You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by sh...@apache.org on 2008/02/08 11:06:22 UTC
svn commit: r619820 [2/2] - in /webservices/rampart/trunk/c: ./ build/win32/
include/ src/ src/core/ src/handlers/ src/omxmlsec/ src/omxmlsec/tokens/
src/secconv/ src/trust/ src/util/
Modified: webservices/rampart/trunk/c/src/util/rampart_encryption.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_encryption.c?rev=619820&r1=619819&r2=619820&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_encryption.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_encryption.c Fri Feb 8 02:06:20 2008
@@ -32,6 +32,8 @@
#include <oxs_derivation.h>
#include <axis2_key_type.h>
#include <oxs_derivation.h>
+#include <rampart_sct_provider.h>
+
/*Private functions*/
@@ -224,12 +226,14 @@
axis2_char_t *asym_key_id = NULL;
axis2_bool_t free_asym_key_id = AXIS2_FALSE;
axiom_node_t *encrypted_key_node = NULL;
+ axiom_node_t *key_reference_node = NULL;
axiom_node_t *sig_node = NULL;
axiom_node_t *data_ref_list_node = NULL;
axis2_bool_t use_derived_keys = AXIS2_TRUE;
- axis2_bool_t free_session_key = AXIS2_FALSE;
axis2_bool_t server_side = AXIS2_FALSE;
rp_property_t *token = NULL;
+ rp_property_type_t token_type;
+
axis2_bool_t signature_protection = AXIS2_FALSE;
int i = 0;
int j = 0;
@@ -242,7 +246,7 @@
if(status != AXIS2_SUCCESS)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][rampart_signature] Error occured in Adding Encrypted parts..");
+ "[rampart][rampart_encryption] Error occured in Adding Encrypted parts..");
axutil_array_list_free(nodes_to_encrypt, env);
nodes_to_encrypt = NULL;
return AXIS2_FAILURE;
@@ -251,6 +255,19 @@
/*If the sp:EncryptSignature is ON && We sign before the encryption, we need to add signature node too. */
signature_protection = rampart_context_is_encrypt_signature(
rampart_context, env);
+
+ if((axutil_array_list_size(nodes_to_encrypt, env)==0))
+ {
+ if(!signature_protection)
+ {
+ AXIS2_LOG_INFO(env->log,
+ "[rampart][rampart_encryption] No parts specified or specified parts can't be found for encryprion.");
+ axutil_array_list_free(nodes_to_encrypt, env);
+ nodes_to_encrypt = NULL;
+ return AXIS2_SUCCESS;
+ }
+ }
+
if(signature_protection)
{
if(!(rampart_context_is_encrypt_before_sign(rampart_context, env)))
@@ -279,26 +296,49 @@
enc_sym_algo = OXS_DEFAULT_SYM_ALGO;
}
- session_key = rampart_context_get_session_key(rampart_context, env);
- if(!session_key){
- /*Generate the session key*/
+ /*We need to take the decision whether to use derived keys or not*/
+ server_side = axis2_msg_ctx_get_server_side(msg_ctx, env);
+ token = rampart_context_get_token(rampart_context, env, AXIS2_TRUE, server_side, AXIS2_FALSE);
+ token_type = rp_property_get_type(token, env);
+ use_derived_keys = rampart_context_check_is_derived_keys (env, token);
+
+ session_key = rampart_context_get_encryption_session_key(rampart_context, env);
+ if(!session_key)
+ {
+ /*Generate the session key. if security context token, get the
+ shared secret and create the session key.*/
session_key = oxs_key_create(env);
- status = oxs_key_for_algo(session_key, env, enc_sym_algo);
- rampart_context_set_session_key(rampart_context, env, session_key);
- free_session_key = AXIS2_TRUE;
+ if(token_type == RP_PROPERTY_SECURITY_CONTEXT_TOKEN)
+ {
+ oxs_buffer_t *key_buf = NULL;
+ key_buf = sct_provider_get_secret(env, token, server_side, AXIS2_TRUE, rampart_context, msg_ctx);
+ if(!key_buf)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][rampart_encryption]Cannot get shared secret of security context token");
+ oxs_key_free(session_key, env);
+ return AXIS2_FAILURE;
+ }
+ oxs_key_populate(session_key, env,
+ oxs_buffer_get_data(key_buf, env), "for-algo",
+ oxs_buffer_get_size(key_buf, env), OXS_KEY_USAGE_NONE);
+ }
+ else
+ {
+ status = oxs_key_for_algo(session_key, env, enc_sym_algo);
+ }
+ rampart_context_set_encryption_session_key(rampart_context, env, session_key);
}
-
+
id_list = axutil_array_list_create(env, 5);
dk_list = axutil_array_list_create(env, 5);
/* For each and every encryption part.
1. Derive a new key if key derivation is enabled. Or else use the same session key
2. Encrypt using that key
*/
-
- /*We need to take the decision whether to use derived keys or not*/
- server_side = axis2_msg_ctx_get_server_side(msg_ctx, env);
- token = rampart_context_get_token(rampart_context, env, AXIS2_TRUE, server_side, AXIS2_FALSE);
- use_derived_keys = rampart_context_check_is_derived_keys (env, token);
+
+ /*Add ReferenceList element to the Security header. Note that we pass the sec_node. Not the EncryptedKey*/
+ data_ref_list_node = oxs_token_build_reference_list_element(env, sec_node);
/*Repeat until all encryption parts are encrypted*/
for(i=0 ; i < axutil_array_list_size(nodes_to_encrypt, env); i++)
@@ -317,7 +357,8 @@
/*Create the encryption context for OMXMLSEC*/
enc_ctx = oxs_ctx_create(env);
- if(AXIS2_TRUE == use_derived_keys){
+ if(AXIS2_TRUE == use_derived_keys)
+ {
/*Derive a new key*/
derived_key = oxs_key_create(env);
status = oxs_derivation_derive_key(env, session_key, derived_key, AXIS2_TRUE);
@@ -330,11 +371,34 @@
/*Add derived key to the list. We will create tokens*/
axutil_array_list_add(dk_list, env, derived_key);
- }else{
+ key_reference_node = NULL;
+ }
+ else
+ {
/*No key derivation. We use the same session key*/
oxs_ctx_set_key(enc_ctx, env, session_key);
oxs_ctx_set_ref_key_name(enc_ctx, env, oxs_key_get_name(session_key, env));
+
+ if (token_type == RP_PROPERTY_SECURITY_CONTEXT_TOKEN)
+ {
+ if(rampart_context_is_token_include(rampart_context,
+ token, token_type, server_side, AXIS2_FALSE, env))
+ {
+ /*set the AttachedReference to key_reference_node*/
+ key_reference_node = sct_provider_get_attached_reference(env, token, server_side, AXIS2_TRUE, rampart_context, msg_ctx);
+ }
+ else
+ {
+ /*get the unattachedReference and set to key_reference_node*/
+ key_reference_node = sct_provider_get_unattached_reference(env, token, server_side, AXIS2_TRUE, rampart_context, msg_ctx);
+ }
+ }
+ else
+ {
+ key_reference_node = NULL;
+ }
}
+
/*Set the algorithm*/
oxs_ctx_set_enc_mtd_algorithm(enc_ctx, env, enc_sym_algo);
@@ -347,7 +411,7 @@
enc_data_node = oxs_token_build_encrypted_data_element(env,
parent_of_node_to_enc, OXS_TYPE_ENC_ELEMENT, enc_data_id );
status = oxs_xml_enc_encrypt_node(env, enc_ctx,
- node_to_enc, &enc_data_node);
+ node_to_enc, &enc_data_node, key_reference_node);
/*Add Ids to the list. We will create reference list*/
axutil_array_list_add(id_list, env, enc_data_id);
@@ -355,11 +419,6 @@
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_encryption] Cannot encrypt the node " );
- if(free_session_key)
- {
- oxs_key_free(session_key, env);
- session_key = NULL;
- }
for(j=0 ; j < axutil_array_list_size(id_list, env); j++)
{
axis2_char_t *id = NULL;
@@ -382,65 +441,90 @@
axutil_array_list_free(nodes_to_encrypt, env);
nodes_to_encrypt = NULL;
- /* If not done already, Encrypt the session key using the Public Key of the recipient*/
- /* Note: Here we do not send the id_list to create a ReferenceList inside the encrypted key. Instead we create the
- * ReferenceList as a child of Security element */
-
- encrypted_key_node = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_ENCRYPTED_KEY);
- if(!encrypted_key_node){
- /*Create EncryptedKey element*/
- status = rampart_enc_encrypt_session_key(env, session_key, msg_ctx, rampart_context, soap_envelope, sec_node, NULL );
- if(AXIS2_FAILURE == status){
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][rampart_encryption] Cannot encrypt the session key " );
- if(free_session_key)
- {
- oxs_key_free(session_key, env);
- session_key = NULL;
- }
- for(j=0 ; j < axutil_array_list_size(id_list, env); j++)
- {
- axis2_char_t *id = NULL;
- id = (axis2_char_t *)axutil_array_list_get(id_list, env, j);
- AXIS2_FREE(env->allocator, id);
- }
- axutil_array_list_free(id_list, env);
- id_list = NULL;
- return AXIS2_FAILURE;
+ if (token_type == RP_PROPERTY_SECURITY_CONTEXT_TOKEN)
+ {
+ if(rampart_context_is_token_include(rampart_context,
+ token, token_type, server_side, AXIS2_FALSE, env))
+ {
+ axiom_node_t *security_context_token_node = NULL;
+ /*include the security context token*/
+ security_context_token_node = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_SECURITY_CONTEXT_TOKEN);
+ if((!security_context_token_node) || (is_different_session_key_for_encryption_and_signing(env, rampart_context)))
+ {
+ security_context_token_node = sct_provider_get_token(env, token, server_side, AXIS2_TRUE, rampart_context, msg_ctx);
+ if(!security_context_token_node)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][rampart_encryption] Cannot get security context token");
+ for(j=0 ; j < axutil_array_list_size(id_list, env); j++)
+ {
+ axis2_char_t *id = NULL;
+ id = (axis2_char_t *)axutil_array_list_get(id_list, env, j);
+ AXIS2_FREE(env->allocator, id);
+ }
+ axutil_array_list_free(id_list, env);
+ id_list = NULL;
+ return AXIS2_FAILURE;
+ }
+ axiom_node_add_child(sec_node, env, security_context_token_node);
+ }
}
- /*Now we have en EncryptedKey Node*/
+ }
+ else
+ {
+ /* If not done already, Encrypt the session key using the Public Key of the recipient*/
+ /* Note: Here we do not send the id_list to create a ReferenceList inside the encrypted key. Instead we create the
+ * ReferenceList as a child of Security element */
encrypted_key_node = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_ENCRYPTED_KEY);
-
- /*Get the asym key Id*/
if(!encrypted_key_node)
{
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][rampart_encryption]Encrypting signature, EncryptedKey Not found");
- if(free_session_key)
- {
- oxs_key_free(session_key, env);
- session_key = NULL;
- }
- for(j=0 ; j < axutil_array_list_size(id_list, env); j++)
- {
- axis2_char_t *id = NULL;
- id = (axis2_char_t *)axutil_array_list_get(id_list, env, j);
- AXIS2_FREE(env->allocator, id);
- }
- axutil_array_list_free(id_list, env);
- id_list = NULL;
- return AXIS2_FAILURE;
+ /*Create EncryptedKey element*/
+ status = rampart_enc_encrypt_session_key(env, session_key, msg_ctx, rampart_context, soap_envelope, sec_node, NULL );
+ if(AXIS2_FAILURE == status)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][rampart_encryption] Cannot encrypt the session key " );
+ for(j=0 ; j < axutil_array_list_size(id_list, env); j++)
+ {
+ axis2_char_t *id = NULL;
+ id = (axis2_char_t *)axutil_array_list_get(id_list, env, j);
+ AXIS2_FREE(env->allocator, id);
+ }
+ axutil_array_list_free(id_list, env);
+ id_list = NULL;
+ return AXIS2_FAILURE;
+ }
+ /*Now we have en EncryptedKey Node*/
+ encrypted_key_node = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_ENCRYPTED_KEY);
+
+ /*Get the asym key Id*/
+ if(!encrypted_key_node)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][rampart_encryption]Encrypting signature, EncryptedKey Not found");
+ for(j=0 ; j < axutil_array_list_size(id_list, env); j++)
+ {
+ axis2_char_t *id = NULL;
+ id = (axis2_char_t *)axutil_array_list_get(id_list, env, j);
+ AXIS2_FREE(env->allocator, id);
+ }
+ axutil_array_list_free(id_list, env);
+ id_list = NULL;
+ return AXIS2_FAILURE;
+ }
+ asym_key_id = oxs_util_generate_id(env, (axis2_char_t*)OXS_ENCKEY_ID);
+ free_asym_key_id = AXIS2_TRUE;
+ if(asym_key_id)
+ {
+ oxs_axiom_add_attribute(env, encrypted_key_node, NULL,
+ NULL, OXS_ATTR_ID, asym_key_id);
+ }
}
- asym_key_id = oxs_util_generate_id(env, (axis2_char_t*)OXS_ENCKEY_ID);
- free_asym_key_id = AXIS2_TRUE;
- if(asym_key_id)
+ else
{
- oxs_axiom_add_attribute(env, encrypted_key_node, NULL,
- NULL, OXS_ATTR_ID, asym_key_id);
+ /*OK Buddy we have already created EncryptedKey node. Get the Id */
+ asym_key_id = oxs_axiom_get_attribute_value_of_node_by_name(env, encrypted_key_node, OXS_ATTR_ID, NULL);
}
- }else{
- /*OK Buddy we have already created EncryptedKey node. Get the Id */
- asym_key_id = oxs_axiom_get_attribute_value_of_node_by_name(env, encrypted_key_node, OXS_ATTR_ID, NULL);
}
/*Add used <wsc:DerivedKeyToken> elements to the header*/
@@ -450,19 +534,39 @@
dk = (oxs_key_t *)axutil_array_list_get(dk_list, env, j);
/*Build the <wsc:DerivedKeyToken> element*/
- if(dk){
+ if(dk)
+ {
axiom_node_t *dk_node = NULL;
- dk_node = oxs_derivation_build_derived_key_token(env, dk, sec_node, asym_key_id, OXS_WSS_11_VALUE_TYPE_ENCRYPTED_KEY);
+ if (token_type == RP_PROPERTY_SECURITY_CONTEXT_TOKEN)
+ {
+ if(rampart_context_is_token_include(rampart_context,
+ token, token_type, server_side, AXIS2_FALSE, env))
+ {
+ /*set the AttachedReference to key_reference_node*/
+ key_reference_node = sct_provider_get_attached_reference(env, token, server_side, AXIS2_TRUE, rampart_context, msg_ctx);
+ }
+ else
+ {
+ /*get the unattachedReference and set to key_reference_node*/
+ key_reference_node = sct_provider_get_unattached_reference(env, token, server_side, AXIS2_TRUE, rampart_context, msg_ctx);
+ }
+ dk_node = oxs_derivation_build_derived_key_token_with_stre(env, dk, sec_node, key_reference_node);
+ }
+ else
+ {
+ dk_node = oxs_derivation_build_derived_key_token(env, dk, sec_node, asym_key_id, OXS_WSS_11_VALUE_TYPE_ENCRYPTED_KEY);
+ }
+
+ /*derived key should appear before ReferenceList*/
+ oxs_axiom_interchange_nodes(env, dk_node, data_ref_list_node);
}
+
/*We will free DK here*/
oxs_key_free(dk, env);
dk = NULL;
}/*End of For loop of dk_list iteration*/
- /*Add ReferenceList element to the Security header. Note that we pass the sec_node. Not the EncryptedKey*/
- data_ref_list_node = oxs_token_build_data_reference_list(env, sec_node, id_list);
-
/*Free derrived key list*/
axutil_array_list_free(dk_list, env);
dk_list = NULL;
@@ -471,18 +575,15 @@
for(j=0 ; j < axutil_array_list_size(id_list, env); j++)
{
axis2_char_t *id = NULL;
+ axis2_char_t* mod_id = NULL;
id = (axis2_char_t *)axutil_array_list_get(id_list, env, j);
+ mod_id = axutil_stracat(env, "#",id);
+ oxs_token_build_data_reference_element(env, data_ref_list_node, mod_id);
AXIS2_FREE(env->allocator, id);
}
axutil_array_list_free(id_list, env);
id_list = NULL;
- if(free_session_key && session_key)
- {
- oxs_key_free(session_key, env);
- session_key = NULL;
- }
-
if(free_asym_key_id && asym_key_id)
{
AXIS2_FREE(env->allocator, asym_key_id);
@@ -506,7 +607,6 @@
axis2_char_t *enc_sym_algo = NULL;
oxs_key_t *session_key = NULL;
axis2_bool_t server_side = AXIS2_FALSE;
- axis2_bool_t free_session_key = AXIS2_FALSE;
rp_property_type_t token_type;
rp_property_t *token = NULL;
int i = 0;
@@ -604,13 +704,12 @@
enc_sym_algo = OXS_DEFAULT_SYM_ALGO;
}
- session_key = rampart_context_get_session_key(rampart_context, env);
+ session_key = rampart_context_get_encryption_session_key(rampart_context, env);
if(!session_key){
/*Generate the session key*/
session_key = oxs_key_create(env);
status = oxs_key_for_algo(session_key, env, enc_sym_algo);
- rampart_context_set_session_key(rampart_context, env, session_key);
- free_session_key = AXIS2_TRUE;
+ rampart_context_set_encryption_session_key(rampart_context, env, session_key);
}
if(AXIS2_FAILURE == status)
{
@@ -618,11 +717,6 @@
"[rampart][rampart_encryption] Cannot generate the key for the algorithm %s, ", enc_sym_algo);
axutil_array_list_free(nodes_to_encrypt, env);
nodes_to_encrypt = NULL;
- if (free_session_key)
- {
- oxs_key_free(session_key, env);
- session_key = NULL;
- }
return AXIS2_FAILURE;
}
@@ -656,11 +750,6 @@
"[rampart][rampart_encryption] Cannot get the node from the list to encrypt");
axutil_array_list_free(nodes_to_encrypt, env);
nodes_to_encrypt = NULL;
- if (free_session_key)
- {
- oxs_key_free(session_key, env);
- session_key = NULL;
- }
return AXIS2_FAILURE;
}
/*Create the encryption context for OMXMLSEC*/
@@ -678,7 +767,7 @@
enc_data_node = oxs_token_build_encrypted_data_element(env,
parent_of_node_to_enc, OXS_TYPE_ENC_ELEMENT, id );
enc_status = oxs_xml_enc_encrypt_node(env, enc_ctx,
- node_to_enc, &enc_data_node);
+ node_to_enc, &enc_data_node, NULL);
axutil_array_list_add(id_list, env, id);
if(AXIS2_FAILURE == enc_status)
{
@@ -686,11 +775,6 @@
"[rampart][rampart_encryption] Cannot encrypt the node " );
axutil_array_list_free(nodes_to_encrypt, env);
nodes_to_encrypt = NULL;
- if (free_session_key)
- {
- oxs_key_free(session_key, env);
- session_key = NULL;
- }
return AXIS2_FAILURE;
}
}
@@ -705,12 +789,6 @@
/*We need to encrypt the session key.*/
status = rampart_enc_encrypt_session_key(env, session_key, msg_ctx, rampart_context, soap_envelope, sec_node, id_list);
- if (free_session_key)
- {
- oxs_key_free(session_key, env);
- session_key = NULL;
- }
-
if(AXIS2_FAILURE == status){
return AXIS2_FAILURE;
}
@@ -864,9 +942,12 @@
axis2_bool_t use_derived_keys = AXIS2_TRUE;
axis2_bool_t server_side = AXIS2_FALSE;
rp_property_t *token = NULL;
+ rp_property_type_t token_type;
axis2_status_t status = AXIS2_FAILURE;
+ axiom_node_t *key_reference_node = NULL;
+ axiom_node_t *key_reference_for_encrypted_data = NULL;
- session_key = rampart_context_get_session_key(rampart_context, env);
+ session_key = rampart_context_get_encryption_session_key(rampart_context, env);
if(!session_key)
{
@@ -885,34 +966,57 @@
return AXIS2_FAILURE;
}
- encrypted_key_node = oxs_axiom_get_node_by_local_name(
- env, sec_node, OXS_NODE_ENCRYPTED_KEY);
- if(!encrypted_key_node)
+ server_side = axis2_msg_ctx_get_server_side(msg_ctx, env);
+ token = rampart_context_get_token(rampart_context, env, AXIS2_TRUE, server_side, AXIS2_FALSE);
+ token_type = rp_property_get_type(token, env);
+
+ if(token_type == RP_PROPERTY_SECURITY_CONTEXT_TOKEN)
{
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][rampart_encryption]Encrypting signature, EncryptedKey Not found");
- return AXIS2_FAILURE;
+ if(rampart_context_is_token_include(rampart_context,
+ token, token_type, server_side, AXIS2_FALSE, env))
+ {
+ /*set the AttachedReference to key_reference_node*/
+ key_reference_node = sct_provider_get_attached_reference(env, token, server_side, AXIS2_TRUE, rampart_context, msg_ctx);
+ }
+ else
+ {
+ /*get the unattachedReference and set to key_reference_node*/
+ key_reference_node = sct_provider_get_unattached_reference(env, token, server_side, AXIS2_TRUE, rampart_context, msg_ctx);
+ }
+ }
+ else
+ {
+ encrypted_key_node = oxs_axiom_get_node_by_local_name(
+ env, sec_node, OXS_NODE_ENCRYPTED_KEY);
+ if(!encrypted_key_node)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][rampart_encryption]Encrypting signature, EncryptedKey Not found");
+ return AXIS2_FAILURE;
+ }
}
enc_ctx = oxs_ctx_create(env);
/*We need to take the decision whether to use derived keys or not*/
- server_side = axis2_msg_ctx_get_server_side(msg_ctx, env);
- token = rampart_context_get_token(rampart_context, env, AXIS2_TRUE, server_side, AXIS2_FALSE);
use_derived_keys = rampart_context_check_is_derived_keys (env, token);
- if(AXIS2_TRUE == use_derived_keys){
- /*Derive a new key*/
- derived_key = oxs_key_create(env);
- status = oxs_derivation_derive_key(env, session_key, derived_key, AXIS2_TRUE);
+ if(AXIS2_TRUE == use_derived_keys)
+ {
+ /*Derive a new key*/
+ derived_key = oxs_key_create(env);
+ status = oxs_derivation_derive_key(env, session_key, derived_key, AXIS2_TRUE);
- /*Set the derived key for the encryption*/
- oxs_ctx_set_key(enc_ctx, env, derived_key);
+ /*Set the derived key for the encryption*/
+ oxs_ctx_set_key(enc_ctx, env, derived_key);
- /*Set the ref key name to build KeyInfo element. Here the key name is the derived key id*/
- oxs_ctx_set_ref_key_name(enc_ctx, env, oxs_key_get_name(derived_key, env));
- }else{
+ /*Set the ref key name to build KeyInfo element. Here the key name is the derived key id*/
+ oxs_ctx_set_ref_key_name(enc_ctx, env, oxs_key_get_name(derived_key, env));
+ }
+ else
+ {
/*No Key derivation is needed we will proceed with the same session key*/
oxs_ctx_set_key(enc_ctx, env, session_key);
+ key_reference_for_encrypted_data = key_reference_node;
}
enc_sym_algo = rampart_context_get_enc_sym_algo(rampart_context, env);
oxs_ctx_set_enc_mtd_algorithm(enc_ctx, env, enc_sym_algo);
@@ -921,33 +1025,42 @@
/*Manage the reference list*/
id_list = axutil_array_list_create(env, 0);
axutil_array_list_add(id_list, env, id);
- if((rampart_context_get_binding_type(rampart_context,env)) == RP_PROPERTY_ASYMMETRIC_BINDING){
+ if((rampart_context_get_binding_type(rampart_context,env)) == RP_PROPERTY_ASYMMETRIC_BINDING)
+ {
/*We append IDs to the EncryptedKey node*/
axiom_node_t *ref_list_node = NULL;
ref_list_node = oxs_token_build_data_reference_list(
env, encrypted_key_node, id_list);
- if(!ref_list_node){
+ if(!ref_list_node)
+ {
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][rampart_encryption]Asym Encrypting signature,"
"Building reference list failed");
return AXIS2_FAILURE;
}
- }else if((rampart_context_get_binding_type(rampart_context,env)) == RP_PROPERTY_SYMMETRIC_BINDING){
- if(AXIS2_TRUE == use_derived_keys){
+ }
+ else if((rampart_context_get_binding_type(rampart_context,env)) == RP_PROPERTY_SYMMETRIC_BINDING)
+ {
+ if((AXIS2_TRUE == use_derived_keys) || (token_type == RP_PROPERTY_SECURITY_CONTEXT_TOKEN))
+ {
/*We need to create a new reference list and then attach it before the EncryptedData(signature)*/
axiom_node_t *ref_list_node = NULL;
ref_list_node = oxs_token_build_data_reference_list(env, sec_node, id_list);
- if(!ref_list_node){
+ if(!ref_list_node)
+ {
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][rampart_encryption]Sym Encrypting signature,"
"Building reference list failed");
return AXIS2_FAILURE;
- }
- }else{
+ }
+ }
+ else
+ {
/*The session key is in use. Add a ref to the EncryptedKey's ref list*/
axiom_node_t *ref_list_node = NULL;
ref_list_node = oxs_axiom_get_first_child_node_by_name(
env, encrypted_key_node, OXS_NODE_REFERENCE_LIST, OXS_ENC_NS, NULL);
- if(ref_list_node){
+ if(ref_list_node)
+ {
/*There is a ref list node in EncryptedKey. So append*/
axiom_node_t *data_ref_node = NULL;
axis2_char_t *mod_id = NULL;
@@ -956,12 +1069,16 @@
mod_id = axutil_stracat(env, "#",id);
data_ref_node = oxs_token_build_data_reference_element(env, ref_list_node, mod_id);
- }else{
+ }
+ else
+ {
/*There is NO ref list node in EncryptedKey. So create a new one */
ref_list_node = oxs_token_build_data_reference_list(env, encrypted_key_node, id_list);
}
}
- }else{
+ }
+ else
+ {
/*Nothing to do*/
}
@@ -969,7 +1086,7 @@
enc_data_node = oxs_token_build_encrypted_data_element(
env, sec_node, OXS_TYPE_ENC_ELEMENT, id );
enc_status = oxs_xml_enc_encrypt_node(
- env, enc_ctx, node_to_enc, &enc_data_node);
+ env, enc_ctx, node_to_enc, &enc_data_node, key_reference_for_encrypted_data);
/*FREE*/
oxs_ctx_free(enc_ctx, env);
@@ -982,11 +1099,18 @@
return AXIS2_FAILURE;
}
/*If we have used a derrived key, we need to attach it to the Securuty Header*/
- if(AXIS2_TRUE == use_derived_keys){
- axis2_char_t *asym_key_id = NULL;
-
- asym_key_id = oxs_axiom_get_attribute_value_of_node_by_name(env, encrypted_key_node, OXS_ATTR_ID, NULL);
- oxs_derivation_build_derived_key_token(env, derived_key, sec_node, asym_key_id, OXS_WSS_11_VALUE_TYPE_ENCRYPTED_KEY);
+ if(AXIS2_TRUE == use_derived_keys)
+ {
+ if (token_type == RP_PROPERTY_SECURITY_CONTEXT_TOKEN)
+ {
+ oxs_derivation_build_derived_key_token_with_stre(env, derived_key, sec_node, key_reference_node);
+ }
+ else
+ {
+ axis2_char_t *asym_key_id = NULL;
+ asym_key_id = oxs_axiom_get_attribute_value_of_node_by_name(env, encrypted_key_node, OXS_ATTR_ID, NULL);
+ oxs_derivation_build_derived_key_token(env, derived_key, sec_node, asym_key_id, OXS_WSS_11_VALUE_TYPE_ENCRYPTED_KEY);
+ }
/*now we can free the derived key*/
oxs_key_free(derived_key, env);
derived_key = NULL;
@@ -1012,7 +1136,8 @@
}
- if(id_list){
+ if(id_list)
+ {
/*Need to free data of the list*/
int size = 0;
int j = 0;
@@ -1020,7 +1145,6 @@
for (j = 0; j < size; j++)
{
axis2_char_t *id_temp = NULL;
-
id_temp = axutil_array_list_get(id_list, env, j);
AXIS2_FREE(env->allocator, id_temp);
id_temp = NULL;
Modified: webservices/rampart/trunk/c/src/util/rampart_engine.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_engine.c?rev=619820&r1=619819&r2=619820&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_engine.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_engine.c Fri Feb 8 02:06:20 2008
@@ -74,7 +74,7 @@
is_server_side = axis2_msg_ctx_get_server_side(msg_ctx, env);
/*Server, Outflow*/
- if(is_server_side || !is_inflow)
+ if((is_server_side && is_inflow) || (!is_server_side && !is_inflow))
{
policy = build_policy(env, msg_ctx, is_inflow);
if(!policy)
@@ -154,12 +154,32 @@
}
}
+ conf_ctx = axis2_msg_ctx_get_conf_ctx(msg_ctx,env);
+ if(!conf_ctx)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][engine] Conf context is NULL ");
+ rampart_context_free(rampart_context, env);
+ rampart_context = NULL;
+ return NULL;
+ }
+
+ ctx = axis2_conf_ctx_get_base(conf_ctx,env);
+ if(!ctx)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][engine] axis2 context is NULL ");
+ rampart_context_free(rampart_context, env);
+ rampart_context = NULL;
+ return NULL;
+ }
+ property = axutil_property_create_with_args(env, AXIS2_SCOPE_REQUEST ,
+ AXIS2_TRUE, (void *)rampart_context_free, rampart_context);
+ axis2_ctx_set_property(ctx, env, RAMPART_CONTEXT, property);
+
/*For the client side*/
if(!is_server_side)
{
- /* axis2_options_t* options = NULL;
- options = axis2_msg_ctx_get_options(msg_ctx, env);
- value = axis2_options_get_property(options, env, RAMPART_CLIENT_CONFIGURATION);*/
value = axis2_msg_ctx_get_property_value(msg_ctx, env, RAMPART_CLIENT_CONFIGURATION);
if(value)
{
@@ -198,29 +218,6 @@
rampart_context_set_saml_tokens(rampart_context, env, saml_tokens);
}
}
-
- conf_ctx = axis2_msg_ctx_get_conf_ctx(msg_ctx,env);
- if(!conf_ctx)
- {
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][engine] Conf context is NULL ");
- rampart_context_free(rampart_context, env);
- rampart_context = NULL;
- return NULL;
- }
-
- ctx = axis2_conf_ctx_get_base(conf_ctx,env);
- if(!ctx)
- {
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][engine] axis2 context is NULL ");
- rampart_context_free(rampart_context, env);
- rampart_context = NULL;
- return NULL;
- }
- property = axutil_property_create_with_args(env, AXIS2_SCOPE_REQUEST ,
- AXIS2_TRUE, (void *)rampart_context_free, rampart_context);
- axis2_ctx_set_property(ctx, env, RAMPART_CONTEXT, property);
}
else
{ /*Server side only*/
@@ -323,9 +320,11 @@
rampart_callback_t* password_callback_module = NULL;
rampart_authn_provider_t *authn_provider = NULL;
rampart_replay_detector_t *replay_detector = NULL;
+ rampart_sct_provider_t* sct_provider = NULL;
axis2_char_t *pwcb_module_name = NULL;
axis2_char_t *authn_provider_name = NULL;
axis2_char_t *replay_detector_name = NULL;
+ axis2_char_t *sct_provider_name = NULL;
axis2_status_t status = AXIS2_SUCCESS;
status = rampart_context_set_user_from_file(rampart_context,env);
@@ -353,15 +352,14 @@
}
pwcb_module_name = rampart_context_get_password_callback_class(rampart_context,env);
-
if(pwcb_module_name)
{
password_callback_module = rampart_load_pwcb_module(env, pwcb_module_name);
if(password_callback_module)
rampart_context_set_password_callback(rampart_context,env,password_callback_module);
}
- authn_provider_name = rampart_context_get_authn_module_name(rampart_context,env);
+ authn_provider_name = rampart_context_get_authn_module_name(rampart_context,env);
if(authn_provider_name)
{
authn_provider = rampart_load_auth_module(env,authn_provider_name);
@@ -370,12 +368,19 @@
}
replay_detector_name = rampart_context_get_replay_detector_name(rampart_context,env);
-
if(replay_detector_name)
{
replay_detector = rampart_load_replay_detector(env,replay_detector_name);
if(replay_detector)
rampart_context_set_replay_detector(rampart_context,env,(void*)replay_detector);
+ }
+
+ sct_provider_name = rampart_context_get_sct_provider_name(rampart_context,env);
+ if(sct_provider_name)
+ {
+ sct_provider = rampart_load_sct_provider(env,sct_provider_name);
+ if(sct_provider)
+ rampart_context_set_sct_provider(rampart_context,env,(void*)sct_provider);
}
return status;
}
Modified: webservices/rampart/trunk/c/src/util/rampart_policy_validator.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_policy_validator.c?rev=619820&r1=619819&r2=619820&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_policy_validator.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_policy_validator.c Fri Feb 8 02:06:20 2008
@@ -184,7 +184,49 @@
}
}
+/*We validate only the body encryption*/
+static axis2_status_t
+rampart_pv_validate_signature(const axutil_env_t *env,
+ rampart_context_t *rampart_context,
+ axis2_msg_ctx_t *msg_ctx)
+{
+ axis2_status_t status = AXIS2_SUCCESS;
+ axutil_array_list_t *nodes_to_sign = NULL;
+ axiom_soap_envelope_t *soap_envelope = NULL;
+ axis2_char_t* signature_verified = NULL;
+ nodes_to_sign = axutil_array_list_create(env, 0);
+ soap_envelope = axis2_msg_ctx_get_soap_envelope(msg_ctx, env);
+
+ status = rampart_context_get_nodes_to_sign(
+ rampart_context, env, soap_envelope, nodes_to_sign);
+
+ status = rampart_context_get_elements_to_sign(
+ rampart_context, env, soap_envelope, nodes_to_sign);
+
+ signature_verified = (axis2_char_t*)rampart_get_security_processed_result(env, msg_ctx, RAMPART_SPR_SIG_VERIFIED);
+ if(0 == axutil_strcmp(RAMPART_YES, signature_verified))
+ {
+ if(axutil_array_list_size(nodes_to_sign, env) <= 0)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart][rpv] Signature is not expected.");
+ rampart_create_fault_envelope(env, RAMPART_FAULT_FAILED_CHECK, "Signature is not expected",
+ RAMPART_FAULT_INVALID_SECURITY, msg_ctx);
+ return AXIS2_FAILURE;
+ }
+ }
+ else
+ {
+ if(axutil_array_list_size(nodes_to_sign, env) > 0)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart][rpv] Could not find signature.");
+ rampart_create_fault_envelope(env, RAMPART_FAULT_FAILED_CHECK, "Could not find signature",
+ RAMPART_FAULT_INVALID_SECURITY, msg_ctx);
+ return AXIS2_FAILURE;
+ }
+ }
+ return AXIS2_SUCCESS;
+}
/*Public functions*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
@@ -212,6 +254,11 @@
}
/*Check if encryption is valid found*/
if(!rampart_pv_validate_encryption(env, rampart_context, msg_ctx)){
+ return AXIS2_FAILURE;
+ }
+ /*Check if signature is valid found*/
+ if(!rampart_pv_validate_signature(env, rampart_context, msg_ctx))
+ {
return AXIS2_FAILURE;
}
/*All the policy reqmnts are met. We are good to go*/
Modified: webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c?rev=619820&r1=619819&r2=619820&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c Fri Feb 8 02:06:20 2008
@@ -197,14 +197,13 @@
axiom_namespace_t *sec_ns_obj)
{
axis2_status_t status = AXIS2_FAILURE;
- axis2_bool_t is_encrypt_before_sign = AXIS2_FALSE;
-
/*Check the encryption and signature order*/
if(rampart_context_is_encrypt_before_sign(rampart_context, env))
{
+ axis2_bool_t signature_protection = AXIS2_FALSE;
+ signature_protection = rampart_context_is_encrypt_signature(rampart_context, env);
/*Encrypt before sign. Complicated stuff...*/
- is_encrypt_before_sign = AXIS2_TRUE;
/**
* 1. encrypt parts to be encrypted
* 2. sign parts to be signed
@@ -227,17 +226,19 @@
return AXIS2_FAILURE;
}
/*3. Encrypt signature*/
- status = rampart_enc_encrypt_signature(env, msg_ctx, rampart_context, soap_envelope, sec_node);
- if(status != AXIS2_SUCCESS)
+ if(signature_protection)
{
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shb] Encrypt signature failed. ERROR");
- return AXIS2_FAILURE;
+ status = rampart_enc_encrypt_signature(env, msg_ctx, rampart_context, soap_envelope, sec_node);
+ if(status != AXIS2_SUCCESS)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shb] Encrypt signature failed. ERROR");
+ return AXIS2_FAILURE;
+ }
}
-
-
- }else{ /*Sign before encrypt*/
- is_encrypt_before_sign = AXIS2_FALSE;
-
+ }
+ else
+ {
+ /*Sign before encrypt*/
/*First do signature specific stuff using Symmetric key*/
status = rampart_sig_sign_message(env, msg_ctx, rampart_context, soap_envelope, sec_node);
if(status != AXIS2_SUCCESS)
@@ -284,51 +285,109 @@
axiom_node_t *sig_node = NULL;
axiom_node_t *enc_key_node = NULL;
axiom_node_t *ref_list_node = NULL;
- /*axiom_node_t *ts_node = NULL;
- axiom_node_t *un_node = NULL;*/
axiom_node_t *h_node = NULL;
axutil_array_list_t *dk_list = NULL;
+ axutil_array_list_t *enc_key_list = NULL;
+ axiom_node_t* first_protection_item = NULL;
int i = 0;
signature_protection = rampart_context_is_encrypt_signature(rampart_context, env);
is_encrypt_before_sign = rampart_context_is_encrypt_before_sign(rampart_context, env);
- enc_key_node = oxs_axiom_get_first_child_node_by_name(env, sec_node, OXS_NODE_ENCRYPTED_KEY, OXS_ENC_NS, NULL);
+
+ dk_list = axutil_array_list_create(env, 5);
+ enc_key_list = axutil_array_list_create(env, 2);
+
+ h_node = axiom_node_get_first_child(sec_node, env);
+ while(h_node)
+ {
+ if(0 == axutil_strcmp(OXS_NODE_DERIVED_KEY_TOKEN, axiom_util_get_localname(h_node, env)))
+ {
+ axutil_array_list_add(dk_list, env, h_node);
+ }
+ else if((0 == axutil_strcmp(OXS_NODE_ENCRYPTED_KEY, axiom_util_get_localname(h_node, env))) ||
+ (0 == axutil_strcmp(OXS_NODE_SECURITY_CONTEXT_TOKEN, axiom_util_get_localname(h_node, env))))
+ {
+ axutil_array_list_add(enc_key_list, env, h_node);
+ }
+ h_node = axiom_node_get_next_sibling(h_node, env);
+ }
+
ref_list_node = oxs_axiom_get_first_child_node_by_name(env, sec_node, OXS_NODE_REFERENCE_LIST, OXS_ENC_NS, NULL);
sig_node = oxs_axiom_get_first_child_node_by_name(env, sec_node, OXS_NODE_SIGNATURE, OXS_DSIG_NS, NULL);
/*Ensure the protection order in the header*/
- if(sig_node && ref_list_node){
- if(is_encrypt_before_sign){
+ if(sig_node && ref_list_node)
+ {
+ if(is_encrypt_before_sign)
+ {
/*Encrypt->Sig <Sig><RefList>*/
oxs_axiom_interchange_nodes(env, sig_node, ref_list_node );
- }else{
+ first_protection_item = sig_node;
+ }
+ else
+ {
/*Sig->Encrypt <RefList> <Sig>*/
oxs_axiom_interchange_nodes(env, ref_list_node, sig_node );
+ first_protection_item = ref_list_node;
+ }
+ }
+ else if(sig_node)
+ {
+ first_protection_item = sig_node;
+ }
+ else
+ {
+ first_protection_item = ref_list_node;
+ }
+
+ /*makesure enc_key_node is appearing before first protection item*/
+ if(first_protection_item)
+ {
+ for(i = 0; i < axutil_array_list_size(enc_key_list, env); i++)
+ {
+ axiom_node_t *tmp_node = NULL;
+ tmp_node = (axiom_node_t*)axutil_array_list_get(enc_key_list, env, i);
+ enc_key_node = axiom_node_detach(tmp_node, env);
+ axiom_node_insert_sibling_before(first_protection_item, env, enc_key_node);
}
}
/*
- * If there are derived keys, make sure they come after the EncryptedKey
+ * If there are derived keys, make sure they come after the EncryptedKey/security context token
1. First we get all the derived keys
- 2. Then we attach after the EncryptedKey (hidden sessionkey)
+ 2. Then we attach after the EncryptedKey(hidden sessionkey)/security context token
+ 3. If key is not available, then attach derived keys before sig_node and ref_list_node (whichever is first)
*/
- dk_list = axutil_array_list_create(env, 5);
- h_node = axiom_node_get_first_child(sec_node, env);
- while(h_node){
- if(0 == axutil_strcmp(OXS_NODE_DERIVED_KEY_TOKEN, axiom_util_get_localname(h_node, env))){
- axutil_array_list_add(dk_list, env, h_node);
+
+ if(enc_key_node)
+ {
+ for(i = 0; i < axutil_array_list_size(dk_list, env); i++)
+ {
+ axiom_node_t *dk_node = NULL;
+ axiom_node_t *tmp_node = NULL;
+
+ dk_node = (axiom_node_t*)axutil_array_list_get(dk_list, env, i);
+ tmp_node = axiom_node_detach(dk_node, env);
+ axiom_node_insert_sibling_after(enc_key_node, env, tmp_node);
}
- h_node = axiom_node_get_next_sibling(h_node, env);
}
- for(i = 0; i < axutil_array_list_size(dk_list, env); i++){
- axiom_node_t *dk_node = NULL;
- axiom_node_t *tmp_node = NULL;
-
- dk_node = (axiom_node_t*)axutil_array_list_get(dk_list, env, i);
- tmp_node = axiom_node_detach(dk_node, env);
- axiom_node_insert_sibling_after(enc_key_node, env, tmp_node);
+ else
+ {
+ if(first_protection_item)
+ {
+ for(i = 0; i < axutil_array_list_size(dk_list, env); i++)
+ {
+ axiom_node_t *dk_node = NULL;
+ axiom_node_t *tmp_node = NULL;
+ dk_node = (axiom_node_t*)axutil_array_list_get(dk_list, env, i);
+ tmp_node = axiom_node_detach(dk_node, env);
+ axiom_node_insert_sibling_before(first_protection_item, env, tmp_node);
+ }
+ }
}
- axutil_array_list_free(dk_list, env);
+
+ axutil_array_list_free(dk_list, env);
+ axutil_array_list_free(enc_key_list, env);
return AXIS2_SUCCESS;
}
Modified: webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c?rev=619820&r1=619819&r2=619820&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c Fri Feb 8 02:06:20 2008
@@ -41,38 +41,222 @@
#include <oxs_xml_signature.h>
#include <oxs_key_mgr.h>
#include <rampart_replay_detector.h>
+#include <rampart_sct_provider.h>
+
#include <saml.h>
#include <rampart_saml.h>
#include <rampart_saml_token.h>
/*Private functions*/
-/*Process a KeyInfo and return the reference value*/
-static axis2_char_t *
-rampart_shp_process_key_info_for_ref_val(const axutil_env_t *env,
- axiom_node_t *key_info_node)
+/*Get the security context token and store it in key array*/
+static axis2_status_t
+rampart_shp_add_security_context_token(const axutil_env_t* env,
+ axis2_char_t* identifier,
+ axis2_char_t* key_name,
+ rampart_context_t* rampart_context,
+ axis2_msg_ctx_t* msg_ctx)
{
+ oxs_buffer_t *key_buf = NULL;
+ oxs_key_t* key = NULL;
+
+ /*get the shared secret and create the key*/
+ key_buf = sct_provider_get_secret_using_id(env, identifier, rampart_context, msg_ctx);
+ if(!key_buf)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][shp]Cannot get shared secret of security context token");
+ return AXIS2_FAILURE;
+ }
+
+ key = oxs_key_create(env);
+ oxs_key_populate(key, env,
+ oxs_buffer_get_data(key_buf, env), key_name,
+ oxs_buffer_get_size(key_buf, env), OXS_KEY_USAGE_NONE);
+
+ rampart_context_add_key(rampart_context, env, key);
+ return AXIS2_SUCCESS;
+}
+
+static void
+rampart_shp_store_sct_id(const axutil_env_t *env,
+ axiom_node_t *key_info_node,
+ rampart_context_t *rampart_context,
+ axiom_node_t *sec_node,
+ axis2_bool_t is_encryption,
+ axis2_msg_ctx_t* msg_ctx)
+{
+ axis2_char_t *sct_id = NULL;
+ axiom_node_t* key_node = NULL;
+ rp_property_t *token = NULL;
+ rp_property_type_t token_type;
+
+ if(is_encryption)
+ sct_id = rampart_context_get_encryption_sct_id(rampart_context, env);
+ else
+ sct_id = rampart_context_get_signature_sct_id(rampart_context, env);
+
+ /*if already stored, then can return*/
+ if(sct_id)
+ return;
+
+ /*if not symmetric binding, then return*/
+ if (rampart_context_get_binding_type(rampart_context,env) != RP_PROPERTY_SYMMETRIC_BINDING)
+ return;
+
+ /*if not server side, then return*/
+ if(!axis2_msg_ctx_get_server_side(msg_ctx,env))
+ return;
+
+ /*if the token to be used is not security context token, then return*/
+ token = rampart_context_get_token(rampart_context, env,
+ is_encryption, AXIS2_TRUE, AXIS2_TRUE);
+ token_type = rp_property_get_type(token, env);
+ if(token_type != RP_PROPERTY_SECURITY_CONTEXT_TOKEN)
+ return;
+
+ key_node = key_info_node;
+
+ while(!sct_id)
+ {
+ axis2_char_t* id = NULL;
+ axis2_char_t *cur_local_name = NULL;
+ axiom_node_t *str_node = NULL;
+ axiom_node_t *ref_node = NULL;
+ axis2_char_t *ref_val = NULL;
+
+ /*Get the STR*/
+ str_node = oxs_axiom_get_first_child_node_by_name(env, key_node, OXS_NODE_SECURITY_TOKEN_REFRENCE, OXS_WSSE_XMLNS, NULL);
+ if(!str_node)
+ {
+ AXIS2_LOG_INFO(env->log, "[rampart][shp] Failed to get security token reference node");
+ break;
+ }
+
+ /*Get Reference element*/
+ ref_node = oxs_axiom_get_first_child_node_by_name(env, str_node, OXS_NODE_REFERENCE, OXS_WSSE_XMLNS, NULL);
+ if(!ref_node)
+ {
+ AXIS2_LOG_INFO(env->log, "[rampart][shp]Failed to get reference node from security token reference");
+ break;
+ }
+
+ /*Get the reference value in the @URI*/
+ ref_val = oxs_token_get_reference(env, ref_node);
+ if(ref_val[0] != '#')
+ {
+ axis2_char_t* value_type = NULL;
+ value_type = oxs_token_get_reference_value_type(env, ref_node);
+ if(0 == axutil_strcmp(value_type, OXS_VALUE_TYPE_SECURITY_CONTEXT_TOKEN))
+ {
+ sct_id = axutil_strdup(env, ref_val);
+ break;
+ }
+ }
+
+ id = axutil_string_substring_starting_at(axutil_strdup(env, ref_val), 1);
+ key_node = oxs_axiom_get_node_by_id(env, sec_node, OXS_ATTR_ID, id, OXS_WSU_XMLNS);
+ if(!key_node)
+ break;
+
+ cur_local_name = axiom_util_get_localname(key_node, env);
+ if(0 == axutil_strcmp(cur_local_name, OXS_NODE_SECURITY_CONTEXT_TOKEN))
+ {
+ axiom_node_t *identifier_node = NULL;
+
+ /*Get the identifier node*/
+ identifier_node = oxs_axiom_get_first_child_node_by_name(
+ env, key_node, OXS_NODE_IDENTIFIER, OXS_WSC_NS, NULL);
+
+ if(!identifier_node)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] Cannot find identifier node in security context token");
+ break;
+ }
+ sct_id = oxs_axiom_get_node_content(env, identifier_node);
+ break;
+ }
+ }
+
+ /*if same key is used for encryption and signature, then store it at both place*/
+ if(is_different_session_key_for_encryption_and_signing(env, rampart_context))
+ {
+ if(is_encryption)
+ rampart_context_set_encryption_sct_id(rampart_context, env, sct_id);
+ else
+ rampart_context_set_signature_sct_id(rampart_context, env, sct_id);
+ }
+ else
+ {
+ rampart_context_set_encryption_sct_id(rampart_context, env, sct_id);
+ rampart_context_set_signature_sct_id(rampart_context, env, sct_id);
+ }
+}
+
+/*Process a KeyInfo and return the key*/
+static oxs_key_t*
+rampart_shp_get_key_for_key_info(const axutil_env_t* env,
+ axiom_node_t* key_info_node,
+ rampart_context_t* rampart_context,
+ axis2_msg_ctx_t *msg_ctx)
+{
+ oxs_key_t *key = NULL;
axiom_node_t *str_node = NULL;
axiom_node_t *ref_node = NULL;
axis2_char_t *ref_val = NULL;
axis2_char_t *id = NULL;
+ axis2_bool_t external_reference = AXIS2_TRUE;
/*Get the STR*/
str_node = oxs_axiom_get_first_child_node_by_name(env, key_info_node, OXS_NODE_SECURITY_TOKEN_REFRENCE, OXS_WSSE_XMLNS, NULL);
+ if(!str_node)
+ {
+ AXIS2_LOG_INFO(env->log, "[rampart][shp] Failed to get security token reference node");
+ return NULL;
+ }
/*Get Reference element*/
- if(str_node){
- ref_node = oxs_axiom_get_first_child_node_by_name(env, str_node, OXS_NODE_REFERENCE, OXS_WSSE_XMLNS, NULL);
+ ref_node = oxs_axiom_get_first_child_node_by_name(env, str_node, OXS_NODE_REFERENCE, OXS_WSSE_XMLNS, NULL);
+ if(!ref_node)
+ {
+ AXIS2_LOG_INFO(env->log, "[rampart][shp]Failed to get reference node from security token reference");
+ return NULL;
+ }
- /*Get the reference value in the @URI*/
- if(ref_node){
- ref_val = oxs_token_get_reference(env, ref_node);
- /*Need to remove # sign from the ID*/
- id = axutil_string_substring_starting_at(ref_val, 1);
+ /*Get the reference value in the @URI*/
+
+ ref_val = oxs_token_get_reference(env, ref_node);
+ if(ref_val[0] == '#')
+ {
+ /*Need to remove # sign from the ID*/
+ id = axutil_string_substring_starting_at(axutil_strdup(env, ref_val), 1);
+ external_reference = AXIS2_FALSE;
+ }
+ else
+ {
+ id = axutil_strdup(env, ref_val);
+ }
+
+ if(!id)
+ {
+ AXIS2_LOG_INFO(env->log, "[rampart][shp]Failed to get key name from reference node");
+ return NULL;
+ }
+
+ key = rampart_context_get_key(rampart_context, env, id);
+ if(!key && external_reference)
+ {
+ axis2_char_t* value_type = NULL;
+ value_type = oxs_token_get_reference_value_type(env, ref_node);
+ if(0 == axutil_strcmp(value_type, OXS_VALUE_TYPE_SECURITY_CONTEXT_TOKEN))
+ {
+ rampart_shp_add_security_context_token(env, id, id, rampart_context, msg_ctx);
}
+ key = rampart_context_get_key(rampart_context, env, id);
}
- return id;
-}
+ return key;
+}
+
static axis2_bool_t
rampart_shp_validate_qnames(const axutil_env_t *env,
axiom_node_t *node)
@@ -318,6 +502,39 @@
}
static axis2_status_t
+rampart_shp_process_security_context_token(const axutil_env_t *env,
+ axiom_node_t *token_node,
+ rampart_context_t* rampart_context,
+ axis2_msg_ctx_t *msg_ctx)
+{
+ axiom_node_t *identifier_node = NULL;
+ axis2_char_t *identifier = NULL;
+ axis2_char_t *key_name = NULL;
+
+ /*Get the identifier node*/
+ identifier_node = oxs_axiom_get_first_child_node_by_name(
+ env, token_node, OXS_NODE_IDENTIFIER, OXS_WSC_NS, NULL);
+
+ if(!identifier_node)
+ {
+ rampart_create_fault_envelope(env, RAMPART_FAULT_INVALID_SECURITY_TOKEN, "Cannot find identifier node in security context token", RAMPART_FAULT_INVALID_SECURITY_TOKEN, msg_ctx);
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] Cannot find identifier node in security context token");
+ return AXIS2_FAILURE;
+ }
+
+ identifier = oxs_axiom_get_node_content(env, identifier_node);
+ if(!identifier)
+ {
+ rampart_create_fault_envelope(env, RAMPART_FAULT_INVALID_SECURITY_TOKEN, "Cannot find identifier content in security context token", RAMPART_FAULT_INVALID_SECURITY_TOKEN, msg_ctx);
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] Cannot find identifier content in security context token");
+ return AXIS2_FAILURE;
+ }
+
+ key_name = oxs_axiom_get_attribute_value_of_node_by_name(env, token_node, OXS_ATTR_ID, OXS_WSU_XMLNS);
+ return rampart_shp_add_security_context_token(env, identifier, key_name, rampart_context, msg_ctx);
+}
+
+static axis2_status_t
rampart_shp_process_encrypted_key(const axutil_env_t *env,
axis2_msg_ctx_t *msg_ctx,
rampart_context_t *rampart_context,
@@ -474,7 +691,7 @@
oxs_key_set_name(decrypted_sym_key, env, key_id);
}
/*Now we need to set this to the rampart context for future use*/
- rampart_context_set_session_key(rampart_context, env, decrypted_sym_key);
+ rampart_context_add_key(rampart_context, env, decrypted_sym_key);
/*Alright now we have the key used to encrypt the elements in the reference_list*/
/*Go thru each and every node in the list and decrypt them*/
@@ -609,12 +826,6 @@
asym_ctx = NULL;
}
- if(decrypted_sym_key)
- {
- oxs_key_free(decrypted_sym_key, env);
- decrypted_sym_key = NULL;
- }
-
if(reference_list){
axutil_array_list_free(reference_list, env);
reference_list = NULL;
@@ -691,24 +902,18 @@
key_info_node = oxs_axiom_get_first_child_node_by_name(env, enc_data_node,
OXS_NODE_KEY_INFO, OXS_DSIG_NS, NULL);
- if(key_info_node){
- axis2_char_t *key_name = NULL;
- oxs_key_t *session_key = NULL;
+ if(key_info_node)
+ {
oxs_key_t *key_to_decrypt = NULL;
- key_name = rampart_shp_process_key_info_for_ref_val(env, key_info_node);
/*Get the sesison key*/
- session_key = rampart_context_get_session_key(rampart_context, env);
- /*Search for the key using key_name. It can be either the session or a derived key*/
- if(0 == axutil_strcmp(key_name, oxs_key_get_name(session_key, env))){
- /*OK the key used to encrypt is the session key*/
- key_to_decrypt = session_key;
- }else{
- /*The key used to decrypt can be a derived key*/
- key_to_decrypt = rampart_context_get_derived_key(rampart_context, env, key_name);
- }
+ key_to_decrypt = rampart_shp_get_key_for_key_info(env, key_info_node, rampart_context, msg_ctx);
- if(key_to_decrypt){
+ /*if security context token is used, then store it. It will be used by the server to encrypt the message*/
+ rampart_shp_store_sct_id(env, key_info_node, rampart_context, sec_node, AXIS2_TRUE, msg_ctx);
+
+ if(key_to_decrypt)
+ {
/*Now if everything is fine we need to decrypt*/
oxs_ctx_t *ctx = NULL;
axiom_node_t *decrypted_node = NULL;
@@ -735,14 +940,14 @@
/*Free*/
oxs_ctx_free(ctx, env);
ctx = NULL;
-
- }else{
+ }
+ else
+ {
/*Can't help. Error retrieving the key to decrypt the reference. */
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] On processing ReferenceList, failed to get the key to decrypt");
return AXIS2_FAILURE;
}
- }
-
+ }
}
axutil_array_list_free(reference_list, env);
@@ -765,44 +970,21 @@
axiom_node_t *envelope_node = NULL;
axiom_node_t *key_info_node = NULL;
oxs_key_t *key_to_verify = NULL;
- oxs_key_t *session_key = NULL;
+ axis2_char_t *key_name = NULL;
- /*Get the session key*/
- session_key = rampart_context_get_session_key(rampart_context, env);
-
/*Get the envelope node*/
envelope_node = axiom_soap_envelope_get_base_node(soap_envelope, env);
/*Get the KeyInfo node*/
key_info_node = oxs_axiom_get_first_child_node_by_name(env, sig_node,
OXS_NODE_KEY_INFO, OXS_DSIG_NS, NULL);
- if(key_info_node){
- /* axiom_node_t *reffed_node = NULL;
- axis2_char_t *reffed_node_name = NULL;*/
-
- /*Now we need to decrypt the EncryptedKey if not done already*/
- if(!session_key){
- axiom_node_t *encrypted_key_node = NULL;
-
- encrypted_key_node = oxs_axiom_get_first_child_node_by_name(env, sec_node, OXS_NODE_ENCRYPTED_KEY, OXS_ENC_NS, NULL);
- status = rampart_shp_process_encrypted_key(env, msg_ctx, rampart_context, soap_envelope, sec_node, encrypted_key_node);
- session_key = rampart_context_get_session_key(rampart_context, env);
- }
- }
- if(session_key){
- axis2_char_t *key_name = NULL;
-
- key_name = rampart_shp_process_key_info_for_ref_val(env, key_info_node);
- /*Search for the key using key_name. It can be either the session or a derived key*/
- if(0 == axutil_strcmp(key_name, oxs_key_get_name(session_key, env))){
- /*OK the key used to sign is the session key*/
- key_to_verify = session_key;
- }else{
- /*The key used to sign can be a derived key*/
- key_to_verify = rampart_context_get_derived_key(rampart_context, env, key_name);
- }
+ if(key_info_node)
+ {
+ key_to_verify = rampart_shp_get_key_for_key_info(env, key_info_node,rampart_context, msg_ctx);
}
- if(!key_to_verify){
+
+ if(!key_to_verify)
+ {
/*It's an error*/
rampart_create_fault_envelope(env, RAMPART_FAULT_FAILED_CHECK,
"Signature Verification failed. Cannot get the key to verify",
@@ -811,6 +993,9 @@
return AXIS2_FAILURE;
}
+ /*if security context token is used, then store it. It will be used by the server to sign the message*/
+ rampart_shp_store_sct_id(env, key_info_node, rampart_context, sec_node, AXIS2_FALSE, msg_ctx);
+
/*Create sign context*/
sign_ctx = oxs_sign_ctx_create(env);
oxs_sign_ctx_set_operation(sign_ctx, env, OXS_SIGN_OPERATION_VERIFY);
@@ -1348,17 +1533,18 @@
oxs_key_t *derived_key = NULL;
/*Get the session key.*/
- session_key = rampart_context_get_session_key(rampart_context, env);
- if(!session_key){
- AXIS2_LOG_INFO(env->log, "[rampart][shp] On processing ReferenceList, failed to get the session key. Cannot derive the key");
- return AXIS2_FAILURE;
+ session_key = rampart_shp_get_key_for_key_info(env, dk_node, rampart_context, msg_ctx);
+ if(!session_key)
+ {
+ AXIS2_LOG_INFO(env->log, "[rampart][shp] On processing derived key, failed to get the session key. Cannot derive the key");
+ return AXIS2_FAILURE;
}
/*Derive the key*/
derived_key = oxs_derivation_extract_derived_key_from_token(env, dk_node, sec_node, session_key);
/*Add to the rampart context*/
- rampart_context_add_derived_key(rampart_context, env, derived_key);
+ rampart_context_add_key(rampart_context, env, derived_key);
return AXIS2_SUCCESS;
}
@@ -1418,38 +1604,54 @@
cur_node = axiom_node_get_first_child(sec_node, env);
/*Loop all security headers*/
- while(cur_node){
+ while(cur_node)
+ {
axis2_char_t *cur_local_name = NULL;
cur_local_name = axiom_util_get_localname(cur_node, env);
AXIS2_LOG_INFO(env->log, "[rampart][shp] Processing security header element %s", cur_local_name);
- if(0 == axutil_strcmp(cur_local_name, OXS_NODE_ENCRYPTED_KEY)){
- status = rampart_shp_process_encrypted_key(env, msg_ctx, rampart_context, soap_envelope, sec_node, cur_node);
-
- }else if(0 == axutil_strcmp(cur_local_name, RAMPART_SECURITY_TIMESTAMP)){
+ if(0 == axutil_strcmp(cur_local_name, OXS_NODE_ENCRYPTED_KEY))
+ {
+ status = rampart_shp_process_encrypted_key(env, msg_ctx, rampart_context, soap_envelope, sec_node, cur_node);
+ }
+ else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_SECURITY_CONTEXT_TOKEN))
+ {
+ status = rampart_shp_process_security_context_token(env, cur_node, rampart_context, msg_ctx);
+ }
+ else if(0 == axutil_strcmp(cur_local_name, RAMPART_SECURITY_TIMESTAMP))
+ {
status = rampart_shp_process_timestamptoken(env, msg_ctx, rampart_context, sec_node);
-
- }else if(0 == axutil_strcmp(cur_local_name, RAMPART_SECURITY_USERNAMETOKEN)){
+ }
+ else if(0 == axutil_strcmp(cur_local_name, RAMPART_SECURITY_USERNAMETOKEN))
+ {
status = rampart_shp_process_usernametoken(env, msg_ctx, rampart_context, sec_node);
- }else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_SIGNATURE)){
+ }
+ else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_SIGNATURE))
+ {
status = rampart_shp_process_signature(env, msg_ctx, rampart_context, soap_envelope, sec_node, cur_node);
-
- }else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_REFERENCE_LIST)){
+ }
+ else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_REFERENCE_LIST))
+ {
status = rampart_shp_process_reference_list(env, msg_ctx, rampart_context, soap_envelope, sec_node, cur_node);
-
- }else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_DERIVED_KEY_TOKEN)){
+ }
+ else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_DERIVED_KEY_TOKEN))
+ {
/* We need to extract this and store in the rampart context*/
status = rampart_shp_process_derived_key(env, msg_ctx, rampart_context, sec_node, cur_node);
-
- }else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_ENCRYPTED_DATA)){
+ }
+ else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_ENCRYPTED_DATA))
+ {
/*We do nothing. But this is possible when a security header is Encrypted. But it would be decrypted thru a ref list*/
status = AXIS2_SUCCESS;
- }else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_SIGNATURE_CONFIRMATION)){
+ }
+ else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_SIGNATURE_CONFIRMATION))
+ {
status = rampart_shp_process_signature_confirmation(env, msg_ctx, rampart_context, cur_node);
-
- }else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_BINARY_SECURITY_TOKEN)){
+ }
+ else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_BINARY_SECURITY_TOKEN))
+ {
/*We do nothing.*/
status = AXIS2_SUCCESS;
}else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_SAML_ASSERTION)){
@@ -1462,7 +1664,9 @@
AXIS2_LOG_INFO(env->log, "[rampart][shp] Unknown security header %s", cur_local_name);
status = AXIS2_SUCCESS;
}
- if(status != AXIS2_SUCCESS){
+
+ if(status != AXIS2_SUCCESS)
+ {
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] %s processing failed", cur_local_name);
return AXIS2_FAILURE;
}
Modified: webservices/rampart/trunk/c/src/util/rampart_signature.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_signature.c?rev=619820&r1=619819&r2=619820&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_signature.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_signature.c Fri Feb 8 02:06:20 2008
@@ -41,7 +41,9 @@
#include <rampart_token_builder.h>
#include <rampart_util.h>
#include <rampart_sec_processed_result.h>
+#include <rampart_sct_provider.h>
#include <rampart_saml_token.h>
+
/*Private functions*/
axis2_status_t AXIS2_CALL
@@ -260,42 +262,65 @@
{
oxs_key_t *session_key = NULL;
rp_property_t *token = NULL;
+ rp_property_type_t token_type;
+
axis2_bool_t use_derived_keys = AXIS2_FALSE;
axis2_bool_t server_side = AXIS2_FALSE;
- axis2_bool_t free_session_key = AXIS2_FALSE;
- /*We are trying to reuse the same session key which is used for encryption*/
- session_key = rampart_context_get_session_key(rampart_context, env);
- if(!session_key){
+ server_side = axis2_msg_ctx_get_server_side(msg_ctx, env);
+ token = rampart_context_get_token(rampart_context, env, AXIS2_FALSE, server_side, AXIS2_FALSE);
+ token_type = rp_property_get_type(token, env);
+
+ /*We are trying to reuse the same session key which is used for encryption if possible*/
+ session_key = rampart_context_get_signature_session_key(rampart_context, env);
+ if(!session_key)
+ {
/*Create a new key and set to the rampart_context. This usually happens when the SignBeforeEncrypt*/
+ /*Generate the session key. if security context token, get the
+ shared secret and create the session key.*/
session_key = oxs_key_create(env);
- oxs_key_for_algo(session_key, env, OXS_HREF_HMAC_SHA1);
- rampart_context_set_session_key(rampart_context, env, session_key);
- free_session_key = AXIS2_TRUE;
+ if(token_type == RP_PROPERTY_SECURITY_CONTEXT_TOKEN)
+ {
+ oxs_buffer_t *key_buf = NULL;
+ key_buf = sct_provider_get_secret(env, token, server_side, AXIS2_FALSE, rampart_context, msg_ctx);
+ if(!key_buf)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][rampart_signature]Cannot get shared secret of security context token");
+ oxs_key_free(session_key, env);
+ return AXIS2_FAILURE;
+ }
+ oxs_key_populate(session_key, env,
+ oxs_buffer_get_data(key_buf, env), "for-algo",
+ oxs_buffer_get_size(key_buf, env), OXS_KEY_USAGE_NONE);
+ }
+ else
+ {
+ oxs_key_for_algo(session_key, env, OXS_HREF_HMAC_SHA1);
+ }
+ rampart_context_set_signature_session_key(rampart_context, env, session_key);
}
+
/*If we need to use derrived keys, we must sign using a derived key of the session key*/
- server_side = axis2_msg_ctx_get_server_side(msg_ctx, env);
- token = rampart_context_get_token(rampart_context, env, AXIS2_TRUE, server_side, AXIS2_FALSE);
use_derived_keys = rampart_context_check_is_derived_keys (env, token);
- if(use_derived_keys){
+ if(use_derived_keys)
+ {
oxs_key_t *derived_key = NULL;
/*Derive a new key*/
derived_key = oxs_key_create(env);
oxs_derivation_derive_key(env, session_key, derived_key, AXIS2_TRUE);
oxs_sign_ctx_set_secret(sign_ctx, env, derived_key);
- }else{
+ }
+ else
+ {
/*No need to use derived keys, we use the same session key*/
- oxs_sign_ctx_set_secret(sign_ctx, env, session_key);
+ oxs_sign_ctx_set_secret(sign_ctx, env, rampart_context_get_signature_session_key(rampart_context, env));
}
oxs_sign_ctx_set_sign_mtd_algo(sign_ctx, env, OXS_HREF_HMAC_SHA1);
oxs_sign_ctx_set_c14n_mtd(sign_ctx, env, OXS_HREF_XML_EXC_C14N);
oxs_sign_ctx_set_operation(sign_ctx, env, OXS_SIGN_OPERATION_SIGN);
- if(free_session_key)
- {
- oxs_key_free(session_key, env);
- }
return AXIS2_SUCCESS;
}
@@ -469,7 +494,12 @@
rp_property_t *token = NULL;
axiom_node_t *sig_node = NULL;
axis2_char_t *eki = NULL;
- axis2_bool_t is_direct_reference = AXIS2_TRUE, include = AXIS2_FALSE;
+ axis2_bool_t is_direct_reference = AXIS2_TRUE;
+ axis2_bool_t include = AXIS2_FALSE;
+ axiom_node_t *key_reference_node = NULL;
+ int i = 0;
+ oxs_x509_cert_t *cert = NULL;
+ axiom_node_t *bst_node = NULL;
axis2_char_t *cert_id = NULL;
/*Get nodes to be signed*/
@@ -554,21 +584,26 @@
include = rampart_context_is_token_include(rampart_context, token,
token_type, server_side,
AXIS2_FALSE, env);
- if (token_type == RP_PROPERTY_X509_TOKEN) {
- if (include) {
+ if (token_type == RP_PROPERTY_X509_TOKEN)
+ {
+ if (include)
+ {
cert_id = oxs_util_generate_id(env,(axis2_char_t*)OXS_CERT_ID);
if (!rampart_sig_add_x509_token(env, rampart_context,
nodes_to_sign, token,
- sec_node, cert_id)) {
+ sec_node, cert_id))
+ {
return AXIS2_FAILURE;
}
/*This flag will be useful when creating key Info element.*/
is_direct_reference = AXIS2_TRUE;
eki = RAMPART_STR_DIRECT_REFERENCE;
}
- else {
+ else
+ {
eki = rampart_context_get_key_identifier(rampart_context, token, env);
- if(!eki) {
+ if(!eki)
+ {
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Cannot attach the token.");
axutil_array_list_free(nodes_to_sign, env);
@@ -577,7 +612,35 @@
}
is_direct_reference = AXIS2_FALSE;
}
- }
+ }
+ else if (token_type == RP_PROPERTY_SECURITY_CONTEXT_TOKEN)
+ {
+ if(include)
+ {
+ axiom_node_t *security_context_token_node = NULL;
+ /*include the security context token and set the AttachedReference to key_reference_node*/
+ security_context_token_node = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_SECURITY_CONTEXT_TOKEN);
+ if((!security_context_token_node) || (is_different_session_key_for_encryption_and_signing(env, rampart_context)))
+ {
+ security_context_token_node = sct_provider_get_token(env, token, server_side, AXIS2_FALSE, rampart_context, msg_ctx);
+ if(!security_context_token_node)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][rampart_signature] Cannot get security context token");
+ axutil_array_list_free(nodes_to_sign, env);
+ nodes_to_sign = NULL;
+ return AXIS2_FAILURE;
+ }
+ axiom_node_add_child(sec_node, env, security_context_token_node);
+ }
+ key_reference_node = sct_provider_get_attached_reference(env, token, server_side, AXIS2_FALSE, rampart_context, msg_ctx);
+ }
+ else
+ {
+ /*get the unattachedReference and set to key_reference_node*/
+ key_reference_node = sct_provider_get_unattached_reference(env, token, server_side, AXIS2_FALSE, rampart_context, msg_ctx);
+ }
+ }
sign_ctx = oxs_sign_ctx_create(env);
/* Create the sign parts */
@@ -588,13 +651,18 @@
/*Get the binding type. Either symmetric or asymmetric for signature*/
binding_type = rampart_context_get_binding_type(rampart_context,env);
- if(RP_PROPERTY_ASYMMETRIC_BINDING == binding_type){
+ if(RP_PROPERTY_ASYMMETRIC_BINDING == binding_type)
+ {
/* Pack for asymmetric signature*/
status = rampart_sig_pack_for_asym(env, rampart_context, sign_ctx);
- }else if(RP_PROPERTY_SYMMETRIC_BINDING == binding_type){
+ }
+ else if(RP_PROPERTY_SYMMETRIC_BINDING == binding_type)
+ {
/* Pack for symmetric signature*/
status = rampart_sig_pack_for_sym(env, rampart_context, sign_ctx, msg_ctx);
- }else{
+ }
+ else
+ {
/*We do not support*/
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart][rampart_signature] Signature support only symmetric and asymmetric bindings.");
return AXIS2_FAILURE;
@@ -607,77 +675,102 @@
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][rampart_signature] Message signing failed.");
return AXIS2_FAILURE;
}
+
+ /*build the key info inside signature node*/
if(RP_PROPERTY_ASYMMETRIC_BINDING == binding_type)
- {
- rampart_sig_prepare_key_info_for_asym_binding(env, rampart_context, sign_ctx, sig_node, cert_id, eki, is_direct_reference);
+ {
+ rampart_sig_prepare_key_info_for_asym_binding(env, rampart_context, sign_ctx, sig_node , cert_id, eki, is_direct_reference);
}
- else if(RP_PROPERTY_SYMMETRIC_BINDING == binding_type)
- {
- axiom_node_t *encrypted_key_node = NULL;
+ else if(RP_PROPERTY_SYMMETRIC_BINDING == binding_type)
+ {
oxs_key_t *signed_key = NULL;
oxs_key_t *session_key = NULL;
- axis2_char_t *enc_key_id = NULL;
- axis2_bool_t free_enc_key_id = AXIS2_FALSE;
signed_key = oxs_sign_ctx_get_secret(sign_ctx, env);
- session_key = rampart_context_get_session_key(rampart_context, env);
+ session_key = rampart_context_get_signature_session_key(rampart_context, env);
- /*If there is an EncryptedKey element use the Id. If not, generate an Id and use it*/
- encrypted_key_node = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_ENCRYPTED_KEY);
- if(!encrypted_key_node)
- {
- /*There is no EncryptedKey so generate one*/
- status = rampart_enc_encrypt_session_key(env, session_key, msg_ctx, rampart_context, soap_envelope, sec_node, NULL );
- if(AXIS2_FAILURE == status)
- {
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][rampart_signature] Cannot encrypt the session key " );
- return AXIS2_FAILURE;
- }
- encrypted_key_node = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_ENCRYPTED_KEY);
- /*Add Id attribute*/
- enc_key_id = oxs_util_generate_id(env, (axis2_char_t*)OXS_ENCKEY_ID);
- free_enc_key_id = AXIS2_TRUE;
- oxs_axiom_add_attribute(env, encrypted_key_node, NULL, NULL, OXS_ATTR_ID, enc_key_id);
- /*And we have to make sure that we place this newly generated EncryptedKey node above the Signature node*/
- oxs_axiom_interchange_nodes(env, encrypted_key_node, sig_node);
- }
- else
- {
- /*There is the encrypted key. May be used by the encryption process. So get the Id and use it*/
- enc_key_id = oxs_axiom_get_attribute_value_of_node_by_name(env, encrypted_key_node, OXS_ATTR_ID, NULL);
+ if(token_type == RP_PROPERTY_SECURITY_CONTEXT_TOKEN)
+ {
+ if(0 == axutil_strcmp(oxs_key_get_name(session_key, env), oxs_key_get_name(signed_key, env)))
+ {
+ /*Now then... we have used the security context token to sign*/
+ axiom_node_t* key_info_node = NULL;
+ key_info_node = oxs_token_build_key_info_element(env, sig_node);
+ axiom_node_add_child(key_info_node, env, key_reference_node);
+ }
+ else
+ {
+ axiom_node_t *dk_token = NULL;
+ /*We have used a derived key to sign. Note the NULL we pass for the enc_key_id*/
+ rampart_sig_prepare_key_info_for_sym_binding(env, rampart_context, sign_ctx, sig_node, signed_key, NULL);
+ /*In addition we need to add a DerivedKeyToken*/
+ dk_token = oxs_derivation_build_derived_key_token_with_stre(env, signed_key, sec_node, key_reference_node);
+ /*We need to make DerivedKeyToken to appear before the sginature node*/
+ oxs_axiom_interchange_nodes(env, dk_token, sig_node);
+ }
}
-
- /* Now if the signed key is the session key. We need to Encrypt it. If it's a derived key, we need to Attach a
- * DerivedKeyToken and encrypt the session key if not done already */
- if(0 == axutil_strcmp(oxs_key_get_name(session_key, env), oxs_key_get_name(signed_key, env)))
- {
- /*Now then... we have used the session key to sign*/
- rampart_sig_prepare_key_info_for_sym_binding(env, rampart_context, sign_ctx, sig_node, signed_key, enc_key_id );
- }
- else
- {
- axiom_node_t *dk_token = NULL;
- /*We have used a derived key to sign. Note the NULL we pass for the enc_key_id*/
- rampart_sig_prepare_key_info_for_sym_binding(env, rampart_context, sign_ctx, sig_node, signed_key, NULL );
- /*In addition we need to add a DerivedKeyToken after the EncryptedKey*/
- dk_token = oxs_derivation_build_derived_key_token(env, signed_key, sec_node, enc_key_id ,OXS_WSS_11_VALUE_TYPE_ENCRYPTED_KEY);
- /*We need to make DerivedKeyToken to appear before the sginature node*/
- oxs_axiom_interchange_nodes(env, dk_token, sig_node);
- }
- if (free_enc_key_id)
- {
- AXIS2_FREE(env->allocator, enc_key_id);
- }
+ else
+ {
+ axiom_node_t *encrypted_key_node = NULL;
+ axis2_char_t *enc_key_id = NULL;
+ axis2_bool_t free_enc_key_id = AXIS2_FALSE;
+
+ /*If there is an EncryptedKey element use the Id. If not, generate an Id and use it*/
+ encrypted_key_node = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_ENCRYPTED_KEY);
+ if(!encrypted_key_node)
+ {
+ /*There is no EncryptedKey so generate one*/
+ status = rampart_enc_encrypt_session_key(env, session_key, msg_ctx, rampart_context, soap_envelope, sec_node, NULL );
+ if(AXIS2_FAILURE == status)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][rampart_signature] Cannot encrypt the session key " );
+ return AXIS2_FAILURE;
+ }
+ encrypted_key_node = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_ENCRYPTED_KEY);
+ /*Add Id attribute*/
+ enc_key_id = oxs_util_generate_id(env, (axis2_char_t*)OXS_ENCKEY_ID);
+ free_enc_key_id = AXIS2_TRUE;
+ oxs_axiom_add_attribute(env, encrypted_key_node, NULL, NULL, OXS_ATTR_ID, enc_key_id);
+ /*And we have to make sure that we place this newly generated EncryptedKey node above the Signature node*/
+ oxs_axiom_interchange_nodes(env, encrypted_key_node, sig_node);
+ }
+ else
+ {
+ /*There is the encrypted key. May be used by the encryption process. So get the Id and use it*/
+ enc_key_id = oxs_axiom_get_attribute_value_of_node_by_name(env, encrypted_key_node, OXS_ATTR_ID, NULL);
+ }
+ /* Now if the signed key is the session key. We need to Encrypt it. If it's a derived key, we need to Attach a
+ * DerivedKeyToken and encrypt the session key if not done already */
+ if(0 == axutil_strcmp(oxs_key_get_name(session_key, env), oxs_key_get_name(signed_key, env)))
+ {
+ /*Now then... we have used the session key to sign*/
+ rampart_sig_prepare_key_info_for_sym_binding(env, rampart_context, sign_ctx, sig_node, signed_key, enc_key_id);
+ }
+ else
+ {
+ axiom_node_t *dk_token = NULL;
+ /*We have used a derived key to sign. Note the NULL we pass for the enc_key_id*/
+ rampart_sig_prepare_key_info_for_sym_binding(env, rampart_context, sign_ctx, sig_node, signed_key, NULL );
+ /*In addition we need to add a DerivedKeyToken after the EncryptedKey*/
+ dk_token = oxs_derivation_build_derived_key_token(env, signed_key, sec_node, enc_key_id ,OXS_WSS_11_VALUE_TYPE_ENCRYPTED_KEY);
+ /*We need to make DerivedKeyToken to appear before the sginature node*/
+ oxs_axiom_interchange_nodes(env, dk_token, sig_node);
+ }
+ if (free_enc_key_id)
+ {
+ AXIS2_FREE(env->allocator, enc_key_id);
+ }
+ }
}
/*If we have used derived keys, then we need to free the key in sign_ctx*/
if((RP_PROPERTY_SYMMETRIC_BINDING == binding_type) && (rampart_context_check_is_derived_keys (env, token)))
- {
+ {
oxs_key_t *sig_ctx_dk = NULL;
sig_ctx_dk = oxs_sign_ctx_get_secret(sign_ctx, env);
if(sig_ctx_dk && (OXS_KEY_USAGE_DERIVED == oxs_key_get_usage(sig_ctx_dk, env)))
- {
+ {
oxs_key_free(sig_ctx_dk, env);
sig_ctx_dk = NULL;
}
Modified: webservices/rampart/trunk/c/src/util/rampart_util.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_util.c?rev=619820&r1=619819&r2=619820&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_util.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_util.c Fri Feb 8 02:06:20 2008
@@ -29,8 +29,10 @@
#include <rampart_callback.h>
#include <rampart_credentials.h>
#include <rampart_replay_detector.h>
+#include <rampart_sct_provider.h>
#include <oxs_buffer.h>
#include <oxs_utility.h>
+#include <rampart_context.h>
/*Calculate the hash of concatenated string of
* nonce, created and the password.
@@ -145,6 +147,27 @@
return rd;
}
+AXIS2_EXTERN rampart_sct_provider_t* AXIS2_CALL
+rampart_load_sct_provider(const axutil_env_t *env,
+ axis2_char_t *sct_provider_name)
+{
+ rampart_sct_provider_t *sct_provider = NULL;
+ axutil_param_t *param = NULL;
+
+ sct_provider = (rampart_sct_provider_t*)rampart_load_module(env, sct_provider_name, ¶m);
+ if (!sct_provider)
+ {
+ AXIS2_LOG_INFO(env->log, "[rampart][rampart_util] Unable to identify the security context token provider module %s. ERROR", sct_provider_name);
+ return AXIS2_FAILURE;
+ }
+ if(param)
+ {
+ sct_provider->param = param;
+ }
+
+ return sct_provider;
+}
+
AXIS2_EXTERN rampart_callback_t* AXIS2_CALL
rampart_load_pwcb_module(const axutil_env_t *env,
axis2_char_t *callback_module_name)
@@ -282,5 +305,29 @@
return AXIS2_SUCCESS;
}
+AXIS2_EXTERN axis2_bool_t AXIS2_CALL
+is_different_session_key_for_encryption_and_signing(const axutil_env_t *env,
+ rampart_context_t *rampart_context)
+{
+ rp_property_t *binding = NULL;
+ binding = rp_secpolicy_get_binding(rampart_context_get_secpolicy(rampart_context, env),env);
+ if(binding)
+ {
+ if(rp_property_get_type(binding,env) == RP_PROPERTY_SYMMETRIC_BINDING)
+ {
+ rp_symmetric_binding_t *sym_binding = NULL;
+ rp_property_t *token = NULL;
+ sym_binding = (rp_symmetric_binding_t *)rp_property_get_value(binding,env);
+ if(sym_binding)
+ {
+ /*check protection tokens have being specified. If not, use the different session key for
+ encryption and signature */
+ token = rp_symmetric_binding_get_protection_token(sym_binding,env);
+ if(!token)
+ return AXIS2_TRUE;
+ }
+ }
+ }
-
+ return AXIS2_FALSE;
+}
\ No newline at end of file