Posted to java-dev@axis.apache.org by az...@apache.org on 2006/09/21 17:35:16 UTC
svn commit: r448581 - in /webservices/axis2/trunk/java/modules:
integration/test-resources/rahas/ integration/test-resources/security/sc/
rahas/src/org/apache/rahas/ rahas/src/org/apache/rahas/impl/
Author: azeez
Date: Thu Sep 21 08:35:15 2006
New Revision: 448581
URL: http://svn.apache.org/viewvc?view=rev&rev=448581
Log:
1. Configure trust <proofKeyType> based on keyComputation method
2. Updated SCTIssuer with above
Added:
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/AbstractIssuerConfig.java
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/TokenIssuerUtil.java
Modified:
webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml
webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s3-services.xml
webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s1-services.xml
webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s2-services.xml
webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s3-services.xml
webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s4-services.xml
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuer.java
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuerConfig.java
Modified: webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml?view=diff&rev=448581&r1=448580&r2=448581
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml (original)
+++ webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml Thu Sep 21 08:35:15 2006
@@ -20,7 +20,23 @@
<keySize>256</keySize>
<addRequestedAttachedRef />
<addRequestedUnattachedRef />
- <trusted-services>
+
+ <!--
+ Key computation mechanism
+ 1 - Use Request Entropy
+ 2 - Provide Entropy
+ 3 - Use Own Key
+ -->
+ <keyComputation>2</keyComputation>
+
+ <!--
+ proofKeyType element is valid only if the keyComputation is set to 3
+ i.e. Use Own Key
+
+ Valid values are: EncryptedKey & BinarySecret
+ -->
+ <proofKeyType>BinarySecret</proofKeyType>
+ <trusted-services>
<service alias="bob">http://localhost:5555/axis2/services/SecureService</service>
<service alias="bob1">http://localhost:5555/axis2/services/SecureService1</service>
<service alias="bob2">http://localhost:5555/axis2/services/SecureService2</service>
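Review bot: `<proofKeyType>BinarySecret</proofKeyType>` is added next to `<keyComputation>2</keyComputation>`, yet the comment directly above it states the element is honoured only when keyComputation is 3, so in this fixture the value is inert. The rahas/s3-services.xml hunk has the same pairing. Either drop the element from these two fixtures or extend the comment, e.g. `<!-- ignored while keyComputation is 2; kept so that switching to 3 needs no other edit -->`, so a reader does not assume the SAML proof token will be returned as a BinarySecret.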
Modified: webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s3-services.xml
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s3-services.xml?view=diff&rev=448581&r1=448580&r2=448581
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s3-services.xml (original)
+++ webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s3-services.xml Thu Sep 21 08:35:15 2006
@@ -20,7 +20,23 @@
<keySize>256</keySize>
<addRequestedAttachedRef />
<addRequestedUnattachedRef />
- <trusted-services>
+
+ <!--
+ Key computation mechanism
+ 1 - Use Request Entropy
+ 2 - Provide Entropy
+ 3 - Use Own Key
+ -->
+ <keyComputation>2</keyComputation>
+
+ <!--
+ proofKeyType element is valid only if the keyComputation is set to 3
+ i.e. Use Own Key
+
+ Valid values are: EncryptedKey & BinarySecret
+ -->
+ <proofKeyType>BinarySecret</proofKeyType>
+ <trusted-services>
<service alias="bob">http://localhost:5555/axis2/services/SecureService</service>
<service alias="bob1">http://localhost:5555/axis2/services/SecureService1</service>
<service alias="bob2">http://localhost:5555/axis2/services/SecureService2</service>
Modified: webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s1-services.xml
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s1-services.xml?view=diff&rev=448581&r1=448580&r2=448581
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s1-services.xml (original)
+++ webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s1-services.xml Thu Sep 21 08:35:15 2006
@@ -8,16 +8,40 @@
<operation name="echo">
<messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
<actionMapping>urn:echo</actionMapping>
- </operation>
+ </operation>
- <parameter name="sct-issuer-config">
+ <!-- <parameter name="sct-issuer-config">
<sct-issuer-config>
<proofToken>EncryptedKey</proofToken>
<cryptoProperties>sctIssuer.properties</cryptoProperties>
<addRequestedAttachedRef />
</sct-issuer-config>
+ </parameter>-->
+
+ <parameter name="sct-issuer-config">
+ <sct-issuer-config>
+ <addRequestedAttachedRef/>
+ <addRequestedUnattachedRef/>
+ <cryptoProperties>sctIssuer.properties</cryptoProperties>
+
+ <!--
+ Key computation mechanism
+ 1 - Use Request Entropy
+ 2 - Provide Entropy
+ 3 - Use Own Key
+ -->
+ <keyComputation>3</keyComputation>
+
+ <!--
+ proofKeyType element is valid only if the keyComputation is set to 3
+ i.e. Use Own Key
+
+ Valid values are: EncryptedKey & BinarySecret
+ -->
+ <proofKeyType>EncryptedKey</proofKeyType>
+ </sct-issuer-config>
</parameter>
-
+
<parameter name="token-canceler-config">
<token-canceler-config>
<!--<proofToken>EncryptedKey</proofToken>-->
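Review bot: The previous sct-issuer-config parameter is kept as a commented-out block (from `<!-- <parameter name="sct-issuer-config">` to `</parameter>-->`) instead of being deleted, and the only information it still carries is the old `<proofToken>` element that `<proofKeyType>` replaces. With the live parameter defined right below it, the dead block should be removed so the fixture does not show two configurations under the same parameter name. If the old shape is worth remembering, a one-line comment such as `<!-- proofToken was replaced by keyComputation/proofKeyType in r448581 -->` says it without duplicating the element.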
@@ -50,5 +74,5 @@
<passwordCallbackClass xmlns="">org.apache.axis2.security.sc.PWCallback</passwordCallbackClass>
</action>
</parameter>
-
+
</service>
Modified: webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s2-services.xml
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s2-services.xml?view=diff&rev=448581&r1=448580&r2=448581
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s2-services.xml (original)
+++ webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s2-services.xml Thu Sep 21 08:35:15 2006
@@ -12,11 +12,26 @@
<parameter name="sct-issuer-config">
<sct-issuer-config>
- <proofToken>BinarySecret</proofToken>
- <cryptoProperties>sctIssuer.properties</cryptoProperties>
<addRequestedAttachedRef />
<addRequestedUnattachedRef />
- </sct-issuer-config>
+ <cryptoProperties>sctIssuer.properties</cryptoProperties>
+
+ <!--
+ Key computation mechanism
+ 1 - Use Request Entropy
+ 2 - Provide Entropy
+ 3 - Use Own Key
+ -->
+ <keyComputation>3</keyComputation>
+
+ <!--
+ proofKeyType element is valid only if the keyComputation is set to 3
+ i.e. Use Own Key
+
+ Valid values are: EncryptedKey & BinarySecret
+ -->
+ <proofKeyType>BinarySecret</proofKeyType>
+ </sct-issuer-config>
</parameter>
<parameter xmlns="" name="sc-configuration">
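Review bot: With `<keyComputation>3</keyComputation>` (use own key) and `<proofKeyType>BinarySecret</proofKeyType>`, the secret chosen by the issuer is presumably returned in a wst:BinarySecret, i.e. unwrapped inside the RSTR, whereas the EncryptedKey option wraps it for the requester; the sc-configuration that would protect that response starts after this hunk, so I cannot confirm the message is encrypted. The s3-services.xml and s4-services.xml hunks under security/sc use the same pairing. A fixture comment such as `<!-- BinarySecret returns the key unwrapped; only valid when the response is encrypted by the security policy -->` would keep that condition visible when these files are copied into other deployments.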
Modified: webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s3-services.xml
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s3-services.xml?view=diff&rev=448581&r1=448580&r2=448581
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s3-services.xml (original)
+++ webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s3-services.xml Thu Sep 21 08:35:15 2006
@@ -11,10 +11,25 @@
<parameter name="sct-issuer-config">
<sct-issuer-config>
- <proofToken>EncryptedKey</proofToken>
<cryptoProperties>sctIssuer.properties</cryptoProperties>
<addRequestedAttachedRef />
- </sct-issuer-config>
+
+ <!--
+ Key computation mechanism
+ 1 - Use Request Entropy
+ 2 - Provide Entropy
+ 3 - Use Own Key
+ -->
+ <keyComputation>3</keyComputation>
+
+ <!--
+ proofKeyType element is valid only if the keyComputation is set to 3
+ i.e. Use Own Key
+
+ Valid values are: EncryptedKey & BinarySecret
+ -->
+ <proofKeyType>BinarySecret</proofKeyType>
+ </sct-issuer-config>
</parameter>
<parameter xmlns="" name="sc-configuration">
Modified: webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s4-services.xml
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s4-services.xml?view=diff&rev=448581&r1=448580&r2=448581
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s4-services.xml (original)
+++ webservices/axis2/trunk/java/modules/integration/test-resources/security/sc/s4-services.xml Thu Sep 21 08:35:15 2006
@@ -12,10 +12,25 @@
<parameter name="sct-issuer-config">
<sct-issuer-config>
- <proofToken>EncryptedKey</proofToken>
<cryptoProperties>sctIssuer.properties</cryptoProperties>
<addRequestedAttachedRef />
- </sct-issuer-config>
+
+ <!--
+ Key computation mechanism
+ 1 - Use Request Entropy
+ 2 - Provide Entropy
+ 3 - Use Own Key
+ -->
+ <keyComputation>3</keyComputation>
+
+ <!--
+ proofKeyType element is valid only if the keyComputation is set to 3
+ i.e. Use Own Key
+
+ Valid values are: EncryptedKey & BinarySecret
+ -->
+ <proofKeyType>BinarySecret</proofKeyType>
+ </sct-issuer-config>
</parameter>
<parameter xmlns="" name="sc-configuration">
Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties?view=diff&rev=448581&r1=448580&r2=448581
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties Thu Sep 21 08:35:15 2006
@@ -11,6 +11,7 @@
UnableToRenew = The requested renewal failed
+errorInObtainingToken = Error in obtaining token from : \"{0}\"
incorrectConfiguration = The given configuration element is not a "token-dispatcher-configuration" element
missingClassName = Class attribute missing
cannotLoadClass = Error in loading and instanciating the class \"{0}\"
@@ -64,4 +65,4 @@
cannotDetermineTokenId = Cannot determine token ID from request
tokenNotFound = Token with ID \"{0}\" cannot be found
configurationIsNull = Configuration is null
-errorInCancelingToken = Error occurred while trying to cancel token
\ No newline at end of file
+errorInCancelingToken = Error occurred while trying to cancel token
\ No newline at end of file
Added: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/AbstractIssuerConfig.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/AbstractIssuerConfig.java?view=auto&rev=448581
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/AbstractIssuerConfig.java (added)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/AbstractIssuerConfig.java Thu Sep 21 08:35:15 2006
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.rahas.impl;
+
+import javax.xml.namespace.QName;
+
+/**
+ *
+ */
+public abstract class AbstractIssuerConfig {
+
+ /**
+ * The key computation policy when clien't entropy is provided
+ */
+ public static class KeyComputation {
+ public static final QName KEY_COMPUTATION = new QName("keyComputation");
+ public final static int KEY_COMP_USE_REQ_ENT = 1;
+ public final static int KEY_COMP_PROVIDE_ENT = 2;
+ public final static int KEY_COMP_USE_OWN_KEY = 3;
+ }
+
+ public final static QName ADD_REQUESTED_ATTACHED_REF = new QName("addRequestedAttachedRef");
+ public final static QName ADD_REQUESTED_UNATTACHED_REF = new QName("addRequestedUnattachedRef");
+ public static final QName PROOF_KEY_TYPE = new QName("proofKeyType");
+
+ protected int keyComputation = KeyComputation.KEY_COMP_PROVIDE_ENT;
+ protected String proofKeyType = TokenIssuerUtil.ENCRYPTED_KEY;
+ protected boolean addRequestedAttachedRef;
+ protected boolean addRequestedUnattachedRef;
+ protected long ttl = 300000;
+ protected String cryptoPropertiesFile;
+ protected int keySize = 128;
+
+}
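Review bot: The class Javadoc at the top of AbstractIssuerConfig is empty, and the KeyComputation comment has a typo (`clien't`). Suggest `/** Configuration shared by the token issuers: key-computation policy, proof-key type, reference flags, TTL, crypto properties file and key size. */` for the class, `The key computation policy when client entropy is provided` for the nested class, and a comment on `proofKeyType` noting that, per the fixture comments in this commit, it is consulted only when keyComputation is KEY_COMP_USE_OWN_KEY. Minor: KEY_COMPUTATION and PROOF_KEY_TYPE use `static final` while the other constants use `final static`; pick one order.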
Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java?view=diff&rev=448581&r1=448580&r2=448581
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java Thu Sep 21 08:35:15 2006
@@ -33,11 +33,8 @@
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.apache.ws.security.conversation.ConversationException;
-import org.apache.ws.security.conversation.dkalgo.P_SHA1;
import org.apache.ws.security.message.WSSecEncryptedKey;
import org.apache.ws.security.util.Base64;
-import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.ws.security.util.XmlSchemaDateFormat;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.EncryptionConstants;
@@ -110,7 +107,7 @@
SOAPEnvelope env =
TrustUtil.
createSOAPEnvelope(inMsgCtx.getEnvelope().getNamespace().getNamespaceURI());
- Crypto crypto = CryptoFactory.getInstance(config.cryptoPropFile,
+ Crypto crypto = CryptoFactory.getInstance(config.cryptoPropertiesFile,
inMsgCtx.getAxisService().getClassLoader());
//Creation and expiration times
@@ -155,35 +152,34 @@
}
OMElement rstrElem;
- int version = data.getVersion();
- if (RahasConstants.VERSION_05_02 == version) {
- rstrElem = TrustUtil
- .createRequestSecurityTokenResponseElement(version, env.getBody());
+ int wstVersion = data.getVersion();
+ if (RahasConstants.VERSION_05_02 == wstVersion) {
+ rstrElem =
+ TrustUtil.createRequestSecurityTokenResponseElement(wstVersion, env.getBody());
} else {
- OMElement rstrcElem = TrustUtil
- .createRequestSecurityTokenResponseCollectionElement(
- version, env.getBody());
-
- rstrElem = TrustUtil.createRequestSecurityTokenResponseElement(version, rstrcElem);
+ OMElement rstrcElem =
+ TrustUtil.createRequestSecurityTokenResponseCollectionElement(wstVersion,
+ env.getBody());
+ rstrElem = TrustUtil.createRequestSecurityTokenResponseElement(wstVersion, rstrcElem);
}
- TrustUtil.createtTokenTypeElement(version,
+ TrustUtil.createtTokenTypeElement(wstVersion,
rstrElem).setText(RahasConstants.TOK_TYPE_SAML_10);
if (keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) {
- TrustUtil.createKeySizeElement(version, rstrElem, keySize);
+ TrustUtil.createKeySizeElement(wstVersion, rstrElem, keySize);
}
if (config.addRequestedAttachedRef) {
- TrustUtil.createRequestedAttachedRef(version,
+ TrustUtil.createRequestedAttachedRef(wstVersion,
rstrElem,
"#" + assertion.getId(),
RahasConstants.TOK_TYPE_SAML_10);
}
if (config.addRequestedUnattachedRef) {
- TrustUtil.createRequestedUnattachedRef(version, rstrElem, assertion
- .getId(), RahasConstants.TOK_TYPE_SAML_10);
+ TrustUtil.createRequestedUnattachedRef(wstVersion, rstrElem, assertion.getId(),
+ RahasConstants.TOK_TYPE_SAML_10);
}
if (data.getAppliesToAddress() != null) {
@@ -195,20 +191,25 @@
DateFormat zulu = new XmlSchemaDateFormat();
// Add the Lifetime element
- TrustUtil.createLifetimeElement(version, rstrElem, zulu
+ TrustUtil.createLifetimeElement(wstVersion, rstrElem, zulu
.format(creationTime), zulu.format(expirationTime));
//Create the RequestedSecurityToken element and add the SAML token to it
OMElement reqSecTokenElem = TrustUtil
- .createRequestedSecurityTokenElement(version, rstrElem);
+ .createRequestedSecurityTokenElement(wstVersion, rstrElem);
+ Token assertionToken;
try {
Node tempNode = assertion.toDOM();
- reqSecTokenElem.addChild((OMNode) ((Element) rstrElem)
- .getOwnerDocument().importNode(tempNode, true));
+ reqSecTokenElem.
+ addChild((OMNode) ((Element) rstrElem).getOwnerDocument().importNode(tempNode,
+ true));
// Store the token
- Token assertionToken = new Token(assertion.getId(), (OMElement) assertion
- .toDOM(), creationTime, expirationTime);
+ assertionToken = new Token(assertion.getId(),
+ (OMElement) assertion.toDOM(),
+ creationTime,
+ expirationTime);
+
// At this point we definitely have the secret
// Otherwise it should fail with an exception earlier
assertionToken.setSecret(data.getEphmeralKey());
@@ -218,40 +219,16 @@
throw new TrustException("samlConverstionError", e);
}
-
if (keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY) &&
- config.keyComputation != SAMLTokenIssuerConfig.KEY_COMP_USE_REQ_ENT) {
+ config.keyComputation != SAMLTokenIssuerConfig.KeyComputation.KEY_COMP_USE_REQ_ENT) {
//Add the RequestedProofToken
- OMElement reqProofTokElem =
- TrustUtil.createRequestedProofTokenElement(version, rstrElem);
-
- if (config.keyComputation == SAMLTokenIssuerConfig.KEY_COMP_PROVIDE_ENT
- && data.getRequestEntropy() != null) {
- //If we there's requestor entropy and its configured to provide
- //entropy then we have to set the entropy value and
- //set the RPT to include a ComputedKey element
-
- OMElement respEntrElem = TrustUtil.createEntropyElement(
- version, rstrElem);
-
- TrustUtil.createBinarySecretElement(version, respEntrElem,
- RahasConstants.BIN_SEC_TYPE_NONCE).setText(
- Base64.encode(data.getResponseEntropy()));
-
- OMElement compKeyElem = TrustUtil.createComputedKeyElement(
- version, reqProofTokElem);
- compKeyElem.setText(data.getWstNs()
- + RahasConstants.COMPUTED_KEY_PSHA1);
- } else {
- //In all other cases use send the key in a binary sectret element
-
- //TODO : Provide a config option to set this type to encrypted key
- OMElement binSecElem = TrustUtil.createBinarySecretElement(version,
- reqProofTokElem, null);
- binSecElem.setText(Base64.encode(data.getEphmeralKey()));
-
- }
+ TokenIssuerUtil.handleRequestedProofToken(data,
+ wstVersion,
+ config,
+ rstrElem,
+ assertionToken,
+ doc);
}
// Unset the DOM impl to default
@@ -301,8 +278,7 @@
try {
//Get ApliesTo to figureout which service to issue the token for
- serviceCert = getServiceCert(data.getRstElement(),
- config,
+ serviceCert = getServiceCert(config,
crypto,
data.getAppliesToAddress());
@@ -320,26 +296,10 @@
keysize = (keysize != -1) ? keysize : config.keySize;
encrKeyBuilder.setKeySize(keysize);
- boolean reqEntrPresent = data.getRequestEntropy() != null;
-
- if (reqEntrPresent &&
- config.keyComputation != SAMLTokenIssuerConfig.KEY_COMP_USE_OWN_KEY) {
- //If there is requestor entropy and if the issuer is not
- //configured to use its own key
-
- if (config.keyComputation == SAMLTokenIssuerConfig.KEY_COMP_PROVIDE_ENT) {
- data.setResponseEntropy(WSSecurityUtil.generateNonce(config.keySize / 8));
- P_SHA1 p_sha1 = new P_SHA1();
- encrKeyBuilder.setEphemeralKey(p_sha1.createKey(data.getRequestEntropy(),
- data.getResponseEntropy(),
- 0,
- keysize / 8));
- } else {
- //If we reach this its expected to use the requestor's
- //entropy
- encrKeyBuilder.setEphemeralKey(data.getRequestEntropy());
- }
- }// else : We have to use our own key here, so don't set the key
+ encrKeyBuilder.
+ setEphemeralKey(TokenIssuerUtil.getSharedSecret(data,
+ config.keyComputation,
+ keysize));
//Set key encryption algo
encrKeyBuilder.setKeyEncAlgo(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
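Review bot: `encrKeyBuilder.setEphemeralKey(TokenIssuerUtil.getSharedSecret(data, config.keyComputation, keysize))` is now called unconditionally, whereas the removed code left the ephemeral key unset when the issuer uses its own key or no request entropy was present, letting WSSecEncryptedKey generate one. If getSharedSecret returns null in those cases, confirm that setEphemeralKey(null) still yields a freshly generated key rather than a null secret reaching the EncryptedKey; a guard such as `byte[] secret = TokenIssuerUtil.getSharedSecret(data, config.keyComputation, keysize); if (secret != null) { encrKeyBuilder.setEphemeralKey(secret); }` keeps the old behaviour explicit. The removed branch also sized the response nonce from `config.keySize / 8` but the derived key from `keysize / 8`; the helper receives only keysize, so check the nonce length did not silently change. The ConversationException catch dropped later in this file means getSharedSecret must translate the P_SHA1 failure itself, and TokenIssuerUtil is not in this diff, so I cannot verify that.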
@@ -358,9 +318,6 @@
} catch (WSSecurityException e) {
throw new TrustException("errorInBuildingTheEncryptedKeyForPrincipal",
new String[]{serviceCert.getSubjectDN().getName()}, e);
- } catch (ConversationException e) {
- throw new TrustException("errorInBuildingTheEncryptedKeyForPrincipal",
- new String[]{serviceCert.getSubjectDN().getName()}, e);
}
return this.createAttributeAssertion(doc, encryptedKeyElem,
config, crypto, creationTime, expirationTime);
@@ -403,15 +360,13 @@
* Uses the <code>wst:AppliesTo</code> to figure out the certificate to
* encrypt the secret in the SAML token
*
- * @param request
* @param config
* @param crypto
* @param serviceAddress The address of the service
* @return
* @throws WSSecurityException
*/
- private X509Certificate getServiceCert(OMElement request,
- SAMLTokenIssuerConfig config,
+ private X509Certificate getServiceCert(SAMLTokenIssuerConfig config,
Crypto crypto,
String serviceAddress) throws WSSecurityException {
Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java?view=diff&rev=448581&r1=448580&r2=448581
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java Thu Sep 21 08:35:15 2006
@@ -26,191 +26,175 @@
import java.io.FileInputStream;
import java.util.HashMap;
import java.util.Iterator;
+import java.util.Map;
/**
* Configuration manager for the <code>SAMLTokenIssuer</code>
- *
- * @see org.apache.rahas.impl.SAMLTokenIssuer
+ *
+ * @see SAMLTokenIssuer
*/
-public class SAMLTokenIssuerConfig {
+public class SAMLTokenIssuerConfig extends AbstractIssuerConfig{
/**
* The QName of the configuration element of the SAMLTokenIssuer
*/
public final static QName SAML_ISSUER_CONFIG = new QName("saml-issuer-config");
-
+
/**
* Element name to include the alias of the private key to sign the response or
* the issued token
*/
private final static QName ISSUER_KEY_ALIAS = new QName("issuerKeyAlias");
-
+
/**
- * Element name to include the password of the private key to sign the
+ * Element name to include the password of the private key to sign the
* response or the issued token
*/
private final static QName ISSUER_KEY_PASSWD = new QName("issuerKeyPassword");
/**
- * Element name to include the crypto properties used to load the
+ * Element name to include the crypto properties used to load the
* information used securing the response
*/
private final static QName CRYPTO_PROPERTIES = new QName("cryptoProperties");
-
+
/**
* Element to specify the lifetime of the SAMLToken
* Dafaults to 300000 milliseconds (5 mins)
*/
private final static QName TTL = new QName("timeToLive");
-
+
/**
* Element to list the trusted services
*/
private final static QName TRUSTED_SERVICES = new QName("trusted-services");
-
+
private final static QName KEY_SIZE = new QName("keySize");
-
+
private final static QName SERVICE = new QName("service");
private final static QName ALIAS = new QName("alias");
- public final static QName ADD_REQUESTED_ATTACHED_REF = new QName("addRequestedAttachedRef");
- public final static QName ADD_REQUESTED_UNATTACHED_REF = new QName("addRequestedUnattachedRef");
-
public final static QName USE_SAML_ATTRIBUTE_STATEMENT = new QName("useSAMLAttributeStatement");
-
+
public final static QName ISSUER_NAME = new QName("issuerName");
-
- /**
- * The key computation policy when clien't entropy is provided
- */
- public static final QName KEY_COMPUTATION = new QName("keyComputation");
-
- public final static int KEY_COMP_USE_REQ_ENT = 1;
-
- public final static int KEY_COMP_PROVIDE_ENT = 2;
-
- public final static int KEY_COMP_USE_OWN_KEY = 3;
-
- protected String cryptoPropFile;
+
protected String issuerKeyAlias;
protected String issuerKeyPassword;
protected String issuerName;
- protected HashMap trustedServices;
+ protected Map trustedServices;
protected String trustStorePropFile;
- protected int keySize = 128;
- protected long ttl = 300000;
- protected boolean addRequestedAttachedRef;
- protected boolean addRequestedUnattachedRef;
- protected int keyComputation = KEY_COMP_PROVIDE_ENT;
-
+
private SAMLTokenIssuerConfig(OMElement elem) throws TrustException {
-
+ OMElement proofKeyElem = elem.getFirstChildWithName(PROOF_KEY_TYPE);
+ if (proofKeyElem != null) {
+ this.proofKeyType = proofKeyElem.getText().trim();
+ }
+
//The alias of the private key
OMElement userElem = elem.getFirstChildWithName(ISSUER_KEY_ALIAS);
- if(userElem != null) {
+ if (userElem != null) {
this.issuerKeyAlias = userElem.getText().trim();
}
- if(this.issuerKeyAlias == null || "".equals(this.issuerKeyAlias)) {
+ if (this.issuerKeyAlias == null || "".equals(this.issuerKeyAlias)) {
throw new TrustException("samlIssuerKeyAliasMissing");
}
-
+
OMElement issuerKeyPasswdElem = elem.getFirstChildWithName(ISSUER_KEY_PASSWD);
- if(issuerKeyPasswdElem != null) {
+ if (issuerKeyPasswdElem != null) {
this.issuerKeyPassword = issuerKeyPasswdElem.getText().trim();
}
- if(this.issuerKeyPassword == null || "".equals(this.issuerKeyPassword)) {
+ if (this.issuerKeyPassword == null || "".equals(this.issuerKeyPassword)) {
throw new TrustException("samlIssuerKeyPasswdMissing");
}
-
+
OMElement issuerNameElem = elem.getFirstChildWithName(ISSUER_NAME);
- if(issuerNameElem != null) {
+ if (issuerNameElem != null) {
this.issuerName = issuerNameElem.getText().trim();
}
- if(this.issuerName == null || "".equals(this.issuerName)) {
+ if (this.issuerName == null || "".equals(this.issuerName)) {
throw new TrustException("samlIssuerNameMissing");
}
-
+
OMElement cryptoPropElem = elem.getFirstChildWithName(CRYPTO_PROPERTIES);
- if(cryptoPropElem != null) {
- this.cryptoPropFile = cryptoPropElem.getText().trim();
+ if (cryptoPropElem != null) {
+ this.cryptoPropertiesFile = cryptoPropElem.getText().trim();
}
-
- if(this.cryptoPropFile == null || "".equals(this.cryptoPropFile)) {
+
+ if (this.cryptoPropertiesFile == null || "".equals(this.cryptoPropertiesFile)) {
throw new TrustException("samlPropFileMissing");
}
-
- OMElement keyCompElem = elem.getFirstChildWithName(KEY_COMPUTATION);
-
- if(keyCompElem != null && keyCompElem.getText() != null && !"".equals(keyCompElem)) {
+
+ OMElement keyCompElem = elem.getFirstChildWithName(KeyComputation.KEY_COMPUTATION);
+ if (keyCompElem != null && keyCompElem.getText() != null && !"".equals(keyCompElem)) {
this.keyComputation = Integer.parseInt(keyCompElem.getText());
}
-
+
//time to live
OMElement ttlElem = elem.getFirstChildWithName(TTL);
- if(ttlElem != null) {
+ if (ttlElem != null) {
try {
this.ttl = Long.parseLong(ttlElem.getText().trim());
} catch (NumberFormatException e) {
throw new TrustException("invlidTTL");
}
}
-
+
OMElement keySizeElem = elem.getFirstChildWithName(KEY_SIZE);
- if(keySizeElem != null) {
+ if (keySizeElem != null) {
try {
this.keySize = Integer.parseInt(keySizeElem.getText().trim());
} catch (NumberFormatException e) {
throw new TrustException("invalidKeysize");
}
}
-
+
this.addRequestedAttachedRef = elem
.getFirstChildWithName(ADD_REQUESTED_ATTACHED_REF) != null;
this.addRequestedUnattachedRef = elem
.getFirstChildWithName(ADD_REQUESTED_UNATTACHED_REF) != null;
-
+
//Process trusted services
OMElement trustedServices = elem.getFirstChildWithName(TRUSTED_SERVICES);
-
+
/*
- * If there are trusted services add them to a list
- * Only trusts myself to issue tokens to :
- * In this case the STS is embedded in the service as well and
- * the issued token can only be used with that particular service
- * since the response secret is encrypted by the service's public key
- */
- if(trustedServices != null) {
+ * If there are trusted services add them to a list
+ * Only trusts myself to issue tokens to :
+ * In this case the STS is embedded in the service as well and
+ * the issued token can only be used with that particular service
+ * since the response secret is encrypted by the service's public key
+ */
+ if (trustedServices != null) {
//Now process the trusted services
Iterator servicesIter = trustedServices.getChildrenWithName(SERVICE);
while (servicesIter.hasNext()) {
OMElement service = (OMElement) servicesIter.next();
OMAttribute aliasAttr = service.getAttribute(ALIAS);
- if(aliasAttr == null) {
+ if (aliasAttr == null) {
//The certificate alias is a must
throw new TrustException("aliasMissingForService",
new String[]{service.getText().trim()});
}
- if(this.trustedServices == null) {
+ if (this.trustedServices == null) {
this.trustedServices = new HashMap();
}
-
+
//Add the trusted service and the alias to the map of services
this.trustedServices.put(service.getText().trim(), aliasAttr.getAttributeValue());
}
-
+
//There maybe no trusted services as well, Therefore do not
//throw an exception when there are no trusted in the list at the
//moment
}
}
-
+
public static SAMLTokenIssuerConfig load(OMElement elem) throws TrustException {
return new SAMLTokenIssuerConfig(elem);
}
-
+
public static SAMLTokenIssuerConfig load(String configFilePath)
throws TrustException {
FileInputStream fis;
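Review bot: `!"".equals(keyCompElem)` on the keyComputation line compares the OMElement itself with an empty string, so that test is always true and an empty `<keyComputation/>` reaches `Integer.parseInt`, which throws an unchecked NumberFormatException instead of the TrustException that the TTL and keySize blocks raise for the same mistake; the parsed value is also never range-checked against the three KeyComputation constants, although it decides who contributes the proof key. The new proofKeyType read a few lines above has the same gap: any string is accepted even though the fixtures document only EncryptedKey and BinarySecret, and only TokenIssuerUtil.ENCRYPTED_KEY is visible here to compare against. Suggest parsing and validating keyComputation like the keySize block and rejecting unknown proofKeyType values with a TrustException:
```java
OMElement keyCompElem = elem.getFirstChildWithName(KeyComputation.KEY_COMPUTATION);
if (keyCompElem != null && keyCompElem.getText() != null
        && !"".equals(keyCompElem.getText().trim())) {
    try {
        this.keyComputation = Integer.parseInt(keyCompElem.getText().trim());
    } catch (NumberFormatException e) {
        throw new TrustException("invalidKeyComputation"); // new message key; add to errors.properties
    }
    if (this.keyComputation < KeyComputation.KEY_COMP_USE_REQ_ENT
            || this.keyComputation > KeyComputation.KEY_COMP_USE_OWN_KEY) {
        throw new TrustException("invalidKeyComputation");
    }
}
// … unchanged: time to live, keySize, attached/unattached refs, trusted services …
```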
@@ -220,9 +204,9 @@
builder = new StAXOMBuilder(fis);
} catch (Exception e) {
throw new TrustException("errorLoadingConfigFile",
- new String[] { configFilePath });
+ new String[]{configFilePath});
}
return load(builder.getDocumentElement());
}
-
+
}
Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuer.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuer.java?view=diff&rev=448581&r1=448580&r2=448581
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuer.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuer.java Thu Sep 21 08:35:15 2006
@@ -19,37 +19,26 @@
import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.description.Parameter;
-import org.apache.axis2.util.Base64;
import org.apache.rahas.RahasConstants;
import org.apache.rahas.RahasData;
import org.apache.rahas.Token;
import org.apache.rahas.TokenIssuer;
import org.apache.rahas.TrustException;
import org.apache.rahas.TrustUtil;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.conversation.ConversationConstants;
import org.apache.ws.security.conversation.ConversationException;
-import org.apache.ws.security.message.WSSecEncryptedKey;
import org.apache.ws.security.message.token.SecurityContextToken;
import org.apache.ws.security.util.XmlSchemaDateFormat;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-import java.security.SecureRandom;
import java.text.DateFormat;
import java.util.Date;
public class SCTIssuer implements TokenIssuer {
- public final static String ENCRYPTED_KEY = "EncryptedKey";
-
public final static String COMPUTED_KEY = "ComputedKey";
- public final static String BINARY_SECRET = "BinarySecret";
-
private String configFile;
private OMElement configElement;
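Review bot: `COMPUTED_KEY` is left behind on SCTIssuer while its siblings `ENCRYPTED_KEY` and `BINARY_SECRET` move to TokenIssuerUtil, and the dispatch that read it is deleted in the next hunk, so no use of it remains visible in this diff. Since it is public, check for callers outside the diff before dropping it; if it must stay, move it next to the other two in TokenIssuerUtil so the proof-key-type vocabulary is defined in one place rather than split across the issuer and the util class.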
@@ -59,7 +48,7 @@
/**
* Issue a {@link SecurityContextToken} based on the wsse:Signature or
* wsse:UsernameToken
- *
+ * <p/>
* This will support returning the SecurityContextToken with the following
* types of wst:RequestedProof tokens:
* <ul>
@@ -88,199 +77,103 @@
if (param != null && param.getParameterElement() != null) {
config = SCTIssuerConfig.load(param.getParameterElement()
.getFirstChildWithName(
- SCTIssuerConfig.SCT_ISSUER_CONFIG));
+ SCTIssuerConfig.SCT_ISSUER_CONFIG));
} else {
throw new TrustException("expectedParameterMissing",
- new String[] { this.configParamName });
+ new String[]{this.configParamName});
}
}
if (config == null) {
throw new TrustException("missingConfiguration",
- new String[] { SCTIssuerConfig.SCT_ISSUER_CONFIG
- .getLocalPart() });
+ new String[]{SCTIssuerConfig.SCT_ISSUER_CONFIG
+ .getLocalPart()});
}
- if (ENCRYPTED_KEY.equals(config.proofTokenType)) {
- return this.doEncryptedKey(config,data);
- } else if (BINARY_SECRET.equals(config.proofTokenType)) {
- return this.doBinarySecret(config, data);
- } else if (COMPUTED_KEY.equals(config.proofTokenType)) {
- // TODO
- throw new UnsupportedOperationException("TODO");
- } else {
- // TODO
- throw new UnsupportedOperationException("TODO: Default");
- }
+ // Env
+ return createEnvelope(data, config);
}
- private SOAPEnvelope doBinarySecret(SCTIssuerConfig config, RahasData data)
- throws TrustException {
-
+ private SOAPEnvelope createEnvelope(RahasData data,
+ SCTIssuerConfig config) throws TrustException {
try {
SOAPEnvelope env = TrustUtil.createSOAPEnvelope(data.getSoapNs());
int wstVersion = data.getVersion();
-
- // Get the document
- Document doc = ((Element) env).getOwnerDocument();
-
- SecurityContextToken sct = new SecurityContextToken(this.getWSCVersion(data.getTokenType()), doc);
-
- OMElement rstrElem = TrustUtil
- .createRequestSecurityTokenResponseElement(wstVersion, env
- .getBody());
-
- OMElement rstElem = TrustUtil.createRequestedSecurityTokenElement(
- wstVersion, rstrElem);
-
- rstElem.addChild((OMElement) sct.getElement());
-
- String tokenType = data.getTokenType();
-
- if (config.addRequestedAttachedRef) {
- if (wstVersion == RahasConstants.VERSION_05_02) {
- TrustUtil.createRequestedAttachedRef(wstVersion, rstrElem, "#"
- + sct.getID(), tokenType);
- } else {
- TrustUtil.createRequestedAttachedRef(wstVersion, rstrElem, "#"
- + sct.getID(), tokenType);
- }
- }
-
- if (config.addRequestedUnattachedRef) {
- if (wstVersion == RahasConstants.VERSION_05_02) {
- TrustUtil.createRequestedUnattachedRef(wstVersion, rstrElem,
- sct.getIdentifier(),
- tokenType);
- } else {
- TrustUtil.createRequestedUnattachedRef(wstVersion, rstrElem,
- sct.getIdentifier(),
- tokenType);
- }
- }
-
- OMElement reqProofTok = TrustUtil.createRequestedProofTokenElement(
- wstVersion, rstrElem);
-
- OMElement binSecElem = TrustUtil.createBinarySecretElement(wstVersion,
- reqProofTok, null);
-
- byte[] secret = this.generateEphemeralKey();
- binSecElem.setText(Base64.encode(secret));
-
- //Creation and expiration times
- Date creationTime = new Date();
- Date expirationTime = new Date();
-
- expirationTime.setTime(creationTime.getTime() + config.ttl);
-
-
- // Use GMT time in milliseconds
- DateFormat zulu = new XmlSchemaDateFormat();
-
- // Add the Lifetime element
- TrustUtil.createLifetimeElement(wstVersion, rstrElem, zulu
- .format(creationTime), zulu.format(expirationTime));
-
- // Store the tokens
- Token sctToken = new Token(sct.getIdentifier(), (OMElement) sct
- .getElement(), creationTime, expirationTime);
- sctToken.setSecret(secret);
- TrustUtil.getTokenStore(data.getInMessageContext()).add(sctToken);
-
- return env;
- } catch (ConversationException e) {
- throw new TrustException(e.getMessage(), e);
- }
- }
-
- private SOAPEnvelope doEncryptedKey(SCTIssuerConfig config, RahasData data)
- throws TrustException {
- try {
- int wstVersion = data.getVersion();
-
- SOAPEnvelope env = TrustUtil.createSOAPEnvelope(data.getSoapNs());
// Get the document
Document doc = ((Element) env).getOwnerDocument();
-
- WSSecEncryptedKey encrKeyBuilder = new WSSecEncryptedKey();
- Crypto crypto = CryptoFactory.getInstance(config.cryptoPropertiesFile,
- data.getInMessageContext().getAxisService().getClassLoader());
-
- encrKeyBuilder.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
- try {
- encrKeyBuilder.setUseThisCert(data.getClientCert());
- encrKeyBuilder.prepare(doc, crypto);
- } catch (WSSecurityException e) {
- throw new TrustException(
- "errorInBuildingTheEncryptedKeyForPrincipal",
- new String[] { data.getClientCert().getSubjectDN()
- .getName() });
- }
-
+
SecurityContextToken sct =
new SecurityContextToken(this.getWSCVersion(data.getTokenType()), doc);
-
+
OMElement rstrElem =
- TrustUtil.createRequestSecurityTokenResponseElement(wstVersion, env.getBody());
-
- OMElement rstElem = TrustUtil.createRequestedSecurityTokenElement(wstVersion, rstrElem);
+ TrustUtil.createRequestSecurityTokenResponseElement(wstVersion,
+ env.getBody());
+
+ OMElement rstElem =
+ TrustUtil.createRequestedSecurityTokenElement(wstVersion, rstrElem);
+
rstElem.addChild((OMElement) sct.getElement());
+
String tokenType = data.getTokenType();
-
+
if (config.addRequestedAttachedRef) {
if (wstVersion == RahasConstants.VERSION_05_02) {
- TrustUtil.createRequestedAttachedRef(wstVersion, rstrElem, "#"
- + sct.getID(), tokenType);
+ TrustUtil.createRequestedAttachedRef(wstVersion,
+ rstrElem,
+ "#" + sct.getID(),
+ tokenType);
} else {
- TrustUtil.createRequestedAttachedRef(wstVersion, rstrElem, "#"
- + sct.getID(), tokenType);
+ TrustUtil.createRequestedAttachedRef(wstVersion,
+ rstrElem,
+ "#" + sct.getID(),
+ tokenType);
}
}
-
+
if (config.addRequestedUnattachedRef) {
if (wstVersion == RahasConstants.VERSION_05_02) {
- TrustUtil.createRequestedUnattachedRef(wstVersion, rstrElem,
- sct.getIdentifier(), tokenType);
+ TrustUtil.createRequestedUnattachedRef(wstVersion,
+ rstrElem,
+ sct.getIdentifier(),
+ tokenType);
} else {
- TrustUtil.createRequestedUnattachedRef(wstVersion, rstrElem,
- sct.getIdentifier(), tokenType);
+ TrustUtil.createRequestedUnattachedRef(wstVersion,
+ rstrElem,
+ sct.getIdentifier(),
+ tokenType);
}
}
-
+
//Creation and expiration times
Date creationTime = new Date();
Date expirationTime = new Date();
-
+
expirationTime.setTime(creationTime.getTime() + config.ttl);
-
+
// Use GMT time in milliseconds
DateFormat zulu = new XmlSchemaDateFormat();
-
+
// Add the Lifetime element
- TrustUtil.createLifetimeElement(wstVersion, rstrElem, zulu
- .format(creationTime), zulu.format(expirationTime));
-
- Element encryptedKeyElem = encrKeyBuilder.getEncryptedKeyElement();
- Element bstElem = encrKeyBuilder.getBinarySecurityTokenElement();
-
- OMElement reqProofTok = TrustUtil.createRequestedProofTokenElement(
- wstVersion, rstrElem);
-
- if (bstElem != null) {
- reqProofTok.addChild((OMElement) bstElem);
- }
-
- reqProofTok.addChild((OMElement) encryptedKeyElem);
-
-
+ TrustUtil.createLifetimeElement(wstVersion,
+ rstrElem,
+ zulu.format(creationTime),
+ zulu.format(expirationTime));
+
// Store the tokens
- Token sctToken = new Token(sct.getIdentifier(), (OMElement) sct
- .getElement(), creationTime, expirationTime);
- sctToken.setSecret(encrKeyBuilder.getEphemeralKey());
+ Token sctToken = new Token(sct.getIdentifier(),
+ (OMElement) sct.getElement(),
+ creationTime,
+ expirationTime);
+
+ //Add the RequestedProofToken
+ TokenIssuerUtil.handleRequestedProofToken(data,
+ wstVersion,
+ config,
+ rstrElem,
+ sctToken,
+ doc);
TrustUtil.getTokenStore(data.getInMessageContext()).add(sctToken);
-
return env;
} catch (ConversationException e) {
throw new TrustException(e.getMessage(), e);
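Review bot: The `// Env` comment added before `return createEnvelope(data, config);` says nothing, and `createEnvelope` itself has no Javadoc although it now hides where the RequestedProofToken and the token secret come from. Replace the comment with `// Build the RSTR; the RequestedProofToken and the token secret are produced by TokenIssuerUtil.handleRequestedProofToken` and give `createEnvelope` a one-line Javadoc listing its steps (SCT, attached/unattached references, lifetime, proof token, token store). Note that `handleRequestedProofToken` throws `IllegalArgumentException` for an unrecognised `proofKeyType`, and the `catch (ConversationException e)` here does not turn that into a `TrustException`, so a misconfiguration surfaces as an unchecked exception on every request. `config.ttl` no longer lives in SCTIssuerConfig after this commit; presumably it moved to AbstractIssuerConfig, which is not part of this diff, so its default cannot be checked here.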
@@ -299,46 +192,28 @@
}
/**
- * @see org.apache.rahas.TokenIssuer#setConfigurationElement(java.lang.String)
+ * @see org.apache.rahas.TokenIssuer#setConfigurationElement(OMElement)
*/
public void setConfigurationElement(OMElement configElement) {
this.configElement = configElement;
}
- /**
- * Create an ephemeral key
- *
- * @return
- * @throws WSSecurityException
- */
- private byte[] generateEphemeralKey() throws TrustException {
- try {
- SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
- byte[] temp = new byte[16];
- random.nextBytes(temp);
- return temp;
- } catch (Exception e) {
- throw new TrustException("errorCreatingSymmKey", e);
- }
- }
-
public void setConfigurationParamName(String configParamName) {
this.configParamName = configParamName;
}
private int getWSCVersion(String tokenTypeValue) throws ConversationException {
-
- if(tokenTypeValue == null) {
+
+ if (tokenTypeValue == null) {
return ConversationConstants.DEFAULT_VERSION;
}
-
- if(tokenTypeValue != null && tokenTypeValue.startsWith(ConversationConstants.WSC_NS_05_02)) {
+
+ if (tokenTypeValue.startsWith(ConversationConstants.WSC_NS_05_02)) {
return ConversationConstants.getWSTVersion(ConversationConstants.WSC_NS_05_02);
- } else if(tokenTypeValue != null && tokenTypeValue.startsWith(ConversationConstants.WSC_NS_05_12)) {
+ } else if (tokenTypeValue.startsWith(ConversationConstants.WSC_NS_05_12)) {
return ConversationConstants.getWSTVersion(ConversationConstants.WSC_NS_05_12);
} else {
throw new ConversationException("unsupportedSecConvVersion");
}
}
-
}
Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuerConfig.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuerConfig.java?view=diff&rev=448581&r1=448580&r2=448581
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuerConfig.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuerConfig.java Thu Sep 21 08:35:15 2006
@@ -27,40 +27,21 @@
/**
* SCTIssuer Configuration processor
*/
-public class SCTIssuerConfig {
+public class SCTIssuerConfig extends AbstractIssuerConfig{
public final static QName SCT_ISSUER_CONFIG = new QName("sct-issuer-config");
- public final static QName ADD_REQUESTED_ATTACHED_REF = new QName("addRequestedAttachedRef");
- public final static QName ADD_REQUESTED_UNATTACHED_REF = new QName("addRequestedUnattachedRef");
-
-
- protected String proofTokenType = SCTIssuer.ENCRYPTED_KEY;
-
- protected String cryptoPropertiesFile = null;
-
- protected boolean addRequestedAttachedRef;
-
- protected boolean addRequestedUnattachedRef;
-
protected byte[] requesterEntropy;
-
- protected int keySize;
-
- //TODO: get from config
- protected long ttl = 300000;
-
+
private SCTIssuerConfig(OMElement elem) throws TrustException {
- OMElement proofTokenElem =
- elem.getFirstChildWithName(new QName("proofToken"));
- if (proofTokenElem != null) {
- this.proofTokenType = proofTokenElem.getText().trim();
+ OMElement proofKeyElem = elem.getFirstChildWithName(PROOF_KEY_TYPE);
+ if (proofKeyElem != null) {
+ this.proofKeyType = proofKeyElem.getText().trim();
}
OMElement cryptoPropertiesElem = elem
.getFirstChildWithName(new QName("cryptoProperties"));
- if (!SCTIssuer.BINARY_SECRET.equals(proofTokenType)
- && cryptoPropertiesElem == null) {
+ if (!TokenIssuerUtil.BINARY_SECRET.equals(proofKeyType) && cryptoPropertiesElem == null) {
throw new TrustException("sctIssuerCryptoPropertiesMissing");
}
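Review bot: The constructor stores whatever `proofKeyType` the configuration carries without checking that it is one of `TokenIssuerUtil.ENCRYPTED_KEY` or `TokenIssuerUtil.BINARY_SECRET`; an unsupported value is only rejected later, per request, by the `IllegalArgumentException` in `handleRequestedProofToken`. Validating at load time, e.g. `if (!TokenIssuerUtil.ENCRYPTED_KEY.equals(proofKeyType) && !TokenIssuerUtil.BINARY_SECRET.equals(proofKeyType)) { throw new TrustException(<new message key in errors.properties>); }`, fails the deployment once instead of every request. The relaxed crypto-properties check also leaves the unconditional `cryptoPropertiesElem.getText().trim()` in the following hunk reachable with a null element when `proofKeyType` is BinarySecret and no `cryptoProperties` child is present, which throws NullPointerException; guard that assignment with `if (cryptoPropertiesElem != null)`.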
@@ -69,6 +50,10 @@
this.addRequestedUnattachedRef =
elem.getFirstChildWithName(ADD_REQUESTED_UNATTACHED_REF) != null;
this.cryptoPropertiesFile = cryptoPropertiesElem.getText().trim();
+ OMElement keyCompElem = elem.getFirstChildWithName(KeyComputation.KEY_COMPUTATION);
+ if (keyCompElem != null && keyCompElem.getText() != null && !"".equals(keyCompElem)) {
+ this.keyComputation = Integer.parseInt(keyCompElem.getText());
+ }
}
public static SCTIssuerConfig load(OMElement elem) throws TrustException {
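Review bot: `!"".equals(keyCompElem)` compares the empty string with the OMElement object rather than with its text, so that condition is always true and an empty key-computation element reaches `Integer.parseInt("")`, which throws an unchecked NumberFormatException out of the config loader. Compare the trimmed text and parse that instead: `String keyComp = keyCompElem.getText().trim();` then `if (!"".equals(keyComp)) { this.keyComputation = Integer.parseInt(keyComp); }`. A non-numeric value still escapes as NumberFormatException; wrapping it in a `TrustException` would match how the other configuration errors in this constructor are reported.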
@@ -89,7 +74,4 @@
return load(builder.getDocumentElement());
}
-
-
-
}
Added: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/TokenIssuerUtil.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/TokenIssuerUtil.java?view=auto&rev=448581
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/TokenIssuerUtil.java (added)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/TokenIssuerUtil.java Thu Sep 21 08:35:15 2006
@@ -0,0 +1,157 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.rahas.impl;
+
+import org.apache.axiom.om.OMElement;
+import org.apache.rahas.RahasData;
+import org.apache.rahas.Token;
+import org.apache.rahas.TrustException;
+import org.apache.rahas.TrustUtil;
+import org.apache.rahas.RahasConstants;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.conversation.ConversationException;
+import org.apache.ws.security.conversation.dkalgo.P_SHA1;
+import org.apache.ws.security.message.WSSecEncryptedKey;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.axis2.util.Base64;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import java.security.SecureRandom;
+
+/**
+ *
+ */
+public class TokenIssuerUtil {
+
+ public final static String ENCRYPTED_KEY = "EncryptedKey";
+ public final static String BINARY_SECRET = "BinarySecret";
+
+ public static byte[] getSharedSecret(RahasData data,
+ int keyComputation,
+ int keySize) throws TrustException {
+
+ boolean reqEntrPresent = data.getRequestEntropy() != null;
+
+ try {
+ if (reqEntrPresent &&
+ keyComputation != SAMLTokenIssuerConfig.KeyComputation.KEY_COMP_USE_OWN_KEY) {
+ //If there is requestor entropy and if the issuer is not
+ //configured to use its own key
+
+ if (keyComputation ==
+ SAMLTokenIssuerConfig.KeyComputation.KEY_COMP_PROVIDE_ENT) {
+ data.setResponseEntropy(WSSecurityUtil.generateNonce(keySize / 8));
+ P_SHA1 p_sha1 = new P_SHA1();
+ return p_sha1.createKey(data.getRequestEntropy(),
+ data.getResponseEntropy(),
+ 0,
+ keySize / 8);
+ } else {
+ //If we reach this its expected to use the requestor's
+ //entropy
+ return data.getRequestEntropy();
+ }
+ } else { // need to use a generated key
+ return generateEphemeralKey(keySize);
+ }
+ } catch (WSSecurityException e) {
+ throw new TrustException("errorCreatingSymmKey", e);
+ } catch (ConversationException e) {
+ throw new TrustException("errorCreatingSymmKey", e);
+ }
+ }
+
+ public static void handleRequestedProofToken(RahasData data,
+ int wstVersion,
+ AbstractIssuerConfig config,
+ OMElement rstrElem,
+ Token token,
+ Document doc) throws TrustException {
+ OMElement reqProofTokElem =
+ TrustUtil.createRequestedProofTokenElement(wstVersion, rstrElem);
+
+ if (config.keyComputation == AbstractIssuerConfig.KeyComputation.KEY_COMP_PROVIDE_ENT
+ && data.getRequestEntropy() != null) {
+ //If we there's requestor entropy and its configured to provide
+ //entropy then we have to set the entropy value and
+ //set the RPT to include a ComputedKey element
+
+ OMElement respEntrElem = TrustUtil.createEntropyElement(wstVersion, rstrElem);
+ TrustUtil.createBinarySecretElement(wstVersion,
+ respEntrElem,
+ RahasConstants.BIN_SEC_TYPE_NONCE).
+ setText(Base64.encode(data.getResponseEntropy()));
+
+ OMElement compKeyElem =
+ TrustUtil.createComputedKeyElement(wstVersion, reqProofTokElem);
+ compKeyElem.setText(data.getWstNs() + RahasConstants.COMPUTED_KEY_PSHA1);
+ } else {
+ if (TokenIssuerUtil.ENCRYPTED_KEY.equals(config.proofKeyType)) {
+ WSSecEncryptedKey encrKeyBuilder = new WSSecEncryptedKey();
+ Crypto crypto =
+ CryptoFactory.getInstance(config.cryptoPropertiesFile,
+ data.getInMessageContext().
+ getAxisService().getClassLoader());
+
+ encrKeyBuilder.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
+ try {
+ encrKeyBuilder.setUseThisCert(data.getClientCert());
+ encrKeyBuilder.prepare(doc, crypto);
+ } catch (WSSecurityException e) {
+ throw new TrustException("errorInBuildingTheEncryptedKeyForPrincipal",
+ new String[]{data.
+ getClientCert().getSubjectDN().getName()});
+ }
+ Element encryptedKeyElem = encrKeyBuilder.getEncryptedKeyElement();
+ Element bstElem = encrKeyBuilder.getBinarySecurityTokenElement();
+ if (bstElem != null) {
+ reqProofTokElem.addChild((OMElement) bstElem);
+ }
+
+ reqProofTokElem.addChild((OMElement) encryptedKeyElem);
+
+ token.setSecret(encrKeyBuilder.getEphemeralKey());
+ } else if (TokenIssuerUtil.BINARY_SECRET.equals(config.proofKeyType)) {
+ byte[] secret = TokenIssuerUtil.getSharedSecret(data,
+ config.keyComputation,
+ config.keySize);
+ OMElement binSecElem = TrustUtil.createBinarySecretElement(wstVersion,
+ reqProofTokElem,
+ null);
+ binSecElem.setText(org.apache.axis2.util.Base64.encode(secret));
+ token.setSecret(secret);
+ } else {
+ throw new IllegalArgumentException(config.proofKeyType);
+ }
+ }
+ }
+
+ private static byte[] generateEphemeralKey(int keySize) throws TrustException {
+ try {
+ SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
+ byte[] temp = new byte[keySize / 8];
+ random.nextBytes(temp);
+ return temp;
+ } catch (Exception e) {
+ throw new TrustException("errorCreatingSymmKey", e);
+ }
+ }
+
+}
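Review bot: In the `KEY_COMP_PROVIDE_ENT` branch of `handleRequestedProofToken` (the block containing `createEntropyElement` and `createComputedKeyElement`) nothing generates the response entropy or calls `token.setSecret`: `getSharedSecret`, which is what invokes `data.setResponseEntropy(...)` and derives the P_SHA1 key, is only called from the mutually exclusive BinarySecret branch. Unless the caller has already invoked `getSharedSecret` itself — `SCTIssuer.createEnvelope` in this commit does not — `Base64.encode(data.getResponseEntropy())` runs on null and the token is stored without a secret. Derive the key at the top of that branch, `byte[] secret = getSharedSecret(data, config.keyComputation, config.keySize);`, and end it with `token.setSecret(secret);`. Separately, the else branch of `getSharedSecret` that returns `data.getRequestEntropy()` unchanged makes the issued secret entirely requester-chosen and never compares its length with `keySize`, so at least reject entropy whose length is not `keySize / 8`; and `generateEphemeralKey` would be simpler and more portable as `new SecureRandom()` than pinning `"SHA1PRNG"` behind a `catch (Exception e)`. The empty class Javadoc should also say what this helper is for.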