/*
* Copyright 2004,2005 The Apache Software Foundation.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rampart.builder;
import org.apache.axiom.om.OMElement;
import org.apache.axis2.context.MessageContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.RahasConstants;
import org.apache.rahas.TrustException;
import org.apache.rampart.RampartConstants;
import org.apache.rampart.RampartException;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.util.RampartUtil;
import org.apache.ws.secpolicy.Constants;
import org.apache.ws.secpolicy.model.IssuedToken;
import org.apache.ws.secpolicy.model.SecureConversationToken;
import org.apache.ws.secpolicy.model.SupportingToken;
import org.apache.ws.secpolicy.model.Token;
import org.apache.ws.secpolicy.model.X509Token;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.message.WSSecDKEncrypt;
import org.apache.ws.security.message.WSSecEncrypt;
import org.apache.ws.security.message.WSSecEncryptedKey;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Vector;
public class SymmetricBindingBuilder extends BindingBuilder {
private static Log log = LogFactory.getLog(SymmetricBindingBuilder.class);
private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);
private boolean dotDebug = false;
public SymmetricBindingBuilder(){
dotDebug = tlog.isDebugEnabled();
}
public void build(RampartMessageData rmd) throws RampartException {
log.debug("SymmetricBindingBuilder build invoked");
RampartPolicyData rpd = rmd.getPolicyData();
if(rpd.isIncludeTimestamp()) {
this.addTimestamp(rmd);
}
if(rmd.isInitiator()) {
//Setup required tokens
initializeTokens(rmd);
}
if(Constants.ENCRYPT_BEFORE_SIGNING.equals(rpd.getProtectionOrder())) {
this.doEncryptBeforeSig(rmd);
} else {
this.doSignBeforeEncrypt(rmd);
}
log.debug("SymmetricBindingBuilder build invoked : DONE");
}
private void doEncryptBeforeSig(RampartMessageData rmd) throws RampartException {
long t0 = 0, t1 = 0, t2 = 0;
RampartPolicyData rpd = rmd.getPolicyData();
Vector signatureValues = new Vector();
if(dotDebug){
t0 = System.currentTimeMillis();
}
Token encryptionToken = rpd.getEncryptionToken();
Vector encrParts = RampartUtil.getEncryptedParts(rmd);
if(encryptionToken == null && encrParts.size() > 0) {
throw new RampartException("encryptionTokenMissing");
}
if(encryptionToken != null && encrParts.size() > 0) {
//The encryption token can be an IssuedToken or a
//SecureConversationToken
String tokenId = null;
org.apache.rahas.Token tok = null;
if(encryptionToken instanceof IssuedToken) {
tokenId = rmd.getIssuedEncryptionTokenId();
log.debug("Issued EncryptionToken Id : " + tokenId);
} else if(encryptionToken instanceof SecureConversationToken) {
tokenId = rmd.getSecConvTokenId();
log.debug("SCT Id : " + tokenId);
} else if (encryptionToken instanceof X509Token) {
tokenId = setupEncryptedKey(rmd, encryptionToken);
} //TODO SAMLToken
if(tokenId == null || tokenId.length() == 0) {
throw new RampartException("noSecurityToken");
}
/*
* Get hold of the token from the token storage
*/
tok = this.getToken(rmd, tokenId);
/*
* Attach the token into the message based on token inclusion
* values
*/
boolean attached = false;
Element encrTokenElement = null;
Element refList = null;
WSSecDKEncrypt dkEncr = null;
WSSecEncrypt encr = null;
Element encrDKTokenElem = null;
if(Constants.INCLUDE_ALWAYS.equals(encryptionToken.getInclusion()) ||
Constants.INCLUDE_ONCE.equals(encryptionToken.getInclusion()) ||
(rmd.isInitiator() && Constants.INCLUDE_ALWAYS_TO_RECIPIENT.equals(encryptionToken.getInclusion()))) {
encrTokenElement = RampartUtil.appendChildToSecHeader(rmd, tok.getToken());
attached = true;
}
//In the X509 case we MUST add the EncryptedKey
if(encryptionToken instanceof X509Token) {
RampartUtil.appendChildToSecHeader(rmd, tok.getToken());
}
Document doc = rmd.getDocument();
if(encryptionToken.isDerivedKeys()) {
log.debug("Use drived keys");
dkEncr = new WSSecDKEncrypt();
if(attached && tok.getAttachedReference() != null) {
dkEncr.setExternalKey(tok.getSecret(), (Element) doc
.importNode((Element) tok.getAttachedReference(),
true));
} else if(tok.getUnattachedReference() != null) {
dkEncr.setExternalKey(tok.getSecret(), (Element) doc
.importNode((Element) tok.getUnattachedReference(),
true));
} else {
dkEncr.setExternalKey(tok.getSecret(), tok.getId());
}
try {
dkEncr.prepare(doc);
encrDKTokenElem = dkEncr.getdktElement();
RampartUtil.appendChildToSecHeader(rmd, encrDKTokenElem);
refList = dkEncr.encryptForExternalRef(null, encrParts);
} catch (WSSecurityException e) {
throw new RampartException("errorInDKEncr");
} catch (ConversationException e) {
throw new RampartException("errorInDKEncr");
}
} else {
log.debug("NO derived keys, use the shared secret");
encr = new WSSecEncrypt();
encr.setWsConfig(rmd.getConfig());
encr.setEphemeralKey(tok.getSecret());
encr.setDocument(doc);
try {
//Encrypt, get hold of the ref list and add it
refList = encr.encryptForExternalRef(null, encrParts);
} catch (WSSecurityException e) {
throw new RampartException("errorInEncryption", e);
}
}
RampartUtil.appendChildToSecHeader(rmd, refList);
if(dotDebug){
t1 = System.currentTimeMillis();
}
this.setInsertionLocation(encrTokenElement);
HashMap sigSuppTokMap = null;
HashMap endSuppTokMap = null;
HashMap sgndEndSuppTokMap = null;
Vector sigParts = RampartUtil.getSignedParts(rmd);
if(this.timestampElement != null){
sigParts.add(new WSEncryptionPart(RampartUtil
.addWsuIdToElement((OMElement) this.timestampElement)));
}
if(rmd.isInitiator()) {
// Now add the supporting tokens
SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
sigSuppTokMap = this.handleSupportingTokens(rmd, sgndSuppTokens);
SupportingToken endSuppTokens = rpd.getEndorsingSupportingTokens();
endSuppTokMap = this.handleSupportingTokens(rmd, endSuppTokens);
SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
sgndEndSuppTokMap = this.handleSupportingTokens(rmd, sgndEndSuppTokens);
SupportingToken supportingToks = rpd.getSupportingTokens();
this.handleSupportingTokens(rmd, supportingToks);
//Setup signature parts
sigParts = addSignatureParts(sigSuppTokMap, sigParts);
sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);
} else {
addSignatureConfirmation(rmd, sigParts);
}
//Sign the message
//We should use the same key in the case of EncryptBeforeSig
signatureValues.add(this.doSymmSignature(rmd, encryptionToken, tok, sigParts));
this.mainSigId = RampartUtil.addWsuIdToElement((OMElement)this.getInsertionLocation());
if(rmd.isInitiator()) {
//Do endorsed signatures
Vector endSigVals = this.doEndorsedSignatures(rmd, endSuppTokMap);
for (Iterator iter = endSigVals.iterator(); iter.hasNext();) {
signatureValues.add(iter.next());
}
//Do signed endorsing signatures
Vector sigEndSigVals = this.doEndorsedSignatures(rmd, sgndEndSuppTokMap);
for (Iterator iter = sigEndSigVals.iterator(); iter.hasNext();) {
signatureValues.add(iter.next());
}
}
if(dotDebug){
t2 = System.currentTimeMillis();
tlog.debug("Encryption took :" + (t1 - t0)
+", Signature tool :" + (t2 - t1) );
}
//Check for signature protection
if(rpd.isSignatureProtection() && this.mainSigId != null) {
long t3 = 0, t4 = 0;
if(dotDebug){
t3 = System.currentTimeMillis();
}
log.debug("Signature protection");
Vector secondEncrParts = new Vector();
//Now encrypt the signature using the above token
secondEncrParts.add(new WSEncryptionPart(this.mainSigId, "Element"));
Element secondRefList = null;
if(encryptionToken.isDerivedKeys()) {
try {
secondRefList = dkEncr.encryptForExternalRef(null,
secondEncrParts);
RampartUtil.insertSiblingAfter(
rmd,
encrDKTokenElem,
secondRefList);
} catch (WSSecurityException e) {
throw new RampartException("errorInDKEncr");
}
} else {
try {
//Encrypt, get hold of the ref list and add it
secondRefList = encr.encryptForExternalRef(null,
encrParts);
RampartUtil.insertSiblingAfter(
rmd,
encrTokenElement,
secondRefList);
} catch (WSSecurityException e) {
throw new RampartException("errorInEncryption", e);
}
}
if(dotDebug){
t4 = System.currentTimeMillis();
tlog.debug("Signature protection took :" + (t4 - t3));
}
}
} else {
throw new RampartException("encryptionTokenMissing");
}
}
private void doSignBeforeEncrypt(RampartMessageData rmd) throws RampartException {
long t0 = 0, t1 = 0, t2 = 0;
RampartPolicyData rpd = rmd.getPolicyData();
Document doc = rmd.getDocument();
if(dotDebug){
t0 = System.currentTimeMillis();
}
Token sigToken = rpd.getSignatureToken();
String encrTokId = null;
String sigTokId = null;
org.apache.rahas.Token encrTok = null;
org.apache.rahas.Token sigTok = null;
Element sigTokElem = null;
Vector signatureValues = new Vector();
if(sigToken != null) {
if(sigToken instanceof SecureConversationToken) {
sigTokId = rmd.getSecConvTokenId();
} else if(sigToken instanceof IssuedToken) {
sigTokId = rmd.getIssuedSignatureTokenId();
} else if(sigToken instanceof X509Token) {
sigTokId = setupEncryptedKey(rmd, sigToken);
}
} else {
throw new RampartException("signatureTokenMissing");
}
if(sigTokId == null || sigTokId.length() == 0) {
throw new RampartException("noSecurityToken");
}
sigTok = this.getToken(rmd, sigTokId);
if(Constants.INCLUDE_ALWAYS.equals(sigToken.getInclusion()) ||
Constants.INCLUDE_ONCE.equals(sigToken.getInclusion()) ||
(rmd.isInitiator() &&
Constants.INCLUDE_ALWAYS_TO_RECIPIENT.equals(
sigToken.getInclusion()))) {
sigTokElem = RampartUtil.appendChildToSecHeader(rmd,
sigTok.getToken());
this.setInsertionLocation(sigTokElem);
}
//In the X509 case we MUST add the EncryptedKey
if(sigToken instanceof X509Token) {
sigTokElem = RampartUtil.appendChildToSecHeader(rmd, sigTok.getToken());
//Set the insertion location
this.setInsertionLocation(sigTokElem);
}
HashMap sigSuppTokMap = null;
HashMap endSuppTokMap = null;
HashMap sgndEndSuppTokMap = null;
Vector sigParts = RampartUtil.getSignedParts(rmd);
if(this.timestampElement != null){
sigParts.add(new WSEncryptionPart(RampartUtil
.addWsuIdToElement((OMElement) this.timestampElement)));
}
if(rmd.isInitiator()) {
// Now add the supporting tokens
SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
sigSuppTokMap = this.handleSupportingTokens(rmd, sgndSuppTokens);
SupportingToken endSuppTokens = rpd.getEndorsingSupportingTokens();
endSuppTokMap = this.handleSupportingTokens(rmd, endSuppTokens);
SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
sgndEndSuppTokMap = this.handleSupportingTokens(rmd, sgndEndSuppTokens);
//Setup signature parts
sigParts = addSignatureParts(sigSuppTokMap, sigParts);
sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);
} else {
addSignatureConfirmation(rmd, sigParts);
}
//Sign the message
signatureValues.add(this.doSymmSignature(rmd, sigToken, sigTok, sigParts));
this.mainSigId = RampartUtil.addWsuIdToElement((OMElement)this.getInsertionLocation());
if(rmd.isInitiator()) {
//Do endorsed signatures
Vector endSigVals = this.doEndorsedSignatures(rmd, endSuppTokMap);
for (Iterator iter = endSigVals.iterator(); iter.hasNext();) {
signatureValues.add(iter.next());
}
//Do signed endorsing signatures
Vector sigEndSigVals = this.doEndorsedSignatures(rmd, sgndEndSuppTokMap);
for (Iterator iter = sigEndSigVals.iterator(); iter.hasNext();) {
signatureValues.add(iter.next());
}
}
if(dotDebug){
t1 = System.currentTimeMillis();
}
//Encryption
Token encrToken = rpd.getEncryptionToken();
Element encrTokElem = null;
if(sigToken.equals(encrToken)) {
//Use the same token
encrTokId = sigTokId;
encrTok = sigTok;
encrTokElem = sigTokElem;
} else {
encrTokId = rmd.getIssuedEncryptionTokenId();
encrTok = this.getToken(rmd, encrTokId);
if(Constants.INCLUDE_ALWAYS.equals(encrToken.getInclusion()) ||
Constants.INCLUDE_ONCE.equals(encrToken.getInclusion()) ||
(rmd.isInitiator() && Constants.INCLUDE_ALWAYS_TO_RECIPIENT.equals(encrToken.getInclusion()))) {
encrTokElem = (Element)encrTok.getToken();
//Add the encrToken element before the sigToken element
RampartUtil.insertSiblingBefore(rmd, sigTokElem, encrTokElem);
}
}
Vector encrParts = RampartUtil.getEncryptedParts(rmd);
//Check for signature protection
if(rpd.isSignatureProtection() && this.mainSigId != null) {
//Now encrypt the signature using the above token
encrParts.add(new WSEncryptionPart(this.mainSigId, "Element"));
}
Element refList = null;
if(encrToken.isDerivedKeys() || encrToken instanceof SecureConversationToken) {
try {
WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();
if(encrTokElem != null && encrTok.getAttachedReference() != null) {
dkEncr.setExternalKey(encrTok.getSecret(), (Element) doc
.importNode((Element) encrTok.getAttachedReference(),
true));
} else if(encrTok.getUnattachedReference() != null) {
dkEncr.setExternalKey(encrTok.getSecret(), (Element) doc
.importNode((Element) encrTok.getUnattachedReference(),
true));
} else {
dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId());
}
dkEncr.prepare(doc);
Element encrDKTokenElem = null;
encrDKTokenElem = dkEncr.getdktElement();
if(encrTokElem != null) {
RampartUtil.insertSiblingAfter(rmd, encrTokElem, encrDKTokenElem);
} else {
RampartUtil.insertSiblingAfter(rmd, this.timestampElement, encrDKTokenElem);
}
refList = dkEncr.encryptForExternalRef(null, encrParts);
RampartUtil.insertSiblingAfter(rmd,
encrDKTokenElem,
refList);
} catch (WSSecurityException e) {
throw new RampartException("errorInDKEncr");
} catch (ConversationException e) {
throw new RampartException("errorInDKEncr");
}
} else {
try {
WSSecEncrypt encr = new WSSecEncrypt();
encr.setWsConfig(rmd.getConfig());
//Hack to handle reference id issues
//TODO Need a better fix
if(encrTokId.startsWith("#")) {
encrTokId = encrTokId.substring(1);
}
encr.setEncKeyId(encrTokId);
encr.setEphemeralKey(encrTok.getSecret());
RampartUtil.setEncryptionUser(rmd, encr);
encr.setDocument(doc);
encr.setEncryptSymmKey(false);
encr.prepare(doc, RampartUtil.getEncryptionCrypto(rpd
.getRampartConfig(), rmd.getCustomClassLoader()));
//Encrypt, get hold of the ref list and add it
refList = encr.encryptForExternalRef(null, encrParts);
if(encrTokElem != null) {
RampartUtil.insertSiblingAfter(rmd,
encrTokElem,
refList);
} else {
RampartUtil.insertSiblingAfter(rmd,
this.timestampElement,
refList);
}
} catch (WSSecurityException e) {
throw new RampartException("errorInEncryption", e);
}
}
if(dotDebug){
t2 = System.currentTimeMillis();
tlog.debug("Signature took :" + (t1 - t0)
+", Encryption took :" + (t2 - t1) );
}
}
/**
* @param rmd
* @param sigToken
* @return
* @throws RampartException
*/
private String setupEncryptedKey(RampartMessageData rmd, Token sigToken)
throws RampartException {
try {
WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(rmd,
sigToken);
String id = encrKey.getId();
//Create a rahas token from this info and store it so we can use
//it in the next steps
Date created = new Date();
Date expires = new Date();
//TODO make this lifetime configurable ???
expires.setTime(System.currentTimeMillis() + 300000);
org.apache.rahas.Token tempTok = new org.apache.rahas.Token(
id,
(OMElement) encrKey.getEncryptedKeyElement(),
created,
expires);
tempTok.setSecret(encrKey.getEphemeralKey());
rmd.getTokenStorage().add(tempTok);
String bstTokenId = encrKey.getBSTTokenId();
//If direct ref is used to refer to the cert
//then add the cert to the sec header now
if(bstTokenId != null && bstTokenId.length() > 0) {
RampartUtil.appendChildToSecHeader(rmd,
encrKey.getBinarySecurityTokenElement());
}
return id;
} catch (TrustException e) {
throw new RampartException("errorInAddingTokenIntoStore");
}
}
/**
* Setup the required tokens
* @param rmd
* @param rpd
* @throws RampartException
*/
private void initializeTokens(RampartMessageData rmd) throws RampartException {
RampartPolicyData rpd = rmd.getPolicyData();
MessageContext msgContext = rmd.getMsgContext();
if(rpd.isSymmetricBinding() && !msgContext.isServerSide()) {
log.debug("Processing symmetric binding: " +
"Setting up encryption token and signature token");
//Setting up encryption token and signature token
Token sigTok = rpd.getSignatureToken();
Token encrTok = rpd.getEncryptionToken();
if(sigTok instanceof IssuedToken) {
log.debug("SignatureToken is an IssuedToken");
if(rmd.getIssuedSignatureTokenId() == null) {
log.debug("No Issuedtoken found, requesting a new token");
IssuedToken issuedToken = (IssuedToken)sigTok;
String id = RampartUtil.getIssuedToken(rmd,
issuedToken);
rmd.setIssuedSignatureTokenId(id);
}
} else if(sigTok instanceof SecureConversationToken) {
log.debug("SignatureToken is a SecureConversationToken");
//TODO check for an existing token and use it
String secConvTokenId = rmd.getSecConvTokenId();
//The RSTR has to be secured with the cancelled token
String action = msgContext.getOptions().getAction();
boolean cancelReqResp = action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RSTR_ACTION_CANCEL_SCT) ||
action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RSTR_ACTION_CANCEL_SCT) ||
action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_CANCEL_SCT) ||
action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_CANCEL_SCT);
//In the case of the cancel req or resp we should mark the token as cancelled
if(secConvTokenId != null && cancelReqResp) {
try {
rmd.getTokenStorage().getToken(secConvTokenId).setState(org.apache.rahas.Token.CANCELLED);
msgContext.setProperty(RampartMessageData.SCT_ID, secConvTokenId);
//remove from the local map of contexts
String contextIdentifierKey = RampartUtil.getContextIdentifierKey(msgContext);
RampartUtil.getContextMap(msgContext).remove(contextIdentifierKey);
} catch (TrustException e) {
throw new RampartException("errorExtractingToken");
}
}
if (secConvTokenId == null
|| (secConvTokenId != null &&
(!RampartUtil.isTokenValid(rmd, secConvTokenId) && !cancelReqResp))) {
log.debug("No SecureConversationToken found, " +
"requesting a new token");
SecureConversationToken secConvTok =
(SecureConversationToken) sigTok;
try {
String id = RampartUtil.getSecConvToken(rmd, secConvTok);
rmd.setSecConvTokenId(id);
} catch (TrustException e) {
throw new RampartException("errorInObtainingSct", e);
}
}
}
//If it was the ProtectionToken assertion then sigTok is the
//same as encrTok
if(sigTok.equals(encrTok) && sigTok instanceof IssuedToken) {
log.debug("Symmetric binding uses a ProtectionToken, both" +
" SignatureToken and EncryptionToken are the same");
rmd.setIssuedEncryptionTokenId(rmd.getIssuedEncryptionTokenId());
} else {
//Now we'll have to obtain the encryption token as well :-)
//ASSUMPTION: SecureConversationToken is used as a
//ProtectionToken therefore we only have to process a issued
//token here
log.debug("Obtaining the Encryption Token");
if(rmd.getIssuedEncryptionTokenId() != null) {
log.debug("EncrytionToken not alredy set");
IssuedToken issuedToken = (IssuedToken)encrTok;
String id = RampartUtil.getIssuedToken(rmd,
issuedToken);
rmd.setIssuedEncryptionTokenId(id);
}
}
}
//TODO : Support processing IssuedToken and SecConvToken assertoins
//in supporting tokens, right now we only support UsernameTokens and
//X.509 Tokens
}
}