Package com.sun.xml.wss.impl.policy.mls

Examples of com.sun.xml.wss.impl.policy.mls.SignaturePolicy$FeatureBinding


                    throw SecurableSoapMessage.newSOAPFaultException(
                            MessageConstants.WSSE_INVALID_SECURITY,
                            "Exception during Signature verfication in SAML Assertion",
                            e);
                }
                SignaturePolicy policy = (SignaturePolicy)context.getInferredPolicy();
                // will be only during verify.
//                AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
//
//                if(policy != null){
//                    keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy.newSAMLAssertionKeyBinding();
View Full Code Here


        Key returnKey = null;
        HashMap tokenCache = context.getTokenCache();
        SecurableSoapMessage secureMsg = context.getSecurableSoapMessage();
        SecurityTokenReference str = keyInfo.getSecurityTokenReference(0);
        ReferenceElement refElement = str.getReference();
        SignaturePolicy policy = (SignaturePolicy)context.getInferredPolicy();
        SignaturePolicy inferredSignaturePolicy = null;
        boolean isWSITRecipient = (context.getMode()== FilterProcessingContext.WSDL_POLICY);
        try{
            if(isWSITRecipient){
                int i = context.getInferredSecurityPolicy().size() - 1;
                inferredSignaturePolicy = (SignaturePolicy)context.getInferredSecurityPolicy().get(i);
            }
        } catch(Exception e){
            log.log(Level.SEVERE, LogStringsMessages.WSS_0250_FAILED_PROCESS_STR(), e);
            throw new XWSSecurityException(e);
        }
        // Do a case analysis based on the type of refElement.
        // X509 Token Profile supports 3 kinds of reference mechanisms.
        // Embedded Reference not considered.
        if (refElement instanceof KeyIdentifier) {
            KeyIdentifier keyId = (KeyIdentifier)refElement;
           
            if (MessageConstants.X509SubjectKeyIdentifier_NS.equals(keyId.getValueType()) ||
                    MessageConstants.X509v3SubjectKeyIdentifier_NS.equals(keyId.getValueType())) {
                if(policy != null){
                    AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
                    keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy.newX509CertificateKeyBinding();
                    keyBinding.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
                }
                if(isWSITRecipient){
                    MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
                    x509Binding.setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
                    x509Binding.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
                    if(inferredKB == null){
                        inferredSignaturePolicy.setKeyBinding(x509Binding);
                    } else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
                        if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
                            ((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
                    }
                }
                if (sig) {
                    returnKey =
                            context.getSecurityEnvironment().getPublicKey(context.getExtraneousProperties(),
                            getDecodedBase64EncodedData(keyId.getReferenceValue()));
                } else {
                    returnKey =
                            context.getSecurityEnvironment().getPrivateKey(context.getExtraneousProperties(),
                            getDecodedBase64EncodedData(keyId.getReferenceValue()));
                }
               
            } else if (MessageConstants.ThumbPrintIdentifier_NS.equals(keyId.getValueType())) {
                if(policy != null){
                    AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
                    keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy.newX509CertificateKeyBinding();
                    keyBinding.setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
                }
                if(isWSITRecipient){
                    MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
                    x509Binding.setValueType(MessageConstants.ThumbPrintIdentifier_NS);
                    x509Binding.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
                    if(inferredKB == null){
                        inferredSignaturePolicy.setKeyBinding(x509Binding);
                    } else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
                        if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
                            ((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
                    }
                }
                if (sig) {
                    returnKey =
                            context.getSecurityEnvironment().getPublicKey(
                            context.getExtraneousProperties(),
                            getDecodedBase64EncodedData(keyId.getReferenceValue()),
                            MessageConstants.THUMB_PRINT_TYPE
                            );
                } else {
                    returnKey =
                            context.getSecurityEnvironment().getPrivateKey(
                            context.getExtraneousProperties(),
                            getDecodedBase64EncodedData(keyId.getReferenceValue()),
                            MessageConstants.THUMB_PRINT_TYPE
                            );
                }
               
            } else if(MessageConstants.EncryptedKeyIdentifier_NS.equals(keyId.getValueType())){
                if(isWSITRecipient){
                    MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                    SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
                    skBinding.setKeyBinding(x509Binding);
                    //TODO: ReferenceType and ValueType not set on X509Binding
                    if(inferredKB == null){
                        inferredSignaturePolicy.setKeyBinding(skBinding);
                    } else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
                        if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
                            ((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(skBinding);
                    }
                }
                String ekSha1RefValue = (String)context.getExtraneousProperty("EncryptedKeySHA1");
                Key secretKey = (Key)context.getExtraneousProperty("SecretKey");
                String keyRefValue = keyId.getReferenceValue();
                if(ekSha1RefValue != null && secretKey != null){
                    if(ekSha1RefValue.equals(keyRefValue))
                        returnKey = secretKey;
                } else{
                    log.log(Level.SEVERE, LogStringsMessages.WSS_0240_INVALID_ENCRYPTED_KEY_SHA_1_REFERENCE());
                    String message = "EncryptedKeySHA1 reference not correct";
                    throw new XWSSecurityException(message);
                }
               
            } else if (MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE.equals(keyId.getValueType()) ||
                    MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE.equals(keyId.getValueType())) {
                // Its a SAML Assertion, retrieve the assertion
                if(policy != null){
                    AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
                    keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy.newSAMLAssertionKeyBinding();
                    keyBinding.setReferenceType(keyId.getValueType());
                }
               
                String assertionID = keyId.getDecodedReferenceValue();
                Element samlAssertion = resolveSAMLToken(str, assertionID,context);
                if(isWSITRecipient){
                    MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                    IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
                    if(inferredKB == null){
                        if (context.hasIssuedToken()){
                            inferredSignaturePolicy.setKeyBinding(itkBinding);
                        }else{
                            inferredSignaturePolicy.setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
                        }
                    } else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
                        if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
                            ((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(itkBinding);
                    }
                }
                returnKey = resolveSamlAssertion(secureMsg,samlAssertion, sig,context, assertionID);
                if (context.hasIssuedToken() && returnKey != null){
                    SecurityUtil.initInferredIssuedTokenContext(context,str, returnKey);
                }
               
            } else {
                if(policy != null){
                    AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
                    keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy.newSAMLAssertionKeyBinding();
                }
                Element samlAssertion = null;
                String assertionID = keyId.getDecodedReferenceValue();
                try{
                    samlAssertion = resolveSAMLToken(str, assertionID,context);
                }catch(Exception ex){
                    //ignore
                }
                if (samlAssertion != null) {
                    if(isWSITRecipient){
                        MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                        IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
                        if(inferredKB == null){
                            if (context.hasIssuedToken()){
                                inferredSignaturePolicy.setKeyBinding(itkBinding);
                            }else{
                                inferredSignaturePolicy.setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
                            }
                        } else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
                            if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
                                ((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(itkBinding);
                        }
                    }
                    returnKey = resolveSamlAssertion(secureMsg,samlAssertion, sig,context, assertionID);
                    if (context.hasIssuedToken() && returnKey != null){
                        SecurityUtil.initInferredIssuedTokenContext(context,str, returnKey);
                    }
                } else {
                    // now assume its an X509Token
                    // Note: the code below assumes base64 EncodingType for X509 SKI
                    if(isWSITRecipient){
                        MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                        AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
                        x509Binding.setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
                        x509Binding.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
                        if(inferredKB == null){
                            inferredSignaturePolicy.setKeyBinding(x509Binding);
                        } else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
                            if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
                                ((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
                        }
                    }
                    if (sig) {
                        returnKey =
                                context.getSecurityEnvironment().getPublicKey(context.getExtraneousProperties(),
                                getDecodedBase64EncodedData(keyId.getReferenceValue()));
                    } else {
                        returnKey =
                                context.getSecurityEnvironment().getPrivateKey(context.getExtraneousProperties(),
                                getDecodedBase64EncodedData(keyId.getReferenceValue()));
                    }
                }
            }
        } else if (refElement instanceof DirectReference) {
            String uri = ((DirectReference) refElement).getURI();
           
            // will be only during verify.
            AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
            String valueType = ((DirectReference) refElement).getValueType();
            if (MessageConstants.DKT_VALUETYPE.equals(valueType) ||
                    MessageConstants.DKT_13_VALUETYPE.equals(valueType)){
                //TODO: this will work for now but need to handle this case here later
                valueType = null;
            }
           
            if(policy != null){
                keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy.newX509CertificateKeyBinding();
                keyBinding.setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
                keyBinding.setValueType(valueType);
            }
           
            if (MessageConstants.X509v3_NS.equals(valueType)||MessageConstants.X509v1_NS.equals(valueType)) {
                // its an X509 Token
                HashMap insertedX509Cache = context.getInsertedX509Cache();
                String wsuId = secureMsg.getIdFromFragmentRef(uri);
                X509SecurityToken token = (X509SecurityToken)insertedX509Cache.get(wsuId);
                if(token == null)
                    token =(X509SecurityToken)resolveToken(wsuId,context,secureMsg);
                if(isWSITRecipient){
                    MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
                    x509Binding.setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
                    x509Binding.setValueType(valueType);
                    if(inferredKB == null){
                        inferredSignaturePolicy.setKeyBinding(x509Binding);
                    } else  if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
                        if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
                            ((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
                    }
                }
                returnKey = resolveX509Token(secureMsg, token, sig,context);
               
            } else if(MessageConstants.EncryptedKey_NS.equals(valueType)){
                // Do default processing
                String wsuId = secureMsg.getIdFromFragmentRef(uri);
                SecurityToken token =resolveToken(wsuId,context,secureMsg);
                //TODO: STR is referring to EncryptedKey
                KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken)token).getKeyInfo();
                SecurityTokenReference sectr = kiHB.getSecurityTokenReference(0);
               
                //TODO: PLUGFEST Algorithm hardcoded for now
                //String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
                // restore Backward compatibility
                String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
                if (context.getAlgorithmSuite() != null) {
                    dataEncAlgo = context.getAlgorithmSuite().getEncryptionAlgorithm();
                }else{
                    if (context.getDataEncryptionAlgorithm() != null){
                        dataEncAlgo = context.getDataEncryptionAlgorithm();
                    }
                }
                try{
                    Element cipherData = (Element)((EncryptedKeyToken)token).getAsSoapElement().getChildElements(new QName(MessageConstants.XENC_NS, "CipherData", MessageConstants.XENC_PREFIX)).next();
                    String cipherValue = cipherData.getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent();
                    byte[] decodedCipher = Base64.decode(cipherValue);
                    byte[] ekSha1 = MessageDigest.getInstance("SHA-1").digest(decodedCipher);
                    String encEkSha1 = Base64.encode(ekSha1);
                    context.setExtraneousProperty(MessageConstants.EK_SHA1_VALUE, encEkSha1);
                } catch(Exception e){
                    log.log(Level.SEVERE, LogStringsMessages.WSS_0241_UNABLETO_SET_EKSHA_1_ON_CONTEXT(), e);
                    throw new XWSSecurityException(e);
                }
                if(isWSITRecipient){
                    MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                    SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
                    skBinding.setKeyBinding(x509Binding);
                    //TODO: ReferenceType and ValueType not set on X509Binding
                    if(inferredKB == null){
                        inferredSignaturePolicy.setKeyBinding(skBinding);
                    } else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
                        if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
                            ((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(skBinding);
                    }
                }
                returnKey = ((EncryptedKeyToken)token).getSecretKey(getKey(kiHB, sig, context), dataEncAlgo);
                context.setExtraneousProperty(MessageConstants.SECRET_KEY_VALUE, returnKey);
               
            } else if (MessageConstants.SCT_VALUETYPE.equals(valueType) || MessageConstants.SCT_13_VALUETYPE.equals(valueType)) {
                // could be wsuId or SCT Session Id
                String sctId = secureMsg.getIdFromFragmentRef(uri);
                SecurityToken token = (SecurityToken)tokenCache.get(sctId);
               
                if(token == null){
                    token = SecurityUtil.locateBySCTId(context, uri);
                    if (token == null) {
                        token = resolveToken(sctId, context, secureMsg);
                    }
                    if(token == null){
                        log.log(Level.SEVERE, LogStringsMessages.WSS_0242_UNABLETO_LOCATE_SCT());
                        throw new XWSSecurityException("SCT Token with Id "+sctId+ "not found");
                    }else{
                        tokenCache.put(sctId, token);
                    }
                }
               
                if (token instanceof SecurityContextToken) {
                    //handling for SecurityContext Token
                    byte[] proofKey = resolveSCT(context, (SecurityContextTokenImpl)token, sig);
                    String encAlgo = "AES"; //hardcoding for now
                    if (context.getAlgorithmSuite() != null) {
                        encAlgo = SecurityUtil.getSecretKeyAlgorithm(context.getAlgorithmSuite().getEncryptionAlgorithm());
                    }
                    if(isWSITRecipient){
                        MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                        SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
                        if(inferredKB == null){
                            inferredSignaturePolicy.setKeyBinding(sctBinding);
                        } else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
                            if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
                                ((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(sctBinding);
                        }
                    }
                    returnKey = new SecretKeySpec(proofKey, encAlgo);
                   
                } else {
                    log.log(Level.SEVERE, LogStringsMessages.WSS_0243_INVALID_VALUE_TYPE_NON_SCT_TOKEN());
                    throw new XWSSecurityException("Incorrect ValueType: " + MessageConstants.SCT_VALUETYPE + ", specified for a Non SCT Token");
                }
               
            } else if (null == valueType) {
                // Do default processing
                String wsuId = secureMsg.getIdFromFragmentRef(uri);
                SecurityToken token = SecurityUtil.locateBySCTId(context, wsuId);
                if (token == null) {
                    token =resolveToken(wsuId,context,secureMsg);
                }
                if (token instanceof X509SecurityToken) {
                    if(isWSITRecipient){
                        MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                        AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
                        x509Binding.setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
                        if(inferredKB == null){
                            inferredSignaturePolicy.setKeyBinding(x509Binding);
                        } else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
                            if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
                                ((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
                        }
                    }
                    returnKey = resolveX509Token(secureMsg, (X509SecurityToken)token, sig,context);
                } else if (token instanceof EncryptedKeyToken) {
                    //TODO: STR is referring to EncryptedKey
                    KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken)token).getKeyInfo();
                    SecurityTokenReference sectr = kiHB.getSecurityTokenReference(0);
                    ReferenceElement refElem = sectr.getReference();
                    String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
                    //restoring BC
                    //String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
                    if (context.getAlgorithmSuite() != null) {
                        dataEncAlgo = context.getAlgorithmSuite().getEncryptionAlgorithm();
                    }else{
                        if (context.getDataEncryptionAlgorithm() != null){
                            dataEncAlgo = context.getDataEncryptionAlgorithm();
                        }
                    }
                    try{
                        Element cipherData = (Element)((EncryptedKeyToken)token).getAsSoapElement().getChildElements(new QName(MessageConstants.XENC_NS, "CipherData", MessageConstants.XENC_PREFIX)).next();
                        String cipherValue = cipherData.getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent();
                        byte[] decodedCipher = Base64.decode(cipherValue);
                        byte[] ekSha1 = MessageDigest.getInstance("SHA-1").digest(decodedCipher);
                        String encEkSha1 = Base64.encode(ekSha1);
                        context.setExtraneousProperty(MessageConstants.EK_SHA1_VALUE, encEkSha1);
                    } catch(Exception e){
                        log.log(Level.SEVERE, LogStringsMessages.WSS_0241_UNABLETO_SET_EKSHA_1_ON_CONTEXT(), e);
                        throw new XWSSecurityException(e);
                    }
                    if(isWSITRecipient){
                        MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                        SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
                        AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
                        skBinding.setKeyBinding(x509Binding);
                        //TODO: ReferenceType and ValueType not set on X509Binding
                        if(inferredKB == null){
                            inferredSignaturePolicy.setKeyBinding(skBinding);
                        } else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
                            if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
                                ((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(skBinding);
                        }
                    }
                    returnKey = ((EncryptedKeyToken)token).getSecretKey(getKey(kiHB, sig, context), dataEncAlgo);
                    context.setExtraneousProperty(MessageConstants.SECRET_KEY_VALUE, returnKey);
                   
                } else if (token instanceof SecurityContextToken) {
                    //handling for SecurityContext Token
                    byte[] proofKey = resolveSCT(context, (SecurityContextTokenImpl)token, sig);
                    String encAlgo = "AES"; //default algo
                    if (context.getAlgorithmSuite() != null) {
                        encAlgo = SecurityUtil.getSecretKeyAlgorithm(context.getAlgorithmSuite().getEncryptionAlgorithm());
                    }
                    if(isWSITRecipient){
                        MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                        SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
                        if(inferredKB == null){
                            inferredSignaturePolicy.setKeyBinding(sctBinding);
                        } else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
                            if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
                                ((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(sctBinding);
                        }
                    }
                    returnKey = new SecretKeySpec(proofKey, encAlgo);
                   
                } else if (token instanceof DerivedKeyTokenHeaderBlock){
                    if(isWSITRecipient){
                        MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                        DerivedTokenKeyBinding dtkBinding = new DerivedTokenKeyBinding();
                        if(inferredKB == null){
                            inferredSignaturePolicy.setKeyBinding(dtkBinding);
                        } else{
                            log.log(Level.SEVERE, LogStringsMessages.WSS_0244_INVALID_LEVEL_DKT());
                            throw new XWSSecurityException("A derived Key Token should be a top level key binding");
                        }
                    }
                    returnKey = resolveDKT(context, (DerivedKeyTokenHeaderBlock)token);
                } else {
                    String message = " Cannot Resolve URI " + uri;
                    log.log(Level.SEVERE,LogStringsMessages.WSS_0337_UNSUPPORTED_DIRECTREF_MECHANISM(message),
                            new Object[] {message});
                    XWSSecurityException xwsse = new XWSSecurityException(message);
                    throw SecurableSoapMessage.newSOAPFaultException(
                            MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE,
                            xwsse.getMessage(), xwsse);
                }
            } else {
                log.log(
                        Level.SEVERE,
                        LogStringsMessages.WSS_0337_UNSUPPORTED_DIRECTREF_MECHANISM(((DirectReference)refElement).getValueType()),
                        new Object[] {((DirectReference)refElement).getValueType()});
                XWSSecurityException xwsse =
                        new XWSSecurityException(
                        "unsupported directreference ValueType "
                        + ((DirectReference) refElement).getValueType());
                throw SecurableSoapMessage.newSOAPFaultException(
                        MessageConstants.WSSE_INVALID_SECURITY_TOKEN,
                        xwsse.getMessage(), xwsse);
            }
        } else if (refElement instanceof X509IssuerSerial) {
            BigInteger serialNumber = ((X509IssuerSerial) refElement).getSerialNumber();
            String issuerName = ((X509IssuerSerial) refElement).getIssuerName();
           
            if(isWSITRecipient){
                MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
                AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
                x509Binding.setReferenceType(MessageConstants.X509_ISSUER_TYPE);
                if(inferredKB == null){
                    inferredSignaturePolicy.setKeyBinding(x509Binding);
                } else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
                    if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
                        ((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
                }
            }
View Full Code Here

                            if (et.getValue().equals(Target.BODY)) {
                                securedBody = true;
                            }
                        }
                    } else if (PolicyTypeUtil.signaturePolicy(wp)) {
                        SignaturePolicy sp = (SignaturePolicy) wp;
                        ArrayList list = ((SignaturePolicy.FeatureBinding) sp.getFeatureBinding()).getTargetBindings();
                        for (int ei = 0; ei < list.size(); ei++) {
                            SignatureTarget st = (SignatureTarget) list.get(ei);
                            //if(st.getValue() == Target.BODY){
                            if (st.getValue().equals(Target.BODY)) {
                                securedBody = true;
View Full Code Here

        this.currentParentNS.putAll(namespaceList);
        this.creator = sbc;
        this.securityContext = jpc.getSecurityContext();
        this.context = jpc;
        cacheSignature = true;
        signPolicy = new SignaturePolicy();
        signPolicy.setFeatureBinding(new SignaturePolicy.FeatureBinding());
        //signatureFactory = JAXBSignatureFactory.newInstance();
    }
View Full Code Here

        this.currentParentNS.putAll(namespaceList);
        this.creator = sbc;
        this.securityContext = jpc.getSecurityContext();
        this.context = jpc;
        cacheSignature = cacheSig;
        signPolicy = new SignaturePolicy();
        signPolicy.setFeatureBinding(new SignaturePolicy.FeatureBinding());
    }
View Full Code Here

     */
    @SuppressWarnings("unchecked")
    public static int sign(FilterProcessingContext context) throws XWSSecurityException {
       
        try{
            SignaturePolicy signaturePolicy  = (SignaturePolicy)context.getSecurityPolicy();
            SOAPMessage soapMessage = context.getSOAPMessage();
            //Dependant on secure soap meesage.
            //discuss and refactor.
            SecurableSoapMessage secureMessage = context.getSecurableSoapMessage();
            WSSPolicy keyBinding = (WSSPolicy)signaturePolicy.getKeyBinding();
            if(logger.isLoggable(Level.FINEST)){
                logger.log(Level.FINEST, "KeyBinding is "+keyBinding);
            }
           
            Key signingKey = null;
            Node nextSibling =  null;
            //TODO :: Creation of WSSPolicyConsumerImpl every time.
            WSSPolicyConsumerImpl dsigHelper = WSSPolicyConsumerImpl.getInstance();
            KeyInfo keyInfo = null;
            SecurityHeader securityHeader = secureMessage.findOrCreateSecurityHeader();
           
            SignaturePolicy.FeatureBinding featureBinding =
                    (SignaturePolicy.FeatureBinding)signaturePolicy.getFeatureBinding();
            AlgorithmSuite algSuite = context.getAlgorithmSuite();
           
            boolean wss11Receiver = "true".equals(context.getExtraneousProperty("EnableWSS11PolicyReceiver"));
            boolean wss11Sender = "true".equals(context.getExtraneousProperty("EnableWSS11PolicySender"));
            boolean wss10 = !wss11Sender;
            boolean sendEKSHA1 =  wss11Receiver && wss11Sender && (getEKSHA1Ref(context) != null);
           
            if (PolicyTypeUtil.usernameTokenPolicy(keyBinding)) {
                logger.log(Level.SEVERE, LogStringsMessages.WSS_1326_UNSUPPORTED_USERNAMETOKEN_KEYBINDING());
                throw new XWSSecurityException("UsernameToken as KeyBinding for SignaturePolicy is Not Yet Supported");
            } else if ( PolicyTypeUtil.derivedTokenKeyBinding(keyBinding)) {
                DerivedTokenKeyBinding dtk = (DerivedTokenKeyBinding)keyBinding.clone();
               
                WSSPolicy originalKeyBinding = dtk.getOriginalKeyBinding();
               
                String algorithm = null;
                if(algSuite != null){
                    algorithm = algSuite.getEncryptionAlgorithm();
                }
                String jceAlgo = SecurityUtil.getSecretKeyAlgorithm(algorithm);
                //The offset and length to be used for DKT
                //TODO: PLUGFEST the length here should be set correctly
                long offset = 0; // Default 0
                long length = SecurityUtil.getLengthFromAlgorithm(algorithm);
                if(length == 32) length = 24;
               
                if (PolicyTypeUtil.x509CertificateBinding(originalKeyBinding)) {
                    // this is becuase SecurityPolicy Converter never produces this combination
                    logger.log(Level.SEVERE, LogStringsMessages.WSS_1327_UNSUPPORTED_ASYMMETRICBINDING_DERIVEDKEY_X_509_TOKEN());
                    throw new XWSSecurityException("Asymmetric Binding with DerivedKeys under X509Token Policy Not Yet Supported");
                } else if ( PolicyTypeUtil.symmetricKeyBinding(originalKeyBinding)) {
                   
                    SymmetricKeyBinding skb = null;
                    if ( context.getSymmetricKeyBinding() != null) {
                        skb = context.getSymmetricKeyBinding();
                        context.setSymmetricKeyBinding(null);
                    }
                    //Construct a derivedKeyToken to be used
                    Key originalKey = null;
                    if(context.getCurrentSecret() != null){
                        originalKey = context.getCurrentSecret();
                    }else{
                        originalKey = skb.getSecretKey();
                        context.setCurrentSecret(originalKey);
                    }
                    byte[] secret = originalKey.getEncoded();
                    DerivedKeyToken dkt = new DerivedKeyTokenImpl(offset, length, secret);
                    //get the signing key for signature from derivedkeyToken
                    signingKey = dkt.generateSymmetricKey(jceAlgo);
                   
                    Node[] nxtSiblingContainer = new Node[1];
                    keyInfo = prepareForSymmetricKeySignature(context, keyBinding, originalKey, signaturePolicy, nxtSiblingContainer, null, dkt);
                    nextSibling = nxtSiblingContainer[0];
                   
                } else if ( PolicyTypeUtil.issuedTokenKeyBinding(originalKeyBinding)) {
                    byte[] prfKey = context.getTrustContext().getProofKey();
                    if (prfKey == null) {
                        //handle Asymmetric Issued Token
                        X509Certificate cert =
                                context.getTrustContext().getRequestorCertificate();
                        if (cert == null){
                            logger.log(Level.SEVERE, LogStringsMessages.WSS_1328_ILLEGAL_CERTIFICATE_KEY_NULL());
                            throw new XWSSecurityException(
                                    "Requestor Certificate and Proof Key are both null for Issued Token");
                        }
                        signingKey = context.getSecurityEnvironment().
                                getPrivateKey(context.getExtraneousProperties(), cert);
                       
                        //Get the IssuedToken and insert it into the message
                        GenericToken issuedToken =
                                (GenericToken)context.getTrustContext().getSecurityToken();
                        Element elem = (Element)issuedToken.getTokenValue();
                        SOAPElement tokenElem =
                                XMLUtil.convertToSoapElement(secureMessage.getSOAPPart(), elem);
                        //FIX for Issue 26: We need an Id to cache and MS is not setting in
                        //some cases
                        String tokId = tokenElem.getAttribute("Id");
                        if ("".equals(tokId) &&
                                MessageConstants.ENCRYPTED_DATA_LNAME.equals(
                                tokenElem.getLocalName())) {
                            tokenElem.setAttribute("Id", secureMessage.generateId());
                        }
                        context.getTokenCache().put(keyBinding.getUUID(), tokenElem);
                        IssuedTokenKeyBinding ikb = (IssuedTokenKeyBinding)originalKeyBinding;
                        String iTokenType = ikb.getIncludeToken();
                        boolean includeToken =  (ikb.INCLUDE_ALWAYS_TO_RECIPIENT.equals(iTokenType) ||
                                                 ikb.INCLUDE_ALWAYS.equals(iTokenType) ||
                                                 ikb.INCLUDE_ALWAYS_VER2.equals(iTokenType) ||
                                                 ikb.INCLUDE_ALWAYS_TO_RECIPIENT_VER2.equals(iTokenType)
                                                );
                        Element strElem = null;
                       
                        if (includeToken) {
                            strElem =(Element)context.getTrustContext().
                                    getAttachedSecurityTokenReference().getTokenValue();
                        }else  {
                            strElem = (Element)context.getTrustContext().
                                    getUnAttachedSecurityTokenReference().getTokenValue();
                        }
                        //TODO: remove these expensive conversions
                        Element imported = (Element)
                        secureMessage.getSOAPPart().importNode(strElem,true);
                        SecurityTokenReference str = new SecurityTokenReference(
                                XMLUtil.convertToSoapElement(secureMessage.getSOAPPart(),
                                (Element)imported.cloneNode(true)), false);
                       
                        if (tokenElem != null) {
                            if(includeToken) {
                                secureMessage.findOrCreateSecurityHeader().
                                        insertHeaderBlockElement(tokenElem);
                                nextSibling = tokenElem.getNextSibling();
                               
                            } else {
                                nextSibling =  null;
                            }
                            context.setIssuedSAMLToken(tokenElem);
                        }
                        keyInfo = dsigHelper.constructKeyInfo(signaturePolicy,str);
                        SecurityUtil.updateSamlVsKeyCache(str, context, cert.getPublicKey());
                    } else {
                        DerivedKeyToken dkt = new DerivedKeyTokenImpl(offset, length, prfKey);
                        signingKey = dkt.generateSymmetricKey(jceAlgo);
                        Node[] nxtSiblingContainer = new Node[1];
                        //NOTE: passing the proofKey here as original key
                        String secretKeyAlg = "AES";
                        if (algSuite != null) {
                            secretKeyAlg = SecurityUtil.getSecretKeyAlgorithm(algSuite.getEncryptionAlgorithm());
                        }
                        Key originalKey = new SecretKeySpec(prfKey, secretKeyAlg);
                        keyInfo = prepareForSymmetricKeySignature(
                                context, keyBinding, originalKey, signaturePolicy, nxtSiblingContainer, null, dkt);
                        nextSibling = nxtSiblingContainer[0];
                    }
                } else if (PolicyTypeUtil.secureConversationTokenKeyBinding(originalKeyBinding)) {
                   
                    DerivedKeyToken dkt = new DerivedKeyTokenImpl(offset, length, context.getSecureConversationContext().getProofKey());
                    //get the signing key for signature from derivedkeyToken
                    signingKey = dkt.generateSymmetricKey(jceAlgo);
                    Node[] nxtSiblingContainer = new Node[1];
                    keyInfo = prepareForSymmetricKeySignature(context, keyBinding, null, signaturePolicy, nxtSiblingContainer, null, dkt);
                    nextSibling = nxtSiblingContainer[0];
                }
               
            } else if ( PolicyTypeUtil.issuedTokenKeyBinding(keyBinding)) {
                Node[] nxtSiblingContainer = new Node[1];
                // look for the proof token inside the IssuedToken
                byte[] proofKey = context.getTrustContext().getProofKey();
                if (proofKey == null) {
                    //handle Asymmetric Issued Token
                    X509Certificate cert =
                            context.getTrustContext().getRequestorCertificate();
                    if (cert == null){
                        logger.log(Level.SEVERE,LogStringsMessages.WSS_1328_ILLEGAL_CERTIFICATE_KEY_NULL());
                        throw new XWSSecurityException(
                                "Requestor Certificate and Proof Key are both null for Issued Token");
                    }
                    signingKey = context.getSecurityEnvironment().
                            getPrivateKey(context.getExtraneousProperties(), cert);
                   
                    //Get the IssuedToken and insert it into the message
                    GenericToken issuedToken =
                            (GenericToken)context.getTrustContext().getSecurityToken();
                    Element elem = (Element)issuedToken.getTokenValue();
                    SOAPElement tokenElem =
                            XMLUtil.convertToSoapElement(secureMessage.getSOAPPart(), elem);
                    //FIX for Issue 26: We need an Id to cache and MS is not setting in
                    //some cases
                    String tokId = tokenElem.getAttribute("Id");
                    if ("".equals(tokId) &&
                            MessageConstants.ENCRYPTED_DATA_LNAME.equals(
                            tokenElem.getLocalName())) {
                        tokenElem.setAttribute("Id", secureMessage.generateId());
                    }
                    context.getTokenCache().put(keyBinding.getUUID(), tokenElem);
                    IssuedTokenKeyBinding ikb = (IssuedTokenKeyBinding)keyBinding;
                    String iTokenType = ikb.getIncludeToken();
                    boolean includeToken =  (ikb.INCLUDE_ALWAYS_TO_RECIPIENT.equals(iTokenType) ||
                                                 ikb.INCLUDE_ALWAYS.equals(iTokenType) ||
                                                 ikb.INCLUDE_ALWAYS_VER2.equals(iTokenType) ||
                                                 ikb.INCLUDE_ALWAYS_TO_RECIPIENT_VER2.equals(iTokenType)
                                                );
                    Element strElem = null;
                   
                    if (includeToken) {
                        strElem =(Element)context.getTrustContext().
                                getAttachedSecurityTokenReference().getTokenValue();
                    }else  {
                        strElem = (Element)context.getTrustContext().
                                getUnAttachedSecurityTokenReference().getTokenValue();
                    }
                    //TODO: remove these expensive conversions
                    Element imported = (Element)
                    secureMessage.getSOAPPart().importNode(strElem,true);
                    SecurityTokenReference str = new SecurityTokenReference(
                            XMLUtil.convertToSoapElement(secureMessage.getSOAPPart(),
                            (Element)imported.cloneNode(true)), false);
                   
                    if (tokenElem != null) {
                        if(includeToken) {
                            secureMessage.findOrCreateSecurityHeader().
                                    insertHeaderBlockElement(tokenElem);
                            nextSibling = tokenElem.getNextSibling();
                           
                        } else {
                            nextSibling =  null;
                        }
                        context.setIssuedSAMLToken(tokenElem);
                    }
                    keyInfo = dsigHelper.constructKeyInfo(signaturePolicy,str);
                    SecurityUtil.updateSamlVsKeyCache(str, context, cert.getPublicKey());
                } else {
                    // symmetric issued
                    String secretKeyAlg = "AES"; // hardcoding to AES for now
                    if (algSuite != null) {
                        secretKeyAlg = SecurityUtil.getSecretKeyAlgorithm(algSuite.getEncryptionAlgorithm());
                    }
                    //TODO: assuming proofkey is a byte array in case of Trust as well
                    signingKey = new SecretKeySpec(proofKey, secretKeyAlg);
                    keyInfo = prepareForSymmetricKeySignature(
                            context, keyBinding, signingKey, signaturePolicy, nxtSiblingContainer, null, null);
                    nextSibling = nxtSiblingContainer[0];
                }
               
            } else if (PolicyTypeUtil.secureConversationTokenKeyBinding(keyBinding)) {
               
                //Hack to get the nextSibling node from prepareForSymmetricKeySignature
                Node[] nxtSiblingContainer = new Node[1];
                keyInfo = prepareForSymmetricKeySignature(
                        context, keyBinding, null, signaturePolicy, nxtSiblingContainer, null, null);
               
                // look for the proof token inside the secureConversationToken
                String secretKeyAlg = "AES"; // hardcoding to AES for now
                if (algSuite != null) {
                    secretKeyAlg = SecurityUtil.getSecretKeyAlgorithm(algSuite.getEncryptionAlgorithm());
                }
                signingKey = new SecretKeySpec(context.getSecureConversationContext().getProofKey(), secretKeyAlg);
                nextSibling = nxtSiblingContainer[0];
               
            } else if(PolicyTypeUtil.x509CertificateBinding(keyBinding)) {
               
                AuthenticationTokenPolicy.X509CertificateBinding certInfo = null;
                if ( context.getX509CertificateBinding() != null ) {
                    certInfo = context.getX509CertificateBinding();
                    context.setX509CertificateBinding(null);
                } else {
                    certInfo = (AuthenticationTokenPolicy.X509CertificateBinding)keyBinding;
                }
               
                PrivateKeyBinding privKBinding  = (PrivateKeyBinding)certInfo.getKeyBinding();
                signingKey = privKBinding.getPrivateKey();
               
                Node[] nxtSiblingContainer = new Node[1];
                keyInfo = handleX509Binding(context, signaturePolicy, certInfo, nxtSiblingContainer);
                nextSibling = nxtSiblingContainer[0];
               
            } else if (PolicyTypeUtil.samlTokenPolicy(keyBinding)) {
                // populate the policy, the handler should also add a privateKey binding for HOK
               
                AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding =
                        (AuthenticationTokenPolicy.SAMLAssertionBinding)keyBinding;
                PrivateKeyBinding privKBinding  = (PrivateKeyBinding)samlBinding.getKeyBinding();
                if (privKBinding == null) {
                    logger.log(Level.SEVERE, LogStringsMessages.WSS_1329_NULL_PRIVATEKEYBINDING_SAML_POLICY());
                    throw new XWSSecurityException("PrivateKey binding not set for SAML Policy by CallbackHandler");
                }
               
                signingKey = privKBinding.getPrivateKey();
               
                if (signingKey == null) {
                    logger.log(Level.SEVERE, LogStringsMessages.WSS_1330_NULL_PRIVATEKEY_SAML_POLICY());
                    throw new XWSSecurityException("PrivateKey null inside PrivateKeyBinding set for SAML Policy ");
                }
               
                String referenceType = samlBinding.getReferenceType();
                if (referenceType.equals(MessageConstants.EMBEDDED_REFERENCE_TYPE)) {
                    logger.log(Level.SEVERE, LogStringsMessages.WSS_1331_UNSUPPORTED_EMBEDDED_REFERENCE_SAML());
                    throw new XWSSecurityException("Embedded Reference Type for SAML Assertions not supported yet");
                }
               
                String assertionId = samlBinding.getAssertionId();
                Element _assertion = samlBinding.getAssertion();
                Element _authorityBinding = samlBinding.getAuthorityBinding();
               
                if (assertionId == null) {
                    if (_assertion == null) {
                        logger.log(Level.SEVERE, LogStringsMessages.WSS_1332_NULL_SAML_ASSERTION_SAML_ASSERTION_ID());
                        throw new XWSSecurityException(
                                "None of SAML Assertion, SAML Assertion Id information was set into " +
                                " the Policy by the CallbackHandler");
                    }
                    if(_assertion.getAttributeNode("ID") != null){
                        assertionId = _assertion.getAttribute("ID");
                    }else{
                        assertionId = _assertion.getAttribute("AssertionID");
                    }
                }
               
                SecurityTokenReference tokenRef = new SecurityTokenReference(secureMessage.getSOAPPart());
                String strId = samlBinding.getSTRID();
                if(strId == null){
                    strId = secureMessage.generateId();
                }
                tokenRef.setWsuId(strId);
                // set wsse11:TokenType to SAML1.1 or SAML2.0
                if(_assertion.getAttributeNode("ID") != null){
                    tokenRef.setTokenType(MessageConstants.WSSE_SAML_v2_0_TOKEN_TYPE);
                }else{
                    tokenRef.setTokenType(MessageConstants.WSSE_SAML_v1_1_TOKEN_TYPE);
                }
               
                if (_authorityBinding != null) {
                    tokenRef.setSamlAuthorityBinding(_authorityBinding,
                            secureMessage.getSOAPPart());
                }
               
                if ((_assertion != null) && (_authorityBinding == null)) {
                    //insert the SAML Assertion
                    SamlAssertionHeaderBlock samlHeaderblock =
                            new SamlAssertionHeaderBlock(_assertion, secureMessage.getSOAPPart());
                    secureMessage.findOrCreateSecurityHeader().insertHeaderBlock(samlHeaderblock);
                    // setting ValueType of Keydentifier to SAML1.1 0r SAML2.0
                    KeyIdentifierStrategy strat = new KeyIdentifierStrategy(assertionId);
                    strat.insertKey(tokenRef, secureMessage);
                    keyInfo = dsigHelper.constructKeyInfo(signaturePolicy, tokenRef);
                   
                    nextSibling = samlHeaderblock.getAsSoapElement().getNextSibling();
                } else {
                    nextSibling = securityHeader.getNextSiblingOfTimestamp();
                }
            }else if(PolicyTypeUtil.symmetricKeyBinding(keyBinding)){
                SymmetricKeyBinding skb = null;
                if ( context.getSymmetricKeyBinding() != null) {
                    skb = context.getSymmetricKeyBinding();
                    context.setSymmetricKeyBinding(null);
                } else {
                    skb = (SymmetricKeyBinding)keyBinding;
                }
               
                // sign method is HMACSHA-1 for symmetric keys
                if(!skb.getKeyIdentifier().equals(MessageConstants._EMPTY)){
                    signingKey = skb.getSecretKey();
                    String symmetricKeyName = skb.getKeyIdentifier();
                   
                    keyInfo = dsigHelper.constructKeyInfo(signaturePolicy, symmetricKeyName);
                    nextSibling = securityHeader.getNextSiblingOfTimestamp();
                } else if(sendEKSHA1){
                    //get the signing key and EKSHA1 reference from the Subject, it was stored from the incoming message
                    String ekSha1Ref = getEKSHA1Ref(context);
                    signingKey = skb.getSecretKey();
                   
                    SecurityTokenReference secTokenRef = new SecurityTokenReference(secureMessage.getSOAPPart());
                   
                    EncryptedKeySHA1Identifier refElem = new EncryptedKeySHA1Identifier(secureMessage.getSOAPPart());
                    refElem.setReferenceValue(ekSha1Ref);
                    secTokenRef.setReference(refElem);
                   
                    //set the wsse11:TokenType attribute as required by WSS 1.1
                    //secTokenRef.setTokenType(MessageConstants.EncryptedKey_NS);
                   
                    keyInfo = dsigHelper.constructKeyInfo(signaturePolicy, secTokenRef);
                    nextSibling = securityHeader.getNextSiblingOfTimestamp();
                   
                    //TODO: the below condition is always true
                }else if(wss11Sender || wss10){
                    signingKey = skb.getSecretKey();
                   
                    AuthenticationTokenPolicy.X509CertificateBinding x509Binding = null;
                    X509Certificate cert = null;
                    if(!skb.getCertAlias().equals(MessageConstants._EMPTY)){
                        x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
                        x509Binding.newPrivateKeyBinding();
                        x509Binding.setCertificateIdentifier(skb.getCertAlias());
                        cert = context.getSecurityEnvironment().getCertificate(context.getExtraneousProperties(), x509Binding.getCertificateIdentifier(), false);
                        x509Binding.setX509Certificate(cert);
                       
                        x509Binding.setReferenceType("Direct");
                    }else if ( context.getX509CertificateBinding() != null ) {
                        x509Binding = context.getX509CertificateBinding();
                        context.setX509CertificateBinding(null);
                        cert = x509Binding.getX509Certificate();
                    }
                   
                    HashMap tokenCache = context.getTokenCache();
                    HashMap insertedX509Cache = context.getInsertedX509Cache();
                    String x509id = x509Binding.getUUID();
                    if(x509id == null || x509id.equals("")){
                        x509id = secureMessage.generateId();
                    }
                   
                    SecurityUtil.checkIncludeTokenPolicy(context, x509Binding, x509id);
                   
                    String keyEncAlgo = XMLCipher.RSA_v1dot5;  //<--Harcoding of Algo
                    String tmp = null;
                    if(algSuite != null){
                        tmp = algSuite.getAsymmetricKeyAlgorithm();
                    }
                    if(tmp != null && !"".equals(tmp)){
                        keyEncAlgo = tmp;
                    }
                    String referenceType =  x509Binding.getReferenceType();
                    if(referenceType.equals("Identifier") && x509Binding.getValueType().equals(MessageConstants.X509v1_NS)){
                        logger.log(Level.SEVERE, LogStringsMessages.WSS_1333_UNSUPPORTED_KEYIDENTIFER_X_509_V_1());
                        throw new XWSSecurityException("Key Identifier strategy in X509v1 is not supported");
                    }
                    KeyInfoStrategy  strategy = KeyInfoStrategy.getInstance(referenceType);
                    KeyInfoHeaderBlock keyInfoBlock  = null;
                    secureMessage = context.getSecurableSoapMessage();
                    dsigHelper = WSSPolicyConsumerImpl.getInstance();
                   
                    //Check to see if same x509 token used for Signature and Encryption
                    X509SecurityToken token = null;
                    cert = x509Binding.getX509Certificate();
                    String x509TokenId = x509Binding.getUUID();
                    //String x509TokenId = x509Binding.getPolicyToken().getTokenId();
                    boolean tokenInserted = false;
                   
                    //insert x509 token in tokencache always irrespective of reference type
                    if(x509TokenId == null || x509TokenId.equals("")){
                        x509TokenId = secureMessage.generateId();
                    }
                   
                    token = (X509SecurityToken)tokenCache.get(x509TokenId);
                   
                    //reference type adjustment in checkIncludePolicy might
                    // have inserted x509
                    X509SecurityToken insertedx509 =
                            (X509SecurityToken)context.getInsertedX509Cache().get(x509TokenId);
                   
                    if (token == null) {
                        String valueType = x509Binding.getValueType();
                        if(valueType==null||valueType.equals("")){
                            //default valueType for X509 as v3
                            valueType = MessageConstants.X509v3_NS;
                        }
                        token = new X509SecurityToken(secureMessage.getSOAPPart(), cert, x509TokenId, valueType);
                        tokenCache.put(x509TokenId, token);
                    } else{
                        tokenInserted = true;
                    }
                    String id = null;
                    HashMap ekCache = context.getEncryptedKeyCache();
                    if(!tokenInserted){
                        context.setCurrentSecret(signingKey);
                        //Store SymmetricKey generated in ProcessingContext
                        context.setExtraneousProperty("SecretKey", signingKey);
                        keyInfoBlock = new KeyInfoHeaderBlock(secureMessage.getSOAPPart());
                        strategy.setCertificate(cert);
                        strategy.insertKey(keyInfoBlock, secureMessage, x509TokenId);
                        org.apache.xml.security.keys.KeyInfo apacheKeyInfo = keyInfoBlock.getKeyInfo();
                        //create an encrypted Key
                        EncryptedKey encryptedKey = null;
                        XMLCipher keyEncryptor = null;
                        try{
                            keyEncryptor = XMLCipher.getInstance(keyEncAlgo);
                            keyEncryptor.init(XMLCipher.WRAP_MODE, cert.getPublicKey());
                            if (keyEncryptor != null) {
                                encryptedKey = keyEncryptor.encryptKey(secureMessage.getSOAPPart(), signingKey);
                            }
                        }catch(Exception e){
                            logger.log(Level.SEVERE, LogStringsMessages.WSS_1334_ERROR_CREATING_ENCRYPTEDKEY());
                            throw new XWSSecurityException(e);
                        }
                        id = secureMessage.generateId();
                        encryptedKey.setId(id);
                        ekCache.put(x509TokenId, id);
                        // set its KeyInfo
                        encryptedKey.setKeyInfo(apacheKeyInfo);
                       
                        // insert the EK into the SOAPMessage
                        SOAPElement se = (SOAPElement)keyEncryptor.martial(encryptedKey);
                        if (insertedx509 == null) {
                            secureMessage.findOrCreateSecurityHeader().insertHeaderBlockElement(se);
                        } else {
                            secureMessage.findOrCreateSecurityHeader().insertBefore(se,insertedx509.getNextSibling());
                        }
                       
                        //store EKSHA1 of KeyValue contents in context
                        Element cipherData = (Element)se.getChildElements(new QName(MessageConstants.XENC_NS, "CipherData", MessageConstants.XENC_PREFIX)).next();
                        String cipherValue = cipherData.getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent();
                        byte[] decodedCipher = Base64.decode(cipherValue);
                        byte[] ekSha1 = MessageDigest.getInstance("SHA-1").digest(decodedCipher);
                        String encEkSha1 = Base64.encode(ekSha1);
                        context.setExtraneousProperty("EncryptedKeySHA1", encEkSha1);
                        nextSibling = se.getNextSibling();
                    } else{
                       
                        id = (String)ekCache.get(x509TokenId);
                        signingKey = context.getCurrentSecret();
                        nextSibling = secureMessage.getElementById(id).getNextSibling();
                    }
                    //insert the token as the first child in SecurityHeader -- if same token was not already
                    // inserted by Encryption
                    if (MessageConstants.DIRECT_REFERENCE_TYPE.equals(referenceType) && insertedx509 == null){
                        secureMessage.findOrCreateSecurityHeader().insertHeaderBlock(token);
                        insertedX509Cache.put(x509TokenId, token);
                    }
                   
                    //STR for the KeyInfo of signature
                    SecurityTokenReference secTokenRef = new SecurityTokenReference(secureMessage.getSOAPPart());
                    DirectReference reference = new DirectReference();
                    String strId = x509Binding.getSTRID();
                    if(strId == null){
                        strId = secureMessage.generateId();
                    }
                    secTokenRef.setWsuId(strId);
                    //TODO: PLUGFEST Microsoft setting EK on reference inseatd of STR
                    //secTokenRef.setTokenType(MessageConstants.EncryptedKey_NS);
                    //set id of encrypted key
                    reference.setURI("#"+id);
                    reference.setValueType(MessageConstants.EncryptedKey_NS);
                    secTokenRef.setReference(reference);
                    keyInfo = dsigHelper.constructKeyInfo(signaturePolicy,secTokenRef);
                   
                }
            }else {
                logger.log(Level.SEVERE,LogStringsMessages.WSS_1335_UNSUPPORTED_KEYBINDING_SIGNATUREPOLICY());
                throw new XWSSecurityException("Unsupported Key Binding for SignaturePolicy");
            }
           
            // Put UsernameToken above signature
            NodeList nodeList = securityHeader.getElementsByTagNameNS(MessageConstants.WSSE_NS, MessageConstants.USERNAME_TOKEN_LNAME);
            if(nodeList != null && nodeList.getLength() > 0){
                nextSibling = nodeList.item(0).getNextSibling();
            }
           
            // if currentReflist is non-null it means we are doing E before S
            Node refList = context.getCurrentRefList();
            if (refList != null) {
                nextSibling = refList;
                //reset it after using once to null.
                context.setCurrentReferenceList(null);
            }
           
            if(featureBinding.isEndorsingSignature()){
                nextSibling = securityHeader.getLastChild().getNextSibling();
            }
           
            SignedInfo signedInfo = WSSPolicyConsumerImpl.getInstance().constructSignedInfo(context);
            DOMSignContext signContext = null;
            if(nextSibling == null){
                signContext = new DOMSignContext(signingKey,securityHeader.getAsSoapElement());//firstChildElement);
            }else{
                signContext = new DOMSignContext(signingKey,securityHeader.getAsSoapElement(),nextSibling);
            }
            signContext.setURIDereferencer(DSigResolver.getInstance());
            XMLSignature signature = dsigHelper.constructSignature(signedInfo, keyInfo, signaturePolicy.getUUID());
            signContext.put(MessageConstants.WSS_PROCESSING_CONTEXT, context);
            signContext.putNamespacePrefix(MessageConstants.DSIG_NS, MessageConstants.DSIG_PREFIX);
//            XMLUtils.circumventBug2650(context.getSecurableSoapMessage().getSOAPPart());
            signature.sign(signContext);
           
View Full Code Here

            //End SignatureConfirmation specific code
           
            validationContext.setURIDereferencer(DSigResolver.getInstance());
            // Validate the XMLSignature (generated above)
            validationContext.put(MessageConstants.WSS_PROCESSING_CONTEXT, context);
            SignaturePolicy currentMessagePolicy = null;
            if(context.getMode() == FilterProcessingContext.ADHOC ||
                    context.getMode() == FilterProcessingContext.POSTHOC){
                currentMessagePolicy = new SignaturePolicy();
                context.setInferredPolicy(currentMessagePolicy);
            } else if (context.getMode() == FilterProcessingContext.WSDL_POLICY) {
                currentMessagePolicy = new SignaturePolicy();
                context.getInferredSecurityPolicy().append(currentMessagePolicy);
            }
           
//            XMLUtils.circumventBug2650(context.getSecurableSoapMessage().getSOAPPart());
            boolean coreValidity = signature.validate(validationContext);
            SecurityPolicy securityPolicy = context.getSecurityPolicy();
           
            boolean isBSP = false;
            if(securityPolicy != null) {
                if (PolicyTypeUtil.messagePolicy(securityPolicy)) {
                    isBSP = ((MessagePolicy)securityPolicy).isBSP();
                } else {
                    isBSP = ((WSSPolicy)securityPolicy).isBSP();
                }
            }
           
           
            // Check core validation status
            if (coreValidity == false) {
               
                if(logger.isLoggable(Level.FINEST)){
                    logger.log(Level.FINEST,"Signature failed core validation");
                    boolean sv = signature.getSignatureValue().validate(validationContext);
                    logger.log(Level.FINEST,"Signature validation status: " + sv);
                    // check the validation status of each Reference
                    Iterator i = signature.getSignedInfo().getReferences().iterator();
                    for (int j=0; i.hasNext(); j++) {
                        Reference ref = (Reference) i.next();
                        logger.log(Level.FINEST,"Reference ID "+ref.getId());
                        logger.log(Level.FINEST,"Reference URI "+ref.getURI());
                        boolean refValid =
                                ref.validate(validationContext);
                        logger.log(Level.FINEST,"Reference["+j+"] validity status: " + refValid);
                    }
                }
                    logger.log(Level.SEVERE, LogStringsMessages.WSS_1315_SIGNATURE_VERIFICATION_FAILED());
                XWSSecurityException xwsse =   new XWSSecurityException("Signature verification failed");
                throw SecurableSoapMessage.newSOAPFaultException(
                        MessageConstants.WSSE_FAILED_CHECK,"Signature verification failed ",xwsse);
            } else {
                if(logger.isLoggable(Level.FINEST)){
                    logger.log(Level.FINE,"Signature Passed Core Validation");
                }
                SignedInfo signInfo = signature.getSignedInfo();
                if (isBSP) {
                    Iterator i = signInfo.getReferences().iterator();
                    for (int j=0; i.hasNext(); j++) {
                        Reference reference = (Reference) i.next();
                       
                        Iterator t = reference.getTransforms().iterator();
                        for (int index=0; t.hasNext(); index++) {
                            Transform transform = (Transform) t.next();
                            if (Transform.ENVELOPED.equals(transform.getAlgorithm())) {
                                logger.log(Level.SEVERE, LogStringsMessages.WSS_1336_ILLEGAL_ENVELOPEDSIGNATURE());
                                throw new XWSSecurityException("Enveloped signatures not permitted by BSP");
                            }
                            if (MessageConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS.equals(transform.getAlgorithm())) {
                                //check the inclusiveprefix list is not empty
                                if (transform.getParameterSpec()!=null) {
                                    ExcC14NParameterSpec spec = (ExcC14NParameterSpec)transform.getParameterSpec();
                                    if (spec.getPrefixList().isEmpty())
                                        logger.log(Level.SEVERE, LogStringsMessages.WSS_1337_INVALID_EMPTYPREFIXLIST());
                                        throw new XWSSecurityException("Prefix List cannot be empty: violation of BSP 5407");
                                }
                            }
                        }
                    }
                }
                if(context.getMode() == FilterProcessingContext.POSTHOC){
                    //TODO: handle SAML KeyBinding here
                    MessagePolicy policy = (MessagePolicy) context.getSecurityPolicy();
                    dsigUtil.constructSignaturePolicy(signInfo, policy.isBSP(),currentMessagePolicy);
                    policy.append(currentMessagePolicy);
                }
               
                if(context.getMode() == FilterProcessingContext.ADHOC){
                    //throws Exception for now , need to throw only
                    //appropriate errors.
                    //Next step do it more efficiently.
                    verifyRequirements(context,signature,validationContext);
                    SignaturePolicy policy =(SignaturePolicy) context.getSecurityPolicy();
                    dsigUtil.constructSignaturePolicy(signInfo, policy.isBSP(),currentMessagePolicy);
                    SignaturePolicyVerifier spv = new SignaturePolicyVerifier(context);
                    spv.verifyPolicy(policy,currentMessagePolicy);
                   
                    if(logger.isLoggable(Level.FINEST)){
                        logger.log(Level.FINE,"Reciever Requirements  are met");
View Full Code Here

     */
    @SuppressWarnings("unchecked")
    public static void verifyRequirements(FilterProcessingContext context ,
            XMLSignature signature,DOMValidateContext validationContext )throws Exception{
       
        SignaturePolicy policy =(SignaturePolicy) context.getSecurityPolicy();
        SignaturePolicy.FeatureBinding featureBinding = (SignaturePolicy.FeatureBinding)policy.getFeatureBinding();
        WSSPolicyConsumerImpl dsigUtil = WSSPolicyConsumerImpl.getInstance();
        ArrayList targets = featureBinding.getTargetBindings();
        if(targets == null || targets.size() == 0){
            return;
        }
View Full Code Here

    /**
     * @param signedInfo
     * @return SignaturePolicy
     */
    public SignaturePolicy constructSignaturePolicy(SignedInfo signedInfo, boolean isBSP){
        SignaturePolicy policy = new SignaturePolicy();
        constructSignaturePolicy(signedInfo,isBSP,policy);
        return policy;
    }
View Full Code Here

        }
    }
   
    private SignedInfo generateSignedInfo(FilterProcessingContext fpContext)
    throws PolicyGenerationException,NoSuchAlgorithmException,InvalidAlgorithmParameterException ,XWSSecurityException{
        SignaturePolicy signaturePolicy = (SignaturePolicy) fpContext.getSecurityPolicy();
        SignaturePolicy.FeatureBinding featureBinding = (SignaturePolicy.FeatureBinding)signaturePolicy.getFeatureBinding();
        MLSPolicy keyBinding = signaturePolicy.getKeyBinding();
        XMLSignatureFactory signatureFactory = getSignatureFactory();
        SecurableSoapMessage secureMessage = fpContext.getSecurableSoapMessage();
        String canonicalAlgo = featureBinding.getCanonicalizationAlgorithm();
        boolean disableInclusivePrefix = featureBinding.getDisableInclusivePrefix();
        //String digestAlgo = featureBinding.getDigestAlgorithm();
View Full Code Here

TOP

Related Classes of com.sun.xml.wss.impl.policy.mls.SignaturePolicy$FeatureBinding

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.