Posted to axis-cvs@ws.apache.org by ru...@apache.org on 2006/09/04 07:27:05 UTC

svn commit: r439934 - in /webservices/axis2/trunk/java/modules: integration/test/org/apache/rahas/ rahas/src/org/apache/rahas/ rahas/src/org/apache/rahas/impl/

Author: ruchithf
Date: Sun Sep  3 22:27:04 2006
New Revision: 439934

URL: http://svn.apache.org/viewvc?view=rev&rev=439934
Log:
Added Entropy handling in SAMLTokenIssuer - The SAML token issuer can be configured to use its own key, to provide response entropy (returning a ComputedKey), or to use the request entropy as the generated ephemeral key, via the keyComputation child element of the configuration element.
IMPORTANT: This requires the latest wss4j-SNAPSHOT.jar


Modified:
    webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/TestClient.java
    webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/RahasData.java
    webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java
    webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
    webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java

Modified: webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/TestClient.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/TestClient.java?view=diff&rev=439934&r1=439933&r2=439934
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/TestClient.java (original)
+++ webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/TestClient.java Sun Sep  3 22:27:04 2006
@@ -16,7 +16,6 @@
 
 package org.apache.rahas;
 import org.apache.axiom.om.OMElement;
-import org.apache.axis2.AxisFault;
 import org.apache.axis2.Constants;
 import org.apache.axis2.addressing.AddressingConstants;
 import org.apache.axis2.addressing.EndpointReference;

Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/RahasData.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/RahasData.java?view=diff&rev=439934&r1=439933&r2=439934
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/RahasData.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/RahasData.java Sun Sep  3 22:27:04 2006
@@ -17,6 +17,7 @@
 package org.apache.rahas;
 
 import org.apache.axiom.om.OMElement;
+import org.apache.axiom.om.util.Base64;
 import org.apache.axis2.addressing.AddressingConstants;
 import org.apache.axis2.context.MessageContext;
 import org.apache.ws.security.WSConstants;
@@ -112,6 +113,8 @@
         this.processKeySize();
 
         this.processAppliesTo();
+        
+        this.processEntropy();
 
     }
 
@@ -259,6 +262,28 @@
         }
         this.keysize = -1;
     }
+    
+
+    /**
+     * Process wst:Entropy element in the request.
+     */
+    private void processEntropy() throws TrustException {
+        OMElement entropyElem = this.rstElement
+                .getFirstChildWithName(new QName(this.wstNs,
+                        RahasConstants.ENTROPY_LN));
+        
+        if(entropyElem != null) {
+            OMElement binSecElem = entropyElem.getFirstElement();
+            if (binSecElem != null && binSecElem.getText() != null
+                    && !"".equals(binSecElem.getText())) {
+                this.requestEntropy = Base64.decode(binSecElem.getText());
+            } else {
+                throw new TrustException("malformedEntropyElement",
+                        new String[] { entropyElem.toString() });
+            }
+            
+        }
+    }
 
     /**
      * @return Returns the appliesToAddress.
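Review bot: `processEntropy` Base64-decodes the text of whatever element happens to be the first child of wst:Entropy, without checking that the child is a wst:BinarySecret, without looking at its Type attribute, and without checking the decoded length, even though the issuer later copies this value straight into the ephemeral key when configured to use requestor entropy. At minimum compare `binSecElem.getLocalName()` against the BinarySecret local-name constant (not visible in this hunk) and reject an empty result, e.g. `if (this.requestEntropy.length == 0) throw new TrustException("malformedEntropyElement", new String[] { entropyElem.toString() });`, since text consisting only of whitespace passes the `!"".equals(...)` test. How `Base64.decode` reacts to non-Base64 text is not visible here; if it throws an unchecked exception, wrap it in the same TrustException. The `requestEntropy` field this method assigns is declared outside the hunk.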
@@ -377,6 +402,20 @@
      */
     public String getSoapNs() {
         return soapNs;
+    }
+
+    /**
+     * @param responseEntropy The responseEntropy to set.
+     */
+    public void setResponseEntropy(byte[] responseEntropy) {
+        this.responseEntropy = responseEntropy;
+    }
+
+    /**
+     * @param ephmeralKey The ephmeralKey to set.
+     */
+    public void setEphmeralKey(byte[] ephmeralKey) {
+        this.ephmeralKey = ephmeralKey;
     }
 
     

Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java?view=diff&rev=439934&r1=439933&r2=439934
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java Sun Sep  3 22:27:04 2006
@@ -107,6 +107,13 @@
                 RahasConstants.ENTROPY_LN, RahasConstants.WST_PREFIX);
     }
     
+    public static OMElement createComputedKeyElement(
+            int version, OMElement parent) throws TrustException {
+        String ns = getWSTNamespace(version);
+        return createOMElement(parent, ns,
+                RahasConstants.COMPUTED_KEY_LN, RahasConstants.WST_PREFIX);
+    }
+    
     public static OMElement createRequestTypeElement(
             int version, OMElement parent, String value) throws TrustException {
         String ns = getWSTNamespace(version);

Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java?view=diff&rev=439934&r1=439933&r2=439934
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java Sun Sep  3 22:27:04 2006
@@ -33,8 +33,10 @@
 import org.apache.ws.security.WSUsernameTokenPrincipal;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.conversation.dkalgo.P_SHA1;
 import org.apache.ws.security.message.WSSecEncryptedKey;
 import org.apache.ws.security.util.Base64;
+import org.apache.ws.security.util.WSSecurityUtil;
 import org.apache.ws.security.util.XmlSchemaDateFormat;
 import org.apache.xml.security.signature.XMLSignature;
 import org.apache.xml.security.utils.EncryptionConstants;
@@ -218,13 +220,37 @@
             throw new TrustException("samlConverstionError", e);
         }
 
+        //Add the RequestedProofToken
+        OMElement reqProofTokElem = TrustUtil.createRequestedProofTokenElement(
+                version, rstrElem);
+        
         if(keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) {
-            //Add the RequestedProofToken
-            OMElement reqProofTokElem = TrustUtil
-                    .createRequestedProofTokenElement(version, rstrElem);
-            OMElement binSecElem = TrustUtil.createBinarySecretElement(version,
-                    reqProofTokElem, null);
-            binSecElem.setText(Base64.encode(data.getEphmeralKey()));
+            
+            if (config.keyComputation == SAMLTokenIssuerConfig.KEY_COMP_PROVIDE_ENT
+                    && data.getRequestEntropy() != null) {
+                //If we there's requestor entropy and its configured to provide
+                //entropy then we have to set the entropy value and
+                //set the RPT to include a ComputedKey element
+                
+                OMElement respEntrElem = TrustUtil.createEntropyElement(
+                        version, rstrElem);
+                
+                TrustUtil.createBinarySecretElement(version, respEntrElem,
+                        RahasConstants.BIN_SEC_TYPE_NONCE);
+                
+                OMElement compKeyElem = TrustUtil.createComputedKeyElement(
+                        version, reqProofTokElem);
+                compKeyElem.setText(data.getWstNs()
+                        + RahasConstants.COMPUTED_KEY_PSHA1);
+            } else {
+                //In all other cases use send the key in a binary sectret element
+                
+                //TODO : Provide a config option to set this type to encrypted key
+                OMElement binSecElem = TrustUtil.createBinarySecretElement(version,
+                        reqProofTokElem, null);
+                binSecElem.setText(Base64.encode(data.getEphmeralKey()));
+                
+            }
         }
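Review bot: The issuer's entropy is never written into the response: `TrustUtil.createBinarySecretElement(version, respEntrElem, RahasConstants.BIN_SEC_TYPE_NONCE)` discards its return value, so the wst:Entropy/wst:BinarySecret sent back is empty and the requestor cannot run P_SHA1 to derive the key the ComputedKey element announces (contrast the `else` branch, which does call `setText`). Capture the element and fill it, `OMElement respBinSecElem = TrustUtil.createBinarySecretElement(version, respEntrElem, RahasConstants.BIN_SEC_TYPE_NONCE);` followed by `respBinSecElem.setText(Base64.encode(data.getResponseEntropy()));`. The branch also presumes `data.getResponseEntropy()` was populated by the key-computation code elsewhere in this class; a null check with a TrustException would make that ordering assumption explicit. The enclosing method starts and ends outside this hunk.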
         
         // Unet the DOM impl to DOOM
@@ -270,13 +296,13 @@
                 //Get ApliesTo to figureout which service to issue the token for
                 serviceCert = getServiceCert(data.getRstElement(), config,
                         crypto, data.getAppliesToAddress());
-    
+
                 //Ceate the encrypted key
                 WSSecEncryptedKey encrKeyBuilder = new WSSecEncryptedKey();
-        
+
                 //Use thumbprint id
                 encrKeyBuilder.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
-    
+                
                 //SEt the encryption cert
                 encrKeyBuilder.setUseThisCert(serviceCert);
                 
@@ -284,6 +310,26 @@
                 int keysize = data.getKeysize();
                 keysize = (keysize != -1) ? keysize : config.keySize;
                 encrKeyBuilder.setKeySize(keysize);
+
+                boolean reqEntrPresent = data.getRequestEntropy() != null;
+
+                if(reqEntrPresent && config.keyComputation != SAMLTokenIssuerConfig.KEY_COMP_USE_OWN_KEY) {
+                    //If there's no requestor entropy and if the issuer is not 
+                    //configured to use its own key
+                    
+                    if(config.keyComputation == SAMLTokenIssuerConfig.KEY_COMP_PROVIDE_ENT) {
+                        data.setResponseEntropy(WSSecurityUtil.generateNonce(config.keySize/8));
+                        P_SHA1 p_sha1 = new P_SHA1();
+                        encrKeyBuilder.setEphemeralKey(p_sha1.createKey(data
+                                .getRequestEntropy(),
+                                data.getResponseEntropy(), 0, keysize / 8));
+                    } else {
+                        //If we reach this its expected to use the requestor's 
+                        //entropy
+                        encrKeyBuilder.setEphemeralKey(data.getRequestEntropy());
+                    }
+                }// else : We have to use our own key here, so don't set the key
+                
                 
                 //Set key encryption algo
                 encrKeyBuilder.setKeyEncAlgo(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
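Review bot: On the `encrKeyBuilder.setEphemeralKey(data.getRequestEntropy())` line the requestor-supplied bytes become the session key as-is, with no check that their length matches `keysize / 8`; a shorter value would make the later `System.arraycopy(..., keysize/8)` overrun, and a longer one would be silently truncated for the proof token while the EncryptedKey presumably carries the full value (wss4j internals are not visible here). Guard it with `if (data.getRequestEntropy().length != keysize / 8) { throw new TrustException(/* resource key for bad entropy size */); }` before the branch. The nonce is sized with `config.keySize/8` while `p_sha1.createKey` derives `keysize / 8` bytes; use the effective `keysize` in both so a requestor-specified KeySize does not produce a mismatched nonce: `data.setResponseEntropy(WSSecurityUtil.generateNonce(keysize / 8));`. The comment above the first added `if` says "If there's no requestor entropy" although the condition requires it to be present; reword it to "If requestor entropy is present and the issuer is not configured to use its own key". The enclosing method starts and ends outside this hunk.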
@@ -292,7 +338,10 @@
                 encrKeyBuilder.prepare(doc, crypto);
                 
                 //Extract the base64 encoded secret value
-                System.arraycopy(encrKeyBuilder.getEphemeralKey(), 0, data.getEphmeralKey(), 0, keysize/8);
+                byte[] tempKey = new byte[keysize/8];
+                System.arraycopy(encrKeyBuilder.getEphemeralKey(), 0, tempKey, 0, keysize/8);
+                
+                data.setEphmeralKey(tempKey);
                 
                 //Extract the Encryptedkey DOM element 
                 encryptedKeyElem = encrKeyBuilder.getEncryptedKeyElement();
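Review bot: The copy into `tempKey` truncates whatever `encrKeyBuilder.getEphemeralKey()` returns to `keysize/8` bytes without comparing lengths, so if the builder's key is longer (possible when a caller-supplied key is used) the proof token and the EncryptedKey would carry different keys, and if it is shorter the copy throws an ArrayIndexOutOfBoundsException instead of a TrustException. Check the length first, `if (encrKeyBuilder.getEphemeralKey().length != keysize / 8) { throw new TrustException(/* resource key for key size mismatch */); }`, or simply store `encrKeyBuilder.getEphemeralKey()` unchanged once its size has been validated. The enclosing method starts and ends outside this hunk.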

Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java?view=diff&rev=439934&r1=439933&r2=439934
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java Sun Sep  3 22:27:04 2006
@@ -80,6 +80,17 @@
     
     public final static QName ISSUER_NAME = new QName("issuerName");
     
+    /**
+     * The key computation policy when clien't entropy is provided
+     */
+    public static final QName KEY_COMPUTATION = new QName("keyComputation");
+    
+    public final static int KEY_COMP_USE_REQ_ENT = 1;
+    
+    public final static int KEY_COMP_PROVIDE_ENT = 2;
+    
+    public final static int KEY_COMP_USE_OWN_KEY = 3;
+    
     protected String cryptoPropFile;
     protected String issuerKeyAlias;
     protected String issuerKeyPassword;
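Review bot: The three `KEY_COMP_*` constants are bare integers that operators must type into the `keyComputation` element, yet only the QName carries a comment (and it reads "clien't"). Document each value where it is declared, e.g. `/** Use the requestor's entropy as the ephemeral key. */` on KEY_COMP_USE_REQ_ENT, `/** Derive the key from requestor and issuer entropy (ComputedKey PSHA1). */` on KEY_COMP_PROVIDE_ENT, and `/** Ignore requestor entropy and use an issuer-generated key. */` on KEY_COMP_USE_OWN_KEY, which matches how SAMLTokenIssuer branches on them in this commit. Reword the QName Javadoc to "The key computation policy to apply when client entropy is provided; the value is one of the KEY_COMP_* constants." The class body continues outside this hunk.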
@@ -90,7 +101,8 @@
     protected long ttl = 300000;
     protected boolean addRequestedAttachedRef;
     protected boolean addRequestedUnattachedRef;
-
+    protected int keyComputation = KEY_COMP_PROVIDE_ENT;
+    
     private SAMLTokenIssuerConfig(OMElement elem) throws TrustException {
         
         //The alias of the private key 
@@ -128,6 +140,12 @@
         
         if(this.cryptoPropFile == null || "".equals(this.cryptoPropFile)) {
             throw new TrustException("samlPropFileMissing");
+        }
+        
+        OMElement keyCompElem = elem.getFirstChildWithName(KEY_COMPUTATION);
+        
+        if(keyCompElem != null && keyCompElem.getText() != null && !"".equals(keyCompElem)) {
+            this.keyComputation = Integer.parseInt(keyCompElem.getText());
         }
         
         //time to live
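Review bot: The emptiness test `!"".equals(keyCompElem)` compares a String with an OMElement and is therefore always true, so an empty `<keyComputation/>` reaches `Integer.parseInt("")` and escapes the constructor as an unchecked NumberFormatException, and any integer that parses is accepted without being checked against the three defined constants. That second gap matters for security: in SAMLTokenIssuer any value that is neither KEY_COMP_USE_OWN_KEY nor KEY_COMP_PROVIDE_ENT falls into the "use the requestor's entropy" branch, so a typo such as `4` silently lets the requestor choose the session key. Compare `getText()` instead, convert parse failures to TrustException, and reject values outside the defined range (the message key would need adding to the resource bundle). The constructor continues outside this hunk.
```java
OMElement keyCompElem = elem.getFirstChildWithName(KEY_COMPUTATION);

if (keyCompElem != null && keyCompElem.getText() != null
        && !"".equals(keyCompElem.getText().trim())) {
    try {
        this.keyComputation = Integer.parseInt(keyCompElem.getText().trim());
    } catch (NumberFormatException e) {
        throw new TrustException("invalidKeyComputation", e);
    }
    if (this.keyComputation < KEY_COMP_USE_REQ_ENT
            || this.keyComputation > KEY_COMP_USE_OWN_KEY) {
        throw new TrustException("invalidKeyComputation");
    }
}
// … unchanged: time to live parsing …
```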


