001: /**
002: * $Id: SignatureFilter.java,v 1.9 2007/01/13 16:44:58 kumarjayanti Exp $
003: */package com.sun.xml.wss.impl.filter;
004:
005: import com.sun.xml.wss.ProcessingContext;
006: import com.sun.xml.wss.XWSSecurityException;
007: import com.sun.xml.wss.impl.FilterProcessingContext;
008: import com.sun.xml.ws.security.opt.impl.JAXBFilterProcessingContext;
009:
010: import java.security.PrivateKey;
011: import java.security.cert.X509Certificate;
012: import javax.crypto.SecretKey;
013:
014: import com.sun.xml.wss.impl.dsig.SignatureProcessor;
015: import com.sun.xml.wss.impl.PolicyTypeUtil;
016: import com.sun.xml.wss.impl.HarnessUtil;
017: import com.sun.xml.wss.impl.callback.SignatureKeyCallback;
018: import com.sun.xml.wss.impl.callback.DynamicPolicyCallback;
019: import com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl;
020: import com.sun.xml.wss.impl.misc.SecurityUtil;
021: import com.sun.xml.wss.impl.policy.mls.WSSPolicy;
022: import com.sun.xml.wss.impl.policy.mls.SignaturePolicy;
023: import com.sun.xml.wss.impl.policy.mls.PrivateKeyBinding;
024: import com.sun.xml.wss.impl.policy.mls.SymmetricKeyBinding;
025: import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
026: import com.sun.xml.wss.impl.policy.mls.DerivedTokenKeyBinding;
027: import com.sun.xml.wss.impl.configuration.DynamicApplicationContext;
028:
029: import java.util.logging.Level;
030: import java.util.logging.Logger;
031:
032: import com.sun.xml.wss.logging.LogDomainConstants;
033: import com.sun.xml.wss.impl.MessageConstants;
034: import com.sun.xml.wss.impl.policy.mls.SecureConversationTokenKeyBinding;
035: import com.sun.xml.wss.impl.policy.mls.IssuedTokenKeyBinding;
036:
037: /**
038: * Performs signature or verifies signature
039: *
040: * Message ANNOTATION is performed as follows:
041: *
042: * if (complete policy resolution should happen)
043: * make DynamicPolicyCallback
044: * else
045: * // assumes feature binding component is statically specified -
046: * // including targets and canonicalization algorithm
047: * if (X509CertificateBinding)
048: * resolve certificate - make SignatureKeyCallback
049: * if (X509CertificateBinding has associated SymmetricKeyBinding)
050: * resolve symmetric key - make SymmetricKeyCallback
051: * else
052: * if (X509CertificateBinding has no associated bindings ||
053: * X509CertificateBinding has associated PrivateKeyBinding)
054: * create PrivateKeyBinding if req'd with private key associated with the certificate
055: * else
056: * throw Exception
057: * else
058: * throw Exception
059: *
060: * call SignatureProcessor
061: *
062: * Message (signature verification) VALIDATION is performed as follows:
063: *
064: * if (ADHOC processing mode)
065: * if (complete policy resolution should happen)
066: * make DynamicPolicyCallback
067: * call VerificationProcessor
068: * else
069: * if (POSTHOC or DEFAULT mode)
070: * call VerificationProcessor
071: */
072: public class SignatureFilter {
073:
074: private static Logger log = Logger.getLogger(
075: LogDomainConstants.IMPL_FILTER_DOMAIN,
076: LogDomainConstants.IMPL_FILTER_DOMAIN_BUNDLE);
077:
078: /**
079: * @param context FilterProcessingContext
080: *
081: * @throws XWSSecurityException
082: */
083: public static void process(FilterProcessingContext context)
084: throws XWSSecurityException {
085:
086: if (!context.isInboundMessage()) {
087:
088: WSSPolicy policy = (WSSPolicy) context.getSecurityPolicy();
089: SignaturePolicy resolvedPolicy = (SignaturePolicy) policy;
090:
091: if (!context.makeDynamicPolicyCallback()) {
092:
093: WSSPolicy keyBinding = (WSSPolicy) ((SignaturePolicy) policy)
094: .getKeyBinding();
095: SignaturePolicy.FeatureBinding featureBinding = (SignaturePolicy.FeatureBinding) policy
096: .getFeatureBinding();
097:
098: if (PolicyTypeUtil.x509CertificateBinding(keyBinding)) {
099: try {
100: AuthenticationTokenPolicy.X509CertificateBinding binding = (AuthenticationTokenPolicy.X509CertificateBinding) keyBinding
101: .clone();
102: String certIdentifier = binding
103: .getCertificateIdentifier();
104: String algorithm = binding.getKeyAlgorithm();
105: if (MessageConstants.HMAC_SHA1_SIGMETHOD
106: .equals(algorithm)) {
107: X509Certificate cert = context
108: .getSecurityEnvironment()
109: .getCertificate(
110: context
111: .getExtraneousProperties(),
112: certIdentifier, false);
113: binding.setX509Certificate(cert);
114: } else {
115:
116: if (certIdentifier == null
117: || "".equals(certIdentifier)) {
118:
119: WSSPolicy ckBinding = (WSSPolicy) binding
120: .getKeyBinding();
121:
122: if (ckBinding == null) {
123: ckBinding = (WSSPolicy) binding
124: .newPrivateKeyBinding();
125: }
126:
127: if (context
128: .getSecurityEnvironment()
129: .getClass()
130: .getName()
131: .equals(
132: "com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl")) {
133: SignatureKeyCallback.PrivKeyCertRequest request = ((DefaultSecurityEnvironmentImpl) context
134: .getSecurityEnvironment())
135: .getDefaultPrivKeyCertRequest(context
136: .getExtraneousProperties());
137:
138: binding.setX509Certificate(request
139: .getX509Certificate());
140: if (request.getX509Certificate() == null) {
141: log
142: .log(Level.SEVERE,
143: "WSS1421.no.default.x509certificate.provided");
144: throw new XWSSecurityException(
145: "No default X509Certificate was provided");
146: }
147: ((PrivateKeyBinding) ckBinding)
148: .setPrivateKey(request
149: .getPrivateKey());
150: } else {
151: X509Certificate cert = context
152: .getSecurityEnvironment()
153: .getDefaultCertificate(
154: context
155: .getExtraneousProperties());
156: if (cert == null) {
157: log
158: .log(Level.SEVERE,
159: "WSS1421.no.default.x509certificate.provided");
160: throw new XWSSecurityException(
161: "No default X509Certificate was provided");
162: }
163: binding.setX509Certificate(cert);
164: PrivateKey pk = context
165: .getSecurityEnvironment()
166: .getPrivateKey(
167: context
168: .getExtraneousProperties(),
169: cert);
170: ((PrivateKeyBinding) ckBinding)
171: .setPrivateKey(pk);
172: }
173:
174: } else {
175:
176: if (context
177: .getSecurityEnvironment()
178: .getClass()
179: .getName()
180: .equals(
181: "com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl")) {
182: SignatureKeyCallback.AliasPrivKeyCertRequest request = ((DefaultSecurityEnvironmentImpl) context
183: .getSecurityEnvironment())
184: .getAliasPrivKeyCertRequest(certIdentifier);
185:
186: binding.setX509Certificate(request
187: .getX509Certificate());
188: if (request.getX509Certificate() == null) {
189: log
190: .log(Level.SEVERE,
191: "WSS1421.no.default.x509certificate.provided");
192: throw new XWSSecurityException(
193: "No X509Certificate was provided");
194: }
195:
196: WSSPolicy ckBinding = (WSSPolicy) binding
197: .getKeyBinding();
198:
199: if (PolicyTypeUtil
200: .privateKeyBinding(ckBinding)) {
201: ((PrivateKeyBinding) ckBinding)
202: .setPrivateKey(request
203: .getPrivateKey());
204: } else {
205: if (ckBinding == null) {
206: // keyBinding un-defined
207:
208: ((PrivateKeyBinding) binding
209: .newPrivateKeyBinding())
210: .setPrivateKey(request
211: .getPrivateKey());
212: } else {
213: log
214: .log(Level.SEVERE,
215: "WSS1416.unsupported.keybinding");
216: throw new XWSSecurityException(
217: "Unsupported KeyBinding for X509CertificateBinding");
218: }
219: }
220: } else {
221: // not handling symmetric key for provider
222: X509Certificate cert = context
223: .getSecurityEnvironment()
224: .getCertificate(
225: context
226: .getExtraneousProperties(),
227: certIdentifier,
228: true);
229: binding.setX509Certificate(cert);
230: WSSPolicy ckBinding = (WSSPolicy) binding
231: .getKeyBinding();
232: PrivateKey key = context
233: .getSecurityEnvironment()
234: .getPrivateKey(
235: context
236: .getExtraneousProperties(),
237: certIdentifier);
238:
239: if (PolicyTypeUtil
240: .privateKeyBinding(ckBinding)) {
241: ((PrivateKeyBinding) ckBinding)
242: .setPrivateKey(key);
243: } else {
244: if (ckBinding == null) {
245: // keyBinding un-defined
246: ((PrivateKeyBinding) binding
247: .newPrivateKeyBinding())
248: .setPrivateKey(key);
249: } else {
250: log
251: .log(Level.SEVERE,
252: "WSS1416.unsupported.keybinding");
253: throw new XWSSecurityException(
254: "Unsupported KeyBinding for X509CertificateBinding");
255: }
256: }
257:
258: }
259: }
260:
261: }
262:
263: context.setX509CertificateBinding(binding);
264:
265: } catch (Exception e) {
266: log
267: .log(
268: Level.SEVERE,
269: "WSS1417.exception.processing.signature",
270: new Object[] { e.getMessage() });
271: throw new XWSSecurityException(e);
272: }
273: } else if (PolicyTypeUtil.samlTokenPolicy(keyBinding)) {
274: //resolvedPolicy = (SignaturePolicy)policy.clone();
275: keyBinding = (WSSPolicy) ((SignaturePolicy) policy)
276: .getKeyBinding();
277:
278: AuthenticationTokenPolicy.SAMLAssertionBinding binding = (AuthenticationTokenPolicy.SAMLAssertionBinding) keyBinding;
279: binding.isReadOnly(true);
280:
281: DynamicApplicationContext dynamicContext = new DynamicApplicationContext(
282: context.getPolicyContext());
283:
284: dynamicContext.setMessageIdentifier(context
285: .getMessageIdentifier());
286: dynamicContext.inBoundMessage(false);
287: context
288: .getExtraneousProperties()
289: .get(
290: MessageConstants.SAML_ASSERTION_CLIENT_CACHE);
291: //try to obtain the HOK assertion
292: AuthenticationTokenPolicy.SAMLAssertionBinding resolvedSAMLBinding = context
293: .getSecurityEnvironment()
294: .populateSAMLPolicy(
295: context.getExtraneousProperties(),
296: binding, dynamicContext);
297:
298: if ((resolvedSAMLBinding.getAssertion() == null)
299: && (resolvedSAMLBinding
300: .getAuthorityBinding() == null)) {
301: log.log(Level.SEVERE,
302: "WSS1418.saml.info.notset");
303: throw new XWSSecurityException(
304: "None of SAML Assertion, SAML AuthorityBinding information was set into "
305: + " the Policy by the CallbackHandler");
306: }
307:
308: policy.setKeyBinding(resolvedSAMLBinding);
309: resolvedPolicy = (SignaturePolicy) policy;
310: context
311: .getExtraneousProperties()
312: .put(
313: MessageConstants.SAML_ASSERTION_CLIENT_CACHE,
314: resolvedSAMLBinding.getAssertion());
315:
316: } else if (PolicyTypeUtil
317: .symmetricKeyBinding(keyBinding)) {
318: try {
319:
320: String dataEncAlgo = null;
321: if (context.getAlgorithmSuite() != null) {
322: dataEncAlgo = context.getAlgorithmSuite()
323: .getEncryptionAlgorithm();
324: } else {
325: dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
326: // warn about using default
327: }
328:
329: SymmetricKeyBinding binding = (SymmetricKeyBinding) keyBinding
330: .clone();
331:
332: String keyIdentifier = binding
333: .getKeyIdentifier();
334: SecretKey sKey = null;
335:
336: WSSPolicy ckBinding = (WSSPolicy) binding
337: .getKeyBinding();
338: boolean wss11Receiver = "true"
339: .equals(context
340: .getExtraneousProperty("EnableWSS11PolicyReceiver"));
341: boolean wss11Sender = "true"
342: .equals(context
343: .getExtraneousProperty("EnableWSS11PolicySender"));
344: boolean wss10 = !wss11Sender;
345: boolean sendEKSHA1 = wss11Receiver
346: && wss11Sender
347: && (getReceivedSecret(context) != null);
348:
349: if (PolicyTypeUtil
350: .x509CertificateBinding(ckBinding)) {
351: try {
352: if (!sendEKSHA1) {
353: AuthenticationTokenPolicy.X509CertificateBinding ckBindingClone = (AuthenticationTokenPolicy.X509CertificateBinding) ckBinding
354: .clone();
355: String certIdentifier = ckBindingClone
356: .getCertificateIdentifier();
357: X509Certificate cert = context
358: .getSecurityEnvironment()
359: .getCertificate(
360: context
361: .getExtraneousProperties(),
362: certIdentifier,
363: false);
364: ckBindingClone
365: .setX509Certificate(cert);
366: context
367: .setX509CertificateBinding(ckBindingClone);
368: }
369: } catch (Exception e) {
370: log
371: .log(
372: Level.SEVERE,
373: "WSS1413.error.extracting.certificate",
374: e);
375: throw new XWSSecurityException(e);
376: }
377: }
378:
379: if (!binding.getKeyIdentifier().equals(
380: MessageConstants._EMPTY)) {
381: sKey = context
382: .getSecurityEnvironment()
383: .getSecretKey(
384: context
385: .getExtraneousProperties(),
386: keyIdentifier, true);
387: } else if (sendEKSHA1) {
388: sKey = getReceivedSecret(context);
389: } else if (wss11Sender || wss10) {
390:
391: sKey = SecurityUtil
392: .generateSymmetricKey(dataEncAlgo);
393: }
394:
395: binding.setSecretKey(sKey);
396: context.setSymmetricKeyBinding(binding);
397: } catch (Exception e) {
398: //TODO: this error message should come only in Symm Keystore case
399: log
400: .log(
401: Level.SEVERE,
402: "WSS1414.error.extracting.symmetrickey",
403: new Object[] { e.getMessage() });
404: throw new XWSSecurityException(e);
405: }
406: } else if (PolicyTypeUtil
407: .issuedTokenKeyBinding(keyBinding)) {
408: IssuedTokenKeyBinding itkb = (IssuedTokenKeyBinding) keyBinding;
409: SecurityUtil.resolveIssuedToken(context, itkb);
410:
411: } else if (PolicyTypeUtil
412: .derivedTokenKeyBinding(keyBinding)) {
413:
414: DerivedTokenKeyBinding dtk = (DerivedTokenKeyBinding) keyBinding
415: .clone();
416: WSSPolicy originalKeyBinding = dtk
417: .getOriginalKeyBinding();
418:
419: if (PolicyTypeUtil
420: .symmetricKeyBinding(originalKeyBinding)) {
421:
422: String dataEncAlgo = null;
423: if (context.getAlgorithmSuite() != null) {
424: dataEncAlgo = context.getAlgorithmSuite()
425: .getEncryptionAlgorithm();
426: } else {
427: dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
428: // warn about using default
429: }
430:
431: SymmetricKeyBinding symmBinding = (SymmetricKeyBinding) originalKeyBinding
432: .clone();
433: SecretKey sKey = null;
434: boolean wss11Receiver = "true"
435: .equals(context
436: .getExtraneousProperty("EnableWSS11PolicyReceiver"));
437: boolean wss11Sender = "true"
438: .equals(context
439: .getExtraneousProperty("EnableWSS11PolicySender"));
440: boolean wss10 = !wss11Sender;
441: boolean sendEKSHA1 = wss11Receiver
442: && wss11Sender
443: && (getReceivedSecret(context) != null);
444:
445: WSSPolicy ckBinding = (WSSPolicy) originalKeyBinding
446: .getKeyBinding();
447: if (PolicyTypeUtil
448: .x509CertificateBinding(ckBinding)) {
449: try {
450: if (!sendEKSHA1) {
451: AuthenticationTokenPolicy.X509CertificateBinding ckBindingClone = (AuthenticationTokenPolicy.X509CertificateBinding) ckBinding
452: .clone();
453: String certIdentifier = ckBindingClone
454: .getCertificateIdentifier();
455: X509Certificate cert = context
456: .getSecurityEnvironment()
457: .getCertificate(
458: context
459: .getExtraneousProperties(),
460: certIdentifier,
461: false);
462: ckBindingClone
463: .setX509Certificate(cert);
464: context
465: .setX509CertificateBinding(ckBindingClone);
466: }
467: } catch (Exception e) {
468: log
469: .log(
470: Level.SEVERE,
471: "WSS1413.error.extracting.certificate",
472: e);
473: throw new XWSSecurityException(e);
474: }
475: }
476:
477: if (sendEKSHA1) {
478: sKey = getReceivedSecret(context);
479: } else if (wss11Sender || wss10) {
480: sKey = SecurityUtil
481: .generateSymmetricKey(dataEncAlgo);
482: }
483: symmBinding.setSecretKey(sKey);
484: context.setSymmetricKeyBinding(symmBinding);
485: } else if (PolicyTypeUtil
486: .secureConversationTokenKeyBinding(originalKeyBinding)) {
487: // resolve the ProofKey here and set it into ProcessingContext
488: SecureConversationTokenKeyBinding sctBinding = (SecureConversationTokenKeyBinding) originalKeyBinding;
489: SecurityUtil.resolveSCT(context, sctBinding);
490: } else if (PolicyTypeUtil
491: .issuedTokenKeyBinding(originalKeyBinding)) {
492: IssuedTokenKeyBinding itkb = (IssuedTokenKeyBinding) originalKeyBinding;
493: SecurityUtil.resolveIssuedToken(context, itkb);
494: }
495:
496: } else if (PolicyTypeUtil
497: .secureConversationTokenKeyBinding(keyBinding)) {
498: // resolve the ProofKey here and set it into ProcessingContext
499: SecureConversationTokenKeyBinding sctBinding = (SecureConversationTokenKeyBinding) keyBinding;
500: SecurityUtil.resolveSCT(context, sctBinding);
501: } else {
502: log.log(Level.SEVERE,
503: "WSS1419.unsupported.keybinding.signature");
504: throw new XWSSecurityException(
505: "Unsupported KeyBinding for SignaturePolicy");
506: }
507: } else {
508: //resolvedPolicy = (SignaturePolicy)policy.clone();
509: ((SignaturePolicy) policy).isReadOnly(true);
510:
511: try {
512: DynamicApplicationContext dynamicContext = new DynamicApplicationContext(
513: context.getPolicyContext());
514:
515: dynamicContext.setMessageIdentifier(context
516: .getMessageIdentifier());
517: dynamicContext.inBoundMessage(false);
518: // TODO: set runtime context for making callback
519: DynamicPolicyCallback dynamicCallback = new DynamicPolicyCallback(
520: policy, dynamicContext);
521: ProcessingContext.copy(dynamicContext
522: .getRuntimeProperties(), context
523: .getExtraneousProperties());
524: HarnessUtil.makeDynamicPolicyCallback(
525: dynamicCallback, context
526: .getSecurityEnvironment()
527: .getCallbackHandler());
528: resolvedPolicy = (SignaturePolicy) dynamicCallback
529: .getSecurityPolicy();
530:
531: } catch (Exception e) {
532: log.log(Level.SEVERE,
533: "WSS1420.dynamic.policy.signature",
534: new Object[] { e.getMessage() });
535: throw new XWSSecurityException(e);
536: }
537: }
538:
539: context.setSecurityPolicy(resolvedPolicy);
540:
541: sign(context);
542:
543: } else {
544:
545: if (context.makeDynamicPolicyCallback()) {
546: WSSPolicy policy = (WSSPolicy) context
547: .getSecurityPolicy();
548: SignaturePolicy resolvedPolicy = null;
549: ((SignaturePolicy) policy).isReadOnly(true);
550:
551: try {
552: DynamicApplicationContext dynamicContext = new DynamicApplicationContext(
553: context.getPolicyContext());
554:
555: dynamicContext.setMessageIdentifier(context
556: .getMessageIdentifier());
557: dynamicContext.inBoundMessage(true);
558: // TODO: set runtime context for making callback
559: DynamicPolicyCallback dynamicCallback = new DynamicPolicyCallback(
560: policy, dynamicContext);
561: ProcessingContext.copy(dynamicContext
562: .getRuntimeProperties(), context
563: .getExtraneousProperties());
564: HarnessUtil.makeDynamicPolicyCallback(
565: dynamicCallback, context
566: .getSecurityEnvironment()
567: .getCallbackHandler());
568:
569: resolvedPolicy = (SignaturePolicy) dynamicCallback
570: .getSecurityPolicy();
571: } catch (Exception e) {
572: log.log(Level.SEVERE,
573: "WSS1420.dynamic.policy.signature",
574: new Object[] { e.getMessage() });
575: throw new XWSSecurityException(e);
576: }
577: context.setSecurityPolicy(resolvedPolicy);
578: }
579:
580: SignatureProcessor.verify(context);
581: }
582: }
583:
584: private static void sign(
585: com.sun.xml.wss.impl.FilterProcessingContext context)
586: throws XWSSecurityException {
587: if (context instanceof JAXBFilterProcessingContext)
588: com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor
589: .sign((JAXBFilterProcessingContext) context);
590: else
591: SignatureProcessor.sign(context);
592:
593: }
594:
595: private static SecretKey getReceivedSecret(
596: com.sun.xml.wss.impl.FilterProcessingContext context) {
597: SecretKey sKey = null;
598: sKey = (javax.crypto.SecretKey) context
599: .getExtraneousProperty(MessageConstants.SECRET_KEY_VALUE);
600: return sKey;
601: }
602:
603: }
|