| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| */ |
| |
| package org.apache.wss4j.dom; |
| |
| import javax.xml.namespace.QName; |
| |
| import org.apache.wss4j.common.WSS4JConstants; |
| import org.apache.wss4j.common.derivedKey.ConversationConstants; |
| |
| /** |
| * Constants in WS-Security spec. |
| */ |
| public final class WSConstants extends WSS4JConstants { |
| |
| // |
| // QNames for the security header elements |
| // |
| |
| /** |
| * <code>wsse:BinarySecurityToken</code> as defined by WS Security specification |
| */ |
| public static final QName BINARY_TOKEN = |
| new QName(WSConstants.WSSE_NS, WSConstants.BINARY_TOKEN_LN); |
| /** |
| * <code>wsse:UsernameToken</code> as defined by WS Security specification |
| */ |
| public static final QName USERNAME_TOKEN = |
| new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN); |
| /** |
| * <code>wsu:Timestamp</code> as defined by OASIS WS Security specification, |
| */ |
| public static final QName TIMESTAMP = |
| new QName(WSConstants.WSU_NS, WSConstants.TIMESTAMP_TOKEN_LN); |
| /** |
| * <code>wsse11:signatureConfirmation</code> as defined by OASIS WS Security specification, |
| */ |
| public static final QName SIGNATURE_CONFIRMATION = |
| new QName(WSConstants.WSSE11_NS, WSConstants.SIGNATURE_CONFIRMATION_LN); |
| /** |
| * <code>ds:Signature</code> as defined by XML Signature specification, |
| * enhanced by WS Security specification |
| */ |
| public static final QName SIGNATURE = |
| new QName(WSConstants.SIG_NS, WSConstants.SIG_LN); |
| /** |
| * <code>xenc:EncryptedKey</code> as defined by XML Encryption specification, |
| * enhanced by WS Security specification |
| */ |
| public static final QName ENCRYPTED_KEY = |
| new QName(WSConstants.ENC_NS, WSConstants.ENC_KEY_LN); |
| /** |
| * <code>xenc:EncryptedData</code> as defined by XML Encryption specification, |
| * enhanced by WS Security specification |
| */ |
| public static final QName ENCRYPTED_DATA = |
| new QName(WSConstants.ENC_NS, WSConstants.ENC_DATA_LN); |
| /** |
| * <code>xenc:ReferenceList</code> as defined by XML Encryption specification, |
| */ |
| public static final QName REFERENCE_LIST = |
| new QName(WSConstants.ENC_NS, WSConstants.REF_LIST_LN); |
| /** |
| * <code>saml:Assertion</code> as defined by SAML v1.1 specification |
| */ |
| public static final QName SAML_TOKEN = |
| new QName(WSConstants.SAML_NS, WSConstants.ASSERTION_LN); |
| |
| /** |
| * <code>saml:Assertion</code> as defined by SAML v2.0 specification |
| */ |
| public static final QName SAML2_TOKEN = |
| new QName(WSConstants.SAML2_NS, WSConstants.ASSERTION_LN); |
| |
| /** |
| * <code>saml:EncryptedAssertion</code> as defined by SAML v2.0 specification |
| */ |
| public static final QName ENCRYPTED_ASSERTION = |
| new QName(WSConstants.SAML2_NS, WSConstants.ENCRYPED_ASSERTION_LN); |
| |
| /** |
| * <code>wsc:DerivedKeyToken</code> as defined by WS-SecureConversation specification |
| */ |
| public static final QName DERIVED_KEY_TOKEN_05_02 = |
| new QName(ConversationConstants.WSC_NS_05_02, ConversationConstants.DERIVED_KEY_TOKEN_LN); |
| |
| /** |
| * <code>wsc:SecurityContextToken</code> as defined by WS-SecureConversation specification |
| */ |
| public static final QName SECURITY_CONTEXT_TOKEN_05_02 = |
| new QName(ConversationConstants.WSC_NS_05_02, ConversationConstants.SECURITY_CONTEXT_TOKEN_LN); |
| |
| /** |
| * <code>wsc:DerivedKeyToken</code> as defined by WS-SecureConversation specification in WS-SX |
| */ |
| public static final QName DERIVED_KEY_TOKEN_05_12 = |
| new QName(ConversationConstants.WSC_NS_05_12, ConversationConstants.DERIVED_KEY_TOKEN_LN); |
| |
| /** |
| * <code>wsc:SecurityContextToken</code> as defined by WS-SecureConversation specification in |
| * WS-SX |
| */ |
| public static final QName SECURITY_CONTEXT_TOKEN_05_12 = |
| new QName(ConversationConstants.WSC_NS_05_12, ConversationConstants.SECURITY_CONTEXT_TOKEN_LN); |
| |
| // |
| // Fault codes defined in the WSS 1.1 spec under section 12, Error handling |
| // |
| |
| /** |
| * An unsupported token was provided |
| */ |
| public static final QName UNSUPPORTED_SECURITY_TOKEN = |
| new QName(WSSE_NS, "UnsupportedSecurityToken"); |
| |
| /** |
| * An unsupported signature or encryption algorithm was used |
| */ |
| public static final QName UNSUPPORTED_ALGORITHM = |
| new QName(WSSE_NS, "UnsupportedAlgorithm"); |
| |
| /** |
| * An error was discovered processing the <Security> header |
| */ |
| public static final QName INVALID_SECURITY = new QName(WSSE_NS, "InvalidSecurity"); |
| |
| /** |
| * An invalid security token was provided |
| */ |
| public static final QName INVALID_SECURITY_TOKEN = new QName(WSSE_NS, "InvalidSecurityToken"); |
| |
| /** |
| * The security token could not be authenticated or authorized |
| */ |
| public static final QName FAILED_AUTHENTICATION = new QName(WSSE_NS, "FailedAuthentication"); |
| |
| /** |
| * The signature or decryption was invalid |
| */ |
| public static final QName FAILED_CHECK = new QName(WSSE_NS, "FailedCheck"); |
| |
| /** |
| * Referenced security token could not be retrieved |
| */ |
| public static final QName SECURITY_TOKEN_UNAVAILABLE = new QName(WSSE_NS, "SecurityTokenUnavailable"); |
| |
| /** |
| * The message has expired |
| */ |
| public static final QName MESSAGE_EXPIRED = new QName(WSSE_NS, "MessageExpired"); |
| |
| /* |
| * Constants used to configure WSS4J |
| */ |
| |
| /** |
| * Sets the {@link |
| * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader) |
| * } method to send the signing certificate as a <code>BinarySecurityToken</code>. |
| * <p/> |
| * The signing method takes the signing certificate, converts it to a |
| * <code>BinarySecurityToken</code>, puts it in the security header, |
| * and inserts a <code>Reference</code> to the binary security token |
| * into the <code>wsse:SecurityReferenceToken</code>. Thus the whole |
| * signing certificate is transfered to the receiver. |
| * The X509 profile recommends to use {@link #ISSUER_SERIAL} instead |
| * of sending the whole certificate. |
| * <p/> |
| * Please refer to WS Security specification X509 1.1 profile, chapter 3.3.2 |
| * and to WS Security SOAP Message security 1.1 specification, chapter 7.2 |
| * <p/> |
| * Note: only local references to BinarySecurityToken are supported |
| */ |
| public static final int BST_DIRECT_REFERENCE = 1; |
| |
| /** |
| * Sets the {@link |
| * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader) |
| * } or the {@link |
| * org.apache.wss4j.dom.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader) |
| * } method to send the issuer name and the serial number of a certificate to |
| * the receiver. |
| * <p/> |
| * In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name |
| * and the serial number of the signing certificate are sent to the |
| * receiver. This reduces the amount of data being sent. The encryption |
| * method uses the public key associated with this certificate to encrypt |
| * the symmetric key used to encrypt data. |
| * <p/> |
| * Please refer to WS Security specification X509 1.1 profile, chapter 3.3.3 |
| */ |
| public static final int ISSUER_SERIAL = 2; |
| |
| /** |
| * Sets the {@link |
| * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader) |
| * } or the {@link |
| * org.apache.wss4j.dom.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader) |
| * }method to send the certificate used to encrypt the symmetric key. |
| * <p/> |
| * The encryption method uses the public key associated with this certificate |
| * to encrypt the symmetric key used to encrypt data. The certificate is |
| * converted into a <code>KeyIdentifier</code> token and sent to the receiver. |
| * Thus the complete certificate data is transfered to receiver. |
| * The X509 profile recommends to use {@link #ISSUER_SERIAL} instead |
| * of sending the whole certificate. |
| * <p/> |
| * Please refer to WS Security SOAP Message security 1.1 specification, |
| * chapter 7.3. Note that this is a NON-STANDARD method. The standard way to refer to |
| * an X.509 Certificate via a KeyIdentifier is to use {@link #SKI_KEY_IDENTIFIER} |
| */ |
| public static final int X509_KEY_IDENTIFIER = 3; |
| |
| /** |
| * Sets the {@link |
| * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader) |
| * } method to send a <code>SubjectKeyIdentifier</code> to identify |
| * the signing certificate. |
| * <p/> |
| * Refer to WS Security specification X509 1.1 profile, chapter 3.3.1 |
| */ |
| public static final int SKI_KEY_IDENTIFIER = 4; |
| |
| /** |
| * Embeds a keyinfo/key name into the EncryptedData element. |
| * <p/> |
| */ |
| @Deprecated |
| public static final int EMBEDDED_KEYNAME = 5; |
| |
| /** |
| * Embeds a keyinfo/wsse:SecurityTokenReference into EncryptedData element. |
| */ |
| @Deprecated |
| public static final int EMBED_SECURITY_TOKEN_REF = 6; |
| |
| /** |
| * <code>UT_SIGNING</code> is used internally only to set a specific Signature |
| * behavior. |
| * |
| * The signing token is constructed from values in the UsernameToken according |
| * to WS-Trust specification. |
| */ |
| public static final int UT_SIGNING = 7; |
| |
| /** |
| * <code>THUMPRINT_IDENTIFIER</code> is used to set the specific key identifier |
| * ThumbprintSHA1. |
| * |
| * This identifier uses the SHA-1 digest of a security token to |
| * identify the security token. Please refer to chapter 7.2 of the OASIS WSS 1.1 |
| * specification. |
| * |
| */ |
| public static final int THUMBPRINT_IDENTIFIER = 8; |
| |
| /** |
| * <code>CUSTOM_SYMM_SIGNING</code> is used internally only to set a |
| * specific Signature behavior. |
| * |
| * The signing key, reference id and value type are set externally. |
| */ |
| public static final int CUSTOM_SYMM_SIGNING = 9; |
| |
| /** |
| * <code>ENCRYPTED_KEY_SHA1_IDENTIFIER</code> is used to set the specific key identifier |
| * EncryptedKeySHA1. |
| * |
| * This identifier uses the SHA-1 digest of a security token to |
| * identify the security token. Please refer to chapter 7.3 of the OASIS WSS 1.1 |
| * specification. |
| */ |
| public static final int ENCRYPTED_KEY_SHA1_IDENTIFIER = 10; |
| |
| /** |
| * <code>CUSTOM_SYMM_SIGNING_DIRECT</code> is used internally only to set a |
| * specific Signature behavior. |
| * |
| * The signing key, reference id and value type are set externally. |
| */ |
| public static final int CUSTOM_SYMM_SIGNING_DIRECT = 11; |
| |
| /** |
| * <code>CUSTOM_KEY_IDENTIFIER</code> is used to set a KeyIdentifier to |
| * a particular ID |
| * |
| * The reference id and value type are set externally. |
| */ |
| public static final int CUSTOM_KEY_IDENTIFIER = 12; |
| |
| /** |
| * <code>KEY_VALUE</code> is used to set a ds:KeyInfo/ds:KeyValue element to refer to |
| * either an RSA or DSA public key. |
| */ |
| public static final int KEY_VALUE = 13; |
| |
| /** |
| * <code>ENDPOINT_KEY_IDENTIFIER</code> is used to specify service endpoint as public key |
| * identifier. |
| * |
| * Constant is useful in case of symmetric holder of key, where token service can determine |
| * target service public key to encrypt shared secret. |
| */ |
| public static final int ENDPOINT_KEY_IDENTIFIER = 14; |
| |
| /* |
| * The following values are bits that can be combined to for a set. |
| * Be careful when selecting new values. |
| */ |
| public static final int NO_SECURITY = 0; |
| public static final int UT = 0x1; // perform UsernameToken |
| public static final int SIGN = 0x2; // Perform Signature |
| public static final int ENCR = 0x4; // Perform Encryption |
| |
| public static final int ST_UNSIGNED = 0x8; // perform SAMLToken unsigned |
| public static final int ST_SIGNED = 0x10; // perform SAMLToken signed |
| |
| public static final int TS = 0x20; // insert Timestamp |
| public static final int UT_SIGN = 0x40; // perform signature with UT secret key |
| public static final int SC = 0x80; // this is a SignatureConfirmation |
| |
| public static final int NO_SERIALIZE = 0x100; |
| public static final int SERIALIZE = 0x200; |
| public static final int SCT = 0x400; //SecurityContextToken |
| public static final int DKT = 0x800; //DerivedKeyToken |
| public static final int BST = 0x1000; //BinarySecurityToken |
| public static final int UT_NOPASSWORD = 0x2000; // perform UsernameToken |
| public static final int CUSTOM_TOKEN = 0x4000; // perform a Custom Token action |
| public static final int DKT_SIGN = 0x8000; // Perform Signature with a Derived Key |
| public static final int DKT_ENCR = 0x10000; // Perform Encryption with a Derived Key |
| |
| private WSConstants() { |
| super(); |
| } |
| |
| } |