Package org.apache.wss4j.common.ext

Examples of org.apache.wss4j.common.ext.WSPasswordCallback


                                 WSSSecurityProperties securityProperties) throws WSSecurityException {
        super(wsInboundSecurityContext, id, keyIdentifier, false);
        this.securityProperties = securityProperties;
        if (securityProperties.getCallbackHandler() != null) {
            // Try to get the Assertion from a CallbackHandler
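            // Ask the application's CallbackHandler for the token registered under this id.
            WSPasswordCallback pwcb =
                new WSPasswordCallback(id, WSPasswordCallback.Usage.CUSTOM_TOKEN);
            try {
                securityProperties.getCallbackHandler().handle(new Callback[]{pwcb});
            } catch (IOException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noPassword", e);
            } catch (UnsupportedCallbackException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noPassword", e);
            }
            Element assertionElem = pwcb.getCustomToken();
            // Take the assertion branch only for an <Assertion> element in the NS_SAML or
            // NS_SAML2 namespace. Both tests must compare the namespace URI: testing NS_SAML2
            // against the Element object itself can never match, which would send every
            // NS_SAML2 assertion down the key-only branch and skip the subject credential lookup.
            if (assertionElem != null && "Assertion".equals(assertionElem.getLocalName())
                && (WSSConstants.NS_SAML.equals(assertionElem.getNamespaceURI())
                || WSSConstants.NS_SAML2.equals(assertionElem.getNamespaceURI()))) {
                this.samlAssertionWrapper = new SamlAssertionWrapper(assertionElem);

                // Resolve the subject's key material using the signature-verification crypto
                // and the same callback handler.
                subjectKeyInfo =
                    SAMLUtil.getCredentialFromSubject(samlAssertionWrapper, null,
                                                      securityProperties.getSignatureVerificationCrypto(),
                                                      securityProperties.getCallbackHandler());
            } else {
                // Possibly an Encrypted Assertion...just get the key.
                // No assertion is wrapped on this path; the key material is whatever the
                // callback handler supplied.
                this.samlAssertionWrapper = null;
                secret = pwcb.getKey();
                key = pwcb.getKeyObject();
                // A private key from the handler marks this token as asymmetric.
                if (this.key instanceof PrivateKey) {
                    super.setAsymmetric(true);
                }
            }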
           


    }

    /**
     * Resolves the private key stored under this token's alias.
     *
     * <p>The key password is requested from the callback handler with
     * {@code Usage.DECRYPT}. The token's own crypto is tried first; if it fails
     * and a distinct decryption crypto is configured, that one is tried with the
     * same alias and password.
     *
     * @param algorithmURI   not used by this implementation
     * @param algorithmUsage not used by this implementation
     * @param correlationID  not used by this implementation
     * @return the private key for the alias
     * @throws XMLSecurityException if the password callback fails or neither crypto
     *                              yields a key
     */
    @Override
    public Key getKey(String algorithmURI, XMLSecurityConstants.AlgorithmUsage algorithmUsage,
                      String correlationID) throws XMLSecurityException {
        // The password never comes from the message; it is supplied by the application's handler.
        final WSPasswordCallback decryptCallback =
            new WSPasswordCallback(getAlias(), WSPasswordCallback.Usage.DECRYPT);
        WSSUtils.doPasswordCallback(getCallbackHandler(), decryptCallback);

        try {
            return getCrypto().getPrivateKey(getAlias(), decryptCallback.getPassword());
        } catch (WSSecurityException primaryFailure) {
            // The token may be used for decryption rather than signature verification,
            // in which case the key lives in the decryption crypto.
            final Crypto fallbackCrypto = securityProperties.getDecryptionCrypto();
            if (fallbackCrypto == null || fallbackCrypto == getCrypto()) {
                // Nothing else to try: surface the original failure.
                throw primaryFailure;
            }
            return fallbackCrypto.getPrivateKey(getAlias(), decryptCallback.getPassword());
        }
    }

        // Reuse a key already stored for this algorithm URI.
        Key key = getSecretKey().get(algorithmURI);
        if (key != null) {
            return key;
        }

        // Otherwise ask the callback handler for the raw secret, identified by the
        // SHA-1 identifier with value type NS_ENCRYPTED_KEY_SHA1.
        WSPasswordCallback secretKeyCallback =
                new WSPasswordCallback(getSha1Identifier(), null,
                        WSSConstants.NS_ENCRYPTED_KEY_SHA1, WSPasswordCallback.Usage.SECRET_KEY);
        WSSUtils.doSecretKeyCallback(callbackHandler, secretKeyCallback, getSha1Identifier());
        // A handler that does not know the identifier leaves the key unset; fail rather than continue.
        if (secretKeyCallback.getKey() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKey", getSha1Identifier());
        }

        // Wrap the handler-supplied bytes for the JCE algorithm mapped from the URI.
        // NOTE(review): the bytes are used as-is; no length check against the algorithm is
        // visible here. If JCEMapper has no mapping and returns null, SecretKeySpec rejects
        // a null algorithm with IllegalArgumentException - confirm JCEMapper's contract.
        String keyAlgorithm = JCEMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
        key = new SecretKeySpec(secretKeyCallback.getKey(), keyAlgorithm);
        // Store the key under the algorithm URI so later calls take the early return above.
        setSecretKey(algorithmURI, key);
        return key;
    }

                                 WSSSecurityProperties securityProperties,
                                 boolean included) throws WSSecurityException {
        super(wsInboundSecurityContext, id, keyIdentifier, included);
        // Without a callback handler nothing is fetched here and tokenElement is not assigned
        // by this block.
        if (securityProperties.getCallbackHandler() != null) {
            // Try to get the token from a CallbackHandler
            WSPasswordCallback pwcb =
                new WSPasswordCallback(id, WSPasswordCallback.Usage.CUSTOM_TOKEN);
            try {
                securityProperties.getCallbackHandler().handle(new Callback[]{pwcb});
            } catch (IOException e) {
                // Handler failures surface as a generic FAILURE with the "noPassword" message key.
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noPassword", e);
            } catch (UnsupportedCallbackException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noPassword", e);
            }
            // Both the token element and its key are whatever the handler returned for this id.
            // NOTE(review): no validation of the returned element is visible in this excerpt;
            // the handler is the trust boundary - confirm where the token is checked.
            this.tokenElement = pwcb.getCustomToken();
            this.key = pwcb.getKey();
        }
       
        if (this.tokenElement == null) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, "noToken", id

            // Symmetric HMAC-SHA1 signature; the shared key is handed out by the handler below.
            securityProperties.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#hmac-sha1");
            securityProperties.setCallbackHandler(
                    new org.apache.wss4j.stax.test.CallbackHandlerImpl(key.getEncoded()){
                        // Test fixture: returns the same key bytes on the first callback without
                        // checking its type, usage or identifier. The unchecked cast throws
                        // ClassCastException for any other callback type, so this shape is only
                        // suitable for tests.
                        @Override
                        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                            WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
                            pc.setKey(key.getEncoded());
                        }
                    }
            );

            // Build the outbound security processor from the properties configured above.
            OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                if ((pc.getUsage() == WSPasswordCallback.Usage.SECRET_KEY)
                    || (pc.getUsage() == WSPasswordCallback.Usage.SECURITY_CONTEXT_TOKEN)) {
                    byte[] secret = this.secrets.get(pc.getIdentifier());
                    if (secret == null) {
                        secret = outboundSecret;
                    }
                    pc.setKey(secret);
                    break;
                }
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }

            // The id of the custom token to emit is read from the security context.
            String tokenId = outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_CUSTOM_TOKEN);
            if (tokenId == null) {
                // Thrown without a message key, so the failure carries no detail about the missing id.
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
            }
               
            // Fetch the token element for that id from the application's callback handler.
            WSPasswordCallback wsPasswordCallback = new WSPasswordCallback(tokenId, WSPasswordCallback.Usage.CUSTOM_TOKEN);
            WSSUtils.doPasswordCallback(
                    ((WSSSecurityProperties) getSecurityProperties()).getCallbackHandler(),
                    wsPasswordCallback);
            Element customToken = wsPasswordCallback.getCustomToken();
            // A handler that does not supply the element is treated as a hard failure.
            if (customToken == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
            }
           
            FinalUnknownTokenOutputProcessor outputProcessor =

                            String alias = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().
                                    getX509Identifier(x509Certificate);
                            if (alias == null) {
                                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "aliasIsNull");
                            }
                            WSPasswordCallback wsPasswordCallback = new WSPasswordCallback(alias, WSPasswordCallback.Usage.SIGNATURE);
                            WSSUtils.doPasswordCallback(
                                    ((WSSSecurityProperties) getSecurityProperties()).getCallbackHandler(),
                                    wsPasswordCallback);
                            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
                            cryptoType.setAlias(alias);
                            samlKeyInfo.setCerts(((WSSSecurityProperties) getSecurityProperties()).
                                    getSignatureCrypto().getX509Certificates(cryptoType));
                            samlKeyInfo.setPrivateKey(((WSSSecurityProperties) getSecurityProperties()).
                                    getSignatureCrypto().getPrivateKey(alias, wsPasswordCallback.getPassword()));
                        } else if (keyInfoBean.getPublicKey() != null) {
                            PublicKey publicKey = keyInfoBean.getPublicKey();
                            samlKeyInfo.setPublicKey(publicKey);
                            samlKeyInfo.setPrivateKey(((WSSSecurityProperties) getSecurityProperties()).
                                    getSignatureCrypto().getPrivateKey(

           
            final byte[] derivedKeyBytes;
            try {
                byte[] secret;
                if (WSSecurityTokenConstants.SecurityContextToken.equals(wrappingSecurityToken.getTokenType())) {
                    WSPasswordCallback passwordCallback = new WSPasswordCallback(wsuIdDKT, WSPasswordCallback.Usage.SECRET_KEY);
                    WSSUtils.doSecretKeyCallback(((WSSSecurityProperties)securityProperties).getCallbackHandler(), passwordCallback, wsuIdDKT);
                    if (passwordCallback.getKey() == null) {
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKey", wsuIdDKT);
                    }
                    secret = passwordCallback.getKey();
                } else {
                    secret = wrappingSecurityToken.getSecretKey("").getEncoded();
                }

                derivedKeyBytes = derivationAlgorithm.createKey(secret, seed, offset, length);

                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCallback");
            }
           
            // The UsernameToken password is obtained from the callback handler for the
            // configured token user; it stays null when no handler is set.
            String password = null;
            if (callbackHandler != null) {
                WSPasswordCallback pwCb = new WSPasswordCallback(((WSSSecurityProperties) getSecurityProperties()).getTokenUser(), WSPasswordCallback.Usage.USERNAME_TOKEN);
                WSSUtils.doPasswordCallback(callbackHandler, pwCb);
                password = pwCb.getPassword();
            }

            // A missing password is fatal unless the token is configured as PASSWORD_NONE.
            if (password == null && WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE != usernameTokenPasswordType) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
            }
