001: /*
002: * SignaturePolicyVerifier.java
003: *
004: * Created on August 7, 2005, 9:06 PM
005: */
006:
007: /*
008: * The contents of this file are subject to the terms
009: * of the Common Development and Distribution License
010: * (the License). You may not use this file except in
011: * compliance with the License.
012: *
013: * You can obtain a copy of the license at
014: * https://glassfish.dev.java.net/public/CDDLv1.0.html.
015: * See the License for the specific language governing
016: * permissions and limitations under the License.
017: *
018: * When distributing Covered Code, include this CDDL
019: * Header Notice in each file and include the License file
020: * at https://glassfish.dev.java.net/public/CDDLv1.0.html.
021: * If applicable, add the following below the CDDL Header,
022: * with the fields enclosed by brackets [] replaced by
023: * you own identifying information:
024: * "Portions Copyrighted [year] [name of copyright owner]"
025: *
026: * Copyright 2006 Sun Microsystems Inc. All Rights Reserved
027: */
028:
029: package com.sun.xml.wss.impl.policy.verifier;
030:
031: import com.sun.xml.wss.impl.PolicyTypeUtil;
032: import com.sun.xml.wss.impl.PolicyViolationException;
033: import com.sun.xml.wss.impl.policy.spi.PolicyVerifier;
034: import com.sun.xml.wss.impl.policy.SecurityPolicy;
035: import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy.SAMLAssertionBinding;
036: import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy.X509CertificateBinding;
037: import com.sun.xml.wss.impl.policy.mls.SignaturePolicy;
038: import com.sun.xml.wss.impl.FilterProcessingContext;
039: import com.sun.xml.wss.impl.WSSAssertion;
040: import com.sun.xml.wss.impl.MessageConstants;
041:
042: /**
043: *
044: * @author K.Venugopal@sun.com
045: */
046: public class SignaturePolicyVerifier implements PolicyVerifier {
047:
048: FilterProcessingContext context;
049:
050: /** Creates a new instance of SignaturePolicyVerifier */
051: public SignaturePolicyVerifier(FilterProcessingContext context) {
052: this .context = context;
053: }
054:
055: /**
056: *
057: * @param configPolicy Policy configured for the incoming message.
058: * @param recvdPolicy policy inferred from the incoming message.
059: * @throws com.sun.xml.wss.PolicyViolationException when policy infered from incoming message does not match with what
060: * is configured.
061: *
062: */
063:
064: /*
065: * Note : Right now we dont check Signature Target requirements here. We should come up
066: * with a better and yet performant design as policy requirements get clear.
067: *
068: */
069: public void verifyPolicy(SecurityPolicy configPolicy,
070: SecurityPolicy recvdPolicy) throws PolicyViolationException {
071:
072: if (PolicyTypeUtil.signaturePolicy(configPolicy)
073: && PolicyTypeUtil.signaturePolicy(recvdPolicy)) {
074: SignaturePolicy rsignPolicy = (SignaturePolicy) recvdPolicy;
075: SignaturePolicy csignPolicy = (SignaturePolicy) configPolicy;
076:
077: SignaturePolicy.FeatureBinding rfBinding = (SignaturePolicy.FeatureBinding) rsignPolicy
078: .getFeatureBinding();
079: SignaturePolicy.FeatureBinding cfBinding = (SignaturePolicy.FeatureBinding) csignPolicy
080: .getFeatureBinding();
081:
082: String cCanonAlgo = cfBinding
083: .getCanonicalizationAlgorithm();
084: String rCanonAlgo = rfBinding
085: .getCanonicalizationAlgorithm();
086: if (cCanonAlgo == null || rCanonAlgo == null) {
087: throw new PolicyViolationException(
088: "Either Policy configured or Policy inferred is null "
089: + "while verifying inferredPolicy with configuredPolicy");
090: }
091: if (cCanonAlgo.length() > 0 && rCanonAlgo.length() > 0) {
092: if (!rCanonAlgo.equals(cCanonAlgo)) {
093: throw new PolicyViolationException(
094: "Receiver side requirement verification failed,"
095: + " canonicalization algorithm received in the message is "
096: + rfBinding
097: .getCanonicalizationAlgorithm()
098: + " policy requires "
099: + cfBinding
100: .getCanonicalizationAlgorithm());
101: }
102: }
103: /*
104: WSSPolicy ckeyBinding = (WSSPolicy) csignPolicy.getKeyBinding ();
105: if(ckeyBinding != null){
106: String cKeyType = ckeyBinding.getType ();
107: WSSPolicy rkeyBinding = (WSSPolicy) rsignPolicy.getKeyBinding ();
108: if(rkeyBinding == null){
109: throw new PolicyViolationException ("KeyType used to sign the message doesnot match with " +
110: " the receiver side requirements. Configured KeyType is "+ckeyBinding+
111: " KeyType inferred from the message is "+ rkeyBinding);
112: }
113: String rKeyType = rkeyBinding.getType ();
114: //TODO: Verification of KeyBinding later
115: if(rKeyType != cKeyType){
116: throw new PolicyViolationException ("KeyType used to sign the message doesnot match with " +
117: " the receiver side requirements. Configured KeyType is "+ckeyBinding+
118: " KeyType inferred from the message is "+ rkeyBinding);
119: //log propert error message.
120: }
121: if(cKeyType == PolicyTypeUtil.SAMLASSERTION_TYPE){
122: // checkSAMLAssertionBinding ((SAMLAssertionBinding)ckeyBinding,(SAMLAssertionBinding)rkeyBinding);
123: }else if(cKeyType == PolicyTypeUtil.X509CERTIFICATE_TYPE ){
124: checkX509CertificateBinding ((X509CertificateBinding)ckeyBinding,(X509CertificateBinding)rkeyBinding);
125: }
126:
127: }*/
128: }
129: }
130:
131: private void checkSAMLAssertionBinding(
132: SAMLAssertionBinding configPolicy,
133: SAMLAssertionBinding recvdPolicy)
134: throws PolicyViolationException {
135:
136: boolean matched = true;
137:
138: String _cAI = configPolicy.getAuthorityIdentifier();
139: String _rAI = recvdPolicy.getAuthorityIdentifier();
140: if ((_cAI != null && _cAI.length() > 0) && _rAI != null) {
141: matched = _cAI.equals(_rAI);
142: _throwError(configPolicy, recvdPolicy, matched);
143: }
144:
145: }
146:
147: private void checkX509CertificateBinding(
148: X509CertificateBinding configPolicy,
149: X509CertificateBinding recvdPolicy)
150: throws PolicyViolationException {
151:
152: boolean matched = true;
153:
154: configPolicy = setReferenceType(configPolicy);
155: String ckeyAlg = configPolicy.getKeyAlgorithm();
156: String rkeyAlg = recvdPolicy.getKeyAlgorithm();
157: if (ckeyAlg != null && ckeyAlg.length() > 0
158: && rkeyAlg.length() > 0) {
159: matched = ckeyAlg.equals(rkeyAlg);
160: }
161: _throwError(configPolicy, recvdPolicy, matched);
162:
163: /*String cRT = configPolicy.getReferenceType ();
164: String rRT = recvdPolicy.getReferenceType ();
165:
166: if(cRT != null && cRT.length () > 0 ){
167: matched = cRT.equals (rRT);
168: }
169: _throwError (configPolicy,recvdPolicy,matched);*/
170:
171: String cVT = configPolicy.getValueType();
172: String rVT = recvdPolicy.getValueType();
173:
174: if (cVT != null && cVT.length() > 0 && rVT.length() > 0) {
175: matched = cVT.equals(rVT);
176: }
177: _throwError(configPolicy, recvdPolicy, matched);
178: /*
179: String cCI = configPolicy.getCertificateIdentifier ();
180: String rCI = recvdPolicy.getCertificateIdentifier ();
181:
182: if(cCI != null && cCI.length () > 0 ){
183: matched = cCI.equals (rCI);
184: }
185: _throwError (configPolicy,recvdPolicy,matched);
186: */
187: /*if(!matched){
188: throw new PolicyViolationException ("KeyType used to sign the message doesnot match with " +
189: " the receiver side requirements. Configured KeyType is "+configPolicy+
190: " KeyType inferred from the message is "+ recvdPolicy);
191: }*/
192: }
193:
194: private final void _throwError(SecurityPolicy configPolicy,
195: SecurityPolicy recvdPolicy, boolean matched)
196: throws PolicyViolationException {
197: if (!matched) {
198: throw new PolicyViolationException(
199: "KeyType used to sign the message doesnot match with "
200: + " the receiver side requirements. Configured KeyType is "
201: + configPolicy
202: + " KeyType inferred from the message is "
203: + recvdPolicy);
204: }
205: }
206:
207: private X509CertificateBinding setReferenceType(
208: X509CertificateBinding configPolicy) {
209:
210: //Token policyToken = configPolicy.getPolicyToken();
211: //if (policyToken != null) {
212: if (configPolicy.policyTokenWasSet()) {
213: if (configPolicy.INCLUDE_NEVER.equals(configPolicy
214: .getIncludeToken())) {
215: WSSAssertion wssAssertion = context.getWSSAssertion();
216: if (MessageConstants.DIRECT_REFERENCE_TYPE
217: .equals(configPolicy.getReferenceType())) {
218: if (wssAssertion != null) {
219: if (wssAssertion
220: .getRequiredProperties()
221: .contains(
222: WSSAssertion.MUST_SUPPORT_REF_KEYIDENTIFIER))
223: configPolicy
224: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
225: else if (wssAssertion
226: .getRequiredProperties()
227: .contains(
228: WSSAssertion.MUSTSUPPORT_REF_THUMBPRINT))
229: configPolicy
230: .setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
231: } else {
232: // when wssAssertion is not set use KeyIdentifier
233: configPolicy
234: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
235: }
236: }
237: }
238: }
239:
240: return configPolicy;
241: }
242: }
|