001: /*
002: * EncryptionPolicyVerifier.java
003: *
004: * Created on August 7, 2005, 9:08 PM
005: */
006:
007: /*
008: * The contents of this file are subject to the terms
009: * of the Common Development and Distribution License
010: * (the License). You may not use this file except in
011: * compliance with the License.
012: *
013: * You can obtain a copy of the license at
014: * https://glassfish.dev.java.net/public/CDDLv1.0.html.
015: * See the License for the specific language governing
016: * permissions and limitations under the License.
017: *
018: * When distributing Covered Code, include this CDDL
019: * Header Notice in each file and include the License file
020: * at https://glassfish.dev.java.net/public/CDDLv1.0.html.
021: * If applicable, add the following below the CDDL Header,
022: * with the fields enclosed by brackets [] replaced by
023: * you own identifying information:
024: * "Portions Copyrighted [year] [name of copyright owner]"
025: *
026: * Copyright 2006 Sun Microsystems Inc. All Rights Reserved
027: */
028:
029: package com.sun.xml.wss.impl.policy.verifier;
030:
031: import com.sun.xml.wss.impl.PolicyTypeUtil;
032: import com.sun.xml.wss.impl.PolicyViolationException;
033: import com.sun.xml.wss.impl.policy.spi.PolicyVerifier;
034: import com.sun.xml.wss.impl.policy.SecurityPolicy;
035: import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy.SAMLAssertionBinding;
036: import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy.X509CertificateBinding;
037: import com.sun.xml.wss.impl.policy.mls.EncryptionPolicy;
038: import com.sun.xml.wss.impl.FilterProcessingContext;
039: import com.sun.xml.wss.impl.WSSAssertion;
040: import com.sun.xml.wss.impl.MessageConstants;
041:
042: /**
043: *
044: * @author K.Venugopal@sun.com
045: */
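/**
 * Verifies that the encryption policy inferred from an incoming message
 * satisfies the encryption policy configured for the receiver.
 * <p>
 * Only the data encryption algorithm is compared at present. The key binding
 * comparison (SAML assertion / X.509 certificate binding) is disabled — it
 * survives only as the commented-out block in {@link #verifyPolicy} — so the
 * {@code check*Binding} helpers below are currently unreferenced and a
 * mismatching key binding is NOT reported by this verifier.
 *
 * @author K.Venugopal@sun.com
 */
public class EncryptionPolicyVerifier implements PolicyVerifier {

    /** Processing context; consulted for the WSS assertion when deriving the reference type. */
    FilterProcessingContext context;

    /**
     * Creates a new instance of EncryptionPolicyVerifier.
     *
     * @param context processing context of the message being verified
     */
    public EncryptionPolicyVerifier(FilterProcessingContext context) {
        this.context = context;
    }

    /**
     * Compares the configured encryption policy with the one inferred from
     * the incoming message.
     * <p>
     * The comparison only runs when both policies are encryption policies.
     * A configured data encryption algorithm that is {@code null} or empty is
     * treated as "not constrained", so the algorithm used by the message is
     * then accepted unchecked.
     *
     * @param configPolicy Policy configured for the incoming message.
     * @param recvdPolicy policy inferred from the incoming message.
     * @throws PolicyViolationException when the data encryption algorithm
     *         inferred from the incoming message does not match the
     *         configured one.
     */
    public void verifyPolicy(SecurityPolicy configPolicy,
            SecurityPolicy recvdPolicy) throws PolicyViolationException {
        if (!(PolicyTypeUtil.encryptionPolicy(configPolicy)
                && PolicyTypeUtil.encryptionPolicy(recvdPolicy))) {
            return;
        }
        EncryptionPolicy rEP = (EncryptionPolicy) recvdPolicy;
        EncryptionPolicy cEP = (EncryptionPolicy) configPolicy;

        EncryptionPolicy.FeatureBinding rfBinding =
                (EncryptionPolicy.FeatureBinding) rEP.getFeatureBinding();
        EncryptionPolicy.FeatureBinding cfBinding =
                (EncryptionPolicy.FeatureBinding) cEP.getFeatureBinding();
        String rDA = rfBinding.getDataEncryptionAlgorithm();
        String cDA = cfBinding.getDataEncryptionAlgorithm();
        // An unset configured algorithm places no constraint on the message.
        if (isSet(cDA) && !cDA.equals(rDA)) {
            // Message text fixed: this branch is taken when the algorithms do NOT match.
            throw new PolicyViolationException(
                    "Receiver side requirement verification failed, "
                    + "DataEncryptionAlgorithm specified in the receiver requirements did not match with"
                    + " DataEncryptionAlgorithm used to encrypt the message."
                    + "Configured DataEncryptionAlgorithm is "
                    + cDA
                    + " DataEncryptionAlgorithm used in the "
                    + "message is " + rDA);
        }

        // Key binding verification is disabled. The intended check is kept
        // verbatim below so that it is visible to whoever re-enables it; note
        // that it compares key types with == rather than equals().
        /*
        WSSPolicy ckeyBinding = (WSSPolicy) cEP.getKeyBinding ();
        if(ckeyBinding != null){
            String cKeyType = ckeyBinding.getType ();
            WSSPolicy rkeyBinding = (WSSPolicy) rEP.getKeyBinding ();
            if(rkeyBinding == null){
                throw new PolicyViolationException ("KeyType used to Encrypt the message doesnot match with " +
                    " the receiver side requirements. Configured KeyType is "+ckeyBinding+
                    " KeyType inferred from the message is "+ rkeyBinding);
            }
            String rKeyType = rkeyBinding.getType ();
            //TODO: Verification of KeyBinding later
            if(rKeyType != cKeyType){
                throw new PolicyViolationException ("KeyType used to Encrypt the message doesnot match with " +
                    " the receiver side requirements. Configured KeyType is "+ckeyBinding+
                    " KeyType inferred from the message is "+ rkeyBinding);
                //log propert error message.
            }
            if(cKeyType == PolicyTypeUtil.SAMLASSERTION_TYPE){
                checkSAMLAssertionBinding ((SAMLAssertionBinding)ckeyBinding,(SAMLAssertionBinding)rkeyBinding);
            }else if(cKeyType == PolicyTypeUtil.X509CERTIFICATE_TYPE ){
                checkX509CertificateBinding ((X509CertificateBinding)ckeyBinding,(X509CertificateBinding)rkeyBinding);
            }
        } */
    }

    /**
     * Compares the SAML authority identifier of the configured binding with
     * the one inferred from the message. Currently unreferenced (see class
     * comment).
     * <p>
     * NOTE(review): when the message carries no authority identifier
     * ({@code null}) the comparison is skipped even though one is configured;
     * that is the original behaviour — confirm it is intended before enabling
     * this check.
     *
     * @param configPolicy configured SAML assertion binding
     * @param recvdPolicy SAML assertion binding inferred from the message
     * @throws PolicyViolationException when a configured authority identifier
     *         differs from the received one
     */
    private void checkSAMLAssertionBinding(
            SAMLAssertionBinding configPolicy,
            SAMLAssertionBinding recvdPolicy)
            throws PolicyViolationException {
        String cAuthorityId = configPolicy.getAuthorityIdentifier();
        String rAuthorityId = recvdPolicy.getAuthorityIdentifier();
        if (isSet(cAuthorityId) && rAuthorityId != null) {
            throwIfMismatched(configPolicy, recvdPolicy,
                    cAuthorityId.equals(rAuthorityId));
        }
    }

    /**
     * Compares the key algorithm and value type of the configured X.509
     * binding with those inferred from the message. Currently unreferenced
     * (see class comment).
     * <p>
     * The configured binding's reference type is first normalised by
     * {@link #setReferenceType}. The reference-type and certificate-identifier
     * comparisons were disabled in the original and are not performed here.
     *
     * @param configPolicy configured X.509 certificate binding (may be mutated
     *        by {@link #setReferenceType})
     * @param recvdPolicy X.509 certificate binding inferred from the message
     * @throws PolicyViolationException when a configured key algorithm or
     *         value type differs from the received one
     */
    private void checkX509CertificateBinding(
            X509CertificateBinding configPolicy,
            X509CertificateBinding recvdPolicy)
            throws PolicyViolationException {
        configPolicy = setReferenceType(configPolicy);

        String cKeyAlg = configPolicy.getKeyAlgorithm();
        String rKeyAlg = recvdPolicy.getKeyAlgorithm();
        if (isSet(cKeyAlg)) {
            // A message that carries no key algorithm (null or empty) cannot
            // satisfy a configured one: fail closed instead of dereferencing a
            // null received value or silently skipping the comparison.
            throwIfMismatched(configPolicy, recvdPolicy, cKeyAlg.equals(rKeyAlg));
        }

        String cValueType = configPolicy.getValueType();
        String rValueType = recvdPolicy.getValueType();
        if (isSet(cValueType)) {
            throwIfMismatched(configPolicy, recvdPolicy,
                    cValueType.equals(rValueType));
        }
    }

    /**
     * Throws a policy violation describing the two bindings unless they matched.
     *
     * @param configPolicy configured binding, included in the message
     * @param recvdPolicy received binding, included in the message
     * @param matched result of the caller's comparison
     * @throws PolicyViolationException when {@code matched} is {@code false}
     */
    private void throwIfMismatched(SecurityPolicy configPolicy,
            SecurityPolicy recvdPolicy, boolean matched)
            throws PolicyViolationException {
        if (!matched) {
            throw new PolicyViolationException(
                    "KeyType used to Encrypt the message doesnot match with "
                    + " the receiver side requirements. Configured KeyType is "
                    + configPolicy
                    + " KeyType inferred from the message is "
                    + recvdPolicy);
        }
    }

    /**
     * Returns whether a configured string value imposes a constraint, i.e. is
     * neither {@code null} nor empty.
     *
     * @param value configured value
     * @return {@code true} when the value is set
     */
    private static boolean isSet(String value) {
        return value != null && value.length() > 0;
    }

    /**
     * Rewrites a configured direct reference into the reference type the
     * receiver can actually honour when the token is never included.
     * <p>
     * Applies only when the policy token was set, the include-token mode is
     * {@code INCLUDE_NEVER} and the configured reference type is a direct
     * reference. The replacement is chosen from the WSS assertion's required
     * properties (key identifier first, then thumbprint); without a WSS
     * assertion a key identifier is used.
     *
     * @param configPolicy configured binding; mutated in place
     * @return the same binding instance, possibly with an updated reference type
     */
    private X509CertificateBinding setReferenceType(
            X509CertificateBinding configPolicy) {
        if (!configPolicy.policyTokenWasSet()) {
            return configPolicy;
        }
        if (!configPolicy.INCLUDE_NEVER.equals(configPolicy.getIncludeToken())) {
            return configPolicy;
        }
        WSSAssertion wssAssertion = context.getWSSAssertion();
        if (!MessageConstants.DIRECT_REFERENCE_TYPE.equals(
                configPolicy.getReferenceType())) {
            return configPolicy;
        }
        if (wssAssertion == null) {
            // when wssAssertion is not set use KeyIdentifier
            configPolicy.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
            return configPolicy;
        }
        java.util.Set required = wssAssertion.getRequiredProperties();
        if (required.contains(WSSAssertion.MUST_SUPPORT_REF_KEYIDENTIFIER)) {
            configPolicy.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
        } else if (required.contains(WSSAssertion.MUSTSUPPORT_REF_THUMBPRINT)) {
            configPolicy.setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
        }
        return configPolicy;
    }
}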
|