Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2009/05/20 13:37:58 UTC
svn commit: r776668 - in /webservices/wss4j/trunk/src/org/apache/ws/security:
action/UsernameTokenSignedAction.java components/crypto/CryptoBase.java
message/WSSecBase.java message/WSSecDKSign.java message/WSSecSignature.java
message/WSSecTimestamp.java
Author: coheigea
Date: Wed May 20 11:37:58 2009
New Revision: 776668
URL: http://svn.apache.org/viewvc?rev=776668&view=rev
Log:
[WSS40] - Refactored WSSecSignature.addReferencesToSign
- Removed special cases for "Assertion" and "Token"
- WSSecDKSign now uses this (static) method instead of its own copy
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecBase.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecTimestamp.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java?rev=776668&r1=776667&r2=776668&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java Wed May 20 11:37:58 2009
@@ -84,6 +84,9 @@
sign.setSecretKey(builder.getSecretKey());
sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+ if (reqData.getSigDigestAlgorithm() != null) {
+ sign.setDigestAlgo(reqData.getSigDigestAlgorithm());
+ }
sign.prepare(doc, null, reqData.getSecHeader());
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java?rev=776668&r1=776667&r2=776668&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java Wed May 20 11:37:58 2009
@@ -398,30 +398,31 @@
*/
public X509Certificate[] getCertificates(String alias) throws WSSecurityException {
Certificate[] certs = null;
- Certificate cert = null;
try {
- if (this.keystore != null) {
- //There's a chance that there can only be a set of trust stores
+ if (keystore != null) {
+ // There's a chance that there can only be a set of trust stores
certs = keystore.getCertificateChain(alias);
if (certs == null || certs.length == 0) {
- // no cert chain, so lets check if getCertificate gives us a
- // result.
- cert = keystore.getCertificate(alias);
+ // no cert chain, so lets check if getCertificate gives us a result.
+ Certificate cert = keystore.getCertificate(alias);
+ if (cert != null) {
+ certs = new Certificate[]{cert};
+ }
}
}
- if (certs == null && cert == null && cacerts != null) {
+ if (certs == null && cacerts != null) {
// Now look into the trust stores
certs = cacerts.getCertificateChain(alias);
if (certs == null) {
- cert = cacerts.getCertificate(alias);
+ Certificate cert = cacerts.getCertificate(alias);
+ if (cert != null) {
+ certs = new Certificate[]{cert};
+ }
}
}
- if (cert != null) {
- certs = new Certificate[]{cert};
- } else if (certs == null) {
- // At this point we don't have certs or a cert
+ if (certs == null) {
return null;
}
} catch (KeyStoreException e) {
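Review bot: The empty-chain case is handled inconsistently in the rewritten getCertificates: line 51 treats a zero-length array from `keystore.getCertificateChain` as "no chain", but if `getCertificate` then returns null as well, `certs` remains that zero-length array, so the `certs == null` tests on the trust-store fallback (line 63) and on the final return (line 78) are both false and the method returns an empty array instead of consulting `cacerts` or returning null. The trust-store branch on line 66 also lacks the length check the keystore branch has. Both conditions could use the same test: `if ((certs == null || certs.length == 0) && cacerts != null) {` and `if (certs == null || certs.length == 0) {` before `return null;`. The old code had the same gap, so this is not a regression, but the rewrite is the moment to close it; the catch block and the rest of getCertificates continue outside the hunk.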
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecBase.java?rev=776668&r1=776667&r2=776668&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecBase.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecBase.java Wed May 20 11:37:58 2009
@@ -126,7 +126,7 @@
}
return id;
}
-
+
/**
* Set the user and password info.
*
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java?rev=776668&r1=776667&r2=776668&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java Wed May 20 11:37:58 2009
@@ -29,17 +29,12 @@
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
-import org.apache.ws.security.saml.SAMLUtil;
-import org.apache.ws.security.transform.STRTransform;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
-import org.apache.xml.security.transforms.TransformationException;
-import org.apache.xml.security.transforms.Transforms;
-import org.apache.xml.security.transforms.params.InclusiveNamespaces;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import java.util.List;
@@ -57,6 +52,7 @@
private static Log log = LogFactory.getLog(WSSecDKSign.class.getName());
protected String sigAlgo = XMLSignature.ALGO_ID_MAC_HMAC_SHA1;
+ protected String digestAlgo = "http://www.w3.org/2000/09/xmldsig#sha1";
protected String canonAlgo = Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS;
protected byte[] signatureValue = null;
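Review bot: The default on the new `digestAlgo` field is a bare string literal; the xmlsec library already exposes this URI as a named constant (for example `org.apache.xml.security.utils.Constants.ALGO_ID_DIGEST_SHA1`, if that constant is available in the version in use), which would make the default self-describing and avoid a typo silently producing an unsupported digest URI: `protected String digestAlgo = Constants.ALGO_ID_DIGEST_SHA1;` plus the matching import. The class body continues outside the hunk.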
@@ -141,127 +137,14 @@
/**
* This method adds references to the Signature.
- *
- * The added references are signed when calling
- * <code>computeSignature()</code>. This method can be called several
- * times to add references as required. <code>addReferencesToSign()</code>
- * can be called any time after <code>prepare</code>.
- *
- * @param references A list containing <code>WSEncryptionPart</code> objects
- * that define the parts to sign.
- * @param secHeader Used to compute namespaces to be inserted by
- * InclusiveNamespaces to be WSI compliant.
- * @throws WSSecurityException
*/
public void addReferencesToSign(List references, WSSecHeader secHeader)
throws WSSecurityException {
- Transforms transforms = null;
-
- Element envel = document.getDocumentElement();
-
- for (int part = 0; part < references.size(); part++) {
- WSEncryptionPart encPart = (WSEncryptionPart) references.get(part);
-
- String idToSign = encPart.getId();
- String elemName = encPart.getName();
- String nmSpace = encPart.getNamespace();
-
- //
- // Set up the elements to sign. There are two reserved element
- // names: "Token" and "STRTransform" "Token": Setup the Signature to
- // either sign the information that points to the security token or
- // the token itself. If its a direct reference sign the token,
- // otherwise sign the KeyInfo Element. "STRTransform": Setup the
- // ds:Reference to use STR Transform
- //
- transforms = new Transforms(document);
- try {
- if (idToSign != null) {
- Element toSignById =
- WSSecurityUtil.findElementById(
- document.getDocumentElement(), idToSign, WSConstants.WSU_NS);
- if (toSignById == null) {
- toSignById =
- WSSecurityUtil.findElementById(
- document.getDocumentElement(), idToSign, null
- );
- }
- transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
- if (wssConfig.isWsiBSPCompliant()) {
- transforms.item(0).getElement().appendChild(
- new InclusiveNamespaces(
- document, WSSecSignature.getInclusivePrefixes(toSignById)).getElement()
- );
- }
- sig.addDocument("#" + idToSign, transforms);
- } else if (elemName.equals("Token")) {
- transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
- if (wssConfig.isWsiBSPCompliant()) {
- transforms.item(0).getElement().appendChild(
- new InclusiveNamespaces(document,
- WSSecSignature.getInclusivePrefixes(keyInfo.getElement())).getElement()
- );
- }
- sig.addDocument("#" + keyInfoUri, transforms);
- } else if (elemName.equals("STRTransform")) { // STRTransform
- Element ctx = WSSecSignature.createSTRParameter(document);
- transforms.addTransform(STRTransform.TRANSFORM_URI, ctx);
- sig.addDocument("#" + strUri, transforms);
- } else if (elemName.equals("Assertion")) { // Assertion
- String id = SAMLUtil.getAssertionId(envel, elemName, nmSpace);
-
- Element body =
- (Element) WSSecurityUtil.findElement(envel, elemName, nmSpace);
- if (body == null) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "noEncElement",
- new Object[] {nmSpace + ", " + elemName}
- );
- }
- transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
- if (wssConfig.isWsiBSPCompliant()) {
- transforms.item(0).getElement().appendChild(
- new InclusiveNamespaces(
- document, WSSecSignature.getInclusivePrefixes(body)).getElement()
- );
- }
- String prefix =
- WSSecurityUtil.setNamespace(body, WSConstants.WSU_NS, WSConstants.WSU_PREFIX);
- body.setAttributeNS(WSConstants.WSU_NS, prefix + ":Id", id);
- sig.addDocument("#" + id, transforms);
-
- } else {
- Element body = (Element) WSSecurityUtil.findElement(envel, elemName, nmSpace);
- if (body == null) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "noEncElement",
- new Object[] {nmSpace + ", " + elemName}
- );
- }
- transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
- if (wssConfig.isWsiBSPCompliant()) {
- transforms.item(0).getElement().appendChild(
- new InclusiveNamespaces(
- document, WSSecSignature.getInclusivePrefixes(body)).getElement()
- );
- }
- sig.addDocument("#" + setWsuId(body), transforms);
- }
- } catch (TransformationException ex) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, ex
- );
- } catch (XMLSignatureException ex) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, ex
- );
- }
- }
+ WSSecSignature.addReferencesToSign(
+ document, parts, sig, secHeader, wssConfig, digestAlgo, strUri
+ );
}
-
/**
* Prepends the Signature element to the elements already in the Security
* header.
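Review bot: The delegating call on line 247 passes the `parts` field rather than the method's `references` parameter, so whatever list a caller hands to `addReferencesToSign(references, secHeader)` is silently ignored and the instance's `parts` (null unless it was set separately) is signed instead. The argument list should read `document, references, sig, secHeader, wssConfig, digestAlgo, strUri`. The removed Javadoc also carried the contract that the method may be called repeatedly after `prepare` and that the list holds `WSEncryptionPart` objects; that is worth restoring on the remaining summary line, since this stays the public entry point. The enclosing class continues outside the hunk.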
@@ -327,9 +210,34 @@
WSSecurityUtil.getKeyLength(sigAlgo);
}
+ /**
+ * Set the signature algorithm to use. The default is XMLSignature.ALGO_ID_MAC_HMAC_SHA1
+ * @param algorithm the signature algorithm to use.
+ */
+ public void setSignatureAlgorithm(String algorithm) {
+ sigAlgo = algorithm;
+ }
- public void setSignatureAlgorithm(String algo) {
- sigAlgo = algo;
+ /**
+ * @return the signature algorithm to use
+ */
+ public String getSignatureAlgorithm() {
+ return sigAlgo;
+ }
+
+ /**
+ * Set the digest algorithm to use. The default is SHA-1.
+ * @param algorithm the digest algorithm to use.
+ */
+ public void setDigestAlgorithm(String algorithm) {
+ digestAlgo = algorithm;
+ }
+
+ /**
+ * @return the digest algorithm to use
+ */
+ public String getDigestAlgorithm() {
+ return digestAlgo;
}
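Review bot: The new accessors are named `setDigestAlgorithm`/`getDigestAlgorithm`, while WSSecSignature exposes the same setting as `setDigestAlgo`/`getDigestAlgo` (see the `getDigestAlgo()` Javadoc hunk later in this commit and the `sign.setDigestAlgo(...)` call added in UsernameTokenSignedAction), so code that configures both signature builders needs two spellings for one concept. Naming the WSSecDKSign pair to match, or adding matching aliases in one of the classes, would let callers treat them uniformly. Neither setter rejects null, and a null value is later passed straight into the static `addReferencesToSign` and on to `sig.addDocument`; if null is meant to mean "keep the default", the Javadoc should say so, otherwise a null check at the setter gives a clearer failure. The class continues outside the hunk.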
/**
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java?rev=776668&r1=776667&r2=776668&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java Wed May 20 11:37:58 2009
@@ -25,6 +25,7 @@
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSDocInfoStore;
import org.apache.ws.security.WSEncryptionPart;
+import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.token.BinarySecurity;
@@ -32,7 +33,6 @@
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
-import org.apache.ws.security.saml.SAMLUtil;
import org.apache.ws.security.transform.STRTransform;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
@@ -309,41 +309,53 @@
return doc;
}
+
+ /**
+ * This method adds references to the Signature.
+ *
+ * @param references The list of references to sign
+ * @param secHeader The Security Header
+ * @throws WSSecurityException
+ */
+ public void addReferencesToSign(List references, WSSecHeader secHeader) throws WSSecurityException {
+ addReferencesToSign(document, references, sig, secHeader, wssConfig, digestAlgo, strUri);
+ }
+
/**
* This method adds references to the Signature.
*
- * The added references are signed when calling
- * <code>computeSignature()</code>. This method can be called several
- * times to add references as required. <code>addReferencesToSign()</code>
- * can be called any time after <code>prepare</code>.
- *
- * @param references A list containing <code>WSEncryptionPart</code> objects
- * that define the parts to sign.
- * @param secHeader Used to compute namespaces to be inserted by
- * InclusiveNamespaces to be WSI compliant.
+ * @param doc The parent document
+ * @param references The list of references to sign
+ * @param sig The XMLSignature object
+ * @param secHeader The Security Header
+ * @param wssConfig The WSSConfig
+ * @param digestAlgo The digest algorithm to use
+ * @param strUri The SecurityTokenReference uri to use for STRTransform
* @throws WSSecurityException
*/
- public void addReferencesToSign(List references, WSSecHeader secHeader)
- throws WSSecurityException {
- Element envelope = document.getDocumentElement();
+ public static void addReferencesToSign(
+ Document doc,
+ List references,
+ XMLSignature sig,
+ WSSecHeader secHeader,
+ WSSConfig wssConfig,
+ String digestAlgo,
+ String strUri
+ ) throws WSSecurityException {
+ Element envelope = doc.getDocumentElement();
for (int part = 0; part < references.size(); part++) {
WSEncryptionPart encPart = (WSEncryptionPart) references.get(part);
String idToSign = encPart.getId();
String elemName = encPart.getName();
- String nmSpace = encPart.getNamespace();
//
- // Set up the elements to sign. There are two reserved element
- // names: "Token" and "STRTransform" "Token": Setup the Signature to
- // either sign the information that points to the security token or
- // the token itself. If it's a direct reference sign the token,
- // otherwise sign the KeyInfo Element. "STRTransform": Setup the
- // ds:Reference to use STR Transform
+ // Set up the elements to sign. There is one reserved element
+ // names: "STRTransform": Setup the ds:Reference to use STR Transform
//
- Transforms transforms = new Transforms(document);
+ Transforms transforms = new Transforms(doc);
try {
if (idToSign != null) {
Element toSignById =
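Review bot: `secHeader` is declared and documented as a parameter of the new static `addReferencesToSign` (lines 352 and 339) but, in the hunks visible here, it is never read — its only former use was in the removed "Token" branch. If it is indeed unused, dropping it from the static signature and from the instance wrapper's delegation on line 321 avoids a misleading `@param`; if a use remains in the part of the method outside these hunks, the Javadoc should say what it is for. The instance wrapper on line 320 also lost the contract note from the old Javadoc (callable repeatedly after `prepare`; the list holds `WSEncryptionPart` objects), which is worth restoring there since it is the public entry point. The rewritten comment on lines 370–371 reads "There is one reserved element names:" and should read "name". The static method continues into the next hunk.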
@@ -360,61 +372,19 @@
if (wssConfig.isWsiBSPCompliant()) {
transforms.item(0).getElement().appendChild(
new InclusiveNamespaces(
- document, getInclusivePrefixes(toSignById)).getElement()
+ doc, getInclusivePrefixes(toSignById)).getElement()
);
}
sig.addDocument("#" + idToSign, transforms, digestAlgo);
- } else if (elemName.equals("Token")) {
- transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
- if (keyIdentifierType == WSConstants.BST_DIRECT_REFERENCE) {
- if (wssConfig.isWsiBSPCompliant()) {
- transforms.item(0).getElement().appendChild(
- new InclusiveNamespaces(
- document,
- getInclusivePrefixes(secHeader.getSecurityHeader())).getElement()
- );
- }
- sig.addDocument("#" + certUri, transforms, digestAlgo);
- } else {
- if (wssConfig.isWsiBSPCompliant()) {
- transforms.item(0).getElement().appendChild(
- new InclusiveNamespaces(
- document, getInclusivePrefixes(keyInfo.getElement())).getElement()
- );
- }
- sig.addDocument("#" + keyInfoUri, transforms, digestAlgo);
- }
- } else if (elemName.equals("STRTransform")) { // STRTransform
- Element ctx = createSTRParameter(document);
+ } else if (elemName.equals("STRTransform")) {
+ Element ctx = createSTRParameter(doc);
transforms.addTransform(STRTransform.TRANSFORM_URI, ctx);
sig.addDocument("#" + strUri, transforms, digestAlgo);
- } else if (elemName.equals("Assertion")) { // Assertion
- String id = null;
- id = SAMLUtil.getAssertionId(envelope, elemName, nmSpace);
-
- Element body =
- (Element) WSSecurityUtil.findElement(envelope, elemName, nmSpace);
- if (body == null) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE, "noEncElement",
- new Object[] {nmSpace + ", " + elemName}
- );
- }
- transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
- if (wssConfig.isWsiBSPCompliant()) {
- transforms.item(0).getElement().appendChild(
- new InclusiveNamespaces(
- document, getInclusivePrefixes(body)).getElement()
- );
- }
- String prefix =
- WSSecurityUtil.setNamespace(body, WSConstants.WSU_NS, WSConstants.WSU_PREFIX);
- body.setAttributeNS(WSConstants.WSU_NS, prefix + ":Id", id);
- sig.addDocument("#" + id, transforms, digestAlgo);
} else {
- Element body =
+ String nmSpace = encPart.getNamespace();
+ Element elementToSign =
(Element)WSSecurityUtil.findElement(envelope, elemName, nmSpace);
- if (body == null) {
+ if (elementToSign == null) {
throw new WSSecurityException(
WSSecurityException.FAILURE,
"noEncElement",
@@ -425,10 +395,10 @@
if (wssConfig.isWsiBSPCompliant()) {
transforms.item(0).getElement().appendChild(
new InclusiveNamespaces(
- document, getInclusivePrefixes(body)).getElement()
+ doc, getInclusivePrefixes(elementToSign)).getElement()
);
}
- sig.addDocument("#" + setWsuId(body), transforms, digestAlgo);
+ sig.addDocument("#" + setWsuId(elementToSign, wssConfig), transforms, digestAlgo);
}
} catch (TransformationException ex) {
throw new WSSecurityException(
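Review bot: The STRTransform branch (lines 409–412) builds the reference URI as `"#" + strUri` from what is now a plain parameter of a public static method, so a null `strUri` produces a reference to `#null` rather than a clear error; the old instance method only read the field after `prepare` had populated it, and the static form has no such guarantee. A guard in that branch that rejects a null `strUri` with a `WSSecurityException` before the URI is built would make the misuse visible at the call site instead of at signature time. The catch block continues outside the hunk.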
@@ -532,6 +502,21 @@
/**
+ * Set the wsu:Id on the element argument
+ */
+ public static String setWsuId(Element element, WSSConfig wssConfig) {
+ String id = element.getAttributeNS(WSConstants.WSU_NS, "Id");
+
+ if ((id == null) || (id.length() == 0)) {
+ id = wssConfig.getIdAllocator().createId("id-", element);
+ String prefix =
+ WSSecurityUtil.setNamespace(element, WSConstants.WSU_NS, WSConstants.WSU_PREFIX);
+ element.setAttributeNS(WSConstants.WSU_NS, prefix + ":Id", id);
+ }
+ return id;
+ }
+
+ /**
* Create an STRTransformationParameters element
*/
public static Element createSTRParameter(Document doc) {
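Review bot: The new static `setWsuId` looks like a copy of the instance `setWsuId(Element)` that the old code called (line 454) and that appears to live in WSSecBase (the WSSecBase hunk shows the tail of a method returning `id`); if so, having the instance method delegate to this static one would keep a single copy of the id-allocation logic. The Javadoc could also state the contract: `@param element the element to label; an existing wsu:Id is kept`, `@param wssConfig supplies the id allocator`, `@return the existing or newly created wsu:Id`. Note that DOM's `getAttributeNS` returns an empty string rather than null for a missing attribute, so the `id == null` half of the check on line 466 is defensive only.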
@@ -728,14 +713,14 @@
}
/**
- * @return the digestAlgo
+ * @return the digest algorithm to use
*/
public String getDigestAlgo() {
return digestAlgo;
}
/**
- * Set the string that defines which digest algorithm to use
+ * Set the string that defines which digest algorithm to use. The default is SHA-1.
*
* @param digestAlgo the digestAlgo to set
*/
@@ -882,7 +867,7 @@
new Object[] { user, "signature" }
);
}
- certUri = wssConfig.getIdAllocator().createSecureId("CertId-", certs[0]);
+ certUri = wssConfig.getIdAllocator().createSecureId("X509-", certs[0]);
//
// If no signature algorithm was set try to detect it according to the
// data stored in the certificate.
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecTimestamp.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecTimestamp.java?rev=776668&r1=776667&r2=776668&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecTimestamp.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecTimestamp.java Wed May 20 11:37:58 2009
@@ -64,7 +64,7 @@
*/
public void prepare(Document doc) {
ts = new Timestamp(wssConfig.isPrecisionInMilliSeconds(), doc, timeToLive);
- String tsId = wssConfig.getIdAllocator().createId("Timestamp-", ts);
+ String tsId = wssConfig.getIdAllocator().createId("TS-", ts);
ts.setID(tsId);
}