565691&r2=1565692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java Fri Feb 7 15:35:52 2014
@@ -491,6 +491,7 @@ public final class WSConstants {
public static final int BST = 0x1000; //BinarySecurityToken
public static final int UT_NOPASSWORD = 0x2000; // perform UsernameToken
public static final int CUSTOM_TOKEN = 0x4000; // perform a Custom Token action
+ public static final int DKT_SIGN = 0x8000; // Perform Signature with a Derived Key
private WSConstants() {
// Complete
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSConfig.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSConfig.java?rev=1565692&r1=1565691&r2=1565692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSConfig.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSConfig.java Fri Feb 7 15:35:52 2014
@@ -88,6 +88,10 @@ public class WSSConfig {
org.apache.wss4j.dom.action.SignatureAction.class
);
tmp.put(
+ WSConstants.DKT_SIGN,
+ org.apache.wss4j.dom.action.SignatureDerivedAction.class
+ );
+ tmp.put(
WSConstants.ST_SIGNED,
org.apache.wss4j.dom.action.SAMLTokenSignedAction.class
);
Added: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureDerivedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureDerivedAction.java?rev=1565692&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureDerivedAction.java (added)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureDerivedAction.java Fri Feb 7 15:35:52 2014
@@ -0,0 +1,154 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.dom.action;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.security.auth.callback.CallbackHandler;
+
+import org.apache.wss4j.common.SecurityActionToken;
+import org.apache.wss4j.common.SignatureActionToken;
+import org.apache.wss4j.common.WSEncryptionPart;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.derivedKey.ConversationException;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandler;
+import org.apache.wss4j.dom.message.WSSecDKSign;
+import org.apache.wss4j.dom.message.WSSecEncryptedKey;
+import org.apache.wss4j.dom.message.token.SecurityContextToken;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.xml.security.stax.impl.util.IDGenerator;
+import org.w3c.dom.Document;
+
+public class SignatureDerivedAction implements Action {
+
+ public void execute(WSHandler handler, SecurityActionToken actionToken,
+ Document doc, RequestData reqData)
+ throws WSSecurityException {
+ CallbackHandler callbackHandler = reqData.getCallbackHandler();
+ if (callbackHandler == null) {
+ callbackHandler = handler.getPasswordCallbackHandler(reqData);
+ }
+
+ SignatureActionToken signatureToken = null;
+ if (actionToken instanceof SignatureActionToken) {
+ signatureToken = (SignatureActionToken)actionToken;
+ }
+ if (signatureToken == null) {
+ signatureToken = reqData.getSignatureToken();
+ }
+
+ WSPasswordCallback passwordCallback =
+ handler.getPasswordCB(signatureToken.getUser(), WSConstants.DKT_SIGN, callbackHandler, reqData);
+ WSSecDKSign wsSign = new WSSecDKSign(reqData.getWssConfig());
+
+ if (signatureToken.getSignatureAlgorithm() != null) {
+ wsSign.setSignatureAlgorithm(signatureToken.getSignatureAlgorithm());
+ }
+ //if (signatureToken.getDigestAlgorithm() != null) {
+ // wsSign.setDigestAlgo(signatureToken.getDigestAlgorithm());
+ //}
+ if (signatureToken.getC14nAlgorithm() != null) {
+ wsSign.setSigCanonicalization(signatureToken.getC14nAlgorithm());
+ }
+ wsSign.setUserInfo(signatureToken.getUser(), passwordCallback.getPassword());
+
+ WSSecEncryptedKey encrKeyBuilder = null;
+ String sctId = null;
+
+ String derivedKeyTokenReference = signatureToken.getDerivedKeyTokenReference();
+ if ("EncryptedKey".equals(derivedKeyTokenReference)) {
+ encrKeyBuilder = new WSSecEncryptedKey();
+ encrKeyBuilder.setUserInfo(signatureToken.getUser());
+ encrKeyBuilder.setKeyIdentifierType(signatureToken.getKeyIdentifierId());
+ encrKeyBuilder.prepare(doc, signatureToken.getCrypto());
+
+ byte[] ek = encrKeyBuilder.getEphemeralKey();
+ String tokenIdentifier = encrKeyBuilder.getId();
+
+ wsSign.setExternalKey(ek, tokenIdentifier);
+ wsSign.setCustomValueType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
+ } else if ("SecurityContextToken".equals(derivedKeyTokenReference)) {
+ sctId = IDGenerator.generateID("uuid:");
+ wsSign.setCustomValueType(WSConstants.WSC_SCT);
+
+ wsSign.setExternalKey(passwordCallback.getKey(), sctId);
+
+ } else {
+ // DirectReference
+
+ if (signatureToken.getKeyIdentifierId() != 0) {
+ wsSign.setKeyIdentifierType(signatureToken.getKeyIdentifierId());
+ }
+
+ byte[] key = null;
+ if (passwordCallback.getKey() != null) {
+ key = passwordCallback.getKey();
+ } else if (signatureToken.getKey() != null) {
+ key = signatureToken.getKey();
+ } else {
+ Crypto crypto = signatureToken.getCrypto();
+ key = crypto.getPrivateKey(signatureToken.getUser(), passwordCallback.getPassword()).getEncoded();
+ }
+ wsSign.setCrypto(signatureToken.getCrypto());
+ wsSign.setExternalKey(key, (String)null);
+ }
+
+ wsSign.setAttachmentCallbackHandler(reqData.getAttachmentCallbackHandler());
+
+ try {
+ List<WSEncryptionPart> parts = signatureToken.getParts();
+ if (parts == null || parts.isEmpty()) {
+ WSEncryptionPart encP = new WSEncryptionPart(reqData.getSoapConstants()
+ .getBodyQName().getLocalPart(), reqData.getSoapConstants()
+ .getEnvelopeURI(), "Content");
+ parts = new ArrayList<WSEncryptionPart>();
+ parts.add(encP);
+ }
+
+ wsSign.setParts(parts);
+ wsSign.build(doc, reqData.getSecHeader());
+
+ wsSign.prependDKElementToHeader(reqData.getSecHeader());
+
+ if (encrKeyBuilder != null) {
+ encrKeyBuilder.prependToHeader(reqData.getSecHeader());
+ } else if (sctId != null) {
+ try {
+ SecurityContextToken sct = new SecurityContextToken(doc, sctId);
+ WSSecurityUtil.prependChildElement(reqData.getSecHeader().getSecurityHeader(), sct.getElement());
+ } catch (ConversationException ex) {
+ ex.printStackTrace();
+ }
+ }
+
+ reqData.getSignatureValues().add(wsSign.getSignatureValue());
+ } catch (WSSecurityException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", e, "Error during Signature: ");
+ } catch (ConversationException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", e, "Error during Signature: ");
+ }
+ }
+
+}
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java?rev=1565692&r1=1565691&r2=1565692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java Fri Feb 7 15:35:52 2014
@@ -91,6 +91,7 @@ public class RequestData {
private boolean enableNonceReplayCache = true;
private boolean enableSamlOneTimeUseReplayCache = true;
private PasswordEncryptor passwordEncryptor;
+ private String derivedKeyTokenReference;
public void clear() {
soapConstants = null;
@@ -123,6 +124,7 @@ public class RequestData {
enableNonceReplayCache = true;
setEnableSamlOneTimeUseReplayCache(true);
passwordEncryptor = null;
+ derivedKeyTokenReference = null;
}
public boolean isEnableTimestampReplayCache() {
@@ -542,5 +544,13 @@ public class RequestData {
public void setEncryptionToken(EncryptionActionToken encryptionToken) {
this.encryptionToken = encryptionToken;
}
+
+ public String getDerivedKeyTokenReference() {
+ return derivedKeyTokenReference;
+ }
+
+ public void setDerivedKeyTokenReference(String derivedKeyTokenReference) {
+ this.derivedKeyTokenReference = derivedKeyTokenReference;
+ }
}
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java?rev=1565692&r1=1565691&r2=1565692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java Fri Feb 7 15:35:52 2014
@@ -127,7 +127,8 @@ public abstract class WSHandler {
&& actionToDo.getActionToken() == null) {
decodeUTParameter(reqData);
decodeSignatureParameter(reqData);
- } else if (actionToDo.getAction() == WSConstants.SIGN
+ } else if ((actionToDo.getAction() == WSConstants.SIGN
+ || actionToDo.getAction() == WSConstants.DKT_SIGN)
&& actionToDo.getActionToken() == null) {
SignatureActionToken actionToken = reqData.getSignatureToken();
if (actionToken == null) {
@@ -216,6 +217,7 @@ public abstract class WSHandler {
case WSConstants.UT:
case WSConstants.ENCR:
case WSConstants.SIGN:
+ case WSConstants.DKT_SIGN:
case WSConstants.ST_SIGNED:
case WSConstants.ST_UNSIGNED:
case WSConstants.TS:
@@ -563,6 +565,9 @@ public abstract class WSHandler {
String algo = getString(WSHandlerConstants.SIG_ALGO, mc);
actionToken.setSignatureAlgorithm(algo);
+ String derivedKeyReference = getString(WSHandlerConstants.DERIVED_TOKEN_REFERENCE, mc);
+ actionToken.setDerivedKeyTokenReference(derivedKeyReference);
+
String digestAlgo = getString(WSHandlerConstants.SIG_DIGEST_ALGO, mc);
actionToken.setDigestAlgorithm(digestAlgo);
@@ -659,6 +664,9 @@ public abstract class WSHandler {
getString(WSHandlerConstants.ENC_KEY_TRANSPORT, mc);
actionToken.setKeyTransportAlgorithm(encKeyTransport);
+ String derivedKeyReference = getString(WSHandlerConstants.DERIVED_TOKEN_REFERENCE, mc);
+ actionToken.setDerivedKeyTokenReference(derivedKeyReference);
+
String digestAlgo = getString(WSHandlerConstants.ENC_DIGEST_ALGO, mc);
actionToken.setDigestAlgorithm(digestAlgo);
@@ -1209,6 +1217,9 @@ public abstract class WSHandler {
case WSConstants.SIGN:
reason = WSPasswordCallback.SIGNATURE;
break;
+ case WSConstants.DKT_SIGN:
+ reason = WSPasswordCallback.SECRET_KEY;
+ break;
case WSConstants.ENCR:
reason = WSPasswordCallback.SECRET_KEY;
break;
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDerivedKeyBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDerivedKeyBase.java?rev=1565692&r1=1565691&r2=1565692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDerivedKeyBase.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDerivedKeyBase.java Fri Feb 7 15:35:52 2014
@@ -22,6 +22,8 @@ package org.apache.wss4j.dom.message;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSConfig;
import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.derivedKey.ConversationConstants;
import org.apache.wss4j.common.derivedKey.ConversationException;
import org.apache.wss4j.common.derivedKey.AlgoFactory;
@@ -36,6 +38,7 @@ import org.w3c.dom.Document;
import org.w3c.dom.Element;
import java.io.UnsupportedEncodingException;
+import java.security.cert.X509Certificate;
/**
* Base class for DerivedKey encryption and signature
@@ -109,15 +112,18 @@ public abstract class WSSecDerivedKeyBas
protected int derivedKeyLength = -1;
private String customValueType;
-
+ private X509Certificate useThisCert;
+ private Crypto crypto;
public WSSecDerivedKeyBase() {
super();
+ setKeyIdentifierType(0);
}
+
public WSSecDerivedKeyBase(WSSConfig config) {
super(config);
+ setKeyIdentifierType(0);
}
-
/**
* @param ephemeralKey The ephemeralKey to set.
@@ -143,6 +149,14 @@ public abstract class WSSecDerivedKeyBas
}
/**
+ * Set the X509 Certificate to use
+ * @param cer the X509 Certificate to use
+ */
+ public void setX509Certificate(X509Certificate cer) {
+ this.useThisCert = cer;
+ }
+
+ /**
* Get the id generated during <code>prepare()</code>.
*
* Returns the the value of wsu:Id attribute of the DerivedKeyToken element.
@@ -224,7 +238,22 @@ public abstract class WSSecDerivedKeyBas
String strUri = getWsConfig().getIdAllocator().createSecureId("STR-", secRef);
secRef.setID(strUri);
+ X509Certificate[] certs = getSigningCerts();
+
switch (keyIdentifierType) {
+
+ case WSConstants.X509_KEY_IDENTIFIER:
+ secRef.setKeyIdentifier(certs[0]);
+ break;
+
+ case WSConstants.SKI_KEY_IDENTIFIER:
+ secRef.setKeyIdentifierSKI(certs[0], crypto);
+ break;
+
+ case WSConstants.THUMBPRINT_IDENTIFIER:
+ secRef.setKeyIdentifierThumb(certs[0]);
+ break;
+
case WSConstants.CUSTOM_KEY_IDENTIFIER:
secRef.setKeyIdentifier(customValueType, tokenIdentifier);
if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customValueType)) {
@@ -321,4 +350,37 @@ public abstract class WSSecDerivedKeyBas
public void setTokenIdDirectId(boolean b) {
tokenIdDirectId = b;
}
+
+ /**
+ * Set up the X509 Certificate(s) for signing.
+ */
+ private X509Certificate[] getSigningCerts() throws WSSecurityException {
+ X509Certificate[] certs = null;
+ if (keyIdentifierType == WSConstants.ISSUER_SERIAL
+ || keyIdentifierType == WSConstants.X509_KEY_IDENTIFIER
+ || keyIdentifierType == WSConstants.SKI_KEY_IDENTIFIER
+ || keyIdentifierType == WSConstants.THUMBPRINT_IDENTIFIER) {
+ if (useThisCert == null) {
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias(user);
+ if (crypto == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noSigCryptoFile");
+ }
+ certs = crypto.getX509Certificates(cryptoType);
+ } else {
+ certs = new X509Certificate[] {useThisCert};
+ }
+ if (certs == null || certs.length <= 0) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE,
+ "noUserCertsFound",
+ user, "signature");
+ }
+ }
+ return certs;
+ }
+
+ public void setCrypto(Crypto crypto) {
+ this.crypto = crypto;
+ }
}
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SecurityContextTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SecurityContextTokenProcessor.java?rev=1565692&r1=1565691&r2=1565692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SecurityContextTokenProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SecurityContextTokenProcessor.java Fri Feb 7 15:35:52 2014
@@ -66,7 +66,7 @@ public class SecurityContextTokenProcess
result.put(WSSecurityEngineResult.TAG_SECRET, returnedCredential.getSecretKey());
} else {
String id = sct.getID();
- if (id.charAt(0) == '#') {
+ if (!"".equals(id) && id.charAt(0) == '#') {
id = id.substring(1);
}
byte[] secret = null;
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/WSSecurityUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/WSSecurityUtil.java?rev=1565692&r1=1565691&r2=1565692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/WSSecurityUtil.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/WSSecurityUtil.java Fri Feb 7 15:35:52 2014
@@ -925,6 +925,8 @@ public final class WSSecurityUtil {
actions.add(WSConstants.UT_NOPASSWORD);
} else if (single[i].equals(WSHandlerConstants.SIGNATURE)) {
actions.add(WSConstants.SIGN);
+ } else if (single[i].equals(WSHandlerConstants.SIGNATURE_DERIVED)) {
+ actions.add(WSConstants.DKT_SIGN);
} else if (single[i].equals(WSHandlerConstants.ENCRYPT)) {
actions.add(WSConstants.ENCR);
} else if (single[i].equals(WSHandlerConstants.SAML_TOKEN_UNSIGNED)) {
@@ -971,6 +973,8 @@ public final class WSSecurityUtil {
actions.add(new HandlerAction(WSConstants.UT));
} else if (single[i].equals(WSHandlerConstants.SIGNATURE)) {
actions.add(new HandlerAction(WSConstants.SIGN));
+ } else if (single[i].equals(WSHandlerConstants.SIGNATURE_DERIVED)) {
+ actions.add(new HandlerAction(WSConstants.DKT_SIGN));
} else if (single[i].equals(WSHandlerConstants.ENCRYPT)) {
actions.add(new HandlerAction(WSConstants.ENCR));
} else if (single[i].equals(WSHandlerConstants.SAML_TOKEN_UNSIGNED)) {
Added: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/DerivedKeyActionTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/DerivedKeyActionTest.java?rev=1565692&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/DerivedKeyActionTest.java (added)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/DerivedKeyActionTest.java Fri Feb 7 15:35:52 2014
@@ -0,0 +1,244 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.dom.message;
+
+import java.util.Collections;
+import java.util.List;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.security.auth.callback.CallbackHandler;
+
+import org.w3c.dom.Document;
+
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.util.XMLUtils;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.WSSecurityEngine;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.common.CustomHandler;
+import org.apache.wss4j.dom.common.KeystoreCallbackHandler;
+import org.apache.wss4j.dom.common.SOAPUtil;
+import org.apache.wss4j.dom.common.SecretKeyCallbackHandler;
+import org.apache.wss4j.dom.common.SecurityTestUtil;
+import org.apache.wss4j.dom.handler.HandlerAction;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+
+/**
+ * A set of tests for using a derived key for encryption/signature using WSHandler actions.
+ */
+public class DerivedKeyActionTest extends org.junit.Assert {
+ private static final org.slf4j.Logger LOG =
+ org.slf4j.LoggerFactory.getLogger(DerivedKeyActionTest.class);
+ private CallbackHandler callbackHandler = new KeystoreCallbackHandler();
+ private Crypto crypto = null;
+
+ @org.junit.AfterClass
+ public static void cleanup() throws Exception {
+ SecurityTestUtil.cleanup();
+ }
+
+ public DerivedKeyActionTest() throws Exception {
+ crypto = CryptoFactory.getInstance("wss40.properties");
+ WSSConfig.init();
+ }
+
+ @org.junit.Test
+ public void testSignatureThumbprintSHA1() throws Exception {
+ final WSSConfig cfg = WSSConfig.getNewInstance();
+ final RequestData reqData = new RequestData();
+ reqData.setWssConfig(cfg);
+ reqData.setUsername("wss40");
+
+ java.util.Map<String, Object> config = new java.util.TreeMap<String, Object>();
+ config.put(WSHandlerConstants.SIG_PROP_FILE, "wss40.properties");
+ config.put(WSHandlerConstants.PW_CALLBACK_REF, callbackHandler);
+ config.put(WSHandlerConstants.SIG_KEY_ID, "Thumbprint");
+ reqData.setMsgContext(config);
+
+ final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ CustomHandler handler = new CustomHandler();
+ HandlerAction action = new HandlerAction(WSConstants.DKT_SIGN);
+ handler.send(
+ doc,
+ reqData,
+ Collections.singletonList(action),
+ true
+ );
+ String outputString =
+ XMLUtils.PrettyDocumentToString(doc);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(outputString);
+ }
+
+ verify(doc);
+ }
+
+ @org.junit.Test
+ public void testSignatureSKI() throws Exception {
+ final WSSConfig cfg = WSSConfig.getNewInstance();
+ final RequestData reqData = new RequestData();
+ reqData.setWssConfig(cfg);
+ reqData.setUsername("wss40");
+
+ java.util.Map<String, Object> config = new java.util.TreeMap<String, Object>();
+ config.put(WSHandlerConstants.SIG_PROP_FILE, "wss40.properties");
+ config.put(WSHandlerConstants.PW_CALLBACK_REF, callbackHandler);
+ config.put(WSHandlerConstants.SIG_KEY_ID, "SKIKeyIdentifier");
+ reqData.setMsgContext(config);
+
+ final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ CustomHandler handler = new CustomHandler();
+ HandlerAction action = new HandlerAction(WSConstants.DKT_SIGN);
+ handler.send(
+ doc,
+ reqData,
+ Collections.singletonList(action),
+ true
+ );
+ String outputString =
+ XMLUtils.PrettyDocumentToString(doc);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(outputString);
+ }
+
+ verify(doc);
+ }
+
+ @org.junit.Test
+ public void testSignatureX509() throws Exception {
+ final WSSConfig cfg = WSSConfig.getNewInstance();
+ final RequestData reqData = new RequestData();
+ reqData.setWssConfig(cfg);
+ reqData.setUsername("wss40");
+
+ java.util.Map<String, Object> config = new java.util.TreeMap<String, Object>();
+ config.put(WSHandlerConstants.SIG_PROP_FILE, "wss40.properties");
+ config.put(WSHandlerConstants.PW_CALLBACK_REF, callbackHandler);
+ config.put(WSHandlerConstants.DERIVED_TOKEN_REFERENCE, "DirectReference");
+ config.put(WSHandlerConstants.SIG_KEY_ID, "X509KeyIdentifier");
+ reqData.setMsgContext(config);
+
+ final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ CustomHandler handler = new CustomHandler();
+ HandlerAction action = new HandlerAction(WSConstants.DKT_SIGN);
+ handler.send(
+ doc,
+ reqData,
+ Collections.singletonList(action),
+ true
+ );
+ String outputString =
+ XMLUtils.PrettyDocumentToString(doc);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(outputString);
+ }
+
+ verify(doc);
+ }
+
+ @org.junit.Test
+ public void testSignatureEncryptedKeyThumbprintSHA1() throws Exception {
+ final WSSConfig cfg = WSSConfig.getNewInstance();
+ final RequestData reqData = new RequestData();
+ reqData.setWssConfig(cfg);
+ reqData.setUsername("wss40");
+
+ java.util.Map<String, Object> config = new java.util.TreeMap<String, Object>();
+ config.put(WSHandlerConstants.SIG_PROP_FILE, "wss40.properties");
+ config.put(WSHandlerConstants.PW_CALLBACK_REF, callbackHandler);
+ config.put(WSHandlerConstants.DERIVED_TOKEN_REFERENCE, "EncryptedKey");
+ config.put(WSHandlerConstants.SIG_KEY_ID, "Thumbprint");
+ reqData.setMsgContext(config);
+
+ final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ CustomHandler handler = new CustomHandler();
+ HandlerAction action = new HandlerAction(WSConstants.DKT_SIGN);
+ handler.send(
+ doc,
+ reqData,
+ Collections.singletonList(action),
+ true
+ );
+ String outputString =
+ XMLUtils.PrettyDocumentToString(doc);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(outputString);
+ }
+
+ verify(doc);
+ }
+
+ @org.junit.Test
+ public void testSignatureSCT() throws Exception {
+ final WSSConfig cfg = WSSConfig.getNewInstance();
+ final RequestData reqData = new RequestData();
+ reqData.setWssConfig(cfg);
+
+ // Generate a Key
+ SecretKeyCallbackHandler secretKeyCallbackHandler = new SecretKeyCallbackHandler();
+ KeyGenerator keyGen = KeyGenerator.getInstance("AES");
+ keyGen.init(128);
+ SecretKey key = keyGen.generateKey();
+ byte[] keyData = key.getEncoded();
+ secretKeyCallbackHandler.setOutboundSecret(keyData);
+
+ java.util.Map<String, Object> config = new java.util.TreeMap<String, Object>();
+ config.put(WSHandlerConstants.PW_CALLBACK_REF, secretKeyCallbackHandler);
+ config.put(WSHandlerConstants.DERIVED_TOKEN_REFERENCE, "SecurityContextToken");
+ reqData.setMsgContext(config);
+
+ final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ CustomHandler handler = new CustomHandler();
+ HandlerAction action = new HandlerAction(WSConstants.DKT_SIGN);
+ handler.send(
+ doc,
+ reqData,
+ Collections.singletonList(action),
+ true
+ );
+ String outputString =
+ XMLUtils.PrettyDocumentToString(doc);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(outputString);
+ }
+
+ verify(doc, secretKeyCallbackHandler);
+ }
+
+ private List<WSSecurityEngineResult> verify(Document doc) throws Exception {
+ return verify(doc, callbackHandler);
+ }
+
+ private List<WSSecurityEngineResult> verify(Document doc, CallbackHandler cbHandler) throws Exception {
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ List<WSSecurityEngineResult> results =
+ secEngine.processSecurityHeader(doc, null, cbHandler, crypto);
+ String outputString =
+ XMLUtils.PrettyDocumentToString(doc);
+ assertTrue(outputString.indexOf("counter_port_type") > 0 ? true : false);
+
+ return results;
+ }
+
+}