Author: werner
Date: Tue Sep 6 06:00:19 2005
New Revision: 278993
URL: http://svn.apache.org/viewcvs?rev=278993&view=rev
Log:
First iplementation of the SignatureCOnfirmation feature of WSS 1.1.
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java
webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngine.java
webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngineResult.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSAddTimestamp.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/Timestamp.java
webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java
URL:
http://svn.apache.org/viewcvs/webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java?rev=278993&r1=278992&r2=278993&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java
(original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java Tue Sep
6 06:00:19 2005
@@ -84,6 +84,7 @@
public static final String NONCE_LN = "Nonce";
public static final String CREATED_LN = "Created";
public static final String EXPIRES_LN = "Expires";
+ public static final String SIGNATURE_CONFIRMATION_LN =
"SignatureConfirmation";
/*
* The definitions for SAML
@@ -325,6 +326,7 @@
public static final int TS = 0x20; // insert Timestamp
public static final int UT_SIGN = 0x40; // perform sinagture with UT
secrect key
+ public static final int SC = 0x80; // this is a SignatureConfirmation
public static final int NO_SERIALIZE = 0x100;
public static final int SERIALIZE = 0x200;
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngine.java
URL:
http://svn.apache.org/viewcvs/webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngine.java?rev=278993&r1=278992&r2=278993&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngine.java
(original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngine.java
Tue Sep 6 06:00:19 2005
@@ -28,6 +28,7 @@
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.message.token.X509Security;
+import org.apache.ws.security.message.token.SignatureConfirmation;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.ws.security.util.XmlSchemaDateFormat;
import org.apache.xml.security.encryption.XMLCipher;
@@ -109,6 +110,10 @@
*/
protected static final QName timeStamp = new QName(WSConstants.WSU_NS,
WSConstants.TIMESTAMP_TOKEN_LN);
/**
+ * <code>wsse11:signatureConfirmation</code> as defined by OASIS WS
Security specification,
+ */
+ protected static final QName signatureConfirmation = new
QName(WSConstants.WSSE11_NS, WSConstants.SIGNATURE_CONFIRMATION_LN);
+ /**
* <code>ds:Signature</code> as defined by XML Signature specification,
* enhanced by WS Security specification
*/
@@ -297,7 +302,7 @@
WSDocInfoStore.store(wsDocInfo);
X509Certificate[] returnCert = new X509Certificate[1];
Vector returnQname[] = new Vector[1];
- byte signatureValue[] = null;
+ byte[][] signatureValue = new byte[1][];
try {
lastPrincipalFound =
verifyXMLSignature((Element) elem,
sigCrypto, returnCert,
returnQname, signatureValue);
@@ -309,12 +314,12 @@
if (lastPrincipalFound instanceof WSUsernameTokenPrincipal) {
returnResults.add(0, new
WSSecurityEngineResult(
WSConstants.UT_SIGN,
lastPrincipalFound, null,
- returnQname[0],
signatureValue));
+ returnQname[0],
signatureValue[0]));
} else {
returnResults.add(0, new
WSSecurityEngineResult(
WSConstants.SIGN,
lastPrincipalFound,
- returnCert[0],
returnQname[0], signatureValue));
+ returnCert[0],
returnQname[0], signatureValue[0]));
}
} else if (el.equals(ENCRYPTED_KEY)) {
if (doDebug) {
@@ -367,6 +372,17 @@
returnResults.add(0,
new WSSecurityEngineResult(WSConstants.TS,
timestamp));
+ } else if (el.equals(signatureConfirmation)) {
+ if (doDebug) {
+ log.debug("Found SignatureConfirmation list element");
+ }
+ /*
+ * Decode SignatureConfirmation, just store in result
+ */
+ SignatureConfirmation sigConf = new SignatureConfirmation(
+ (Element) elem);
+ returnResults.add(0, new WSSecurityEngineResult(WSConstants.SC,
+ sigConf));
} else {
/*
* Add check for a BinarySecurityToken, add info to WSDocInfo.
If BST is
@@ -429,7 +445,7 @@
Crypto crypto,
X509Certificate[] returnCert,
Vector[] returnQname,
- byte[] signatureValue)
+ byte[][] signatureValue)
throws WSSecurityException {
if (doDebug) {
log.debug("Verify XML Signature");
@@ -556,7 +572,7 @@
+ ", prepare-cert= " +
(t1 - t0) + ", verify= "
+ (t2 - t1));
}
- signatureValue = sig.getSignatureValue();
+ signatureValue[0] = sig.getSignatureValue();
/*
* Now dig into the Signature element to get
the elements that
* this Signature covers. Build the QName of
these Elements and
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngineResult.java
URL:
http://svn.apache.org/viewcvs/webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngineResult.java?rev=278993&r1=278992&r2=278993&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngineResult.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngineResult.java
Tue Sep 6 06:00:19 2005
@@ -18,6 +18,7 @@
package org.apache.ws.security;
import org.apache.ws.security.message.token.Timestamp;
+import org.apache.ws.security.message.token.SignatureConfirmation;
import org.opensaml.SAMLAssertion;
import java.security.Principal;
@@ -25,7 +26,7 @@
import java.util.Vector;
/**
- * @author Werner Dittmann ([EMAIL PROTECTED])
+ * @author Werner Dittmann ([EMAIL PROTECTED])
*/
public class WSSecurityEngineResult {
@@ -36,6 +37,7 @@
private Timestamp timestamp;
private Vector signedElementQnames;
private byte[] signatureValue = null;
+ private SignatureConfirmation sigConf = null;
WSSecurityEngineResult(int act, SAMLAssertion ass) {
principal = null;
@@ -53,12 +55,15 @@
signatureValue = sv;
}
- WSSecurityEngineResult(int act,
- Timestamp tstamp) {
+ WSSecurityEngineResult(int act, Timestamp tstamp) {
action = act;
timestamp = tstamp;
}
+ WSSecurityEngineResult(int act, SignatureConfirmation sc) {
+ action = act;
+ sigConf = sc;
+ }
/**
* @return the actions vector. These actions were performed by the the
* security engine.
@@ -109,6 +114,20 @@
*/
public byte[] getSignatureValue() {
return signatureValue;
+ }
+
+ /**
+ * @return Returns the sigConf.
+ */
+ public SignatureConfirmation getSigConf() {
+ return sigConf;
+ }
+
+ /**
+ * @param signatureValue The signatureValue to set.
+ */
+ public void setSignatureValue(byte[] signatureValue) {
+ this.signatureValue = signatureValue;
}
}
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
URL:
http://svn.apache.org/viewcvs/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java?rev=278993&r1=278992&r2=278993&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
(original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
Tue Sep 6 06:00:19 2005
@@ -16,6 +16,7 @@
*/
package org.apache.ws.security.handler;
+import org.apache.axis.AxisFault;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
@@ -32,6 +33,7 @@
import org.apache.ws.security.message.WSSAddSAMLToken;
import org.apache.ws.security.message.WSSAddUsernameToken;
import org.apache.ws.security.message.WSSignEnvelope;
+import org.apache.ws.security.message.WSAddSignatureConfirmation;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.saml.SAMLIssuer;
import org.apache.ws.security.saml.SAMLIssuerFactory;
@@ -51,6 +53,8 @@
import java.util.Calendar;
import java.util.Hashtable;
import java.util.Vector;
+import java.util.Arrays;
+
/**
* Extracted from WSDoAllReceiver and WSDoAllSender
@@ -195,7 +199,8 @@
setProperty(reqData.getMsgContext(),
WSHandlerConstants.SEND_SIGV, sigv);
}
- sigv.add(reqData.getSignatureValues());
+// sigv.add(reqData.getSignatureValues());
+ sigv.addAll(reqData.getSignatureValues());
}
} else {
/*
@@ -229,6 +234,30 @@
}
}
+ protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
+ int resultActions = wsResult.size();
+ int size = actions.size();
+
+ // if (size != resultActions) {
+ // throw new AxisFault(
+ // "WSDoAllReceiver: security processing failed (actions number
+ // mismatch)");
+ // }
+
+ int ai = 0;
+ for (int i = 0; i < resultActions; i++) {
+ int act = ((WSSecurityEngineResult) wsResult.get(i)).getAction();
+ if (act == WSConstants.SC) {
+ continue;
+ }
+ if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act)
{
+ return false;
+ }
+ }
+ return true;
+ }
+
+
protected void performSIGNAction(int actionToDo, boolean mu, Document doc,
RequestData reqData)
throws WSSecurityException {
String password;
@@ -464,16 +493,102 @@
if (doDebug) {
log.debug("Perform Signature confirmation");
}
+ /*
+ * loop over all results gathered by all handlers in the chain. For
+ * each handler result get the various actions. After that loop we
+ * have all signature results in the signatureActions vector
+ */
+ Vector signatureActions = new Vector();
+ for (int i = 0; i < results.size(); i++) {
+ WSHandlerResult wshResult = (WSHandlerResult) results.get(i);
+
+ WSSecurityUtil.fetchAllActionResults(wshResult.getResults(),
+ WSConstants.SIGN, signatureActions);
+ WSSecurityUtil.fetchAllActionResults(wshResult.getResults(),
+ WSConstants.ST_SIGNED, signatureActions);
+ WSSecurityUtil.fetchAllActionResults(wshResult.getResults(),
+ WSConstants.UT_SIGN, signatureActions);
+ }
+ // prepage a SignatureConfirmation token
+ WSAddSignatureConfirmation wsc = new
WSAddSignatureConfirmation(reqData.getActor(), mu);
+ int idHash = wsc.hashCode();
+ if (signatureActions.size() > 0) {
+ if (doDebug) {
+ log.debug("Signature Confirmation: number of Signature
results: " + signatureActions.size());
+ }
+ for (int i = 0; i < signatureActions.size(); i++) {
+ WSSecurityEngineResult wsr =
(WSSecurityEngineResult)signatureActions.get(i);
+ byte[] sigVal = wsr.getSignatureValue();
+ if (sigVal != null) {
+ wsc.setId("sigcon-" + (idHash + i));
+ wsc.build(doc, sigVal);
+ }
+ wsr.setSignatureValue(null);
+ }
+ }
+ else {
+ wsc.setId("sigcon-" + idHash);
+ wsc.build(doc, null);
+ }
}
- protected boolean checkSignatureConfirmation(RequestData reqData, Vector
wsResult) {
+ protected void checkSignatureConfirmation(RequestData reqData,
+ Vector wsResult) throws WSSecurityException{
if (doDebug) {
log.debug("Check Signature confirmation");
}
+
+ /*
+ * First get all Signature value stored during sending the request
+ */
+ Vector sigv = (Vector) getProperty(reqData.getMsgContext(),
+ WSHandlerConstants.SEND_SIGV);
+ /*
+ * Now get all results that hold a SignatureConfirmation element from
+ * the current run of receiver (we can have mor than on run: if we
+ * have several security header blocks with different actors/roles)
+ */
+ Vector sigConf = new Vector();
+ WSSecurityUtil.fetchAllActionResults(wsResult, WSConstants.SC,
sigConf);
+ /*
+ * now loop over all SignatureConfirmation results and check:
+ * - if there is a signature value and no Signature value generated in
request: error
+ * - if there is a signature value and no machting Signature value
found: error
+ *
+ * If a matching value found: remove from vector of stored signature
values
+ */
+ for (int i = 0; i < sigConf.size(); i++) {
+ byte[] sigVal =
((WSSecurityEngineResult)sigConf.get(i)).getSigConf().getSignatureValue();
+ if (sigVal != null) {
+ if (sigv == null || sigv.size() == 0) {
+ throw new WSSecurityException("WSHandler: Check Signature
confirmation: got a SC element, but no stored SV");
+ }
+ boolean found = false;
+ for (int ii = 0; ii < sigv.size(); ii++) {
+ byte[] storedValue = (byte[])sigv.get(i);
+ if (Arrays.equals(sigVal, storedValue)) {
+ log.debug("Check Signature confirmation: match ");
+ found = true;
+ sigv.remove(ii);
+ break;
+ }
+ }
+ if (!found) {
+ throw new WSSecurityException("WSHandler: Check Signature
confirmation: got SC element, but no matching SV");
+ }
+ }
+ }
+
+ /*
+ * This indicates this is the last handler: the vector holding the
+ * stored Signature values must be empty, otherwise we have an error
+ */
if (!reqData.isNoSerialization()) {
log.debug("Check Signature confirmation - last handler");
+ if (sigv != null && !sigv.isEmpty()) {
+ throw new WSSecurityException("WSHandler: Check Signature
confirmation: stored SV vector not empty");
+ }
}
- return true;
}
/**
* Hook to allow subclasses to load their Signature Crypto however they see
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java
URL:
http://svn.apache.org/viewcvs/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java?rev=278993&r1=278992&r2=278993&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java
Tue Sep 6 06:00:19 2005
@@ -490,16 +490,8 @@
/*
* now check the security actions: do they match, in right order?
*/
- int resultActions = wsResult.size();
- int size = actions.size();
- if (size != resultActions) {
- throw new JAXRPCException("WSS4JHandler: security processing
failed (actions number mismatch)");
- }
- for (int i = 0; i < size; i++) {
- if (((Integer) actions.get(i)).intValue()
- != ((WSSecurityEngineResult) wsResult.get(i)).getAction())
{
- throw new JAXRPCException("WSS4JHandler: security processing
failed (actions mismatch)");
- }
+ if (!checkReceiverResults(wsResult, actions)) {
+ throw new JAXRPCException("WSS4JHandler: security processing
failed (actions mismatch)");
}
/*
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSAddTimestamp.java
URL:
http://svn.apache.org/viewcvs/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSAddTimestamp.java?rev=278993&r1=278992&r2=278993&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSAddTimestamp.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSAddTimestamp.java
Tue Sep 6 06:00:19 2005
@@ -1,5 +1,5 @@
/*
- * Copyright 2003-2004 The Apache Software Foundation.
+ * Copyright 2003-2005 The Apache Software Foundation.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -25,9 +25,9 @@
import org.w3c.dom.Element;
/**
- * Builds a WS Timestamp and inserts it into the SOAP Envelope.
- * Refer to the WS specification 1.0. chapter 10 / appendix A.2
- *
+ * Builds a WS Timestamp and inserts it into the SOAP Envelope. Refer to the WS
+ * specification 1.0. chapter 10 / appendix A.2
+ *
* @author Christof Soehngen ([EMAIL PROTECTED]).
*/
@@ -35,7 +35,9 @@
private static Log log = LogFactory.getLog(WSAddTimestamp.class.getName());
private Timestamp ts = null;
+
private String id = null;
+
/**
* Constructor.
*/
@@ -43,21 +45,24 @@
}
/**
- * Constructor.
- * <p/>
- *
- * @param actor the name of the actor of the <code>wsse:Security</code>
header
+ * Constructor. <p/>
+ *
+ * @param actor
+ * the name of the actor of the <code>wsse:Security</code>
+ * header
*/
public WSAddTimestamp(String actor) {
super(actor);
}
/**
- * Constructor.
- * <p/>
- *
- * @param actor The name of the actor of the <code>wsse:Security</code>
header
- * @param mu Set <code>mustUnderstand</code> to true or false
+ * Constructor. <p/>
+ *
+ * @param actor
+ * The name of the actor of the <code>wsse:Security</code>
+ * header
+ * @param mu
+ * Set <code>mustUnderstand</code> to true or false
*/
public WSAddTimestamp(String actor, boolean mu) {
super(actor, mu);
@@ -65,12 +70,17 @@
/**
* Adds a new <code>Timestamp</code> to a soap envelope.
- * <p/>
- * A complete <code>Timestamp</code> is constructed and added to
- * the <code>wsse:Security</code> header.
- *
- * @param doc The SOAP enevlope as W3C document
- * @param ttl This is the time difference in seconds between the
<code>Created</code> and the <code>Expires</code> in <code>Timestamp</code>,
set to zero if <code>Expires</code> should not be added.
+ *
+ * A complete <code>Timestamp</code> is constructed and added to the
+ * <code>wsse:Security</code> header.
+ *
+ * @param doc
+ * The SOAP enevlope as W3C document
+ * @param ttl
+ * This is the time difference in seconds between the
+ * <code>Created</code> and the <code>Expires</code> in
+ * <code>Timestamp</code>, set to zero if <code>Expires</code>
+ * should not be added.
* @return Document with Timestamp added
* @throws Exception
*/
@@ -78,15 +88,17 @@
log.debug("Begin add timestamp...");
Element securityHeader = insertSecurityHeader(doc);
ts = new Timestamp(wssConfig.isPrecisionInMilliSeconds(), doc, ttl);
- if(id != null) {
- ts.setID(id);
+ if (id != null) {
+ ts.setID(id);
}
- WSSecurityUtil.prependChildElement(doc, securityHeader,
ts.getElement(), true);
+ WSSecurityUtil.prependChildElement(doc, securityHeader,
+ ts.getElement(), true);
return doc;
}
/**
* Set the wsu:Id value of the Timestamp
+ *
* @param id
*/
public void setId(String id) {
@@ -94,9 +106,10 @@
if (ts != null)
ts.setID(id);
}
-
+
/**
* Get the wsu:Id value of the Timestamp
+ *
* @return
*/
public String getId() {
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
URL:
http://svn.apache.org/viewcvs/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java?rev=278993&r1=278992&r2=278993&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
Tue Sep 6 06:00:19 2005
@@ -125,7 +125,8 @@
/**
* Gets the signing token element, which maybe a <code>BinarySecurityToken
- * </code> or a SAML token .
+ * </code> or a SAML token.
+ *
* The method gets the URI attribute of the [EMAIL PROTECTED] Reference}
contained in
* the [EMAIL PROTECTED] SecurityTokenReference} and tries to find the
referenced
* Element in the document.
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/Timestamp.java
URL:
http://svn.apache.org/viewcvs/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/Timestamp.java?rev=278993&r1=278992&r2=278993&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/Timestamp.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/Timestamp.java
Tue Sep 6 06:00:19 2005
@@ -61,6 +61,8 @@
*/
public Timestamp(Element element) throws WSSecurityException {
+ this.element = element;
+
customElements = new Vector();
String strCreated = "";
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java
URL:
http://svn.apache.org/viewcvs/webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java?rev=278993&r1=278992&r2=278993&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java
(original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java
Tue Sep 6 06:00:19 2005
@@ -729,6 +729,31 @@
return wsResult;
}
+ /**
+ * Fetch the result of a given action from a given result vector <p/>
+ *
+ * @param wsResultVector
+ * The result vector to fetch an action from
+ * @param action
+ * The action to fetch
+ * @param results where to store the found results data for the action
+ * @return The result fetched from the result vector, null if the result
+ * could not be found
+ */
+ public static Vector fetchAllActionResults(Vector wsResultVector,
+ int action, Vector results) {
+
+ // Find the parts of the security result that matches the given action
+ for (int i = 0; i < wsResultVector.size(); i++) {
+ // Check the result of every action whether it matches the given
+ // action
+ if (((WSSecurityEngineResult) wsResultVector.get(i)).getAction()
== action) {
+ results.add(wsResultVector.get(i));
+ }
+ }
+ return results;
+ }
+
static public int decodeAction(String action, Vector actions)
throws WSSecurityException {
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
