Author: kaushalye
Date: Tue Nov  6 22:48:15 2007
New Revision: 592632

URL: http://svn.apache.org/viewvc?rev=592632&view=rev
Log:
Symmetric binding signature verification.

Modified:
    webservices/rampart/trunk/c/include/oxs_signature.h
    webservices/rampart/trunk/c/src/omxmlsec/derivation.c
    webservices/rampart/trunk/c/src/omxmlsec/signature.c
    webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c

Modified: webservices/rampart/trunk/c/include/oxs_signature.h
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/oxs_signature.h?rev=592632&r1=592631&r2=592632&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/oxs_signature.h (original)
+++ webservices/rampart/trunk/c/include/oxs_signature.h Tue Nov  6 22:48:15 2007
@@ -105,6 +105,18 @@
                    axis2_char_t *content,
                    axis2_char_t *signature);
 
+    AXIS2_EXTERN axis2_status_t AXIS2_CALL
+    oxs_sig_verify_hmac_sha1(const axutil_env_t *env,
+               oxs_sign_ctx_t *sign_ctx,
+               axis2_char_t *content,
+               axis2_char_t *signature);
+
+    AXIS2_EXTERN axis2_status_t AXIS2_CALL
+    oxs_sig_verify_rsa_sha1(const axutil_env_t *env,
+               oxs_sign_ctx_t *sign_ctx,
+               axis2_char_t *content,
+               axis2_char_t *signature);
+
     /** @} */
 #ifdef __cplusplus
 }
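Review bot: The two new prototypes have no Doxygen comment, although they sit inside a documented group (closed by the `/** @} */` just below) and oxs_sig_verify_hmac_sha1 in particular has a contract worth stating: it recomputes a MAC with the secret held in sign_ctx rather than checking a public-key signature, so a caller that passes a context without a secret gets a failure. Suggest a `/** ... */` block above each prototype giving the key source (secret from sign_ctx for HMAC, key material from sign_ctx for RSA), that `content` is the data to verify and `signature` the value it is compared against, and that the return is AXIS2_SUCCESS only on a match and AXIS2_FAILURE otherwise. The exact encoding expected for `signature` cannot be read from this hunk and should be stated by whoever knows it.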

Modified: webservices/rampart/trunk/c/src/omxmlsec/derivation.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/derivation.c?rev=592632&r1=592631&r2=592632&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/derivation.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/derivation.c Tue Nov  6 22:48:15 
2007
@@ -38,6 +38,7 @@
     axiom_node_t *offset_node = NULL;
     axis2_status_t status = AXIS2_FAILURE;
     axis2_char_t *nonce = NULL;
+    axis2_char_t *id = NULL;
     /*Default values*/
     int offset = -1;
     int length = 0;
@@ -45,7 +46,7 @@
 
     /*If the session_key is NULL then extract it form the refered 
EncryptedKey. Otherwise use it*/
     if(!session_key){
-        /*TODO Lots of work including decrypting the EncryotedKey*/
+        /*TODO Lots of work including decrypting the EncryptedKey*/
     }else{
         base_key = session_key;
     }
@@ -82,6 +83,9 @@
         oxs_key_free(derived_key, env);
         derived_key = NULL;
     }
+    /*We need to set the name of the derived key*/
+    id = oxs_axiom_get_attribute_value_of_node_by_name(env, dk_token_node, 
OXS_ATTR_ID, OXS_WSU_XMLNS); 
+    oxs_key_set_name(derived_key, env, id);
     return derived_key;
 }
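Review bot: `oxs_key_set_name(derived_key, env, id)` runs unconditionally, but the three context lines above it free derived_key and set it to NULL on the derivation-failure path, so that path now passes a NULL key to set_name; `id` is likewise NULL when the token has no wsu:Id attribute, and whether oxs_key_set_name tolerates either is not visible here. Guard the call, `if(derived_key && id){ oxs_key_set_name(derived_key, env, id); }`, or move the attribute lookup and the set_name into the success branch so a failed derivation returns NULL without touching the key. The enclosing function starts before this hunk, so the earlier handling of dk_token_node is not reviewed here.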
 

Modified: webservices/rampart/trunk/c/src/omxmlsec/signature.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/signature.c?rev=592632&r1=592631&r2=592632&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/signature.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/signature.c Tue Nov  6 22:48:15 
2007
@@ -47,6 +47,10 @@
 
     /*Get the shared secret form the sig_ctx*/
     secret = oxs_sign_ctx_get_secret(sign_ctx, env);
+    if(!secret){
+        oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIGN_FAILED,"Signature 
failed. using HMAC-SHA1. No secret key is set");
+        return AXIS2_FAILURE;
+    }
     /*Sign using HMAC-SHA1*/
     status = openssl_hmac_sha1(env, secret, input, signed_result_buf);
     if(AXIS2_FAILURE == status){
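Review bot: The new error text `"Signature failed. using HMAC-SHA1. No secret key is set"` is broken by a stray period and reads oddly in a log line; suggest `"HMAC-SHA1 signing failed: no secret key is set in the signature context"`. The guard itself is the right place, since `secret` is handed to openssl_hmac_sha1 unchecked on the very next line. The enclosing function begins before this hunk.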
@@ -149,7 +153,64 @@
 }
 
 AXIS2_EXTERN axis2_status_t AXIS2_CALL
+oxs_sig_verify_hmac_sha1(const axutil_env_t *env,
+               oxs_sign_ctx_t *sign_ctx,
+               axis2_char_t *content,
+               axis2_char_t *signature)
+{
+    axis2_status_t status = AXIS2_FAILURE;
+    oxs_buffer_t *input_buf = NULL;
+    oxs_buffer_t *output_buf = NULL;
+    axis2_char_t *signed_val = NULL;
+
+    /*Make the input and out put buffers*/
+    input_buf = oxs_buffer_create(env);
+    output_buf = oxs_buffer_create(env);
+
+    oxs_buffer_populate(input_buf, env, (unsigned char *)content, 
axutil_strlen(content));
+    /*Sign the content and get the output*/
+    status = oxs_sig_sign_hmac_sha1(env, sign_ctx, input_buf, output_buf); 
+
+    signed_val = (axis2_char_t*)oxs_buffer_get_data(output_buf, env);
+    /*Compare the output with the signature. If tally; SUCCESS*/
+    if(axutil_strcmp(signature, signed_val)){
+        return AXIS2_SUCCESS;
+    }else{
+        oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIG_VERIFICATION_FAILED, 
"Signature verification failed using HMAC-SHA1");
+        return AXIS2_FAILURE;
+    }
+}
+
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
 oxs_sig_verify(const axutil_env_t *env,
+               oxs_sign_ctx_t *sign_ctx,
+               axis2_char_t *content,
+               axis2_char_t *signature)
+{
+    axis2_char_t *sign_algo = NULL;
+
+    /*Get algo. To check whether we support*/
+    sign_algo = oxs_sign_ctx_get_sign_mtd_algo(sign_ctx, env);
+
+    /*Prepare content and verify*/
+    if ((axutil_strcmp(sign_algo, OXS_HREF_RSA_SHA1)) == 0)
+    {
+        oxs_sig_verify_rsa_sha1(env, sign_ctx, content, signature);
+    }
+    else if ((axutil_strcmp(sign_algo, OXS_HREF_HMAC_SHA1)) == 0)
+    {
+        oxs_sig_verify_hmac_sha1(env, sign_ctx,  content, signature);
+    }
+    else
+    {
+        oxs_error(env, ERROR_LOCATION, OXS_ERROR_INVALID_DATA,  "Cannot 
support cipher %s for verification", sign_algo);
+        return AXIS2_FAILURE;
+    }
+
+    return AXIS2_SUCCESS;
+}
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
+oxs_sig_verify_rsa_sha1(const axutil_env_t *env,
                oxs_sign_ctx_t *sign_ctx,
                axis2_char_t *content,
                axis2_char_t *signature)
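Review bot: oxs_sig_verify_hmac_sha1 returns AXIS2_SUCCESS when `axutil_strcmp(signature, signed_val)` is non-zero, i.e. when the recomputed MAC does not match, and reports a failure on a match — this hunk's own dispatch tests `== 0` for equality, so the condition is inverted and any wrong HMAC is accepted. oxs_sig_verify then discards the status of both oxs_sig_verify_rsa_sha1 and oxs_sig_verify_hmac_sha1 and returns AXIS2_SUCCESS for every supported algorithm, so even a correctly detected bad signature never reaches the caller; each branch should return the callee's status. The result of oxs_sig_sign_hmac_sha1 is not checked before output_buf is read, and input_buf/output_buf created with oxs_buffer_create are never released on any path. A MAC check should also be length-checked and constant-time rather than strcmp-based, which leaks the length of the matching prefix through timing and, if the buffer holds raw digest bytes rather than text, stops at the first zero byte. oxs_sig_verify_rsa_sha1 begins at the end of this hunk and its body continues outside it.
```c
    /* … unchanged: buffer creation and populate … */
    status = oxs_sig_sign_hmac_sha1(env, sign_ctx, input_buf, output_buf);
    if(AXIS2_FAILURE == status){
        /* release input_buf and output_buf here before returning */
        return AXIS2_FAILURE;
    }
    signed_val = (axis2_char_t*)oxs_buffer_get_data(output_buf, env);
    /* axutil_strcmp() returns 0 on equality; anything else is a mismatch */
    if(0 == axutil_strcmp(signature, signed_val)){
        status = AXIS2_SUCCESS;
    }else{
        oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIG_VERIFICATION_FAILED, "Signature verification failed using HMAC-SHA1");
        status = AXIS2_FAILURE;
    }
    /* release input_buf and output_buf here */
    return status;
}

/* … unchanged: oxs_sig_verify signature and sign_algo lookup … */
    if ((axutil_strcmp(sign_algo, OXS_HREF_RSA_SHA1)) == 0)
    {
        return oxs_sig_verify_rsa_sha1(env, sign_ctx, content, signature);
    }
    else if ((axutil_strcmp(sign_algo, OXS_HREF_HMAC_SHA1)) == 0)
    {
        return oxs_sig_verify_hmac_sha1(env, sign_ctx, content, signature);
    }
    /* … unchanged: unsupported-algorithm error and return AXIS2_FAILURE … */
```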

Modified: webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c?rev=592632&r1=592631&r2=592632&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c 
(original)
+++ webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c Tue Nov 
 6 22:48:15 2007
@@ -48,7 +48,7 @@
 static axiom_node_t*
 rampart_shp_process_key_info_for_ref(const axutil_env_t *env,
                             axiom_node_t *key_info_node,
-                            axiom_node_t *envelope_node)
+                            axiom_node_t *root_node)
 {
     axiom_node_t *str_node = NULL;
     axiom_node_t *ref_node = NULL;
@@ -71,7 +71,7 @@
             id = axutil_string_substring_starting_at(ref_val, 1);
 
             /*Search for an element with the val(@Id)[EMAIL PROTECTED]/
-            refed_node =  oxs_axiom_get_node_by_id(env, envelope_node, 
OXS_ATTR_ID, id, NULL);
+            refed_node =  oxs_axiom_get_node_by_id(env, root_node, 
OXS_ATTR_ID, id, OXS_WSU_XMLNS);
             if(!refed_node){
                 AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart][shp] Node 
cannot be found with the Id=%s.", id);
                 return NULL;
@@ -820,7 +820,67 @@
     axiom_node_t *sig_node)
 {
     axis2_status_t status = AXIS2_FAILURE;
+    oxs_sign_ctx_t *sign_ctx = NULL;
+    axiom_node_t *envelope_node = NULL;
+    axiom_node_t *key_info_node = NULL;
+    oxs_key_t *key_to_verify = NULL;
+    oxs_key_t *session_key = NULL;
 
+    /*Get the session key*/
+    session_key = rampart_context_get_session_key(rampart_context, env);
+    
+    /*Get the envelope node*/
+    envelope_node = axiom_soap_envelope_get_base_node(soap_envelope, env);
+   
+    /*Get the KeyInfo node*/
+    key_info_node = oxs_axiom_get_first_child_node_by_name(env, sig_node,
+                            OXS_NODE_KEY_INFO, OXS_DSIG_NS, NULL);
+    if(key_info_node){
+        axiom_node_t *reffed_node = NULL;
+        axis2_char_t *reffed_node_name = NULL;
+        
+        /*This can be a derrived key or an EncryptedKey. Whatever it is, it 
should be within the Security header*/
+        reffed_node = rampart_shp_process_key_info_for_ref(env, key_info_node, 
sec_node);
+        if(!reffed_node){
+                /*Error*/
+                AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] 
Reffered node cannot be found");
+                return AXIS2_FAILURE;
+        }
+        reffed_node_name = axiom_util_get_localname(reffed_node, env);
+        if(0 == axutil_strcmp(reffed_node_name, OXS_NODE_DERIVED_KEY_TOKEN)){  
    
+            /*Signed by a DerivedKey*/
+            key_to_verify = oxs_derivation_extract_derived_key_from_token(env, 
reffed_node, envelope_node, session_key);
+            if(!key_to_verify){
+                AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] 
Derived key cannot be taken for the signature verification");
+                return AXIS2_FAILURE;
+            }
+        }else if(0 == axutil_strcmp(reffed_node_name, OXS_NODE_ENCRYPTED_KEY)){
+            /*TODO: Now we need to decrypt the EncryptedKey and get the 
session key.
+             *      But for the most common scenario we will assume that this 
is the session key. 
+             *      Q: Would the session key is guranteed to be set in the 
ramart_context?*/
+             key_to_verify = session_key; 
+        }
+    }else{
+        key_to_verify = session_key;
+    }
+    /*Create sign context*/
+    sign_ctx = oxs_sign_ctx_create(env);
+    oxs_sign_ctx_set_operation(sign_ctx, env, OXS_SIGN_OPERATION_VERIFY);
+    oxs_sign_ctx_set_secret(sign_ctx, env, key_to_verify);
+    status = oxs_xml_sig_verify(env, sign_ctx, sig_node, envelope_node);
+    if(status != AXIS2_SUCCESS)
+    {
+        if(!axis2_msg_ctx_get_fault_soap_envelope(msg_ctx, env))
+        {
+            rampart_create_fault_envelope( env, RAMPART_FAULT_INVALID_SECURITY,
+                "Signature Verification failed.", RAMPART_FAULT_IN_SIGNATURE, 
msg_ctx);
+        }
+
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[Rampart][shp]Signature 
Verification failed.");
+
+        return AXIS2_FAILURE;
+    }
+ 
     return status;
 }
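Review bot: When the KeyInfo reference resolves to an element that is neither a DerivedKeyToken nor an EncryptedKey, or when rampart_context_get_session_key() returns NULL on the EncryptedKey and no-KeyInfo paths, key_to_verify is still NULL and is handed to oxs_sign_ctx_set_secret, so verification is attempted with no key and the caller only sees a generic failure. Reject that case explicitly before sign_ctx is built, using the same fault envelope the failure branch already raises. The EncryptedKey branch, as its own TODO admits, substitutes the context's session key without confirming that the referenced EncryptedKey is the one that carried it, so the reference is effectively unchecked; a comment marking this as a known gap would help until decryption is implemented. sign_ctx is created but not released on either return path. The function's parameter list starts before this hunk.
```c
    /* … unchanged: KeyInfo resolution into key_to_verify … */
    if(!key_to_verify){
        if(!axis2_msg_ctx_get_fault_soap_envelope(msg_ctx, env))
        {
            rampart_create_fault_envelope( env, RAMPART_FAULT_INVALID_SECURITY,
                "Signature Verification failed.", RAMPART_FAULT_IN_SIGNATURE, msg_ctx);
        }
        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] No key available to verify the signature");
        return AXIS2_FAILURE;
    }
    /* … unchanged: sign_ctx creation and oxs_xml_sig_verify … */
```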
 
@@ -879,7 +939,6 @@
     }
 
     cur_node = axiom_node_get_first_element(sign_info_node, env);
-#if 0
     while(cur_node)
     {
         axis2_char_t *localname =  NULL;
@@ -948,7 +1007,6 @@
         }
         cur_node = axiom_node_get_next_sibling(cur_node, env);
     }/*Eof While*/
-#endif
     /*Get the key identifiers and build the certificate*/
     /*First we should verify with policy*/
 
@@ -971,7 +1029,6 @@
 
         return  AXIS2_FAILURE;
     }
-#if 0
     if(rampart_context_check_is_derived_keys(env, token))
     {
         rampart_create_fault_envelope(env, 
RAMPART_FAULT_UNSUPPORTED_SECURITY_TOKEN,
@@ -981,7 +1038,6 @@
 
         return AXIS2_FAILURE;
     }
-#endif    
     is_include_token = rampart_context_is_token_include(
                            rampart_context, token, token_type, server_side, 
AXIS2_TRUE, env);
 
@@ -1220,7 +1276,7 @@
     }else if ((rampart_context_get_binding_type(rampart_context,env)) == 
RP_PROPERTY_SYMMETRIC_BINDING){
         status = rampart_shp_process_sym_binding_signature(env, msg_ctx, 
rampart_context, soap_envelope, sec_node, sig_node);
     }else if((rampart_context_get_binding_type(rampart_context,env)) == 
RP_PROPERTY_TRANSPORT_BINDING){
-
+        /*Not supported*/
     }else{
         /*Not supported*/
     }
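Review bot: The transport-binding branch and the final else now both fall through with only a `/*Not supported*/` comment, so a message signed under an unsupported binding returns whatever `status` was initialised to (not visible in this hunk) with no log line or fault explaining why. Suggest `AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] Signature processing is not supported for this binding");` in both branches, and an explicit `status = AXIS2_FAILURE;` if the initial value is not already that. The enclosing function starts before this hunk.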

