You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2009/02/27 13:48:56 UTC
svn commit: r748498 [2/3] - in /webservices/wss4j/trunk: keys/
src/org/apache/ws/security/message/ src/org/apache/ws/security/message/token/
src/org/apache/ws/security/processor/ src/org/apache/ws/security/transform/
test/ test/wssec/
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedDataProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedDataProcessor.java?rev=748498&r1=748497&r2=748498&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedDataProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedDataProcessor.java Fri Feb 27 12:48:54 2009
@@ -39,24 +39,26 @@
* This will process incoming <code>xenc:EncryptedData</code> elements.
* This processor will not be invoked for encrypted content referenced by a
* <code>xenc:ReferenceList</code>.
- *
*/
public class EncryptedDataProcessor implements Processor {
-
private byte[] symmKey;
-
public String getId() {
return null;
}
- public void handleToken(Element elem, Crypto crypto, Crypto decCrypto,
- CallbackHandler cb, WSDocInfo wsDocInfo, Vector returnResults,
- WSSConfig config) throws WSSecurityException {
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig config
+ ) throws WSSecurityException {
Element kiElem = (Element)WSSecurityUtil.findElement(elem, "KeyInfo", WSConstants.SIG_NS);
-
NodeList children = kiElem.getChildNodes();
int len = children.getLength();
@@ -68,7 +70,9 @@
QName el = new QName(child.getNamespaceURI(), child.getLocalName());
if(el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
EncryptedKeyProcessor encrKeyProc = new EncryptedKeyProcessor();
- encrKeyProc.handleToken((Element)child, crypto, decCrypto, cb, wsDocInfo, returnResults, config);
+ encrKeyProc.handleToken(
+ (Element)child, crypto, decCrypto, cb, wsDocInfo, returnResults, config
+ );
this.symmKey = encrKeyProc.getDecryptedBytes();
break;
}
@@ -84,25 +88,26 @@
xmlCipher.init(XMLCipher.DECRYPT_MODE, key);
} catch (XMLEncryptionException e1) {
throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e1);
+ WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e1
+ );
}
Node previousSibling = elem.getPreviousSibling();
-
try {
xmlCipher.doFinal(elem.getOwnerDocument(), elem, false);
} catch (Exception e) {
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK,
- null, null, e);
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_CHECK, null, null, e
+ );
}
- //GEt hold of the plain text element
+ // Get hold of the plain text element
Element decryptedElem = (Element)previousSibling.getNextSibling();
- QName el = new QName(decryptedElem.getNamespaceURI(), decryptedElem
- .getLocalName());
+ QName el = new QName(decryptedElem.getNamespaceURI(), decryptedElem.getLocalName());
Processor proc = config.getProcessor(el);
- proc.handleToken((Element) decryptedElem, crypto, decCrypto, cb,
- wsDocInfo, returnResults, config);
+ proc.handleToken(
+ decryptedElem, crypto, decCrypto, cb, wsDocInfo, returnResults, config
+ );
wsDocInfo.setProcessor(proc);
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java?rev=748498&r1=748497&r2=748498&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java Fri Feb 27 12:48:54 2009
@@ -65,41 +65,59 @@
private String encryptedKeyId = null;
- public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler cb, WSDocInfo wsDocInfo, Vector returnResults, WSSConfig wsc) throws WSSecurityException {
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig wsc
+ ) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Found encrypted key element");
}
if (decCrypto == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noDecCryptoFile");
+ throw new WSSecurityException(WSSecurityException.FAILURE, "noDecCryptoFile");
}
if (cb == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noCallback");
+ throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
}
ArrayList dataRefUris = handleEncryptedKey((Element) elem, cb, decCrypto);
encryptedKeyId = elem.getAttributeNS(null, "Id");
-
- returnResults.add(0, new WSSecurityEngineResult(WSConstants.ENCR,
- this.decryptedBytes,
- this.encryptedEphemeralKey,
- this.encryptedKeyId,
- dataRefUris));
- }
-
- public ArrayList handleEncryptedKey(Element xencEncryptedKey,
- CallbackHandler cb, Crypto crypto) throws WSSecurityException {
+ returnResults.add(
+ 0,
+ new WSSecurityEngineResult(
+ WSConstants.ENCR,
+ this.decryptedBytes,
+ this.encryptedEphemeralKey,
+ this.encryptedKeyId,
+ dataRefUris
+ )
+ );
+ }
+
+ public ArrayList handleEncryptedKey(
+ Element xencEncryptedKey,
+ CallbackHandler cb,
+ Crypto crypto
+ ) throws WSSecurityException {
return handleEncryptedKey(xencEncryptedKey, cb, crypto, null);
}
- public ArrayList handleEncryptedKey(Element xencEncryptedKey,
- PrivateKey privatekey) throws WSSecurityException {
+ public ArrayList handleEncryptedKey(
+ Element xencEncryptedKey,
+ PrivateKey privatekey
+ ) throws WSSecurityException {
return handleEncryptedKey(xencEncryptedKey, null, null, privatekey);
}
- public ArrayList handleEncryptedKey(Element xencEncryptedKey,
- CallbackHandler cb, Crypto crypto, PrivateKey privateKey)
- throws WSSecurityException {
+ public ArrayList handleEncryptedKey(
+ Element xencEncryptedKey,
+ CallbackHandler cb,
+ Crypto crypto,
+ PrivateKey privateKey
+ ) throws WSSecurityException {
long t0 = 0, t1 = 0, t2 = 0;
if (tlog.isDebugEnabled()) {
t0 = System.currentTimeMillis();
@@ -111,91 +129,98 @@
// how the key was encrypted. Then check if we support the algorithm
Node tmpE = null; // short living Element used for lookups only
- tmpE = (Element) WSSecurityUtil.getDirectChild((Node) xencEncryptedKey,
- "EncryptionMethod", WSConstants.ENC_NS);
+ tmpE =
+ (Element) WSSecurityUtil.getDirectChild(
+ (Node) xencEncryptedKey, "EncryptionMethod", WSConstants.ENC_NS
+ );
String keyEncAlgo = null;
if (tmpE != null) {
keyEncAlgo = ((Element) tmpE).getAttribute("Algorithm");
}
if (keyEncAlgo == null) {
- throw new WSSecurityException
- (WSSecurityException.UNSUPPORTED_ALGORITHM, "noEncAlgo");
+ throw new WSSecurityException(WSSecurityException.UNSUPPORTED_ALGORITHM, "noEncAlgo");
}
Cipher cipher = WSSecurityUtil.getCipherInstance(keyEncAlgo);
- /*
- * Well, we can decrypt the session (symmetric) key. Now lookup CipherValue, this is the value of the
- * encrypted session key (session key usually is a symmetrical key that encrypts
- * the referenced content). This is a 2-step lookup
- */
+ //
+ // Well, we can decrypt the session (symmetric) key. Now lookup CipherValue, this is the
+ // value of the encrypted session key (session key usually is a symmetrical key that encrypts
+ // the referenced content). This is a 2-step lookup
+ //
Element xencCipherValue = null;
- tmpE = (Element) WSSecurityUtil.getDirectChild((Node) xencEncryptedKey, "CipherData", WSConstants.ENC_NS);
+ tmpE =
+ (Element) WSSecurityUtil.getDirectChild(
+ (Node) xencEncryptedKey, "CipherData", WSConstants.ENC_NS
+ );
if (tmpE != null) {
- xencCipherValue = (Element) WSSecurityUtil.getDirectChild((Node) tmpE,
- "CipherValue", WSConstants.ENC_NS);
+ xencCipherValue =
+ (Element) WSSecurityUtil.getDirectChild(tmpE, "CipherValue", WSConstants.ENC_NS);
}
if (xencCipherValue == null) {
- throw new WSSecurityException
- (WSSecurityException.INVALID_SECURITY, "noCipher");
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "noCipher");
}
if (privateKey == null) {
- Element keyInfo = (Element) WSSecurityUtil.getDirectChild((Node) xencEncryptedKey,
- "KeyInfo", WSConstants.SIG_NS);
+ Element keyInfo =
+ (Element) WSSecurityUtil.getDirectChild(
+ (Node) xencEncryptedKey, "KeyInfo", WSConstants.SIG_NS
+ );
String alias;
if (keyInfo != null) {
- Element secRefToken;
- secRefToken = (Element) WSSecurityUtil.getDirectChild(keyInfo,
- "SecurityTokenReference", WSConstants.WSSE_NS);
- /*
- * EncryptedKey must a a STR as child of KeyInfo, KeyName
- * valid only for EncryptedData
- */
-// if (secRefToken == null) {
-// secRefToken = (Element) WSSecurityUtil.getDirectChild(keyInfo,
-// "KeyName", WSConstants.SIG_NS);
-// }
+ Element secRefToken =
+ (Element) WSSecurityUtil.getDirectChild(
+ keyInfo, "SecurityTokenReference", WSConstants.WSSE_NS
+ );
+ //
+ // EncryptedKey must a a STR as child of KeyInfo, KeyName
+ // valid only for EncryptedData
+ //
+ // if (secRefToken == null) {
+ // secRefToken = (Element) WSSecurityUtil.getDirectChild(keyInfo,
+ // "KeyName", WSConstants.SIG_NS);
+ // }
if (secRefToken == null) {
- throw new WSSecurityException
- (WSSecurityException.INVALID_SECURITY, "noSecTokRef");
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "noSecTokRef"
+ );
}
SecurityTokenReference secRef = new SecurityTokenReference(secRefToken);
- /*
- * Well, at this point there are several ways to get the key.
- * Try to handle all of them :-).
- */
+ //
+ // Well, at this point there are several ways to get the key.
+ // Try to handle all of them :-).
+ //
alias = null;
- /*
- * handle X509IssuerSerial here. First check if all elements are available,
- * get the appropriate data, check if all data is available.
- * If all is ok up to that point, look up the certificate alias according
- * to issuer name and serial number.
- * This method is recommended by OASIS WS-S specification, X509 profile
- */
+ //
+ // handle X509IssuerSerial here. First check if all elements are available,
+ // get the appropriate data, check if all data is available.
+ // If all is ok up to that point, look up the certificate alias according
+ // to issuer name and serial number.
+ // This method is recommended by OASIS WS-S specification, X509 profile
+ //
if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
alias = secRef.getX509IssuerSerialAlias(crypto);
if (log.isDebugEnabled()) {
log.debug("X509IssuerSerial alias: " + alias);
}
}
- /*
- * If wsse:KeyIdentifier found, then the public key of the attached cert was used to
- * encrypt the session (symmetric) key that encrypts the data. Extract the certificate
- * using the BinarySecurity token (was enhanced to handle KeyIdentifier too).
- * This method is _not_ recommended by OASIS WS-S specification, X509 profile
- */
+ //
+ // If wsse:KeyIdentifier found, then the public key of the attached cert was used to
+ // encrypt the session (symmetric) key that encrypts the data. Extract the certificate
+ // using the BinarySecurity token (was enhanced to handle KeyIdentifier too).
+ // This method is _not_ recommended by OASIS WS-S specification, X509 profile
+ //
else if (secRef.containsKeyIdentifier()) {
X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
if (certs == null || certs.length < 1 || certs[0] == null) {
throw new WSSecurityException(
WSSecurityException.FAILURE,
"noCertsFound",
- new Object[] { "decryption (KeyId)" }
+ new Object[] {"decryption (KeyId)"}
);
}
- /*
- * Here we have the certificate. Now find the alias for it. Needed to identify
- * the private key associated with this certificate
- */
+ //
+ // Here we have the certificate. Now find the alias for it. Needed to identify
+ // the private key associated with this certificate
+ //
alias = crypto.getAliasForX509Cert(certs[0]);
if (log.isDebugEnabled()) {
log.debug("cert: " + certs[0]);
@@ -205,90 +230,98 @@
Element bstElement = secRef.getTokenElement(doc, null, cb);
// at this point ... check token type: Binary
- QName el =
- new QName(bstElement.getNamespaceURI(),
- bstElement.getLocalName());
+ QName el =
+ new QName(bstElement.getNamespaceURI(), bstElement.getLocalName());
if (el.equals(WSSecurityEngine.binaryToken)) {
- X509Security token = null;
+ X509Security token = new X509Security(bstElement);
String value = bstElement.getAttribute(WSSecurityEngine.VALUE_TYPE);
- if (!(X509Security.X509_V3_TYPE.equals(value)
- || X509Security.X509_V1_TYPE.equals(value))
- || ((token = new X509Security(bstElement)) == null)) {
- throw new WSSecurityException(WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
- "unsupportedBinaryTokenType",
- new Object[]{"for decryption (BST)"});
+ if (!X509Security.X509_V3_TYPE.equals(value) || (token == null)) {
+ throw new WSSecurityException(
+ WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
+ "unsupportedBinaryTokenType",
+ new Object[] {"for decryption (BST)"}
+ );
}
X509Certificate cert = token.getX509Certificate(crypto);
if (cert == null) {
throw new WSSecurityException(
WSSecurityException.FAILURE,
"noCertsFound",
- new Object[] { "decryption" }
+ new Object[] {"decryption"}
);
}
- /*
- * Here we have the certificate. Now find the alias for it. Needed to identify
- * the private key associated with this certificate
- */
+ //
+ // Here we have the certificate. Now find the alias for it. Needed to identify
+ // the private key associated with this certificate
+ //
alias = crypto.getAliasForX509Cert(cert);
if (log.isDebugEnabled()) {
log.debug("BST Alias: " + alias);
}
} else {
- throw new WSSecurityException(WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
- "unsupportedBinaryTokenType",
- null);
+ throw new WSSecurityException(
+ WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
+ "unsupportedBinaryTokenType",
+ null
+ );
}
- /*
- * The following code is somewhat strange: the called crypto method gets
- * the keyname and searches for a certificate with an issuer's name that is
- * equal to this keyname. No serialnumber is used - IMHO this does
- * not identifies a certificate. In addition neither the WSS4J encryption
- * nor signature methods use this way to identify a certificate. Because of that
- * the next lines of code are disabled.
- */
-// } else if (secRef.containsKeyName()) {
-// alias = crypto.getAliasForX509Cert(secRef.getKeyNameValue());
-// if (log.isDebugEnabled()) {
-// log.debug("KeyName alias: " + alias);
-// }
+ //
+ // The following code is somewhat strange: the called crypto method gets
+ // the keyname and searches for a certificate with an issuer's name that is
+ // equal to this keyname. No serialnumber is used - IMHO this does
+ // not identifies a certificate. In addition neither the WSS4J encryption
+ // nor signature methods use this way to identify a certificate. Because of that
+ // the next lines of code are disabled.
+ //
+ // } else if (secRef.containsKeyName()) {
+ // alias = crypto.getAliasForX509Cert(secRef.getKeyNameValue());
+ // if (log.isDebugEnabled()) {
+ // log.debug("KeyName alias: " + alias);
+ // }
} else {
- throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "unsupportedKeyId");
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "unsupportedKeyId"
+ );
}
} else if (crypto.getDefaultX509Alias() != null) {
alias = crypto.getDefaultX509Alias();
} else {
- throw new WSSecurityException
- (WSSecurityException.INVALID_SECURITY, "noKeyinfo");
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "noKeyinfo");
}
- /*
- * At this point we have all information necessary to decrypt the session
- * key:
- * - the Cipher object intialized with the correct methods
- * - The data that holds the encrypted session key
- * - the alias name for the private key
- *
- * Now use the callback here to get password that enables
- * us to read the private key
- */
+ //
+ // At this point we have all information necessary to decrypt the session
+ // key:
+ // - the Cipher object intialized with the correct methods
+ // - The data that holds the encrypted session key
+ // - the alias name for the private key
+ //
+ // Now use the callback here to get password that enables
+ // us to read the private key
+ //
WSPasswordCallback pwCb = new WSPasswordCallback(alias, WSPasswordCallback.DECRYPT);
- Callback[] callbacks = new Callback[1];
- callbacks[0] = pwCb;
try {
+ Callback[] callbacks = new Callback[]{pwCb};
cb.handle(callbacks);
} catch (IOException e) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noPassword",
- new Object[]{alias}, e);
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "noPassword",
+ new Object[]{alias},
+ e
+ );
} catch (UnsupportedCallbackException e) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noPassword",
- new Object[]{alias}, e);
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "noPassword",
+ new Object[]{alias},
+ e
+ );
}
String password = pwCb.getPassword();
if (password == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noPassword", new Object[]{alias});
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "noPassword", new Object[]{alias}
+ );
}
try {
@@ -299,16 +332,14 @@
}
try {
- cipher.init(Cipher.DECRYPT_MODE,
- privateKey);
+ cipher.init(Cipher.DECRYPT_MODE, privateKey);
} catch (Exception e1) {
throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e1);
}
try {
encryptedEphemeralKey = getDecodedBase64EncodedData(xencCipherValue);
- decryptedBytes =
- cipher.doFinal(encryptedEphemeralKey);
+ decryptedBytes = cipher.doFinal(encryptedEphemeralKey);
} catch (IllegalStateException e2) {
throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e2);
} catch (IllegalBlockSizeException e2) {
@@ -321,20 +352,21 @@
t1 = System.currentTimeMillis();
}
- /* At this point we have the decrypted session (symmetric) key. According
- * to W3C XML-Enc this key is used to decrypt _any_ references contained in
- * the reference list
- * Now lookup the references that are encrypted with this key
- */
- String dataRefURI = null;
- WSDataRef dataRef = null;
- Element refList = (Element) WSSecurityUtil.getDirectChild((Node) xencEncryptedKey,
- "ReferenceList", WSConstants.ENC_NS);
+ // At this point we have the decrypted session (symmetric) key. According
+ // to W3C XML-Enc this key is used to decrypt _any_ references contained in
+ // the reference list
+ // Now lookup the references that are encrypted with this key
+ //
+ Element refList =
+ (Element) WSSecurityUtil.getDirectChild(
+ (Node) xencEncryptedKey, "ReferenceList", WSConstants.ENC_NS
+ );
ArrayList dataRefs = new ArrayList();
if (refList != null) {
-
for (tmpE = refList.getFirstChild();
- tmpE != null; tmpE = tmpE.getNextSibling()) {
+ tmpE != null;
+ tmpE = tmpE.getNextSibling()
+ ) {
if (tmpE.getNodeType() != Node.ELEMENT_NODE) {
continue;
}
@@ -342,14 +374,12 @@
continue;
}
if (tmpE.getLocalName().equals("DataReference")) {
- dataRefURI = ((Element) tmpE).getAttribute("URI");
- dataRef = new WSDataRef(dataRefURI.substring(1));
- Element elt =
- decryptDataRef(doc, dataRefURI,dataRef, decryptedBytes);
+ String dataRefURI = ((Element) tmpE).getAttribute("URI");
+ WSDataRef dataRef = new WSDataRef(dataRefURI.substring(1));
+ Element elt = decryptDataRef(doc, dataRefURI,dataRef, decryptedBytes);
dataRef.setName(
new javax.xml.namespace.QName(
- elt.getNamespaceURI(),
- elt.getLocalName()
+ elt.getNamespaceURI(), elt.getLocalName()
)
);
dataRefs.add(dataRef);
@@ -360,9 +390,10 @@
if (tlog.isDebugEnabled()) {
t2 = System.currentTimeMillis();
- tlog.debug("XMLDecrypt: total= " + (t2 - t0) +
- ", get-sym-key= " + (t1 - t0) +
- ", decrypt= " + (t2 - t1));
+ tlog.debug(
+ "XMLDecrypt: total= " + (t2 - t0) + ", get-sym-key= " + (t1 - t0)
+ + ", decrypt= " + (t2 - t1)
+ );
}
return null;
@@ -381,29 +412,35 @@
int iMax = children.getLength();
for (int i = 0; i < iMax; i++) {
Node curr = children.item(i);
- if (curr.getNodeType() == Node.TEXT_NODE)
+ if (curr.getNodeType() == Node.TEXT_NODE) {
sb.append(((Text) curr).getData());
+ }
}
String encodedData = sb.toString();
return Base64.decode(encodedData);
}
- private Element decryptDataRef(Document doc, String dataRefURI, WSDataRef wsDataRef, byte[] decryptedData) throws WSSecurityException {
+ private Element decryptDataRef(
+ Document doc,
+ String dataRefURI,
+ WSDataRef wsDataRef,
+ byte[] decryptedData
+ ) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("found data refernce: " + dataRefURI);
}
- /*
- * Look up the encrypted data. First try wsu:Id="someURI". If no such Id then
- * try the generic lookup to find Id="someURI"
- */
- Element encBodyData = null;
- if ((encBodyData = WSSecurityUtil.getElementByWsuId(doc, dataRefURI)) == null) {
+ //
+ // Look up the encrypted data. First try wsu:Id="someURI". If no such Id then
+ // try the generic lookup to find Id="someURI"
+ //
+ Element encBodyData = WSSecurityUtil.getElementByWsuId(doc, dataRefURI);
+ if (encBodyData == null) {
encBodyData = WSSecurityUtil.getElementByGenId(doc, dataRefURI);
}
if (encBodyData == null) {
- throw new WSSecurityException
- (WSSecurityException.INVALID_SECURITY,
- "dataRef", new Object[]{dataRefURI});
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "dataRef", new Object[]{dataRefURI}
+ );
}
boolean content = X509Util.isContent(encBodyData);
@@ -411,8 +448,8 @@
// get the encryption method
String symEncAlgo = X509Util.getEncAlgo(encBodyData);
- SecretKey symmetricKey = WSSecurityUtil.prepareSecretKey(
- symEncAlgo, decryptedData);
+ SecretKey symmetricKey =
+ WSSecurityUtil.prepareSecretKey(symEncAlgo, decryptedData);
// initialize Cipher ....
XMLCipher xmlCipher = null;
@@ -421,7 +458,8 @@
xmlCipher.init(XMLCipher.DECRYPT_MODE, symmetricKey);
} catch (XMLEncryptionException e) {
throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e);
+ WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e
+ );
}
if (content) {
@@ -436,28 +474,28 @@
throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e1);
}
- if(parent.getLocalName().equals(WSConstants.ENCRYPTED_HEADER)
- && parent.getNamespaceURI().equals(WSConstants.WSSE11_NS)) {
+ if (parent.getLocalName().equals(WSConstants.ENCRYPTED_HEADER)
+ && parent.getNamespaceURI().equals(WSConstants.WSSE11_NS)) {
Node decryptedHeader = parent.getFirstChild();
Element decryptedHeaderClone = (Element)decryptedHeader.cloneNode(true);
String sigId = decryptedHeaderClone.getAttributeNS(WSConstants.WSU_NS, "Id");
- if ( sigId == null || sigId.equals("")) {
+ if (sigId == null || sigId.equals("")) {
String id = ((Element)parent).getAttributeNS(WSConstants.WSU_NS, "Id");
- String wsuPrefix = WSSecurityUtil.setNamespace(decryptedHeaderClone,
- WSConstants.WSU_NS, WSConstants.WSU_PREFIX);
+ String wsuPrefix =
+ WSSecurityUtil.setNamespace(
+ decryptedHeaderClone, WSConstants.WSU_NS, WSConstants.WSU_PREFIX
+ );
decryptedHeaderClone.setAttributeNS(WSConstants.WSU_NS, wsuPrefix + ":Id", id);
wsDataRef.setWsuId(id.substring(1));
-
} else {
wsDataRef.setWsuId(sigId);
}
parent.getParentNode().appendChild(decryptedHeaderClone);
parent.getParentNode().removeChild(parent);
-
}
final java.util.List after_peers = listChildren(parent);
@@ -468,13 +506,14 @@
) {
Node node = (Node) pos.next();
if (node instanceof Element) {
- if(!Constants.SignatureSpecNS.equals(node.getNamespaceURI()) &&
+ if (!Constants.SignatureSpecNS.equals(node.getNamespaceURI()) &&
node.getAttributes().getNamedItemNS(WSConstants.WSU_NS, "Id") == null) {
- String wsuPrefix = WSSecurityUtil.setNamespace((Element)node,
- WSConstants.WSU_NS, WSConstants.WSU_PREFIX);
+ String wsuPrefix =
+ WSSecurityUtil.setNamespace(
+ (Element)node, WSConstants.WSU_NS, WSConstants.WSU_PREFIX
+ );
((Element)node).setAttributeNS(WSConstants.WSU_NS, wsuPrefix + ":Id", dataRefURI);
wsDataRef.setWsuId(dataRefURI.substring(1));
-
}
wsDataRef.setName(new QName(node.getNamespaceURI(),node.getLocalName()));
@@ -485,7 +524,7 @@
}
/**
- * @return a list of Nodes, representing the
+ * @return a list of child Nodes
*/
private static java.util.List
listChildren(
@@ -507,7 +546,7 @@
}
/**
- * @return a list of Nodes in b that are not in a
+ * @return a list of Nodes in b that are not in a
*/
private static java.util.List
newNodes(
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java?rev=748498&r1=748497&r2=748498&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java Fri Feb 27 12:48:54 2009
@@ -53,46 +53,54 @@
LogFactory.getLog(ReferenceListProcessor.class.getName());
private boolean debug = false;
-
-
WSDocInfo wsDocInfo = null;
- public void handleToken(Element elem, Crypto crypto, Crypto decCrypto,
- CallbackHandler cb, WSDocInfo wdi, Vector returnResults,
- WSSConfig wsc) throws WSSecurityException {
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wdi,
+ Vector returnResults,
+ WSSConfig wsc
+ ) throws WSSecurityException {
debug = log.isDebugEnabled();
if (debug) {
log.debug("Found reference list element");
}
if (cb == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noCallback");
+ throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
}
wsDocInfo = wdi;
- ArrayList uris = handleReferenceList((Element) elem, cb, crypto);
- returnResults.add(0, new WSSecurityEngineResult(WSConstants.ENCR, uris));
+ ArrayList uris = handleReferenceList(elem, cb, crypto);
+ returnResults.add(
+ 0,
+ new WSSecurityEngineResult(WSConstants.ENCR, uris)
+ );
}
/**
* Dereferences and decodes encrypted data elements.
*
- * @param elem
- * contains the <code>ReferenceList</code> to the encrypted
- * data elements
- * @param cb
- * the callback handler to get the key for a key name stored if
- * <code>KeyInfo</code> inside the encrypted data elements
+ * @param elem contains the <code>ReferenceList</code> to the encrypted
+ * data elements
+ * @param cb the callback handler to get the key for a key name stored if
+ * <code>KeyInfo</code> inside the encrypted data elements
*/
- private ArrayList handleReferenceList(Element elem, CallbackHandler cb,
- Crypto crypto) throws WSSecurityException {
-
+ private ArrayList handleReferenceList(
+ Element elem,
+ CallbackHandler cb,
+ Crypto crypto
+ ) throws WSSecurityException {
Document doc = elem.getOwnerDocument();
Node tmpE = null;
ArrayList dataRefUris = new ArrayList();
- for (tmpE = elem.getFirstChild(); tmpE != null; tmpE = tmpE
- .getNextSibling()) {
+ for (tmpE = elem.getFirstChild();
+ tmpE != null;
+ tmpE = tmpE.getNextSibling()
+ ) {
if (tmpE.getNodeType() != Node.ELEMENT_NODE) {
continue;
}
@@ -110,23 +118,29 @@
return dataRefUris;
}
- public void decryptDataRefEmbedded(Document doc, String dataRefURI, WSDataRef dataRef,
- CallbackHandler cb, Crypto crypto) throws WSSecurityException {
+ public void decryptDataRefEmbedded(
+ Document doc,
+ String dataRefURI,
+ WSDataRef dataRef,
+ CallbackHandler cb,
+ Crypto crypto
+ ) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Found data reference: " + dataRefURI);
}
- /*
- * Look up the encrypted data. First try wsu:Id="someURI". If no such Id
- * then try the generic lookup to find Id="someURI"
- */
+ //
+ // Look up the encrypted data. First try wsu:Id="someURI". If no such Id
+ // then try the generic lookup to find Id="someURI"
+ //
Element encBodyData = null;
if ((encBodyData = WSSecurityUtil.getElementByWsuId(doc, dataRefURI)) == null) {
encBodyData = WSSecurityUtil.getElementByGenId(doc, dataRefURI);
}
if (encBodyData == null) {
- throw new WSSecurityException(WSSecurityException.INVALID_SECURITY,
- "dataRef", new Object[] { dataRefURI });
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "dataRef", new Object[] {dataRefURI}
+ );
}
boolean content = X509Util.isContent(encBodyData);
@@ -134,25 +148,29 @@
// Now figure out the encryption algorithm
String symEncAlgo = X509Util.getEncAlgo(encBodyData);
- Element tmpE = (Element) WSSecurityUtil.findElement((Node) encBodyData,
- "KeyInfo", WSConstants.SIG_NS);
+ Element tmpE =
+ (Element)WSSecurityUtil.findElement(
+ (Node) encBodyData, "KeyInfo", WSConstants.SIG_NS
+ );
if (tmpE == null) {
- throw new WSSecurityException(WSSecurityException.INVALID_SECURITY,
- "noKeyinfo");
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "noKeyinfo");
}
- /*
- * Try to get a security reference token, if none found try to get a
- * shared key using a KeyName.
- */
- Element secRefToken = (Element) WSSecurityUtil.getDirectChild(tmpE,
- "SecurityTokenReference", WSConstants.WSSE_NS);
+ //
+ // Try to get a security reference token, if none found try to get a
+ // shared key using a KeyName.
+ //
+ Element secRefToken =
+ (Element) WSSecurityUtil.getDirectChild(
+ tmpE, "SecurityTokenReference", WSConstants.WSSE_NS
+ );
SecretKey symmetricKey = null;
if (secRefToken == null) {
symmetricKey = X509Util.getSharedKey(tmpE, symEncAlgo, cb);
- } else
+ } else {
symmetricKey = getKeyFromSecurityTokenReference(secRefToken, symEncAlgo, crypto, cb);
+ }
// initialize Cipher ....
XMLCipher xmlCipher = null;
@@ -161,7 +179,8 @@
xmlCipher.init(XMLCipher.DECRYPT_MODE, symmetricKey);
} catch (XMLEncryptionException e1) {
throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e1);
+ WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e1
+ );
}
if (content) {
@@ -170,46 +189,49 @@
try {
Node parentEncBody =encBodyData.getParentNode();
-
- final java.util.List before_peers = listChildren(parentEncBody);
+ final java.util.List before_peers = listChildren(parentEncBody);
xmlCipher.doFinal(doc, encBodyData, content);
- if(parentEncBody.getLocalName().equals(WSConstants.ENCRYPTED_HEADER)
- && parentEncBody.getNamespaceURI().equals(WSConstants.WSSE11_NS)) {
+ if (parentEncBody.getLocalName().equals(WSConstants.ENCRYPTED_HEADER)
+ && parentEncBody.getNamespaceURI().equals(WSConstants.WSSE11_NS)) {
Node decryptedHeader = parentEncBody.getFirstChild();
Element decryptedHeaderClone = (Element)decryptedHeader.cloneNode(true);
- String sigId = decryptedHeaderClone.getAttributeNS(WSConstants.WSU_NS, "Id");
+ String sigId = decryptedHeaderClone.getAttributeNS(WSConstants.WSU_NS, "Id");
- if ( sigId == null || sigId.equals("") ) {
- String id = ((Element)parentEncBody).getAttributeNS(WSConstants.WSU_NS, "Id");
- String wsuPrefix = WSSecurityUtil.setNamespace(decryptedHeaderClone,
- WSConstants.WSU_NS, WSConstants.WSU_PREFIX);
- decryptedHeaderClone.setAttributeNS(WSConstants.WSU_NS, wsuPrefix + ":Id", id);
- dataRef.setWsuId(id.substring(1));
- } else {
- dataRef.setWsuId(sigId);
- }
+ if (sigId == null || sigId.equals("")) {
+ String id = ((Element)parentEncBody).getAttributeNS(WSConstants.WSU_NS, "Id");
+ String wsuPrefix =
+ WSSecurityUtil.setNamespace(
+ decryptedHeaderClone, WSConstants.WSU_NS, WSConstants.WSU_PREFIX
+ );
+ decryptedHeaderClone.setAttributeNS(WSConstants.WSU_NS, wsuPrefix + ":Id", id);
+ dataRef.setWsuId(id.substring(1));
+ } else {
+ dataRef.setWsuId(sigId);
+ }
parentEncBody.getParentNode().appendChild(decryptedHeaderClone);
parentEncBody.getParentNode().removeChild(parentEncBody);
-
}
final java.util.List after_peers = listChildren(parentEncBody);
final java.util.List new_nodes = newNodes(before_peers, after_peers);
-
for (
final java.util.Iterator pos = new_nodes.iterator();
pos.hasNext();
) {
Node node = (Node) pos.next();
if (node instanceof Element) {
- if(!Constants.SignatureSpecNS.equals(node.getNamespaceURI()) &&
- node.getAttributes().getNamedItemNS(WSConstants.WSU_NS, "Id") == null) {
- String wsuPrefix = WSSecurityUtil.setNamespace((Element)node,
- WSConstants.WSU_NS, WSConstants.WSU_PREFIX);
- ((Element)node).setAttributeNS(WSConstants.WSU_NS, wsuPrefix + ":Id", dataRefURI);
+ if(!Constants.SignatureSpecNS.equals(node.getNamespaceURI())
+ && node.getAttributes().getNamedItemNS(WSConstants.WSU_NS, "Id") == null) {
+ String wsuPrefix =
+ WSSecurityUtil.setNamespace(
+ (Element)node, WSConstants.WSU_NS, WSConstants.WSU_PREFIX
+ );
+ ((Element)node).setAttributeNS(
+ WSConstants.WSU_NS, wsuPrefix + ":Id", dataRefURI
+ );
dataRef.setWsuId(dataRefURI.substring(1));
}
dataRef.setName(new QName(node.getNamespaceURI(),node.getLocalName()));
@@ -217,18 +239,12 @@
}
} catch (Exception e) {
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK,
- null, null, e);
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_CHECK, null, null, e
+ );
}
}
- /*
- * (non-Javadoc)
- *
- * @see org.apache.ws.security.processor.Processor#getId()
- *
- * A reference list does not have an id.
- */
public String getId() {
return null;
}
@@ -243,24 +259,23 @@
* EncrypteKey element to get the decrypted session key bytes. Using the
* algorithm parameter these bytes are converted into a secret key.
*
- * <p/>
- *
* This method requires that the EncyrptedKey element is already available,
* thus requires a strict layout of the security header. This method
* supports EncryptedKey elements within the same message.
*
- * @param secRefToken
- * The element containing the STR
- * @param algorithm
- * A string that identifies the symmetric decryption algorithm
+ * @param secRefToken The element containing the STR
+ * @param algorithm A string that identifies the symmetric decryption algorithm
* @param crypto Crypto instance to obtain key
* @param cb CAllback handler to obtain the key passwords
* @return The secret key for the specified algorithm
* @throws WSSecurityException
*/
- private SecretKey getKeyFromSecurityTokenReference(Element secRefToken, String algorithm,
- Crypto crypto, CallbackHandler cb)
- throws WSSecurityException {
+ private SecretKey getKeyFromSecurityTokenReference(
+ Element secRefToken,
+ String algorithm,
+ Crypto crypto,
+ CallbackHandler cb
+ ) throws WSSecurityException {
SecurityTokenReference secRef = new SecurityTokenReference(secRefToken);
byte[] decryptedData = null;
@@ -273,57 +288,69 @@
id = id.substring(1);
}
Processor p = wsDocInfo.getProcessor(id);
- if (p == null
- || (!(p instanceof EncryptedKeyProcessor)
- && !(p instanceof DerivedKeyTokenProcessor)
- && !(p instanceof SAMLTokenProcessor))) {
-
+ if (!(p instanceof EncryptedKeyProcessor
+ || p instanceof DerivedKeyTokenProcessor
+ || p instanceof SAMLTokenProcessor)
+ ) {
// Try custom token
WSPasswordCallback pwcb = new WSPasswordCallback(id, WSPasswordCallback.CUSTOM_TOKEN);
try {
- cb.handle(new Callback[]{pwcb});
+ Callback[] callbacks = new Callback[]{pwcb};
+ cb.handle(callbacks);
} catch (Exception e) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noPassword", new Object[] { id }, e);
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "noPassword",
+ new Object[] {id},
+ e
+ );
}
decryptedData = pwcb.getKey();
- if(decryptedData == null) {
+ if (decryptedData == null) {
throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK, "unsupportedKeyId");
+ WSSecurityException.FAILED_CHECK, "unsupportedKeyId"
+ );
}
}
- if(p instanceof EncryptedKeyProcessor) {
+ if (p instanceof EncryptedKeyProcessor) {
EncryptedKeyProcessor ekp = (EncryptedKeyProcessor) p;
decryptedData = ekp.getDecryptedBytes();
- } else if(p instanceof DerivedKeyTokenProcessor) {
+ } else if (p instanceof DerivedKeyTokenProcessor) {
DerivedKeyTokenProcessor dkp = (DerivedKeyTokenProcessor) p;
decryptedData = dkp.getKeyBytes(WSSecurityUtil.getKeyLength(algorithm));
- } else if(p instanceof SAMLTokenProcessor) {
+ } else if (p instanceof SAMLTokenProcessor) {
SAMLTokenProcessor samlp = (SAMLTokenProcessor) p;
- SAMLKeyInfo keyInfo = SAMLUtil.getSAMLKeyInfo(samlp
- .getSamlTokenElement(), crypto, cb);
- //TODO Handle malformed SAML tokens where they don't have the
- //secret in them
+ SAMLKeyInfo keyInfo =
+ SAMLUtil.getSAMLKeyInfo(samlp.getSamlTokenElement(), crypto, cb);
+ // TODO Handle malformed SAML tokens where they don't have the
+ // secret in them
decryptedData = keyInfo.getSecret();
}
} else if (secRef.containsKeyIdentifier()){
String sha = secRef.getKeyIdentifierValue();
- WSPasswordCallback pwcb = new WSPasswordCallback(secRef.getKeyIdentifierValue(),
- null,
- secRef.getKeyIdentifierValueType(),
- WSPasswordCallback.ENCRYPTED_KEY_TOKEN);
+ WSPasswordCallback pwcb =
+ new WSPasswordCallback(
+ secRef.getKeyIdentifierValue(),
+ null,
+ secRef.getKeyIdentifierValueType(),
+ WSPasswordCallback.ENCRYPTED_KEY_TOKEN
+ );
try {
- cb.handle(new Callback[]{pwcb});
+ Callback[] callbacks = new Callback[]{pwcb};
+ cb.handle(callbacks);
} catch (Exception e) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noPassword", new Object[] { sha }, e);
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "noPassword",
+ new Object[] {sha},
+ e
+ );
}
decryptedData = pwcb.getKey();
} else {
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK,
- "noReference");
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK, "noReference");
}
return WSSecurityUtil.prepareSecretKey(algorithm, decryptedData);
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/SAMLTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/SAMLTokenProcessor.java?rev=748498&r1=748497&r2=748498&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/SAMLTokenProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/SAMLTokenProcessor.java Fri Feb 27 12:48:54 2009
@@ -38,15 +38,25 @@
private String id;
private Element samlTokenElement;
- public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler cb, WSDocInfo wsDocInfo, Vector returnResults, WSSConfig wsc) throws WSSecurityException {
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig wsc
+ ) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Found SAML Assertion element");
}
SAMLAssertion assertion = handleSAMLToken((Element) elem);
this.id = assertion.getId();
wsDocInfo.setAssertion((Element) elem);
- returnResults.add(0,
- new WSSecurityEngineResult(WSConstants.ST_UNSIGNED, assertion));
+ returnResults.add(
+ 0,
+ new WSSecurityEngineResult(WSConstants.ST_UNSIGNED, assertion)
+ );
this.samlTokenElement = elem;
}
@@ -61,8 +71,9 @@
log.debug("SAML Assertion issuer " + assertion.getIssuer());
}
} catch (SAMLException e) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "invalidSAMLsecurity", null, e);
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e
+ );
}
if (!result) {
throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/SecurityContextTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/SecurityContextTokenProcessor.java?rev=748498&r1=748497&r2=748498&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/SecurityContextTokenProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/SecurityContextTokenProcessor.java Fri Feb 27 12:48:54 2009
@@ -57,16 +57,24 @@
*/
private String identifier;
- public void handleToken(Element elem, Crypto crypto, Crypto decCrypto,
- CallbackHandler cb, WSDocInfo wsDocInfo, Vector returnResults,
- WSSConfig config) throws WSSecurityException {
-
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig config
+ ) throws WSSecurityException {
SecurityContextToken sct = new SecurityContextToken(elem);
this.identifier = sct.getIdentifier();
this.secret = this.getSecret(cb, sct);
this.sctId = sct.getID();
- returnResults.add(0, new WSSecurityEngineResult(WSConstants.SCT, sct));
+ returnResults.add(
+ 0,
+ new WSSecurityEngineResult(WSConstants.SCT, sct)
+ );
}
/**
@@ -77,25 +85,33 @@
* @return The key collected using the callback handler
*/
private byte[] getSecret(CallbackHandler cb, SecurityContextToken sct)
- throws WSSecurityException {
+ throws WSSecurityException {
if (cb == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noCallback");
+ throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
}
- WSPasswordCallback callback = new WSPasswordCallback(sct
- .getIdentifier(), WSPasswordCallback.SECURITY_CONTEXT_TOKEN);
- Callback[] callbacks = new Callback[1];
- callbacks[0] = callback;
+ WSPasswordCallback callback =
+ new WSPasswordCallback(
+ sct.getIdentifier(), WSPasswordCallback.SECURITY_CONTEXT_TOKEN
+ );
try {
+ Callback[] callbacks = new Callback[]{callback};
cb.handle(callbacks);
} catch (IOException e) {
- throw new WSSecurityException(WSSecurityException.FAILURE, "noKey",
- new Object[] { sct.getIdentifier() }, e);
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "noKey",
+ new Object[] {sct.getIdentifier()},
+ e
+ );
} catch (UnsupportedCallbackException e) {
- throw new WSSecurityException(WSSecurityException.FAILURE, "noKey",
- new Object[] { sct.getIdentifier() }, e);
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "noKey",
+ new Object[] {sct.getIdentifier()},
+ e
+ );
}
return callback.getKey();
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureConfirmationProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureConfirmationProcessor.java?rev=748498&r1=748497&r2=748498&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureConfirmationProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureConfirmationProcessor.java Fri Feb 27 12:48:54 2009
@@ -36,24 +36,29 @@
private String scId;
- public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler cb, WSDocInfo wsDocInfo, Vector returnResults, WSSConfig wsc) throws WSSecurityException {
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig wsc
+ ) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Found SignatureConfirmation list element");
}
- /*
- * Decode SignatureConfirmation, just store in result
- */
- SignatureConfirmation sigConf = new SignatureConfirmation(
- (Element) elem);
- returnResults.add(0, new WSSecurityEngineResult(WSConstants.SC,
- sigConf));
-
+ //
+ // Decode SignatureConfirmation, just store in result
+ //
+ SignatureConfirmation sigConf = new SignatureConfirmation(elem);
+ returnResults.add(
+ 0,
+ new WSSecurityEngineResult(WSConstants.SC, sigConf)
+ );
scId = elem.getAttributeNS(WSConstants.WSU_NS, "Id");
}
- /* (non-Javadoc)
- * @see org.apache.ws.security.processor.Processor#getId()
- */
public String getId() {
return scId;
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java?rev=748498&r1=748497&r2=748498&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java Fri Feb 27 12:48:54 2009
@@ -66,12 +66,19 @@
public class SignatureProcessor implements Processor {
private static Log log = LogFactory.getLog(SignatureProcessor.class.getName());
- private static Log tlog =
- LogFactory.getLog("org.apache.ws.security.TIME");
+ private static Log tlog = LogFactory.getLog("org.apache.ws.security.TIME");
private String signatureId;
- public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler cb, WSDocInfo wsDocInfo, Vector returnResults, WSSConfig wsc) throws WSSecurityException {
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig wsc
+ ) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Found signature element");
}
@@ -82,32 +89,50 @@
byte[][] signatureValue = new byte[1][];
Principal lastPrincipalFound = null;
try {
- lastPrincipalFound = verifyXMLSignature((Element) elem,
- crypto, returnCert, returnElements, protectedElements, signatureValue, cb);
+ lastPrincipalFound =
+ verifyXMLSignature(
+ elem, crypto, returnCert, returnElements, protectedElements, signatureValue, cb
+ );
} catch (WSSecurityException ex) {
throw ex;
} finally {
WSDocInfoStore.delete(wsDocInfo);
}
if (lastPrincipalFound instanceof WSUsernameTokenPrincipal) {
- returnResults.add(0, new WSSecurityEngineResult(
- WSConstants.UT_SIGN, lastPrincipalFound, null,
- returnElements, protectedElements, signatureValue[0]));
+ returnResults.add(
+ 0,
+ new WSSecurityEngineResult(
+ WSConstants.UT_SIGN,
+ lastPrincipalFound,
+ null,
+ returnElements,
+ protectedElements,
+ signatureValue[0]
+ )
+ );
} else {
- returnResults.add(0, new WSSecurityEngineResult(
- WSConstants.SIGN, lastPrincipalFound,
- returnCert[0], returnElements, protectedElements, signatureValue[0]));
+ returnResults.add(
+ 0,
+ new WSSecurityEngineResult(
+ WSConstants.SIGN,
+ lastPrincipalFound,
+ returnCert[0],
+ returnElements,
+ protectedElements,
+ signatureValue[0]
+ )
+ );
}
signatureId = elem.getAttributeNS(null, "Id");
}
/**
* Verify the WS-Security signature.
- * <p/>
+ *
* The functions at first checks if then <code>KeyInfo</code> that is
* contained in the signature contains standard X509 data. If yes then
* get the certificate data via the standard <code>KeyInfo</code> methods.
- * <p/>
+ *
* Otherwise, if the <code>KeyInfo</code> info does not contain X509 data, check
* if we can find a <code>wsse:SecurityTokenReference</code> element. If yes, the next
* step is to check how to get the certificate. Two methods are currently supported
@@ -121,7 +146,7 @@
* looks up the certificate in the keystore via the <code>crypto</code> parameter.
* </li>
* </ul>
- * <p/>
+ *
* The methods checks is the certificate is valid and calls the
* {@link org.apache.xml.security.signature.XMLSignature#checkSignatureValue(X509Certificate)
* verification} function.
@@ -140,14 +165,15 @@
* principal for further authentication or authorization.
* @throws WSSecurityException
*/
- protected Principal verifyXMLSignature(Element elem,
- Crypto crypto,
- X509Certificate[] returnCert,
- Set returnElements,
- Set protectedElements,
- byte[][] signatureValue,
- CallbackHandler cb)
- throws WSSecurityException {
+ protected Principal verifyXMLSignature(
+ Element elem,
+ Crypto crypto,
+ X509Certificate[] returnCert,
+ Set returnElements,
+ Set protectedElements,
+ byte[][] signatureValue,
+ CallbackHandler cb
+ ) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Verify XML Signature");
}
@@ -176,33 +202,33 @@
String customTokenId = null;
if (info != null) {
- Node node = WSSecurityUtil.getDirectChild(info.getElement(),
+ Node node =
+ WSSecurityUtil.getDirectChild(
+ info.getElement(),
SecurityTokenReference.SECURITY_TOKEN_REFERENCE,
- WSConstants.WSSE_NS);
+ WSConstants.WSSE_NS
+ );
if (node == null) {
throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
- "unsupportedKeyInfo");
+ WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo"
+ );
}
SecurityTokenReference secRef = new SecurityTokenReference((Element) node);
-
int docHash = elem.getOwnerDocument().hashCode();
- /*
- * Here we get some information about the document that is being
- * processed, in particular the crypto implementation, and already
- * detected BST that may be used later during dereferencing.
- */
+ //
+ // Here we get some information about the document that is being
+ // processed, in particular the crypto implementation, and already
+ // detected BST that may be used later during dereferencing.
+ //
WSDocInfo wsDocInfo = WSDocInfoStore.lookup(docHash);
if (secRef.containsReference()) {
- Element token = secRef.getTokenElement(elem.getOwnerDocument(),
- wsDocInfo, cb);
- /*
- * at this point check token type: UsernameToken, Binary, SAML
- * Crypto required only for Binary and SAML
- */
- QName el = new QName(token.getNamespaceURI(), token
- .getLocalName());
+ Element token = secRef.getTokenElement(elem.getOwnerDocument(), wsDocInfo, cb);
+ //
+ // at this point check token type: UsernameToken, Binary, SAML
+ // Crypto required only for Binary and SAML
+ //
+ QName el = new QName(token.getNamespaceURI(), token.getLocalName());
if (el.equals(WSSecurityEngine.usernameToken)) {
String id = token.getAttributeNS(WSConstants.WSU_NS, "Id");
UsernameTokenProcessor utProcessor =
@@ -213,8 +239,8 @@
} else {
secretKey = ut.getSecretKey();
}
- } else if(el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_02) ||
- el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_12)) {
+ } else if (el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_02)
+ || el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_12)) {
dkt = new DerivedKeyToken(token);
String id = dkt.getID();
DerivedKeyTokenProcessor dktProcessor =
@@ -226,102 +252,110 @@
secretKey = dktProcessor.getKeyBytes(keyLength);
} else {
if (el.equals(WSSecurityEngine.binaryToken)) {
- //TODO: Use results from BinarySecurityTokenProcessor
- certs = getCertificatesTokenReference((Element) token,
- crypto);
+ // TODO: Use results from BinarySecurityTokenProcessor
+ certs = getCertificatesTokenReference(token, crypto);
} else if (el.equals(WSSecurityEngine.SAML_TOKEN)) {
if (crypto == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noSigCryptoFile");
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "noSigCryptoFile"
+ );
}
- samlKi = SAMLUtil.getSAMLKeyInfo(
- (Element) token, crypto, cb);
+ samlKi = SAMLUtil.getSAMLKeyInfo(token, crypto, cb);
certs = samlKi.getCerts();
secretKey = samlKi.getSecret();
} else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)){
String encryptedKeyID = token.getAttributeNS(null,"Id");
- EncryptedKeyProcessor encryptKeyProcessor = (EncryptedKeyProcessor)
- wsDocInfo.getProcessor(encryptedKeyID);
+ EncryptedKeyProcessor encryptKeyProcessor =
+ (EncryptedKeyProcessor)wsDocInfo.getProcessor(encryptedKeyID);
if (encryptKeyProcessor == null ) {
if (crypto == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noSigCryptoFile");
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "noSigCryptoFile"
+ );
}
encryptKeyProcessor = new EncryptedKeyProcessor();
encryptKeyProcessor.handleEncryptedKey((Element)token, cb, crypto);
-
}
secretKey = encryptKeyProcessor.getDecryptedBytes();
-
} else {
-
- //Try custom token through callback handler
- //try to find a custom token
- String id = secRef
- .getReference().getURI();
+ // Try custom token through callback handler
+ // try to find a custom token
+ String id = secRef.getReference().getURI();
if (id.charAt(0) == '#') {
id = id.substring(1);
}
- WSPasswordCallback pwcb = new WSPasswordCallback(id,
- WSPasswordCallback.CUSTOM_TOKEN);
+ WSPasswordCallback pwcb =
+ new WSPasswordCallback(id, WSPasswordCallback.CUSTOM_TOKEN);
try {
- cb.handle(new Callback[]{pwcb});
+ Callback[] callbacks = new Callback[]{pwcb};
+ cb.handle(callbacks);
} catch (Exception e) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noPassword", new Object[] { id }, e);
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "noPassword",
+ new Object[] {id},
+ e
+ );
}
secretKey = pwcb.getKey();
customTokenId = id;
-
- if(secretKey == null) {
+ if (secretKey == null) {
throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
- "unsupportedKeyInfo", new Object[]{el
- .toString()});
+ WSSecurityException.INVALID_SECURITY,
+ "unsupportedKeyInfo",
+ new Object[]{el.toString()}
+ );
}
}
}
} else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
certs = secRef.getX509IssuerSerial(crypto);
} else if (secRef.containsKeyIdentifier()) {
- if (secRef.getKeyIdentifierValueType().equals
- (SecurityTokenReference.ENC_KEY_SHA1_URI)) {
+ if (secRef.getKeyIdentifierValueType().equals(SecurityTokenReference.ENC_KEY_SHA1_URI)) {
String id = secRef.getKeyIdentifierValue();
- WSPasswordCallback pwcb = new WSPasswordCallback(id,
- null,
- SecurityTokenReference.ENC_KEY_SHA1_URI,
- WSPasswordCallback.ENCRYPTED_KEY_TOKEN);
+ WSPasswordCallback pwcb =
+ new WSPasswordCallback(
+ id,
+ null,
+ SecurityTokenReference.ENC_KEY_SHA1_URI,
+ WSPasswordCallback.ENCRYPTED_KEY_TOKEN
+ );
try {
- cb.handle(new Callback[]{pwcb});
+ Callback[] callbacks = new Callback[]{pwcb};
+ cb.handle(callbacks);
} catch (Exception e) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noPassword", new Object[] { id }, e);
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "noPassword",
+ new Object[] {id},
+ e
+ );
}
secretKey = pwcb.getKey();
-
} else {
certs = secRef.getKeyIdentifier(crypto);
}
} else {
throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
- "unsupportedKeyInfo", new Object[]{node.toString()});
+ WSSecurityException.INVALID_SECURITY,
+ "unsupportedKeyInfo",
+ new Object[]{node.toString()}
+ );
}
} else {
if (crypto == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noSigCryptoFile");
+ throw new WSSecurityException(WSSecurityException.FAILURE, "noSigCryptoFile");
}
if (crypto.getDefaultX509Alias() != null) {
certs = crypto.getCertificates(crypto.getDefaultX509Alias());
} else {
throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
- "unsupportedKeyInfo");
+ WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo"
+ );
}
}
if (tlog.isDebugEnabled()) {
@@ -348,22 +382,22 @@
if (certs != null) {
signatureOk = sig.checkSignatureValue(certs[0]);
} else {
- signatureOk = sig.checkSignatureValue(sig
- .createSecretKey(secretKey));
+ signatureOk = sig.checkSignatureValue(sig.createSecretKey(secretKey));
}
if (signatureOk) {
if (tlog.isDebugEnabled()) {
t2 = System.currentTimeMillis();
- tlog.debug("Verify: total= " + (t2 - t0)
- + ", prepare-cert= " + (t1 - t0) + ", verify= "
- + (t2 - t1));
+ tlog.debug(
+ "Verify: total= " + (t2 - t0) + ", prepare-cert= " + (t1 - t0)
+ + ", verify= " + (t2 - t1)
+ );
}
signatureValue[0] = sig.getSignatureValue();
- /*
- * Now dig into the Signature element to get the elements that
- * this Signature covers. Build the QName of these Elements and
- * return them to caller
- */
+ //
+ // Now dig into the Signature element to get the elements that
+ // this Signature covers. Build the QName of these Elements and
+ // return them to caller
+ //
SignedInfo si = sig.getSignedInfo();
int numReferences = si.getLength();
for (int i = 0; i < numReferences; i++) {
@@ -379,19 +413,17 @@
if(uri != null && !"".equals(uri)) {
Element se = WSSecurityUtil.getElementByWsuId(elem.getOwnerDocument(), uri);
if (se == null) {
- se = WSSecurityUtil.getElementByGenId(elem
- .getOwnerDocument(), uri);
+ se = WSSecurityUtil.getElementByGenId(elem.getOwnerDocument(), uri);
}
if (se == null) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK);
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
}
returnElements.add(WSSecurityUtil.getIDFromReference(uri));
} else {
- //This is the case where the signed element is identified
- //by a transform such as XPath filtering
- //We add the complete reference element to the return
- //elements
+ // This is the case where the signed element is identified
+ // by a transform such as XPath filtering
+ // We add the complete reference element to the return
+ // elements
returnElements.add(siRef);
}
}
@@ -400,8 +432,8 @@
returnCert[0] = certs[0];
return certs[0].getSubjectDN();
} else if (ut != null){
- WSUsernameTokenPrincipal principal = new WSUsernameTokenPrincipal(
- ut.getName(), ut.isHashed());
+ WSUsernameTokenPrincipal principal =
+ new WSUsernameTokenPrincipal(ut.getName(), ut.isHashed());
principal.setNonce(ut.getNonce());
principal.setPassword(ut.getPassword());
principal.setCreatedTime(ut.getCreated());
@@ -413,18 +445,15 @@
principal.setLength(dkt.getLength());
principal.setOffset(dkt.getOffset());
String basetokenId = null;
- SecurityTokenReference securityTokenReference = dkt
- .getSecurityTokenReference();
+ SecurityTokenReference securityTokenReference = dkt.getSecurityTokenReference();
if (securityTokenReference.containsReference()) {
- basetokenId = securityTokenReference.getReference()
- .getURI();
+ basetokenId = securityTokenReference.getReference().getURI();
if (basetokenId.charAt(0) == '#') {
basetokenId = basetokenId.substring(1);
}
} else {
// KeyIdentifier
- basetokenId = securityTokenReference
- .getKeyIdentifierValue();
+ basetokenId = securityTokenReference.getKeyIdentifierValue();
}
principal.setBasetokenId(basetokenId);
return principal;
@@ -434,9 +463,8 @@
principal.setTokenObject(assertion);
return principal;
} else if (secretKey != null) {
- //This is the custom key scenario
- CustomTokenPrincipal principal = new CustomTokenPrincipal(customTokenId);
- return principal;
+ // This is the custom key scenario
+ return new CustomTokenPrincipal(customTokenId);
} else {
throw new WSSecurityException("Cannot determine principal");
}
@@ -452,19 +480,16 @@
/**
* Extracts the certificate(s) from the Binary Security token reference.
- * <p/>
*
* @param elem The element containing the binary security token. This is
* either X509 certificate(s) or a PKIPath.
* @return an array of X509 certificates
* @throws WSSecurityException
*/
- public X509Certificate[] getCertificatesTokenReference(Element elem,
- Crypto crypto)
- throws WSSecurityException {
+ public X509Certificate[] getCertificatesTokenReference(Element elem, Crypto crypto)
+ throws WSSecurityException {
if (crypto == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "noSigCryptoFile");
+ throw new WSSecurityException(WSSecurityException.FAILURE, "noSigCryptoFile");
}
BinarySecurity token = createSecurityToken(elem);
if (token instanceof PKIPathSecurity) {
@@ -497,20 +522,17 @@
if (X509Security.X509_V3_TYPE.equals(type)) {
x509 = new X509Security(element);
return (BinarySecurity) x509;
- } else if (X509Security.X509_V1_TYPE.equals(type)) {
- x509 = new X509Security(element);
- return (BinarySecurity) x509;
} else if (PKIPathSecurity.getType().equals(type)) {
pkiPath = new PKIPathSecurity(element);
return (BinarySecurity) pkiPath;
}
- throw new WSSecurityException(WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
- "unsupportedBinaryTokenType", new Object[]{type});
+ throw new WSSecurityException(
+ WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
+ "unsupportedBinaryTokenType",
+ new Object[]{type}
+ );
}
- /* (non-Javadoc)
- * @see org.apache.ws.security.processor.Processor#getId()
- */
public String getId() {
return signatureId;
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java?rev=748498&r1=748497&r2=748498&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java Fri Feb 27 12:48:54 2009
@@ -40,21 +40,29 @@
private WSSConfig wssConfig = null;
private String tsId;
- public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler cb, WSDocInfo wsDocInfo, Vector returnResults, WSSConfig wsc) throws WSSecurityException {
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig wsc
+ ) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Found Timestamp list element");
}
wssConfig = wsc;
- /*
- * Decode Timestamp, add the found time (created/expiry) to result
- */
+ //
+ // Decode Timestamp, add the found time (created/expiry) to result
+ //
Timestamp timestamp = new Timestamp(elem);
handleTimestamp(timestamp);
- returnResults.add(0,
- new WSSecurityEngineResult(WSConstants.TS,
- timestamp));
+ returnResults.add(
+ 0,
+ new WSSecurityEngineResult(WSConstants.TS, timestamp)
+ );
tsId = elem.getAttributeNS(WSConstants.WSU_NS, "Id");
-
}
public void handleTimestamp(Timestamp timestamp) throws WSSecurityException {
@@ -63,15 +71,12 @@
DateFormat zulu = new XmlSchemaDateFormat();
- log.debug("Current time: "
- + zulu.format(Calendar.getInstance().getTime()));
+ log.debug("Current time: " + zulu.format(Calendar.getInstance().getTime()));
if (timestamp.getCreated() != null) {
- log.debug("Timestamp created: "
- + zulu.format(timestamp.getCreated().getTime()));
+ log.debug("Timestamp created: " + zulu.format(timestamp.getCreated().getTime()));
}
if (timestamp.getExpires() != null) {
- log.debug("Timestamp expires: "
- + zulu.format(timestamp.getExpires().getTime()));
+ log.debug("Timestamp expires: " + zulu.format(timestamp.getExpires().getTime()));
}
}
@@ -83,15 +88,12 @@
throw new WSSecurityException(
WSSecurityException.MESSAGE_EXPIRED,
"invalidTimestamp",
- new Object[] { "The security semantics of the message have expired" }
+ new Object[] {"The security semantics of the message have expired"}
);
}
}
}
- /* (non-Javadoc)
- * @see org.apache.ws.security.processor.Processor#getId()
- */
public String getId() {
return tsId;
}
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org