| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| */ |
| |
| package org.apache.ws.security.handler; |
| |
| import org.apache.ws.security.WSConstants; |
| |
| import java.util.HashMap; |
| import java.util.Map; |
| |
| /** |
| * This class defines the names, actions, and other string for the deployment |
| * data of the WS handler. |
| * |
| * @author Werner Dittmann (werner@apache.org) |
| */ |
| public final class WSHandlerConstants { |
| |
| // |
| // Action configuration tags |
| // |
| |
| private WSHandlerConstants() { |
| // Complete |
| } |
| |
| /** |
| * The action parameter. The handlers use the value of this parameter to determine how |
| * to process the SOAP Envelope. It is a blank separated list of actions to perform. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN); |
| * </pre> |
| */ |
| public static final String ACTION = "action"; |
| |
| /** |
| * Perform no action. |
| */ |
| public static final String NO_SECURITY = "NoSecurity"; |
| |
| /** |
| * Perform a UsernameToken action. |
| */ |
| public static final String USERNAME_TOKEN = "UsernameToken"; |
| |
| /** |
| * Perform a UsernameToken action with no password. |
| */ |
| public static final String USERNAME_TOKEN_NO_PASSWORD = "UsernameTokenNoPassword"; |
| |
| /** |
| * Perform an unsigned SAML Token action. |
| */ |
| public static final String SAML_TOKEN_UNSIGNED = "SAMLTokenUnsigned"; |
| |
| /** |
| * Perform a signed SAML Token action. |
| */ |
| public static final String SAML_TOKEN_SIGNED = "SAMLTokenSigned"; |
| |
| /** |
| * Perform a Signature action. The signature specific parameters define how |
| * to sign, which keys to use, and so on. |
| */ |
| public static final String SIGNATURE = "Signature"; |
| |
| /** |
| * Perform an Encryption action. The encryption specific parameters define how |
| * to encrypt, which keys to use, and so on. |
| */ |
| public static final String ENCRYPT = "Encrypt"; |
| |
| /** |
| * Add a timestamp to the security header. |
| */ |
| public static final String TIMESTAMP = "Timestamp"; |
| |
| /** |
| * Use this to use a specific signature mechanism for .Net. This signature mechanism |
| * uses data from the username token and a well defined constant string and constructs |
| * a signature key. Please note that this action is NOT spec-compliant. |
| */ |
| public static final String SIGN_WITH_UT_KEY = "UsernameTokenSignature"; |
| |
| // |
| // User properties |
| // |
| |
| /** |
| * The actor or role name of the <code>wsse:Security</code> header. If this parameter |
| * is omitted, the actor name is not set. |
| * <p/> |
| * The value of the actor or role has to match the receiver's setting |
| * or may contain standard values. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ACTOR, "ActorName"); |
| * </pre> |
| */ |
| public static final String ACTOR = "actor"; |
| |
| /** |
| * The user's name. It is used differently by each of the WS-Security functions. |
| * <ul> |
| * <li>The <i>UsernameToken</i> function sets this name in the |
| * <code>UsernameToken</code>. |
| * </li> |
| * <li>The <i>Signing</i> function uses this name as the alias name |
| * in the keystore to get user's certificate and private key to |
| * perform signing if {@link #SIGNATURE_USER} is not used. |
| * </li> |
| * <li>The <i>encryption</i> |
| * functions uses this parameter as fallback if {@link #ENCRYPTION_USER} |
| * is not used. |
| * </li> |
| * </ul> |
| */ |
| public static final String USER = "user"; |
| |
| /** |
| * The user's name for encryption. The encryption functions use the public key of |
| * this user's certificate to encrypt the generated symmetric key. |
| * <p/> |
| * If this parameter is not set, then the encryption |
| * function falls back to the {@link #USER} parameter to get the |
| * certificate. |
| * <p/> |
| * If <b>only</b> encryption of the SOAP body data is requested, |
| * it is recommended to use this parameter to define the username. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ENCRYPTION_USER, "encryptionUser"); |
| * </pre> |
| */ |
| public static final String ENCRYPTION_USER = "encryptionUser"; |
| |
| /** |
| * The user's name for signature. This name is used as the alias name in the keystore |
| * to get user's certificate and private key to perform signing. |
| * <p/> |
| * If this parameter is not set, then the signature |
| * function falls back to the {@link #USER} parameter. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.SIGNATURE_USER, "signatureUser"); |
| * </pre> |
| */ |
| public static final String SIGNATURE_USER = "signatureUser"; |
| |
| /** |
| * Specifying this name as {@link #ENCRYPTION_USER} |
| * triggers a special action to get the public key to use for encryption. |
| * <p/> |
| * The handler uses the public key of the sender's certificate. Using this |
| * way to define an encryption key simplifies certificate management to |
| * a large extent. |
| */ |
| public static final String USE_REQ_SIG_CERT = "useReqSigCert"; |
| |
| |
| // |
| // Callback class and property file properties |
| // |
| |
| /** |
| * This tag refers to the CallbackHandler implementation class used to obtain passwords. |
| * The value of this tag must be the class name of a |
| * {@link javax.security.auth.callback.CallbackHandler} instance. |
| * </p> |
| * The callback function |
| * {@link javax.security.auth.callback.CallbackHandler#handle( |
| * javax.security.auth.callback.Callback[])} gets an array of |
| * {@link org.apache.ws.security.WSPasswordCallback} objects. Only the first entry of the |
| * array is used. This object contains the username/keyname as identifier. The callback |
| * handler must set the password or key associated with this identifier before it returns. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, "PWCallbackClass"); |
| * </pre> |
| */ |
| public static final String PW_CALLBACK_CLASS = "passwordCallbackClass"; |
| |
| /** |
| * This tag refers to the CallbackHandler implementation object used to obtain |
| * passwords. The value of this tag must be a |
| * {@link javax.security.auth.callback.CallbackHandler} instance. |
| * </p> |
| * Refer to {@link #PW_CALLBACK_CLASS} for further information about password callback |
| * handling. |
| */ |
| public static final String PW_CALLBACK_REF = "passwordCallbackRef"; |
| |
| /** |
| * This tag refers to the SAML CallbackHandler implementation class used to construct |
| * SAML Assertions. The value of this tag must be the class name of a |
| * {@link javax.security.auth.callback.CallbackHandler} instance. |
| */ |
| public static final String SAML_CALLBACK_CLASS = "samlCallbackClass"; |
| |
| /** |
| * This tag refers to the SAML CallbackHandler implementation object used to construct |
| * SAML Assertions. The value of this tag must be a |
| * {@link javax.security.auth.callback.CallbackHandler} instance. |
| */ |
| public static final String SAML_CALLBACK_REF = "samlCallbackRef"; |
| |
| /** |
| * This tag refers to the CallbackHandler implementation class used to get the key |
| * associated with a key name. The value of this tag must be the class name of a |
| * {@link javax.security.auth.callback.CallbackHandler} instance. |
| */ |
| public static final String ENC_CALLBACK_CLASS = "embeddedKeyCallbackClass"; |
| |
| /** |
| * This tag refers to the CallbackHandler implementation object used to get the key |
| * associated with a key name. The value of this tag must be a |
| * {@link javax.security.auth.callback.CallbackHandler} instance. |
| */ |
| public static final String ENC_CALLBACK_REF = "embeddedKeyCallbackRef"; |
| |
| /** |
| * The path of the crypto property file to use for Signature. The classloader loads this |
| * file. Therefore it must be accessible via the classpath. |
| * <p/> |
| * To locate the implementation of the |
| * {@link org.apache.ws.security.components.crypto.Crypto Crypto} |
| * interface implementation the property file must contain the property |
| * <code>org.apache.ws.security.crypto.provider</code>. The value of |
| * this property is the classname of the implementation class. |
| * <p/> |
| * The following line defines the standard implementation: |
| * <pre> |
| * org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin |
| * </pre> |
| * The other contents of the property file depend on the implementation |
| * of the {@link org.apache.ws.security.components.crypto.Crypto Crypto} |
| * interface. Please see the WSS4J website for more information on the Merlin property |
| * tags and values. |
| * </p> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.SIG_PROP_FILE, "myCrypto.properties"); |
| * </pre> |
| */ |
| public static final String SIG_PROP_FILE = "signaturePropFile"; |
| |
| /** |
| * The key that holds a reference to the object holding complete information about |
| * the signature Crypto implementation. This object can either be a Crypto instance or a |
| * <code>java.util.Properties</code> file, which should contain all information that |
| * would contain in an equivalent properties file which includes the Crypto implementation |
| * class name. |
| * |
| * Refer to documentation of {@link #SIG_PROP_FILE}. |
| */ |
| public static final String SIG_PROP_REF_ID = "signaturePropRefId"; |
| |
| /** |
| * The path of the crypto property file to use for Decryption. The classloader loads this |
| * file. Therefore it must be accessible via the classpath. Refer to documentation of |
| * {@link #SIG_PROP_FILE} for more information about the contents of the Properties file. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.DEC_PROP_FILE, "myCrypto.properties"); |
| * </pre> |
| */ |
| public static final String DEC_PROP_FILE = "decryptionPropFile"; |
| |
| /** |
| * The key that holds a reference to the object holding complete information about |
| * the decryption Crypto implementation. This object can either be a Crypto instance or a |
| * <code>java.util.Properties</code> file, which should contain all information that |
| * would contain in an equivalent properties file which includes the Crypto implementation |
| * class name. |
| * |
| * Refer to documentation of {@link #DEC_PROP_FILE}. |
| */ |
| public static final String DEC_PROP_REF_ID = "decryptionPropRefId"; |
| |
| /** |
| * The path of the crypto property file to use for Encryption. The classloader loads this |
| * file. Therefore it must be accessible via the classpath. Refer to documentation of |
| * {@link #SIG_PROP_FILE} for more information about the contents of the Properties file. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ENC_PROP_FILE, "myCrypto.properties"); |
| * </pre> |
| */ |
| public static final String ENC_PROP_FILE = "encryptionPropFile"; |
| |
| /** |
| * The key that holds a reference to the object holding complete information about |
| * the encryption Crypto implementation. This object can either be a Crypto instance or a |
| * <code>java.util.Properties</code> file, which should contain all information that |
| * would contain in an equivalent properties file which includes the Crypto implementation |
| * class name. |
| * |
| * Refer to documentation of {@link #ENC_PROP_FILE}. |
| */ |
| public static final String ENC_PROP_REF_ID = "encryptionPropRefId"; |
| |
| /** |
| * The name of the SAML Issuer factory property file. |
| * The classloader loads this file. Therefore it must be accessible |
| * via the classpath. |
| */ |
| public static final String SAML_PROP_FILE = "samlPropFile"; |
| |
| /** |
| * The key that holds a reference to the object holding complete information about |
| * the SAML Issuer configuration. This object can either be a SAMLIssuer instance or a |
| * <code>java.util.Properties</code> Object. |
| * |
| * Refer to documentation of {@link #SAML_PROP_FILE}. |
| */ |
| public static final String SAML_PROP_REF_ID = "samlPropRefId"; |
| |
| // |
| // Boolean configuration tags, e.g. the value should be "true" or "false". |
| // |
| |
| /** |
| * Whether to enable signatureConfirmation or not. The default value is "false". |
| */ |
| public static final String ENABLE_SIGNATURE_CONFIRMATION = "enableSignatureConfirmation"; |
| |
| /** |
| * Whether to set the mustUnderstand flag on an outbound message or not. The default |
| * setting is "true". |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.MUST_UNDERSTAND, "false"); |
| * </pre> |
| */ |
| public static final String MUST_UNDERSTAND = "mustUnderstand"; |
| |
| /** |
| * Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The |
| * default value is "true". |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.IS_BSP_COMPLIANT, "false"); |
| * </pre> |
| */ |
| public static final String IS_BSP_COMPLIANT = "isBSPCompliant"; |
| |
| /** |
| * This variable controls whether types other than PasswordDigest or PasswordText |
| * are allowed when processing UsernameTokens. The default value is "false". |
| */ |
| public static final String HANDLE_CUSTOM_PASSWORD_TYPES = "handleCustomPasswordTypes"; |
| |
| /** |
| * This variable controls whether a UsernameToken with no password element is allowed. |
| * The default value is "false". Set it to "true" to allow deriving keys from UsernameTokens |
| * or to support UsernameTokens for purposes other than authentication. |
| */ |
| public static final String ALLOW_USERNAMETOKEN_NOPASSWORD = "allowUsernameTokenNoPassword"; |
| |
| /** |
| * Set the value of this parameter to true to enable strict Username Token password type |
| * handling. The default value is "false". |
| * |
| * If this parameter is set to true, it throws an exception if the password type of |
| * the Username Token does not match that of the configured PASSWORD_TYPE parameter. |
| */ |
| public static final String PASSWORD_TYPE_STRICT = "passwordTypeStrict"; |
| |
| /** |
| * This variable controls whether (wsse) namespace qualified password types are |
| * accepted when processing UsernameTokens. The default value is "false". |
| */ |
| public static final String ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES |
| = "allowNamespaceQualifiedPasswordTypes"; |
| |
| /** |
| * This variable controls whether to enable Certificate Revocation List (CRL) checking |
| * or not when verifying trust in a certificate. The default value is "false". |
| */ |
| public static final String ENABLE_REVOCATION = "enableRevocation"; |
| |
| /** |
| * Set the value of this parameter to true to treat passwords as binary values |
| * for Username Tokens. The default value is "false". |
| * |
| * This is needed to properly handle password equivalence for UsernameToken |
| * passwords. Binary passwords are Base64 encoded so they can be treated as |
| * strings in most places, but when the password digest is calculated or a key |
| * is derived from the password, the password will be Base64 decoded before |
| * being used. This is most useful for hashed passwords as password equivalents. |
| */ |
| public static final String USE_ENCODED_PASSWORDS = "useEncodedPasswords"; |
| |
| /** |
| * This parameter sets whether to use a single certificate or a whole certificate |
| * chain when constructing a BinarySecurityToken used for direct reference in |
| * signature. The default is "true", meaning that only a single certificate is used. |
| */ |
| public static final String USE_SINGLE_CERTIFICATE = "useSingleCertificate"; |
| |
| /** |
| * This parameter sets whether to use UsernameToken Key Derivation, as defined |
| * in the UsernameTokenProfile 1.1 specification. The default is "true". If false, |
| * then it falls back to the old behaviour of WSE derived key functionality. |
| */ |
| public static final String USE_DERIVED_KEY = "useDerivedKey"; |
| |
| /** |
| * This parameter sets whether to use the Username Token derived key for a MAC |
| * or not. The default is "true". |
| */ |
| public static final String USE_DERIVED_KEY_FOR_MAC = "useDerivedKeyForMAC"; |
| |
| /** |
| * Set whether Timestamps have precision in milliseconds. This applies to the |
| * creation of Timestamps only. The default value is "true". |
| */ |
| public static final String TIMESTAMP_PRECISION = "precisionInMilliseconds"; |
| |
| /** |
| * Set the value of this parameter to true to enable strict timestamp |
| * handling. The default value is "true". |
| * |
| * Strict Timestamp handling: throw an exception if a Timestamp contains |
| * an <code>Expires</code> element and the semantics of the request are |
| * expired, i.e. the current time at the receiver is past the expires time. |
| */ |
| public static final String TIMESTAMP_STRICT = "timestampStrict"; |
| |
| /** |
| * Defines whether to encrypt the symmetric encryption key or not. If true |
| * (the default), the symmetric key used for encryption is encrypted in turn, |
| * and inserted into the security header in an "EncryptedKey" structure. If |
| * set to false, no EncryptedKey structure is constructed. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ENC_SYM_ENC_KEY, "false"); |
| * </pre> |
| */ |
| public static final String ENC_SYM_ENC_KEY = "encryptSymmetricEncryptionKey"; |
| |
| /** |
| * Whether the engine needs to enforce EncryptedData elements are |
| * in a signed subtree of the document. This can be used to prevent |
| * some wrapping based attacks when encrypt-before-sign token |
| * protection is selected. |
| */ |
| public static final String REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS = "requireSignedEncryptedDataElements"; |
| |
| // |
| // (Non-boolean) Configuration parameters for the actions/processors |
| // |
| |
| /** |
| * Text of the embedded key name to be sent in the KeyInfo for encryption. |
| */ |
| public static final String ENC_KEY_NAME = "embeddedKeyName"; |
| |
| /** |
| * Specific parameter for UsernameToken action to define the encoding |
| * of the password. |
| * <p/> |
| * The parameter can be set to either {@link WSConstants#PW_DIGEST} |
| * or to {@link WSConstants#PW_TEXT}. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST); |
| * </pre> |
| * The default setting is PW_DIGEST. |
| */ |
| public static final String PASSWORD_TYPE = "passwordType"; |
| |
| /** |
| * Parameter to generate additional elements (nonce and created) in a |
| * <code>UsernameToken</code>. |
| * <p/> |
| * The value of this parameter is a list of element names that are added |
| * to the UsernameToken. The names of the list a separated by spaces. |
| * <p/> |
| * The list may contain the names <code>nonce</code> and |
| * <code>created</code> only. Use this option if the password type is |
| * <code>passwordText</code> and the handler shall add the <code>Nonce</code> |
| * and/or <code>Created</code> elements. |
| */ |
| public static final String ADD_UT_ELEMENTS = "addUTElements"; |
| |
| /** |
| * Defines which key identifier type to use for signature. The WS-Security specifications |
| * recommends to use the identifier type <code>IssuerSerial</code>. For possible signature |
| * key identifier types refer to {@link #getKeyIdentifier(String)}. |
| * For signature <code>IssuerSerial</code>, <code>DirectReference</code>, |
| * <code>X509KeyIdentifier</code>, <code>Thumbprint</code>, <code>SKIKeyIdentifier</code> |
| * and <code>KeyValue</code> are valid only. |
| * <p/> |
| * The default is <code>IssuerSerial</code>. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference"); |
| * </pre> |
| */ |
| public static final String SIG_KEY_ID = "signatureKeyIdentifier"; |
| |
| /** |
| * Defines which signature algorithm to use. The default is set by the data in the |
| * certificate, i.e. one of the following: |
| * |
| * "http://www.w3.org/2000/09/xmldsig#rsa-sha1" |
| * "http://www.w3.org/2000/09/xmldsig#dsa-sha1" |
| * |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty( |
| * WSHandlerConstants.SIG_ALGO, |
| * "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" |
| * ); |
| * </pre> |
| */ |
| public static final String SIG_ALGO = "signatureAlgorithm"; |
| |
| /** |
| * Defines which signature digest algorithm to use. The default is: |
| * |
| * "http://www.w3.org/2000/09/xmldsig#sha1" |
| * |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty( |
| * WSHandlerConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256" |
| * ); |
| * </pre> |
| */ |
| public static final String SIG_DIGEST_ALGO = "signatureDigestAlgorithm"; |
| |
| /** |
| * Defines which signature c14n (canonicalization) algorithm to use. The default is: |
| * "http://www.w3.org/2001/10/xml-exc-c14n#" |
| */ |
| public static final String SIG_C14N_ALGO = "signatureC14nAlgorithm"; |
| |
| /** |
| * Parameter to define which parts of the request shall be signed. |
| * <p/> |
| * Refer to {@link #ENCRYPTION_PARTS} for a detailed description of |
| * the format of the value string. |
| * <p/> |
| * If this parameter is not specified the handler signs the SOAP Body |
| * by default, i.e.: |
| * <pre> |
| * <parameter name="signatureParts" |
| * value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" /> |
| * </pre> |
| * To specify an element without a namespace use the string |
| * <code>Null</code> as the namespace name (this is a case sensitive |
| * string) |
| * <p/> |
| * If there is no other element in the request with a local name of |
| * <code>Body</code> then the SOAP namespace identifier can be empty |
| * (<code>{}</code>). |
| */ |
| public static final String SIGNATURE_PARTS = "signatureParts"; |
| |
| /** |
| * This parameter sets the length of the secret (derived) key to use for the |
| * WSE UT_SIGN functionality. |
| * |
| * The default value is 16 bytes. |
| */ |
| public static final String WSE_SECRET_KEY_LENGTH = "wseSecretKeyLength"; |
| |
| /** |
| * This parameter sets the number of iterations to use when deriving a key |
| * from a Username Token. The default is 1000. |
| */ |
| public static final String DERIVED_KEY_ITERATIONS = "derivedKeyIterations"; |
| |
| /** |
| * Defines which key identifier type to use for encryption. The WS-Security specifications |
| * recommends to use the identifier type <code>IssuerSerial</code>. For |
| * possible encryption key identifier types refer to |
| * {@link #getKeyIdentifier(String)}. For encryption <code>IssuerSerial</code>, |
| * <code>DirectReference</code>, <code>X509KeyIdentifier</code>, |
| * <code>Thumbprint</code>, <code>SKIKeyIdentifier</code>, <code>EncryptedKeySHA1</code> |
| * and <code>EmbeddedKeyName</code> are valid only. |
| * <p/> |
| * The default is <code>IssuerSerial</code>. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ENC_KEY_ID, "X509KeyIdentifier"); |
| * </pre> |
| */ |
| public static final String ENC_KEY_ID = "encryptionKeyIdentifier"; |
| |
| /** |
| * Defines which symmetric encryption algorithm to use. WSS4J supports the |
| * following algorithms: {@link WSConstants#TRIPLE_DES}, |
| * {@link WSConstants#AES_128}, {@link WSConstants#AES_256}, |
| * and {@link WSConstants#AES_192}. Except for AES 192 all of these |
| * algorithms are required by the XML Encryption specification. |
| * The default algorithm is: |
| * |
| * "http://www.w3.org/2001/04/xmlenc#aes128-cbc" |
| * |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ENC_SYM_ALGO, WSConstants.AES_256); |
| * </pre> |
| */ |
| public static final String ENC_SYM_ALGO = "encryptionSymAlgorithm"; |
| |
| /** |
| * Defines which algorithm to use to encrypt the generated symmetric key. |
| * The default algorithm is: |
| * |
| * "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" |
| * |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ENC_KEY_TRANSPORT, WSConstants.KEYTRANSPORT_RSA15); |
| * </pre> |
| */ |
| public static final String ENC_KEY_TRANSPORT = "encryptionKeyTransportAlgorithm"; |
| |
| /** |
| * Parameter to define which parts of the request shall be encrypted. |
| * <p/> |
| * The value of this parameter is a list of semi-colon separated |
| * element names that identify the elements to encrypt. An encryption mode |
| * specifier and a namespace identification, each inside a pair of curly |
| * brackets, may preceed each element name. |
| * <p/> |
| * The encryption mode specifier is either <code>{Content}</code> or |
| * <code>{Element}</code>. Please refer to the W3C XML Encryption |
| * specification about the differences between Element and Content |
| * encryption. The encryption mode defaults to <code>Content</code> |
| * if it is omitted. Example of a list: |
| * <pre> |
| * <parameter name="encryptionParts" |
| * value="{Content}{http://example.org/paymentv2}CreditCard; |
| * {Element}{}UserName" /> |
| * </pre> |
| * The the first entry of the list identifies the element |
| * <code>CreditCard</code> in the namespace |
| * <code>http://example.org/paymentv2</code>, and will encrypt its content. |
| * Be aware that the element name, the namespace identifier, and the |
| * encryption modifier are case sensitive. |
| * <p/> |
| * The encryption modifier and the namespace identifier can be ommited. |
| * In this case the encryption mode defaults to <code>Content</code> and |
| * the namespace is set to the SOAP namespace. |
| * <p/> |
| * An empty encryption mode defaults to <code>Content</code>, an empty |
| * namespace identifier defaults to the SOAP namespace. |
| * The second line of the example defines <code>Element</code> as |
| * encryption mode for an <code>UserName</code> element in the SOAP |
| * namespace. |
| * <p/> |
| * To specify an element without a namespace use the string |
| * <code>Null</code> as the namespace name (this is a case sensitive |
| * string) |
| * <p/> |
| * If no list is specified, the handler encrypts the SOAP Body in |
| * <code>Content</code> mode by default. |
| */ |
| public static final String ENCRYPTION_PARTS = "encryptionParts"; |
| |
| /** |
| * Defines which encryption digest algorithm to use with the RSA OAEP Key Transport |
| * algorithm for encryption. The default is SHA-1. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty( |
| * WSHandlerConstants.ENC_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256" |
| * ); |
| * </pre> |
| */ |
| public static final String ENC_DIGEST_ALGO = "encryptionDigestAlgorithm"; |
| |
| /** |
| * Time-To-Live is the time difference between creation and expiry time in |
| * seconds of the UsernameToken Created value. After this time the SOAP request |
| * is invalid (at least the security data shall be treated this way). |
| * <p/> |
| * If this parameter is not defined, contains a value less or equal |
| * zero, or an illegal format the handlers use a default TTL of |
| * 300 seconds (5 minutes). |
| */ |
| public static final String TTL_USERNAMETOKEN = "utTimeToLive"; |
| |
| /** |
| * This configuration tag specifies the time in seconds in the future within which |
| * the Created time of an incoming UsernameToken is valid. The default value is "60", |
| * to avoid problems where clocks are slightly askew. To reject all future-created |
| * UsernameTokens, set this value to "0". |
| */ |
| public static final String TTL_FUTURE_USERNAMETOKEN = "utFutureTimeToLive"; |
| |
| /** |
| * This configuration tag is a comma separated String of regular expressions which |
| * will be applied to the subject DN of the certificate used for signature |
| * validation, after trust verification of the certificate chain associated with the |
| * certificate. These constraints are not used when the certificate is contained in |
| * the keystore (direct trust). |
| */ |
| public static final String SIG_SUBJECT_CERT_CONSTRAINTS = "sigSubjectCertConstraints"; |
| |
| /** |
| * Time-To-Live is the time difference between creation and expiry time in |
| * seconds in the WSS Timestamp. After this time the SOAP request is |
| * invalid (at least the security data shall be treated this way). |
| * <p/> |
| * If this parameter is not defined, contains a value less or equal |
| * zero, or an illegal format the handlers use a default TTL of |
| * 300 seconds (5 minutes). |
| */ |
| public static final String TTL_TIMESTAMP = "timeToLive"; |
| |
| /** |
| * This configuration tag specifies the time in seconds in the future within which |
| * the Created time of an incoming Timestamp is valid. The default value is "60", |
| * to avoid problems where clocks are slightly askew. To reject all future-created |
| * Timestamps, set this value to "0". |
| */ |
| public static final String TTL_FUTURE_TIMESTAMP = "futureTimeToLive"; |
| |
| |
| // |
| // Internal storage constants |
| // |
| |
| /** |
| * The WSHandler stores a result <code>List</code> in this property. |
| */ |
| public static final String RECV_RESULTS = "RECV_RESULTS"; |
| |
| /** |
| * internally used property names to store values inside the message context |
| * that must have the same lifetime as a message (request/response model). |
| */ |
| public static final String SEND_SIGV = "_sendSignatureValues_"; |
| |
| /** |
| * |
| */ |
| public static final String SIG_CONF_DONE = "_sigConfDone_"; |
| |
| |
| /** |
| * Define the parameter values to set the key identifier types. These are: |
| * <ul> |
| * <li><code>DirectReference</code> for {@link WSConstants#BST_DIRECT_REFERENCE} |
| * </li> |
| * <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL} |
| * </li> |
| * <li><code>X509KeyIdentifier</code> for {@link WSConstants#X509_KEY_IDENTIFIER} |
| * </li> |
| * <li><code>SKIKeyIdentifier</code> for {@link WSConstants#SKI_KEY_IDENTIFIER} |
| * </li> |
| * <li><code>EmbeddedKeyName</code> for {@link WSConstants#EMBEDDED_KEYNAME} |
| * </li> |
| * <li><code>Thumbprint</code> for {@link WSConstants#THUMBPRINT} |
| * </li> |
| * <li><code>EncryptedKeySHA1</code> for {@link WSConstants#ENCRYPTED_KEY_SHA1_IDENTIFIER} |
| * </li> |
| * </ul> |
| * See {@link #SIG_KEY_ID} {@link #ENC_KEY_ID}. |
| */ |
| private static Map<String, Integer> keyIdentifier = new HashMap<String, Integer>(); |
| |
| static { |
| keyIdentifier.put("DirectReference", |
| Integer.valueOf(WSConstants.BST_DIRECT_REFERENCE)); |
| keyIdentifier.put("IssuerSerial", |
| Integer.valueOf(WSConstants.ISSUER_SERIAL)); |
| keyIdentifier.put("X509KeyIdentifier", |
| Integer.valueOf(WSConstants.X509_KEY_IDENTIFIER)); |
| keyIdentifier.put("SKIKeyIdentifier", |
| Integer.valueOf(WSConstants.SKI_KEY_IDENTIFIER)); |
| keyIdentifier.put("EmbeddedKeyName", |
| Integer.valueOf(WSConstants.EMBEDDED_KEYNAME)); |
| keyIdentifier.put("Thumbprint", |
| Integer.valueOf(WSConstants.THUMBPRINT_IDENTIFIER)); |
| keyIdentifier.put("EncryptedKeySHA1", |
| Integer.valueOf(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER)); |
| keyIdentifier.put("KeyValue", |
| Integer.valueOf(WSConstants.KEY_VALUE)); |
| } |
| |
| /** |
| * Get the key identifier type corresponding to the parameter. This is intended for internal |
| * use only. Valid values for "parameter" are: |
| * - "IssuerSerial" |
| * - "DirectReference" |
| * - "X509KeyIdentifier" |
| * - "Thumbprint" |
| * - "SKIKeyIdentifier" |
| * - "KeyValue" |
| * - "EmbeddedKeyName" |
| * - "EncryptedKeySHA1" |
| * |
| * @param parameter |
| * @return the key identifier type corresponding to the parameter |
| */ |
| public static Integer getKeyIdentifier(String parameter) { |
| return keyIdentifier.get(parameter); |
| } |
| } |
| |