You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by gi...@apache.org on 2012/11/06 17:36:24 UTC
svn commit: r1406211 [1/3] - in /webservices/wss4j/trunk:
ws-security-common/src/main/java/org/apache/ws/security/common/crypto/
ws-security-common/src/main/java/org/apache/ws/security/common/saml/
ws-security-common/src/main/java/org/apache/ws/securit...
Author: giger
Date: Tue Nov 6 16:36:23 2012
New Revision: 1406211
URL: http://svn.apache.org/viewvc?rev=1406211&view=rev
Log:
WSS-353 - Add support in the streaming code for decrypting an EncryptedKey in the Subject of a SAML Assertion.
Added:
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SamlConditionsTest.java (with props)
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SamlTokenDerivedTest.java (with props)
Removed:
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/saml/
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/crypto/Merlin.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/AssertionWrapper.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SAMLUtil.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/bean/KeyInfoBean.java
webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/SupportingTokensTest.java (contents, props changed)
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/DerivedKeyTokenInputHandler.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SecurityTokenReferenceInputHandler.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/SAMLTokenOutputProcessor.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SAMLSecurityToken.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/X509DataSecurityToken.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/X509SecurityToken.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/CallbackHandlerImpl.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/InboundWSSecurityContextImplTest.java (contents, props changed)
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenHOKTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenNegativeTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenReferenceTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenSVTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenTest.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/crypto/Merlin.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/crypto/Merlin.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/crypto/Merlin.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/crypto/Merlin.java Tue Nov 6 16:36:23 2012
@@ -844,7 +844,7 @@ public class Merlin extends CryptoBase {
} catch (java.security.NoSuchProviderException e) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, "certpath",
- new Object[] { e.getMessage() }, e
+ e
);
} catch (java.security.NoSuchAlgorithmException e) {
throw new WSSecurityException(
@@ -855,28 +855,28 @@ public class Merlin extends CryptoBase {
} catch (java.security.cert.CertificateException e) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, "certpath",
- new Object[] { e.getMessage() }, e
+ e
);
} catch (java.security.InvalidAlgorithmParameterException e) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, "certpath",
- new Object[] { e.getMessage() }, e
+ e
);
} catch (java.security.cert.CertPathValidatorException e) {
throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILURE, "certpath",
- new Object[] { e.getMessage() }, e
+ WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "certpath",
+ e
);
} catch (java.security.KeyStoreException e) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, "certpath",
- new Object[] { e.getMessage() }, e
+ e
);
} catch (NullPointerException e) {
// NPE thrown by JDK 1.7 for one of the test cases
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, "certpath",
- new Object[] { e.getMessage() }, e
+ e
);
}
}
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/AssertionWrapper.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/AssertionWrapper.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/AssertionWrapper.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/AssertionWrapper.java Tue Nov 6 16:36:23 2012
@@ -657,6 +657,16 @@ public class AssertionWrapper {
}
return null;
}
+
+ public Signature getSignature() throws WSSecurityException {
+ Signature sig = null;
+ if (saml2 != null && saml2.getSignature() != null) {
+ sig = saml2.getSignature();
+ } else if (saml1 != null && saml1.getSignature() != null) {
+ sig = saml1.getSignature();
+ }
+ return sig;
+ }
/**
* Parse the DOM Element into Opensaml objects.
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SAMLUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SAMLUtil.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SAMLUtil.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SAMLUtil.java Tue Nov 6 16:36:23 2012
@@ -86,7 +86,7 @@ public final class SAMLUtil {
* @return An array of bytes corresponding to the secret key (can be null)
* @throws WSSecurityException
*/
- private static byte[] getSecretKeyFromCallbackHandler(
+ public static byte[] getSecretKeyFromCallbackHandler(
String id,
CallbackHandler cb
) throws WSSecurityException {
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/bean/KeyInfoBean.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/bean/KeyInfoBean.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/bean/KeyInfoBean.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/bean/KeyInfoBean.java Tue Nov 6 16:36:23 2012
@@ -37,6 +37,7 @@ public class KeyInfoBean {
private X509Certificate cert;
private CERT_IDENTIFIER certIdentifier = CERT_IDENTIFIER.X509_CERT;
private PublicKey publicKey;
+ private byte[] ephemeralKey;
private Element keyInfoElement;
/**
@@ -98,7 +99,15 @@ public class KeyInfoBean {
public void setCertIdentifer(CERT_IDENTIFIER certIdentifier) {
this.certIdentifier = certIdentifier;
}
-
+
+ public byte[] getEphemeralKey() {
+ return ephemeralKey;
+ }
+
+ public void setEphemeralKey(byte[] ephemeralKey) {
+ this.ephemeralKey = ephemeralKey;
+ }
+
/**
* Method getElement returns the DOM Element of this KeyInfoBean object.
*
Modified: webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties Tue Nov 6 16:36:23 2012
@@ -40,6 +40,7 @@ keystore = Cannot access/read keystore d
missingCreated = Created time is missing
missingSecurityHeader = Security header is missing
missingSecurityProperties = SecurityProperties must not be null!
+noCallback=No password callback supplied
noCert = No certificate provided
noCertsFound = No certificates were found for {0}
noCipher = EncryptedKey does not contain xenc:CipherData/xenc:CipherValue
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/SupportingTokensTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/SupportingTokensTest.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/SupportingTokensTest.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/SupportingTokensTest.java Tue Nov 6 16:36:23 2012
@@ -23,7 +23,6 @@ import org.apache.ws.security.policy.WSS
import org.opensaml.common.SAMLVersion;
import org.apache.ws.security.policy.stax.PolicyEnforcer;
import org.apache.ws.security.stax.ext.WSSConstants;
-import org.apache.ws.security.stax.ext.WSSecurityContext;
import org.apache.ws.security.stax.impl.securityToken.SAMLSecurityToken;
import org.apache.ws.security.stax.impl.securityToken.UsernameSecurityToken;
import org.apache.ws.security.stax.impl.securityToken.X509SecurityToken;
@@ -38,8 +37,8 @@ import javax.xml.namespace.QName;
import java.util.Date;
/**
- * @author $Author: $
- * @version $Revision: $ $Date: $
+ * @author $Author$
+ * @version $Revision$ $Date$
*/
public class SupportingTokensTest extends AbstractPolicyTestBase {
Propchange: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/SupportingTokensTest.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java Tue Nov 6 16:36:23 2012
@@ -124,6 +124,7 @@ public class WSSConstants extends XMLSec
public static final String NS_SOAP12 = "http://www.w3.org/2003/05/soap-envelope";
public static final String NS_WST = "http://schemas.xmlsoap.org/ws/2005/02/trust";
+ public static final String NS_WST_05_12 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
public static final String NS_WSC_SCT = "http://schemas.xmlsoap.org/ws/2005/02/sc/sct";
public static final String NS_SAML = "urn:oasis:names:tc:SAML:1.0:assertion";
@@ -200,6 +201,7 @@ public class WSSConstants extends XMLSec
public static final String PREFIX_C14N_EXCL = "c14nEx";
public static final QName TAG_wst_BinarySecret = new QName(NS_WST, "BinarySecret");
+ public static final QName TAG_wst0512_BinarySecret = new QName(NS_WST_05_12, "BinarySecret");
public static final String SOAPMESSAGE_NS10_STRTransform = NS10_SOAPMESSAGE_SECURITY + "#STR-Transform";
public static final String SWA_ATTACHMENT_CONTENT_SIG_TRANS = "http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform";
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/DerivedKeyTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/DerivedKeyTokenInputHandler.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/DerivedKeyTokenInputHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/DerivedKeyTokenInputHandler.java Tue Nov 6 16:36:23 2012
@@ -24,7 +24,6 @@ import org.apache.ws.security.common.ext
import org.apache.ws.security.stax.ext.WSSConstants;
import org.apache.ws.security.stax.ext.WSSSecurityProperties;
import org.apache.ws.security.stax.ext.WSSecurityContext;
-import org.apache.ws.security.stax.impl.securityToken.SAMLSecurityToken;
import org.apache.ws.security.stax.impl.securityToken.SecurityTokenFactoryImpl;
import org.apache.ws.security.stax.impl.securityToken.UsernameSecurityToken;
import org.apache.ws.security.stax.securityEvent.DerivedKeyTokenSecurityEvent;
@@ -111,9 +110,6 @@ public class DerivedKeyTokenInputHandler
if (referencedSecurityToken instanceof UsernameSecurityToken) {
UsernameSecurityToken usernameSecurityToken = (UsernameSecurityToken) referencedSecurityToken;
secret = usernameSecurityToken.generateDerivedKey();
- } else if (referencedSecurityToken instanceof SAMLSecurityToken) {
- SAMLSecurityToken samlSecurityToken = (SAMLSecurityToken) referencedSecurityToken;
- secret = samlSecurityToken.getSamlKeyInfo().getSecret();
} else {
secret = referencedSecurityToken.getSecretKey(algorithmURI, keyUsage, correlationID).getEncoded();
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java Tue Nov 6 16:36:23 2012
@@ -18,44 +18,59 @@
*/
package org.apache.ws.security.stax.impl.processor.input;
+import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-import org.apache.ws.security.common.crypto.Crypto;
-import org.apache.ws.security.common.crypto.CryptoType;
+import org.apache.ws.security.binding.wss10.ObjectFactory;
+import org.apache.ws.security.binding.wss10.SecurityTokenReferenceType;
import org.apache.ws.security.common.ext.WSSecurityException;
import org.apache.ws.security.common.saml.AssertionWrapper;
import org.apache.ws.security.common.saml.OpenSAMLUtil;
-import org.apache.ws.security.common.saml.SAMLKeyInfo;
+import org.apache.ws.security.common.saml.SAMLUtil;
import org.apache.ws.security.stax.ext.WSSConstants;
import org.apache.ws.security.stax.ext.WSSSecurityProperties;
import org.apache.ws.security.stax.ext.WSSecurityContext;
-import org.apache.ws.security.stax.impl.saml.WSSSAMLKeyInfoProcessor;
import org.apache.ws.security.stax.impl.securityToken.SAMLSecurityToken;
import org.apache.ws.security.stax.securityEvent.SamlTokenSecurityEvent;
+import org.apache.xml.security.binding.xmldsig.KeyInfoType;
+import org.apache.xml.security.binding.xmldsig.KeyValueType;
+import org.apache.xml.security.binding.xmldsig.X509DataType;
+import org.apache.xml.security.binding.xmlenc.EncryptedKeyType;
import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
import org.apache.xml.security.stax.ext.*;
import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
import org.apache.xml.security.stax.ext.stax.XMLSecNamespace;
import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
+import org.apache.xml.security.stax.impl.XMLSecurityEventReader;
+import org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken;
+import org.apache.xml.security.stax.impl.securityToken.SecurityTokenFactory;
+import org.joda.time.DateTime;
+import org.opensaml.common.SAMLVersion;
+import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureValidator;
+import org.opensaml.xml.validation.ValidationException;
+import org.opensaml.xml.validation.ValidatorSuite;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
+import javax.crypto.spec.SecretKeySpec;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Unmarshaller;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLStreamConstants;
-import javax.xml.stream.events.Attribute;
import javax.xml.stream.events.Comment;
import javax.xml.stream.events.Namespace;
import javax.xml.stream.events.ProcessingInstruction;
-import java.math.BigInteger;
-import java.security.PublicKey;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.X509Certificate;
+import java.security.Key;
import java.util.Deque;
import java.util.Iterator;
import java.util.List;
@@ -75,6 +90,12 @@ public class SAMLTokenInputHandler exten
documentBuilderFactory.setNamespaceAware(true);
}
+ /**
+ * The time in seconds in the future within which the NotBefore time of an incoming
+ * Assertion is valid. The default is 60 seconds.
+ */
+ private int futureTTL = 60;
+
@Override
public void handle(final InputProcessorChain inputProcessorChain, final XMLSecurityProperties securityProperties,
Deque<XMLSecEvent> eventQueue, Integer index) throws XMLSecurityException {
@@ -83,41 +104,121 @@ public class SAMLTokenInputHandler exten
final AssertionWrapper assertionWrapper = new AssertionWrapper(samlTokenDocument.getDocumentElement());
+ //important: check the signature before we do other processing...
if (assertionWrapper.isSigned()) {
- assertionWrapper.verifySignature(
- new WSSSAMLKeyInfoProcessor(),
- ((WSSSecurityProperties) securityProperties).getSignatureVerificationCrypto()
- );
- // Verify trust on the signature
- final SAMLKeyInfo samlIssuerKeyInfo = assertionWrapper.getSignatureKeyInfo();
- verifySignedAssertion(samlIssuerKeyInfo,
- (WSSSecurityProperties) securityProperties);
- }
- // Parse the HOK subject if it exists
- assertionWrapper.parseHOKSubject(
- new WSSSAMLKeyInfoProcessor(),
- ((WSSSecurityProperties) securityProperties).getSignatureVerificationCrypto(),
- ((WSSSecurityProperties)securityProperties).getCallbackHandler()
- );
+ Signature signature = assertionWrapper.getSignature();
+ if (signature == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
+ "empty", "no signature to validate");
+ }
+ SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
+ try {
+ validator.validate(signature);
+ } catch (ValidationException ex) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+ "empty", ex, "SAML signature validation failed");
+ }
+
+ int sigKeyInfoIdx = getSignatureKeyInfoIndex(eventQueue);
+ if (sigKeyInfoIdx < 0) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken");
+ }
+ SecurityToken sigSecurityToken = parseKeyInfo(inputProcessorChain, securityProperties, eventQueue, sigKeyInfoIdx);
+
+ if (sigSecurityToken == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken");
+ }
+ sigSecurityToken.verify();
+
+ BasicX509Credential credential = new BasicX509Credential();
+ if (sigSecurityToken.getX509Certificates() != null) {
+ credential.setEntityCertificate(sigSecurityToken.getX509Certificates()[0]);
+ } else if (sigSecurityToken.getPublicKey() != null) {
+ credential.setPublicKey(sigSecurityToken.getPublicKey());
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity",
+ "cannot get certificate or key"
+ );
+ }
+ SignatureValidator sigValidator = new SignatureValidator(credential);
+ try {
+ sigValidator.validate(signature);
+ } catch (ValidationException ex) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+ "empty", ex, "SAML signature validation failed");
+ }
+ }
+
+ // TODO move the following into a Validator eventually
+
+ checkConditions(assertionWrapper);
+ validateAssertion(assertionWrapper);
- // TODO move this into a Validator eventually
String confirmMethod = null;
List<String> methods = assertionWrapper.getConfirmationMethods();
if (methods != null && methods.size() > 0) {
confirmMethod = methods.get(0);
}
+
+ final SecurityToken subjectSecurityToken;
+
if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
- if (assertionWrapper.getSubjectKeyInfo() == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken");
- }
- // The assertion must have been signed for HOK
- if (!assertionWrapper.isSigned()) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "invalidSAMLsecurity");
+
+ //todo shouldn't we do a crypto-lookup here first?
+
+ // First try to get the credential from a CallbackHandler
+ final byte[] subjectSecretKey = SAMLUtil.getSecretKeyFromCallbackHandler(
+ assertionWrapper.getId(), ((WSSSecurityProperties) securityProperties).getCallbackHandler());
+
+ if (subjectSecretKey != null && subjectSecretKey.length > 0) {
+
+ subjectSecurityToken = new AbstractInboundSecurityToken(
+ inputProcessorChain.getSecurityContext(), "",
+ XMLSecurityConstants.XMLKeyIdentifierType.NO_KEY_INFO) {
+ @Override
+ public XMLSecurityConstants.TokenType getTokenType() {
+ return XMLSecurityConstants.DefaultToken;
+ }
+
+ @Override
+ public boolean isAsymmetric() throws XMLSecurityException {
+ return false;
+ }
+
+ @Override
+ protected Key getKey(String algorithmURI, XMLSecurityConstants.KeyUsage
+ keyUsage, String correlationID) throws XMLSecurityException {
+
+ Key key = super.getKey(algorithmURI, keyUsage, correlationID);
+ if (key == null) {
+ String algoFamily = JCEAlgorithmMapper.getJCERequiredKeyFromURI(algorithmURI);
+ key = new SecretKeySpec(subjectSecretKey, algoFamily);
+ setSecretKey(algorithmURI, key);
+ }
+ return key;
+ }
+ };
+ } else {
+ // The assertion must have been signed for HOK
+ if (!assertionWrapper.isSigned()) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "invalidSAMLsecurity");
+ }
+
+ int subjectKeyInfoIndex = getSubjectKeyInfoIndex(eventQueue);
+ if (subjectKeyInfoIndex < 0) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken");
+ }
+ subjectSecurityToken = parseKeyInfo(inputProcessorChain, securityProperties, eventQueue, subjectKeyInfoIndex);
+
+ if (subjectSecurityToken == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken");
+ }
}
+ } else {
+ subjectSecurityToken = null;
}
- final SAMLKeyInfo samlSubjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
-
if (log.isDebugEnabled()) {
log.debug("SAML Assertion issuer " + assertionWrapper.getIssuerString());
}
@@ -136,7 +237,7 @@ public class SAMLTokenInputHandler exten
return this.securityToken;
}
- this.securityToken = new SAMLSecurityToken(assertionWrapper.getSamlVersion(), samlSubjectKeyInfo,
+ this.securityToken = new SAMLSecurityToken(assertionWrapper.getSamlVersion(), subjectSecurityToken,
assertionWrapper.getIssuerString(),
(WSSecurityContext) inputProcessorChain.getSecurityContext(),
((WSSSecurityProperties) securityProperties).getSignatureVerificationCrypto(),
@@ -157,9 +258,175 @@ public class SAMLTokenInputHandler exten
//fire a tokenSecurityEvent
SamlTokenSecurityEvent samlTokenSecurityEvent = new SamlTokenSecurityEvent();
samlTokenSecurityEvent.setSecurityToken((SecurityToken) securityTokenProvider.getSecurityToken());
+ samlTokenSecurityEvent.setCorrelationID(assertionWrapper.getId());
inputProcessorChain.getSecurityContext().registerSecurityEvent(samlTokenSecurityEvent);
}
+ private int getSubjectKeyInfoIndex(Deque<XMLSecEvent> eventQueue) {
+ int idx = -1;
+ Iterator<XMLSecEvent> xmlSecEventIterator = eventQueue.descendingIterator();
+ while (xmlSecEventIterator.hasNext()) {
+ XMLSecEvent xmlSecEvent = xmlSecEventIterator.next();
+ idx++;
+ switch (xmlSecEvent.getEventType()) {
+ case XMLStreamConstants.START_ELEMENT: {
+ QName elementName = xmlSecEvent.asStartElement().getName();
+ if (WSSConstants.TAG_dsig_KeyInfo.equals(elementName)) {
+ List<QName> elementPath = xmlSecEvent.asStartElement().getElementPath();
+ if (elementPath.size() >= 4) {
+ int lastIndex = elementPath.size() - 2;
+ if ("SubjectConfirmationData".equals(elementPath.get(lastIndex).getLocalPart()) &&
+ "SubjectConfirmation".equals(elementPath.get(lastIndex - 1).getLocalPart()) &&
+ "Subject".equals(elementPath.get(lastIndex - 2).getLocalPart())) {
+ return idx;
+ } else if ("SubjectConfirmation".equals(elementPath.get(lastIndex).getLocalPart()) &&
+ "Subject".equals(elementPath.get(lastIndex - 1).getLocalPart())) {
+ return idx;
+ }
+ }
+ }
+ }
+ }
+ }
+ return idx;
+ }
+
+ private int getSignatureKeyInfoIndex(Deque<XMLSecEvent> eventQueue) {
+ int idx = -1;
+ Iterator<XMLSecEvent> xmlSecEventIterator = eventQueue.descendingIterator();
+ while (xmlSecEventIterator.hasNext()) {
+ XMLSecEvent xmlSecEvent = xmlSecEventIterator.next();
+ idx++;
+ switch (xmlSecEvent.getEventType()) {
+ case XMLStreamConstants.START_ELEMENT: {
+ QName elementName = xmlSecEvent.asStartElement().getName();
+ if (WSSConstants.TAG_dsig_KeyInfo.equals(elementName)) {
+ List<QName> elementPath = xmlSecEvent.asStartElement().getElementPath();
+ if (elementPath.size() >= 4) {
+ int lastIndex = elementPath.size() - 2;
+ if ("Signature".equals(elementPath.get(lastIndex).getLocalPart()) &&
+ "Assertion".equals(elementPath.get(lastIndex - 1).getLocalPart())) {
+ return idx;
+ }
+ }
+ }
+ }
+ }
+ }
+ return idx;
+ }
+
+ private SecurityToken parseKeyInfo(InputProcessorChain inputProcessorChain, XMLSecurityProperties securityProperties,
+ Deque<XMLSecEvent> eventQueue, int index) throws XMLSecurityException {
+ XMLSecEvent xmlSecEvent = null;
+ int idx = 0;
+ Iterator<XMLSecEvent> xmlSecEventIterator = eventQueue.descendingIterator();
+ while (xmlSecEventIterator.hasNext() && idx <= index) {
+ xmlSecEvent = xmlSecEventIterator.next();
+ idx++;
+ }
+ //forward to next start element
+ while (xmlSecEventIterator.hasNext()) {
+ xmlSecEvent = xmlSecEventIterator.next();
+ if (xmlSecEvent.isStartElement()) {
+ break;
+ }
+ idx++;
+ }
+ if (xmlSecEvent == null || !xmlSecEvent.isStartElement()) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken");
+ }
+
+ final XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement();
+ final QName elementName = xmlSecStartElement.getName();
+ if (WSSConstants.TAG_wst_BinarySecret.equals(elementName) ||
+ WSSConstants.TAG_wst0512_BinarySecret.equals(elementName)) {
+
+ final StringBuilder stringBuilder = new StringBuilder();
+ loop:
+ while (xmlSecEventIterator.hasNext()) {
+ xmlSecEvent = xmlSecEventIterator.next();
+ switch (xmlSecEvent.getEventType()) {
+ case XMLStreamConstants.END_ELEMENT:
+ if (xmlSecEvent.asEndElement().getName().equals(elementName)) {
+ break loop;
+ }
+ break;
+ case XMLStreamConstants.CHARACTERS:
+ stringBuilder.append(xmlSecEvent.asCharacters().getText());
+ break;
+ }
+ }
+
+ return new AbstractInboundSecurityToken(
+ inputProcessorChain.getSecurityContext(), "",
+ XMLSecurityConstants.XMLKeyIdentifierType.NO_KEY_INFO) {
+ @Override
+ public XMLSecurityConstants.TokenType getTokenType() {
+ return XMLSecurityConstants.DefaultToken;
+ }
+
+ @Override
+ public boolean isAsymmetric() throws XMLSecurityException {
+ return false;
+ }
+
+ @Override
+ protected Key getKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage, String correlationID) throws XMLSecurityException {
+ Key key = super.getKey(algorithmURI, keyUsage, correlationID);
+ if (key == null) {
+ String algoFamily = JCEAlgorithmMapper.getJCERequiredKeyFromURI(algorithmURI);
+ key = new SecretKeySpec(Base64.decodeBase64(stringBuilder.toString()), algoFamily);
+ setSecretKey(algorithmURI, key);
+ }
+ return key;
+ }
+ };
+ } else {
+ Object object = null;
+ try {
+ Unmarshaller unmarshaller = WSSConstants.getJaxbUnmarshaller(securityProperties.isDisableSchemaValidation());
+ object = unmarshaller.unmarshal(new XMLSecurityEventReader(eventQueue, idx));
+ } catch (JAXBException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN, e);
+ }
+
+ if (object instanceof JAXBElement) {
+ object = ((JAXBElement) object).getValue();
+ }
+
+ KeyInfoType keyInfoType = null;
+ if (object instanceof X509DataType) {
+ JAXBElement<X509DataType> x509DataTypeJAXBElement =
+ new org.apache.xml.security.binding.xmldsig.ObjectFactory().createX509Data((X509DataType) object);
+ keyInfoType = new KeyInfoType();
+ SecurityTokenReferenceType securityTokenReferenceType = new SecurityTokenReferenceType();
+ securityTokenReferenceType.getAny().add(x509DataTypeJAXBElement);
+ JAXBElement<SecurityTokenReferenceType> securityTokenReferenceTypeJAXBElement =
+ new ObjectFactory().createSecurityTokenReference(securityTokenReferenceType);
+ keyInfoType.getContent().add(securityTokenReferenceTypeJAXBElement);
+ } else if (object instanceof EncryptedKeyType) {
+ EncryptedKeyType encryptedKeyType = (EncryptedKeyType) object;
+ keyInfoType = encryptedKeyType.getKeyInfo();
+ } else if (object instanceof SecurityTokenReferenceType) {
+ JAXBElement<SecurityTokenReferenceType> securityTokenReferenceTypeJAXBElement =
+ new ObjectFactory().createSecurityTokenReference((SecurityTokenReferenceType) object);
+ keyInfoType = new KeyInfoType();
+ keyInfoType.getContent().add(securityTokenReferenceTypeJAXBElement);
+ } else if (object instanceof KeyValueType) {
+ JAXBElement<KeyValueType> keyValueTypeJAXBElement = new org.apache.xml.security.binding.xmldsig.ObjectFactory().createKeyValue((KeyValueType) object);
+ keyInfoType = new KeyInfoType();
+ keyInfoType.getContent().add(keyValueTypeJAXBElement);
+ } else {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN, "unsupportedKeyInfo");
+ }
+
+ return SecurityTokenFactory.getInstance().getSecurityToken(
+ keyInfoType, SecurityToken.KeyInfoUsage.SIGNATURE_VERIFICATION,
+ securityProperties, inputProcessorChain.getSecurityContext());
+ }
+ }
+
@SuppressWarnings("unchecked")
@Override
protected <T> T parseStructure(Deque<XMLSecEvent> eventDeque, int index, XMLSecurityProperties securityProperties)
@@ -208,6 +475,11 @@ public class SAMLTokenInputHandler exten
XMLSecAttribute next = attributesIterator.next();
parseXMLEvent(next, currentNode, document);
}
+ //add namespace which is not declared on current element but must be on a parent element:
+ String elementNs = document.lookupNamespaceURI(xmlSecStartElement.getName().getPrefix());
+ if (elementNs == null) {
+ parseXMLEvent(xmlSecStartElement.getElementNamespace(), currentNode, document);
+ }
break;
case XMLStreamConstants.END_ELEMENT:
if (currentNode.getParentNode() != null) {
@@ -234,12 +506,19 @@ public class SAMLTokenInputHandler exten
case XMLStreamConstants.END_DOCUMENT:
return currentNode;
case XMLStreamConstants.ATTRIBUTE:
+ final XMLSecAttribute xmlSecAttribute = (XMLSecAttribute) xmlSecEvent;
Attr attributeNode = document.createAttributeNS(
- ((Attribute) xmlSecEvent).getName().getNamespaceURI(),
- ((Attribute) xmlSecEvent).getName().getLocalPart());
- attributeNode.setPrefix(((Attribute) xmlSecEvent).getName().getPrefix());
- attributeNode.setValue(((Attribute) xmlSecEvent).getValue());
+ xmlSecAttribute.getName().getNamespaceURI(),
+ xmlSecAttribute.getName().getLocalPart());
+ attributeNode.setPrefix(xmlSecAttribute.getName().getPrefix());
+ attributeNode.setValue(xmlSecAttribute.getValue());
((Element) currentNode).setAttributeNodeNS(attributeNode);
+
+ //add namespace which is not declared on current element but must be on a parent element:
+ String attrNs = document.lookupNamespaceURI(xmlSecAttribute.getName().getPrefix());
+ if (attrNs == null) {
+ parseXMLEvent(xmlSecAttribute.getAttributeNamespace(), currentNode, document);
+ }
break;
case XMLStreamConstants.DTD:
//todo?:
@@ -271,233 +550,64 @@ public class SAMLTokenInputHandler exten
}
/**
- * Verify trust in the signature of a signed Assertion. This method is separate so that
- * the user can override if if they want.
- *
- * @return A Credential instance
- * @throws WSSecurityException
- */
- public void verifySignedAssertion(SAMLKeyInfo samlKeyInfo, WSSSecurityProperties securityProperties)
- throws WSSecurityException {
- validate(samlKeyInfo.getCerts(), samlKeyInfo.getPublicKey(), securityProperties);
- }
-
- /**
- * Validate the credential argument. It must contain a non-null X509Certificate chain
- * or a PublicKey. A Crypto implementation is also required to be set.
- * <p/>
- * This implementation first attempts to verify trust on the certificate (chain). If
- * this is not successful, then it will attempt to verify trust on the Public Key.
- *
- * @throws WSSecurityException on a failed validation
- */
- protected void validate(X509Certificate[] certs, PublicKey publicKey, WSSSecurityProperties securityProperties)
- throws WSSecurityException {
- Crypto crypto = securityProperties.getSignatureVerificationCrypto();
- if (crypto == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "noSigCryptoFile");
- }
-
- if (certs != null && certs.length > 0) {
- validateCertificates(certs);
- boolean trust = false;
- if (certs.length == 1) {
- trust = verifyTrustInCert(certs[0], crypto);
- } else {
- trust = verifyTrustInCerts(certs, crypto);
- }
- if (trust) {
- return;
- }
- }
- if (publicKey != null) {
- boolean trust = validatePublicKey(publicKey, crypto);
- if (trust) {
- return;
- }
- }
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
- }
-
- /**
- * Validate the certificates by checking the validity of each cert
- *
- * @throws WSSecurityException
+ * Check the Conditions of the Assertion.
*/
- protected void validateCertificates(X509Certificate[] certificates) throws WSSecurityException {
- try {
- for (int i = 0; i < certificates.length; i++) {
- certificates[i].checkValidity();
+ protected void checkConditions(AssertionWrapper assertion) throws WSSecurityException {
+ DateTime validFrom = null;
+ DateTime validTill = null;
+ if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
+ && assertion.getSaml2().getConditions() != null) {
+ validFrom = assertion.getSaml2().getConditions().getNotBefore();
+ validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+ } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
+ && assertion.getSaml1().getConditions() != null) {
+ validFrom = assertion.getSaml1().getConditions().getNotBefore();
+ validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+ }
+
+ if (validFrom != null) {
+ DateTime currentTime = new DateTime();
+ currentTime = currentTime.plusSeconds(futureTTL);
+ if (validFrom.isAfter(currentTime)) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", "SAML Token condition (Not Before) not met");
}
- } catch (CertificateExpiredException e) {
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "invalidCert", e
- );
- } catch (CertificateNotYetValidException e) {
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "invalidCert", e
- );
}
- }
- /**
- * Check to see if the certificate argument is in the keystore
- *
- * @param crypto The Crypto instance to use
- * @param cert The certificate to check
- * @return true if cert is in the keystore
- * @throws WSSecurityException
- */
- protected boolean isCertificateInKeyStore(Crypto crypto, X509Certificate cert) throws WSSecurityException {
- String issuerString = cert.getIssuerX500Principal().getName();
- BigInteger issuerSerial = cert.getSerialNumber();
-
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
- cryptoType.setIssuerSerial(issuerString, issuerSerial);
- X509Certificate[] foundCerts = crypto.getX509Certificates(cryptoType);
-
- //
- // If a certificate has been found, the certificates must be compared
- // to ensure against phony DNs (compare encoded form including signature)
- //
- if (foundCerts != null && foundCerts[0] != null && foundCerts[0].equals(cert)) {
- if (log.isDebugEnabled()) {
- log.debug(
- "Direct trust for certificate with " + cert.getSubjectX500Principal().getName()
- );
- }
- return true;
- }
- if (log.isDebugEnabled()) {
- log.debug(
- "No certificate found for subject from issuer with " + issuerString
- + " (serial " + issuerSerial + ")"
- );
+ if (validTill != null && validTill.isBeforeNow()) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", "SAML Token condition (Not On Or After) not met");
}
- return false;
}
-
/**
- * Evaluate whether a given certificate should be trusted.
- * <p/>
- * Policy used in this implementation:
- * 1. Search the keystore for the transmitted certificate
- * 2. Search the keystore for a connection to the transmitted certificate
- * (that is, search for certificate(s) of the issuer of the transmitted certificate
- * 3. Verify the trust path for those certificates found because the search for the issuer
- * might be fooled by a phony DN (String!)
- *
- * @param cert the certificate that should be validated against the keystore
- * @param crypto A crypto instance to use for trust validation
- * @return true if the certificate is trusted, false if not
- * @throws WSSecurityException
+ * Validate the assertion against schemas/profiles
*/
- protected boolean verifyTrustInCert(X509Certificate cert, Crypto crypto) throws WSSecurityException {
- String subjectString = cert.getSubjectX500Principal().getName();
- String issuerString = cert.getIssuerX500Principal().getName();
- BigInteger issuerSerial = cert.getSerialNumber();
-
- if (log.isDebugEnabled()) {
- log.debug("Transmitted certificate has subject " + subjectString);
- log.debug(
- "Transmitted certificate has issuer " + issuerString + " (serial "
- + issuerSerial + ")"
- );
- }
-
- //
- // FIRST step - Search the keystore for the transmitted certificate
- //
- if (isCertificateInKeyStore(crypto, cert)) {
- return true;
- }
-
- //
- // SECOND step - Search for the issuer cert (chain) of the transmitted certificate in the
- // keystore or the truststore
- //
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
- cryptoType.setAlias(issuerString);
- X509Certificate[] foundCerts = crypto.getX509Certificates(cryptoType);
-
- // If the certs have not been found, the issuer is not in the keystore/truststore
- // As a direct result, do not trust the transmitted certificate
- if (foundCerts == null || foundCerts.length < 1) {
- if (log.isDebugEnabled()) {
- log.debug(
- "No certs found in keystore for issuer " + issuerString
- + " of certificate for " + subjectString
+ protected void validateAssertion(AssertionWrapper assertion) throws WSSecurityException {
+ if (assertion.getSaml1() != null) {
+ ValidatorSuite schemaValidators =
+ org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator");
+ ValidatorSuite specValidators =
+ org.opensaml.Configuration.getValidatorSuite("saml1-spec-validator");
+ try {
+ schemaValidators.validate(assertion.getSaml1());
+ specValidators.validate(assertion.getSaml1());
+ } catch (ValidationException e) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, "empty", e, "Saml Validation error: "
);
}
- return false;
- }
-
- //
- // THIRD step
- // Check the certificate trust path for the issuer cert chain
- //
- if (log.isDebugEnabled()) {
- log.debug(
- "Preparing to validate certificate path for issuer " + issuerString
- );
- }
- //
- // Form a certificate chain from the transmitted certificate
- // and the certificate(s) of the issuer from the keystore/truststore
- //
- X509Certificate[] x509certs = new X509Certificate[foundCerts.length + 1];
- x509certs[0] = cert;
- System.arraycopy(foundCerts, 0, x509certs, 1, foundCerts.length);
-
- //
- // Use the validation method from the crypto to check whether the subjects'
- // certificate was really signed by the issuer stated in the certificate
- //
- if (crypto.verifyTrust(x509certs)) {
- if (log.isDebugEnabled()) {
- log.debug(
- "Certificate path has been verified for certificate with subject "
- + subjectString
+ } else if (assertion.getSaml2() != null) {
+ ValidatorSuite schemaValidators =
+ org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator");
+ ValidatorSuite specValidators =
+ org.opensaml.Configuration.getValidatorSuite("saml2-core-spec-validator");
+ try {
+ schemaValidators.validate(assertion.getSaml2());
+ specValidators.validate(assertion.getSaml2());
+ } catch (ValidationException e) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", e, "Saml Validation error: "
);
}
- return true;
- }
-
- if (log.isDebugEnabled()) {
- log.debug(
- "Certificate path could not be verified for certificate with subject "
- + subjectString
- );
- }
- return false;
- }
-
- /**
- * Evaluate whether the given certificate chain should be trusted.
- *
- * @param certificates the certificate chain that should be validated against the keystore
- * @return true if the certificate chain is trusted, false if not
- * @throws WSSecurityException
- */
- protected boolean verifyTrustInCerts(X509Certificate[] certificates, Crypto crypto) throws WSSecurityException {
- //
- // Use the validation method from the crypto to check whether the subjects'
- // certificate was really signed by the issuer stated in the certificate
- //
- if (certificates != null && certificates.length > 0
- && crypto.verifyTrust(certificates)) {
- return true;
}
- return false;
- }
-
- /**
- * Validate a public key
- *
- * @throws WSSecurityException
- */
- protected boolean validatePublicKey(PublicKey publicKey, Crypto crypto) throws WSSecurityException {
- return crypto.verifyTrust(publicKey);
}
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SecurityTokenReferenceInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SecurityTokenReferenceInputHandler.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SecurityTokenReferenceInputHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SecurityTokenReferenceInputHandler.java Tue Nov 6 16:36:23 2012
@@ -19,6 +19,7 @@
package org.apache.ws.security.stax.impl.processor.input;
import org.apache.ws.security.binding.wss10.KeyIdentifierType;
+import org.apache.ws.security.binding.wss10.ReferenceType;
import org.apache.ws.security.binding.wss10.SecurityTokenReferenceType;
import org.apache.ws.security.common.ext.WSSecurityException;
import org.apache.ws.security.stax.ext.WSSConstants;
@@ -57,23 +58,39 @@ public class SecurityTokenReferenceInput
final SecurityTokenReferenceType securityTokenReferenceType =
((JAXBElement<SecurityTokenReferenceType>) parseStructure(eventQueue, index, securityProperties)).getValue();
+ QName attributeName = null;
+ String attributeValue = null;
+
final KeyIdentifierType keyIdentifierType = XMLSecurityUtils.getQNameType(
securityTokenReferenceType.getAny(), WSSConstants.TAG_wsse_KeyIdentifier);
if (keyIdentifierType != null) {
+ attributeValue = keyIdentifierType.getValue().trim();
if (WSSConstants.NS_SAML10_TYPE.equals(keyIdentifierType.getValueType())) {
- InternalSecurityTokenReferenceInputProcessor internalSecurityTokenReferenceInputHandler
- = new InternalSecurityTokenReferenceInputProcessor(
- securityTokenReferenceType.getId(), WSSConstants.ATT_NULL_AssertionID,
- keyIdentifierType.getValue().trim(), (WSSSecurityProperties) securityProperties);
- inputProcessorChain.addProcessor(internalSecurityTokenReferenceInputHandler);
+ attributeName = WSSConstants.ATT_NULL_AssertionID;
} else if (WSSConstants.NS_SAML20_TYPE.equals(keyIdentifierType.getValueType())) {
- InternalSecurityTokenReferenceInputProcessor internalSecurityTokenReferenceInputHandler
- = new InternalSecurityTokenReferenceInputProcessor(
- securityTokenReferenceType.getId(), WSSConstants.ATT_NULL_ID,
- keyIdentifierType.getValue().trim(), (WSSSecurityProperties) securityProperties);
- inputProcessorChain.addProcessor(internalSecurityTokenReferenceInputHandler);
+ attributeName = WSSConstants.ATT_NULL_ID;
+ }
+ }
+ final ReferenceType referenceType = XMLSecurityUtils.getQNameType(
+ securityTokenReferenceType.getAny(), WSSConstants.TAG_wsse_Reference);
+ if (referenceType != null) {
+ attributeValue = WSSUtils.dropReferenceMarker(referenceType.getURI());
+ if (WSSConstants.NS_SAML10_TYPE.equals(referenceType.getValueType())) {
+ attributeName = WSSConstants.ATT_NULL_AssertionID;
+ } else if (WSSConstants.NS_SAML20_TYPE.equals(referenceType.getValueType())) {
+ attributeName = WSSConstants.ATT_NULL_ID;
}
}
+
+ if (attributeName != null) {
+ InternalSecurityTokenReferenceInputProcessor internalSecurityTokenReferenceInputHandler
+ = new InternalSecurityTokenReferenceInputProcessor(
+ securityTokenReferenceType.getId(), attributeName,
+ attributeValue, (WSSSecurityProperties) securityProperties);
+ inputProcessorChain.addProcessor(internalSecurityTokenReferenceInputHandler);
+ } else {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN);
+ }
}
class InternalSecurityTokenReferenceInputProcessor extends AbstractInputProcessor {
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/SAMLTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/SAMLTokenOutputProcessor.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/SAMLTokenOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/SAMLTokenOutputProcessor.java Tue Nov 6 16:36:23 2012
@@ -28,6 +28,7 @@ import org.apache.ws.security.stax.ext.W
import org.apache.ws.security.stax.ext.WSSSecurityProperties;
import org.apache.ws.security.stax.ext.WSSUtils;
import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
import org.apache.xml.security.stax.ext.*;
import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
@@ -39,9 +40,11 @@ import org.apache.xml.security.stax.impl
import org.opensaml.common.SAMLVersion;
import org.w3c.dom.*;
+import javax.crypto.spec.SecretKeySpec;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
+import java.security.Key;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
@@ -60,6 +63,8 @@ public class SAMLTokenOutputProcessor ex
@Override
public void processEvent(XMLSecEvent xmlSecEvent, final OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
+ //todo refactor/cleanup/simplify
+
try {
final SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(((WSSSecurityProperties)getSecurityProperties()).getCallbackHandler(), samlCallback);
@@ -90,6 +95,7 @@ public class SAMLTokenOutputProcessor ex
PrivateKey privateKey = null;
X509Certificate[] certificates = null;
+ byte[] ephemeralKey = null;
if (senderVouches) {
// prepare to sign the SAML token
@@ -124,14 +130,19 @@ public class SAMLTokenOutputProcessor ex
cryptoType.setAlias(alias);
certificates = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().getX509Certificates(cryptoType);
privateKey = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().getPrivateKey(alias, wsPasswordCallback.getPassword());
+ } else {
+ ephemeralKey = keyInfoBean.getEphemeralKey();
}
}
}
}
final SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo(certificates);
- samlKeyInfo.setPublicKey(certificates[0].getPublicKey());
+ if (certificates != null && certificates.length > 0) {
+ samlKeyInfo.setPublicKey(certificates[0].getPublicKey());
+ }
samlKeyInfo.setPrivateKey(privateKey);
+ samlKeyInfo.setSecret(ephemeralKey);
final X509Certificate[] x509Certificates;
if (certificates != null && certificates.length > 0) {
@@ -196,7 +207,32 @@ public class SAMLTokenOutputProcessor ex
} else {
tokenType = WSSConstants.Saml20Token;
}
- this.samlSecurityToken = new GenericOutboundSecurityToken(tokenId, tokenType, samlKeyInfo.getPrivateKey(), samlKeyInfo.getCerts());
+ if (samlKeyInfo.getPrivateKey() != null) {
+ this.samlSecurityToken = new GenericOutboundSecurityToken(
+ tokenId, tokenType, samlKeyInfo.getPrivateKey(), samlKeyInfo.getCerts());
+ } else {
+ this.samlSecurityToken = new GenericOutboundSecurityToken(
+ tokenId, tokenType) {
+
+ @Override
+ public Key getSecretKey(String algorithmURI) throws WSSecurityException {
+
+ Key key = null;
+ try {
+ key = super.getSecretKey(algorithmURI);
+ } catch (XMLSecurityException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+ }
+ if (key != null) {
+ return key;
+ }
+ String algoFamily = JCEAlgorithmMapper.getJCERequiredKeyFromURI(algorithmURI);
+ key = new SecretKeySpec(samlKeyInfo.getSecret(), algoFamily);
+ setSecretKey(algorithmURI, key);
+ return key;
+ }
+ };
+ }
this.samlSecurityToken.setProcessor(finalSAMLTokenOutputProcessor);
return this.samlSecurityToken;
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SAMLSecurityToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SAMLSecurityToken.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SAMLSecurityToken.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SAMLSecurityToken.java Tue Nov 6 16:36:23 2012
@@ -20,14 +20,16 @@ package org.apache.ws.security.stax.impl
import org.apache.ws.security.common.crypto.Crypto;
import org.apache.ws.security.common.ext.WSSecurityException;
-import org.apache.ws.security.common.saml.SAMLKeyInfo;
import org.apache.ws.security.stax.ext.WSSConstants;
import org.apache.ws.security.stax.ext.WSSecurityContext;
import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.ext.SecurityToken;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken;
import org.opensaml.common.SAMLVersion;
+import java.security.Key;
+import java.security.PublicKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
@@ -39,28 +41,77 @@ import java.security.cert.X509Certificat
public class SAMLSecurityToken extends AbstractInboundSecurityToken {
private final SAMLVersion samlVersion;
- private final SAMLKeyInfo samlKeyInfo;
+ private SecurityToken subjectSecurityToken;
private String issuer;
private Crypto crypto;
- public SAMLSecurityToken(SAMLVersion samlVersion, SAMLKeyInfo samlKeyInfo, String issuer,
+ public SAMLSecurityToken(SAMLVersion samlVersion, SecurityToken subjectSecurityToken, String issuer,
WSSecurityContext wsSecurityContext, Crypto crypto,
String id, WSSConstants.KeyIdentifierType keyIdentifierType) {
super(wsSecurityContext, id, keyIdentifierType);
this.samlVersion = samlVersion;
- this.samlKeyInfo = samlKeyInfo;
this.issuer = issuer;
this.crypto = crypto;
- if (samlKeyInfo != null) {
- setSecretKey("", samlKeyInfo.getPrivateKey());
- setPublicKey(samlKeyInfo.getPublicKey());
- setX509Certificates(samlKeyInfo.getCerts());
+ this.subjectSecurityToken = subjectSecurityToken;
+ }
+
+ public SAMLSecurityToken(SAMLVersion samlVersion, Key secretKey, PublicKey publicKey,
+ X509Certificate[] x509Certificates, String issuer,
+ WSSecurityContext wsSecurityContext, Crypto crypto,
+ String id, WSSConstants.KeyIdentifierType keyIdentifierType) {
+ super(wsSecurityContext, id, keyIdentifierType);
+ this.samlVersion = samlVersion;
+ this.issuer = issuer;
+ this.crypto = crypto;
+ if (secretKey != null) {
+ setSecretKey("", secretKey);
+ }
+ if (publicKey != null) {
+ setPublicKey(publicKey);
+ }
+ if (x509Certificates != null) {
+ setX509Certificates(x509Certificates);
+ }
+ }
+
+ @Override
+ public boolean isAsymmetric() throws XMLSecurityException {
+ if (this.subjectSecurityToken != null && this.subjectSecurityToken.isAsymmetric()) {
+ return true;
+ }
+ return super.isAsymmetric();
+ }
+
+ @Override
+ protected Key getKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage, String correlationID) throws XMLSecurityException {
+ if (this.subjectSecurityToken != null) {
+ return subjectSecurityToken.getSecretKey(algorithmURI, keyUsage, correlationID);
}
+ return super.getKey(algorithmURI, keyUsage, correlationID);
}
- public SAMLSecurityToken(SAMLVersion samlVersion, SAMLKeyInfo samlKeyInfo, WSSecurityContext wsSecurityContext,
- Crypto crypto, String id) {
- this(samlVersion, samlKeyInfo, null, wsSecurityContext, crypto, id, null);
+ @Override
+ protected PublicKey getPubKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage, String correlationID) throws XMLSecurityException {
+ if (this.subjectSecurityToken != null) {
+ return subjectSecurityToken.getPublicKey(algorithmURI, keyUsage, correlationID);
+ }
+ return super.getPubKey(algorithmURI, keyUsage, correlationID);
+ }
+
+ @Override
+ public PublicKey getPublicKey() throws XMLSecurityException {
+ if (this.subjectSecurityToken != null) {
+ return subjectSecurityToken.getPublicKey();
+ }
+ return super.getPublicKey();
+ }
+
+ @Override
+ public X509Certificate[] getX509Certificates() throws XMLSecurityException {
+ if (this.subjectSecurityToken != null) {
+ return subjectSecurityToken.getX509Certificates();
+ }
+ return super.getX509Certificates();
}
public Crypto getCrypto() {
@@ -69,9 +120,13 @@ public class SAMLSecurityToken extends A
@Override
public void verify() throws XMLSecurityException {
+ //todo verify public key if exists
+ //todo revisit verify for every security token incl. public-key
+ //todo should we call verify implicit when accessing the keys?
try {
X509Certificate[] x509Certificates = getX509Certificates();
if (x509Certificates != null && x509Certificates.length > 0) {
+ //todo I don't think the checkValidity is necessary because the CertPathChecker
x509Certificates[0].checkValidity();
//todo deprecated method:
getCrypto().verifyTrust(x509Certificates);
@@ -93,11 +148,6 @@ public class SAMLSecurityToken extends A
return WSSConstants.Saml20Token;
}
- public SAMLKeyInfo getSamlKeyInfo() {
- //todo AlgoSecEvent?
- return samlKeyInfo;
- }
-
public SAMLVersion getSamlVersion() {
return samlVersion;
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/X509DataSecurityToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/X509DataSecurityToken.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/X509DataSecurityToken.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/X509DataSecurityToken.java Tue Nov 6 16:36:23 2012
@@ -27,6 +27,7 @@ import org.apache.xml.security.binding.x
import org.apache.xml.security.binding.xmldsig.X509IssuerSerialType;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.ext.XMLSecurityUtils;
+import org.apache.xml.security.stax.impl.util.UnsynchronizedByteArrayInputStream;
import javax.security.auth.callback.CallbackHandler;
import java.security.cert.X509Certificate;
@@ -51,20 +52,33 @@ public class X509DataSecurityToken exten
if (this.alias == null) {
X509IssuerSerialType x509IssuerSerialType = XMLSecurityUtils.getQNameType(
x509DataType.getX509IssuerSerialOrX509SKIOrX509SubjectName(), WSSConstants.TAG_dsig_X509IssuerSerial);
- if (x509IssuerSerialType == null
- || x509IssuerSerialType.getX509IssuerName() == null
- || x509IssuerSerialType.getX509SerialNumber() == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
+ if (x509IssuerSerialType != null) {
+ if (x509IssuerSerialType.getX509IssuerName() == null
+ || x509IssuerSerialType.getX509SerialNumber() == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
+ }
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
+ cryptoType.setIssuerSerial(
+ x509IssuerSerialType.getX509IssuerName(), x509IssuerSerialType.getX509SerialNumber()
+ );
+ X509Certificate[] certs = getCrypto().getX509Certificates(cryptoType);
+ setX509Certificates(certs);
+ if (certs == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
+ }
+ return this.alias = getCrypto().getX509Identifier(certs[0]);
}
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
- cryptoType.setIssuerSerial(
- x509IssuerSerialType.getX509IssuerName(), x509IssuerSerialType.getX509SerialNumber()
- );
- X509Certificate[] certs = getCrypto().getX509Certificates(cryptoType);
- if (certs == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
+ byte[] x509CertificateBytes = XMLSecurityUtils.getQNameType(
+ x509DataType.getX509IssuerSerialOrX509SKIOrX509SubjectName(), WSSConstants.TAG_dsig_X509Certificate);
+ if (x509CertificateBytes != null) {
+ X509Certificate[] certs =
+ new X509Certificate[]{
+ getCrypto().loadCertificate(
+ new UnsynchronizedByteArrayInputStream(x509CertificateBytes))
+ };
+ setX509Certificates(certs);
+ return this.alias = getCrypto().getX509Identifier(certs[0]);
}
- this.alias = getCrypto().getX509Identifier(certs[0]);
}
return this.alias;
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/X509SecurityToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/X509SecurityToken.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/X509SecurityToken.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/X509SecurityToken.java Tue Nov 6 16:36:23 2012
@@ -70,9 +70,12 @@ public abstract class X509SecurityToken
@Override
public X509Certificate[] getX509Certificates() throws XMLSecurityException {
if (super.getX509Certificates() == null) {
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
- cryptoType.setAlias(getAlias());
- setX509Certificates(getCrypto().getX509Certificates(cryptoType));
+ String alias = getAlias();
+ if (alias != null) {
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias(alias);
+ setX509Certificates(getCrypto().getX509Certificates(cryptoType));
+ }
}
return super.getX509Certificates();
}
@@ -82,6 +85,8 @@ public abstract class X509SecurityToken
try {
X509Certificate[] x509Certificates = getX509Certificates();
if (x509Certificates != null && x509Certificates.length > 0) {
+ //todo I don't think the checkValidity is necessary because the CertPathChecker
+ // in crypto-verify trust should already do the job
x509Certificates[0].checkValidity();
//todo deprecated method:
getCrypto().verifyTrust(x509Certificates);
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java Tue Nov 6 16:36:23 2012
@@ -21,6 +21,8 @@ package org.apache.ws.security.stax.test
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.common.bsp.BSPRule;
+import org.apache.ws.security.common.crypto.Crypto;
+import org.apache.ws.security.common.crypto.CryptoFactory;
import org.apache.ws.security.common.ext.WSSecurityException;
import org.apache.ws.security.common.util.XMLUtils;
import org.apache.ws.security.dom.WSConstants;
@@ -94,6 +96,7 @@ public abstract class AbstractTestBase {
static {
LogManager.getLogManager().addLogger(Logger.getLogger("org.jcp.xml.dsig.internal.dom"));
LogManager.getLogManager().getLogger("org.jcp.xml.dsig.internal.dom").setLevel(Level.FINE);
+ WSSConfig.init();
}
public AbstractTestBase() {
@@ -237,41 +240,12 @@ public abstract class AbstractTestBase {
messageContext.put(WSHandlerConstants.USER, "receiver");
}
- //handlerInfo.getHandlerConfig().put(WSHandlerConstants.ACTOR, "receiver");
- Properties sigProperties = new Properties();
- sigProperties.setProperty("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
- if (client) {
- sigProperties.setProperty("org.apache.ws.security.crypto.merlin.file", "transmitter.jks");
- } else {
- sigProperties.setProperty("org.apache.ws.security.crypto.merlin.file", "receiver.jks");
- }
- //sigProperties.setProperty("org.apache.ws.security.crypto.merlin.alias.password", "default");
- sigProperties.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "default");
- //sigProperties.setProperty("org.apache.ws.security.crypto.merlin.keystore.alias", "transmitter");
- wss4JHandler.setPassword(messageContext, "default");
-
- messageContext.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "" + sigProperties.hashCode());
- messageContext.put("" + sigProperties.hashCode(), sigProperties);
if (properties.get(WSHandlerConstants.PW_CALLBACK_REF) != null) {
messageContext.put(WSHandlerConstants.PW_CALLBACK_REF, properties.get(WSHandlerConstants.PW_CALLBACK_REF));
} else {
messageContext.put(WSHandlerConstants.PW_CALLBACK_REF, new WSS4JCallbackHandlerImpl());
}
- Properties decProperties = new Properties();
- decProperties.setProperty("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
- if (client) {
- decProperties.setProperty("org.apache.ws.security.crypto.merlin.file", "transmitter.jks");
- } else {
- decProperties.setProperty("org.apache.ws.security.crypto.merlin.file", "receiver.jks");
- }
- //sigProperties.setProperty("org.apache.ws.security.crypto.merlin.alias.password", "default");
- decProperties.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "default");
- //sigProperties.setProperty("org.apache.ws.security.crypto.merlin.keystore.alias", "transmitter");
- wss4JHandler.setPassword(messageContext, "default");
- messageContext.put(WSHandlerConstants.DEC_PROP_REF_ID, "" + decProperties.hashCode());
- messageContext.put("" + decProperties.hashCode(), decProperties);
-
Enumeration<?> enumeration = properties.propertyNames();
while (enumeration.hasMoreElements()) {
String s = (String) enumeration.nextElement();
@@ -280,6 +254,15 @@ public abstract class AbstractTestBase {
RequestData requestData = new RequestData();
requestData.setMsgContext(messageContext);
+ if (client) {
+ final Crypto crypto = CryptoFactory.getInstance("transmitter-crypto.properties");
+ requestData.setDecCrypto(crypto);
+ requestData.setSigVerCrypto(crypto);
+ } else {
+ final Crypto crypto = CryptoFactory.getInstance("receiver-crypto.properties");
+ requestData.setDecCrypto(crypto);
+ requestData.setSigVerCrypto(crypto);
+ }
// Disable PrefixList checking as the stax code doesn't support this yet
List<BSPRule> ignoredRules = new ArrayList<BSPRule>();
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/CallbackHandlerImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/CallbackHandlerImpl.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/CallbackHandlerImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/CallbackHandlerImpl.java Tue Nov 6 16:36:23 2012
@@ -225,6 +225,7 @@ public class CallbackHandlerImpl impleme
encrKey.setUseThisCert(certs[0]);
encrKey.prepare(doc, null);
ephemeralKey = encrKey.getEphemeralKey();
+ keyInfo.setEphemeralKey(ephemeralKey);
Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
// Append the EncryptedKey to a KeyInfo element
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/InboundWSSecurityContextImplTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/InboundWSSecurityContextImplTest.java?rev=1406211&r1=1406210&r2=1406211&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/InboundWSSecurityContextImplTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/InboundWSSecurityContextImplTest.java Tue Nov 6 16:36:23 2012
@@ -46,8 +46,8 @@ import java.util.LinkedList;
import java.util.List;
/**
- * @author $Author: giger $
- * @version $Revision: 1297086 $ $Date: 2012-03-05 16:25:08 +0100 (Mon, 05 Mar 2012) $
+ * @author $Author$
+ * @version $Revision$ $Date$
*/
public class InboundWSSecurityContextImplTest {
@@ -509,7 +509,7 @@ public class InboundWSSecurityContextImp
XMLSecEvent samlTokenXmlEvent = XMLSecEventFactory.createXmlSecStartElement(WSSConstants.TAG_wsse_UsernameToken, null, null);
SAMLSecurityToken samlSecurityToken = new SAMLSecurityToken(
- SAMLVersion.VERSION_20, new SAMLKeyInfo(getX509Token(WSSConstants.X509V3Token).getX509Certificates()), null, null, "1");
+ SAMLVersion.VERSION_20, getX509Token(WSSConstants.X509V3Token), null, null, null, "1", WSSConstants.WSSKeyIdentifierType.X509_KEY_IDENTIFIER);
samlSecurityToken.setElementPath(samlTokenPath);
samlSecurityToken.setXMLSecEvent(samlTokenXmlEvent);
samlSecurityToken.addTokenUsage(SecurityToken.TokenUsage.Encryption);
Propchange: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/InboundWSSecurityContextImplTest.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision