throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noCipher"); WSDocInfo docInfo = new WSDocInfo(child.getOwnerDocument()); RequestData data = new RequestData(); data.setWssConfig(WSSConfig.getNewInstance()); data.setDecCrypto(createCrypto(true)); data.setCallbackHandler(createHandler()); data.setWsDocInfo(docInfo); List<WSSecurityEngineResult> result = proc.handleToken(child, data); return (byte[])result.get(0).get( WSSecurityEngineResult.TAG_SECRET );
private List<WSSecurityEngineResult> processToken(Element tokenElement, final SoapMessage message) throws WSSecurityException { RequestData data = new CXFRequestData(); Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message); try { data.setCallbackHandler(SecurityUtils.getCallbackHandler(o)); } catch (Exception ex) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex); } data.setMsgContext(message); data.setWssConfig(WSSConfig.getNewInstance()); data.setSigVerCrypto(getCrypto(null, SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES, message)); WSDocInfo wsDocInfo = new WSDocInfo(tokenElement.getOwnerDocument()); data.setWsDocInfo(wsDocInfo); SAMLTokenProcessor p = new SAMLTokenProcessor(); return p.handleToken(tokenElement, data); }
/** Verifies the trust of a certificate. * @param result*/ protected void verifyCertificateTrust(WSHandlerResult result) throws WSSecurityException { List<WSSecurityEngineResult> results = result.getActionResults().get(WSConstants.SIGN); if (!CollectionUtils.isEmpty(results)) { WSSecurityEngineResult actionResult = results.get(0); X509Certificate returnCert = (X509Certificate) actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE); Credential credential = new Credential(); credential.setCertificates(new X509Certificate[] { returnCert}); RequestData requestData = new RequestData(); requestData.setSigVerCrypto(validationSignatureCrypto); requestData.setEnableRevocation(enableRevocation); SignatureTrustValidator validator = new SignatureTrustValidator(); validator.validate(credential, requestData); } }
/** * Creates and initializes a request data for the given message context. * * @param messageContext the message context * @return the request data */ protected RequestData initializeValidationRequestData(MessageContext messageContext) { RequestData requestData = new RequestData(); requestData.setMsgContext(messageContext); requestData.setWssConfig(wssConfig); requestData.setDecCrypto(validationDecryptionCrypto); requestData.setSigVerCrypto(validationSignatureCrypto); requestData.setCallbackHandler(validationCallbackHandler); messageContext.setProperty(WSHandlerConstants.TTL_TIMESTAMP, Integer.toString(validationTimeToLive)); requestData.setAllowRSA15KeyTransportAlgorithm(allowRSA15KeyTransportAlgorithm); requestData.setDisableBSPEnforcement(!bspCompliant); if (requestData.getBSPEnforcer() != null) { requestData.getBSPEnforcer().setDisableBSPRules(!bspCompliant); } // allow for qualified password types for .Net interoperability requestData.setAllowNamespaceQualifiedPasswordTypes(true); return requestData; }
protected void decodeDecryptionParameter(RequestData reqData) throws WSSecurityException { if (reqData.getDecCrypto() == null) { reqData.setDecCrypto(loadDecryptionCrypto(reqData)); } boolean allowRsa15 = decodeBooleanConfigValue( reqData.getMsgContext(), WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM, false ); reqData.setAllowRSA15KeyTransportAlgorithm(allowRsa15); }
private PrivateKey getPrivateKey( RequestData data, X509Certificate[] certs, PublicKey publicKey ) throws WSSecurityException { try { if (certs != null) { return data.getDecCrypto().getPrivateKey(certs[0], data.getCallbackHandler()); } return data.getDecCrypto().getPrivateKey(publicKey, data.getCallbackHandler()); } catch (WSSecurityException ex) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex); } }
String keyIdentifierValue = secRef.getKeyIdentifierValue(); String type = secRef.getKeyIdentifierValueType(); WSSecurityEngineResult result = request.getWsDocInfo().getResult(keyIdentifierValue); if (result != null) { samlAssertion = (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); return samlAssertion; } else { token = findProcessedTokenElement( strElement.getOwnerDocument(), request.getWsDocInfo(), request.getCallbackHandler(), keyIdentifierValue, type ); if (token != null) { if (!"Assertion".equals(token.getLocalName())) { throw new WSSecurityException( WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity" ); strElement.getOwnerDocument(), request.getWsDocInfo(), request.getCallbackHandler(), keyIdentifierValue, type ); Processor proc = request.getWssConfig().getProcessor(WSConstants.SAML_TOKEN); List<WSSecurityEngineResult> samlResult = proc.handleToken(token, request); return (SamlAssertionWrapper)samlResult.get(0).get( WSSecurityEngineResult.TAG_SAML_ASSERTION
String id = elem.getAttributeNS(null, "Id"); if (!"".equals(id)) { WSSecurityEngineResult result = data.getWsDocInfo().getResult(id); if (result != null && WSConstants.ENCR == (Integer)result.get(WSSecurityEngineResult.TAG_ACTION) ) { return Collections.singletonList(result); if (data.getCallbackHandler() == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCallback"); && !data.isAllowRSA15KeyTransportAlgorithm() && (algorithmSuite == null || !algorithmSuite.getKeyWrapAlgorithms().contains(WSConstants.KEYTRANSPORT_RSA15))) { checkBSPCompliance(elem, encryptedKeyTransportMethod, data.getBSPEnforcer()); decryptedBytes = getSymmetricDecryptedBytes(data, data.getWsDocInfo(), keyInfoChildElement, refList, encryptedEphemeralKey); } else { PrivateKey privateKey = getPrivateKey(data, certs, publicKey); decryptedBytes = getAsymmetricDecryptedBytes(data, data.getWsDocInfo(), encryptedKeyTransportMethod, encryptedEphemeralKey, refList, elem, privateKey); List<WSDataRef> dataRefs = decryptDataRefs(refList, data.getWsDocInfo(), decryptedBytes, data); data.getWsDocInfo().addResult(result); data.getWsDocInfo().addTokenElement(elem);
public void execute(WSHandler handler, SecurityActionToken actionToken, RequestData reqData) throws WSSecurityException { CallbackHandler callbackHandler = reqData.getCallbackHandler(); if (callbackHandler == null) { callbackHandler = handler.getPasswordCallbackHandler(reqData); throw new WSSecurityException( WSSecurityException.ErrorCode.FAILURE, "noCallback" ); new WSPasswordCallback(reqData.getUsername(), WSPasswordCallback.CUSTOM_TOKEN); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "empty", new Object[] {"WSHandler: password callback failed"}); throw new WSSecurityException( WSSecurityException.ErrorCode.FAILURE, "resourceNotFound", new Object[] {"CustomToken"} ); Element securityHeader = reqData.getSecHeader().getSecurityHeaderElement(); securityHeader.appendChild(securityHeader.getOwnerDocument().adoptNode(customToken));
CAS4.DS_NS, "SignatureMethod"); String sAlgorithm = aSignatureAlgorithm == null ? null : aSignatureAlgorithm.getAttribute ("Algorithm"); final ECryptoAlgorithmSign eSignAlgo = ECryptoAlgorithmSign.getFromURIOrNull (sAlgorithm); sAlgorithm = aSignedNode == null ? null : aSignedNode.getAttribute ("Algorithm"); final ECryptoAlgorithmSignDigest eSignDigestAlgo = ECryptoAlgorithmSignDigest.getFromURIOrNull (sAlgorithm); final RequestData aRequestData = new RequestData (); aRequestData.setCallbackHandler (aKeyStoreCallback); if (aAttachments.isNotEmpty ()) aRequestData.setAttachmentCallbackHandler (aAttachmentCallbackHandler); aRequestData.setSigVerCrypto (AS4ServerSettings.getAS4CryptoFactory ().getCrypto ()); aRequestData.setDecCrypto (AS4ServerSettings.getAS4CryptoFactory ().getCrypto ()); aRequestData.setWssConfig (WSSConfig.getNewInstance ()); for (final WSSecurityEngineResult aResult : aResults) final X509Certificate aCert = (X509Certificate) aResult.get (WSSecurityEngineResult.TAG_X509_CERTIFICATE); if (aCert != null) aCertSet.add (aCert); final Integer aAction = (Integer) aResult.get (WSSecurityEngineResult.TAG_ACTION); if (aAction != null) switch (aAction.intValue ())
RequestData data = parameters.getData(); Element strElement = parameters.getStrElement(); WSDocInfo wsDocInfo = data.getWsDocInfo(); Crypto crypto = data.getDecCrypto(); secRef, strElement, data ); STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion, data.getBSPEnforcer()); data.getSigVerCrypto(), data.getCallbackHandler()); parserResult.setCerts(samlKi.getCerts()); parserResult.setPublicKey(samlKi.getPublicKey()); } else { STRParserUtil.checkBinarySecurityBSPCompliance(secRef, null, data.getBSPEnforcer()); parserResult.setCerts(secRef.getKeyIdentifier(crypto)); Reference reference = secRef.getReference(); Element bstElement = STRParserUtil.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler(), reference.getURI(), reference.getValueType()); QName el = new QName(bstElement.getNamespaceURI(), bstElement.getLocalName()); if (el.equals(WSConstants.BINARY_TOKEN)) { X509Security token = new X509Security(bstElement, data.getBSPEnforcer()); STRParserUtil.checkBinarySecurityBSPCompliance(secRef, token, data.getBSPEnforcer()); parserResult.setCerts(new X509Certificate[]{token.getX509Certificate(crypto)}); } else { throw new WSSecurityException( WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN,
RequestData requestData = new RequestData(); requestData.setSigVerCrypto(crypto); requestData.setWssConfig(WSSConfig.getNewInstance()); requestData.setCallbackHandler(callbackHandler); requestData.setMsgContext(tokenParameters.getMessageContext()); requestData.setSubjectCertConstraints(certConstraints.getCompiledSubjectContraints()); binarySecurity.getElement().appendChild(textNode); } else if (validateTarget.isDOMElement()) { try { Credential credential = new Credential(); credential.setBinarySecurityToken(binarySecurity); if (crypto != null) { X509Certificate cert = ((X509Security)binarySecurity).getX509Certificate(crypto); credential.setCertificates(new X509Certificate[]{cert});
&& "EncryptedKey".equals(((Element)entropyObject).getLocalName())) { EncryptedKeyProcessor processor = new EncryptedKeyProcessor(); Element entropyElement = (Element)entropyObject; RequestData requestData = new RequestData(); requestData.setDecCrypto(stsProperties.getSignatureCrypto()); requestData.setCallbackHandler(stsProperties.getCallbackHandler()); requestData.setWssConfig(WSSConfig.getNewInstance()); requestData.setWsDocInfo(new WSDocInfo(entropyElement.getOwnerDocument())); try { List<WSSecurityEngineResult> results = processor.handleToken(entropyElement, requestData); Entropy entropy = new Entropy(); entropy.setDecryptedKey((byte[])results.get(0).get(WSSecurityEngineResult.TAG_SECRET)); return entropy; } catch (WSSecurityException e) { LOG.log(Level.WARNING, "", e); throw new STSException(e.getMessage(), e, STSException.INVALID_REQUEST);
throw new WSSecurityException( WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", RequestData data = new RequestData(); data.setWsDocInfo(getWsDocInfo()); SignatureActionToken actionToken = new SignatureActionToken(); data.setSignatureToken(actionToken); actionToken.setCrypto(userCrypto); SAMLKeyInfo samlKeyInfo = SAMLUtil.getCredentialFromSubject( samlAssertion, new WSSSAMLKeyInfoProcessor(data), userCrypto, data.getCallbackHandler() ); if (samlKeyInfo != null) { throw new WSSecurityException( WSSecurityException.ErrorCode.FAILURE, "noCertsFound", key = publicKey; } else { throw new WSSecurityException( WSSecurityException.ErrorCode.FAILURE, "unknownSignatureAlgorithm" ); secRefSaml.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
data.getValidator(new QName(elem.getNamespaceURI(), elem.getLocalName())); new WSSecurityEngineResult(WSConstants.SCT, sct); if (validator != null) { Credential credential = new Credential(); credential.setSecurityContextToken(sct); result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE); String tokenId = sct.getID(); if (!"".equals(tokenId)) { result.put(WSSecurityEngineResult.TAG_ID, tokenId); result.put(WSSecurityEngineResult.TAG_SECRET, returnedCredential.getSecretKey()); } else { String id = sct.getID(); secret = getSecret(data.getCallbackHandler(), sct.getIdentifier()); } catch (WSSecurityException ex) { secret = getSecret(data.getCallbackHandler(), id); secret = getSecret(data.getCallbackHandler(), id); result.put(WSSecurityEngineResult.TAG_ID, sct.getID()); data.getWsDocInfo().addTokenElement(elem); data.getWsDocInfo().addResult(result); return java.util.Collections.singletonList(result);
if (requestData.getWssConfig() == null) { requestData.setWssConfig(getWssConfig()); WSDocInfo wsDocInfo = new WSDocInfo(securityHeader.getOwnerDocument()); CallbackLookup callbackLookupToUse = callbackLookup; if (callbackLookupToUse == null) { callbackLookupToUse = new DOMCallbackLookup(securityHeader.getOwnerDocument()); wsDocInfo.setCrypto(requestData.getSigVerCrypto()); wsDocInfo.setSecurityHeader(securityHeader); requestData.setWsDocInfo(wsDocInfo); Node node = securityHeader.getFirstChild(); requestData.getBSPEnforcer().handleBSPRule(BSPRule.R3227); } else if (el.equals(WSConstants.TIMESTAMP)) { foundTimestamp = true; Processor p = cfg.getProcessor(el); if (p != null) { List<WSSecurityEngineResult> results = p.handleToken((Element) node, requestData); new WSHandlerResult(requestData.getActor(), returnResults, wsDocInfo.getActionResults()); if (requestData.isValidateSamlSubjectConfirmation()) { Element bodyElement = callbackLookupToUse.getSOAPBody(); DOMSAMLUtil.validateSAMLResults(handlerResult, requestData.getTlsCerts(), bodyElement);
protected void validateToken(Message message, SamlAssertionWrapper assertion) { try { RequestData data = new RequestData(); if (assertion.isSigned()) { WSSConfig cfg = WSSConfig.getNewInstance(); data.setWssConfig(cfg); data.setCallbackHandler(RSSecurityUtils.getCallbackHandler(message, this.getClass())); try { data.setSigVerCrypto(new CryptoLoader().getCrypto(message, SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES)); data.setEnableRevocation(enableRevocation); WSDocInfo docInfo = new WSDocInfo(sig.getDOM().getOwnerDocument()); data.setWsDocInfo(docInfo); KeyInfo keyInfo = sig.getKeyInfo(); SAMLUtil.getCredentialFromKeyInfo( keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto() ); assertion.verifySignature(samlKeyInfo); assertion.parseSubject( new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto(), data.getCallbackHandler() ); } else if (getTLSCertificates(message) == null) {
CallbackHandler callbackHandler = stsProperties.getCallbackHandler(); RequestData requestData = new RequestData(); requestData.setSigVerCrypto(sigCrypto); WSSConfig wssConfig = WSSConfig.getNewInstance(); requestData.setWssConfig(wssConfig); requestData.setCallbackHandler(callbackHandler); requestData.setMsgContext(tokenParameters.getMessageContext()); ); marshaller.marshal(tokenType, rootElement); usernameTokenElement = (Element)rootElement.getFirstChild(); } catch (JAXBException ex) { LOG.log(Level.WARNING, "", ex); requestData.isAllowNamespaceQualifiedPasswordTypes(); UsernameToken ut = new UsernameToken(usernameTokenElement, allowNamespaceQualifiedPasswordTypes, Credential credential = new Credential(); credential.setUsernametoken(ut); credential = validator.validate(credential, requestData); principal = credential.getPrincipal(); if (credential.getSubject() != null && roleParser != null) {
reqData.setWssConfig(config); reqData.setEncryptionSerializer(new StaxSerializer()); reqData.setAudienceRestrictions(SAMLUtils.getAudienceRestrictions(msg, true)); reqData.setMsgContext(msg); reqData.setAttachmentCallbackHandler(new AttachmentCallbackHandler(msg)); reqData.setCallbackHandler(getCallback(reqData, utWithCallbacks)); actor = (String)msg.getContextualProperty(SecurityConstants.ACTOR); reqData.setActor(actor); if (tlsInfo != null) { Certificate[] tlsCerts = tlsInfo.getPeerCertificates(); reqData.setTlsCerts(tlsCerts); reqData.setExpandXopInclude(AttachmentUtil.isMtomEnabled(msg)); boolean enableRevocation = reqData.isRevocationEnabled() || MessageUtils.isTrue(SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, msg)); reqData.setEnableRevocation(enableRevocation); if (reqData.isEnableSignatureConfirmation()) { checkSignatureConfirmation(reqData, wsResult);
RequestData requestData = new RequestData(); requestData.setSigVerCrypto(sigCrypto); WSSConfig wssConfig = WSSConfig.getNewInstance(); requestData.setWssConfig(wssConfig); requestData.setCallbackHandler(callbackHandler); requestData.setMsgContext(tokenParameters.getMessageContext()); requestData.setSubjectCertConstraints(certConstraints.getCompiledSubjectContraints()); requestData.setWsDocInfo(new WSDocInfo(validateTargetElement.getOwnerDocument())); Credential trustCredential = new Credential(); trustCredential.setPublicKey(samlKeyInfo.getPublicKey()); trustCredential.setCertificates(samlKeyInfo.getCerts());