Examples of org.apache.ws.security.message.WSSecSignature

org.apache.ws.security.message.WSSecSignature
Creates a Signature according to WS Specification, X509 profile. This class is a re-factored implementation of the previous WSS4J class WSSignEnvelope. This new class allows better control of the process to create a Signature and to add it to the Security header. The flexibility and fine granular control is required to implement a handler that uses WSSecurityPolicy files to control the setup of a Security header. @author Davanum Srinivas (dims@yahoo.com) @author Werner Dittmann (werner@apache.org)

     */
    public void testEncryptionSigning() throws Exception {
        SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
        SOAPEnvelope envelope = null;
        WSSecEncrypt encrypt = new WSSecEncrypt();
        WSSecSignature sign = new WSSecSignature();
        encrypt.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e");
        sign.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
        log.info("Before Encryption....");
        Document doc = unsignedEnvelope.getAsDocument();


        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);


        Document encryptedDoc = encrypt.build(doc, crypto, secHeader);
        Document encryptedSignedDoc = sign.build(encryptedDoc, crypto,
                secHeader);
        /*
         * convert the resulting document into a message first. The
         * toSOAPMessage() mehtod performs the necessary c14n call to properly
         * set up the signed document and convert it into a SOAP message. After

View Full Code Here

        builder.setUserInfo("wernerd", "verySecret");
        builder.addCreated();
        builder.addNonce();
        builder.prepare(doc);
        
        WSSecSignature sign = new WSSecSignature();
        sign.setUsernameToken(builder);
        sign.setKeyIdentifierType(WSConstants.UT_SIGNING);
        sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
        log.info("Before signing....");
        sign.build(doc, null, secHeader);
        log.info("Before adding UsernameToken PW Text....");
        builder.prependToHeader(secHeader);
        Document signedDoc = doc;
        Message signedMsg = (Message) SOAPUtil.toSOAPMessage(signedDoc);
        if (log.isDebugEnabled()) {

View Full Code Here

     * <p/>
     * 
     * @throws java.lang.Exception Thrown when there is any problem in signing or verification
     */
    public void testX509SignatureIS() throws Exception {
        WSSecSignature builder = new WSSecSignature();
        builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
        builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
        log.info("Before Signing IS....");
        Document doc = unsignedEnvelope.getAsDocument();
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);
        Document signedDoc = builder.build(doc, crypto, secHeader);


        /*
         * convert the resulting document into a message first. The toSOAPMessage()
         * mehtod performs the necessary c14n call to properly set up the signed
         * document and convert it into a SOAP message. After that we extract it

View Full Code Here

     * <p/>
     * 
     * @throws java.lang.Exception Thrown when there is any problem in signing or verification
     */
    public void testDoubleX509SignatureIS() throws Exception {
        WSSecSignature builder = new WSSecSignature();
        builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
        Document doc = unsignedEnvelope.getAsDocument();
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);
        Document signedDoc = builder.build(doc, crypto, secHeader);
        Document signedDoc1 = builder.build(signedDoc, crypto, secHeader);
        verify(signedDoc1);
    }

View Full Code Here

     * 
     * If TokenProtection is enabled add an appropriate signature reference.
     * 
     * TODO Check / enable for STRTransform
     */
    WSSecSignature iniSignature = null;
    WSS4JPolicyToken iniToken = null;
    if ((iniToken = wpd.getInitiatorToken()) != null) {
      iniSignature = new WSSecSignature();
      iniSignature.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e",
          "security");
      iniSignature.setKeyIdentifierType(iniToken.getKeyIdentifier());
      iniSignature.setSignatureAlgorithm(iniToken.getSigAlgorithm());
      iniSignature.prepare(doc, crypto, secHeader);
      if (wpd.isSignatureProtection()) {
        encPartsInternal.add(new WSEncryptionPart(iniSignature.getId(),
            "Element"));
      }
      if (wpd.isTokenProtection()) {
        sigParts.add(new WSEncryptionPart("Token", null, null));
      }
    }


    Element body = WSSecurityUtil.findBodyElement(doc, soapConstants);
    if (body == null) {
      System.out
          .println("No SOAP Body found - illegal message structure. Processing terminated");
      return;
    }
    WSEncryptionPart bodyPart = new WSEncryptionPart("Body", soapConstants
        .getEnvelopeURI(), "Content");


    /*
     * Check the protection order. If Encrypt before signing then first take
     * all parts and elements to encrypt and encrypt them. Take their ids
     * after encryption and put them to the parts to be signed.
     * 
     */
    Element externRefList = null;
    if (Constants.ENCRYPT_BEFORE_SIGNING.equals(wpd.getProtectionOrder())) {
      /*
       * Process Body: it sign and encrypt: first encrypt the body, insert
       * the body to the parts to be signed.
       * 
       * If just to be signed: add the plain Body to the parts to be
       * signed
       */
      if (wpd.isSignBody()) {
        if (wpd.isEncryptBody()) {
          Vector parts = new Vector();
          parts.add(bodyPart);
          externRefList = recEncrypt.encryptForExternalRef(
              externRefList, parts);
          sigParts.add(bodyPart);
        } else {
          sigParts.add(bodyPart);
        }
      }
      /*
       * Here we need to handle signed/encrypted parts:
       * 
       * Get all parts that need to be encrypted _and_ signed, encrypt
       * them, get ids of thier encrypted data elements and add these ids
       * to the parts to be signed
       * 
       * Then encrypt the remaining parts that don't need to be signed.
       * 
       * Then add the remaining parts that don't nedd to be encrypted to
       * the parts to be signed.
       * 
       * Similar handling for signed/encrypted elements (compare XPath
       * strings?)
       * 
       * After all elements are encrypted put the external refernce list
       * to the security header. is at the bottom of the security header)
       */


      recEncrypt.addExternalRefElement(externRefList, secHeader);


      /*
       * Now handle the supporting tokens - according to OASIS WSP
       * supporting tokens are not part of a Binding assertion but a top
       * level assertion similar to Wss11 or SignedParts. If supporting
       * tokens are available their BST elements have to be added later
       * (probably prepended to the initiator token - see below)
       */


      /*
       * Now add the various elements to the header. We do a strict layout
       * here.
       * 
       */
      /*
       * Prepend Signature to the supporting tokens that sign the primary
       * signature
       */
      iniSignature.prependToHeader(secHeader);
      /*
       * This prepends a possible initiator token to the security header
       */
      iniSignature.prependBSTElementToHeader(secHeader);
      /*
       * Here prepend BST elements of supporting tokens
       * (EndorsingSupportTokens), then prepend supporting token that do
       * not sign the primary signature but are signed by the primary
       * signature. Take care of the TokenProtection protery!?
       */


      /*
       * Add the encrypted key element and then the associated BST element
       * recipient token)
       */
      recEncrypt.prependToHeader(secHeader);
      recEncrypt.prependBSTElementToHeader(secHeader);


      /*
       * Now we are ready to per Signature processing.
       * 
       * First the primary Signature then supporting tokens (Signatures)
       * that sign the primary Signature.
       */
      timestamp.prependToHeader(secHeader);


      iniSignature.addReferencesToSign(sigParts, secHeader);
      iniSignature.computeSignature();
      Element internRef = recEncrypt.encryptForInternalRef(null,
          encPartsInternal);
      recEncrypt.addInternalRefElement(internRef);
    } else {
      System.out.println("SignBeforeEncrypt needs to be implemented");

View Full Code Here

        encrypt.setEphemeralKey(encrKey.getEphemeralKey());
        encrypt.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES);
        encrypt.setEncryptSymmKey(false);
        encrypt.setEncryptedKeyElement(encrKey.getEncryptedKeyElement());


        WSSecSignature sign = new WSSecSignature();
        sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
        sign.setCustomTokenId(encrKey.getId());
        sign.setSecretKey(encrKey.getEphemeralKey());
        sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);


        Document signedDoc = sign.build(doc, crypto, secHeader);
        Document encryptedSignedDoc = encrypt.build(signedDoc, crypto, secHeader);


        if (LOG.isDebugEnabled()) {
            LOG.debug("Signed and encrypted message with IssuerSerial key identifier (both), 3DES:");
            String outputString =

View Full Code Here

                             SecurityToken tok,
                             boolean included) throws WSSecurityException {
        if (policyToken.isDerivedKeys()) {
            return doSignatureDK(sigs, policyTokenWrapper, policyToken, tok, included);
        } else {
            WSSecSignature sig = new WSSecSignature(wssConfig);
            sig.setWsConfig(wssConfig);
            // If a EncryptedKeyToken is used, set the correct value type to
            // be used in the wsse:Reference in ds:KeyInfo
            int type = included ? WSConstants.CUSTOM_SYMM_SIGNING 
                : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
            if (policyToken instanceof X509Token) {
                if (isRequestor()) {
                    sig.setCustomTokenValueType(
                        WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.ENC_KEY_VALUE_TYPE
                    );
                    sig.setKeyIdentifierType(type);
                } else {
                    //the tok has to be an EncryptedKey token
                    sig.setEncrKeySha1value(tok.getSHA1());
                    sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
                }
            } else {
                //Setting the AttachedReference or the UnattachedReference according to the flag
                Element ref;
                if (included) {
                    ref = tok.getAttachedReference();
                } else {
                    ref = tok.getUnattachedReference();
                }
                
                if (ref != null) {
                    SecurityTokenReference secRef = 
                        new SecurityTokenReference(cloneElement(ref), false);
                    sig.setSecurityTokenReference(secRef);
                    sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                } else {
                    String tokenType = tok.getTokenType();
                    if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
                        || WSConstants.SAML_NS.equals(tokenType)) {
                        sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
                        sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                    } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
                        || WSConstants.SAML2_NS.equals(tokenType)) {
                        sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
                        sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                    } else {
                        sig.setCustomTokenValueType(tokenType);
                        sig.setKeyIdentifierType(type);
                    }
                }
            }
            
            String sigTokId;
            if (included) {
                sigTokId = tok.getWsuId();
                if (sigTokId == null) {
                    if (policyToken instanceof SecureConversationToken
                        || policyToken instanceof SecurityContextToken) {
                        sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
                    }
                    sigTokId = tok.getId();                    
                }
                if (sigTokId.startsWith("#")) {
                    sigTokId = sigTokId.substring(1);
                }
            } else {
                sigTokId = tok.getId();
            }
                           
            
            sig.setCustomTokenId(sigTokId);
            sig.setSecretKey(tok.getSecret());
            sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
            Crypto crypto = null;
            if (sbinding.getProtectionToken() != null) {
                crypto = getEncryptionCrypto(sbinding.getProtectionToken());
            } else {
                crypto = getSignatureCrypto(policyTokenWrapper);
            }
            this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
            sig.prepare(saaj.getSOAPPart(), crypto, secHeader);
            sig.setParts(sigs);
            List<Reference> referenceList = sig.addReferencesToSign(sigs, secHeader);


            //Do signature
            if (bottomUpElement == null) {
                sig.computeSignature(referenceList, false, null);
            } else {
                sig.computeSignature(referenceList, true, bottomUpElement);
            }
            bottomUpElement = sig.getSignatureElement();


            this.mainSigId = sig.getId();
            return sig.getSignatureValue();
        }
    }

View Full Code Here

        sigToken = wrapper.getToken();
        sigParts.addAll(this.getSignedParts());
        if (sigParts.isEmpty()) {
            // Add the BST to the security header if required
            if (!attached && includeToken(sigToken.getInclusion())) {
                WSSecSignature sig = getSignatureBuilder(wrapper, sigToken, attached, false);
                sig.prependBSTElementToHeader(secHeader);
            } 
            return;
        }
        if (sigToken.isDerivedKeys()) {
            // Set up the encrypted key to use
            setupEncryptedKey(wrapper, sigToken);
            
            WSSecDKSign dkSign = new WSSecDKSign(wssConfig);
            dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);


            // Set the algo info
            dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite()
                    .getSymmetricSignature());
            dkSign.setDerivedKeyLength(abinding.getAlgorithmSuite()
                    .getSignatureDerivedKeyLength() / 8);
            dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
                    + WSConstants.ENC_KEY_VALUE_TYPE);
            
            try {
                dkSign.prepare(saaj.getSOAPPart(), secHeader);


                if (abinding.isTokenProtection()) {
                    WSEncryptionPart ekPart = 
                        new WSEncryptionPart(encrKey.getId());
                    ekPart.setElement(encrKey.getEncryptedKeyElement());
                    sigParts.add(ekPart);
                }


                dkSign.setParts(sigParts);


                List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, secHeader);


                // Add elements to header
                addDerivedKeyElement(dkSign.getdktElement());
                
                //Do signature
                if (bottomUpElement == null) {
                    dkSign.computeSignature(referenceList, false, null);
                } else {
                    dkSign.computeSignature(referenceList, true, bottomUpElement);
                }
                bottomUpElement = dkSign.getSignatureElement();
                signatures.add(dkSign.getSignatureValue());
                
                mainSigId = dkSign.getSignatureId();
            } catch (Exception ex) {
                throw new Fault(ex);
            }
        } else {
            WSSecSignature sig = getSignatureBuilder(wrapper, sigToken, attached, false);
                      
            // This action must occur before sig.prependBSTElementToHeader
            if (abinding.isTokenProtection()
                    && sig.getBSTTokenId() != null) {
                WSEncryptionPart bstPart = 
                    new WSEncryptionPart(sig.getBSTTokenId());
                bstPart.setElement(sig.getBinarySecurityTokenElement());
                sigParts.add(bstPart);
            }


            sig.prependBSTElementToHeader(secHeader);
            
            List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);
            //Do signature
            if (bottomUpElement == null) {
                sig.computeSignature(referenceList, false, null);
            } else {
                sig.computeSignature(referenceList, true, bottomUpElement);
            }
            bottomUpElement = sig.getSignatureElement();
            
            signatures.add(sig.getSignatureValue());
                        
            mainSigId = sig.getId();
        }
    }

View Full Code Here

                }
        
                if (secToken.getX509Certificate() == null) {  
                    ret.put(token, new WSSecurityTokenHolder(wssConfig, secToken));
                } else {
                    WSSecSignature sig = new WSSecSignature(wssConfig);                    
                    sig.setX509Certificate(secToken.getX509Certificate());
                    sig.setCustomTokenId(secToken.getId());
                    sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                    String tokenType = secToken.getTokenType();
                    if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
                        || WSConstants.SAML_NS.equals(tokenType)) {
                        sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
                    } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
                        || WSConstants.SAML2_NS.equals(tokenType)) {
                        sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
                    } else if (tokenType != null) {
                        sig.setCustomTokenValueType(tokenType);
                    } else {
                        sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
                    }
                    sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
                    sig.setSigCanonicalization(binding.getAlgorithmSuite().getInclusiveC14n());
                    
                    Crypto crypto = secToken.getCrypto();
                    String uname = null;
                    try {
                        uname = crypto.getX509Identifier(secToken.getX509Certificate());
                    } catch (WSSecurityException e1) {
                        throw new Fault(e1);
                    }


                    String password = getPassword(uname, token, WSPasswordCallback.SIGNATURE);
                    if (password == null) {
                        password = "";
                    }
                    sig.setUserInfo(uname, password);
                    try {
                        sig.prepare(saaj.getSOAPPart(), secToken.getCrypto(), secHeader);
                    } catch (WSSecurityException e) {
                        throw new Fault(e);
                    }
                    
                    if (suppTokens.isEncryptedToken()) {
                        encryptedTokensIdList.add(secToken.getId());
                    }
                    ret.put(token, sig);                
                }


            } else if (token instanceof X509Token) {
                //We have to use a cert
                //Prepare X509 signature
                WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
                Element bstElem = sig.getBinarySecurityTokenElement();
                if (bstElem != null) {
                    sig.prependBSTElementToHeader(secHeader);
                }
                if (suppTokens.isEncryptedToken()) {
                    encryptedTokensIdList.add(sig.getBSTTokenId());
                }
                ret.put(token, sig);
            } else if (token instanceof KeyValueToken) {
                WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
                if (suppTokens.isEncryptedToken()) {
                    encryptedTokensIdList.add(sig.getBSTTokenId());
                }
                ret.put(token, sig);                
            } else if (token instanceof SamlToken) {
                AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
                if (assertionWrapper != null) {

View Full Code Here

            
            Object tempTok = entry.getValue();
            WSEncryptionPart part = null;
            
            if (tempTok instanceof WSSecSignature) {
                WSSecSignature tempSig = (WSSecSignature) tempTok;
                SecurityTokenReference secRef = tempSig.getSecurityTokenReference();
                // TODO Add support for SAML2 here
                if ((WSConstants.WSS_SAML_KI_VALUE_TYPE).equals(secRef.getKeyIdentifierValueType())) {
                    
                    Element secRefElement = cloneElement(secRef.getElement());
                    addSupportingElement(secRefElement);
                               
                    part = new WSEncryptionPart("STRTransform", null, "Element");
                    part.setId(tempSig.getSecurityTokenReferenceURI());
                    part.setElement(secRefElement);
                } else {
                    if (tempSig.getBSTTokenId() != null) {
                        part = new WSEncryptionPart(tempSig.getBSTTokenId());
                        part.setElement(tempSig.getBinarySecurityTokenElement());
                    }
                }
            } else if (tempTok instanceof WSSecUsernameToken) {
                WSSecUsernameToken unt = (WSSecUsernameToken)tempTok;
                part = new WSEncryptionPart(unt.getId());

View Full Code Here

0 1 2 3 4 5 6 7 8 9

TOP

Related Classes of org.apache.ws.security.message.WSSecSignature

br.net.woodstock.rockframework.web.ws.wss4j.WSS4JHelper

br.net.woodstock.rockframework.ws.wss4j.WSS4JHelper

com.eviware.soapui.impl.wsdl.support.wss.entries.AddSignatureEntry

com.eviware.soapui.impl.wsdl.support.wss.entries.SignatureEntry

org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder

org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler

org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler

org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler

org.apache.rampart.builder.AsymmetricBindingBuilder

org.apache.rampart.builder.BindingBuilder

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.