Author: kaushalye
Date: Wed Nov  7 23:52:55 2007
New Revision: 593049

URL: http://svn.apache.org/viewvc?rev=593049&view=rev
Log:
1. Introducing a new scenario to demonstrate the Sign->Encrypt protection 
order. 
2. Reference list processing in Security Header to facilitate both symmetric 
and asymmetric bindings in Security Policy.

Added:
    webservices/rampart/trunk/c/samples/secpolicy/scenario7/
    webservices/rampart/trunk/c/samples/secpolicy/scenario7/client-policy.xml
    webservices/rampart/trunk/c/samples/secpolicy/scenario7/services.xml
Modified:
    webservices/rampart/trunk/c/samples/secpolicy/README.txt
    webservices/rampart/trunk/c/samples/secpolicy/run_all.sh
    webservices/rampart/trunk/c/samples/secpolicy/scenario5/client-policy.xml
    webservices/rampart/trunk/c/samples/secpolicy/scenario5/services.xml
    webservices/rampart/trunk/c/samples/secpolicy/scenario6/client-policy.xml
    webservices/rampart/trunk/c/samples/secpolicy/scenario6/services.xml
    webservices/rampart/trunk/c/src/omxmlsec/axiom.c
    webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c

Modified: webservices/rampart/trunk/c/samples/secpolicy/README.txt
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/secpolicy/README.txt?rev=593049&r1=593048&r2=593049&view=diff
==============================================================================
--- webservices/rampart/trunk/c/samples/secpolicy/README.txt (original)
+++ webservices/rampart/trunk/c/samples/secpolicy/README.txt Wed Nov  7 
23:52:55 2007
@@ -18,7 +18,13 @@
 2.          UsernameToken
 3.          Encryption
 4.          Signature
-5.          A complete scenario to show: Timestamp, UsernameToken, Encrypt, 
Sign
+5.          A complete scenario to show: Timestamp, UsernameToken, Encrypt,
+            The protection order is Sign->Encrypt
+            Signature is Encrypted
+6.          A complete scenario to show: Timestamp, UsernameToken, Encrypt,
+            The protection order is Encrypt->Sign
+            Signature is Encrypted
+7.          Replay detection           
 
 FAQ:
 ---

Modified: webservices/rampart/trunk/c/samples/secpolicy/run_all.sh
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/secpolicy/run_all.sh?rev=593049&r1=593048&r2=593049&view=diff
==============================================================================
--- webservices/rampart/trunk/c/samples/secpolicy/run_all.sh (original)
+++ webservices/rampart/trunk/c/samples/secpolicy/run_all.sh Wed Nov  7 
23:52:55 2007
@@ -4,7 +4,7 @@
 _PORT=9090
 _SLEEP=3
 #You may change these to scenarios u need to run
-_LST="1 2 3 4 5 6"
+_LST="1 2 3 4 5 6 7"
 
 if [ $# -eq 1 ]
 then

Modified: 
webservices/rampart/trunk/c/samples/secpolicy/scenario5/client-policy.xml
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/secpolicy/scenario5/client-policy.xml?rev=593049&r1=593048&r2=593049&view=diff
==============================================================================
--- webservices/rampart/trunk/c/samples/secpolicy/scenario5/client-policy.xml 
(original)
+++ webservices/rampart/trunk/c/samples/secpolicy/scenario5/client-policy.xml 
Wed Nov  7 23:52:55 2007
@@ -33,7 +33,7 @@
                     </sp:Layout>
                     <sp:IncludeTimestamp/>
                     <sp:EncryptSignature/>
-                    <sp:EncryptBeforeSigning/>
+                    <!--sp:EncryptBeforeSigning/-->
                 </wsp:Policy>
             </sp:AsymmetricBinding>
             <sp:SignedSupportingTokens 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
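Review bot: The disabled assertion survives in the sample as `<!--sp:EncryptBeforeSigning/-->` at the end of the AsymmetricBinding policy, which both invites re-enabling by accident and hides the actual protection order from a reader; delete the line rather than comment it out. With the assertion absent the WS-SecurityPolicy default, SignBeforeEncrypting, applies, which is what the README now labels this scenario; a one-line `<!-- no EncryptBeforeSigning: default protection order is Sign->Encrypt -->` would make that intent explicit. The same commented-out line is left in scenario5/services.xml.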

Modified: webservices/rampart/trunk/c/samples/secpolicy/scenario5/services.xml
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/secpolicy/scenario5/services.xml?rev=593049&r1=593048&r2=593049&view=diff
==============================================================================
--- webservices/rampart/trunk/c/samples/secpolicy/scenario5/services.xml 
(original)
+++ webservices/rampart/trunk/c/samples/secpolicy/scenario5/services.xml Wed 
Nov  7 23:52:55 2007
@@ -44,7 +44,7 @@
                         </sp:Layout>
                         <sp:IncludeTimestamp/>
                         <sp:EncryptSignature/>
-                        <sp:EncryptBeforeSigning/>
+                        <!--sp:EncryptBeforeSigning/-->
                     </wsp:Policy>
                 </sp:AsymmetricBinding>
                 <sp:SignedSupportingTokens 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>

Modified: 
webservices/rampart/trunk/c/samples/secpolicy/scenario6/client-policy.xml
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/secpolicy/scenario6/client-policy.xml?rev=593049&r1=593048&r2=593049&view=diff
==============================================================================
--- webservices/rampart/trunk/c/samples/secpolicy/scenario6/client-policy.xml 
(original)
+++ webservices/rampart/trunk/c/samples/secpolicy/scenario6/client-policy.xml 
Wed Nov  7 23:52:55 2007
@@ -21,15 +21,49 @@
                             </sp:X509Token>
                         </wsp:Policy>
                     </sp:RecipientToken>
+                    <sp:AlgorithmSuite>
+                        <wsp:Policy>
+                            <sp:Basic256Rsa15/>
+                        </wsp:Policy>
+                    </sp:AlgorithmSuite>
                     <sp:Layout>
                         <wsp:Policy>
                             <sp:Strict/>
                         </wsp:Policy>
                     </sp:Layout>
                     <sp:IncludeTimestamp/>
+                    <sp:EncryptSignature/>
+                    <sp:EncryptBeforeSigning/>
                 </wsp:Policy>
             </sp:AsymmetricBinding>
+            <sp:SignedSupportingTokens 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
+            <wsp:Policy>
+                <sp:UsernameToken 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"/>
+            </wsp:Policy>
+            </sp:SignedSupportingTokens>
+            <sp:Wss10 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
+                <wsp:Policy>
+                    <sp:MustSupportRefKeyIdentifier/>
+                    <sp:MustSupportRefEmbeddedToken/>
+                    <sp:MustSupportRefIssuerSerial/>
+                </wsp:Policy>
+            </sp:Wss10>
+            <sp:EncryptedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
+                <sp:Body/>
+            </sp:EncryptedParts>
+            <sp:SignedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
+                <sp:Body/>
+                <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
+            </sp:SignedParts>
             <rampc:RampartConfig 
xmlns:rampc="http://ws.apache.org/rampart/c/policy";>
+                <rampc:User>Alice</rampc:User>
+                <rampc:TimeToLive>360</rampc:TimeToLive>
+                <rampc:EncryptionUser>a</rampc:EncryptionUser>
+                <rampc:PasswordType>Digest</rampc:PasswordType>
+                
<rampc:PasswordCallbackClass>AXIS2C_HOME/bin/samples/rampart/callback/libpwcb.so</rampc:PasswordCallbackClass>
+                
<rampc:ReceiverCertificate>AXIS2C_HOME/bin/samples/rampart/keys/ahome/bob_cert.cert</rampc:ReceiverCertificate>
+                
<rampc:Certificate>AXIS2C_HOME/bin/samples/rampart/keys/ahome/alice_cert.cert</rampc:Certificate>
+                
<rampc:PrivateKey>AXIS2C_HOME/bin/samples/rampart/keys/ahome/alice_key.pem</rampc:PrivateKey>
             </rampc:RampartConfig>
         </wsp:All>
     </wsp:ExactlyOne>
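Review bot: The algorithm suite chosen for this binding, `<sp:Basic256Rsa15/>`, selects RSA PKCS#1 v1.5 key transport, the padding scheme exposed to Bleichenbacher-style padding-oracle attacks against the EncryptedKey; for a sample that users will copy, prefer the OAEP variant `<sp:Basic256/>` if rampart/c supports it, or add a comment stating why Rsa15 is required here. Separately, this client's SignedParts covers the Body and the WS-Addressing headers while the matching service policy in scenario6/services.xml lists only `<sp:Body/>`, so the addressing headers are signed by the client but never required by the receiver; align the two policies or note the asymmetry in the sample.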

Modified: webservices/rampart/trunk/c/samples/secpolicy/scenario6/services.xml
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/secpolicy/scenario6/services.xml?rev=593049&r1=593048&r2=593049&view=diff
==============================================================================
--- webservices/rampart/trunk/c/samples/secpolicy/scenario6/services.xml 
(original)
+++ webservices/rampart/trunk/c/samples/secpolicy/scenario6/services.xml Wed 
Nov  7 23:52:55 2007
@@ -4,9 +4,7 @@
    <description>
         This is a testing service , to test the system is working or not
    </description>
-
     <module ref="rampart"/>
-
     <operation name="echoString">
             <parameter 
name="wsamapping">http://example.com/ws/2004/09/policy/Test/EchoRequest</parameter>
     </operation>
@@ -34,17 +32,48 @@
                                 </sp:X509Token>
                             </wsp:Policy>
                         </sp:RecipientToken>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic256Rsa15/>
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
                         <sp:Layout>
                             <wsp:Policy>
                                 <sp:Strict/>
                             </wsp:Policy>
                         </sp:Layout>
                         <sp:IncludeTimestamp/>
+                        <sp:EncryptSignature/>
+                        <sp:EncryptBeforeSigning/>
                     </wsp:Policy>
                 </sp:AsymmetricBinding>
+                <sp:SignedSupportingTokens 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
+                <wsp:Policy>
+                    <sp:UsernameToken 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"/>
+                </wsp:Policy>
+                </sp:SignedSupportingTokens>
+                <sp:Wss10 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
+                    <wsp:Policy>
+                        <sp:MustSupportRefKeyIdentifier/>
+                        <sp:MustSupportRefEmbeddedToken/>
+                        <sp:MustSupportRefIssuerSerial/>
+                    </wsp:Policy>
+                </sp:Wss10>
+                <sp:EncryptedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
+                    <sp:Body/>
+                </sp:EncryptedParts>
+                <sp:SignedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
+                    <sp:Body/>
+                </sp:SignedParts>
                 <rampc:RampartConfig 
xmlns:rampc="http://ws.apache.org/rampart/c/policy";>
-                                       
<rampc:ReplayDetection>5</rampc:ReplayDetection>
-                                       
<rampc:ReplayDetectionModule>AXIS2C_HOME/bin/samples/rampart/replay_detector/librdflatfile.so</rampc:ReplayDetectionModule>
+                    <rampc:User>Bob</rampc:User>
+                    <rampc:TimeToLive>360</rampc:TimeToLive>
+                    <rampc:EncryptionUser>b</rampc:EncryptionUser>
+                    <rampc:PasswordType>Digest</rampc:PasswordType>
+                    
<rampc:PasswordCallbackClass>AXIS2C_HOME/bin/samples/rampart/callback/libpwcb.so</rampc:PasswordCallbackClass>
+                    
<rampc:ReceiverCertificate>AXIS2C_HOME/bin/samples/rampart/keys/bhome/alice_cert.cert</rampc:ReceiverCertificate>
+                    
<rampc:Certificate>AXIS2C_HOME/bin/samples/rampart/keys/bhome/bob_cert.cert</rampc:Certificate>
+                    
<rampc:PrivateKey>AXIS2C_HOME/bin/samples/rampart/keys/bhome/bob_key.pem</rampc:PrivateKey>
                 </rampc:RampartConfig>
             </wsp:All>
         </wsp:ExactlyOne>
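Review bot: The replay-detection entries are removed from this service while `<rampc:TimeToLive>360</rampc:TimeToLive>` is added, so a captured request for this scenario can presumably be resubmitted for up to six minutes with nothing but the timestamp window rejecting it; that is acceptable for a protection-order demo, but a comment in RampartConfig stating that replay detection is now exercised by scenario7 would stop the omission from being copied into production policies. The server also requires only `<sp:Body/>` under SignedParts while the paired client policy signs the WS-Addressing header too; either require the header here or document that the service does not check it.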

Added: webservices/rampart/trunk/c/samples/secpolicy/scenario7/client-policy.xml
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/secpolicy/scenario7/client-policy.xml?rev=593049&view=auto
==============================================================================
--- webservices/rampart/trunk/c/samples/secpolicy/scenario7/client-policy.xml 
(added)
+++ webservices/rampart/trunk/c/samples/secpolicy/scenario7/client-policy.xml 
Wed Nov  7 23:52:55 2007
@@ -0,0 +1,36 @@
+<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
+    <wsp:ExactlyOne>
+        <wsp:All>
+            <sp:AsymmetricBinding 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
+                <wsp:Policy>
+                    <sp:InitiatorToken>
+                        <wsp:Policy>
+                            <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";>
+                                <wsp:Policy>
+                                    <sp:WssX509V3Token10/>
+                                </wsp:Policy>
+                            </sp:X509Token>
+                        </wsp:Policy>
+                    </sp:InitiatorToken>
+                    <sp:RecipientToken>
+                        <wsp:Policy>
+                            <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never";>
+                                <wsp:Policy>
+                                    <sp:WssX509V3Token10/>
+                                </wsp:Policy>
+                            </sp:X509Token>
+                        </wsp:Policy>
+                    </sp:RecipientToken>
+                    <sp:Layout>
+                        <wsp:Policy>
+                            <sp:Strict/>
+                        </wsp:Policy>
+                    </sp:Layout>
+                    <sp:IncludeTimestamp/>
+                </wsp:Policy>
+            </sp:AsymmetricBinding>
+            <rampc:RampartConfig 
xmlns:rampc="http://ws.apache.org/rampart/c/policy";>
+            </rampc:RampartConfig>
+        </wsp:All>
+    </wsp:ExactlyOne>
+</wsp:Policy>
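Review bot: The client's `<rampc:RampartConfig>` is empty even though the InitiatorToken is an X509 token included AlwaysToRecipient and IncludeTimestamp is set, whereas every other scenario supplies User, Certificate, PrivateKey and PasswordCallbackClass; unless rampart/c obtains the signing key from somewhere outside this file, the client cannot produce the signed Timestamp that a replay-detection scenario relies on, so confirm this against an actual run of scenario 7. No SignedParts or EncryptedParts are declared either, so only whatever the binding signs implicitly (the Timestamp, if rampart/c follows the asymmetric-binding rules) is protected; if the Body is meant to be covered, add `<sp:SignedParts><sp:Body/></sp:SignedParts>` next to the binding.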

Added: webservices/rampart/trunk/c/samples/secpolicy/scenario7/services.xml
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/secpolicy/scenario7/services.xml?rev=593049&view=auto
==============================================================================
--- webservices/rampart/trunk/c/samples/secpolicy/scenario7/services.xml (added)
+++ webservices/rampart/trunk/c/samples/secpolicy/scenario7/services.xml Wed 
Nov  7 23:52:55 2007
@@ -0,0 +1,52 @@
+<service name="sec_echo">
+    <parameter name="ServiceClass" locked="xsd:false">sec_echo</parameter>
+
+   <description>
+        This is a testing service , to test the system is working or not
+   </description>
+
+    <module ref="rampart"/>
+
+    <operation name="echoString">
+            <parameter 
name="wsamapping">http://example.com/ws/2004/09/policy/Test/EchoRequest</parameter>
+    </operation>
+
+    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:AsymmetricBinding 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
+                    <wsp:Policy>
+                        <sp:InitiatorToken>
+                            <wsp:Policy>
+                                <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";>
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:InitiatorToken>
+                        <sp:RecipientToken>
+                            <wsp:Policy>
+                                <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never";>
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:RecipientToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Strict/>
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp/>
+                    </wsp:Policy>
+                </sp:AsymmetricBinding>
+                <rampc:RampartConfig 
xmlns:rampc="http://ws.apache.org/rampart/c/policy";>
+                                       
<rampc:ReplayDetection>5</rampc:ReplayDetection>
+                                       
<rampc:ReplayDetectionModule>AXIS2C_HOME/bin/samples/rampart/replay_detector/librdflatfile.so</rampc:ReplayDetectionModule>
+                </rampc:RampartConfig>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
+</service>
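Review bot: The meaning of `<rampc:ReplayDetection>5</rampc:ReplayDetection>` is not stated anywhere in the sample; a reader cannot tell whether 5 is a number of cached records, a time window, or something else, so add a comment above it giving the unit and what happens when the limit is reached. Replay detection is only meaningful over authenticated data, and this policy declares no SignedParts, so unless the binding signs the Timestamp implicitly the detector is keyed on fields an attacker can alter freely; consider `<sp:SignedParts><sp:Body/></sp:SignedParts>` here as well. The detector is loaded as a shared object from a path under AXIS2C_HOME, so the permissions on that directory decide who can substitute it, which is worth one sentence in the README.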

Modified: webservices/rampart/trunk/c/src/omxmlsec/axiom.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/axiom.c?rev=593049&r1=593048&r2=593049&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/axiom.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/axiom.c Wed Nov  7 23:52:55 2007
@@ -148,8 +148,8 @@
 
     localname = axiom_util_get_localname(node, env);
     /*AXIS2_LOG_INFO(env->log, "[rampart][axiom] Checking node %s for the 
attribute %s with value = %s", localname, attr, val);*/
-
     attribute_value = oxs_axiom_get_attribute_value_of_node_by_name(env, node, 
attr, ns);
+    
     if(0 == axutil_strcmp(val, attribute_value) ){
         /*Gottcha.. return this node*/
         return node;

Modified: webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c?rev=593049&r1=593048&r2=593049&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c 
(original)
+++ webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c Wed Nov 
 7 23:52:55 2007
@@ -695,48 +695,6 @@
         key_info_node = oxs_axiom_get_first_child_node_by_name(env, 
enc_data_node,
                         OXS_NODE_KEY_INFO, OXS_DSIG_NS, NULL);
 
-#if 0
-        if(key_info_node)
-        {
-            axiom_node_t *str_node = NULL;
-            str_node = oxs_axiom_get_first_child_node_by_name(env, 
key_info_node,
-                       OXS_NODE_SECURITY_TOKEN_REFRENCE, OXS_WSSE_XMLNS, NULL);
-
-            if(str_node)
-            {
-                axiom_node_t *str_child_node = NULL;
-                axis2_char_t *str_child_name = NULL;
-
-                str_child_node = axiom_node_get_first_element(str_node, env);
-                str_child_name = axiom_util_get_localname(str_child_node, env);
-                if(str_child_name)
-                {
-                    if(axutil_strcmp(str_child_name, OXS_NODE_REFERENCE) == 0)
-                    {
-                        axis2_char_t *ref = NULL;
-                        axis2_char_t *ref_id = NULL;
-                        axiom_node_t *reffed_node = NULL;
-
-                        ref = oxs_token_get_reference(env, str_child_node);
-                        ref_id = 
axutil_string_substring_starting_at(axutil_strdup(env, ref), 1);
-                        reffed_node = oxs_axiom_get_node_by_id(env, sec_node, 
"Id", ref_id, NULL);
-                        AXIS2_FREE(env->allocator, ref_id);
-                        ref_id = NULL;
-                        if(reffed_node)
-                        {
-                            ref_list_node = axiom_node_detach(ref_list_node, 
env);
-                            axiom_node_add_child(reffed_node, env, 
ref_list_node);
-
-                            status = rampart_shp_process_encrypted_key(env, 
msg_ctx, rampart_context,
-                                     soap_envelope, sec_node, reffed_node);
-                            break;
-                        }
-
-                    }
-                }
-            }
-        }
-#else
        if(key_info_node){
             axiom_node_t *reffed_node = NULL;
             axis2_char_t *reffed_node_name = NULL;
@@ -806,7 +764,6 @@
                 return AXIS2_FAILURE;
             }
        }
-#endif                        
     }
 
     axutil_array_list_free(reference_list, env);
@@ -1360,8 +1317,7 @@
                 if(!cur_node)
                 {
                     AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] No 
Signature element");
-                    rampart_create_fault_envelope(env, 
RAMPART_FAULT_INVALID_SECURITY,
-                                                  "Message is not signed ", 
RAMPART_FAULT_IN_SIGNATURE, msg_ctx);
+                    rampart_create_fault_envelope(env, 
RAMPART_FAULT_INVALID_SECURITY, "Message is not signed ", 
RAMPART_FAULT_IN_SIGNATURE, msg_ctx);
                     return AXIS2_FAILURE;
                 }
 
@@ -1439,7 +1395,8 @@
                         return status;
                     }
                 }else{
-                    cur_node = oxs_axiom_get_node_by_local_name(env, sec_node, 
OXS_NODE_REFERENCE_LIST);
+                    cur_node =  oxs_axiom_get_first_child_node_by_name(env, 
sec_node, OXS_NODE_REFERENCE_LIST, OXS_ENC_NS, OXS_XENC);
+                    /*oxs_axiom_get_node_by_local_name(env, sec_node, 
OXS_NODE_REFERENCE_LIST);*/
                     if(!cur_node)
                     {
                         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
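Review bot: The old lookup is kept as a commented-out line directly under the new call, `/*oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_REFERENCE_LIST);*/`; delete it, the revision history already preserves it. Switching to `oxs_axiom_get_first_child_node_by_name(env, sec_node, OXS_NODE_REFERENCE_LIST, OXS_ENC_NS, OXS_XENC)` is a worthwhile tightening, since a match by local name alone could presumably be satisfied by a ReferenceList nested inside another element or in a foreign namespace rather than the one directly under wsse:Security, and a short comment saying so, `/* only the xenc:ReferenceList that is a direct child of wsse:Security counts */`, would keep the next maintainer from reverting it. The same two lines are repeated later in this function, so a small static helper returning the header's xenc:ReferenceList would remove the duplicate. The enclosing function starts before this hunk and ends after it.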
@@ -1493,7 +1450,7 @@
                     AXIS2_LOG_INFO(env->log, "[rampart][shp] Error in the 
security header");
                     return AXIS2_FAILURE;
                 }
-
+                /*If the signature to be encrypted*/
                 if(signature_protection)
                 {
                     if(oxs_axiom_get_node_by_local_name(env, sec_node, 
OXS_NODE_SIGNATURE))
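Review bot: The added comment `/*If the signature to be encrypted*/` is a sentence fragment and does not say what is being decided; `/* Policy asks for the Signature element itself to be encrypted (signature_protection) */` states the condition being tested. The test on the next line still finds the Signature by local name only, in contrast to the namespace-qualified ReferenceList lookup introduced elsewhere in this commit; whether that matters here is not visible in the hunk, but a note recording the inconsistency would help.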
@@ -1511,7 +1468,8 @@
                 
                 /*Now process the Reference List. if any*/
                 AXIS2_LOG_INFO(env->log, "[rampart][shp] Process 
ReferenceList");
-                cur_node = oxs_axiom_get_node_by_local_name(env, sec_node, 
OXS_NODE_REFERENCE_LIST);
+                cur_node = oxs_axiom_get_first_child_node_by_name(env, 
sec_node, OXS_NODE_REFERENCE_LIST, OXS_ENC_NS, OXS_XENC);
+                /*cur_node = oxs_axiom_get_node_by_local_name(env, sec_node, 
OXS_NODE_REFERENCE_LIST);*/
                 if(cur_node)
                 {
                     status = rampart_shp_process_reference_list(env, msg_ctx,
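Review bot: The same commented-out `/*cur_node = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_REFERENCE_LIST);*/` is left here too and should be removed. Because `oxs_axiom_get_first_child_node_by_name` returns only the first matching direct child, a Security header carrying more than one xenc:ReferenceList is now only partly decrypted, and the `if(cur_node)` branch simply continues when there is none; whether a later policy check rejects required parts that were left encrypted is not visible here, so a comment such as `/* Only the first xenc:ReferenceList directly under wsse:Security is processed; any further lists are ignored */` would at least state the limitation where it is made. The enclosing function continues past this hunk.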

