All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil Maven / Gradle / Ivy

There is a newer version: 3.0.0-milestone2
Show newest version
/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.cxf.ws.security.wss4j;


import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;

import javax.xml.namespace.QName;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;

import org.w3c.dom.Attr;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.helpers.MapNamespaceContext;
import org.apache.cxf.ws.policy.PolicyConstants;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.processor.ReferenceListProcessor;


/**
 * Utility to enable the checking of WS-Security signature / WS-Security
 * encryption coverage based on the results of the WSS4J signature/encryption
 * processor.
 */
public final class CryptoCoverageUtil {
    /**
     * Hidden in utility class.
     */
    private CryptoCoverageUtil() {
    }
    
    /**
     * Inspects the signed and encrypted content in the message and accurately
     * resolves encrypted and then signed elements in {@code signedRefs}.
     * Entries in {@code signedRefs} that correspond to an encrypted element
     * are resolved to the decrypted element and added to {@code signedRefs}.
     * The original reference to the encrypted content remains unaltered in the
     * list to allow for matching against a requirement that xenc:EncryptedData
     * and xenc:EncryptedKey elements be signed.
     * 
     * @param signedRefs references to the signed content in the message
     * @param encryptedRefs references to the encrypted content in the message
     */
    public static void reconcileEncryptedSignedRefs(final Collection signedRefs, 
            final Collection encryptedRefs) {
        
        final List encryptedSignedRefs = new LinkedList();
        
        for (WSDataRef encryptedRef : encryptedRefs) {
            final Iterator signedRefsIt = signedRefs.iterator();
            while (signedRefsIt.hasNext()) {
                final WSDataRef signedRef = signedRefsIt.next();
                
                if (isSignedEncryptionRef(encryptedRef, signedRef)) {

                    final WSDataRef encryptedSignedRef = new WSDataRef();
                    encryptedSignedRef.setWsuId(signedRef.getWsuId());
                    
                    encryptedSignedRef.setContent(false);
                    encryptedSignedRef.setName(encryptedRef.getName());
                    encryptedSignedRef.setProtectedElement(encryptedRef
                            .getProtectedElement());
                    // This value is the ID of the encrypted element, not
                    // the value of the ID in the decrypted content 
                    // (WSS4J 1.5.8).  Therefore, passing it along does
                    // not provide much value.
                    //encryptedSignedRef.setWsuId(encryptedRef.getWsuId());
                    encryptedSignedRef.setXpath(encryptedRef.getXpath());
                    
                    encryptedSignedRefs.add(encryptedSignedRef);
                }
            }
        }
        
        signedRefs.addAll(encryptedSignedRefs);
    }

    /**
     * Checks that the references provided refer to the
     * signed/encrypted SOAP body element.
     * 
     * @param soapBody
     *            the SOAP body element
     * @param refs
     *            the refs to the data extracted from the signature/encryption
     * @param type
     *            the type of cryptographic coverage to check for
     * @param scope
     *            the scope of the cryptographic coverage to check for, defaults
     *            to element
     * 
     * @throws WSSecurityException
     *             if there is an error evaluating the coverage or the body is not
     *             covered by the signature/encryption.
     */
    public static void checkBodyCoverage(
        Element soapBody,
        final Collection refs,
        CoverageType type,
        CoverageScope scope
    ) throws WSSecurityException {
        String xpath = ReferenceListProcessor.getXPath(soapBody);
        if (!CryptoCoverageUtil.matchElement(refs, type, scope, soapBody, xpath)) {
            throw new WSSecurityException("The " + getCoverageTypeString(type)
                    + " does not cover the required elements (soap:Body).");
        }
    }

    
    /**
     * Checks that the references provided refer to the required
     * signed/encrypted SOAP header element(s) matching the provided name and
     * namespace.  If {@code name} is null, all headers from {@code namespace}
     * are inspected for coverage.
     * 
     * @param soapHeader
     *            the SOAP header element
     * @param refs
     *            the refs to the data extracted from the signature/encryption
     * @param namespaces
     *            the namespace of the header(s) to check for coverage
     * @param name
     *            the local part of the header name to check for coverage, may be null
     * @param type
     *            the type of cryptographic coverage to check for
     * @param scope
     *            the scope of the cryptographic coverage to check for, defaults
     *            to element
     * 
     * @throws WSSecurityException
     *             if there is an error evaluating the coverage or a header is not
     *             covered by the signature/encryption.
     */
    public static void checkHeaderCoverage(
            Element soapHeader,
            final Collection refs,
            String namespace,
            String name,
            CoverageType type,
            CoverageScope scope) throws WSSecurityException {
        
        final List elements;
        if (name == null) {
            elements = DOMUtils.getChildrenWithNamespace(soapHeader, namespace);
        } else {
            elements = DOMUtils.getChildrenWithName(soapHeader, namespace, name);
        }
        
        for (Element el : elements) {
            String xpath = ReferenceListProcessor.getXPath(el);
            if (!CryptoCoverageUtil.matchElement(refs, type, scope, el, xpath)) {
                throw new WSSecurityException("The " + getCoverageTypeString(type)
                        + " does not cover the required elements ({"
                        + namespace + "}" + name + ").");
            }
        }          
    }
    
    /**
     * Checks that the references provided refer to the required
     * signed/encrypted elements as defined by the XPath expression in {@code
     * xPath}.
     * 
     * @param soapEnvelope
     *            the SOAP Envelope element
     * @param refs
     *            the refs to the data extracted from the signature/encryption
     * @param namespaces
     *            the prefix to namespace mapping, may be {@code null}
     * @param xPath
     *            the XPath expression
     * @param type
     *            the type of cryptographic coverage to check for
     * @param scope
     *            the scope of the cryptographic coverage to check for, defaults
     *            to element
     * 
     * @throws WSSecurityException
     *             if there is an error evaluating an XPath or an element is not
     *             covered by the signature/encryption.
     */
    public static void checkCoverage(
            Element soapEnvelope,
            final Collection refs,
            Map namespaces,
            String xPath,
            CoverageType type,
            CoverageScope scope) throws WSSecurityException {
        
        CryptoCoverageUtil.checkCoverage(soapEnvelope, refs, namespaces, Arrays
                .asList(xPath), type, scope);
    }
    
    /**
     * Checks that the references provided refer to the required
     * signed/encrypted elements as defined by the XPath expressions in {@code
     * xPaths}.
     * 
     * @param soapEnvelope
     *            the SOAP Envelope element
     * @param refs
     *            the refs to the data extracted from the signature/encryption
     * @param namespaces
     *            the prefix to namespace mapping, may be {@code null}
     * @param xPaths
     *            the collection of XPath expressions
     * @param type
     *            the type of cryptographic coverage to check for
     * @param scope
     *            the scope of the cryptographic coverage to check for, defaults
     *            to element
     * 
     * @throws WSSecurityException
     *             if there is an error evaluating an XPath or an element is not
     *             covered by the signature/encryption.
     */
    public static void checkCoverage(
            Element soapEnvelope,
            final Collection refs,
            Map namespaces,
            Collection xPaths,
            CoverageType type,
            CoverageScope scope) throws WSSecurityException {
        
        // XPathFactory and XPath are not thread-safe so we must recreate them
        // each request.
        final XPathFactory factory = XPathFactory.newInstance();
        final XPath xpath = factory.newXPath();
        
        if (namespaces != null) {
            xpath.setNamespaceContext(new MapNamespaceContext(namespaces));
        }
        
        // For each XPath
        for (String xpathString : xPaths) {
            // Get the matching nodes
            NodeList list;
            try {
                list = (NodeList)xpath.evaluate(
                        xpathString, 
                        soapEnvelope,
                        XPathConstants.NODESET);
            } catch (XPathExpressionException e) {
                // The xpath's are not valid in the config.
                throw new WSSecurityException(WSSecurityException.FAILURE);
            }
            
            // If we found nodes then we need to do the check.
            if (list.getLength() != 0) {
                // For each matching element, check for a ref that
                // covers it.
                for (int x = 0; x < list.getLength(); x++) {
                    
                    final Element el = (Element)list.item(x);
                    
                    boolean instanceMatched = CryptoCoverageUtil.
                            matchElement(refs, type, scope, el, xpathString);
                    
                    // We looked through all of the refs, but the element was
                    // not signed.
                    if (!instanceMatched) {
                        throw new WSSecurityException("The " + getCoverageTypeString(type)
                                + " does not cover the required elements ("
                                + xpathString + ").");
                    }
                }
            }
        }
    }
    
    /**
     * Determines if {@code signedRef} points to the encrypted content represented by
     * {@code encryptedRef} using the following algorithm.
     *
     * 
    *
  1. Check that the signed content is an XML Encryption element.
  2. *
  3. Check that the reference Ids of the signed content and encrypted content * (not the decrypted version of the encrypted content) match. Check that the * reference Id of the signed content matches the reference Id of the encrypted * content prepended with a #. *
  4. Check for other Id attributes on the signed element that may match the * referenced identifier for the encrypted content. This is a workaround for * WSS-242.
  5. *
* * @param encryptedRef the ref representing the encrpted content * @param signedRef the ref representing the signed content */ private static boolean isSignedEncryptionRef(WSDataRef encryptedRef, WSDataRef signedRef) { // Don't even bother if the signed element wasn't an XML Enc element. if (!WSConstants.ENC_NS.equals(signedRef.getProtectedElement() .getNamespaceURI())) { return false; } if (signedRef.getWsuId().equals(encryptedRef.getWsuId()) || signedRef.getWsuId().equals("#" + encryptedRef.getWsuId())) { return true; } // There should be no other Ids on an EncryptedData or EncryptedKey element; // however, WSS4J will happily add them on the outbound side. See WSS-242. // The following code looks for the specific behavior that exists in // 1.5.8 and earlier version. String wsuId = signedRef.getProtectedElement().getAttributeNS( WSConstants.WSU_NS, "Id"); if (signedRef.getWsuId().equals(wsuId) || signedRef.getWsuId().equals("#" + wsuId)) { return true; } return false; } private static boolean matchElement(Collection refs, CoverageType type, CoverageScope scope, Element el, String elXPath) { final boolean content; switch (scope) { case CONTENT: content = true; break; case ELEMENT: default: content = false; } // Get the Element Id Attr idAttr = el.getAttributeNodeNS(PolicyConstants.WSU_NAMESPACE_URI, "Id"); // We didn't get it with a qualified name, so // look for the attribute using only the local name. if (idAttr == null) { idAttr = el.getAttributeNode("Id"); } String id = idAttr == null ? null : idAttr.getValue(); if (id != null && id.charAt(0) == '#') { id = id.substring(1); } for (WSDataRef r : refs) { // If the element is the same object instance // as that in the ref, we found it and can // stop looking at this element. if (r.getProtectedElement() == el && r.isContent() == content) { return true; } // Only if checking signature coverage do we attempt to // do matches based on ID and element names (and XPath expressions) and not object // equality. if (CoverageType.SIGNED.equals(type)) { QName elQName = new QName(el.getNamespaceURI(), el.getLocalName()); if (r.getName().equals(elQName) && r.getWsuId() != null && (r.getWsuId().equals(id) && r.getXpath() != null && r.getXpath().equals(elXPath))) { return true; } } } return false; } private static String getCoverageTypeString(CoverageType type) { String typeString; switch (type) { case SIGNED: typeString = "signature"; break; case ENCRYPTED: typeString = "encryption"; break; default: typeString = "crpytography"; } return typeString; } /** * Differentiates which type of cryptographic coverage to check for. */ public static enum CoverageType { /** * Checks for encryption of the matching elements. */ ENCRYPTED, /** * Checks for a signature over the matching elements. */ SIGNED } /** * Differentiates which part of an element to check for cryptographic coverage. */ public static enum CoverageScope { /** * Checks for encryption of the matching elements. */ CONTENT, /** * Checks for a signature over the matching elements. */ ELEMENT } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy