You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by gi...@apache.org on 2011/10/11 20:03:15 UTC
svn commit: r1181995 [9/26] - in /webservices/wss4j/branches/swssf: ./
cxf-integration/ cxf-integration/src/main/java/org/swssf/cxfIntegration/
cxf-integration/src/main/java/org/swssf/cxfIntegration/interceptor/
cxf-integration/src/main/java/org/swssf/...
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SAMLTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SAMLTokenOutputProcessor.java?rev=1181995&r1=1179730&r2=1181995&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SAMLTokenOutputProcessor.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SAMLTokenOutputProcessor.java Tue Oct 11 18:03:00 2011
@@ -16,19 +16,21 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.swssf.impl.processor.output;
+package org.swssf.wss.impl.processor.output;
+import org.apache.commons.codec.binary.Base64;
import org.opensaml.common.SAMLVersion;
-import org.swssf.crypto.Crypto;
-import org.swssf.ext.*;
-import org.swssf.impl.saml.OpenSAMLUtil;
-import org.swssf.impl.saml.SAMLAssertionWrapper;
-import org.swssf.impl.saml.SAMLCallback;
-import org.swssf.impl.saml.SAMLKeyInfo;
-import org.swssf.impl.saml.bean.KeyInfoBean;
-import org.swssf.impl.saml.bean.SubjectBean;
-import org.swssf.impl.securityToken.ProcessorInfoSecurityToken;
-import org.swssf.impl.securityToken.SAMLSecurityToken;
+import org.swssf.wss.ext.*;
+import org.swssf.wss.impl.saml.OpenSAMLUtil;
+import org.swssf.wss.impl.saml.SAMLAssertionWrapper;
+import org.swssf.wss.impl.saml.SAMLCallback;
+import org.swssf.wss.impl.saml.SAMLKeyInfo;
+import org.swssf.wss.impl.saml.bean.KeyInfoBean;
+import org.swssf.wss.impl.saml.bean.SubjectBean;
+import org.swssf.wss.impl.securityToken.ProcessorInfoSecurityToken;
+import org.swssf.wss.impl.securityToken.SAMLSecurityToken;
+import org.swssf.xmlsec.crypto.Crypto;
+import org.swssf.xmlsec.ext.*;
import org.w3c.dom.*;
import javax.xml.namespace.QName;
@@ -36,13 +38,14 @@ import javax.xml.stream.XMLStreamExcepti
import javax.xml.stream.events.StartElement;
import javax.xml.stream.events.XMLEvent;
import java.security.Key;
+import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.UUID;
+import java.util.*;
/**
* @author $Author$
@@ -50,16 +53,16 @@ import java.util.UUID;
*/
public class SAMLTokenOutputProcessor extends AbstractOutputProcessor {
- public SAMLTokenOutputProcessor(SecurityProperties securityProperties, Constants.Action action) throws WSSecurityException {
+ public SAMLTokenOutputProcessor(WSSSecurityProperties securityProperties, XMLSecurityConstants.Action action) throws XMLSecurityException {
super(securityProperties, action);
}
@Override
- public void processEvent(XMLEvent xmlEvent, final OutputProcessorChain outputProcessorChain) throws XMLStreamException, WSSecurityException {
+ public void processEvent(XMLEvent xmlEvent, final OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
try {
final SAMLCallback samlCallback = new SAMLCallback();
- Utils.doPasswordCallback(getSecurityProperties().getCallbackHandler(), samlCallback);
+ WSSUtils.doPasswordCallback(getSecurityProperties().getCallbackHandler(), samlCallback);
SAMLAssertionWrapper samlAssertionWrapper = new SAMLAssertionWrapper(samlCallback);
boolean senderVouches = false;
@@ -104,7 +107,7 @@ public class SAMLTokenOutputProcessor ex
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "aliasIsNull");
}
WSPasswordCallback wsPasswordCallback = new WSPasswordCallback(alias, WSPasswordCallback.Usage.SIGNATURE);
- Utils.doPasswordCallback(getSecurityProperties().getCallbackHandler(), wsPasswordCallback);
+ WSSUtils.doPasswordCallback(getSecurityProperties().getCallbackHandler(), wsPasswordCallback);
certificates = getSecurityProperties().getSignatureCrypto().getCertificates(alias);
privateKey = getSecurityProperties().getSignatureCrypto().getPrivateKey(alias, wsPasswordCallback.getPassword());
}
@@ -148,11 +151,11 @@ public class SAMLTokenOutputProcessor ex
return true;
}
- public Key getSecretKey(String algorithmURI, Constants.KeyUsage keyUsage) throws WSSecurityException {
+ public Key getSecretKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage) throws WSSecurityException {
return secretKey;
}
- public PublicKey getPublicKey(Constants.KeyUsage keyUsage) throws WSSecurityException {
+ public PublicKey getPublicKey(XMLSecurityConstants.KeyUsage keyUsage) throws WSSecurityException {
return x509Certificates[0].getPublicKey();
}
@@ -171,16 +174,16 @@ public class SAMLTokenOutputProcessor ex
return null;
}
- public Constants.TokenType getTokenType() {
+ public WSSConstants.TokenType getTokenType() {
//todo pkiPathToken etc?
- return Constants.TokenType.X509V3Token;
+ return WSSConstants.X509V3Token;
}
};
} else {
securityToken = null;
}
- final FinalSAMLTokenOutputProcessor finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(getSecurityProperties(), getAction(), securityToken, samlAssertionWrapper, securityTokenReferenceId, binarySecurityTokenId, senderVouches);
+ final FinalSAMLTokenOutputProcessor finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(((WSSSecurityProperties) getSecurityProperties()), getAction(), securityToken, samlAssertionWrapper, securityTokenReferenceId, binarySecurityTokenId, senderVouches);
if (senderVouches) {
@@ -195,8 +198,8 @@ public class SAMLTokenOutputProcessor ex
};
outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(binarySecurityTokenId, securityTokenProvider);
- outputProcessorChain.getSecurityContext().put(Constants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, binarySecurityTokenId);
- outputProcessorChain.getSecurityContext().put(Constants.PROP_APPEND_SIGNATURE_ON_THIS_ID, securityTokenReferenceId);
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, binarySecurityTokenId);
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, securityTokenReferenceId);
} else {
securityTokenProvider = new SecurityTokenProvider() {
public SecurityToken getSecurityToken(Crypto crypto) throws WSSecurityException {
@@ -209,20 +212,16 @@ public class SAMLTokenOutputProcessor ex
};
outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(tokenId, securityTokenProvider);
- outputProcessorChain.getSecurityContext().put(Constants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, tokenId);
- outputProcessorChain.getSecurityContext().put(Constants.PROP_APPEND_SIGNATURE_ON_THIS_ID, tokenId);
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, tokenId);
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, tokenId);
}
-
- switch (getAction()) {
- case SAML_TOKEN_SIGNED:
- if (senderVouches) {
- SecurePart securePart = new SecurePart(Constants.SOAPMESSAGE_NS10_STRTransform, null, SecurePart.Modifier.Element, tokenId, securityTokenReferenceId);
- outputProcessorChain.getSecurityContext().putAsList(SecurePart.class, securePart);
- }
- break;
- case SAML_TOKEN_UNSIGNED:
- break;
+ XMLSecurityConstants.Action action = getAction();
+ if (action.equals(WSSConstants.SAML_TOKEN_SIGNED)) {
+ if (senderVouches) {
+ SecurePart securePart = new SecurePart(WSSConstants.SOAPMESSAGE_NS10_STRTransform, null, SecurePart.Modifier.Element, tokenId, securityTokenReferenceId);
+ outputProcessorChain.getSecurityContext().putAsList(SecurePart.class, securePart);
+ }
}
outputProcessorChain.addProcessor(finalSAMLTokenOutputProcessor);
} finally {
@@ -231,6 +230,39 @@ public class SAMLTokenOutputProcessor ex
outputProcessorChain.processEvent(xmlEvent);
}
+ //todo common method
+ protected void createBinarySecurityTokenStructure(OutputProcessorChain outputProcessorChain, String referenceId, X509Certificate[] x509Certificates, boolean useSingleCertificate) throws XMLStreamException, XMLSecurityException {
+ Map<QName, String> attributes = new HashMap<QName, String>();
+ String valueType;
+ if (useSingleCertificate) {
+ valueType = WSSConstants.NS_X509_V3_TYPE;
+ } else {
+ valueType = WSSConstants.NS_X509PKIPathv1;
+ }
+ attributes.put(WSSConstants.ATT_NULL_EncodingType, WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING);
+ attributes.put(WSSConstants.ATT_NULL_ValueType, valueType);
+ attributes.put(WSSConstants.ATT_wsu_Id, referenceId);
+ createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken, attributes);
+ try {
+ if (useSingleCertificate) {
+ createCharactersAndOutputAsEvent(outputProcessorChain, new Base64(76, new byte[]{'\n'}).encodeToString(x509Certificates[0].getEncoded()));
+ } else {
+ try {
+ CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
+ List<X509Certificate> certificates = Arrays.asList(x509Certificates);
+ createCharactersAndOutputAsEvent(outputProcessorChain, new Base64(76, new byte[]{'\n'}).encodeToString(certificateFactory.generateCertPath(certificates).getEncoded()));
+ } catch (CertificateException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
+ } catch (NoSuchProviderException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
+ }
+ }
+ } catch (CertificateEncodingException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_SIGNATURE, e);
+ }
+ createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken);
+ }
+
class FinalSAMLTokenOutputProcessor extends AbstractOutputProcessor {
private SecurityToken securityToken;
@@ -239,8 +271,11 @@ public class SAMLTokenOutputProcessor ex
private String binarySecurityTokenReferenceId;
private boolean senderVouches = false;
- FinalSAMLTokenOutputProcessor(SecurityProperties securityProperties, Constants.Action action, SecurityToken securityToken, SAMLAssertionWrapper samlAssertionWrapper, String securityTokenReferenceId, String binarySecurityTokenReferenceId, boolean senderVouches)
- throws WSSecurityException {
+ FinalSAMLTokenOutputProcessor(WSSSecurityProperties securityProperties, XMLSecurityConstants.Action action,
+ SecurityToken securityToken, SAMLAssertionWrapper samlAssertionWrapper,
+ String securityTokenReferenceId, String binarySecurityTokenReferenceId,
+ boolean senderVouches)
+ throws XMLSecurityException {
super(securityProperties, action);
this.getAfterProcessors().add(UsernameTokenOutputProcessor.class.getName());
this.getAfterProcessors().add(SAMLTokenOutputProcessor.class.getName());
@@ -252,13 +287,13 @@ public class SAMLTokenOutputProcessor ex
}
@Override
- public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, WSSecurityException {
+ public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
outputProcessorChain.processEvent(xmlEvent);
if (xmlEvent.isStartElement()) {
StartElement startElement = xmlEvent.asStartElement();
- if (outputProcessorChain.getDocumentContext().isInSecurityHeader() && startElement.getName().equals(Constants.TAG_wsse_Security)) {
+ if (((WSSDocumentContext) outputProcessorChain.getDocumentContext()).isInSecurityHeader() && startElement.getName().equals(WSSConstants.TAG_wsse_Security)) {
OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
- if (senderVouches && getSecurityProperties().getSignatureKeyIdentifierType() == Constants.KeyIdentifierType.BST_DIRECT_REFERENCE) {
+ if (senderVouches && ((WSSSecurityProperties) getSecurityProperties()).getSignatureKeyIdentifierType() == WSSConstants.KeyIdentifierType.BST_DIRECT_REFERENCE) {
outputBinarySecurityToken(outputProcessorChain, binarySecurityTokenReferenceId, securityToken.getX509Certificates(), getSecurityProperties().isUseSingleCert());
}
outputSamlAssertion(samlAssertionWrapper.toDOM(null), subOutputProcessorChain);
@@ -271,33 +306,33 @@ public class SAMLTokenOutputProcessor ex
}
}
- private void outputSecurityTokenReference(OutputProcessorChain outputProcessorChain, SAMLAssertionWrapper samlAssertionWrapper, String referenceId, String tokenId) throws XMLStreamException, WSSecurityException {
+ private void outputSecurityTokenReference(OutputProcessorChain outputProcessorChain, SAMLAssertionWrapper samlAssertionWrapper, String referenceId, String tokenId) throws XMLStreamException, XMLSecurityException {
Map<QName, String> attributes = new HashMap<QName, String>();
if (samlAssertionWrapper.getSAMLVersion() == SAMLVersion.VERSION_11) {
- attributes.put(Constants.ATT_wsse11_TokenType, Constants.NS_SAML11_TOKEN_PROFILE_TYPE);
+ attributes.put(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_SAML11_TOKEN_PROFILE_TYPE);
} else {
- attributes.put(Constants.ATT_wsse11_TokenType, Constants.NS_SAML20_TOKEN_PROFILE_TYPE);
+ attributes.put(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_SAML20_TOKEN_PROFILE_TYPE);
}
- attributes.put(Constants.ATT_wsu_Id, referenceId);
- createStartElementAndOutputAsEvent(outputProcessorChain, Constants.TAG_wsse_SecurityTokenReference, attributes);
+ attributes.put(WSSConstants.ATT_wsu_Id, referenceId);
+ createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference, attributes);
attributes = new HashMap<QName, String>();
if (samlAssertionWrapper.getSAMLVersion() == SAMLVersion.VERSION_11) {
- attributes.put(Constants.ATT_NULL_ValueType, Constants.NS_SAML10_TYPE);
+ attributes.put(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_SAML10_TYPE);
} else {
- attributes.put(Constants.ATT_NULL_ValueType, Constants.NS_SAML20_TYPE);
+ attributes.put(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_SAML20_TYPE);
}
- createStartElementAndOutputAsEvent(outputProcessorChain, Constants.TAG_wsse_KeyIdentifier, attributes);
+ createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_KeyIdentifier, attributes);
createCharactersAndOutputAsEvent(outputProcessorChain, tokenId);
- createEndElementAndOutputAsEvent(outputProcessorChain, Constants.TAG_wsse_KeyIdentifier);
- createEndElementAndOutputAsEvent(outputProcessorChain, Constants.TAG_wsse_SecurityTokenReference);
+ createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_KeyIdentifier);
+ createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference);
}
- private void outputBinarySecurityToken(OutputProcessorChain outputProcessorChain, String referenceId, X509Certificate[] x509Certificates, boolean useSingleCertificate) throws XMLStreamException, WSSecurityException {
+ private void outputBinarySecurityToken(OutputProcessorChain outputProcessorChain, String referenceId, X509Certificate[] x509Certificates, boolean useSingleCertificate) throws XMLStreamException, XMLSecurityException {
createBinarySecurityTokenStructure(outputProcessorChain, referenceId, x509Certificates, useSingleCertificate);
}
//todo serialize directly from SAML XMLObject?
- private void outputSamlAssertion(Element element, OutputProcessorChain outputProcessorChain) throws XMLStreamException, WSSecurityException {
+ private void outputSamlAssertion(Element element, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
Map<QName, String> attributes = new HashMap<QName, String>();
Map<QName, String> namespaces = new HashMap<QName, String>();
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SecurityContextTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SecurityContextTokenOutputProcessor.java?rev=1181995&r1=1179730&r2=1181995&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SecurityContextTokenOutputProcessor.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SecurityContextTokenOutputProcessor.java Tue Oct 11 18:03:00 2011
@@ -16,11 +16,15 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.swssf.impl.processor.output;
+package org.swssf.wss.impl.processor.output;
-import org.swssf.crypto.Crypto;
-import org.swssf.ext.*;
-import org.swssf.impl.securityToken.ProcessorInfoSecurityToken;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSDocumentContext;
+import org.swssf.wss.ext.WSSSecurityProperties;
+import org.swssf.wss.ext.WSSecurityException;
+import org.swssf.wss.impl.securityToken.ProcessorInfoSecurityToken;
+import org.swssf.xmlsec.crypto.Crypto;
+import org.swssf.xmlsec.ext.*;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
@@ -39,14 +43,14 @@ import java.util.UUID;
*/
public class SecurityContextTokenOutputProcessor extends AbstractOutputProcessor {
- public SecurityContextTokenOutputProcessor(SecurityProperties securityProperties, Constants.Action action) throws WSSecurityException {
+ public SecurityContextTokenOutputProcessor(WSSSecurityProperties securityProperties, XMLSecurityConstants.Action action) throws XMLSecurityException {
super(securityProperties, action);
}
@Override
- public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, WSSecurityException {
+ public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
try {
- String tokenId = outputProcessorChain.getSecurityContext().get(Constants.PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN);
+ String tokenId = outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN);
if (tokenId == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION);
}
@@ -82,19 +86,19 @@ public class SecurityContextTokenOutputP
return wrappingSecurityToken.isAsymmetric();
}
- public Key getSecretKey(String algorithmURI, Constants.KeyUsage keyUsage) throws WSSecurityException {
+ public Key getSecretKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage) throws XMLSecurityException {
return wrappingSecurityToken.getSecretKey(algorithmURI, keyUsage);
}
- public PublicKey getPublicKey(Constants.KeyUsage keyUsage) throws WSSecurityException {
+ public PublicKey getPublicKey(XMLSecurityConstants.KeyUsage keyUsage) throws XMLSecurityException {
return wrappingSecurityToken.getPublicKey(keyUsage);
}
- public X509Certificate[] getX509Certificates() throws WSSecurityException {
+ public X509Certificate[] getX509Certificates() throws XMLSecurityException {
return wrappingSecurityToken.getX509Certificates();
}
- public void verify() throws WSSecurityException {
+ public void verify() throws XMLSecurityException {
wrappingSecurityToken.verify();
}
@@ -106,8 +110,8 @@ public class SecurityContextTokenOutputP
return null;
}
- public Constants.TokenType getTokenType() {
- return Constants.TokenType.SecurityContextToken;
+ public WSSConstants.TokenType getTokenType() {
+ return WSSConstants.SecurityContextToken;
}
};
@@ -122,23 +126,21 @@ public class SecurityContextTokenOutputP
};
FinalSecurityContextTokenOutputProcessor finalSecurityContextTokenOutputProcessor = new FinalSecurityContextTokenOutputProcessor(getSecurityProperties(), getAction(), securityContextSecurityToken, identifier);
- switch (getAction()) {
- case SIGNATURE_WITH_DERIVED_KEY:
- outputProcessorChain.getSecurityContext().put(Constants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, wsuId);
- if (wrappingSecurityToken.getProcessor() != null) {
- finalSecurityContextTokenOutputProcessor.getBeforeProcessors().add(wrappingSecurityToken.getProcessor());
- } else {
- finalSecurityContextTokenOutputProcessor.getBeforeProcessors().add(SignatureOutputProcessor.class.getName());
- }
- break;
- case ENCRYPT_WITH_DERIVED_KEY:
- outputProcessorChain.getSecurityContext().put(Constants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, wsuId);
- if (wrappingSecurityToken.getProcessor() != null) {
- finalSecurityContextTokenOutputProcessor.getBeforeProcessors().add(wrappingSecurityToken.getProcessor());
- } else {
- finalSecurityContextTokenOutputProcessor.getAfterProcessors().add(EncryptEndingOutputProcessor.class.getName());
- }
- break;
+ XMLSecurityConstants.Action action = getAction();
+ if (action.equals(WSSConstants.SIGNATURE_WITH_DERIVED_KEY)) {
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, wsuId);
+ if (wrappingSecurityToken.getProcessor() != null) {
+ finalSecurityContextTokenOutputProcessor.getBeforeProcessors().add(wrappingSecurityToken.getProcessor());
+ } else {
+ finalSecurityContextTokenOutputProcessor.getBeforeProcessors().add(org.swssf.wss.impl.processor.output.SignatureOutputProcessor.class.getName());
+ }
+ } else if (action.equals(WSSConstants.ENCRYPT_WITH_DERIVED_KEY)) {
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, wsuId);
+ if (wrappingSecurityToken.getProcessor() != null) {
+ finalSecurityContextTokenOutputProcessor.getBeforeProcessors().add(wrappingSecurityToken.getProcessor());
+ } else {
+ finalSecurityContextTokenOutputProcessor.getAfterProcessors().add(org.swssf.wss.impl.processor.output.EncryptEndingOutputProcessor.class.getName());
+ }
}
outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(wsuId, securityContextSecurityTokenProvider);
@@ -156,27 +158,27 @@ public class SecurityContextTokenOutputP
private SecurityToken securityToken;
private String identifier;
- FinalSecurityContextTokenOutputProcessor(SecurityProperties securityProperties, Constants.Action action, SecurityToken securityToken, String identifier) throws WSSecurityException {
+ FinalSecurityContextTokenOutputProcessor(XMLSecurityProperties securityProperties, XMLSecurityConstants.Action action, SecurityToken securityToken, String identifier) throws XMLSecurityException {
super(securityProperties, action);
this.securityToken = securityToken;
this.identifier = identifier;
}
@Override
- public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, WSSecurityException {
+ public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
outputProcessorChain.processEvent(xmlEvent);
if (xmlEvent.isStartElement()) {
StartElement startElement = xmlEvent.asStartElement();
- if (outputProcessorChain.getDocumentContext().isInSecurityHeader() && startElement.getName().equals(Constants.TAG_wsse_Security)) {
+ if (((WSSDocumentContext) outputProcessorChain.getDocumentContext()).isInSecurityHeader() && startElement.getName().equals(WSSConstants.TAG_wsse_Security)) {
OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
Map<QName, String> attributes = new HashMap<QName, String>();
- attributes.put(Constants.ATT_wsu_Id, securityToken.getId());
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_wsc0502_SecurityContextToken, attributes);
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_wsc0502_Identifier, null);
+ attributes.put(WSSConstants.ATT_wsu_Id, securityToken.getId());
+ createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_SecurityContextToken, attributes);
+ createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Identifier, null);
createCharactersAndOutputAsEvent(subOutputProcessorChain, identifier);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_wsc0502_Identifier);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_wsc0502_SecurityContextToken);
+ createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Identifier);
+ createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_SecurityContextToken);
outputProcessorChain.removeProcessor(this);
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SecurityHeaderOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SecurityHeaderOutputProcessor.java?rev=1181995&r1=1179730&r2=1181995&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SecurityHeaderOutputProcessor.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SecurityHeaderOutputProcessor.java Tue Oct 11 18:03:00 2011
@@ -16,9 +16,13 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.swssf.impl.processor.output;
+package org.swssf.wss.impl.processor.output;
-import org.swssf.ext.*;
+import org.swssf.wss.ext.*;
+import org.swssf.xmlsec.ext.AbstractOutputProcessor;
+import org.swssf.xmlsec.ext.OutputProcessorChain;
+import org.swssf.xmlsec.ext.SecurePart;
+import org.swssf.xmlsec.ext.XMLSecurityException;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
@@ -37,18 +41,18 @@ import java.util.Map;
*/
public class SecurityHeaderOutputProcessor extends AbstractOutputProcessor {
- public SecurityHeaderOutputProcessor(SecurityProperties securityProperties, Constants.Action action) throws WSSecurityException {
+ public SecurityHeaderOutputProcessor(WSSSecurityProperties securityProperties, WSSConstants.Action action) throws XMLSecurityException {
super(securityProperties, action);
- setPhase(Constants.Phase.PREPROCESSING);
+ setPhase(WSSConstants.Phase.PREPROCESSING);
}
@Override
- public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, WSSecurityException {
+ public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
boolean eventHandled = false;
int level = outputProcessorChain.getDocumentContext().getDocumentLevel();
- String soapMessageVersion = outputProcessorChain.getDocumentContext().getSOAPMessageVersionNamespace();
+ String soapMessageVersion = ((WSSDocumentContext) outputProcessorChain.getDocumentContext()).getSOAPMessageVersionNamespace();
if (xmlEvent.isStartElement()) {
StartElement startElement = xmlEvent.asStartElement();
@@ -72,14 +76,14 @@ public class SecurityHeaderOutputProcess
securePart.setNamespace(soapMessageVersion);
}
}
- } else if (level == 3 && startElement.getName().equals(Constants.TAG_wsse_Security)) {
- if (Utils.isResponsibleActorOrRole(startElement, soapMessageVersion, getSecurityProperties().getActor())) {
- outputProcessorChain.getDocumentContext().setInSecurityHeader(true);
+ } else if (level == 3 && startElement.getName().equals(WSSConstants.TAG_wsse_Security)) {
+ if (WSSUtils.isResponsibleActorOrRole(startElement, soapMessageVersion, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+ ((WSSDocumentContext) outputProcessorChain.getDocumentContext()).setInSecurityHeader(true);
//remove this processor. its no longer needed.
outputProcessorChain.removeProcessor(this);
}
} else if (level == 2
- && startElement.getName().getLocalPart().equals(Constants.TAG_soap_Body_LocalName)
+ && startElement.getName().getLocalPart().equals(WSSConstants.TAG_soap_Body_LocalName)
&& startElement.getName().getNamespaceURI().equals(soapMessageVersion)) {
//hmm it seems we don't have a soap header in the current document
//so output one and add securityHeader
@@ -87,10 +91,10 @@ public class SecurityHeaderOutputProcess
//create subchain and output soap-header and securityHeader
OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
createStartElementAndOutputAsEvent(subOutputProcessorChain,
- new QName(soapMessageVersion, Constants.TAG_soap_Header_LocalName, Constants.PREFIX_SOAPENV), null);
+ new QName(soapMessageVersion, WSSConstants.TAG_soap_Header_LocalName, WSSConstants.PREFIX_SOAPENV), null);
buildSecurityHeader(soapMessageVersion, subOutputProcessorChain);
createEndElementAndOutputAsEvent(subOutputProcessorChain,
- new QName(soapMessageVersion, Constants.TAG_soap_Header_LocalName, Constants.PREFIX_SOAPENV));
+ new QName(soapMessageVersion, WSSConstants.TAG_soap_Header_LocalName, WSSConstants.PREFIX_SOAPENV));
//output current soap-header event
outputProcessorChain.processEvent(xmlEvent);
@@ -101,9 +105,9 @@ public class SecurityHeaderOutputProcess
}
} else if (xmlEvent.isEndElement()) {
EndElement endElement = xmlEvent.asEndElement();
- if (level == 2 && endElement.getName().equals(Constants.TAG_wsse_Security)) {
- outputProcessorChain.getDocumentContext().setInSecurityHeader(false);
- } else if (level == 1 && endElement.getName().getLocalPart().equals(Constants.TAG_soap_Header_LocalName)
+ if (level == 2 && endElement.getName().equals(WSSConstants.TAG_wsse_Security)) {
+ ((WSSDocumentContext) outputProcessorChain.getDocumentContext()).setInSecurityHeader(false);
+ } else if (level == 1 && endElement.getName().getLocalPart().equals(WSSConstants.TAG_soap_Header_LocalName)
&& endElement.getName().getNamespaceURI().equals(soapMessageVersion)) {
OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
buildSecurityHeader(soapMessageVersion, subOutputProcessorChain);
@@ -121,19 +125,19 @@ public class SecurityHeaderOutputProcess
}
}
- private void buildSecurityHeader(String soapMessageVersion, OutputProcessorChain subOutputProcessorChain) throws XMLStreamException, WSSecurityException {
+ private void buildSecurityHeader(String soapMessageVersion, OutputProcessorChain subOutputProcessorChain) throws XMLStreamException, XMLSecurityException {
Map<QName, String> attributes = new HashMap<QName, String>();
- final String actor = getSecurityProperties().getActor();
+ final String actor = ((WSSSecurityProperties) getSecurityProperties()).getActor();
if (actor != null && !"".equals(actor)) {
- if (Constants.NS_SOAP11.equals(soapMessageVersion)) {
- attributes.put(Constants.ATT_soap11_Actor, actor);
+ if (WSSConstants.NS_SOAP11.equals(soapMessageVersion)) {
+ attributes.put(WSSConstants.ATT_soap11_Actor, actor);
} else {
- attributes.put(Constants.ATT_soap12_Role, actor);
+ attributes.put(WSSConstants.ATT_soap12_Role, actor);
}
}
- subOutputProcessorChain.getDocumentContext().setInSecurityHeader(true);
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_wsse_Security, attributes);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_wsse_Security);
- subOutputProcessorChain.getDocumentContext().setInSecurityHeader(false);
+ ((WSSDocumentContext) subOutputProcessorChain.getDocumentContext()).setInSecurityHeader(true);
+ createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse_Security, attributes);
+ createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse_Security);
+ ((WSSDocumentContext) subOutputProcessorChain.getDocumentContext()).setInSecurityHeader(false);
}
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SignatureConfirmationOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SignatureConfirmationOutputProcessor.java?rev=1181995&r1=1179730&r2=1181995&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SignatureConfirmationOutputProcessor.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SignatureConfirmationOutputProcessor.java Tue Oct 11 18:03:00 2011
@@ -16,12 +16,18 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.swssf.impl.processor.output;
+package org.swssf.wss.impl.processor.output;
import org.apache.commons.codec.binary.Base64;
-import org.swssf.ext.*;
-import org.swssf.securityEvent.SecurityEvent;
-import org.swssf.securityEvent.SignatureTokenSecurityEvent;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSDocumentContext;
+import org.swssf.wss.ext.WSSSecurityProperties;
+import org.swssf.wss.securityEvent.SecurityEvent;
+import org.swssf.wss.securityEvent.SignatureTokenSecurityEvent;
+import org.swssf.xmlsec.ext.AbstractOutputProcessor;
+import org.swssf.xmlsec.ext.OutputProcessorChain;
+import org.swssf.xmlsec.ext.XMLSecurityConstants;
+import org.swssf.xmlsec.ext.XMLSecurityException;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
@@ -38,18 +44,18 @@ import java.util.UUID;
*/
public class SignatureConfirmationOutputProcessor extends AbstractOutputProcessor {
- public SignatureConfirmationOutputProcessor(SecurityProperties securityProperties, Constants.Action action) throws WSSecurityException {
+ public SignatureConfirmationOutputProcessor(WSSSecurityProperties securityProperties, XMLSecurityConstants.Action action) throws XMLSecurityException {
super(securityProperties, action);
- getBeforeProcessors().add(SignatureOutputProcessor.class.getName());
- getBeforeProcessors().add(EncryptOutputProcessor.class.getName());
+ getBeforeProcessors().add(org.swssf.wss.impl.processor.output.SignatureOutputProcessor.class.getName());
+ getBeforeProcessors().add(org.swssf.wss.impl.processor.output.EncryptOutputProcessor.class.getName());
}
@Override
- public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, WSSecurityException {
+ public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
outputProcessorChain.processEvent(xmlEvent);
if (xmlEvent.isStartElement()) {
StartElement startElement = xmlEvent.asStartElement();
- if (outputProcessorChain.getDocumentContext().isInSecurityHeader() && startElement.getName().equals(Constants.TAG_wsse_Security)) {
+ if (((WSSDocumentContext) outputProcessorChain.getDocumentContext()).isInSecurityHeader() && startElement.getName().equals(WSSConstants.TAG_wsse_Security)) {
OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
boolean aSignatureFound = false;
@@ -62,18 +68,18 @@ public class SignatureConfirmationOutput
SignatureTokenSecurityEvent signatureTokenSecurityEvent = (SignatureTokenSecurityEvent) securityEvent;
Map<QName, String> attributes = new HashMap<QName, String>();
- attributes.put(Constants.ATT_wsu_Id, "SigConf-" + UUID.randomUUID().toString());
- attributes.put(Constants.ATT_NULL_Value, new Base64(76, new byte[]{'\n'}).encodeToString(signatureTokenSecurityEvent.getSignatureValue()));
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_wsse11_SignatureConfirmation, attributes);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_wsse11_SignatureConfirmation);
+ attributes.put(WSSConstants.ATT_wsu_Id, "SigConf-" + UUID.randomUUID().toString());
+ attributes.put(WSSConstants.ATT_NULL_Value, new Base64(76, new byte[]{'\n'}).encodeToString(signatureTokenSecurityEvent.getSignatureValue()));
+ createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse11_SignatureConfirmation, attributes);
+ createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse11_SignatureConfirmation);
}
}
if (!aSignatureFound) {
Map<QName, String> attributes = new HashMap<QName, String>();
- attributes.put(Constants.ATT_wsu_Id, "SigConf-" + UUID.randomUUID().toString());
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_wsse11_SignatureConfirmation, attributes);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_wsse11_SignatureConfirmation);
+ attributes.put(WSSConstants.ATT_wsu_Id, "SigConf-" + UUID.randomUUID().toString());
+ createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse11_SignatureConfirmation, attributes);
+ createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse11_SignatureConfirmation);
}
outputProcessorChain.removeProcessor(this);
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SignatureEndingOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SignatureEndingOutputProcessor.java?rev=1181995&r1=1179730&r2=1181995&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SignatureEndingOutputProcessor.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SignatureEndingOutputProcessor.java Tue Oct 11 18:03:00 2011
@@ -16,227 +16,376 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.swssf.impl.processor.output;
+package org.swssf.wss.impl.processor.output;
import org.apache.commons.codec.binary.Base64;
-import org.swssf.ext.*;
-import org.swssf.impl.SignaturePartDef;
-import org.swssf.impl.algorithms.SignatureAlgorithm;
-import org.swssf.impl.algorithms.SignatureAlgorithmFactory;
-import org.swssf.impl.util.SignerOutputStream;
-import org.swssf.securityEvent.SecurityEvent;
-import org.swssf.securityEvent.SignatureValueSecurityEvent;
+import org.swssf.wss.ext.*;
+import org.swssf.wss.securityEvent.SecurityEvent;
+import org.swssf.wss.securityEvent.SignatureValueSecurityEvent;
+import org.swssf.xmlsec.ext.OutputProcessorChain;
+import org.swssf.xmlsec.ext.SecurityToken;
+import org.swssf.xmlsec.ext.XMLSecurityConstants;
+import org.swssf.xmlsec.ext.XMLSecurityException;
+import org.swssf.xmlsec.impl.SignaturePartDef;
+import org.swssf.xmlsec.impl.algorithms.SignatureAlgorithm;
+import org.swssf.xmlsec.impl.processor.output.AbstractSignatureEndingOutputProcessor;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
import javax.xml.stream.events.XMLEvent;
-import java.io.BufferedOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.lang.reflect.InvocationTargetException;
+import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
import java.util.*;
/**
* @author $Author$
* @version $Revision$ $Date$
*/
-public class SignatureEndingOutputProcessor extends AbstractBufferingOutputProcessor {
+public class SignatureEndingOutputProcessor extends AbstractSignatureEndingOutputProcessor {
- private List<SignaturePartDef> signaturePartDefList;
+ private SignedInfoProcessor signedInfoProcessor = null;
- public SignatureEndingOutputProcessor(SecurityProperties securityProperties, Constants.Action action, SignatureOutputProcessor signatureOutputProcessor) throws WSSecurityException {
- super(securityProperties, action);
- this.getAfterProcessors().add(SignatureOutputProcessor.class.getName());
+ public SignatureEndingOutputProcessor(WSSSecurityProperties securityProperties, XMLSecurityConstants.Action action, org.swssf.wss.impl.processor.output.SignatureOutputProcessor signatureOutputProcessor) throws XMLSecurityException {
+ super(securityProperties, action, signatureOutputProcessor);
+ this.getAfterProcessors().add(org.swssf.wss.impl.processor.output.SignatureOutputProcessor.class.getName());
this.getAfterProcessors().add(UsernameTokenOutputProcessor.class.getName());
- signaturePartDefList = signatureOutputProcessor.getSignaturePartDefList();
}
@Override
- public void doFinal(OutputProcessorChain outputProcessorChain) throws XMLStreamException, WSSecurityException {
- setAppendAfterThisTokenId(outputProcessorChain.getSecurityContext().<String>get(Constants.PROP_APPEND_SIGNATURE_ON_THIS_ID));
- super.doFinal(outputProcessorChain);
- }
-
- /*
- <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1022834285">
- <ds:SignedInfo>
- <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
- <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
- <ds:Reference URI="#id-1612925417">
- <ds:Transforms>
- <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
- </ds:Transforms>
- <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
- <ds:DigestValue>cy/khx5N6UobCJ1EbX+qnrGID2U=</ds:DigestValue>
- </ds:Reference>
- <ds:Reference URI="#Timestamp-1106985890">
- <ds:Transforms>
- <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
- </ds:Transforms>
- <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
- <ds:DigestValue>+p5YRII6uvUdsJ7XLKkWx1CBewE=</ds:DigestValue>
- </ds:Reference>
- </ds:SignedInfo>
- <ds:SignatureValue>
- Izg1FlI9oa4gOon2vTXi7V0EpiyCUazECVGYflbXq7/3GF8ThKGDMpush/fo1I2NVjEFTfmT2WP/
- +ZG5N2jASFptrcGbsqmuLE5JbxUP1TVKb9SigKYcOQJJ8klzmVfPXnSiRZmIU+DUT2UXopWnGNFL
- TwY0Uxja4ZuI6U8m8Tg=
- </ds:SignatureValue>
- <ds:KeyInfo Id="KeyId-1043455692">
- <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-1008354042">
- <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-3458500" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
- </wsse:SecurityTokenReference>
- </ds:KeyInfo>
- </ds:Signature>
- */
-
- protected void processHeaderEvent(OutputProcessorChain outputProcessorChain) throws XMLStreamException, WSSecurityException {
+ public void doFinal(OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
+ setAppendAfterThisTokenId(outputProcessorChain.getSecurityContext().<String>get(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID));
+ //todo replace this and in EncryptEndingOutputProcessor with a common method somewhere
OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
- Map<QName, String> attributes = new HashMap<QName, String>();
- attributes.put(Constants.ATT_NULL_Id, "Signature-" + UUID.randomUUID().toString());
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_Signature, attributes);
-
- SignatureAlgorithm signatureAlgorithm;
-
- try {
- signatureAlgorithm = SignatureAlgorithmFactory.getInstance().getSignatureAlgorithm(getSecurityProperties().getSignatureAlgorithm());
- } catch (NoSuchAlgorithmException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, e);
- } catch (NoSuchProviderException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noSecProvider", e);
+ //loop until we reach our security header and set flag
+ Iterator<XMLEvent> xmlEventIterator = getXmlEventBuffer().descendingIterator();
+ while (xmlEventIterator.hasNext()) {
+ XMLEvent xmlEvent = xmlEventIterator.next();
+ if (xmlEvent.isStartElement()) {
+ StartElement startElement = xmlEvent.asStartElement();
+ if (startElement.getName().equals(WSSConstants.TAG_wsse_Security)
+ && WSSUtils.isResponsibleActorOrRole(
+ startElement,
+ ((WSSDocumentContext) subOutputProcessorChain.getDocumentContext()).getSOAPMessageVersionNamespace(),
+ ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+ ((WSSDocumentContext) subOutputProcessorChain.getDocumentContext()).setInSecurityHeader(true);
+ subOutputProcessorChain.reset();
+ subOutputProcessorChain.processEvent(xmlEvent);
+ break;
+ }
+ }
+ subOutputProcessorChain.reset();
+ subOutputProcessorChain.processEvent(xmlEvent);
}
- String tokenId = outputProcessorChain.getSecurityContext().get(Constants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
- if (tokenId == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE);
+ //append current header
+ if (getAppendAfterThisTokenId() == null) {
+ processHeaderEvent(subOutputProcessorChain);
+ } else {
+ //we have a dependent token. so we have to append the current header after the token
+ boolean found = false;
+ while (xmlEventIterator.hasNext() && !found) {
+ XMLEvent xmlEvent = xmlEventIterator.next();
+
+ subOutputProcessorChain.reset();
+ subOutputProcessorChain.processEvent(xmlEvent);
+
+ //search for an element with a matching wsu:Id. this is our token
+ if (xmlEvent.isStartElement()) {
+ StartElement startElement = xmlEvent.asStartElement();
+ QName matchingElementName;
+
+ @SuppressWarnings("unchecked")
+ Iterator<Attribute> attributeIterator = startElement.getAttributes();
+ while (attributeIterator.hasNext() && !found) {
+ Attribute attribute = attributeIterator.next();
+ final QName attributeName = attribute.getName();
+ final String attributeValue = attribute.getValue();
+ if ((WSSConstants.ATT_wsu_Id.equals(attributeName) && getAppendAfterThisTokenId().equals(attributeValue))
+ || (WSSConstants.ATT_NULL_Id.equals(attributeName) && getAppendAfterThisTokenId().equals(attributeValue))
+ || (WSSConstants.ATT_NULL_AssertionID.equals(attributeName) && getAppendAfterThisTokenId().equals(attributeValue))
+ || (WSSConstants.ATT_NULL_ID.equals(attributeName) && getAppendAfterThisTokenId().endsWith(attributeValue))) {
+ matchingElementName = startElement.getName();
+ //we found the token and...
+ int level = 0;
+ while (xmlEventIterator.hasNext() && !found) {
+ xmlEvent = xmlEventIterator.next();
+
+ subOutputProcessorChain.reset();
+ subOutputProcessorChain.processEvent(xmlEvent);
+
+ //loop until we reach the token end element
+ if (xmlEvent.isEndElement()) {
+ EndElement endElement = xmlEvent.asEndElement();
+ if (level == 0 && endElement.getName().equals(matchingElementName)) {
+ found = true;
+ //output now the current header
+ processHeaderEvent(subOutputProcessorChain);
+ }
+ level--;
+ } else if (xmlEvent.isStartElement()) {
+ level++;
+ }
+ }
+ }
+ }
+ }
+ }
}
- SecurityTokenProvider wrappingSecurityTokenProvider = outputProcessorChain.getSecurityContext().getSecurityTokenProvider(tokenId);
- if (wrappingSecurityTokenProvider == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE);
+ //loop until our security header end element and unset the flag
+ while (xmlEventIterator.hasNext()) {
+ XMLEvent xmlEvent = xmlEventIterator.next();
+ if (xmlEvent.isEndElement()) {
+ EndElement endElement = xmlEvent.asEndElement();
+ if (endElement.getName().equals(WSSConstants.TAG_wsse_Security)) {
+ ((WSSDocumentContext) subOutputProcessorChain.getDocumentContext()).setInSecurityHeader(false);
+ subOutputProcessorChain.reset();
+ subOutputProcessorChain.processEvent(xmlEvent);
+ break;
+ }
+ }
+ subOutputProcessorChain.reset();
+ subOutputProcessorChain.processEvent(xmlEvent);
}
- final SecurityToken wrappingSecurityToken = wrappingSecurityTokenProvider.getSecurityToken(null);
- if (wrappingSecurityToken == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE);
+ //loop throug the rest of the document
+ while (xmlEventIterator.hasNext()) {
+ XMLEvent xmlEvent = xmlEventIterator.next();
+ subOutputProcessorChain.reset();
+ subOutputProcessorChain.processEvent(xmlEvent);
}
+ subOutputProcessorChain.reset();
+ //call final on the rest of the chain
+ subOutputProcessorChain.doFinal();
+ //this processor is now finished and we can remove it now
+ subOutputProcessorChain.removeProcessor(this);
+ }
+
+ @Override
+ protected SignedInfoProcessor newSignedInfoProcessor(SignatureAlgorithm signatureAlgorithm) throws XMLSecurityException {
+ this.signedInfoProcessor = new SignedInfoProcessor(getSecurityProperties(), getAction(), signatureAlgorithm);
+ this.signedInfoProcessor.getAfterProcessors().add(SignatureEndingOutputProcessor.class.getName());
+ return this.signedInfoProcessor;
+ }
+
+ @Override
+ protected void processHeaderEvent(OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
+ super.processHeaderEvent(outputProcessorChain);
- signatureAlgorithm.engineInitSign(wrappingSecurityToken.getSecretKey(getSecurityProperties().getSignatureAlgorithm(), null));
+ SignatureValueSecurityEvent signatureValueSecurityEvent = new SignatureValueSecurityEvent(SecurityEvent.Event.SignatureValue);
+ signatureValueSecurityEvent.setSignatureValue(this.signedInfoProcessor.getSignatureValue());
+ ((WSSecurityContext) outputProcessorChain.getSecurityContext()).registerSecurityEvent(signatureValueSecurityEvent);
+ }
- SignedInfoProcessor signedInfoProcessor = new SignedInfoProcessor(getSecurityProperties(), getAction(), signatureAlgorithm);
- subOutputProcessorChain.addProcessor(signedInfoProcessor);
+ @Override
+ protected void createKeyInfoStructureForSignature(
+ OutputProcessorChain outputProcessorChain,
+ SecurityToken securityToken,
+ boolean useSingleCertificate)
+ throws XMLStreamException, XMLSecurityException {
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_SignedInfo, null);
+ WSSConstants.KeyIdentifierType keyIdentifierType = ((WSSSecurityProperties) getSecurityProperties()).getSignatureKeyIdentifierType();
- attributes = new HashMap<QName, String>();
- attributes.put(Constants.ATT_NULL_Algorithm, getSecurityProperties().getSignatureCanonicalizationAlgorithm());
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_CanonicalizationMethod, attributes);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_CanonicalizationMethod);
+ Map<QName, String> attributes = new HashMap<QName, String>();
+ attributes.put(WSSConstants.ATT_wsu_Id, "STRId-" + UUID.randomUUID().toString());
+ if ((keyIdentifierType == WSSConstants.KeyIdentifierType.BST_DIRECT_REFERENCE
+ || keyIdentifierType == WSSConstants.KeyIdentifierType.BST_EMBEDDED)
+ && !useSingleCertificate) {
+ attributes.put(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_X509PKIPathv1);
+ } else if (WSSConstants.Saml10Token.equals(securityToken.getTokenType())
+ || WSSConstants.Saml11Token.equals(securityToken.getTokenType())) {
+ attributes.put(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_SAML11_TOKEN_PROFILE_TYPE);
+ } else if (WSSConstants.Saml20Token.equals(securityToken.getTokenType())) {
+ attributes.put(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_SAML20_TOKEN_PROFILE_TYPE);
+ }
+ createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference, attributes);
- attributes = new HashMap<QName, String>();
- attributes.put(Constants.ATT_NULL_Algorithm, getSecurityProperties().getSignatureAlgorithm());
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_SignatureMethod, attributes);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_SignatureMethod);
+ X509Certificate[] x509Certificates = securityToken.getX509Certificates();
+ String tokenId = securityToken.getId();
- Iterator<SignaturePartDef> signaturePartDefIterator = signaturePartDefList.iterator();
- while (signaturePartDefIterator.hasNext()) {
- SignaturePartDef signaturePartDef = signaturePartDefIterator.next();
- attributes = new HashMap<QName, String>();
- attributes.put(Constants.ATT_NULL_URI, "#" + signaturePartDef.getSigRefId());
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_Reference, attributes);
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_Transforms, null);
-
- if (signaturePartDef.getTransformAlgo() != null) {
- attributes = new HashMap<QName, String>();
- attributes.put(Constants.ATT_NULL_Algorithm, signaturePartDef.getTransformAlgo());
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_Transform, attributes);
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_wsse_TransformationParameters, null);
- attributes = new HashMap<QName, String>();
- attributes.put(Constants.ATT_NULL_Algorithm, signaturePartDef.getC14nAlgo());
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_CanonicalizationMethod, attributes);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_CanonicalizationMethod);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_wsse_TransformationParameters);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_Transform);
- } else {
- attributes = new HashMap<QName, String>();
- attributes.put(Constants.ATT_NULL_Algorithm, signaturePartDef.getC14nAlgo());
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_Transform, attributes);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_Transform);
- }
+ if (keyIdentifierType == WSSConstants.KeyIdentifierType.ISSUER_SERIAL) {
+ createX509IssuerSerialStructure(outputProcessorChain, x509Certificates);
+ } else if (keyIdentifierType == WSSConstants.KeyIdentifierType.SKI_KEY_IDENTIFIER) {
+ createX509SubjectKeyIdentifierStructure(outputProcessorChain, x509Certificates);
+ } else if (keyIdentifierType == WSSConstants.KeyIdentifierType.X509_KEY_IDENTIFIER) {
+ createX509KeyIdentifierStructure(outputProcessorChain, x509Certificates);
+ } else if (keyIdentifierType == WSSConstants.KeyIdentifierType.THUMBPRINT_IDENTIFIER) {
+ createThumbprintKeyIdentifierStructure(outputProcessorChain, x509Certificates);
+ } else if (keyIdentifierType == WSSConstants.KeyIdentifierType.BST_EMBEDDED) {
+ createBSTReferenceStructure(outputProcessorChain, tokenId, x509Certificates, useSingleCertificate, true);
+ } else if (keyIdentifierType == WSSConstants.KeyIdentifierType.BST_DIRECT_REFERENCE) {
+ createBSTReferenceStructure(outputProcessorChain, tokenId, x509Certificates, useSingleCertificate, false);
+ } else if (keyIdentifierType == WSSConstants.KeyIdentifierType.EMBEDDED_SECURITY_TOKEN_REF) {
+ createEmbeddedSecurityTokenReferenceStructure(outputProcessorChain, tokenId);
+ } else if (keyIdentifierType == WSSConstants.KeyIdentifierType.EMEDDED_KEYIDENTIFIER_REF) {
+ createEmbeddedKeyIdentifierStructure(outputProcessorChain, securityToken.getTokenType(), tokenId);
+ } else if (keyIdentifierType == WSSConstants.KeyIdentifierType.USERNAMETOKEN_REFERENCE) {
+ createUsernameTokenReferenceStructure(outputProcessorChain, tokenId);
+ } else {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_SIGNATURE, "unsupportedSecurityToken", keyIdentifierType.name());
+ }
+ createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference);
+ }
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_Transforms);
+ //todo common method
+ protected void createX509SubjectKeyIdentifierStructure(OutputProcessorChain outputProcessorChain, X509Certificate[] x509Certificates) throws XMLSecurityException, XMLStreamException {
+ // As per the 1.1 specification, SKI can only be used for a V3 certificate
+ if (x509Certificates[0].getVersion() != 3) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_SIGNATURE, "invalidCertForSKI");
+ }
- attributes = new HashMap<QName, String>();
- attributes.put(Constants.ATT_NULL_Algorithm, getSecurityProperties().getSignatureDigestAlgorithm());
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_DigestMethod, attributes);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_DigestMethod);
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_DigestValue, null);
- createCharactersAndOutputAsEvent(subOutputProcessorChain, signaturePartDef.getDigestValue());
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_DigestValue);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_Reference);
- }
-
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_SignedInfo);
- subOutputProcessorChain.removeProcessor(signedInfoProcessor);
-
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_SignatureValue, null);
- final byte[] signatureValue = signedInfoProcessor.getSignatureValue();
- createCharactersAndOutputAsEvent(subOutputProcessorChain, new Base64(76, new byte[]{'\n'}).encodeToString(signatureValue));
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_SignatureValue);
-
- attributes = new HashMap<QName, String>();
- attributes.put(Constants.ATT_NULL_Id, "KeyId-" + UUID.randomUUID().toString());
- createStartElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_KeyInfo, attributes);
- createSecurityTokenReferenceStructureForSignature(subOutputProcessorChain, wrappingSecurityToken, getSecurityProperties().getSignatureKeyIdentifierType(), getSecurityProperties().isUseSingleCert());
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_KeyInfo);
- createEndElementAndOutputAsEvent(subOutputProcessorChain, Constants.TAG_dsig_Signature);
+ Map<QName, String> attributes = new HashMap<QName, String>();
+ attributes.put(WSSConstants.ATT_NULL_EncodingType, WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING);
+ attributes.put(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_X509SubjectKeyIdentifier);
+ createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_KeyIdentifier, attributes);
+ byte data[] = getSecurityProperties().getSignatureCrypto().getSKIBytesFromCert(x509Certificates[0]);
+ createCharactersAndOutputAsEvent(outputProcessorChain, new Base64(76, new byte[]{'\n'}).encodeToString(data));
+ createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_KeyIdentifier);
+ }
- SignatureValueSecurityEvent signatureValueSecurityEvent = new SignatureValueSecurityEvent(SecurityEvent.Event.SignatureValue);
- signatureValueSecurityEvent.setSignatureValue(signatureValue);
- outputProcessorChain.getSecurityContext().registerSecurityEvent(signatureValueSecurityEvent);
+ //todo common method
+ protected void createX509KeyIdentifierStructure(OutputProcessorChain outputProcessorChain, X509Certificate[] x509Certificates) throws XMLStreamException, XMLSecurityException {
+ Map<QName, String> attributes = new HashMap<QName, String>();
+ attributes.put(WSSConstants.ATT_NULL_EncodingType, WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING);
+ attributes.put(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_X509_V3_TYPE);
+ createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_KeyIdentifier, attributes);
+ try {
+ createCharactersAndOutputAsEvent(outputProcessorChain, new Base64(76, new byte[]{'\n'}).encodeToString(x509Certificates[0].getEncoded()));
+ } catch (CertificateEncodingException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_SIGNATURE, e);
+ }
+ createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_KeyIdentifier);
}
- class SignedInfoProcessor extends AbstractOutputProcessor {
+ //todo common methdod
+ protected void createThumbprintKeyIdentifierStructure(OutputProcessorChain outputProcessorChain, X509Certificate[] x509Certificates) throws XMLStreamException, XMLSecurityException {
+ Map<QName, String> attributes = new HashMap<QName, String>();
+ attributes.put(WSSConstants.ATT_NULL_EncodingType, WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING);
+ attributes.put(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_THUMBPRINT);
+ createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_KeyIdentifier, attributes);
+ try {
+ MessageDigest sha;
+ sha = MessageDigest.getInstance("SHA-1");
+ sha.reset();
+ sha.update(x509Certificates[0].getEncoded());
+ byte[] data = sha.digest();
+
+ createCharactersAndOutputAsEvent(outputProcessorChain, new Base64(76, new byte[]{'\n'}).encodeToString(data));
+ } catch (CertificateEncodingException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_SIGNATURE, e);
+ } catch (NoSuchAlgorithmException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_SIGNATURE, e);
+ }
+ createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_KeyIdentifier);
+ }
- private SignerOutputStream signerOutputStream;
- private OutputStream bufferedSignerOutputStream;
- private Transformer transformer;
-
- SignedInfoProcessor(SecurityProperties securityProperties, Constants.Action action, SignatureAlgorithm signatureAlgorithm) throws WSSecurityException {
- super(securityProperties, action);
- this.getAfterProcessors().add(SignatureEndingOutputProcessor.class.getName());
-
- signerOutputStream = new SignerOutputStream(signatureAlgorithm);
- bufferedSignerOutputStream = new BufferedOutputStream(signerOutputStream);
-
- try {
- transformer = Utils.getTransformer(null, this.bufferedSignerOutputStream, getSecurityProperties().getSignatureCanonicalizationAlgorithm());
- } catch (NoSuchMethodException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, e);
- } catch (InstantiationException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, e);
- } catch (IllegalAccessException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, e);
- } catch (InvocationTargetException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, e);
- }
+ //todo common method
+ protected void createBSTReferenceStructure(OutputProcessorChain outputProcessorChain, String referenceId, X509Certificate[] x509Certificates, boolean useSingleCertificate, boolean embed) throws XMLStreamException, XMLSecurityException {
+ Map<QName, String> attributes = new HashMap<QName, String>();
+ String valueType;
+ if (useSingleCertificate) {
+ valueType = WSSConstants.NS_X509_V3_TYPE;
+ } else {
+ valueType = WSSConstants.NS_X509PKIPathv1;
}
+ attributes.put(WSSConstants.ATT_NULL_URI, "#" + referenceId);
+ attributes.put(WSSConstants.ATT_NULL_ValueType, valueType);
+ createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_Reference, attributes);
+ if (embed) {
+ createBinarySecurityTokenStructure(outputProcessorChain, referenceId, x509Certificates, useSingleCertificate);
+ }
+ createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_Reference);
+ }
- public byte[] getSignatureValue() throws WSSecurityException {
- try {
- bufferedSignerOutputStream.close();
- return signerOutputStream.sign();
- } catch (IOException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, e);
+ //todo common method
+ protected void createBinarySecurityTokenStructure(OutputProcessorChain outputProcessorChain, String referenceId, X509Certificate[] x509Certificates, boolean useSingleCertificate) throws XMLStreamException, XMLSecurityException {
+ Map<QName, String> attributes = new HashMap<QName, String>();
+ String valueType;
+ if (useSingleCertificate) {
+ valueType = WSSConstants.NS_X509_V3_TYPE;
+ } else {
+ valueType = WSSConstants.NS_X509PKIPathv1;
+ }
+ attributes.put(WSSConstants.ATT_NULL_EncodingType, WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING);
+ attributes.put(WSSConstants.ATT_NULL_ValueType, valueType);
+ attributes.put(WSSConstants.ATT_wsu_Id, referenceId);
+ createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken, attributes);
+ try {
+ if (useSingleCertificate) {
+ createCharactersAndOutputAsEvent(outputProcessorChain, new Base64(76, new byte[]{'\n'}).encodeToString(x509Certificates[0].getEncoded()));
+ } else {
+ try {
+ CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
+ List<X509Certificate> certificates = Arrays.asList(x509Certificates);
+ createCharactersAndOutputAsEvent(outputProcessorChain, new Base64(76, new byte[]{'\n'}).encodeToString(certificateFactory.generateCertPath(certificates).getEncoded()));
+ } catch (CertificateException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
+ } catch (NoSuchProviderException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
+ }
}
+ } catch (CertificateEncodingException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_SIGNATURE, e);
+ }
+ createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken);
+ }
+
+ //todo common method
+ protected void createEmbeddedKeyIdentifierStructure(OutputProcessorChain outputProcessorChain, XMLSecurityConstants.TokenType tokenType, String referenceId) throws XMLStreamException, XMLSecurityException {
+ Map<QName, String> attributes = new HashMap<QName, String>();
+ if (tokenType.equals(WSSConstants.Saml10Token) || tokenType.equals(WSSConstants.Saml11Token)) {
+ attributes.put(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_SAML10_TYPE);
+ } else if (tokenType.equals(WSSConstants.Saml20Token)) {
+ attributes.put(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_SAML20_TYPE);
}
+ createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_KeyIdentifier, attributes);
+ createCharactersAndOutputAsEvent(outputProcessorChain, referenceId);
+ createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_KeyIdentifier);
+ }
- @Override
- public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, WSSecurityException {
- transformer.transform(xmlEvent);
- outputProcessorChain.processEvent(xmlEvent);
+ //todo common method
+ protected void createEmbeddedSecurityTokenReferenceStructure(OutputProcessorChain outputProcessorChain, String referenceId) throws XMLStreamException, XMLSecurityException {
+ Map<QName, String> attributes = new HashMap<QName, String>();
+ attributes.put(WSSConstants.ATT_NULL_URI, "#" + referenceId);
+ createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_Reference, attributes);
+ createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_Reference);
+ }
+
+ //todo common method:
+ protected void createUsernameTokenReferenceStructure(OutputProcessorChain outputProcessorChain, String tokenId) throws XMLStreamException, XMLSecurityException {
+ Map<QName, String> attributes = new HashMap<QName, String>();
+ attributes.put(WSSConstants.ATT_NULL_URI, "#" + tokenId);
+ attributes.put(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_USERNAMETOKEN_PROFILE_UsernameToken);
+ createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_Reference, attributes);
+ createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_Reference);
+ }
+
+ protected void createTransformsStructureForSignature(OutputProcessorChain subOutputProcessorChain, SignaturePartDef signaturePartDef) throws XMLStreamException, XMLSecurityException {
+ Map<QName, String> attributes;
+ if (signaturePartDef.getTransformAlgo() != null) {
+ attributes = new HashMap<QName, String>();
+ attributes.put(WSSConstants.ATT_NULL_Algorithm, signaturePartDef.getTransformAlgo());
+ createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_dsig_Transform, attributes);
+ createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse_TransformationParameters, null);
+ attributes = new HashMap<QName, String>();
+ attributes.put(WSSConstants.ATT_NULL_Algorithm, signaturePartDef.getC14nAlgo());
+ createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_dsig_CanonicalizationMethod, attributes);
+ createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_dsig_CanonicalizationMethod);
+ createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse_TransformationParameters);
+ createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_dsig_Transform);
+ } else {
+ attributes = new HashMap<QName, String>();
+ attributes.put(WSSConstants.ATT_NULL_Algorithm, signaturePartDef.getC14nAlgo());
+ createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_dsig_Transform, attributes);
+ createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_dsig_Transform);
}
}
}