Examples of org.jboss.ws.extensions.security.exception.WSSecurityException

• org.jboss.ws.extensions.security.exception.WSSecurityException
  @author Jason T. Greene

   public X509Certificate getCertificateByIssuerSerial(String issuer, String serial) throws WSSecurityException
   {
      if (keyStore == null)
      {
         throw new WSSecurityException("KeyStore not set.");
      }

      try
      {
         Enumeration i = keyStore.aliases();

         while (i.hasMoreElements())
         {
            String alias = (String)i.nextElement();
            Certificate cert = keyStore.getCertificate(alias);
            if (!(cert instanceof X509Certificate))
               continue;

            X509Certificate x509 = (X509Certificate)cert;
            if (issuer.equals(x509.getIssuerDN().toString()) && serial.equals(x509.getSerialNumber().toString()))
               return x509;
         }
      }
      catch (KeyStoreException e)
      {
         throw new WSSecurityException("Problems retrieving cert: " + e.getMessage(), e);
      }

      return null;
   }

   public PrivateKey getPrivateKey(String alias) throws WSSecurityException
   {
      if (keyStore == null)
      {
         throw new WSSecurityException("KeyStore not set.");
      }

      PrivateKey key;
      try
      {
         String password = keyStorePassword;
         if (keyPasswords != null && keyPasswords.containsKey(alias))
             password = keyPasswords.get(alias);
         key = (PrivateKey)keyStore.getKey(alias, decryptPassword(password).toCharArray());
      }
      catch (Exception e)
      {
         throw new WSSecurityException("Problems retrieving private key: " + e.getMessage(), e);
      }

      if (key == null)
         throw new WSSecurityException("Private key (" + alias + ") not in keystore");

      return key;
   }

   public PrivateKey getPrivateKey(X509Certificate cert) throws WSSecurityException
   {
      if (keyStore == null)
      {
         throw new WSSecurityException("KeyStore not set.");
      }

      try
      {
         String alias = keyStore.getCertificateAlias(cert);
         return getPrivateKey(alias);
      }
      catch (Exception e)
      {
         throw new WSSecurityException("Problems retrieving private key: " + e.getMessage(), e);
      }
   }

         throw new FailedAuthenticationException();
      }

      if (keyStore == null)
      {
         throw new WSSecurityException("TrustStore not set.");
      }

      // Check for the exact entry in the truststore first, then fallback to a CA check
      try
      {
         if (trustStore.getCertificateAlias(cert) != null)
         {
            return;
         }
      }
      catch (KeyStoreException e)
      {
         throw new WSSecurityException("Problems searching truststore", e);
      }

      List list = new ArrayList(1);
      list.add(cert);

      CertPath cp;
      CertPathValidator cpv;
      PKIXParameters parameters;

      try
      {
         cp = CertificateFactory.getInstance("X.509").generateCertPath(list);
         cpv = CertPathValidator.getInstance("PKIX");
         parameters = new PKIXParameters(trustStore);

         // We currently don't support CRLs
         parameters.setRevocationEnabled(false);
      }
      catch (Exception e)
      {
         throw new WSSecurityException("Problems setting up certificate validation", e);
      }

      try
      {
         cpv.validate(cp, parameters);
      }
      catch (CertPathValidatorException cpve)
      {
         log.debug("Certificate is invalid:", cpve);
         throw new FailedAuthenticationException();
      }
      catch (InvalidAlgorithmParameterException e)
      {
         throw new WSSecurityException("Problems setting up certificate validation", e);
      }
   }

      {
         Calendar cal = SimpleTypeBindings.unmarshalDateTime(token.getCreated());
         Calendar ref = Calendar.getInstance();
         ref.add(Calendar.SECOND, -TIMESTAMP_FRESHNESS_THRESHOLD);
         if (ref.after(cal))
            throw new WSSecurityException("Request rejected since a stale timestamp has been provided: " + token.getCreated());
      }
      String nonce = token.getNonce();
      if (nonce != null)
      {
         if (nonceStore.hasNonce(nonce))
            throw new WSSecurityException("Request rejected since a message with the same nonce has been recently received; nonce = " + nonce);
         nonceStore.putNonce(nonce);
      }
   }

      {
         throw new FailedCheckException("Decryption was invalid.");
      }
      catch (Exception e)
      {
         throw new WSSecurityException("Could not decrypt element: " + e.getMessage(), e);
      }

      if (isContent)
         return Util.getWsuId(previous);

      ReferenceList list = key.getReferenceList();
      for (String uri : list.getAllReferences())
      {
         Element element = Util.findElementByWsuId(message.getDocumentElement(), uri);
         if (element == null)
            throw new WSSecurityException("A reference list refered to an element that was not found: " + uri);

         if (!isEncryptedData(element))
            throw new WSSecurityException("Malformed reference list, a non encrypted data element was referenced: " + uri);

         ids.add(decryptElement(element, key.getSecretKey()));
      }

      return ids;

   public KeyIdentifier(Element element) throws WSSecurityException
   {
      this.doc = element.getOwnerDocument();

      if (! "KeyIdentifier".equals(element.getLocalName()))
         throw new WSSecurityException("Invalid message, invalid local name on a KeyIdentifier");

      String valueType = element.getAttribute("ValueType");
      if (valueType == null || valueType.length() == 0)
         throw new WSSecurityException("Inavliad message, KeyIdentifier element is missing an ValueType");

      if (! SKI_TYPE.equals(valueType))
         throw new WSSecurityException("Currently only SubjectKeyIdentifiers are supported, was passed: " + valueType);

      // Lets be soft on encoding type since other clients don't properly use it
      this.value = XMLUtils.getFullTextChildrenFromElement(element);
   }

   }

   public void referenceToken(BinarySecurityToken token) throws WSSecurityException
   {
      if (! (token instanceof X509Token))
         throw new WSSecurityException("KeyIdentifier tried to reference something besides an X509 token");

      X509Token x509 = (X509Token) token;
      X509Certificate cert = x509.getCert();

      // Maybee we should make one ourselves if it isn't there?
      byte[] encoded = cert.getExtensionValue("2.5.29.14");
      if (encoded == null)
         throw new WSSecurityException("Certificate did not contain a subject key identifier!");

      // We need to skip 4 bytes [(OCTET STRING) (LENGTH)[(OCTET STRING) (LENGTH) (Actual data)]]
      int trunc = encoded.length - 4;

      byte[] identifier = new byte[trunc];

      {
         return Base64.decode(value);
      }
      catch (Base64DecodingException e)
      {
         throw new WSSecurityException("Error decoding key identifier", e);
      }
   }