/*
| * Copyright 2004,2005 The Apache Software Foundation. |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.apache.rampart.builder; |
| |
| import org.apache.axiom.om.OMElement; |
| import org.apache.axis2.context.MessageContext; |
| import org.apache.commons.logging.Log; |
| import org.apache.commons.logging.LogFactory; |
| import org.apache.rahas.EncryptedKeyToken; |
| import org.apache.rahas.RahasConstants; |
| import org.apache.rahas.TrustException; |
| import org.apache.rampart.RampartConstants; |
| import org.apache.rampart.RampartException; |
| import org.apache.rampart.RampartMessageData; |
| import org.apache.rampart.policy.RampartPolicyData; |
| import org.apache.rampart.util.RampartUtil; |
| import org.apache.ws.secpolicy.SPConstants; |
| import org.apache.ws.secpolicy.model.AlgorithmSuite; |
| import org.apache.ws.secpolicy.model.IssuedToken; |
| import org.apache.ws.secpolicy.model.SecureConversationToken; |
| import org.apache.ws.secpolicy.model.SupportingToken; |
| import org.apache.ws.secpolicy.model.Token; |
| import org.apache.ws.secpolicy.model.X509Token; |
| import org.apache.ws.security.WSConstants; |
| import org.apache.ws.security.WSEncryptionPart; |
| import org.apache.ws.security.WSSecurityEngineResult; |
| import org.apache.ws.security.WSSecurityException; |
| import org.apache.ws.security.conversation.ConversationConstants; |
| import org.apache.ws.security.conversation.ConversationException; |
| import org.apache.ws.security.handler.WSHandlerConstants; |
| import org.apache.ws.security.handler.WSHandlerResult; |
| import org.apache.ws.security.message.WSSecDKEncrypt; |
| import org.apache.ws.security.message.WSSecEncrypt; |
| import org.apache.ws.security.message.WSSecEncryptedKey; |
| import org.apache.ws.security.message.token.SecurityTokenReference; |
| import org.apache.ws.security.util.Base64; |
| import org.w3c.dom.Document; |
| import org.w3c.dom.Element; |
| |
| import java.security.MessageDigest; |
| import java.security.NoSuchAlgorithmException; |
| import java.util.*; |
| |
| |
| <span class="fc" id="L59">public class SymmetricBindingBuilder extends BindingBuilder {</span> |
| |
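    /** General diagnostics for this builder. Loggers never change after class init, so keep them final. */
    private static final Log log = LogFactory.getLog(SymmetricBindingBuilder.class);
    /** Timing log (RampartConstants.TIME_LOG); the timing code below only runs when tlog has debug enabled. */
    private static final Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);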
| |
/**
 * Builds the security header for the symmetric binding.
 *
 * Adds the timestamp when the policy asks for one, lets the initiator set up the
 * tokens it needs, and then applies the binding in the protection order the policy
 * states: {@code EncryptBeforeSigning} or (the default) sign-then-encrypt.
 *
 * @param rmd message data carrying the policy, the SOAP document and the token ids
 * @throws RampartException if any of the token setup, signing or encryption steps fails
 */
public void build(RampartMessageData rmd) throws RampartException {
    log.debug("SymmetricBindingBuilder build invoked");

    RampartPolicyData policy = rmd.getPolicyData();

    // The timestamp goes in first; the binding methods later add it to the signed parts.
    if (policy.isIncludeTimestamp()) {
        addTimestamp(rmd);
    }

    // Only the initiator has to set up the required tokens up front.
    if (rmd.isInitiator()) {
        initializeTokens(rmd);
    }

    boolean encryptFirst = SPConstants.ENCRYPT_BEFORE_SIGNING.equals(policy.getProtectionOrder());
    if (encryptFirst) {
        doEncryptBeforeSig(rmd);
    } else {
        doSignBeforeEncrypt(rmd);
    }

    log.debug("SymmetricBindingBuilder build invoked : DONE");
}
| |
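/**
 * Applies the symmetric binding with {@code EncryptBeforeSigning} protection order.
 *
 * The encrypted parts are encrypted first with the encryption token (derived key or
 * shared secret), the message (timestamp, signed parts, signed supporting tokens) is
 * then signed with the same token, and endorsing signatures are added. When signature
 * protection is on, or the initiator has encrypted supporting tokens, a second
 * encryption pass covers the signature and those tokens.
 *
 * Note that the absence of anything to encrypt is reported as a missing encryption
 * token as well: this protection order has no meaning without an encryption step.
 *
 * @param rmd message data carrying the policy, the SOAP document and the token ids
 * @throws RampartException {@code encryptionTokenMissing} if there is no encryption
 *         token or nothing to encrypt, {@code noSecurityToken} if the token id cannot
 *         be resolved, {@code errorInDKEncr} / {@code errorInEncryption} if WSS4J
 *         fails to encrypt (the WSS4J exception is kept as the cause)
 */
private void doEncryptBeforeSig(RampartMessageData rmd) throws RampartException {
    long t0 = 0, t1 = 0, t2 = 0;
    if (tlog.isDebugEnabled()) {
        t0 = System.currentTimeMillis();
    }

    RampartPolicyData rpd = rmd.getPolicyData();

    // Collected for parity with doSignBeforeEncrypt; nothing in this method reads them back.
    List<byte[]> signatureValues = new ArrayList<byte[]>();

    Token encryptionToken = rpd.getEncryptionToken();
    List<WSEncryptionPart> encrParts = RampartUtil.getEncryptedParts(rmd);
    List<WSEncryptionPart> sigParts = RampartUtil.getSignedParts(rmd);

    // The signature below reuses the encryption token, so both a token and at least
    // one part to encrypt are required to continue.
    if (encryptionToken == null || encrParts.isEmpty()) {
        throw new RampartException("encryptionTokenMissing");
    }

    // The encryption token can be an IssuedToken, a SecureConversationToken or an
    // X509Token (carried as an EncryptedKey); SAML tokens are not handled yet.
    String tokenId = resolveEncryptionTokenId(rmd, encryptionToken);
    if (tokenId == null || tokenId.length() == 0) {
        throw new RampartException("noSecurityToken");
    }

    // Hack to handle reference id issues: a reference of the form "#id" must be
    // looked up by the bare id. TODO Need a better fix at the source of the reference.
    if (tokenId.startsWith("#")) {
        tokenId = tokenId.substring(1);
    }

    // Get hold of the token from the token storage
    org.apache.rahas.Token tok = this.getToken(rmd, tokenId);

    // Attach the token into the message based on the token inclusion values
    boolean attached = false;
    Element encrTokenElement = null;
    if (mustIncludeToken(rmd, encryptionToken)) {
        encrTokenElement = RampartUtil.appendChildToSecHeader(rmd, tok.getToken());
        attached = true;
    } else if (encryptionToken instanceof X509Token && rmd.isInitiator()) {
        // The initiator's EncryptedKey always travels with the message, but is not
        // counted as "attached" for the derived-key reference selection below.
        encrTokenElement = RampartUtil.appendChildToSecHeader(rmd, tok.getToken());
    }

    Document doc = rmd.getDocument();
    AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();

    Element refList = null;
    WSSecDKEncrypt dkEncr = null;
    WSSecEncrypt encr = null;
    Element encrDKTokenElem = null;

    if (encryptionToken.isDerivedKeys()) {
        log.debug("Use drived keys");
        dkEncr = new WSSecDKEncrypt();

        // Reference the base token: by its attached reference when the token is in
        // the message, else by its unattached reference, else by its plain id.
        if (attached && tok.getAttachedReference() != null) {
            dkEncr.setExternalKey(tok.getSecret(),
                    (Element) doc.importNode((Element) tok.getAttachedReference(), true));
        } else if (tok.getUnattachedReference() != null) {
            dkEncr.setExternalKey(tok.getSecret(),
                    (Element) doc.importNode((Element) tok.getUnattachedReference(), true));
        } else {
            dkEncr.setExternalKey(tok.getSecret(), tok.getId());
        }

        try {
            dkEncr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
            // The suite's derived key length is divided by 8 here (bits to bytes, presumably).
            dkEncr.setDerivedKeyLength(algorithmSuite.getEncryptionDerivedKeyLength() / 8);
            dkEncr.prepare(doc);
            encrDKTokenElem = dkEncr.getdktElement();
            RampartUtil.appendChildToSecHeader(rmd, encrDKTokenElem);

            refList = dkEncr.encryptForExternalRef(null, encrParts);
        } catch (WSSecurityException e) {
            // Keep the cause: the WSS4J exception carries the actual failure reason.
            throw new RampartException("errorInDKEncr", e);
        } catch (ConversationException e) {
            throw new RampartException("errorInDKEncr", e);
        }
    } else {
        log.debug("NO derived keys, use the shared secret");
        encr = new WSSecEncrypt();

        encr.setWsConfig(rmd.getConfig());
        encr.setEncKeyId(tokenId);
        RampartUtil.setEncryptionUser(rmd, encr);
        encr.setEphemeralKey(tok.getSecret());
        encr.setDocument(doc);
        encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
        // SymmKey is already encrypted, no need to do it again
        encr.setEncryptSymmKey(false);
        if (!rmd.isInitiator() && tok instanceof EncryptedKeyToken) {
            // The recipient refers back to the initiator's EncryptedKey by its SHA-1.
            // TODO was encr.setUseKeyIdentifier(true); - verify
            encr.setEncKeyIdDirectId(true);
            encr.setCustomReferenceValue(((EncryptedKeyToken) tok).getSHA1());
            encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
        }

        try {
            encr.prepare(doc, RampartUtil.getEncryptionCrypto(rpd.getRampartConfig(),
                    rmd.getCustomClassLoader()));
            // Encrypt, get hold of the ref list and add it
            refList = encr.encryptForExternalRef(null, encrParts);
        } catch (WSSecurityException e) {
            throw new RampartException("errorInEncryption", e);
        }
    }

    this.mainRefListElement = RampartUtil.appendChildToSecHeader(rmd, refList);

    if (tlog.isDebugEnabled()) {
        t1 = System.currentTimeMillis();
    }

    // The signature is inserted after the encryption token, or after the timestamp
    // when the encryption token is not included in the message.
    if (encrTokenElement != null) {
        this.setInsertionLocation(encrTokenElement);
    } else if (timestampElement != null) {
        this.setInsertionLocation(timestampElement);
    }

    RampartUtil.handleEncryptedSignedHeaders(encrParts, sigParts, doc);

    HashMap sigSuppTokMap = null;
    HashMap endSuppTokMap = null;
    HashMap sgndEndSuppTokMap = null;
    HashMap sgndEncSuppTokMap = null;
    HashMap endEncSuppTokMap = null;
    HashMap sgndEndEncSuppTokMap = null;

    if (this.timestampElement != null) {
        sigParts.add(new WSEncryptionPart(
                RampartUtil.addWsuIdToElement((OMElement) this.timestampElement)));
    }

    if (rmd.isInitiator()) {
        // Now add the supporting tokens
        sigSuppTokMap = this.handleSupportingTokens(rmd, rpd.getSignedSupportingTokens());
        endSuppTokMap = this.handleSupportingTokens(rmd, rpd.getEndorsingSupportingTokens());
        sgndEndSuppTokMap = this.handleSupportingTokens(rmd, rpd.getSignedEndorsingSupportingTokens());
        sgndEncSuppTokMap = this.handleSupportingTokens(rmd, rpd.getSignedEncryptedSupportingTokens());
        endEncSuppTokMap = this.handleSupportingTokens(rmd, rpd.getEndorsingEncryptedSupportingTokens());
        sgndEndEncSuppTokMap = this.handleSupportingTokens(rmd, rpd.getSignedEndorsingEncryptedSupportingTokens());

        for (SupportingToken supportingTok : rpd.getSupportingTokensList()) {
            this.handleSupportingTokens(rmd, supportingTok);
        }
        this.handleSupportingTokens(rmd, rpd.getEncryptedSupportingTokens());

        // Setup signature parts: every "signed" flavour of supporting token is
        // covered by the main signature.
        sigParts = addSignatureParts(sigSuppTokMap, sigParts);
        sigParts = addSignatureParts(sgndEncSuppTokMap, sigParts);
        sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);
        sigParts = addSignatureParts(sgndEndEncSuppTokMap, sigParts);
    } else {
        addSignatureConfirmation(rmd, sigParts);
    }

    // Sign the message; in the EncryptBeforeSig case the encryption token/key is reused.
    if (sigParts.size() > 0) {
        signatureValues.add(this.doSymmSignature(rmd, encryptionToken, tok, sigParts));
        this.mainSigId = RampartUtil.addWsuIdToElement((OMElement) this.getInsertionLocation());
    }

    if (rmd.isInitiator()) {
        // Endorsing encrypted tokens endorse exactly like plain endorsing tokens
        endSuppTokMap.putAll(endEncSuppTokMap);
        signatureValues.addAll(this.doEndorsedSignatures(rmd, endSuppTokMap));

        // Same for the signed endorsing (encrypted) tokens
        sgndEndSuppTokMap.putAll(sgndEndEncSuppTokMap);
        signatureValues.addAll(this.doEndorsedSignatures(rmd, sgndEndSuppTokMap));
    }

    if (tlog.isDebugEnabled()) {
        t2 = System.currentTimeMillis();
        tlog.debug("Encryption took :" + (t1 - t0) + ", Signature took :" + (t2 - t1));
    }

    // Second encryption pass: signature protection and/or the initiator's encrypted
    // supporting tokens (UsernameToken etc.). Parenthesised to make the precedence explicit.
    if ((rpd.isSignatureProtection() && this.mainSigId != null)
            || (encryptedTokensIdList.size() > 0 && rmd.isInitiator())) {
        long t3 = 0, t4 = 0;
        if (tlog.isDebugEnabled()) {
            t3 = System.currentTimeMillis();
        }
        log.debug("Signature protection");

        List<WSEncryptionPart> secondEncrParts = new ArrayList<WSEncryptionPart>();
        // Now encrypt the signature using the above token
        if (rpd.isSignatureProtection()) {
            secondEncrParts.add(new WSEncryptionPart(this.mainSigId, "Element"));
        }
        if (rmd.isInitiator()) {
            for (String encryptedTokenId : encryptedTokensIdList) {
                secondEncrParts.add(new WSEncryptionPart(encryptedTokenId, "Element"));
            }
        }

        Element secondRefList;
        if (encryptionToken.isDerivedKeys()) {
            try {
                secondRefList = dkEncr.encryptForExternalRef(null, secondEncrParts);
                RampartUtil.insertSiblingAfter(rmd, encrDKTokenElem, secondRefList);
            } catch (WSSecurityException e) {
                throw new RampartException("errorInDKEncr", e);
            }
        } else {
            try {
                // Encrypt the second part list (signature + encrypted tokens). Passing
                // encrParts here would re-encrypt the already encrypted parts and leave
                // the signature and those tokens in the clear.
                secondRefList = encr.encryptForExternalRef(null, secondEncrParts);
                // NOTE(review): encrTokenElement can be null when the token is not
                // included in the message - confirm insertSiblingAfter handles that.
                RampartUtil.insertSiblingAfter(rmd, encrTokenElement, secondRefList);
            } catch (WSSecurityException e) {
                throw new RampartException("errorInEncryption", e);
            }
        }
        if (tlog.isDebugEnabled()) {
            t4 = System.currentTimeMillis();
            tlog.debug("Signature protection took :" + (t4 - t3));
        }
    }
}

/**
 * Resolves the id of the encryption token for this message from the token type:
 * issued and secure conversation tokens are taken from the message data, while an
 * X509 token is carried as an EncryptedKey (set up by the initiator, read from the
 * incoming message by the recipient).
 *
 * @param rmd message data holding the token ids
 * @param encryptionToken the policy's encryption token
 * @return the token id, possibly prefixed with '#', or {@code null} for an
 *         unsupported token type (SAML tokens are not handled yet)
 * @throws RampartException if the EncryptedKey cannot be set up or found
 */
private String resolveEncryptionTokenId(RampartMessageData rmd, Token encryptionToken)
        throws RampartException {
    if (encryptionToken instanceof IssuedToken) {
        String tokenId = rmd.getIssuedEncryptionTokenId();
        if (log.isDebugEnabled()) {
            log.debug("Issued EncryptionToken Id : " + tokenId);
        }
        return tokenId;
    }
    if (encryptionToken instanceof SecureConversationToken) {
        String tokenId = rmd.getSecConvTokenId();
        if (log.isDebugEnabled()) {
            log.debug("SCT Id : " + tokenId);
        }
        return tokenId;
    }
    if (encryptionToken instanceof X509Token) {
        return rmd.isInitiator() ? setupEncryptedKey(rmd, encryptionToken) : getEncryptedKey(rmd);
    }
    // TODO SAMLToken
    return null;
}

/**
 * Whether the token itself has to be placed in the security header according to
 * its policy inclusion value: always, once, or always-to-recipient when this side
 * is the initiator.
 *
 * @param rmd message data (used to tell initiator from recipient)
 * @param token the policy token whose inclusion value is checked
 * @return {@code true} if the token must be included in the message
 */
private static boolean mustIncludeToken(RampartMessageData rmd, Token token) {
    return SPConstants.INCLUDE_TOEKN_ALWAYS == token.getInclusion()
            || SPConstants.INCLUDE_TOKEN_ONCE == token.getInclusion()
            || (rmd.isInitiator()
                    && SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT == token.getInclusion());
}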
| |
| |
| private void doSignBeforeEncrypt(RampartMessageData rmd) throws RampartException { |
| |
| <span class="fc" id="L393"> long t0 = 0, t1 = 0, t2 = 0;</span> |
| |
| <span class="fc" id="L395"> RampartPolicyData rpd = rmd.getPolicyData();</span> |
| <span class="fc" id="L396"> Document doc = rmd.getDocument();</span> |
| |
| <span class="pc bpc" id="L398" title="1 of 2 branches missed."> if(tlog.isDebugEnabled()){</span> |
| <span class="nc" id="L399"> t0 = System.currentTimeMillis();</span> |
| } |
| <span class="fc" id="L401"> Token sigToken = rpd.getSignatureToken();</span> |
| |
| <span class="fc" id="L403"> String encrTokId = null;</span> |
| <span class="fc" id="L404"> String sigTokId = null;</span> |
| |
| <span class="fc" id="L406"> org.apache.rahas.Token encrTok = null;</span> |
| <span class="fc" id="L407"> org.apache.rahas.Token sigTok = null;</span> |
| |
| <span class="fc" id="L409"> Element sigTokElem = null;</span> |
| |
| <span class="fc" id="L411"> List<byte[]> signatureValues = new ArrayList<byte[]>();</span> |
| |
| <span class="pc bpc" id="L413" title="1 of 2 branches missed."> if(sigToken != null) {</span> |
| <span class="fc bfc" id="L414" title="All 2 branches covered."> if(sigToken instanceof SecureConversationToken) {</span> |
| <span class="fc" id="L415"> sigTokId = rmd.getSecConvTokenId();</span> |
| <span class="pc bpc" id="L416" title="1 of 2 branches missed."> } else if(sigToken instanceof IssuedToken) {</span> |
| <span class="nc" id="L417"> sigTokId = rmd.getIssuedSignatureTokenId();</span> |
| <span class="pc bpc" id="L418" title="1 of 2 branches missed."> } else if(sigToken instanceof X509Token) {</span> |
| <span class="fc bfc" id="L419" title="All 2 branches covered."> if (rmd.isInitiator()) {</span> |
| <span class="fc" id="L420"> sigTokId = setupEncryptedKey(rmd, sigToken);</span> |
| } else { |
| <span class="fc" id="L422"> sigTokId = getEncryptedKey(rmd);</span> |
| } |
| } |
| } else { |
| <span class="nc" id="L426"> throw new RampartException("signatureTokenMissing");</span> |
| } |
| |
| <span class="pc bpc" id="L429" title="2 of 4 branches missed."> if(sigTokId == null || sigTokId.length() == 0) {</span> |
| <span class="nc" id="L430"> throw new RampartException("noSecurityToken");</span> |
| } |
| |
| <span class="fc" id="L433"> sigTok = this.getToken(rmd, sigTokId);</span> |
| |
| <span class="pc bpc" id="L435" title="2 of 8 branches missed."> if(SPConstants.INCLUDE_TOEKN_ALWAYS == sigToken.getInclusion() ||</span> |
| SPConstants.INCLUDE_TOKEN_ONCE == sigToken.getInclusion() || |
| (rmd.isInitiator() && |
| SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT == sigToken.getInclusion())) { |
| <span class="fc" id="L439"> sigTokElem = RampartUtil.appendChildToSecHeader(rmd, </span> |
| sigTok.getToken()); |
| <span class="fc" id="L441"> this.setInsertionLocation(sigTokElem);</span> |
| <span class="pc bpc" id="L442" title="1 of 6 branches missed."> } else if ((rmd.isInitiator() && sigToken instanceof X509Token)</span> |
| || sigToken instanceof SecureConversationToken) { |
| <span class="fc" id="L444"> sigTokElem = RampartUtil.appendChildToSecHeader(rmd, sigTok.getToken());</span> |
| |
| //Set the insertion location |
| <span class="fc" id="L447"> this.setInsertionLocation(sigTokElem);</span> |
| } |
| |
| |
| <span class="fc" id="L451"> HashMap sigSuppTokMap = null;</span> |
| <span class="fc" id="L452"> HashMap endSuppTokMap = null;</span> |
| <span class="fc" id="L453"> HashMap sgndEndSuppTokMap = null;</span> |
| <span class="fc" id="L454"> HashMap sgndEncSuppTokMap = null;</span> |
| <span class="fc" id="L455"> HashMap endEncSuppTokMap = null;</span> |
| <span class="fc" id="L456"> HashMap sgndEndEncSuppTokMap = null;</span> |
| |
| <span class="fc" id="L458"> List<WSEncryptionPart> sigParts = RampartUtil.getSignedParts(rmd);</span> |
| |
| <span class="fc bfc" id="L460" title="All 2 branches covered."> if(this.timestampElement != null){</span> |
| <span class="fc" id="L461"> sigParts.add(new WSEncryptionPart(RampartUtil</span> |
| .addWsuIdToElement((OMElement) this.timestampElement))); |
| } |
| |
| <span class="fc bfc" id="L465" title="All 2 branches covered."> if(rmd.isInitiator()) {</span> |
| // Now add the supporting tokens |
| <span class="fc" id="L467"> SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();</span> |
| <span class="fc" id="L468"> sigSuppTokMap = this.handleSupportingTokens(rmd, sgndSuppTokens); </span> |
| |
| <span class="fc" id="L470"> SupportingToken endSuppTokens = rpd.getEndorsingSupportingTokens();</span> |
| <span class="fc" id="L471"> endSuppTokMap = this.handleSupportingTokens(rmd, endSuppTokens);</span> |
| |
| <span class="fc" id="L473"> SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens(); </span> |
| <span class="fc" id="L474"> sgndEndSuppTokMap = this.handleSupportingTokens(rmd, sgndEndSuppTokens);</span> |
| |
| <span class="fc" id="L476"> SupportingToken sgndEncryptedSuppTokens = rpd.getSignedEncryptedSupportingTokens();</span> |
| <span class="fc" id="L477"> sgndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEncryptedSuppTokens);</span> |
| |
| <span class="fc" id="L479"> SupportingToken endorsingEncryptedSuppTokens = rpd.getEndorsingEncryptedSupportingTokens();</span> |
| <span class="fc" id="L480"> endEncSuppTokMap = this.handleSupportingTokens(rmd, endorsingEncryptedSuppTokens);</span> |
| |
| <span class="fc" id="L482"> SupportingToken sgndEndEncSuppTokens = rpd.getSignedEndorsingEncryptedSupportingTokens(); </span> |
| <span class="fc" id="L483"> sgndEndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEndEncSuppTokens);</span> |
| |
| <span class="fc" id="L485"> List<SupportingToken> supportingToks = rpd.getSupportingTokensList();</span> |
| <span class="fc bfc" id="L486" title="All 2 branches covered."> for (SupportingToken supportingTok : supportingToks) {</span> |
| <span class="fc" id="L487"> this.handleSupportingTokens(rmd, supportingTok);</span> |
| <span class="fc" id="L488"> } </span> |
| |
| <span class="fc" id="L490"> SupportingToken encryptedSupportingToks = rpd.getEncryptedSupportingTokens();</span> |
| <span class="fc" id="L491"> this.handleSupportingTokens(rmd, encryptedSupportingToks);</span> |
| |
| //Setup signature parts |
| <span class="fc" id="L494"> sigParts = addSignatureParts(sigSuppTokMap, sigParts);</span> |
| <span class="fc" id="L495"> sigParts = addSignatureParts(sgndEncSuppTokMap, sigParts);</span> |
| <span class="fc" id="L496"> sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);</span> |
| <span class="fc" id="L497"> sigParts = addSignatureParts(sgndEndEncSuppTokMap, sigParts);</span> |
| |
| <span class="fc" id="L499"> } else {</span> |
| <span class="fc" id="L500"> addSignatureConfirmation(rmd, sigParts);</span> |
| } |
| |
| <span class="fc bfc" id="L503" title="All 2 branches covered."> if (sigParts.size() > 0 ) {</span> |
| //Sign the message |
| <span class="fc" id="L505"> signatureValues.add(this.doSymmSignature(rmd, sigToken, sigTok, sigParts));</span> |
| |
| <span class="fc" id="L507"> this.mainSigId = RampartUtil.addWsuIdToElement((OMElement)this.getInsertionLocation());</span> |
| |
| } |
| |
| <span class="fc bfc" id="L511" title="All 2 branches covered."> if(rmd.isInitiator()) {</span> |
| // Adding the endorsing encrypted supporting tokens to endorsing supporting tokens |
| <span class="fc" id="L513"> endSuppTokMap.putAll(endEncSuppTokMap);</span> |
| //Do endorsed signatures |
| <span class="fc" id="L515"> List<byte[]> endSigVals = this.doEndorsedSignatures(rmd, endSuppTokMap);</span> |
| |
| <span class="fc bfc" id="L517" title="All 2 branches covered."> for (byte[] endSigVal : endSigVals) {</span> |
| <span class="fc" id="L518"> signatureValues.add(endSigVal);</span> |
| <span class="fc" id="L519"> }</span> |
| |
| //Adding the signed endorsed encrypted tokens to signed endorsed supporting tokens |
| <span class="fc" id="L522"> sgndEndSuppTokMap.putAll(sgndEndEncSuppTokMap);</span> |
| //Do signed endorsing signatures |
| <span class="fc" id="L524"> List<byte[]> sigEndSigVals = this.doEndorsedSignatures(rmd, sgndEndSuppTokMap);</span> |
| <span class="fc bfc" id="L525" title="All 2 branches covered."> for (byte[] sigEndSigVal : sigEndSigVals) {</span> |
| <span class="fc" id="L526"> signatureValues.add(sigEndSigVal);</span> |
| <span class="fc" id="L527"> }</span> |
| } |
| |
| <span class="pc bpc" id="L530" title="1 of 2 branches missed."> if(tlog.isDebugEnabled()){</span> |
| <span class="nc" id="L531"> t1 = System.currentTimeMillis();</span> |
| } |
| |
| //Encryption |
| <span class="fc" id="L535"> Token encrToken = rpd.getEncryptionToken();</span> |
| <span class="fc" id="L536"> Element encrTokElem = null;</span> |
| <span class="pc bpc" id="L537" title="1 of 2 branches missed."> if(sigToken.equals(encrToken)) {</span> |
| //Use the same token |
| <span class="fc" id="L539"> encrTokId = sigTokId;</span> |
| <span class="fc" id="L540"> encrTok = sigTok;</span> |
| <span class="fc" id="L541"> encrTokElem = sigTokElem;</span> |
| } else { |
| <span class="nc" id="L543"> encrTokId = rmd.getIssuedEncryptionTokenId();</span> |
| <span class="nc" id="L544"> encrTok = this.getToken(rmd, encrTokId);</span> |
| |
| <span class="nc bnc" id="L546" title="All 8 branches missed."> if(SPConstants.INCLUDE_TOEKN_ALWAYS == encrToken.getInclusion() ||</span> |
| SPConstants.INCLUDE_TOKEN_ONCE == encrToken.getInclusion() || |
| (rmd.isInitiator() && SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT == encrToken.getInclusion())) { |
| <span class="nc" id="L549"> encrTokElem = (Element)encrTok.getToken();</span> |
| |
| //Add the encrToken element before the sigToken element |
| <span class="nc" id="L552"> RampartUtil.insertSiblingBefore(rmd, sigTokElem, encrTokElem);</span> |
| } |
| |
| } |
| |
| <span class="fc" id="L557"> List<WSEncryptionPart> encrParts = RampartUtil.getEncryptedParts(rmd);</span> |
| |
| //Check for signature protection |
| <span class="pc bpc" id="L560" title="1 of 4 branches missed."> if(rpd.isSignatureProtection() && this.mainSigId != null) {</span> |
| //Now encrypt the signature using the above token |
| <span class="fc" id="L562"> encrParts.add(new WSEncryptionPart(this.mainSigId, "Element"));</span> |
| } |
| |
| <span class="fc bfc" id="L565" title="All 2 branches covered."> if(rmd.isInitiator()) {</span> |
| <span class="fc bfc" id="L566" title="All 2 branches covered."> for (String anEncryptedTokensIdList : encryptedTokensIdList) {</span> |
| <span class="fc" id="L567"> encrParts.add(new WSEncryptionPart(anEncryptedTokensIdList, "Element"));</span> |
| <span class="fc" id="L568"> }</span> |
| } |
| |
| <span class="fc" id="L571"> Element refList = null;</span> |
| <span class="fc bfc" id="L572" title="All 2 branches covered."> if(encrParts.size() > 0) {</span> |
| //The sec conv token can be used without derived keys |
| <span class="fc bfc" id="L574" title="All 2 branches covered."> if(encrToken.isDerivedKeys()) {</span> |
| |
| try { |
| <span class="fc" id="L577"> WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();</span> |
| |
| //Check whether it is security policy 1.2 and use the secure conversation accordingly |
| <span class="fc bfc" id="L580" title="All 2 branches covered."> if (SPConstants.SP_V12 == encrToken.getVersion()) {</span> |
| <span class="fc" id="L581"> dkEncr.setWscVersion(ConversationConstants.VERSION_05_12);</span> |
| } |
| |
| <span class="fc bfc" id="L584" title="All 4 branches covered."> if(encrTokElem != null && encrTok.getAttachedReference() != null) {</span> |
| |
| <span class="fc" id="L586"> dkEncr.setExternalKey(encrTok.getSecret(), (Element) doc</span> |
| .importNode((Element) encrTok.getAttachedReference(), |
| true)); |
| <span class="pc bpc" id="L589" title="1 of 2 branches missed."> } else if(encrTok.getUnattachedReference() != null) {</span> |
| <span class="nc" id="L590"> dkEncr.setExternalKey(encrTok.getSecret(), (Element) doc</span> |
| .importNode((Element) encrTok.getUnattachedReference(), |
| true)); |
| <span class="pc bpc" id="L593" title="1 of 4 branches missed."> } else if (!rmd.isInitiator() && encrToken.isDerivedKeys()) { </span> |
| |
| // If the Encrypted key used to create the derived key is not |
| // attached use key identifier as defined in WSS1.1 section |
| // 7.7 Encrypted Key reference |
| <span class="fc" id="L598"> SecurityTokenReference tokenRef = new SecurityTokenReference(doc);</span> |
| <span class="pc bpc" id="L599" title="1 of 2 branches missed."> if(encrTok instanceof EncryptedKeyToken) {</span> |
| <span class="fc" id="L600"> tokenRef.setKeyIdentifierEncKeySHA1(((EncryptedKeyToken)encrTok).getSHA1());</span> |
| } |
| <span class="fc" id="L602"> dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement());</span> |
| <span class="fc" id="L603"> tokenRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE); // TODO check this</span> |
| |
| <span class="fc" id="L605"> } else {</span> |
| <span class="fc" id="L606"> dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId());</span> |
| } |
| |
| <span class="fc bfc" id="L609" title="All 2 branches covered."> if(encrTok instanceof EncryptedKeyToken) {</span> |
| <span class="fc" id="L610"> dkEncr.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"</span> |
| + WSConstants.ENC_KEY_VALUE_TYPE); |
| } |
| |
| <span class="fc" id="L614"> dkEncr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());</span> |
| <span class="fc" id="L615"> dkEncr.setDerivedKeyLength(rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()/8);</span> |
| <span class="fc" id="L616"> dkEncr.prepare(doc);</span> |
| <span class="fc" id="L617"> Element encrDKTokenElem = null;</span> |
| <span class="fc" id="L618"> encrDKTokenElem = dkEncr.getdktElement();</span> |
| <span class="fc bfc" id="L619" title="All 2 branches covered."> if(encrTokElem != null) {</span> |
| <span class="fc" id="L620"> RampartUtil.insertSiblingAfter(rmd, encrTokElem, encrDKTokenElem);</span> |
| <span class="pc bpc" id="L621" title="1 of 2 branches missed."> } else if (timestampElement != null){</span> |
| <span class="fc" id="L622"> RampartUtil.insertSiblingAfter(rmd, this.timestampElement, encrDKTokenElem);</span> |
| } else { |
| <span class="nc" id="L624"> RampartUtil.insertSiblingBefore(rmd, this.getInsertionLocation(), encrDKTokenElem);</span> |
| } |
| |
| <span class="fc" id="L627"> refList = dkEncr.encryptForExternalRef(null, encrParts);</span> |
| |
| <span class="fc" id="L629"> RampartUtil.insertSiblingAfter(rmd, </span> |
| encrDKTokenElem, |
| refList); |
| |
| <span class="nc" id="L633"> } catch (WSSecurityException e) {</span> |
| <span class="nc" id="L634"> throw new RampartException("errorInDKEncr");</span> |
| <span class="nc" id="L635"> } catch (ConversationException e) {</span> |
| <span class="nc" id="L636"> throw new RampartException("errorInDKEncr");</span> |
| <span class="fc" id="L637"> } </span> |
| } else { |
| try { |
| |
| <span class="fc" id="L641"> WSSecEncrypt encr = new WSSecEncrypt();</span> |
| |
| <span class="fc" id="L643"> encr.setWsConfig(rmd.getConfig());</span> |
| //Hack to handle reference id issues |
| //TODO Need a better fix |
| <span class="pc bpc" id="L646" title="1 of 2 branches missed."> if(encrTokId.startsWith("#")) {</span> |
| <span class="nc" id="L647"> encrTokId = encrTokId.substring(1);</span> |
| } |
| <span class="fc" id="L649"> encr.setEncKeyId(encrTokId);</span> |
| |
| <span class="fc" id="L651"> encr.setEphemeralKey(encrTok.getSecret());</span> |
| <span class="fc" id="L652"> RampartUtil.setEncryptionUser(rmd, encr);</span> |
| <span class="fc" id="L653"> encr.setDocument(doc);</span> |
| <span class="fc" id="L654"> encr.setEncryptSymmKey(false);</span> |
| <span class="fc" id="L655"> encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());</span> |
| // Use key identifier in the KeyInfo in server side |
| <span class="fc bfc" id="L657" title="All 2 branches covered."> if (!rmd.isInitiator()) {</span> |
| <span class="pc bpc" id="L658" title="1 of 2 branches missed."> if(encrTok instanceof EncryptedKeyToken) {</span> |
| // TODO was encr.setUseKeyIdentifier(true); verify |
| <span class="fc" id="L660"> encr.setEncKeyIdDirectId(true);</span> |
| <span class="fc" id="L661"> encr.setCustomReferenceValue(((EncryptedKeyToken)encrTok).getSHA1());</span> |
| <span class="fc" id="L662"> encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);</span> |
| } |
| } |
| <span class="fc" id="L665"> encr.prepare(doc, RampartUtil.getEncryptionCrypto(rpd</span> |
| .getRampartConfig(), rmd.getCustomClassLoader())); |
| |
| //Encrypt, get hold of the ref list and add it |
| <span class="fc" id="L669"> refList = encr.encryptForExternalRef(null, encrParts); </span> |
| |
| <span class="fc bfc" id="L671" title="All 2 branches covered."> if(encrTokElem != null) {</span> |
| <span class="fc" id="L672"> RampartUtil.insertSiblingAfter(rmd,</span> |
| encrTokElem, |
| refList); |
| } else { |
| <span class="fc" id="L676"> RampartUtil.insertSiblingBeforeOrPrepend(rmd,</span> |
| this.getInsertionLocation(), |
| refList); |
| } |
| |
| <span class="nc" id="L681"> } catch (WSSecurityException e) {</span> |
| <span class="nc" id="L682"> throw new RampartException("errorInEncryption", e);</span> |
| <span class="fc" id="L683"> } </span> |
| } |
| } |
| |
| <span class="pc bpc" id="L687" title="1 of 2 branches missed."> if(tlog.isDebugEnabled()){</span> |
| <span class="nc" id="L688"> t2 = System.currentTimeMillis();</span> |
| <span class="nc" id="L689"> tlog.debug("Signature took :" + (t1 - t0)</span> |
| +", Encryption took :" + (t2 - t1) ); |
| } |
| |
| |
| <span class="fc" id="L694"> }</span> |
| |
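/**
 * Builds a fresh EncryptedKey for the given policy token, caches the
 * resulting secret in the token store and returns the EncryptedKey's wsu:Id
 * so the signature and encryption steps can refer to it.
 *
 * The store entry is a rahas {@link org.apache.rahas.EncryptedKeyToken}
 * carrying the ephemeral secret plus the EncryptedKeySHA1 value (digest of
 * the encrypted ephemeral key bytes, WSS 1.1 section 7.7) that is used when
 * the key is later referenced by key identifier instead of by Id.
 *
 * @param rmd      message data providing the token storage and security header
 * @param sigToken the policy token the EncryptedKey is built for
 * @return the wsu:Id of the generated EncryptedKey element
 * @throws RampartException if the token cannot be added to the store, or if
 *         the SHA-1 digest cannot be computed
 */
private String setupEncryptedKey(RampartMessageData rmd, Token sigToken)
        throws RampartException {
    try {
        WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(rmd, sigToken);
        String id = encrKey.getId();
        byte[] secret = encrKey.getEphemeralKey();

        // Lifetime of the cached secret. TODO make this configurable; both
        // timestamps derive from a single clock read so the window is exactly
        // five minutes rather than "five minutes plus whatever elapsed between
        // two calls to new Date()".
        long now = System.currentTimeMillis();
        Date created = new Date(now);
        Date expires = new Date(now + 300000L);

        // Create a rahas token from this info and store it so it can be used
        // in the next steps.
        org.apache.rahas.EncryptedKeyToken tempTok = new org.apache.rahas.EncryptedKeyToken(
                id,
                (OMElement) encrKey.getEncryptedKeyElement(),
                created,
                expires);
        tempTok.setSecret(secret);

        // The SHA1 value is computed over the *encrypted* ephemeral key (the
        // ciphertext that goes on the wire), not over the secret itself; it is
        // the value used when the key is referenced via a key identifier of
        // type EncryptedKeySHA1.
        tempTok.setSHA1(getSHA1(encrKey.getEncryptedEphemeralKey()));

        rmd.getTokenStorage().add(tempTok);

        // If a direct reference (BinarySecurityToken) is used to refer to the
        // certificate, the BST has to be present in the security header too.
        String bstTokenId = encrKey.getBSTTokenId();
        if (bstTokenId != null && bstTokenId.length() > 0) {
            RampartUtil.appendChildToSecHeader(rmd, encrKey.getBinarySecurityTokenElement());
        }

        return id;

    } catch (TrustException e) {
        // Keep the cause: the store's own message is the only clue as to why
        // the entry was rejected (the original discarded it).
        throw new RampartException("errorInAddingTokenIntoStore", e);
    }
}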
| |
/**
 * Computes the EncryptedKeySHA1 identifier value for an encrypted key: the
 * SHA-1 digest of the given bytes, Base64 encoded.
 *
 * SHA-1 is dictated by the WS-Security 1.1 EncryptedKeySHA1 key identifier
 * that the callers in this class produce and consume (setSHA1 /
 * setKeyIdentifierEncKeySHA1); it is an interoperability requirement, not a
 * choice of hash strength, so it must not be swapped for another digest.
 *
 * @param input the bytes to digest (the encrypted ephemeral key)
 * @return Base64 text of the 20-byte digest
 * @throws RampartException if no SHA-1 MessageDigest provider is available
 */
private String getSHA1(byte[] input) throws RampartException {
    final MessageDigest digest;
    try {
        digest = MessageDigest.getInstance("SHA-1");
    } catch (NoSuchAlgorithmException e1) {
        throw new RampartException("noSHA1availabe", e1);
    }
    // A freshly obtained MessageDigest carries no state, so no reset() is
    // needed; digest(byte[]) performs the update and the final digest in one go.
    byte[] hash = digest.digest(input);
    return Base64.encode(hash);
}
| |
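/**
 * On the recipient side, finds the EncryptedKey the initiator sent and caches
 * its decrypted secret so the response can be protected under the same key
 * (the encryption step references it by EncryptedKeySHA1 when not initiator).
 *
 * Walks the inbound WSS4J handler results (RECV_RESULTS) and uses the first
 * ENCR result that carries a non-empty Id: its secret and the digest of its
 * encrypted ephemeral key are stored as an EncryptedKeyToken with a five
 * minute lifetime, and its Id is returned.
 *
 * @param rmd message data giving access to the inbound results and token store
 * @return the wsu:Id of the EncryptedKey found, or null when no inbound
 *         results exist or none of them is a referenceable EncryptedKey
 * @throws RampartException if the token cannot be added to the store, or if
 *         the SHA-1 digest cannot be computed
 */
private String getEncryptedKey(RampartMessageData rmd) throws RampartException {

    // RECV_RESULTS is set by the inbound security handler; when it is absent
    // there is simply no key to reuse (the original dereferenced it and would
    // have failed with a NullPointerException).
    @SuppressWarnings("unchecked")
    List<WSHandlerResult> results =
            (List<WSHandlerResult>) rmd.getMsgContext().getProperty(WSHandlerConstants.RECV_RESULTS);
    if (results == null) {
        return null;
    }

    for (WSHandlerResult result : results) {
        for (WSSecurityEngineResult engineResult : result.getResults()) {

            Integer action = (Integer) engineResult.get(WSSecurityEngineResult.TAG_ACTION);
            if (action == null || action.intValue() != WSConstants.ENCR) {
                continue;
            }

            // An ENCR result without an Id cannot be referenced later; skip it.
            String encryptedKeyId = (String) engineResult.get(WSSecurityEngineResult.TAG_ID);
            if (encryptedKeyId == null || encryptedKeyId.length() == 0) {
                continue;
            }

            try {
                // TODO lifetime is hard-coded to five minutes, as in setupEncryptedKey
                long now = System.currentTimeMillis();
                EncryptedKeyToken tempTok =
                        new EncryptedKeyToken(encryptedKeyId, new Date(now), new Date(now + 300000L));
                tempTok.setSecret((byte[]) engineResult.get(WSSecurityEngineResult.TAG_SECRET));
                // EncryptedKeySHA1 is computed over the encrypted ephemeral key
                // bytes, never over the secret itself.
                tempTok.setSHA1(getSHA1((byte[]) engineResult.get(
                        WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY)));
                rmd.getTokenStorage().add(tempTok);

                return encryptedKeyId;

            } catch (TrustException e) {
                // Preserve the cause instead of discarding it.
                throw new RampartException("errorInAddingTokenIntoStore", e);
            }
        }
    }
    return null;
}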
| |
| |
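/**
 * Sets up the tokens a symmetric binding needs before the initiator secures a
 * message: the signature token (an IssuedToken obtained from an STS, or a
 * SecureConversationToken established via RST/RSTR) and, where the policy
 * uses a separate issued EncryptionToken, that token as well. The ids of the
 * obtained tokens are recorded on {@code rmd}. Nothing is done on the server
 * side or for non-symmetric bindings.
 *
 * @param rmd message data carrying the policy, message context and token store
 * @throws RampartException if a token cannot be obtained or read from the store
 */
private void initializeTokens(RampartMessageData rmd) throws RampartException {

    RampartPolicyData rpd = rmd.getPolicyData();
    MessageContext msgContext = rmd.getMsgContext();

    // Tokens are only fetched up front by the initiator of a symmetric binding.
    if (!rpd.isSymmetricBinding() || msgContext.isServerSide()) {
        return;
    }

    if (log.isDebugEnabled()) {
        log.debug("Processing symmetric binding: " +
                "Setting up encryption token and signature token");
    }

    Token sigTok = rpd.getSignatureToken();
    Token encrTok = rpd.getEncryptionToken();

    if (sigTok instanceof IssuedToken) {
        initIssuedSignatureToken(rmd, (IssuedToken) sigTok);
    } else if (sigTok instanceof SecureConversationToken) {
        initSecConvSignatureToken(rmd, msgContext, (SecureConversationToken) sigTok);
    }

    initEncryptionToken(rmd, sigTok, encrTok);

    //TODO : Support processing IssuedToken and SecConvToken assertoins
    //in supporting tokens, right now we only support UsernameTokens and
    //X.509 Tokens
}

/**
 * Requests an issued signature token from the STS unless one is already
 * recorded on {@code rmd}.
 */
private void initIssuedSignatureToken(RampartMessageData rmd, IssuedToken issuedToken)
        throws RampartException {
    log.debug("SignatureToken is an IssuedToken");
    if (rmd.getIssuedSignatureTokenId() != null) {
        return;
    }
    log.debug("No Issuedtoken found, requesting a new token");
    String id = RampartUtil.getIssuedToken(rmd, issuedToken);
    rmd.setIssuedSignatureTokenId(id);
}

/**
 * Makes sure a usable SecureConversationToken is available for signing. A
 * cancel RST/RSTR has to be secured with the token being cancelled, so in
 * that case the token is marked CANCELLED (and dropped from the per-context
 * map) rather than replaced; otherwise a missing or invalid token triggers a
 * new RST.
 */
private void initSecConvSignatureToken(RampartMessageData rmd, MessageContext msgContext,
        SecureConversationToken secConvTok) throws RampartException {

    log.debug("SignatureToken is a SecureConversationToken");

    //TODO check for an existing token and use it
    String secConvTokenId = rmd.getSecConvTokenId();

    // NOTE(review): only the WS-Trust 2005/02 cancel actions are matched. The
    // original expression listed each of these two actions twice, so a cancel
    // exchange under any other WS-Trust namespace was never recognised here;
    // left as-is pending confirmation of which namespaces should be accepted.
    // A null action simply is not a cancel (the original would have thrown NPE).
    String action = msgContext.getOptions().getAction();
    boolean cancelReqResp = action != null
            && (action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RSTR_ACTION_CANCEL_SCT)
                || action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_CANCEL_SCT));

    // In the case of the cancel req or resp we should mark the token as cancelled.
    if (secConvTokenId != null && cancelReqResp) {
        try {
            rmd.getTokenStorage().getToken(secConvTokenId).setState(org.apache.rahas.Token.CANCELLED);
            msgContext.setProperty(RampartMessageData.SCT_ID, secConvTokenId);

            // remove from the local map of contexts
            String contextIdentifierKey = RampartUtil.getContextIdentifierKey(msgContext);
            RampartUtil.getContextMap(msgContext).remove(contextIdentifierKey);
        } catch (TrustException e) {
            throw new RampartException("errorExtractingToken", e);
        }
    }

    // Never renew the token for the cancel exchange itself, even though it is
    // no longer valid at this point.
    boolean needNewToken = secConvTokenId == null
            || (!RampartUtil.isTokenValid(rmd, secConvTokenId) && !cancelReqResp);
    if (needNewToken) {
        log.debug("No SecureConversationToken found, requesting a new token");
        try {
            String id = RampartUtil.getSecConvToken(rmd, secConvTok);
            rmd.setSecConvTokenId(id);
        } catch (TrustException e) {
            throw new RampartException("errorInObtainingSct", e);
        }
    }
}

/**
 * Records the encryption token. When the policy's ProtectionToken is one
 * IssuedToken used for both signing and encryption, the signature token's id
 * is shared; otherwise a separate issued EncryptionToken is requested from
 * the STS if none is set yet. X.509 and SecureConversation encryption tokens
 * need no request here (ASSUMPTION carried over from the original: an SCT is
 * only used as a ProtectionToken).
 */
private void initEncryptionToken(RampartMessageData rmd, Token sigTok, Token encrTok)
        throws RampartException {

    if (sigTok.equals(encrTok) && sigTok instanceof IssuedToken) {
        log.debug("Symmetric binding uses a ProtectionToken, both" +
                " SignatureToken and EncryptionToken are the same");
        // NOTE(review): the original assigned the encryption token id to
        // itself, a no-op; the signature token's id is the one to share.
        rmd.setIssuedEncryptionTokenId(rmd.getIssuedSignatureTokenId());
        return;
    }

    log.debug("Obtaining the Encryption Token");

    // NOTE(review): the original tested "!= null" here while logging that the
    // token was *not* already set, the inverse of the signature-token check
    // above; a token is now requested only when none is recorded. The
    // instanceof guard replaces an unchecked cast that would have failed for
    // non-issued encryption tokens reaching this branch.
    if (rmd.getIssuedEncryptionTokenId() == null && encrTok instanceof IssuedToken) {
        log.debug("EncrytionToken not alredy set");
        String id = RampartUtil.getIssuedToken(rmd, (IssuedToken) encrTok);
        rmd.setIssuedEncryptionTokenId(id);
    }
}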
| |
| |
| |
| } |