001: /**
002: * $Id: EncryptionFilter.java,v 1.10 2007/01/13 16:44:58 kumarjayanti Exp $
003: */package com.sun.xml.wss.impl.filter;
004:
005: import com.sun.xml.wss.ProcessingContext;
006: import com.sun.xml.wss.XWSSecurityException;
007: import com.sun.xml.wss.impl.FilterProcessingContext;
008: import com.sun.xml.ws.security.opt.impl.JAXBFilterProcessingContext;
009: import java.security.cert.X509Certificate;
010: import javax.crypto.SecretKey;
011:
012: import com.sun.xml.wss.impl.PolicyTypeUtil;
013: import com.sun.xml.wss.impl.HarnessUtil;
014: import com.sun.xml.wss.impl.MessageConstants;
015: import com.sun.xml.wss.impl.callback.DynamicPolicyCallback;
016: import com.sun.xml.wss.impl.apachecrypto.DecryptionProcessor;
017: import com.sun.xml.wss.impl.apachecrypto.EncryptionProcessor;
018: import com.sun.xml.wss.impl.misc.SecurityUtil;
019: import com.sun.xml.wss.impl.policy.mls.WSSPolicy;
020: import com.sun.xml.wss.impl.policy.mls.EncryptionPolicy;
021: import com.sun.xml.wss.impl.policy.mls.SymmetricKeyBinding;
022: import com.sun.xml.wss.impl.policy.mls.DerivedTokenKeyBinding;
023: import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
024: import com.sun.xml.wss.impl.configuration.DynamicApplicationContext;
025:
026: import java.util.logging.Level;
027: import java.util.logging.Logger;
028:
029: import com.sun.xml.wss.logging.LogDomainConstants;
030: import com.sun.xml.wss.impl.policy.mls.SecureConversationTokenKeyBinding;
031: import com.sun.xml.wss.impl.policy.mls.IssuedTokenKeyBinding;
032:
033: import org.w3c.dom.Element;
034:
035: /**
036: * Performs encryption or decryption
037: *
038: * Message ANNOTATION is performed as follows:
039: *
040: * if (complete policy resolution should happen)
041: * make DynamicPolicyCallback
042: * else
043: * // assumes feature binding component is statically specified -
044: * // including targets and canonicalization algorithm
045: * if (X509CertificateBinding)
046: * resolve certificate - make EncryptionKeyCallback
047: * else
048: * if (SymmetricKeyBinding)
049: * resolve symmetric key - make SymmetricKeyCallback
050: * else
051: * throw Exception
052: * call EncryptionProcessor
053: *
054: * Message (decryption) VALIDATION is performed as follows:
055: *
056: * if (ADHOC processing mode)
057: * if (complete policy resolution should happen)
058: * make DynamicPolicyCallback
059: * call DecryptionProcessor
060: * else
061: * if (POSTHOC or DEFAULT mode)
062: * call DecryptionProcessor
063: */
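public class EncryptionFilter {

    protected static final Logger log = Logger.getLogger(
            LogDomainConstants.IMPL_FILTER_DOMAIN,
            LogDomainConstants.IMPL_FILTER_DOMAIN_BUNDLE);

    /** Extraneous-property keys that switch on WS-Security 1.1 policy handling per direction. */
    private static final String ENABLE_WSS11_RECEIVER = "EnableWSS11PolicyReceiver";
    private static final String ENABLE_WSS11_SENDER = "EnableWSS11PolicySender";

    /**
     * Entry point of the filter.
     *
     * <p>Outbound: resolves the key binding of the current {@link EncryptionPolicy}
     * (statically, or through a {@link DynamicPolicyCallback} when the context asks
     * for it), stores the resolved policy back into the context and encrypts.
     * Inbound: optionally resolves the policy dynamically, then decrypts.
     *
     * @param context the filter processing context carrying the security policy,
     *        the security environment and the extraneous (runtime) properties
     * @throws XWSSecurityException if the policy cannot be resolved, a key or
     *         certificate cannot be obtained, the key binding is unsupported, or
     *         the crypto processing itself fails
     */
    public static void process(FilterProcessingContext context)
            throws XWSSecurityException {
        if (context.isInboundMessage()) {
            processInbound(context);
        } else {
            processOutbound(context);
        }
    }

    /**
     * Outbound path: resolve the encryption policy, publish it on the context and encrypt.
     *
     * @param context the current filter processing context
     * @throws XWSSecurityException on any resolution or encryption failure
     */
    private static void processOutbound(FilterProcessingContext context)
            throws XWSSecurityException {
        EncryptionPolicy policy = (EncryptionPolicy) context.getSecurityPolicy();
        EncryptionPolicy resolvedPolicy;

        if (context.makeDynamicPolicyCallback()) {
            resolvedPolicy = resolvePolicyDynamically(context, policy, false,
                    "WSS1412.error.processing.dynamicpolicy");
        } else {
            // The static path mutates the context (certificate / symmetric key
            // bindings) and, for SAML, the policy itself; the policy object stays
            // the resolved one.
            resolveKeyBindingStatically(context, policy);
            resolvedPolicy = policy;
        }

        context.setSecurityPolicy(resolvedPolicy);
        encrypt(context);
    }

    /**
     * Inbound path: resolve the policy dynamically if requested, then decrypt.
     *
     * @param context the current filter processing context
     * @throws XWSSecurityException on any resolution or decryption failure
     */
    private static void processInbound(FilterProcessingContext context)
            throws XWSSecurityException {
        if (context.makeDynamicPolicyCallback()) {
            WSSPolicy policy = (WSSPolicy) context.getSecurityPolicy();
            // NOTE(review): the message key below names "signature"; it looks
            // inherited from the signature filter - confirm against the bundle.
            EncryptionPolicy resolvedPolicy = resolvePolicyDynamically(context, policy, true,
                    "WSS1420.dynamic.policy.signature");
            context.setSecurityPolicy(resolvedPolicy);
        }

        DecryptionProcessor.decrypt(context);
    }

    /**
     * Resolves the policy through the application's {@link DynamicPolicyCallback}.
     *
     * <p>The policy is marked read-only before it is handed to the callback handler,
     * and the context's extraneous properties are copied into the dynamic context's
     * runtime properties so the handler can see them.
     *
     * @param context the current filter processing context
     * @param policy the (unresolved) policy to hand to the callback
     * @param inbound whether the message being processed is inbound
     * @param errorKey the bundle key logged when the callback fails
     * @return the policy returned by the callback
     * @throws XWSSecurityException wrapping any failure raised by the callback
     */
    private static EncryptionPolicy resolvePolicyDynamically(FilterProcessingContext context,
            WSSPolicy policy, boolean inbound, String errorKey) throws XWSSecurityException {
        try {
            ((EncryptionPolicy) policy).isReadOnly(true);

            DynamicApplicationContext dynamicContext =
                    new DynamicApplicationContext(context.getPolicyContext());
            dynamicContext.setMessageIdentifier(context.getMessageIdentifier());
            dynamicContext.inBoundMessage(inbound);

            DynamicPolicyCallback dynamicCallback =
                    new DynamicPolicyCallback(policy, dynamicContext);
            ProcessingContext.copy(dynamicContext.getRuntimeProperties(),
                    context.getExtraneousProperties());
            HarnessUtil.makeDynamicPolicyCallback(dynamicCallback,
                    context.getSecurityEnvironment().getCallbackHandler());

            return (EncryptionPolicy) dynamicCallback.getSecurityPolicy();
        } catch (Exception e) {
            log.log(Level.SEVERE, errorKey, new Object[] { e.getMessage() });
            throw new XWSSecurityException(e);
        }
    }

    /**
     * Resolves the policy's key binding without a dynamic callback, i.e. the
     * feature binding (targets, algorithms) is assumed to be statically specified.
     *
     * @param context the current filter processing context
     * @param policy the outbound encryption policy
     * @throws XWSSecurityException if a key or certificate cannot be resolved or
     *         the key binding type is not supported for encryption
     */
    private static void resolveKeyBindingStatically(FilterProcessingContext context,
            EncryptionPolicy policy) throws XWSSecurityException {
        boolean wss11Receiver = "true".equals(context.getExtraneousProperty(ENABLE_WSS11_RECEIVER));
        boolean wss11Sender = "true".equals(context.getExtraneousProperty(ENABLE_WSS11_SENDER));
        // Reuse the secret received earlier (EncryptedKeySHA1 reference) only when
        // both sides run WSS 1.1 and such a secret is actually present.
        boolean sendEKSHA1 = wss11Receiver && wss11Sender && getReceivedSecret(context) != null;

        String dataEncAlgo = resolveDataEncryptionAlgorithm(context, policy);
        WSSPolicy keyBinding = normalizeDerivedX509Binding((WSSPolicy) policy.getKeyBinding());

        if (PolicyTypeUtil.x509CertificateBinding(keyBinding)) {
            resolveX509Certificate(context, keyBinding);
        } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding)) {
            resolveSymmetricKey(context, keyBinding, dataEncAlgo, sendEKSHA1);
        } else if (PolicyTypeUtil.samlTokenPolicy(keyBinding)) {
            resolveSamlBinding(context, policy);
        } else if (PolicyTypeUtil.secureConversationTokenKeyBinding(keyBinding)) {
            // resolve the ProofKey here and set it into ProcessingContext
            SecurityUtil.resolveSCT(context, (SecureConversationTokenKeyBinding) keyBinding);
        } else if (PolicyTypeUtil.issuedTokenKeyBinding(keyBinding)) {
            SecurityUtil.resolveIssuedToken(context, (IssuedTokenKeyBinding) keyBinding);
        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding)) {
            resolveDerivedTokenBinding(context, keyBinding, dataEncAlgo, sendEKSHA1);
        } else {
            log.log(Level.SEVERE, "WSS1422.unsupported.keybinding.EncryptionPolicy");
            throw new XWSSecurityException("Unsupported KeyBinding for EncryptionPolicy");
        }
    }

    /**
     * Picks the data encryption algorithm: the feature binding's value, else the
     * context's algorithm suite, else the historical Triple-DES default.
     *
     * @param context the current filter processing context
     * @param policy the outbound encryption policy
     * @return a non-empty algorithm URI
     */
    private static String resolveDataEncryptionAlgorithm(FilterProcessingContext context,
            EncryptionPolicy policy) {
        EncryptionPolicy.FeatureBinding featureBinding =
                (EncryptionPolicy.FeatureBinding) policy.getFeatureBinding();
        String algo = featureBinding.getDataEncryptionAlgorithm();

        if (isEmpty(algo) && context.getAlgorithmSuite() != null) {
            algo = context.getAlgorithmSuite().getEncryptionAlgorithm();
        }
        if (isEmpty(algo)) {
            // Nothing configured anywhere: fall back to the legacy default and say so,
            // since the fallback silently weakens what the policy author may expect.
            log.log(Level.WARNING, "No data encryption algorithm configured; defaulting to "
                    + MessageConstants.TRIPLE_DES_BLOCK_ENCRYPTION);
            return MessageConstants.TRIPLE_DES_BLOCK_ENCRYPTION;
        }
        return algo;
    }

    /** @return {@code true} for {@code null} or the empty string. */
    private static boolean isEmpty(String s) {
        return s == null || "".equals(s);
    }

    /**
     * A DerivedTokenKeyBinding whose original key binding is an X509 binding is
     * treated the same as a DerivedKey over a SymmetricKeyBinding that itself wraps
     * the X509 binding. Any other key binding is returned untouched.
     *
     * @param keyBinding the policy's key binding
     * @return the (possibly rewritten, cloned) key binding to resolve
     * @throws XWSSecurityException if a binding cannot be cloned
     */
    private static WSSPolicy normalizeDerivedX509Binding(WSSPolicy keyBinding)
            throws XWSSecurityException {
        if (!PolicyTypeUtil.derivedTokenKeyBinding(keyBinding)) {
            return keyBinding;
        }
        DerivedTokenKeyBinding dtk = (DerivedTokenKeyBinding) keyBinding.clone();
        WSSPolicy originalKeyBinding = dtk.getOriginalKeyBinding();
        if (!PolicyTypeUtil.x509CertificateBinding(originalKeyBinding)) {
            return keyBinding;
        }

        AuthenticationTokenPolicy.X509CertificateBinding ckBindingClone =
                (AuthenticationTokenPolicy.X509CertificateBinding) originalKeyBinding.clone();
        // Wrap the X509 binding in a symmetric binding and make that the original
        // binding of the derived-key binding.
        SymmetricKeyBinding skb = new SymmetricKeyBinding();
        skb.setKeyBinding(ckBindingClone);
        dtk.setOriginalKeyBinding(skb);
        return dtk;
    }

    /**
     * Looks up the certificate named by an X509 binding and publishes a clone of the
     * binding, with the certificate attached, on the context.
     *
     * @param context the current filter processing context
     * @param x509KeyBinding a binding for which
     *        {@link PolicyTypeUtil#x509CertificateBinding} holds
     * @throws XWSSecurityException wrapping any failure while obtaining the certificate
     */
    private static void resolveX509Certificate(FilterProcessingContext context,
            WSSPolicy x509KeyBinding) throws XWSSecurityException {
        try {
            AuthenticationTokenPolicy.X509CertificateBinding binding =
                    (AuthenticationTokenPolicy.X509CertificateBinding) x509KeyBinding.clone();
            String certIdentifier = binding.getCertificateIdentifier();

            X509Certificate cert = context.getSecurityEnvironment()
                    .getCertificate(context.getExtraneousProperties(), certIdentifier, false);
            binding.setX509Certificate(cert);

            context.setX509CertificateBinding(binding);
        } catch (Exception e) {
            log.log(Level.SEVERE, "WSS1413.error.extracting.certificate", e);
            throw new XWSSecurityException(e);
        }
    }

    /**
     * Resolves a SymmetricKeyBinding: resolves the wrapped X509 certificate (unless
     * the received secret is reused), then obtains the secret key from the keystore,
     * the received secret, or a freshly generated key, and publishes the binding.
     *
     * <p>A certificate failure is logged once as WSS1413 and propagated as-is rather
     * than being re-logged as WSS1414 (that message is meant for the keystore case).
     *
     * @param context the current filter processing context
     * @param keyBinding a binding for which {@link PolicyTypeUtil#symmetricKeyBinding} holds
     * @param dataEncAlgo algorithm used when a fresh symmetric key has to be generated
     * @param sendEKSHA1 whether the secret received earlier is to be reused
     * @throws XWSSecurityException wrapping any failure while obtaining the key
     */
    private static void resolveSymmetricKey(FilterProcessingContext context,
            WSSPolicy keyBinding, String dataEncAlgo, boolean sendEKSHA1)
            throws XWSSecurityException {
        SymmetricKeyBinding binding = (SymmetricKeyBinding) keyBinding.clone();
        WSSPolicy ckBinding = (WSSPolicy) binding.getKeyBinding();

        if (PolicyTypeUtil.x509CertificateBinding(ckBinding) && !sendEKSHA1) {
            resolveX509Certificate(context, ckBinding);
        }

        SecretKey sKey;
        try {
            String keyIdentifier = binding.getKeyIdentifier();
            // A missing identifier is treated like an empty one: no keystore lookup.
            if (keyIdentifier != null && !keyIdentifier.equals(MessageConstants._EMPTY)) {
                sKey = context.getSecurityEnvironment()
                        .getSecretKey(context.getExtraneousProperties(), keyIdentifier, true);
            } else if (sendEKSHA1) {
                sKey = getReceivedSecret(context);
            } else {
                // Covers both the WSS 1.0 and the WSS 1.1 sender case.
                sKey = SecurityUtil.generateSymmetricKey(dataEncAlgo);
            }
        } catch (Exception e) {
            log.log(Level.SEVERE, "WSS1414.error.extracting.symmetrickey",
                    new Object[] { e.getMessage() });
            throw new XWSSecurityException(e);
        }

        binding.setSecretKey(sKey);
        context.setSymmetricKeyBinding(binding);
    }

    /**
     * Resolves a SAML assertion key binding: either asks the security environment to
     * populate the SAML policy, or, when an incoming assertion element is already
     * present on the context, uses that element. The resolved binding replaces the
     * policy's key binding.
     *
     * @param context the current filter processing context
     * @param policy the outbound encryption policy (mutated)
     * @throws XWSSecurityException if the assertion is not set after population
     */
    private static void resolveSamlBinding(FilterProcessingContext context,
            EncryptionPolicy policy) throws XWSSecurityException {
        WSSPolicy keyBinding = (WSSPolicy) policy.getKeyBinding();

        DynamicApplicationContext dynamicContext =
                new DynamicApplicationContext(context.getPolicyContext());
        dynamicContext.setMessageIdentifier(context.getMessageIdentifier());
        dynamicContext.inBoundMessage(false);

        AuthenticationTokenPolicy.SAMLAssertionBinding binding =
                (AuthenticationTokenPolicy.SAMLAssertionBinding) keyBinding;
        binding.isReadOnly(true);

        AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding =
                new AuthenticationTokenPolicy.SAMLAssertionBinding();

        Object assertion = context.getExtraneousProperty(MessageConstants.INCOMING_SAML_ASSERTION);
        if (assertion == null) {
            samlBinding = context.getSecurityEnvironment()
                    .populateSAMLPolicy(context.getExtraneousProperties(), binding, dynamicContext);
        } else if (assertion instanceof Element) {
            samlBinding.setAssertion((Element) assertion);
            if (samlBinding.getAssertion() == null) {
                log.log(Level.SEVERE, "WSS1415.saml.assertion.notset");
                throw new XWSSecurityException(
                        "SAML Assertion not set by CallbackHandler "
                        + " for Encryption Processing");
            }
        }
        // NOTE(review): an INCOMING_SAML_ASSERTION property that is not an Element
        // leaves samlBinding without an assertion; kept as in the original - confirm
        // whether that should be rejected here.

        policy.setKeyBinding(samlBinding);
    }

    /**
     * Resolves a DerivedTokenKeyBinding by resolving its original key binding:
     * a symmetric binding gets its certificate resolved and a secret key attached;
     * secure-conversation and issued-token bindings are resolved via SecurityUtil.
     *
     * @param context the current filter processing context
     * @param keyBinding a binding for which {@link PolicyTypeUtil#derivedTokenKeyBinding} holds
     * @param dataEncAlgo algorithm used when a fresh symmetric key has to be generated
     * @param sendEKSHA1 whether the secret received earlier is to be reused
     * @throws XWSSecurityException on any resolution failure
     */
    private static void resolveDerivedTokenBinding(FilterProcessingContext context,
            WSSPolicy keyBinding, String dataEncAlgo, boolean sendEKSHA1)
            throws XWSSecurityException {
        DerivedTokenKeyBinding dtk = (DerivedTokenKeyBinding) keyBinding.clone();
        WSSPolicy originalKeyBinding = dtk.getOriginalKeyBinding();

        if (PolicyTypeUtil.symmetricKeyBinding(originalKeyBinding)) {
            SymmetricKeyBinding symmBinding = (SymmetricKeyBinding) originalKeyBinding.clone();
            WSSPolicy ckBinding = (WSSPolicy) originalKeyBinding.getKeyBinding();

            if (PolicyTypeUtil.x509CertificateBinding(ckBinding) && !sendEKSHA1) {
                resolveX509Certificate(context, ckBinding);
            }

            // Either reuse the received secret or derive from a fresh key
            // (the fresh-key case covers both WSS 1.0 and WSS 1.1 senders).
            SecretKey sKey = sendEKSHA1
                    ? getReceivedSecret(context)
                    : SecurityUtil.generateSymmetricKey(dataEncAlgo);
            symmBinding.setSecretKey(sKey);
            context.setSymmetricKeyBinding(symmBinding);
        } else if (PolicyTypeUtil.secureConversationTokenKeyBinding(originalKeyBinding)) {
            // resolve the ProofKey here and set it into ProcessingContext
            SecurityUtil.resolveSCT(context,
                    (SecureConversationTokenKeyBinding) originalKeyBinding);
        } else if (PolicyTypeUtil.issuedTokenKeyBinding(originalKeyBinding)) {
            SecurityUtil.resolveIssuedToken(context, (IssuedTokenKeyBinding) originalKeyBinding);
        }
        // NOTE(review): any other original key binding falls through silently, as in
        // the original code - confirm whether WSS1422 should be raised instead.
    }

    /**
     * Dispatches encryption to the JAXB-optimized processor when the context is a
     * {@link JAXBFilterProcessingContext}, and to the DOM-based one otherwise.
     *
     * @param context the current filter processing context
     * @throws XWSSecurityException if encryption fails
     */
    private static void encrypt(FilterProcessingContext context)
            throws XWSSecurityException {
        if (context instanceof JAXBFilterProcessingContext) {
            new com.sun.xml.ws.security.opt.impl.enc.EncryptionProcessor()
                    .process((JAXBFilterProcessingContext) context);
        } else {
            EncryptionProcessor.encrypt(context);
        }
    }

    /**
     * Returns the secret key received earlier in the exchange, if any.
     *
     * @param context the current filter processing context
     * @return the value stored under {@link MessageConstants#SECRET_KEY_VALUE},
     *         or {@code null} when none was stored
     */
    private static SecretKey getReceivedSecret(FilterProcessingContext context) {
        return (SecretKey) context.getExtraneousProperty(MessageConstants.SECRET_KEY_VALUE);
    }

}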
|