com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of webservices-osgi Show documentation
Show all versions of webservices-osgi Show documentation
Metro Web Services Runtime OSGi Bundle
/*
* Copyright (c) 1997, 2020 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Distribution License v. 1.0, which is available at
* http://www.eclipse.org/org/documents/edl-v10.php.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
package com.sun.xml.ws.security.opt.impl.incoming.processor;
import org.apache.xml.security.exceptions.Base64DecodingException;
import org.glassfish.jaxb.runtime.v2.runtime.unmarshaller.Base64Data;
import com.sun.xml.ws.security.opt.impl.JAXBFilterProcessingContext;
import com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey;
import com.sun.xml.ws.security.opt.impl.util.NamespaceContextEx;
import com.sun.xml.ws.security.opt.impl.util.StreamUtil;
import com.sun.xml.wss.XWSSecurityException;
import com.sun.xml.wss.impl.MessageConstants;
import com.sun.xml.wss.impl.misc.Base64;
import com.sun.xml.wss.impl.misc.SecurityUtil;
import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
import com.sun.xml.wss.logging.LogDomainConstants;
import java.security.Key;
import java.util.logging.Logger;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.crypto.KeySelector.Purpose;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.XMLStreamWriter;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import org.jvnet.staxex.XMLStreamReaderEx;
import java.util.logging.Level;
import com.sun.xml.wss.logging.impl.opt.LogStringsMessages;
import java.security.PublicKey;
/**
*
* @author [email protected]
*/
public class KeyInfoProcessor {
private static final Logger logger = Logger.getLogger(LogDomainConstants.IMPL_OPT_DOMAIN,
LogDomainConstants.IMPL_OPT_DOMAIN_BUNDLE);
private static String KEYINFO = "KeyInfo".intern();
private static String SECURITY_TOKEN_REFERENCE = "SecurityTokenReference".intern();
private static final int SECURITY_TOKEN_REFERENCE_ELEMENT = 3;
private static final int ENCRYPTED_KEY_ELEMENT = 4;
private static final int KEY_VALUE_ELEMENT = 5;
private static final int RSA_KEY_VALUE_ELEMENT = 6;
private static final int DSA_KEY_VALUE_ELEMENT = 7;
private static final int MODULUS_ELEMENT = 8;
private static final int EXPONENT_ELEMENT = 9;
private static final int X509_DATA_ELEMENT = 10;
private static final int BINARY_SECRET_ELEMENT = 11;
private static final String RSA_KEY_VALUE = "RSAKeyValue";
private static final String DSA_KEY_VALUE = "DSAKeyValue";
private static final String ENCRYPTED_KEY = "EncryptedKey";
private static final String KEY_VALUE = "KeyValue";
private static final String EXPONENT = "Exponent";
private static final String MODULUS = "Modulus";
private static final String X509_DATA = "X509Data";
private static final String X509Certificate = "X509Certificate";
private static final String BINARY_SECRET = "BinarySecret";
private boolean strPresent = false;
private JAXBFilterProcessingContext pc = null;
private XMLStreamWriter canonWriter = null;
private boolean isSAMLSubjectConfirmationKeyInfo = false;
private Purpose purpose = null;
/** Creates a new instance of KeyInfoProcessor */
public KeyInfoProcessor(JAXBFilterProcessingContext pc) {
this.pc = pc;
((NamespaceContextEx)pc.getNamespaceContext()).addSignatureNS();
}
public KeyInfoProcessor(JAXBFilterProcessingContext pc, XMLStreamWriter canonWriter,Purpose purpose) {
this.pc = pc;
this.canonWriter = canonWriter;
this.purpose = purpose;
}
public KeyInfoProcessor(JAXBFilterProcessingContext pc,Purpose purpose) {
this.pc = pc;
this.purpose = purpose;
}
public KeyInfoProcessor(JAXBFilterProcessingContext pc,Purpose purpose, boolean isSAMLSCKey) {
this.pc = pc;
this.purpose = purpose;
this.isSAMLSubjectConfirmationKeyInfo = isSAMLSCKey;
}
public Key getKey(XMLStreamReader reader) throws XMLStreamException, XWSSecurityException{
return processKeyInfo(reader);
}
/**
* gets the event type from the reader,processes it and returns the key calculated from it
* @param reader XMLStreamReader
* @return Key
* @throws javax.xml.stream.XMLStreamException
* @throws com.sun.xml.wss.XWSSecurityException
*/
private Key processKeyInfo(XMLStreamReader reader) throws XMLStreamException, XWSSecurityException{
//Start element for KeyInfo
Key retKey = null;
if(canonWriter != null)
StreamUtil.writeStartElement(reader, canonWriter);
while(reader.hasNext() && !StreamUtil._break(reader,KEYINFO,MessageConstants.DSIG_NS)){
reader.next();
int eventType = getEventType(reader);
switch(eventType){
case SECURITY_TOKEN_REFERENCE_ELEMENT : {
SecurityTokenProcessor stp = new SecurityTokenProcessor(pc, canonWriter, purpose);
retKey = stp.resolveReference(reader);
strPresent = true;
break;
}
case ENCRYPTED_KEY_ELEMENT :{
EncryptedKey ek = new EncryptedKey(reader,pc,null,true);
String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
if (pc.getAlgorithmSuite() != null) {
dataEncAlgo = pc.getAlgorithmSuite().getEncryptionAlgorithm();
}
retKey = ek.getKey(dataEncAlgo);
break;
}
case KEY_VALUE_ELEMENT :{
if(canonWriter != null){
StreamUtil.writeCurrentEvent(reader,canonWriter);
}
retKey = new KeyValueProcessor(pc,canonWriter).processKeyValue(reader);
//if the purpose is signature verification, we need to make sure we
//trust the certificate. in case of HOK SAML this can be the cert of the IP
if (!this.isSAMLSubjectConfirmationKeyInfo && this.purpose == Purpose.VERIFY ) {
X509Certificate cer = null;
try{
cer = pc.getSecurityEnvironment().getCertificate(pc.getExtraneousProperties(),(PublicKey)retKey, false);
}catch(XWSSecurityException ex){
//Ignore it. Its a RSA KeyPair scenario, so certificate won't be present in the server truststore'
}
if(cer != null){
pc.getSecurityEnvironment().validateCertificate(cer, pc.getExtraneousProperties());
}
pc.getSecurityContext().setInferredKB(new AuthenticationTokenPolicy.KeyValueTokenBinding());
}
break;
}
case BINARY_SECRET_ELEMENT:{
reader.next();
retKey = buildBinarySecret(reader);
break;
}
case X509_DATA_ELEMENT:{
if(canonWriter != null){
StreamUtil.writeCurrentEvent(reader,canonWriter);
}
StreamUtil.moveToNextStartOREndElement(reader, canonWriter);
if(reader.getLocalName() == X509Certificate && reader.getNamespaceURI() == MessageConstants.DSIG_NS){
reader.next();
StringBuffer sb = null;
byte [] value = null;
CharSequence charSeq = ((XMLStreamReaderEx)reader).getPCDATA();
if(charSeq instanceof Base64Data){
Base64Data bd = (Base64Data) ((XMLStreamReaderEx)reader).getPCDATA();
value = bd.getExact();
if(canonWriter != null){
String ev = Base64.encode(value);
canonWriter.writeCharacters(ev);
}
}else {
sb = new StringBuffer();
while(reader.getEventType() == reader.CHARACTERS && reader.getEventType() != reader.END_ELEMENT){
charSeq = ((XMLStreamReaderEx)reader).getPCDATA();
for(int i=0;i