Author: coheigea
Date: Mon Mar 7 11:57:46 2011
New Revision: 1078756
URL: http://svn.apache.org/viewvc?rev=1078756&view=rev
Log:
[WSS-256] - BSP compliance work for EncryptedKeys.
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDerivedKeyBase.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDerivedKeyBase.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDerivedKeyBase.java?rev=1078756&r1=1078755&r2=1078756&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDerivedKeyBase.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDerivedKeyBase.java
Mon Mar 7 11:57:46 2011
@@ -19,6 +19,7 @@
package org.apache.ws.security.message;
+import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.conversation.ConversationConstants;
import org.apache.ws.security.conversation.ConversationException;
@@ -220,9 +221,12 @@ public abstract class WSSecDerivedKeyBas
} else {
ref.setURI("#" + tokenIdentifier);
}
- if (customValueType != null && customValueType.trim().length() >
0) {
+ if (customValueType != null && !"".equals(customValueType)) {
ref.setValueType(customValueType);
}
+ if
(!WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE.equals(customValueType)) {
+ strEncKey.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
+ }
strEncKey.setReference(ref);
dkt.setSecurityTokenReference(strEncKey);
} else {
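Review bot: The new `strEncKey.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE)` fires for every `customValueType` other than the UsernameToken one, including `null` and any other value a caller supplies, so a derived key built over some other token would carry an EncryptedKey `TokenType` that contradicts its `ValueType`; a positive test reads more safely, e.g. `if (customValueType == null || WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customValueType)) {`. The rewritten guard above it also drops the `trim()`, so a whitespace-only value type is now written into the `ValueType` attribute where it used to be skipped; `customValueType.trim().length() > 0` would keep the old behaviour. The enclosing method starts and ends outside this hunk, so which token types reach this branch is not visible here.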
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java?rev=1078756&r1=1078755&r2=1078756&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
Mon Mar 7 11:57:46 2011
@@ -544,6 +544,7 @@ public class WSSecEncrypt extends WSSecE
byte[] encodedBytes =
WSSecurityUtil.generateDigest(encryptedEphemeralKey);
secToken.setKeyIdentifierEncKeySHA1(Base64.encode(encodedBytes));
}
+ secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
keyInfo.addUnknownElement(secToken.getElement());
} else if (keyIdentifierType == WSConstants.EMBEDDED_KEYNAME) {
keyInfo.addKeyName(embeddedKeyName == null ? user :
embeddedKeyName);
@@ -580,6 +581,7 @@ public class WSSecEncrypt extends WSSecE
ref.setValueType(customReferenceValue);
}
secToken.setReference(ref);
+ secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
keyInfo.addUnknownElement(secToken.getElement());
}
Element keyInfoElement = keyInfo.getElement();
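Review bot: `secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE)` is added unconditionally after `secToken.setReference(ref)`, although `customReferenceValue` two lines above may name a different token type, leaving one reference with a `ValueType` for one token and a `TokenType` for another. The WSSecEncryptedKey hunks in this same commit only add the EncryptedKey `TokenType` when the custom value type actually equals `WSConstants.WSS_ENC_KEY_VALUE_TYPE`, and this branch should probably follow suit, e.g. `if (customReferenceValue == null || WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customReferenceValue)) {` around the new call. The `if`/`else if` chain this sits in starts before the hunk, so the set of values `customReferenceValue` can take is not visible here.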
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java?rev=1078756&r1=1078755&r2=1078756&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java
Mon Mar 7 11:57:46 2011
@@ -309,6 +309,9 @@ public class WSSecEncryptedKey extends W
refCust.setValueType(customEKTokenValueType);
} else if
(WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customEKTokenValueType)) {
secToken.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ } else if
(WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customEKTokenValueType)) {
+ secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
+ refCust.setValueType(customEKTokenValueType);
} else {
refCust.setValueType(customEKTokenValueType);
}
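Review bot: The new `WSS_ENC_KEY_VALUE_TYPE` branch repeats the `refCust.setValueType(customEKTokenValueType)` call of the `else` branch directly below it, so the only thing it adds is the `addTokenType` call; the same shape appears in the next hunk of this file (`refCustd`) and in the WSSecSignature hunks `@@ -223,6 +224,9 @@` and `@@ -237,6 +241,9 @@`. Hoisting the token-type decision out of the chain, `if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customEKTokenValueType)) { secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE); }` placed before the existing `if`/`else if`, would leave the value-type assignment in one place and stop the two branches drifting apart later. The enclosing `switch` case continues on both sides of the hunk.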
@@ -323,6 +326,9 @@ public class WSSecEncryptedKey extends W
refCustd.setValueType(customEKTokenValueType);
} else if
(WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customEKTokenValueType)) {
secToken.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ } else if
(WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customEKTokenValueType)) {
+ secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
+ refCustd.setValueType(customEKTokenValueType);
} else {
refCustd.setValueType(customEKTokenValueType);
}
@@ -336,6 +342,10 @@ public class WSSecEncryptedKey extends W
secToken.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
} else if
(WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customEKTokenValueType)) {
secToken.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ } else if
(WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customEKTokenValueType)) {
+ secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
+ } else if
(SecurityTokenReference.ENC_KEY_SHA1_URI.equals(customEKTokenValueType)) {
+ secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
}
break;
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java?rev=1078756&r1=1078755&r2=1078756&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java
Mon Mar 7 11:57:46 2011
@@ -214,6 +214,7 @@ public class WSSecSignature extends WSSe
byte[] digestBytes = WSSecurityUtil.generateDigest(secretKey);
secRef.setKeyIdentifierEncKeySHA1(Base64.encode(digestBytes));
}
+ secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
break;
case WSConstants.CUSTOM_SYMM_SIGNING :
@@ -223,6 +224,9 @@ public class WSSecSignature extends WSSe
refCust.setValueType(customTokenValueType);
} else if
(WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customTokenValueType)) {
secRef.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ } else if
(WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customTokenValueType)) {
+ secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
+ refCust.setValueType(customTokenValueType);
} else {
refCust.setValueType(customTokenValueType);
}
@@ -237,6 +241,9 @@ public class WSSecSignature extends WSSe
refCustd.setValueType(customTokenValueType);
} else if
(WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customTokenValueType)) {
secRef.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ } else if
(WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customTokenValueType)) {
+ secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
+ refCustd.setValueType(customTokenValueType);
} else {
refCustd.setValueType(customTokenValueType);
}
@@ -250,6 +257,10 @@ public class WSSecSignature extends WSSe
secRef.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
} else if
(WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customTokenValueType)) {
secRef.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ } else if
(WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customTokenValueType)) {
+ secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
+ } else if
(SecurityTokenReference.ENC_KEY_SHA1_URI.equals(customTokenValueType)) {
+ secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
}
break;
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java?rev=1078756&r1=1078755&r2=1078756&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
Mon Mar 7 11:57:46 2011
@@ -106,6 +106,9 @@ public class DerivedKeyTokenSTRParser im
usernameToken.setRawPassword(cb);
secretKey = usernameToken.getDerivedKey();
} else if (WSConstants.ENCR == action) {
+ if (bspCompliant) {
+ checkEncryptedKeyBSPCompliance(secRef);
+ }
secretKey =
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
} else if (WSConstants.SCT == action) {
secretKey =
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
@@ -127,6 +130,10 @@ public class DerivedKeyTokenSTRParser im
secretKey =
getSecretKeyFromToken(uri, null,
WSPasswordCallback.SECURITY_CONTEXT_TOKEN, cb);
} else if (keyIdentifierValue != null && keyIdentifierValueType !=
null) {
+ if (bspCompliant
+ &&
keyIdentifierValueType.equals(SecurityTokenReference.ENC_KEY_SHA1_URI)) {
+ checkEncryptedKeyBSPCompliance(secRef);
+ }
X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
if (certs == null || certs.length < 1 || certs[0] == null) {
secretKey =
@@ -234,4 +241,34 @@ public class DerivedKeyTokenSTRParser im
return pwcb.getKey();
}
+ /**
+ * Check that the EncryptedKey referenced by the SecurityTokenReference
argument
+ * is BSP compliant.
+ * @param secRef The SecurityTokenReference to the BinarySecurityToken
+ * @throws WSSecurityException
+ */
+ private static void checkEncryptedKeyBSPCompliance(
+ SecurityTokenReference secRef
+ ) throws WSSecurityException {
+ if (secRef.containsKeyIdentifier()) {
+ String valueType = secRef.getKeyIdentifierValueType();
+ if (!SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidValueType",
+ new Object[]{valueType}
+ );
+ }
+ }
+
+ String tokenType = secRef.getTokenType();
+ if (!WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(tokenType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidTokenType",
+ new Object[]{tokenType}
+ );
+ }
+ }
+
}
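Review bot: `checkEncryptedKeyBSPCompliance` is added verbatim to this parser and again, byte for byte, to SecurityTokenRefSTRParser and SignatureSTRParser in this commit, so any later tightening of the EncryptedKey BSP checks has to be made three times; one package-visible helper (on SecurityTokenReference itself, or in a small BSP utility class) would keep the three parsers in step. Its Javadoc also says the reference points at a BinarySecurityToken while the method validates a reference to an EncryptedKey; suggest `@param secRef The SecurityTokenReference to the EncryptedKey`. It is worth stating in the Javadoc that when the STR uses a direct Reference rather than a KeyIdentifier only the `TokenType` attribute is examined, since the `ValueType` of a direct Reference is not checked here.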
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java?rev=1078756&r1=1078755&r2=1078756&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
Mon Mar 7 11:57:46 2011
@@ -93,6 +93,9 @@ public class SecurityTokenRefSTRParser i
if (result != null) {
int action =
((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
if (WSConstants.ENCR == action) {
+ if (bspCompliant) {
+ checkEncryptedKeyBSPCompliance(secRef);
+ }
secretKey =
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
} else if (WSConstants.DKT == action) {
DerivedKeyToken dkt =
@@ -122,8 +125,9 @@ public class SecurityTokenRefSTRParser i
}
}
} else if (secRef.containsKeyIdentifier()){
- if
(WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())
- ||
WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()))
{
+ String valueType = secRef.getKeyIdentifierValueType();
+ if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(valueType)
+ || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(valueType)) {
AssertionWrapper assertion =
SAMLUtil.getAssertionFromKeyIdentifier(
secRef, strElement, crypto, cb, wsDocInfo, config
@@ -134,6 +138,9 @@ public class SecurityTokenRefSTRParser i
// secret in them
secretKey = samlKi.getSecret();
} else {
+ if (bspCompliant &&
SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
+ checkEncryptedKeyBSPCompliance(secRef);
+ }
secretKey =
getSecretKeyFromToken(
secRef.getKeyIdentifierValue(),
secRef.getKeyIdentifierValueType(), cb
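Review bot: The `getSecretKeyFromToken` call on the last lines of this hunk still re-reads `secRef.getKeyIdentifierValueType()`, although the previous hunk introduced the `valueType` local for exactly that value and the new BSP guard here already uses it; passing `secRef.getKeyIdentifierValue(), valueType, cb` keeps the branch consistent and avoids the second accessor call. The surrounding `else` branch continues past the end of the hunk.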
@@ -209,4 +216,34 @@ public class SecurityTokenRefSTRParser i
return pwcb.getKey();
}
+ /**
+ * Check that the EncryptedKey referenced by the SecurityTokenReference
argument
+ * is BSP compliant.
+ * @param secRef The SecurityTokenReference to the BinarySecurityToken
+ * @throws WSSecurityException
+ */
+ private static void checkEncryptedKeyBSPCompliance(
+ SecurityTokenReference secRef
+ ) throws WSSecurityException {
+ if (secRef.containsKeyIdentifier()) {
+ String valueType = secRef.getKeyIdentifierValueType();
+ if (!SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidValueType",
+ new Object[]{valueType}
+ );
+ }
+ }
+
+ String tokenType = secRef.getTokenType();
+ if (!WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(tokenType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidTokenType",
+ new Object[]{tokenType}
+ );
+ }
+ }
+
}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1078756&r1=1078755&r2=1078756&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Mon Mar 7 11:57:46 2011
@@ -151,6 +151,9 @@ public class SignatureSTRParser implemen
secretKey = keyInfo.getSecret();
principal = createPrincipalFromSAML(assertion);
} else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
+ if (bspCompliant) {
+ checkEncryptedKeyBSPCompliance(secRef);
+ }
Processor proc =
config.getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
List<WSSecurityEngineResult> encrResult =
proc.handleToken(token, null, crypto, cb, wsDocInfo,
config);
@@ -198,6 +201,9 @@ public class SignatureSTRParser implemen
certs =
(X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
} else if (WSConstants.ENCR == action) {
+ if (bspCompliant) {
+ checkEncryptedKeyBSPCompliance(secRef);
+ }
secretKey =
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
String id =
(String)result.get(WSSecurityEngineResult.TAG_ID);
principal = new CustomTokenPrincipal(id);
@@ -240,6 +246,9 @@ public class SignatureSTRParser implemen
}
} else if (secRef.containsKeyIdentifier()) {
if
(secRef.getKeyIdentifierValueType().equals(SecurityTokenReference.ENC_KEY_SHA1_URI))
{
+ if (bspCompliant) {
+ checkEncryptedKeyBSPCompliance(secRef);
+ }
String id = secRef.getKeyIdentifierValue();
secretKey =
getSecretKeyFromToken(id,
SecurityTokenReference.ENC_KEY_SHA1_URI, cb);
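Review bot: The new BSP guard sits under `secRef.getKeyIdentifierValueType().equals(SecurityTokenReference.ENC_KEY_SHA1_URI)`, which dereferences the `ValueType` before the guard runs, so a KeyIdentifier with no `ValueType` attribute fails with a NullPointerException instead of a controlled WSSecurityException from the parser. Reversing the comparison, `if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(secRef.getKeyIdentifierValueType())) {`, makes the condition null-safe, as the equivalent test added to SecurityTokenRefSTRParser in this commit already is. Whether the enclosing parser guarantees a non-null value type at this point is not visible from the hunk, and the method continues outside it.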
@@ -396,6 +405,36 @@ public class SignatureSTRParser implemen
}
}
}
+
+ /**
+ * Check that the EncryptedKey referenced by the SecurityTokenReference
argument
+ * is BSP compliant.
+ * @param secRef The SecurityTokenReference to the BinarySecurityToken
+ * @throws WSSecurityException
+ */
+ private static void checkEncryptedKeyBSPCompliance(
+ SecurityTokenReference secRef
+ ) throws WSSecurityException {
+ if (secRef.containsKeyIdentifier()) {
+ String valueType = secRef.getKeyIdentifierValueType();
+ if (!SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidValueType",
+ new Object[]{valueType}
+ );
+ }
+ }
+
+ String tokenType = secRef.getTokenType();
+ if (!WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(tokenType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidTokenType",
+ new Object[]{tokenType}
+ );
+ }
+ }
/**
* Checks the <code>element</code> and creates appropriate binary security
object.
Modified:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java?rev=1078756&r1=1078755&r2=1078756&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java
(original)
+++
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java
Mon Mar 7 11:57:46 2011
@@ -393,6 +393,7 @@ public class SignatureEncryptionTest ext
sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sign.setCustomTokenId(encrKey.getId());
sign.setSecretKey(encrKey.getEphemeralKey());
+ sign.setCustomTokenValueType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
Document signedDoc = sign.build(doc, crypto, secHeader);
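Review bot: As far as this diff shows, the test changes only set `WSConstants.WSS_ENC_KEY_VALUE_TYPE` so that the existing signing round-trips keep passing now that `checkEncryptedKeyBSPCompliance` runs; there is no negative test asserting that a reference lacking the EncryptedKey `TokenType`, or carrying a different `ValueType`, is rejected when `bspCompliant` is set. Since those rejections are the point of the change, a test that builds the reference without `setCustomTokenValueType` and expects a WSSecurityException on the processing side would pin the new behaviour; the same applies to the two SymmetricSignatureTest hunks below. Whether such a test already exists elsewhere in these files is not visible here.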
Modified:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java?rev=1078756&r1=1078755&r2=1078756&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java
(original)
+++
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java
Mon Mar 7 11:57:46 2011
@@ -132,9 +132,7 @@ public class SymmetricSignatureTest exte
sign.setCustomTokenId(encrKey.getId());
sign.setSecretKey(encrKey.getEphemeralKey());
sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
- sign.setCustomTokenValueType(
- WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.ENC_KEY_VALUE_TYPE
- );
+ sign.setCustomTokenValueType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
Document signedDoc = sign.build(doc, crypto, secHeader);
encrKey.prependToHeader(secHeader);
@@ -180,6 +178,7 @@ public class SymmetricSignatureTest exte
WSSecSignature sign = new WSSecSignature();
sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sign.setCustomTokenId(encrKey.getId());
+ sign.setCustomTokenValueType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
sign.setSecretKey(encrKey.getEphemeralKey());
sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);