Author: kaushalye
Date: Sun Nov 18 21:17:00 2007
New Revision: 596205
URL: http://svn.apache.org/viewvc?rev=596205&view=rev
Log:
1. New policy validator to validate security policies in SOAP messages
2. Signature confirmation support in sec processed results
3. Header comments
Added:
webservices/rampart/trunk/c/include/rampart_policy_validator.h
webservices/rampart/trunk/c/src/util/rampart_policy_validator.c
Modified:
webservices/rampart/trunk/c/include/oxs_derivation.h
webservices/rampart/trunk/c/include/oxs_signature.h
webservices/rampart/trunk/c/include/rampart_constants.h
webservices/rampart/trunk/c/include/rampart_context.h
webservices/rampart/trunk/c/include/rampart_encryption.h
webservices/rampart/trunk/c/include/rampart_sec_header_processor.h
webservices/rampart/trunk/c/include/rampart_signature.h
webservices/rampart/trunk/c/include/rampart_token_builder.h
webservices/rampart/trunk/c/src/handlers/rampart_in_handler.c
webservices/rampart/trunk/c/src/util/Makefile.am
webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
Modified: webservices/rampart/trunk/c/include/oxs_derivation.h
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/oxs_derivation.h?rev=596205&r1=596204&r2=596205&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/oxs_derivation.h (original)
+++ webservices/rampart/trunk/c/include/oxs_derivation.h Sun Nov 18 21:17:00
2007
@@ -41,14 +41,15 @@
/**
- * Derive Keys
- * Caller must free memory
+ * Derive Key depending on the secret key @secret
+ * Caller must free memory for derived key
* @param env pointer to environment struct
* @param secret The secret is the shared secret that is exchanged (note
that if two secrets were securely exchanged,\
* possible as part of an initial exchange, they are concatenated in the
order they were sent/received)
* @param derived_key The derived key. Caller must create and free
* @param build_fresh Whether to build fresh or build using details in
derived key(in case of recovering the derive key from xml)
- * @return status
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
+ *
**/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
oxs_derivation_derive_key(const axutil_env_t *env,
@@ -56,7 +57,16 @@
oxs_key_t *derived_key,
axis2_bool_t build_fresh
);
-
+ /**
+ * Build the <wsse:DerivedKeyToken> depending a given derived key
@derived_key
+ * The token will be attached to the parent @parent
+ * @param env pointer to environment struct
+ * @derived_key The derived key to be used to get information
+ * @parent The parent node to be attached to
+ * @stref_uri Security Toekn Reference URI
+ * @stref_val_type Security Token Reference Valut Type
+ * @return the built axiom node
+ */
AXIS2_EXTERN axiom_node_t * AXIS2_CALL
oxs_derivation_build_derived_key_token(const axutil_env_t *env,
oxs_key_t *derived_key,
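Review bot: The new doc block for oxs_derivation_build_derived_key_token tags its parameters as `@derived_key`, `@parent`, `@stref_uri` and `@stref_val_type` instead of `@param derived_key` etc., so Doxygen will not bind them to the signature and will warn about unknown commands; only `@param env` is in the documented form. The same pattern is in the next hunk of this file (oxs_derivation_extract_derived_key_from_token, whose `@dk_token`/`@root_node`/`@session_key` tags have the same problem) and in both new comments in oxs_signature.h, which additionally spell the algorithm `HMA-SHA1`. The line `* @stref_val_type Security Token Reference Valut Type` should read `* @param stref_val_type Security Token Reference Value Type`, and `Toekn` on the line above it is `Token`.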
@@ -64,8 +74,16 @@
axis2_char_t *stref_uri,
axis2_char_t *stref_val_type);
- /* If the (optional) session_key is NULL then extract it form the refered
EncryptedKey. Otherwise use it
- * to Derive a new key using information available in the dk_token*/
+ /**
+ * Extract information from an AXIOM node of typ <wsse:DerivedKeyToken>
and build a key
+ * If the (optional) session_key is NULL then extract it form the refered
EncryptedKey. Otherwise use it
+ * to Derive a new key using information available in the dk_token.
+ * @param env pointer to environment struct
+ * @dk_token The <wsse:DerivedKeyToken> axiom node
+ * @root_node The root node, which the search scope limited to
+ * @session_key The session key, which is the base for the key derivation.
+ * @return the derived key on SUCCESS or NULL on failure
+ * */
AXIS2_EXTERN oxs_key_t * AXIS2_CALL
oxs_derivation_extract_derived_key_from_token(const axutil_env_t *env,
axiom_node_t *dk_token,
Modified: webservices/rampart/trunk/c/include/oxs_signature.h
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/oxs_signature.h?rev=596205&r1=596204&r2=596205&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/oxs_signature.h (original)
+++ webservices/rampart/trunk/c/include/oxs_signature.h Sun Nov 18 21:17:00 2007
@@ -104,13 +104,30 @@
oxs_sign_ctx_t *sign_ctx,
axis2_char_t *content,
axis2_char_t *signature);
-
+ /**
+ * Verifies @signature with @content using the information
+ * available in the signature content @sign_ctx as per the HMA-SHA1
algorithm
+ * @env pointer to environment struct
+ * @sign_ctx the signature context
+ * @content the content that's signed
+ * @signature the signature value
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
+ */
AXIS2_EXTERN axis2_status_t AXIS2_CALL
oxs_sig_verify_hmac_sha1(const axutil_env_t *env,
oxs_sign_ctx_t *sign_ctx,
axis2_char_t *content,
axis2_char_t *signature);
+ /**
+ * Verifies @signature with @content using the information
+ * available in the signature content @sign_ctx as per the RSA-SHA1
algorithm
+ * @env pointer to environment struct
+ * @sign_ctx the signature context
+ * @content the content that's signed
+ * @signature the signature value
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
+ */
AXIS2_EXTERN axis2_status_t AXIS2_CALL
oxs_sig_verify_rsa_sha1(const axutil_env_t *env,
oxs_sign_ctx_t *sign_ctx,
Modified: webservices/rampart/trunk/c/include/rampart_constants.h
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_constants.h?rev=596205&r1=596204&r2=596205&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_constants.h (original)
+++ webservices/rampart/trunk/c/include/rampart_constants.h Sun Nov 18 21:17:00
2007
@@ -132,6 +132,7 @@
#define RAMPART_SPR_SIG_VALUE "SPR_Sig_Val"
#define RAMPART_SPR_SIG_VERIFIED "SPR_Sig_Verified"
#define RAMPART_SPR_SIG_ENCRYPTED "SPR_Sig_Encrypted"
+#define RAMPART_SPR_SIG_CONFIRM_FOUND "SPR_Sig_Confirmation_Found"
#define RAMPART_YES "YES"
#define RAMPART_NO "NO"
Modified: webservices/rampart/trunk/c/include/rampart_context.h
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_context.h?rev=596205&r1=596204&r2=596205&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_context.h (original)
+++ webservices/rampart/trunk/c/include/rampart_context.h Sun Nov 18 21:17:00
2007
@@ -490,14 +490,7 @@
axis2_bool_t server_side,
axis2_bool_t is_inpath,
const axutil_env_t *env);
- /*
- AXIS2_EXTERN axis2_char_t *AXIS2_CALL
- rampart_context_get_enc_key_identifier(
- rampart_context_t *rampart_context,
- rp_property_t *token,
- axis2_bool_t server_side,
- const axutil_env_t *env);
- */
+
AXIS2_EXTERN axis2_char_t *AXIS2_CALL
rampart_context_get_key_identifier(
rampart_context_t *rampart_context,
@@ -583,7 +576,8 @@
const axutil_env_t *env);
AXIS2_EXTERN axis2_bool_t AXIS2_CALL
- rampart_context_is_sig_confirmation_reqd(rampart_context_t
*rampart_context,
+ rampart_context_is_sig_confirmation_reqd(
+ rampart_context_t *rampart_context,
const axutil_env_t *env);
#ifdef __cplusplus
Modified: webservices/rampart/trunk/c/include/rampart_encryption.h
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_encryption.h?rev=596205&r1=596204&r2=596205&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_encryption.h (original)
+++ webservices/rampart/trunk/c/include/rampart_encryption.h Sun Nov 18
21:17:00 2007
@@ -48,19 +48,33 @@
*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_enc_encrypt_message(const axutil_env_t *env,
- axis2_msg_ctx_t *msg_ctx,
- rampart_context_t *rampart_context,
- axiom_soap_envelope_t *soap_envelope,
- axiom_node_t *sec_node);
+ axis2_msg_ctx_t *msg_ctx,
+ rampart_context_t *rampart_context,
+ axiom_soap_envelope_t *soap_envelope,
+ axiom_node_t *sec_node);
+ /**
+ * @param env pointer to environment struct
+ * @param msg_ctx message context
+ * @param soap_envelope the SOAP envelope
+ * @param sec_node The security element
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
+ */
AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_enc_dk_encrypt_message(const axutil_env_t *env,
- axis2_msg_ctx_t *msg_ctx,
- rampart_context_t *rampart_context,
- axiom_soap_envelope_t *soap_envelope,
- axiom_node_t *sec_node);
+ axis2_msg_ctx_t *msg_ctx,
+ rampart_context_t *rampart_context,
+ axiom_soap_envelope_t *soap_envelope,
+ axiom_node_t *sec_node);
+ /**
+ * @param env pointer to environment struct
+ * @param msg_ctx message context
+ * @param soap_envelope the SOAP envelope
+ * @param sec_node The security element
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
+ */
AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_enc_add_key_info(
const axutil_env_t *env,
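Review bot: The comment added for rampart_enc_dk_encrypt_message documents env, msg_ctx, soap_envelope and sec_node but omits the `rampart_context` parameter that the signature directly below it takes, and it has no brief line saying what the function does; the block for rampart_enc_add_key_info has the same shape, and that function's parameter list runs past the end of this hunk so it cannot be checked here. Add `* @param rampart_context the rampart context`, as the rampart_enc_encrypt_session_key block later in this file already does, and a one-line purpose statement above the parameter list.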
@@ -70,6 +84,13 @@
axiom_node_t *sec_node);
+ /**
+ * @param env pointer to environment struct
+ * @param msg_ctx message context
+ * @param soap_envelope the SOAP envelope
+ * @param sec_node The security element
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
+ */
AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_enc_encrypt_signature(
const axutil_env_t *env,
@@ -78,14 +99,23 @@
axiom_soap_envelope_t *soap_envelope,
axiom_node_t *sec_node);
+ /**
+ * @param env pointer to environment struct
+ * @param session_key the session key to be encrypted
+ * @param msg_ctx message context
+ * @param rampart_context the rampart context
+ * @param soap_envelope the SOAP envelope
+ * @param sec_node The security element
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
+ */
AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_enc_encrypt_session_key(const axutil_env_t *env,
- oxs_key_t *session_key,
- axis2_msg_ctx_t *msg_ctx,
- rampart_context_t *rampart_context,
- axiom_soap_envelope_t *soap_envelope,
- axiom_node_t *sec_node,
- axutil_array_list_t *id_list);
+ oxs_key_t *session_key,
+ axis2_msg_ctx_t *msg_ctx,
+ rampart_context_t *rampart_context,
+ axiom_soap_envelope_t *soap_envelope,
+ axiom_node_t *sec_node,
+ axutil_array_list_t *id_list);
/* @} */
Added: webservices/rampart/trunk/c/include/rampart_policy_validator.h
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_policy_validator.h?rev=596205&view=auto
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_policy_validator.h (added)
+++ webservices/rampart/trunk/c/include/rampart_policy_validator.h Sun Nov 18
21:17:00 2007
@@ -0,0 +1,60 @@
+/*
+ * Copyright 2003-2004 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <axutil_utils_defines.h>
+#include <axis2_defines.h>
+#include <axutil_env.h>
+#include <axis2_msg_ctx.h>
+#include <rampart_context.h>
+/**
+ * @file rampart_policy_validator.h
+ * @brief Verifies whether the message complies with the security policy
reqmnt
+ */
+
+/**
+* @defgroup rampart_policy_validator PolicyValidator
+* @ingroup rampart_utils
+* @{
+*/
+
+#ifndef RAMPART_POLICY_VALIDATOR_H
+#define RAMPART_POLICY_VALIDATOR_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ /**
+ * Validate security policies, those cannot be checked on the fly
+ * @param env pointer to environment struct
+ * @param rampart_context the Rampart Context
+ * @param sec_node The security element
+ * @param msg_ctx message context
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
+ */
+ AXIS2_EXTERN axis2_status_t AXIS2_CALL
+ rampiart_pv_validate_sec_header(const axutil_env_t *env,
+ rampart_context_t *rampart_context,
+ axiom_node_t *sec_node,
+ axis2_msg_ctx_t *msg_ctx);
+
+
+ /* @} */
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* !RAMPART_POLICY_VALIDATOR_H */
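Review bot: The include guard `#ifndef RAMPART_POLICY_VALIDATOR_H` starts only after the five `#include` directives and the Doxygen group comment, so the guard does not protect the includes and they are reprocessed on every inclusion; move the `#ifndef`/`#define` pair to directly below the license block so it wraps the whole header. The declared name `rampiart_pv_validate_sec_header` carries a typo (`rampiart`) that this commit bakes into a public symbol, its definition in rampart_policy_validator.c and the call in rampart_sec_header_processor.c; renaming it later will be an ABI break, so it is cheapest to fix now. The declaration uses `axiom_node_t` without including an axiom header, relying on one of the other includes (presumably axis2_msg_ctx.h or rampart_context.h) to pull it in transitively. The license block here reads `Copyright 2003-2004 The Apache Software Foundation` while the new .c file in this same commit carries the current ASF contributor-agreement header; the two should match.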
Modified: webservices/rampart/trunk/c/include/rampart_sec_header_processor.h
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_sec_header_processor.h?rev=596205&r1=596204&r2=596205&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_sec_header_processor.h
(original)
+++ webservices/rampart/trunk/c/include/rampart_sec_header_processor.h Sun Nov
18 21:17:00 2007
@@ -44,7 +44,7 @@
* Processes a message depending on it's security related claims.
* This is the main module in the infow of a message if rampart is enabled.
* Processing is depending on the order of tokens apear in the @sec_node
- * Also the module will check for the InflowSecurity Settings
+ * Also the module will check for security policy settings
* @param env pointer to environment struct
* @param msg_ctx message context
* @param soap_envelope the SOAP envelope
@@ -52,7 +52,7 @@
* @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
- rampart_shp_process_message(const axutil_env_t *env,
+ rampart_shp_process_sec_header(const axutil_env_t *env,
axis2_msg_ctx_t *msg_ctx,
rampart_context_t *rampart_context,
axiom_soap_envelope_t *soap_envelope,
Modified: webservices/rampart/trunk/c/include/rampart_signature.h
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_signature.h?rev=596205&r1=596204&r2=596205&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_signature.h (original)
+++ webservices/rampart/trunk/c/include/rampart_signature.h Sun Nov 18 21:17:00
2007
@@ -37,12 +37,29 @@
#ifdef __cplusplus
extern "C" {
#endif
+ /**
+ * Build the signature confirmation element in the security header
+ * @param env pointer to environment struct
+ * @param msg_ctx message context
+ * @param rampart_context The rampart context
+ * @param sec_node The security element
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
+ */
AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_sig_confirm_signature(const axutil_env_t *env,
axis2_msg_ctx_t *msg_ctx,
rampart_context_t *rampart_context,
axiom_node_t *sec_node);
+ /**
+ * Sign a message depending on the security policies
+ * @param env pointer to environment struct
+ * @param msg_ctx message context
+ * @param rampart_context The rampart context
+ * @param soap_envelope The SOAP envelope
+ * @param sec_node The security element
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
+ */
AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_sig_sign_message(const axutil_env_t *env,
axis2_msg_ctx_t *msg_ctx,
Modified: webservices/rampart/trunk/c/include/rampart_token_builder.h
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_token_builder.h?rev=596205&r1=596204&r2=596205&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_token_builder.h (original)
+++ webservices/rampart/trunk/c/include/rampart_token_builder.h Sun Nov 18
21:17:00 2007
@@ -58,6 +58,11 @@
* certificate @cert.
* Note that this method will internally call other token building methods
specified in this header
* depending on the @pattern.
+ * @param env pointer to environment struct
+ * @param parent The parent node
+ * @param cert The X509 certificate
+ * @param pattern The build pattern
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_token_build_security_token_reference(const axutil_env_t *env,
@@ -72,6 +77,10 @@
*
<BinarySecurityToken>UYISDjsdaousdWEqswOIUsd</BinarySecurityToken>
* </Embedded>
* </SecurityTokenReference>
+ * @param env pointer to environment struct
+ * @param parent The parent node
+ * @param cert The X509 certificate
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
@@ -84,6 +93,10 @@
* <KeyIdentifier>WEqswOIUsd</KeyIdentifier>
* </SecurityTokenReference>
*
+ * @param env pointer to environment struct
+ * @param parent The parent node
+ * @param cert The X509 certificate
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
@@ -101,6 +114,10 @@
* </X509IssuerSerial>
* </x509Data>
* </SecurityTokenReference>
+ * @param env pointer to environment struct
+ * @param parent The parent node
+ * @param cert The X509 certificate
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
@@ -116,6 +133,10 @@
* </ds:X509Certificate>
* <ds:X509Data>
* </SecurityTokenReference>
+ * @param env pointer to environment struct
+ * @param parent The parent node
+ * @param cert The X509 certificate
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_token_build_x509_data_issuer_serial(const axutil_env_t *env,
Modified: webservices/rampart/trunk/c/src/handlers/rampart_in_handler.c
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/handlers/rampart_in_handler.c?rev=596205&r1=596204&r2=596205&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/handlers/rampart_in_handler.c (original)
+++ webservices/rampart/trunk/c/src/handlers/rampart_in_handler.c Sun Nov 18
21:17:00 2007
@@ -136,7 +136,7 @@
/*status = rampart_shp_process_message(env, msg_ctx, rampart_context,
soap_envelope, sec_node);*/
- status = rampart_shp_strict_process_message(env, msg_ctx, rampart_context,
+ status = rampart_shp_process_sec_header(env, msg_ctx, rampart_context,
soap_envelope, sec_node);
if(status!=AXIS2_SUCCESS)
Modified: webservices/rampart/trunk/c/src/util/Makefile.am
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/Makefile.am?rev=596205&r1=596204&r2=596205&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/Makefile.am (original)
+++ webservices/rampart/trunk/c/src/util/Makefile.am Sun Nov 18 21:17:00 2007
@@ -6,7 +6,8 @@
rampart_util.c
rampart_handler_util.c rampart_username_token.c rampart_timestamp_token.c \
rampart_encryption.c
rampart_sec_header_processor.c rampart_sec_processed_result.c \
rampart_sec_header_builder.c rampart_context.c rampart_token_processor.c
rampart_signature.c \
- rampart_token_builder.c
rampart_rd_record.c rampart_replay_detector.c rampart_engine.c
+ rampart_token_builder.c
rampart_rd_record.c rampart_replay_detector.c rampart_engine.c \
+
rampart_policy_validator.c
librampart_util_la_LIBADD = -lssl \
Added: webservices/rampart/trunk/c/src/util/rampart_policy_validator.c
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_policy_validator.c?rev=596205&view=auto
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_policy_validator.c (added)
+++ webservices/rampart/trunk/c/src/util/rampart_policy_validator.c Sun Nov 18
21:17:00 2007
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ *
+ */
+#include <stdio.h>
+#include <rampart_util.h>
+#include <axis2_util.h>
+#include <rampart_constants.h>
+#include <oxs_constants.h>
+#include <oxs_axiom.h>
+#include <oxs_utility.h>
+
+
+
+/*Private functions*/
+static axis2_status_t
+rampiart_pv_validate_signature_confirmation(const axutil_env_t *env,
+ rampart_context_t *rampart_context,
+ axis2_msg_ctx_t *msg_ctx)
+{
+ axis2_bool_t sig_conf_reqd = AXIS2_FALSE;
+
+ sig_conf_reqd = rampart_context_is_sig_confirmation_reqd(rampart_context,
env);
+
+ if(AXIS2_TRUE == sig_conf_reqd){
+ axis2_char_t* sig_conf_found = NULL;
+ sig_conf_found =
(axis2_char_t*)rampart_get_security_processed_result(env, msg_ctx,
RAMPART_SPR_SIG_CONFIRM_FOUND);
+ if(0 == axutil_strcmp(RAMPART_YES, sig_conf_found)){
+ return AXIS2_SUCCESS;
+ }else{
+ /*Error*/
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart][rpv] Signature
confirmation required.");
+ rampart_create_fault_envelope(env, RAMPART_FAULT_FAILED_CHECK,
"SignatureConfirmation is not found",
+ RAMPART_FAULT_INVALID_SECURITY, msg_ctx);
+ return AXIS2_FAILURE;
+ }
+ }else{
+ return AXIS2_SUCCESS;
+ }
+}
+
+static axis2_status_t
+rampiart_pv_validate_signature_encryption(const axutil_env_t *env,
+ rampart_context_t *rampart_context,
+ axis2_msg_ctx_t *msg_ctx)
+{
+ axis2_bool_t signature_protection = AXIS2_FALSE;
+
+ signature_protection = rampart_context_is_encrypt_signature(
+ rampart_context, env);
+ if(AXIS2_TRUE == signature_protection){
+ axis2_char_t* sig_encrypted = NULL;
+ sig_encrypted =
(axis2_char_t*)rampart_get_security_processed_result(env, msg_ctx,
RAMPART_SPR_SIG_ENCRYPTED);
+ if(0 == axutil_strcmp(RAMPART_YES, sig_encrypted)){
+ return AXIS2_SUCCESS;
+ }else{
+ /*Error*/
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart][rpv] Signature
need to be encrypted.");
+ rampart_create_fault_envelope(env, RAMPART_FAULT_FAILED_CHECK,
"Signature need to be encrypted",
+ RAMPART_FAULT_INVALID_SECURITY, msg_ctx);
+ return AXIS2_FAILURE;
+ }
+ }else{
+ return AXIS2_SUCCESS;
+ }
+}
+
+/*Public functions*/
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
+rampiart_pv_validate_sec_header(const axutil_env_t *env,
+ rampart_context_t *rampart_context,
+ axiom_node_t *sec_node,
+ axis2_msg_ctx_t *msg_ctx)
+{
+
+ /*Check if the signature needed to be encrypted*/
+ if(!rampiart_pv_validate_signature_encryption(env, rampart_context,
msg_ctx)){
+ return AXIS2_FAILURE;
+ }
+ /*Check if the Signature Confirmation is set*/
+ if(!rampiart_pv_validate_signature_confirmation(env, rampart_context,
msg_ctx)){
+ return AXIS2_FAILURE;
+ }
+
+ /*NOTE: Uusername tokens and Timestamps policies are checked, while
security header processing*/
+ /*All the policy reqmnts are met. We are good to go*/
+ return AXIS2_SUCCESS;
+}
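Review bot: rampart_policy_validator.c never includes its own header rampart_policy_validator.h, so the compiler cannot check that the definition of rampiart_pv_validate_sec_header at the bottom matches the declaration there; add it as the first include (the `#include <stdio.h>` on the first include line also appears unused). In rampiart_pv_validate_sec_header the two checks are negated with `!`, which only works because AXIS2_FAILURE is 0 in Axis2/C; the rest of this file compares explicitly, so write `if(AXIS2_SUCCESS != rampiart_pv_validate_signature_encryption(env, rampart_context, msg_ctx)){` and the same for the confirmation check. Both private validators fail closed only because `axutil_strcmp` returns non-zero when rampart_get_security_processed_result yields NULL for an unset key — that matches Axis2/C's axutil_strcmp as far as I know, but the intent reads more clearly as `if(sig_conf_found && 0 == axutil_strcmp(RAMPART_YES, sig_conf_found)){`. The `sec_node` parameter is unused, and the empty comment block above the includes should state the file's purpose, e.g. `Checks security-policy requirements that cannot be verified while processing individual tokens`.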
+
+
Modified: webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c?rev=596205&r1=596204&r2=596205&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
(original)
+++ webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c Sun Nov
18 21:17:00 2007
@@ -24,6 +24,8 @@
#include <rampart_util.h>
#include <rampart_sec_processed_result.h>
#include <rampart_handler_util.h>
+#include <rampart_token_processor.h>
+#include <rampart_policy_validator.h>
#include <oxs_ctx.h>
#include <oxs_error.h>
#include <oxs_utility.h>
@@ -35,7 +37,6 @@
#include <axutil_utils.h>
#include <axutil_array_list.h>
#include <axis2_key_type.h>
-#include <rampart_token_processor.h>
#include <oxs_sign_ctx.h>
#include <oxs_xml_signature.h>
#include <oxs_key_mgr.h>
@@ -200,6 +201,15 @@
}
}
+static axis2_status_t
+rampart_shp_process_signature_confirmation(const axutil_env_t *env,
+ axis2_msg_ctx_t *msg_ctx,
+ rampart_context_t *rampart_context,
+ axiom_node_t *cur_node)
+{
+ rampart_set_security_processed_result(env, msg_ctx,
RAMPART_SPR_SIG_CONFIRM_FOUND, RAMPART_YES);
+ return AXIS2_SUCCESS;
+}
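Review bot: rampart_shp_process_signature_confirmation records RAMPART_SPR_SIG_CONFIRM_FOUND as RAMPART_YES without inspecting `cur_node`, so the policy check this commit adds in rampart_policy_validator.c is satisfied by any SignatureConfirmation element regardless of its content. In WS-Security 1.1 the element's Value attribute must equal the signature value of the request the initiator sent (an absent Value asserts the request was unsigned), and the element is expected to be covered by the response signature; as written, an element with an arbitrary or missing Value passes the check. The function should at least read the Value attribute from `cur_node` and compare it with the retained outbound signature value (where that is stored is not visible in this commit), and record the element's wsu:Id so that signature processing can confirm it was signed — the order in which those steps run relative to this one is not visible here either. Until that is done, a comment such as `/* TODO: only presence is recorded; the Value attribute is not compared with the signature that was sent */` keeps the limitation visible to callers of RAMPART_SPR_SIG_CONFIRM_FOUND.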
static axis2_status_t
rampart_shp_process_timestamptoken(const axutil_env_t *env,
@@ -1458,7 +1468,7 @@
/*Public functions*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
-rampart_shp_strict_process_message(const axutil_env_t *env,
+rampart_shp_process_sec_header(const axutil_env_t *env,
axis2_msg_ctx_t *msg_ctx,
rampart_context_t *rampart_context,
axiom_soap_envelope_t *soap_envelope,
@@ -1498,11 +1508,11 @@
status = rampart_shp_process_derived_key(env, msg_ctx,
rampart_context, sec_node, cur_node);
}else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_ENCRYPTED_DATA)){
- /*TODO: When a security header is Encrypted*/
+ /*We do nothing. But this is possible when a security header is
Encrypted. But it would be decrypted thru a ref list*/
status = AXIS2_SUCCESS;
}else if(0 == axutil_strcmp(cur_local_name,
OXS_NODE_SIGNATURE_CONFIRMATION)){
- /*TODO*/
- status = AXIS2_SUCCESS;
+ status = rampart_shp_process_signature_confirmation(env, msg_ctx,
rampart_context, cur_node);
+
}else if(0 == axutil_strcmp(cur_local_name,
OXS_NODE_BINARY_SECURITY_TOKEN)){
/*We do nothing.*/
status = AXIS2_SUCCESS;
@@ -1526,9 +1536,17 @@
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] A replay
detected");
return AXIS2_FAILURE;
}
+
+ /*Now validate security policies, those cannot be checked on the fly*/
+ status = rampiart_pv_validate_sec_header(env, rampart_context, sec_node,
msg_ctx);
+ if(status != AXIS2_SUCCESS){
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] Security
policy validation failed");
+ return AXIS2_FAILURE;
+ }
return AXIS2_SUCCESS;
}
+#if 0
AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_shp_process_message(const axutil_env_t *env,
axis2_msg_ctx_t *msg_ctx,
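Review bot: Wrapping the old rampart_shp_process_message in `#if 0` (closed by the `#endif` in the last hunk of this file) leaves, by the hunk offsets, about 400 lines of dead code in the translation unit, while rampart_in_handler.c still keeps the commented-out call to it; since this commit already renames the declaration in rampart_sec_header_processor.h, delete the function instead and let Subversion history keep it. The new call `rampiart_pv_validate_sec_header(env, rampart_context, sec_node, msg_ctx)` passes `sec_node`, which the validator in this commit does not use; if it is meant for future checks, a short comment saying so would stop the next reader from treating it as a bug. The function the `#if 0` opens continues past the end of this hunk.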
@@ -1777,7 +1795,6 @@
if(rampart_context_check_whether_to_sign(rampart_context, env))
{
cur_node = oxs_axiom_get_first_child_node_by_name(env,
sec_node, OXS_NODE_SIGNATURE, OXS_DSIG_NS, NULL);
- /*cur_node = oxs_axiom_get_node_by_local_name(env, sec_node,
OXS_NODE_SIGNATURE);*/
if(!cur_node)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
@@ -1821,7 +1838,6 @@
else
{
cur_node = oxs_axiom_get_first_child_node_by_name(env,
sec_node, OXS_NODE_SIGNATURE, OXS_DSIG_NS, NULL);
- /*cur_node = oxs_axiom_get_node_by_local_name(env,
sec_node,OXS_NODE_SIGNATURE);*/
if(cur_node)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
@@ -1918,6 +1934,6 @@
}
}
-
+#endif