You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by gi...@apache.org on 2011/10/11 20:03:15 UTC
svn commit: r1181995 [7/26] - in /webservices/wss4j/branches/swssf: ./
cxf-integration/ cxf-integration/src/main/java/org/swssf/cxfIntegration/
cxf-integration/src/main/java/org/swssf/cxfIntegration/interceptor/
cxf-integration/src/main/java/org/swssf/...
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureConfirmationInputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureConfirmationInputProcessor.java?rev=1181995&r1=1179730&r2=1181995&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureConfirmationInputProcessor.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureConfirmationInputProcessor.java Tue Oct 11 18:03:00 2011
@@ -16,12 +16,17 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.swssf.impl.processor.input;
+package org.swssf.wss.impl.processor.input;
import org.oasis_open.docs.wss.oasis_wss_wssecurity_secext_1_1.SignatureConfirmationType;
-import org.swssf.ext.*;
-import org.swssf.securityEvent.SecurityEvent;
-import org.swssf.securityEvent.SignatureValueSecurityEvent;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSSecurityProperties;
+import org.swssf.wss.ext.WSSecurityException;
+import org.swssf.wss.securityEvent.SecurityEvent;
+import org.swssf.wss.securityEvent.SignatureValueSecurityEvent;
+import org.swssf.xmlsec.ext.AbstractInputProcessor;
+import org.swssf.xmlsec.ext.InputProcessorChain;
+import org.swssf.xmlsec.ext.XMLSecurityException;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.events.EndElement;
@@ -35,16 +40,16 @@ import java.util.List;
*/
public class SignatureConfirmationInputProcessor extends AbstractInputProcessor {
- public SignatureConfirmationInputProcessor(SecurityProperties securityProperties) {
+ public SignatureConfirmationInputProcessor(WSSSecurityProperties securityProperties) {
super(securityProperties);
}
@Override
- public XMLEvent processNextHeaderEvent(InputProcessorChain inputProcessorChain) throws XMLStreamException, WSSecurityException {
+ public XMLEvent processNextHeaderEvent(InputProcessorChain inputProcessorChain) throws XMLStreamException, XMLSecurityException {
XMLEvent xmlEvent = inputProcessorChain.processHeaderEvent();
if (xmlEvent.isEndElement()) {
EndElement endElement = xmlEvent.asEndElement();
- if (endElement.getName().equals(Constants.TAG_wsse_Security)) {
+ if (endElement.getName().equals(WSSConstants.TAG_wsse_Security)) {
inputProcessorChain.removeProcessor(this);
List<SignatureValueSecurityEvent> signatureValueSecurityEventList = inputProcessorChain.getSecurityContext().getAsList(SecurityEvent.class);
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureInputHandler.java?rev=1181995&r1=1179730&r2=1181995&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureInputHandler.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureInputHandler.java Tue Oct 11 18:03:00 2011
@@ -16,198 +16,96 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.swssf.impl.processor.input;
+package org.swssf.wss.impl.processor.input;
-import org.swssf.ext.*;
-import org.swssf.impl.algorithms.SignatureAlgorithm;
-import org.swssf.impl.algorithms.SignatureAlgorithmFactory;
-import org.swssf.impl.securityToken.SecurityTokenFactory;
-import org.swssf.impl.util.SignerOutputStream;
-import org.swssf.securityEvent.AlgorithmSuiteSecurityEvent;
-import org.swssf.securityEvent.SecurityEvent;
-import org.swssf.securityEvent.SignatureTokenSecurityEvent;
-import org.w3._2000._09.xmldsig_.KeyInfoType;
-import org.w3._2000._09.xmldsig_.SignatureType;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSecurityContext;
+import org.swssf.wss.securityEvent.AlgorithmSuiteSecurityEvent;
+import org.swssf.wss.securityEvent.SecurityEvent;
+import org.swssf.wss.securityEvent.SignatureTokenSecurityEvent;
+import org.swssf.xmlsec.ext.*;
+import org.swssf.xmlsec.impl.processor.input.AbstractSignatureInputHandler;
+import org.w3._2000._09.xmldsig_.*;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.events.StartElement;
import javax.xml.stream.events.XMLEvent;
-import java.io.BufferedOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.lang.reflect.InvocationTargetException;
import java.security.InvalidKeyException;
-import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.util.Deque;
-import java.util.Iterator;
/**
* @author $Author$
* @version $Revision$ $Date$
*/
-public class SignatureInputHandler extends AbstractInputSecurityHeaderHandler {
+public class SignatureInputHandler extends AbstractSignatureInputHandler {
- public SignatureInputHandler(InputProcessorChain inputProcessorChain, SecurityProperties securityProperties, Deque<XMLEvent> eventQueue, Integer index) throws WSSecurityException, XMLStreamException {
+ public SignatureInputHandler(InputProcessorChain inputProcessorChain, XMLSecurityProperties securityProperties,
+ Deque<XMLEvent> eventQueue, Integer index) throws XMLSecurityException, XMLStreamException {
- final SignatureType signatureType = (SignatureType) parseStructure(eventQueue, index);
- verifySignedInfo(inputProcessorChain, securityProperties, signatureType, eventQueue, index);
+ super(inputProcessorChain, securityProperties, eventQueue, index);
}
@Override
protected Parseable getParseable(StartElement startElement) {
- return new SignatureType(startElement);
- }
-
- private void verifySignedInfo(InputProcessorChain inputProcessorChain, SecurityProperties securityProperties, SignatureType signatureType, Deque<XMLEvent> eventDeque, int index) throws WSSecurityException, XMLStreamException {
- //todo reparse SignedInfo when custom canonicalization method is used
- //verify SignedInfo
- SignatureVerifier signatureVerifier = new SignatureVerifier(signatureType, inputProcessorChain.getSecurityContext(), securityProperties);
-
- Iterator<XMLEvent> iterator = eventDeque.descendingIterator();
- //skip to <Signature> Element
- int i = 0;
- while (i < index) {
- iterator.next();
- i++;
- }
-
- boolean verifyElement = false;
- while (iterator.hasNext()) {
- XMLEvent xmlEvent = iterator.next();
- if (xmlEvent.isStartElement() && xmlEvent.asStartElement().getName().equals(Constants.TAG_dsig_SignedInfo)) {
- verifyElement = true;
- } else if (xmlEvent.isEndElement() && xmlEvent.asEndElement().getName().equals(Constants.TAG_dsig_SignedInfo)) {
- signatureVerifier.processEvent(xmlEvent);
- break;
- }
- if (verifyElement) {
- signatureVerifier.processEvent(xmlEvent);
+ return new SignatureType(startElement) {
+ @Override
+ protected KeyInfoType newKeyInfoType(StartElement startElement) {
+ return new org.w3._2000._09.xmldsig_.wss.KeyInfoType(startElement);
+ }
+
+ @Override
+ protected SignedInfoType newSignedInfoType(StartElement startElement) {
+ return new org.w3._2000._09.xmldsig_.wss.SignedInfoType(startElement) {
+ @Override
+ protected ReferenceType newReferenceType(StartElement startElement) {
+ return new org.w3._2000._09.xmldsig_.wss.ReferenceType(startElement) {
+ @Override
+ protected TransformsType newTransformsType(StartElement startElement) {
+ return new org.w3._2000._09.xmldsig_.wss.TransformsType(startElement) {
+ @Override
+ protected TransformType newTransformType(StartElement startElement) {
+ return new org.w3._2000._09.xmldsig_.wss.TransformType(startElement);
+ }
+ };
+ }
+ };
+ }
+ };
}
- }
- signatureVerifier.doFinal();
+ };
+ }
+ @Override
+ protected void addSignatureReferenceInputProcessorToChain(InputProcessorChain inputProcessorChain, XMLSecurityProperties securityProperties, SignatureType signatureType) {
//add processors to verify references
inputProcessorChain.addProcessor(new SignatureReferenceVerifyInputProcessor(signatureType, securityProperties));
}
-/*
- <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1022834285">
- <ds:SignedInfo>
- <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
- <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
- <ds:Reference URI="#id-1612925417">
- <ds:Transforms>
- <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
- </ds:Transforms>
- <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
- <ds:DigestValue>cy/khx5N6UobCJ1EbX+qnrGID2U=</ds:DigestValue>
- </ds:Reference>
- <ds:Reference URI="#Timestamp-1106985890">
- <ds:Transforms>
- <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
- </ds:Transforms>
- <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
- <ds:DigestValue>+p5YRII6uvUdsJ7XLKkWx1CBewE=</ds:DigestValue>
- </ds:Reference>
- </ds:SignedInfo>
- <ds:SignatureValue>
- Izg1FlI9oa4gOon2vTXi7V0EpiyCUazECVGYflbXq7/3GF8ThKGDMpush/fo1I2NVjEFTfmT2WP/
- +ZG5N2jASFptrcGbsqmuLE5JbxUP1TVKb9SigKYcOQJJ8klzmVfPXnSiRZmIU+DUT2UXopWnGNFL
- TwY0Uxja4ZuI6U8m8Tg=
- </ds:SignatureValue>
- <ds:KeyInfo Id="KeyId-1043455692">
- <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-1008354042">
- <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-3458500" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
- </wsse:SecurityTokenReference>
- </ds:KeyInfo>
- </ds:Signature>
- */
-
- public static class SignatureVerifier {
-
- private SignatureType signatureType;
- private SecurityContext securityContext;
- private SecurityProperties securityProperties;
-
- private SignerOutputStream signerOutputStream;
- private OutputStream bufferedSignerOutputStream;
- private Transformer transformer;
-
- public SignatureVerifier(SignatureType signatureType, SecurityContext securityContext, SecurityProperties securityProperties) throws WSSecurityException {
- this.signatureType = signatureType;
- this.securityContext = securityContext;
- this.securityProperties = securityProperties;
-
- try {
- createSignatureAlgorithm();
- } catch (Exception e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e);
- }
- }
-
- private void createSignatureAlgorithm() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, CertificateException, WSSecurityException {
- KeyInfoType keyInfoType = signatureType.getKeyInfo();
- SecurityToken securityToken = SecurityTokenFactory.newInstance().getSecurityToken(keyInfoType, securityProperties.getSignatureVerificationCrypto(), securityProperties.getCallbackHandler(), securityContext, this);
- securityToken.verify();
-
- SignatureTokenSecurityEvent signatureTokenSecurityEvent = new SignatureTokenSecurityEvent(SecurityEvent.Event.SignatureToken);
- signatureTokenSecurityEvent.setSecurityToken(securityToken);
- signatureTokenSecurityEvent.setSignatureValue(signatureType.getSignatureValue().getValue());
- securityContext.registerSecurityEvent(signatureTokenSecurityEvent);
-
- /*AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent(SecurityEvent.Event.AlgorithmSuite);
- algorithmSuiteSecurityEvent.setAlgorithmURI(signatureType.getSignedInfo().getSignatureMethod().getAlgorithm());
- algorithmSuiteSecurityEvent.setKeyUsage();
- securityContext.registerSecurityEvent(algorithmSuiteSecurityEvent);
- */
-
- AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent(SecurityEvent.Event.AlgorithmSuite);
- algorithmSuiteSecurityEvent.setAlgorithmURI(signatureType.getSignedInfo().getCanonicalizationMethod().getAlgorithm());
- algorithmSuiteSecurityEvent.setKeyUsage(Constants.KeyUsage.C14n);
- securityContext.registerSecurityEvent(algorithmSuiteSecurityEvent);
-
- Key verifyKey;
- if (securityToken.isAsymmetric()) {
- verifyKey = securityToken.getPublicKey(Constants.KeyUsage.Asym_Sig);
- } else {
- verifyKey = securityToken.getSecretKey(
- signatureType.getSignedInfo().getSignatureMethod().getAlgorithm(), Constants.KeyUsage.Sym_Sig);
- }
-
- SignatureAlgorithm signatureAlgorithm = SignatureAlgorithmFactory.getInstance().getSignatureAlgorithm(signatureType.getSignedInfo().getSignatureMethod().getAlgorithm());
- signatureAlgorithm.engineInitVerify(verifyKey);
- signerOutputStream = new SignerOutputStream(signatureAlgorithm);
- bufferedSignerOutputStream = new BufferedOutputStream(signerOutputStream);
-
- try {
- transformer = Utils.getTransformer(signatureType.getSignedInfo().getCanonicalizationMethod().getInclusiveNamespaces(), this.bufferedSignerOutputStream, signatureType.getSignedInfo().getCanonicalizationMethod().getAlgorithm());
- } catch (NoSuchMethodException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e);
- } catch (InstantiationException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e);
- } catch (IllegalAccessException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e);
- } catch (InvocationTargetException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e);
+ @Override
+ protected SignatureVerifier newSignatureVerifier(InputProcessorChain inputProcessorChain,
+ XMLSecurityProperties securityProperties,
+ final SignatureType signatureType) throws XMLSecurityException {
+
+ final WSSecurityContext securityContext = (WSSecurityContext) inputProcessorChain.getSecurityContext();
+ SignatureVerifier signatureVerifier = new SignatureVerifier(signatureType, inputProcessorChain.getSecurityContext(), securityProperties) {
+ @Override
+ protected void createSignatureAlgorithm(SecurityToken securityToken) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, CertificateException, XMLSecurityException {
+ SignatureTokenSecurityEvent signatureTokenSecurityEvent = new SignatureTokenSecurityEvent(SecurityEvent.Event.SignatureToken);
+ signatureTokenSecurityEvent.setSecurityToken(securityToken);
+ signatureTokenSecurityEvent.setSignatureValue(signatureType.getSignatureValue().getValue());
+ securityContext.registerSecurityEvent(signatureTokenSecurityEvent);
+
+ AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent(SecurityEvent.Event.AlgorithmSuite);
+ algorithmSuiteSecurityEvent.setAlgorithmURI(signatureType.getSignedInfo().getCanonicalizationMethod().getAlgorithm());
+ algorithmSuiteSecurityEvent.setKeyUsage(WSSConstants.C14n);
+ securityContext.registerSecurityEvent(algorithmSuiteSecurityEvent);
+ super.createSignatureAlgorithm(securityToken);
}
- }
+ };
- public void processEvent(XMLEvent xmlEvent) throws XMLStreamException {
- transformer.transform(xmlEvent);
- }
-
- public void doFinal() throws WSSecurityException {
- try {
- bufferedSignerOutputStream.close();
- if (!signerOutputStream.verify(signatureType.getSignatureValue().getValue())) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
- }
- } catch (IOException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e);
- }
- }
+ return signatureVerifier;
}
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureReferenceVerifyInputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureReferenceVerifyInputProcessor.java?rev=1181995&r1=1179730&r2=1181995&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureReferenceVerifyInputProcessor.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureReferenceVerifyInputProcessor.java Tue Oct 11 18:03:00 2011
@@ -16,35 +16,28 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.swssf.impl.processor.input;
+package org.swssf.wss.impl.processor.input;
-import org.apache.commons.codec.binary.Base64;
import org.apache.jcs.JCS;
import org.apache.jcs.access.exception.CacheException;
import org.apache.jcs.engine.ElementAttributes;
import org.oasis_open.docs.wss._2004._01.oasis_200401_wss_wssecurity_secext_1_0.TransformationParametersType;
-import org.swssf.config.JCEAlgorithmMapper;
-import org.swssf.ext.*;
-import org.swssf.impl.securityToken.SecurityTokenReference;
-import org.swssf.impl.util.DigestOutputStream;
-import org.swssf.securityEvent.*;
+import org.swssf.wss.ext.*;
+import org.swssf.wss.impl.securityToken.SecurityTokenReference;
+import org.swssf.wss.securityEvent.*;
+import org.swssf.xmlsec.ext.*;
+import org.swssf.xmlsec.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor;
import org.w3._2000._09.xmldsig_.CanonicalizationMethodType;
import org.w3._2000._09.xmldsig_.ReferenceType;
import org.w3._2000._09.xmldsig_.SignatureType;
-import org.w3._2000._09.xmldsig_.TransformType;
import org.xmlsecurity.ns.configuration.AlgorithmType;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.events.Attribute;
-import javax.xml.stream.events.EndElement;
import javax.xml.stream.events.StartElement;
import javax.xml.stream.events.XMLEvent;
-import java.io.BufferedOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
import java.lang.reflect.InvocationTargetException;
-import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.Date;
@@ -55,7 +48,7 @@ import java.util.List;
* @author $Author$
* @version $Revision$ $Date$
*/
-public class SignatureReferenceVerifyInputProcessor extends AbstractInputProcessor {
+public class SignatureReferenceVerifyInputProcessor extends AbstractSignatureReferenceVerifyInputProcessor {
private static final String cacheRegionName = "timestamp";
@@ -69,23 +62,15 @@ public class SignatureReferenceVerifyInp
}
}
- private SignatureType signatureType;
private boolean replayChecked = false;
- public SignatureReferenceVerifyInputProcessor(SignatureType signatureType, SecurityProperties securityProperties) {
- super(securityProperties);
- this.signatureType = signatureType;
- this.getAfterProcessors().add(SignatureInputHandler.class.getName());
+ public SignatureReferenceVerifyInputProcessor(SignatureType signatureType, XMLSecurityProperties securityProperties) {
+ super(signatureType, securityProperties);
this.getAfterProcessors().add(SignatureReferenceVerifyInputProcessor.class.getName());
}
@Override
- public XMLEvent processNextHeaderEvent(InputProcessorChain inputProcessorChain) throws XMLStreamException, WSSecurityException {
- return inputProcessorChain.processHeaderEvent();
- }
-
- @Override
- public XMLEvent processNextEvent(InputProcessorChain inputProcessorChain) throws XMLStreamException, WSSecurityException {
+ public XMLEvent processNextEvent(InputProcessorChain inputProcessorChain) throws XMLStreamException, XMLSecurityException {
//this is the earliest possible point to check for an replay attack
if (!replayChecked) {
@@ -97,49 +82,41 @@ public class SignatureReferenceVerifyInp
if (xmlEvent.isStartElement()) {
StartElement startElement = xmlEvent.asStartElement();
+ ReferenceType referenceType = matchesReferenceId(startElement);
+ if (referenceType != null) {
- Attribute refId = startElement.getAttributeByName(Constants.ATT_wsu_Id);
- if (refId != null) {
- List<ReferenceType> references = signatureType.getSignedInfo().getReference();
- for (int i = 0; i < references.size(); i++) {
- ReferenceType referenceType = references.get(i);
- if (refId.getValue().equals(referenceType.getURI())) {
- logger.debug("Found signature reference: " + refId.getValue() + " on element" + startElement.getName());
- if (referenceType.isProcessed()) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "duplicateId");
- }
- InternalSignatureReferenceVerifier internalSignatureReferenceVerifier =
- new InternalSignatureReferenceVerifier(getSecurityProperties(), inputProcessorChain, referenceType, startElement.getName());
- if (!internalSignatureReferenceVerifier.isFinished()) {
- internalSignatureReferenceVerifier.processEvent(xmlEvent, inputProcessorChain);
- inputProcessorChain.addProcessor(internalSignatureReferenceVerifier);
- }
- referenceType.setProcessed(true);
- inputProcessorChain.getDocumentContext().setIsInSignedContent();
-
- //fire a SecurityEvent:
- if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 3
- && inputProcessorChain.getDocumentContext().isInSOAPHeader()) {
- SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(SecurityEvent.Event.SignedPart, false);
- signedPartSecurityEvent.setElement(startElement.getName());
- inputProcessorChain.getSecurityContext().registerSecurityEvent(signedPartSecurityEvent);
- } else {
- SignedElementSecurityEvent signedElementSecurityEvent = new SignedElementSecurityEvent(SecurityEvent.Event.SignedElement, false);
- signedElementSecurityEvent.setElement(startElement.getName());
- inputProcessorChain.getSecurityContext().registerSecurityEvent(signedElementSecurityEvent);
- }
- }
+ if (referenceType.isProcessed()) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "duplicateId");
+ }
+ InternalSignatureReferenceVerifier internalSignatureReferenceVerifier =
+ new InternalSignatureReferenceVerifier(((WSSSecurityProperties) getSecurityProperties()), inputProcessorChain, referenceType, startElement.getName());
+ if (!internalSignatureReferenceVerifier.isFinished()) {
+ internalSignatureReferenceVerifier.processEvent(xmlEvent, inputProcessorChain);
+ inputProcessorChain.addProcessor(internalSignatureReferenceVerifier);
+ }
+ referenceType.setProcessed(true);
+ inputProcessorChain.getDocumentContext().setIsInSignedContent();
+
+ //fire a SecurityEvent:
+ if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 3
+ && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPHeader()) {
+ SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(SecurityEvent.Event.SignedPart, false);
+ signedPartSecurityEvent.setElement(startElement.getName());
+ ((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(signedPartSecurityEvent);
+ } else {
+ SignedElementSecurityEvent signedElementSecurityEvent = new SignedElementSecurityEvent(SecurityEvent.Event.SignedElement, false);
+ signedElementSecurityEvent.setElement(startElement.getName());
+ ((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(signedElementSecurityEvent);
}
}
}
-
return xmlEvent;
}
private void detectReplayAttack(InputProcessorChain inputProcessorChain) throws WSSecurityException {
- TimestampSecurityEvent timestampSecurityEvent = inputProcessorChain.getSecurityContext().get(Constants.PROP_TIMESTAMP_SECURITYEVENT);
+ TimestampSecurityEvent timestampSecurityEvent = inputProcessorChain.getSecurityContext().get(WSSConstants.PROP_TIMESTAMP_SECURITYEVENT);
if (timestampSecurityEvent != null) {
- final String cacheKey = String.valueOf(timestampSecurityEvent.getCreated().getTimeInMillis()) + signatureType.getSignatureValue().getRawValue();
+ final String cacheKey = String.valueOf(timestampSecurityEvent.getCreated().getTimeInMillis()) + getSignatureType().getSignatureValue().getRawValue();
if (cache.get(cacheKey) != null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.MESSAGE_EXPIRED);
}
@@ -159,60 +136,38 @@ public class SignatureReferenceVerifyInp
}
@Override
- public void doFinal(InputProcessorChain inputProcessorChain) throws XMLStreamException, WSSecurityException {
- List<ReferenceType> references = signatureType.getSignedInfo().getReference();
- for (int i = 0; i < references.size(); i++) {
- ReferenceType referenceType = references.get(i);
- if (!referenceType.isProcessed()) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "unprocessedSignatureReferences");
- }
+ public Attribute getReferenceIDAttribute(StartElement startElement) {
+ Attribute attribute = startElement.getAttributeByName(WSSConstants.ATT_wsu_Id);
+ if (attribute == null) {
+ attribute = super.getReferenceIDAttribute(startElement);
}
- inputProcessorChain.doFinal();
+ return attribute;
}
- class InternalSignatureReferenceVerifier extends AbstractInputProcessor {
- private ReferenceType referenceType;
-
- private Transformer transformer;
- private DigestOutputStream digestOutputStream;
- private OutputStream bufferedDigestOutputStream;
- private QName startElement;
- private int elementCounter = 0;
- private boolean finished = false;
+ class InternalSignatureReferenceVerifier extends AbstractSignatureReferenceVerifyInputProcessor.InternalSignatureReferenceVerifier {
- public InternalSignatureReferenceVerifier(SecurityProperties securityProperties, InputProcessorChain inputProcessorChain, ReferenceType referenceType, QName startElement) throws WSSecurityException {
- super(securityProperties);
+ InternalSignatureReferenceVerifier(WSSSecurityProperties securityProperties, InputProcessorChain inputProcessorChain, ReferenceType referenceType, QName startElement) throws XMLSecurityException {
+ super(securityProperties, inputProcessorChain, referenceType, startElement);
this.getAfterProcessors().add(SignatureReferenceVerifyInputProcessor.class.getName());
- this.startElement = startElement;
- this.referenceType = referenceType;
- try {
- createMessageDigest(inputProcessorChain.getSecurityContext());
- buildTransformerChain(referenceType, inputProcessorChain);
- } catch (Exception e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e);
- }
}
- private void createMessageDigest(SecurityContext securityContext) throws WSSecurityException, NoSuchAlgorithmException, NoSuchProviderException {
- AlgorithmType digestAlgorithm = JCEAlgorithmMapper.getAlgorithmMapping(referenceType.getDigestMethod().getAlgorithm());
+ protected AlgorithmType createMessageDigest(SecurityContext securityContext) throws XMLSecurityException, NoSuchAlgorithmException, NoSuchProviderException {
+ AlgorithmType digestAlgorithm = super.createMessageDigest(securityContext);
AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent(SecurityEvent.Event.AlgorithmSuite);
algorithmSuiteSecurityEvent.setAlgorithmURI(digestAlgorithm.getURI());
- algorithmSuiteSecurityEvent.setKeyUsage(Constants.KeyUsage.Dig);
- securityContext.registerSecurityEvent(algorithmSuiteSecurityEvent);
-
- MessageDigest messageDigest = MessageDigest.getInstance(digestAlgorithm.getJCEName(), digestAlgorithm.getJCEProvider());
- this.digestOutputStream = new DigestOutputStream(messageDigest);
- this.bufferedDigestOutputStream = new BufferedOutputStream(this.digestOutputStream);
+ algorithmSuiteSecurityEvent.setKeyUsage(WSSConstants.Dig);
+ ((WSSecurityContext) securityContext).registerSecurityEvent(algorithmSuiteSecurityEvent);
+ return digestAlgorithm;
}
- private void buildTransformerChain(ReferenceType referenceType, InputProcessorChain inputProcessorChain) throws WSSecurityException, XMLStreamException, NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
- List<TransformType> transformTypeList = referenceType.getTransforms().getTransform();
+ protected void buildTransformerChain(ReferenceType referenceType, InputProcessorChain inputProcessorChain) throws XMLSecurityException, XMLStreamException, NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
+ List<org.w3._2000._09.xmldsig_.wss.TransformType> transformTypeList = (List<org.w3._2000._09.xmldsig_.wss.TransformType>) (List<?>) referenceType.getTransforms().getTransform();
String algorithm = null;
Transformer parentTransformer = null;
for (int i = transformTypeList.size() - 1; i >= 0; i--) {
- TransformType transformType = transformTypeList.get(i);
+ org.w3._2000._09.xmldsig_.wss.TransformType transformType = transformTypeList.get(i);
if (transformType.getTransformationParametersType() != null) {
TransformationParametersType transformationParametersType = transformType.getTransformationParametersType();
@@ -220,33 +175,33 @@ public class SignatureReferenceVerifyInp
if (canonicalizationMethodType != null) {
algorithm = canonicalizationMethodType.getAlgorithm();
String inclusiveNamespaces = canonicalizationMethodType.getInclusiveNamespaces();
- if (Constants.SOAPMESSAGE_NS10_STRTransform.equals(transformType.getAlgorithm())) {
+ if (WSSConstants.SOAPMESSAGE_NS10_STRTransform.equals(transformType.getAlgorithm())) {
if (inclusiveNamespaces == null) {
inclusiveNamespaces = "#default";
} else {
inclusiveNamespaces = "#default " + inclusiveNamespaces;
}
}
- parentTransformer = Utils.getTransformer(inclusiveNamespaces, this.bufferedDigestOutputStream, algorithm);
+ parentTransformer = WSSUtils.getTransformer(inclusiveNamespaces, this.getBufferedDigestOutputStream(), algorithm);
}
}
algorithm = transformType.getAlgorithm();
AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent(SecurityEvent.Event.AlgorithmSuite);
algorithmSuiteSecurityEvent.setAlgorithmURI(algorithm);
- algorithmSuiteSecurityEvent.setKeyUsage(Constants.KeyUsage.C14n);
- inputProcessorChain.getSecurityContext().registerSecurityEvent(algorithmSuiteSecurityEvent);
+ algorithmSuiteSecurityEvent.setKeyUsage(WSSConstants.C14n);
+ ((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(algorithmSuiteSecurityEvent);
if (parentTransformer != null) {
- parentTransformer = Utils.getTransformer(parentTransformer, transformType.getInclusiveNamespaces(), algorithm);
+ parentTransformer = WSSUtils.getTransformer(parentTransformer, transformType.getInclusiveNamespaces(), algorithm);
} else {
- parentTransformer = Utils.getTransformer(transformType.getInclusiveNamespaces(), this.bufferedDigestOutputStream, algorithm);
+ parentTransformer = WSSUtils.getTransformer(transformType.getInclusiveNamespaces(), this.getBufferedDigestOutputStream(), algorithm);
}
}
- this.transformer = parentTransformer;
+ this.setTransformer(parentTransformer);
- if (Constants.SOAPMESSAGE_NS10_STRTransform.equals(algorithm)) {
+ if (WSSConstants.SOAPMESSAGE_NS10_STRTransform.equals(algorithm)) {
SecurityTokenProvider securityTokenProvider = inputProcessorChain.getSecurityContext().getSecurityTokenProvider(referenceType.getURI());
if (securityTokenProvider == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noReference");
@@ -256,7 +211,7 @@ public class SignatureReferenceVerifyInp
throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN);
}
SecurityTokenReference securityTokenReference = (SecurityTokenReference) securityToken;
- this.startElement = securityTokenReference.getXmlEvents().getLast().asStartElement().getName();
+ this.setStartElement(securityTokenReference.getXmlEvents().getLast().asStartElement().getName());
Iterator<XMLEvent> xmlEventIterator = securityTokenReference.getXmlEvents().descendingIterator();
while (xmlEventIterator.hasNext()) {
processEvent(xmlEventIterator.next(), inputProcessorChain);
@@ -265,54 +220,8 @@ public class SignatureReferenceVerifyInp
}
@Override
- public XMLEvent processNextHeaderEvent(InputProcessorChain inputProcessorChain) throws XMLStreamException, WSSecurityException {
- return inputProcessorChain.processHeaderEvent();
- }
-
- @Override
- public XMLEvent processNextEvent(InputProcessorChain inputProcessorChain) throws XMLStreamException, WSSecurityException {
- XMLEvent xmlEvent = inputProcessorChain.processEvent();
- processEvent(xmlEvent, inputProcessorChain);
- return xmlEvent;
- }
-
- protected void processEvent(XMLEvent xmlEvent, InputProcessorChain inputProcessorChain) throws XMLStreamException, WSSecurityException {
-
- transformer.transform(xmlEvent);
-
- if (xmlEvent.isStartElement()) {
- elementCounter++;
- } else if (xmlEvent.isEndElement()) {
- EndElement endElement = xmlEvent.asEndElement();
- elementCounter--;
-
- if (endElement.getName().equals(startElement) && elementCounter == 0) {
- try {
- bufferedDigestOutputStream.close();
- } catch (IOException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e);
- }
-
- byte[] calculatedDigest = this.digestOutputStream.getDigestValue();
- byte[] storedDigest = Base64.decodeBase64(referenceType.getDigestValue());
-
- if (logger.isDebugEnabled()) {
- logger.debug("Calculated Digest: " + new String(Base64.encodeBase64(calculatedDigest)));
- logger.debug("Stored Digest: " + new String(Base64.encodeBase64(storedDigest)));
- }
-
- if (!MessageDigest.isEqual(storedDigest, calculatedDigest)) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "digestVerificationFailed", referenceType.getURI());
- }
- inputProcessorChain.removeProcessor(this);
- inputProcessorChain.getDocumentContext().unsetIsInSignedContent();
- finished = true;
- }
- }
- }
-
- public boolean isFinished() {
- return finished;
+ protected void processEvent(XMLEvent xmlEvent, InputProcessorChain inputProcessorChain) throws XMLStreamException, XMLSecurityException {
+ super.processEvent(xmlEvent, inputProcessorChain);
}
}
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/TimestampInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/TimestampInputHandler.java?rev=1181995&r1=1179730&r2=1181995&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/TimestampInputHandler.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/TimestampInputHandler.java Tue Oct 11 18:03:00 2011
@@ -16,12 +16,19 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.swssf.impl.processor.input;
+package org.swssf.wss.impl.processor.input;
import org.oasis_open.docs.wss._2004._01.oasis_200401_wss_wssecurity_utility_1_0.TimestampType;
-import org.swssf.ext.*;
-import org.swssf.securityEvent.SecurityEvent;
-import org.swssf.securityEvent.TimestampSecurityEvent;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSSecurityProperties;
+import org.swssf.wss.ext.WSSecurityContext;
+import org.swssf.wss.ext.WSSecurityException;
+import org.swssf.wss.securityEvent.SecurityEvent;
+import org.swssf.wss.securityEvent.TimestampSecurityEvent;
+import org.swssf.xmlsec.ext.AbstractInputSecurityHeaderHandler;
+import org.swssf.xmlsec.ext.InputProcessorChain;
+import org.swssf.xmlsec.ext.Parseable;
+import org.swssf.xmlsec.ext.XMLSecurityException;
import javax.xml.datatype.DatatypeConfigurationException;
import javax.xml.datatype.DatatypeFactory;
@@ -40,16 +47,16 @@ public class TimestampInputHandler exten
//Chapter 10 Security Timestamps: ...may only be present at most once per header (that is, per SOAP actor/role)
public TimestampInputHandler(InputProcessorChain inputProcessorChain,
- final SecurityProperties securityProperties,
+ final WSSSecurityProperties securityProperties,
Deque<XMLEvent> eventQueue,
- Integer index) throws WSSecurityException {
+ Integer index) throws XMLSecurityException {
- Boolean alreadyProcessed = inputProcessorChain.getSecurityContext().<Boolean>get(Constants.TIMESTAMP_PROCESSED);
+ Boolean alreadyProcessed = inputProcessorChain.getSecurityContext().<Boolean>get(WSSConstants.TIMESTAMP_PROCESSED);
if (Boolean.TRUE.equals(alreadyProcessed)) {
throw new WSSecurityException(WSSecurityException.ErrorCode.MESSAGE_EXPIRED, "invalidTimestamp",
"Message contains two or more timestamps");
}
- inputProcessorChain.getSecurityContext().put(Constants.TIMESTAMP_PROCESSED, Boolean.TRUE);
+ inputProcessorChain.getSecurityContext().put(WSSConstants.TIMESTAMP_PROCESSED, Boolean.TRUE);
final TimestampType timestampType = (TimestampType) parseStructure(eventQueue, index);
@@ -97,8 +104,8 @@ public class TimestampInputHandler exten
TimestampSecurityEvent timestampSecurityEvent = new TimestampSecurityEvent(SecurityEvent.Event.Timestamp);
timestampSecurityEvent.setCreated(crea);
timestampSecurityEvent.setExpires(exp);
- inputProcessorChain.getSecurityContext().registerSecurityEvent(timestampSecurityEvent);
- inputProcessorChain.getSecurityContext().put(Constants.PROP_TIMESTAMP_SECURITYEVENT, timestampSecurityEvent);
+ ((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(timestampSecurityEvent);
+ inputProcessorChain.getSecurityContext().put(WSSConstants.PROP_TIMESTAMP_SECURITYEVENT, timestampSecurityEvent);
} catch (DatatypeConfigurationException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/UsernameTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/UsernameTokenInputHandler.java?rev=1181995&r1=1179730&r2=1181995&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/UsernameTokenInputHandler.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/UsernameTokenInputHandler.java Tue Oct 11 18:03:00 2011
@@ -16,18 +16,19 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.swssf.impl.processor.input;
+package org.swssf.wss.impl.processor.input;
import org.apache.commons.codec.binary.Base64;
import org.apache.jcs.JCS;
import org.apache.jcs.access.exception.CacheException;
import org.apache.jcs.engine.ElementAttributes;
import org.oasis_open.docs.wss._2004._01.oasis_200401_wss_wssecurity_secext_1_0.UsernameTokenType;
-import org.swssf.crypto.Crypto;
-import org.swssf.ext.*;
-import org.swssf.impl.securityToken.SecurityTokenFactory;
-import org.swssf.securityEvent.SecurityEvent;
-import org.swssf.securityEvent.UsernameTokenSecurityEvent;
+import org.swssf.wss.ext.*;
+import org.swssf.wss.impl.securityToken.SecurityTokenFactoryImpl;
+import org.swssf.wss.securityEvent.SecurityEvent;
+import org.swssf.wss.securityEvent.UsernameTokenSecurityEvent;
+import org.swssf.xmlsec.crypto.Crypto;
+import org.swssf.xmlsec.ext.*;
import javax.xml.datatype.DatatypeConfigurationException;
import javax.xml.datatype.DatatypeFactory;
@@ -56,7 +57,9 @@ public class UsernameTokenInputHandler e
}
}
- public UsernameTokenInputHandler(final InputProcessorChain inputProcessorChain, final SecurityProperties securityProperties, Deque<XMLEvent> eventQueue, Integer index) throws WSSecurityException {
+ public UsernameTokenInputHandler(final InputProcessorChain inputProcessorChain,
+ final WSSSecurityProperties securityProperties,
+ Deque<XMLEvent> eventQueue, Integer index) throws XMLSecurityException {
final UsernameTokenType usernameTokenType = (UsernameTokenType) parseStructure(eventQueue, index);
if (usernameTokenType.getId() == null) {
@@ -78,13 +81,13 @@ public class UsernameTokenInputHandler e
GregorianCalendar createdCal = null;
byte[] nonceVal = null;
- Constants.UsernameTokenPasswordType usernameTokenPasswordType = Constants.UsernameTokenPasswordType.PASSWORD_NONE;
+ WSSConstants.UsernameTokenPasswordType usernameTokenPasswordType = WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE;
if (usernameTokenType.getPasswordType() != null) {
- usernameTokenPasswordType = Constants.UsernameTokenPasswordType.getUsernameTokenPasswordType(usernameTokenType.getPasswordType());
+ usernameTokenPasswordType = WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(usernameTokenType.getPasswordType());
}
final String username = usernameTokenType.getUsername();
- if (usernameTokenPasswordType == Constants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
+ if (usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
final String nonce = usernameTokenType.getNonce();
if (nonce == null || usernameTokenType.getCreated() == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badTokenType01");
@@ -129,7 +132,7 @@ public class UsernameTokenInputHandler e
usernameTokenType.getPasswordType(),
WSPasswordCallback.Usage.USERNAME_TOKEN);
try {
- Utils.doPasswordCallback(securityProperties.getCallbackHandler(), pwCb);
+ WSSUtils.doPasswordCallback(securityProperties.getCallbackHandler(), pwCb);
} catch (WSSecurityException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
}
@@ -140,7 +143,7 @@ public class UsernameTokenInputHandler e
nonceVal = Base64.decodeBase64(nonce);
- String passDigest = Utils.doPasswordDigest(nonceVal, usernameTokenType.getCreated(), pwCb.getPassword());
+ String passDigest = WSSUtils.doPasswordDigest(nonceVal, usernameTokenType.getCreated(), pwCb.getPassword());
if (!usernameTokenType.getPassword().equals(passDigest)) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
@@ -151,7 +154,7 @@ public class UsernameTokenInputHandler e
usernameTokenType.getPasswordType(),
WSPasswordCallback.Usage.USERNAME_TOKEN_UNKNOWN);
try {
- Utils.doPasswordCallback(securityProperties.getCallbackHandler(), pwCb);
+ WSSUtils.doPasswordCallback(securityProperties.getCallbackHandler(), pwCb);
} catch (WSSecurityException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
}
@@ -167,7 +170,7 @@ public class UsernameTokenInputHandler e
if (securityToken != null) {
return securityToken;
}
- securityToken = SecurityTokenFactory.newInstance().getSecurityToken(
+ securityToken = SecurityTokenFactoryImpl.getSecurityToken(
usernameTokenType, inputProcessorChain.getSecurityContext(), null);
securityTokens.put(crypto, securityToken);
return securityToken;
@@ -182,8 +185,8 @@ public class UsernameTokenInputHandler e
UsernameTokenSecurityEvent usernameTokenSecurityEvent = new UsernameTokenSecurityEvent(SecurityEvent.Event.UsernameToken);
usernameTokenSecurityEvent.setUsernameTokenPasswordType(usernameTokenPasswordType);
usernameTokenSecurityEvent.setSecurityToken(securityTokenProvider.getSecurityToken(null));
- usernameTokenSecurityEvent.setUsernameTokenProfile(Constants.NS_USERNAMETOKEN_PROFILE11);
- inputProcessorChain.getSecurityContext().registerSecurityEvent(usernameTokenSecurityEvent);
+ usernameTokenSecurityEvent.setUsernameTokenProfile(WSSConstants.NS_USERNAMETOKEN_PROFILE11);
+ ((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(usernameTokenSecurityEvent);
}
@Override
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/BinarySecurityTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/BinarySecurityTokenOutputProcessor.java?rev=1181995&r1=1179730&r2=1181995&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/BinarySecurityTokenOutputProcessor.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/BinarySecurityTokenOutputProcessor.java Tue Oct 11 18:03:00 2011
@@ -16,24 +16,30 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.swssf.impl.processor.output;
+package org.swssf.wss.impl.processor.output;
-import org.swssf.crypto.Crypto;
-import org.swssf.ext.*;
-import org.swssf.impl.securityToken.DelegatingSecurityToken;
-import org.swssf.impl.securityToken.ProcessorInfoSecurityToken;
-import org.swssf.impl.securityToken.X509SecurityToken;
-import org.swssf.securityEvent.SecurityEvent;
-import org.swssf.securityEvent.SignatureTokenSecurityEvent;
+import org.apache.commons.codec.binary.Base64;
+import org.swssf.wss.ext.*;
+import org.swssf.wss.impl.securityToken.DelegatingSecurityToken;
+import org.swssf.wss.impl.securityToken.ProcessorInfoSecurityToken;
+import org.swssf.wss.impl.securityToken.X509SecurityToken;
+import org.swssf.wss.securityEvent.SecurityEvent;
+import org.swssf.wss.securityEvent.SignatureTokenSecurityEvent;
+import org.swssf.xmlsec.crypto.Crypto;
+import org.swssf.xmlsec.ext.*;
+import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.events.StartElement;
import javax.xml.stream.events.XMLEvent;
import java.security.Key;
+import java.security.NoSuchProviderException;
import java.security.PublicKey;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
-import java.util.List;
-import java.util.UUID;
+import java.util.*;
/**
* @author $Author$
@@ -41,56 +47,54 @@ import java.util.UUID;
*/
public class BinarySecurityTokenOutputProcessor extends AbstractOutputProcessor {
- public BinarySecurityTokenOutputProcessor(SecurityProperties securityProperties, Constants.Action action) throws WSSecurityException {
+ public BinarySecurityTokenOutputProcessor(WSSSecurityProperties securityProperties, XMLSecurityConstants.Action action) throws XMLSecurityException {
super(securityProperties, action);
}
@Override
- public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, WSSecurityException {
+ public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
try {
final String bstId = "BST-" + UUID.randomUUID().toString();
final X509Certificate[] x509Certificates;
final Key key;
- switch (getAction()) {
- case SIGNATURE:
- case SAML_TOKEN_SIGNED:
- case SIGNATURE_WITH_DERIVED_KEY:
- String alias = getSecurityProperties().getSignatureUser();
- WSPasswordCallback pwCb = new WSPasswordCallback(alias, WSPasswordCallback.Usage.SIGNATURE);
- Utils.doPasswordCallback(getSecurityProperties().getCallbackHandler(), pwCb);
- String password = pwCb.getPassword();
- if (password == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noPassword", alias);
- }
- key = getSecurityProperties().getSignatureCrypto().getPrivateKey(alias, password);
- x509Certificates = getSecurityProperties().getSignatureCrypto().getCertificates(getSecurityProperties().getSignatureUser());
+ XMLSecurityConstants.Action action = getAction();
+ if (action.equals(WSSConstants.SIGNATURE)
+ || action.equals(WSSConstants.SAML_TOKEN_SIGNED)
+ || action.equals(WSSConstants.SIGNATURE_WITH_DERIVED_KEY)) {
+
+ String alias = getSecurityProperties().getSignatureUser();
+ WSPasswordCallback pwCb = new WSPasswordCallback(alias, WSPasswordCallback.Usage.SIGNATURE);
+ WSSUtils.doPasswordCallback(getSecurityProperties().getCallbackHandler(), pwCb);
+ String password = pwCb.getPassword();
+ if (password == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noPassword", alias);
+ }
+ key = getSecurityProperties().getSignatureCrypto().getPrivateKey(alias, password);
+ x509Certificates = getSecurityProperties().getSignatureCrypto().getCertificates(getSecurityProperties().getSignatureUser());
+ if (x509Certificates == null || x509Certificates.length == 0) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noUserCertsFound", alias);
+ }
+ } else if (action.equals(WSSConstants.ENCRYPT) ||
+ action.equals(WSSConstants.ENCRYPT_WITH_DERIVED_KEY)) {
+ X509Certificate x509Certificate = getReqSigCert(outputProcessorChain.getSecurityContext());
+ if (x509Certificate != null && ((WSSSecurityProperties) getSecurityProperties()).isUseReqSigCertForEncryption()) {
+ x509Certificates = new X509Certificate[1];
+ x509Certificates[0] = x509Certificate;
+ } else if (getSecurityProperties().getEncryptionUseThisCertificate() != null) {
+ x509Certificate = getSecurityProperties().getEncryptionUseThisCertificate();
+ x509Certificates = new X509Certificate[1];
+ x509Certificates[0] = x509Certificate;
+ } else {
+ x509Certificates = getSecurityProperties().getEncryptionCrypto().getCertificates(getSecurityProperties().getEncryptionUser());
if (x509Certificates == null || x509Certificates.length == 0) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noUserCertsFound", alias);
- }
- break;
- case ENCRYPT:
- case ENCRYPT_WITH_DERIVED_KEY:
- X509Certificate x509Certificate = getReqSigCert(outputProcessorChain.getSecurityContext());
- if (x509Certificate != null && getSecurityProperties().isUseReqSigCertForEncryption()) {
- x509Certificates = new X509Certificate[1];
- x509Certificates[0] = x509Certificate;
- } else if (getSecurityProperties().getEncryptionUseThisCertificate() != null) {
- x509Certificate = getSecurityProperties().getEncryptionUseThisCertificate();
- x509Certificates = new X509Certificate[1];
- x509Certificates[0] = x509Certificate;
- } else {
- x509Certificates = getSecurityProperties().getEncryptionCrypto().getCertificates(getSecurityProperties().getEncryptionUser());
- if (x509Certificates == null || x509Certificates.length == 0) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noUserCertsFound", getSecurityProperties().getEncryptionUser());
- }
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noUserCertsFound", getSecurityProperties().getEncryptionUser());
}
- key = null;
- break;
- default:
- x509Certificates = null;
- key = null;
- break;
+ }
+ key = null;
+ } else {
+ x509Certificates = null;
+ key = null;
}
final ProcessorInfoSecurityToken binarySecurityToken = new ProcessorInfoSecurityToken() {
@@ -113,11 +117,11 @@ public class BinarySecurityTokenOutputPr
return true;
}
- public Key getSecretKey(String algorithmURI, Constants.KeyUsage keyUsage) throws WSSecurityException {
+ public Key getSecretKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage) throws WSSecurityException {
return key;
}
- public PublicKey getPublicKey(Constants.KeyUsage keyUsage) throws WSSecurityException {
+ public PublicKey getPublicKey(XMLSecurityConstants.KeyUsage keyUsage) throws WSSecurityException {
return x509Certificates[0].getPublicKey();
}
@@ -136,7 +140,7 @@ public class BinarySecurityTokenOutputPr
return null;
}
- public Constants.TokenType getTokenType() {
+ public WSSConstants.TokenType getTokenType() {
return null;
}
};
@@ -151,51 +155,49 @@ public class BinarySecurityTokenOutputPr
}
};
- switch (getAction()) {
- case SIGNATURE:
- case SAML_TOKEN_SIGNED:
- outputProcessorChain.getSecurityContext().put(Constants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, bstId);
- if (getSecurityProperties().getSignatureKeyIdentifierType() == Constants.KeyIdentifierType.BST_DIRECT_REFERENCE) {
- outputProcessorChain.getSecurityContext().put(Constants.PROP_APPEND_SIGNATURE_ON_THIS_ID, bstId);
- FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(getSecurityProperties(), getAction(), binarySecurityToken);
- finalBinarySecurityTokenOutputProcessor.getBeforeProcessors().add(SignatureOutputProcessor.class.getName());
- outputProcessorChain.addProcessor(finalBinarySecurityTokenOutputProcessor);
- binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
- }
- break;
- case ENCRYPT:
- outputProcessorChain.getSecurityContext().put(Constants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, bstId);
- if (getSecurityProperties().getEncryptionKeyIdentifierType() == Constants.KeyIdentifierType.BST_DIRECT_REFERENCE) {
- FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(getSecurityProperties(), getAction(), binarySecurityToken);
- finalBinarySecurityTokenOutputProcessor.getAfterProcessors().add(EncryptEndingOutputProcessor.class.getName());
- outputProcessorChain.addProcessor(finalBinarySecurityTokenOutputProcessor);
- binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
- }
- break;
- case SIGNATURE_WITH_DERIVED_KEY:
- case ENCRYPT_WITH_DERIVED_KEY:
- switch (getSecurityProperties().getDerivedKeyTokenReference()) {
-
- case DirectReference:
- outputProcessorChain.getSecurityContext().put(Constants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, bstId);
- break;
- case EncryptedKey:
- outputProcessorChain.getSecurityContext().put(Constants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, bstId);
- break;
- case SecurityContextToken:
- outputProcessorChain.getSecurityContext().put(Constants.PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN, bstId);
- break;
- }
- if ((getAction() == Constants.Action.ENCRYPT_WITH_DERIVED_KEY
- && getSecurityProperties().getEncryptionKeyIdentifierType() == Constants.KeyIdentifierType.BST_DIRECT_REFERENCE)
- || (getAction() == Constants.Action.SIGNATURE_WITH_DERIVED_KEY
- && getSecurityProperties().getSignatureKeyIdentifierType() == Constants.KeyIdentifierType.BST_DIRECT_REFERENCE)) {
- FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(getSecurityProperties(), getAction(), binarySecurityToken);
- finalBinarySecurityTokenOutputProcessor.getAfterProcessors().add(EncryptEndingOutputProcessor.class.getName());
- outputProcessorChain.addProcessor(finalBinarySecurityTokenOutputProcessor);
- binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
- }
- break;
+ if (action.equals(WSSConstants.SIGNATURE)
+ || action.equals(WSSConstants.SAML_TOKEN_SIGNED)) {
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, bstId);
+ if (((WSSSecurityProperties) getSecurityProperties()).getSignatureKeyIdentifierType() == WSSConstants.KeyIdentifierType.BST_DIRECT_REFERENCE) {
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, bstId);
+ FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(getSecurityProperties(), getAction(), binarySecurityToken);
+ finalBinarySecurityTokenOutputProcessor.getBeforeProcessors().add(org.swssf.wss.impl.processor.output.SignatureOutputProcessor.class.getName());
+ outputProcessorChain.addProcessor(finalBinarySecurityTokenOutputProcessor);
+ binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
+ }
+ } else if (action.equals(WSSConstants.ENCRYPT)) {
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, bstId);
+ if (((WSSSecurityProperties) getSecurityProperties()).getEncryptionKeyIdentifierType() == WSSConstants.KeyIdentifierType.BST_DIRECT_REFERENCE) {
+ FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(getSecurityProperties(), getAction(), binarySecurityToken);
+ finalBinarySecurityTokenOutputProcessor.getAfterProcessors().add(org.swssf.wss.impl.processor.output.EncryptEndingOutputProcessor.class.getName());
+ outputProcessorChain.addProcessor(finalBinarySecurityTokenOutputProcessor);
+ binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
+ }
+ } else if (action.equals(WSSConstants.SIGNATURE_WITH_DERIVED_KEY)
+ || action.equals(WSSConstants.ENCRYPT_WITH_DERIVED_KEY)) {
+
+ WSSConstants.DerivedKeyTokenReference derivedKeyTokenReference = ((WSSSecurityProperties) getSecurityProperties()).getDerivedKeyTokenReference();
+ switch (derivedKeyTokenReference) {
+
+ case DirectReference:
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, bstId);
+ break;
+ case EncryptedKey:
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, bstId);
+ break;
+ case SecurityContextToken:
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN, bstId);
+ break;
+ }
+ if ((getAction() == WSSConstants.ENCRYPT_WITH_DERIVED_KEY
+ && ((WSSSecurityProperties) getSecurityProperties()).getEncryptionKeyIdentifierType() == WSSConstants.KeyIdentifierType.BST_DIRECT_REFERENCE)
+ || (getAction() == WSSConstants.SIGNATURE_WITH_DERIVED_KEY
+ && ((WSSSecurityProperties) getSecurityProperties()).getSignatureKeyIdentifierType() == WSSConstants.KeyIdentifierType.BST_DIRECT_REFERENCE)) {
+ FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(getSecurityProperties(), getAction(), binarySecurityToken);
+ finalBinarySecurityTokenOutputProcessor.getAfterProcessors().add(org.swssf.wss.impl.processor.output.EncryptEndingOutputProcessor.class.getName());
+ outputProcessorChain.addProcessor(finalBinarySecurityTokenOutputProcessor);
+ binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
+ }
}
outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(bstId, binarySecurityTokenProvider);
@@ -206,7 +208,7 @@ public class BinarySecurityTokenOutputPr
outputProcessorChain.processEvent(xmlEvent);
}
- private X509Certificate getReqSigCert(SecurityContext securityContext) throws WSSecurityException {
+ private X509Certificate getReqSigCert(SecurityContext securityContext) throws XMLSecurityException {
List<SecurityEvent> securityEventList = securityContext.getAsList(SecurityEvent.class);
if (securityEventList != null) {
for (int i = 0; i < securityEventList.size(); i++) {
@@ -232,18 +234,18 @@ public class BinarySecurityTokenOutputPr
private SecurityToken securityToken;
- FinalBinarySecurityTokenOutputProcessor(SecurityProperties securityProperties, Constants.Action action, SecurityToken securityToken) throws WSSecurityException {
+ FinalBinarySecurityTokenOutputProcessor(XMLSecurityProperties securityProperties, XMLSecurityConstants.Action action, SecurityToken securityToken) throws XMLSecurityException {
super(securityProperties, action);
this.getAfterProcessors().add(BinarySecurityTokenOutputProcessor.class.getName());
this.securityToken = securityToken;
}
@Override
- public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, WSSecurityException {
+ public void processEvent(XMLEvent xmlEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
outputProcessorChain.processEvent(xmlEvent);
if (xmlEvent.isStartElement()) {
StartElement startElement = xmlEvent.asStartElement();
- if (outputProcessorChain.getDocumentContext().isInSecurityHeader() && startElement.getName().equals(Constants.TAG_wsse_Security)) {
+ if (((WSSDocumentContext) outputProcessorChain.getDocumentContext()).isInSecurityHeader() && startElement.getName().equals(WSSConstants.TAG_wsse_Security)) {
OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
boolean useSingleCertificate = getSecurityProperties().isUseSingleCert();
@@ -253,5 +255,38 @@ public class BinarySecurityTokenOutputPr
}
}
}
+
+ //todo common method
+ protected void createBinarySecurityTokenStructure(OutputProcessorChain outputProcessorChain, String referenceId, X509Certificate[] x509Certificates, boolean useSingleCertificate) throws XMLStreamException, XMLSecurityException {
+ Map<QName, String> attributes = new HashMap<QName, String>();
+ String valueType;
+ if (useSingleCertificate) {
+ valueType = WSSConstants.NS_X509_V3_TYPE;
+ } else {
+ valueType = WSSConstants.NS_X509PKIPathv1;
+ }
+ attributes.put(WSSConstants.ATT_NULL_EncodingType, WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING);
+ attributes.put(WSSConstants.ATT_NULL_ValueType, valueType);
+ attributes.put(WSSConstants.ATT_wsu_Id, referenceId);
+ createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken, attributes);
+ try {
+ if (useSingleCertificate) {
+ createCharactersAndOutputAsEvent(outputProcessorChain, new Base64(76, new byte[]{'\n'}).encodeToString(x509Certificates[0].getEncoded()));
+ } else {
+ try {
+ CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
+ List<X509Certificate> certificates = Arrays.asList(x509Certificates);
+ createCharactersAndOutputAsEvent(outputProcessorChain, new Base64(76, new byte[]{'\n'}).encodeToString(certificateFactory.generateCertPath(certificates).getEncoded()));
+ } catch (CertificateException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
+ } catch (NoSuchProviderException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
+ }
+ }
+ } catch (CertificateEncodingException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_SIGNATURE, e);
+ }
+ createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken);
+ }
}
}