Java tutorial
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ package org.apache.ws.security.str; import org.apache.ws.security.WSConstants; import org.apache.ws.security.WSDocInfo; import org.apache.ws.security.WSSConfig; import org.apache.ws.security.WSSecurityEngine; import org.apache.ws.security.WSSecurityEngineResult; import org.apache.ws.security.WSSecurityException; import org.apache.ws.security.components.crypto.Crypto; import org.apache.ws.security.handler.RequestData; import org.apache.ws.security.message.token.BinarySecurity; import org.apache.ws.security.message.token.SecurityTokenReference; import org.apache.ws.security.message.token.X509Security; import org.apache.ws.security.saml.SAMLKeyInfo; import org.apache.ws.security.saml.SAMLUtil; import org.apache.ws.security.saml.ext.AssertionWrapper; import org.w3c.dom.Element; import java.security.Principal; import java.security.PublicKey; import java.security.cert.X509Certificate; import java.util.Map; import javax.xml.namespace.QName; /** * This implementation of STRParser is for parsing a SecurityTokenReference element, found in the * KeyInfo element associated with an EncryptedKey element */ public class EncryptedKeySTRParser implements STRParser { private static final org.apache.commons.logging.Log LOG = org.apache.commons.logging.LogFactory .getLog(EncryptedKeySTRParser.class); private X509Certificate[] certs; private REFERENCE_TYPE referenceType; /** * Parse a SecurityTokenReference element and extract credentials. * * @param strElement The SecurityTokenReference element * @param data the RequestData associated with the request * @param wsDocInfo The WSDocInfo object to access previous processing results * @param parameters A set of implementation-specific parameters * @throws WSSecurityException */ public void parseSecurityTokenReference(Element strElement, RequestData data, WSDocInfo wsDocInfo, Map<String, Object> parameters) throws WSSecurityException { Crypto crypto = data.getDecCrypto(); WSSConfig config = data.getWssConfig(); boolean bspCompliant = true; if (config != null) { bspCompliant = config.isWsiBSPCompliant(); } SecurityTokenReference secRef = new SecurityTokenReference(strElement, bspCompliant); String uri = null; if (secRef.containsReference()) { uri = secRef.getReference().getURI(); if (uri.charAt(0) == '#') { uri = uri.substring(1); } referenceType = REFERENCE_TYPE.DIRECT_REF; } else if (secRef.containsKeyIdentifier()) { uri = secRef.getKeyIdentifierValue(); if (SecurityTokenReference.THUMB_URI.equals(secRef.getKeyIdentifierValueType())) { referenceType = REFERENCE_TYPE.THUMBPRINT_SHA1; } else { referenceType = REFERENCE_TYPE.KEY_IDENTIFIER; } } WSSecurityEngineResult result = wsDocInfo.getResult(uri); if (result != null) { processPreviousResult(result, secRef, data, wsDocInfo, bspCompliant); } else if (secRef.containsKeyIdentifier()) { if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()) || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) { AssertionWrapper assertion = SAMLUtil.getAssertionFromKeyIdentifier(secRef, strElement, data, wsDocInfo); if (bspCompliant) { BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion); } SAMLKeyInfo samlKi = SAMLUtil.getCredentialFromSubject(assertion, data, wsDocInfo, bspCompliant); certs = samlKi.getCerts(); } else { if (bspCompliant) { BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, null); } certs = secRef.getKeyIdentifier(crypto); } } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) { referenceType = REFERENCE_TYPE.ISSUER_SERIAL; certs = secRef.getX509IssuerSerial(crypto); } else if (secRef.containsReference()) { Element bstElement = secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler()); // at this point ... check token type: Binary QName el = new QName(bstElement.getNamespaceURI(), bstElement.getLocalName()); if (el.equals(WSSecurityEngine.BINARY_TOKEN)) { X509Security token = new X509Security(bstElement); if (bspCompliant) { BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token); } certs = new X509Certificate[] { token.getX509Certificate(crypto) }; } else { throw new WSSecurityException(WSSecurityException.UNSUPPORTED_SECURITY_TOKEN, "unsupportedBinaryTokenType", null); } } if (LOG.isDebugEnabled() && certs != null && certs[0] != null) { LOG.debug("cert: " + certs[0]); } } /** * Get the X509Certificates associated with this SecurityTokenReference * @return the X509Certificates associated with this SecurityTokenReference */ public X509Certificate[] getCertificates() { return certs; } /** * Get the Principal associated with this SecurityTokenReference * @return the Principal associated with this SecurityTokenReference */ public Principal getPrincipal() { return null; } /** * Get the PublicKey associated with this SecurityTokenReference * @return the PublicKey associated with this SecurityTokenReference */ public PublicKey getPublicKey() { return null; } /** * Get the Secret Key associated with this SecurityTokenReference * @return the Secret Key associated with this SecurityTokenReference */ public byte[] getSecretKey() { return null; } /** * Get whether the returned credential is already trusted or not. This is currently * applicable in the case of a credential extracted from a trusted HOK SAML Assertion, * and a BinarySecurityToken that has been processed by a Validator. In these cases, * the SignatureProcessor does not need to verify trust on the credential. * @return true if trust has already been verified on the returned Credential */ public boolean isTrustedCredential() { return false; } /** * Get how the certificates were referenced * @return how the certificates were referenced */ public REFERENCE_TYPE getCertificatesReferenceType() { return referenceType; } /** * Process a previous security result */ private void processPreviousResult(WSSecurityEngineResult result, SecurityTokenReference secRef, RequestData data, WSDocInfo wsDocInfo, boolean bspCompliant) throws WSSecurityException { int action = ((Integer) result.get(WSSecurityEngineResult.TAG_ACTION)).intValue(); if (WSConstants.BST == action) { if (bspCompliant) { BinarySecurity token = (BinarySecurity) result .get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN); BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token); } certs = (X509Certificate[]) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES); } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) { AssertionWrapper assertion = (AssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); if (bspCompliant) { BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion); } SAMLKeyInfo keyInfo = SAMLUtil.getCredentialFromSubject(assertion, data, wsDocInfo, bspCompliant); certs = keyInfo.getCerts(); } else { throw new WSSecurityException(WSSecurityException.UNSUPPORTED_SECURITY_TOKEN, "unsupportedBinaryTokenType", null); } } }