You are viewing a plain text version of this content. The canonical link for it is here.
Posted to fx-dev@ws.apache.org by ji...@apache.org on 2004/05/13 03:27:56 UTC
[jira] Assigned: (WSFX-5) Interoperability improvements
Message:
The following issue has been re-assigned.
Assignee: Werner Dittmann (mailto:werner.dittmann@t-online.de)
Assigner: Davanum Srinivas (mailto:dims@yahoo.com)
Date: Wed, 12 May 2004 6:27 PM
Comment:
Werner,
Please take care of this.
thanks,
dims
---------------------------------------------------------------------
View the issue:
http://issues.apache.org/jira/browse/WSFX-5
Here is an overview of the issue:
---------------------------------------------------------------------
Key: WSFX-5
Summary: Interoperability improvements
Type: Improvement
Status: Open
Priority: Major
Project: WSFX
Components:
WSS4J
Assignee: Werner Dittmann
Reporter: Rami Jaamour
Created: Wed, 12 May 2004 4:52 PM
Updated: Wed, 12 May 2004 6:27 PM
Description:
This is a first step towards implementing specification configurability into WSS4J so that it can interoperate with other WSS implementations, namely ones that do not follow latest OASIS. This patch allows WSS4J to be configured in compile time to consume and generate messages of older specs (at least the differences that I could identify as interoperability hurdles with customers so far). See the new COMPLIANCE_MODE in WSConstans. If you put this in, I will proceed towards an implementation of "WSVariableConstantsObject" as discussed with Werner, in which case WSConstants will not have modifiable values as in this patch.
This also allows WSS4J to verify signartures and decrypt messages even if KeyInfo is not present as long as the "default" certificate alias is defined in the properties file. Of course this is not "recommended" by OASIS, but I have customers who omit KeyInfo and still want to be able to consume the messages.
Index: org/apache/ws/security/WSConstants.java
===================================================================
RCS file: /home/cvspublic/ws-fx/wss4j/src/org/apache/ws/security/WSConstants.java,v
retrieving revision 1.15
diff -u -r1.15 WSConstants.java
--- org/apache/ws/security/WSConstants.java 19 Apr 2004 17:46:13 -0000 1.15
+++ org/apache/ws/security/WSConstants.java 12 May 2004 23:11:46 -0000
@@ -24,14 +24,48 @@
/**
* Constants in WS-Security spec.
*/
-public interface WSConstants {
- public static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
+public class WSConstants {
+ // the following compliance mode values must have increasing values as new
+ // modes are added; a later spec should have a value > value of an an earlier spec.
+ public static final int OASIS_2002_07 = 1;
+ public static final int OASIS_2002_12 = 2;
+ public static final int OASIS_2003_06 = 3;
+ public static final int OASIS_1_0 = 4;
+
+ /**
+ * Set the specification compliance mode. This affects namespaces as well
+ * as how certain items are constructed in security headers.
+ * <p/>
+ * Currently this can only be set at compile time. The valid values are:
+ * <ul>
+ * <li> {@link #OASIS_2002_07} </li>
+ * <li> {@link #OASIS_2002_12} </li>
+ * <li> {@link #OASIS_2003_06} </li>
+ * <li> {@link #OASIS_1_0} OASIS WS-Security v1.0 as released on March 2004. This is the default and recommended setting</li>
+ * </ul>
+ * <p/>
+ * Using {@link #OASIS_2002} enhances chances of interoperability with other
+ * WSS implementations that do not fully adhere to the OASIS v1.0 March 2004
+ * specs yet.
+ * @param specs instructs WSS4J on which standard to follow
+ */
+ public static final int COMPLIANCE_MODE = OASIS_1_0;
+
+ public static final String WSSE_NS_OASIS_2002_07 = "http://schemas.xmlsoap.org/ws/2002/07/secext";
+ public static final String WSSE_NS_OASIS_2002_12 = "http://schemas.xmlsoap.org/ws/2002/12/secext";
+ public static final String WSSE_NS_OASIS_2003_06 = "http://schemas.xmlsoap.org/ws/2003/06/secext";
+ public static final String WSSE_NS_OASIS_1_0 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
+ public static String WSSE_NS = WSSE_NS_OASIS_1_0;
public static final String USERNAMETOKEN_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0";
public static final String SOAPMESSAGE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0";
public static final String X509TOKEN_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0";
public static final String WSSE_PREFIX = "wsse";
public static final String WSSE_LN = "Security";
- public static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
+ public static final String WSU_NS_OASIS_2002_07 = "http://schemas.xmlsoap.org/ws/2002/07/utility";
+ public static final String WSU_NS_OASIS_2002_12 = "http://schemas.xmlsoap.org/ws/2002/12/utility";
+ public static final String WSU_NS_OASIS_2003_06 = "http://schemas.xmlsoap.org/ws/2003/06/utility";
+ public static final String WSU_NS_OASIS_1_0 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
+ public static String WSU_NS = WSU_NS_OASIS_1_0;
public static final String WSU_PREFIX = "wsu";
public static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
public static final String SIG_PREFIX = "ds";
@@ -257,5 +291,35 @@
public static final int NO_SERIALIZE = 0x100;
public static final int SERIALIZE = 0x200;
+ static {
+ setComplianceMode();
+ }
+
+ /**
+ * init various constants to the chosen compliance mode
+ */
+ private static void setComplianceMode() {
+ switch (COMPLIANCE_MODE) {
+ case OASIS_1_0:
+ WSSE_NS = WSSE_NS_OASIS_1_0;
+ WSU_NS = WSU_NS_OASIS_1_0;
+ break;
+ case OASIS_2003_06:
+ WSSE_NS = WSSE_NS_OASIS_2003_06;
+ WSU_NS = WSU_NS_OASIS_2003_06;
+ break;
+ case OASIS_2002_12:
+ WSSE_NS = WSSE_NS_OASIS_2002_12;
+ WSU_NS = WSU_NS_OASIS_2002_12;
+ break;
+ case OASIS_2002_07:
+ WSSE_NS = WSSE_NS_OASIS_2002_07;
+ WSU_NS = WSU_NS_OASIS_2002_07;
+ break;
+ default:
+ WSSE_NS = WSSE_NS_OASIS_1_0;
+ WSU_NS = WSU_NS_OASIS_1_0;
+ }
+ }
}
Index: org/apache/ws/security/WSSecurityEngine.java
===================================================================
RCS file: /home/cvspublic/ws-fx/wss4j/src/org/apache/ws/security/WSSecurityEngine.java,v
retrieving revision 1.19
diff -u -r1.19 WSSecurityEngine.java
--- org/apache/ws/security/WSSecurityEngine.java 7 Apr 2004 05:56:17 -0000 1.19
+++ org/apache/ws/security/WSSecurityEngine.java 12 May 2004 23:11:46 -0000
@@ -109,8 +109,7 @@
* <code>wsu:Timestamp</code> as defined by OASIS WS Security specification,
*/
protected static final QName TIMESTAMP = new QName(WSConstants.WSU_NS, WSConstants.TIMESTAMP_TOKEN_LN);
-
-
+
static {
org.apache.xml.security.Init.init();
String Id = "BC";
@@ -452,36 +451,42 @@
X509Certificate[] certs = null;
KeyInfo info = sig.getKeyInfo();
-
- Node node =
- WSSecurityUtil.getDirectChild(
- info.getElement(),
- SecurityTokenReference.TOKEN.getLocalPart(),
- SecurityTokenReference.TOKEN.getNamespaceURI());
- if (node == null) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
- "unsupportedKeyInfo");
- }
- SecurityTokenReference secRef =
- new SecurityTokenReference((Element) node);
- if (secRef.containsReference()) {
- Element token = secRef.getTokenElement(elem.getOwnerDocument());
-
- // at this point ... check token type: Binary
- QName el = new QName(token.getNamespaceURI(), token.getLocalName());
- if (el.equals(BINARY_TOKEN)) {
- certs = getCertificatesTokenReference((Element) token, crypto);
- } else {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
- "unsupportedToken", new Object[] { el.toString()});
- }
- } else if (secRef.containsX509IssuerSerial()) {
- certs = secRef.getX509IssuerSerial(crypto);
- } else if (secRef.containsKeyIdentifier()) {
- certs = secRef.getKeyIdentifier(crypto);
- }
+ if (/*crypto.getDefaultX509Alias() == null &&*/ info != null) {
+ Node node =
+ WSSecurityUtil.getDirectChild(
+ info.getElement(),
+ SecurityTokenReference.TOKEN.getLocalPart(),
+ SecurityTokenReference.TOKEN.getNamespaceURI());
+ if (node == null) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY,
+ "unsupportedKeyInfo");
+ }
+ SecurityTokenReference secRef =
+ new SecurityTokenReference((Element) node);
+ if (secRef.containsReference()) {
+ Element token = secRef.getTokenElement(elem.getOwnerDocument());
+
+ // at this point ... check token type: Binary
+ QName el = new QName(token.getNamespaceURI(), token.getLocalName());
+ if (el.equals(BINARY_TOKEN)) {
+ certs = getCertificatesTokenReference((Element) token, crypto);
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY,
+ "unsupportedToken", new Object[] { el.toString()});
+ }
+ } else if (secRef.containsX509IssuerSerial()) {
+ certs = secRef.getX509IssuerSerial(crypto);
+ } else if (secRef.containsKeyIdentifier()) {
+ certs = secRef.getKeyIdentifier(crypto);
+ }
+ } else if (crypto.getDefaultX509Alias() != null) {
+ certs = crypto.getCertificates(crypto.getDefaultX509Alias());
+ } else {
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY,
+ "unsupportedKeyInfo");
+ }
if (tlog.isDebugEnabled()) {
t1 = System.currentTimeMillis();
}
@@ -689,99 +694,107 @@
// see check above ... maybe later
Element keyInfo = (Element) WSSecurityUtil.getDirectChild((Node) xencEncryptedKey,
"KeyInfo", WSConstants.SIG_NS);
- if (keyInfo == null) {
- throw new WSSecurityException
- (WSSecurityException.INVALID_SECURITY, "noKeyinfo");
- }
- Element secRefToken = (Element) WSSecurityUtil.getDirectChild((Node) keyInfo,
- "SecurityTokenReference", WSConstants.WSSE_NS);
- if (secRefToken == null) {
- throw new WSSecurityException
- (WSSecurityException.INVALID_SECURITY, "noSecTokRef");
- }
- SecurityTokenReference secRef = new SecurityTokenReference(secRefToken);
- /*
- * Well, at this point there are several ways to get the key. Try to handle all of them :-).
- */
- String alias = null;
- /*
- * handle X509IssuerSerial here. First check if all elements are available,
- * get the appropriate data, check if all data is available.
- * If all is ok up to that point, look up the certificate alias according
- * to issuer name and serial number.
- * This method is recommended by OASIS WS-S specification, X509 profile
- */
- if (secRef.containsX509IssuerSerial()) {
- alias = secRef.getX509IssuerSerialAlias(crypto);
- if (doDebug) {
- log.debug("X509IssuerSerial alias: " + alias);
- }
- }
- /*
- * If wsse:KeyIdentifier found, then the public key of the attached cert was used to
- * encrypt the session (symmetric) key that encrypts the data. Extract the certificate
- * using the BinarySecurity token (was enhanced to handle KeyIdentifier too).
- * This method is _not_recommended by OASIS WS-S specification, X509 profile
- */
- else if (secRef.containsKeyIdentifier()) {
- X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
- if (certs == null || certs.length != 1 || certs[0] == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "invalidX509Data", new Object[]{"for decryption (KeyId)"});
+ String alias;
+ if (keyInfo != null) {
+ Element secRefToken = (Element) WSSecurityUtil.getDirectChild((Node) keyInfo,
+ "SecurityTokenReference", WSConstants.WSSE_NS);
+ if (secRefToken == null) {
+ throw new WSSecurityException
+ (WSSecurityException.INVALID_SECURITY, "noSecTokRef");
}
+ SecurityTokenReference secRef = new SecurityTokenReference(secRefToken);
+ /*
+ * Well, at this point there are several ways to get the key. Try to handle all of them :-).
+ */
+ alias = null;
/*
- * Here we have the certificate. Now find the alias for it. Needed to identify
- * the private key associated with this certificate
+ * handle X509IssuerSerial here. First check if all elements are available,
+ * get the appropriate data, check if all data is available.
+ * If all is ok up to that point, look up the certificate alias according
+ * to issuer name and serial number.
+ * This method is recommended by OASIS WS-S specification, X509 profile
*/
- alias = crypto.getAliasForX509Cert(certs[0]);
- if (doDebug) {
- log.debug("cert: " + certs[0]);
- log.debug("KeyIdentifier Alias: " + alias);
+ if (secRef.containsX509IssuerSerial()) {
+ alias = secRef.getX509IssuerSerialAlias(crypto);
+ if (doDebug) {
+ log.debug("X509IssuerSerial alias: " + alias);
+ }
}
- } else if (secRef.containsReference()) {
- Element bstElement = secRef.getTokenElement(doc);
-
- // at this point ... check token type: Binary
- QName el =
- new QName(
- bstElement.getNamespaceURI(),
- bstElement.getLocalName());
- if (el.equals(BINARY_TOKEN)) {
- X509Security token = null;
- String value = bstElement.getAttribute("ValueType");
- if (!value.equals(X509Security.TYPE)
- || ((token = new X509Security(bstElement)) == null)) {
- throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
- "unsupportedBinaryTokenType",
- new Object[] { "for decryption (BST)" });
- }
- X509Certificate cert = token.getX509Certificate(crypto);
- if (cert == null) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "invalidX509Data",
- new Object[] { "for decryption" });
- }
- /*
- * Here we have the certificate. Now find the alias for it. Needed to identify
- * the private key associated with this certificate
- */
- alias = crypto.getAliasForX509Cert(cert);
- if (doDebug) {
- log.debug("BST Alias: " + alias);
- }
- } else {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
- "unsupportedToken",
- null);
- }
- } else {
- throw new WSSecurityException(
- WSSecurityException.FAILURE, "unsupportedKeyId");
- }
-
+ /*
+ * If wsse:KeyIdentifier found, then the public key of the attached cert was used to
+ * encrypt the session (symmetric) key that encrypts the data. Extract the certificate
+ * using the BinarySecurity token (was enhanced to handle KeyIdentifier too).
+ * This method is _not_recommended by OASIS WS-S specification, X509 profile
+ */
+ else if (secRef.containsKeyIdentifier()) {
+ X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
+ if (certs == null || certs.length != 1 || certs[0] == null) {
+ throw new WSSecurityException(WSSecurityException.FAILURE,
+ "invalidX509Data", new Object[]{"for decryption (KeyId)"});
+ }
+ /*
+ * Here we have the certificate. Now find the alias for it. Needed to identify
+ * the private key associated with this certificate
+ */
+ alias = crypto.getAliasForX509Cert(certs[0]);
+ if (doDebug) {
+ log.debug("cert: " + certs[0]);
+ log.debug("KeyIdentifier Alias: " + alias);
+ }
+ } else if (secRef.containsReference()) {
+ Element bstElement = secRef.getTokenElement(doc);
+
+ // at this point ... check token type: Binary
+ QName el =
+ new QName(
+ bstElement.getNamespaceURI(),
+ bstElement.getLocalName());
+ if (el.equals(BINARY_TOKEN)) {
+ X509Security token = null;
+ String value = bstElement.getAttribute("ValueType");
+ // attempt to get attribute in case it is qualified
+ // NYI: need to iterate through all valid namespaces
+ if (value.length() == 0) {
+ value = bstElement.getAttributeNS(WSConstants.WSSE_NS, "ValueType");
+ }
+ if (!value.endsWith(X509Security.X509_V3)
+ || ((token = new X509Security(bstElement)) == null)) {
+ throw new WSSecurityException(
+ WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
+ "unsupportedBinaryTokenType",
+ new Object[] { "for decryption (BST)" });
+ }
+ X509Certificate cert = token.getX509Certificate(crypto);
+ if (cert == null) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "invalidX509Data",
+ new Object[] { "for decryption" });
+ }
+ /*
+ * Here we have the certificate. Now find the alias for it. Needed to identify
+ * the private key associated with this certificate
+ */
+ alias = crypto.getAliasForX509Cert(cert);
+ if (doDebug) {
+ log.debug("BST Alias: " + alias);
+ }
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY,
+ "unsupportedToken",
+ null);
+ }
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "unsupportedKeyId");
+ }
+ } else if (crypto.getDefaultX509Alias() != null){
+ alias = crypto.getDefaultX509Alias();
+ } else {
+ throw new WSSecurityException
+ (WSSecurityException.INVALID_SECURITY, "noKeyinfo");
+ }
/*
* At this point we have all information necessary to decrypt the session
* key:
Index: org/apache/ws/security/components/crypto/Crypto.java
===================================================================
RCS file: /home/cvspublic/ws-fx/wss4j/src/org/apache/ws/security/components/crypto/Crypto.java,v
retrieving revision 1.4
diff -u -r1.4 Crypto.java
--- org/apache/ws/security/components/crypto/Crypto.java 16 Apr 2004 03:30:38 -0000 1.4
+++ org/apache/ws/security/components/crypto/Crypto.java 12 May 2004 23:11:46 -0000
@@ -126,19 +126,31 @@
*/
public String getAliasForX509Cert(String issuer, BigInteger serialNumber) throws WSSecurityException;
- /**
- * Lookup a X509 Certificate in the keystore according to a given
- * SubjectKeyIdentifier.
- * <p/>
- * The search gets all alias names of the keystore and gets the certificate chain
- * or certificate for each alias. Then the SKI for each user certificate
- * is compared with the SKI parameter.
- *
- * @param skiBytes The SKI info bytes
- * @return alias name of the certificate that matches serialNumber and issuer name
- * or null if no such certificate was found.
- */
- public String getAliasForX509Cert(byte[] skiBytes) throws WSSecurityException;
+ /**
+ * Lookup a X509 Certificate in the keystore according to a given
+ * SubjectKeyIdentifier.
+ * <p/>
+ * The search gets all alias names of the keystore and gets the certificate chain
+ * or certificate for each alias. Then the SKI for each user certificate
+ * is compared with the SKI parameter.
+ *
+ * @param skiBytes The SKI info bytes
+ * @return alias name of the certificate that matches serialNumber and issuer name
+ * or null if no such certificate was found.
+ */
+ public String getAliasForX509Cert(byte[] skiBytes) throws WSSecurityException;
+
+ /**
+ * Retrieves the alias name of the default certificate which has been
+ * specified as a property. This should be the certificate that is used for
+ * signature and encryption. This alias corresponds to the certificate that
+ * should be used whenever KeyInfo is not poresent in a signed or
+ * an encrypted message. May return null.
+ *
+ * @return alias name of the default X509 certificate.
+ */
+ public String getDefaultX509Alias();
+
/**
* Reads the SubjectKeyIdentifier information from the certificate.
* <p/>
Index: org/apache/ws/security/components/crypto/Merlin.java
===================================================================
RCS file: /home/cvspublic/ws-fx/wss4j/src/org/apache/ws/security/components/crypto/Merlin.java,v
retrieving revision 1.15
diff -u -r1.15 Merlin.java
--- org/apache/ws/security/components/crypto/Merlin.java 20 Apr 2004 18:07:14 -0000 1.15
+++ org/apache/ws/security/components/crypto/Merlin.java 12 May 2004 23:11:46 -0000
@@ -57,7 +57,7 @@
*/
public class Merlin implements Crypto {
private static Log log = LogFactory.getLog(Merlin.class);
- private static CertificateFactory certFact;
+ protected static CertificateFactory certFact;
protected Properties properties = null;
protected KeyStore keystore = null;
@@ -419,6 +419,22 @@
return null;
}
+ /**
+ * Retrieves the alias name of the default certificate which has been
+ * specified as a property. This should be the certificate that is used for
+ * signature and encryption. This alias corresponds to the certificate that
+ * should be used whenever KeyInfo is not poresent in a signed or
+ * an encrypted message. May return null.
+ *
+ * @return alias name of the default X509 certificate
+ */
+ public String getDefaultX509Alias() {
+ if (properties == null) {
+ return null;
+ }
+ return properties.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias");
+ }
+
/**
* Gets the list of certificates for a given alias.
* <p/>
Index: org/apache/ws/security/message/token/BinarySecurity.java
===================================================================
RCS file: /home/cvspublic/ws-fx/wss4j/src/org/apache/ws/security/message/token/BinarySecurity.java,v
retrieving revision 1.3
diff -u -r1.3 BinarySecurity.java
--- org/apache/ws/security/message/token/BinarySecurity.java 11 Mar 2004 13:41:30 -0000 1.3
+++ org/apache/ws/security/message/token/BinarySecurity.java 12 May 2004 23:11:46 -0000
@@ -38,9 +38,18 @@
public class BinarySecurity {
public static final QName TOKEN = new QName(WSConstants.WSSE_NS, "BinarySecurityToken");
public static final QName TOKEN_KI = new QName(WSConstants.WSSE_NS, "KeyIdentifier");
- public static final String BASE64_ENCODING = WSConstants.SOAPMESSAGE_NS + "#Base64Binary";
+ public static final String BASE64_BINARY = "Base64Binary";
+ public static String BASE64_ENCODING = null; // set in a static block later
protected Element element = null;
+ static {
+ if (WSConstants.COMPLIANCE_MODE <= WSConstants.OASIS_2002_12) {
+ BASE64_ENCODING = WSConstants.WSSE_PREFIX + ":" + BASE64_BINARY;
+ } else {
+ BASE64_ENCODING = WSConstants.SOAPMESSAGE_NS + "#Base64Binary";
+ }
+ }
+
/**
* Constructor.
* <p/>
@@ -54,7 +63,7 @@
if (!el.equals(TOKEN) && !el.equals(TOKEN_KI)) {
throw new WSSecurityException(WSSecurityException.INVALID_SECURITY_TOKEN, "badTokenType", new Object[]{el});
}
- if (!getEncodingType().equals(BASE64_ENCODING)) {
+ if (!getEncodingType().endsWith(BASE64_BINARY)) {
throw new WSSecurityException(WSSecurityException.INVALID_SECURITY_TOKEN, "badEncoding", new Object[]{getEncodingType()});
}
}
@@ -79,7 +88,13 @@
* @return
*/
public String getValueType() {
- return this.element.getAttribute("ValueType");
+ String valueType = this.element.getAttribute("ValueType");
+ // also attempt to get the attribute in case it was qualified
+ // NYI: still need to check for all supported namespaces here
+ if (valueType.length() == 0) {
+ valueType = element.getAttributeNS(WSConstants.WSSE_NS, "ValueType");
+ }
+ return valueType;
}
/**
@@ -89,7 +104,11 @@
* @param type
*/
protected void setValueType(String type) {
- this.element.setAttributeNS(null, "ValueType", type);
+ if (WSConstants.COMPLIANCE_MODE <= WSConstants.OASIS_2002_12) {
+ this.element.setAttributeNS(WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX + ":ValueType", type);
+ } else {
+ this.element.setAttributeNS(null, "ValueType", type);
+ }
}
/**
@@ -99,7 +118,13 @@
* @return
*/
public String getEncodingType() {
- return this.element.getAttribute("EncodingType");
+ String encodingType = this.element.getAttribute("EncodingType");
+ // attempt to get the attribute in case it was qualified
+ // NYI: still need to check for all supported namespaces here
+ if (encodingType.length() == 0) {
+ encodingType = this.element.getAttributeNS(WSConstants.WSSE_NS, "EncodingType");
+ }
+ return encodingType;
}
/**
@@ -109,7 +134,11 @@
* @param encoding
*/
protected void setEncodingType(String encoding) {
- this.element.setAttributeNS(null, "EncodingType", encoding);
+ if (WSConstants.COMPLIANCE_MODE <= WSConstants.OASIS_2002_12) {
+ this.element.setAttributeNS(WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX + ":EncodingType", encoding);
+ } else {
+ this.element.setAttributeNS(null, "EncodingType", encoding);
+ }
}
/**
Index: org/apache/ws/security/message/token/SecurityTokenReference.java
===================================================================
RCS file: /home/cvspublic/ws-fx/wss4j/src/org/apache/ws/security/message/token/SecurityTokenReference.java,v
retrieving revision 1.10
diff -u -r1.10 SecurityTokenReference.java
--- org/apache/ws/security/message/token/SecurityTokenReference.java 24 Mar 2004 19:22:49 -0000 1.10
+++ org/apache/ws/security/message/token/SecurityTokenReference.java 12 May 2004 23:11:47 -0000
@@ -53,7 +53,7 @@
public static final QName TOKEN =
new QName(WSConstants.WSSE_NS, "SecurityTokenReference");
- public static final String SKI_URI = WSConstants.X509TOKEN_NS + "#X509SubjectKeyIdentifier";
+ public static final String SKI_URI = WSConstants.X509TOKEN_NS + "#X509SubjectKeyIdentifier";
protected Element element = null;
private XMLX509IssuerSerial issuerSerial = null;
private byte[] skiBytes = null;
@@ -190,8 +190,13 @@
Text certText = doc.createTextNode(Base64.encode(data));
Element keyId =
doc.createElementNS(WSConstants.WSSE_NS, "wsse:KeyIdentifier");
- keyId.setAttributeNS(null, "ValueType", X509Security.TYPE);
- keyId.setAttributeNS(null, "EncodingType", BinarySecurity.BASE64_ENCODING);
+ if (WSConstants.COMPLIANCE_MODE <= WSConstants.OASIS_2002_12) {
+ keyId.setAttributeNS(WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX + ":ValueType", X509Security.TYPE);
+ keyId.setAttributeNS(WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX + ":EncodingType", BinarySecurity.BASE64_ENCODING);
+ } else {
+ keyId.setAttributeNS(null, "ValueType", X509Security.TYPE);
+ keyId.setAttributeNS(null, "EncodingType", BinarySecurity.BASE64_ENCODING);
+ }
keyId.appendChild(certText);
Element elem = getFirstElement();
if (elem != null) {
@@ -215,8 +220,13 @@
org.w3c.dom.Text skiText = doc.createTextNode(Base64.encode(data));
Element keyId =
doc.createElementNS(WSConstants.WSSE_NS, "wsse:KeyIdentifier");
- keyId.setAttributeNS(null, "ValueType", SKI_URI);
- keyId.setAttributeNS(null, "EncodingType", BinarySecurity.BASE64_ENCODING);
+ if (WSConstants.COMPLIANCE_MODE <= WSConstants.OASIS_2002_12) {
+ keyId.setAttributeNS(WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX + ":ValueType", SKI_URI);
+ keyId.setAttributeNS(WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX + ":EncodingType", BinarySecurity.BASE64_ENCODING);
+ } else {
+ keyId.setAttributeNS(null, "ValueType", SKI_URI);
+ keyId.setAttributeNS(null, "EncodingType", BinarySecurity.BASE64_ENCODING);
+ }
keyId.appendChild(skiText);
Element elem = getFirstElement();
if (elem != null) {
@@ -237,7 +247,12 @@
X509Security token = null;
Element elem = getFirstElement();
String value = elem.getAttribute("ValueType");
- if (value.equals(X509Security.TYPE)) {
+ // attempt to get the attribute if it was qualified
+ // NYI iterate through all the possible namespaces
+ if (value.length() == 0) {
+ value = elem.getAttributeNS(WSConstants.WSSE_NS, "ValueType");
+ }
+ if (value.endsWith(X509Security.X509_V3)) {
token = new X509Security(elem);
if (token != null) {
X509Certificate cert = token.getX509Certificate(crypto);
Index: org/apache/ws/security/message/token/X509Security.java
===================================================================
RCS file: /home/cvspublic/ws-fx/wss4j/src/org/apache/ws/security/message/token/X509Security.java,v
retrieving revision 1.6
diff -u -r1.6 X509Security.java
--- org/apache/ws/security/message/token/X509Security.java 24 Mar 2004 19:22:49 -0000 1.6
+++ org/apache/ws/security/message/token/X509Security.java 12 May 2004 23:11:48 -0000
@@ -34,14 +34,23 @@
* @author Davanum Srinivas (dims@yahoo.com).
*/
public class X509Security extends BinarySecurity {
- public static final String TYPE = WSConstants.X509TOKEN_NS + "#X509v3";
-
+ public static String TYPE = null; // set later in a static block
+ public static final String X509_V3 = "X509v3";
+
/*
* Stores the associated X.509 Certificate. This saves numerous
* crypto loadCertificate operations
*/
private X509Certificate cachedCert = null;
+ static {
+ if (WSConstants.COMPLIANCE_MODE <= WSConstants.OASIS_2002_12) {
+ TYPE = WSConstants.WSSE_PREFIX + ":" + X509_V3;
+ } else {
+ TYPE = WSConstants.X509TOKEN_NS + "#" + X509_V3;
+ }
+ }
+
/**
* This constructor creates a new X509 certificate object and initializes
* it from the data containe in the element.
@@ -51,7 +60,7 @@
*/
public X509Security(Element elem) throws WSSecurityException {
super(elem);
- if (!getValueType().equals(TYPE)) {
+ if (!getValueType().endsWith(X509_V3)) {
throw new WSSecurityException(WSSecurityException.INVALID_SECURITY_TOKEN, "invalidValueType", new Object[]{TYPE, getValueType()});
}
}
---------------------------------------------------------------------
JIRA INFORMATION:
This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
If you want more information on JIRA, or have a bug to report see:
http://www.atlassian.com/software/jira