Posted to rampart-dev@ws.apache.org by sh...@apache.org on 2008/02/28 14:17:15 UTC
svn commit: r631958 - in /webservices/rampart/trunk/c: include/
samples/sct_provider/ src/omxmlsec/ src/omxmlsec/openssl/ src/secconv/
src/trust/ src/util/
Author: shankar
Date: Thu Feb 28 05:17:12 2008
New Revision: 631958
URL: http://svn.apache.org/viewvc?rev=631958&view=rev
Log:
client entropy, server entropy and computed key support
Modified:
webservices/rampart/trunk/c/include/openssl_hmac.h
webservices/rampart/trunk/c/include/oxs_axiom.h
webservices/rampart/trunk/c/include/trust_entropy.h
webservices/rampart/trunk/c/include/trust_sts_client.h
webservices/rampart/trunk/c/samples/sct_provider/sct_provider_hash_map.c
webservices/rampart/trunk/c/src/omxmlsec/axiom.c
webservices/rampart/trunk/c/src/omxmlsec/openssl/hmac.c
webservices/rampart/trunk/c/src/secconv/security_context_token.c
webservices/rampart/trunk/c/src/trust/entropy.c
webservices/rampart/trunk/c/src/trust/rstr.c
webservices/rampart/trunk/c/src/trust/sts_client.c
webservices/rampart/trunk/c/src/util/rampart_encryption.c
Modified: webservices/rampart/trunk/c/include/openssl_hmac.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/openssl_hmac.h?rev=631958&r1=631957&r2=631958&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/openssl_hmac.h (original)
+++ webservices/rampart/trunk/c/include/openssl_hmac.h Thu Feb 28 05:17:12 2008
@@ -52,6 +52,15 @@
axis2_char_t *seed,
oxs_key_t *derived_key);
+ AXIS2_EXTERN axis2_status_t AXIS2_CALL
+ openssl_p_hash(const axutil_env_t *env,
+ unsigned char *secret,
+ unsigned int secret_len,
+ unsigned char *seed,
+ unsigned int seed_len,
+ unsigned char *output,
+ unsigned int output_len);
+
/* @} */
#ifdef __cplusplus
}
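Review bot: The new `openssl_p_hash` prototype takes `secret` and `seed` as `unsigned char *` although the function only reads them; declare both `const unsigned char *` here and in the definition in hmac.c so key material can be passed without casting away const. The lengths are `unsigned int` while the new caller in sts_client.c passes `int` values obtained from axutil_base64_decode_len, so a negative or error return would be silently converted into a huge length; the hmac.c definition should reject a zero length and the caller should validate the decode length before the call. The declaration also carries no Doxygen comment; add one stating that `output` must have room for `output_len` bytes and that the function is the P_SHA1 expansion (HMAC-SHA1) keyed with `secret` over `seed`, and update the comment block above the definition in hmac.c (it ends just above that file's first hunk and presumably still describes `secret` as an oxs_key_t).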
Modified: webservices/rampart/trunk/c/include/oxs_axiom.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/oxs_axiom.h?rev=631958&r1=631957&r2=631958&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/oxs_axiom.h (original)
+++ webservices/rampart/trunk/c/include/oxs_axiom.h Thu Feb 28 05:17:12 2008
@@ -202,6 +202,10 @@
axis2_char_t *attr_name,
axis2_char_t *attr_val,
axis2_char_t *attr_ns);
+
+ AXIS2_EXTERN axiom_node_t *AXIS2_CALL
+ oxs_axiom_clone_node(const axutil_env_t *env,
+ axiom_node_t *node);
/** @} */
#ifdef __cplusplus
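Review bot: The new `oxs_axiom_clone_node` declaration says nothing about ownership, which matters because every caller in this commit either stores or returns the result. Add above it: `/** Deep-copies @node by serialising and re-parsing it. Returns a new tree owned by the caller (release with axiom_node_free_tree), or NULL if @node is NULL or the copy could not be built. */`.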
Modified: webservices/rampart/trunk/c/include/trust_entropy.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/trust_entropy.h?rev=631958&r1=631957&r2=631958&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/trust_entropy.h (original)
+++ webservices/rampart/trunk/c/include/trust_entropy.h Thu Feb 28 05:17:12 2008
@@ -32,9 +32,9 @@
{
#endif
- #define BIN_SEC_ASSYM "http://schemas.xmlsoap.org/ws/2005/02/trust/AsymmetricKey"
- #define BIN_SEC_SYM "http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey"
- #define BIN_SEC_NONCE "http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce"
+ #define BIN_SEC_ASSYM "/AsymmetricKey"
+ #define BIN_SEC_SYM "/SymmetricKey"
+ #define BIN_SEC_NONCE "/Nonce"
typedef enum
{
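Review bot: The three BIN_SEC_* macros shrink from full URIs to path suffixes, but nothing at the definition says what they are now meant to be appended to, so a reader of this header cannot tell the value is a fragment. Add a comment above them such as `/* Suffixes appended to the WS-Trust namespace URI (see trust_entropy_set_ns_uri) to form the BinarySecret Type attribute */`, assuming that is how entropy.c now composes the attribute — that side of the change is not in this commit, so confirm. Any code outside this tree that compared a Type attribute against these macros directly will now silently mismatch.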
@@ -111,6 +111,12 @@
trust_entropy_t *entropy,
const axutil_env_t *env,
axis2_char_t *ns_uri);
+
+ AXIS2_EXTERN axis2_status_t AXIS2_CALL
+ trust_entropy_set_binary_secret_type(
+ trust_entropy_t *entropy,
+ const axutil_env_t *env,
+ trust_bin_sec_type_t binsec_type);
#ifdef __cplusplus
}
Modified: webservices/rampart/trunk/c/include/trust_sts_client.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/trust_sts_client.h?rev=631958&r1=631957&r2=631958&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/trust_sts_client.h (original)
+++ webservices/rampart/trunk/c/include/trust_sts_client.h Thu Feb 28 05:17:12 2008
@@ -95,7 +95,7 @@
const axutil_env_t * env,
axis2_char_t * directory);
- AXIS2_EXTERN void AXIS2_CALL
+ AXIS2_EXTERN oxs_buffer_t* AXIS2_CALL
trust_sts_client_request_security_token_using_policy(
trust_sts_client_t * sts_client,
const axutil_env_t * env,
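Review bot: The return type of `trust_sts_client_request_security_token_using_policy` changes from void to `oxs_buffer_t*`, but the header gives no contract for the value. Document what the buffer holds (the shared secret computed from requester and issuer entropy, or the requester entropy alone), who frees it, and that NULL is returned both when no key is computed and on every error path. Because those two NULL cases are indistinguishable, the caller in sct_provider_hash_map.c cannot tell "no key, use the proof token" from "request failed"; if that matters, consider a status out-parameter.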
Modified: webservices/rampart/trunk/c/samples/sct_provider/sct_provider_hash_map.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/sct_provider/sct_provider_hash_map.c?rev=631958&r1=631957&r2=631958&view=diff
==============================================================================
--- webservices/rampart/trunk/c/samples/sct_provider/sct_provider_hash_map.c (original)
+++ webservices/rampart/trunk/c/samples/sct_provider/sct_provider_hash_map.c Thu Feb 28 05:17:12 2008
@@ -223,6 +223,7 @@
axis2_ctx_t *ctx = NULL;
axis2_char_t *addressing_version_from_msg_ctx = NULL;
axutil_property_t *property = NULL;
+ oxs_buffer_t *buffer = NULL;
/*check whether rp_property is valid*/
rp_sct = (rp_security_context_token_t*)rp_property_get_value(token, env);
@@ -296,7 +297,7 @@
cloned_policy = neethi_engine_get_normalize(env, AXIS2_FALSE, sts_policy);
}
- trust_sts_client_request_security_token_using_policy(sts_client, env, trust_context, cloned_policy, addressing_version_from_msg_ctx);
+ buffer = trust_sts_client_request_security_token_using_policy(sts_client, env, trust_context, cloned_policy, addressing_version_from_msg_ctx);
/*obtain the reply from sts*/
rstr = trust_context_get_rstr(trust_context, env);
@@ -311,7 +312,10 @@
security_context_token_set_token(sct, env, trust_rstr_get_requested_security_token(rstr, env));
security_context_token_set_attached_reference(sct, env, trust_rstr_get_requested_attached_reference(rstr, env));
security_context_token_set_unattached_reference(sct, env, trust_rstr_get_requested_unattached_reference(rstr, env));
- security_context_token_set_requested_proof_token(sct, env, trust_rstr_get_requested_proof_token(rstr, env));
+ if(buffer)
+ security_context_token_set_secret(sct, env, buffer);
+ else
+ security_context_token_set_requested_proof_token(sct, env, trust_rstr_get_requested_proof_token(rstr, env));
/*now we can clear unwanted stuff*/
trust_context_free(trust_context, env);
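Review bot: The new `if(buffer)`/`else` at the end of the hunk takes the ownership of `buffer` for granted — nothing here says whether `security_context_token_set_secret` keeps the pointer or copies it, so depending on that contract the buffer either leaks or is freed by both sides; state it in a comment and free `buffer` here if the setter copies. The `else` branch also stores the raw proof token whenever key computation returned NULL, including the case where the requester supplied entropy but the reply's ComputedKey could not be processed, which would leave the SCT with a ComputedKey element in place of a key; log an error in that case rather than continuing. Brace both branches: `if(buffer) { ... } else { ... }`.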
Modified: webservices/rampart/trunk/c/src/omxmlsec/axiom.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/axiom.c?rev=631958&r1=631957&r2=631958&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/axiom.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/axiom.c Thu Feb 28 05:17:12 2008
@@ -538,3 +538,31 @@
return NULL;
}
+AXIS2_EXTERN axiom_node_t *AXIS2_CALL
+oxs_axiom_clone_node(const axutil_env_t *env,
+ axiom_node_t *node)
+{
+ axis2_char_t* node_string = NULL;
+ axiom_xml_reader_t *reader = NULL;
+ axiom_document_t *doc = NULL;
+ axiom_stax_builder_t *builder = NULL;
+ axiom_node_t *clone = NULL;
+
+ if(!node)
+ return NULL;
+
+ node_string = axiom_node_sub_tree_to_string(node, env);
+ reader = axiom_xml_reader_create_for_memory(env, node_string, axutil_strlen(node_string),
+ NULL,
+ AXIS2_XML_PARSER_TYPE_BUFFER);
+
+ builder = axiom_stax_builder_create(env, reader);
+ doc = axiom_document_create(env, NULL, builder);
+ clone = axiom_document_build_all(doc, env);
+
+ axiom_xml_reader_xml_free(reader, env, NULL);
+ if(node_string)
+ AXIS2_FREE(env->allocator, node_string);
+
+ return clone;
+}
\ No newline at end of file
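Review bot: `oxs_axiom_clone_node` calls `axutil_strlen(node_string)` and hands the string to the reader before the NULL check at the bottom of the function, so a failed `axiom_node_sub_tree_to_string` dereferences NULL; move the check up — `if(!node_string) return NULL;` directly after the serialisation — and also return NULL when `reader`, `builder` or `doc` come back NULL. The reader and stax builder created here are never released: the only cleanup is `axiom_xml_reader_xml_free`, which as its name suggests frees parser-allocated data rather than the reader, so every clone leaks both; Axiom provides `axiom_stax_builder_free_self` to free the builder and its reader without freeing the built tree, which is what is wanted here (confirm against the Axiom version in use). Serialise-and-reparse is also an expensive way to copy a node; it is fine for the small reference elements this commit uses it on, but a comment saying so would discourage applying it to message bodies.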
Modified: webservices/rampart/trunk/c/src/omxmlsec/openssl/hmac.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/openssl/hmac.c?rev=631958&r1=631957&r2=631958&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/openssl/hmac.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/openssl/hmac.c Thu Feb 28 05:17:12 2008
@@ -70,7 +70,8 @@
*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
openssl_p_hash(const axutil_env_t *env,
- oxs_key_t *secret,
+ unsigned char *secret,
+ unsigned int secret_len,
unsigned char *seed,
unsigned int seed_len,
unsigned char *output,
@@ -112,8 +113,8 @@
HMAC_CTX_init(&ctx);
HMAC_CTX_init(&ctx_tmp);
- HMAC_Init_ex(&ctx, oxs_key_get_data(secret, env), oxs_key_get_size(secret, env), EVP_sha1(), NULL);
- HMAC_Init_ex(&ctx_tmp, oxs_key_get_data(secret, env), oxs_key_get_size(secret, env), EVP_sha1(), NULL);
+ HMAC_Init_ex(&ctx, secret, secret_len, EVP_sha1(), NULL);
+ HMAC_Init_ex(&ctx_tmp, secret, secret_len, EVP_sha1(), NULL);
HMAC_Update(&ctx, seed, seed_len);
HMAC_Final(&ctx, A1, &A1_len);
@@ -229,7 +230,11 @@
oxs_key_set_offset(derived_key, env, offset);
key_len = length + offset;
output = (unsigned char*)AXIS2_MALLOC(env->allocator, key_len + 1);
- status = openssl_p_hash(env, secret, oxs_buffer_get_data(label_and_seed, env), oxs_buffer_get_size(label_and_seed, env), output, key_len);
+ status = openssl_p_hash(env, oxs_key_get_data(secret, env),
+ oxs_key_get_size(secret, env),
+ oxs_buffer_get_data(label_and_seed, env),
+ oxs_buffer_get_size(label_and_seed, env),
+ output, key_len);
/*output = (unsigned char*)axutil_string_substring_starting_at((axis2_char_t*)output, offset);*/
dk_id = (axis2_char_t*)oxs_util_generate_id(env, (axis2_char_t*)OXS_DERIVED_ID);
dk_name = axutil_stracat(env, "#", dk_id);
Modified: webservices/rampart/trunk/c/src/secconv/security_context_token.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/secconv/security_context_token.c?rev=631958&r1=631957&r2=631958&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/secconv/security_context_token.c (original)
+++ webservices/rampart/trunk/c/src/secconv/security_context_token.c Thu Feb 28 05:17:12 2008
@@ -25,6 +25,9 @@
oxs_buffer_t *buffer;
axis2_char_t *global_id;
axis2_char_t *local_id;
+ axiom_node_t *sct_node;
+ axiom_node_t *attached_reference;
+ axiom_node_t *unattached_reference;
};
AXIS2_EXTERN security_context_token_t *AXIS2_CALL
@@ -47,6 +50,9 @@
sct->buffer = NULL;
sct->global_id = NULL;
sct->local_id = NULL;
+ sct->sct_node = NULL;
+ sct->attached_reference = NULL;
+ sct->unattached_reference = NULL;
return sct;
}
@@ -68,6 +74,18 @@
{
AXIS2_FREE(env->allocator, sct->global_id);
}
+ if(sct->sct_node)
+ {
+ axiom_node_free_tree(sct->sct_node, env);
+ }
+ if(sct->attached_reference)
+ {
+ axiom_node_free_tree(sct->attached_reference, env);
+ }
+ if(sct->unattached_reference)
+ {
+ axiom_node_free_tree(sct->unattached_reference, env);
+ }
AXIS2_FREE(env->allocator, sct);
return;
@@ -190,6 +208,9 @@
axiom_node_t *str_token = NULL;
axiom_node_t *ref_token = NULL;
+ if(sct->attached_reference)
+ return oxs_axiom_clone_node(env, sct->attached_reference);
+
if(!sct->local_id)
{
AXIS2_LOG_INFO(env->log, "[rampart][security context token] Security context token does not have a local identifier");
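Review bot: The early return hands back `oxs_axiom_clone_node(env, sct->attached_reference)` without checking the result, so a clone failure returns NULL where the original code would have rebuilt the reference from `local_id`; the same pattern is in the next two hunks (unattached reference and token). Prefer `clone = oxs_axiom_clone_node(env, sct->attached_reference); if(clone) return clone;` and fall through to the existing builder otherwise. Each call now also gives the caller a freshly built tree it must free, which is not what a getter usually implies; say so in the header comments for these three functions.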
@@ -209,6 +230,9 @@
axiom_node_t *str_token = NULL;
axiom_node_t *ref_token = NULL;
+ if(sct->unattached_reference)
+ return oxs_axiom_clone_node(env, sct->unattached_reference);
+
if(!sct->global_id)
{
AXIS2_LOG_INFO(env->log, "[rampart][security context token] Security context token does not have a global identifier");
@@ -233,6 +257,9 @@
axiom_namespace_t *ns_obj_wsu = NULL;
axiom_attribute_t *id_attr = NULL;
+ if(sct->sct_node)
+ return oxs_axiom_clone_node(env, sct->sct_node);
+
if(!sct->global_id)
{
AXIS2_LOG_INFO(env->log, "[rampart][security context token] Security context token does not have an identifier.");
@@ -336,6 +363,7 @@
return AXIS2_FAILURE;
}
+ sct->attached_reference = oxs_axiom_clone_node(env, node);
return security_context_token_set_local_identifier(sct, env, axutil_strdup(env, local_id));
}
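Review bot: `sct->attached_reference = oxs_axiom_clone_node(env, node);` overwrites whatever clone a previous call stored, leaking it; free the old tree first: `if(sct->attached_reference) axiom_node_free_tree(sct->attached_reference, env);`. The same applies to `unattached_reference` and `sct_node` in the next two hunks. The `set_token` setter in particular now keeps a full copy of every token it is given while still returning AXIS2_SUCCESS unconditionally, so a failed clone goes unnoticed; return AXIS2_FAILURE when `node` is non-NULL but the clone is NULL.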
@@ -365,6 +393,8 @@
return AXIS2_FAILURE;
}
+ sct->unattached_reference = oxs_axiom_clone_node(env, node);
+
return security_context_token_set_global_identifier(sct, env, axutil_strdup(env, reference_id));
}
@@ -374,6 +404,7 @@
const axutil_env_t * env,
axiom_node_t *node)
{
+ sct->sct_node = oxs_axiom_clone_node(env, node);
return AXIS2_SUCCESS;
}
Modified: webservices/rampart/trunk/c/src/trust/entropy.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/trust/entropy.c?rev=631958&r1=631957&r2=631958&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/trust/entropy.c (original)
+++ webservices/rampart/trunk/c/src/trust/entropy.c Thu Feb 28 05:17:12 2008
@@ -185,6 +185,16 @@
return AXIS2_FALSE;
}
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
+trust_entropy_set_binary_secret_type(
+ trust_entropy_t *entropy,
+ const axutil_env_t *env,
+ trust_bin_sec_type_t binsec_type)
+{
+ entropy->binsec_type = binsec_type;
+ return AXIS2_SUCCESS;
+}
+
AXIS2_EXTERN axiom_node_t * AXIS2_CALL
trust_entropy_get_other(
trust_entropy_t *entropy,
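Review bot: `trust_entropy_set_binary_secret_type` writes through `entropy` with no NULL check; if the sibling setters in this file validate their first argument (not visible here), match them with `if(!entropy) return AXIS2_FAILURE;`. A one-line comment noting that the setter only records the enum value and does not validate it against the stored secret would also help readers of the header.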
Modified: webservices/rampart/trunk/c/src/trust/rstr.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/trust/rstr.c?rev=631958&r1=631957&r2=631958&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/trust/rstr.c (original)
+++ webservices/rampart/trunk/c/src/trust/rstr.c Thu Feb 28 05:17:12 2008
@@ -229,6 +229,8 @@
entropy_ele = axiom_element_get_first_child_with_qname(rstr_ele, env, entropy_qname, rstr_node, &entropy_node);
if(entropy_ele)
{
+ entropy = trust_entropy_create(env);
+ trust_entropy_set_ns_uri(entropy, env, rstr->wst_ns_uri);
if(AXIS2_SUCCESS == trust_entropy_deserialize(entropy, env, entropy_node))
{
rstr->entropy = entropy;
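Review bot: The entropy created at the top of the hunk is only stored when `trust_entropy_deserialize` succeeds; on failure the object leaks unless the `else` branch, which lies outside this hunk, releases it — if it does not, free it there with the entropy free routine from trust_entropy.h. `trust_entropy_create` is also not checked for NULL before `trust_entropy_set_ns_uri` is called on its result.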
Modified: webservices/rampart/trunk/c/src/trust/sts_client.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/trust/sts_client.c?rev=631958&r1=631957&r2=631958&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/trust/sts_client.c (original)
+++ webservices/rampart/trunk/c/src/trust/sts_client.c Thu Feb 28 05:17:12 2008
@@ -17,11 +17,25 @@
#include <trust_sts_client.h>
#include <axis2_op_client.h>
+#include <openssl_hmac.h>
#ifndef TRUST_COMPUTED_KEY_PSHA1
#define TRUST_COMPUTED_KEY_PSHA1 "P-SHA1"
#endif
+static void
+trust_sts_client_insert_entropy(
+ trust_sts_client_t *sts_client,
+ const axutil_env_t *env,
+ trust_rst_t *rst);
+
+static oxs_buffer_t*
+trust_sts_client_compute_key(
+ trust_sts_client_t *sts_client,
+ const axutil_env_t *env,
+ trust_rst_t *rst,
+ trust_rstr_t *rstr);
+
struct trust_sts_client
{
@@ -388,7 +402,7 @@
return sts_client->service_policy_location;
}
-AXIS2_EXTERN void AXIS2_CALL
+AXIS2_EXTERN oxs_buffer_t* AXIS2_CALL
trust_sts_client_request_security_token_using_policy(
trust_sts_client_t * sts_client,
const axutil_env_t * env,
@@ -415,7 +429,7 @@
if(NULL == rst)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[trust] RST is NULL: Created RST_CTX may not set to TrustContest");
- return;
+ return NULL;
}
request_type = trust_rst_get_request_type(rst, env);
@@ -424,7 +438,7 @@
if(NULL == request_type)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[trust] RST-RequestType is NOT set. RST MUST have a RequestType");
- return;
+ return NULL;
}
if(NULL == wsa_action)
@@ -444,6 +458,9 @@
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Policy setting failed.");
}
+
+ /*insert entropy if needed*/
+ trust_sts_client_insert_entropy(sts_client, env, rst);
}
/*Building the RST */
@@ -460,6 +477,13 @@
}
else
{
+ /*---- for debug ------*/
+ /*axis2_char_t *serialise_node = NULL;
+ serialise_node = axiom_node_to_string(return_node, env);
+ printf("sct reply is %s\n", serialise_node);*/
+ /*---- End for debug ------*/
+
+
/*Processing IN_MSG_CONTEXT*/
op_client = axis2_svc_client_get_op_client(sts_client->svc_client, env);
if(op_client)
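Review bot: The commented-out debug block (`serialise_node`/`printf` of the SCT reply) should not be committed; delete it rather than keep it fenced in comments. If reply tracing is wanted, emit the serialised node through AXIS2_LOG_DEBUG so it is gated by the log level — the reply carries the issuer's entropy, which this commit parses into the RSTR, so it must not reach a production log.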
@@ -470,6 +494,7 @@
{
trust_context_process_rstr(trust_context, env, in_msg_ctx);
sts_client->received_in_msg_ctx = in_msg_ctx; /*Store the in_msg_context for sec_header extentions in trust*/
+ return trust_sts_client_compute_key(sts_client, env, rst, trust_context_get_rstr(trust_context, env));
}
}
@@ -478,11 +503,159 @@
else
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[trust] RST-Not send -> RST Node building failed");
- return;
+ return NULL;
}
}
+ return NULL;
+}
+
+static void
+trust_sts_client_insert_entropy(
+ trust_sts_client_t *sts_client,
+ const axutil_env_t *env,
+ trust_rst_t *rst)
+{
+ axis2_char_t *request_type = NULL;
+ int key_size = 0;
+ axis2_char_t *nonce = NULL;
+ trust_entropy_t* entropy = NULL;
+
+ request_type = trust_rst_get_request_type(rst, env);
+
+ /*we support entropy for issue only*/
+ if(0 != axutil_strcmp(request_type, TRUST_REQ_TYPE_ISSUE))
+ return;
+
+ /*if entropy is already give, no need to create*/
+ if(trust_rst_get_entropy(rst, env))
+ return;
+
+ /*if algorithm suite is missing or trust10 is missing, then we can't proceed*/
+ if((!sts_client->algo_suite) || (!sts_client->trust10))
+ return;
+
+ /*check whether client entropy is needed. If not can return*/
+ if(!rp_trust10_get_require_client_entropy(sts_client->trust10, env))
+ return;
+
+ key_size = rp_algorithmsuite_get_max_symmetric_keylength(sts_client->algo_suite, env);
+ if (key_size <= 0)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[trust] maximum symmetric key length of issuer algorithm suite is not valid");
+ return;
+ }
+
+ /*nonce should be created with half the size. size is in bits, have to convert it to bytes*/
+ nonce = rampart_generate_nonce(env, key_size/16);
+ if(!nonce)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[trust] cannon create nonce with length %d", key_size/16);
+ return;
+ }
+
+ entropy = trust_entropy_create(env);
+ trust_entropy_set_binary_secret(entropy, env, nonce);
+ trust_entropy_set_ns_uri(entropy, env, TRUST_WST_XMLNS_05_02);
+ trust_entropy_set_binary_secret_type(entropy, env, NONCE);
+
+ trust_rst_set_key_size(rst, env, key_size);
+ trust_rst_set_entropy(rst, env, entropy);
return;
}
+static oxs_buffer_t*
+trust_sts_client_compute_key(trust_sts_client_t *sts_client,
+ const axutil_env_t *env,
+ trust_rst_t *rst,
+ trust_rstr_t *rstr)
+{
+ trust_entropy_t* requester_entropy = NULL;
+ axiom_node_t *proof_token = NULL;
+
+ /*if rstr is not valid, then can't proceed*/
+ if(!rstr)
+ return NULL;
+
+ /*if requester doesn't provide entropy, then no need to compute the key */
+ requester_entropy = trust_rst_get_entropy(rst, env);
+ if((!requester_entropy) || (!trust_entropy_get_binary_secret(requester_entropy, env)))
+ return NULL;
+ /*check the proof token whether to compute the token or not*/
+ proof_token = trust_rstr_get_requested_proof_token(rstr, env);
+
+ /*if issuer doesn't give a proof token/entropy, then requester_entropy is the key*/
+ if(!proof_token)
+ {
+ oxs_buffer_t *buffer = NULL;
+ int decoded_len = 0;
+ axis2_char_t *decoded_shared_secret = NULL;
+ axis2_char_t* shared_secret = NULL;
+
+ shared_secret = trust_entropy_get_binary_secret(requester_entropy, env);
+ decoded_len = axutil_base64_decode_len(shared_secret);
+ decoded_shared_secret = AXIS2_MALLOC(env->allocator, decoded_len);
+ axutil_base64_decode_binary((unsigned char*)decoded_shared_secret, shared_secret);
+ buffer = oxs_buffer_create(env);
+ oxs_buffer_populate(buffer, env, (unsigned char*)decoded_shared_secret, decoded_len);
+ AXIS2_FREE(env->allocator, decoded_shared_secret);
+ return buffer;
+ }
+ else
+ /*proof token is available. We have to check the content of proof token*/
+ {
+ axis2_char_t *local_name = NULL;
+ axis2_char_t *compute_key_algo = NULL;
+ trust_entropy_t* issuer_entropy = NULL;
+ int key_size = 0;
+ axis2_char_t *output = NULL;
+
+ oxs_buffer_t *buffer = NULL;
+ int requester_entropy_len = 0;
+ axis2_char_t *decoded_requester_entropy = NULL;
+ axis2_char_t *requester_nonce = NULL;
+ int issuer_entropy_len = 0;
+ axis2_char_t *decoded_issuer_entropy = NULL;
+ axis2_char_t *issuer_nonce = NULL;
+
+ local_name = axiom_util_get_localname(proof_token, env);
+ /*if local name is not ComputedKey, then we can return*/
+ if(axutil_strcmp(local_name, TRUST_COMPUTED_KEY) != 0)
+ return NULL;
+
+ key_size = trust_rst_get_key_size(rst, env)/8;
+ if(key_size <= 0)
+ return NULL;
+
+ compute_key_algo = oxs_axiom_get_node_content(env, proof_token);
+
+ buffer = oxs_buffer_create(env);
+ requester_nonce = trust_entropy_get_binary_secret(requester_entropy, env);
+ requester_entropy_len = axutil_base64_decode_len(requester_nonce);
+ decoded_requester_entropy = AXIS2_MALLOC(env->allocator, requester_entropy_len);
+ axutil_base64_decode_binary((unsigned char*)decoded_requester_entropy, requester_nonce);
+
+ issuer_entropy = trust_rstr_get_entropy(rstr, env);
+
+ /*if issuer doesn't provide entropy, we can take requester entropy as key*/
+ if((!requester_entropy) || (!trust_entropy_get_binary_secret(requester_entropy, env)))
+ {
+ oxs_buffer_populate(buffer, env, (unsigned char*)decoded_requester_entropy, requester_entropy_len);
+ AXIS2_FREE(env->allocator, decoded_requester_entropy);
+ return buffer;
+ }
+
+ issuer_nonce = trust_entropy_get_binary_secret(issuer_entropy, env);
+ issuer_entropy_len = axutil_base64_decode_len(issuer_nonce);
+ decoded_issuer_entropy = AXIS2_MALLOC(env->allocator, issuer_entropy_len);
+ axutil_base64_decode_binary((unsigned char*)decoded_issuer_entropy, issuer_nonce);
+ output = AXIS2_MALLOC(env->allocator, key_size);
+
+ openssl_p_hash(env, (unsigned char*)decoded_requester_entropy, requester_entropy_len,
+ (unsigned char*)decoded_issuer_entropy, issuer_entropy_len,
+ (unsigned char*)output, key_size);
+ oxs_buffer_populate(buffer, env, (unsigned char*)output, key_size);
+ return buffer;
+ }
+}
\ No newline at end of file
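Review bot: In `trust_sts_client_compute_key`, the condition guarding the "issuer doesn't provide entropy" branch tests `requester_entropy` — already verified non-NULL a few lines earlier — instead of `issuer_entropy`, so the branch is dead and a reply without issuer entropy dereferences NULL in `trust_entropy_get_binary_secret(issuer_entropy, env)`. `compute_key_algo` is read from the ComputedKey element but never compared with anything, so P_SHA1 is applied whatever algorithm the STS named; compare it with TRUST_COMPUTED_KEY_PSHA1 (defined at the top of this file as "P-SHA1" — confirm that matches the identifier an STS actually sends) and return NULL otherwise. The computed-key path frees none of `decoded_requester_entropy`, `decoded_issuer_entropy` or `output`, although the `!proof_token` path frees its decoded buffer right after `oxs_buffer_populate`, which indicates populate copies; these buffers hold the nonces and the derived key, so wipe them before freeing (a plain `memset` before free can be elided — use a non-elidable wipe if the project has one), and check the status of `openssl_p_hash`, which needs an `axis2_status_t status` local. Separately, `trust_sts_client_insert_entropy` pins the entropy namespace to TRUST_WST_XMLNS_05_02 regardless of the namespace the RST itself uses, and its error message reads "cannon" for "cannot".
```c
    issuer_entropy = trust_rstr_get_entropy(rstr, env);

    /* issuer gave no entropy: the requester entropy alone is the key */
    if((!issuer_entropy) || (!trust_entropy_get_binary_secret(issuer_entropy, env)))
    {
        oxs_buffer_populate(buffer, env, (unsigned char*)decoded_requester_entropy, requester_entropy_len);
        memset(decoded_requester_entropy, 0, requester_entropy_len);
        AXIS2_FREE(env->allocator, decoded_requester_entropy);
        return buffer;
    }

    /* only P-SHA1 is implemented: refuse any other ComputedKey algorithm */
    if(axutil_strcmp(compute_key_algo, TRUST_COMPUTED_KEY_PSHA1) != 0)
    {
        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[trust] unsupported ComputedKey algorithm");
        memset(decoded_requester_entropy, 0, requester_entropy_len);
        AXIS2_FREE(env->allocator, decoded_requester_entropy);
        oxs_buffer_free(buffer, env);
        return NULL;
    }

    /* … unchanged: decode issuer nonce, allocate output … */

    status = openssl_p_hash(env, (unsigned char*)decoded_requester_entropy, requester_entropy_len,
                            (unsigned char*)decoded_issuer_entropy, issuer_entropy_len,
                            (unsigned char*)output, key_size);
    if(AXIS2_SUCCESS == status)
    {
        oxs_buffer_populate(buffer, env, (unsigned char*)output, key_size);
    }
    else
    {
        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[trust] P-SHA1 key computation failed");
        oxs_buffer_free(buffer, env);
        buffer = NULL;
    }

    /* nonces and the derived key are secrets: wipe before freeing */
    memset(decoded_requester_entropy, 0, requester_entropy_len);
    memset(decoded_issuer_entropy, 0, issuer_entropy_len);
    memset(output, 0, key_size);
    AXIS2_FREE(env->allocator, decoded_requester_entropy);
    AXIS2_FREE(env->allocator, decoded_issuer_entropy);
    AXIS2_FREE(env->allocator, output);
    return buffer;
```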
Modified: webservices/rampart/trunk/c/src/util/rampart_encryption.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_encryption.c?rev=631958&r1=631957&r2=631958&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_encryption.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_encryption.c Thu Feb 28 05:17:12 2008
@@ -234,6 +234,8 @@
rp_property_t *token = NULL;
rp_property_type_t token_type;
+ oxs_key_t *derived_key = NULL;
+
axis2_bool_t signature_protection = AXIS2_FALSE;
int i = 0;
int j = 0;
@@ -352,12 +354,27 @@
/*Add ReferenceList element to the Security header. Note that we pass the sec_node. Not the EncryptedKey*/
data_ref_list_node = oxs_token_build_reference_list_element(env, sec_node);
+ /*create derived key. */
+ if(AXIS2_TRUE == use_derived_keys)
+ {
+ /*Derive a new key*/
+ derived_key = oxs_key_create(env);
+ oxs_key_set_length(derived_key, env, rampart_context_get_encryption_derived_key_len(rampart_context, env));
+ status = oxs_derivation_derive_key(env, session_key, derived_key, AXIS2_TRUE);
+
+ /*Add derived key to the list. We will create tokens*/
+ axutil_array_list_add(dk_list, env, derived_key);
+ key_reference_node = NULL;
+ }
+
/*Repeat until all encryption parts are encrypted*/
for(i=0 ; i < axutil_array_list_size(nodes_to_encrypt, env); i++)
{
axiom_node_t *node_to_enc = NULL;
oxs_ctx_t *enc_ctx = NULL;
+#if 0
oxs_key_t *derived_key = NULL;
+#endif
axis2_char_t *enc_data_id = NULL;
axiom_node_t *parent_of_node_to_enc = NULL;
axiom_node_t *enc_data_node = NULL;
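Review bot: The `#if 0` blocks introduced here and in the following hunk keep the old per-part derivation as dead text; delete them — the repository history already records the previous code. Moving `oxs_key_create`/`oxs_derivation_derive_key` ahead of the loop changes behaviour from one derived key per encrypted part to a single derived key shared by every part in the message, a deliberate protocol change that deserves a comment next to the new block, e.g. `/* one derived key is shared by every EncryptedData in this message; it is added to dk_list once so only one token is built for it */` (the existing "We will create tokens" comment is the basis for that last clause — confirm). `status` from `oxs_derivation_derive_key` is still not checked before `derived_key` is used.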
@@ -371,20 +388,22 @@
if(AXIS2_TRUE == use_derived_keys)
{
+#if 0
/*Derive a new key*/
derived_key = oxs_key_create(env);
oxs_key_set_length(derived_key, env, rampart_context_get_encryption_derived_key_len(rampart_context, env));
status = oxs_derivation_derive_key(env, session_key, derived_key, AXIS2_TRUE);
-
+#endif
/*Set the derived key for the encryption*/
oxs_ctx_set_key(enc_ctx, env, derived_key);
/*Set the ref key name to build KeyInfo element. Here the key name is the derived key id*/
oxs_ctx_set_ref_key_name(enc_ctx, env, oxs_key_get_name(derived_key, env));
-
+#if 0
/*Add derived key to the list. We will create tokens*/
axutil_array_list_add(dk_list, env, derived_key);
key_reference_node = NULL;
+#endif
}
else
{