Author: kaushalye
Date: Wed Nov 14 02:38:47 2007
New Revision: 594828
URL: http://svn.apache.org/viewvc?rev=594828&view=rev
Log:
1. Derived key store in rampart context
2. Sequential security header processing
Modified:
webservices/rampart/trunk/c/include/rampart_context.h
webservices/rampart/trunk/c/src/omxmlsec/derivation.c
webservices/rampart/trunk/c/src/util/rampart_context.c
webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c
webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
Modified: webservices/rampart/trunk/c/include/rampart_context.h
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_context.h?rev=594828&r1=594827&r2=594828&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_context.h (original)
+++ webservices/rampart/trunk/c/include/rampart_context.h Wed Nov 14 02:38:47
2007
@@ -38,6 +38,7 @@
#include <axis2_key_type.h>
#include <axis2_msg_ctx.h>
#include <oxs_key.h>
+#include <axutil_array_list.h>
#ifdef __cplusplus
extern "C"
@@ -203,7 +204,10 @@
const axutil_env_t *env,
axis2_char_t *reciever_certificate_file);
-
+ AXIS2_EXTERN axis2_status_t AXIS2_CALL
+ rampart_context_add_derived_key(rampart_context_t *rampart_context,
+ const axutil_env_t *env,
+ oxs_key_t *derived_key);
/**********************************************************8*/
@@ -289,6 +293,15 @@
rampart_context_get_password_type(
rampart_context_t *rampart_context,
const axutil_env_t *env);
+
+ AXIS2_EXTERN axutil_array_list_t* AXIS2_CALL
+ rampart_context_get_derived_keys(rampart_context_t *rampart_context,
+ const axutil_env_t *env);
+
+ AXIS2_EXTERN oxs_key_t* AXIS2_CALL
+ rampart_context_get_derived_key(rampart_context_t *rampart_context,
+ const axutil_env_t *env,
+ axis2_char_t* dk_id);
/*End of Getters */
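Review bot: The new declarations (rampart_context_add_derived_key in the previous hunk and the two getters here) carry no Doxygen comment, and every question a caller will have about them is one the signature cannot answer: whether the context takes ownership of derived_key, whether the list returned by rampart_context_get_derived_keys may be modified or freed by the caller, and what dk_id is compared against. The implementation in rampart_context.c matches dk_id against oxs_key_get_name() rather than a token Id and returns NULL when nothing matches, which the header should say, e.g. `/** Looks up a stored derived key by its oxs key name. @return the key, owned by the context, or NULL if no stored key has that name */`. Ownership of the stored keys is left open by this commit (the free path in rampart_context.c carries a TODO), so whichever rule is chosen should be written on rampart_context_add_derived_key as well.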
Modified: webservices/rampart/trunk/c/src/omxmlsec/derivation.c
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/derivation.c?rev=594828&r1=594827&r2=594828&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/derivation.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/derivation.c Wed Nov 14 02:38:47
2007
@@ -25,6 +25,7 @@
#include <oxs_tokens.h>
#include <openssl_hmac.h>
+/*Remove this funciton if not in use*/
AXIS2_EXTERN oxs_key_t* AXIS2_CALL
oxs_derivation_get_the_referenced_base_key(const axutil_env_t *env,
axiom_node_t *dk_token_node,
Modified: webservices/rampart/trunk/c/src/util/rampart_context.c
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_context.c?rev=594828&r1=594827&r2=594828&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_context.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_context.c Wed Nov 14 02:38:47
2007
@@ -57,10 +57,11 @@
axis2_bool_t require_timestamp;
axis2_bool_t require_ut;
+ oxs_key_t *session_key;
+ axutil_array_list_t *dk_list;
/*This is used in callback functions.*/
void *ctx;
- oxs_key_t *session_key;
-
+
};
/*void rampart_context_set_callback_fn(axutil_env_t *env,
@@ -182,6 +183,8 @@
rampart_context->ref = 0;
rampart_context->session_key = NULL;
+ rampart_context->dk_list = axutil_array_list_create(env, 2);
+
return rampart_context;
}
@@ -244,6 +247,8 @@
rampart_context->session_key = NULL;
}
+ /*TODO Free derived key list*/
+
if(rampart_context->certificate){
oxs_x509_cert_free(rampart_context->certificate, env);
rampart_context->certificate = NULL;
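Review bot: rampart_context_free now leaves dk_list and every oxs_key_t stored in it unreleased; the `/*TODO Free derived key list*/` marks the spot, but each freed context that processed DerivedKeyToken headers leaks the list plus one key per token. If the context owns the keys handed to rampart_context_add_derived_key (it stores the caller's pointer without copying, so this must be confirmed against the header processor), release the elements with oxs_key_free and then the list with axutil_array_list_free, as sketched below. The same list is walked by rampart_context_get_derived_key later in this file without the NULL guard that rampart_context_add_derived_key has, and that add function returns `AXIS2_FALSE` where an axis2_status_t (`AXIS2_FAILURE`) is expected, so both are worth fixing in the same change. rampart_context_free starts and ends outside this hunk.
```c
    /* … unchanged: session_key release … */
    /* Release the derived keys collected via rampart_context_add_derived_key.
     * Assumes the context owns them; confirm against the header processor. */
    if(rampart_context->dk_list){
        int i = 0;
        for(i = 0; i < axutil_array_list_size(rampart_context->dk_list, env); i++){
            oxs_key_t *dk = (oxs_key_t*)axutil_array_list_get(rampart_context->dk_list, env, i);
            if(dk){
                oxs_key_free(dk, env);
            }
        }
        axutil_array_list_free(rampart_context->dk_list, env);
        rampart_context->dk_list = NULL;
    }
    /* … unchanged: certificate release … */
```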
@@ -828,6 +833,51 @@
return AXIS2_SUCCESS;
}
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
+rampart_context_add_derived_key(rampart_context_t *rampart_context,
+ const axutil_env_t *env,
+ oxs_key_t *derived_key)
+{
+ if(rampart_context->dk_list){
+ axutil_array_list_add(rampart_context->dk_list, env, derived_key);
+ }else{
+ return AXIS2_FALSE;
+ }
+ return AXIS2_SUCCESS;
+}
+
+AXIS2_EXTERN axutil_array_list_t* AXIS2_CALL
+rampart_context_get_derived_keys(rampart_context_t *rampart_context,
+ const axutil_env_t *env)
+{
+ AXIS2_ENV_CHECK(env, AXIS2_FALSE);
+ return rampart_context->dk_list;
+}
+
+AXIS2_EXTERN oxs_key_t* AXIS2_CALL
+rampart_context_get_derived_key(rampart_context_t *rampart_context,
+ const axutil_env_t *env,
+ axis2_char_t* dk_id)
+{
+ oxs_key_t* dk = NULL;
+ int i = 0;
+
+ AXIS2_ENV_CHECK(env, AXIS2_FALSE);
+
+ /*Repeat thru all the derived keys and find the matching one*/
+ for(i=0 ; i < axutil_array_list_size(rampart_context->dk_list, env); i++)
+ {
+ axis2_char_t *key_name = NULL;
+
+ dk = (oxs_key_t*)axutil_array_list_get(rampart_context->dk_list, env,
i);
+ key_name = oxs_key_get_name(dk, env);
+ if(0 == axutil_strcmp(key_name, dk_id)){
+ return dk;
+ }
+ }
+
+ return NULL;
+}
AXIS2_EXTERN axis2_bool_t AXIS2_CALL
Modified: webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c?rev=594828&r1=594827&r2=594828&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c Wed Nov
14 02:38:47 2007
@@ -252,7 +252,7 @@
/*Signature Confirmation support. Only in the server side*/
if(axis2_msg_ctx_get_server_side(msg_ctx,env)){
- axis2_bool_t sign_conf_reqd = AXIS2_TRUE;
+ axis2_bool_t sign_conf_reqd = AXIS2_FALSE;
/*TODO sign_conf_reqd <- Get from context <- policy*/
if(sign_conf_reqd){
status = rampart_sig_confirm_signature(env, msg_ctx,
rampart_context, sec_node);
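Review bot: Flipping sign_conf_reqd from AXIS2_TRUE to AXIS2_FALSE switches SignatureConfirmation off for every server-side response, and neither the commit log nor the code says why; the next reader sees a hard-coded false beside a TODO and cannot tell whether it is intentional. Until the value is taken from the policy as the TODO says, record the reason next to the literal, e.g. `/* Off by default until the value is read from policy (see TODO below); responses currently carry no SignatureConfirmation element */`. Because the flag is a local literal, a policy that asks for signature confirmation is not honoured on this path, so a WARN-level log line when that situation can be detected would make the gap visible. The enclosing function starts and ends outside this hunk.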
Modified: webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c?rev=594828&r1=594827&r2=594828&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
(original)
+++ webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c Wed Nov
14 02:38:47 2007
@@ -1254,9 +1254,183 @@
return status;
}
+/***/
+static axis2_status_t
+rampart_shp_detect_replays(const axutil_env_t *env,
+ axis2_msg_ctx_t *msg_ctx,
+ rampart_context_t *rampart_context,
+ axiom_soap_envelope_t *soap_envelope,
+ axiom_node_t *sec_node)
+{
+ axis2_bool_t need_replay_detection = AXIS2_FALSE;
+ axis2_status_t status = AXIS2_FAILURE;
+
+ if((NULL == rampart_context_get_rd_val(rampart_context, env)) && (NULL
== rampart_context_get_replay_detector_name(rampart_context, env)))
+ {
+ AXIS2_LOG_INFO(env->log, "[rampart][shp] Replay detection is not
specified. Nothing to do");
+ need_replay_detection = AXIS2_FALSE;
+ }
+ else
+ {
+ AXIS2_LOG_INFO(env->log, "[rampart][shp] Checking message for
replay.");
+ need_replay_detection = AXIS2_TRUE;
+ }
+ if(AXIS2_TRUE == need_replay_detection)
+ {
+ axis2_char_t* replay_detector_name =
rampart_context_get_replay_detector_name(rampart_context, env);
+ if (replay_detector_name)
+ {
+ rampart_replay_detector_t* replay_detector =
(rampart_replay_detector_t*)rampart_context_get_replay_detector(rampart_context,
env);
+ if (!replay_detector)
+ {
+ AXIS2_LOG_ERROR(env->log,
AXIS2_LOG_SI,"[rampart][shp] Cannot find the replay detector module");
+ rampart_create_fault_envelope(env,
RAMPART_FAULT_INVALID_SECURITY, "Message is replayed",
RAMPART_FAULT_MSG_REPLAYED, msg_ctx);
+ return AXIS2_FAILURE;
+ }
+
+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
"[rampart][shp] Using replay module.");
+ status =
RAMPART_REPLAY_DETECTOR_IS_REPLAYED(replay_detector, env, msg_ctx,
rampart_context);
+ if(status != AXIS2_SUCCESS)
+ {
+ /*Scream .. replayed*/
+ AXIS2_LOG_ERROR(env->log,
AXIS2_LOG_SI,"[rampart][shp] Message can be replayed");
+ rampart_create_fault_envelope(env,
RAMPART_FAULT_INVALID_SECURITY, "Message is replayed",
RAMPART_FAULT_MSG_REPLAYED, msg_ctx);
+ return AXIS2_FAILURE;
+ }
+ else
+ {
+ AXIS2_LOG_INFO(env->log,
"[rampart][shp] Checked message for replays. Not a replay.");
+ }
+ }
+ else
+ {
+ rampart_is_replayed_fn rd_fn = NULL;
+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
"[rampart][shp] Replay module not defined. Using replay function.");
+
+ /*Is replayed*/
+ rd_fn =
rampart_context_get_replay_detect_function(rampart_context, env);
+ if(rd_fn)
+ {
+ status = (*rd_fn)(env, msg_ctx,
rampart_context);
+ if(status != AXIS2_SUCCESS)
+ {
+ /*Scream .. replayed*/
+ AXIS2_LOG_ERROR(env->log,
AXIS2_LOG_SI,"[rampart][shp] Message can be replayed");
+
rampart_create_fault_envelope(env, RAMPART_FAULT_INVALID_SECURITY, "Message is
replayed", RAMPART_FAULT_MSG_REPLAYED, msg_ctx);
+ return AXIS2_FAILURE;
+ }
+ else
+ {
+ AXIS2_LOG_INFO(env->log,
"[rampart][shp] Checked message for replays. Not a replay.");
+ }
+ }
+ else
+ {
+ AXIS2_LOG_INFO(env->log,
"[rampart][shp] No replay detection function specified. Nothing to do. ");
+ }
+ }
+ }
+ return AXIS2_SUCCESS;
+}
+/***/
+static axis2_status_t
+rampart_shp_process_derived_key(const axutil_env_t *env,
+ axis2_msg_ctx_t *msg_ctx,
+ rampart_context_t *rampart_context,
+ axiom_node_t *sec_node,
+ axiom_node_t *dk_node)
+{
+ oxs_key_t *session_key = NULL;
+ oxs_key_t *derived_key = NULL;
+
+ /*Get the session key.*/
+ session_key = rampart_context_get_session_key(rampart_context, env);
+ if(!session_key){
+ AXIS2_LOG_INFO(env->log, "[rampart][shp] On processing
ReferenceList, failed to get the session key. Cannot derive the key");
+ return AXIS2_FAILURE;
+ }
+
+ /*Derive the key*/
+ derived_key = oxs_derivation_extract_derived_key_from_token(env, dk_node,
sec_node, session_key);
+
+ /*Add to the rampart context*/
+ rampart_context_add_derived_key(rampart_context, env, derived_key);
+
+ return AXIS2_SUCCESS;
+}
+
/*Public functions*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
+rampart_shp_strict_process_message(const axutil_env_t *env,
+ axis2_msg_ctx_t *msg_ctx,
+ rampart_context_t *rampart_context,
+ axiom_soap_envelope_t *soap_envelope,
+ axiom_node_t *sec_node)
+{
+ axiom_node_t *cur_node = NULL;
+ axis2_status_t status = AXIS2_FAILURE;
+
+ AXIS2_LOG_INFO(env->log, "[rampart][shp] Processing security header in
Strict layout");
+
+ cur_node = axiom_node_get_first_child(sec_node, env);
+
+ /*Loop all security headers*/
+ while(cur_node){
+ axis2_char_t *cur_local_name = NULL;
+
+ cur_local_name = axiom_util_get_localname(cur_node, env);
+ AXIS2_LOG_INFO(env->log, "[rampart][shp] Processing security header
element %s", cur_local_name);
+
+ if(0 == axutil_strcmp(cur_local_name, OXS_NODE_ENCRYPTED_KEY)){
+ status = rampart_shp_process_encrypted_key(env, msg_ctx,
rampart_context, soap_envelope, sec_node, cur_node);
+
+ }else if(0 == axutil_strcmp(cur_local_name,
RAMPART_SECURITY_TIMESTAMP)){
+ status = rampart_shp_process_timestamptoken(env, msg_ctx,
rampart_context, sec_node);
+
+ }else if(0 == axutil_strcmp(cur_local_name,
RAMPART_SECURITY_USERNAMETOKEN)){
+ status = rampart_shp_process_usernametoken(env, msg_ctx,
rampart_context, sec_node);
+
+ }else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_SIGNATURE)){
+ status = rampart_shp_process_signature(env, msg_ctx,
rampart_context, soap_envelope, sec_node, cur_node);
+
+ }else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_REFERENCE_LIST)){
+ status = rampart_shp_process_reference_list(env, msg_ctx,
rampart_context, soap_envelope, sec_node, cur_node);
+
+ }else if(0 == axutil_strcmp(cur_local_name,
OXS_NODE_DERIVED_KEY_TOKEN)){
+ /* We need to extract this and store in the rampart context*/
+ status = rampart_shp_process_derived_key(env, msg_ctx,
rampart_context, sec_node, cur_node);
+
+ }else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_ENCRYPTED_DATA)){
+ /*TODO: When a security header is Encrypted*/
+ status = AXIS2_SUCCESS;
+ }else if(0 == axutil_strcmp(cur_local_name,
OXS_NODE_SIGNATURE_CONFIRMATION)){
+ /*TODO*/
+ status = AXIS2_SUCCESS;
+ }else{
+ AXIS2_LOG_INFO(env->log, "[rampart][shp] Unknown security header
%s", cur_local_name);
+ status = AXIS2_SUCCESS;
+ }
+ if(status != AXIS2_SUCCESS){
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] %s
processing failed", cur_local_name);
+ return status;
+ }
+
+ /*Get next node*/
+ cur_node = axiom_node_get_next_sibling(cur_node, env);
+ }/*Eof while loop*/
+
+ AXIS2_LOG_INFO(env->log, "Security header processing done");
+ /*Now detect replays*/
+ status = rampart_shp_detect_replays(env, msg_ctx, rampart_context,
soap_envelope, sec_node);
+ if(status != AXIS2_SUCCESS){
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] A replay
detected");
+ return AXIS2_FAILURE;
+ }
+ return AXIS2_SUCCESS;
+}
+
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_shp_process_message(const axutil_env_t *env,
axis2_msg_ctx_t *msg_ctx,
rampart_context_t *rampart_context,
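Review bot: rampart_shp_process_derived_key passes the result of oxs_derivation_extract_derived_key_from_token to rampart_context_add_derived_key without checking it, so a DerivedKeyToken from the incoming header that cannot be resolved presumably stores a NULL in dk_list, which rampart_context_get_derived_key later hands to oxs_key_get_name; add `if(!derived_key){ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] Cannot derive key from DerivedKeyToken"); return AXIS2_FAILURE; }` before the add, and note that the existing failure log above it still says "On processing ReferenceList", which reads like a copy from another function. In rampart_shp_strict_process_message the OXS_NODE_ENCRYPTED_DATA and OXS_NODE_SIGNATURE_CONFIRMATION branches return AXIS2_SUCCESS with only a TODO, so a header element that was not processed is accepted as if it had been; failing closed, or at least logging at WARN level, would be the safer interim behaviour. rampart_shp_detect_replays builds a "Message is replayed" fault when the replay detector module cannot be found, an inherited wording problem that now lives in a new function where a more accurate fault text would be easy to set. rampart_shp_process_message's signature continues past the end of this hunk.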
@@ -1265,7 +1439,6 @@
{
axiom_node_t *cur_node = NULL;
axis2_status_t status = AXIS2_FAILURE;
- axis2_bool_t need_replay_detection = AXIS2_FALSE;
axis2_bool_t signature_protection = AXIS2_FALSE;
AXIS2_LOG_INFO(env->log, "[rampart][shp] Processing security header");
@@ -1586,71 +1759,9 @@
}
}
- if((NULL == rampart_context_get_rd_val(rampart_context, env)) && (NULL
== rampart_context_get_replay_detector_name(rampart_context, env)))
- {
- AXIS2_LOG_INFO(env->log, "[rampart][shp] Replay detection is not
specified. Nothing to do");
- need_replay_detection = AXIS2_FALSE;
- }
- else
- {
- AXIS2_LOG_INFO(env->log, "[rampart][shp] Checking message for
replay.");
- need_replay_detection = AXIS2_TRUE;
- }
- if(AXIS2_TRUE == need_replay_detection)
- {
- axis2_char_t* replay_detector_name =
rampart_context_get_replay_detector_name(rampart_context, env);
- if (replay_detector_name)
- {
- rampart_replay_detector_t* replay_detector =
(rampart_replay_detector_t*)rampart_context_get_replay_detector(rampart_context,
env);
- if (!replay_detector)
- {
- AXIS2_LOG_ERROR(env->log,
AXIS2_LOG_SI,"[rampart][shp] Cannot find the replay detector module");
- rampart_create_fault_envelope(env,
RAMPART_FAULT_INVALID_SECURITY, "Message is replayed",
RAMPART_FAULT_MSG_REPLAYED, msg_ctx);
- return AXIS2_FAILURE;
- }
-
- AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
"[rampart][shp] Using replay module.");
- status =
RAMPART_REPLAY_DETECTOR_IS_REPLAYED(replay_detector, env, msg_ctx,
rampart_context);
- if(status != AXIS2_SUCCESS)
- {
- /*Scream .. replayed*/
- AXIS2_LOG_ERROR(env->log,
AXIS2_LOG_SI,"[rampart][shp] Message can be replayed");
- rampart_create_fault_envelope(env,
RAMPART_FAULT_INVALID_SECURITY, "Message is replayed",
RAMPART_FAULT_MSG_REPLAYED, msg_ctx);
- return AXIS2_FAILURE;
- }
- else
- {
- AXIS2_LOG_INFO(env->log,
"[rampart][shp] Checked message for replays. Not a replay.");
- }
- }
- else
- {
- rampart_is_replayed_fn rd_fn = NULL;
- AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
"[rampart][shp] Replay module not defined. Using replay function.");
-
- /*Is replayed*/
- rd_fn =
rampart_context_get_replay_detect_function(rampart_context, env);
- if(rd_fn)
- {
- status = (*rd_fn)(env, msg_ctx,
rampart_context);
- if(status != AXIS2_SUCCESS)
- {
- /*Scream .. replayed*/
- AXIS2_LOG_ERROR(env->log,
AXIS2_LOG_SI,"[rampart][shp] Message can be replayed");
-
rampart_create_fault_envelope(env, RAMPART_FAULT_INVALID_SECURITY, "Message is
replayed", RAMPART_FAULT_MSG_REPLAYED, msg_ctx);
- return AXIS2_FAILURE;
- }
- else
- {
- AXIS2_LOG_INFO(env->log,
"[rampart][shp] Checked message for replays. Not a replay.");
- }
- }
- else
- {
- AXIS2_LOG_INFO(env->log,
"[rampart][shp] No replay detection function specified. Nothing to do. ");
- }
- }
- }
+ /*Now detect replays*/
+ status = rampart_shp_detect_replays(env, msg_ctx, rampart_context,
soap_envelope, sec_node);
+
AXIS2_LOG_INFO(env->log, "[rampart][shp] Security header element
processing, DONE ");
/*Do the action accordingly*/
return AXIS2_SUCCESS;
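Review bot: The return value of rampart_shp_detect_replays is assigned to status and then discarded: the function falls through to `return AXIS2_SUCCESS;`, so a message the detector flags as replayed gets a fault envelope built but is still reported as successfully processed to the caller, whereas the removed code returned AXIS2_FAILURE at that point. Add `if(status != AXIS2_SUCCESS){ return AXIS2_FAILURE; }` after the call, as rampart_shp_strict_process_message already does in the first hunk of this file. The hunk at -1690 in the same file makes the identical substitution and needs the same check. rampart_shp_process_message begins outside this hunk.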
@@ -1690,64 +1801,8 @@
}
}
- if((NULL == rampart_context_get_rd_val(rampart_context, env)) && (NULL
== rampart_context_get_replay_detector(rampart_context, env)))
- {
- AXIS2_LOG_INFO(env->log, "[rampart][shp] Replay detection is not
specified. Nothing to do");
- need_replay_detection = AXIS2_FALSE;
- }
- else
- {
- AXIS2_LOG_INFO(env->log, "[rampart][shp] Checking message for
replay.");
- need_replay_detection = AXIS2_TRUE;
- }
-
- if(AXIS2_TRUE == need_replay_detection)
- {/*TODO Chk for the policy configuration*/
- rampart_replay_detector_t* replay_detector =
(rampart_replay_detector_t*)rampart_context_get_replay_detector(rampart_context,
env);
- if (replay_detector)
- {
- AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
"[rampart][shp] Using replay module.");
- status =
RAMPART_REPLAY_DETECTOR_IS_REPLAYED(replay_detector, env, msg_ctx,
rampart_context);
- if(status != AXIS2_SUCCESS)
- {
- /*Scream .. replayed*/
- AXIS2_LOG_ERROR(env->log,
AXIS2_LOG_SI,"[rampart][shp] Message can be replayed");
- rampart_create_fault_envelope(env,
RAMPART_FAULT_INVALID_SECURITY, "Message is replayed",
RAMPART_FAULT_MSG_REPLAYED, msg_ctx);
- return AXIS2_FAILURE;
- }
- else
- {
- AXIS2_LOG_INFO(env->log,
"[rampart][shp] Checked message for replays. Not a replay.");
- }
- }
- else
- {
- rampart_is_replayed_fn rd_fn = NULL;
- AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
"[rampart][shp] Replay module not defined. Using replay function.");
-
- /*Is replayed*/
- rd_fn =
rampart_context_get_replay_detect_function(rampart_context, env);
- if(rd_fn)
- {
- status = (*rd_fn)(env, msg_ctx,
rampart_context);
- if(status != AXIS2_SUCCESS)
- {
- /*Scream .. replayed*/
- AXIS2_LOG_ERROR(env->log,
AXIS2_LOG_SI,"[rampart][shp] Message can be replayed");
-
rampart_create_fault_envelope(env, RAMPART_FAULT_INVALID_SECURITY, "Message is
replayed", RAMPART_FAULT_MSG_REPLAYED, msg_ctx);
- return AXIS2_FAILURE;
- }
- else
- {
- AXIS2_LOG_INFO(env->log,
"[rampart][shp] Checked message for replays. Not a replay.");
- }
- }
- else
- {
- AXIS2_LOG_INFO(env->log,
"[rampart][shp] No replay detection function specified. Nothing to do. ");
- }
- }
- }
+ /*Now detect replays*/
+ status = rampart_shp_detect_replays(env, msg_ctx, rampart_context,
soap_envelope, sec_node);
AXIS2_LOG_INFO(env->log, "[rampart][shp] Security header element
processing, DONE ");
/*Do the action accordingly*/