19 package org.apache.wss4j.policy.stax.test;
20
21 import java.util.LinkedList;
22 import java.util.List;
23
24 import javax.xml.namespace.QName;
25
26 import org.apache.wss4j.common.WSSPolicyException;
27 import org.apache.wss4j.common.ext.WSSecurityException;
28 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
29 import org.apache.wss4j.stax.ext.WSSConstants;
30 import org.apache.wss4j.stax.impl.securityToken.X509SecurityTokenImpl;
31 import org.apache.wss4j.stax.securityEvent.DerivedKeyTokenSecurityEvent;
32 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
33 import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
34 import org.apache.wss4j.stax.securityEvent.X509TokenSecurityEvent;
35 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
36 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
37 import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
38 import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
39 import org.junit.jupiter.api.Test;
40
41 import static org.junit.jupiter.api.Assertions.assertEquals;
42 import static org.junit.jupiter.api.Assertions.assertTrue;
43 import static org.junit.jupiter.api.Assertions.fail;
44
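/**
 * Policy-enforcement tests for the {@code sp:RequireDerivedKeys} assertion.
 *
 * <p>Each test builds a policy that requires derived keys on the X.509 tokens of either an
 * {@code sp:AsymmetricBinding} (InitiatorToken / RecipientToken) or an
 * {@code sp:SupportingTokens} assertion, feeds a {@link PolicyEnforcer} the security events a
 * processed message would produce, and checks the outcome:
 * <ul>
 *   <li>positive tests wrap a derived-key token in every X.509 token the policy covers and
 *       expect {@link PolicyEnforcer#doFinal()} to succeed;</li>
 *   <li>negative tests leave a covered token without a derived key and expect the operation
 *       event to be rejected (each test states the exact assertion it makes on the failure).</li>
 * </ul>
 *
 * <p>The policy XML and the event set-up are shared through the constants and helpers at the
 * bottom of the class so that each test reads as the scenario it covers.
 */
public class DerivedKeyTests extends AbstractPolicyTestBase {

    /** {@code sp:X509Token} element carrying a nested {@code sp:RequireDerivedKeys}. */
    private static final String X509_TOKEN_WITH_DERIVED_KEYS =
        " <sp:X509Token>\n"
        + " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n"
        + " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n"
        + " <sp:RequireDerivedKeys/>\n"
        + " </wsp:Policy>\n"
        + " </sp:X509Token>\n";

    /** AsymmetricBinding whose InitiatorToken and RecipientToken both require derived keys. */
    private static final String ASYMMETRIC_BINDING_POLICY =
        "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n"
        + "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n"
        + "<sp:InitiatorToken>\n"
        + " <wsp:Policy>\n"
        + X509_TOKEN_WITH_DERIVED_KEYS
        + " </wsp:Policy>\n"
        + "</sp:InitiatorToken>\n"
        + "<sp:RecipientToken>\n"
        + " <wsp:Policy>\n"
        + X509_TOKEN_WITH_DERIVED_KEYS
        + " </wsp:Policy>\n"
        + "</sp:RecipientToken>\n"
        + " <sp:AlgorithmSuite>\n"
        + " <wsp:Policy>\n"
        + " <sp:Basic256/>\n"
        + " </wsp:Policy>\n"
        + " </sp:AlgorithmSuite>\n"
        + "</wsp:Policy>\n"
        + "</sp:AsymmetricBinding>";

    /** SupportingTokens assertion whose single X509Token requires derived keys. */
    private static final String SUPPORTING_TOKENS_POLICY =
        "<sp:SupportingTokens xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n"
        + "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n"
        + X509_TOKEN_WITH_DERIVED_KEYS
        + " </wsp:Policy>\n"
        + "</sp:SupportingTokens>";

    /** Message the enforcer reports when a covered token is used without a derived key. */
    private static final String DERIVED_KEY_REQUIRED_MESSAGE = "Derived key must be used";

    /**
     * Initiator and recipient tokens both wrap a derived key, and the body is signed and
     * encrypted with the recipient token: the asymmetric policy is satisfied and
     * {@code doFinal()} passes.
     */
    @Test
    public void testDerivedKeyInitiatorTokenPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(ASYMMETRIC_BINDING_POLICY);

        registerX509Token(policyEnforcer,
            newX509TokenWithDerivedKey(WSSecurityTokenConstants.X509V3Token,
                                       WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE));

        X509SecurityTokenImpl recipientToken =
            newX509TokenWithDerivedKey(WSSecurityTokenConstants.X509V3Token,
                                       WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        registerX509Token(policyEnforcer, recipientToken);
        registerProtectedBody(policyEnforcer, recipientToken);

        policyEnforcer.registerSecurityEvent(newOperationEvent());
        policyEnforcer.doFinal();
    }

    /**
     * The initiator (signature) token is used directly, without a derived key, while the
     * recipient token is fine: the operation event must be rejected with
     * {@code "Derived key must be used"} / {@code INVALID_SECURITY}.
     */
    @Test
    public void testDerivedKeyInitiatorTokenPolicyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(ASYMMETRIC_BINDING_POLICY);

        registerX509Token(policyEnforcer,
            newX509Token(WSSecurityTokenConstants.X509V3Token,
                         WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE));

        X509SecurityTokenImpl recipientToken =
            newX509TokenWithDerivedKey(WSSecurityTokenConstants.X509V3Token,
                                       WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        registerX509Token(policyEnforcer, recipientToken);
        registerProtectedBody(policyEnforcer, recipientToken);

        assertOperationRejectedForMissingDerivedKey(policyEnforcer);
    }

    /**
     * Mirror of the previous test: the initiator token wraps a derived key but the recipient
     * (encryption) token does not, so the operation event must be rejected with
     * {@code "Derived key must be used"} / {@code INVALID_SECURITY}.
     */
    @Test
    public void testDerivedKeyRecipientTokenPolicyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(ASYMMETRIC_BINDING_POLICY);

        registerX509Token(policyEnforcer,
            newX509TokenWithDerivedKey(WSSecurityTokenConstants.X509V3Token,
                                       WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE));

        X509SecurityTokenImpl recipientToken =
            newX509Token(WSSecurityTokenConstants.X509V3Token,
                         WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        registerX509Token(policyEnforcer, recipientToken);
        registerProtectedBody(policyEnforcer, recipientToken);

        assertOperationRejectedForMissingDerivedKey(policyEnforcer);
    }

    /** A single V3 supporting token wrapping a derived key satisfies the SupportingTokens policy. */
    @Test
    public void testDerivedKeySupportingTokenPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SUPPORTING_TOKENS_POLICY);

        registerX509Token(policyEnforcer,
            newX509TokenWithDerivedKey(WSSecurityTokenConstants.X509V3Token,
                                       WSSecurityTokenConstants.TOKENUSAGE_SUPPORTING_TOKENS));

        policyEnforcer.registerSecurityEvent(newOperationEvent());
        policyEnforcer.doFinal();
    }

    /**
     * A single V1 supporting token used without a derived key must be rejected with
     * {@code "Derived key must be used"} / {@code INVALID_SECURITY}.
     */
    @Test
    public void testDerivedKeySupportingTokenPolicyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SUPPORTING_TOKENS_POLICY);

        registerX509Token(policyEnforcer,
            newX509Token(WSSecurityTokenConstants.X509V1Token,
                         WSSecurityTokenConstants.TOKENUSAGE_SUPPORTING_TOKENS));

        assertOperationRejectedForMissingDerivedKey(policyEnforcer);
    }

    /** Two V3 supporting tokens, each wrapping its own derived key, satisfy the policy. */
    @Test
    public void testDerivedKeySupportingTokenPolicyAdditionalToken() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SUPPORTING_TOKENS_POLICY);

        registerX509Token(policyEnforcer,
            newX509TokenWithDerivedKey(WSSecurityTokenConstants.X509V3Token,
                                       WSSecurityTokenConstants.TOKENUSAGE_SUPPORTING_TOKENS));
        registerX509Token(policyEnforcer,
            newX509TokenWithDerivedKey(WSSecurityTokenConstants.X509V3Token,
                                       WSSecurityTokenConstants.TOKENUSAGE_SUPPORTING_TOKENS));

        policyEnforcer.registerSecurityEvent(newOperationEvent());
        policyEnforcer.doFinal();
    }

    /**
     * Two V1 supporting tokens, neither wrapping a derived key: the operation event is rejected
     * and the failure's cause is a {@link WSSPolicyException}. Unlike the other negative tests,
     * only the cause type is asserted here, not the message or fault code.
     */
    @Test
    public void testDerivedKeySupportingTokenPolicyAdditionalTokenNegative() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SUPPORTING_TOKENS_POLICY);

        registerX509Token(policyEnforcer,
            newX509Token(WSSecurityTokenConstants.X509V1Token,
                         WSSecurityTokenConstants.TOKENUSAGE_SUPPORTING_TOKENS));
        registerX509Token(policyEnforcer,
            newX509Token(WSSecurityTokenConstants.X509V1Token,
                         WSSecurityTokenConstants.TOKENUSAGE_SUPPORTING_TOKENS));

        try {
            policyEnforcer.registerSecurityEvent(newOperationEvent());
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertTrue(e.getCause() instanceof WSSPolicyException);
        }
    }

    /**
     * A V3 token wrapping a derived key is registered first, then a V1 token without one; the
     * message is still accepted. Presumably the assertion is already satisfied by the first
     * token and the second is not held to it — confirm against the PolicyEnforcer semantics.
     */
    @Test
    public void testDerivedKeySupportingTokenPolicyAdditionalTokenLastIgnore() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SUPPORTING_TOKENS_POLICY);

        registerX509Token(policyEnforcer,
            newX509TokenWithDerivedKey(WSSecurityTokenConstants.X509V3Token,
                                       WSSecurityTokenConstants.TOKENUSAGE_SUPPORTING_TOKENS));
        registerX509Token(policyEnforcer,
            newX509Token(WSSecurityTokenConstants.X509V1Token,
                         WSSecurityTokenConstants.TOKENUSAGE_SUPPORTING_TOKENS));

        policyEnforcer.registerSecurityEvent(newOperationEvent());
        policyEnforcer.doFinal();
    }

    /**
     * Same tokens as the previous test in the opposite order: the V1 token without a derived
     * key comes first, the V3 token with one second; the message is still accepted.
     */
    @Test
    public void testDerivedKeySupportingTokenPolicyAdditionalTokenFirstIgnore() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SUPPORTING_TOKENS_POLICY);

        registerX509Token(policyEnforcer,
            newX509Token(WSSecurityTokenConstants.X509V1Token,
                         WSSecurityTokenConstants.TOKENUSAGE_SUPPORTING_TOKENS));
        registerX509Token(policyEnforcer,
            newX509TokenWithDerivedKey(WSSecurityTokenConstants.X509V3Token,
                                       WSSecurityTokenConstants.TOKENUSAGE_SUPPORTING_TOKENS));

        policyEnforcer.registerSecurityEvent(newOperationEvent());
        policyEnforcer.doFinal();
    }

    /**
     * Creates an X.509 token of the given type tagged with the given usage and no wrapped tokens,
     * i.e. a token that protects the message directly.
     *
     * @param tokenType  X.509 token type (e.g. {@code X509V3Token})
     * @param tokenUsage role the token plays in the message (signature, encryption, supporting)
     * @return the new token
     * @throws Exception if the test base cannot build the token
     */
    private X509SecurityTokenImpl newX509Token(WSSecurityTokenConstants.TokenType tokenType,
                                               WSSecurityTokenConstants.TokenUsage tokenUsage)
            throws Exception {
        X509SecurityTokenImpl securityToken = getX509Token(tokenType);
        securityToken.addTokenUsage(tokenUsage);
        return securityToken;
    }

    /**
     * Like {@link #newX509Token} but additionally wraps a derived-key token in the X.509 token,
     * which is how a derived key used with that token shows up to the enforcer.
     *
     * @param tokenType  X.509 token type (e.g. {@code X509V3Token})
     * @param tokenUsage role the token plays in the message
     * @return the new token with one wrapped derived-key token
     * @throws Exception if the test base cannot build a token
     */
    private X509SecurityTokenImpl newX509TokenWithDerivedKey(WSSecurityTokenConstants.TokenType tokenType,
                                                             WSSecurityTokenConstants.TokenUsage tokenUsage)
            throws Exception {
        X509SecurityTokenImpl securityToken = newX509Token(tokenType, tokenUsage);
        // The derived-key event itself is never registered; only the wrapping on the X.509 token
        // is what the enforcer sees.
        DerivedKeyTokenSecurityEvent derivedKeyTokenSecurityEvent = new DerivedKeyTokenSecurityEvent();
        derivedKeyTokenSecurityEvent.setSecurityToken(getX509Token(WSSecurityTokenConstants.DerivedKeyToken));
        securityToken.addWrappedToken((InboundSecurityToken) derivedKeyTokenSecurityEvent.getSecurityToken());
        return securityToken;
    }

    /**
     * Wraps {@code securityToken} in an {@link X509TokenSecurityEvent} and registers it.
     *
     * @param policyEnforcer enforcer under test
     * @param securityToken  token to announce
     * @throws WSSecurityException if the enforcer rejects the event
     */
    private static void registerX509Token(PolicyEnforcer policyEnforcer, X509SecurityTokenImpl securityToken)
            throws WSSecurityException {
        X509TokenSecurityEvent x509TokenSecurityEvent = new X509TokenSecurityEvent();
        x509TokenSecurityEvent.setSecurityToken(securityToken);
        policyEnforcer.registerSecurityEvent(x509TokenSecurityEvent);
    }

    /**
     * Registers a signed-part and a content-encrypted-element event for the SOAP 1.1 body, both
     * attributed to {@code protectingToken} with the protection order signature-then-encryption.
     *
     * @param policyEnforcer  enforcer under test
     * @param protectingToken token that signed and encrypted the body
     * @throws WSSecurityException if the enforcer rejects either event
     */
    private static void registerProtectedBody(PolicyEnforcer policyEnforcer, InboundSecurityToken protectingToken)
            throws WSSecurityException {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);

        SignedPartSecurityEvent signedPartSecurityEvent =
            new SignedPartSecurityEvent(protectingToken, true, protectionOrder);
        signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);

        ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
            new ContentEncryptedElementSecurityEvent(protectingToken, true, protectionOrder);
        contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
    }

    /**
     * Builds the operation event that triggers policy evaluation in these tests.
     *
     * @return an event for the {@code definitions} operation
     */
    private static OperationSecurityEvent newOperationEvent() {
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        return operationSecurityEvent;
    }

    /**
     * Registers the operation event and asserts that the enforcer rejects it because a covered
     * token was used without a derived key.
     *
     * @param policyEnforcer enforcer that has already received the token events
     */
    private static void assertOperationRejectedForMissingDerivedKey(PolicyEnforcer policyEnforcer) {
        try {
            policyEnforcer.registerSecurityEvent(newOperationEvent());
            fail("Exception expected");
        } catch (WSSecurityException e) {
            // JUnit's assertEquals takes (expected, actual); keeping that order makes a failure
            // report the right value as "expected".
            assertEquals(DERIVED_KEY_REQUIRED_MESSAGE, e.getMessage());
            assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
        }
    }
}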