1 /** 2 * Licensed to the Apache Software Foundation (ASF) under one 3 * or more contributor license agreements. See the NOTICE file 4 * distributed with this work for additional information 5 * regarding copyright ownership. The ASF licenses this file 6 * to you under the Apache License, Version 2.0 (the 7 * "License"); you may not use this file except in compliance 8 * with the License. You may obtain a copy of the License at 9 * 10 * http://www.apache.org/licenses/LICENSE-2.0 11 * 12 * Unless required by applicable law or agreed to in writing, 13 * software distributed under the License is distributed on an 14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 * KIND, either express or implied. See the License for the 16 * specific language governing permissions and limitations 17 * under the License. 18 */ 19 20 package org.apache.wss4j.dom; 21 22 import javax.xml.namespace.QName; 23 24 import org.apache.wss4j.common.WSS4JConstants; 25 import org.apache.wss4j.common.derivedKey.ConversationConstants; 26 27 /** 28 * Constants in WS-Security spec. 29 */ 30 public final class WSConstants extends WSS4JConstants { 31 32 // 33 // QNames for the security header elements 34 // 35 36 /** 37 * <code>wsse:BinarySecurityToken</code> as defined by WS Security specification 38 */ 39 public static final QName BINARY_TOKEN = 40 new QName(WSConstants.WSSE_NS, WSConstants.BINARY_TOKEN_LN); 41 /** 42 * <code>wsse:UsernameToken</code> as defined by WS Security specification 43 */ 44 public static final QName USERNAME_TOKEN = 45 new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN); 46 /** 47 * <code>wsu:Timestamp</code> as defined by OASIS WS Security specification, 48 */ 49 public static final QName TIMESTAMP = 50 new QName(WSConstants.WSU_NS, WSConstants.TIMESTAMP_TOKEN_LN); 51 /** 52 * <code>wsse11:signatureConfirmation</code> as defined by OASIS WS Security specification, 53 */ 54 public static final QName SIGNATURE_CONFIRMATION = 55 new QName(WSConstants.WSSE11_NS, WSConstants.SIGNATURE_CONFIRMATION_LN); 56 /** 57 * <code>ds:Signature</code> as defined by XML Signature specification, 58 * enhanced by WS Security specification 59 */ 60 public static final QName SIGNATURE = 61 new QName(WSConstants.SIG_NS, WSConstants.SIG_LN); 62 /** 63 * <code>xenc:EncryptedKey</code> as defined by XML Encryption specification, 64 * enhanced by WS Security specification 65 */ 66 public static final QName ENCRYPTED_KEY = 67 new QName(WSConstants.ENC_NS, WSConstants.ENC_KEY_LN); 68 /** 69 * <code>xenc:EncryptedData</code> as defined by XML Encryption specification, 70 * enhanced by WS Security specification 71 */ 72 public static final QName ENCRYPTED_DATA = 73 new QName(WSConstants.ENC_NS, WSConstants.ENC_DATA_LN); 74 /** 75 * <code>xenc:ReferenceList</code> as defined by XML Encryption specification, 76 */ 77 public static final QName REFERENCE_LIST = 78 new QName(WSConstants.ENC_NS, WSConstants.REF_LIST_LN); 79 /** 80 * <code>saml:Assertion</code> as defined by SAML v1.1 specification 81 */ 82 public static final QName SAML_TOKEN = 83 new QName(WSConstants.SAML_NS, WSConstants.ASSERTION_LN); 84 85 /** 86 * <code>saml:Assertion</code> as defined by SAML v2.0 specification 87 */ 88 public static final QName SAML2_TOKEN = 89 new QName(WSConstants.SAML2_NS, WSConstants.ASSERTION_LN); 90 91 /** 92 * <code>saml:EncryptedAssertion</code> as defined by SAML v2.0 specification 93 */ 94 public static final QName ENCRYPTED_ASSERTION = 95 new QName(WSConstants.SAML2_NS, WSConstants.ENCRYPED_ASSERTION_LN); 96 97 /** 98 * <code>wsc:DerivedKeyToken</code> as defined by WS-SecureConversation specification 99 */ 100 public static final QName DERIVED_KEY_TOKEN_05_02 = 101 new QName(ConversationConstants.WSC_NS_05_02, ConversationConstants.DERIVED_KEY_TOKEN_LN); 102 103 /** 104 * <code>wsc:SecurityContextToken</code> as defined by WS-SecureConversation specification 105 */ 106 public static final QName SECURITY_CONTEXT_TOKEN_05_02 = 107 new QName(ConversationConstants.WSC_NS_05_02, ConversationConstants.SECURITY_CONTEXT_TOKEN_LN); 108 109 /** 110 * <code>wsc:DerivedKeyToken</code> as defined by WS-SecureConversation specification in WS-SX 111 */ 112 public static final QName DERIVED_KEY_TOKEN_05_12 = 113 new QName(ConversationConstants.WSC_NS_05_12, ConversationConstants.DERIVED_KEY_TOKEN_LN); 114 115 /** 116 * <code>wsc:SecurityContextToken</code> as defined by WS-SecureConversation specification in 117 * WS-SX 118 */ 119 public static final QName SECURITY_CONTEXT_TOKEN_05_12 = 120 new QName(ConversationConstants.WSC_NS_05_12, ConversationConstants.SECURITY_CONTEXT_TOKEN_LN); 121 122 // 123 // Fault codes defined in the WSS 1.1 spec under section 12, Error handling 124 // 125 126 /** 127 * An unsupported token was provided 128 */ 129 public static final QName UNSUPPORTED_SECURITY_TOKEN = 130 new QName(WSSE_NS, "UnsupportedSecurityToken"); 131 132 /** 133 * An unsupported signature or encryption algorithm was used 134 */ 135 public static final QName UNSUPPORTED_ALGORITHM = 136 new QName(WSSE_NS, "UnsupportedAlgorithm"); 137 138 /** 139 * An error was discovered processing the <Security> header 140 */ 141 public static final QName INVALID_SECURITY = new QName(WSSE_NS, "InvalidSecurity"); 142 143 /** 144 * An invalid security token was provided 145 */ 146 public static final QName INVALID_SECURITY_TOKEN = new QName(WSSE_NS, "InvalidSecurityToken"); 147 148 /** 149 * The security token could not be authenticated or authorized 150 */ 151 public static final QName FAILED_AUTHENTICATION = new QName(WSSE_NS, "FailedAuthentication"); 152 153 /** 154 * The signature or decryption was invalid 155 */ 156 public static final QName FAILED_CHECK = new QName(WSSE_NS, "FailedCheck"); 157 158 /** 159 * Referenced security token could not be retrieved 160 */ 161 public static final QName SECURITY_TOKEN_UNAVAILABLE = new QName(WSSE_NS, "SecurityTokenUnavailable"); 162 163 /** 164 * The message has expired 165 */ 166 public static final QName MESSAGE_EXPIRED = new QName(WSSE_NS, "MessageExpired"); 167 168 /* 169 * Constants used to configure WSS4J 170 */ 171 172 /** 173 * Sets the {@link 174 * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader) 175 * } method to send the signing certificate as a <code>BinarySecurityToken</code>. 176 * <p/> 177 * The signing method takes the signing certificate, converts it to a 178 * <code>BinarySecurityToken</code>, puts it in the security header, 179 * and inserts a <code>Reference</code> to the binary security token 180 * into the <code>wsse:SecurityReferenceToken</code>. Thus the whole 181 * signing certificate is transfered to the receiver. 182 * The X509 profile recommends to use {@link #ISSUER_SERIAL} instead 183 * of sending the whole certificate. 184 * <p/> 185 * Please refer to WS Security specification X509 1.1 profile, chapter 3.3.2 186 * and to WS Security SOAP Message security 1.1 specification, chapter 7.2 187 * <p/> 188 * Note: only local references to BinarySecurityToken are supported 189 */ 190 public static final int BST_DIRECT_REFERENCE = 1; 191 192 /** 193 * Sets the {@link 194 *org.apache.wss4j.dom.message.WSSecSignature#build(Crypto) 195 *} or the {@link 196 *org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey) 197 * } method to send the issuer name and the serial number of a certificate to 198 * the receiver. 199 * <p/> 200 * In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name 201 * and the serial number of the signing certificate are sent to the 202 * receiver. This reduces the amount of data being sent. The encryption 203 * method uses the public key associated with this certificate to encrypt 204 * the symmetric key used to encrypt data. 205 * The name format will delimit unicode characters with a '\' which is not compatible with Microsoft's WCF stack. 206 * To send issuer name with format that is compatible with WCF and Java use {@link #ISSUER_SERIAL_QUOTE_FORMAT} 207 * <p/> 208 * Please refer to WS Security specification X509 1.1 profile, chapter 3.3.3 209 */ 210 public static final int ISSUER_SERIAL = 2; 211 212 /** 213 * Sets the {@link 214 * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader) 215 * } or the {@link 216 * org.apache.wss4j.dom.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader) 217 * }method to send the certificate used to encrypt the symmetric key. 218 * <p/> 219 * The encryption method uses the public key associated with this certificate 220 * to encrypt the symmetric key used to encrypt data. The certificate is 221 * converted into a <code>KeyIdentifier</code> token and sent to the receiver. 222 * Thus the complete certificate data is transferred to receiver. 223 * The X509 profile recommends to use {@link #ISSUER_SERIAL} instead 224 * of sending the whole certificate. 225 * <p/> 226 * Please refer to WS Security SOAP Message security 1.1 specification, 227 * chapter 7.3. Note that this is a NON-STANDARD method. The standard way to refer to 228 * an X.509 Certificate via a KeyIdentifier is to use {@link #SKI_KEY_IDENTIFIER} 229 */ 230 public static final int X509_KEY_IDENTIFIER = 3; 231 232 /** 233 * Sets the {@link 234 * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader) 235 * } method to send a <code>SubjectKeyIdentifier</code> to identify 236 * the signing certificate. 237 * <p/> 238 * Refer to WS Security specification X509 1.1 profile, chapter 3.3.1 239 */ 240 public static final int SKI_KEY_IDENTIFIER = 4; 241 242 /** 243 * Embeds a keyinfo/key name into the EncryptedData element. 244 * <p/> 245 */ 246 @Deprecated 247 public static final int EMBEDDED_KEYNAME = 5; 248 249 /** 250 * Embeds a keyinfo/wsse:SecurityTokenReference into EncryptedData element. 251 */ 252 @Deprecated 253 public static final int EMBED_SECURITY_TOKEN_REF = 6; 254 255 /** 256 * <code>UT_SIGNING</code> is used internally only to set a specific Signature 257 * behavior. 258 * 259 * The signing token is constructed from values in the UsernameToken according 260 * to WS-Trust specification. 261 */ 262 public static final int UT_SIGNING = 7; 263 264 /** 265 * <code>THUMPRINT_IDENTIFIER</code> is used to set the specific key identifier 266 * ThumbprintSHA1. 267 * 268 * This identifier uses the SHA-1 digest of a security token to 269 * identify the security token. Please refer to chapter 7.2 of the OASIS WSS 1.1 270 * specification. 271 * 272 */ 273 public static final int THUMBPRINT_IDENTIFIER = 8; 274 275 /** 276 * <code>CUSTOM_SYMM_SIGNING</code> is used internally only to set a 277 * specific Signature behavior. 278 * 279 * The signing key, reference id and value type are set externally. 280 */ 281 public static final int CUSTOM_SYMM_SIGNING = 9; 282 283 /** 284 * <code>ENCRYPTED_KEY_SHA1_IDENTIFIER</code> is used to set the specific key identifier 285 * EncryptedKeySHA1. 286 * 287 * This identifier uses the SHA-1 digest of a security token to 288 * identify the security token. Please refer to chapter 7.3 of the OASIS WSS 1.1 289 * specification. 290 */ 291 public static final int ENCRYPTED_KEY_SHA1_IDENTIFIER = 10; 292 293 /** 294 * <code>CUSTOM_SYMM_SIGNING_DIRECT</code> is used internally only to set a 295 * specific Signature behavior. 296 * 297 * The signing key, reference id and value type are set externally. 298 */ 299 public static final int CUSTOM_SYMM_SIGNING_DIRECT = 11; 300 301 /** 302 * <code>CUSTOM_KEY_IDENTIFIER</code> is used to set a KeyIdentifier to 303 * a particular ID 304 * 305 * The reference id and value type are set externally. 306 */ 307 public static final int CUSTOM_KEY_IDENTIFIER = 12; 308 309 /** 310 * <code>KEY_VALUE</code> is used to set a ds:KeyInfo/ds:KeyValue element to refer to 311 * either an RSA or DSA public key. 312 */ 313 public static final int KEY_VALUE = 13; 314 315 /** 316 * <code>ENDPOINT_KEY_IDENTIFIER</code> is used to specify service endpoint as public key 317 * identifier. 318 * 319 * Constant is useful in case of symmetric holder of key, where token service can determine 320 * target service public key to encrypt shared secret. 321 */ 322 public static final int ENDPOINT_KEY_IDENTIFIER = 14; 323 324 325 /** 326 *Sets the {@link org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)} 327 * or the {@link org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)} 328 * method to send the issuer name and the serial number of a certificate to the receiver. 329 *<p/> 330 * In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name 331 * and the serial number of the signing certificate are sent to the 332 * receiver. This reduces the amount of data being sent. The encryption 333 * method uses the public key associated with this certificate to encrypt 334 * the symmetric key used to encrypt data. 335 * The issuer name format will use a quote delimited Rfc 2253 format if necessary which is recognized by the Microsoft's WCF stack. 336 * It also places a space before each subsequent RDN also required for WCF interoperability. 337 * In addition, this format is know to be correctly interpreted by Java. 338 *<p/> 339 *Please refer to WS Security specification X509 1.1 profile, chapter 3.3.3 340 * <p/> 341 */ 342 public static final int ISSUER_SERIAL_QUOTE_FORMAT = 15; 343 344 /* 345 * The following values are bits that can be combined to form a set. 346 * Be careful when adding new constants. 347 */ 348 public static final int NO_SECURITY = 0; 349 public static final int UT = 0x1; // perform UsernameToken 350 public static final int SIGN = 0x2; // Perform Signature 351 public static final int ENCR = 0x4; // Perform Encryption 352 353 public static final int ST_UNSIGNED = 0x8; // perform SAMLToken unsigned 354 public static final int ST_SIGNED = 0x10; // perform SAMLToken signed 355 356 public static final int TS = 0x20; // insert Timestamp 357 public static final int UT_SIGN = 0x40; // perform signature with UT secret key 358 public static final int SC = 0x80; // this is a SignatureConfirmation 359 360 public static final int NO_SERIALIZE = 0x100; 361 public static final int SERIALIZE = 0x200; 362 public static final int SCT = 0x400; //SecurityContextToken 363 public static final int DKT = 0x800; //DerivedKeyToken 364 public static final int BST = 0x1000; //BinarySecurityToken 365 public static final int UT_NOPASSWORD = 0x2000; // perform UsernameToken 366 public static final int CUSTOM_TOKEN = 0x4000; // perform a Custom Token action 367 public static final int DKT_SIGN = 0x8000; // Perform Signature with a Derived Key 368 public static final int DKT_ENCR = 0x10000; // Perform Encryption with a Derived Key 369 370 private WSConstants() { 371 super(); 372 } 373 374 }