/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.ws.security.message.token;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.util.DOM2Writer;
import org.apache.ws.security.util.DateUtil;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.ws.security.util.XmlSchemaDateFormat;
import org.apache.ws.security.util.Base64;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.Text;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.text.DateFormat;
import java.util.TimeZone;
/**
* UsernameToken according to WS Security specifications, UsernameToken profile.
*
* Enhanced to support digest password type for username token signature
* Enhanced to support passwordless usernametokens as allowed by spec.
*
* @author Davanum Srinivas (dims@yahoo.com)
* @author Werner Dittmann (Werner.Dittmann@t-online.de)
*/
public class UsernameToken {
public static final String BASE64_ENCODING = WSConstants.SOAPMESSAGE_NS + "#Base64Binary";
public static final String PASSWORD_TYPE = "passwordType";
public static final int DEFAULT_ITERATION = 1000;
public static final QName TOKEN =
new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN);
private static final org.apache.commons.logging.Log LOG =
org.apache.commons.logging.LogFactory.getLog(UsernameToken.class);
private static final boolean DO_DEBUG = LOG.isDebugEnabled();
protected Element element = null;
protected Element elementUsername = null;
protected Element elementPassword = null;
protected Element elementNonce = null;
protected Element elementCreated = null;
protected Element elementSalt = null;
protected Element elementIteration = null;
protected String passwordType = null;
protected boolean hashed = true;
private String rawPassword; // enhancement by Alberto Coletti
private boolean passwordsAreEncoded = false;
private boolean bspCompliantDerivedKey = true;
private Date createdDate;
/**
* Constructs a <code>UsernameToken</code> object and parses the
* <code>wsse:UsernameToken</code> element to initialize it.
*
* @param elem the <code>wsse:UsernameToken</code> element that contains
* the UsernameToken data
* @throws WSSecurityException
*/
public UsernameToken(Element elem) throws WSSecurityException {
this (elem, false, true);
}
/**
* Constructs a <code>UsernameToken</code> object and parses the
* <code>wsse:UsernameToken</code> element to initialize it.
*
* @param elem the <code>wsse:UsernameToken</code> element that contains
* the UsernameToken data
* @param allowNamespaceQualifiedPasswordTypes whether to allow (wsse)
* namespace qualified password types or not (for interop with WCF)
* @param bspCompliant whether the UsernameToken processing complies with the BSP spec
* @throws WSSecurityException
*/
public UsernameToken(
Element elem,
boolean allowNamespaceQualifiedPasswordTypes,
boolean bspCompliant
) throws WSSecurityException {
element = elem;
QName el = new QName(element.getNamespaceURI(), element.getLocalName());
if (!el.equals(TOKEN)) {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY_TOKEN,
"badUsernameToken"
);
}
elementUsername =
WSSecurityUtil.getDirectChildElement(
element, WSConstants.USERNAME_LN, WSConstants.WSSE_NS
);
elementPassword =
WSSecurityUtil.getDirectChildElement(
element, WSConstants.PASSWORD_LN, WSConstants.WSSE_NS
);
elementNonce =
WSSecurityUtil.getDirectChildElement(
element, WSConstants.NONCE_LN, WSConstants.WSSE_NS
);
elementCreated =
WSSecurityUtil.getDirectChildElement(
element, WSConstants.CREATED_LN, WSConstants.WSU_NS
);
elementSalt =
WSSecurityUtil.getDirectChildElement(
element, WSConstants.SALT_LN, WSConstants.WSSE11_NS
);
elementIteration =
WSSecurityUtil.getDirectChildElement(
element, WSConstants.ITERATION_LN, WSConstants.WSSE11_NS
);
if (elementUsername == null) {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY_TOKEN,
"badUsernameToken"
);
}
if (bspCompliant) {
checkBSPCompliance();
}
hashed = false;
if (elementSalt != null) {
//
// If the UsernameToken is to be used for key derivation, the (1.1)
// spec says that it cannot contain a password, and it must contain
// an Iteration element
//
if (elementPassword != null || elementIteration == null) {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY_TOKEN,
"badUsernameToken"
);
}
return;
}
// Guard against a malicious user sending a bogus iteration value
if (elementIteration != null) {
String iter = nodeString(elementIteration);
if (iter != null) {
int iterInt = Integer.parseInt(iter);
if (iterInt < 0 || iterInt > 10000) {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY_TOKEN,
"badUsernameToken"
);
}
}
}
if (elementPassword != null) {
if (elementPassword.hasAttribute(WSConstants.PASSWORD_TYPE_ATTR)) {
passwordType = elementPassword.getAttributeNS(null, WSConstants.PASSWORD_TYPE_ATTR);
} else if (elementPassword.hasAttributeNS(
WSConstants.WSSE_NS, WSConstants.PASSWORD_TYPE_ATTR)
) {
if (allowNamespaceQualifiedPasswordTypes) {
passwordType =
elementPassword.getAttributeNS(
WSConstants.WSSE_NS, WSConstants.PASSWORD_TYPE_ATTR
);
} else {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY_TOKEN,
"badUsernameToken"
);
}
}
}
if (WSConstants.PASSWORD_DIGEST.equals(passwordType)) {
hashed = true;
if (elementNonce == null || elementCreated == null) {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY_TOKEN,
"badUsernameToken"
);
}
}
if (elementCreated != null) {
String createdString = getCreated();
if (createdString != null && !"".equals(createdString)) {
DateFormat zulu = new XmlSchemaDateFormat();
if (bspCompliant) {
zulu.setLenient(false);
}
try {
createdDate = zulu.parse(createdString);
} catch (ParseException e) {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY, "invalidTimestamp", null, e
);
}
}
}
}
/**
* Constructs a <code>UsernameToken</code> object according to the defined
* parameters. <p/> This constructs set the password encoding to
* {@link WSConstants#PASSWORD_DIGEST}
*
* @param doc the SOAP envelope as <code>Document</code>
*/
public UsernameToken(boolean milliseconds, Document doc) {
this(milliseconds, doc, WSConstants.PASSWORD_DIGEST);
}
/**
* Constructs a <code>UsernameToken</code> object according to the defined
* parameters.
*
* @param doc the SOAP envelope as <code>Document</code>
* @param pwType the required password encoding, either
* {@link WSConstants#PASSWORD_DIGEST} or
* {@link WSConstants#PASSWORD_TEXT} or
* {@link WSConstants#PW_NONE} <code>null</code> if no
* password required
*/
public UsernameToken(boolean milliseconds, Document doc, String pwType) {
element =
doc.createElementNS(WSConstants.WSSE_NS, "wsse:" + WSConstants.USERNAME_TOKEN_LN);
elementUsername =
doc.createElementNS(WSConstants.WSSE_NS, "wsse:" + WSConstants.USERNAME_LN);
elementUsername.appendChild(doc.createTextNode(""));
element.appendChild(elementUsername);
if (pwType != null) {
elementPassword =
doc.createElementNS(WSConstants.WSSE_NS, "wsse:" + WSConstants.PASSWORD_LN);
elementPassword.appendChild(doc.createTextNode(""));
element.appendChild(elementPassword);
passwordType = pwType;
if (passwordType.equals(WSConstants.PASSWORD_DIGEST)) {
addNonce(doc);
addCreated(milliseconds, doc);
} else {
hashed = false;
}
}
}
/**
* Add the WSSE Namespace to this UT. The namespace is not added by default for
* efficiency purposes.
*/
public void addWSSENamespace() {
WSSecurityUtil.setNamespace(element, WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX);
}
/**
* Add the WSU Namespace to this UT. The namespace is not added by default for
* efficiency purposes.
*/
public void addWSUNamespace() {
WSSecurityUtil.setNamespace(element, WSConstants.WSU_NS, WSConstants.WSU_PREFIX);
}
/**
* Creates and adds a Nonce element to this UsernameToken
*/
public void addNonce(Document doc) {
if (elementNonce != null) {
return;
}
byte[] nonceValue = null;
try {
nonceValue = WSSecurityUtil.generateNonce(16);
} catch (WSSecurityException ex) {
LOG.debug(ex.getMessage(), ex);
return;
}
elementNonce = doc.createElementNS(WSConstants.WSSE_NS, "wsse:" + WSConstants.NONCE_LN);
elementNonce.appendChild(doc.createTextNode(Base64.encode(nonceValue)));
elementNonce.setAttributeNS(null, "EncodingType", BASE64_ENCODING);
element.appendChild(elementNonce);
}
/**
* Creates and adds a Created element to this UsernameToken
*/
public void addCreated(boolean milliseconds, Document doc) {
if (elementCreated != null) {
return;
}
DateFormat zulu = null;
if (milliseconds) {
zulu = new XmlSchemaDateFormat();
} else {
zulu = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
zulu.setTimeZone(TimeZone.getTimeZone("UTC"));
}
elementCreated =
doc.createElementNS(
WSConstants.WSU_NS, WSConstants.WSU_PREFIX + ":" + WSConstants.CREATED_LN
);
Date currentTime = new Date();
elementCreated.appendChild(doc.createTextNode(zulu.format(currentTime)));
element.appendChild(elementCreated);
}
/**
* Adds and optionally creates a Salt element to this UsernameToken.
*
* If the <code>saltValue</code> is <code>null</code> the the method
* generates a new salt. Otherwise it uses the the given value.
*
* @param doc The Document for the UsernameToken
* @param saltValue The salt to add, if null generate a new salt value
* @param mac If <code>true</code> then an optionally generated value is
* usable for a MAC
* @return Returns the added salt
*/
public byte[] addSalt(Document doc, byte[] saltValue, boolean mac) {
if (saltValue == null) {
saltValue = generateSalt(mac);
}
elementSalt =
doc.createElementNS(
WSConstants.WSSE11_NS, WSConstants.WSSE11_PREFIX + ":" + WSConstants.SALT_LN
);
WSSecurityUtil.setNamespace(element, WSConstants.WSSE11_NS, WSConstants.WSSE11_PREFIX);
elementSalt.appendChild(doc.createTextNode(Base64.encode(saltValue)));
element.appendChild(elementSalt);
return saltValue;
}
/**
* Creates and adds a Iteration element to this UsernameToken
*/
public void addIteration(Document doc, int iteration) {
String text = "" + iteration;
elementIteration =
doc.createElementNS(
WSConstants.WSSE11_NS, WSConstants.WSSE11_PREFIX + ":" + WSConstants.ITERATION_LN
);
WSSecurityUtil.setNamespace(element, WSConstants.WSSE11_NS, WSConstants.WSSE11_PREFIX);
elementIteration.appendChild(doc.createTextNode(text));
element.appendChild(elementIteration);
}
/**
* Get the user name.
*
* @return the data from the user name element.
*/
public String getName() {
return nodeString(elementUsername);
}
/**
* Set the user name.
*
* @param name sets a text node containing the use name into the user name
* element.
*/
public void setName(String name) {
Text node = getFirstNode(elementUsername);
node.setData(name);
}
/**
* Get the nonce.
*
* @return the data from the nonce element.
*/
public String getNonce() {
return nodeString(elementNonce);
}
/**
* Get the created timestamp.
*
* @return the data from the created time element.
*/
public String getCreated() {
return nodeString(elementCreated);
}
/**
* Return the Created Element as a Date object
* @return the Created Date
*/
public Date getCreatedDate() {
return createdDate;
}
/**
* Gets the password string. This is the password as it is in the password
* element of a username token. Thus it can be either plain text or the
* password digest value.
*
* @return the password string or <code>null</code> if no such node exists.
*/
public String getPassword() {
String password = nodeString(elementPassword);
// See WSS-219
if (password == null && elementPassword != null) {
return "";
}
return password;
}
/**
* Return true if this UsernameToken contains a Password element
*/
public boolean containsPasswordElement() {
return elementPassword != null;
}
/**
* Get the Salt value of this UsernameToken.
*
* @return Returns the binary Salt value or <code>null</code> if no Salt
* value is available in the username token.
* @throws WSSecurityException
*/
public byte[] getSalt() throws WSSecurityException {
String salt = nodeString(elementSalt);
if (salt != null) {
return Base64.decode(salt);
}
return null;
}
/**
* Get the Iteration value of this UsernameToken.
*
* @return Returns the Iteration value. If no Iteration was specified in the
* username token the default value according to the specification
* is returned.
*/
public int getIteration() {
String iter = nodeString(elementIteration);
if (iter != null) {
return Integer.parseInt(iter);
}
return DEFAULT_ITERATION;
}
/**
* Get the hashed indicator. If the indicator is <code>true> the password of the
* <code>UsernameToken</code> was encoded using {@link WSConstants#PASSWORD_DIGEST}
*
* @return the hashed indicator.
*/
public boolean isHashed() {
return hashed;
}
/**
* @return Returns the passwordType.
*/
public String getPasswordType() {
return passwordType;
}
/**
* Sets the password string. This function sets the password in the
* <code>UsernameToken</code> either as plain text or encodes the password
* according to the WS Security specifications, UsernameToken profile, into
* a password digest.
*
* @param pwd the password to use
*/
public void setPassword(String pwd) {
if (pwd == null) {
if (passwordType != null) {
throw new IllegalArgumentException("pwd == null but a password is needed");
} else {
// Ignore setting the password.
return;
}
}
rawPassword = pwd; // enhancement by Alberto coletti
Text node = getFirstNode(elementPassword);
try {
if (hashed) {
if (passwordsAreEncoded) {
node.setData(doPasswordDigest(getNonce(), getCreated(), Base64.decode(pwd)));
} else {
node.setData(doPasswordDigest(getNonce(), getCreated(), pwd));
}
} else {
node.setData(pwd);
}
if (passwordType != null) {
elementPassword.setAttributeNS(null, "Type", passwordType);
}
} catch (Exception e) {
if (DO_DEBUG) {
LOG.debug(e.getMessage(), e);
}
}
}
/**
* Set the raw (plain text) password used to compute secret key.
*/
public void setRawPassword(RequestData data) throws WSSecurityException {
WSPasswordCallback pwCb =
new WSPasswordCallback(
getName(), getPassword(), getPasswordType(),
WSPasswordCallback.USERNAME_TOKEN, data
);
if (data.getCallbackHandler() == null) {
LOG.debug("CallbackHandler is null");
throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
}
try {
data.getCallbackHandler().handle(new Callback[]{pwCb});
} catch (IOException e) {
if (LOG.isDebugEnabled()) {
LOG.debug(e);
}
throw new WSSecurityException(
WSSecurityException.FAILED_AUTHENTICATION, null, null, e
);
} catch (UnsupportedCallbackException e) {
if (LOG.isDebugEnabled()) {
LOG.debug(e);
}
throw new WSSecurityException(
WSSecurityException.FAILED_AUTHENTICATION, null, null, e
);
}
rawPassword = pwCb.getPassword();
}
/**
* @param passwordsAreEncoded whether passwords are encoded
*/
public void setPasswordsAreEncoded(boolean passwordsAreEncoded) {
this.passwordsAreEncoded = passwordsAreEncoded;
}
/**
* @return whether passwords are encoded
*/
public boolean getPasswordsAreEncoded() {
return passwordsAreEncoded;
}
public static String doPasswordDigest(String nonce, String created, byte[] password) {
String passwdDigest = null;
try {
byte[] b1 = nonce != null ? Base64.decode(nonce) : new byte[0];
byte[] b2 = created != null ? created.getBytes("UTF-8") : new byte[0];
byte[] b3 = password;
byte[] b4 = new byte[b1.length + b2.length + b3.length];
int offset = 0;
System.arraycopy(b1, 0, b4, offset, b1.length);
offset += b1.length;
System.arraycopy(b2, 0, b4, offset, b2.length);
offset += b2.length;
System.arraycopy(b3, 0, b4, offset, b3.length);
byte[] digestBytes = WSSecurityUtil.generateDigest(b4);
passwdDigest = Base64.encode(digestBytes);
} catch (Exception e) {
if (DO_DEBUG) {
LOG.debug(e.getMessage(), e);
}
}
return passwdDigest;
}
public static String doPasswordDigest(String nonce, String created, String password) {
String passwdDigest = null;
try {
passwdDigest = doPasswordDigest(nonce, created, password.getBytes("UTF-8"));
} catch (Exception e) {
if (DO_DEBUG) {
LOG.debug(e.getMessage(), e);
}
}
return passwdDigest;
}
/**
* Returns the first text node of an element.
*
* @param e the element to get the node from
* @return the first text node or <code>null</code> if node is null or is
* not a text node
*/
private Text getFirstNode(Element e) {
Node node = e.getFirstChild();
return (node != null && Node.TEXT_NODE == node.getNodeType()) ? (Text) node : null;
}
/**
* Returns the data of an element as String or null if either the the element
* does not contain a Text node or the node is empty.
*
* @param e DOM element
* @return Element text node data as String
*/
private String nodeString(Element e) {
if (e != null) {
Node node = e.getFirstChild();
StringBuilder builder = new StringBuilder();
boolean found = false;
while (node != null) {
if (Node.TEXT_NODE == node.getNodeType()) {
found = true;
builder.append(((Text)node).getData());
}
node = node.getNextSibling();
}
if (!found) {
return null;
}
return builder.toString();
}
return null;
}
/**
* Returns the dom element of this <code>UsernameToken</code> object.
*
* @return the <code>wsse:UsernameToken</code> element
*/
public Element getElement() {
return element;
}
/**
* Returns the string representation of the token.
*
* @return a XML string representation
*/
public String toString() {
return DOM2Writer.nodeToString((Node)element);
}
/**
* Gets the id.
*
* @return the value of the <code>wsu:Id</code> attribute of this username
* token
*/
public String getID() {
return element.getAttributeNS(WSConstants.WSU_NS, "Id");
}
/**
* Set the id of this username token.
*
* @param id
* the value for the <code>wsu:Id</code> attribute of this
* username token
*/
public void setID(String id) {
element.setAttributeNS(WSConstants.WSU_NS, WSConstants.WSU_PREFIX + ":Id", id);
}
/**
* Gets the secret key as per WS-Trust spec. This method uses default setting
* to generate the secret key. These default values are suitable for .NET
* WSE.
*
* @return a secret key constructed from information contained in this
* username token
*/
public byte[] getSecretKey() {
return getSecretKey(WSConstants.WSE_DERIVED_KEY_LEN, WSConstants.LABEL_FOR_DERIVED_KEY);
}
/**
* Gets the secret key as per WS-Trust spec. This method uses default setting
* to generate the secret key. These default values are suitable for .NET
* WSE.
*
* @return a secret key constructed from information contained in this
* username token
*/
public byte[] getSecretKey(int keylen) {
return getSecretKey(keylen, WSConstants.LABEL_FOR_DERIVED_KEY);
}
/**
* Gets the secret key as per WS-Trust spec.
*
* @param keylen How many bytes to generate for the key
* @param labelString the label used to generate the seed
* @return a secret key constructed from information contained in this
* username token
*/
public byte[] getSecretKey(int keylen, String labelString) {
byte[] key = null;
try {
Mac mac = Mac.getInstance("HMACSHA1");
byte[] password;
if (passwordsAreEncoded) {
password = Base64.decode(rawPassword);
} else {
password = rawPassword.getBytes("UTF-8"); // enhancement by Alberto Coletti
}
byte[] label = labelString.getBytes("UTF-8");
byte[] nonce = Base64.decode(getNonce());
byte[] created = getCreated().getBytes("UTF-8");
byte[] seed = new byte[label.length + nonce.length + created.length];
int offset = 0;
System.arraycopy(label, 0, seed, offset, label.length);
offset += label.length;
System.arraycopy(nonce, 0, seed, offset, nonce.length);
offset += nonce.length;
System.arraycopy(created, 0, seed, offset, created.length);
key = P_hash(password, seed, mac, keylen);
if (LOG.isDebugEnabled()) {
LOG.debug("label :" + Base64.encode(label));
LOG.debug("nonce :" + Base64.encode(nonce));
LOG.debug("created :" + Base64.encode(created));
LOG.debug("seed :" + Base64.encode(seed));
LOG.debug("Key :" + Base64.encode(key));
}
} catch (Exception e) {
if (DO_DEBUG) {
LOG.debug(e.getMessage(), e);
}
return null;
}
return key;
}
/**
* This static method generates a derived key as defined in WSS Username
* Token Profile.
*
* @param password The password to include in the key generation
* @param salt The Salt value
* @param iteration The Iteration value. If zero (0) is given the method uses the
* default value
* @return Returns the derived key a byte array
* @throws WSSecurityException
*/
public static byte[] generateDerivedKey(
byte[] password,
byte[] salt,
int iteration
) throws WSSecurityException {
if (iteration == 0) {
iteration = DEFAULT_ITERATION;
}
byte[] pwSalt = new byte[salt.length + password.length];
System.arraycopy(password, 0, pwSalt, 0, password.length);
System.arraycopy(salt, 0, pwSalt, password.length, salt.length);
MessageDigest sha = null;
try {
sha = MessageDigest.getInstance("SHA1");
} catch (NoSuchAlgorithmException e) {
if (DO_DEBUG) {
LOG.debug(e.getMessage(), e);
}
throw new WSSecurityException(
WSSecurityException.FAILURE, "noSHA1availabe", null, e
);
}
//
// Make the first hash round with start value
//
byte[] k = sha.digest(pwSalt);
//
// Perform the 1st up to iteration-1 hash rounds
//
for (int i = 1; i < iteration; i++) {
k = sha.digest(k);
}
return k;
}
/**
* This static method generates a derived key as defined in WSS Username
* Token Profile.
*
* @param password The password to include in the key generation
* @param salt The Salt value
* @param iteration The Iteration value. If zero (0) is given the method uses the
* default value
* @return Returns the derived key a byte array
* @throws WSSecurityException
*/
public static byte[] generateDerivedKey(
String password,
byte[] salt,
int iteration
) throws WSSecurityException {
try {
return generateDerivedKey(password.getBytes("UTF-8"), salt, iteration);
} catch (final java.io.UnsupportedEncodingException e) {
if (DO_DEBUG) {
LOG.debug(e.getMessage(), e);
}
throw new WSSecurityException("Unable to convert password to UTF-8", e);
}
}
/**
* This method gets a derived key as defined in WSS Username Token Profile.
*
* @return Returns the derived key as a byte array
* @throws WSSecurityException
*/
public byte[] getDerivedKey() throws WSSecurityException {
if (rawPassword == null || !bspCompliantDerivedKey) {
LOG.debug("The raw password was null or the Username Token is not BSP compliant");
throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
}
int iteration = getIteration();
byte[] salt = getSalt();
if (passwordsAreEncoded) {
return generateDerivedKey(Base64.decode(rawPassword), salt, iteration);
} else {
return generateDerivedKey(rawPassword, salt, iteration);
}
}
/**
* Return whether the UsernameToken represented by this class is to be used
* for key derivation as per the UsernameToken Profile 1.1. It does this by
* checking that the username token has salt and iteration values.
*
* @throws WSSecurityException
*/
public boolean isDerivedKey() throws WSSecurityException {
if (elementSalt != null && elementIteration != null) {
return true;
}
return false;
}
/**
* Create a WSUsernameTokenPrincipal from this UsernameToken object
*/
public Principal createPrincipal() {
WSUsernameTokenPrincipal principal =
new WSUsernameTokenPrincipal(getName(), isHashed());
principal.setNonce(getNonce());
principal.setPassword(getPassword());
principal.setCreatedTime(getCreated());
return principal;
}
/**
* Return true if the "Created" value is before the current time minus the timeToLive
* argument, and if the Created value is not "in the future".
*
* @param timeToLive the value in seconds for the validity of the Created time
* @param futureTimeToLive the value in seconds for the future validity of the Created time
* @return true if the UsernameToken is before (now-timeToLive), false otherwise
*/
public boolean verifyCreated(
int timeToLive,
int futureTimeToLive
) {
return DateUtil.verifyCreated(createdDate, timeToLive, futureTimeToLive);
}
/**
* This static method generates a 128 bit salt value as defined in WSS
* Username Token Profile.
*
* @param useForMac If <code>true</code> define the Salt for use in a MAC
* @return Returns the 128 bit salt value as byte array
*/
public static byte[] generateSalt(boolean useForMac) {
byte[] saltValue = null;
try {
saltValue = WSSecurityUtil.generateNonce(16);
} catch (WSSecurityException ex) {
LOG.debug(ex.getMessage(), ex);
return null;
}
if (useForMac) {
saltValue[0] = 0x01;
} else {
saltValue[0] = 0x02;
}
return saltValue;
}
@Override
public int hashCode() {
int result = 17;
String username = getName();
if (username != null) {
result = 31 * result + username.hashCode();
}
String password = getPassword();
if (password != null) {
result = 31 * result + password.hashCode();
}
String passwordType = getPasswordType();
if (passwordType != null) {
result = 31 * result + passwordType.hashCode();
}
String nonce = getNonce();
if (nonce != null) {
result = 31 * result + nonce.hashCode();
}
String created = getCreated();
if (created != null) {
result = 31 * result + created.hashCode();
}
try {
byte[] salt = getSalt();
if (salt != null) {
result = 31 * result + Arrays.hashCode(salt);
}
} catch (WSSecurityException ex) {
if (LOG.isDebugEnabled()) {
LOG.debug(ex.getMessage(), ex);
}
}
result = 31 * result + Integer.valueOf(getIteration()).hashCode();
return result;
}
@Override
public boolean equals(Object object) {
if (!(object instanceof UsernameToken)) {
return false;
}
UsernameToken usernameToken = (UsernameToken)object;
if (!compare(usernameToken.getName(), getName())) {
return false;
}
if (!compare(usernameToken.getPassword(), getPassword())) {
return false;
}
if (!compare(usernameToken.getPasswordType(), getPasswordType())) {
return false;
}
if (!compare(usernameToken.getNonce(), getNonce())) {
return false;
}
if (!compare(usernameToken.getCreated(), getCreated())) {
return false;
}
try {
byte[] salt = usernameToken.getSalt();
if (!Arrays.equals(salt, getSalt())) {
return false;
}
} catch (WSSecurityException ex) {
if (LOG.isDebugEnabled()) {
LOG.debug(ex.getMessage(), ex);
}
}
int iteration = usernameToken.getIteration();
if (iteration != getIteration()) {
return false;
}
return true;
}
private boolean compare(String item1, String item2) {
if (item1 == null && item2 != null) {
return false;
} else if (item1 != null && !item1.equals(item2)) {
return false;
}
return true;
}
/**
* P_hash as defined in RFC 2246 for TLS.
*
* @param secret is the key for the HMAC
* @param seed the seed value to start the generation - A(0)
* @param mac the HMAC algorithm
* @param required number of bytes to generate
* @return a byte array that contains a secret key
* @throws Exception
*/
private static byte[] P_hash(
byte[] secret,
byte[] seed,
Mac mac,
int required
) throws Exception {
byte[] out = new byte[required];
int offset = 0, tocpy;
byte[] a, tmp;
//
// a(0) is the seed
//
a = seed;
SecretKeySpec key = new SecretKeySpec(secret, "HMACSHA1");
mac.init(key);
while (required > 0) {
mac.update(a);
a = mac.doFinal();
mac.update(a);
mac.update(seed);
tmp = mac.doFinal();
tocpy = min(required, tmp.length);
System.arraycopy(tmp, 0, out, offset, tocpy);
offset += tocpy;
required -= tocpy;
}
return out;
}
/**
* helper method.
*
* @param a
* @param b
* @return
*/
private static int min(int a, int b) {
return (a > b) ? b : a;
}
/**
* A method to check that the UsernameToken is compliant with the BSP spec.
* @throws WSSecurityException
*/
private void checkBSPCompliance() throws WSSecurityException {
List<Element> passwordElements =
WSSecurityUtil.getDirectChildElements(
element, WSConstants.PASSWORD_LN, WSConstants.WSSE_NS
);
// We can only have one password element
if (passwordElements.size() > 1) {
if (LOG.isDebugEnabled()) {
LOG.debug("The Username Token had more than one password element");
}
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY_TOKEN, "badUsernameToken"
);
}
// We must have a password type
if (passwordElements.size() == 1) {
Element passwordChild = passwordElements.get(0);
String type = passwordChild.getAttributeNS(null, WSConstants.PASSWORD_TYPE_ATTR);
if (type == null || "".equals(type)) {
if (LOG.isDebugEnabled()) {
LOG.debug("The Username Token password does not have a Type attribute");
}
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY_TOKEN, "badUsernameToken"
);
}
}
if (elementSalt == null) {
// We must have a salt element to use this token for a derived key
bspCompliantDerivedKey = false;
}
if (elementIteration == null) {
// we must have an iteration element to use this token for a derived key
bspCompliantDerivedKey = false;
} else {
String iter = nodeString(elementIteration);
if (iter == null || Integer.parseInt(iter) < 1000) {
bspCompliantDerivedKey = false;
}
}
List<Element> createdElements =
WSSecurityUtil.getDirectChildElements(
element, WSConstants.CREATED_LN, WSConstants.WSU_NS
);
// We can only have one created element
if (createdElements.size() > 1) {
if (LOG.isDebugEnabled()) {
LOG.debug("The Username Token has more than one created element");
}
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY_TOKEN, "badUsernameToken"
);
}
List<Element> nonceElements =
WSSecurityUtil.getDirectChildElements(
element, WSConstants.NONCE_LN, WSConstants.WSSE_NS
);
// We can only have one nonce element
if (nonceElements.size() > 1) {
if (LOG.isDebugEnabled()) {
LOG.debug("The Username Token has more than one nonce element");
}
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY_TOKEN, "badUsernameToken"
);
}
if (nonceElements.size() == 1) {
Element nonce = nonceElements.get(0);
String encodingType = nonce.getAttributeNS(null, "EncodingType");
// Encoding Type must be equal to Base64Binary
if (encodingType == null || "".equals(encodingType)
|| !BinarySecurity.BASE64_ENCODING.equals(encodingType)) {
if (LOG.isDebugEnabled()) {
LOG.debug("The Username Token's nonce element has a bad encoding type");
}
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY_TOKEN,
"badUsernameToken"
);
}
}
}
}