/**
 * Configures the outbound signature for the symmetric binding on the shared
 * {@code WSSSecurityProperties}: which signature action to run, where in the
 * action list it goes, which parts are signed, and how the signing key is
 * referenced from the {@code ds:KeyInfo}.
 *
 * <p>The key-identifier selection is order sensitive: several branches set
 * {@code setSignatureKeyIdentifier} and then overwrite it when derived keys
 * are required, so the later call wins. Do not reorder these statements.
 *
 * @param wrapper     policy wrapper around the signature token; its token decides
 *                    whether derived keys are used and whether the EncryptedKey
 *                    is itself signed (ProtectTokens)
 * @param policyToken the signature token as declared in policy; drives the
 *                    key-identifier branch below
 * @param tok         the resolved security token. NOTE(review): not referenced
 *                    anywhere in this method; callers pass it but it is unused here
 * @param sigParts    parts to be covered by the signature
 * @throws WSSecurityException propagated from {@code configureSignature}
 * @throws SOAPException       propagated from {@code configureSignature}
 */
private void doSignature(
    AbstractTokenWrapper wrapper, AbstractToken policyToken, SecurityToken tok, List<SecurePart> sigParts)
    throws WSSecurityException, SOAPException {
    // Action: plain SIGNATURE unless the policy token requires derived keys.
    WSSSecurityProperties properties = getProperties();
    WSSConstants.Action actionToPerform = WSSConstants.SIGNATURE;
    if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        actionToPerform = WSSConstants.SIGNATURE_WITH_DERIVED_KEY;
        // A requestor using an X509 token derives from the EncryptedKey it creates;
        // every other case references the (already present) token directly.
        if (MessageUtils.isRequestor(message) && policyToken instanceof X509Token) {
            properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.EncryptedKey);
        } else {
            properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.DirectReference);
        }
        // Algorithm suite gives the derived key length in bits; WSS4J wants bytes.
        AlgorithmSuiteType algSuiteType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setDerivedSignatureKeyLength(algSuiteType.getSignatureDerivedKeyLength() / 8);
    }
    if (policyToken.getVersion() == SPConstants.SPVersion.SP12) {
        properties.setUse200512Namespace(true);
    }
    List<WSSConstants.Action> actionList = properties.getActions();
    // Add a Signature directly before Kerberos, otherwise just append it.
    // Only the first KERBEROS_TOKEN entry is considered (loop breaks on match).
    boolean actionAdded = false;
    for (int i = 0; i < actionList.size(); i++) {
        WSSConstants.Action action = actionList.get(i);
        if (action.equals(WSSConstants.KERBEROS_TOKEN)) {
            actionList.add(i, actionToPerform);
            actionAdded = true;
            break;
        }
    }
    if (!actionAdded) {
        actionList.add(actionToPerform);
    }
    properties.getSignatureSecureParts().addAll(sigParts);
    AbstractToken sigToken = wrapper.getToken();
    // ProtectTokens: a requestor with an X509 token also signs the xenc:EncryptedKey
    // element it emits, so the key material reference is covered by the signature.
    if (sbinding.isProtectTokens() && sigToken instanceof X509Token && isRequestor()) {
        SecurePart securePart = new SecurePart(new QName(WSSConstants.NS_XMLENC, "EncryptedKey"), Modifier.Element);
        properties.addSignaturePart(securePart);
    }
    configureSignature(sigToken, false);
    // Key identifier / token inclusion, per policy token type and message direction.
    if (policyToken instanceof X509Token) {
        properties.setIncludeSignatureToken(false);
        if (isRequestor()) {
            // Requestor: KeyInfo points at the EncryptedKey created for this message.
            properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_EncryptedKey);
        } else {
            // Responder: reference the inbound EncryptedKey by its SHA1 identifier...
            properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
            if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                // ...unless derived keys are used: then the SHA1 reference moves to the
                // DerivedKeyToken and the signature references that token directly.
                properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
                properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
            }
        }
    } else if (policyToken instanceof KerberosToken) {
        if (isRequestor()) {
            properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
        } else {
            // Responder: direct reference to the DerivedKeyToken if derived keys are in
            // use, otherwise the Kerberos SHA1 thumbprint of the inbound ticket.
            if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
            } else {
                properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
            }
            properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
        }
    } else if (policyToken instanceof IssuedToken || policyToken instanceof SecurityContextToken
        || policyToken instanceof SecureConversationToken || policyToken instanceof SpnegoContextToken) {
        // Context/issued tokens: the requestor includes the token in the header, the
        // responder does not (it references the one it received).
        if (!isRequestor()) {
            properties.setIncludeSignatureToken(false);
        } else {
            properties.setIncludeSignatureToken(true);
        }
        properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
    }
    // Derived keys are symmetric, so the signature algorithm must be the suite's
    // symmetric (HMAC) signature rather than the asymmetric default.
    if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        properties.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
    }
}
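/**
 * Applies the symmetric binding's "sign before encrypt" layout to the outbound
 * message: resolves the signature token, configures the signature (timestamp,
 * signed parts, signature confirmation on the responder side), then configures
 * encryption of the encrypted parts plus, when policy demands it, the Signature
 * and SignatureConfirmation elements themselves.
 *
 * <p>Policy outcome is reported through {@code assertToken}/{@code unassertPolicy};
 * an unsupported or missing signature token unasserts the binding and returns
 * early without configuring any action. Any checked exception is wrapped in a
 * {@code Fault}.
 *
 * <p>Fix: the token id used for the token-store lookup is normalised with
 * {@code XMLUtils.getIDFromReference} (strips a leading {@code #}) so this
 * method agrees with {@link #doEncryptBeforeSign()}, which already does so for
 * the same id sources ({@code setupEncryptedKey},
 * {@code parseAndStoreStreamingSecurityToken}).
 */
private void doSignBeforeEncrypt() {
    AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
    assertTokenWrapper(sigAbstractTokenWrapper);
    AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
    String sigTokId = null;
    try {
        SecurityToken sigTok = null;
        if (sigToken != null) {
            if (sigToken instanceof KerberosToken) {
                sigTok = getSecurityToken();
                if (isRequestor()) {
                    addKerberosToken((KerberosToken) sigToken, false, true, true);
                }
            } else if (sigToken instanceof IssuedToken) {
                sigTok = getSecurityToken();
                addIssuedToken((IssuedToken) sigToken, sigTok, false, true);
                // Responder without a cached token: use the inbound SAML token.
                if (sigTok == null && !isRequestor()) {
                    org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
                        findInboundSecurityToken(WSSecurityEventConstants.SAML_TOKEN);
                    sigTokId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
                }
            } else if (sigToken instanceof SecureConversationToken
                || sigToken instanceof SecurityContextToken
                || sigToken instanceof SpnegoContextToken) {
                sigTok = getSecurityToken();
                if (sigTok != null && isRequestor()) {
                    // Requestor emits the context token itself as a custom token.
                    WSSSecurityProperties properties = getProperties();
                    WSSConstants.Action actionToPerform = WSSConstants.CUSTOM_TOKEN;
                    properties.addAction(actionToPerform);
                } else if (sigTok == null && !isRequestor()) {
                    // Responder without a cached token: use the inbound SCT.
                    org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
                        findInboundSecurityToken(WSSecurityEventConstants.SECURITY_CONTEXT_TOKEN);
                    sigTokId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
                }
            } else if (sigToken instanceof X509Token) {
                if (isRequestor()) {
                    // Requestor creates the EncryptedKey that carries the symmetric key.
                    sigTokId = setupEncryptedKey(sigAbstractTokenWrapper, sigToken);
                } else {
                    // Responder reuses the EncryptedKey received on the request.
                    org.apache.xml.security.stax.securityToken.SecurityToken securityToken = findEncryptedKeyToken();
                    sigTokId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
                }
            } else if (sigToken instanceof UsernameToken) {
                unassertPolicy(sbinding, "UsernameTokens not supported with Symmetric binding");
                return;
            }
            assertToken(sigToken);
        } else {
            unassertPolicy(sbinding, "No signature token");
            return;
        }
        if (sigTok == null && StringUtils.isEmpty(sigTokId)) {
            unassertPolicy(sigAbstractTokenWrapper, "No signature token id");
            return;
        }
        if (sigTok == null) {
            // Normalise a "#id" reference to a bare id before the store lookup,
            // matching doEncryptBeforeSign. NOTE(review): the lookup may still
            // return null; storeSecurityToken/doSignature are then handed a null
            // token exactly as before this change.
            sigTok = TokenStoreUtils.getTokenStore(message).getToken(XMLUtils.getIDFromReference(sigTokId));
        }
        // Store key (a requestor's Kerberos token is handled by addKerberosToken above).
        if (!(MessageUtils.isRequestor(message) && sigToken instanceof KerberosToken)) {
            storeSecurityToken(sigToken, sigTok);
        }
        // Signed parts: the Timestamp (if one was added) first, then the policy's
        // signed parts, then SignatureConfirmation on the responder side.
        List<SecurePart> sigs = new ArrayList<>();
        if (timestampAdded) {
            SecurePart part = new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
            sigs.add(part);
        }
        sigs.addAll(this.getSignedParts());
        if (!isRequestor()) {
            addSignatureConfirmation(sigs);
        }
        if (!sigs.isEmpty()) {
            doSignature(sigAbstractTokenWrapper, sigToken, sigTok, sigs);
        }
        addSupportingTokens();
        removeSignatureIfSignedSAML();
        prependSignatureToSC();
        // Encryption
        List<SecurePart> enc = getEncryptedParts();
        // Signature protection: encrypt the Signature (and SignatureConfirmation,
        // when present) so the signature value is not visible in transit.
        if (sbinding.isEncryptSignature()) {
            SecurePart part = new SecurePart(new QName(WSSConstants.NS_DSIG, "Signature"), Modifier.Element);
            enc.add(part);
            if (signatureConfirmationAdded) {
                part = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
                enc.add(part);
            }
            assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
        }
        // Requestor additionally encrypts the supporting tokens collected earlier.
        if (isRequestor()) {
            enc.addAll(encryptedTokensList);
        }
        AbstractTokenWrapper encrAbstractTokenWrapper = getEncryptionToken();
        doEncryption(encrAbstractTokenWrapper, enc, false);
        putCustomTokenAfterSignature();
    } catch (Exception e) {
        // NOTE(review): unlike doEncryptBeforeSign, RuntimeExceptions are wrapped
        // in a Fault here as well; callers catching Fault see both.
        throw new Fault(e);
    }
}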
/**
 * Configures the outbound encryption for the symmetric binding on the shared
 * {@code WSSSecurityProperties}: the encryption action (plain or with derived
 * keys), the encrypted parts, how the encryption key is referenced, whether the
 * token is included, the suite's key-wrap and data-encryption algorithms, and the
 * encryption user.
 *
 * <p>Does nothing when {@code recToken} or its token is null. Like the signature
 * side, the key-identifier assignments are order sensitive (later calls overwrite
 * earlier ones in the derived-key cases).
 *
 * @param recToken    policy wrapper around the encryption token
 * @param encrParts   parts to encrypt
 * @param externalRef NOTE(review): not referenced anywhere in this method
 * @throws SOAPException declared for callers; nothing in this body throws it visibly
 */
private void doEncryption(AbstractTokenWrapper recToken, List<SecurePart> encrParts, boolean externalRef)
    throws SOAPException {
    // Do encryption
    if (recToken != null && recToken.getToken() != null) {
        AbstractToken encrToken = recToken.getToken();
        AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
        // Action: plain ENCRYPT unless the token requires derived keys.
        WSSSecurityProperties properties = getProperties();
        WSSConstants.Action actionToPerform = WSSConstants.ENCRYPT;
        if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
            actionToPerform = WSSConstants.ENCRYPT_WITH_DERIVED_KEY;
            // Requestor with X509 derives from the EncryptedKey it emits; otherwise
            // the DerivedKeyToken references the existing token directly.
            if (MessageUtils.isRequestor(message) && recToken.getToken() instanceof X509Token) {
                properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.EncryptedKey);
            } else {
                properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.DirectReference);
            }
            // Suite value is in bits; WSS4J expects bytes.
            AlgorithmSuiteType algSuiteType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
            properties.setDerivedEncryptionKeyLength(algSuiteType.getEncryptionDerivedKeyLength() / 8);
        }
        if (recToken.getVersion() == SPConstants.SPVersion.SP12) {
            properties.setUse200512Namespace(true);
        }
        properties.getEncryptionSecureParts().addAll(encrParts);
        properties.addAction(actionToPerform);
        // Key identifier, by direction and token type. The first branch consumes the
        // requestor case, so the `!isRequestor()` guards on the else-if branches are
        // always true there and only document intent.
        if (isRequestor()) {
            properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken));
            properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
        } else if (recToken.getToken() instanceof KerberosToken && !isRequestor()) {
            properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
            properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
            if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
            }
        } else if ((recToken.getToken() instanceof IssuedToken
            || recToken.getToken() instanceof SecureConversationToken
            || recToken.getToken() instanceof SpnegoContextToken) && !isRequestor()) {
            // NOTE(review): SecurityContextToken is not in this list (it is in the
            // equivalent branch of doSignature and in the final check below), so a
            // responder with an SCT falls through to the EncryptedKey-SHA1 branch.
            // Confirm whether that is intended.
            properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
        } else {
            // Responder with an X509 (or other) token: reference the inbound
            // EncryptedKey by SHA1, or via a DerivedKeyToken when derived keys are used.
            properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
            if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
                properties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
                properties.setEncryptSymmetricEncryptionKey(false);
            }
        }
        // Find out do we also need to include the token as per the Inclusion requirement.
        // Only X509 tokens referenced by IssuerSerial, Thumbprint or direct reference
        // are included; every other combination leaves the token out of the header.
        WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getEncryptionKeyIdentifier();
        if (encrToken instanceof X509Token && isTokenRequired(encrToken.getIncludeTokenType())
            && (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier)
            || WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(keyIdentifier)
            || WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(keyIdentifier))) {
            properties.setIncludeEncryptionToken(true);
        } else {
            properties.setIncludeEncryptionToken(false);
        }
        // Algorithms come from the policy's algorithm suite, never from config.
        properties.setEncryptionKeyTransportAlgorithm(algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap());
        properties.setEncryptionSymAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
        // Encryption user: ENCRYPT_USERNAME, falling back to USERNAME; an explicit
        // value already on the properties wins over both.
        String encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
        if (encUser == null) {
            encUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
        }
        if (encUser != null && properties.getEncryptionUser() == null) {
            properties.setEncryptionUser(encUser);
        }
        // The "useReqSigCert" sentinel makes a responder encrypt for the certificate
        // that signed the request instead of a configured alias.
        if (ConfigurationConstants.USE_REQ_SIG_CERT.equals(encUser)) {
            properties.setUseReqSigCertForEncryption(true);
        }
        // These token types already carry the symmetric key; do not wrap it again
        // in an EncryptedKey.
        if (encrToken instanceof KerberosToken || encrToken instanceof IssuedToken
            || encrToken instanceof SpnegoContextToken || encrToken instanceof SecurityContextToken
            || encrToken instanceof SecureConversationToken) {
            properties.setEncryptSymmetricEncryptionKey(false);
        }
    }
}
/**
 * Applies the symmetric binding's "encrypt before sign" layout to the outbound
 * message: resolves the encryption token, configures encryption of the encrypted
 * parts (plus the Signature/SignatureConfirmation when policy asks for signature
 * protection), then configures the signature over the timestamp and signed parts.
 *
 * <p>Policy outcome is reported through {@code assertToken}/{@code unassertPolicy}.
 * Runtime exceptions propagate unchanged; checked exceptions are wrapped in a
 * {@code Fault}.
 */
private void doEncryptBeforeSign() {
    try {
        AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
        assertTokenWrapper(encryptionWrapper);
        AbstractToken encryptionToken = encryptionWrapper.getToken();
        String tokenId = null;
        SecurityToken tok = null;
        // NOTE(review): a null encryptionToken matches none of these branches and
        // is only checked much later (`encryptionToken != null` before encryption);
        // assertToken(null) and the token-store lookup run first. doSignBeforeEncrypt
        // unasserts the policy early instead — confirm the intended behaviour here.
        if (encryptionToken instanceof KerberosToken) {
            tok = getSecurityToken();
            if (MessageUtils.isRequestor(message)) {
                addKerberosToken((KerberosToken) encryptionToken, false, true, true);
            }
        } else if (encryptionToken instanceof IssuedToken) {
            tok = getSecurityToken();
            addIssuedToken((IssuedToken) encryptionToken, tok, false, true);
            // Responder without a cached token: use the inbound SAML token.
            if (tok == null && !isRequestor()) {
                org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
                    findInboundSecurityToken(WSSecurityEventConstants.SAML_TOKEN);
                tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
            }
        } else if (encryptionToken instanceof SecureConversationToken
            || encryptionToken instanceof SecurityContextToken
            || encryptionToken instanceof SpnegoContextToken) {
            tok = getSecurityToken();
            if (tok != null && isRequestor()) {
                // Requestor emits the context token itself as a custom token.
                WSSSecurityProperties properties = getProperties();
                WSSConstants.Action actionToPerform = WSSConstants.CUSTOM_TOKEN;
                properties.addAction(actionToPerform);
            } else if (tok == null && !isRequestor()) {
                // Responder without a cached token: use the inbound SCT.
                org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
                    findInboundSecurityToken(WSSecurityEventConstants.SECURITY_CONTEXT_TOKEN);
                tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
            }
        } else if (encryptionToken instanceof X509Token) {
            if (isRequestor()) {
                // Requestor creates the EncryptedKey carrying the symmetric key.
                tokenId = setupEncryptedKey(encryptionWrapper, encryptionToken);
            } else {
                // Responder reuses the EncryptedKey received on the request.
                org.apache.xml.security.stax.securityToken.SecurityToken securityToken = findEncryptedKeyToken();
                tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
            }
        } else if (encryptionToken instanceof UsernameToken) {
            unassertPolicy(sbinding, "UsernameTokens not supported with Symmetric binding");
            return;
        }
        assertToken(encryptionToken);
        if (tok == null) {
            // Strip a leading '#' so a reference can be used as a store key.
            tokenId = XMLUtils.getIDFromReference(tokenId);
            // Get hold of the token from the token storage
            // NOTE(review): unlike doSignBeforeEncrypt there is no "empty id" guard
            // here; a null/missing token is passed on to storeSecurityToken and
            // doSignature unchecked.
            tok = TokenStoreUtils.getTokenStore(message).getToken(tokenId);
        }
        // Store key (a requestor's Kerberos token is handled by addKerberosToken above).
        if (!(MessageUtils.isRequestor(message) && encryptionToken instanceof KerberosToken)) {
            storeSecurityToken(encryptionToken, tok);
        }
        List<SecurePart> encrParts = null;
        List<SecurePart> sigParts = null;
        try {
            encrParts = getEncryptedParts();
            // Signed parts are determined before encryption because encrypted signed headers
            // will not be included otherwise
            sigParts = getSignedParts();
        } catch (SOAPException ex) {
            throw new Fault(ex);
        }
        addSupportingTokens();
        // Encryption is configured only when there is something to encrypt; when
        // encrParts is empty the EncryptSignature handling below is skipped too.
        if (encryptionToken != null && encrParts.size() > 0) {
            if (isRequestor()) {
                encrParts.addAll(encryptedTokensList);
            }
            // Signature protection: the Signature (and SignatureConfirmation when
            // present) is added to the encrypted parts even though the signature is
            // configured after encryption in this layout.
            if (sbinding.isEncryptSignature()) {
                SecurePart part = new SecurePart(new QName(WSSConstants.NS_DSIG, "Signature"), Modifier.Element);
                encrParts.add(part);
                if (signatureConfirmationAdded) {
                    part = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
                    encrParts.add(part);
                }
                assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
            }
            doEncryption(encryptionWrapper, encrParts, true);
        }
        if (timestampAdded) {
            SecurePart part = new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
            sigParts.add(part);
        }
        // NOTE(review): sigParts was initialised from getSignedParts() above, so the
        // policy's signed parts are appended a second time here. Whether the
        // downstream signature code de-duplicates SecureParts is not visible from
        // this file — confirm before relying on it.
        sigParts.addAll(this.getSignedParts());
        if (sigParts.size() > 0) {
            AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
            if (sigAbstractTokenWrapper != null) {
                AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
                // The token resolved for encryption (`tok`) is reused for signing;
                // the responder also signs a SignatureConfirmation.
                if (isRequestor()) {
                    doSignature(sigAbstractTokenWrapper, sigToken, tok, sigParts);
                } else {
                    addSignatureConfirmation(sigParts);
                    doSignature(sigAbstractTokenWrapper, sigToken, tok, sigParts);
                }
            }
        }
        removeSignatureIfSignedSAML();
        enforceEncryptBeforeSigningWithSignedSAML();
        prependSignatureToSC();
        putCustomTokenAfterSignature();
    } catch (RuntimeException ex) {
        // Pass runtime failures through untouched (doSignBeforeEncrypt wraps them).
        throw ex;
    } catch (Exception ex) {
        throw new Fault(ex);
    }
}