From cohei...@apache.org
Subject svn commit: r1167207 - in /webservices/wss4j/trunk/src/main/java/org/apache/ws/security: WSDocInfo.java str/DerivedKeyTokenSTRParser.java str/SecurityTokenRefSTRParser.java str/SignatureSTRParser.java
Date Fri, 09 Sep 2011 14:26:38 GMT
Author: coheigea
Date: Fri Sep  9 14:26:38 2011
New Revision: 1167207

URL: http://svn.apache.org/viewvc?rev=1167207&view=rev
Log:
[WSS-307] - Changed the STRParsers to first look for a secret key from the CallbackHandler
for the Kerberos KeyIdentifier case.

Modified:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java?rev=1167207&r1=1167206&r2=1167207&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java Fri Sep  9
14:26:38 2011
@@ -253,7 +253,7 @@ public class WSDocInfo {
                 }
             }
         }
-        return resultsList;
+        return foundResults;
     }
 
     /**

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java?rev=1167207&r1=1167206&r2=1167207&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
Fri Sep  9 14:26:38 2011
@@ -27,16 +27,20 @@ import org.apache.ws.security.WSSecurity
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.message.token.BinarySecurity;
 import org.apache.ws.security.message.token.SecurityTokenReference;
 import org.apache.ws.security.message.token.UsernameToken;
 import org.apache.ws.security.saml.SAMLKeyInfo;
 import org.apache.ws.security.saml.SAMLUtil;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.util.WSSecurityUtil;
 import org.w3c.dom.Element;
 
 import java.security.Principal;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Map;
 
 import javax.security.auth.callback.Callback;
@@ -91,21 +95,58 @@ public class DerivedKeyTokenSTRParser im
             // Now use the callback and get it
             secretKey = 
                 getSecretKeyFromToken(uri, null, WSPasswordCallback.SECURITY_CONTEXT_TOKEN,
data);
+            if (secretKey == null) {
+                throw new WSSecurityException(
+                    WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[] {uri}
+                );
+            }
         } else if (secRef.containsKeyIdentifier()) {
             String keyIdentifierValueType = secRef.getKeyIdentifierValueType();
-            if (bspCompliant 
-                && keyIdentifierValueType.equals(SecurityTokenReference.ENC_KEY_SHA1_URI))
{
-                BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
-            }
-            X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
-            if (certs == null || certs.length < 1 || certs[0] == null) {
+            if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(keyIdentifierValueType)) {
                 secretKey = 
-                    this.getSecretKeyFromToken(
+                    getSecretKeyFromToken(
                         secRef.getKeyIdentifierValue(), keyIdentifierValueType, 
                         WSPasswordCallback.SECRET_KEY, data
-                   ); 
+                    );
+                if (secretKey == null) {
+                    byte[] keyBytes = secRef.getSKIBytes();
+                    List<WSSecurityEngineResult> resultsList = 
+                        wsDocInfo.getResultsByTag(WSConstants.BST);
+                    for (WSSecurityEngineResult bstResult : resultsList) {
+                        BinarySecurity bstToken = 
+                            (BinarySecurity)bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                        byte[] tokenDigest = WSSecurityUtil.generateDigest(bstToken.getToken());
+                        if (Arrays.equals(tokenDigest, keyBytes)) {
+                            secretKey = (byte[])bstResult.get(WSSecurityEngineResult.TAG_SECRET);
+                            break;
+                        }
+                    }
+                }
+                if (secretKey == null) {
+                    throw new WSSecurityException(
+                        WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[]
{uri}
+                    );
+                }
             } else {
-                secretKey = crypto.getPrivateKey(certs[0], data.getCallbackHandler()).getEncoded();
+                if (bspCompliant 
+                    && keyIdentifierValueType.equals(SecurityTokenReference.ENC_KEY_SHA1_URI))
{
+                    BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
+                }
+                X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
+                if (certs == null || certs.length < 1 || certs[0] == null) {
+                    secretKey = 
+                        this.getSecretKeyFromToken(
+                            secRef.getKeyIdentifierValue(), keyIdentifierValueType, 
+                            WSPasswordCallback.SECRET_KEY, data
+                       ); 
+                    if (secretKey == null) {
+                        throw new WSSecurityException(
+                            WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[]
{uri}
+                        );
+                    }
+                } else {
+                    secretKey = crypto.getPrivateKey(certs[0], data.getCallbackHandler()).getEncoded();
+                }
             }
         } else {
             throw new WSSecurityException(
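Review bot: The two `unsupportedKeyId` exceptions added in the KeyIdentifier branch (after the Kerberos lookup and after the certificate lookup) report `uri`, which appears to be the Reference URI set in the `containsReference()` branch and so is probably null here, leaving the error with no indication of which key identifier was rejected; the value actually looked up is `secRef.getKeyIdentifierValue()`, i.e. `WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[] {secRef.getKeyIdentifierValue()}`. The same applies to the exception added in the SecurityTokenRefSTRParser hunk. Separately, the digest-over-BST-results loop is now pasted into three parsers (here, SecurityTokenRefSTRParser and SignatureSTRParser.parseBSTKeyIdentifier); a shared helper taking the SKI bytes and the `WSDocInfo` would keep the matching rule in one place. A BST result without a `TAG_SECRET` entry leaves `secretKey` null and is correctly rejected by the following check, but a result lacking `TAG_BINARY_SECURITY_TOKEN` would surface as a NullPointerException from `bstToken.getToken()` rather than a WSSecurityException, so a null guard is worth adding if results tagged `WSConstants.BST` can omit the token. The enclosing method starts and ends outside this hunk.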
@@ -178,7 +219,10 @@ public class DerivedKeyTokenSTRParser im
             new WSPasswordCallback(id, null, type, identifier, data);
         try {
             Callback[] callbacks = new Callback[]{pwcb};
-            data.getCallbackHandler().handle(callbacks);
+            if (data.getCallbackHandler() != null) {
+                data.getCallbackHandler().handle(callbacks);
+                return pwcb.getKey();
+            }
         } catch (Exception e) {
             throw new WSSecurityException(
                 WSSecurityException.FAILURE,
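Review bot: Because `return pwcb.getKey()` now sits inside the try, a CallbackHandler that does not recognise a `SECRET_KEY` callback and throws `UnsupportedCallbackException` (the usual contract for an unknown callback) is turned into a `WSSecurityException` with status FAILURE, so the Kerberos KeyIdentifier path in the previous hunk never reaches its BST-results fallback even though that lookup is what worked before this commit. Catching that case and returning null keeps the new CallbackHandler lookup optional: `} catch (UnsupportedCallbackException e) {` / `return null; // handler does not serve SECRET_KEY callbacks; callers fall back to the BST results` / placed before the existing `} catch (Exception e) {` (import `javax.security.auth.callback.UnsupportedCallbackException` if the file does not already). If the three-argument `getSecretKeyFromToken` called from the SecurityTokenRefSTRParser and SignatureSTRParser hunks wraps exceptions the same way, it needs the same treatment. The try/catch continues into the next hunk and the method's signature is outside this one.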
@@ -188,7 +232,7 @@ public class DerivedKeyTokenSTRParser im
             );
         }
 
-        return pwcb.getKey();
+        return null;
     }
     
     /**

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java?rev=1167207&r1=1167206&r2=1167207&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
Fri Sep  9 14:26:38 2011
@@ -134,18 +134,27 @@ public class SecurityTokenRefSTRParser i
                 secretKey = 
                     getSecretKeyFromAssertion(assertion, secRef, data, wsDocInfo, bspCompliant);
             } else if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) {
-                byte[] keyBytes = secRef.getSKIBytes();
-                List<WSSecurityEngineResult> resultsList = 
-                    wsDocInfo.getResultsByTag(WSConstants.BST);
-                for (WSSecurityEngineResult bstResult : resultsList) {
-                    BinarySecurity bstToken = 
-                        (BinarySecurity)bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-                    byte[] tokenDigest = WSSecurityUtil.generateDigest(bstToken.getToken());
-                    if (Arrays.equals(tokenDigest, keyBytes)) {
-                        secretKey = (byte[])bstResult.get(WSSecurityEngineResult.TAG_SECRET);
-                        break;
+                secretKey = 
+                    getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, data);
+                if (secretKey == null) {
+                    byte[] keyBytes = secRef.getSKIBytes();
+                    List<WSSecurityEngineResult> resultsList = 
+                        wsDocInfo.getResultsByTag(WSConstants.BST);
+                    for (WSSecurityEngineResult bstResult : resultsList) {
+                        BinarySecurity bstToken = 
+                            (BinarySecurity)bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                        byte[] tokenDigest = WSSecurityUtil.generateDigest(bstToken.getToken());
+                        if (Arrays.equals(tokenDigest, keyBytes)) {
+                            secretKey = (byte[])bstResult.get(WSSecurityEngineResult.TAG_SECRET);
+                            break;
+                        }
                     }
                 }
+                if (secretKey == null) {
+                    throw new WSSecurityException(
+                        WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[]
{uri}
+                    );
+                }
             } else {
                 if (bspCompliant && SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType))
{
                     BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1167207&r1=1167206&r2=1167207&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Fri Sep  9 14:26:38 2011
@@ -221,7 +221,7 @@ public class SignatureSTRParser implemen
                 publicKey = samlKi.getPublicKey();
                 principal = createPrincipalFromSAML(assertion);
             } else {
-                parseBSTKeyIdentifier(secRef, crypto, wsDocInfo, bspCompliant);
+                parseBSTKeyIdentifier(secRef, crypto, wsDocInfo, data, bspCompliant);
             }
         } else {
             throw new WSSecurityException(
@@ -342,6 +342,7 @@ public class SignatureSTRParser implemen
         SecurityTokenReference secRef,
         Crypto crypto,
         WSDocInfo wsDocInfo,
+        RequestData data,
         boolean bspCompliant
     ) throws WSSecurityException {
         if (bspCompliant) {
@@ -349,18 +350,24 @@ public class SignatureSTRParser implemen
         }
         String valueType = secRef.getKeyIdentifierValueType();
         if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) {
-            byte[] keyBytes = secRef.getSKIBytes();
-            List<WSSecurityEngineResult> resultsList = 
-                wsDocInfo.getResultsByTag(WSConstants.BST);
-            for (WSSecurityEngineResult bstResult : resultsList) {
-                BinarySecurity bstToken = 
-                    (BinarySecurity)bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-                byte[] tokenDigest = WSSecurityUtil.generateDigest(bstToken.getToken());
-                if (Arrays.equals(tokenDigest, keyBytes)) {
-                    secretKey = (byte[])bstResult.get(WSSecurityEngineResult.TAG_SECRET);
-                    principal = (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
-                    break;
+            secretKey = 
+                getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, data);
+            if (secretKey == null) {
+                byte[] keyBytes = secRef.getSKIBytes();
+                List<WSSecurityEngineResult> resultsList = 
+                    wsDocInfo.getResultsByTag(WSConstants.BST);
+                for (WSSecurityEngineResult bstResult : resultsList) {
+                    BinarySecurity bstToken = 
+                        (BinarySecurity)bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                    byte[] tokenDigest = WSSecurityUtil.generateDigest(bstToken.getToken());
+                    if (Arrays.equals(tokenDigest, keyBytes)) {
+                        secretKey = (byte[])bstResult.get(WSSecurityEngineResult.TAG_SECRET);
+                        principal = (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                        break;
+                    }
                 }
+            } else {
+                principal = new CustomTokenPrincipal(secRef.getKeyIdentifierValue());
             }
         } else {
             X509Certificate[] foundCerts = secRef.getKeyIdentifier(crypto);
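Review bot: When both lookups miss, `parseBSTKeyIdentifier` now leaves `secretKey` and `principal` null and returns normally, whereas the equivalent new code in DerivedKeyTokenSTRParser and SecurityTokenRefSTRParser throws `WSSecurityException(FAILED_CHECK, "unsupportedKeyId", ...)`; unless the caller (outside this hunk) rejects a null key, a Kerberos KeyIdentifier that matches nothing may be accepted here without error. Adding the same check after the loop, `if (secretKey == null) { throw new WSSecurityException(WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[] {secRef.getKeyIdentifierValue()}); }`, makes the three parsers fail the same way. The new `else` branch that builds a `CustomTokenPrincipal` from the key identifier value only runs when the CallbackHandler supplied the key, which deserves a one-line comment such as `// key came from the CallbackHandler, so no BST result carries a principal for it` since the principal's origin differs from the BST-result case. The method's parameter list is in the previous hunk and its body continues past this one.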


