• Home
• org.glassfish.metro
• wssx-impl
• 4.0.0
• source code
• SecurityUtil.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

com.sun.xml.wss.impl.misc.SecurityUtil Maven / Gradle / Ivy

/*
 * Copyright (c) 1997, 2022 Oracle and/or its affiliates. All rights reserved.
 * Copyright (c) 2022 Contributors to the Eclipse Foundation
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Distribution License v. 1.0, which is available at
 * http://www.eclipse.org/org/documents/edl-v10.php.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

package com.sun.xml.wss.impl.misc;

import com.sun.xml.ws.security.Token;
import com.sun.xml.ws.security.opt.impl.JAXBFilterProcessingContext;
import com.sun.xml.ws.security.secext10.SecurityTokenReferenceType;
import com.sun.xml.wss.core.reference.SamlKeyIdentifier;
import com.sun.xml.wss.impl.PolicyTypeUtil;
import com.sun.xml.wss.impl.policy.mls.EncryptionPolicy;
import com.sun.xml.wss.impl.policy.mls.KeyBindingBase;
import com.sun.xml.wss.impl.policy.mls.WSSPolicy;

import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.Key;
import jakarta.xml.bind.JAXBElement;

import jakarta.xml.soap.SOAPElement;

import com.sun.xml.wss.XWSSecurityException;
import com.sun.xml.wss.impl.MessageConstants;
import com.sun.xml.wss.logging.LogDomainConstants;
import com.sun.xml.wss.logging.impl.crypto.LogStringsMessages;

import java.util.Random;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.HashMap;

import com.sun.xml.wss.impl.FilterProcessingContext;
import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
import com.sun.xml.wss.impl.SecurableSoapMessage;
import com.sun.xml.wss.core.X509SecurityToken;
import com.sun.xml.wss.impl.WSSAssertion;

import org.apache.xml.security.algorithms.JCEMapper;
import com.sun.xml.ws.api.SOAPVersion;
import com.sun.xml.ws.api.security.secconv.client.SCTokenConfiguration;
import com.sun.xml.ws.api.security.trust.WSTrustException;
import com.sun.xml.ws.api.security.trust.client.IssuedTokenManager;
import com.sun.xml.ws.security.impl.IssuedTokenContextImpl;
import com.sun.xml.ws.security.IssuedTokenContext;
import com.sun.xml.wss.core.SecurityContextTokenImpl;
import com.sun.xml.wss.impl.policy.mls.SecureConversationTokenKeyBinding;
import com.sun.xml.wss.impl.policy.mls.IssuedTokenKeyBinding;

import com.sun.xml.ws.security.SecurityTokenReference;

import org.w3c.dom.Node;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Document;

import com.sun.xml.ws.security.trust.WSTrustConstants;

import com.sun.xml.ws.security.SecurityContextToken;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import javax.security.auth.Subject;
import com.sun.xml.ws.runtime.dev.SessionManager;
import com.sun.xml.ws.security.SecurityContextTokenInfo;
import com.sun.xml.ws.security.opt.impl.keyinfo.SecurityContextToken13;
import com.sun.xml.ws.security.secconv.impl.bindings.SecurityContextTokenType;
import com.sun.xml.ws.security.secconv.impl.client.DefaultSCTokenConfiguration;
import com.sun.xml.ws.security.trust.GenericToken;
import com.sun.xml.ws.security.trust.WSTrustElementFactory;
import com.sun.xml.wss.impl.XWSSecurityRuntimeException;
import com.sun.xml.wss.impl.policy.MLSPolicy;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;

/**
 * Utility class for the Encryption and Signature related methods
 * @author Ashutosh Shahi
 */
public class SecurityUtil {

    protected static final Logger log =  Logger.getLogger( LogDomainConstants.IMPL_CRYPTO_DOMAIN,
            LogDomainConstants.IMPL_CRYPTO_DOMAIN_BUNDLE);

    /** Creates a new instance of SecurityUtil */
    public SecurityUtil() {
    }

    public static SecretKey generateSymmetricKey(String algorithm) throws XWSSecurityException{
        try {

            //keyGen.init(168);//TODO-Venu
            String jceAlgo = JCEMapper.getJCEKeyAlgorithmFromURI(algorithm);
            //JCEMapper.translateURItoJCEID(algorithm);
            //
            if (MessageConstants.debug) {
                log.log(Level.FINEST, "JCE ALGORITHM "+ jceAlgo);
            }
            KeyGenerator keyGen = KeyGenerator.getInstance(jceAlgo);
            int length = 0;
            if(jceAlgo.startsWith("DES")){
                length = 168;
            }else{
                length = JCEMapper.getKeyLengthFromURI(algorithm);
            }
            keyGen.init(length);
            if (MessageConstants.debug) {
                log.log(Level.FINEST, "Algorithm key length "+length);
            }
            return keyGen.generateKey();
        } catch (Exception e) {
            log.log(Level.SEVERE,
                    LogStringsMessages.WSS_1208_FAILEDTO_GENERATE_RANDOM_SYMMETRICKEY(e.getMessage()),
                    new Object[] {e.getMessage()});
            throw new XWSSecurityException(
                    "Unable to Generate Symmetric Key", e);
        }
    }

    /**
     * Lookup method to get the Key Length based on algorithm
     * TODO: Not complete yet, need to add more algorithms
     * NOTE: This method should only be used for DerivedKeyTokenLengths
     **/
    public static int getLengthFromAlgorithm(String algorithm) {
        switch (algorithm) {
            case MessageConstants.AES_BLOCK_ENCRYPTION_192:
                return 24;
            case MessageConstants.AES_BLOCK_ENCRYPTION_256:
                return 32;
            case MessageConstants.AES_BLOCK_ENCRYPTION_128:
                return 16;
            case MessageConstants.TRIPLE_DES_BLOCK_ENCRYPTION:
                return 24;
            default:
                throw new UnsupportedOperationException("TODO: not yet implemented keyLength for" + algorithm);
        }
    }

    public static String generateUUID() {
        Random rnd = new Random();
        int intRandom = rnd.nextInt();
        return "XWSSGID-"+ System.currentTimeMillis() + intRandom;
    }

    public static byte[] P_SHA1(byte[] secret, byte[] seed
            ) throws Exception {

        byte[] aBytes, result;
        aBytes = seed;

        Mac hMac = Mac.getInstance("HMACSHA1");
        SecretKeySpec sKey = new SecretKeySpec(secret, "HMACSHA1");
        hMac.init(sKey);
        hMac.update(aBytes);
        aBytes = hMac.doFinal();
        hMac.reset();
        hMac.init(sKey);
        hMac.update(aBytes);
        hMac.update(seed);
        result = hMac.doFinal();

        return result;
    }

    public static byte[] P_SHA1(byte[] secret, byte[] seed,
            int requiredSize) throws NoSuchAlgorithmException, InvalidKeyException {
        Mac hMac = Mac.getInstance("HMACSHA1");
        SecretKeySpec sKey = new SecretKeySpec(secret, "HMACSHA1");

        byte[] result = new byte[requiredSize];
        int copied=0;

        byte[] aBytes = seed;
        hMac.init(sKey);
        hMac.update(aBytes);
        aBytes  = hMac.doFinal();

        int rounds = requiredSize/aBytes.length ;
        if(requiredSize % aBytes.length != 0)
            rounds++;

        for(int i = 0; i < rounds; i ++){

            hMac.reset();
            hMac.init(sKey);
            hMac.update(aBytes);
            hMac.update(seed);
            byte[] generated = hMac.doFinal();
            int takeBytes;
            if(i != rounds-1)
                takeBytes = generated.length;
            else
                takeBytes = requiredSize - (generated.length * i);
            System.arraycopy(generated, 0, result, copied, takeBytes);
            copied += takeBytes;
            hMac.init(sKey);
            hMac.update(aBytes);
            aBytes  = hMac.doFinal();
        }
        return result;
    }

    public static String getSecretKeyAlgorithm(String encryptionAlgo) {
        String encAlgo = JCEMapper.translateURItoJCEID(encryptionAlgo);
        if (encAlgo.startsWith("AES")) {
            return "AES";
        } else if (encAlgo.startsWith("DESede")) {
            return "DESede";
        } else if (encAlgo.startsWith("DES")) {
            return "DES";
        }
        return encAlgo;
    }

    public static void checkIncludeTokenPolicyOpt(JAXBFilterProcessingContext context,
            AuthenticationTokenPolicy.UsernameTokenBinding untBinding,
            String unTokenid) throws XWSSecurityException{
        try{
            //not sure if this check is required
            if (!untBinding.policyTokenWasSet()){
                return;
            }
            String itVersion = untBinding.getIncludeToken();
            if(KeyBindingBase.INCLUDE_ALWAYS_TO_RECIPIENT.equals(itVersion) ||
               KeyBindingBase.INCLUDE_ALWAYS_TO_RECIPIENT_VER2.equals(itVersion)){
                untBinding.setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
            } else {
                throw new UnsupportedOperationException(untBinding.getIncludeToken() + " not supported yet as IncludeToken policy");
            }
        } catch(Exception e){
            throw new XWSSecurityException(e);
        }
    }

    public static void checkIncludeTokenPolicy(FilterProcessingContext context,
            AuthenticationTokenPolicy.X509CertificateBinding certInfo,
            String x509id) throws XWSSecurityException{

        HashMap insertedX509Cache = context.getInsertedX509Cache();
        X509SecurityToken x509Token = (X509SecurityToken)insertedX509Cache.get(x509id);
        //SecurableSoapMessage secureMessage = context.getSecurableSoapMessage();

        try{
            if(x509Token == null){
                /*Token policyToken = certInfo.getPolicyToken();
                if (policyToken == null) {
                    return;
                }*/
                // no referencetype adjustment if it is not WS-SecurityPolicy
                if (!certInfo.policyTokenWasSet()){
                    return;
                }
                String itVersion = certInfo.getIncludeToken();
                if(KeyBindingBase.INCLUDE_ALWAYS_TO_RECIPIENT.equals(itVersion) ||
                   KeyBindingBase.INCLUDE_ALWAYS.equals(itVersion) ||
                   KeyBindingBase.INCLUDE_ALWAYS_TO_RECIPIENT_VER2.equals(itVersion) ||
                   KeyBindingBase.INCLUDE_ALWAYS_VER2.equals(itVersion)){
                    insertCertificate(context, certInfo, x509id);
                } else if(KeyBindingBase.INCLUDE_NEVER.equals(itVersion) ||
                          KeyBindingBase.INCLUDE_NEVER_VER2.equals(itVersion)){
                    WSSAssertion wssAssertion = context.getWSSAssertion();
                    if(MessageConstants.DIRECT_REFERENCE_TYPE.equals(certInfo.getReferenceType())){
                        if(wssAssertion != null){
                            if(wssAssertion.getRequiredProperties().contains(WSSAssertion.MUST_SUPPORT_REF_KEYIDENTIFIER))
                                certInfo.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
                            else if(wssAssertion.getRequiredProperties().contains(WSSAssertion.MUSTSUPPORT_REF_THUMBPRINT))
                                certInfo.setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
                        } else {
                            // when wssAssertion is not set use KeyIdentifier
                            certInfo.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
                        }
                    }
                } else if(KeyBindingBase.INCLUDE_ONCE.equals(certInfo.getIncludeToken())){
                    throw new UnsupportedOperationException(KeyBindingBase.INCLUDE_ONCE + " not supported yet as IncludeToken policy");
                }
            }
        } catch(Exception e){
            throw new XWSSecurityException(e);
        }
    }

    public static void checkIncludeTokenPolicyOpt(JAXBFilterProcessingContext context,
            AuthenticationTokenPolicy.X509CertificateBinding certInfo,
            String x509id) throws XWSSecurityException{

        //SecurityHeaderElement she = context.getSecurityHeader().getChildElement(x509id);

        try{
            //if(she != null){
                /*Token policyToken = certInfo.getPolicyToken();
                if (policyToken == null) {
                    return;
                }*/
            // no referencetype adjustment if it is not WS-SecurityPolicy
            if (!certInfo.policyTokenWasSet()){
                return;
            }
            String itVersion = certInfo.getIncludeToken();
            if(KeyBindingBase.INCLUDE_ALWAYS_TO_RECIPIENT.equals(itVersion) ||
               KeyBindingBase.INCLUDE_ALWAYS.equals(itVersion) ||
               KeyBindingBase.INCLUDE_ALWAYS_TO_RECIPIENT_VER2.equals(itVersion) ||
               KeyBindingBase.INCLUDE_ALWAYS_VER2.equals(itVersion)){
                certInfo.setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
            } else if(KeyBindingBase.INCLUDE_NEVER.equals(itVersion) ||
                      KeyBindingBase.INCLUDE_NEVER_VER2.equals(itVersion)){
                WSSAssertion wssAssertion = context.getWSSAssertion();
                if(MessageConstants.DIRECT_REFERENCE_TYPE.equals(certInfo.getReferenceType())){
                    if(wssAssertion != null){
                        if (wssAssertion.getRequiredProperties().contains(WSSAssertion.MUSTSUPPORT_REF_ISSUER_SERIAL)) {
                            certInfo.setReferenceType(MessageConstants.X509_ISSUER_TYPE);
                        } else if(wssAssertion.getRequiredProperties().contains(WSSAssertion.MUSTSUPPORT_REF_THUMBPRINT)) {
                            certInfo.setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
                        } else if(wssAssertion.getRequiredProperties().contains(WSSAssertion.MUST_SUPPORT_REF_KEYIDENTIFIER)) {
                            certInfo.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
                        }
                    } else {
                        // when wssAssertion is not set use Issuer Serial
                        certInfo.setReferenceType(MessageConstants.X509_ISSUER_TYPE);
                    }
                }
            } else if(KeyBindingBase.INCLUDE_ONCE.equals(certInfo.getIncludeToken())){
                throw new UnsupportedOperationException(KeyBindingBase.INCLUDE_ONCE + " not supported yet as IncludeToken policy");
            }
            //}
        } catch(Exception e){
            throw new XWSSecurityException(e);
        }
    }

    public static String  getWsuIdOrId(Element elem) throws XWSSecurityException {
        NamedNodeMap nmap = elem.getAttributes();
        Node attr = nmap.getNamedItem("Id");
        if (attr == null) {
            attr = nmap.getNamedItem("AssertionID");
            if (attr == null)
                attr = nmap.getNamedItem("ID");
            if (attr == null) {
                throw new XWSSecurityException("Issued Token Element does not have a Id or AssertionId attribute");
            }
        }
        return attr.getNodeValue();
    }


    public static void resolveSCT(FilterProcessingContext context, SecureConversationTokenKeyBinding sctBinding)
    throws XWSSecurityException {
        // resolve the ProofKey here and set it into ProcessingContext
        //String sctPolicyId = sctBinding.getPolicyToken().getTokenId();
        String sctPolicyId = sctBinding.getUUID();
        // this will work on the client side only
        //IssuedTokenContext ictx = context.getIssuedTokenContext(sctPolicyId);
        IssuedTokenContext ictx = null;
        String protocol = context.getWSSCVersion(context.getSecurityPolicyVersion());
        if(context.isClient()){
            String sctId = context.getSCPolicyIDtoSctIdMap(sctPolicyId);
            SCTokenConfiguration config = new DefaultSCTokenConfiguration(protocol, sctId, !context.isExpired(), !context.isInboundMessage());
            ictx =IssuedTokenManager.getInstance().createIssuedTokenContext(config, null);
            try{
                IssuedTokenManager.getInstance().getIssuedToken(ictx);
            }catch(WSTrustException e){
                throw new XWSSecurityException(e);
            }
        }
        if (ictx == null) {
            // this will work on the server side
            String sctId = "";
            if(context instanceof JAXBFilterProcessingContext){

                Object sctObject = context.getExtraneousProperty(MessageConstants.INCOMING_SCT);

                if (sctObject == null) {
                    throw new XWSSecurityException("SecureConversation Session Context not Found");
                }
                if(sctObject instanceof com.sun.xml.ws.security.opt.impl.incoming.SecurityContextToken){
                    com.sun.xml.ws.security.opt.impl.incoming.SecurityContextToken sct = (com.sun.xml.ws.security.opt.impl.incoming.SecurityContextToken)sctObject;
                    sctId = sct.getSCId();
                }else if(sctObject instanceof SecurityContextToken){
                    SecurityContextToken sct = (SecurityContextToken)sctObject;
                    sctId = sct.getIdentifier().toString();
                }
            } else{
                SecurityContextToken sct = (SecurityContextToken)context.getExtraneousProperty(MessageConstants.INCOMING_SCT);
                if (sct == null) {
                    throw new XWSSecurityException("SecureConversation Session Context not Found");
                }
                sctId = sct.getIdentifier().toString();
            }

            ictx = ((SessionManager)context.getExtraneousProperty("SessionManager")).getSecurityContext(sctId, !context.isExpired());
            java.net.URI identifier = null;
            String instance = null;
            String wsuId = null;

            SecurityContextToken sct = (SecurityContextToken)ictx.getSecurityToken();
            if (sct != null){
                identifier = sct.getIdentifier();
                instance = sct.getInstance();
                wsuId = sct.getWsuId();
            }else{
                SecurityContextTokenInfo sctInfo = ictx.getSecurityContextTokenInfo();
                identifier = java.net.URI.create(sctInfo.getIdentifier());
                instance = sctInfo.getInstance();
                wsuId = sctInfo.getExternalId();
            }

            ictx.setSecurityToken(WSTrustElementFactory.newInstance(protocol).createSecurityContextToken(identifier, instance, wsuId));
        }


        if (ictx == null) {
            throw new XWSSecurityException("SecureConversation Session Context not Found");
        } else {
            //System.out.println("SC Session located...");
        }
        //TODO: assuming only a single secure-conversation context
        context.setSecureConversationContext(ictx);
    }

    public static void resolveIssuedToken(FilterProcessingContext context, IssuedTokenKeyBinding itkb) throws XWSSecurityException {
        //resolve the ProofKey here and set it into ProcessingContext
        //String itPolicyId = itkb.getPolicyToken().getTokenId();
        String itPolicyId = itkb.getUUID();
        // this will work on the client side only
        IssuedTokenContext ictx = context.getIssuedTokenContext(itPolicyId);
        boolean clientSide = true;
        if (ictx == null) {
            // on the server we have the TrustCredentialHolder
            ictx = context.getTrustCredentialHolder();
            clientSide = false;
        }

        if (ictx == null) {
            throw new XWSSecurityException("Trust IssuedToken not Found");
        }
        if (ictx.getSecurityToken() instanceof GenericToken) {
            itkb.setRealId(((GenericToken)ictx.getSecurityToken()).getId());
        }

        context.setTrustContext(ictx);
        if (ictx.getProofKey() == null){
            //handle asymmetric issued key
            if (clientSide) {
                //TODO: change this later to use the Cert Alias
                X509Certificate cert = context.getSecurityEnvironment().getDefaultCertificate(
                        context.getExtraneousProperties());
                ictx.setRequestorCertificate(cert);
            }  else {
                //nothing todo on server side
            }
        }
    }

    public static void initInferredIssuedTokenContext(FilterProcessingContext wssContext, Token str, Key returnKey) {
        // new code which fixes issues with Brokered Trust.
        IssuedTokenContextImpl ictx = (IssuedTokenContextImpl)wssContext.getTrustCredentialHolder();
        if (ictx == null) {
            ictx = new IssuedTokenContextImpl();
        }

        ictx.setProofKey(returnKey.getEncoded());
        ictx.setUnAttachedSecurityTokenReference(str);
        wssContext.setTrustCredentialHolder(ictx);
    }

    public static boolean isEncryptedKey(SOAPElement elem) {

        return MessageConstants.XENC_ENCRYPTED_KEY_LNAME.equals(elem.getLocalName()) &&
                MessageConstants.XENC_NS.equals(elem.getNamespaceURI());
    }

    public static boolean isBinarySecret(SOAPElement elem) {
        return MessageConstants.BINARY_SECRET_LNAME.equals(elem.getLocalName()) &&
                WSTrustConstants.WST_NAMESPACE.equals(elem.getNamespaceURI());
    }
     @SuppressWarnings("unchecked")
    public static SecurityContextTokenImpl locateBySCTId(FilterProcessingContext context, String sctId) throws XWSSecurityException {

        Hashtable contextMap = context.getIssuedTokenContextMap();

        if (contextMap == null) {
            // print a warning here
            //System.out.println("context.getIssuedTokenContextMap was null.........");
            return null;
        }

        Iterator it = contextMap.entrySet().iterator();

        while (it.hasNext()) {
            Map.Entry entry = it.next();
            String tokenId = (String)entry.getKey();
            Object token = entry.getValue();
            if (token instanceof IssuedTokenContext) {
                Object securityToken = ((IssuedTokenContext)token).getSecurityToken();
                if (securityToken instanceof SecurityContextToken) {
                    SecurityContextToken ret = (SecurityContextToken)securityToken;
                    if (sctId.equals(ret.getIdentifier().toString())) {
                        return new SecurityContextTokenImpl(
                                context.getSOAPMessage().getSOAPPart(), ret.getIdentifier().toString(), ret.getInstance(), ret.getWsuId(), ret.getExtElements());
                    }
                }
            }
        }
        return null;
    }
     @SuppressWarnings("unchecked")
    public static void updateSamlVsKeyCache(SecurityTokenReference str, FilterProcessingContext ctx, Key symKey) {
        com.sun.xml.wss.core.ReferenceElement ref = ((com.sun.xml.wss.core.SecurityTokenReference)str).getReference();
        if (ref instanceof com.sun.xml.wss.core.reference.KeyIdentifier) {
            String assertionId = ((com.sun.xml.wss.core.reference.KeyIdentifier)ref).getReferenceValue();
            ctx.getSamlIdVSKeyCache().putIfAbsent(assertionId, symKey);
        }
    }
     @SuppressWarnings("unchecked")
    public static void updateSamlVsKeyCache(SecurityTokenReferenceType str, FilterProcessingContext ctx, Key symKey) {
        List