Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2009/08/21 15:43:43 UTC
svn commit: r806549 [1/2] - in /webservices/wss4j/trunk:
src/org/apache/ws/security/ src/org/apache/ws/security/action/
src/org/apache/ws/security/components/crypto/
src/org/apache/ws/security/handler/ src/org/apache/ws/security/message/
src/org/apache...
Author: coheigea
Date: Fri Aug 21 13:43:42 2009
New Revision: 806549
URL: http://svn.apache.org/viewvc?rev=806549&view=rev
Log:
[WSS-203] - Moved to JSR-105 APIs for XML digital signature creation
- Processing move to follow.
- All the tests are passing...there are a few hacks in there though that need to be ironed out.
Added:
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509Data.java (with props)
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509IssuerSerial.java (with props)
webservices/wss4j/trunk/src/org/apache/ws/security/transform/STRApacheTransform.java (with props)
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java
webservices/wss4j/trunk/src/org/apache/ws/security/WSEncryptionPart.java
webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java
webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncryptedKey.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
webservices/wss4j/trunk/src/org/apache/ws/security/saml/WSSecSignatureSAML.java
webservices/wss4j/trunk/src/org/apache/ws/security/transform/STRTransform.java
webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java
webservices/wss4j/trunk/test/wssec/TestWSSecurityNew6.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java?rev=806549&r1=806548&r2=806549&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java Fri Aug 21 13:43:42 2009
@@ -95,7 +95,14 @@
public static final String AES_256 = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256;
public static final String AES_192 = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192;
public static final String DSA = XMLSignature.ALGO_ID_SIGNATURE_DSA;
- public static final String RSA = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
+ public static final String RSA = XMLSignature.ALGO_ID_SIGNATURE_RSA;
+ public static final String RSA_SHA1 = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
+ public static final String SHA1 = Constants.ALGO_ID_DIGEST_SHA1;
+ public static final String HMAC_SHA1 = XMLSignature.ALGO_ID_MAC_HMAC_SHA1;
+ public static final String HMAC_SHA256 = XMLSignature.ALGO_ID_MAC_HMAC_SHA256;
+ public static final String HMAC_SHA384 = XMLSignature.ALGO_ID_MAC_HMAC_SHA384;
+ public static final String HMAC_SHA512 = XMLSignature.ALGO_ID_MAC_HMAC_SHA512;
+ public static final String HMAC_MD5 = XMLSignature.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5;
public static final String WST_NS = "http://schemas.xmlsoap.org/ws/2005/02/trust";
public final static String WSC_SCT = "http://schemas.xmlsoap.org/ws/2005/02/sc/sct";
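Review bot: `HMAC_MD5` on the added line re-exports Santuario's `ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5` under a neutral name, so nothing at a WSConstants call site signals that the algorithm is discouraged; a Javadoc line above it, `/** HMAC-MD5 — not recommended; present only for interoperability with legacy peers. */`, keeps that signal. None of the new algorithm constants carry Javadoc, and a one-line comment per group (signature, digest, MAC) would help readers who previously went to the XMLSignature constants for that context. `RSA` now aliases `ALGO_ID_SIGNATURE_RSA` instead of the `_SHA1` variant; as far as I recall both resolve to the same rsa-sha1 URI, but since this is a public constant a comment stating the intended URI would close the question.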
@@ -130,6 +137,11 @@
public static final String PW_TEXT = "PasswordText";
public static final String PW_NONE = "PasswordNone";
public static final String ENCRYPTED_HEADER = "EncryptedHeader";
+ public static final String X509_ISSUER_SERIAL_LN = "X509IssuerSerial";
+ public static final String X509_ISSUER_NAME_LN = "X509IssuerName";
+ public static final String X509_SERIAL_NUMBER_LN = "X509SerialNumber";
+ public static final String X509_DATA_LN = "X509Data";
+ public static final String X509_CERT_LN = "X509Certificate";
public static final String ELEM_ENVELOPE = "Envelope";
public static final String ELEM_HEADER = "Header";
@@ -148,6 +160,7 @@
public static final String DEFAULT_SOAP_PREFIX = "soapenv";
public static final String SIG_PREFIX = "ds";
public static final String ENC_PREFIX = "xenc";
+ public static final String C14N_EXCL_OMIT_COMMENTS_PREFIX = "ec";
//
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSEncryptionPart.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/WSEncryptionPart.java?rev=806549&r1=806548&r2=806549&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSEncryptionPart.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSEncryptionPart.java Fri Aug 21 13:43:42 2009
@@ -27,7 +27,6 @@
private String name;
private String namespace;
private String encModifier;
- private String encId;
private String id;
/**
@@ -124,12 +123,12 @@
return id;
}
- public void setEncId(String id) {
- encId = id;
- }
-
- public String getEncId() {
- return encId;
+ /**
+ * Set the id
+ * @param id
+ */
+ public void setId(String id) {
+ this.id = id;
}
/**
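Review bot: The public `getEncId`/`setEncId` pair is removed outright, which breaks any external caller compiled against the previous API; the usual path is to keep them for one release marked `@deprecated`, delegating to `getId`/`setId`. The new Javadoc on `setId` has a bare `@param id` with no description — `@param id the id to associate with this part` at least says what is stored. The getter above the hunk starts outside it.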
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java?rev=806549&r1=806548&r2=806549&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java Fri Aug 21 13:43:42 2009
@@ -238,7 +238,7 @@
};
protected WsuIdAllocator idAllocator = DEFAULT_ID_ALLOCATOR;
- protected HashMap jceProvider = new HashMap(10);
+ protected java.util.Map jceProvider = new HashMap(10);
/**
* The known actions. This map is of the form <Integer, String> or <Integer, Action>.
@@ -287,7 +287,18 @@
org.apache.xml.security.Init.init();
if (addJceProviders) {
addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
+ String xmlDSigName =
+ addJceProvider("XMLDSig", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
+ if (xmlDSigName != null) {
+ java.security.Provider provider =
+ java.security.Security.getProvider(xmlDSigName);
+ provider.put(
+ "TransformService." + STRTransform.TRANSFORM_URI,
+ "org.apache.ws.security.transform.STRApacheTransform"
+ );
+ }
}
+
Transform.init();
try {
Transform.register(
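Review bot: `provider.put(...)` on the added lines mutates the XMLDSig provider that is registered JVM-wide, so every user of the JSR-105 API in the process — not only WSS4J — picks up the STR TransformService mapping; that deserves a comment such as `// Register the STR-Transform TransformService with the JSR-105 provider (process-wide)`. `java.security.Security.getProvider(xmlDSigName)` can return null (the cached branch of `addJceProvider` returns the alias passed in, which need not be the registered name), and the unguarded `put` would then NPE inside static initialisation; `if (provider != null) { provider.put(...); }` is the cheap guard. If a SecurityManager is installed, `Provider.put` also requires the `putProviderProperty.<name>` permission, which this initialiser does not catch — worth a note, since the `try` around `Transform.register` below does not cover it.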
@@ -299,6 +310,7 @@
log.debug(ex.getMessage(), ex);
}
}
+
staticallyInitialized = true;
}
}
@@ -568,12 +580,19 @@
return null;
}
- private boolean loadProvider(String id, String className) {
+
+ /**
+ * Load the provider of the specified name, and of the specified class. Return either the
+ * name of the previously loaded provider, the name of the new loaded provider, or null if
+ * there's an exception in loading the provider.
+ */
+ private String loadProvider(String name, String className) {
try {
- if (java.security.Security.getProvider(id) == null) {
+ if (java.security.Security.getProvider(name) == null) {
Class c = Loader.loadClass(className, false);
java.security.Provider[] provs =
java.security.Security.getProviders();
+ java.security.Provider newProvider = (java.security.Provider)c.newInstance();
//
// Install the provider after the SUN provider (see WSS-99)
// Otherwise fall back to the old behaviour of inserting
@@ -586,27 +605,28 @@
|| "IBMJCE".equals(provs[i].getName())) {
ret =
java.security.Security.insertProviderAt(
- (java.security.Provider) c.newInstance(), i + 2
+ newProvider, i + 2
);
break;
}
}
if (ret == 0) {
- ret =
- java.security.Security.insertProviderAt(
- (java.security.Provider) c.newInstance(), 2
- );
+ ret = java.security.Security.insertProviderAt(newProvider, 2);
}
if (log.isDebugEnabled()) {
- log.debug("The provider " + id + " was added at position: " + ret);
- }
+ log.debug(
+ "The provider " + newProvider.getName() + " was added at position: " + ret
+ );
+ }
+ return newProvider.getName();
+ } else {
+ return name;
}
- return true;
} catch (Throwable t) {
if (log.isDebugEnabled()) {
- log.debug("The provider " + id + " could not be added: " + t.getMessage());
+ log.debug("The provider " + name + " could not be added: " + t.getMessage(), t);
}
- return false;
+ return null;
}
}
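Review bot: A return of `-1` from `insertProviderAt` (provider already installed under its real name, which can happen when `name` is an alias that differs from `newProvider.getName()`) is treated as success: the debug line reports "added at position: -1" and the real name is returned. Returning the name is arguably right, but the log should say what happened, e.g. `if (ret == -1) log.debug("The provider " + newProvider.getName() + " was already installed");`. The `catch (Throwable t)` is pre-existing and keeps optional providers optional, but it also hides `Error`s such as `NoClassDefFoundError` at debug level, which the new Javadoc ("an exception in loading the provider") could state explicitly. The method's signature and Javadoc sit in the previous hunk.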
@@ -617,21 +637,22 @@
* If the provider is not already known the method loads a security provider
* class and adds the provider to the java security service.
*
- *
- * @param id
- * The id string of the provider
+ * @param name
+ * The name string of the provider (this may not be the real name of the provider)
* @param className
* Name of the class the implements the provider. This class must
* be a subclass of <code>java.security.Provider</code>
*
- * @return Returns <code>true</code> if the provider was successfully
- * added, <code>false</code> otherwise.
+ * @return Returns the actual name of the provider that was loaded
*/
- public boolean addJceProvider(String id, String className) {
- if (jceProvider.get(id) == null && loadProvider(id, className)) {
- jceProvider.put(id, className);
- return true;
+ public String addJceProvider(String name, String className) {
+ if (jceProvider.get(name) == null) {
+ String newName = loadProvider(name, className);
+ if (newName != null) {
+ jceProvider.put(newName, className);
+ }
+ return newName;
}
- return false;
+ return name;
}
}
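Review bot: The new `@return` on `addJceProvider` omits the null case: `loadProvider` returns null on failure and this method passes it through, so ` * @return the actual name of the provider that was loaded, or null if it could not be loaded` is the accurate contract. The cache is also written under `newName` but probed under `name`, so whenever the alias differs from the registered name the lookup never hits and `loadProvider` re-runs on every call; adding `jceProvider.put(name, className);` alongside the existing put would make the check effective — hedged, since for "BC" and "XMLDSig" the two names appear to coincide.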
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java?rev=806549&r1=806548&r2=806549&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java Fri Aug 21 13:43:42 2009
@@ -32,7 +32,6 @@
import org.apache.ws.security.message.WSSecUsernameToken;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Document;
/**
@@ -83,7 +82,7 @@
sign.setCustomTokenId(builder.getId());
sign.setSecretKey(builder.getSecretKey());
sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
- sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+ sign.setSignatureAlgorithm(WSConstants.HMAC_SHA1);
if (reqData.getSigDigestAlgorithm() != null) {
sign.setDigestAlgo(reqData.getSigDigestAlgorithm());
}
@@ -93,8 +92,8 @@
// prepend in this order: first the Signature Element and then the
// UsernameToken Element. This way the server gets the UsernameToken
// first, can check it and are prepared to compute the Signature key.
- sign.prependToHeader(reqData.getSecHeader());
- builder.prependToHeader(reqData.getSecHeader());
+ // sign.prependToHeader(reqData.getSecHeader());
+ // builder.prependToHeader(reqData.getSecHeader());
List parts = null;
if (reqData.getSignatureParts().size() > 0) {
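Review bot: The two `prependToHeader` calls are commented out rather than deleted, and the comment above them (prepend the Signature first, then the UsernameToken) now describes ordering that happens elsewhere: the Signature element is inserted by `computeSignature`, and the token by the `builder.prependToHeader` call added at the end of the method in the next hunk. Either delete the commented lines and move the explanatory comment next to that later call, or replace them with a pointer such as `// The Signature is inserted by computeSignature(); the UsernameToken is prepended after signing, see below.`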
@@ -109,15 +108,16 @@
new WSEncryptionPart(WSConstants.ELEM_BODY, soapConstants.getEnvelopeURI(), "Content");
parts.add(encP);
}
- sign.addReferencesToSign(parts, reqData.getSecHeader());
+ List referenceList = sign.addReferencesToSign(parts, reqData.getSecHeader());
try {
- sign.computeSignature();
+ sign.computeSignature(referenceList, reqData.getSecHeader());
reqData.getSignatureValues().add(sign.getSignatureValue());
} catch (WSSecurityException e) {
throw new WSSecurityException(
"WSHandler: Error during UsernameTokenSignature", e
);
}
+ builder.prependToHeader(reqData.getSecHeader());
}
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java?rev=806549&r1=806548&r2=806549&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java Fri Aug 21 13:43:42 2009
@@ -47,6 +47,8 @@
"org.apache.ws.security.crypto.merlin.file";
public static final String OLD_CRYPTO_PROVIDER =
"org.apache.ws.security.crypto.merlin.keystore.provider";
+ public static final String OLD_CRYPTO_CERT_PROVIDER =
+ "org.apache.ws.security.crypto.merlin.cert.provider";
/*
* Crypto provider
@@ -260,7 +262,11 @@
protected String
getCryptoProvider() {
- return properties.getProperty(CRYPTO_PROVIDER);
+ String provider = properties.getProperty(CRYPTO_PROVIDER);
+ if (provider == null) {
+ provider = properties.getProperty(OLD_CRYPTO_CERT_PROVIDER);
+ }
+ return provider;
}
/**
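Review bot: The fallback to `OLD_CRYPTO_CERT_PROVIDER` is undocumented at the point of use; a comment such as `// Fall back to the legacy property name for backwards compatibility` and a Javadoc sentence on `getCryptoProvider` noting that the old key is still honoured — and that `CRYPTO_PROVIDER` wins when both are set — would tell maintainers it is deliberate. The method's Javadoc, if any, sits above the hunk.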
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java?rev=806549&r1=806548&r2=806549&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java Fri Aug 21 13:43:42 2009
@@ -289,6 +289,7 @@
if (act == WSConstants.SC || act == WSConstants.BST) {
continue;
}
+
if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act) {
return false;
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java?rev=806549&r1=806548&r2=806549&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java Fri Aug 21 13:43:42 2009
@@ -30,17 +30,25 @@
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.apache.xml.security.c14n.Canonicalizer;
-import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.keys.KeyInfo;
-import org.apache.xml.security.signature.XMLSignature;
-import org.apache.xml.security.signature.XMLSignatureException;
-import org.apache.xml.security.utils.Constants;
+
import org.w3c.dom.Document;
-import org.w3c.dom.Element;
import java.util.List;
import java.util.Vector;
+import javax.xml.crypto.XMLStructure;
+import javax.xml.crypto.dom.DOMStructure;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
+import javax.xml.crypto.dsig.SignatureMethod;
+import javax.xml.crypto.dsig.SignedInfo;
+import javax.xml.crypto.dsig.XMLSignature;
+import javax.xml.crypto.dsig.XMLSignatureFactory;
+import javax.xml.crypto.dsig.XMLSignContext;
+import javax.xml.crypto.dsig.dom.DOMSignContext;
+import javax.xml.crypto.dsig.keyinfo.KeyInfo;
+import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
+import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
+import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
+
/**
* Builder to sign with derived keys
*
@@ -52,17 +60,20 @@
private static Log log = LogFactory.getLog(WSSecDKSign.class.getName());
- protected String sigAlgo = XMLSignature.ALGO_ID_MAC_HMAC_SHA1;
- protected String digestAlgo = Constants.ALGO_ID_DIGEST_SHA1;
- protected String canonAlgo = Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS;
- protected byte[] signatureValue = null;
+ private String sigAlgo = WSConstants.HMAC_SHA1;
+ private String digestAlgo = WSConstants.SHA1;
+ private String canonAlgo = WSConstants.C14N_EXCL_OMIT_COMMENTS;
+ private byte[] signatureValue = null;
- private XMLSignature sig = null;
- private KeyInfo keyInfo = null;
private String keyInfoUri = null;
private SecurityTokenReference secRef = null;
private String strUri = null;
private WSDocInfo wsDocInfo;
+
+ private KeyInfoFactory keyInfoFactory = KeyInfoFactory.getInstance("DOM");
+ private XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance("DOM");
+ private KeyInfo keyInfo;
+ private CanonicalizationMethod c14nMethod;
public Document build(Document doc, WSSecHeader secHeader)
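Review bot: `sigAlgo`, `digestAlgo`, `canonAlgo` and `signatureValue` drop from `protected` to `private`, which breaks any subclass that read or set them; if that is intended it should be called out in the commit, otherwise keep them `protected` for one release. The new `keyInfo` and `c14nMethod` fields are only assigned in `prepare()`, so a comment `// populated by prepare(); null until then` saves readers of `computeSignature` a search. The factories are created per instance, which (as I recall from the javax.xml.crypto.dsig Javadoc) matches the note that factory instances are not guaranteed thread-safe; stating that reason in a comment would stop a later refactor from hoisting them to `static`.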
@@ -79,11 +90,18 @@
"Content"
);
parts.add(encP);
+ } else {
+ for (int i = 0; i < parts.size(); i++) {
+ WSEncryptionPart part = (WSEncryptionPart)parts.get(i);
+ if ("STRTransform".equals(part.getName()) && part.getId() == null) {
+ part.setId(strUri);
+ }
+ }
}
- addReferencesToSign(parts, secHeader);
- computeSignature();
- prependSigToHeader(secHeader);
+ List referenceList = addReferencesToSign(parts, secHeader);
+ computeSignature(referenceList, secHeader);
+
//
// prepend elements in the right order to the security header
//
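Review bot: The new `else` branch matches parts by the bare literal `"STRTransform"` and rewrites only those with a null id; neither the literal nor the intent is explained, so a comment such as `// An STRTransform part with no explicit id refers to this signature's own STR (strUri)` would help. If WSConstants already holds a constant for that name (none is visible in this diff) prefer it over the literal. `build()` continues past the hunk.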
@@ -97,32 +115,23 @@
super.prepare(doc);
wsDocInfo = new WSDocInfo(doc);
- //
- // Get an initialized XMLSignature element.
- //
- if (wssConfig.isWsiBSPCompliant() && canonAlgo.equals(WSConstants.C14N_EXCL_OMIT_COMMENTS)) {
- sig =
- WSSecSignature.createXMLSignatureInclusivePrefixes(
- doc, secHeader.getSecurityHeader(), canonAlgo, sigAlgo
- );
- } else {
- try {
- sig = new XMLSignature(doc, null, sigAlgo, canonAlgo);
- } catch (XMLSecurityException e) {
- log.error("", e);
- throw new WSSecurityException(
- WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, e
- );
+ try {
+ C14NMethodParameterSpec c14nSpec = null;
+ if (wssConfig.isWsiBSPCompliant() && canonAlgo.equals(WSConstants.C14N_EXCL_OMIT_COMMENTS)) {
+ List prefixes =
+ WSSecSignature.getInclusivePrefixes(secHeader.getSecurityHeader(), false);
+ c14nSpec = new ExcC14NParameterSpec(prefixes);
}
+
+ c14nMethod = signatureFactory.newCanonicalizationMethod(canonAlgo, c14nSpec);
+ } catch (Exception ex) {
+ log.error("", ex);
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, ex
+ );
}
-
- sig.addResourceResolver(EnvelopeIdResolver.getInstance());
- String sigUri = wssConfig.getIdAllocator().createId("SIG-", sig);
- sig.setId(sigUri);
-
- keyInfo = sig.getKeyInfo();
+
keyInfoUri = wssConfig.getIdAllocator().createSecureId("KI-", keyInfo);
- keyInfo.setId(keyInfoUri);
secRef = new SecurityTokenReference(doc);
strUri = wssConfig.getIdAllocator().createSecureId("STR-", secRef);
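Review bot: `keyInfoUri = wssConfig.getIdAllocator().createSecureId("KI-", keyInfo)` now runs while `keyInfo` is still null — the field is only assigned further down in `prepare()` (next hunk) from `keyInfoFactory.newKeyInfo(..., keyInfoUri)`. The default allocator appears to ignore the object argument, but a custom `WsuIdAllocator` that dereferences it would NPE, so pass `null` explicitly with a comment: `createSecureId("KI-", null) // the KeyInfo is built after its id is known`. The same inversion appears in `WSSecSignature.prepare()` in the hunk ending at L814. Separately, the `catch (Exception ex)` around `newCanonicalizationMethod` folds `NoSuchAlgorithmException` and `InvalidAlgorithmParameterException` into the generic `noXMLSig` error; catching those two types keeps the failure meaningful. `prepare()` starts above the hunk.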
@@ -132,47 +141,35 @@
refUt.setURI("#" + dktId);
secRef.setReference(refUt);
- keyInfo.addUnknownElement(secRef.getElement());
+ XMLStructure structure = new DOMStructure(secRef.getElement());
+ keyInfo =
+ keyInfoFactory.newKeyInfo(
+ java.util.Collections.singletonList(structure), keyInfoUri
+ );
+
}
/**
* This method adds references to the Signature.
- */
- public void addReferencesToSign(List references, WSSecHeader secHeader)
- throws WSSecurityException {
- WSSecSignature.addReferencesToSign(
- document, parts, sig, secHeader, wssConfig, digestAlgo, strUri
- );
- }
-
- /**
- * Prepends the Signature element to the elements already in the Security
- * header.
*
- * The method can be called any time after <code>prepare()</code>.
- * This allows to insert the Signature element at any position in the
- * Security header.
- *
- * @param secHeader The secHeader that holds the Signature element.
+ * @param references The list of references to sign
+ * @param secHeader The Security Header
+ * @throws WSSecurityException
*/
- public void prependSigToHeader(WSSecHeader secHeader) {
- WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), sig.getElement());
- }
-
- public void appendSigToHeader(WSSecHeader secHeader) {
- Element secHeaderElement = secHeader.getSecurityHeader();
- secHeaderElement.appendChild(sig.getElement());
+ public List addReferencesToSign(List references, WSSecHeader secHeader)
+ throws WSSecurityException {
+ return
+ WSSecSignature.addReferencesToSign(
+ document,
+ references,
+ signatureFactory,
+ secHeader,
+ wssConfig,
+ digestAlgo
+ );
}
- /**
- * Returns the signature Element.
- * The method can be called any time after <code>prepare()</code>.
- * @return the signature element
- */
- public Element getSignatureElement() {
- return sig.getElement();
- }
/**
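Review bot: `prependSigToHeader`, `appendSigToHeader` and `getSignatureElement` are public methods removed without deprecation, and with them goes the documented ability to place the Signature anywhere in the header, since `computeSignature` now always prepends it. If that is the intended new contract, the class Javadoc should say so. The retained Javadoc's `@throws WSSecurityException` has no description; `@throws WSSecurityException if a Reference cannot be created for one of the parts` (inferred from the delegate) would do.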
* Compute the Signature over the references.
@@ -183,16 +180,47 @@
*
* @throws WSSecurityException
*/
- public void computeSignature() throws WSSecurityException {
+ public void computeSignature(List referenceList, WSSecHeader secHeader) throws WSSecurityException {
boolean remove = WSDocInfoStore.store(wsDocInfo);
try {
- sig.sign(sig.createSecretKey(derivedKeyBytes));
- signatureValue = sig.getSignatureValue();
- } catch (XMLSignatureException ex) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_SIGNATURE, null, null, ex
- );
+ java.security.Key key =
+ WSSecurityUtil.prepareSecretKey(sigAlgo, derivedKeyBytes);
+ SignatureMethod signatureMethod =
+ signatureFactory.newSignatureMethod(sigAlgo, null);
+ SignedInfo signedInfo =
+ signatureFactory.newSignedInfo(c14nMethod, signatureMethod, referenceList);
+
+ XMLSignature sig =
+ signatureFactory.newXMLSignature(
+ signedInfo,
+ keyInfo,
+ null,
+ wssConfig.getIdAllocator().createId("SIG-", null),
+ null);
+
+ org.w3c.dom.Element securityHeaderElement = secHeader.getSecurityHeader();
+ //
+ // Prepend the signature element to the security header
+ //
+ XMLSignContext signContext = null;
+ if (securityHeaderElement.hasChildNodes()) {
+ org.w3c.dom.Node firstChild = securityHeaderElement.getFirstChild();
+ signContext = new DOMSignContext(key, securityHeaderElement, firstChild);
+ } else {
+ signContext = new DOMSignContext(key, securityHeaderElement);
+ }
+ signContext.putNamespacePrefix(WSConstants.SIG_NS, WSConstants.SIG_PREFIX);
+ if (WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(canonAlgo)) {
+ signContext.putNamespacePrefix(
+ WSConstants.C14N_EXCL_OMIT_COMMENTS,
+ WSConstants.C14N_EXCL_OMIT_COMMENTS_PREFIX
+ );
+ }
+ sig.sign(signContext);
+
+ signatureValue = sig.getSignatureValue().getValue();
} catch (Exception ex) {
+ log.error(ex);
throw new WSSecurityException(
WSSecurityException.FAILED_SIGNATURE, null, null, ex
);
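Review bot: `computeSignature` gains two parameters that its Javadoc (head above the hunk) does not describe; add ` * @param referenceList the References produced by addReferencesToSign` and ` * @param secHeader the security header the Signature element is prepended to`. `log.error(ex)` followed by a rethrow that carries `ex` as cause logs the exception twice once the caller logs it — drop the `log.error` or reduce it to debug. `createId("SIG-", null)` and the unconditional prepend-at-first-child each deserve a one-line comment, since the previous implementation let callers choose the position. The `finally` that undoes `WSDocInfoStore.store` lies past the hunk.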
@@ -212,7 +240,7 @@
}
/**
- * Set the signature algorithm to use. The default is XMLSignature.ALGO_ID_MAC_HMAC_SHA1
+ * Set the signature algorithm to use. The default is WSConstants.SHA1.
* @param algorithm the signature algorithm to use.
*/
public void setSignatureAlgorithm(String algorithm) {
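Review bot: The Javadoc now says the default signature algorithm is `WSConstants.SHA1`, but the field initialiser in this file is `private String sigAlgo = WSConstants.HMAC_SHA1;` and `SHA1` is the digest constant. Change the line to ` * Set the signature algorithm to use. The default is WSConstants.HMAC_SHA1.`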
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java?rev=806549&r1=806548&r2=806549&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java Fri Aug 21 13:43:42 2009
@@ -27,8 +27,8 @@
import org.apache.ws.security.message.token.DerivedKeyToken;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
+import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.apache.xml.security.utils.Base64;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java?rev=806549&r1=806548&r2=806549&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java Fri Aug 21 13:43:42 2009
@@ -451,12 +451,11 @@
}
boolean content = modifier.equals("Content") ? true : false;
- String xencEncryptedDataId =
- config.getIdAllocator().createId("ED-", elementToEncrypt);
- encPart.setEncId(xencEncryptedDataId);
//
// Encrypt data, and set necessary attributes in xenc:EncryptedData
//
+ String xencEncryptedDataId =
+ config.getIdAllocator().createId("ED-", elementToEncrypt);
try {
if (modifier.equals("Header")) {
Element elem =
@@ -607,7 +606,7 @@
doc.createElementNS(
WSConstants.ENC_NS, WSConstants.ENC_PREFIX + ":DataReference"
);
- dataReference.setAttribute("URI", dataReferenceUri);
+ dataReference.setAttributeNS(null, "URI", dataReferenceUri);
referenceList.appendChild(dataReference);
}
return referenceList;
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncryptedKey.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncryptedKey.java?rev=806549&r1=806548&r2=806549&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncryptedKey.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncryptedKey.java Fri Aug 21 13:43:42 2009
@@ -33,14 +33,16 @@
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.ws.security.message.token.DOMX509Data;
+import org.apache.ws.security.message.token.DOMX509IssuerSerial;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.util.UUIDGenerator;
import org.apache.ws.security.util.WSSecurityUtil;
+
import org.apache.xml.security.keys.KeyInfo;
-import org.apache.xml.security.keys.content.X509Data;
-import org.apache.xml.security.keys.content.x509.XMLX509IssuerSerial;
+
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Text;
@@ -243,7 +245,7 @@
if (encKeyId == null || "".equals(encKeyId)) {
encKeyId = "EK-" + UUIDGenerator.getUUID();
}
- encryptedKeyElement.setAttribute("Id", encKeyId);
+ encryptedKeyElement.setAttributeNS(null, "Id", encKeyId);
KeyInfo keyInfo = new KeyInfo(document);
SecurityTokenReference secToken = new SecurityTokenReference(document);
@@ -270,10 +272,14 @@
break;
case WSConstants.ISSUER_SERIAL:
- XMLX509IssuerSerial data = new XMLX509IssuerSerial(document, remoteCert);
- X509Data x509Data = new X509Data(document);
- x509Data.add(data);
- secToken.setX509IssuerSerial(x509Data);
+ String issuer = remoteCert.getIssuerX500Principal().getName();
+ java.math.BigInteger serialNumber = remoteCert.getSerialNumber();
+ DOMX509IssuerSerial domIssuerSerial =
+ new DOMX509IssuerSerial(
+ document, issuer, serialNumber
+ );
+ DOMX509Data domX509Data = new DOMX509Data(document, domIssuerSerial);
+ secToken.setX509Data(domX509Data);
break;
case WSConstants.BST_DIRECT_REFERENCE:
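Review bot: `remoteCert.getIssuerX500Principal().getName()` with no format argument yields the RFC 2253 string form, whereas the replaced `XMLX509IssuerSerial` obtained the issuer name by a path I cannot see here; if the two differ, the emitted `X509IssuerName` changes and a receiver that matches issuer names textually will fail to locate the certificate. Make the choice explicit and comment it, `String issuer = remoteCert.getIssuerX500Principal().getName(X500Principal.RFC2253); // RFC 2253 form; must match what the processing side compares against` (needs `javax.security.auth.x500.X500Principal` imported), and confirm that `SignatureProcessor` canonicalises before comparing.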
@@ -334,7 +340,7 @@
WSSecurityUtil.setNamespace(encryptedKey, WSConstants.ENC_NS, WSConstants.ENC_PREFIX);
Element encryptionMethod =
doc.createElementNS(WSConstants.ENC_NS, WSConstants.ENC_PREFIX + ":EncryptionMethod");
- encryptionMethod.setAttribute("Algorithm", keyTransportAlgo);
+ encryptionMethod.setAttributeNS(null, "Algorithm", keyTransportAlgo);
encryptedKey.appendChild(encryptionMethod);
return encryptedKey;
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java?rev=806549&r1=806548&r2=806549&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java Fri Aug 21 13:43:42 2009
@@ -29,28 +29,16 @@
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.ws.security.message.token.DOMX509Data;
+import org.apache.ws.security.message.token.DOMX509IssuerSerial;
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
-import org.apache.ws.security.transform.STRTransform;
+import org.apache.ws.security.transform.STRApacheTransform;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.apache.xml.security.algorithms.SignatureAlgorithm;
-import org.apache.xml.security.c14n.Canonicalizer;
-import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.keys.KeyInfo;
-import org.apache.xml.security.keys.content.X509Data;
-import org.apache.xml.security.keys.content.x509.XMLX509IssuerSerial;
-import org.apache.xml.security.keys.content.keyvalues.DSAKeyValue;
-import org.apache.xml.security.keys.content.keyvalues.RSAKeyValue;
-import org.apache.xml.security.signature.XMLSignature;
-import org.apache.xml.security.signature.XMLSignatureException;
-import org.apache.xml.security.transforms.TransformationException;
-import org.apache.xml.security.transforms.Transforms;
-import org.apache.xml.security.transforms.params.InclusiveNamespaces;
-import org.apache.xml.security.utils.Constants;
-import org.apache.xml.security.utils.XMLUtils;
+
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
@@ -59,11 +47,29 @@
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
-import java.util.HashSet;
+import java.util.Collections;
import java.util.List;
-import java.util.Set;
import java.util.Vector;
+import javax.xml.crypto.XMLStructure;
+import javax.xml.crypto.dom.DOMStructure;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
+import javax.xml.crypto.dsig.DigestMethod;
+import javax.xml.crypto.dsig.SignatureMethod;
+import javax.xml.crypto.dsig.SignedInfo;
+import javax.xml.crypto.dsig.Transform;
+import javax.xml.crypto.dsig.XMLSignature;
+import javax.xml.crypto.dsig.XMLSignatureFactory;
+import javax.xml.crypto.dsig.XMLSignContext;
+import javax.xml.crypto.dsig.dom.DOMSignContext;
+import javax.xml.crypto.dsig.keyinfo.KeyInfo;
+import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
+import javax.xml.crypto.dsig.keyinfo.KeyValue;
+import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
+import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
+import javax.xml.crypto.dsig.spec.TransformParameterSpec;
+
+
/**
* Creates a Signature according to WS Specification, X509 profile.
*
@@ -88,19 +94,23 @@
protected Document document = null;
protected WSDocInfo wsDocInfo = null;
protected String certUri = null;
- protected XMLSignature sig = null;
- protected KeyInfo keyInfo = null;
protected String keyInfoUri = null;
protected SecurityTokenReference secRef = null;
protected String strUri = null;
protected BinarySecurity bstToken = null;
+
+ protected KeyInfoFactory keyInfoFactory = KeyInfoFactory.getInstance("DOM");
+ protected XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance("DOM");
+ protected KeyInfo keyInfo;
+ protected CanonicalizationMethod c14nMethod;
+ protected XMLSignature sig;
private byte[] secretKey = null;
private String encrKeySha1value = null;
private Crypto crypto = null;
private String customTokenValueType;
private String customTokenId;
- private String digestAlgo = Constants.ALGO_ID_DIGEST_SHA1;
+ private String digestAlgo = WSConstants.SHA1;
private X509Certificate useThisCert = null;
@@ -130,38 +140,28 @@
document = doc;
wsDocInfo = new WSDocInfo(doc);
wsDocInfo.setCrypto(cr);
-
+
//
// At first get the security token (certificate) according to the parameters.
//
X509Certificate[] certs = getSigningCerts();
- //
- // Get an initialized XMLSignature element.
- //
- if (wssConfig.isWsiBSPCompliant() && canonAlgo.equals(WSConstants.C14N_EXCL_OMIT_COMMENTS)) {
- sig =
- createXMLSignatureInclusivePrefixes(
- doc, secHeader.getSecurityHeader(), canonAlgo, sigAlgo
- );
- } else {
- try {
- sig = new XMLSignature(doc, null, sigAlgo, canonAlgo);
- } catch (XMLSecurityException e) {
- log.error("", e);
- throw new WSSecurityException(
- WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, e
- );
+ try {
+ C14NMethodParameterSpec c14nSpec = null;
+ if (wssConfig.isWsiBSPCompliant() && canonAlgo.equals(WSConstants.C14N_EXCL_OMIT_COMMENTS)) {
+ List prefixes = getInclusivePrefixes(secHeader.getSecurityHeader(), false);
+ c14nSpec = new ExcC14NParameterSpec(prefixes);
}
+
+ c14nMethod = signatureFactory.newCanonicalizationMethod(canonAlgo, c14nSpec);
+ } catch (Exception ex) {
+ log.error("", ex);
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, ex
+ );
}
- sig.addResourceResolver(EnvelopeIdResolver.getInstance());
- sig.setId(wssConfig.getIdAllocator().createId("SIG-", sig));
-
- keyInfo = sig.getKeyInfo();
keyInfoUri = wssConfig.getIdAllocator().createSecureId("KI-", keyInfo);
- keyInfo.setId(keyInfoUri);
-
secRef = new SecurityTokenReference(doc);
strUri = wssConfig.getIdAllocator().createSecureId("STR-", secRef);
secRef.setID(strUri);
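Review bot: The `catch (Exception ex)` at line 799 also wraps programming errors such as the NullPointerException a null `canonAlgo` would raise at line 793, reporting them as a "noXMLSig" signature failure; `newCanonicalizationMethod` declares only `NoSuchAlgorithmException` and `InvalidAlgorithmParameterException`, so catching those two is enough. Line 809 now passes the still-null `keyInfo` field to `createSecureId("KI-", keyInfo)` where the old code passed a live object; whether the id allocator tolerates null is not visible here and deserves a check. Nothing in this hunk replaces the removed `EnvelopeIdResolver` registration from line 805, so dereferencing of `#wsu:Id` references presumably happens elsewhere and a comment pointing to it would help. `prepare()` continues outside the hunk.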
@@ -187,10 +187,12 @@
break;
case WSConstants.ISSUER_SERIAL:
- XMLX509IssuerSerial data = new XMLX509IssuerSerial(document, certs[0]);
- X509Data x509Data = new X509Data(document);
- x509Data.add(data);
- secRef.setX509IssuerSerial(x509Data);
+ String issuer = certs[0].getIssuerX500Principal().getName();
+ java.math.BigInteger serialNumber = certs[0].getSerialNumber();
+ DOMX509IssuerSerial domIssuerSerial =
+ new DOMX509IssuerSerial(doc, issuer, serialNumber);
+ DOMX509Data domX509Data = new DOMX509Data(doc, domIssuerSerial);
+ secRef.setX509Data(domX509Data);
break;
case WSConstants.X509_KEY_IDENTIFIER:
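Review bot: Line 822 emits the issuer as `X500Principal.getName()`, which is the RFC 2253 form, whereas the removed `XMLX509IssuerSerial` produced its own string form of the issuer DN; the value written into `ds:X509IssuerName` is what the receiver hands to `Crypto.getAliasForX509Cert`, so both sides must agree on the normalization. A comment would make the dependency explicit, e.g. `// RFC 2253 form; must match the issuer normalization used by Crypto.getAliasForX509Cert`. `java.math.BigInteger` is spelled out at line 823 although an import would read better next to the other `java.security` imports.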
@@ -233,26 +235,29 @@
case WSConstants.KEY_VALUE:
java.security.PublicKey publicKey = certs[0].getPublicKey();
- String pubKeyAlgo = publicKey.getAlgorithm();
- if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
- DSAKeyValue dsaKeyValue = new DSAKeyValue(document, publicKey);
- keyInfo.add(dsaKeyValue);
- } else if (pubKeyAlgo.equalsIgnoreCase("RSA")) {
- RSAKeyValue rsaKeyValue = new RSAKeyValue(document, publicKey);
- keyInfo.add(rsaKeyValue);
- } else {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "unknownSignatureAlgorithm",
- new Object[] {pubKeyAlgo}
- );
- }
+
+ try {
+ KeyValue keyValue = keyInfoFactory.newKeyValue(publicKey);
+ keyInfo =
+ keyInfoFactory.newKeyInfo(
+ java.util.Collections.singletonList(keyValue), keyInfoUri
+ );
+ } catch (java.security.KeyException ex) {
+ log.error("", ex);
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, ex
+ );
+ }
break;
default:
throw new WSSecurityException(WSSecurityException.FAILURE, "unsupportedKeyId");
}
if (keyIdentifierType != WSConstants.KEY_VALUE) {
- keyInfo.addUnknownElement(secRef.getElement());
+ XMLStructure structure = new DOMStructure(secRef.getElement());
+ keyInfo =
+ keyInfoFactory.newKeyInfo(
+ java.util.Collections.singletonList(structure), keyInfoUri
+ );
}
}
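Review bot: The `KeyException` handler at lines 854-859 reports `FAILED_SIGNATURE` with the generic "noXMLSig" key, so an unsupported public-key algorithm no longer names the algorithm the way the removed "unknownSignatureAlgorithm" branch did. Keeping that diagnostic costs one line: `throw new WSSecurityException(WSSecurityException.FAILURE, "unknownSignatureAlgorithm", new Object[] {publicKey.getAlgorithm()}, ex);`. `java.util.Collections` is written fully qualified at lines 852 and 869 even though `Collections` is imported at line 715. The enclosing method starts outside the hunk.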
@@ -291,11 +296,19 @@
"Content"
);
parts.add(encP);
+ } else {
+ for (int i = 0; i < parts.size(); i++) {
+ WSEncryptionPart part = (WSEncryptionPart)parts.get(i);
+ if ("STRTransform".equals(part.getName()) && part.getId() == null) {
+ part.setId(strUri);
+ }
+ }
}
- addReferencesToSign(parts, secHeader);
- prependToHeader(secHeader);
+ List referenceList = addReferencesToSign(parts, secHeader);
+ computeSignature(referenceList, secHeader);
+
//
// if we have a BST prepend it in front of the Signature according to
// strict layout rules.
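Review bot: Signing now happens before the BinarySecurityToken is inserted: `computeSignature` runs at line 888, while `prependBSTElementToHeader` follows at line 894 and the old post-BST `computeSignature()` call at line 896 is removed. If any reference resolves to the BST through the SecurityTokenReference, the token must therefore be reachable at signing time by some means other than the header DOM; a comment at line 888 saying where it is resolved from would make that intent clear. The loop at lines 878-883 also mutates the `WSEncryptionPart` objects by setting their Id, which is worth stating in the Javadoc since the parts list is supplied from outside this method. `build()` starts outside the hunk.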
@@ -304,8 +317,6 @@
prependBSTElementToHeader(secHeader);
}
- computeSignature();
-
return doc;
}
@@ -317,8 +328,16 @@
* @param secHeader The Security Header
* @throws WSSecurityException
*/
- public void addReferencesToSign(List references, WSSecHeader secHeader) throws WSSecurityException {
- addReferencesToSign(document, references, sig, secHeader, wssConfig, digestAlgo, strUri);
+ public List addReferencesToSign(List references, WSSecHeader secHeader) throws WSSecurityException {
+ return
+ addReferencesToSign(
+ document,
+ references,
+ signatureFactory,
+ secHeader,
+ wssConfig,
+ digestAlgo
+ );
}
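Review bot: The Javadoc at lines 901-903 was not updated for the new `List` return type and still has no `@return` tag; suggest `* @return the list of ds:Reference objects created for the given parts` before the `@throws` line. The raw `List` gives callers no hint of the element type, so naming it in the tag matters.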
@@ -331,19 +350,29 @@
* @param secHeader The Security Header
* @param wssConfig The WSSConfig
* @param digestAlgo The digest algorithm to use
- * @param strUri The SecurityTokenReference uri to use for STRTransform
* @throws WSSecurityException
*/
- public static void addReferencesToSign(
+ public static List addReferencesToSign(
Document doc,
List references,
- XMLSignature sig,
+ XMLSignatureFactory signatureFactory,
WSSecHeader secHeader,
WSSConfig wssConfig,
- String digestAlgo,
- String strUri
+ String digestAlgo
) throws WSSecurityException {
Element envelope = doc.getDocumentElement();
+
+ DigestMethod digestMethod;
+ try {
+ digestMethod = signatureFactory.newDigestMethod(digestAlgo, null);
+ } catch (Exception ex) {
+ log.error("", ex);
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, ex
+ );
+ }
+
+ List referenceList = new Vector();
for (int part = 0; part < references.size(); part++) {
WSEncryptionPart encPart = (WSEncryptionPart) references.get(part);
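Review bot: The Javadoc at lines 918-923 loses the `strUri` tag but gains no `@return` although the method now returns the reference list; suggest `* @return the list of ds:Reference objects, one per part` ahead of `@throws`. The `catch (Exception ex)` at line 941 can be narrowed to the `NoSuchAlgorithmException` and `InvalidAlgorithmParameterException` that `newDigestMethod` declares, so that unexpected runtime failures are not reported as a bad digest algorithm. `new Vector()` at line 948 pays for synchronization the single-threaded build does not need; an `ArrayList` would do. The method continues outside the hunk.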
@@ -355,9 +384,8 @@
// Set up the elements to sign. There is one reserved element
// names: "STRTransform": Setup the ds:Reference to use STR Transform
//
- Transforms transforms = new Transforms(doc);
try {
- if (idToSign != null) {
+ if (idToSign != null && !"STRTransform".equals(elemName)) {
Element toSignById =
WSSecurityUtil.findElementById(
envelope, idToSign, WSConstants.WSU_NS, false
@@ -368,18 +396,44 @@
envelope, idToSign, null, false
);
}
- transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
+ TransformParameterSpec transformSpec = null;
if (wssConfig.isWsiBSPCompliant()) {
- transforms.item(0).getElement().appendChild(
- new InclusiveNamespaces(
- doc, getInclusivePrefixes(toSignById)).getElement()
- );
+ List prefixes = getInclusivePrefixes(toSignById);
+ transformSpec = new ExcC14NParameterSpec(prefixes);
}
- sig.addDocument("#" + idToSign, transforms, digestAlgo);
- } else if (elemName.equals("STRTransform")) {
+ Transform transform =
+ signatureFactory.newTransform(
+ WSConstants.C14N_EXCL_OMIT_COMMENTS,
+ transformSpec
+ );
+ javax.xml.crypto.dsig.Reference reference =
+ signatureFactory.newReference(
+ "#" + idToSign,
+ digestMethod,
+ Collections.singletonList(transform),
+ null,
+ null
+ );
+ referenceList.add(reference);
+ } else if (idToSign != null && elemName.equals("STRTransform")) {
Element ctx = createSTRParameter(doc);
- transforms.addTransform(STRTransform.TRANSFORM_URI, ctx);
- sig.addDocument("#" + strUri, transforms, digestAlgo);
+
+ XMLStructure structure = new DOMStructure(ctx);
+ Transform transform =
+ signatureFactory.newTransform(
+ STRApacheTransform.TRANSFORM_URI,
+ structure
+ );
+
+ javax.xml.crypto.dsig.Reference reference =
+ signatureFactory.newReference(
+ "#" + idToSign,
+ digestMethod,
+ Collections.singletonList(transform),
+ null,
+ null
+ );
+ referenceList.add(reference);
} else {
String nmSpace = encPart.getNamespace();
Element elementToSign =
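Review bot: With the `strUri` parameter gone, the STRTransform branch at line 992 only fires when `idToSign` was pre-set to the STR id (which `build()` does in the hunk at lines 873-892); a caller of this public static method that passes an "STRTransform" part without an Id now falls into the generic branch at line 1013 and fails its element lookup instead of getting an STR reference, which deserves a sentence in the Javadoc. The reference construction at lines 983-991 and 1004-1012 (and again in the next hunk) is the same seven lines three times; a small private helper would leave one place to maintain. Sketch below, with the three call sites becoming `referenceList.add(newReference(signatureFactory, "#" + idToSign, digestMethod, transform));`. The method continues outside the hunk.
```java
// … unchanged: addReferencesToSign body …

/**
 * Build a ds:Reference to {@code uri} that applies the single given transform
 * and the shared digest method.
 */
private static javax.xml.crypto.dsig.Reference newReference(
    XMLSignatureFactory signatureFactory,
    String uri,
    DigestMethod digestMethod,
    Transform transform
) {
    return signatureFactory.newReference(
        uri, digestMethod, Collections.singletonList(transform), null, null
    );
}
```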
@@ -391,55 +445,37 @@
new Object[] {nmSpace + ", " + elemName}
);
}
- transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
+ TransformParameterSpec transformSpec = null;
if (wssConfig.isWsiBSPCompliant()) {
- transforms.item(0).getElement().appendChild(
- new InclusiveNamespaces(
- doc, getInclusivePrefixes(elementToSign)).getElement()
- );
+ List prefixes = getInclusivePrefixes(elementToSign);
+ transformSpec = new ExcC14NParameterSpec(prefixes);
}
- sig.addDocument("#" + setWsuId(elementToSign, wssConfig), transforms, digestAlgo);
+ Transform transform =
+ signatureFactory.newTransform(
+ WSConstants.C14N_EXCL_OMIT_COMMENTS,
+ transformSpec
+ );
+ javax.xml.crypto.dsig.Reference reference =
+ signatureFactory.newReference(
+ "#" + setWsuId(elementToSign, wssConfig),
+ digestMethod,
+ Collections.singletonList(transform),
+ null,
+ null
+ );
+ referenceList.add(reference);
}
- } catch (TransformationException ex) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, ex
- );
- } catch (XMLSignatureException ex) {
+ } catch (Exception ex) {
+ log.error("", ex);
throw new WSSecurityException(
WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, ex
);
}
}
- }
-
- /**
- * Prepends the Signature element to the elements already in the Security
- * header.
- *
- * The method can be called any time after <code>prepare()</code>.
- * This allows to insert the Signature element at any position in the
- * Security header.
- *
- * @param secHeader The secHeader that holds the Signature element.
- */
- public void prependToHeader(WSSecHeader secHeader) {
- WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), sig.getElement());
+
+ return referenceList;
}
- /**
- * Appends the Signature element to the elements already in the Security
- * header.
- *
- * The method can be called any time after <code>prepare()</code>.
- * This allows to insert the Signature element at any position in the
- * Security header.
- *
- * @param secHeader The secHeader that holds the Signature element.
- */
- public void appendToHeader(WSSecHeader secHeader) {
- Element secHeaderElement = secHeader.getSecurityHeader();
- secHeaderElement.appendChild(sig.getElement());
- }
/**
* Prepend the BinarySecurityToken to the elements already in the Security
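Review bot: The public `prependToHeader` and `appendToHeader` methods at lines 1070-1088 are removed outright rather than deprecated, and `appendToHeader` has no replacement because the new `computeSignature` (hunk at lines 1098-1153) always prepends the signature; downstream code that placed the Signature at the end of the header breaks at compile time with no migration path. If the break is intended, the class Javadoc should say that placement is now fixed. The `catch (Exception ex)` at line 1051 also turns any RuntimeException thrown while building references into a "noXMLSig" signature failure, hiding the real cause behind the wrong message key.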
@@ -470,6 +506,7 @@
bstToken = null;
}
+
/**
* Compute the Signature over the references.
*
@@ -479,16 +516,51 @@
*
* @throws WSSecurityException
*/
- public void computeSignature() throws WSSecurityException {
+ public void computeSignature(List referenceList, WSSecHeader secHeader)
+ throws WSSecurityException {
boolean remove = WSDocInfoStore.store(wsDocInfo);
try {
+ java.security.Key key;
if (secretKey == null) {
- sig.sign(crypto.getPrivateKey(user, password));
+ key = crypto.getPrivateKey(user, password);
} else {
- sig.sign(sig.createSecretKey(secretKey));
+ key = WSSecurityUtil.prepareSecretKey(sigAlgo, secretKey);
}
- signatureValue = sig.getSignatureValue();
+ SignatureMethod signatureMethod =
+ signatureFactory.newSignatureMethod(sigAlgo, null);
+ SignedInfo signedInfo =
+ signatureFactory.newSignedInfo(c14nMethod, signatureMethod, referenceList);
+
+ sig = signatureFactory.newXMLSignature(
+ signedInfo,
+ keyInfo,
+ null,
+ wssConfig.getIdAllocator().createId("SIG-", null),
+ null);
+
+ org.w3c.dom.Element securityHeaderElement = secHeader.getSecurityHeader();
+ //
+ // Prepend the signature element to the security header
+ //
+ XMLSignContext signContext = null;
+ if (securityHeaderElement.hasChildNodes()) {
+ org.w3c.dom.Node firstChild = securityHeaderElement.getFirstChild();
+ signContext = new DOMSignContext(key, securityHeaderElement, firstChild);
+ } else {
+ signContext = new DOMSignContext(key, securityHeaderElement);
+ }
+ signContext.putNamespacePrefix(WSConstants.SIG_NS, WSConstants.SIG_PREFIX);
+ if (WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(canonAlgo)) {
+ signContext.putNamespacePrefix(
+ WSConstants.C14N_EXCL_OMIT_COMMENTS,
+ WSConstants.C14N_EXCL_OMIT_COMMENTS_PREFIX
+ );
+ }
+ sig.sign(signContext);
+
+ signatureValue = sig.getSignatureValue().getValue();
} catch (Exception ex) {
+ log.error(ex);
throw new WSSecurityException(
WSSecurityException.FAILED_SIGNATURE, null, null, ex
);
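Review bot: `computeSignature` gained two parameters at line 1103 but its Javadoc (lines 1099-1101) documents only `@throws`; add `* @param referenceList the ds:Reference list produced by addReferencesToSign` and `* @param secHeader the Security header the Signature is prepended to`. `log.error(ex)` at line 1150 passes the exception as the message object, which logs only its `toString()` and no stack trace, unlike the `log.error("", ex)` form used at lines 800 and 855; use `log.error("", ex);` here too. The `catch (Exception ex)` at line 1149 wraps everything from a missing private key to a bad algorithm under the same `FAILED_SIGNATURE` code with a null message key, so callers cannot tell a configuration error from a signing failure.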
@@ -532,60 +604,25 @@
WSConstants.SIG_PREFIX + ":CanonicalizationMethod"
);
- canonElem.setAttribute("Algorithm", Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+ canonElem.setAttributeNS(null, "Algorithm", WSConstants.C14N_EXCL_OMIT_COMMENTS);
transformParam.appendChild(canonElem);
return transformParam;
}
/**
- * Create a new XMLSignature object with inclusive prefixes
- * @param doc The document that will own the signature
- * @param securityHeader The security header in which to insert the signature
- * @param c14nAlgorithm The canonicalization algorithm to use in SignedInfo
- * @param signatureAlg The signature algorithm to use in SignedInfo
- * @return A new XMLSignature object with inclusive prefixes
- * @throws WSSecurityException
+ * Get the List of inclusive prefixes from the DOM Element argument
*/
- public static XMLSignature createXMLSignatureInclusivePrefixes(
- Document doc,
- Element securityHeader,
- String c14nAlgorithm,
- String signatureAlg
- ) throws WSSecurityException {
- Element canonElem =
- XMLUtils.createElementInSignatureSpace(doc, Constants._TAG_CANONICALIZATIONMETHOD);
- canonElem.setAttribute(Constants._ATT_ALGORITHM, c14nAlgorithm);
-
- Set prefixes = getInclusivePrefixes(securityHeader, false);
- InclusiveNamespaces inclusiveNamespaces = new InclusiveNamespaces(doc, prefixes);
- canonElem.appendChild(inclusiveNamespaces.getElement());
-
- try {
- SignatureAlgorithm signatureAlgorithm = new SignatureAlgorithm(doc, signatureAlg);
- return new XMLSignature(doc, null, signatureAlgorithm.getElement(), canonElem);
- } catch (XMLSecurityException e) {
- log.error("", e);
- throw new WSSecurityException(
- WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, e
- );
- }
- }
-
-
- /**
- * Get the set of inclusive prefixes from the DOM Element argument
- */
- public static Set getInclusivePrefixes(Element target) {
+ public static List getInclusivePrefixes(Element target) {
return getInclusivePrefixes(target, true);
}
/**
- * Get the set of inclusive prefixes from the DOM Element argument
+ * Get the List of inclusive prefixes from the DOM Element argument
*/
- public static Set getInclusivePrefixes(Element target, boolean excludeVisible) {
- Set result = new HashSet();
+ public static List getInclusivePrefixes(Element target, boolean excludeVisible) {
+ List result = new Vector();
Node parent = target;
while (!(Node.DOCUMENT_NODE == parent.getParentNode().getNodeType())) {
parent = parent.getParentNode();
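Review bot: `getInclusivePrefixes` now collects into a `Vector` (line 1212) where it used a `HashSet` (line 1210), so unless the loop body below, which runs past the end of the hunk, guards each add with `contains`, the PrefixList handed to `ExcC14NParameterSpec` may now carry duplicate prefixes. The shortened Javadoc at lines 1170 and 1207 has no `@param` or `@return` tags; adding them would help, though the meaning of `excludeVisible` is decided by code outside the hunk and its description should be checked against that loop. The public `createXMLSignatureInclusivePrefixes` at lines 1172-1195 is deleted without deprecation.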
@@ -803,15 +840,6 @@
}
/**
- * Returns the SignatureElement.
- * The method can be called any time after <code>prepare()</code>.
- * @return The DOM Element of the signature.
- */
- public Element getSignatureElement() {
- return sig.getElement();
- }
-
- /**
* Returns the BST Token element.
* The method can be called any time after <code>prepare()</code>.
* @return the BST Token element
@@ -869,9 +897,9 @@
String pubKeyAlgo = certs[0].getPublicKey().getAlgorithm();
log.debug("Automatic signature algorithm detection: " + pubKeyAlgo);
if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
- sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_DSA;
+ sigAlgo = WSConstants.DSA;
} else if (pubKeyAlgo.equalsIgnoreCase("RSA")) {
- sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_RSA;
+ sigAlgo = WSConstants.RSA;
} else {
throw new WSSecurityException(
WSSecurityException.FAILURE,
Added: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509Data.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509Data.java?rev=806549&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509Data.java (added)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509Data.java Fri Aug 21 13:43:42 2009
@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message.token;
+
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.util.DOM2Writer;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+/**
+ * An X509Data token.
+ */
+public final class DOMX509Data {
+ private final Element element;
+
+ /**
+ * Constructor.
+ */
+ public DOMX509Data(Document doc, DOMX509IssuerSerial domIssuerSerial) {
+ element =
+ doc.createElementNS(
+ WSConstants.SIG_NS, WSConstants.SIG_PREFIX + ":" + WSConstants.X509_DATA_LN
+ );
+
+ element.appendChild(domIssuerSerial.getElement());
+ }
+
+
+ /**
+ * return the dom element.
+ *
+ * @return the dom element.
+ */
+ public Element getElement() {
+ return element;
+ }
+
+ /**
+ * return the string representation of the token.
+ *
+ * @return the string representation of the token.
+ */
+ public String toString() {
+ return DOM2Writer.nodeToString((Node)element);
+ }
+
+}
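Review bot: The constructor at line 1285 does not validate its arguments, so a null `domIssuerSerial` surfaces as a NullPointerException from `getElement()` at line 1291 with no message, unlike the sibling `DOMX509IssuerSerial` constructor which checks its inputs explicitly; add `if (domIssuerSerial == null) { throw new NullPointerException("The domIssuerSerial cannot be null"); }` before line 1286. `toString()` at line 1309 is missing `@Override`. The constructor Javadoc has no `@param` tags; `* @param doc the Document that will own the X509Data element` and `* @param domIssuerSerial the IssuerSerial child to wrap` would complete it.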
Propchange: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509Data.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509Data.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Added: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509IssuerSerial.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509IssuerSerial.java?rev=806549&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509IssuerSerial.java (added)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509IssuerSerial.java Fri Aug 21 13:43:42 2009
@@ -0,0 +1,141 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message.token;
+
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.util.DOM2Writer;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.Text;
+
+import java.math.BigInteger;
+
+import javax.security.auth.x500.X500Principal;
+
+/**
+ * An X.509 Issuer Serial token.
+ */
+public final class DOMX509IssuerSerial {
+ private final Element element;
+ private final String issuer;
+ private final BigInteger serialNumber;
+
+ /**
+ * Constructor.
+ */
+ public DOMX509IssuerSerial(Element issuerSerialElement) {
+ element = issuerSerialElement;
+
+ Element issuerNameElement =
+ WSSecurityUtil.getDirectChildElement(
+ element, WSConstants.X509_ISSUER_NAME_LN, WSConstants.SIG_NS
+ );
+ issuer = getChildText(issuerNameElement);
+
+ Element serialNumberElement =
+ WSSecurityUtil.getDirectChildElement(
+ element, WSConstants.X509_SERIAL_NUMBER_LN, WSConstants.SIG_NS
+ );
+ String serialNumberStr = getChildText(serialNumberElement);
+ serialNumber = new BigInteger(serialNumberStr);
+ }
+
+ /**
+ * Constructor.
+ */
+ public DOMX509IssuerSerial(Document doc, String issuer, BigInteger serialNumber) {
+ if (issuer == null) {
+ throw new NullPointerException("The issuerName cannot be null");
+ }
+ if (serialNumber == null) {
+ throw new NullPointerException("The serialNumber cannot be null");
+ }
+ new X500Principal(issuer);
+ this.issuer = issuer;
+ this.serialNumber = serialNumber;
+
+ element =
+ doc.createElementNS(
+ WSConstants.SIG_NS, WSConstants.SIG_PREFIX + ":" + WSConstants.X509_ISSUER_SERIAL_LN
+ );
+
+ Element issuerNameElement =
+ doc.createElementNS(
+ WSConstants.SIG_NS, WSConstants.SIG_PREFIX + ":" + WSConstants.X509_ISSUER_NAME_LN
+ );
+ issuerNameElement.appendChild(doc.createTextNode(issuer));
+ element.appendChild(issuerNameElement);
+
+ Element serialNumberElement =
+ doc.createElementNS(
+ WSConstants.SIG_NS, WSConstants.SIG_PREFIX + ":" + WSConstants.X509_SERIAL_NUMBER_LN
+ );
+ serialNumberElement.appendChild(doc.createTextNode(serialNumber.toString()));
+ element.appendChild(serialNumberElement);
+ }
+
+
+ /**
+ * return the dom element.
+ *
+ * @return the dom element.
+ */
+ public Element getElement() {
+ return element;
+ }
+
+ /**
+ * Return the issuer name.
+ */
+ public String getIssuer() {
+ return issuer;
+ }
+
+ /**
+ * Return the Serial Number.
+ */
+ public BigInteger getSerialNumber() {
+ return serialNumber;
+ }
+
+ /**
+ * return the string representation of the token.
+ *
+ * @return the string representation of the token.
+ */
+ public String toString() {
+ return DOM2Writer.nodeToString((Node)element);
+ }
+
+
+ private String getChildText(Node parentNode) {
+ Node node = parentNode.getFirstChild();
+ StringBuffer buffer = new StringBuffer();
+ while (node != null) {
+ if (Node.TEXT_NODE == node.getNodeType()) {
+ buffer.append(((Text)node).getData());
+ }
+ node = node.getNextSibling();
+ }
+ return buffer.toString();
+ }
+}
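Review bot: The Element constructor at lines 1370-1385 is the inbound parsing path (`SecurityTokenReference.getIssuerSerial` calls it on received messages), yet a missing `X509IssuerName`/`X509SerialNumber` child presumably makes `getDirectChildElement` return null so that `getChildText` fails with a NullPointerException, and a non-numeric serial throws `NumberFormatException` from line 1384; neither is the `WSSecurityException` the processing layer handles. Since the only caller already declares `throws WSSecurityException`, the constructor can validate both children and map the parse failure to `SECURITY_TOKEN_UNAVAILABLE`/"noToken" as the removed code did (sketch below; it needs an import of `org.apache.ws.security.WSSecurityException`). `new X500Principal(issuer)` at line 1397 is a validity check whose result is discarded, which reads like a leftover; `// validates the DN syntax, throws IllegalArgumentException otherwise` would explain it. `toString()` at line 1450 lacks `@Override` and `getChildText` could use `StringBuilder`.
```java
// … unchanged: license, package, imports, fields …

/**
 * Parse a received ds:X509IssuerSerial element.
 *
 * @param issuerSerialElement the element to parse
 * @throws WSSecurityException if the element or one of its mandatory children is
 *         missing, or the serial number is not a decimal integer
 */
public DOMX509IssuerSerial(Element issuerSerialElement) throws WSSecurityException {
    if (issuerSerialElement == null) {
        throw new WSSecurityException(
            WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
            "noToken",
            new Object[]{"Issuer/Serial data element missing"}
        );
    }
    element = issuerSerialElement;

    Element issuerNameElement =
        WSSecurityUtil.getDirectChildElement(
            element, WSConstants.X509_ISSUER_NAME_LN, WSConstants.SIG_NS
        );
    Element serialNumberElement =
        WSSecurityUtil.getDirectChildElement(
            element, WSConstants.X509_SERIAL_NUMBER_LN, WSConstants.SIG_NS
        );
    // Both children are mandatory; reject a malformed inbound token rather than
    // failing with an unchecked exception further down.
    if (issuerNameElement == null || serialNumberElement == null) {
        throw new WSSecurityException(
            WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
            "noToken",
            new Object[]{"Issuer/Serial data element missing"}
        );
    }
    issuer = getChildText(issuerNameElement);
    try {
        serialNumber = new BigInteger(getChildText(serialNumberElement));
    } catch (NumberFormatException ex) {
        throw new WSSecurityException(
            WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
            "noToken",
            new Object[]{"Issuer/Serial data element missing"},
            ex
        );
    }
}

// … unchanged: Document-based constructor, accessors, toString, getChildText …
```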
Propchange: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509IssuerSerial.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DOMX509IssuerSerial.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java?rev=806549&r1=806548&r2=806549&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java Fri Aug 21 13:43:42 2009
@@ -28,11 +28,7 @@
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.util.DOM2Writer;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.keys.content.x509.XMLX509IssuerSerial;
-import org.apache.xml.security.keys.content.X509Data;
import org.apache.ws.security.util.Base64;
-import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -69,7 +65,7 @@
private static Log log =
LogFactory.getLog(SecurityTokenReference.class.getName());
protected Element element = null;
- private XMLX509IssuerSerial issuerSerial = null;
+ private DOMX509IssuerSerial issuerSerial = null;
private byte[] skiBytes = null;
private static boolean doDebug = false;
@@ -264,6 +260,23 @@
}
}
+ //
+ // If the type is a BinarySecurityToken then check to see if it's available in
+ // the WSDocInfo
+ //
+ if (docInfo != null &&
+ (X509Security.X509_V3_TYPE.equals(type) || PKIPathSecurity.getType().equals(type))) {
+ Element bst = docInfo.getBst(uri);
+ if (bst != null) {
+ //
+ // Add the WSSE/WSU namespaces to the element for C14n
+ //
+ WSSecurityUtil.setNamespace(bst, WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX);
+ WSSecurityUtil.setNamespace(bst, WSConstants.WSU_NS, WSConstants.WSU_PREFIX);
+ return bst;
+ }
+ }
+
//
// Try to find a custom token
//
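Review bot: The new lookup at lines 1504-1515 returns a BinarySecurityToken from `WSDocInfo` rather than from the document being processed, and lines 1511-1512 add namespace declarations to that element in place; if `getBst` can hand back a token that is not part of the current header, a reference would then be checked against an element the message does not contain, so the comment should state that `WSDocInfo` only holds tokens of this message and why the in-place namespace edit is safe for canonicalization. Whether `uri` still carries its leading `#` at this point is decided above the hunk, so the `getBst(uri)` argument is worth confirming. The enclosing method starts outside the hunk.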
@@ -528,17 +541,17 @@
/**
- * Sets the X509 IssuerSerial data.
+ * Sets the X509Data.
*
- * @param ref the {@link XMLX509IssuerSerial} to put into this
+ * @param ref the {@link DOMX509Data} to put into this
* SecurityTokenReference
*/
- public void setX509IssuerSerial(X509Data ref) {
+ public void setX509Data(DOMX509Data domX509Data) {
Element elem = getFirstElement();
if (elem != null) {
- element.replaceChild(ref.getElement(), elem);
+ element.replaceChild(domX509Data.getElement(), elem);
} else {
- element.appendChild(ref.getElement());
+ element.appendChild(domX509Data.getElement());
}
}
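Review bot: The Javadoc at line 1526 still says `@param ref` while the parameter was renamed to `domX509Data` at line 1530, so the tag no longer matches; change it to `* @param domX509Data the {@link DOMX509Data} to put into this`. The method replaces whatever first child element exists (lines 1531-1534), which is unchanged behaviour but worth one sentence in the Javadoc since it silently discards a previously set child.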
@@ -589,14 +602,14 @@
}
String alias =
- crypto.getAliasForX509Cert(issuerSerial.getIssuerName(), issuerSerial.getSerialNumber());
+ crypto.getAliasForX509Cert(issuerSerial.getIssuer(), issuerSerial.getSerialNumber());
if (doDebug) {
log.debug("X509IssuerSerial alias: " + alias);
}
return alias;
}
- private XMLX509IssuerSerial getIssuerSerial() throws WSSecurityException {
+ private DOMX509IssuerSerial getIssuerSerial() throws WSSecurityException {
if (issuerSerial != null) {
return issuerSerial;
}
@@ -604,22 +617,14 @@
if (elem == null) {
return null;
}
- try {
- if (Constants._TAG_X509DATA.equals(elem.getLocalName())) {
- elem =
- (Element)WSSecurityUtil.findElement(
- elem, Constants._TAG_X509ISSUERSERIAL, Constants.SignatureSpecNS
- );
- }
- issuerSerial = new XMLX509IssuerSerial(elem, "");
- } catch (XMLSecurityException e) {
- throw new WSSecurityException(
- WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
- "noToken",
- new Object[]{"Issuer/Serial data element missing"},
- e
- );
+ if (WSConstants.X509_DATA_LN.equals(elem.getLocalName())) {
+ elem =
+ (Element)WSSecurityUtil.findElement(
+ elem, WSConstants.X509_ISSUER_SERIAL_LN, WSConstants.SIG_NS
+ );
}
+ issuerSerial = new DOMX509IssuerSerial(elem);
+
return issuerSerial;
}
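Review bot: `findElement` at line 1576 presumably returns null when the `X509Data` carries no `X509IssuerSerial` child, and line 1580 then calls `new DOMX509IssuerSerial(null)`, which fails with a NullPointerException; the removed `catch` block at lines 1567-1573 used to turn a failure to build the issuer-serial from that element into a `SECURITY_TOKEN_UNAVAILABLE` "noToken" error. Since this runs on received messages, restore the check before line 1580: `if (elem == null) { throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "noToken", new Object[]{"Issuer/Serial data element missing"}); }`.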
@@ -670,7 +675,7 @@
* the <code>SecurtityTokenReference</code>
*/
public int lengthX509IssuerSerial() {
- return length(WSConstants.SIG_NS, Constants._TAG_X509ISSUERSERIAL);
+ return length(WSConstants.SIG_NS, WSConstants.X509_ISSUER_SERIAL_LN);
}
/**
@@ -680,7 +685,7 @@
* the <code>SecurtityTokenReference</code>
*/
public int lengthX509Data() {
- return length(WSConstants.SIG_NS, Constants._TAG_X509DATA);
+ return length(WSConstants.SIG_NS, WSConstants.X509_DATA_LN);
}
/**
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java?rev=806549&r1=806548&r2=806549&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java Fri Aug 21 13:43:42 2009
@@ -45,6 +45,7 @@
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.SAMLUtil;
import org.apache.ws.security.util.WSSecurityUtil;
+
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.keyresolver.KeyResolverException;
@@ -52,6 +53,7 @@
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
+
import org.opensaml.SAMLAssertion;
import org.w3c.dom.Document;
import org.w3c.dom.Element;