Java Code Examples for org.apache.cxf.ws.security.tokenstore.SecurityToken#getId()

The following examples show how to use org.apache.cxf.ws.security.tokenstore.SecurityToken#getId() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: StaxSymmetricBindingHandler.java    From cxf with Apache License 2.0 6 votes vote down vote up
private String setupEncryptedKey() throws WSSecurityException, TokenStoreException {

        Instant created = Instant.now();
        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
        SecurityToken tempTok =
            new SecurityToken(IDGenerator.generateID(null), created, expires);

        KeyGenerator keyGenerator =
            KeyUtils.getKeyGenerator(sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption());
        SecretKey symmetricKey = keyGenerator.generateKey();
        tempTok.setKey(symmetricKey);
        tempTok.setSecret(symmetricKey.getEncoded());

        TokenStoreUtils.getTokenStore(message).add(tempTok);

        return tempTok.getId();
    }
 
Example 2
Source File: AbstractBindingBuilder.java    From steady with Apache License 2.0 4 votes vote down vote up
private void doSymmSignatureDerived(Token policyToken, SecurityToken tok,
                             List<WSEncryptionPart> sigParts, boolean isTokenProtection)
    throws WSSecurityException, ConversationException {
    
    Document doc = saaj.getSOAPPart();
    WSSecDKSign dkSign = new WSSecDKSign(wssConfig);  
    
    //Check whether it is security policy 1.2 and use the secure conversation accordingly
    if (SP12Constants.INSTANCE == policyToken.getSPConstants()) {
        dkSign.setWscVersion(ConversationConstants.VERSION_05_12);
    }
                  
    //Check for whether the token is attached in the message or not
    boolean attached = false;
    if (includeToken(policyToken.getInclusion())) {
        attached = true;
    }
    
    // Setting the AttachedReference or the UnattachedReference according to the flag
    Element ref;
    if (attached) {
        ref = tok.getAttachedReference();
    } else {
        ref = tok.getUnattachedReference();
    }
    
    if (ref != null) {
        ref = cloneElement(ref);
        dkSign.setExternalKey(tok.getSecret(), ref);
    } else if (!isRequestor() && policyToken.isDerivedKeys()) { 
        // If the Encrypted key used to create the derived key is not
        // attached use key identifier as defined in WSS1.1 section
        // 7.7 Encrypted Key reference
        SecurityTokenReference tokenRef 
            = new SecurityTokenReference(doc);
        if (tok.getSHA1() != null) {
            tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
            tokenRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
        }
        dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
    
    } else {
        dkSign.setExternalKey(tok.getSecret(), tok.getId());
    }

    //Set the algo info
    dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    dkSign.setDerivedKeyLength(binding.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8);
    if (tok.getSHA1() != null) {
        //Set the value type of the reference
        dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
            + WSConstants.ENC_KEY_VALUE_TYPE);
    } else if (policyToken instanceof UsernameToken) {
        dkSign.setCustomValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
    } 
    
    dkSign.prepare(doc, secHeader);
    
    if (isTokenProtection) {
        //Hack to handle reference id issues
        //TODO Need a better fix
        String sigTokId = tok.getId();
        if (sigTokId.startsWith("#")) {
            sigTokId = sigTokId.substring(1);
        }
        sigParts.add(new WSEncryptionPart(sigTokId));
    }
    
    dkSign.setParts(sigParts);
    
    List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, secHeader);
    
    //Add elements to header
    addSupportingElement(dkSign.getdktElement());
    
    //Do signature
    dkSign.computeSignature(referenceList, false, null);
    
    signatures.add(dkSign.getSignatureValue());
}
 
Example 3
Source File: AbstractBindingBuilder.java    From steady with Apache License 2.0 4 votes vote down vote up
private void doSymmSignature(Token policyToken, SecurityToken tok,
                                     List<WSEncryptionPart> sigParts, boolean isTokenProtection)
    throws WSSecurityException, ConversationException {
    
    Document doc = saaj.getSOAPPart();
    WSSecSignature sig = new WSSecSignature(wssConfig);
    // If a EncryptedKeyToken is used, set the correct value type to
    // be used in the wsse:Reference in ds:KeyInfo
    if (policyToken instanceof X509Token) {
        if (isRequestor()) {
            // TODO Add support for SAML2 here
            sig.setCustomTokenValueType(
                WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.ENC_KEY_VALUE_TYPE
            );
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
        } else {
            //the tok has to be an EncryptedKey token
            sig.setEncrKeySha1value(tok.getSHA1());
            sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
        }
        
    } else {
        String tokenType = tok.getTokenType();
        if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
            || WSConstants.SAML_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
        } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
            || WSConstants.SAML2_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
        } else if (tokenType != null) {
            sig.setCustomTokenValueType(tokenType);
        } else if (policyToken instanceof UsernameToken) {
            sig.setCustomTokenValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
        } else {
            sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
        }
        sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
    }
    
    String sigTokId = tok.getWsuId();
    if (sigTokId == null) {
        sigTokId = tok.getId();
    }
                   
    //Hack to handle reference id issues
    //TODO Need a better fix
    if (sigTokId.startsWith("#")) {
        sigTokId = sigTokId.substring(1);
    }
    
    sig.setCustomTokenId(sigTokId);
    sig.setSecretKey(tok.getSecret());
    sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
    sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    sig.prepare(doc, getSignatureCrypto(null), secHeader);

    sig.setParts(sigParts);
    List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);

    //Do signature
    sig.computeSignature(referenceList, false, null);
    signatures.add(sig.getSignatureValue());
}
 
Example 4
Source File: AbstractBindingBuilder.java    From steady with Apache License 2.0 4 votes vote down vote up
private void doSymmSignatureDerived(Token policyToken, SecurityToken tok,
                             List<WSEncryptionPart> sigParts, boolean isTokenProtection)
    throws WSSecurityException, ConversationException {
    
    Document doc = saaj.getSOAPPart();
    WSSecDKSign dkSign = new WSSecDKSign(wssConfig);  
    
    //Check whether it is security policy 1.2 and use the secure conversation accordingly
    if (SP12Constants.INSTANCE == policyToken.getSPConstants()) {
        dkSign.setWscVersion(ConversationConstants.VERSION_05_12);
    }
                  
    //Check for whether the token is attached in the message or not
    boolean attached = false;
    if (includeToken(policyToken.getInclusion())) {
        attached = true;
    }
    
    // Setting the AttachedReference or the UnattachedReference according to the flag
    Element ref;
    if (attached) {
        ref = tok.getAttachedReference();
    } else {
        ref = tok.getUnattachedReference();
    }
    
    if (ref != null) {
        ref = cloneElement(ref);
        dkSign.setExternalKey(tok.getSecret(), ref);
    } else if (!isRequestor() && policyToken.isDerivedKeys()) { 
        // If the Encrypted key used to create the derived key is not
        // attached use key identifier as defined in WSS1.1 section
        // 7.7 Encrypted Key reference
        SecurityTokenReference tokenRef 
            = new SecurityTokenReference(doc);
        if (tok.getSHA1() != null) {
            tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
            tokenRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
        }
        dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
    
    } else {
        dkSign.setExternalKey(tok.getSecret(), tok.getId());
    }

    //Set the algo info
    dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    dkSign.setDerivedKeyLength(binding.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8);
    if (tok.getSHA1() != null) {
        //Set the value type of the reference
        dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
            + WSConstants.ENC_KEY_VALUE_TYPE);
    } else if (policyToken instanceof UsernameToken) {
        dkSign.setCustomValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
    } 
    
    dkSign.prepare(doc, secHeader);
    
    if (isTokenProtection) {
        //Hack to handle reference id issues
        //TODO Need a better fix
        String sigTokId = tok.getId();
        if (sigTokId.startsWith("#")) {
            sigTokId = sigTokId.substring(1);
        }
        sigParts.add(new WSEncryptionPart(sigTokId));
    }
    
    dkSign.setParts(sigParts);
    
    List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, secHeader);
    
    //Add elements to header
    addSupportingElement(dkSign.getdktElement());
    
    //Do signature
    dkSign.computeSignature(referenceList, false, null);
    
    signatures.add(dkSign.getSignatureValue());
}
 
Example 5
Source File: AbstractBindingBuilder.java    From steady with Apache License 2.0 4 votes vote down vote up
private void doSymmSignature(Token policyToken, SecurityToken tok,
                                     List<WSEncryptionPart> sigParts, boolean isTokenProtection)
    throws WSSecurityException, ConversationException {
    
    Document doc = saaj.getSOAPPart();
    WSSecSignature sig = new WSSecSignature(wssConfig);
    // If a EncryptedKeyToken is used, set the correct value type to
    // be used in the wsse:Reference in ds:KeyInfo
    if (policyToken instanceof X509Token) {
        if (isRequestor()) {
            // TODO Add support for SAML2 here
            sig.setCustomTokenValueType(
                WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.ENC_KEY_VALUE_TYPE
            );
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
        } else {
            //the tok has to be an EncryptedKey token
            sig.setEncrKeySha1value(tok.getSHA1());
            sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
        }
        
    } else {
        String tokenType = tok.getTokenType();
        if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
            || WSConstants.SAML_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
        } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
            || WSConstants.SAML2_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
        } else if (tokenType != null) {
            sig.setCustomTokenValueType(tokenType);
        } else if (policyToken instanceof UsernameToken) {
            sig.setCustomTokenValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
        } else {
            sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
        }
        sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
    }
    
    String sigTokId = tok.getWsuId();
    if (sigTokId == null) {
        sigTokId = tok.getId();
    }
                   
    //Hack to handle reference id issues
    //TODO Need a better fix
    if (sigTokId.startsWith("#")) {
        sigTokId = sigTokId.substring(1);
    }
    
    sig.setCustomTokenId(sigTokId);
    sig.setSecretKey(tok.getSecret());
    sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
    sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    sig.prepare(doc, getSignatureCrypto(null), secHeader);

    sig.setParts(sigParts);
    List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);

    //Do signature
    sig.computeSignature(referenceList, false, null);
    signatures.add(sig.getSignatureValue());
}
 
Example 6
Source File: AbstractBindingBuilder.java    From steady with Apache License 2.0 4 votes vote down vote up
private void doSymmSignatureDerived(Token policyToken, SecurityToken tok,
                             List<WSEncryptionPart> sigParts, boolean isTokenProtection)
    throws WSSecurityException, ConversationException {
    
    Document doc = saaj.getSOAPPart();
    WSSecDKSign dkSign = new WSSecDKSign(wssConfig);  
    
    //Check whether it is security policy 1.2 and use the secure conversation accordingly
    if (SP12Constants.INSTANCE == policyToken.getSPConstants()) {
        dkSign.setWscVersion(ConversationConstants.VERSION_05_12);
    }
                  
    //Check for whether the token is attached in the message or not
    boolean attached = false;
    if (includeToken(policyToken.getInclusion())) {
        attached = true;
    }
    
    // Setting the AttachedReference or the UnattachedReference according to the flag
    Element ref;
    if (attached) {
        ref = tok.getAttachedReference();
    } else {
        ref = tok.getUnattachedReference();
    }
    
    if (ref != null) {
        ref = cloneElement(ref);
        dkSign.setExternalKey(tok.getSecret(), ref);
    } else if (!isRequestor() && policyToken.isDerivedKeys()) { 
        // If the Encrypted key used to create the derived key is not
        // attached use key identifier as defined in WSS1.1 section
        // 7.7 Encrypted Key reference
        SecurityTokenReference tokenRef 
            = new SecurityTokenReference(doc);
        if (tok.getSHA1() != null) {
            tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
            tokenRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
        }
        dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
    
    } else {
        dkSign.setExternalKey(tok.getSecret(), tok.getId());
    }

    //Set the algo info
    dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    dkSign.setDerivedKeyLength(binding.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8);
    if (tok.getSHA1() != null) {
        //Set the value type of the reference
        dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
            + WSConstants.ENC_KEY_VALUE_TYPE);
    } else if (policyToken instanceof UsernameToken) {
        dkSign.setCustomValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
    } 
    
    dkSign.prepare(doc, secHeader);
    
    if (isTokenProtection) {
        //Hack to handle reference id issues
        //TODO Need a better fix
        String sigTokId = tok.getId();
        if (sigTokId.startsWith("#")) {
            sigTokId = sigTokId.substring(1);
        }
        sigParts.add(new WSEncryptionPart(sigTokId));
    }
    
    dkSign.setParts(sigParts);
    
    List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, secHeader);
    
    //Add elements to header
    addSupportingElement(dkSign.getdktElement());
    
    //Do signature
    dkSign.computeSignature(referenceList, false, null);
    
    signatures.add(dkSign.getSignatureValue());
}
 
Example 7
Source File: AbstractBindingBuilder.java    From steady with Apache License 2.0 4 votes vote down vote up
private void doSymmSignature(Token policyToken, SecurityToken tok,
                                     List<WSEncryptionPart> sigParts, boolean isTokenProtection)
    throws WSSecurityException, ConversationException {
    
    Document doc = saaj.getSOAPPart();
    WSSecSignature sig = new WSSecSignature(wssConfig);
    // If a EncryptedKeyToken is used, set the correct value type to
    // be used in the wsse:Reference in ds:KeyInfo
    if (policyToken instanceof X509Token) {
        if (isRequestor()) {
            // TODO Add support for SAML2 here
            sig.setCustomTokenValueType(
                WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.ENC_KEY_VALUE_TYPE
            );
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
        } else {
            //the tok has to be an EncryptedKey token
            sig.setEncrKeySha1value(tok.getSHA1());
            sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
        }
        
    } else {
        String tokenType = tok.getTokenType();
        if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
            || WSConstants.SAML_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
        } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
            || WSConstants.SAML2_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
        } else if (tokenType != null) {
            sig.setCustomTokenValueType(tokenType);
        } else if (policyToken instanceof UsernameToken) {
            sig.setCustomTokenValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
        } else {
            sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
        }
        sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
    }
    
    String sigTokId = tok.getWsuId();
    if (sigTokId == null) {
        sigTokId = tok.getId();
    }
                   
    //Hack to handle reference id issues
    //TODO Need a better fix
    if (sigTokId.startsWith("#")) {
        sigTokId = sigTokId.substring(1);
    }
    
    sig.setCustomTokenId(sigTokId);
    sig.setSecretKey(tok.getSecret());
    sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
    sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    sig.prepare(doc, getSignatureCrypto(null), secHeader);

    sig.setParts(sigParts);
    List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);

    //Do signature
    sig.computeSignature(referenceList, false, null);
    signatures.add(sig.getSignatureValue());
}
 
Example 8
Source File: AbstractBindingBuilder.java    From steady with Apache License 2.0 4 votes vote down vote up
private void doSymmSignatureDerived(Token policyToken, SecurityToken tok,
                             List<WSEncryptionPart> sigParts, boolean isTokenProtection)
    throws WSSecurityException, ConversationException {
    
    Document doc = saaj.getSOAPPart();
    WSSecDKSign dkSign = new WSSecDKSign(wssConfig);  
    
    //Check whether it is security policy 1.2 and use the secure conversation accordingly
    if (SP12Constants.INSTANCE == policyToken.getSPConstants()) {
        dkSign.setWscVersion(ConversationConstants.VERSION_05_12);
    }
                  
    //Check for whether the token is attached in the message or not
    boolean attached = false;
    if (includeToken(policyToken.getInclusion())) {
        attached = true;
    }
    
    // Setting the AttachedReference or the UnattachedReference according to the flag
    Element ref;
    if (attached) {
        ref = tok.getAttachedReference();
    } else {
        ref = tok.getUnattachedReference();
    }
    
    if (ref != null) {
        ref = cloneElement(ref);
        dkSign.setExternalKey(tok.getSecret(), ref);
    } else if (!isRequestor() && policyToken.isDerivedKeys()) { 
        // If the Encrypted key used to create the derived key is not
        // attached use key identifier as defined in WSS1.1 section
        // 7.7 Encrypted Key reference
        SecurityTokenReference tokenRef 
            = new SecurityTokenReference(doc);
        if (tok.getSHA1() != null) {
            tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
            tokenRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
        }
        dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
    
    } else {
        dkSign.setExternalKey(tok.getSecret(), tok.getId());
    }

    //Set the algo info
    dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    dkSign.setDerivedKeyLength(binding.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8);
    if (tok.getSHA1() != null) {
        //Set the value type of the reference
        dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
            + WSConstants.ENC_KEY_VALUE_TYPE);
    } else if (policyToken instanceof UsernameToken) {
        dkSign.setCustomValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
    } 
    
    dkSign.prepare(doc, secHeader);
    
    if (isTokenProtection) {
        //Hack to handle reference id issues
        //TODO Need a better fix
        String sigTokId = tok.getId();
        if (sigTokId.startsWith("#")) {
            sigTokId = sigTokId.substring(1);
        }
        sigParts.add(new WSEncryptionPart(sigTokId));
    }
    
    dkSign.setParts(sigParts);
    
    List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, secHeader);
    
    //Add elements to header
    addSupportingElement(dkSign.getdktElement());
    
    //Do signature
    dkSign.computeSignature(referenceList, false, null);
    
    signatures.add(dkSign.getSignatureValue());
}
 
Example 9
Source File: AbstractBindingBuilder.java    From steady with Apache License 2.0 4 votes vote down vote up
private void doSymmSignature(Token policyToken, SecurityToken tok,
                                     List<WSEncryptionPart> sigParts, boolean isTokenProtection)
    throws WSSecurityException, ConversationException {
    
    Document doc = saaj.getSOAPPart();
    WSSecSignature sig = new WSSecSignature(wssConfig);
    // If a EncryptedKeyToken is used, set the correct value type to
    // be used in the wsse:Reference in ds:KeyInfo
    if (policyToken instanceof X509Token) {
        if (isRequestor()) {
            // TODO Add support for SAML2 here
            sig.setCustomTokenValueType(
                WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.ENC_KEY_VALUE_TYPE
            );
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
        } else {
            //the tok has to be an EncryptedKey token
            sig.setEncrKeySha1value(tok.getSHA1());
            sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
        }
        
    } else {
        String tokenType = tok.getTokenType();
        if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
            || WSConstants.SAML_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
        } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
            || WSConstants.SAML2_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
        } else if (tokenType != null) {
            sig.setCustomTokenValueType(tokenType);
        } else if (policyToken instanceof UsernameToken) {
            sig.setCustomTokenValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
        } else {
            sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
        }
        sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
    }
    
    String sigTokId = tok.getWsuId();
    if (sigTokId == null) {
        sigTokId = tok.getId();
    }
                   
    //Hack to handle reference id issues
    //TODO Need a better fix
    if (sigTokId.startsWith("#")) {
        sigTokId = sigTokId.substring(1);
    }
    
    sig.setCustomTokenId(sigTokId);
    sig.setSecretKey(tok.getSecret());
    sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
    sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
    sig.prepare(doc, getSignatureCrypto(null), secHeader);

    sig.setParts(sigParts);
    List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);

    //Do signature
    sig.computeSignature(referenceList, false, null);
    signatures.add(sig.getSignatureValue());
}
 
Example 10
Source File: WSS4JUtils.java    From cxf with Apache License 2.0 4 votes vote down vote up
public static String parseAndStoreStreamingSecurityToken(
    org.apache.xml.security.stax.securityToken.SecurityToken securityToken,
    Message message
) throws XMLSecurityException, TokenStoreException {
    if (securityToken == null) {
        return null;
    }
    SecurityToken existingToken = TokenStoreUtils.getTokenStore(message).getToken(securityToken.getId());
    if (existingToken == null || existingToken.isExpired()) {
        Instant created = Instant.now();
        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);

        SecurityToken cachedTok =
            new SecurityToken(securityToken.getId(), created, expires);
        cachedTok.setSHA1(securityToken.getSha1Identifier());

        if (securityToken.getTokenType() != null) {
            if (securityToken.getTokenType() == WSSecurityTokenConstants.EncryptedKeyToken) {
                cachedTok.setTokenType(WSSConstants.NS_WSS_ENC_KEY_VALUE_TYPE);
            } else if (securityToken.getTokenType() == WSSecurityTokenConstants.KERBEROS_TOKEN) {
                cachedTok.setTokenType(WSSConstants.NS_GSS_KERBEROS5_AP_REQ);
            } else if (securityToken.getTokenType() == WSSecurityTokenConstants.SAML_11_TOKEN) {
                cachedTok.setTokenType(WSSConstants.NS_SAML11_TOKEN_PROFILE_TYPE);
            } else if (securityToken.getTokenType() == WSSecurityTokenConstants.SAML_20_TOKEN) {
                cachedTok.setTokenType(WSSConstants.NS_SAML20_TOKEN_PROFILE_TYPE);
            } else if (securityToken.getTokenType() == WSSecurityTokenConstants.SECURE_CONVERSATION_TOKEN
                || securityToken.getTokenType() == WSSecurityTokenConstants.SECURITY_CONTEXT_TOKEN) {
                cachedTok.setTokenType(WSSConstants.NS_WSC_05_02);
            }
        }

        for (Map.Entry<String, Key> entry : securityToken.getSecretKey().entrySet()) {
            if (entry.getValue() != null) {
                cachedTok.setKey(entry.getValue());
                if (entry.getValue() instanceof SecretKey) {
                    cachedTok.setSecret(entry.getValue().getEncoded());
                }
                break;
            }
        }

        TokenStoreUtils.getTokenStore(message).add(cachedTok);

        return cachedTok.getId();
    }
    return existingToken.getId();

}
 
Example 11
Source File: AbstractStaxBindingHandler.java    From cxf with Apache License 2.0 4 votes vote down vote up
protected SecurePart addKerberosToken(
    KerberosToken token, boolean signed, boolean endorsing, boolean encrypting
) throws WSSecurityException, TokenStoreException {
    assertToken(token);
    IncludeTokenType includeToken = token.getIncludeTokenType();
    if (!isTokenRequired(includeToken)) {
        return null;
    }

    final SecurityToken secToken = getSecurityToken();
    if (secToken == null) {
        unassertPolicy(token, "Could not find KerberosToken");
    }

    // Get the kerberos token from the element
    byte[] data = null;
    if (secToken.getToken() != null) {
        String text = XMLUtils.getElementText(secToken.getToken());
        if (text != null) {
            data = org.apache.xml.security.utils.XMLUtils.decode(text);
        }
    }

    // Convert to WSS4J token
    final KerberosClientSecurityToken wss4jToken =
        new KerberosClientSecurityToken(data, secToken.getKey(), secToken.getId()) {

            @Override
            public Key getSecretKey(String algorithmURI) throws XMLSecurityException {
                if (secToken.getSecret() != null && algorithmURI != null && !"".equals(algorithmURI)) {
                    return KeyUtils.prepareSecretKey(algorithmURI, secToken.getSecret());
                }
                return secToken.getKey();
            }
        };
    wss4jToken.setSha1Identifier(secToken.getSHA1());

    final SecurityTokenProvider<OutboundSecurityToken> kerberosSecurityTokenProvider =
        new SecurityTokenProvider<OutboundSecurityToken>() {

            @Override
            public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
                return wss4jToken;
            }

            @Override
            public String getId() {
                return wss4jToken.getId();
            }
        };
    outboundSecurityContext.registerSecurityTokenProvider(
            kerberosSecurityTokenProvider.getId(), kerberosSecurityTokenProvider);
    outboundSecurityContext.put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS,
            kerberosSecurityTokenProvider.getId());

    if (encrypting) {
        outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION,
                kerberosSecurityTokenProvider.getId());
    }
    if (endorsing) {
        outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE,
                kerberosSecurityTokenProvider.getId());
    }

    // Action
    properties.addAction(WSSConstants.KERBEROS_TOKEN);

    /*
    if (endorsing) {
        String action = (String)config.get(ConfigurationConstants.ACTION);
        config.put(ConfigurationConstants.ACTION,
            ConfigurationConstants.SIGNATURE_WITH_KERBEROS_TOKEN  + " " + action);
        // config.put(ConfigurationConstants.SIG_KEY_ID, "DirectReference");
    }
    */

    SecurePart securePart = new SecurePart(WSSConstants.TAG_WSSE_BINARY_SECURITY_TOKEN, Modifier.Element);
    securePart.setIdToSecure(wss4jToken.getId());

    return securePart;
}
 
Example 12
Source File: AbstractStaxBindingHandler.java    From cxf with Apache License 2.0 4 votes vote down vote up
protected void storeSecurityToken(AbstractToken policyToken, SecurityToken tok) {
    SecurityTokenConstants.TokenType tokenType = WSSecurityTokenConstants.EncryptedKeyToken;
    if (tok.getTokenType() != null) {
        if (tok.getTokenType().startsWith(WSSConstants.NS_KERBEROS11_TOKEN_PROFILE)) {
            tokenType = WSSecurityTokenConstants.KERBEROS_TOKEN;
        } else if (tok.getTokenType().startsWith(WSSConstants.NS_SAML10_TOKEN_PROFILE)
            || tok.getTokenType().startsWith(WSSConstants.NS_SAML11_TOKEN_PROFILE)) {
            tokenType = WSSecurityTokenConstants.SAML_11_TOKEN;
        } else if (tok.getTokenType().startsWith(WSSConstants.NS_WSC_05_02)
            || tok.getTokenType().startsWith(WSSConstants.NS_WSC_05_12)) {
            tokenType = WSSecurityTokenConstants.SECURE_CONVERSATION_TOKEN;
        }
    }

    final Key key = tok.getKey();
    final byte[] secret = tok.getSecret();
    final X509Certificate[] certs = new X509Certificate[1];
    if (tok.getX509Certificate() != null) {
        certs[0] = tok.getX509Certificate();
    }

    final GenericOutboundSecurityToken encryptedKeySecurityToken =
        new GenericOutboundSecurityToken(tok.getId(), tokenType, key, certs) {

            @Override
            public Key getSecretKey(String algorithmURI) throws XMLSecurityException {
                if (secret != null && algorithmURI != null && !"".equals(algorithmURI)) {
                    return KeyUtils.prepareSecretKey(algorithmURI, secret);
                }
                if (key != null) {
                    return key;
                }
                if (secret != null) {
                    String jceAlg = JCEMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
                    if (jceAlg == null || "".equals(jceAlg)) {
                        jceAlg = "HmacSHA1";
                    }
                    return new SecretKeySpec(secret, jceAlg);
                }

                return super.getSecretKey(algorithmURI);
            }
        };

    // Store a DOM Element reference if it exists
    Element ref;
    if (isTokenRequired(policyToken.getIncludeTokenType())) {
        ref = tok.getAttachedReference();
    } else {
        ref = tok.getUnattachedReference();
    }

    if (ref != null && policyToken instanceof IssuedToken) {
        encryptedKeySecurityToken.setCustomTokenReference(ref);
    }
    final SecurityTokenProvider<OutboundSecurityToken> encryptedKeySecurityTokenProvider =
        new SecurityTokenProvider<OutboundSecurityToken>() {

            @Override
            public OutboundSecurityToken getSecurityToken() throws XMLSecurityException {
                return encryptedKeySecurityToken;
            }

            @Override
            public String getId() {
                return encryptedKeySecurityToken.getId();
            }

        };
    encryptedKeySecurityToken.setSha1Identifier(tok.getSHA1());

    outboundSecurityContext.registerSecurityTokenProvider(
            encryptedKeySecurityTokenProvider.getId(), encryptedKeySecurityTokenProvider);
    outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION,
            encryptedKeySecurityTokenProvider.getId());
    outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE,
            encryptedKeySecurityTokenProvider.getId());
    outboundSecurityContext.put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_CUSTOM_TOKEN,
            encryptedKeySecurityTokenProvider.getId());
}
 
Example 13
Source File: AbstractBindingBuilder.java    From cxf with Apache License 2.0 4 votes vote down vote up
private void doSymmSignature(AbstractToken policyToken, SecurityToken tok,
                                     List<WSEncryptionPart> sigParts,
                                     boolean isSigProtect)
    throws WSSecurityException {

    WSSecSignature sig = new WSSecSignature(secHeader);
    sig.setIdAllocator(wssConfig.getIdAllocator());
    sig.setCallbackLookup(callbackLookup);
    sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
    sig.setStoreBytesInAttachment(storeBytesInAttachment);
    sig.setExpandXopInclude(isExpandXopInclude());
    sig.setWsDocInfo(wsDocInfo);

    // If a EncryptedKeyToken is used, set the correct value type to
    // be used in the wsse:Reference in ds:KeyInfo
    if (policyToken instanceof X509Token) {
        if (isRequestor()) {
            // TODO Add support for SAML2 here
            sig.setCustomTokenValueType(
                WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE
            );
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
        } else {
            //the tok has to be an EncryptedKey token
            sig.setEncrKeySha1value(tok.getSHA1());
            sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
        }

    } else {
        String tokenType = tok.getTokenType();
        if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
            || WSS4JConstants.SAML_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
        } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
            || WSS4JConstants.SAML2_NS.equals(tokenType)) {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
        } else if (tokenType != null) {
            sig.setCustomTokenValueType(tokenType);
        } else if (policyToken instanceof UsernameToken) {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
        } else {
            sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
        }
        sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
    }

    String sigTokId = tok.getWsuId();
    if (sigTokId == null) {
        sigTokId = tok.getId();
    }

    sigTokId = XMLUtils.getIDFromReference(sigTokId);
    sig.setCustomTokenId(sigTokId);
    sig.setSecretKey(tok.getSecret());
    sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
    AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
    sig.setDigestAlgo(algType.getDigest());
    sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
    sig.prepare(getSignatureCrypto());

    sig.getParts().addAll(sigParts);
    List<Reference> referenceList = sig.addReferencesToSign(sigParts);

    //Do signature
    sig.computeSignature(referenceList, false, null);

    if (isSigProtect) {
        WSEncryptionPart part = new WSEncryptionPart(sig.getId(), "Element");
        encryptedTokensList.add(part);
    }

    addSig(sig.getSignatureValue());
}