Posted to java-dev@axis.apache.org by ru...@apache.org on 2006/09/10 12:30:49 UTC
svn commit: r441937 - in
/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart:
builder/TransportBindingBuilder.java errors.properties
Author: ruchithf
Date: Sun Sep 10 03:30:47 2006
New Revision: 441937
URL: http://svn.apache.org/viewvc?view=rev&rev=441937
Log:
Updated transport binding
- to be able to handle X509Tokens in EndorsingSupportingTokens and EndorsingSignedSupportingTokens
- not to process supporting tokens on the server side
IMPORTANT : Requires latest WSS4J : (SVN revision : 441936)
Modified:
webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/TransportBindingBuilder.java
webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties
Modified: webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/TransportBindingBuilder.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/TransportBindingBuilder.java?view=diff&rev=441937&r1=441936&r2=441937
==============================================================================
--- webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/TransportBindingBuilder.java (original)
+++ webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/TransportBindingBuilder.java Sun Sep 10 03:30:47 2006
@@ -23,16 +23,21 @@
import org.apache.rampart.RampartException;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.RampartPolicyData;
+import org.apache.rampart.policy.model.RampartConfig;
import org.apache.rampart.util.RampartUtil;
import org.apache.ws.secpolicy.Constants;
import org.apache.ws.secpolicy.model.IssuedToken;
import org.apache.ws.secpolicy.model.SupportingToken;
import org.apache.ws.secpolicy.model.Token;
import org.apache.ws.secpolicy.model.UsernameToken;
+import org.apache.ws.secpolicy.model.X509Token;
+import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.message.WSSecDKSign;
+import org.apache.ws.security.message.WSSecEncryptedKey;
+import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.WSSecTimestamp;
import org.apache.ws.security.message.WSSecUsernameToken;
import org.w3c.dom.Document;
@@ -79,64 +84,179 @@
/*
* Process Supporting tokens
*/
-
- SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
-
- if(sgndSuppTokens != null && sgndSuppTokens.getTokens() != null &&
- sgndSuppTokens.getTokens().size() > 0) {
+ if(rmd.isClientSide()) {
+ Vector signatureValues = new Vector();
- log.debug("Processing signed supporting tokens");
+ SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
+
+ if(sgndSuppTokens != null && sgndSuppTokens.getTokens() != null &&
+ sgndSuppTokens.getTokens().size() > 0) {
+
+ log.debug("Processing signed supporting tokens");
+
+ ArrayList tokens = sgndSuppTokens.getTokens();
+ for (Iterator iter = tokens.iterator(); iter.hasNext();) {
+
+ Token token = (Token) iter.next();
+ if(token instanceof UsernameToken) {
+ addUsernameToken(rmd);
+ } else {
+ throw new RampartException("unsupportedSignedSupportingToken",
+ new String[]{"{" +token.getName().getNamespaceURI()
+ + "}" + token.getName().getLocalPart()});
+ }
+ }
+ }
- ArrayList tokens = sgndSuppTokens.getTokens();
- for (Iterator iter = tokens.iterator(); iter.hasNext();) {
-
- Token token = (Token) iter.next();
- if(token instanceof UsernameToken && rmd.isClientSide()) {
- addUsernameToken(rmd);
- } else {
- throw new RampartException("unsupportedSignedSupportingToken",
- new String[]{"{" +token.getName().getNamespaceURI()
- + "}" + token.getName().getLocalPart()});
+ SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
+ if(sgndEndSuppTokens != null && sgndEndSuppTokens.getTokens() != null &&
+ sgndEndSuppTokens.getTokens().size() > 0) {
+
+ log.debug("Processing endorsing signed supporting tokens");
+
+ ArrayList tokens = sgndEndSuppTokens.getTokens();
+ for (Iterator iter = tokens.iterator(); iter.hasNext();) {
+ Token token = (Token) iter.next();
+ if(token instanceof IssuedToken && rmd.isClientSide()) {
+ signatureValues.add(doIssuedTokenSignature(rmd, token));
+ } else if(token instanceof X509Token) {
+ signatureValues.add(doX509TokenSignature(rmd, token));
+ }
+ }
+ }
+
+ SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens();
+ if(endSupptokens != null && endSupptokens.getTokens() != null &&
+ endSupptokens.getTokens().size() > 0) {
+ log.debug("Processing endorsing supporting tokens");
+ ArrayList tokens = endSupptokens.getTokens();
+ for (Iterator iter = tokens.iterator(); iter.hasNext();) {
+ Token token = (Token) iter.next();
+ if(token instanceof IssuedToken && rmd.isClientSide()){
+ signatureValues.add(doIssuedTokenSignature(rmd, token));
+ } else if(token instanceof X509Token) {
+ signatureValues.add(doX509TokenSignature(rmd, token));
+ }
}
}
}
+ }
+
+ /**
+ * X.509 signature
+ * @param rmd
+ * @param token
+ */
+ private byte[] doX509TokenSignature(RampartMessageData rmd, Token token) throws RampartException {
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+ Document doc = rmd.getDocument();
- SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
- if(sgndEndSuppTokens != null && sgndEndSuppTokens.getTokens() != null &&
- sgndEndSuppTokens.getTokens().size() > 0) {
-
- log.debug("Processing endorsing signed supporting tokens");
-
- ArrayList tokens = sgndEndSuppTokens.getTokens();
- for (Iterator iter = tokens.iterator(); iter.hasNext();) {
- Token token = (Token) iter.next();
- if(token instanceof IssuedToken){
- doIssuedTokenSignature(rmd, token);
+ if(token.isDerivedKeys()) {
+ //In this case we will have to encrypt the ephmeral key with the
+ //other party's key and then use it as the parent key of the
+ // derived keys
+
+ WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
+ boolean bst = false;
+ if(token.getInclusion().equals(Constants.INCLUDE_NEVER)) {
+ //Use thumbprint
+ encrKey.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
+ } else {
+ encrKey.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
+ bst = true;
+ }
+
+ try {
+
+ encrKey.setUserInfo(rpd.getRampartConfig().getEncryptionUser());
+ encrKey.setKeySize(rpd.getAlgorithmSuite().getMaximumSymmetricKeyLength());
+ encrKey.setKeyEncAlgo(rpd.getAlgorithmSuite().getAsymmetricKeyWrap());
+
+ encrKey.prepare(doc, RampartUtil.getEncryptionCrypto(rpd.getRampartConfig()));
+
+ if(bst) {
+ encrKey.appendBSTElementToHeader(rmd.getSecHeader());
}
+
+ encrKey.appendToHeader(rmd.getSecHeader());
+
+ WSSecDKSign dkSig = new WSSecDKSign();
+ dkSig.setSigCanonicalization(rpd.getAlgorithmSuite().getInclusiveC14n());
+ dkSig.setSignatureAlgorithm(rpd.getAlgorithmSuite().getSymmetricSignature());
+
+ dkSig.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
+
+ Vector sigParts = new Vector();
+
+ sigParts.add(rmd.getTimestampId());
+
+ if(rpd.isTokenProtection()) {
+ sigParts.add(encrKey.getBSTTokenId());
+ }
+
+ dkSig.setParts(sigParts);
+
+ dkSig.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ //Do signature
+ dkSig.computeSignature();
+
+ return dkSig.getSignatureValue();
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorCreatingEncryptedKey", e);
}
- }
+
+ } else {
+ WSSecSignature sig = new WSSecSignature();
+ sig.setWsConfig(rmd.getConfig());
+ boolean bst = false;
+
+ if(token.getInclusion().equals(Constants.INCLUDE_NEVER)) {
+ //Use thumbprint
+ sig.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
+ } else {
+ sig.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
+ bst = true;
+ }
+
+ sig.setSignatureAlgorithm(rpd.getAlgorithmSuite().getAsymmetricSignature());
+ sig.setSigCanonicalization(rpd.getAlgorithmSuite().getInclusiveC14n());
+
+ try {
+ sig.prepare(doc, RampartUtil.getSignatureCrypto(rpd.getRampartConfig()), rmd.getSecHeader());
- SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens();
- if(endSupptokens != null && endSupptokens.getTokens() != null &&
- endSupptokens.getTokens().size() > 0) {
- log.debug("Processing endorsing supporting tokens");
- ArrayList tokens = endSupptokens.getTokens();
- for (Iterator iter = tokens.iterator(); iter.hasNext();) {
- Token token = (Token) iter.next();
- if(token instanceof IssuedToken){
- doIssuedTokenSignature(rmd, token);
+ sig.appendBSTElementToHeader(rmd.getSecHeader());
+
+ Vector sigParts = new Vector();
+ sigParts.add(rmd.getTimestampId());
+ if(rpd.isTokenProtection() && bst) {
+ sigParts.add(sig.getBSTTokenId());
}
+
+ sig.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ sig.appendToHeader(rmd.getSecHeader());
+
+ sig.computeSignature();
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInSignatureWithX509Token", e);
}
+
+ return sig.getSignatureValue();
}
}
/**
+ * IssuedToken signature
* @param rmd
* @param token
* @throws RampartException
*/
- private void doIssuedTokenSignature(RampartMessageData rmd, Token token) throws RampartException {
+ private byte[] doIssuedTokenSignature(RampartMessageData rmd, Token token) throws RampartException {
RampartPolicyData rpd = rmd.getPolicyData();
Document doc= rmd.getDocument();
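Review bot: The derived-key branch of the new doX509TokenSignature adds `encrKey.getBSTTokenId()` to sigParts whenever token protection is on, even when inclusion is INCLUDE_NEVER and no BST was appended to the header, whereas the plain-signature branch guards this with `if(rpd.isTokenProtection() && bst) {`; the derived-key branch should carry the same guard so the signature never references a token id that is absent from the header. The plain-signature branch has the mirror inconsistency: `sig.appendBSTElementToHeader(rmd.getSecHeader());` runs unconditionally, including the thumbprint case, while the derived-key branch wraps the equivalent call in `if(bst)`, so the two branches should be aligned one way or the other. The signatureValues Vector created at the top of the client-side block is only ever added to within this hunk; if nothing consumes it later it is dead state, and the inner `rmd.isClientSide()` tests on the IssuedToken branches are now redundant since the whole block sits inside `if(rmd.isClientSide())`. The Javadoc on doX509TokenSignature should also state `@return the raw signature value` and `@throws RampartException if the encrypted key or the signature cannot be created`.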
@@ -153,15 +273,18 @@
new String[]{id} ,e);
}
+ boolean tokenIncluded = false;
+
if(inclusion.equals(Constants.INCLUDE_ALWAYS) ||
((inclusion.equals(Constants.INCLUDE_ALWAYS_TO_RECIPIENT)
|| inclusion.equals(Constants.INCLUDE_ONCE))
&& rmd.isClientSide())) {
- //Add the token
- rmd.getSecHeader().getSecurityHeader().appendChild(
+ //Add the token
+ rmd.getSecHeader().getSecurityHeader().appendChild(
doc.importNode((Element) tok.getToken(), true));
+ tokenIncluded = true;
}
//check for dirived keys
@@ -195,17 +318,21 @@
sigParts.add(rmd.getTimestampId());
- if(rpd.isTokenProtection()) {
+ if(rpd.isTokenProtection() && tokenIncluded) {
sigParts.add(id);
}
dkSign.setParts(sigParts);
+ dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
+
//Do signature
dkSign.computeSignature();
dkSign.appendSigToHeader(rmd.getSecHeader());
+ return dkSign.getSignatureValue();
+
} catch (ConversationException e) {
throw new RampartException(
"errorInDerivedKeyTokenSignature", e);
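Review bot: The added `dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());` follows an existing `dkSign.setParts(sigParts);` on the same parts list, and the same pairing appears in the derived-key branch of doX509TokenSignature in this commit; if WSS4J's WSSecDKSign only consumes the parts set via setParts inside build(), the setParts call is redundant here, and if it also consumes them in computeSignature the references would be emitted twice, so please confirm against the WSS4J revision this change requires and keep only one of the two. The enclosing doIssuedTokenSignature starts and ends outside this hunk.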
@@ -216,6 +343,7 @@
} else {
//TODO: Do signature withtout derived keys with the Issuedtoken ??
+ return null;
}
}
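Review bot: `return null;` in the non-derived-keys branch makes doIssuedTokenSignature silently produce no endorsing signature for a token the policy required, and its callers in this commit store that null straight into the signatureValues Vector. Since the TODO shows this path is not implemented, failing loudly is safer than returning null: `throw new RampartException("unsupportedIssuedTokenSignature", new String[]{token.getName().getLocalPart()});` with a matching key added to errors.properties, or at minimum the Javadoc should say `@return the signature value, or {@code null} when the token does not use derived keys (not yet supported)` so callers know to check. The enclosing method starts outside this hunk.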
Modified: webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties?view=diff&rev=441937&r1=441936&r2=441937
==============================================================================
--- webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties (original)
+++ webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties Sun Sep 10 03:30:47 2006
@@ -20,4 +20,6 @@
noPasswordForUser = No password supplied by the callback handler for the user : \"{0}\"
unsupportedSignedSupportingToken = Unsupported SignedSupportingToken : \"{0}\"
errorExtractingToken = Error extracting token : \"{0}\"
-errorInDerivedKeyTokenSignature = Error in creating DerivedKeyToken signature
\ No newline at end of file
+errorInDerivedKeyTokenSignature = Error in DerivedKeyToken signature
+errorInSignatureWithX509Token = Error in signature with X509Token
+errorCreatingEncryptedKey = Error in creating an encrypted key
\ No newline at end of file