From cohei...@apache.org
Subject svn commit: r1160235 - in /webservices/wss4j/trunk/src: main/java/org/apache/ws/security/message/ main/java/org/apache/ws/security/processor/ main/java/org/apache/ws/security/str/ test/java/org/apache/ws/security/message/token/
Date Mon, 22 Aug 2011 12:19:52 GMT
Author: coheigea
Date: Mon Aug 22 12:19:51 2011
New Revision: 1160235

URL: http://svn.apache.org/viewvc?rev=1160235&view=rev
Log:
[WSS-307] - Added support for decryption using a Kerberos Ticket.

Modified:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
    webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java?rev=1160235&r1=1160234&r2=1160235&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
Mon Aug 22 12:19:51 2011
@@ -530,7 +530,7 @@ public class WSSecEncrypt extends WSSecE
         } else if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(customReferenceValue)) {
             SecurityTokenReference secToken = new SecurityTokenReference(document);
             secToken.addTokenType(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
-            secToken.setKeyIdentifier(customReferenceValue, encKeyId);
+            secToken.setKeyIdentifier(customReferenceValue, encKeyId, true);
             keyInfo.addUnknownElement(secToken.getElement());
         } else if (securityTokenReference != null) {
             Element tmpE = securityTokenReference.getElement();
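Review bot: The new third argument to `setKeyIdentifier` is a bare `true` whose meaning cannot be read at the call site; the matching test in this commit passes `Base64.encode(digestBytes)` to `setEncKeyId`, so presumably the flag records that `encKeyId` is already Base64-encoded rather than raw digest bytes. If that is what the parameter means, say so on the call: `// encKeyId is supplied already Base64-encoded; pass true so it is not encoded a second time`, and confirm against the SecurityTokenReference signature before adding it. The enclosing method starts before this hunk and ends after it.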

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java?rev=1160235&r1=1160234&r2=1160235&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
Mon Aug 22 12:19:51 2011
@@ -57,9 +57,6 @@ public class ReferenceListProcessor impl
         if (log.isDebugEnabled()) {
             log.debug("Found reference list element");
         }
-        if (data.getCallbackHandler() == null) {
-            throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
-        }
         List<WSDataRef> dataRefs = handleReferenceList(elem, data, wsDocInfo);
         WSSecurityEngineResult result = 
             new WSSecurityEngineResult(WSConstants.ENCR, dataRefs);
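Review bot: Dropping the `noCallback` check here removes the only fail-fast for a missing CallbackHandler, yet the non-Kerberos branch of SecurityTokenRefSTRParser in this same commit still resolves the secret through `getSecretKeyFromToken(uri, reference.getValueType(), data)`, which presumably needs that handler. With the check gone a null handler is likely to surface as a NullPointerException or a less specific failure deep in the parser instead of the `noCallback` error callers were given before. The check should be re-added in the branch that actually depends on the handler, e.g. immediately before that call: `if (data.getCallbackHandler() == null) { throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback"); }`. The enclosing method starts before this hunk and ends after it.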

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java?rev=1160235&r1=1160234&r2=1160235&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
Mon Aug 22 12:19:51 2011
@@ -23,12 +23,15 @@ import org.apache.ws.security.WSConstant
 import org.apache.ws.security.WSDocInfo;
 import org.apache.ws.security.WSPasswordCallback;
 import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngine;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.message.token.BinarySecurity;
 import org.apache.ws.security.message.token.DerivedKeyToken;
 import org.apache.ws.security.message.token.Reference;
 import org.apache.ws.security.message.token.SecurityTokenReference;
+import org.apache.ws.security.processor.Processor;
 import org.apache.ws.security.saml.SAMLKeyInfo;
 import org.apache.ws.security.saml.SAMLUtil;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
@@ -38,9 +41,12 @@ import org.w3c.dom.Element;
 import java.security.Principal;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Map;
 
 import javax.security.auth.callback.Callback;
+import javax.xml.namespace.QName;
 
 /**
  * This implementation of STRParser is for parsing a SecurityTokenReference element, found
in the
@@ -92,13 +98,28 @@ public class SecurityTokenRefSTRParser i
         if (result != null) {
             processPreviousResult(result, secRef, data, parameters, wsDocInfo, bspCompliant);
         } else if (secRef.containsReference()) {
-            Reference reference = secRef.getReference();
-            // Try asking the CallbackHandler for the secret key
-            secretKey = getSecretKeyFromToken(uri, reference.getValueType(), data);
-            if (secretKey == null) {
-                throw new WSSecurityException(
-                    WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[] {uri}
-                );
+            Element token = 
+                secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
+            QName el = new QName(token.getNamespaceURI(), token.getLocalName());
+            if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
+                Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
+                List<WSSecurityEngineResult> bstResult =
+                        proc.handleToken(token, data, wsDocInfo);
+                BinarySecurity bstToken = 
+                        (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                if (bspCompliant) {
+                    BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, bstToken);
+                }
+                secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
+            } else {
+                Reference reference = secRef.getReference();
+                // Try asking the CallbackHandler for the secret key
+                secretKey = getSecretKeyFromToken(uri, reference.getValueType(), data);
+                if (secretKey == null) {
+                    throw new WSSecurityException(
+                        WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[]
{uri}
+                    );
+                }
             }
         } else if (secRef.containsKeyIdentifier()) {
             String valueType = secRef.getKeyIdentifierValueType();
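Review bot: The new BINARY_TOKEN branch assigns `secretKey` from `bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET)` without a null check, whereas the `else` branch directly below it throws `unsupportedKeyId` when no key is found; a referenced BinarySecurityToken whose processor records no TAG_SECRET therefore leaves `secretKey` null and falls through, unless a check follows the chain outside this hunk. The same gap exists in the next hunk, where the `WSS_KRB_KI_VALUE_TYPE` loop simply ends with `secretKey` still null when no BST digest matches. Both places should mirror the existing branch: `if (secretKey == null) { throw new WSSecurityException(WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[] {uri}); }`. It is also worth confirming that `proc.handleToken` never returns an empty list and that `getTokenElement` throws rather than returns null, since `bstResult.get(0)` and `token.getNamespaceURI()` assume both. The enclosing method starts before this hunk and continues after it.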
@@ -111,6 +132,19 @@ public class SecurityTokenRefSTRParser i
                     );
                 secretKey = 
                     getSecretKeyFromAssertion(assertion, secRef, data, wsDocInfo, bspCompliant);
+            } else if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) {
+                byte[] keyBytes = secRef.getSKIBytes();
+                List<WSSecurityEngineResult> resultsList = 
+                    wsDocInfo.getResultsByTag(WSConstants.BST);
+                for (WSSecurityEngineResult bstResult : resultsList) {
+                    BinarySecurity bstToken = 
+                        (BinarySecurity)bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                    byte[] tokenDigest = WSSecurityUtil.generateDigest(bstToken.getToken());
+                    if (Arrays.equals(tokenDigest, keyBytes)) {
+                        secretKey = (byte[])bstResult.get(WSSecurityEngineResult.TAG_SECRET);
+                        break;
+                    }
+                }
             } else {
                 if (bspCompliant && SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType))
{
                     BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
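Review bot: The digest lookup iterates only over `wsDocInfo.getResultsByTag(WSConstants.BST)`, i.e. BinarySecurityTokens that have already been processed, so a Kerberos BST placed after the encrypted content in the header would apparently not be found (the new test prepends the BST, which satisfies this). If that ordering is an intended requirement it should be stated at the loop: `// Only BSTs already processed earlier in the header are candidates; the Kerberos token must precede the encrypted content`. `bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN)` is also cast and dereferenced without a null check; if any BST result can lack that tag, a `continue` on null would keep an unrelated result from aborting the lookup. The enclosing method continues outside this hunk.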

Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java?rev=1160235&r1=1160234&r2=1160235&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
(original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
Mon Aug 22 12:19:51 2011
@@ -281,6 +281,85 @@ public class KerberosTest extends org.ju
                 org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc);
             LOG.debug(outputString);
         }
+        
+        // Configure the Validator
+        WSSConfig wssConfig = WSSConfig.getNewInstance();
+        KerberosTokenValidator validator = new KerberosTokenValidator();
+        validator.setJaasLoginModuleName("bob");
+        validator.setServiceName("bob@service.ws.apache.org");
+        wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+        WSSecurityEngine secEngine = new WSSecurityEngine();
+        secEngine.setWssConfig(wssConfig);
+        
+        List<WSSecurityEngineResult> results = 
+            secEngine.processSecurityHeader(encryptedDoc, null, null, null);
+        WSSecurityEngineResult actionResult =
+            WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+        BinarySecurity token =
+            (BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+        assertTrue(token != null);
+        
+        Principal principal = (Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+        assertTrue(principal instanceof KerberosPrincipal);
+        assertTrue(principal.getName().contains("alice"));
+    }
+    
+    /**
+     * Test using the KerberosSecurity class to retrieve a service ticket from a KDC, wrap
it
+     * in a BinarySecurityToken, and use the session key to encrypt the SOAP Body.
+     */
+    @org.junit.Test
+    @org.junit.Ignore
+    public void testKerberosEncryptionKI() throws Exception {
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        KerberosSecurity bst = new KerberosSecurity(doc);
+        bst.retrieveServiceTicket("alice", null, "bob@service.ws.apache.org");
+        bst.setID("Id-" + bst.hashCode());
+        
+        WSSecEncrypt builder = new WSSecEncrypt();
+        builder.setSymmetricEncAlgorithm(WSConstants.AES_128);
+        SecretKey secretKey = bst.getSecretKey();
+        builder.setSymmetricKey(secretKey);
+        builder.setEncryptSymmKey(false);
+        builder.setCustomReferenceValue(WSConstants.WSS_KRB_KI_VALUE_TYPE);
+
+        byte[] digestBytes = WSSecurityUtil.generateDigest(bst.getToken());
+        builder.setEncKeyId(Base64.encode(digestBytes));
+        
+        Document encryptedDoc = builder.build(doc, null, secHeader);
+        
+        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
+        
+        if (LOG.isDebugEnabled()) {
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc);
+            LOG.debug(outputString);
+        }
+        
+        // Configure the Validator
+        WSSConfig wssConfig = WSSConfig.getNewInstance();
+        KerberosTokenValidator validator = new KerberosTokenValidator();
+        validator.setJaasLoginModuleName("bob");
+        validator.setServiceName("bob@service.ws.apache.org");
+        wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+        WSSecurityEngine secEngine = new WSSecurityEngine();
+        secEngine.setWssConfig(wssConfig);
+        
+        List<WSSecurityEngineResult> results = 
+            secEngine.processSecurityHeader(encryptedDoc, null, null, null);
+        WSSecurityEngineResult actionResult =
+            WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+        BinarySecurity token =
+            (BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+        assertTrue(token != null);
+        
+        Principal principal = (Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+        assertTrue(principal instanceof KerberosPrincipal);
+        assertTrue(principal.getName().contains("alice"));
     
     }
     
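Review bot: `testKerberosEncryptionKI` asserts only the BinarySecurityToken result (`WSConstants.BST`) and the principal; it never checks that the ReferenceList was processed and the Body decrypted, so the decryption path this commit adds to SecurityTokenRefSTRParser is exercised but not verified. Add after the BST checks: `WSSecurityEngineResult encrResult = WSSecurityUtil.fetchActionResult(results, WSConstants.ENCR);` and `assertTrue(encrResult != null);` (the same applies to the preceding test, whose validator block at the top of this hunk belongs to a method that starts outside it). The validator setup and result checks are duplicated verbatim between the two tests and would read better as a private helper. The test is `@org.junit.Ignore`d, presumably because it needs a live KDC; a comment stating that would save the next reader from wondering why it is disabled.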


