Author: coheigea
Date: Tue Mar 8 11:19:51 2011
New Revision: 1079325
URL: http://svn.apache.org/viewvc?rev=1079325&view=rev
Log:
[WSS-256] - BSP work for SAML Assertions.
Added:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/BSPEnforcer.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java?rev=1079325&r1=1079324&r2=1079325&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
Tue Mar 8 11:19:51 2011
@@ -543,6 +543,14 @@ public class SecurityTokenReference {
return null;
}
+ public String getKeyIdentifierEncodingType() {
+ if (containsKeyIdentifier()) {
+ Element elem = getFirstElement();
+ return elem.getAttribute("EncodingType");
+ }
+ return null;
+ }
+
public X509Certificate getX509SKIAlias(Crypto crypto) throws
WSSecurityException {
if (skiBytes == null) {
skiBytes = getSKIBytes();
Added:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/BSPEnforcer.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/BSPEnforcer.java?rev=1079325&view=auto
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/BSPEnforcer.java
(added)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/BSPEnforcer.java
Tue Mar 8 11:19:51 2011
@@ -0,0 +1,221 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.str;
+
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.ws.security.message.token.PKIPathSecurity;
+import org.apache.ws.security.message.token.SecurityTokenReference;
+import org.apache.ws.security.message.token.X509Security;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+/**
+ * This class enforces processing rules for SecurityTokenReferences to various
token elements,
+ * according to the Basic Security Profile (BSP) specification.
+ */
+public final class BSPEnforcer {
+
+ private BSPEnforcer() {
+ //
+ }
+
+ /**
+ * Check that the BinarySecurityToken referenced by the
SecurityTokenReference argument
+ * is BSP compliant.
+ * @param secRef The SecurityTokenReference to the BinarySecurityToken
+ * @param token The BinarySecurityToken
+ * @throws WSSecurityException
+ */
+ public static void checkBinarySecurityBSPCompliance(
+ SecurityTokenReference secRef,
+ BinarySecurity token
+ ) throws WSSecurityException {
+ if (secRef.containsReference()) {
+ // Check the ValueType attributes
+ String valueType = secRef.getReference().getValueType();
+ if ((token instanceof X509Security) &&
!X509Security.X509_V3_TYPE.equals(valueType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidValueType",
+ new Object[]{valueType}
+ );
+ } else if ((token instanceof PKIPathSecurity)
+ && (!PKIPathSecurity.PKI_TYPE.equals(valueType))) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidValueType",
+ new Object[]{valueType}
+ );
+ }
+ } else if (secRef.containsKeyIdentifier()) {
+ String valueType = secRef.getKeyIdentifierValueType();
+ if (!SecurityTokenReference.SKI_URI.equals(valueType)
+ && !SecurityTokenReference.THUMB_URI.equals(valueType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidValueType",
+ new Object[]{valueType}
+ );
+ }
+ }
+
+ // Check TokenType attributes
+ if (token instanceof PKIPathSecurity) {
+ String tokenType = secRef.getTokenType();
+ if (!PKIPathSecurity.PKI_TYPE.equals(tokenType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidTokenType",
+ new Object[]{tokenType}
+ );
+ }
+ }
+ }
+
+ /**
+ * Check that the EncryptedKey referenced by the SecurityTokenReference
argument
+ * is BSP compliant.
+ * @param secRef The SecurityTokenReference to the BinarySecurityToken
+ * @throws WSSecurityException
+ */
+ public static void checkEncryptedKeyBSPCompliance(
+ SecurityTokenReference secRef
+ ) throws WSSecurityException {
+ if (secRef.containsKeyIdentifier()) {
+ String valueType = secRef.getKeyIdentifierValueType();
+ if (!SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidValueType",
+ new Object[]{valueType}
+ );
+ }
+ }
+
+ String tokenType = secRef.getTokenType();
+ if (!WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(tokenType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidTokenType",
+ new Object[]{tokenType}
+ );
+ }
+ }
+
+ /**
+ * Check that the SAML token referenced by the SecurityTokenReference
argument
+ * is BSP compliant.
+ * @param secRef The SecurityTokenReference to the SAML token
+ * @param assertion The SAML Token AssertionWrapper object
+ * @throws WSSecurityException
+ */
+ public static void checkSamlTokenBSPCompliance(
+ SecurityTokenReference secRef,
+ AssertionWrapper assertion
+ ) throws WSSecurityException {
+ // Check the KeyIdentifier ValueType attributes
+ if (secRef.containsKeyIdentifier()) {
+ String valueType = secRef.getKeyIdentifierValueType();
+ if (assertion.getSaml1() != null
+ && !WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(valueType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidValueType",
+ new Object[]{valueType}
+ );
+ }
+ if (assertion.getSaml2() != null
+ && !WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(valueType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidValueType",
+ new Object[]{valueType}
+ );
+ }
+ String encoding = secRef.getKeyIdentifierEncodingType();
+ if (encoding != null && !"".equals(encoding)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "badEncodingType",
+ new Object[]{encoding}
+ );
+ }
+ }
+
+ // Check the TokenType attribute
+ String tokenType = secRef.getTokenType();
+ if (assertion.getSaml1() != null &&
!WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidTokenType",
+ new Object[]{tokenType}
+ );
+ }
+ if (assertion.getSaml2() != null &&
!WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidTokenType",
+ new Object[]{tokenType}
+ );
+ }
+
+ // Check the ValueType attribute of the Reference for SAML2
+ if (assertion.getSaml2() != null && secRef.containsReference()) {
+ String valueType = secRef.getReference().getValueType();
+ if (valueType != null && !"".equals(valueType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidValueType",
+ new Object[]{valueType}
+ );
+ }
+ }
+ }
+
+ /**
+ * Check that the Username token referenced by the SecurityTokenReference
argument
+ * is BSP compliant.
+ * @param secRef The SecurityTokenReference to the Username token
+ * @throws WSSecurityException
+ */
+ public static void checkUsernameTokenBSPCompliance(
+ SecurityTokenReference secRef
+ ) throws WSSecurityException {
+ if (!secRef.containsReference()) {
+ // BSP does not permit using a KeyIdentifier to refer to a U/T
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_CHECK, "unsupportedKeyId"
+ );
+ }
+
+ String valueType = secRef.getReference().getValueType();
+ if (!WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE.equals(valueType)) {
+ // BSP says the Reference must have a ValueType of UsernameToken
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY,
+ "invalidValueType",
+ new Object[]{valueType}
+ );
+ }
+ }
+
+
+}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java?rev=1079325&r1=1079324&r2=1079325&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
Tue Mar 8 11:19:51 2011
@@ -99,7 +99,7 @@ public class DerivedKeyTokenSTRParser im
int action =
((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT ==
action) {
if (bspCompliant) {
- checkUTBSPCompliance(secRef);
+ BSPEnforcer.checkUsernameTokenBSPCompliance(secRef);
}
UsernameToken usernameToken =
(UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
@@ -107,7 +107,7 @@ public class DerivedKeyTokenSTRParser im
secretKey = usernameToken.getDerivedKey();
} else if (WSConstants.ENCR == action) {
if (bspCompliant) {
- checkEncryptedKeyBSPCompliance(secRef);
+ BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
}
secretKey =
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
} else if (WSConstants.SCT == action) {
@@ -115,6 +115,9 @@ public class DerivedKeyTokenSTRParser im
} else if (WSConstants.ST_UNSIGNED == action ||
WSConstants.ST_SIGNED == action) {
AssertionWrapper assertion =
(AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+ }
SAMLKeyInfo keyInfo =
SAMLUtil.getCredentialFromSubject(assertion, crypto, cb,
wsDocInfo, bspCompliant);
// TODO Handle malformed SAML tokens where they don't have the
@@ -132,7 +135,7 @@ public class DerivedKeyTokenSTRParser im
} else if (keyIdentifierValue != null && keyIdentifierValueType !=
null) {
if (bspCompliant
&&
keyIdentifierValueType.equals(SecurityTokenReference.ENC_KEY_SHA1_URI)) {
- checkEncryptedKeyBSPCompliance(secRef);
+ BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
}
X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
if (certs == null || certs.length < 1 || certs[0] == null) {
@@ -184,30 +187,6 @@ public class DerivedKeyTokenSTRParser im
}
/**
- * Check the BSP compliance for a reference to a UsernameToken
- * @param secRef the SecurityTokenReference element
- * @throws WSSecurityException
- */
- private void checkUTBSPCompliance(SecurityTokenReference secRef) throws
WSSecurityException {
- if (!secRef.containsReference()) {
- // BSP does not permit using a KeyIdentifier to refer to a U/T
- throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK, "unsupportedKeyId"
- );
- }
- String valueType = secRef.getReference().getValueType();
-
- if (!WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE.equals(valueType)) {
- // BSP says the Reference must have a ValueType of UsernameToken
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
- "invalidValueType",
- new Object[]{valueType}
- );
- }
- }
-
- /**
* Get the Secret Key from a CallbackHandler
* @param id The id of the element
* @param type The type of the element (may be null)
@@ -241,34 +220,4 @@ public class DerivedKeyTokenSTRParser im
return pwcb.getKey();
}
- /**
- * Check that the EncryptedKey referenced by the SecurityTokenReference
argument
- * is BSP compliant.
- * @param secRef The SecurityTokenReference to the BinarySecurityToken
- * @throws WSSecurityException
- */
- private static void checkEncryptedKeyBSPCompliance(
- SecurityTokenReference secRef
- ) throws WSSecurityException {
- if (secRef.containsKeyIdentifier()) {
- String valueType = secRef.getKeyIdentifierValueType();
- if (!SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidValueType",
- new Object[]{valueType}
- );
- }
- }
-
- String tokenType = secRef.getTokenType();
- if (!WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(tokenType)) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidTokenType",
- new Object[]{tokenType}
- );
- }
- }
-
}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java?rev=1079325&r1=1079324&r2=1079325&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
Tue Mar 8 11:19:51 2011
@@ -29,7 +29,6 @@ import org.apache.ws.security.WSSecurity
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.saml.SAMLKeyInfo;
@@ -101,12 +100,15 @@ public class EncryptedKeySTRParser imple
SAMLUtil.getAssertionFromKeyIdentifier(
secRef, strElement, crypto, cb, wsDocInfo, config
);
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+ }
SAMLKeyInfo samlKi =
SAMLUtil.getCredentialFromSubject(assertion, crypto, cb,
wsDocInfo, bspCompliant);
certs = samlKi.getCerts();
} else {
if (bspCompliant) {
- checkBinarySecurityBSPCompliance(secRef, null);
+ BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, null);
}
certs = secRef.getKeyIdentifier(crypto);
}
@@ -123,7 +125,7 @@ public class EncryptedKeySTRParser imple
(BinarySecurity)result.get(
WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN
);
- checkBinarySecurityBSPCompliance(secRef, token);
+
BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
}
certs =
(X509Certificate[])result.get(
@@ -132,6 +134,9 @@ public class EncryptedKeySTRParser imple
} else if (WSConstants.ST_UNSIGNED == action ||
WSConstants.ST_SIGNED == action) {
AssertionWrapper assertion =
(AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef,
assertion);
+ }
SAMLKeyInfo keyInfo =
SAMLUtil.getCredentialFromSubject(assertion,
crypto, cb, wsDocInfo, bspCompliant);
certs = keyInfo.getCerts();
@@ -153,7 +158,7 @@ public class EncryptedKeySTRParser imple
if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
X509Security token = new X509Security(bstElement);
if (bspCompliant) {
- checkBinarySecurityBSPCompliance(secRef, token);
+ BSPEnforcer.checkBinarySecurityBSPCompliance(secRef,
token);
}
certs = new
X509Certificate[]{token.getX509Certificate(crypto)};
} else {
@@ -207,59 +212,4 @@ public class EncryptedKeySTRParser imple
return null;
}
- /**
- * Check that the BinarySecurityToken referenced by the
SecurityTokenReference argument
- * is BSP compliant.
- * @param secRef The SecurityTokenReference to the BinarySecurityToken
- * @param token The BinarySecurityToken
- * @throws WSSecurityException
- */
- private static void checkBinarySecurityBSPCompliance(
- SecurityTokenReference secRef,
- BinarySecurity token
- ) throws WSSecurityException {
- if (secRef.containsReference()) {
- // Check the ValueType attributes
- String valueType = secRef.getReference().getValueType();
- if ((token instanceof X509Security) &&
!X509Security.X509_V3_TYPE.equals(valueType)) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidValueType",
- new Object[]{valueType}
- );
- } else if ((token instanceof PKIPathSecurity)
- && (!PKIPathSecurity.PKI_TYPE.equals(valueType))) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidValueType",
- new Object[]{valueType}
- );
- }
- } else if (secRef.containsKeyIdentifier()) {
- String valueType = secRef.getKeyIdentifierValueType();
- if (!SecurityTokenReference.SKI_URI.equals(valueType)
- && !SecurityTokenReference.THUMB_URI.equals(valueType)) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidValueType",
- new Object[]{valueType}
- );
- }
- }
-
-
- // Check TokenType attributes
- if (token instanceof PKIPathSecurity) {
- String tokenType = secRef.getTokenType();
- if (!PKIPathSecurity.PKI_TYPE.equals(tokenType)) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidTokenType",
- new Object[]{tokenType}
- );
- }
- }
- }
-
-
}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java?rev=1079325&r1=1079324&r2=1079325&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
Tue Mar 8 11:19:51 2011
@@ -94,7 +94,7 @@ public class SecurityTokenRefSTRParser i
int action =
((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
if (WSConstants.ENCR == action) {
if (bspCompliant) {
- checkEncryptedKeyBSPCompliance(secRef);
+ BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
}
secretKey =
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
} else if (WSConstants.DKT == action) {
@@ -107,6 +107,9 @@ public class SecurityTokenRefSTRParser i
} else if (WSConstants.ST_UNSIGNED == action ||
WSConstants.ST_SIGNED == action) {
AssertionWrapper assertion =
(AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef,
assertion);
+ }
SAMLKeyInfo keyInfo =
SAMLUtil.getCredentialFromSubject(assertion, crypto,
cb, wsDocInfo, bspCompliant);
// TODO Handle malformed SAML tokens where they don't have
the
@@ -132,6 +135,9 @@ public class SecurityTokenRefSTRParser i
SAMLUtil.getAssertionFromKeyIdentifier(
secRef, strElement, crypto, cb, wsDocInfo, config
);
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+ }
SAMLKeyInfo samlKi =
SAMLUtil.getCredentialFromSubject(assertion, crypto, cb,
wsDocInfo, bspCompliant);
// TODO Handle malformed SAML tokens where they don't have the
@@ -139,7 +145,7 @@ public class SecurityTokenRefSTRParser i
secretKey = samlKi.getSecret();
} else {
if (bspCompliant &&
SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
- checkEncryptedKeyBSPCompliance(secRef);
+ BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
}
secretKey =
getSecretKeyFromToken(
@@ -216,34 +222,5 @@ public class SecurityTokenRefSTRParser i
return pwcb.getKey();
}
- /**
- * Check that the EncryptedKey referenced by the SecurityTokenReference
argument
- * is BSP compliant.
- * @param secRef The SecurityTokenReference to the BinarySecurityToken
- * @throws WSSecurityException
- */
- private static void checkEncryptedKeyBSPCompliance(
- SecurityTokenReference secRef
- ) throws WSSecurityException {
- if (secRef.containsKeyIdentifier()) {
- String valueType = secRef.getKeyIdentifierValueType();
- if (!SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidValueType",
- new Object[]{valueType}
- );
- }
- }
-
- String tokenType = secRef.getTokenType();
- if (!WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(tokenType)) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidTokenType",
- new Object[]{tokenType}
- );
- }
- }
}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1079325&r1=1079324&r2=1079325&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Tue Mar 8 11:19:51 2011
@@ -143,6 +143,9 @@ public class SignatureSTRParser implemen
assertion = new AssertionWrapper(processedToken);
assertion.parseHOKSubject(crypto, cb, wsDocInfo,
config);
}
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef,
assertion);
+ }
SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
X509Certificate[] foundCerts = keyInfo.getCerts();
if (foundCerts != null) {
@@ -152,7 +155,7 @@ public class SignatureSTRParser implemen
principal = createPrincipalFromSAML(assertion);
} else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
if (bspCompliant) {
- checkEncryptedKeyBSPCompliance(secRef);
+ BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
}
Processor proc =
config.getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
List<WSSecurityEngineResult> encrResult =
@@ -170,14 +173,8 @@ public class SignatureSTRParser implemen
} else {
int action =
((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT ==
action) {
- String valueType = ref.getValueType();
- if (bspCompliant &&
!WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE.equals(valueType)) {
- // BSP says the Reference must have a ValueType of
UsernameToken
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
- "invalidValueType",
- new Object[]{valueType}
- );
+ if (bspCompliant) {
+ BSPEnforcer.checkUsernameTokenBSPCompliance(secRef);
}
UsernameToken usernameToken =
(UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
@@ -196,13 +193,13 @@ public class SignatureSTRParser implemen
(BinarySecurity)result.get(
WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN
);
- checkBinarySecurityBSPCompliance(secRef, token);
+ BSPEnforcer.checkBinarySecurityBSPCompliance(secRef,
token);
}
certs =
(X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
} else if (WSConstants.ENCR == action) {
if (bspCompliant) {
- checkEncryptedKeyBSPCompliance(secRef);
+ BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
}
secretKey =
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
String id =
(String)result.get(WSSecurityEngineResult.TAG_ID);
@@ -226,9 +223,11 @@ public class SignatureSTRParser implemen
secretKey = dkt.deriveKey(keyLength, secret);
principal = dkt.createPrincipal();
} else if (WSConstants.ST_UNSIGNED == action ||
WSConstants.ST_SIGNED == action) {
-
AssertionWrapper assertion =
(AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef,
assertion);
+ }
SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
X509Certificate[] foundCerts = keyInfo.getCerts();
if (foundCerts != null) {
@@ -247,7 +246,7 @@ public class SignatureSTRParser implemen
} else if (secRef.containsKeyIdentifier()) {
if
(secRef.getKeyIdentifierValueType().equals(SecurityTokenReference.ENC_KEY_SHA1_URI))
{
if (bspCompliant) {
- checkEncryptedKeyBSPCompliance(secRef);
+ BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
}
String id = secRef.getKeyIdentifierValue();
secretKey =
@@ -259,6 +258,9 @@ public class SignatureSTRParser implemen
SAMLUtil.getAssertionFromKeyIdentifier(
secRef, strElement, crypto, cb, wsDocInfo, config
);
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+ }
SAMLKeyInfo samlKi =
SAMLUtil.getCredentialFromSubject(assertion, crypto, cb,
wsDocInfo, bspCompliant);
X509Certificate[] foundCerts = samlKi.getCerts();
@@ -270,7 +272,7 @@ public class SignatureSTRParser implemen
principal = createPrincipalFromSAML(assertion);
} else {
if (bspCompliant) {
- checkBinarySecurityBSPCompliance(secRef, null);
+ BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, null);
}
X509Certificate[] foundCerts = secRef.getKeyIdentifier(crypto);
if (foundCerts != null) {
@@ -342,7 +344,7 @@ public class SignatureSTRParser implemen
}
BinarySecurity token = createSecurityToken(elem);
if (bspCompliant) {
- checkBinarySecurityBSPCompliance(secRef, token);
+ BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
}
if (token instanceof PKIPathSecurity) {
return ((PKIPathSecurity) token).getX509Certificates(crypto);
@@ -353,90 +355,6 @@ public class SignatureSTRParser implemen
}
/**
- * Check that the BinarySecurityToken referenced by the
SecurityTokenReference argument
- * is BSP compliant.
- * @param secRef The SecurityTokenReference to the BinarySecurityToken
- * @param token The BinarySecurityToken
- * @throws WSSecurityException
- */
- private static void checkBinarySecurityBSPCompliance(
- SecurityTokenReference secRef,
- BinarySecurity token
- ) throws WSSecurityException {
- if (secRef.containsReference()) {
- // Check the ValueType attributes
- String valueType = secRef.getReference().getValueType();
- if ((token instanceof X509Security) &&
!X509Security.X509_V3_TYPE.equals(valueType)) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidValueType",
- new Object[]{valueType}
- );
- } else if ((token instanceof PKIPathSecurity)
- && (!PKIPathSecurity.PKI_TYPE.equals(valueType))) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidValueType",
- new Object[]{valueType}
- );
- }
- } else if (secRef.containsKeyIdentifier()) {
- String valueType = secRef.getKeyIdentifierValueType();
- if (!SecurityTokenReference.SKI_URI.equals(valueType)
- && !SecurityTokenReference.THUMB_URI.equals(valueType)) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidValueType",
- new Object[]{valueType}
- );
- }
- }
-
-
- // Check TokenType attributes
- if (token instanceof PKIPathSecurity) {
- String tokenType = secRef.getTokenType();
- if (!PKIPathSecurity.PKI_TYPE.equals(tokenType)) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidTokenType",
- new Object[]{tokenType}
- );
- }
- }
- }
-
- /**
- * Check that the EncryptedKey referenced by the SecurityTokenReference
argument
- * is BSP compliant.
- * @param secRef The SecurityTokenReference to the BinarySecurityToken
- * @throws WSSecurityException
- */
- private static void checkEncryptedKeyBSPCompliance(
- SecurityTokenReference secRef
- ) throws WSSecurityException {
- if (secRef.containsKeyIdentifier()) {
- String valueType = secRef.getKeyIdentifierValueType();
- if (!SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidValueType",
- new Object[]{valueType}
- );
- }
- }
-
- String tokenType = secRef.getTokenType();
- if (!WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(tokenType)) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY_TOKEN,
- "invalidTokenType",
- new Object[]{tokenType}
- );
- }
- }
-
- /**
* Checks the <code>element</code> and creates appropriate binary security
object.
*
* @param element The XML element that contains either a
<code>BinarySecurityToken
