All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.sun.xml.ws.security.secconv.WSSCClientContract Maven / Gradle / Ivy

There is a newer version: 4.0.4
Show newest version
/*
 * Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Distribution License v. 1.0, which is available at
 * http://www.eclipse.org/org/documents/edl-v10.php.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

package com.sun.xml.ws.security.secconv;

import com.sun.xml.ws.api.security.secconv.client.SCTokenConfiguration;
import com.sun.xml.ws.policy.impl.bindings.AppliesTo;
import com.sun.xml.ws.security.IssuedTokenContext;
import com.sun.xml.ws.security.SecurityContextToken;
import com.sun.xml.ws.security.SecurityContextTokenInfo;
import com.sun.xml.ws.security.secconv.impl.SecurityContextTokenInfoImpl;
import com.sun.xml.ws.security.secconv.logging.LogDomainConstants;
import com.sun.xml.ws.security.secconv.logging.LogStringsMessages;
import com.sun.xml.ws.security.trust.WSTrustVersion;
import com.sun.xml.ws.security.trust.elements.BinarySecret;
import com.sun.xml.ws.security.trust.elements.Entropy;
import com.sun.xml.ws.security.trust.elements.Lifetime;
import com.sun.xml.ws.security.trust.elements.RequestSecurityToken;
import com.sun.xml.ws.security.trust.elements.RequestSecurityTokenResponse;
import com.sun.xml.ws.security.trust.elements.RequestSecurityTokenResponseCollection;
import com.sun.xml.ws.security.trust.elements.RequestedAttachedReference;
import com.sun.xml.ws.security.trust.elements.RequestedProofToken;
import com.sun.xml.ws.security.trust.elements.RequestedSecurityToken;
import com.sun.xml.ws.security.trust.elements.RequestedTokenCancelled;
import com.sun.xml.ws.security.trust.elements.RequestedUnattachedReference;
import com.sun.xml.ws.security.trust.util.WSTrustUtil;
import com.sun.xml.ws.security.wsu10.AttributedDateTime;
import com.sun.xml.wss.impl.misc.SecurityUtil;

import java.net.URI;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

public class WSSCClientContract {
    
    private static final Logger log =
            Logger.getLogger(
            LogDomainConstants.WSSC_IMPL_DOMAIN,
            LogDomainConstants.WSSC_IMPL_DOMAIN_BUNDLE);
    
    private static final int DEFAULT_KEY_SIZE = 256;
    private WSSCVersion wsscVer = WSSCVersion.WSSC_10;
    private WSTrustVersion wsTrustVer = WSTrustVersion.WS_TRUST_10;
    
    
    /**
     * Handle an RSTR returned by the Issuer and update Token information into the
     * IssuedTokenContext.
     */
    public void handleRSTR(
            final RequestSecurityToken rst, final RequestSecurityTokenResponse rstr, final IssuedTokenContext context) throws WSSecureConversationException {        
        if(!context.getSecurityPolicy().isEmpty()){
            SCTokenConfiguration sctConfig = (SCTokenConfiguration)context.getSecurityPolicy().get(0);
            wsscVer = WSSCVersion.getInstance(sctConfig.getProtocol());        
        }
        if(wsscVer.getNamespaceURI().equals(WSSCVersion.WSSC_13_NS_URI)){
            wsTrustVer = WSTrustVersion.WS_TRUST_13;
        }
        if (rst.getRequestType().toString().equals(wsTrustVer.getIssueRequestTypeURI())){
            // ToDo
            //final AppliesTo requestAppliesTo = rst.getAppliesTo();
            //final AppliesTo responseAppliesTo = rstr.getAppliesTo();
            
            final RequestedSecurityToken securityToken = rstr.getRequestedSecurityToken();
            
            // Requested References
            final RequestedAttachedReference attachedRef = rstr.getRequestedAttachedReference();
            final RequestedUnattachedReference unattachedRef = rstr.getRequestedUnattachedReference();
            
            // RequestedProofToken
            final RequestedProofToken proofToken = rstr.getRequestedProofToken();
            
            // Obtain the secret key for the context
            final byte[] key = getKey(rstr, proofToken, rst);
            
            if(key != null){
                context.setProofKey(key);
            }
            
            //get the creation time and expires time and set it in the context
            setLifetime(rstr, context);
            
            if(securityToken == null && proofToken == null){
                log.log(Level.SEVERE,
                        LogStringsMessages.WSSC_0002_NULL_TOKEN());
                throw new WSSecureConversationException(LogStringsMessages.WSSC_0002_NULL_TOKEN());
            }
            
            if (securityToken != null){
                context.setSecurityToken(securityToken.getToken());
            }
            
            if(attachedRef != null){
                context.setAttachedSecurityTokenReference(attachedRef.getSTR());
            }
            
            if (unattachedRef != null){
                context.setUnAttachedSecurityTokenReference(unattachedRef.getSTR());
            }
        }if (rst.getRequestType().toString().equals(wsTrustVer.getRenewRequestTypeURI())){
            final RequestedSecurityToken securityToken = rstr.getRequestedSecurityToken();
            // RequestedProofToken
            final RequestedProofToken proofToken = rstr.getRequestedProofToken();
            
            // Obtain the secret key for the context
            final byte[] key = getKey(rstr, proofToken, rst);
                        
            //get the creation time and expires time and set it in the context
            setLifetime(rstr, context);
            if (securityToken != null){
                context.setSecurityToken(securityToken.getToken());
            }
            SecurityContextTokenInfo sctInfo = null;
            if(context.getSecurityContextTokenInfo() == null){
                sctInfo = new SecurityContextTokenInfoImpl();                
            }else{
                sctInfo = context.getSecurityContextTokenInfo();
            }
            sctInfo.setIdentifier(((SecurityContextToken)context.getSecurityToken()).getIdentifier().toString());
            sctInfo.setInstance(((SecurityContextToken)context.getSecurityToken()).getInstance());
            sctInfo.setExternalId(((SecurityContextToken)context.getSecurityToken()).getWsuId());
            if(key != null){
                sctInfo.addInstance(((SecurityContextToken)context.getSecurityToken()).getInstance(), key);                
            }            
            context.setSecurityContextTokenInfo(sctInfo);
        }else if (rst.getRequestType().toString().equals(wsTrustVer.getCancelRequestTypeURI())){
            
            // Check if the rstr contains the RequestTedTokenCancelled element
            // if yes cleanup the IssuedTokenContext accordingly
            final RequestedTokenCancelled cancelled = rstr.getRequestedTokenCancelled();
            if(cancelled!=null){
                //context.setSecurityToken(null);
                context.setProofKey(null);
            }
        }
        
    }

   /**
     * Handle an RSTRC returned by the Issuer and update Token information into the
     * IssuedTokenContext.
     */
    public void handleRSTRC(
            final RequestSecurityToken rst, final RequestSecurityTokenResponseCollection rstrc, final IssuedTokenContext context) throws WSSecureConversationException {
        List rstrList = rstrc.getRequestSecurityTokenResponses();
        Iterator rstrIterator = rstrList.iterator();
        RequestSecurityTokenResponse rstr;
        while(rstrIterator.hasNext()){
            rstr = (RequestSecurityTokenResponse)rstrIterator.next();
            this.handleRSTR(rst, rstr, context);
        }
    }
    
    private byte[] getKey(final RequestSecurityTokenResponse rstr, final RequestedProofToken proofToken, final RequestSecurityToken rst) throws WSSecureConversationException, UnsupportedOperationException {
        byte[] key = null;
        if (proofToken != null){
            final String proofTokenType = proofToken.getProofTokenType();
            if (RequestedProofToken.COMPUTED_KEY_TYPE.equals(proofTokenType)){
                key = computeKey(rstr, proofToken, rst);
            } else if (RequestedProofToken.TOKEN_REF_TYPE.equals(proofTokenType)){
                //ToDo
                throw new UnsupportedOperationException("To Do");
            } else if (RequestedProofToken.ENCRYPTED_KEY_TYPE.equals(proofTokenType)){
                //ToDo
                throw new UnsupportedOperationException("To Do");
            } else if (RequestedProofToken.BINARY_SECRET_TYPE.equals(proofTokenType)){
                final BinarySecret binarySecret = proofToken.getBinarySecret();
                key = binarySecret.getRawValue();
            } else{
                log.log(Level.SEVERE,
                        LogStringsMessages.WSSC_0003_INVALID_PROOFTOKEN(proofTokenType));
                throw new WSSecureConversationException(LogStringsMessages.WSSC_0003_INVALID_PROOFTOKEN(proofTokenType));
            }
        }
        return key;
    }
    
    private void setLifetime(final RequestSecurityTokenResponse rstr, final IssuedTokenContext context){
        
        // Get Created and Expires from Lifetime
        final Lifetime lifetime = rstr.getLifetime();
        final AttributedDateTime created = lifetime.getCreated();
        final AttributedDateTime expires = lifetime.getExpires();

        // populate the IssuedTokenContext
        if (created != null){
            context.setCreationTime(WSTrustUtil.parseAttributedDateTime(created));
        }else{
            // set the current time as specified in the spec.
            context.setCreationTime(new Date());
        }
        if (expires != null){
            context.setExpirationTime(WSTrustUtil.parseAttributedDateTime(expires));
        }
    }
    
    private byte[] computeKey(final RequestSecurityTokenResponse rstr, final RequestedProofToken proofToken, final RequestSecurityToken rst) throws WSSecureConversationException, UnsupportedOperationException {
        // get ComputeKey algorithm URI, client entropy, server entropy and compute
        // the SecretKey
        final URI computedKey = proofToken.getComputedKey();
        final Entropy clientEntropy = rst.getEntropy();
        final Entropy serverEntropy = rstr.getEntropy();
        final BinarySecret clientBS = clientEntropy.getBinarySecret();
        final BinarySecret serverBS = serverEntropy.getBinarySecret();
        byte [] clientEntr = null;
        byte [] serverEntr = null;
        if(clientBS!=null){
            clientEntr = clientBS.getRawValue();
        }
        if(serverBS!=null){
            serverEntr = serverBS.getRawValue();
        }
        byte[] key = null;
        int keySize = (int)rstr.getKeySize();
        if(keySize == 0){
            keySize = (int)rst.getKeySize();//get it from the request
        }
        if(keySize == 0){
            keySize = DEFAULT_KEY_SIZE;//key size is in bits
        }
        if (log.isLoggable(Level.FINE)) {
            log.log(Level.FINE,
                    LogStringsMessages.WSSC_0005_COMPUTED_KEYSIZE(keySize, DEFAULT_KEY_SIZE));
        }
        if(computedKey.toString().equals(wsTrustVer.getCKPSHA1algorithmURI())){
            try {
                key = SecurityUtil.P_SHA1(clientEntr,serverEntr, keySize/8);
            } catch (Exception ex) {
                log.log(Level.SEVERE,
                        LogStringsMessages.WSSC_0006_UNABLETOEXTRACT_KEY(), ex);
                throw new WSSecureConversationException(LogStringsMessages.WSSC_0006_UNABLETOEXTRACT_KEY(), ex);
            }
        } else {
            log.log(Level.SEVERE,
                    LogStringsMessages.WSSC_0026_UNSUPPORTED_COMPUTED_KEY(computedKey));
            throw new WSSecureConversationException(LogStringsMessages.WSSC_0026_UNSUPPORTED_COMPUTED_KEY_E(computedKey));
        }
        return key;
    }
    
    /**
     * Handle an RSTR returned by the Issuer and Respond to the Challenge
     *
     */
    public RequestSecurityTokenResponse handleRSTRForNegotiatedExchange(
            final RequestSecurityToken rst, final RequestSecurityTokenResponse rstr, final IssuedTokenContext context) {
        return null;
    }
    
    /**
     * Create an RSTR for a client initiated IssuedTokenContext establishment,
     * for example a Client Initiated WS-SecureConversation context.
     *
     */
    public RequestSecurityTokenResponse createRSTRForClientInitiatedIssuedTokenContext(final AppliesTo scopes,final IssuedTokenContext context) throws WSSecureConversationException {
        final WSSCElementFactory eleFac = WSSCElementFactory.newInstance();
        
        final byte[] secret = WSTrustUtil.generateRandomSecret(DEFAULT_KEY_SIZE);
        final BinarySecret binarySecret = eleFac.createBinarySecret(secret, this.wsTrustVer.getSymmetricKeyTypeURI());
        
        final RequestedProofToken proofToken = eleFac.createRequestedProofToken();
        proofToken.setProofTokenType(RequestedProofToken.BINARY_SECRET_TYPE);
        proofToken.setBinarySecret(binarySecret);
        
        final SecurityContextToken token = WSTrustUtil.createSecurityContextToken(eleFac);
        final RequestedSecurityToken rst = eleFac.createRequestedSecurityToken(token);
        
        final RequestSecurityTokenResponse rstr = eleFac.createRSTR();
        rstr.setAppliesTo(scopes);
        rstr.setRequestedSecurityToken(rst);
        rstr.setRequestedProofToken(proofToken);
        
        context.setSecurityToken(token);
        context.setProofKey(secret);
        if (log.isLoggable(Level.FINE)) {
            log.log(Level.FINE,
                    LogStringsMessages.WSSC_0007_CREATED_RSTR(rstr.toString()));
        }
        return rstr;
    }
    
    /**
     * Contains Challenge
     * @return true if the RSTR contains a SignChallenge/BinaryExchange or
     *  some other custom challenge recognized by this implementation.
     */
    public boolean containsChallenge(final RequestSecurityTokenResponse rstr) {
        return false;
    }
    
    /**
     * Return the <wst:ComputedKey> URI if any inside the RSTR, null otherwise
     */
    public URI getComputedKeyAlgorithmFromProofToken(final RequestSecurityTokenResponse rstr) {
        return null;
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy