001: /*
002: * MessagePolicyVerifier.java
003: *
004: * Created on 26 October, 2006, 5:52 PM
005: *
006: * To change this template, choose Tools | Template Manager
007: * and open the template in the editor.
008: */
009:
010: package com.sun.xml.wss.impl.policy.verifier;
011:
012: import com.sun.xml.wss.ProcessingContext;
013: import com.sun.xml.wss.XWSSecurityException;
014: import com.sun.xml.wss.impl.MessageConstants;
015: import com.sun.xml.wss.impl.PolicyTypeUtil;
016: import com.sun.xml.wss.impl.PolicyViolationException;
017: import com.sun.xml.wss.impl.ProcessingContextImpl;
018: import com.sun.xml.wss.impl.WSSAssertion;
019: import com.sun.xml.wss.impl.policy.MLSPolicy;
020: import com.sun.xml.wss.impl.policy.SecurityPolicy;
021: import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
022: import com.sun.xml.wss.impl.policy.mls.DerivedTokenKeyBinding;
023: import com.sun.xml.wss.impl.policy.mls.EncryptionPolicy;
024: import com.sun.xml.wss.impl.policy.mls.EncryptionTarget;
025: import com.sun.xml.wss.impl.policy.mls.IssuedTokenKeyBinding;
026: import com.sun.xml.wss.impl.policy.mls.MessagePolicy;
027: import com.sun.xml.wss.impl.policy.mls.SecureConversationTokenKeyBinding;
028: import com.sun.xml.wss.impl.policy.mls.SignaturePolicy;
029: import com.sun.xml.wss.impl.policy.mls.SignatureTarget;
030: import com.sun.xml.wss.impl.policy.mls.SymmetricKeyBinding;
031: import com.sun.xml.wss.impl.policy.mls.Target;
032: import com.sun.xml.wss.impl.policy.mls.TimestampPolicy;
033: import com.sun.xml.wss.impl.policy.mls.WSSPolicy;
034: import com.sun.xml.wss.impl.policy.spi.PolicyVerifier;
035: import com.sun.xml.wss.logging.LogDomainConstants;
036: import java.util.ArrayList;
037: import java.util.List;
038: import java.util.logging.Level;
039: import java.util.logging.Logger;
040:
041: /**
042: *
043: * @author
044: */
045: public class MessagePolicyVerifier implements PolicyVerifier {
046: private ProcessingContext ctx = null;
047: private TargetResolver targetResolver;
048:
049: private static Logger log = Logger.getLogger(
050: LogDomainConstants.WSS_API_DOMAIN,
051: LogDomainConstants.WSS_API_DOMAIN_BUNDLE);
052:
053: /** Creates a new instance of MessagePolicyVerifier */
054: public MessagePolicyVerifier(ProcessingContext ctx,
055: TargetResolver targetResolver) {
056: this .ctx = ctx;
057: this .targetResolver = targetResolver;
058: }
059:
060: public void verifyPolicy(SecurityPolicy ip, SecurityPolicy ap)
061: throws PolicyViolationException {
062:
063: MessagePolicy actualPolicy = (MessagePolicy) ap;
064: MessagePolicy inferredSecurityPolicy = (MessagePolicy) ip;
065:
066: if (actualPolicy == null || actualPolicy.size() <= 0) {
067: if ((inferredSecurityPolicy != null)
068: && (inferredSecurityPolicy.size() > 0)) {
069: //this could be a plain SSL scenario
070: if (!checkAllowExtraTimestamp(inferredSecurityPolicy)) {
071: log.log(Level.SEVERE, "WSS0805.policy.null");
072: throw new PolicyViolationException(
073: "ERROR: Policy for the service could not be obtained");
074: }
075: }
076: } else if (inferredSecurityPolicy == null
077: || inferredSecurityPolicy.size() <= 0) {
078: throw new PolicyViolationException(
079: "ERROR: No security header found in the message");
080: } else { // verify policy now
081: try {
082: for (int i = 0; i < actualPolicy.size(); i++) {
083: WSSPolicy actualPol = (WSSPolicy) actualPolicy
084: .get(i);
085: if (PolicyTypeUtil.isSecondaryPolicy(actualPol)) {
086: processSecondaryPolicy(actualPol,
087: inferredSecurityPolicy);
088: } else if (PolicyTypeUtil
089: .isPrimaryPolicy(actualPol)) {
090: processPrimaryPolicy(actualPol,
091: inferredSecurityPolicy);
092: }
093: }
094:
095: } catch (Exception e) {
096: throw new PolicyViolationException(e);
097: }
098: }
099: }
100:
101: private void processSecondaryPolicy(WSSPolicy actualPol,
102: MessagePolicy inferredSecurityPolicy)
103: throws XWSSecurityException {
104: try {
105: if (PolicyTypeUtil.timestampPolicy(actualPol)) {
106: boolean found = false;
107: for (int j = 0; j < inferredSecurityPolicy.size(); j++) {
108: WSSPolicy pol = (WSSPolicy) inferredSecurityPolicy
109: .get(j);
110: if (PolicyTypeUtil.timestampPolicy(pol)) {
111: inferredSecurityPolicy.remove(pol);
112: found = true;
113: break;
114: }
115: }
116: if (!found) {
117: if (MessageConstants.debug) {
118: log
119: .log(Level.WARNING,
120: "Timestamp not found in message but occurs in configured policy");
121: }
122: // commenting for now, uncomment once this is corrected in SecurityPolicy
123: /*throw new XWSSecurityException("Policy Verification error:"
124: + "Timestamp not found in configured policy but occurs in message");*/
125: }
126: } else if (PolicyTypeUtil.usernameTokenPolicy(actualPol
127: .getFeatureBinding())) {
128: boolean found = false;
129: for (int j = 0; j < inferredSecurityPolicy.size(); j++) {
130: WSSPolicy pol = (WSSPolicy) inferredSecurityPolicy
131: .get(j);
132: if (PolicyTypeUtil.usernameTokenPolicy(pol)) {
133: inferredSecurityPolicy.remove(pol);
134: found = true;
135: break;
136: }
137: }
138: if (!found) {
139: throw new XWSSecurityException(
140: "Policy Verification error:"
141: + "UsernameToken not found in message but occurs in configured policy");
142: }
143: }
144: } catch (Exception e) {
145: throw new XWSSecurityException(e);
146: }
147: }
148:
149: private void processPrimaryPolicy(WSSPolicy actualPol,
150: MessagePolicy inferredSecurityPolicy)
151: throws XWSSecurityException {
152:
153: //WSSAssertion wssAssertion = ((ProcessingContextImpl)ctx).getWSSAssertion();
154: if (PolicyTypeUtil.signaturePolicy(actualPol)) {
155: SignaturePolicy actualSignPolicy = (SignaturePolicy) actualPol;
156: boolean isEndorsing = ((SignaturePolicy.FeatureBinding) actualSignPolicy
157: .getFeatureBinding()).isEndorsingSignature();
158: boolean isPrimary = ((SignaturePolicy.FeatureBinding) actualSignPolicy
159: .getFeatureBinding()).isPrimarySignature();
160: WSSPolicy pol = getFirstPrimaryPolicy(
161: inferredSecurityPolicy, isEndorsing, 0);
162: if (pol == null) {
163: throw new XWSSecurityException(
164: "Policy verification error:"
165: + "Missing Signature Element");
166: }
167:
168: if (PolicyTypeUtil.signaturePolicy(pol)) {
169: SignaturePolicy inferredPol = (SignaturePolicy) pol;
170: // verify key binding
171: boolean isKBTrue = verifyKeyBinding(actualSignPolicy
172: .getKeyBinding(), inferredPol.getKeyBinding(),
173: false);
174: int nth = 1;
175: while (!isKBTrue && !isPrimary) {
176: pol = getFirstPrimaryPolicy(inferredSecurityPolicy,
177: isEndorsing, nth);
178: if (pol == null) {
179: throw new XWSSecurityException(
180: "Policy verification error:"
181: + "Missing Signature Element - perhaps a second supporting signature or "
182: + "Incorrect Key types or references were used in Signature");
183: }
184: inferredPol = (SignaturePolicy) pol;
185: isKBTrue = verifyKeyBinding(actualSignPolicy
186: .getKeyBinding(), inferredPol
187: .getKeyBinding(), false);
188: nth++;
189: }
190: // verify target binding
191: boolean isTBTrue = verifySignTargetBinding(
192: (SignaturePolicy.FeatureBinding) actualSignPolicy
193: .getFeatureBinding(),
194: (SignaturePolicy.FeatureBinding) inferredPol
195: .getFeatureBinding());
196:
197: inferredSecurityPolicy.remove(pol);
198: if (!isKBTrue) {
199: log.log(Level.SEVERE,
200: "WSS0206.policy.violation.exception");
201: throw new XWSSecurityException(
202: "Policy verification error: "
203: + "Incorrect Key types or references were used in Signature");
204: }
205: if (!isTBTrue) {
206: log.log(Level.SEVERE,
207: "WSS0206.policy.violation.exception");
208: throw new XWSSecurityException(
209: "Policy verification error: "
210: + "One or more Signed Parts could not be validated");
211: }
212: checkTargets(actualPol, pol);
213: } else {
214: //check to see for the case when no Signature Target present in message
215: //The incoming message will not have Signature policy in that case.
216: if (checkTargetPresence(actualPol)) {
217: log.log(Level.SEVERE,
218: "WSS0206.policy.violation.exception");
219: throw new XWSSecurityException(
220: "Signature Policy verification error: Looking for a Signature Element "
221: + " in Security header, but found "
222: + pol + ".");
223: }
224: }
225: } else if (PolicyTypeUtil.encryptionPolicy(actualPol)) {
226: EncryptionPolicy actualEncryptionPolicy = (EncryptionPolicy) actualPol;
227: WSSPolicy pol = getFirstPrimaryPolicy(
228: inferredSecurityPolicy, false, 0);
229: if (pol == null) {
230: throw new XWSSecurityException(
231: "Encryption Policy verification error:"
232: + "Missing encryption element");
233: }
234:
235: if (PolicyTypeUtil.encryptionPolicy(pol)) {
236: EncryptionPolicy inferredPol = (EncryptionPolicy) pol;
237: //verify key binding
238: boolean isKBTrue = verifyKeyBinding(
239: actualEncryptionPolicy.getKeyBinding(),
240: inferredPol.getKeyBinding(), true);
241: // verify target binding
242: boolean isTBTrue = verifyEncTargetBinding(
243: (EncryptionPolicy.FeatureBinding) actualEncryptionPolicy
244: .getFeatureBinding(),
245: (EncryptionPolicy.FeatureBinding) inferredPol
246: .getFeatureBinding());
247:
248: inferredSecurityPolicy.remove(pol);
249: if (!isKBTrue) {
250: log.log(Level.SEVERE,
251: "WSS0206.policy.violation.exception");
252: throw new XWSSecurityException(
253: "Encryption Policy verification error: "
254: + "Incorrect Key types or references were used in encryption");
255: }
256: if (!isTBTrue) {
257: log.log(Level.SEVERE,
258: "WSS0206.policy.violation.exception");
259: throw new XWSSecurityException(
260: "Policy verification error: "
261: + "One or more encrypted parts could not be validated");
262: }
263: List<Target> inferredList = ((EncryptionPolicy.FeatureBinding) pol
264: .getFeatureBinding()).getTargetBindings();
265: List<Target> actualList = ((EncryptionPolicy.FeatureBinding) actualPol
266: .getFeatureBinding()).getTargetBindings();
267: if (actualList.size() > inferredList.size()) {
268: int nthEncrypt = 0;
269: EncryptionPolicy inferredPol2 = getNthEncryptionPolicy(
270: inferredSecurityPolicy, nthEncrypt);
271: while (inferredPol2 != null) {
272: boolean isKBTrue2 = verifyKeyBinding(
273: actualEncryptionPolicy.getKeyBinding(),
274: inferredPol2.getKeyBinding(), true);
275: boolean isTBTrue2 = verifyEncTargetBinding(
276: (EncryptionPolicy.FeatureBinding) actualEncryptionPolicy
277: .getFeatureBinding(),
278: (EncryptionPolicy.FeatureBinding) inferredPol2
279: .getFeatureBinding());
280: if (!isKBTrue2 || !isTBTrue2) {
281: nthEncrypt++;
282: inferredPol2 = getNthEncryptionPolicy(
283: inferredSecurityPolicy, nthEncrypt);
284: } else {
285: List<Target> moreTargets = ((EncryptionPolicy.FeatureBinding) inferredPol2
286: .getFeatureBinding())
287: .getTargetBindings();
288: for (Target moreTarget : moreTargets) {
289: ((EncryptionPolicy.FeatureBinding) inferredPol
290: .getFeatureBinding())
291: .addTargetBinding(moreTarget);
292: }
293: if (actualList.size() == inferredList
294: .size()) {
295: inferredSecurityPolicy
296: .remove(inferredPol2);
297: break;
298: }
299: inferredSecurityPolicy.remove(inferredPol2);
300: nthEncrypt++;
301: inferredPol2 = getNthEncryptionPolicy(
302: inferredSecurityPolicy, nthEncrypt);
303: }
304: }
305: }
306: checkTargets(actualPol, pol);
307: } else {
308: //check to see for the case when no Encryption Target present in message
309: //The incoming message will not have Encryption policy in that case.
310: if (checkTargetPresence(actualPol)) {
311: log.log(Level.SEVERE,
312: "WSS0206.policy.violation.exception");
313: throw new XWSSecurityException(
314: "Encryption Policy verification error: Looking for an Encryption Element "
315: + " in Security header, but found "
316: + pol + ".");
317: }
318: }
319:
320: }
321:
322: }
323:
324: private void checkTargets(WSSPolicy actualPol, WSSPolicy inferredPol)
325: throws XWSSecurityException {
326:
327: List<Target> inferredTargets = null;
328: List<Target> actualTargets = null;
329:
330: if (PolicyTypeUtil.signaturePolicy(actualPol)) {
331:
332: SignaturePolicy.FeatureBinding inferredFeatureBinding = (SignaturePolicy.FeatureBinding) inferredPol
333: .getFeatureBinding();
334: SignaturePolicy.FeatureBinding actualFeatureBinding = (SignaturePolicy.FeatureBinding) actualPol
335: .getFeatureBinding();
336:
337: inferredTargets = (List<Target>) inferredFeatureBinding
338: .getTargetBindings();
339: actualTargets = (List<Target>) actualFeatureBinding
340: .getTargetBindings();
341:
342: } else if (PolicyTypeUtil.encryptionPolicy(actualPol)) {
343:
344: EncryptionPolicy.FeatureBinding inferredFeatureBinding = (EncryptionPolicy.FeatureBinding) inferredPol
345: .getFeatureBinding();
346: EncryptionPolicy.FeatureBinding actualFeatureBinding = (EncryptionPolicy.FeatureBinding) actualPol
347: .getFeatureBinding();
348:
349: inferredTargets = (List<Target>) inferredFeatureBinding
350: .getTargetBindings();
351: actualTargets = (List<Target>) actualFeatureBinding
352: .getTargetBindings();
353:
354: }
355: targetResolver.resolveAndVerifyTargets(actualTargets,
356: inferredTargets, actualPol);
357: }
358:
359: private boolean verifyKeyBinding(MLSPolicy actualKeyBinding,
360: MLSPolicy inferredKeyBinding, boolean isEncryptPolicy)
361: throws XWSSecurityException {
362: boolean verified = false;
363: if (actualKeyBinding != null && inferredKeyBinding != null) {
364: if (PolicyTypeUtil.x509CertificateBinding(actualKeyBinding)
365: && PolicyTypeUtil
366: .x509CertificateBinding(inferredKeyBinding)) {
367: /* TODO: cannot change actual policy, there seems to be a bug in
368: * security policy
369: AuthenticationTokenPolicy.X509CertificateBinding actualX509Bind =
370: (AuthenticationTokenPolicy.X509CertificateBinding)actualKeyBinding;
371: AuthenticationTokenPolicy.X509CertificateBinding inferredX509Bind =
372: (AuthenticationTokenPolicy.X509CertificateBinding)inferredKeyBinding;
373: // workaround - policy sets reference type as Thumprint
374: if(actualX509Bind.getReferenceType().equals(MessageConstants.THUMB_PRINT_TYPE))
375: actualX509Bind.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
376: correctIncludeTokenPolicy(actualX509Bind, wssAssertion);
377: if(actualX509Bind.getReferenceType().equals(inferredX509Bind.getReferenceType()))*/
378: verified = true;
379: } else if (PolicyTypeUtil
380: .symmetricKeyBinding(actualKeyBinding)
381: && PolicyTypeUtil
382: .symmetricKeyBinding(inferredKeyBinding)) {
383: verified = verifyKeyBinding(actualKeyBinding
384: .getKeyBinding(), inferredKeyBinding
385: .getKeyBinding(), isEncryptPolicy);
386: } else if (PolicyTypeUtil
387: .issuedTokenKeyBinding(actualKeyBinding)
388: && PolicyTypeUtil
389: .issuedTokenKeyBinding(inferredKeyBinding)) {
390:
391: verified = true;
392: } else if (PolicyTypeUtil
393: .secureConversationTokenKeyBinding(actualKeyBinding)
394: && PolicyTypeUtil
395: .secureConversationTokenKeyBinding(inferredKeyBinding)) {
396:
397: verified = true;
398: } else if (PolicyTypeUtil
399: .derivedTokenKeyBinding(actualKeyBinding)
400: && PolicyTypeUtil
401: .derivedTokenKeyBinding(inferredKeyBinding)) {
402:
403: verified = verifyKeyBinding(
404: ((DerivedTokenKeyBinding) actualKeyBinding)
405: .getOriginalKeyBinding(),
406: ((DerivedTokenKeyBinding) inferredKeyBinding)
407: .getOriginalKeyBinding(),
408: isEncryptPolicy);
409: } else if (PolicyTypeUtil
410: .x509CertificateBinding(actualKeyBinding)
411: && PolicyTypeUtil
412: .symmetricKeyBinding(inferredKeyBinding)) {
413: MLSPolicy ikbkb = inferredKeyBinding.getKeyBinding();
414: if (isEncryptPolicy
415: && PolicyTypeUtil.x509CertificateBinding(ikbkb)) {
416: verified = true;
417: }
418: } else if (PolicyTypeUtil.samlTokenPolicy(actualKeyBinding)
419: && PolicyTypeUtil
420: .symmetricKeyBinding(inferredKeyBinding)) {
421: MLSPolicy ikbkb = inferredKeyBinding.getKeyBinding();
422: if (isEncryptPolicy
423: && PolicyTypeUtil.samlTokenPolicy(ikbkb)) {
424: verified = true;
425: }
426: } else if (PolicyTypeUtil.samlTokenPolicy(actualKeyBinding)
427: && PolicyTypeUtil
428: .samlTokenPolicy(inferredKeyBinding)) {
429:
430: verified = true;
431: } else if (PolicyTypeUtil
432: .symmetricKeyBinding(actualKeyBinding)
433: && PolicyTypeUtil
434: .x509CertificateBinding(inferredKeyBinding)) {
435: MLSPolicy akbkb = actualKeyBinding.getKeyBinding();
436: if (isEncryptPolicy
437: && PolicyTypeUtil.x509CertificateBinding(akbkb)) {
438: verified = true;
439: }
440: } else if (PolicyTypeUtil
441: .derivedTokenKeyBinding(actualKeyBinding)) {
442: //workaround for IssuedToken under Endorsing, with PublicKey inside IssuedToken
443: if (PolicyTypeUtil
444: .issuedTokenKeyBinding(inferredKeyBinding)
445: && PolicyTypeUtil
446: .issuedTokenKeyBinding(((DerivedTokenKeyBinding) actualKeyBinding)
447: .getOriginalKeyBinding())) {
448: verified = true;
449: }
450: }
451: }
452:
453: return verified;
454: }
455:
456: private boolean verifySignTargetBinding(
457: SignaturePolicy.FeatureBinding actualFeatureBinding,
458: SignaturePolicy.FeatureBinding inferredFeatureBinding)
459: throws XWSSecurityException {
460: String actualCanonAlgo = actualFeatureBinding
461: .getCanonicalizationAlgorithm();
462: String inferredCanonAlgo = inferredFeatureBinding
463: .getCanonicalizationAlgorithm();
464:
465: if (actualCanonAlgo == null || inferredCanonAlgo == null) {
466: throw new XWSSecurityException(
467: "ActualCanonicalizationAlgorithm or InferredCanonicalizationAlgorithm "
468: + " is null while verifying SignatureTargetBinding");
469: }
470: if (actualCanonAlgo.length() > 0
471: && inferredCanonAlgo.length() > 0) {
472: if (!inferredCanonAlgo.equals(actualCanonAlgo)) {
473: log
474: .warning("Receiver side requirement verification failed,"
475: + " canonicalization algorithm received in the message is "
476: + inferredCanonAlgo
477: + " policy requires " + actualCanonAlgo);
478: return false;
479: }
480: }
481:
482: return true;
483: }
484:
485: private boolean verifyEncTargetBinding(
486: EncryptionPolicy.FeatureBinding actualFeatureBinding,
487: EncryptionPolicy.FeatureBinding inferredFeatureBinding) {
488: String rDA = inferredFeatureBinding
489: .getDataEncryptionAlgorithm();
490: String cDA = actualFeatureBinding.getDataEncryptionAlgorithm();
491: if (cDA != null && cDA.length() > 0) {
492: if (!cDA.equals(rDA)) {
493: log
494: .warning("Receiver side requirement verification failed, "
495: + "DataEncryptionAlgorithm specified in the receiver requirements did match with"
496: + " DataEncryptionAlgorithm used to encrypt the message."
497: + "Configured DataEncryptionAlgorithm is "
498: + cDA
499: + " DataEncryptionAlgorithm used in the"
500: + "message is " + rDA);
501: return false;
502: }
503: }
504: return true;
505: }
506:
507: private EncryptionPolicy getNthEncryptionPolicy(
508: MessagePolicy securityPolicy, int nth)
509: throws XWSSecurityException {
510: try {
511: int count = nth;
512: for (int i = 0; i < securityPolicy.size(); i++) {
513: WSSPolicy pol = (WSSPolicy) securityPolicy.get(i);
514: if (PolicyTypeUtil.isPrimaryPolicy(pol)
515: && PolicyTypeUtil.encryptionPolicy(pol)) {
516: if (((EncryptionPolicy.FeatureBinding) pol
517: .getFeatureBinding()).encryptsIssuedToken()) {
518: continue;
519: }
520: if (count > 0) {
521: count--;
522: continue;
523: } else {
524: return (EncryptionPolicy) pol;
525: }
526: }
527: }
528: } catch (Exception e) {
529: throw new XWSSecurityException(e);
530: }
531: return null;
532: }
533:
534: private WSSPolicy getFirstPrimaryPolicy(
535: MessagePolicy securityPolicy, boolean isEndorsingSign,
536: int nth) throws XWSSecurityException {
537: try {
538:
539: int count = nth;
540: if (!isEndorsingSign) {
541: for (int i = 0; i < securityPolicy.size(); i++) {
542: WSSPolicy pol = (WSSPolicy) securityPolicy.get(i);
543: if (PolicyTypeUtil.isPrimaryPolicy(pol)) {
544: // accounts for encrypted SAML tokens issued by STS
545: if (PolicyTypeUtil.encryptionPolicy(pol)
546: && ((EncryptionPolicy.FeatureBinding) pol
547: .getFeatureBinding())
548: .encryptsIssuedToken()) {
549: continue;
550: } else if (count > 0) {
551: if (PolicyTypeUtil.signaturePolicy(pol))
552: count--;
553: continue;
554: } else if (nth != 0
555: && !PolicyTypeUtil.signaturePolicy(pol)) {
556: continue;
557: } else {
558: return pol;
559: }
560: }
561: }
562: } else {
563: // endorsingSign policy is not placed correctly in actual policy
564: for (int i = 0; i < securityPolicy.size(); i++) {
565: WSSPolicy pol = (WSSPolicy) securityPolicy.get(i);
566: if (PolicyTypeUtil.isPrimaryPolicy(pol)
567: && PolicyTypeUtil.signaturePolicy(pol)) {
568: SignaturePolicy signPol = (SignaturePolicy) pol;
569: SignaturePolicy.FeatureBinding fb = (SignaturePolicy.FeatureBinding) signPol
570: .getFeatureBinding();
571: for (int no_of_sig_targets = 0; no_of_sig_targets < fb
572: .getTargetBindings().size(); no_of_sig_targets++) {
573: SignatureTarget target = (SignatureTarget) fb
574: .getTargetBindings().get(
575: no_of_sig_targets);
576: if ("{http://www.w3.org/2000/09/xmldsig#}Signature"
577: .equals(target.getValue()))
578: return pol;
579: }
580: }
581: }
582: }
583: } catch (Exception e) {
584: throw new XWSSecurityException(e);
585: }
586: return null;
587: }
588:
589: private void correctIncludeTokenPolicy(
590: AuthenticationTokenPolicy.X509CertificateBinding x509Bind,
591: WSSAssertion wssAssertion) {
592: if (x509Bind.INCLUDE_NEVER.equals(x509Bind.getIncludeToken())) {
593: if (MessageConstants.DIRECT_REFERENCE_TYPE.equals(x509Bind
594: .getReferenceType())) {
595: if (wssAssertion != null) {
596: if (wssAssertion
597: .getRequiredProperties()
598: .contains(
599: WSSAssertion.MUST_SUPPORT_REF_KEYIDENTIFIER))
600: x509Bind
601: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
602: else if (wssAssertion
603: .getRequiredProperties()
604: .contains(
605: WSSAssertion.MUSTSUPPORT_REF_THUMBPRINT))
606: x509Bind
607: .setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
608: } else {
609: // when wssAssertion is not set use KeyIdentifier
610: x509Bind
611: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
612: }
613: }
614: } else if (x509Bind.INCLUDE_ALWAYS_TO_RECIPIENT.equals(x509Bind
615: .getIncludeToken())
616: || x509Bind.INCLUDE_ALWAYS.equals(x509Bind
617: .getIncludeToken())) {
618: x509Bind
619: .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
620: }
621: }
622:
623: public void printInferredSecurityPolicy(
624: MessagePolicy inferredSecurityPolicy) throws Exception {
625: StringBuffer buffer = new StringBuffer();
626: if (inferredSecurityPolicy == null) {
627: buffer.append("Security Policy not set\n");
628: } else {
629: buffer.append("Size of Policy:: "
630: + inferredSecurityPolicy.size() + "\n");
631: for (int i = 0; i < inferredSecurityPolicy.size(); i++) {
632: WSSPolicy pol = (WSSPolicy) inferredSecurityPolicy
633: .get(i);
634: if (PolicyTypeUtil.timestampPolicy(pol)) {
635: buffer.append("Timestamp Policy\n");
636: } else if (PolicyTypeUtil.usernameTokenPolicy(pol)) {
637: buffer.append("UsernameToken Policy\n");
638: } else if (PolicyTypeUtil.signaturePolicy(pol)) {
639: buffer.append("Signature Policy\n");
640: SignaturePolicy sigPol = (SignaturePolicy) pol;
641: SignaturePolicy.FeatureBinding featureBinding = (SignaturePolicy.FeatureBinding) sigPol
642: .getFeatureBinding();
643: ArrayList targets = featureBinding
644: .getTargetBindings();
645: buffer.append("\tCanonicalizationAlgorithm"
646: + featureBinding
647: .getCanonicalizationAlgorithm()
648: + "\n");
649: buffer.append("\t Targets\n");
650: for (int j = 0; j < targets.size(); j++) {
651: SignatureTarget target = (SignatureTarget) targets
652: .get(j);
653: buffer.append("\t " + j + ":Type:"
654: + target.getType() + "\n");
655: buffer.append("\t Value:" + target.getValue()
656: + "\n");
657: buffer.append("\t DigestAlgorithm:"
658: + target.getDigestAlgorithm() + "\n");
659: ArrayList transforms = target.getTransforms();
660:
661: if (transforms != null) {
662: buffer.append("\t " + "Transforms::\n");
663: for (int k = 0; k < transforms.size(); k++) {
664: buffer
665: .append("\t "
666: + " "
667: + ((SignatureTarget.Transform) transforms
668: .get(k))
669: .getTransform()
670: + "\n");
671: }
672: }
673: }
674: MLSPolicy keyBinding = sigPol.getKeyBinding();
675: if (keyBinding != null) {
676: buffer.append("\tKeyBinding\n");
677: printKeyBinding(keyBinding, buffer);
678: }
679: } else if (PolicyTypeUtil.encryptionPolicy(pol)) {
680: buffer.append("Encryption Policy\n");
681: EncryptionPolicy encPol = (EncryptionPolicy) pol;
682: EncryptionPolicy.FeatureBinding featureBinding = (EncryptionPolicy.FeatureBinding) encPol
683: .getFeatureBinding();
684: ArrayList targets = featureBinding
685: .getTargetBindings();
686: buffer.append("\t Targets\n");
687: for (int j = 0; j < targets.size(); j++) {
688: EncryptionTarget target = (EncryptionTarget) targets
689: .get(j);
690: buffer.append("\t " + j + ":" + "Type:"
691: + target.getType() + "\n");
692: buffer.append("\t Value:" + target.getValue()
693: + "\n");
694: buffer.append("\t ContentOnly:"
695: + target.getContentOnly() + "\n");
696: buffer.append("\t DataEncryptionAlgorithm:"
697: + target.getDataEncryptionAlgorithm()
698: + "\n");
699: }
700: MLSPolicy keyBinding = encPol.getKeyBinding();
701: if (keyBinding != null) {
702: buffer.append("\tKeyBinding\n");
703: printKeyBinding(keyBinding, buffer);
704: }
705: } else if (PolicyTypeUtil
706: .signatureConfirmationPolicy(pol)) {
707: buffer.append("SignatureConfirmation Policy\n");
708: } else {
709: buffer.append(pol + "\n");
710: }
711: }
712: }
713: if (MessageConstants.debug) {
714: System.out.println(buffer.toString());
715: }
716: }
717:
718: private void printKeyBinding(MLSPolicy keyBinding,
719: StringBuffer buffer) {
720: if (keyBinding != null) {
721: if (keyBinding instanceof AuthenticationTokenPolicy.X509CertificateBinding) {
722: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = (AuthenticationTokenPolicy.X509CertificateBinding) keyBinding;
723: buffer.append("\t X509CertificateBinding\n");
724: buffer.append("\t ValueType:"
725: + x509Binding.getValueType() + "\n");
726: buffer.append("\t ReferenceType:"
727: + x509Binding.getReferenceType() + "\n");
728: } else if (keyBinding instanceof AuthenticationTokenPolicy.SAMLAssertionBinding) {
729: AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) keyBinding;
730: buffer.append("\t SAMLAssertionBinding\n");
731: //buffer.append("\t ValueType:" + samlBinding.getValueType() + "\n");
732: buffer.append("\t ReferenceType:"
733: + samlBinding.getReferenceType() + "\n");
734: } else if (keyBinding instanceof SymmetricKeyBinding) {
735: SymmetricKeyBinding skBinding = (SymmetricKeyBinding) keyBinding;
736: buffer.append("\t SymmetricKeyBinding\n");
737: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = (AuthenticationTokenPolicy.X509CertificateBinding) skBinding
738: .getKeyBinding();
739: if (x509Binding != null) {
740: buffer.append("\t X509CertificateBinding\n");
741: buffer.append("\t ValueType:"
742: + x509Binding.getValueType() + "\n");
743: buffer.append("\t ReferenceType:"
744: + x509Binding.getReferenceType() + "\n");
745: }
746: } else if (keyBinding instanceof IssuedTokenKeyBinding) {
747: buffer.append("\t IssuedTokenKeyBinding\n");
748:
749: } else if (keyBinding instanceof SecureConversationTokenKeyBinding) {
750: buffer
751: .append("\t SecureConversationTokenKeyBinding\n");
752:
753: } else if (keyBinding instanceof DerivedTokenKeyBinding) {
754: buffer.append("\t DerivedTokenKeyBinding\n");
755: DerivedTokenKeyBinding dtkBinding = (DerivedTokenKeyBinding) keyBinding;
756: buffer.append("\t OriginalKeyBinding:\n");
757: printKeyBinding(dtkBinding.getOriginalKeyBinding(),
758: buffer);
759: }
760: }
761: }
762:
763: private boolean checkTargetPresence(WSSPolicy actualPol)
764: throws XWSSecurityException {
765: List<Target> actualTargets = null;
766: if (PolicyTypeUtil.signaturePolicy(actualPol)) {
767: SignaturePolicy.FeatureBinding actualFeatureBinding = (SignaturePolicy.FeatureBinding) actualPol
768: .getFeatureBinding();
769: actualTargets = (List<Target>) actualFeatureBinding
770: .getTargetBindings();
771: } else if (PolicyTypeUtil.encryptionPolicy(actualPol)) {
772: EncryptionPolicy.FeatureBinding actualFeatureBinding = (EncryptionPolicy.FeatureBinding) actualPol
773: .getFeatureBinding();
774: actualTargets = (List<Target>) actualFeatureBinding
775: .getTargetBindings();
776: }
777:
778: return targetResolver.isTargetPresent(actualTargets);
779: }
780:
781: private boolean checkAllowExtraTimestamp(
782: MessagePolicy inferredSecurityPolicy) {
783: //assumption : inferredSecurityPolicy != null and size > 0
784: if (inferredSecurityPolicy.size() > 1) {
785: return false;
786: }
787: SecurityPolicy pol = null;
788: try {
789: pol = inferredSecurityPolicy.get(0);
790: } catch (Exception ex) {
791: //ignore for now;
792: }
793: if (pol instanceof TimestampPolicy) {
794: return true;
795: }
796: return false;
797: }
798: }
|