org.apache.ws.security.message.WSSecEncryptedKey Maven / Gradle / Ivy
Go to download
Apache WSS4J is an implementation of the Web Services Security
(WS-Security) being developed at OASIS Web Services Security TC.
WSS4J is a primarily a Java library that can be used to sign and
verify SOAP Messages with WS-Security information. WSS4J will
use Apache Axis and Apache XML-Security projects and will be
interoperable with JAX-RPC based server/clients and .NET
server/clients.
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.ws.security.message;
import java.security.InvalidKeyException;
import java.security.cert.X509Certificate;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.DOMX509Data;
import org.apache.ws.security.message.token.DOMX509IssuerSerial;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.util.UUIDGenerator;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Text;
/**
* Builder class to build an EncryptedKey.
*
* This is especially useful in the case where the same
* EncryptedKey has to be used to sign and encrypt the message In
* such a situation this builder will add the EncryptedKey to the
* security header and we can use the information form the builder to provide to
* other builders to reference to the token
*/
public class WSSecEncryptedKey extends WSSecBase {
private static org.apache.commons.logging.Log log =
org.apache.commons.logging.LogFactory.getLog(WSSecEncryptedKey.class);
protected Document document;
/**
* soap:Envelope element
*/
protected Element envelope = null;
/**
* Session key used as the secret in key derivation
*/
protected byte[] ephemeralKey;
/**
* Encrypted bytes of the ephemeral key
*/
protected byte[] encryptedEphemeralKey;
/**
* Remote user's alias to obtain the cert to encrypt the ephemeral key
*/
protected String encrUser = null;
/**
* Algorithm used to encrypt the ephemeral key
*/
protected String keyEncAlgo = WSConstants.KEYTRANSPORT_RSA15;
/**
* xenc:EncryptedKey element
*/
protected Element encryptedKeyElement = null;
/**
* The Token identifier of the token that the DerivedKeyToken
* is (or to be) derived from.
*/
protected String encKeyId = null;
/**
* Custom token value
*/
protected String customEKTokenValueType;
/**
* Custom token id
*/
protected String customEKTokenId;
/**
* BinarySecurityToken to be included in the case where BST_DIRECT_REFERENCE
* is used to refer to the asymmetric encryption cert
*/
protected BinarySecurity bstToken = null;
protected X509Certificate useThisCert = null;
/**
* Key size in bits
* Defaults to 128
*/
protected int keySize = 128;
public WSSecEncryptedKey() {
super();
}
public WSSecEncryptedKey(WSSConfig config) {
super(config);
}
/**
* Set the user name to get the encryption certificate.
*
* The public key of this certificate is used, thus no password necessary.
* The user name is a keystore alias usually.
*
* @param user
*/
public void setUserInfo(String user) {
this.user = user;
}
/**
* Get the id generated during prepare().
*
* Returns the the value of wsu:Id attribute of the EncryptedKey element.
*
* @return Return the wsu:Id of this token or null if prepare()
* was not called before.
*/
public String getId() {
return encKeyId;
}
/**
* Prepare the ephemeralKey and the tokens required to be added to the
* security header
*
* @param doc The SOAP envelope as Document
* @param crypto An instance of the Crypto API to handle keystore and certificates
* @throws WSSecurityException
*/
public void prepare(Document doc, Crypto crypto) throws WSSecurityException {
document = doc;
//
// Set up the ephemeral key
//
if (ephemeralKey == null) {
ephemeralKey = generateEphemeralKey();
}
//
// Get the certificate that contains the public key for the public key
// algorithm that will encrypt the generated symmetric (session) key.
//
X509Certificate remoteCert = useThisCert;
if (remoteCert == null) {
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(user);
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
if (certs == null || certs.length <= 0) {
throw new WSSecurityException(
WSSecurityException.FAILURE,
"noUserCertsFound",
new Object[] {user, "encryption"}
);
}
remoteCert = certs[0];
}
prepareInternal(ephemeralKey, remoteCert, crypto);
}
/**
* Encrypt the symmetric key data and prepare the EncryptedKey element
*
* This method does the most work for to prepare the EncryptedKey element.
* It is also used by the WSSecEncrypt sub-class.
*
* @param keyBytes The bytes that represent the symmetric key
* @param remoteCert The certificate that contains the public key to encrypt the
* symmetric key data
* @param crypto An instance of the Crypto API to handle keystore and certificates
* @throws WSSecurityException
*/
protected void prepareInternal(
byte[] keyBytes,
X509Certificate remoteCert,
Crypto crypto
) throws WSSecurityException {
Cipher cipher = WSSecurityUtil.getCipherInstance(keyEncAlgo);
try {
cipher.init(Cipher.ENCRYPT_MODE, remoteCert);
} catch (InvalidKeyException e) {
throw new WSSecurityException(
WSSecurityException.FAILED_ENCRYPTION, null, null, e
);
}
int blockSize = cipher.getBlockSize();
if (doDebug) {
log.debug(
"cipher blksize: " + blockSize
+ ", symm key length: " + keyBytes.length
);
}
if (blockSize > 0 && blockSize < keyBytes.length) {
throw new WSSecurityException(
WSSecurityException.FAILURE,
"unsupportedKeyTransp",
new Object[] {"public key algorithm too weak to encrypt symmetric key"}
);
}
try {
encryptedEphemeralKey = cipher.doFinal(keyBytes);
} catch (IllegalStateException ex) {
throw new WSSecurityException(
WSSecurityException.FAILED_ENCRYPTION, null, null, ex
);
} catch (IllegalBlockSizeException ex) {
throw new WSSecurityException(
WSSecurityException.FAILED_ENCRYPTION, null, null, ex
);
} catch (BadPaddingException ex) {
throw new WSSecurityException(
WSSecurityException.FAILED_ENCRYPTION, null, null, ex
);
}
Text keyText =
WSSecurityUtil.createBase64EncodedTextNode(document, encryptedEphemeralKey);
//
// Now we need to setup the EncryptedKey header block 1) create a
// EncryptedKey element and set a wsu:Id for it 2) Generate ds:KeyInfo
// element, this wraps the wsse:SecurityTokenReference 3) Create and set
// up the SecurityTokenReference according to the keyIdentifier parameter
// 4) Create the CipherValue element structure and insert the encrypted
// session key
//
encryptedKeyElement = createEncryptedKey(document, keyEncAlgo);
if (encKeyId == null || "".equals(encKeyId)) {
encKeyId = "EK-" + UUIDGenerator.getUUID();
}
encryptedKeyElement.setAttributeNS(null, "Id", encKeyId);
SecurityTokenReference secToken = new SecurityTokenReference(document);
switch (keyIdentifierType) {
case WSConstants.X509_KEY_IDENTIFIER:
secToken.setKeyIdentifier(remoteCert);
break;
case WSConstants.SKI_KEY_IDENTIFIER:
secToken.setKeyIdentifierSKI(remoteCert, crypto);
break;
case WSConstants.THUMBPRINT_IDENTIFIER:
secToken.setKeyIdentifierThumb(remoteCert);
break;
case WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER:
//
// This identifier is not applicable for this case, so fall back to
// ThumbprintRSA.
//
secToken.setKeyIdentifierThumb(remoteCert);
break;
case WSConstants.ISSUER_SERIAL:
String issuer = remoteCert.getIssuerDN().getName();
java.math.BigInteger serialNumber = remoteCert.getSerialNumber();
DOMX509IssuerSerial domIssuerSerial =
new DOMX509IssuerSerial(
document, issuer, serialNumber
);
DOMX509Data domX509Data = new DOMX509Data(document, domIssuerSerial);
secToken.setX509Data(domX509Data);
break;
case WSConstants.BST_DIRECT_REFERENCE:
Reference ref = new Reference(document);
String certUri = UUIDGenerator.getUUID();
ref.setURI("#" + certUri);
bstToken = new X509Security(document);
((X509Security) bstToken).setX509Certificate(remoteCert);
bstToken.setID(certUri);
ref.setValueType(bstToken.getValueType());
secToken.setReference(ref);
break;
case WSConstants.CUSTOM_SYMM_SIGNING :
Reference refCust = new Reference(document);
if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customEKTokenValueType)) {
secToken.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
refCust.setValueType(customEKTokenValueType);
} else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customEKTokenValueType)) {
secToken.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
} else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customEKTokenValueType)) {
secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
refCust.setValueType(customEKTokenValueType);
} else {
refCust.setValueType(customEKTokenValueType);
}
refCust.setURI("#" + customEKTokenId);
secToken.setReference(refCust);
break;
case WSConstants.CUSTOM_SYMM_SIGNING_DIRECT :
Reference refCustd = new Reference(document);
if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customEKTokenValueType)) {
secToken.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
refCustd.setValueType(customEKTokenValueType);
} else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customEKTokenValueType)) {
secToken.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
} else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customEKTokenValueType)) {
secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
refCustd.setValueType(customEKTokenValueType);
} else {
refCustd.setValueType(customEKTokenValueType);
}
refCustd.setURI(customEKTokenId);
secToken.setReference(refCustd);
break;
case WSConstants.CUSTOM_KEY_IDENTIFIER:
secToken.setKeyIdentifier(customEKTokenValueType, customEKTokenId);
if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customEKTokenValueType)) {
secToken.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
} else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customEKTokenValueType)) {
secToken.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
} else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customEKTokenValueType)) {
secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
} else if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(customEKTokenValueType)) {
secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
}
break;
default:
throw new WSSecurityException(WSSecurityException.FAILURE, "unsupportedKeyId");
}
Element keyInfoElement =
document.createElementNS(
WSConstants.SIG_NS, WSConstants.SIG_PREFIX + ":" + WSConstants.KEYINFO_LN
);
keyInfoElement.setAttributeNS(
WSConstants.XMLNS_NS, "xmlns:" + WSConstants.SIG_PREFIX, WSConstants.SIG_NS
);
keyInfoElement.appendChild(secToken.getElement());
encryptedKeyElement.appendChild(keyInfoElement);
Element xencCipherValue = createCipherValue(document, encryptedKeyElement);
xencCipherValue.appendChild(keyText);
envelope = document.getDocumentElement();
}
/**
* Create an ephemeral key
*
* @return an ephemeral key
* @throws WSSecurityException
*/
protected byte[] generateEphemeralKey() throws WSSecurityException {
try {
return WSSecurityUtil.generateNonce(this.keySize / 8);
} catch (Exception e) {
throw new WSSecurityException("Error in creating the ephemeral key", e);
}
}
/**
* Create DOM subtree for xenc:EncryptedKey
*
* @param doc the SOAP envelope parent document
* @param keyTransportAlgo specifies which algorithm to use to encrypt the symmetric key
* @return an xenc:EncryptedKey element
*/
protected Element createEncryptedKey(Document doc, String keyTransportAlgo) {
Element encryptedKey =
doc.createElementNS(WSConstants.ENC_NS, WSConstants.ENC_PREFIX + ":EncryptedKey");
WSSecurityUtil.setNamespace(encryptedKey, WSConstants.ENC_NS, WSConstants.ENC_PREFIX);
Element encryptionMethod =
doc.createElementNS(WSConstants.ENC_NS, WSConstants.ENC_PREFIX + ":EncryptionMethod");
encryptionMethod.setAttributeNS(null, "Algorithm", keyTransportAlgo);
encryptedKey.appendChild(encryptionMethod);
return encryptedKey;
}
protected Element createCipherValue(Document doc, Element encryptedKey) {
Element cipherData =
doc.createElementNS(WSConstants.ENC_NS, WSConstants.ENC_PREFIX + ":CipherData");
Element cipherValue =
doc.createElementNS(WSConstants.ENC_NS, WSConstants.ENC_PREFIX + ":CipherValue");
cipherData.appendChild(cipherValue);
encryptedKey.appendChild(cipherData);
return cipherValue;
}
/**
* Prepend the EncryptedKey element to the elements already in the Security
* header.
*
* The method can be called any time after prepare(). This
* allows to insert the EncryptedKey element at any position in the Security
* header.
*
* @param secHeader The security header that holds the Signature element.
*/
public void prependToHeader(WSSecHeader secHeader) {
WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), encryptedKeyElement);
}
/**
* Append the EncryptedKey element to the elements already in the Security
* header.
*
* The method can be called any time after prepare(). This
* allows to insert the EncryptedKey element at any position in the Security
* header.
*
* @param secHeader The security header that holds the Signature element.
*/
public void appendToHeader(WSSecHeader secHeader) {
Element secHeaderElement = secHeader.getSecurityHeader();
secHeaderElement.appendChild(encryptedKeyElement);
}
/**
* Prepend the BinarySecurityToken to the elements already in the Security
* header.
*
* The method can be called any time after prepare(). This
* allows to insert the BST element at any position in the Security header.
*
* @param secHeader The security header that holds the BST element.
*/
public void prependBSTElementToHeader(WSSecHeader secHeader) {
if (bstToken != null) {
WSSecurityUtil.prependChildElement(
secHeader.getSecurityHeader(), bstToken.getElement()
);
}
bstToken = null;
}
/**
* Append the BinarySecurityToken to the elements already in the Security
* header.
*
* The method can be called any time after prepare(). This
* allows to insert the BST element at any position in the Security header.
*
* @param secHeader The security header that holds the BST element.
*/
public void appendBSTElementToHeader(WSSecHeader secHeader) {
if (bstToken != null) {
Element secHeaderElement = secHeader.getSecurityHeader();
secHeaderElement.appendChild(bstToken.getElement());
}
bstToken = null;
}
/**
* @return Returns the ephemeralKey.
*/
public byte[] getEphemeralKey() {
return ephemeralKey;
}
/**
* Set the X509 Certificate to use for encryption.
*
* If this is set and the key identifier is set to
* DirectReference then use this certificate to get the
* public key for encryption.
*
* @param cert is the X509 certificate to use for encryption
*/
public void setUseThisCert(X509Certificate cert) {
useThisCert = cert;
}
/**
* @return Returns the encryptedKeyElement.
*/
public Element getEncryptedKeyElement() {
return encryptedKeyElement;
}
/**
* Set the encrypted key element when a pre prepared encrypted key is used
* @param encryptedKeyElement EncryptedKey element of the encrypted key used
*/
public void setEncryptedKeyElement(Element encryptedKeyElement) {
this.encryptedKeyElement = encryptedKeyElement;
}
/**
* @return Returns the BinarySecurityToken element.
*/
public Element getBinarySecurityTokenElement() {
if (bstToken != null) {
return bstToken.getElement();
}
return null;
}
public void setKeySize(int keySize) throws WSSecurityException {
if (keySize < 64) {
// Minimum size has to be 64 bits - E.g. A DES key
throw new WSSecurityException("invalidKeySize");
}
this.keySize = keySize;
}
public void setKeyEncAlgo(String keyEncAlgo) {
this.keyEncAlgo = keyEncAlgo;
}
/**
* @param ephemeralKey The ephemeralKey to set.
*/
public void setEphemeralKey(byte[] ephemeralKey) {
this.ephemeralKey = ephemeralKey;
}
/**
* Get the id of the BSt generated during prepare().
*
* @return Returns the the value of wsu:Id attribute of the
* BinaruSecurityToken element.
*/
public String getBSTTokenId() {
if (bstToken == null) {
return null;
}
return bstToken.getID();
}
/**
* @param document The document to set.
*/
public void setDocument(Document document) {
this.document = document;
}
/**
* @param encKeyId The encKeyId to set.
*/
public void setEncKeyId(String encKeyId) {
this.encKeyId = encKeyId;
}
public boolean isCertSet() {
return (useThisCert == null ? true : false) ;
}
public byte[] getEncryptedEphemeralKey() {
return encryptedEphemeralKey;
}
public void setCustomEKTokenValueType(String customEKTokenValueType) {
this.customEKTokenValueType = customEKTokenValueType;
}
public void setCustomEKTokenId(String customEKTokenId) {
this.customEKTokenId = customEKTokenId;
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy