/** Test the Symmetric Key SAML1 case */
@org.junit.Test
public void testSymmetricKeySaml1() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
Bus bus = bf.createBus(busFile.toString());
SpringBusFactory.setDefaultBus(bus);
SpringBusFactory.setThreadDefaultBus(bus);
// Get a token
SecurityToken token =
requestSecurityToken(SAML1_TOKEN_TYPE, SYMMETRIC_KEY_KEYTYPE, bus, DEFAULT_ADDRESS);
assertTrue(token.getSecret() != null && token.getSecret().length > 0);
assertTrue(SAML1_TOKEN_TYPE.equals(token.getTokenType()));
assertTrue(token.getToken() != null);
// Process the token
List<WSSecurityEngineResult> results = processToken(token);
assertTrue(results != null && results.size() == 1);
SamlAssertionWrapper assertion =
(SamlAssertionWrapper) results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(assertion != null);
assertTrue(assertion.getSaml1() != null && assertion.getSaml2() == null);
assertTrue(assertion.isSigned());
List<String> methods = assertion.getConfirmationMethods();
String confirmMethod = null;
if (methods != null && methods.size() > 0) {
confirmMethod = methods.get(0);
}
assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
assertTrue(subjectKeyInfo.getSecret() != null);
bus.shutdown(true);
}
private byte[] doSignature(
List<WSEncryptionPart> sigs,
TokenWrapper policyTokenWrapper,
Token policyToken,
SecurityToken tok,
boolean included)
throws WSSecurityException {
if (policyToken.isDerivedKeys()) {
return doSignatureDK(sigs, policyTokenWrapper, policyToken, tok, included);
} else {
WSSecSignature sig = new WSSecSignature(wssConfig);
sig.setWsConfig(wssConfig);
// If a EncryptedKeyToken is used, set the correct value type to
// be used in the wsse:Reference in ds:KeyInfo
int type =
included ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
if (policyToken instanceof X509Token) {
if (isRequestor()) {
sig.setCustomTokenValueType(
WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.ENC_KEY_VALUE_TYPE);
sig.setKeyIdentifierType(type);
} else {
// the tok has to be an EncryptedKey token
sig.setEncrKeySha1value(tok.getSHA1());
sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
}
} else if (policyToken instanceof UsernameToken) {
sig.setCustomTokenValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
sig.setKeyIdentifierType(type);
} else {
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (included) {
ref = tok.getAttachedReference();
} else {
ref = tok.getUnattachedReference();
}
if (ref != null) {
SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), false);
sig.setSecurityTokenReference(secRef);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
String tokenType = tok.getTokenType();
if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
|| WSConstants.SAML_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
|| WSConstants.SAML2_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
sig.setCustomTokenValueType(tokenType);
sig.setKeyIdentifierType(type);
}
}
}
String sigTokId;
if (included) {
sigTokId = tok.getWsuId();
if (sigTokId == null) {
if (policyToken instanceof SecureConversationToken
|| policyToken instanceof SecurityContextToken) {
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
}
sigTokId = tok.getId();
}
if (sigTokId.startsWith("#")) {
sigTokId = sigTokId.substring(1);
}
} else {
sigTokId = tok.getId();
}
if (included && sbinding.isTokenProtection()) {
sigs.add(new WSEncryptionPart(sigTokId));
}
sig.setCustomTokenId(sigTokId);
sig.setSecretKey(tok.getSecret());
sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
Crypto crypto = null;
if (sbinding.getProtectionToken() != null) {
crypto = getEncryptionCrypto(sbinding.getProtectionToken());
} else {
crypto = getSignatureCrypto(policyTokenWrapper);
}
this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
sig.prepare(saaj.getSOAPPart(), crypto, secHeader);
sig.setParts(sigs);
List<Reference> referenceList = sig.addReferencesToSign(sigs, secHeader);
// Do signature
if (bottomUpElement == null) {
sig.computeSignature(referenceList, false, null);
} else {
sig.computeSignature(referenceList, true, bottomUpElement);
}
bottomUpElement = sig.getSignatureElement();
this.mainSigId = sig.getId();
return sig.getSignatureValue();
}
}
private byte[] doSignatureDK(
List<WSEncryptionPart> sigs,
TokenWrapper policyTokenWrapper,
Token policyToken,
SecurityToken tok,
boolean included)
throws WSSecurityException {
Document doc = saaj.getSOAPPart();
WSSecDKSign dkSign = new WSSecDKSign(wssConfig);
if (policyTokenWrapper.getToken().getSPConstants() == SP12Constants.INSTANCE) {
dkSign.setWscVersion(ConversationConstants.VERSION_05_12);
}
// Check for whether the token is attached in the message or not
boolean attached = false;
if (includeToken(policyToken.getInclusion())) {
attached = true;
}
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (attached) {
ref = tok.getAttachedReference();
} else {
ref = tok.getUnattachedReference();
}
if (ref != null) {
dkSign.setExternalKey(tok.getSecret(), cloneElement(ref));
} else if (!isRequestor() && policyToken.isDerivedKeys() && tok.getSHA1() != null) {
// If the Encrypted key used to create the derived key is not
// attached use key identifier as defined in WSS1.1 section
// 7.7 Encrypted Key reference
SecurityTokenReference tokenRef = new SecurityTokenReference(doc);
if (tok.getSHA1() != null) {
tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
String tokenType = tok.getTokenType();
if (tokenType == null) {
tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
}
tokenRef.addTokenType(tokenType);
}
dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
} else {
if ((!attached && !isRequestor())
|| policyToken instanceof SecureConversationToken
|| policyToken instanceof SecurityContextToken) {
dkSign.setTokenIdDirectId(true);
}
dkSign.setExternalKey(tok.getSecret(), tok.getId());
}
// Set the algo info
dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
dkSign.setDerivedKeyLength(sbinding.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8);
if (tok.getSHA1() != null) {
// Set the value type of the reference
String tokenType = tok.getTokenType();
if (tokenType == null) {
tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
}
dkSign.setCustomValueType(tokenType);
} else {
String tokenType = tok.getTokenType();
if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
|| WSConstants.SAML_NS.equals(tokenType)) {
dkSign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
dkSign.setCustomValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
} else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
|| WSConstants.SAML2_NS.equals(tokenType)) {
dkSign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
dkSign.setCustomValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
} else if (policyToken instanceof UsernameToken) {
dkSign.setCustomValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
} else {
dkSign.setCustomValueType(tokenType);
}
}
try {
dkSign.prepare(doc, secHeader);
} catch (ConversationException e) {
throw new WSSecurityException(e.getMessage(), e);
}
if (sbinding.isTokenProtection()) {
String sigTokId = tok.getId();
if (included) {
sigTokId = tok.getWsuId();
if (sigTokId == null) {
sigTokId = tok.getId();
}
if (sigTokId.startsWith("#")) {
sigTokId = sigTokId.substring(1);
}
}
sigs.add(new WSEncryptionPart(sigTokId));
}
dkSign.setParts(sigs);
List<Reference> referenceList = dkSign.addReferencesToSign(sigs, secHeader);
// Add elements to header
Element el = dkSign.getdktElement();
addDerivedKeyElement(el);
// Do signature
if (bottomUpElement == null) {
dkSign.computeSignature(referenceList, false, null);
} else {
dkSign.computeSignature(referenceList, true, bottomUpElement);
}
bottomUpElement = dkSign.getSignatureElement();
this.mainSigId = dkSign.getSignatureId();
return dkSign.getSignatureValue();
}
private WSSecBase doEncryption(
TokenWrapper recToken,
SecurityToken encrTok,
boolean attached,
List<WSEncryptionPart> encrParts,
boolean atEnd) {
// Do encryption
if (recToken != null && recToken.getToken() != null && encrParts.size() > 0) {
Token encrToken = recToken.getToken();
policyAsserted(recToken);
policyAsserted(encrToken);
AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
if (encrToken.isDerivedKeys()) {
return doEncryptionDerived(recToken, encrTok, encrToken, attached, encrParts, atEnd);
} else {
try {
WSSecEncrypt encr = new WSSecEncrypt(wssConfig);
String encrTokId = encrTok.getId();
if (attached) {
encrTokId = encrTok.getWsuId();
if (encrTokId == null
&& (encrToken instanceof SecureConversationToken
|| encrToken instanceof SecurityContextToken)) {
encr.setEncKeyIdDirectId(true);
encrTokId = encrTok.getId();
} else if (encrTokId == null) {
encrTokId = encrTok.getId();
}
if (encrTokId.startsWith("#")) {
encrTokId = encrTokId.substring(1);
}
} else {
encr.setEncKeyIdDirectId(true);
}
if (encrTok.getTokenType() != null) {
encr.setCustomReferenceValue(encrTok.getTokenType());
}
encr.setEncKeyId(encrTokId);
encr.setEphemeralKey(encrTok.getSecret());
Crypto crypto = getEncryptionCrypto(recToken);
if (crypto != null) {
this.message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
setEncryptionUser(encr, recToken, false, crypto);
}
encr.setDocument(saaj.getSOAPPart());
encr.setEncryptSymmKey(false);
encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken) {
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (attached) {
ref = encrTok.getAttachedReference();
} else {
ref = encrTok.getUnattachedReference();
}
String tokenType = encrTok.getTokenType();
if (ref != null) {
SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), false);
encr.setSecurityTokenReference(secRef);
} else if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
|| WSConstants.SAML_NS.equals(tokenType)) {
encr.setCustomReferenceValue(WSConstants.WSS_SAML_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
|| WSConstants.SAML2_NS.equals(tokenType)) {
encr.setCustomReferenceValue(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
encr.setCustomReferenceValue(tokenType);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
}
} else if (encrToken instanceof UsernameToken) {
encr.setCustomReferenceValue(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
} else if (!isRequestor()) {
if (encrTok.getSHA1() != null) {
encr.setCustomReferenceValue(encrTok.getSHA1());
encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
} else {
encr.setKeyIdentifierType(WSConstants.EMBED_SECURITY_TOKEN_REF);
}
}
encr.prepare(saaj.getSOAPPart(), crypto);
if (encr.getBSTTokenId() != null) {
encr.prependBSTElementToHeader(secHeader);
}
Element refList = encr.encryptForRef(null, encrParts);
if (atEnd) {
this.insertBeforeBottomUp(refList);
} else {
this.addDerivedKeyElement(refList);
}
return encr;
} catch (WSSecurityException e) {
policyNotAsserted(recToken, e);
}
}
}
return null;
}
private WSSecBase doEncryptionDerived(
TokenWrapper recToken,
SecurityToken encrTok,
Token encrToken,
boolean attached,
List<WSEncryptionPart> encrParts,
boolean atEnd) {
try {
WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(wssConfig);
if (recToken.getToken().getSPConstants() == SP12Constants.INSTANCE) {
dkEncr.setWscVersion(ConversationConstants.VERSION_05_12);
}
if (attached && encrTok.getAttachedReference() != null) {
dkEncr.setExternalKey(encrTok.getSecret(), cloneElement(encrTok.getAttachedReference()));
} else if (encrTok.getUnattachedReference() != null) {
dkEncr.setExternalKey(encrTok.getSecret(), cloneElement(encrTok.getUnattachedReference()));
} else if (!isRequestor() && encrTok.getSHA1() != null) {
// If the Encrypted key used to create the derived key is not
// attached use key identifier as defined in WSS1.1 section
// 7.7 Encrypted Key reference
SecurityTokenReference tokenRef = new SecurityTokenReference(saaj.getSOAPPart());
tokenRef.setKeyIdentifierEncKeySHA1(encrTok.getSHA1());
String tokenType = encrTok.getTokenType();
if (tokenType == null) {
tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
}
tokenRef.addTokenType(tokenType);
dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement());
} else {
if (attached) {
String id = encrTok.getWsuId();
if (id == null
&& (encrToken instanceof SecureConversationToken
|| encrToken instanceof SecurityContextToken)) {
dkEncr.setTokenIdDirectId(true);
id = encrTok.getId();
} else if (id == null) {
id = encrTok.getId();
}
if (id.startsWith("#")) {
id = id.substring(1);
}
dkEncr.setExternalKey(encrTok.getSecret(), id);
} else {
dkEncr.setTokenIdDirectId(true);
dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId());
}
}
if (encrTok.getSHA1() != null) {
String tokenType = encrTok.getTokenType();
if (tokenType == null) {
tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
}
dkEncr.setCustomValueType(tokenType);
} else {
String tokenType = encrTok.getTokenType();
if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
|| WSConstants.SAML_NS.equals(tokenType)) {
dkEncr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
dkEncr.setCustomValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
} else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
|| WSConstants.SAML2_NS.equals(tokenType)) {
dkEncr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
dkEncr.setCustomValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
} else if (encrToken instanceof UsernameToken) {
dkEncr.setCustomValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
} else {
dkEncr.setCustomValueType(tokenType);
}
}
dkEncr.setSymmetricEncAlgorithm(sbinding.getAlgorithmSuite().getEncryption());
dkEncr.setDerivedKeyLength(sbinding.getAlgorithmSuite().getEncryptionDerivedKeyLength() / 8);
dkEncr.prepare(saaj.getSOAPPart());
Element encrDKTokenElem = null;
encrDKTokenElem = dkEncr.getdktElement();
addDerivedKeyElement(encrDKTokenElem);
Element refList = dkEncr.encryptForExternalRef(null, encrParts);
if (atEnd) {
this.insertBeforeBottomUp(refList);
} else {
this.addDerivedKeyElement(refList);
}
return dkEncr;
} catch (Exception e) {
policyNotAsserted(recToken, e);
}
return null;
}