public static boolean containsSecureUserTokenPolicy(UserTokenPolicy[] userIdentityTokens) {
if (userIdentityTokens != null)
for (UserTokenPolicy p : userIdentityTokens)
if (p.getSecurityPolicyUri() != null
&& !p.getSecurityPolicyUri().equals(SecurityPolicy.NONE)) return true;
return false;
}
/**
* Create anonymous user identity token
*
* @param ep
* @return user identity token
* @throws ServiceResultException if endpoint or the stack doesn't support Anonymous token policy
*/
public static UserIdentityToken createAnonymousIdentityToken(EndpointDescription ep)
throws ServiceResultException {
UserTokenPolicy policy = ep.findUserTokenPolicy(UserTokenType.Anonymous);
if (policy == null)
throw new ServiceResultException(
StatusCodes.Bad_IdentityTokenRejected, "Anonymous UserTokenType is not supported");
return new AnonymousIdentityToken(policy.getPolicyId());
}
/**
* Create user identity token based on an issued token
*
* @param ep
* @param senderNonce
* @param issuedIdentityToken
* @return user identity token
* @throws ServiceResultException if endpoint or the stack doesn't support UserName token policy
*/
public static UserIdentityToken createIssuedIdentityToken(
EndpointDescription ep, byte[] senderNonce, byte[] issuedIdentityToken)
throws ServiceResultException {
UserTokenPolicy policy = ep.findUserTokenPolicy(UserTokenType.IssuedToken);
if (policy == null)
throw new ServiceResultException(
StatusCodes.Bad_IdentityTokenRejected, "IssuedToken not supported");
String securityPolicyUri = policy.getSecurityPolicyUri();
if (securityPolicyUri == null) securityPolicyUri = ep.getSecurityPolicyUri();
SecurityPolicy securityPolicy = SecurityPolicy.getSecurityPolicy(securityPolicyUri);
if (securityPolicy == null) securityPolicy = SecurityPolicy.NONE;
IssuedIdentityToken token = new IssuedIdentityToken();
token.setTokenData(issuedIdentityToken);
// Encrypt the token
SecurityAlgorithm algorithmUri = securityPolicy.getAsymmetricEncryptionAlgorithm();
if (algorithmUri == null) algorithmUri = SecurityAlgorithm.RsaOaep;
try {
Cipher cipher = Cipher.getInstance(algorithmUri.getStandardName());
Cert serverCert = new Cert(ep.getServerCertificate());
cipher.init(Cipher.ENCRYPT_MODE, serverCert.getCertificate());
byte[] tokenData = issuedIdentityToken;
if (senderNonce != null)
tokenData =
ByteBufferUtils.concatenate(
toArray(issuedIdentityToken.length + senderNonce.length),
issuedIdentityToken,
senderNonce);
token.setTokenData(cipher.doFinal(tokenData));
token.setEncryptionAlgorithm(algorithmUri.getUri());
} catch (InvalidKeyException e) {
// Server certificate does not have encrypt usage
throw new ServiceResultException(
StatusCodes.Bad_CertificateInvalid,
"Server certificate in endpoint is invalid: " + e.getMessage());
} catch (IllegalBlockSizeException e) {
throw new ServiceResultException(
StatusCodes.Bad_SecurityPolicyRejected, e.getClass().getName() + ":" + e.getMessage());
} catch (BadPaddingException e) {
throw new ServiceResultException(
StatusCodes.Bad_CertificateInvalid,
"Server certificate in endpoint is invalid: " + e.getMessage());
} catch (NoSuchAlgorithmException e) {
throw new ServiceResultException(StatusCodes.Bad_InternalError, e);
} catch (NoSuchPaddingException e) {
throw new ServiceResultException(StatusCodes.Bad_InternalError, e);
}
return token;
}
/**
* Create user identity token based on username and password
*
* @param ep
* @param username
* @param password
* @return user identity token
* @throws ServiceResultException if endpoint or the stack doesn't support UserName token policy
*/
public static UserIdentityToken createUserNameIdentityToken(
EndpointDescription ep, byte[] senderNonce, String username, String password)
throws ServiceResultException {
UserTokenPolicy policy = ep.findUserTokenPolicy(UserTokenType.UserName);
if (policy == null)
throw new ServiceResultException(
StatusCodes.Bad_IdentityTokenRejected, "UserName not supported");
String securityPolicyUri = policy.getSecurityPolicyUri();
if (securityPolicyUri == null) securityPolicyUri = ep.getSecurityPolicyUri();
SecurityPolicy securityPolicy = SecurityPolicy.getSecurityPolicy(securityPolicyUri);
if (securityPolicy == null) securityPolicy = SecurityPolicy.NONE;
UserNameIdentityToken token = new UserNameIdentityToken();
token.setUserName(username);
token.setPolicyId(policy.getPolicyId());
// Encrypt the password, unless no security is defined
SecurityAlgorithm algorithm = securityPolicy.getAsymmetricEncryptionAlgorithm();
byte[] pw = password.getBytes(BinaryEncoder.UTF8);
if (algorithm == null) token.setPassword(pw);
else
try {
Cert serverCert = new Cert(ep.getServerCertificate());
if (senderNonce != null)
pw =
ByteBufferUtils.concatenate(toArray(pw.length + senderNonce.length), pw, senderNonce);
else pw = ByteBufferUtils.concatenate(toArray(pw.length), pw);
pw = CryptoUtil.asymmEncrypt(pw, serverCert.getCertificate().getPublicKey(), algorithm);
token.setPassword(pw);
} catch (InvalidKeyException e) {
// Server certificate does not have encrypt usage
throw new ServiceResultException(
StatusCodes.Bad_CertificateInvalid,
"Server certificate in endpoint is invalid: " + e.getMessage());
} catch (IllegalBlockSizeException e) {
throw new ServiceResultException(
StatusCodes.Bad_SecurityPolicyRejected, e.getClass().getName() + ":" + e.getMessage());
} catch (BadPaddingException e) {
throw new ServiceResultException(
StatusCodes.Bad_CertificateInvalid,
"Server certificate in endpoint is invalid: " + e.getMessage());
} catch (NoSuchAlgorithmException e) {
throw new ServiceResultException(StatusCodes.Bad_InternalError, e);
} catch (NoSuchPaddingException e) {
throw new ServiceResultException(StatusCodes.Bad_InternalError, e);
}
token.setEncryptionAlgorithm(algorithm.getUri());
return token;
}
public static X509IdentityToken createX509IdentityToken(
EndpointDescription ep,
byte[] serverNonce,
Cert certificate,
PrivateKey key,
SignatureData signatureData)
throws ServiceResultException {
if (signatureData == null)
throw new NullPointerException("signatureData must be defined (will be filled in)");
UserTokenPolicy policy = ep.findUserTokenPolicy(UserTokenType.Certificate);
if (policy == null)
throw new ServiceResultException(
StatusCodes.Bad_IdentityTokenRejected, "Certificate UserTokenType is not supported");
X509IdentityToken token = new X509IdentityToken(policy.getPolicyId(), certificate.getEncoded());
String securityPolicyUri = policy.getSecurityPolicyUri();
if (securityPolicyUri == null) securityPolicyUri = ep.getSecurityPolicyUri();
SecurityPolicy securityPolicy = SecurityPolicy.getSecurityPolicy(securityPolicyUri);
Cert serverCert = new Cert(ep.getServerCertificate());
if ((securityPolicy != null) && (serverCert != null))
try {
// Create a Signature object and initialize it with the private
// key
Signature signature =
Signature.getInstance(
securityPolicy.getAsymmetricSignatureAlgorithm().getTransformation());
signature.initSign(key);
signature.update(serverCert.getEncoded());
signature.update(serverNonce);
signatureData.setSignature(signature.sign());
signatureData.setAlgorithm(securityPolicy.getAsymmetricSignatureAlgorithm().getUri());
} catch (NoSuchAlgorithmException e) {
throw new ServiceResultException(
StatusCodes.Bad_SecurityChecksFailed, "Signature generation failed: " + e.getMessage());
} catch (InvalidKeyException e) {
// Server certificate does not have encrypt usage
throw new ServiceResultException(
StatusCodes.Bad_CertificateInvalid,
"Server certificate in endpoint is invalid: " + e.getMessage());
} catch (SignatureException e) {
throw new ServiceResultException(
StatusCodes.Bad_SecurityChecksFailed, "Signature generation failed: " + e.getMessage());
}
return token;
}