Posted to commits@cxf.apache.org by dv...@apache.org on 2010/08/05 00:02:12 UTC
svn commit: r982413 -
/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
Author: dvaleri
Date: Wed Aug 4 22:02:12 2010
New Revision: 982413
URL: http://svn.apache.org/viewvc?rev=982413&view=rev
Log:
[CXF-2928] Add ability to send X509Data in lieu of KeyValue data in RST.
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java?rev=982413&r1=982412&r2=982413&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java Wed Aug 4 22:02:12 2010
@@ -112,6 +112,7 @@ import org.apache.ws.security.processor.
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.keys.content.keyvalues.DSAKeyValue;
import org.apache.xml.security.keys.content.keyvalues.RSAKeyValue;
@@ -139,6 +140,7 @@ public class STSClient implements Config
String namespace = STSUtils.WST_NS_05_12;
String addressingNamespace;
+ boolean useCertificateForConfirmationKeyInfo;
boolean isSecureConv;
int ttl = 300;
@@ -290,6 +292,22 @@ public class STSClient implements Config
return keySize;
}
+ /**
+ * Indicate whether to use the signer's public X509 certificate for the subject confirmation key info
+ * when creating a RequestsSecurityToken message. If the property is set to 'false', only the public key
+ * value will be provided in the request. If the property is set to 'true' the complete certificate will
+ * be sent in the request.
+ *
+ * Note: this setting is only applicable for assertions that use an asymmetric proof key
+ */
+ public void setUseCertificateForConfirmationKeyInfo(boolean useCertificate) {
+ this.useCertificateForConfirmationKeyInfo = useCertificate;
+ }
+
+ public boolean isUseCertificateForConfirmationKeyInfo() {
+ return useCertificateForConfirmationKeyInfo;
+ }
+
protected void setPolicyInternal(Policy newPolicy) {
this.policy = newPolicy;
if (algorithmSuite == null) {
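Review bot: The new Javadoc on setUseCertificateForConfirmationKeyInfo misspells the message name as "RequestsSecurityToken"; it should read `when creating a RequestSecurityToken message`. The getter isUseCertificateForConfirmationKeyInfo has no Javadoc at all, and the setter lacks a `@param useCertificate` tag; a one-line summary on the getter pointing to the setter's description would keep the pair consistent with the documented accessors around it. It may also be worth stating in the setter's Javadoc that the default is false, since the field is never initialised explicitly and callers of the existing KeyValue behaviour see no change unless they opt in.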
@@ -439,51 +457,13 @@ public class STSClient implements Config
keySize = 256;
}
if (keyType.endsWith("SymmetricKey")) {
- if (!wroteKeySize && (!isSecureConv || keySize != 256)) {
- writer.writeStartElement("wst", "KeySize", namespace);
- writer.writeCharacters(Integer.toString(keySize));
- writer.writeEndElement();
- }
-
- if (requiresEntropy) {
- writer.writeStartElement("wst", "Entropy", namespace);
- writer.writeStartElement("wst", "BinarySecret", namespace);
- writer.writeAttribute("Type", namespace + "/Nonce");
- if (algorithmSuite == null) {
- requestorEntropy = WSSecurityUtil.generateNonce(keySize / 8);
- } else {
- requestorEntropy = WSSecurityUtil
- .generateNonce(algorithmSuite.getMaximumSymmetricKeyLength() / 8);
- }
- writer.writeCharacters(Base64.encode(requestorEntropy));
-
- writer.writeEndElement();
- writer.writeEndElement();
- writer.writeStartElement("wst", "ComputedKeyAlgorithm", namespace);
- writer.writeCharacters(namespace + "/CK/PSHA1");
- writer.writeEndElement();
- }
+ requestorEntropy = writeElementsForRSTSymmetricKey(writer, wroteKeySize);
} else if (keyType.endsWith("PublicKey")) {
- writer.writeStartElement("wst", "UseKey", namespace);
- writer.writeStartElement("dsig", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
- writer.writeNamespace("dsig", "http://www.w3.org/2000/09/xmldsig#");
- writer.writeStartElement("dsig", "KeyValue", "http://www.w3.org/2000/09/xmldsig#");
crypto = createCrypto(false);
cert = getCert(crypto);
- PublicKey key = cert.getPublicKey();
- String pubKeyAlgo = key.getAlgorithm();
- if ("DSA".equalsIgnoreCase(pubKeyAlgo)) {
- DSAKeyValue dsaKeyValue = new DSAKeyValue(writer.getDocument(), key);
- writer.getCurrentNode().appendChild(dsaKeyValue.getElement());
- } else if ("RSA".equalsIgnoreCase(pubKeyAlgo)) {
- RSAKeyValue rsaKeyValue = new RSAKeyValue(writer.getDocument(), key);
- writer.getCurrentNode().appendChild(rsaKeyValue.getElement());
- }
-
- writer.writeEndElement();
- writer.writeEndElement();
- writer.writeEndElement();
+ writeElementsForRSTPublicKey(writer, cert);
}
+
if (target != null) {
writer.writeStartElement("wst", "RenewTarget", namespace);
Element el = target.getUnattachedReference();
@@ -506,6 +486,66 @@ public class STSClient implements Config
}
return token;
}
+
+ private byte[] writeElementsForRSTSymmetricKey(W3CDOMStreamWriter writer,
+ boolean wroteKeySize) throws Exception {
+ byte[] requestorEntropy = null;
+
+ if (!wroteKeySize && (!isSecureConv || keySize != 256)) {
+ writer.writeStartElement("wst", "KeySize", namespace);
+ writer.writeCharacters(Integer.toString(keySize));
+ writer.writeEndElement();
+ }
+
+ if (requiresEntropy) {
+ writer.writeStartElement("wst", "Entropy", namespace);
+ writer.writeStartElement("wst", "BinarySecret", namespace);
+ writer.writeAttribute("Type", namespace + "/Nonce");
+ if (algorithmSuite == null) {
+ requestorEntropy = WSSecurityUtil.generateNonce(keySize / 8);
+ } else {
+ requestorEntropy = WSSecurityUtil
+ .generateNonce(algorithmSuite.getMaximumSymmetricKeyLength() / 8);
+ }
+ writer.writeCharacters(Base64.encode(requestorEntropy));
+
+ writer.writeEndElement();
+ writer.writeEndElement();
+ writer.writeStartElement("wst", "ComputedKeyAlgorithm", namespace);
+ writer.writeCharacters(namespace + "/CK/PSHA1");
+ writer.writeEndElement();
+ }
+ return requestorEntropy;
+ }
+
+
+ private void writeElementsForRSTPublicKey(W3CDOMStreamWriter writer,
+ X509Certificate cert) throws Exception {
+ writer.writeStartElement("wst", "UseKey", namespace);
+ writer.writeStartElement("dsig", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
+ writer.writeNamespace("dsig", "http://www.w3.org/2000/09/xmldsig#");
+
+ if (useCertificateForConfirmationKeyInfo) {
+ X509Data certElem = new X509Data(writer.getDocument());
+ certElem.addCertificate(cert);
+ writer.getCurrentNode().appendChild(certElem.getElement());
+ } else {
+ writer.writeStartElement("dsig", "KeyValue", "http://www.w3.org/2000/09/xmldsig#");
+ PublicKey key = cert.getPublicKey();
+ String pubKeyAlgo = key.getAlgorithm();
+ if ("DSA".equalsIgnoreCase(pubKeyAlgo)) {
+ DSAKeyValue dsaKeyValue = new DSAKeyValue(writer.getDocument(), key);
+ writer.getCurrentNode().appendChild(dsaKeyValue.getElement());
+ } else if ("RSA".equalsIgnoreCase(pubKeyAlgo)) {
+ RSAKeyValue rsaKeyValue = new RSAKeyValue(writer.getDocument(), key);
+ writer.getCurrentNode().appendChild(rsaKeyValue.getElement());
+ }
+ writer.writeEndElement();
+ }
+
+ writer.writeEndElement();
+ writer.writeEndElement();
+ }
private void addRequestType(String requestType, W3CDOMStreamWriter writer) throws XMLStreamException {
writer.writeStartElement("wst", "RequestType", namespace);
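Review bot: In writeElementsForRSTPublicKey the KeyValue branch emits an empty `dsig:KeyValue` element when the certificate's algorithm is neither DSA nor RSA, so the UseKey in the request carries no key material and the STS sees a malformed proof key rather than a clear error at the client. This behaviour predates the commit, but the extraction into a helper is the place to fail fast, e.g. after the RSA branch add `} else { throw new IllegalArgumentException("Unsupported public key algorithm for UseKey: " + pubKeyAlgo); }` (or the project's usual trust exception type, if one is preferred here). Both new private helpers are undocumented; a short comment on each naming the wst elements it writes and, for the symmetric helper, that it returns the requestor entropy or null when no entropy is required, would help the next reader. Finally the spacing is uneven: two blank lines precede writeElementsForRSTPublicKey while none separates its closing brace from addRequestType.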
@@ -1034,7 +1074,7 @@ public class STSClient implements Config
public void setOutFaultInterceptors(List<Interceptor<? extends Message>> interceptors) {
getOutFaultInterceptors().addAll(interceptors);
}
-
+
public void setFeatures(List<AbstractFeature> f) {
features = f;
}