Posted to commits@ws.apache.org by co...@apache.org on 2016/01/12 12:54:11 UTC
svn commit: r1724214 - in
/webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax:
impl/processor/output/ setup/
Author: coheigea
Date: Tue Jan 12 11:54:10 2016
New Revision: 1724214
URL: http://svn.apache.org/viewvc?rev=1724214&view=rev
Log:
Getting the streaming code to work with KeyValues for encryption
Modified:
webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java
webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java
webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java?rev=1724214&r1=1724213&r2=1724214&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java Tue Jan 12 11:54:10 2016
@@ -156,14 +156,14 @@ public class BinarySecurityTokenOutputPr
if (WSSUtils.isSecurityHeaderElement(xmlSecEvent, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
final QName headerElementName = WSSConstants.TAG_wsse_BinarySecurityToken;
- OutputProcessorUtils.updateSecurityHeaderOrder(
- outputProcessorChain, headerElementName, getAction(), false);
-
- OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())
|| WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(getAction())
|| WSSConstants.KERBEROS_TOKEN.equals(getAction())) {
+ OutputProcessorUtils.updateSecurityHeaderOrder(
+ outputProcessorChain, headerElementName, getAction(), false);
+ OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
+
List<XMLSecAttribute> attributes = new ArrayList<>(3);
attributes.add(createAttribute(WSSConstants.ATT_NULL_EncodingType, WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING));
attributes.add(createAttribute(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_GSS_Kerberos5_AP_REQ));
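Review bot: The `OutputProcessorUtils.updateSecurityHeaderOrder(...)` call and the `createSubChain(this)` line are now repeated verbatim in the Kerberos branch here (L31-33) and again in the new certificate branch of the next hunk (L45-47). Both branches need exactly the same setup, so it would be cleaner to decide once whether this processor has anything to emit (Kerberos action, or a non-empty certificate array), perform the header-order update and sub-chain creation a single time inside that guard, and only then choose between the Kerberos and certificate bodies. That also keeps the two copies from drifting apart the next time the ordering logic changes. The enclosing method starts before this hunk and continues past it.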
@@ -179,7 +179,12 @@ public class BinarySecurityTokenOutputPr
getAction(), false);
WSSUtils.createReferenceListStructureForEncryption(this, subOutputProcessorChain);
}
- } else {
+ } else if (securityToken.getX509Certificates() != null
+ && securityToken.getX509Certificates().length > 0) {
+ OutputProcessorUtils.updateSecurityHeaderOrder(
+ outputProcessorChain, headerElementName, getAction(), false);
+ OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
+
boolean useSingleCertificate = getSecurityProperties().isUseSingleCert();
WSSUtils.createBinarySecurityTokenStructure(
this, subOutputProcessorChain, securityToken.getId(),
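Review bot: When the token is neither a Kerberos token nor carries a certificate, the new `else if` at L43-44 has no `else`, so the processor silently emits nothing and never updates the security header order for this token. If that is the intended path for a key wrapped by a bare public key (the EncryptedKey processor writes the KeyValue in this same commit), make it explicit with a trailing comment such as `// no certificate (KeyValue case): nothing to emit here, the EncryptedKey processor writes the KeyValue structure`; otherwise a token with neither certificate nor public key should fail loudly rather than vanish from the header. `securityToken.getX509Certificates()` is also evaluated twice in the condition; hoisting it into a local array would read better. The enclosing method continues past the end of the hunk.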
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java?rev=1724214&r1=1724213&r2=1724214&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java Tue Jan 12 11:54:10 2016
@@ -23,6 +23,7 @@ import java.security.InvalidAlgorithmPar
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
@@ -207,7 +208,20 @@ public class EncryptedKeyOutputProcessor
OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
- final X509Certificate x509Certificate = securityToken.getKeyWrappingToken().getX509Certificates()[0];
+ PublicKey publicKey = null;
+ if (securityToken.getKeyWrappingToken().getX509Certificates() != null
+ && securityToken.getKeyWrappingToken().getX509Certificates().length > 0) {
+ publicKey = securityToken.getKeyWrappingToken().getX509Certificates()[0].getPublicKey();
+ } else {
+ publicKey = securityToken.getKeyWrappingToken().getPublicKey();
+ }
+ if (publicKey == null) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE,
+ "failedCredentialLoad"
+ );
+ }
+
final String encryptionKeyTransportAlgorithm = getSecurityProperties().getEncryptionKeyTransportAlgorithm();
List<XMLSecAttribute> attributes = new ArrayList<>(1);
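Review bot: The null check at L75-79 reports the missing wrapping key as `ErrorCode.FAILURE` / `"failedCredentialLoad"`, while the same condition in OutboundWSSec in this commit (L133) throws `ErrorCode.FAILED_ENCRYPTION` / `"noCert"`; a caller diagnosing a failed encryption setup would expect one error code for one condition, so `FAILED_ENCRYPTION` would be the consistent choice here. `securityToken.getKeyWrappingToken().getX509Certificates()` is also evaluated three times in L69-71; hoist it once as `X509Certificate[] certs = securityToken.getKeyWrappingToken().getX509Certificates();`, after which `publicKey` can be declared `final` and assigned with a single conditional expression instead of the `= null` plus if/else. The enclosing method starts before this hunk and continues past it.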
@@ -290,7 +304,7 @@ public class EncryptedKeyOutputProcessor
algorithmParameterSpec = new OAEPParameterSpec(jceDigestAlgorithm, "MGF1", mgfParameterSpec, pSource);
}
- cipher.init(Cipher.WRAP_MODE, x509Certificate.getPublicKey(), algorithmParameterSpec);
+ cipher.init(Cipher.WRAP_MODE, publicKey, algorithmParameterSpec);
Key secretKey = securityToken.getSecretKey("");
@@ -347,6 +361,14 @@ public class EncryptedKeyOutputProcessor
outputDOMElement(securityToken.getCustomTokenReference(), outputProcessorChain);
return;
}
+
+ X509Certificate[] x509Certificates = securityToken.getKeyWrappingToken().getX509Certificates();
+ if ((x509Certificates == null || x509Certificates.length == 0)
+ && securityToken.getKeyWrappingToken().getPublicKey() != null) {
+ WSSUtils.createKeyValueTokenStructure(this, outputProcessorChain,
+ securityToken.getKeyWrappingToken().getPublicKey());
+ return;
+ }
List<XMLSecAttribute> attributes = new ArrayList<>(2);
attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, IDGenerator.generateID(null)));
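Review bot: Once a KeyValue is written at L98-99 the method returns before reaching the `keyIdentifier`-driven SecurityTokenReference branches further down (visible at L109), so whatever key-identifier type the caller configured is silently ignored whenever the wrapping token has no certificate. That is defensible — there is nothing to reference without a certificate — but it should be stated so nobody later reads it as a bug: `// No certificate to reference: write the bare public key as a KeyValue; the configured keyIdentifier does not apply`. `securityToken.getKeyWrappingToken().getPublicKey()` is also evaluated twice here; a local alongside the hoisted `x509Certificates` would tidy that. The enclosing method starts before this hunk and continues past it.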
@@ -355,7 +377,6 @@ public class EncryptedKeyOutputProcessor
}
createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference, false, attributes);
- X509Certificate[] x509Certificates = securityToken.getKeyWrappingToken().getX509Certificates();
String tokenId = securityToken.getKeyWrappingToken().getId();
if (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier)) {
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java?rev=1724214&r1=1724213&r2=1724214&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java Tue Jan 12 11:54:10 2016
@@ -21,6 +21,7 @@ package org.apache.wss4j.stax.setup;
import java.io.OutputStream;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;
@@ -544,17 +545,21 @@ public class OutboundWSSec {
// Set up a security token with the certs required to encrypt the symmetric key
X509Certificate[] x509Certificates = null;
- X509Certificate x509Certificate = getReqSigCert(outputProcessorChain.getSecurityContext());
+ PublicKey publicKey = null;
if (securityProperties.isUseReqSigCertForEncryption()) {
+ X509Certificate x509Certificate = getReqSigCert(outputProcessorChain.getSecurityContext());
if (x509Certificate == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noCert");
+ publicKey = getReqSigPublicKey(outputProcessorChain.getSecurityContext());
+ if (publicKey == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noCert");
+ }
+ } else {
+ x509Certificates = new X509Certificate[1];
+ x509Certificates[0] = x509Certificate;
}
- x509Certificates = new X509Certificate[1];
- x509Certificates[0] = x509Certificate;
} else if (securityProperties.getEncryptionUseThisCertificate() != null) {
- x509Certificate = securityProperties.getEncryptionUseThisCertificate();
x509Certificates = new X509Certificate[1];
- x509Certificates[0] = x509Certificate;
+ x509Certificates[0] = securityProperties.getEncryptionUseThisCertificate();
} else {
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(securityProperties.getEncryptionUser());
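Review bot: After this change `isUseReqSigCertForEncryption()` can populate either `x509Certificates` or a bare `publicKey`, and the two locals declared at L124-126 are mutually exclusive outputs of this block, yet nothing says so where they are declared. A short comment there, e.g. `// exactly one of these is populated: a certificate chain, or the bare public key of a KeyValue-signed request`, would help readers of the revocation check and token construction below, which rely on that invariant. The `"noCert"` message at L133 is now also raised when the public-key fallback fails, which may mislead whoever reads the log; worth a more neutral message if the bundle offers one. The enclosing method starts before this hunk and continues past it.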
@@ -567,7 +572,7 @@ public class OutboundWSSec {
}
// Check for Revocation
- if (securityProperties.isEnableRevocation()) {
+ if (securityProperties.isEnableRevocation() && x509Certificates != null) {
Crypto crypto = securityProperties.getEncryptionCrypto();
crypto.verifyTrust(x509Certificates, true, null);
}
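Review bot: The added `x509Certificates != null` guard at L153 means that in the bare-public-key path nothing on the outbound side verifies trust in the key the message is about to be encrypted to, and `isEnableRevocation()` quietly becomes a no-op for that path instead of something the caller can observe. Presumably trust in a KeyValue key is established when the inbound signature is validated, but that assumption should be written down here, e.g. `// A bare public key (KeyValue) has no chain to verify or revoke; trust in it must have been established when the request signature was validated`. If that does not hold for every configuration, failing when revocation checking is enabled but no certificate is available would be the safer default. The enclosing method starts before this hunk and continues past it.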
@@ -575,7 +580,7 @@ public class OutboundWSSec {
// Create a new outbound EncryptedKey token for the cert
final String id = IDGenerator.generateID(null);
final GenericOutboundSecurityToken encryptedKeyToken =
- new GenericOutboundSecurityToken(id, WSSecurityTokenConstants.X509V3Token, null, x509Certificates);
+ new GenericOutboundSecurityToken(id, WSSecurityTokenConstants.X509V3Token, publicKey, x509Certificates);
encryptedKeyToken.addWrappedToken(securityToken);
securityToken.setKeyWrappingToken(encryptedKeyToken);
@@ -683,6 +688,28 @@ public class OutboundWSSec {
}
}
}
+ }
+ return null;
+ }
+
+ private PublicKey getReqSigPublicKey(SecurityContext securityContext) throws XMLSecurityException {
+ List<SecurityEvent> securityEventList = securityContext.getAsList(SecurityEvent.class);
+ if (securityEventList != null) {
+ for (int i = 0; i < securityEventList.size(); i++) {
+ SecurityEvent securityEvent = securityEventList.get(i);
+ if (securityEvent instanceof TokenSecurityEvent) {
+ @SuppressWarnings("unchecked")
+ TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent
+ = (TokenSecurityEvent<? extends SecurityToken>) securityEvent;
+ if (!tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_MainSignature)) {
+ continue;
+ }
+ PublicKey publicKey = tokenSecurityEvent.getSecurityToken().getPublicKey();
+ if (publicKey != null) {
+ return publicKey;
+ }
+ }
+ }
}
return null;
}
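Review bot: `getReqSigPublicKey` at L173-193 duplicates the event scan of the preceding `getReqSigCert` (its tail is visible at L166-171) almost line for line — same `getAsList`, same `instanceof` cast, same `TokenUsage_MainSignature` filter — differing only in which accessor is called on the matching token. Factoring the scan into one private helper that returns the main-signature token lets both lookups become one-liners and keeps them from drifting apart; the indexed `for` can also become an enhanced `for`. One subtlety: the original keeps scanning if the first main-signature token has a null public key, whereas a shared helper returns the first such token, so confirm that a message carries at most one main-signature token before adopting this. The helper and the rewritten `getReqSigPublicKey` follow; `getReqSigCert` would be reduced the same way.
```java
/** Scans the inbound security events for the token that produced the request's main signature; null if none. */
private SecurityToken getReqSigToken(SecurityContext securityContext) throws XMLSecurityException {
    List<SecurityEvent> securityEventList = securityContext.getAsList(SecurityEvent.class);
    if (securityEventList == null) {
        return null;
    }
    for (SecurityEvent securityEvent : securityEventList) {
        if (securityEvent instanceof TokenSecurityEvent) {
            @SuppressWarnings("unchecked")
            TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent
                = (TokenSecurityEvent<? extends SecurityToken>) securityEvent;
            SecurityToken token = tokenSecurityEvent.getSecurityToken();
            if (token.getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_MainSignature)) {
                return token;
            }
        }
    }
    return null;
}

/** Public key of the request's main-signature token, or null if there is no such token or it carries no key. */
private PublicKey getReqSigPublicKey(SecurityContext securityContext) throws XMLSecurityException {
    SecurityToken token = getReqSigToken(securityContext);
    return token == null ? null : token.getPublicKey();
}
```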