1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.wss4j.policy.stax.assertionStates;
20
21 import javax.xml.namespace.QName;
22
23 import org.apache.wss4j.policy.AssertionState;
24 import org.apache.wss4j.common.WSSPolicyException;
25 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
26 import org.apache.wss4j.policy.model.AlgorithmSuite;
27 import org.apache.wss4j.policy.stax.Assertable;
28 import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
29 import org.apache.wss4j.policy.stax.PolicyAsserter;
30 import org.apache.wss4j.stax.ext.WSSConstants;
31 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
32 import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
33 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
34 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
35
36
37
38
39 public class AlgorithmSuiteAssertionState extends AssertionState implements Assertable {
40
41 private PolicyAsserter policyAsserter;
42
43 public AlgorithmSuiteAssertionState(AbstractSecurityAssertion assertion,
44 PolicyAsserter policyAsserter,
45 boolean asserted) {
46 super(assertion, asserted);
47
48 this.policyAsserter = policyAsserter;
49 if (this.policyAsserter == null) {
50 this.policyAsserter = new DummyPolicyAsserter();
51 }
52
53 if (asserted) {
54 AlgorithmSuite algorithmSuite = (AlgorithmSuite) getAssertion();
55 policyAsserter.assertPolicy(getAssertion());
56 String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
57 String name = algorithmSuite.getAlgorithmSuiteType().getName();
58 policyAsserter.assertPolicy(new QName(namespace, name));
59 }
60 }
61
62 @Override
63 public SecurityEventConstants.Event[] getSecurityEventType() {
64 return new SecurityEventConstants.Event[]{
65 SecurityEventConstants.AlgorithmSuite
66 };
67 }
68
69 @Override
70 public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
71 AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = (AlgorithmSuiteSecurityEvent) securityEvent;
72 AlgorithmSuite algorithmSuite = (AlgorithmSuite) getAssertion();
73 if (algorithmSuite.getAlgorithmSuiteType() == null) {
74 setAsserted(false);
75 setErrorMessage("There is an error with the AlgorithmSuite policy");
76 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
77 return isAsserted();
78 }
79
80 XMLSecurityConstants.AlgorithmUsage keyUsage = algorithmSuiteSecurityEvent.getAlgorithmUsage();
81 int keyLength = algorithmSuiteSecurityEvent.getKeyLength();
82 String algorithmURI = algorithmSuiteSecurityEvent.getAlgorithmURI();
83 if (WSSConstants.Sym_Sig.equals(keyUsage)) {
84 if (algorithmSuite.getAlgorithmSuiteType().getSymmetricSignature() != null
85 && !algorithmSuite.getAlgorithmSuiteType().getSymmetricSignature().equals(algorithmURI)) {
86 setAsserted(false);
87 setErrorMessage("Symmetric signature algorithm " + algorithmURI + " does not meet policy");
88 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
89 }
90
91 if (!algorithmSuiteSecurityEvent.isDerivedKey()
92 && (algorithmSuite.getAlgorithmSuiteType().getMinimumSymmetricKeyLength() > keyLength
93 || algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength() < keyLength)) {
94 setAsserted(false);
95 setErrorMessage("Symmetric signature algorithm key length " + keyLength + " does not meet policy");
96 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
97 } else if (algorithmSuiteSecurityEvent.isDerivedKey()
98 && algorithmSuite.getAlgorithmSuiteType().getSignatureDerivedKeyLength() != keyLength) {
99 setAsserted(false);
100 setErrorMessage("Symmetric signature algorithm derived key length " + keyLength + " does not meet policy");
101 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
102 }
103 } else if (WSSConstants.Asym_Sig.equals(keyUsage)) {
104 if (algorithmSuite.getAlgorithmSuiteType().getAsymmetricSignature() != null
105 && !algorithmSuite.getAlgorithmSuiteType().getAsymmetricSignature().equals(algorithmURI)) {
106 setAsserted(false);
107 setErrorMessage("Asymmetric algorithm " + algorithmURI + " does not meet policy");
108 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
109 }
110 if (algorithmSuite.getAlgorithmSuiteType().getMinimumAsymmetricKeyLength() > keyLength
111 || algorithmSuite.getAlgorithmSuiteType().getMaximumAsymmetricKeyLength() < keyLength) {
112 setAsserted(false);
113 setErrorMessage("Asymmetric signature algorithm key length " + keyLength + " does not meet policy");
114 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
115 }
116 } else if (WSSConstants.SigDig.equals(keyUsage)) {
117 if (!algorithmSuite.getAlgorithmSuiteType().getDigest().equals(algorithmURI)) {
118 setAsserted(false);
119 setErrorMessage("Digest algorithm " + algorithmURI + " does not meet policy");
120 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
121 }
122 } else if (WSSConstants.Enc.equals(keyUsage)) {
123 if (!algorithmSuite.getAlgorithmSuiteType().getEncryption().equals(algorithmURI)) {
124 setAsserted(false);
125 setErrorMessage("Encryption algorithm " + algorithmURI + " does not meet policy");
126 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
127 }
128
129 if (!algorithmSuiteSecurityEvent.isDerivedKey()
130 && (algorithmSuite.getAlgorithmSuiteType().getMinimumSymmetricKeyLength() > keyLength
131 || algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength() < keyLength)) {
132 setAsserted(false);
133 setErrorMessage("Symmetric encryption algorithm key length " + keyLength + " does not meet policy");
134 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
135 } else if (algorithmSuiteSecurityEvent.isDerivedKey()
136 && algorithmSuite.getAlgorithmSuiteType().getEncryptionDerivedKeyLength() != keyLength) {
137 setAsserted(false);
138 setErrorMessage("Symmetric encryption algorithm derived key length " + keyLength + " does not meet policy");
139 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
140 }
141 } else if (WSSConstants.Sym_Key_Wrap.equals(keyUsage)) {
142 if (!algorithmSuite.getAlgorithmSuiteType().getSymmetricKeyWrap().equals(algorithmURI)) {
143 setAsserted(false);
144 setErrorMessage("Symmetric key wrap algorithm " + algorithmURI + " does not meet policy");
145 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
146 }
147 if (algorithmSuite.getAlgorithmSuiteType().getMinimumSymmetricKeyLength() > keyLength
148 || algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength() < keyLength) {
149 setAsserted(false);
150 setErrorMessage("Symmetric key wrap algorithm key length " + keyLength + " does not meet policy");
151 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
152 }
153 } else if (WSSConstants.Asym_Key_Wrap.equals(keyUsage)) {
154 if (!algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap().equals(algorithmURI)) {
155 setAsserted(false);
156 setErrorMessage("Asymmetric key wrap algorithm " + algorithmURI + " does not meet policy");
157 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
158 }
159 if (algorithmSuite.getAlgorithmSuiteType().getMinimumAsymmetricKeyLength() > keyLength
160 || algorithmSuite.getAlgorithmSuiteType().getMaximumAsymmetricKeyLength() < keyLength) {
161 setAsserted(false);
162 setErrorMessage("Asymmetric key wrap algorithm key length " + keyLength + " does not meet policy");
163 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
164 }
165 } else if (WSSConstants.COMP_KEY.equals(keyUsage)) {
166 if (!algorithmSuite.getComputedKey().equals(algorithmURI)) {
167 setAsserted(false);
168 setErrorMessage("Computed key algorithm " + algorithmURI + " does not meet policy");
169 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
170 }
171 } else if (WSSConstants.ENC_KD.equals(keyUsage)) {
172 if (!algorithmSuite.getAlgorithmSuiteType().getEncryptionKeyDerivation().equals(algorithmURI)) {
173 setAsserted(false);
174 setErrorMessage("Encryption key derivation algorithm " + algorithmURI + " does not meet policy");
175 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
176 }
177 } else if (WSSConstants.SIG_KD.equals(keyUsage)) {
178 if (!algorithmSuite.getAlgorithmSuiteType().getSignatureKeyDerivation().equals(algorithmURI)) {
179 setAsserted(false);
180 setErrorMessage("Signature key derivation algorithm " + algorithmURI + " does not meet policy");
181 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
182 }
183 } else if (WSSConstants.SigC14n.equals(keyUsage)) {
184 if (algorithmSuite.getC14n() != null
185 && !algorithmSuite.getC14n().getValue().equals(algorithmURI)) {
186 setAsserted(false);
187 setErrorMessage("C14N algorithm " + algorithmURI + " does not meet policy");
188 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
189 }
190 } else if (WSSConstants.SigTransform.equals(keyUsage)) {
191 if (algorithmSuite.getC14n() != null
192 && !algorithmSuite.getC14n().getValue().equals(algorithmURI)
193 && !WSSConstants.NS_C14N_EXCL.equals(algorithmURI)
194 && !WSSConstants.SOAPMESSAGE_NS10_STR_TRANSFORM.equals(algorithmURI)
195 && !WSSConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS.equals(algorithmURI)
196 && !WSSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS.equals(algorithmURI)) {
197 setAsserted(false);
198 setErrorMessage("Transform C14N algorithm " + algorithmURI + " does not meet policy");
199 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
200 }
201 } else if (WSSConstants.SOAP_NORM.equals(keyUsage)) {
202 if (algorithmSuite.getSoapNormType() != null
203 && !algorithmSuite.getSoapNormType().getValue().equals(algorithmURI)) {
204 setAsserted(false);
205 setErrorMessage("Soap normalization algorithm " + algorithmURI + " does not meet policy");
206 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
207 }
208 } else if (WSSConstants.STR_TRANS.equals(keyUsage)) {
209 if (algorithmSuite.getStrType() != null
210 && !algorithmSuite.getStrType().getValue().equals(algorithmURI)) {
211 setAsserted(false);
212 setErrorMessage("STR transformation algorithm " + algorithmURI + " does not meet policy");
213 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
214 }
215 } else if (WSSConstants.XPATH.equals(keyUsage) && algorithmSuite.getXPathType() != null
216 && !algorithmSuite.getXPathType().getValue().equals(algorithmURI)) {
217 setAsserted(false);
218 setErrorMessage("XPATH algorithm " + algorithmURI + " does not meet policy");
219 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
220 }
221
222 if (isAsserted()) {
223 policyAsserter.assertPolicy(getAssertion());
224 String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
225 String name = algorithmSuite.getAlgorithmSuiteType().getName();
226 policyAsserter.assertPolicy(new QName(namespace, name));
227 if (algorithmSuite.getC14n() != null) {
228 policyAsserter.assertPolicy(new QName(namespace, algorithmSuite.getC14n().name()));
229 }
230 }
231
232 return isAsserted();
233 }
234 }