Posted to fx-dev@ws.apache.org by we...@apache.org on 2004/03/16 20:28:15 UTC
cvs commit: ws-fx/wss4j/src/org/apache/ws/security/message/token SecurityTokenReference.java
werner 2004/03/16 11:28:15
Modified: wss4j/src/org/apache/ws/security/transform STRTransform.java
wss4j/src/org/apache/ws/security/message WSSignEnvelope.java
WSEncryptBody.java
wss4j/src/org/apache/ws/security/message/token
SecurityTokenReference.java
Log:
Fix the STRTransform to be WSS compliant, fix reference to
SecurityTokenReference in Signature, some small code cleanup.
Revision Changes Path
1.10 +68 -125 ws-fx/wss4j/src/org/apache/ws/security/transform/STRTransform.java
Index: STRTransform.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/transform/STRTransform.java,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- STRTransform.java 15 Mar 2004 19:36:48 -0000 1.9
+++ STRTransform.java 16 Mar 2004 19:28:15 -0000 1.10
@@ -22,7 +22,6 @@
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
-import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.util.WSSecurityUtil;
@@ -36,9 +35,7 @@
import org.apache.xml.security.c14n.CanonicalizationException;
import org.apache.xml.security.c14n.InvalidCanonicalizerException;
import org.apache.xml.security.transforms.TransformSpi;
-import org.apache.xml.security.utils.XMLUtils;
import org.apache.xml.security.utils.Base64;
-import org.apache.xpath.XPathAPI;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -47,11 +44,8 @@
import java.security.cert.X509Certificate;
-import java.io.PrintWriter;
-
import org.xml.sax.SAXException;
import org.w3c.dom.Node;
-import org.w3c.dom.Attr;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.w3c.dom.Document;
@@ -203,119 +197,70 @@
WSConstants.WSSE_NS,
"SecurityTokenReference");
- int length = nodeList.getLength();
-
Element str = null;
+ Element tmpEl = (Element) nodeList.item(0);
+ if (doDebug) {
+ log.debug("STR: " + tmpEl.toString());
+ }
/*
- * loop over all STR elements
+ * Third and forht step are performed by derefenceSTR()
*/
- for (int i = 0; i < length; i++) {
- Element tmpEl = (Element) nodeList.item(i);
- if (doDebug) {
- log.debug("STR: " + tmpEl.toString());
- }
- /*
- * Third and forht step are performed by derefenceSTR()
- */
-
- str = dereferenceSTR(thisDoc, (Element) tmpEl);
- /*
- * Keep in mind: the returned element belong to "thisDoc", thus
- * import it to "doc" before replacing it.
- */
-
- /*
- * Fifth step: replace the STR with the above created/copied BST, feed
- * this result in the specified c14n method and return this to
- * the caller.
- *
- */
- str = (Element) doc.importNode(str, true);
- Node parent = tmpEl.getParentNode();
- parent.replaceChild(str, tmpEl);
- }
+ SecurityTokenReference secRef = new SecurityTokenReference(tmpEl);
+
+ str = dereferenceSTR(thisDoc, secRef);
/*
- * Convert resulting STR result doc into NodeList, then c14n
+ * Keep in mind: the returned element belong to "thisDoc", thus
+ * import it to "doc" before replacing it.
+ *
+ * Fifth step: replace the STR with the above created/copied BST, feed
+ * this result in the specified c14n method and return this to
+ * the caller.
+ *
*/
- // XMLUtils.circumventBug2650(doc); // This is needed???? not in every case
+ str = (Element) doc.importNode(str, true);
- if (doDebug) {
- log.debug("result doc: ");
- org.apache.axis.utils.XMLUtils.PrettyDocumentToWriter(
- doc,
- new PrintWriter(System.out));
- }
+ Node parent = tmpEl.getParentNode(); // point to document node
+ parent.replaceChild(str, tmpEl); // replace STR with new node
+
+ // XMLUtils.circumventBug2650(doc); // This is not needed in this case
+
/*
- nodeList =
- XPathAPI.selectNodeList(
- doc.getDocumentElement(),
- Canonicalizer.XPATH_C14N_WITH_COMMENTS_SINGLE_NODE);
-
- buf =
- canon.canonicalizeXPathNodeSet(
- XMLUtils.convertNodelistToSet(nodeList),"#default");
+ * C14n with specified algorithm. According to WSS Specification.
+ */
+ buf = canon.canonicalizeSubtree(doc, "#default");
+ // prepare a BOS for debug output and the following hack. If the
+ // problem with c14n mehtod is solved then just :
+ /* return new XMLSignatureInput(buf); */
+
+ bos = new ByteArrayOutputStream(buf.length);
+ bos.write(buf, 0, buf.length);
- */
- buf =
- canon.canonicalizeSubtree(doc, "#default");
if (doDebug) {
- bos = new ByteArrayOutputStream(buf.length);
- bos.write(buf, 0, buf.length);
- log.debug("result bos: " + bos.toString());
+ log.debug("after c14n: " + bos.toString());
}
+
/*
- * !!!!!!!! HACK ALERT --- here the hack starts
+ * This is a HACK - we need to know how to augment the
+ * above called c14n to leave the xmlns="" in.
+ * Thus - insert with string buffer operations. Be careful
+ * to insert as first namespace attribute or before any
+ * other attribute if there is no namespace attribute.
+ *
+ * TODO: This hack need to be checked/validated.
*/
- StringBuffer bf = new StringBuffer(bos.toString());
+ StringBuffer bf = new StringBuffer(bos.toString());
int idx = bf.indexOf("BinarySecurityToken");
- idx = bf.indexOf("xmlns", idx);
- bf.insert(idx, "xmlns=\"\" ");
+ int idx1 = bf.indexOf("xmlns", idx); // look up for a namespace attr
+ if (idx1 < 0) { // none found, locate first attr
+ idx1 = bf.indexOf("ValueType", idx);
+ }
+ bf.insert(idx1, "xmlns=\"\" "); // insert first
if (doDebug) {
log.debug("last result: ");
log.debug(bf.toString());
}
return new XMLSignatureInput(bf.toString().getBytes());
- /*
- * !!!!!!! ---Here the HACK ends
- */
- // return new XMLSignatureInput(buf);
-
- /*
- Document doc2 = db.parse(new ByteArrayInputStream(buf));
- XMLUtils.circumventBug2650(doc2); // This is needed
-
- NodeList nodeList2 =
- doc2.getElementsByTagNameNS(
- WSConstants.WSSE_NS,
- "BinarySecurityToken");
-
- int length2 = nodeList2.getLength();
- if (length2 > 0) {
- Element elem = (Element) nodeList2.item(0);
- elem.setAttributeNS(WSConstants.XMLNS_NS, "xmlns", "");
- }
- /
- nodeList2 =
- doc2.getElementsByTagNameNS(WSConstants.SIG_NS, "KeyInfo");
- length2 = nodeList2.getLength();
- if (length2 > 0) {
- Element elem = (Element) nodeList2.item(0);
- elem.setAttributeNS(WSConstants.XMLNS_NS, "xmlns", "");
- }
- /
- if (doDebug) {
- log.debug("result doc2: ");
- org.apache.axis.utils.XMLUtils.PrettyDocumentToWriter(
- doc2,
- new PrintWriter(System.out));
- }
- nodeList =
- XPathAPI.selectNodeList(
- doc2,
- Canonicalizer.XPATH_C14N_WITH_COMMENTS_SINGLE_NODE);
- return new XMLSignatureInput(XMLUtils.convertNodelistToSet(nodeList));
- */
} catch (IOException ex) {
throw new CanonicalizationException("empty", ex);
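Review bot: `nodeList.item(0)` at the top of the hunk is dereferenced without checking `nodeList.getLength()`, so an input with no wsse:SecurityTokenReference now dies with a NullPointerException (in `tmpEl.toString()` or the `SecurityTokenReference` constructor) where the removed loop simply did nothing; add `if (nodeList.getLength() == 0) { throw new CanonicalizationException("empty"); }` before the debug line, and state explicitly whether additional STR elements, which are now silently ignored, are acceptable. The string hack has the same gap: if `bf.indexOf("BinarySecurityToken")` returns -1 the following lookups search from offset 0 and may insert `xmlns=""` into the wrong element, and if `idx1` is still -1 `bf.insert` throws StringIndexOutOfBoundsException, which the enclosing try/catch (it starts before and ends after this hunk) does not appear to translate. Finally `bf.toString().getBytes()` uses the platform default charset although c14n output is defined as UTF-8, so the bytes fed to the digest depend on the JVM's locale; use `getBytes("UTF-8")`. The enclosing method continues outside this hunk.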
@@ -332,20 +277,19 @@
}
}
- private Element dereferenceSTR(Document doc, Element secRefE)
+ private Element dereferenceSTR(Document doc, SecurityTokenReference secRef)
throws Exception {
/*
* Third step: locate the security token referenced by the STR
* element. Either the Token is contained in the document as a
- * BinarySecurityToken or stored in some key storage. The WSDocInfo
- * contains the implementation of the key storage to use. To locate
- * a BST inside a document check if a BST was already found and the
- * element stored in WSDocInfo.
+ * BinarySecurityToken or stored in some key storage.
*
- * Forth step: after security token was located, prepare it. Wrap the
- * located token in a newly created BST element as specified in WSS
- * Specification.
+ * Forth step: after security token was located, prepare it. If its
+ * reference via a direct reference, i.e. a relative URI that references
+ * the BST directly in the message then just return that element.
+ * Otherwise wrap the located token in a newly created BST element
+ * as described in WSS Specification.
*
* Note: every element (also newly created elements) belong to the
* document defined by the doc parameter. This is the main SOAP document
@@ -354,26 +298,21 @@
* part that is signed/verified.
*
*/
- SecurityTokenReference secRef = null;
- Element tokElement = null;
-
- secRef = new SecurityTokenReference(secRefE);
+ Element tokElement = null;
/*
* First case: direct reference, according to chap 7.2 of OASIS
- * WS specification (main document)
+ * WS specification (main document). Only in this case return
+ * a true reference to the BST. Copying is done by the caller.
*/
if (secRef.containsReference()) {
if (doDebug) {
log.debug("STR: Reference");
}
- Element elem = secRef.getTokenElement(secRef, doc);
- if (elem == null) {
+ tokElement = secRef.getTokenElement(secRef, doc);
+ if (tokElement == null) {
throw new CanonicalizationException("empty");
}
- X509Security x509token = new X509Security(elem);
- X509Certificate cert = x509token.getX509Certificate(wsDocInfo.getCrypto());
- tokElement = createBST(doc, cert, secRefE);
}
/*
* second case: IssuerSerial, first try to get embedded
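Review bot: In the direct-reference branch `tokElement = secRef.getTokenElement(secRef, doc)` now returns whatever element the reference URI resolves to, and the `X509Security` round-trip that previously at least parsed it as an X.509 token is gone, so the only remaining check is for null. A message can therefore point the reference at an element that is not a wsse:BinarySecurityToken at all, which the caller then canonicalizes and runs through its `BinarySecurityToken` string hack; reject anything else up front, e.g. `if (!"BinarySecurityToken".equals(tokElement.getLocalName()) || !WSConstants.WSSE_NS.equals(tokElement.getNamespaceURI())) { throw new CanonicalizationException("empty"); }`, or apply the WSS wrapping rule for non-BST tokens if that is the intended behaviour. dereferenceSTR's body continues outside this hunk.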
@@ -385,7 +324,10 @@
log.debug("STR: IssuerSerial");
}
X509Certificate cert = null;
- X509Security x509token = secRef.getEmbeddedTokenFromIS(doc, wsDocInfo.getCrypto());
+ X509Security x509token = null;
+ // Disable check for embedded, always get from store (comment from Merlin,
+ // Betrust)
+ // x509token = secRef.getEmbeddedTokenFromIS(doc, wsDocInfo.getCrypto());
if (x509token != null) {
cert = x509token.getX509Certificate(wsDocInfo.getCrypto());
}
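Review bot: With `x509token` now always null, the `if (x509token != null)` block that follows is dead code, and the commented-out `getEmbeddedTokenFromIS` call carries only an attribution ("comment from Merlin, Betrust") rather than the reason, so a future reader will be tempted to re-enable it. Replace the commented-out call and the dead branch with a why-comment giving the rationale, presumably that the transform output must be reproducible by both parties from a trusted key store rather than from a token embedded in the message under the sender's control (confirm against the original discussion), e.g. `// Embedded tokens are deliberately ignored: the certificate is always taken from the configured store so that ...`. The same pattern appears in the KeyIdentifier branch of the following hunk.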
@@ -396,7 +338,7 @@
}
cert = certs[0];
}
- tokElement = createBST(doc, cert, secRefE);
+ tokElement = createBST(doc, cert, secRef.getElement());
}
/*
* third case: KeyIdentifier, must be SKI, first try to get embedded
@@ -409,7 +351,10 @@
log.debug("STR: KeyIdentifier");
}
X509Certificate cert = null;
- X509Security x509token = secRef.getEmbeddedTokenFromSKI(doc, wsDocInfo.getCrypto());
+ X509Security x509token = null;
+ // Disable check for embedded, always get from store (comment from Merlin,
+ // Betrust)
+ // x509token = secRef.getEmbeddedTokenFromSKI(doc, wsDocInfo.getCrypto());
if (x509token != null) {
cert = x509token.getX509Certificate(wsDocInfo.getCrypto());
}
@@ -420,7 +365,7 @@
}
cert = certs[0];
}
- tokElement = createBST(doc, cert, secRefE);
+ tokElement = createBST(doc, cert, secRef.getElement());
}
return (Element) tokElement;
}
@@ -439,9 +384,7 @@
WSSecurityUtil.setNamespace(elem, WSConstants.WSSE_NS, prefix);
elem.setAttributeNS(WSConstants.XMLNS_NS, "xmlns", "");
elem.setAttributeNS(null, "ValueType", X509Security.TYPE);
- // elem.setAttributeNS(null, "EncodingType", BinarySecurity.BASE64_ENCODING);
- Text certText = doc.createTextNode(Base64.encode(data, 0));
- // Text certText = doc.createTextNode(data);
+ Text certText = doc.createTextNode(Base64.encode(data, 0)); // no line wrap
elem.appendChild(certText);
return elem;
}
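Review bot: The hunk drops the commented-out `EncodingType` line for good, so the synthesized wsse:BinarySecurityToken carries `ValueType` but no `EncodingType`, and nothing in createBST records that this omission is deliberate. Whether the WSS STR-dereference rules require `EncodingType` on the wrapped token should be checked against the specification text and the result noted above the `ValueType` attribute, e.g. `// EncodingType deliberately omitted: <spec section / reason>`; since the element becomes signature input, any later change here silently breaks interoperability. createBST's signature and the start of its body lie outside the hunk.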
1.8 +8 -6 ws-fx/wss4j/src/org/apache/ws/security/message/WSSignEnvelope.java
Index: WSSignEnvelope.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/message/WSSignEnvelope.java,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- WSSignEnvelope.java 14 Mar 2004 10:44:38 -0000 1.7
+++ WSSignEnvelope.java 16 Mar 2004 19:28:15 -0000 1.8
@@ -245,9 +245,15 @@
*/
KeyInfo info = sig.getKeyInfo();
- String keyInfoUri = "SignId-" + info.hashCode();
+ String keyInfoUri = "KeyId-" + info.hashCode();
info.setId(keyInfoUri);
+
+ SecurityTokenReference secRef = new SecurityTokenReference(doc);
+ String strUri = "STRId-" + secRef.hashCode();
+ secRef.setID(strUri);
+ String certUri = "CertId-" + certs[0].hashCode();
+
if( tlog.isDebugEnabled() ) {
t1=System.currentTimeMillis();
}
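Review bot: The new `KeyId-`, `STRId-` and `CertId-` identifiers are still derived from `hashCode()`, which does not guarantee uniqueness within a document: `java.security.cert.Certificate.hashCode()` is computed from the encoded form, so two references to the same certificate in one message yield the same `CertId-` value, and identity hash codes of the `KeyInfo` and `SecurityTokenReference` objects can collide as well. Because these Ids are the anchors that `sig.addDocument("#" + ...)` and the STR transform resolve, a duplicate wsu:Id makes the reference ambiguous without any error. Consider a per-document counter or a random suffix, e.g. `String certUri = "CertId-" + (idCounter++);` with a `SecureRandom`-seeded component if Ids must not be guessable, and apply the same to the `EncDataId-`/`EncCertId-` values renamed in WSEncryptBody.java in this commit. The enclosing method continues outside this hunk.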
@@ -262,8 +268,6 @@
parts.add(encP);
}
- String certUri = "SignId-" + certs[0].hashCode();
-
Transforms transforms = null;
for (int part = 0; part < parts.size(); part++) {
@@ -293,11 +297,10 @@
}
}
else if (elemName.equals("STRTransform")) { // STRTransform
- log.debug("in STRTRANSFORM");
Element ctx = createSTRParameter(doc); // This element shall conatin the arg to STR
transforms = new Transforms(doc);
transforms.addTransform(STRTransform.implementedTransformURI, ctx);
- sig.addDocument("#" + keyInfoUri, transforms);
+ sig.addDocument("#" + strUri, transforms);
}
else {
Element body = (Element) WSSecurityUtil.findElement(envelope, elemName, nmSpace);
@@ -316,7 +319,6 @@
sig.addResourceResolver(EnvelopeIdResolver.getInstance());
WSSecurityUtil.prependChildElement(doc, securityHeader, sig.getElement(), false);
- SecurityTokenReference secRef = new SecurityTokenReference(doc);
if (tlog.isDebugEnabled() ) {
t2=System.currentTimeMillis();
}
1.8 +2 -2 ws-fx/wss4j/src/org/apache/ws/security/message/WSEncryptBody.java
Index: WSEncryptBody.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/message/WSEncryptBody.java,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- WSEncryptBody.java 14 Mar 2004 10:44:38 -0000 1.7
+++ WSEncryptBody.java 16 Mar 2004 19:28:15 -0000 1.8
@@ -311,7 +311,7 @@
envelope,
"EncryptedData",
"http://www.w3.org/2001/04/xmlenc#");
- xencEncryptedDataId = "id-" + body.hashCode();
+ xencEncryptedDataId = "EncDataId-" + body.hashCode();
body.setAttribute("Id", xencEncryptedDataId);
encDataRefs.add(new String("#" + xencEncryptedDataId));
@@ -334,7 +334,7 @@
"invalidX509Data", new Object[]{"for Encryption"});
}
remoteCert = certs[0];
- String certUri = "EncId-" + remoteCert.hashCode();
+ String certUri = "EncCertId-" + remoteCert.hashCode();
if (tlog.isDebugEnabled()) {
t2 = System.currentTimeMillis();
}
1.7 +3 -2 ws-fx/wss4j/src/org/apache/ws/security/message/token/SecurityTokenReference.java
Index: SecurityTokenReference.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/message/token/SecurityTokenReference.java,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- SecurityTokenReference.java 11 Mar 2004 22:16:30 -0000 1.6
+++ SecurityTokenReference.java 16 Mar 2004 19:28:15 -0000 1.7
@@ -502,7 +502,7 @@
*
* @return the first <code>Element</code> child node
*/
- private Element getFirstElement() {
+ public Element getFirstElement() {
for (Node currentChild = this.element.getFirstChild();
currentChild != null;
currentChild = currentChild.getNextSibling()) {
@@ -629,7 +629,8 @@
* @param id
*/
public void setID(String id) {
- this.element.setAttributeNS(WSConstants.WSU_NS, "wsu:Id", id);
+ String prefix = WSSecurityUtil.setNamespace(this.element, WSConstants.WSU_NS, WSConstants.WSU_PREFIX);
+ this.element.setAttributeNS(WSConstants.WSU_NS, prefix+":Id", id);
}
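Review bot: The Javadoc above `setID` still reads only a bare `@param id` with no description, and the new body now also calls `WSSecurityUtil.setNamespace` on the element, which appears to declare the wsu namespace as a side effect that callers relying on a pre-declared prefix should know about. Suggested Javadoc: `Sets the wsu:Id attribute of this SecurityTokenReference; the wsu namespace is resolved via WSSecurityUtil.setNamespace and the attribute is written with the returned prefix. @param id the Id value; an existing wsu:Id attribute is overwritten.` The hunk does not show what setNamespace returns when WSU_NS is already bound to a different prefix, so confirm the returned prefix is never null before it is concatenated into `prefix+":Id"`.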
/**