19 package org.apache.wss4j.stax.impl.processor.input;
20
21 import org.apache.wss4j.binding.wss10.ObjectFactory;
22 import org.apache.wss4j.binding.wss10.ReferenceType;
23 import org.apache.wss4j.binding.wss10.SecurityTokenReferenceType;
24 import org.apache.wss4j.common.bsp.BSPRule;
25 import org.apache.wss4j.common.ext.WSSecurityException;
26 import org.apache.wss4j.common.util.AttachmentUtils;
27 import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
28 import org.apache.xml.security.binding.xmldsig.KeyInfoType;
29 import org.apache.xml.security.binding.xmlenc.EncryptedKeyType;
30 import org.apache.xml.security.binding.xmlenc.EncryptionMethodType;
31 import org.apache.xml.security.exceptions.XMLSecurityException;
32 import org.apache.xml.security.stax.ext.InputProcessorChain;
33 import org.apache.xml.security.stax.ext.XMLSecurityProperties;
34 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
35 import org.apache.xml.security.stax.impl.processor.input.XMLEncryptedKeyInputHandler;
36 import org.apache.wss4j.stax.ext.WSSConstants;
37 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
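/**
 * WS-Security flavoured handler for an inbound {@code xenc:EncryptedKey} element.
 *
 * <p>On top of the generic Santuario handler it (1) reports Basic Security Profile
 * violations on the element, (2) enforces a configured key-transport algorithm
 * requirement, (3) wraps the key in a {@code wsse:SecurityTokenReference} when
 * setting up the decryption processor for the reference list, and (4) resolves
 * XOP/attachment references through the configured attachment callback handler.
 */
public class WSSEncryptedKeyInputHandler extends XMLEncryptedKeyInputHandler {

    // Static fields are never serialized, so the 'transient' the original carried was a no-op.
    private static final org.slf4j.Logger LOG =
        org.slf4j.LoggerFactory.getLogger(WSSEncryptedKeyInputHandler.class);

    /**
     * Handles an inbound {@code EncryptedKey}.
     *
     * <p>BSP compliance is checked first. If the security properties define a required
     * key-transport algorithm, the element's {@code EncryptionMethod/@Algorithm} must match
     * it exactly; an absent {@code EncryptionMethod} cannot satisfy the requirement and is
     * rejected as well (the original only rejected a present-but-different algorithm, which
     * silently bypassed the requirement when the element was missing). Processing then
     * continues in the superclass.
     *
     * @param inputProcessorChain the processor chain being executed
     * @param encryptedKeyType the parsed {@code EncryptedKey} element
     * @param responsibleXMLSecStartXMLEvent the start event of that element
     * @param securityProperties the active security properties
     * @throws XMLSecurityException on a BSP violation (as decided by the security context)
     *         or when the key-transport algorithm does not meet the configured requirement
     *         ({@code INVALID_SECURITY})
     */
    @Override
    public void handle(InputProcessorChain inputProcessorChain, EncryptedKeyType encryptedKeyType,
                       XMLSecEvent responsibleXMLSecStartXMLEvent, XMLSecurityProperties securityProperties)
            throws XMLSecurityException {
        checkBSPCompliance(inputProcessorChain, encryptedKeyType);

        final String requiredAlgorithm = securityProperties.getEncryptionKeyTransportAlgorithm();
        if (requiredAlgorithm != null) {
            final EncryptionMethodType encryptionMethodType = encryptedKeyType.getEncryptionMethod();
            // Fail closed: a missing EncryptionMethod is treated like a mismatching one.
            final String actualAlgorithm =
                encryptionMethodType == null ? null : encryptionMethodType.getAlgorithm();
            if (!requiredAlgorithm.equals(actualAlgorithm)) {
                // Algorithm URIs are not secrets; logging both sides makes the mismatch diagnosable.
                LOG.warn("The Key transport method does not match the requirement: expected {} but found {}",
                         requiredAlgorithm, actualAlgorithm);
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
            }
        }

        super.handle(inputProcessorChain, encryptedKeyType, responsibleXMLSecStartXMLEvent, securityProperties);
    }

    /**
     * Registers a {@link DecryptInputProcessor} for the key's {@code ReferenceList}.
     *
     * <p>The key is referred to via a {@code wsse:SecurityTokenReference} whose
     * {@code wsse:Reference/@URI} is {@code "#" + Id} of the {@code EncryptedKey}, wrapped in a
     * {@code ds:KeyInfo}. The security properties and security context are cast to their
     * WSS-specific subtypes.
     *
     * <p>NOTE(review): the URI is built from {@code getId()} without a null check; presumably the
     * superclass guarantees an Id is present by this point — confirm against the caller.
     *
     * @param inputProcessorChain the processor chain to add the decryption processor to
     * @param encryptedKeyType the {@code EncryptedKey} whose {@code ReferenceList} is to be decrypted
     * @param securityProperties the active security properties (expected to be a {@link WSSSecurityProperties})
     * @throws XMLSecurityException if the processor cannot be created
     */
    @Override
    protected void handleReferenceList(final InputProcessorChain inputProcessorChain,
                                       final EncryptedKeyType encryptedKeyType,
                                       final XMLSecurityProperties securityProperties) throws XMLSecurityException {
        final ObjectFactory objectFactory = new ObjectFactory();

        final ReferenceType reference = new ReferenceType();
        reference.setURI("#" + encryptedKeyType.getId());

        final SecurityTokenReferenceType securityTokenReference = new SecurityTokenReferenceType();
        securityTokenReference.getAny().add(objectFactory.createReference(reference));

        final KeyInfoType keyInfo = new KeyInfoType();
        keyInfo.getContent().add(objectFactory.createSecurityTokenReference(securityTokenReference));

        final WSSSecurityProperties wssSecurityProperties = (WSSSecurityProperties) securityProperties;
        final WSInboundSecurityContext securityContext =
            (WSInboundSecurityContext) inputProcessorChain.getSecurityContext();
        inputProcessorChain.addProcessor(
            new DecryptInputProcessor(keyInfo, encryptedKeyType.getReferenceList(),
                                      wssSecurityProperties, securityContext)
        );
    }

    /**
     * Reports Basic Security Profile rule violations on the {@code EncryptedKey} element to the
     * inbound security context via {@code handleBSPRule}:
     * <ul>
     *   <li>R3209 – {@code Type} attribute present</li>
     *   <li>R5622 – {@code MimeType} attribute present</li>
     *   <li>R5623 – {@code Encoding} attribute present</li>
     *   <li>R5602 – {@code Recipient} attribute present</li>
     *   <li>R5603 – no {@code EncryptionMethod} child</li>
     *   <li>R5621 – {@code EncryptionMethod/@Algorithm} is none of RSA-1.5, RSA-OAEP-MGF1P
     *       or XENC11 RSA-OAEP</li>
     * </ul>
     * What happens on a violation (throw or ignore) is decided by the security context.
     *
     * @param inputProcessorChain the processor chain whose security context receives the rules
     * @param encryptedKeyType the element to check
     * @throws XMLSecurityException if the security context rejects a reported rule
     */
    protected void checkBSPCompliance(InputProcessorChain inputProcessorChain, EncryptedKeyType encryptedKeyType)
            throws XMLSecurityException {
        final WSInboundSecurityContext securityContext =
            (WSInboundSecurityContext) inputProcessorChain.getSecurityContext();

        if (encryptedKeyType.getType() != null) {
            securityContext.handleBSPRule(BSPRule.R3209);
        }
        if (encryptedKeyType.getMimeType() != null) {
            securityContext.handleBSPRule(BSPRule.R5622);
        }
        if (encryptedKeyType.getEncoding() != null) {
            securityContext.handleBSPRule(BSPRule.R5623);
        }
        if (encryptedKeyType.getRecipient() != null) {
            securityContext.handleBSPRule(BSPRule.R5602);
        }

        final EncryptionMethodType encryptionMethodType = encryptedKeyType.getEncryptionMethod();
        if (encryptionMethodType == null) {
            securityContext.handleBSPRule(BSPRule.R5603);
            return;
        }
        if (!isBspKeyTransportAlgorithm(encryptionMethodType.getAlgorithm())) {
            securityContext.handleBSPRule(BSPRule.R5621);
        }
    }

    /**
     * Returns whether {@code algorithm} is one of the key-transport algorithms the BSP permits
     * for an {@code EncryptedKey} (RSA-1.5, RSA-OAEP-MGF1P, XENC11 RSA-OAEP). {@code null} is not.
     */
    private static boolean isBspKeyTransportAlgorithm(String algorithm) {
        return WSSConstants.NS_XENC_RSA15.equals(algorithm)
            || WSSConstants.NS_XENC_RSAOAEPMGF1P.equals(algorithm)
            || WSSConstants.NS_XENC11_RSAOAEP.equals(algorithm);
    }

    /**
     * Resolves the bytes behind an XOP/attachment reference through the configured
     * attachment callback handler.
     *
     * <p>NOTE(review): the trailing {@code true} passed to {@code AttachmentUtils} is not explained
     * here; check its meaning in {@link AttachmentUtils#getBytesFromAttachment} before relying on it.
     *
     * @param xopUri the attachment URI to resolve
     * @param securityProperties the active security properties (expected to be a {@link WSSSecurityProperties})
     * @return the attachment content
     * @throws XMLSecurityException if the attachment cannot be retrieved
     */
    @Override
    protected byte[] getBytesFromAttachment(String xopUri, final XMLSecurityProperties securityProperties)
            throws XMLSecurityException {
        final WSSSecurityProperties wssSecurityProperties = (WSSSecurityProperties) securityProperties;
        return AttachmentUtils.getBytesFromAttachment(
            xopUri, wssSecurityProperties.getAttachmentCallbackHandler(), true);
    }

}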