TransportBindingBuilder.java
/*
* Copyright 2004,2005 The Apache Software Foundation.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rampart.builder;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.context.MessageContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.RahasConstants;
import org.apache.rahas.TrustException;
import org.apache.rampart.RampartConstants;
import org.apache.rampart.RampartException;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.util.RampartUtil;
import org.apache.ws.secpolicy.SPConstants;
import org.apache.ws.secpolicy.model.AlgorithmSuite;
import org.apache.ws.secpolicy.model.Header;
import org.apache.ws.secpolicy.model.IssuedToken;
import org.apache.ws.secpolicy.model.SecureConversationToken;
import org.apache.ws.secpolicy.model.SignedEncryptedParts;
import org.apache.ws.secpolicy.model.SupportingToken;
import org.apache.ws.secpolicy.model.Token;
import org.apache.ws.secpolicy.model.UsernameToken;
import org.apache.ws.secpolicy.model.X509Token;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.message.*;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import javax.xml.crypto.dsig.Reference;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
public class TransportBindingBuilder extends BindingBuilder {
private static Log log = LogFactory.getLog(TransportBindingBuilder.class);
private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);
public void build(RampartMessageData rmd) throws RampartException {
log.debug("TransportBindingBuilder build invoked");
long t0 = 0, t1 = 0;
if(tlog.isDebugEnabled()){
t1 = System.currentTimeMillis();
}
RampartPolicyData rpd = rmd.getPolicyData();
if (rpd.isIncludeTimestamp()) {
addTimestamp(rmd);
}
/*
* Process Supporting tokens
*/
if(rmd.isInitiator()) {
List<byte[]> signatureValues = new ArrayList<byte[]>();
SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
if(sgndSuppTokens != null && sgndSuppTokens.getTokens() != null &&
sgndSuppTokens.getTokens().size() > 0) {
log.debug("Processing signed supporting tokens");
ArrayList tokens = sgndSuppTokens.getTokens();
for (Object signedSupportingToken : tokens) {
Token token = (Token) signedSupportingToken;
if (token instanceof UsernameToken) {
WSSecUsernameToken utBuilder = addUsernameToken(rmd, (UsernameToken) token);
utBuilder.prepare(rmd.getDocument());
//Add the UT
utBuilder.appendToHeader(rmd.getSecHeader());
} else {
throw new RampartException("unsupportedSignedSupportingToken",
new String[]{"{" + token.getName().getNamespaceURI()
+ "}" + token.getName().getLocalPart()});
}
}
}
SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
if(sgndEndSuppTokens != null && sgndEndSuppTokens.getTokens() != null &&
sgndEndSuppTokens.getTokens().size() > 0) {
log.debug("Processing endorsing signed supporting tokens");
ArrayList tokens = sgndEndSuppTokens.getTokens();
SignedEncryptedParts signdParts = sgndEndSuppTokens.getSignedParts();
for (Object objectToken : tokens) {
Token token = (Token) objectToken;
if (token instanceof IssuedToken && rmd.isInitiator()) {
signatureValues.add(doIssuedTokenSignature(rmd, token, signdParts));
} else if (token instanceof X509Token) {
signatureValues.add(doX509TokenSignature(rmd, token, signdParts));
}
}
}
SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens();
if(endSupptokens != null && endSupptokens.getTokens() != null &&
endSupptokens.getTokens().size() > 0) {
log.debug("Processing endorsing supporting tokens");
ArrayList tokens = endSupptokens.getTokens();
SignedEncryptedParts signdParts = endSupptokens.getSignedParts();
for (Object objectToken : tokens) {
Token token = (Token) objectToken;
if (token instanceof IssuedToken && rmd.isInitiator()) {
signatureValues.add(doIssuedTokenSignature(rmd, token, signdParts));
} else if (token instanceof X509Token) {
signatureValues.add(doX509TokenSignature(rmd, token, signdParts));
} else if (token instanceof SecureConversationToken) {
handleSecureConversationTokens(rmd, (SecureConversationToken) token);
signatureValues.add(doSecureConversationSignature(rmd, token, signdParts));
}
}
}
List<SupportingToken> supportingToks = rpd.getSupportingTokensList();
for (SupportingToken supportingTok : supportingToks) {
this.handleSupportingTokens(rmd, supportingTok);
}
//Store the signature values list
rmd.getMsgContext().setProperty(WSHandlerConstants.SEND_SIGV, signatureValues);
} else {
addSignatureConfirmation(rmd, null);
}
if(tlog.isDebugEnabled()){
t1 = System.currentTimeMillis();
tlog.debug("Transport binding build took "+ (t1 - t0));
}
}
/**
* X.509 signature
* @param rmd
* @param token
* @param signdParts
*/
private byte[] doX509TokenSignature(RampartMessageData rmd, Token token, SignedEncryptedParts signdParts) throws RampartException {
RampartPolicyData rpd = rmd.getPolicyData();
Document doc = rmd.getDocument();
List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
if(this.timestampElement != null){
sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
}
if(signdParts != null) {
if(signdParts.isBody()) {
SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
sigParts.add(new WSEncryptionPart(RampartUtil.addWsuIdToElement(env.getBody())));
}
ArrayList headers = signdParts.getHeaders();
for (Iterator iterator = headers.iterator(); iterator.hasNext();) {
Header header = (Header) iterator.next();
WSEncryptionPart wep = new WSEncryptionPart(header.getName(),
header.getNamespace(),
"Content");
sigParts.add(wep);
}
}
if(token.isDerivedKeys()) {
//In this case we will have to encrypt the ephmeral key with the
//other party's key and then use it as the parent key of the
// derived keys
try {
WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(rmd, token);
Element bstElem = encrKey.getBinarySecurityTokenElement();
if(bstElem != null) {
RampartUtil.appendChildToSecHeader(rmd, bstElem);
}
// Add <xenc:EncryptedKey Id="EncKeyId-E67B75302ACB3BEDF313277587471272">..</xenc:EncryptedKey>
// to security header.
encrKey.appendToHeader(rmd.getSecHeader());
WSSecDKSign dkSig = new WSSecDKSign();
dkSig.setWsConfig(rmd.getConfig());
dkSig.setSigCanonicalization(rpd.getAlgorithmSuite().getInclusiveC14n());
dkSig.setSignatureAlgorithm(rpd.getAlgorithmSuite().getSymmetricSignature());
dkSig.setDerivedKeyLength(rpd.getAlgorithmSuite().getSignatureDerivedKeyLength()/8);
/**
* Add a reference to encrypted key in the derived key
*/
dkSig.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
dkSig.prepare(doc, rmd.getSecHeader());
if(rpd.isTokenProtection()) {
sigParts.add(new WSEncryptionPart(encrKey.getBSTTokenId()));
}
dkSig.setParts(sigParts);
List<Reference> referenceList
= dkSig.addReferencesToSign(sigParts, rmd.getSecHeader());
/**
* Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
* header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
* elements. (As a convention)
*/
dkSig.appendDKElementToHeader(rmd.getSecHeader());
//Do signature and append to the security header
dkSig.computeSignature(referenceList, false, null);
// TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
// but WSS4J has remove append methods. Need to find why ?
//this.appendToHeader(rmd.getSecHeader(), dkSig.getSignatureElement());
return dkSig.getSignatureValue();
} catch (WSSecurityException e) {
throw new RampartException("errorInDerivedKeyTokenSignature", e);
} catch (ConversationException e) {
throw new RampartException("errorInDerivedKeyTokenSignature", e);
}
} else {
try {
WSSecSignature sig = this.getSignatureBuilder(rmd, token);
sig.appendBSTElementToHeader(rmd.getSecHeader());
if (rpd.isTokenProtection()
&& !(SPConstants.INCLUDE_TOKEN_NEVER == token.getInclusion())) {
sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
}
List<Reference> referenceList
= sig.addReferencesToSign(sigParts, rmd.getSecHeader());
// TODO changed the order - verify
// Compute signature and append to the header
sig.computeSignature(referenceList, false, null);
return sig.getSignatureValue();
} catch (WSSecurityException e) {
throw new RampartException("errorInSignatureWithX509Token", e);
}
}
}
private void appendToHeader(WSSecHeader secHeader, Element appendingChild) {
// TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
// but WSS4J has remove append methods. Need to find why ?
Element secHeaderElement = secHeader.getSecurityHeader();
secHeaderElement.appendChild(appendingChild);
}
/**
* IssuedToken signature
* @param rmd
* @param token
* @param signdParts
* @throws RampartException
*/
private byte[] doIssuedTokenSignature(RampartMessageData rmd, Token token, SignedEncryptedParts signdParts) throws RampartException {
RampartPolicyData rpd = rmd.getPolicyData();
Document doc= rmd.getDocument();
//Get the issued token
String id = RampartUtil.getIssuedToken(rmd, (IssuedToken)token);
int inclusion = token.getInclusion();
org.apache.rahas.Token tok = null;
try {
tok = rmd.getTokenStorage().getToken(id);
} catch (TrustException e) {
throw new RampartException("errorExtractingToken",
new String[]{id} ,e);
}
boolean tokenIncluded = false;
if(inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS ||
((inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
|| inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
&& rmd.isInitiator())) {
//Add the token
rmd.getSecHeader().getSecurityHeader().appendChild(
doc.importNode((Element) tok.getToken(), true));
tokenIncluded = true;
}
List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
if(this.timestampElement != null){
sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
}
if(rpd.isTokenProtection() && tokenIncluded) {
sigParts.add(new WSEncryptionPart(id));
}
if(signdParts != null) {
if(signdParts.isBody()) {
SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
sigParts.add(new WSEncryptionPart(RampartUtil.addWsuIdToElement(env.getBody())));
}
ArrayList headers = signdParts.getHeaders();
for (Object signedHeader : headers) {
Header header = (Header) signedHeader;
WSEncryptionPart wep = new WSEncryptionPart(header.getName(),
header.getNamespace(),
"Content");
sigParts.add(wep);
}
}
//check for derived keys
AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
if(token.isDerivedKeys()) {
//Create a derived key and add
try {
//Do Signature with derived keys
WSSecDKSign dkSign = new WSSecDKSign();
// Setting the AttachedReference or the UnattachedReference according to the flag
OMElement ref;
if (tokenIncluded) {
ref = tok.getAttachedReference();
} else {
ref = tok.getUnattachedReference();
}
if(ref != null) {
dkSign.setExternalKey(tok.getSecret(), (Element)
doc.importNode((Element) ref, true));
} else {
dkSign.setExternalKey(tok.getSecret(), tok.getId());
}
//Set the algo info
dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
dkSign.setDerivedKeyLength(algorithmSuite.getSignatureDerivedKeyLength());
dkSign.prepare(doc);
/**
* Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
* header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
* elements. (As a convention)
*/
dkSign.appendDKElementToHeader(rmd.getSecHeader());
dkSign.setParts(sigParts);
List<Reference> referenceList
= dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
//Do signature
dkSign.computeSignature(referenceList, false, null);
// TODO verify before migration - dkSign.appendSigToHeader(rmd.getSecHeader())
// this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());
return dkSign.getSignatureValue();
} catch (ConversationException e) {
throw new RampartException(
"errorInDerivedKeyTokenSignature", e);
} catch (WSSecurityException e) {
throw new RampartException(
"errorInDerivedKeyTokenSignature", e);
}
} else {
try {
WSSecSignature sig = new WSSecSignature();
sig.setWsConfig(rmd.getConfig());
String tokId = tok.getId();
if (tokId.charAt(0) == '#') {
tokId = tokId.substring(1);
}
sig.setCustomTokenId(tokId);
sig.setCustomTokenValueType(RampartUtil.getSAML10AssertionNamespace());
sig.setSecretKey(tok.getSecret());
sig.setSignatureAlgorithm(algorithmSuite.getAsymmetricSignature());
sig.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sig.prepare(rmd.getDocument(), RampartUtil.getSignatureCrypto(rpd
.getRampartConfig(), rmd.getCustomClassLoader()),
rmd.getSecHeader());
sig.setParts(sigParts);
List<javax.xml.crypto.dsig.Reference> referenceList
= sig.addReferencesToSign(sigParts, rmd.getSecHeader());
//Do signature
sig.computeSignature(referenceList);
//Add elements to header
this.setInsertionLocation(RampartUtil.insertSiblingAfter(
rmd,
this.getInsertionLocation(),
sig.getSignatureElement()));
return sig.getSignatureValue();
} catch (WSSecurityException e) {
throw new RampartException("errorInSignatureWithACustomToken", e);
}
}
}
private byte[] doSecureConversationSignature(RampartMessageData rmd, Token token, SignedEncryptedParts signdParts) throws RampartException {
RampartPolicyData rpd = rmd.getPolicyData();
Document doc= rmd.getDocument();
//Get the issued token
String id = rmd.getSecConvTokenId();
int inclusion = token.getInclusion();
org.apache.rahas.Token tok = null;
try {
tok = rmd.getTokenStorage().getToken(id);
} catch (TrustException e) {
throw new RampartException("errorExtractingToken",
new String[]{id} ,e);
}
boolean tokenIncluded = false;
if(inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS ||
((inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
|| inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
&& rmd.isInitiator())) {
//Add the token
rmd.getSecHeader().getSecurityHeader().appendChild(
doc.importNode((Element) tok.getToken(), true));
tokenIncluded = true;
}
List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
if(this.timestampElement != null){
sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
}
if(rpd.isTokenProtection() && tokenIncluded) {
sigParts.add(new WSEncryptionPart(id));
}
if(signdParts != null) {
if(signdParts.isBody()) {
SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
sigParts.add(new WSEncryptionPart(RampartUtil.addWsuIdToElement(env.getBody())));
}
ArrayList headers = signdParts.getHeaders();
for (Object objectHeader : headers) {
Header header = (Header) objectHeader;
WSEncryptionPart wep = new WSEncryptionPart(header.getName(),
header.getNamespace(),
"Content");
sigParts.add(wep);
}
}
//check for derived keys
AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
if(token.isDerivedKeys()) {
//Create a derived key and add
try {
//Do Signature with derived keys
WSSecDKSign dkSign = new WSSecDKSign();
// Setting the AttachedReference or the UnattachedReference according to the flag
OMElement ref;
if (tokenIncluded) {
ref = tok.getAttachedReference();
} else {
ref = tok.getUnattachedReference();
}
if(ref != null) {
dkSign.setExternalKey(tok.getSecret(), (Element)
doc.importNode((Element) ref, true));
} else {
dkSign.setExternalKey(tok.getSecret(), tok.getId());
}
//Set the algo info
dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
dkSign.setDerivedKeyLength(algorithmSuite.getSignatureDerivedKeyLength());
dkSign.prepare(doc);
/**
* Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
* header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
* elements. (As a convention)
*/
dkSign.appendDKElementToHeader(rmd.getSecHeader());
dkSign.setParts(sigParts);
List<Reference> referenceList
= dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
//Do signature
dkSign.computeSignature(referenceList, false, null);
//this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());
return dkSign.getSignatureValue();
} catch (ConversationException e) {
throw new RampartException(
"errorInDerivedKeyTokenSignature", e);
} catch (WSSecurityException e) {
throw new RampartException(
"errorInDerivedKeyTokenSignature", e);
}
} else {
try {
WSSecSignature sig = new WSSecSignature();
sig.setWsConfig(rmd.getConfig());
sig.setCustomTokenId(tok.getId().substring(1));
sig.setCustomTokenValueType(RampartUtil.getSAML10AssertionNamespace());
sig.setSecretKey(tok.getSecret());
sig.setSignatureAlgorithm(algorithmSuite.getAsymmetricSignature());
sig.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sig.prepare(rmd.getDocument(), RampartUtil.getSignatureCrypto(rpd
.getRampartConfig(), rmd.getCustomClassLoader()),
rmd.getSecHeader());
sig.setParts(sigParts);
List<Reference> referenceList
= sig.addReferencesToSign(sigParts, rmd.getSecHeader());
//Do signature
sig.computeSignature(referenceList, false, this.getInsertionLocation());
//Add elements to header
this.setInsertionLocation(sig.getSignatureElement());
return sig.getSignatureValue();
} catch (WSSecurityException e) {
throw new RampartException("errorInSignatureWithACustomToken", e);
}
}
}
private void handleSecureConversationTokens(RampartMessageData rmd,
SecureConversationToken secConvTok) throws RampartException {
MessageContext msgContext = rmd.getMsgContext();
String secConvTokenId = rmd.getSecConvTokenId();
//The RSTR has to be secured with the cancelled token
String action = msgContext.getOptions().getAction();
boolean cancelReqResp = action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RSTR_ACTION_CANCEL_SCT) ||
action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RSTR_ACTION_CANCEL_SCT) ||
action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_CANCEL_SCT) ||
action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_CANCEL_SCT);
//In the case of the cancel req or resp we should mark the token as cancelled
if(secConvTokenId != null && cancelReqResp) {
try {
rmd.getTokenStorage().getToken(secConvTokenId).setState(org.apache.rahas.Token.CANCELLED);
msgContext.setProperty(RampartMessageData.SCT_ID, secConvTokenId);
//remove from the local map of contexts
String contextIdentifierKey = RampartUtil.getContextIdentifierKey(msgContext);
RampartUtil.getContextMap(msgContext).remove(contextIdentifierKey);
} catch (TrustException e) {
throw new RampartException("errorExtractingToken",e);
}
}
if (secConvTokenId == null
|| (secConvTokenId != null &&
(!RampartUtil.isTokenValid(rmd, secConvTokenId) && !cancelReqResp))) {
log.debug("No SecureConversationToken found, requesting a new token");
try {
secConvTokenId = RampartUtil.getSecConvToken(rmd, secConvTok);
rmd.setSecConvTokenId(secConvTokenId);
} catch (TrustException e) {
throw new RampartException("errorInObtainingSct", e);
}
}
/* org.apache.rahas.Token token;
try {
token = rmd.getTokenStorage().getToken(secConvTokenId);
} catch (TrustException e) {
throw new RampartException("errorExtractingToken", e);
}
//Add the token to the header
Element siblingElem = RampartUtil
.insertSiblingAfter(rmd, this.getInsertionLocation(),
(Element) token.getToken());
this.setInsertionLocation(siblingElem);*/
}
}