
Add the option to also include an encryption token

git-svn-id: https://svn.apache.org/repos/asf/webservices/wss4j/trunk@1571742 13f79535-47bb-0310-9956-ffa450edef68
1 parent ed2bd5a commit 9221c69be864015e72f90b183b01211ace089dc8 @coheigea coheigea committed Feb 25, 2014
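--- a/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java
+++ b/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java
@@ -503,11 +503,18 @@ protected ConfigurationConstants() {
 /**
 * Whether to include the Signature Token in the security header as well or not. This is only
- * applicable to the IssuerSerial and Thumbprint Key Identifier cases. The default is false.
+ * applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases. The default is false.
 */
 public static final String INCLUDE_SIGNATURE_TOKEN = "includeSignatureToken";
 /**
+ * Whether to include the Encryption token (BinarySecurityToken) in the security header as well
+ * or not. This is only applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases.
+ * The default is false.
+ */
+ public static final String INCLUDE_ENCRYPTION_TOKEN = "includeEncryptionToken";
+
+ /**
 * Whether to cache UsernameToken nonces. The default value is "true".
 */
 public static final String ENABLE_NONCE_CACHE = "enableNonceCache";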
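--- a/ws-security-common/src/main/java/org/apache/wss4j/common/SignatureActionToken.java
+++ b/ws-security-common/src/main/java/org/apache/wss4j/common/SignatureActionToken.java
@@ -25,7 +25,6 @@
 public class SignatureActionToken extends SignatureEncryptionActionToken {
 private String c14nAlgorithm;
- private boolean includeSignatureToken = true;
 private boolean useSingleCert = true;
 private String signatureAlgorithm;
@@ -35,12 +34,6 @@ public String getC14nAlgorithm() {
 public void setC14nAlgorithm(String c14nAlgorithm) {
 this.c14nAlgorithm = c14nAlgorithm;
 }
- public boolean isIncludeSignatureToken() {
- return includeSignatureToken;
- }
- public void setIncludeSignatureToken(boolean includeSignatureToken) {
- this.includeSignatureToken = includeSignatureToken;
- }
 public boolean isUseSingleCert() {
 return useSingleCert;
 }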
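Review bot: Removing `private boolean includeSignatureToken = true;` silently changes the default for callers that build a SignatureActionToken programmatically: the replacement field `includeToken` added to SignatureEncryptionActionToken in the next file of this commit is an uninitialised boolean, so it defaults to false where the signature token previously defaulted to true. Config-driven use through WSHandler is unaffected because decodeSignatureParameter sets the value explicitly, but direct users of the token will stop emitting the signing BinarySecurityToken unless they now call `setIncludeToken(true)`. Dropping the public `isIncludeSignatureToken`/`setIncludeSignatureToken` accessors is also a source-incompatible change (the test in this commit had to be edited for it); keeping them as `@Deprecated` one-line delegates to `isIncludeToken`/`setIncludeToken` would let existing callers compile. If the old default is meant to survive, set it in this class's constructor, e.g. `public SignatureActionToken() { setIncludeToken(true); }`, or in its existing constructor if one lies outside the hunk. The class body continues past the hunk.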
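--- a/ws-security-common/src/main/java/org/apache/wss4j/common/SignatureEncryptionActionToken.java
+++ b/ws-security-common/src/main/java/org/apache/wss4j/common/SignatureEncryptionActionToken.java
@@ -54,6 +54,7 @@
 private String derivedKeyTokenReference;
 private int derivedKeyLength;
 private int derivedKeyIdentifier;
+ private boolean includeToken;
 public X509Certificate getCertificate() {
 return certificate;
@@ -174,5 +175,11 @@ public int getDerivedKeyIdentifier() {
 public void setDerivedKeyIdentifier(int derivedKeyIdentifier) {
 this.derivedKeyIdentifier = derivedKeyIdentifier;
 }
+ public boolean isIncludeToken() {
+ return includeToken;
+ }
+ public void setIncludeToken(boolean includeToken) {
+ this.includeToken = includeToken;
+ }
 }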
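Review bot: The new `isIncludeToken`/`setIncludeToken` accessors have no Javadoc, and on a class that backs both signature and encryption tokens the bare name `includeToken` does not say what is included — elsewhere in this commit SignatureAction reads it as the signing BST and EncryptionAction as the encryption BST. Add above `isIncludeToken()` a comment such as `/** Whether to also emit the X.509 certificate used for signing or encryption as a BinarySecurityToken in the security header, in addition to the key identifier reference. Only relevant to the IssuerSerial, Thumbprint and SKI key identifier cases; defaults to false. */`. The class header is outside the hunk.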
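--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
@@ -68,6 +68,8 @@ public void execute(WSHandler handler, SecurityActionToken actionToken,
 wsEncrypt.setMGFAlgorithm(encryptionToken.getMgfAlgorithm());
 }
+ wsEncrypt.setIncludeEncryptionToken(encryptionToken.isIncludeToken());
+
 wsEncrypt.setUserInfo(encryptionToken.getUser());
 wsEncrypt.setUseThisCert(encryptionToken.getCertificate());
 Crypto crypto = encryptionToken.getCrypto();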
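--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java
@@ -71,7 +71,7 @@ public void execute(WSHandler handler, SecurityActionToken actionToken,
 wsSign.setSigCanonicalization(signatureToken.getC14nAlgorithm());
 }
- wsSign.setIncludeSignatureToken(signatureToken.isIncludeSignatureToken());
+ wsSign.setIncludeSignatureToken(signatureToken.isIncludeToken());
 wsSign.setUserInfo(signatureToken.getUser(), passwordCallback.getPassword());
 wsSign.setUseSingleCertificate(signatureToken.isUseSingleCert());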
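--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
@@ -609,8 +609,8 @@ protected void decodeSignatureParameter(RequestData reqData)
 boolean useSingleCert = decodeUseSingleCertificate(reqData);
 actionToken.setUseSingleCert(useSingleCert);
- boolean includeSignatureToken = decodeIncludeSignatureToken(reqData);
- actionToken.setIncludeSignatureToken(includeSignatureToken);
+ boolean includeToken = decodeIncludeSignatureToken(reqData);
+ actionToken.setIncludeToken(includeToken);
 }
 protected void decodeAlgorithmSuite(RequestData reqData) throws WSSecurityException {
@@ -744,6 +744,9 @@ protected void decodeEncryptionParameter(RequestData reqData)
 if (encParts != null) {
 splitEncParts(false, encParts, actionToken.getParts(), reqData);
 }
+
+ boolean includeToken = decodeIncludeEncryptionToken(reqData);
+ actionToken.setIncludeToken(includeToken);
 }
 /**
@@ -910,6 +913,13 @@ protected boolean decodeIncludeSignatureToken(RequestData reqData)
 );
 }
+ protected boolean decodeIncludeEncryptionToken(RequestData reqData)
+ throws WSSecurityException {
+ return decodeBooleanConfigValue(
+ reqData, WSHandlerConstants.INCLUDE_ENCRYPTION_TOKEN, false
+ );
+ }
+
 protected void decodeRequireSignedEncryptedDataElements(RequestData reqData)
 throws WSSecurityException {
 reqData.setRequireSignedEncryptedDataElements(decodeBooleanConfigValue(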
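Review bot: `decodeIncludeEncryptionToken` is a protected extension point, like `decodeIncludeSignatureToken` just above it, but carries no Javadoc saying which property it reads or what the fallback is; add `/** Decode the INCLUDE_ENCRYPTION_TOKEN configuration flag for this request, defaulting to false when it is not set. */`. In the first two hunks the `includeToken` local is assigned and immediately passed on, so `actionToken.setIncludeToken(decodeIncludeEncryptionToken(reqData));` (and the signature counterpart) reads more directly, though that is a matter of taste. decodeSignatureParameter and decodeEncryptionParameter both begin before their hunks.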
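--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncryptedKey.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncryptedKey.java
@@ -123,6 +123,14 @@
 protected String encKeyId;
 /**
+ * BinarySecurityToken to be included in the case where BST_DIRECT_REFERENCE
+ * is used to refer to the asymmetric encryption cert
+ */
+ protected BinarySecurity bstToken;
+
+ protected X509Certificate useThisCert;
+
+ /**
 * Custom token value
 */
 private String customEKTokenValueType;
@@ -132,13 +140,8 @@
 */
 private String customEKTokenId;
- /**
- * BinarySecurityToken to be included in the case where BST_DIRECT_REFERENCE
- * is used to refer to the asymmetric encryption cert
- */
- protected BinarySecurity bstToken;
-
- protected X509Certificate useThisCert;
+ private boolean bstAddedToSecurityHeader;
+ private boolean includeEncryptionToken;
 public WSSecEncryptedKey() {
 super();
@@ -327,6 +330,10 @@ protected void prepareInternal(
 case WSConstants.SKI_KEY_IDENTIFIER:
 secToken.setKeyIdentifierSKI(remoteCert, crypto);
+
+ if (includeEncryptionToken) {
+ addBST(remoteCert);
+ }
 break;
 case WSConstants.THUMBPRINT_IDENTIFIER:
@@ -336,6 +343,10 @@ protected void prepareInternal(
 // ThumbprintRSA.
 //
 secToken.setKeyIdentifierThumb(remoteCert);
+
+ if (includeEncryptionToken) {
+ addBST(remoteCert);
+ }
 break;
 case WSConstants.ISSUER_SERIAL:
@@ -347,6 +358,10 @@ protected void prepareInternal(
 );
 DOMX509Data domX509Data = new DOMX509Data(document, domIssuerSerial);
 secToken.setX509Data(domX509Data);
+
+ if (includeEncryptionToken) {
+ addBST(remoteCert);
+ }
 break;
 case WSConstants.BST_DIRECT_REFERENCE:
@@ -425,6 +440,17 @@ protected void prepareInternal(
 envelope = document.getDocumentElement();
 }
+
+ /**
+ * Add a BinarySecurityToken
+ */
+ private void addBST(X509Certificate cert) throws WSSecurityException {
+ bstToken = new X509Security(document);
+ ((X509Security) bstToken).setX509Certificate(cert);
+
+ bstAddedToSecurityHeader = false;
+ bstToken.setID(IDGenerator.generateID(null));
+ }
 protected KeyGenerator getKeyGenerator() throws WSSecurityException {
 try {
@@ -536,12 +562,12 @@ public void appendToHeader(WSSecHeader secHeader) {
 * @param secHeader The security header that holds the BST element.
 */
 public void prependBSTElementToHeader(WSSecHeader secHeader) {
- if (bstToken != null) {
+ if (bstToken != null && !bstAddedToSecurityHeader) {
 WSSecurityUtil.prependChildElement(
 secHeader.getSecurityHeader(), bstToken.getElement()
 );
+ bstAddedToSecurityHeader = true;
 }
- bstToken = null;
 }
 /**
@@ -554,11 +580,11 @@ public void prependBSTElementToHeader(WSSecHeader secHeader) {
 * @param secHeader The security header that holds the BST element.
 */
 public void appendBSTElementToHeader(WSSecHeader secHeader) {
- if (bstToken != null) {
+ if (bstToken != null && !bstAddedToSecurityHeader) {
 Element secHeaderElement = secHeader.getSecurityHeader();
 secHeaderElement.appendChild(bstToken.getElement());
+ bstAddedToSecurityHeader = true;
 }
- bstToken = null;
 }
 /**
@@ -750,5 +776,13 @@ public void setSymmetricKey(SecretKey key) {
 this.symmetricKey = key;
 }
+ public boolean isIncludeEncryptionToken() {
+ return includeEncryptionToken;
+ }
+
+ public void setIncludeEncryptionToken(boolean includeEncryptionToken) {
+ this.includeEncryptionToken = includeEncryptionToken;
+ }
+
 }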
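Review bot: `bstAddedToSecurityHeader` is cleared only inside `addBST`, which the SKI, Thumbprint and IssuerSerial branches of prepareInternal call; the BST_DIRECT_REFERENCE branch (its body lies outside the hunk, after the `case WSConstants.BST_DIRECT_REFERENCE:` label) presumably still assigns `bstToken` directly, as the field's own comment describes. If a WSSecEncryptedKey instance is prepared a second time with a direct reference, the flag is still true from the first prepend/append, `prependBSTElementToHeader` and `appendBSTElementToHeader` skip the fresh token, and the EncryptedKey's direct reference then points at a BinarySecurityToken that is not in the header — the old `bstToken = null;` after insertion kept reuse safe. Either route that branch through `addBST(remoteCert)` as well, or reset the flag at the top of prepareInternal with `bstAddedToSecurityHeader = false;`. Separately, `setIncludeEncryptionToken` would benefit from a Javadoc noting it only has an effect for the SKI, Thumbprint and IssuerSerial key identifier cases, since a direct reference always carries the token.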
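--- a/ws-security-dom/src/test/java/org/apache/wss4j/dom/handler/SecurityActionTokenTest.java
+++ b/ws-security-dom/src/test/java/org/apache/wss4j/dom/handler/SecurityActionTokenTest.java
@@ -174,7 +174,7 @@ public void testAsymmetricDoubleSignature() throws Exception {
 SignatureActionToken actionToken2 = new SignatureActionToken();
 actionToken2.setUser("16c73ab6-b892-458f-abf5-2f875f74882e");
 actionToken2.setCryptoProperties("crypto.properties");
- actionToken2.setIncludeSignatureToken(false);
+ actionToken2.setIncludeToken(false);
 WSEncryptionPart encP =
 new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, "");
 actionToken2.setParts(Collections.singletonList(encP));
@@ -288,6 +288,42 @@ public void testAsymmetricEncryption() throws Exception {
 }
 @org.junit.Test
+ public void testAsymmetricEncryptionIncludeToken() throws Exception {
+ final WSSConfig cfg = WSSConfig.getNewInstance();
+ final RequestData reqData = new RequestData();
+ reqData.setWssConfig(cfg);
+ java.util.Map<String, Object> messageContext = new java.util.TreeMap<String, Object>();
+ messageContext.put(
+ WSHandlerConstants.PW_CALLBACK_REF, new KeystoreCallbackHandler()
+ );
+ reqData.setMsgContext(messageContext);
+
+ EncryptionActionToken actionToken = new EncryptionActionToken();
+ actionToken.setUser("wss40");
+ actionToken.setCryptoProperties("wss40.properties");
+ actionToken.setIncludeToken(true);
+
+ final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ CustomHandler handler = new CustomHandler();
+ List<HandlerAction> actions = new ArrayList<HandlerAction>();
+ actions.add(new HandlerAction(WSConstants.ENCR, actionToken));
+ handler.send(
+ doc,
+ reqData,
+ actions,
+ true
+ );
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+
+ verify(doc, new KeystoreCallbackHandler());
+ }
+
+ @org.junit.Test
 public void testSymmetricEncryption() throws Exception {
 final WSSConfig cfg = WSSConfig.getNewInstance();
 final RequestData reqData = new RequestData();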
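Review bot: `testAsymmetricEncryptionIncludeToken` only checks that the message still decrypts through `verify(doc, ...)`; it never asserts that a BinarySecurityToken was actually written, so the new include-token path could be a no-op and the test would still pass. The flag also only applies to the IssuerSerial, Thumbprint and SKI key identifiers, and the test leaves the EncryptionActionToken's key identifier at a default that is not visible here — if that default is BST_DIRECT_REFERENCE the token is emitted regardless of the flag and the new branches in WSSecEncryptedKey are never reached. Set the key identifier explicitly to one of the three applicable values, and assert on the serialized output, e.g. `String outputString = XMLUtils.PrettyDocumentToString(doc);` followed by `org.junit.Assert.assertTrue(outputString.contains("BinarySecurityToken"));` outside the `LOG.isDebugEnabled()` guard. A counterpart with `setIncludeToken(false)` asserting the element is absent would pin both sides of the flag.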
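--- a/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java
+++ b/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java
@@ -447,6 +447,10 @@ public static void parseBooleanProperties(
 decodeBooleanConfigValue(ConfigurationConstants.INCLUDE_SIGNATURE_TOKEN, false, config);
 properties.setIncludeSignatureToken(includeSignatureToken);
+ boolean includeEncryptionToken =
+ decodeBooleanConfigValue(ConfigurationConstants.INCLUDE_ENCRYPTION_TOKEN, false, config);
+ properties.setIncludeEncryptionToken(includeEncryptionToken);
+
 boolean enableTimestampCache =
 decodeBooleanConfigValue(ConfigurationConstants.ENABLE_TIMESTAMP_CACHE, true, config);
 properties.setEnableTimestampReplayCache(enableTimestampCache);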
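--- a/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
+++ b/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
@@ -99,6 +99,7 @@
 private String signatureUser;
 private boolean enableSignatureConfirmationVerification = false;
 private boolean includeSignatureToken;
+ private boolean includeEncryptionToken;
 private WSSCrypto signatureVerificationWSSCrypto;
 private CertStore crlCertStore;
 private WSSCrypto decryptionWSSCrypto;
@@ -152,6 +153,7 @@ public WSSSecurityProperties(WSSSecurityProperties wssSecurityProperties) {
 this.signatureUser = wssSecurityProperties.signatureUser;
 this.enableSignatureConfirmationVerification = wssSecurityProperties.enableSignatureConfirmationVerification;
 this.includeSignatureToken = wssSecurityProperties.includeSignatureToken;
+ this.includeEncryptionToken = wssSecurityProperties.includeEncryptionToken;
 this.signatureVerificationWSSCrypto = wssSecurityProperties.signatureVerificationWSSCrypto;
 this.crlCertStore = wssSecurityProperties.crlCertStore;
 this.decryptionWSSCrypto = wssSecurityProperties.decryptionWSSCrypto;
@@ -865,6 +867,14 @@ public void setIncludeSignatureToken(boolean includeSignatureToken) {
 this.includeSignatureToken = includeSignatureToken;
 }
+ public boolean isIncludeEncryptionToken() {
+ return includeEncryptionToken;
+ }
+
+ public void setIncludeEncryptionToken(boolean includeEncryptionToken) {
+ this.includeEncryptionToken = includeEncryptionToken;
+ }
+
 public boolean isEnableTimestampReplayCache() {
 return enableTimestampReplayCache;
 }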
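--- a/.../java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java
+++ b/.../java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java
@@ -73,33 +73,36 @@ public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputPro
 securityToken = (GenericOutboundSecurityToken)tokenProvider.getSecurityToken();
 }
 }
+
+ boolean includeToken = false;
+ WSSecurityTokenConstants.KeyIdentifier keyIdentifier = null;
+ if (WSSConstants.SIGNATURE.equals(action) || WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
+ includeToken = ((WSSSecurityProperties) getSecurityProperties()).isIncludeSignatureToken();
+ keyIdentifier = getSecurityProperties().getSignatureKeyIdentifier();
+ } else if (WSSConstants.ENCRYPT.equals(action)) {
+ includeToken = ((WSSSecurityProperties) getSecurityProperties()).isIncludeEncryptionToken();
+ keyIdentifier = getSecurityProperties().getEncryptionKeyIdentifier();
+ }
 if (securityToken != null) {
- if (WSSConstants.SIGNATURE.equals(action) || WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
- boolean includeSignatureToken =
- ((WSSSecurityProperties) getSecurityProperties()).isIncludeSignatureToken();
- if ((includeSignatureToken
- || WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(getSecurityProperties().getSignatureKeyIdentifier()))
- && (securityToken.getTokenType() == null
- || WSSecurityTokenConstants.X509V3Token.equals(securityToken.getTokenType()))) {
- FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(securityToken);
- finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
- finalBinarySecurityTokenOutputProcessor.setAction(getAction());
- finalBinarySecurityTokenOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
- finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
- securityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
- }
+ if ((WSSConstants.SIGNATURE.equals(action) || WSSConstants.SAML_TOKEN_SIGNED.equals(action))
+ && (includeToken || WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(keyIdentifier))
+ && (securityToken.getTokenType() == null || WSSecurityTokenConstants.X509V3Token.equals(securityToken.getTokenType()))) {
+ FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(securityToken);
+ finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
+ finalBinarySecurityTokenOutputProcessor.setAction(getAction());
+ finalBinarySecurityTokenOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
+ finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
+ securityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
 } else if (WSSConstants.ENCRYPT.equals(action)
- && (securityToken.getTokenType() == null
- || WSSecurityTokenConstants.X509V3Token.equals(securityToken.getTokenType()))) {
- if (WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(((WSSSecurityProperties) getSecurityProperties()).getEncryptionKeyIdentifier())) {
- FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(securityToken);
- finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
- finalBinarySecurityTokenOutputProcessor.setAction(getAction());
- finalBinarySecurityTokenOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
- finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
- securityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
- }
+ && (includeToken || WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(keyIdentifier))
+ && (securityToken.getTokenType() == null || WSSecurityTokenConstants.X509V3Token.equals(securityToken.getTokenType()))) {
+ FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(securityToken);
+ finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
+ finalBinarySecurityTokenOutputProcessor.setAction(getAction());
+ finalBinarySecurityTokenOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
+ finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
+ securityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
 } else if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())
 || WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(getAction())
 || WSSConstants.KERBEROS_TOKEN.equals(getAction())) {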
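Review bot: The signature and encryption branches inside `if (securityToken != null)` now repeat the same six-line FinalBinarySecurityTokenOutputProcessor wiring, differing only in `addBeforeProcessor(WSSSignatureOutputProcessor.class.getName())` versus `addAfterProcessor(EncryptEndingOutputProcessor.class.getName())`, and the `(includeToken || KeyIdentifier_SecurityTokenDirectReference.equals(keyIdentifier))` and X509V3Token conditions are duplicated verbatim across both. Hoisting the two shared conditions into locals and moving the wiring into a private helper keeps the branch logic to one line each and makes the next token type a one-line addition rather than another copy. The `(WSSSecurityProperties) getSecurityProperties()` cast in the new selection block is also performed twice and could be a single local. processEvent starts before the hunk and its closing brace is past it; the rewrite below preserves the existing evaluation order and results.
```java
boolean includeToken = false;
WSSecurityTokenConstants.KeyIdentifier keyIdentifier = null;
// … unchanged: per-action includeToken / keyIdentifier selection …
if (securityToken != null) {
    boolean tokenRequested = includeToken
        || WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(keyIdentifier);
    boolean x509Token = securityToken.getTokenType() == null
        || WSSecurityTokenConstants.X509V3Token.equals(securityToken.getTokenType());
    if (tokenRequested && x509Token
        && (WSSConstants.SIGNATURE.equals(action) || WSSConstants.SAML_TOKEN_SIGNED.equals(action))) {
        installFinalProcessor(securityToken, outputProcessorChain,
                              WSSSignatureOutputProcessor.class.getName(), true);
    } else if (tokenRequested && x509Token && WSSConstants.ENCRYPT.equals(action)) {
        installFinalProcessor(securityToken, outputProcessorChain,
                              EncryptEndingOutputProcessor.class.getName(), false);
    } else if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())
    // … unchanged: kerberos branch and the rest of processEvent …

/**
 * Wires a FinalBinarySecurityTokenOutputProcessor for the token, placed before
 * (signature) or after (encryption) the named neighbouring processor.
 */
private void installFinalProcessor(GenericOutboundSecurityToken securityToken,
        OutputProcessorChain outputProcessorChain, String neighbour, boolean before)
        throws XMLSecurityException {
    FinalBinarySecurityTokenOutputProcessor processor =
        new FinalBinarySecurityTokenOutputProcessor(securityToken);
    processor.setXMLSecurityProperties(getSecurityProperties());
    processor.setAction(getAction());
    if (before) {
        processor.addBeforeProcessor(neighbour);
    } else {
        processor.addAfterProcessor(neighbour);
    }
    processor.init(outputProcessorChain);
    securityToken.setProcessor(processor);
}
```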
