/**
 * Appends a {@code wsse:SecurityTokenReference} containing a single
 * {@code wsse:Reference} to the writer's current node and returns it.
 *
 * @param writer       DOM-backed stream writer; the STR is appended to its current node
 * @param id           written verbatim into the Reference's URI attribute (nothing such as
 *                     a leading "#" is added here, so the caller must pass the exact form
 *                     the consumer will resolve)
 * @param refValueType optional ValueType for the Reference; omitted when {@code null}
 * @return the STR element that was appended
 */
Element writeSecurityTokenReference(
    W3CDOMStreamWriter writer, String id, String refValueType
) {
    Reference tokenRef = new Reference(writer.getDocument());
    tokenRef.setURI(id);
    if (refValueType != null) {
        tokenRef.setValueType(refValueType);
    }

    SecurityTokenReference strWrapper = new SecurityTokenReference(writer.getDocument());
    strWrapper.addWSSENamespace();
    strWrapper.setReference(tokenRef);

    Element strDom = strWrapper.getElement();
    writer.getCurrentNode().appendChild(strDom);
    return strDom;
}
if (secRef.containsReference()) { LOG.debug("STR: Reference"); Reference reference = secRef.getReference(); return STRParserUtil.getTokenElement(doc, wsDocInfo, null, reference.getURI(), reference.getValueType()); } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) { secRef.getX509IssuerSerial(wsDocInfo.getCrypto()); if (certs == null || certs.length == 0 || certs[0] == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK); return createBSTX509(doc, certs[0], secRef.getElement(), secRef.getKeyIdentifierEncodingType()); } else if (secRef.containsKeyIdentifier()) { if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()) || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) { return STRParserUtil.getTokenElement(doc, wsDocInfo, null, secRef.getKeyIdentifierValue(), secRef.getKeyIdentifierValueType()); } else { X509Certificate[] certs = secRef.getKeyIdentifier(wsDocInfo.getCrypto()); if (certs == null || certs.length == 0 || certs[0] == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK); return createBSTX509(doc, certs[0], secRef.getElement());
keyInfo.addUnknownElement(getEncryptedKeyElement()); } else if (keyIdentifierType == WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER) { SecurityTokenReference secToken = new SecurityTokenReference(getDocument()); secToken.addWSSENamespace(); if (customReferenceValue != null) { secToken.setKeyIdentifierEncKeySHA1(customReferenceValue); } else { byte[] encodedBytes = KeyUtils.generateDigest(encryptedEphemeralKey); secToken.setKeyIdentifierEncKeySHA1(org.apache.xml.security.utils.XMLUtils.encodeToString(encodedBytes)); secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE); keyInfo.addUnknownElement(secToken.getElement()); } else if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customReferenceValue)) { SecurityTokenReference secToken = new SecurityTokenReference(getDocument()); secToken.addWSSENamespace(); secToken.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE); secToken.setKeyIdentifier(WSConstants.WSS_SAML_KI_VALUE_TYPE, getId()); keyInfo.addUnknownElement(secToken.getElement()); } else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customReferenceValue)) { SecurityTokenReference secToken = new SecurityTokenReference(getDocument()); secToken.addWSSENamespace(); secToken.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE); secToken.setKeyIdentifier(WSConstants.WSS_SAML2_KI_VALUE_TYPE, getId()); keyInfo.addUnknownElement(secToken.getElement()); } else if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(customReferenceValue)) { SecurityTokenReference secToken = new SecurityTokenReference(getDocument()); secToken.addWSSENamespace(); secToken.addTokenType(WSConstants.WSS_GSS_KRB_V5_AP_REQ); secToken.setKeyIdentifier(customReferenceValue, getId(), true);
/**
 * Classifies how the STR points at its token: a direct {@code wsse:Reference}, a
 * thumbprint KeyIdentifier, or any other KeyIdentifier.
 *
 * @param secRef the parsed SecurityTokenReference
 * @return DIRECT_REF, THUMBPRINT_SHA1 or KEY_IDENTIFIER; {@code null} when the STR
 *         holds neither a Reference nor a KeyIdentifier (other forms, e.g. X509Data,
 *         are not classified by this method)
 */
private REFERENCE_TYPE getReferenceType(SecurityTokenReference secRef) {
    if (secRef.containsReference()) {
        return REFERENCE_TYPE.DIRECT_REF;
    }
    if (!secRef.containsKeyIdentifier()) {
        // Neither form present: the caller decides what to do with null.
        return null;
    }
    String keyIdValueType = secRef.getKeyIdentifierValueType();
    boolean thumbprint = SecurityTokenReference.THUMB_URI.equals(keyIdValueType);
    return thumbprint ? REFERENCE_TYPE.THUMBPRINT_SHA1 : REFERENCE_TYPE.KEY_IDENTIFIER;
}
/**
 * Returns the {@code EncodingType} attribute of this STR's {@code wsse:KeyIdentifier}
 * child (read via DOM {@code getAttributeNS}, so an absent attribute yields "" rather
 * than {@code null}).
 *
 * @return the attribute value, or {@code null} when this STR holds no KeyIdentifier
 */
public String getKeyIdentifierEncodingType() {
    if (!containsKeyIdentifier()) {
        return null;
    }
    Element keyIdElem = getFirstElement();
    return keyIdElem.getAttributeNS(null, "EncodingType");
}
if (!getReference().equals(tokenReference.getReference())) { return false; return false; if (!compare(getKeyIdentifierEncodingType(), tokenReference.getKeyIdentifierEncodingType())) { return false; if (!compare(getKeyIdentifierValueType(), tokenReference.getKeyIdentifierValueType())) { return false; if (!compare(getKeyIdentifierValue(), tokenReference.getKeyIdentifierValue())) { return false; if (!compare(getTokenType(), tokenReference.getTokenType())) { return false; if (!Arrays.equals(getSKIBytes(), tokenReference.getSKIBytes())) { return false; if (getIssuerSerial() != null && tokenReference.getIssuerSerial() != null) { if (!compare(getIssuerSerial().getIssuer(), tokenReference.getIssuerSerial().getIssuer())) { return false; if (!compare(getIssuerSerial().getSerialNumber(), tokenReference.getIssuerSerial().getSerialNumber())) { return false;
SecurityTokenReference tokenRef = new SecurityTokenReference(saaj.getSOAPPart()); String tokenType = encrTok.getTokenType(); if (encrToken instanceof KerberosToken) { tokenRef.setKeyIdentifier(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE, encrTok.getSHA1(), true); if (tokenType == null) { tokenType = WSS4JConstants.WSS_GSS_KRB_V5_AP_REQ; tokenRef.setKeyIdentifierEncKeySHA1(encrTok.getSHA1()); if (tokenType == null) { tokenType = WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE; tokenRef.addTokenType(tokenType); dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement()); } else { if (attached) {
boolean useDirectReferenceToAssertion ) { SecurityTokenReference secRefSaml = new SecurityTokenReference(doc); String secRefID = wssConfig.getIdAllocator().createSecureId("STR-", secRefSaml); secRefSaml.setID(secRefID); if (saml1) { ref.setValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE); secRefSaml.addTokenType(WSS4JConstants.WSS_SAML_TOKEN_TYPE); } else { secRefSaml.addTokenType(WSS4JConstants.WSS_SAML2_TOKEN_TYPE); secRefSaml.setReference(ref); } else { Element keyId = doc.createElementNS(WSS4JConstants.WSSE_NS, "wsse:KeyIdentifier"); if (saml1) { valueType = WSS4JConstants.WSS_SAML_KI_VALUE_TYPE; secRefSaml.addTokenType(WSS4JConstants.WSS_SAML_TOKEN_TYPE); } else { valueType = WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE; secRefSaml.addTokenType(WSS4JConstants.WSS_SAML2_TOKEN_TYPE); ); keyId.appendChild(doc.createTextNode(id)); Element elem = secRefSaml.getElement(); elem.appendChild(keyId);
encryptedKeyElement.appendChild(getDocument().adoptNode(customEKKeyInfoElement)); } else { SecurityTokenReference secToken = new SecurityTokenReference(getDocument()); secToken.setKeyIdentifier(remoteCert); break; secToken.setKeyIdentifierSKI(remoteCert, crypto); secToken.setKeyIdentifierThumb(remoteCert); ); DOMX509Data domX509Data = new DOMX509Data(getDocument(), domIssuerSerial); secToken.setUnknownElement(domX509Data.getElement()); bstToken.setID(certUri); ref.setValueType(bstToken.getValueType()); secToken.setReference(ref); break; Reference refCust = new Reference(getDocument()); if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customEKTokenValueType)) { secToken.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE); refCust.setValueType(customEKTokenValueType); } else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customEKTokenValueType)) { secToken.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE); } else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customEKTokenValueType)) { secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE); refCust.setValueType(customEKTokenValueType);
secRef = new SecurityTokenReference(getDocument()); strUri = getIdAllocator().createSecureId("STR-", secRef); secRef.addWSSENamespace(); secRef.addWSUNamespace(); secRef.setID(strUri); secRef.addTokenType(PKIPathSecurity.PKI_TYPE); ref.setValueType(PKIPathSecurity.PKI_TYPE); } else { ref.setValueType(X509Security.X509_V3_TYPE); secRef.setReference(ref); break; new DOMX509IssuerSerial(getDocument(), issuer, serialNumber); DOMX509Data domX509Data = new DOMX509Data(getDocument(), domIssuerSerial); secRef.setUnknownElement(domX509Data.getElement()); secRef.setKeyIdentifier(certs[0]); break; secRef.setKeyIdentifierSKI(certs[0], crypto); secRef.setKeyIdentifierThumb(certs[0]); secRef.setKeyIdentifierEncKeySHA1(encrKeySha1value); } else { byte[] digestBytes = KeyUtils.generateDigest(secretKey); secRef.setKeyIdentifierEncKeySHA1(org.apache.xml.security.utils.XMLUtils.encodeToString(digestBytes));
BSPEnforcer bspEnforcer ) throws WSSecurityException { if (secRef.containsReference()) { String valueType = secRef.getReference().getValueType(); if (token instanceof X509Security && !X509Security.X509_V3_TYPE.equals(valueType) || token instanceof PKIPathSecurity && !PKIPathSecurity.PKI_TYPE.equals(valueType) bspEnforcer.handleBSPRule(BSPRule.R3058); } else if (secRef.containsKeyIdentifier()) { String valueType = secRef.getKeyIdentifierValueType(); if (!SecurityTokenReference.SKI_URI.equals(valueType) && !SecurityTokenReference.THUMB_URI.equals(valueType) String tokenType = secRef.getTokenType(); if (!PKIPathSecurity.PKI_TYPE.equals(tokenType)) { bspEnforcer.handleBSPRule(BSPRule.R5215);
|| keyIdentifierType == WSConstants.CUSTOM_SYMM_SIGNING_DIRECT || keyIdentifierType == WSConstants.CUSTOM_KEY_IDENTIFIER) { SecurityTokenReference secToken = new SecurityTokenReference(getDocument()); Reference refCust = new Reference(getDocument()); if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customEKTokenValueType)) { secToken.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE); refCust.setValueType(customEKTokenValueType); } else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customEKTokenValueType)) { secToken.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE); } else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customEKTokenValueType)) { secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE); refCust.setValueType(customEKTokenValueType); } else { secToken.setReference(refCust); break; Reference refCustd = new Reference(getDocument()); if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customEKTokenValueType)) { secToken.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE); refCustd.setValueType(customEKTokenValueType); } else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customEKTokenValueType)) { secToken.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE); } else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customEKTokenValueType)) { secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE); refCustd.setValueType(customEKTokenValueType); } else {
/**
 * Parse a SecurityTokenReference element and extract credentials.
 *
 * The STR's target id is taken from a {@code wsse:Reference} URI (normalised through
 * {@code XMLUtils.getIDFromReference}, presumably stripping a leading "#") or, failing
 * that, from the raw KeyIdentifier value. If the document info already holds a result
 * for that id, that earlier result is reused instead of re-processing the token.
 *
 * NOTE(review): the cached path trusts the STR exactly as far as the earlier result was
 * trusted; whatever stored that result must have fully validated the token first.
 *
 * @param parameters The parameters to parse
 * @return the STRParserResult Object containing the parsing results
 * @throws WSSecurityException FAILURE ("invalidSTRParserParameter") when parameters, its
 *         RequestData, the WSDocInfo or the STR element is {@code null}; any exception
 *         from the underlying processing is propagated
 */
public STRParserResult parseSecurityTokenReference(STRParserParameters parameters)
    throws WSSecurityException {
    boolean inputMissing = parameters == null
        || parameters.getData() == null
        || parameters.getData().getWsDocInfo() == null
        || parameters.getStrElement() == null;
    if (inputMissing) {
        throw new WSSecurityException(
            WSSecurityException.ErrorCode.FAILURE, "invalidSTRParserParameter"
        );
    }

    SecurityTokenReference secRef = new SecurityTokenReference(
        parameters.getStrElement(), parameters.getData().getBSPEnforcer()
    );

    String targetId = null;
    if (secRef.getReference() != null) {
        targetId = XMLUtils.getIDFromReference(secRef.getReference().getURI());
    } else if (secRef.containsKeyIdentifier()) {
        targetId = secRef.getKeyIdentifierValue();
    }

    WSSecurityEngineResult cached = parameters.getData().getWsDocInfo().getResult(targetId);
    return cached == null
        ? processSTR(secRef, targetId, parameters)
        : processPreviousResult(cached, secRef, parameters);
}
if (secRef.containsReference()) { Reference reference = secRef.getReference(); STRParserUtil.findProcessedTokenElement( strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler(), uri, secRef.getReference().getValueType() ); SamlAssertionWrapper samlAssertion = null; } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) { parserResult.setReferenceType(REFERENCE_TYPE.ISSUER_SERIAL); Crypto crypto = data.getSigVerCrypto(); X509Certificate[] foundCerts = secRef.getX509IssuerSerial(crypto); if (foundCerts != null && foundCerts.length > 0) { parserResult.setCerts(new X509Certificate[]{foundCerts[0]}); } else if (secRef.containsKeyIdentifier()) { if (secRef.getKeyIdentifierValueType().equals(SecurityTokenReference.ENC_KEY_SHA1_URI)) { STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer()); String id = secRef.getKeyIdentifierValue(); parserResult.setSecretKey( STRParserUtil.getSecretKeyFromToken(id, SecurityTokenReference.ENC_KEY_SHA1_URI, WSPasswordCallback.SECRET_KEY, data)); parserResult.setPrincipal(new CustomTokenPrincipal(id)); } else if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()) || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) { parseSAMLKeyIdentifier(secRef, data, parserResult); } else {
SecurityTokenReference secRef = new SecurityTokenReference(getDocument()); String strUri = getIdAllocator().createSecureId("STR-", secRef); secRef.setID(strUri); secRef.setKeyIdentifier(certs[0]); break; secRef.setKeyIdentifierSKI(certs[0], crypto); break; secRef.setKeyIdentifierThumb(certs[0]); break; secRef.setKeyIdentifier(customValueType, tokenIdentifier); if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customValueType)) { secRef.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE); } else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customValueType)) { secRef.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE); } else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customValueType)) { secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE); secRef.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE); ref.setValueType(customValueType); } else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customValueType)) { secRef.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE); } else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customValueType)) { secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE); ref.setValueType(customValueType); } else if (KerberosSecurity.isKerberosToken(customValueType)) {
Crypto crypto = data.getDecCrypto(); if (secRef.containsKeyIdentifier()) { if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()) || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) { SamlAssertionWrapper samlAssertion = STRParserUtil.getAssertionFromKeyIdentifier( } else { STRParserUtil.checkBinarySecurityBSPCompliance(secRef, null, data.getBSPEnforcer()); parserResult.setCerts(secRef.getKeyIdentifier(crypto)); } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) { parserResult.setReferenceType(REFERENCE_TYPE.ISSUER_SERIAL); parserResult.setCerts(secRef.getX509IssuerSerial(crypto)); } else if (secRef.containsReference()) { Reference reference = secRef.getReference(); Element bstElement = STRParserUtil.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler(),
WSDocInfo wsDocInfo = data.getWsDocInfo(); if (secRef.containsReference()) { Reference reference = secRef.getReference(); } else if (secRef.containsKeyIdentifier()) { String valueType = secRef.getKeyIdentifierValueType(); if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(valueType) || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(valueType)) { byte[] secretKey = STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, WSPasswordCallback.SECRET_KEY, data); if (secretKey == null) { } else if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) { byte[] secretKey = STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, WSPasswordCallback.SECRET_KEY, data); if (secretKey == null) { byte[] keyBytes = secRef.getSKIBytes(); List<WSSecurityEngineResult> resultsList = wsDocInfo.getResultsByTag(WSConstants.BST); secRef.getKeyIdentifierValue(), secRef.getKeyIdentifierValueType(), WSPasswordCallback.SECRET_KEY, data );
RequestData data = parameters.getData(); if (secRef.containsReference()) { } else if (secRef.containsKeyIdentifier()) { String keyIdentifierValueType = secRef.getKeyIdentifierValueType(); if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(keyIdentifierValueType)) { byte[] secretKey = STRParserUtil.getSecretKeyFromToken( secRef.getKeyIdentifierValue(), keyIdentifierValueType, WSPasswordCallback.SECRET_KEY, data ); if (secretKey == null) { byte[] keyBytes = secRef.getSKIBytes(); List<WSSecurityEngineResult> resultsList = data.getWsDocInfo().getResultsByTag(WSConstants.BST); X509Certificate[] certs = secRef.getKeyIdentifier(crypto); if (certs == null || certs.length < 1 || certs[0] == null) { byte[] secretKey = STRParserUtil.getSecretKeyFromToken( secRef.getKeyIdentifierValue(), keyIdentifierValueType, WSPasswordCallback.SECRET_KEY, data );
SecurityTokenReference secRef = tempSig.getSecurityTokenReference(); if (WSS4JConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()) || WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) { Element secRefElement = cloneElement(secRef.getElement()); addSupportingElement(secRefElement); Element clone = cloneElement(secRef.getElement()); addSupportingElement(clone); part = new WSEncryptionPart("STRTransform", null, "Element"); part.setId(secRef.getID()); part.setElement(clone); } else { SecurityTokenReference secRef = createSTRForSamlAssertion(doc, id, saml1, false); Element clone = cloneElement(secRef.getElement()); addSupportingElement(clone); part = new WSEncryptionPart("STRTransform", null, "Element"); part.setId(secRef.getID()); part.setElement(clone); } else {
/**
 * Check that the EncryptedKey referenced by the SecurityTokenReference argument
 * is BSP compliant.
 *
 * Two rules are applied: a KeyIdentifier, when present, must carry the EncryptedKeySHA1
 * ValueType (R3063), and the STR's TokenType must be the EncryptedKey token type (R5215).
 * Violations go through {@code bspEnforcer.handleBSPRule}, so the enforcer (not this
 * method) decides whether a violation is fatal.
 *
 * NOTE(review): only a KeyIdentifier STR is tested against R3063; an STR using a direct
 * wsse:Reference is subject to nothing but the TokenType check here.
 *
 * @param secRef the SecurityTokenReference pointing at the EncryptedKey
 * @param bspEnforcer a BSPEnforcer instance to enforce BSP rules
 * @throws WSSecurityException presumably when the enforcer rejects a violated rule
 */
public static void checkEncryptedKeyBSPCompliance(
    SecurityTokenReference secRef, BSPEnforcer bspEnforcer
) throws WSSecurityException {
    boolean keyIdPresent = secRef.containsKeyIdentifier();
    if (keyIdPresent
        && !SecurityTokenReference.ENC_KEY_SHA1_URI.equals(secRef.getKeyIdentifierValueType())) {
        bspEnforcer.handleBSPRule(BSPRule.R3063);
    }

    if (!WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(secRef.getTokenType())) {
        bspEnforcer.handleBSPRule(BSPRule.R5215);
    }
}