Author: dkulp
Date: Mon Sep 29 13:08:57 2008
New Revision: 700233
URL: http://svn.apache.org/viewvc?rev=700233&view=rev
Log:
Get MS WCF interop encrypt-then-sign working
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=700233&r1=700232&r2=700233&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Mon Sep 29 13:08:57 2008
@@ -51,7 +51,6 @@
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.WSSecTimestamp;
-import org.apache.ws.security.util.WSSecurityUtil;
/**
*
@@ -236,42 +235,6 @@
}
}
- public void handleEncryptedSignedHeaders(Vector<WSEncryptionPart>
encryptedParts,
- Vector<WSEncryptionPart>
signedParts) {
-
- for (WSEncryptionPart signedPart : signedParts) {
- if (signedPart.getNamespace() == null || signedPart.getName() ==
null) {
- continue;
- }
-
- for (WSEncryptionPart encryptedPart : encryptedParts) {
- if (encryptedPart.getNamespace() == null
- || encryptedPart.getName() == null) {
- continue;
- }
-
- if (signedPart.getName().equals(encryptedPart.getName())
- &&
signedPart.getNamespace().equals(encryptedPart.getNamespace())) {
-
- String encDataID = encryptedPart.getEncId();
- Element encDataElem = WSSecurityUtil
-
.findElementById(saaj.getSOAPPart().getDocumentElement(),
- encDataID, null);
-
- if (encDataElem != null) {
- Element encHeader =
(Element)encDataElem.getParentNode();
- String encHeaderId =
encHeader.getAttributeNS(WSConstants.WSU_NS, "Id");
-
- signedParts.remove(signedPart);
- WSEncryptionPart encHeaderToSign = new
WSEncryptionPart(encHeaderId);
- signedParts.add(encHeaderToSign);
- }
- }
- }
- }
- }
-
-
private WSSecBase doEncryption(TokenWrapper recToken,
Vector<WSEncryptionPart> encrParts,
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java?rev=700233&r1=700232&r2=700233&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java
Mon Sep 29 13:08:57 2008
@@ -821,7 +821,7 @@
if (encrUser == null || "".equals(encrUser)) {
policyNotAsserted(token, "No " + (sign ? "signature" :
"encryption") + " username found.");
}
- if (encrUser.equals(WSHandlerConstants.USE_REQ_SIG_CERT)) {
+ if (WSHandlerConstants.USE_REQ_SIG_CERT.equals(encrUser)) {
Object resultsObj =
message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS);
if (resultsObj != null) {
encrKeyBuilder.setUseThisCert(getReqSigCert((Vector)resultsObj));
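Review bot: The null-safe comparison on L95 stops the NullPointerException but leaves the missing-username case on L90–L93 falling straight through, since `policyNotAsserted` on L91 is not followed by a return and nothing visible here shows it aborting. Unless that call throws, the builder continues with a null or empty `encrUser` into the encrypted-key setup that follows, so the failure is recorded but the key is still built. If the enclosing method allows it, add `return;` after the `policyNotAsserted(...)` call, or at least a comment stating that the assertion failure is expected to abort processing downstream. The enclosing method starts before and ends after this hunk.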
@@ -1119,4 +1119,42 @@
}
}
}
+
+
+ public void handleEncryptedSignedHeaders(Vector<WSEncryptionPart>
encryptedParts,
+ Vector<WSEncryptionPart>
signedParts) {
+
+ for (WSEncryptionPart signedPart : signedParts) {
+ if (signedPart.getNamespace() == null || signedPart.getName() ==
null) {
+ continue;
+ }
+
+ for (WSEncryptionPart encryptedPart : encryptedParts) {
+ if (encryptedPart.getNamespace() == null
+ || encryptedPart.getName() == null) {
+ continue;
+ }
+
+ if (signedPart.getName().equals(encryptedPart.getName())
+ &&
signedPart.getNamespace().equals(encryptedPart.getNamespace())) {
+
+ String encDataID = encryptedPart.getEncId();
+ Element encDataElem = WSSecurityUtil
+
.findElementById(saaj.getSOAPPart().getDocumentElement(),
+ encDataID, null);
+
+ if (encDataElem != null) {
+ Element encHeader =
(Element)encDataElem.getParentNode();
+ String encHeaderId =
encHeader.getAttributeNS(WSConstants.WSU_NS, "Id");
+
+ signedParts.remove(signedPart);
+ WSEncryptionPart encHeaderToSign = new
WSEncryptionPart(encHeaderId);
+ signedParts.add(encHeaderToSign);
+ }
+ }
+ }
+ }
+ }
+
+
}
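Review bot: `signedParts.remove(signedPart)` and `signedParts.add(encHeaderToSign)` on L139–L142 modify the Vector while the for-each on L111 is still iterating it, so with more than one signed part the next `next()` on the outer iterator throws ConcurrentModificationException; iterate a snapshot instead, `for (WSEncryptionPart signedPart : new Vector<WSEncryptionPart>(signedParts)) {`, and `break` out of the inner loop once the part has been replaced. A second problem is on L136–L137: `getAttributeNS(WSConstants.WSU_NS, "Id")` returns an empty string when the EncryptedHeader wrapper carries no wsu:Id, so the replacement signed part would reference nothing and the header the policy requires to be signed would not be covered by the signature; `String encHeaderId = addWsuIdToElement(encHeader);` (the helper the Symmetric handler calls unqualified for the timestamp on L261) looks like the right call, though its presence on this class is not visible here. Also worth a guard: `encryptedPart.getEncId()` on L127 may be null before it is handed to `findElementById`. The method itself lies fully within the hunk.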
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=700233&r1=700232&r2=700233&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Mon Sep 29 13:08:57 2008
@@ -25,6 +25,7 @@
import java.util.Calendar;
import java.util.Vector;
+import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import org.w3c.dom.Document;
@@ -110,11 +111,18 @@
}
if (sbinding.getProtectionOrder() ==
SPConstants.ProtectionOrder.EncryptBeforeSigning) {
-// doEncryptBeforeSign();
- System.err.println("encrypt before sign, not yet");
+ try {
+ doEncryptBeforeSign();
+ } catch (Exception e) {
+ e.printStackTrace();
+ //REVISIT - exception
+ }
} else {
doSignBeforeEncrypt();
}
+ //REVIST - what to do with these policies?
+ policyAsserted(SP11Constants.TRUST_10);
+ policyAsserted(SP12Constants.TRUST_13);
}
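Review bot: The `catch (Exception e)` on L176–L179 only prints the stack trace and continues, so when `doEncryptBeforeSign()` fails the handler still asserts the TRUST policies on L184–L185 and returns as if the binding had been applied; the message would leave without the encryption or signature the policy demanded, with the failure visible only on stderr. The derived-key path later in this file reports failures through `policyNotAsserted(recToken, e)` (L400), which is the mechanism this catch should use so the policy engine sees the binding as not asserted; the overload that takes the binding rather than a token wrapper is not visible here. At minimum replace `e.printStackTrace();` with a `policyNotAsserted(...)` call and reword the `//REVISIT` to say that, as written, this is a fail-open condition. `doEncryptBeforeSign` is defined in a later hunk of this file.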
@@ -135,6 +143,134 @@
+ private void doEncryptBeforeSign() throws SOAPException,
+ WSSecurityException, ConversationException {
+
+ TokenWrapper encryptionWrapper = getEncryptionToken();
+ Token encryptionToken = encryptionWrapper.getToken();
+ Vector<WSEncryptionPart> encrParts = getEncryptedParts();
+ Vector<WSEncryptionPart> sigParts = getSignedParts();
+
+ if (encryptionToken == null && encrParts.size() > 0) {
+ //REVISIT - nothing to encrypt?
+ }
+
+ if (encryptionToken != null && encrParts.size() > 0) {
+ //The encryption token can be an IssuedToken or a
+ //SecureConversationToken
+ String tokenId = null;
+
+ if (encryptionToken instanceof IssuedToken) {
+ //REVISIT - IssuedToken
+ } else if (encryptionToken instanceof SecureConversationToken) {
+ //REVISIT - SecureConversation
+ } else if (encryptionToken instanceof X509Token) {
+ if (isRequestor()) {
+ tokenId = setupEncryptedKey(encryptionWrapper,
encryptionToken);
+ } else {
+ tokenId = getEncryptedKey();
+ }
+ }
+
+ if (tokenId == null || tokenId.length() == 0) {
+ //REVISIT - no tokenM
+ }
+ if (tokenId.startsWith("#")) {
+ tokenId = tokenId.substring(1);
+ }
+
+ /*
+ * Get hold of the token from the token storage
+ */
+ SecurityToken tok = tokenStore.getToken(tokenId);
+
+ boolean attached = false;
+
+ if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS ==
encryptionToken.getInclusion()
+ || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE ==
encryptionToken.getInclusion()
+ || (isRequestor()
+ &&
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
+ == encryptionToken.getInclusion())) {
+
+ Element el = tok.getToken();
+ el =
(Element)secHeader.getSecurityHeader().getOwnerDocument().importNode(el, true);
+ this.addEncyptedKeyElement(el);
+ attached = true;
+ } else if (encryptionToken instanceof X509Token && isRequestor()) {
+ Element el = tok.getToken();
+ el =
(Element)secHeader.getSecurityHeader().getOwnerDocument().importNode(el, true);
+ this.addEncyptedKeyElement(el);
+ }
+
+ WSSecBase encr = doEncryption(encryptionWrapper, tok, attached,
encrParts, true);
+
+ handleEncryptedSignedHeaders(encrParts, sigParts);
+
+
+ if (timestampEl != null) {
+ sigParts.add(new
WSEncryptionPart(addWsuIdToElement(timestampEl.getElement())));
+ }
+
+ if (isRequestor()) {
+ this.addSupportingTokens(sigParts);
+ } else {
+ addSignatureConfirmation(sigParts);
+ }
+
+
+ //Sign the message
+ //We should use the same key in the case of EncryptBeforeSig
+ if (sigParts.size() > 0) {
+ signatures.add(this.doSignature(sigParts, encryptionWrapper,
encryptionToken, tok));
+ }
+
+ if (isRequestor()) {
+ this.doEndorse();
+ }
+
+
+ //Check for signature protection and encryption of UsernameToken
+ if (sbinding.isSignatureProtection() && this.mainSigId != null
+ || encryptedTokensIdList.size() > 0 && isRequestor()) {
+ Vector<WSEncryptionPart> secondEncrParts = new
Vector<WSEncryptionPart>();
+
+ //Now encrypt the signature using the above token
+ if (sbinding.isSignatureProtection()) {
+ secondEncrParts.add(new WSEncryptionPart(this.mainSigId,
"Element"));
+ }
+
+ if (isRequestor()) {
+ for (String s : encryptedTokensIdList) {
+ secondEncrParts.add(new WSEncryptionPart(s,
"Element"));
+ }
+ }
+
+ Element secondRefList = null;
+
+ if (encryptionToken.isDerivedKeys()) {
+ try {
+ secondRefList =
((WSSecDKEncrypt)encr).encryptForExternalRef(null,
+ secondEncrParts);
+ this.addDerivedKeyElement(secondRefList);
+ } catch (WSSecurityException e) {
+ //REVISIT - exception
+ }
+ } else {
+ try {
+ //Encrypt, get hold of the ref list and add it
+ secondRefList =
((WSSecEncrypt)encr).encryptForExternalRef(null,
+ encrParts);
+ this.addDerivedKeyElement(secondRefList);
+ } catch (WSSecurityException e) {
+ //REVISIT - exception
+ }
+ }
+ }
+
+ } else {
+ //REVISIT - nothing to do?!?
+ }
+ }
private void doSignBeforeEncrypt() {
TokenWrapper sigTokenWrapper = getSignatureToken();
Token sigToken = sigTokenWrapper.getToken();
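Review bot: The non-derived-key branch on L316–L318 encrypts `encrParts` again instead of `secondEncrParts`, so the list built on L286–L300 (the main signature under SignatureProtection, plus the encrypted UsernameToken ids) is never used on that path: the signature stays in the clear while the already-encrypted parts get a second ReferenceList. The one-line fix is `encrParts` → `secondEncrParts` on L318, mirroring the DK branch on L306–L308. Separately, L218–L220 only comment on a null or empty `tokenId` and L221 then calls `tokenId.startsWith("#")`, so the IssuedToken and SecureConversationToken cases that leave `tokenId` null (L205–L208) end in a NullPointerException rather than a policy error; return or report through `policyNotAsserted` before L221, and `tokenStore.getToken(tokenId)` on L228 needs the same null check before `tok.getToken()` on L241. The mixed `&&`/`||` condition on L284–L285 reads as intended under Java precedence but deserves parentheses. `doSignBeforeEncrypt` on L330 continues beyond the hunk.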
@@ -208,20 +344,15 @@
doSignature(sigs, sigTokenWrapper, sigToken, sigTok);
}
- //REVIST - what to do with these policies?
- policyAsserted(SP11Constants.TRUST_10);
- policyAsserted(SP12Constants.TRUST_13);
//Encryption
TokenWrapper encrTokenWrapper = getEncryptionToken();
Token encrToken = encrTokenWrapper.getToken();
SecurityToken encrTok = null;
- Element encrElem = null;
if (sigToken.equals(encrToken)) {
//Use the same token
encrTok = sigTok;
- encrElem = sigTokElem;
} else {
String encrTokId = null;
//REVISIT - issued token from trust?
@@ -253,17 +384,20 @@
}
doEncryption(encrTokenWrapper,
encrTok,
- encrElem,
- enc);
+ true,
+ enc,
+ false);
} catch (Exception e) {
e.printStackTrace();
//REVISIT!!
}
}
+
private WSSecBase doEncryption(TokenWrapper recToken,
SecurityToken encrTok,
- Element encrElem,
- Vector<WSEncryptionPart> encrParts) {
+ boolean attached,
+ Vector<WSEncryptionPart> encrParts,
+ boolean atEnd) {
//Do encryption
if (recToken != null && recToken.getToken() != null &&
encrParts.size() > 0) {
Token encrToken = recToken.getToken();
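Review bot: The call on L353–L359 now passes `attached = true` unconditionally, whereas the old code passed `encrElem`, which was set to `sigTokElem` only when the signature and encryption tokens were the same (L344–L347) and otherwise stayed null as far as this hunk shows. Inside `doEncryption` that flag gates the attached-reference path (`attached && encrTok.getAttachedReference() != null` on L382), so for a distinct encryption token the DK encryptor may now be keyed off an attached reference to an element that was never added to the header; if the `else` branch outside this view does attach it, a comment saying so at the call site would settle it, otherwise pass the actual attachment state. The new `doEncryption` signature also has no Javadoc for `attached` and `atEnd`; a header such as `/** @param attached whether the token element is already in the security header; @param atEnd place the ReferenceList at the bottom of the header (encrypt-before-sign) */` would help the next reader. Both `doSignBeforeEncrypt` and `doEncryption` extend beyond this hunk.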
@@ -274,7 +408,7 @@
try {
WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();
- if (encrElem != null && encrTok.getAttachedReference() !=
null) {
+ if (attached && encrTok.getAttachedReference() != null) {
dkEncr.setExternalKey(encrTok.getSecret(),
(Element)saaj.getSOAPPart()
.importNode((Element)
encrTok.getAttachedReference(),
@@ -309,7 +443,11 @@
encrDKTokenElem = dkEncr.getdktElement();
addDerivedKeyElement(encrDKTokenElem);
Element refList = dkEncr.encryptForExternalRef(null,
encrParts);
- this.addDerivedKeyElement(refList);
+ if (atEnd) {
+ this.insertBeforeBottomUp(refList);
+ } else {
+ this.addDerivedKeyElement(refList);
+ }
return dkEncr;
} catch (Exception e) {
policyNotAsserted(recToken, e);
@@ -345,8 +483,11 @@
Element refList = encr.encryptForExternalRef(null,
encrParts);
- this.addDerivedKeyElement(refList);
-
+ if (atEnd) {
+ this.insertBeforeBottomUp(refList);
+ } else {
+ this.addDerivedKeyElement(refList);
+ }
return encr;
} catch (WSSecurityException e) {
policyNotAsserted(recToken, e.getMessage());
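Review bot: The `if (atEnd) { insertBeforeBottomUp(refList); } else { addDerivedKeyElement(refList); }` placement on L406–L410 is a verbatim copy of L393–L397 in the derived-key branch; pulling it into a private helper such as `addReferenceList(Element refList, boolean atEnd)` with a one-line comment on why encrypt-before-sign needs the list at the bottom keeps the two paths from drifting. `doEncryption` continues beyond the hunk.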