/*
* Copyright (c) 2010, 2018 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Distribution License v. 1.0, which is available at
* http://www.eclipse.org/org/documents/edl-v10.php.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
/*
* $Id: DefaultSecurityEnvironmentImpl.java,v 1.4 2010-10-21 15:37:30 snajper Exp $
*/
package com.sun.xml.wss.impl.misc;
import org.apache.xml.security.exceptions.Base64DecodingException;
import com.sun.xml.ws.api.server.WSEndpoint;
import com.sun.xml.ws.security.impl.kerberos.KerberosContext;
import com.sun.xml.ws.security.impl.kerberos.KerberosLogin;
import com.sun.xml.ws.security.opt.impl.util.SOAPUtil;
import com.sun.xml.wss.NonceManager;
import com.sun.xml.wss.ProcessingContext;
import com.sun.xml.wss.RealmAuthenticationAdapter;
import java.math.BigInteger;
import java.security.Key;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.Properties;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.crypto.SecretKey;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.x500.X500Principal;
import javax.xml.namespace.QName;
import com.sun.xml.wss.core.Timestamp;
import com.sun.xml.wss.impl.FilterProcessingContext;
import com.sun.xml.wss.logging.LogDomainConstants;
import com.sun.xml.wss.impl.MessageConstants;
import com.sun.xml.wss.XWSSecurityException;
import com.sun.xml.wss.impl.WssSoapFaultException;
import com.sun.xml.wss.SecurityEnvironment;
import com.sun.xml.wss.core.reference.X509SubjectKeyIdentifier;
import com.sun.xml.wss.impl.SecurableSoapMessage;
import com.sun.xml.wss.impl.XWSSecurityRuntimeException;
import com.sun.xml.wss.impl.callback.PasswordCallback;
import com.sun.xml.wss.impl.callback.PasswordValidationCallback;
import com.sun.xml.wss.impl.callback.UsernameCallback;
import com.sun.xml.wss.impl.callback.SignatureKeyCallback;
import com.sun.xml.wss.impl.callback.EncryptionKeyCallback;
import com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback;
import com.sun.xml.wss.impl.callback.DecryptionKeyCallback;
import com.sun.xml.wss.impl.callback.CertificateValidationCallback;
import com.sun.xml.wss.impl.callback.DynamicPolicyCallback;
import com.sun.xml.wss.impl.callback.SAMLValidator;
import com.sun.xml.wss.impl.callback.TimestampValidationCallback;
import com.sun.xml.wss.saml.Assertion;
import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
import com.sun.xml.wss.impl.configuration.DynamicApplicationContext;
import com.sun.xml.wss.logging.LogStringsMessages;
import com.sun.xml.wss.util.XWSSUtil;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.x500.X500PrivateCredential;
import javax.xml.stream.XMLStreamReader;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSName;
import org.w3c.dom.Element;
import org.w3c.dom.Document;
//TODO: support PrefixNamespaceMappingCallback
public class DefaultSecurityEnvironmentImpl implements SecurityEnvironment {
// Offset of the JVM default time zone from UTC in milliseconds, including the
// DST savings if daylight time was in effect when this class was loaded.
// NOTE(review): computed once at class-load time; a DST transition after
// start-up is not reflected here — confirm where this value feeds timestamp
// comparisons before relying on it.
private static final long offset;
static {
    GregorianCalendar now = new GregorianCalendar();
    long zoneOffsetMillis = now.get(Calendar.ZONE_OFFSET);
    boolean dstInEffect = now.getTimeZone().inDaylightTime(now.getTime());
    if (dstInEffect) {
        zoneOffsetMillis += now.getTimeZone().getDSTSavings();
    }
    offset = zoneOffsetMillis;
}
/** Logger for the WSS API domain; protected so subclasses share it. */
protected static final Logger log = Logger.getLogger(
LogDomainConstants.WSS_API_DOMAIN, LogDomainConstants.WSS_API_DOMAIN_BUNDLE);
// xsd:dateTime formatters without and with milliseconds. The 'Z' is a quoted
// literal, so values are rendered in the JVM default time zone, not UTC.
// NOTE(review): SimpleDateFormat is not thread-safe; if one instance of this
// environment serves several request threads, concurrent use of these two
// fields is a data race — confirm how instances are scoped.
private final SimpleDateFormat calendarFormatter1 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
private final SimpleDateFormat calendarFormatter2 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'.'SSS'Z'");
// Handler that answers every key, certificate and validation request.
private CallbackHandler callbackHandler = null;
// True when callbackHandler is the built-in DefaultCallbackHandler.
private boolean isDefaultHandler = false;
// NOTE(review): never assigned in the visible part of this file; the code
// that would populate it is commented out in both constructors.
private X509Certificate selfCertificate = null;
// Configuration assertions passed to the two-argument constructor (null otherwise).
private Properties configAssertions = null;
// Maximum accepted nonce age, overridable via DefaultCallbackHandler.MAX_NONCE_AGE_PROPERTY.
// NOTE(review): an older comment here read "milliseconds (set to 5 mins), time for
// which a timestamp is considered fresh"; the unit of MAX_NONCE_AGE is not visible
// in this file — confirm against MessageConstants.
private long maxNonceAge = MessageConstants.MAX_NONCE_AGE;
// Raw string value of the max-nonce-age property, if configured.
private String mnaProperty = null;
// Name of the JAAS login configuration entry used to obtain keystore credentials (optional).
private String JAASLoginModuleForKeystore;
// Subject produced by that JAAS login; its X500PrivateCredential, when present,
// is preferred over callback-handler lookups throughout this class.
private Subject loginContextSubjectForKeystore;
// Class name of the CallbackHandler handed to the keystore LoginContext (optional).
private String keyStoreCBH;
// Reflectively created instance of the class named by keyStoreCBH.
private CallbackHandler keystoreCbHandlerClass;
/**
 * Creates an environment that resolves all key material through the given handler.
 *
 * @param cHandler callback handler consulted for keys, certificates and
 *                 validation; a {@code DefaultCallbackHandler} is remembered
 *                 as such in {@code isDefaultHandler}
 */
public DefaultSecurityEnvironmentImpl(CallbackHandler cHandler) {
    callbackHandler = cHandler;
    // instanceof is false for null, so a missing handler leaves the flag cleared
    isDefaultHandler = cHandler instanceof DefaultCallbackHandler;
}
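/**
 * Creates an environment whose behaviour is tuned by configuration assertions.
 * <p>
 * Reads {@code MAX_NONCE_AGE_PROPERTY}, {@code JAAS_KEYSTORE_LOGIN_MODULE} and
 * {@code KEYSTORE_CBH} from {@code confAssertions}; when a JAAS login module
 * is configured the keystore login is performed right away.
 *
 * @param cHandler       callback handler consulted for keys, certificates and validation
 * @param confAssertions configuration properties; must not be {@code null}
 * @throws XWSSecurityRuntimeException if the configured JAAS keystore login fails
 */
public DefaultSecurityEnvironmentImpl(CallbackHandler cHandler, Properties confAssertions) {
    this.configAssertions = confAssertions;
    callbackHandler = cHandler;
    isDefaultHandler = cHandler instanceof DefaultCallbackHandler;
    this.mnaProperty = configAssertions.getProperty(DefaultCallbackHandler.MAX_NONCE_AGE_PROPERTY);
    if (this.mnaProperty != null) {
        try {
            maxNonceAge = SecurityUtil.toLong(mnaProperty);
        } catch (XWSSecurityException ex) {
            // A non-numeric value means a security parameter (maximum nonce
            // age) was misconfigured; report it at WARNING rather than FINE so
            // it is not silently ignored, then fall back to the default so
            // start-up still succeeds.
            log.log(Level.WARNING, " Exception while converting maxNonceAge config property, Setting MaxNonceAge to Default value {0}", MessageConstants.MAX_NONCE_AGE);
            maxNonceAge = MessageConstants.MAX_NONCE_AGE;
        }
    }
    JAASLoginModuleForKeystore = configAssertions.getProperty(DefaultCallbackHandler.JAAS_KEYSTORE_LOGIN_MODULE);
    keyStoreCBH = configAssertions.getProperty(DefaultCallbackHandler.KEYSTORE_CBH);
    // must run after the two fields above are set: it reads both
    loginContextSubjectForKeystore = initJAASKeyStoreLoginModule();
}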
/**
 * Returns the certificate to sign with when no alias was specified.
 * <p>
 * A certificate held by the JAAS keystore login Subject wins; otherwise a
 * {@code SignatureKeyCallback.DefaultPrivKeyCertRequest} is put to the
 * callback handler. Applicable only for the signing case.
 *
 * @param context runtime properties made available to CertSelectors; may be {@code null}
 * @return the default signing certificate, never {@code null}
 * @throws XWSSecurityException if the handler fails or yields no certificate
 */
public X509Certificate getDefaultCertificate(Map context) throws XWSSecurityException {
    X509Certificate fromLogin = getPublicCredentialsFromLCSubject();
    if (fromLogin != null) {
        return fromLogin;
    }
    SignatureKeyCallback.PrivKeyCertRequest request =
        new SignatureKeyCallback.DefaultPrivKeyCertRequest();
    SignatureKeyCallback keyCallback = new SignatureKeyCallback(request);
    // hand every runtime property to the handler so CertSelectors can use them
    if (context != null) {
        ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
    }
    try {
        callbackHandler.handle(new Callback[]{keyCallback});
    } catch (Exception e) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("SignatureKeyCallback.DefaultPrivKeyCertRequest"),
            new Object[]{"SignatureKeyCallback.DefaultPrivKeyCertRequest"});
        log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
        throw new XWSSecurityException(e);
    }
    X509Certificate resolved = request.getX509Certificate();
    if (resolved == null) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0218_CANNOT_LOCATE_DEFAULT_CERT());
        throw new XWSSecurityException(
            "Unable to locate a default certificate");
    }
    return resolved;
}
/**
 * Builds a {@code PrivKeyCertRequest} describing the default signing key and certificate.
 * <p>
 * If the JAAS keystore login Subject holds an {@link X500PrivateCredential},
 * the request is filled from it and the callback handler is not consulted.
 *
 * @param context runtime properties copied to the callback; may be {@code null}
 * @return the request; certificate and key may still be {@code null} if the handler set neither
 * @throws XWSSecurityException if the callback handler throws
 */
public SignatureKeyCallback.PrivKeyCertRequest getDefaultPrivKeyCertRequest(Map context) throws XWSSecurityException {
    SignatureKeyCallback.PrivKeyCertRequest request =
        new SignatureKeyCallback.DefaultPrivKeyCertRequest();
    SignatureKeyCallback keyCallback = new SignatureKeyCallback(request);
    // all runtime properties are handed over so CertSelectors can see them
    if (context != null) {
        ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
    }
    X500PrivateCredential loginCred = getPKCredentialsFromLCSubject();
    if (loginCred != null) {
        request.setX509Certificate(loginCred.getCertificate());
        request.setPrivateKey(loginCred.getPrivateKey());
        return request;
    }
    try {
        callbackHandler.handle(new Callback[]{keyCallback});
    } catch (Exception e) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("SignatureKeyCallback.DefaultPrivKeyCertRequest"),
            new Object[]{"SignatureKeyCallback.DefaultPrivKeyCertRequest"});
        log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
        throw new XWSSecurityException(e);
    }
    return request;
}
/**
 * Builds an {@code AliasPrivKeyCertRequest} for the given keystore alias.
 * <p>
 * A JAAS keystore login credential whose alias equals {@code certIdentifier}
 * satisfies the request directly; otherwise the callback handler is asked.
 *
 * @param certIdentifier keystore alias of the signing key; must not be {@code null}
 * @return the request (its contents may be {@code null} if the handler found nothing)
 * @throws XWSSecurityException if the callback handler throws
 */
public SignatureKeyCallback.AliasPrivKeyCertRequest getAliasPrivKeyCertRequest(String certIdentifier) throws XWSSecurityException {
    SignatureKeyCallback.AliasPrivKeyCertRequest aliasRequest =
        new SignatureKeyCallback.AliasPrivKeyCertRequest(certIdentifier);
    X500PrivateCredential loginCred = getPKCredentialsFromLCSubject();
    boolean loginCredMatches = loginCred != null && certIdentifier.equals(loginCred.getAlias());
    if (loginCredMatches) {
        aliasRequest.setX509Certificate(loginCred.getCertificate());
        aliasRequest.setPrivateKey(loginCred.getPrivateKey());
        return aliasRequest;
    }
    SignatureKeyCallback keyCallback = new SignatureKeyCallback(aliasRequest);
    try {
        callbackHandler.handle(new Callback[]{keyCallback});
    } catch (Exception e) {
        log.log(Level.SEVERE,LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("SignatureKeyCallback.AliasPrivKeyCertRequest"),
            new Object[]{"SignatureKeyCallback.AliasPrivKeyCertRequest"});
        log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
        throw new XWSSecurityException(e);
    }
    return aliasRequest;
}
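/**
 * Returns the private key to sign with when no alias was specified.
 * <p>
 * The JAAS keystore login credential wins; otherwise a
 * {@code SignatureKeyCallback.DefaultPrivKeyCertRequest} is put to the handler.
 *
 * @param context runtime properties made available to CertSelectors; may be {@code null}
 * @return the default signing key, never {@code null}
 * @throws XWSSecurityException if the handler fails or yields no private key
 */
public PrivateKey getDefaultPrivateKey(Map context) throws XWSSecurityException {
    X500PrivateCredential loginCred = getPKCredentialsFromLCSubject();
    if (loginCred != null) {
        return loginCred.getPrivateKey();
    }
    SignatureKeyCallback.PrivKeyCertRequest request =
        new SignatureKeyCallback.DefaultPrivKeyCertRequest();
    SignatureKeyCallback keyCallback = new SignatureKeyCallback(request);
    // hand every runtime property to the handler so CertSelectors can use them
    if (context != null) {
        ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
    }
    try {
        callbackHandler.handle(new Callback[]{keyCallback});
    } catch (Exception e) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("SignatureKeyCallback.DefaultPrivKeyCertRequest"),
            new Object[]{"SignatureKeyCallback.DefaultPrivKeyCertRequest"});
        log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
        throw new XWSSecurityException(e);
    }
    PrivateKey resolved = request.getPrivateKey();
    if (resolved == null) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0219_CANNOT_LOCATE_DEFAULT_PRIVKEY());
        // the message used to say "certificate", which misdirected diagnosis
        throw new XWSSecurityException(
            "Unable to locate a default private key");
    }
    return resolved;
}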
/**
 * Resolves a symmetric key by keystore alias through the callback handler.
 * <p>
 * Uses an {@code EncryptionKeyCallback.AliasSymmetricKeyRequest} when
 * {@code encryptMode} is set and a
 * {@code DecryptionKeyCallback.AliasSymmetricKeyRequest} otherwise.
 *
 * @param context     runtime properties copied to the callback
 * @param alias       keystore alias of the symmetric key
 * @param encryptMode {@code true} when the key is needed for encryption
 * @return the symmetric key, never {@code null}
 * @throws XWSSecurityException if the handler fails or no key is found
 */
public SecretKey getSecretKey(Map context, String alias, boolean encryptMode)
        throws XWSSecurityException {
    SecretKey resolvedKey;
    if (encryptMode) {
        EncryptionKeyCallback.SymmetricKeyRequest request =
            new EncryptionKeyCallback.AliasSymmetricKeyRequest(alias);
        EncryptionKeyCallback keyCallback = new EncryptionKeyCallback(request);
        ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
        try {
            callbackHandler.handle(new Callback[]{keyCallback});
        } catch (Exception e) {
            log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("EncryptionKeyCallback.AliasSymmetricKeyRequest"),
                new Object[]{"EncryptionKeyCallback.AliasSymmetricKeyRequest"});
            log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
            throw new XWSSecurityException(e);
        }
        resolvedKey = request.getSymmetricKey();
    } else {
        DecryptionKeyCallback.SymmetricKeyRequest request =
            new DecryptionKeyCallback.AliasSymmetricKeyRequest(alias);
        DecryptionKeyCallback keyCallback = new DecryptionKeyCallback(request);
        ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
        try {
            callbackHandler.handle(new Callback[]{keyCallback});
        } catch (Exception e) {
            log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("DecryptionKeyCallback.AliasSymmetricKeyRequest"),
                new Object[]{"DecryptionKeyCallback.AliasSymmetricKeyRequest"});
            log.log(Level.SEVERE,LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
            throw new XWSSecurityException(e);
        }
        resolvedKey = request.getSymmetricKey();
    }
    if (resolvedKey == null) {
        // the same "for decrypt" message is logged in both modes
        log.log(Level.SEVERE, LogStringsMessages.WSS_0220_CANNOT_LOCATE_SYMMETRICKEY_FOR_DECRYPT());
        throw new XWSSecurityException(
            "Could not locate the symmetric key for alias '" + alias + "'");
    }
    return resolvedKey;
}
/**
 * Resolves the certificate for a keystore alias.
 * <p>
 * Lookup order: the default signing certificate (see the condition below),
 * then the JAAS keystore login Subject, then a
 * {@code SignatureKeyCallback.AliasPrivKeyCertRequest} (signing) or an
 * {@code EncryptionKeyCallback.AliasX509CertificateRequest} (key encryption)
 * put to the callback handler.
 *
 * @param context    runtime properties copied to the callback
 * @param alias      keystore alias; {@code null} (and, when signing, empty) selects the default
 * @param forSigning {@code true} for a signing certificate, {@code false} for a key-encryption certificate
 * @return the certificate, never {@code null}
 * @throws XWSSecurityException if the handler fails or no certificate is found
 */
public X509Certificate getCertificate(Map context, String alias, boolean forSigning)
        throws XWSSecurityException {
    // Precedence as the original condition parses: a null alias always falls
    // back to the default (signing) certificate, an empty alias only when signing.
    // NOTE(review): getDefaultCertificate is documented as signing-only, so the
    // null-alias/encryption path looks unintended — confirm before changing it.
    boolean useDefault = alias == null || ("".equals(alias) && forSigning);
    if (useDefault) {
        return getDefaultCertificate(context);
    }
    X509Certificate resolved = getPublicCredentialsFromLCSubject();
    if (resolved != null) {
        return resolved;
    }
    if (forSigning) {
        SignatureKeyCallback.PrivKeyCertRequest request =
            new SignatureKeyCallback.AliasPrivKeyCertRequest(alias);
        SignatureKeyCallback keyCallback = new SignatureKeyCallback(request);
        ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
        try {
            callbackHandler.handle(new Callback[]{keyCallback});
        } catch (Exception e) {
            log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("SignatureKeyCallback.AliasPrivKeyCertRequest"),
                new Object[]{"SignatureKeyCallback.AliasPrivKeyCertRequest"});
            log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
            throw new XWSSecurityException(e);
        }
        resolved = request.getX509Certificate();
    } else {
        EncryptionKeyCallback.X509CertificateRequest request =
            new EncryptionKeyCallback.AliasX509CertificateRequest(alias);
        EncryptionKeyCallback keyCallback = new EncryptionKeyCallback(request);
        // every runtime property goes to the handler so CertSelectors can use them
        ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
        try {
            callbackHandler.handle(new Callback[]{keyCallback});
        } catch (Exception e) {
            log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("EncryptionKeyCallback.AliasX509CertificateRequest"),
                new Object[]{"EncryptionKeyCallback.AliasX509CertificateRequest"});
            log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
            throw new XWSSecurityException(e);
        }
        resolved = request.getX509Certificate();
    }
    if (resolved == null) {
        String usage = forSigning ? "Signature" : "Key Encryption";
        log.log(Level.SEVERE, LogStringsMessages.WSS_0221_CANNOT_LOCATE_CERT(usage), new Object[]{usage});
        throw new XWSSecurityException(
            "Unable to locate certificate for the alias '" + alias + "'");
    }
    return resolved;
}
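/**
 * Resolves the certificate that carries the given public key.
 * <p>
 * The JAAS keystore login certificate is returned when its public key equals
 * {@code publicKey}; otherwise a {@code PublicKeyBasedRequest} is put to the
 * handler — {@code SignatureVerificationKeyCallback} when {@code forSign} is
 * {@code false}, {@code EncryptionKeyCallback} when it is {@code true}.
 *
 * @param context   runtime properties copied to the callback
 * @param publicKey public key to match
 * @param forSign   {@code true} for the encryption-side lookup, {@code false} for signature verification
 * @return the matching certificate, or {@code null} if the handler did not support
 *         the request or found nothing (callers must check)
 * @throws XWSSecurityException if the handler fails for any other reason
 */
public X509Certificate getCertificate(Map context, PublicKey publicKey, boolean forSign)
        throws XWSSecurityException {
    X509Certificate loginCert = getPublicCredentialsFromLCSubject();
    if (loginCert != null && loginCert.getPublicKey().equals(publicKey)) {
        return loginCert;
    }
    if (!forSign) {
        SignatureVerificationKeyCallback.PublicKeyBasedRequest request =
            new SignatureVerificationKeyCallback.PublicKeyBasedRequest(publicKey);
        SignatureVerificationKeyCallback keyCallback = new SignatureVerificationKeyCallback(request);
        ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
        try {
            callbackHandler.handle(new Callback[]{keyCallback});
        } catch (UnsupportedCallbackException unsupported) {
            // Best effort: a handler that cannot serve this request leaves it
            // unfilled and null is returned below. Record it so a missing
            // certificate can be traced back to the handler's capabilities.
            if (log.isLoggable(Level.FINE)) {
                log.log(Level.FINE, "SignatureVerificationKeyCallback.PublicKeyBasedRequest not supported by the callback handler", unsupported);
            }
        } catch (Exception e) {
            log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("SignatureVerificationKeyCallback.PublicKeyBasedRequest"),
                new Object[]{"SignatureVerificationKeyCallback.PublicKeyBasedRequest"});
            log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
            throw new XWSSecurityException(e);
        }
        return request.getX509Certificate();
    }
    EncryptionKeyCallback.PublicKeyBasedRequest request =
        new EncryptionKeyCallback.PublicKeyBasedRequest(publicKey);
    EncryptionKeyCallback keyCallback = new EncryptionKeyCallback(request);
    ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
    try {
        callbackHandler.handle(new Callback[]{keyCallback});
    } catch (UnsupportedCallbackException unsupported) {
        // same best-effort contract as the verification branch above
        if (log.isLoggable(Level.FINE)) {
            log.log(Level.FINE, "EncryptionKeyCallback.PublicKeyBasedRequest not supported by the callback handler", unsupported);
        }
    } catch (Exception e) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("EncryptionKeyCallback.PublicKeyBasedRequest"),
            new Object[]{"EncryptionKeyCallback.PublicKeyBasedRequest"});
        log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
        throw new XWSSecurityException(e);
    }
    return request.getX509Certificate();
}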
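/**
 * Resolves the signing private key for a keystore alias.
 * <p>
 * A {@code null} alias selects the default key. Otherwise the JAAS keystore
 * login credential is used when its alias matches, and a
 * {@code SignatureKeyCallback.AliasPrivKeyCertRequest} is put to the handler
 * as a last resort.
 *
 * @param context runtime properties copied to the callback
 * @param alias   keystore alias, or {@code null} for the default key
 * @return the private key, never {@code null}
 * @throws XWSSecurityException if the handler fails or no key is found
 */
public PrivateKey getPrivateKey(Map context, String alias)
        throws XWSSecurityException {
    if (alias == null) {
        return getDefaultPrivateKey(context);
    }
    X500PrivateCredential loginCred = getPKCredentialsFromLCSubject();
    // alias is non-null here, so comparing in this direction also tolerates a
    // credential without an alias (getAlias() == null), which used to throw NPE;
    // this matches the direction used by getAliasPrivKeyCertRequest
    if (loginCred != null && alias.equals(loginCred.getAlias())) {
        return loginCred.getPrivateKey();
    }
    SignatureKeyCallback.PrivKeyCertRequest request =
        new SignatureKeyCallback.AliasPrivKeyCertRequest(alias);
    SignatureKeyCallback keyCallback = new SignatureKeyCallback(request);
    ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
    try {
        callbackHandler.handle(new Callback[]{keyCallback});
    } catch (Exception e) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("SignatureKeyCallback.AliasPrivKeyCertRequest"),
            new Object[]{"SignatureKeyCallback.AliasPrivKeyCertRequest"});
        log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
        throw new XWSSecurityException(e);
    }
    PrivateKey resolved = request.getPrivateKey();
    if (resolved == null) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0222_CANNOT_LOCATE_PRIVKEY(alias), new Object[]{alias});
        throw new XWSSecurityException(
            "Unable to locate private key for the alias " + alias);
    }
    return resolved;
}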
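/**
 * Resolves a decryption private key from a key-identifier or thumbprint reference.
 * <p>
 * When {@code valueType} is {@code MessageConstants.KEY_INDETIFIER_TYPE} the
 * lookup is delegated to {@link #getPrivateKey(Map, byte[])}; otherwise
 * {@code identifier} is treated as a base64 certificate thumbprint, checked
 * against the JAAS keystore login certificate and then against a
 * {@code DecryptionKeyCallback.ThumbprintBasedRequest}.
 *
 * @param context    runtime properties copied to the callback
 * @param identifier base64-encoded key identifier or thumbprint from the inbound reference
 * @param valueType  reference value type
 * @return the private key, never {@code null}
 * @throws XWSSecurityException if the identifier cannot be decoded, the handler fails, or no key matches
 */
public PrivateKey getPrivateKey(Map context, byte[] identifier, String valueType)
        throws XWSSecurityException {
    if (MessageConstants.KEY_INDETIFIER_TYPE.equals(valueType)) {
        return getPrivateKey(context, identifier);
    }
    // otherwise the identifier is a thumbprint
    X500PrivateCredential loginCred = getPKCredentialsFromLCSubject();
    if (loginCred != null) {
        byte[] thumbprint;
        try {
            thumbprint = Base64.decode(identifier);
        } catch (Base64DecodingException ex) {
            // Narrowed from catch (Exception) so that a decoding failure of the
            // caller-supplied identifier is reported with the same message as
            // the key-identifier and certificate variants, while an
            // XWSSecurityException from the comparison propagates unwrapped.
            log.log(Level.SEVERE, LogStringsMessages.WSS_0816_BASE_64_DECODING_ERROR(), ex);
            throw new XWSSecurityException(ex);
        }
        if (matchesThumbPrint(thumbprint, loginCred.getCertificate())) {
            return loginCred.getPrivateKey();
        }
    }
    DecryptionKeyCallback.PrivateKeyRequest request =
        new DecryptionKeyCallback.ThumbprintBasedRequest(identifier);
    DecryptionKeyCallback keyCallback = new DecryptionKeyCallback(request);
    ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
    try {
        callbackHandler.handle(new Callback[]{keyCallback});
    } catch (Exception e) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("DecryptionKeyCallback.ThumbprintBasedRequest"),
            new Object[]{"DecryptionKeyCallback.ThumbprintBasedRequest"});
        log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
        throw new XWSSecurityException(e);
    }
    PrivateKey resolved = request.getPrivateKey();
    if (resolved == null) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0222_CANNOT_LOCATE_PRIVKEY(identifier), new Object[]{identifier});
        throw new XWSSecurityException(
            "No Matching private key for " + Base64.encode(identifier) + " thumb print identifier found");
    }
    return resolved;
}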
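/**
 * Resolves a decryption private key from a base64 X.509 subject key identifier.
 * <p>
 * The JAAS keystore login certificate is checked first; otherwise a
 * {@code DecryptionKeyCallback.X509SubjectKeyIdentifierBasedRequest} is put
 * to the handler.
 *
 * @param context       runtime properties copied to the callback
 * @param keyIdentifier base64-encoded subject key identifier from the inbound reference
 * @return the private key, never {@code null}
 * @throws XWSSecurityException if the identifier cannot be decoded, the handler fails, or no key matches
 */
public PrivateKey getPrivateKey(Map context, byte[] keyIdentifier)
        throws XWSSecurityException {
    X500PrivateCredential loginCred = getPKCredentialsFromLCSubject();
    if (loginCred != null) {
        byte[] subjectKeyId;
        try {
            subjectKeyId = Base64.decode(keyIdentifier);
        } catch (Base64DecodingException ex) {
            // was logged with a null message; use the same message as the
            // certificate lookups so the failure is identifiable in the log
            log.log(Level.SEVERE, LogStringsMessages.WSS_0816_BASE_64_DECODING_ERROR(), ex);
            throw new XWSSecurityException(ex);
        }
        if (matchesKeyIdentifier(subjectKeyId, loginCred.getCertificate())) {
            return loginCred.getPrivateKey();
        }
    }
    DecryptionKeyCallback.PrivateKeyRequest request =
        new DecryptionKeyCallback.X509SubjectKeyIdentifierBasedRequest(keyIdentifier);
    DecryptionKeyCallback keyCallback = new DecryptionKeyCallback(request);
    ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
    try {
        callbackHandler.handle(new Callback[]{keyCallback});
    } catch (Exception e) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("DecryptionKeyCallback.X509SubjectKeyIdentifierBasedRequest"),
            new Object[]{"DecryptionKeyCallback.X509SubjectKeyIdentifierBasedRequest"});
        log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
        throw new XWSSecurityException(e);
    }
    PrivateKey resolved = request.getPrivateKey();
    if (resolved == null) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0222_CANNOT_LOCATE_PRIVKEY(keyIdentifier), new Object[]{keyIdentifier});
        throw new XWSSecurityException(
            "No Matching private key for " + Base64.encode(keyIdentifier) + " subject key identifier found");
    }
    return resolved;
}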
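/**
 * Resolves a decryption private key from an issuer name and certificate serial number.
 * <p>
 * The JAAS keystore login certificate is matched first (issuer compared as
 * {@link X500Principal}s, so DN formatting differences do not matter); then a
 * {@code DecryptionKeyCallback.X509IssuerSerialBasedRequest} is put to the handler.
 *
 * @param context      runtime properties copied to the callback
 * @param serialNumber certificate serial number to match
 * @param issuerName   issuer distinguished name, typically taken from an inbound X509IssuerSerial reference
 * @return the private key, never {@code null}
 * @throws XWSSecurityException if {@code issuerName} is not a valid DN, the handler fails, or no key matches
 */
public PrivateKey getPrivateKey(Map context, BigInteger serialNumber, String issuerName)
        throws XWSSecurityException {
    X500PrivateCredential loginCred = getPKCredentialsFromLCSubject();
    if (loginCred != null) {
        X509Certificate loginCert = loginCred.getCertificate();
        X500Principal wantedIssuer;
        try {
            wantedIssuer = new X500Principal(issuerName);
        } catch (IllegalArgumentException ex) {
            // issuerName is caller-supplied; a malformed DN previously escaped
            // as an unchecked exception instead of the declared fault type
            throw new XWSSecurityException(ex);
        }
        if (loginCert.getSerialNumber().equals(serialNumber)
                && loginCert.getIssuerX500Principal().equals(wantedIssuer)) {
            return loginCred.getPrivateKey();
        }
    }
    DecryptionKeyCallback.PrivateKeyRequest request =
        new DecryptionKeyCallback.X509IssuerSerialBasedRequest(issuerName, serialNumber);
    DecryptionKeyCallback keyCallback = new DecryptionKeyCallback(request);
    ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
    try {
        callbackHandler.handle(new Callback[]{keyCallback});
    } catch (Exception e) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("DecryptionKeyCallback.X509IssuerSerialBasedRequest"),
            new Object[]{"DecryptionKeyCallback.X509IssuerSerialBasedRequest"});
        log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
        throw new XWSSecurityException(e);
    }
    PrivateKey resolved = request.getPrivateKey();
    if (resolved == null) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0222_CANNOT_LOCATE_PRIVKEY(serialNumber + ":" + issuerName),
            new Object[]{serialNumber + ":" + issuerName});
        throw new XWSSecurityException(
            "No Matching private key for serial number " + serialNumber + " and issuer name " + issuerName + " found");
    }
    return resolved;
}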
/**
 * Returns the public key of the certificate selected by a key-identifier or thumbprint reference.
 *
 * @param context    runtime properties copied to the callback
 * @param identifier base64-encoded key identifier or thumbprint
 * @param valueType  reference value type, see {@link #getCertificate(Map, byte[], String)}
 * @return the public key, never {@code null}
 * @throws XWSSecurityException if no matching certificate can be found
 */
public PublicKey getPublicKey(Map context, byte[] identifier, String valueType)
        throws XWSSecurityException {
    X509Certificate matching = getCertificate(context, identifier, valueType);
    return matching.getPublicKey();
}
/**
 * Returns the public key of the certificate selected by a subject key identifier.
 *
 * @param context       runtime properties copied to the callback
 * @param keyIdentifier base64-encoded X.509 subject key identifier
 * @return the public key, never {@code null}
 * @throws XWSSecurityException if no matching certificate can be found
 */
public PublicKey getPublicKey(Map context, byte[] keyIdentifier)
        throws XWSSecurityException {
    X509Certificate matching = getCertificate(context, keyIdentifier);
    return matching.getPublicKey();
}
/**
 * Resolves a certificate from a key-identifier or thumbprint reference.
 * <p>
 * When {@code valueType} is {@code MessageConstants.KEY_INDETIFIER_TYPE} the
 * lookup is delegated to {@link #getCertificate(Map, byte[])}; otherwise
 * {@code identifier} is a base64 thumbprint, checked against the JAAS
 * keystore login certificate and then against a
 * {@code SignatureVerificationKeyCallback.ThumbprintBasedRequest}.
 *
 * @param context    runtime properties copied to the callback
 * @param identifier base64-encoded key identifier or thumbprint
 * @param valueType  reference value type
 * @return the certificate, never {@code null}
 * @throws XWSSecurityException if the identifier cannot be decoded, the handler fails, or nothing matches
 */
public X509Certificate getCertificate(Map context, byte[] identifier, String valueType)
        throws XWSSecurityException {
    if (MessageConstants.KEY_INDETIFIER_TYPE.equals(valueType)) {
        return getCertificate(context, identifier);
    }
    // not a key identifier, so treat it as a thumbprint
    X509Certificate resolved = getPublicCredentialsFromLCSubject();
    try {
        boolean loginCertMatches = resolved != null && matchesThumbPrint(Base64.decode(identifier), resolved);
        if (loginCertMatches) {
            return resolved;
        }
    } catch (Base64DecodingException ex) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0816_BASE_64_DECODING_ERROR(), ex);
        throw new XWSSecurityException(ex);
    }
    SignatureVerificationKeyCallback.X509CertificateRequest request =
        new SignatureVerificationKeyCallback.ThumbprintBasedRequest(identifier);
    SignatureVerificationKeyCallback keyCallback = new SignatureVerificationKeyCallback(request);
    ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
    try {
        callbackHandler.handle(new Callback[]{keyCallback});
    } catch (Exception e) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("SignatureVerificationKeyCallback.ThumbprintBasedRequest"),
            new Object[]{"SignatureVerificationKeyCallback.ThumbprintBasedRequest"});
        log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
        throw new XWSSecurityException(e);
    }
    resolved = request.getX509Certificate();
    if (resolved == null) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0221_CANNOT_LOCATE_CERT(identifier), new Object[]{identifier});
        throw new XWSSecurityException("No Matching public key for " + Base64.encode(identifier) + " thumb print identifier found");
    }
    return resolved;
}
/**
 * Resolves a certificate from a base64 X.509 subject key identifier.
 * <p>
 * The JAAS keystore login certificate is checked first; otherwise a
 * {@code SignatureVerificationKeyCallback.X509SubjectKeyIdentifierBasedRequest}
 * is put to the handler.
 *
 * @param context       runtime properties copied to the callback
 * @param keyIdentifier base64-encoded subject key identifier
 * @return the certificate, never {@code null}
 * @throws XWSSecurityException if the identifier cannot be decoded, the handler fails, or nothing matches
 */
public X509Certificate getCertificate(Map context, byte[] keyIdentifier)
        throws XWSSecurityException {
    X509Certificate resolved = getPublicCredentialsFromLCSubject();
    try {
        boolean loginCertMatches = resolved != null && matchesKeyIdentifier(Base64.decode(keyIdentifier), resolved);
        if (loginCertMatches) {
            return resolved;
        }
    } catch (Base64DecodingException ex) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0816_BASE_64_DECODING_ERROR(), ex);
        throw new XWSSecurityException(ex);
    }
    SignatureVerificationKeyCallback.X509CertificateRequest request =
        new SignatureVerificationKeyCallback.X509SubjectKeyIdentifierBasedRequest(keyIdentifier);
    SignatureVerificationKeyCallback keyCallback = new SignatureVerificationKeyCallback(request);
    ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
    try {
        callbackHandler.handle(new Callback[]{keyCallback});
    } catch (Exception e) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("SignatureVerificationKeyCallback.X509SubjectKeyIdentifierBasedRequest"),
            new Object[]{"SignatureVerificationKeyCallback.X509SubjectKeyIdentifierBasedRequest"});
        log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
        throw new XWSSecurityException(e);
    }
    resolved = request.getX509Certificate();
    if (resolved == null) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0221_CANNOT_LOCATE_CERT(keyIdentifier), new Object[]{keyIdentifier});
        throw new XWSSecurityException("No Matching public key for " + Base64.encode(keyIdentifier) + " subject key identifier found");
    }
    return resolved;
}
/**
 * Returns the public key of the certificate selected by issuer name and serial number.
 *
 * @param context      runtime properties copied to the callback
 * @param serialNumber certificate serial number
 * @param issuerName   issuer distinguished name
 * @return the public key, never {@code null}
 * @throws XWSSecurityException if no matching certificate can be found
 */
public PublicKey getPublicKey(Map context, BigInteger serialNumber, String issuerName)
        throws XWSSecurityException {
    X509Certificate matching = getCertificate(context, serialNumber, issuerName);
    return matching.getPublicKey();
}
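/**
 * Resolves a certificate from an issuer name and serial number.
 * <p>
 * The JAAS keystore login certificate is matched first (issuer compared as
 * {@link X500Principal}s, so DN formatting differences do not matter); then a
 * {@code SignatureVerificationKeyCallback.X509IssuerSerialBasedRequest} is
 * put to the handler.
 *
 * @param context      runtime properties copied to the callback
 * @param serialNumber certificate serial number to match
 * @param issuerName   issuer distinguished name, typically taken from an inbound X509IssuerSerial reference
 * @return the certificate, never {@code null}
 * @throws XWSSecurityException if {@code issuerName} is not a valid DN, the handler fails, or nothing matches
 */
public X509Certificate getCertificate(Map context, BigInteger serialNumber, String issuerName)
        throws XWSSecurityException {
    X509Certificate resolved = getPublicCredentialsFromLCSubject();
    if (resolved != null) {
        X500Principal wantedIssuer;
        try {
            wantedIssuer = new X500Principal(issuerName);
        } catch (IllegalArgumentException ex) {
            // issuerName is caller-supplied; a malformed DN previously escaped
            // as an unchecked exception instead of the declared fault type
            throw new XWSSecurityException(ex);
        }
        if (resolved.getSerialNumber().equals(serialNumber)
                && resolved.getIssuerX500Principal().equals(wantedIssuer)) {
            return resolved;
        }
    }
    SignatureVerificationKeyCallback.X509CertificateRequest request =
        new SignatureVerificationKeyCallback.X509IssuerSerialBasedRequest(issuerName, serialNumber);
    SignatureVerificationKeyCallback keyCallback = new SignatureVerificationKeyCallback(request);
    ProcessingContext.copy(keyCallback.getRuntimeProperties(), context);
    try {
        callbackHandler.handle(new Callback[]{keyCallback});
    } catch (Exception e) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0216_CALLBACKHANDLER_HANDLE_EXCEPTION("SignatureVerificationKeyCallback.X509IssuerSerialBasedRequest"),
            new Object[]{"SignatureVerificationKeyCallback.X509IssuerSerialBasedRequest"});
        log.log(Level.SEVERE, LogStringsMessages.WSS_0217_CALLBACKHANDLER_HANDLE_EXCEPTION_LOG(), e);
        throw new XWSSecurityException(e);
    }
    resolved = request.getX509Certificate();
    if (resolved == null) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0221_CANNOT_LOCATE_CERT(serialNumber + ":" + issuerName), new Object[]{serialNumber + ":" + issuerName});
        throw new XWSSecurityException(
            "No Matching public key for serial number " + serialNumber + " and issuer name " + issuerName + " found");
    }
    return resolved;
}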
/**
 * Validates a certificate by putting a {@code CertificateValidationCallback} to the handler.
 * <p>
 * Any exception from the handler is turned into a
 * {@code MessageConstants.WSSE_INVALID_SECURITY_TOKEN} SOAP fault, so a
 * failing validator fails closed rather than being treated as "valid".
 *
 * @param cert    certificate to validate
 * @param context runtime properties handed to the validator
 * @return the validator's verdict as reported by the callback
 * @throws XWSSecurityException if the handler throws
 */
public boolean validateCertificate(X509Certificate cert, Map context)
        throws XWSSecurityException {
    CertificateValidationCallback validation = new CertificateValidationCallback(cert, context);
    Callback[] toHandle = {validation};
    try {
        callbackHandler.handle(toHandle);
    } catch (Exception e) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0223_FAILED_CERTIFICATE_VALIDATION());
        // newSOAPFaultException is defined elsewhere in this class
        throw newSOAPFaultException(
            MessageConstants.WSSE_INVALID_SECURITY_TOKEN,
            "Certificate validation failed",
            e);
    }
    if (log.isLoggable(Level.FINE)) {
        log.log(Level.FINE, "Certificate Validation called on certificate {0}", cert.getSubjectDN());
    }
    return validation.getResult();
}
/**
 * Hook for enriching the other party's Subject after username/password
 * authentication. This implementation intentionally does nothing; subclasses
 * may override it.
 *
 * @param subject  the Subject representing the other party
 * @param username the user name that was presented
 * @param password the password that was presented (not retained here)
 */
public void updateOtherPartySubject(
        final Subject subject, final String username, final String password) {
    // intentionally a no-op
}
/**
 * Returns the first {@link X500PrivateCredential} held by the JAAS keystore
 * login Subject, or {@code null} if there is no such Subject or credential.
 * <p>
 * Only the first credential in iteration order is ever used.
 *
 * @return the credential, or {@code null}
 */
private X500PrivateCredential getPKCredentialsFromLCSubject() {
    if (loginContextSubjectForKeystore == null) {
        return null;
    }
    Set<X500PrivateCredential> creds =
        loginContextSubjectForKeystore.getPrivateCredentials(X500PrivateCredential.class);
    if (creds == null) {
        return null;
    }
    Iterator<X500PrivateCredential> it = creds.iterator();
    return it.hasNext() ? it.next() : null;
}
/**
 * Returns the certificate of the JAAS keystore login credential, or
 * {@code null} if {@link #getPKCredentialsFromLCSubject()} yields nothing.
 *
 * @return the certificate, or {@code null}
 */
private X509Certificate getPublicCredentialsFromLCSubject() {
    X500PrivateCredential loginCred = getPKCredentialsFromLCSubject();
    return loginCred == null ? null : loginCred.getCertificate();
}
/**
 * Performs the configured JAAS keystore login and returns the resulting Subject.
 * <p>
 * Returns {@code null} when no login module is configured. When
 * {@code keyStoreCBH} names a class, that class (taken from configuration)
 * is instantiated reflectively and passed to the {@link LoginContext} as its
 * {@link CallbackHandler}.
 *
 * @return the logged-in Subject, or {@code null} if no login module is configured
 * @throws XWSSecurityRuntimeException if the handler cannot be instantiated or the login fails
 */
private Subject initJAASKeyStoreLoginModule() {
    if (JAASLoginModuleForKeystore == null) {
        return null;
    }
    try {
        LoginContext loginContext;
        if (keyStoreCBH == null) {
            loginContext = new LoginContext(JAASLoginModuleForKeystore);
        } else {
            // loadClass is defined elsewhere in this class
            keystoreCbHandlerClass = (CallbackHandler) loadClass(keyStoreCBH).newInstance();
            loginContext = new LoginContext(JAASLoginModuleForKeystore, keystoreCbHandlerClass);
        }
        loginContext.login();
        return loginContext.getSubject();
    } catch (InstantiationException ex) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0817_KEYSTORE_LOGIN_MODULE_LOGIN_ERROR() , ex);
        throw new XWSSecurityRuntimeException(ex);
    } catch (IllegalAccessException ex) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0817_KEYSTORE_LOGIN_MODULE_LOGIN_ERROR(), ex);
        throw new XWSSecurityRuntimeException(ex);
    } catch (XWSSecurityException ex) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0817_KEYSTORE_LOGIN_MODULE_LOGIN_ERROR(), ex);
        throw new XWSSecurityRuntimeException(ex);
    } catch (LoginException ex) {
        log.log(Level.SEVERE, LogStringsMessages.WSS_0817_KEYSTORE_LOGIN_MODULE_LOGIN_ERROR(), ex);
        throw new XWSSecurityRuntimeException(ex);
    }
}
/**
 * Tells whether a certificate's subject key identifier equals the given bytes.
 *
 * @param keyIdMatch decoded subject key identifier to look for
 * @param x509Cert   certificate to inspect
 * @return {@code true} only if the certificate carries a key identifier equal to {@code keyIdMatch}
 * @throws XWSSecurityException if the identifier cannot be extracted from the certificate
 */
private boolean matchesKeyIdentifier(
        byte[] keyIdMatch,
        X509Certificate x509Cert) throws XWSSecurityException {
    byte[] certKeyId = X509SubjectKeyIdentifier.getSubjectKeyIdentifier(x509Cert);
    // a certificate without a key identifier never matches, even if keyIdMatch is null
    return certKeyId != null && Arrays.equals(keyIdMatch, certKeyId);
}
/**
 * Tells whether a certificate's thumbprint equals the given bytes.
 *
 * @param keyIdMatch decoded thumbprint to look for
 * @param x509Cert   certificate to inspect
 * @return {@code true} only if a thumbprint could be computed and equals {@code keyIdMatch}
 * @throws XWSSecurityException if the thumbprint cannot be computed
 */
private boolean matchesThumbPrint(
        byte[] keyIdMatch,
        X509Certificate x509Cert) throws XWSSecurityException {
    byte[] certThumbprint = XWSSUtil.getThumbprintIdentifier(x509Cert);
    // no thumbprint means no match, even if keyIdMatch is null
    return certThumbprint != null && Arrays.equals(keyIdMatch, certThumbprint);
}
private void updateUsernameInSubject(
final Subject subject, final String username, final String password) {
AccessController.doPrivileged(new PrivilegedAction