Examples of KeyRequirements

• org.apache.cxf.sts.request.KeyRequirements
  This class contains values that have been extracted from a RequestSecurityToken corresponding to various key and encryption requirements.

Examples of org.apache.cxf.sts.request.KeyRequirements

    @org.junit.Test
    public void testDefaultSaml2BearerDifferentC14nAssertion() throws Exception {
        TokenProvider samlTokenProvider = new SAMLTokenProvider();
        TokenProviderParameters providerParameters =
            createProviderParameters(WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE);
        KeyRequirements keyRequirements = providerParameters.getKeyRequirements();

        keyRequirements.setC14nAlgorithm(WSConstants.C14N_EXCL_WITH_COMMENTS);

        // This will fail as the requested c14n algorithm is rejected
        TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
        assertTrue(providerResponse != null);
        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);

Examples of org.apache.cxf.sts.request.KeyRequirements

        }

        TokenProvider samlTokenProvider = new SAMLTokenProvider();
        TokenProviderParameters providerParameters =
            createProviderParameters(WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE);
        KeyRequirements keyRequirements = providerParameters.getKeyRequirements();

        String signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
        keyRequirements.setSignatureAlgorithm(signatureAlgorithm);

        // This will fail as the requested signature algorithm is rejected
        TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
        assertTrue(providerResponse != null);
        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);

Examples of org.apache.cxf.sts.request.KeyRequirements

    @org.junit.Test
    public void testDefaultSaml2EncryptWith() throws Exception {
        TokenProvider samlTokenProvider = new SAMLTokenProvider();
        TokenProviderParameters providerParameters =
            createProviderParameters(WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.SYMMETRIC_KEY_KEYTYPE);
        KeyRequirements keyRequirements = providerParameters.getKeyRequirements();

        keyRequirements.setEncryptWith(WSConstants.AES_128);
        keyRequirements.setKeySize(92);
        TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
        assertTrue(providerResponse != null);
        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);

        keyRequirements.setKeySize(128);
        keyRequirements.setEncryptWith(WSConstants.AES_256);
        providerResponse = samlTokenProvider.createToken(providerParameters);
        assertTrue(providerResponse != null);
        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
    }

Examples of org.apache.cxf.sts.request.KeyRequirements

        TokenRequirements tokenRequirements = new TokenRequirements();
        tokenRequirements.setTokenType(tokenType);
        parameters.setTokenRequirements(tokenRequirements);

        KeyRequirements keyRequirements = new KeyRequirements();
        keyRequirements.setKeyType(keyType);
        parameters.setKeyRequirements(keyRequirements);

        parameters.setPrincipal(new CustomTokenPrincipal("alice"));
        // Mock up message context
        MessageImpl msg = new MessageImpl();

Examples of org.apache.cxf.sts.request.KeyRequirements

        TokenRequirements tokenRequirements = new TokenRequirements();
        tokenRequirements.setTokenType(tokenType);
        parameters.setTokenRequirements(tokenRequirements);

        KeyRequirements keyRequirements = new KeyRequirements();
        keyRequirements.setKeyType(keyType);
        parameters.setKeyRequirements(keyRequirements);

        parameters.setPrincipal(new CustomTokenPrincipal("alice"));
        // Mock up message context
        MessageImpl msg = new MessageImpl();

Examples of org.apache.cxf.sts.request.KeyRequirements

        TokenRequirements tokenRequirements = new TokenRequirements();
        tokenRequirements.setTokenType(tokenType);
        parameters.setTokenRequirements(tokenRequirements);

        KeyRequirements keyRequirements = new KeyRequirements();
        keyRequirements.setKeyType(keyType);
        parameters.setKeyRequirements(keyRequirements);

        parameters.setPrincipal(new CustomTokenPrincipal("alice"));
        // Mock up message context
        MessageImpl msg = new MessageImpl();

Examples of org.apache.cxf.sts.request.KeyRequirements

        testKeyType(tokenParameters);
        byte[] secret = null;
        byte[] entropyBytes = null;
        long keySize = 0;
        boolean computedKey = false;
        KeyRequirements keyRequirements = tokenParameters.getKeyRequirements();
        TokenRequirements tokenRequirements = tokenParameters.getTokenRequirements();
        LOG.fine("Handling token of type: " + tokenRequirements.getTokenType());

        if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyRequirements.getKeyType())) {
            SymmetricKeyHandler keyHandler = new SymmetricKeyHandler(tokenParameters);
            keyHandler.createSymmetricKey();
            secret = keyHandler.getSecret();
            entropyBytes = keyHandler.getEntropyBytes();
            keySize = keyHandler.getKeySize();

Examples of org.apache.cxf.sts.request.KeyRequirements

    /**
     * Do some tests on the KeyType parameter.
     */
    private void testKeyType(TokenProviderParameters tokenParameters) {
        KeyRequirements keyRequirements = tokenParameters.getKeyRequirements();

        String keyType = keyRequirements.getKeyType();
        if (STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
            if (keyRequirements.getReceivedKey() == null
                || (keyRequirements.getReceivedKey().getX509Cert() == null
                    && keyRequirements.getReceivedKey().getPublicKey() == null)) {
                LOG.log(Level.WARNING, "A PublicKey Keytype is requested, but no certificate is provided");
                throw new STSException(
                    "No client certificate for PublicKey KeyType", STSException.INVALID_REQUEST
                );
            }

Examples of org.apache.cxf.sts.request.KeyRequirements

     */
    public SubjectBean getSubject(
        TokenProviderParameters providerParameters, Document doc, byte[] secret
    ) {
        TokenRequirements tokenRequirements = providerParameters.getTokenRequirements();
        KeyRequirements keyRequirements = providerParameters.getKeyRequirements();
        STSPropertiesMBean stsProperties = providerParameters.getStsProperties();

        String tokenType = tokenRequirements.getTokenType();
        String keyType = keyRequirements.getKeyType();
        String confirmationMethod = getSubjectConfirmationMethod(tokenType, keyType);

        Principal principal = null;
        ReceivedToken receivedToken = null;
        //[TODO] ActAs support
        //TokenValidator in IssueOperation has validated the ReceivedToken
        //if validation was successful, the principal was set in ReceivedToken
        if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
            receivedToken = providerParameters.getTokenRequirements().getOnBehalfOf();
            if (receivedToken.getState().equals(STATE.VALID)) {
                principal = receivedToken.getPrincipal();
            }
        } else if (providerParameters.getTokenRequirements().getValidateTarget() != null) {
            receivedToken = providerParameters.getTokenRequirements().getValidateTarget();
            if (receivedToken.getState().equals(STATE.VALID)) {
                principal = receivedToken.getPrincipal();
            }
        } else {
            principal = providerParameters.getPrincipal();
        }

        if (principal == null) {
            LOG.fine("Error in getting principal");
            throw new STSException("Error in getting principal", STSException.REQUEST_FAILED);
        }

        SubjectBean subjectBean =
            new SubjectBean(principal.getName(), subjectNameQualifier, confirmationMethod);
        LOG.fine("Creating new subject with principal name: " + principal.getName());
        if (subjectNameIDFormat != null && subjectNameIDFormat.length() > 0) {
            subjectBean.setSubjectNameIDFormat(subjectNameIDFormat);
        }

        if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)) {
            Crypto crypto = stsProperties.getEncryptionCrypto();

            EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
            String encryptionName = encryptionProperties.getEncryptionName();
            if (encryptionName == null) {
                // Fall back on the STS encryption name
                encryptionName = stsProperties.getEncryptionUsername();
            }
            if (encryptionName == null) {
                LOG.fine("No encryption Name is configured for Symmetric KeyType");
                throw new STSException("No Encryption Name is configured", STSException.REQUEST_FAILED);
            }

            CryptoType cryptoType = null;

            // Check for using of service endpoint (AppliesTo) as certificate identifier
            if (STSConstants.USE_ENDPOINT_AS_CERT_ALIAS.equals(encryptionName)) {
                if (providerParameters.getAppliesToAddress() == null) {
                    throw new STSException("AppliesTo is not initilaized for encryption name "
                                           + STSConstants.USE_ENDPOINT_AS_CERT_ALIAS);
                }
                cryptoType = new CryptoType(CryptoType.TYPE.ENDPOINT);
                cryptoType.setEndpoint(providerParameters.getAppliesToAddress());
            } else {
                cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
                cryptoType.setAlias(encryptionName);
            }

            try {
                X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
                if ((certs == null) || (certs.length == 0)) {
                    throw new STSException("Encryption certificate is not found for alias: " + encryptionName);
                }
                KeyInfoBean keyInfo =
                    createKeyInfo(certs[0], secret, doc, encryptionProperties, crypto);
                subjectBean.setKeyInfo(keyInfo);
            } catch (WSSecurityException ex) {
                LOG.log(Level.WARNING, "", ex);
                throw new STSException(ex.getMessage(), ex);
            }
        } else if (STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
            ReceivedKey receivedKey = keyRequirements.getReceivedKey();

            // Validate UseKey trust
            if (stsProperties.isValidateUseKey() && stsProperties.getSignatureCrypto() != null) {
                if (receivedKey.getX509Cert() != null) {
                    try {

Examples of org.apache.cxf.sts.request.KeyRequirements

    private byte[] entropyBytes;
    private byte[] secret;
    private boolean computedKey;

    public SymmetricKeyHandler(TokenProviderParameters tokenParameters) {
        KeyRequirements keyRequirements = tokenParameters.getKeyRequirements();

        keySize = Long.valueOf(keyRequirements.getKeySize()).intValue();
        STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
        SignatureProperties signatureProperties = stsProperties.getSignatureProperties();

        // Test EncryptWith
        String encryptWith = keyRequirements.getEncryptWith();
        if (encryptWith != null) {
            if ((WSConstants.AES_128.equals(encryptWith) || WSConstants.AES_128_GCM.equals(encryptWith))
                && keySize < 128) {
                keySize = 128;
            } else if ((WSConstants.AES_192.equals(encryptWith)
                || WSConstants.AES_192_GCM.equals(encryptWith))
                && keySize < 192) {
                keySize = 192;
            } else if ((WSConstants.AES_256.equals(encryptWith)
                || WSConstants.AES_256_GCM.equals(encryptWith))
                && keySize < 256) {
                keySize = 256;
            } else if (WSConstants.TRIPLE_DES.equals(encryptWith) && keySize < 192) {
                keySize = 192;
            }
        }

        // Test KeySize
        if (keySize < signatureProperties.getMinimumKeySize()
            || keySize > signatureProperties.getMaximumKeySize()) {
            keySize = Long.valueOf(signatureProperties.getKeySize()).intValue();
            LOG.log(
                Level.WARNING, "Received KeySize of " + keyRequirements.getKeySize()
                + " not accepted so defaulting to " + signatureProperties.getKeySize()
            );
        }

        // Test Entropy
        clientEntropy = keyRequirements.getEntropy();
        if (clientEntropy == null) {
            LOG.log(Level.WARNING, "A SymmetricKey KeyType is requested, but no client entropy is provided");
        } else if (clientEntropy.getBinarySecret() != null) {
            BinarySecret binarySecret = clientEntropy.getBinarySecret();
            if (STSConstants.NONCE_TYPE.equals(binarySecret.getBinarySecretType())) {
                byte[] nonce = binarySecret.getBinarySecretValue();
                if (nonce == null || (nonce.length < (keySize / 8))) {
                    LOG.log(Level.WARNING, "User Entropy rejected");
                    clientEntropy = null;
                }
                String computedKeyAlgorithm = keyRequirements.getComputedKeyAlgorithm();
                if (!STSConstants.COMPUTED_KEY_PSHA1.equals(computedKeyAlgorithm)) {
                    LOG.log(
                        Level.WARNING,
                        "The computed key algorithm of " + computedKeyAlgorithm + " is not supported"
                    );