
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.ws.security;
21  
22  import javax.xml.namespace.QName;
23  
24  /**
25   * Constants in WS-Security spec.
26   */
27  public final class WSConstants {
28      
29      /*
30       * Standard constants used in WSS4J
31       */
32      
33      //
34      // Namespaces
35      //
36      public static final String WSSE_NS = 
37          "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
38      public static final String WSSE11_NS = 
39          "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
40      public static final String WSU_NS = 
41          "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
42      
43      public static final String SOAPMESSAGE_NS = 
44          "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0";
45      public static final String SOAPMESSAGE_NS11 = 
46          "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1";
47      public static final String USERNAMETOKEN_NS = 
48          "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0";
49      public static final String X509TOKEN_NS = 
50          "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0";
51      public static final String SAMLTOKEN_NS = 
52          "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0";
53      public static final String SAMLTOKEN_NS11 = 
54          "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1";
55      public static final String KERBEROS_NS11 =
56          "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1"; 
57  
58      public static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
59      public static final String ENC_NS = "http://www.w3.org/2001/04/xmlenc#";
60      public static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
61      public static final String XML_NS = "http://www.w3.org/XML/1998/namespace";
62      
63      public static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
64      public static final String SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol";
65      public static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
66      public static final String SAMLP2_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
67      
68      public static final String URI_SOAP11_ENV =
69          "http://schemas.xmlsoap.org/soap/envelope/";
70      public static final String URI_SOAP12_ENV =
71          "http://www.w3.org/2003/05/soap-envelope";
72      public static final String URI_SOAP11_NEXT_ACTOR =
73          "http://schemas.xmlsoap.org/soap/actor/next";
74      public static final String URI_SOAP12_NEXT_ROLE =
75          "http://www.w3.org/2003/05/soap-envelope/role/next";
76      public static final String URI_SOAP12_NONE_ROLE =
77          "http://www.w3.org/2003/05/soap-envelope/role/none";
78      public static final String URI_SOAP12_ULTIMATE_ROLE =
79          "http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver";
80      
81      public static final String C14N_OMIT_COMMENTS = 
82          "http://www.w3.org/TR/2001/REC-xml-c14n-20010315";
83      public static final String C14N_WITH_COMMENTS = 
84          "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments";
85      public static final String C14N_EXCL_OMIT_COMMENTS = 
86          "http://www.w3.org/2001/10/xml-exc-c14n#";
87      public static final String C14N_EXCL_WITH_COMMENTS = 
88          "http://www.w3.org/2001/10/xml-exc-c14n#WithComments";
89      
90      public static final String NS_XMLDSIG_FILTER2 = 
91          "http://www.w3.org/2002/06/xmldsig-filter2";
92      public static final String NS_XMLDSIG_ENVELOPED_SIGNATURE = 
93          SIG_NS + "enveloped-signature";
94      public static final String SWA_ATTACHMENT_CONTENT_SIG_TRANS = 
95          "http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform";
96      public static final String SWA_ATTACHMENT_COMPLETE_SIG_TRANS = 
97          "http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform";
98      
99      public static final String KEYTRANSPORT_RSA15 = 
100         "http://www.w3.org/2001/04/xmlenc#rsa-1_5";
101     public static final String KEYTRANSPORT_RSAOEP = 
102         "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";
103     public static final String TRIPLE_DES = 
104         "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
105     public static final String AES_128 = 
106         "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
107     public static final String AES_256 = 
108         "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
109     public static final String AES_192 = 
110         "http://www.w3.org/2001/04/xmlenc#aes192-cbc";
111     public static final String AES_128_GCM = 
112         "http://www.w3.org/2009/xmlenc11#aes128-gcm";
113     public static final String AES_192_GCM = 
114         "http://www.w3.org/2009/xmlenc11#aes192-gcm";
115     public static final String AES_256_GCM = 
116         "http://www.w3.org/2009/xmlenc11#aes256-gcm";
117     public static final String DSA = 
118         "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
119     public static final String RSA = 
120         "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
121     public static final String RSA_SHA1 = 
122         "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
123     public static final String SHA1 = 
124         "http://www.w3.org/2000/09/xmldsig#sha1";
125     public static final String SHA256 =
126         "http://www.w3.org/2001/04/xmlenc#sha256";
127     public static final String HMAC_SHA1 = 
128         "http://www.w3.org/2000/09/xmldsig#hmac-sha1";
129     public static final String HMAC_SHA256 = 
130         "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256";
131     public static final String HMAC_SHA384 = 
132         "http://www.w3.org/2001/04/xmldsig-more#hmac-sha384";
133     public static final String HMAC_SHA512 = 
134         "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512";
135     public static final String HMAC_MD5 = 
136         "http://www.w3.org/2001/04/xmldsig-more#hmac-md5";
137     
138     public static final String WST_NS = "http://schemas.xmlsoap.org/ws/2005/02/trust";
139     /**
140      * WS-Trust 1.3 namespace
141      */
142     public static final String WST_NS_05_12 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
143     /**
144      * WS-Trust 1.4 namespace
145      */
146     public static final String WST_NS_08_02 = "http://docs.oasis-open.org/ws-sx/ws-trust/200802";
147     
148     public static final String WSC_SCT = "http://schemas.xmlsoap.org/ws/2005/02/sc/sct";
149     
150     public static final String WSC_SCT_05_12 = 
151         "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct";
152 
153     //
154     // Localnames
155     //
156     public static final String WSSE_LN = "Security";
157     public static final String THUMBPRINT ="ThumbprintSHA1";
158     public static final String SAML_ASSERTION_ID = "SAMLAssertionID";
159     public static final String SAML2_ASSERTION_ID = "SAMLID";
160     public static final String ENC_KEY_VALUE_TYPE = "EncryptedKey";
161     public static final String ENC_KEY_SHA1_URI = "EncryptedKeySHA1";
162     public static final String SIG_LN = "Signature";
163     public static final String SIG_INFO_LN = "SignedInfo";
164     public static final String ENC_KEY_LN = "EncryptedKey";
165     public static final String ENC_DATA_LN = "EncryptedData";
166     public static final String REF_LIST_LN = "ReferenceList";
167     public static final String REF_LN = "Reference";
168     public static final String USERNAME_TOKEN_LN = "UsernameToken";
169     public static final String BINARY_TOKEN_LN = "BinarySecurityToken";
170     public static final String TIMESTAMP_TOKEN_LN = "Timestamp";
171     public static final String USERNAME_LN = "Username";
172     public static final String PASSWORD_LN = "Password";
173     public static final String PASSWORD_TYPE_ATTR = "Type";
174     public static final String NONCE_LN = "Nonce";
175     public static final String CREATED_LN = "Created";
176     public static final String EXPIRES_LN = "Expires";
177     public static final String SIGNATURE_CONFIRMATION_LN = "SignatureConfirmation"; 
178     public static final String SALT_LN = "Salt";
179     public static final String ITERATION_LN = "Iteration";
180     public static final String ASSERTION_LN = "Assertion";
181     public static final String PW_DIGEST = "PasswordDigest";
182     public static final String PW_TEXT = "PasswordText";
183     public static final String PW_NONE = "PasswordNone";
184     public static final String ENCRYPTED_HEADER = "EncryptedHeader";
185     public static final String X509_ISSUER_SERIAL_LN = "X509IssuerSerial";
186     public static final String X509_ISSUER_NAME_LN = "X509IssuerName";
187     public static final String X509_SERIAL_NUMBER_LN = "X509SerialNumber";
188     public static final String X509_DATA_LN = "X509Data";
189     public static final String X509_CERT_LN = "X509Certificate";
190     public static final String KEYINFO_LN = "KeyInfo";
191     public static final String KEYVALUE_LN = "KeyValue";
192     public static final String TOKEN_TYPE = "TokenType";
193     
194     public static final String ELEM_ENVELOPE = "Envelope";
195     public static final String ELEM_HEADER = "Header";
196     public static final String ELEM_BODY = "Body";
197     public static final String ATTR_MUST_UNDERSTAND = "mustUnderstand";
198     public static final String ATTR_ACTOR = "actor";
199     public static final String ATTR_ROLE = "role";
200     public static final String NULL_NS = "Null";
201     
202     //
203     // Prefixes
204     //
205     public static final String WSSE_PREFIX = "wsse";
206     public static final String WSSE11_PREFIX = "wsse11";
207     public static final String WSU_PREFIX = "wsu";
208     public static final String DEFAULT_SOAP_PREFIX = "soapenv";
209     public static final String SIG_PREFIX = "ds";
210     public static final String ENC_PREFIX = "xenc";
211     public static final String C14N_EXCL_OMIT_COMMENTS_PREFIX = "ec";
212     
213     
214     //
215     // Fault codes defined in the WSS 1.1 spec under section 12, Error handling
216     //
217     
218     /**
219      * An unsupported token was provided
220      */
221     public static final QName UNSUPPORTED_SECURITY_TOKEN = 
222         new QName(WSSE_NS, "UnsupportedSecurityToken");
223     
224     /**
225      * An unsupported signature or encryption algorithm was used
226      */
227     public static final QName UNSUPPORTED_ALGORITHM  = 
228         new QName(WSSE_NS, "UnsupportedAlgorithm");
229     
230     /**
231      * An error was discovered processing the <Security> header
232      */
233     public static final QName INVALID_SECURITY = 
234         new QName (WSSE_NS, "InvalidSecurity");
235     
236     /**
237      * An invalid security token was provided
238      */
239     public static final QName INVALID_SECURITY_TOKEN = 
240         new QName (WSSE_NS, "InvalidSecurityToken");
241     
242     /**
243      * The security token could not be authenticated or authorized
244      */
245     public static final QName FAILED_AUTHENTICATION = 
246         new QName (WSSE_NS, "FailedAuthentication");
247     
248     /**
249      * The signature or decryption was invalid
250      */
251     public static final QName FAILED_CHECK = 
252         new QName (WSSE_NS, "FailedCheck");
253     
254     /** 
255      * Referenced security token could not be retrieved
256      */
257     public static final QName SECURITY_TOKEN_UNAVAILABLE = 
258         new QName (WSSE_NS, "SecurityTokenUnavailable");
259     
260     /** 
261      * The message has expired
262      */
263     public static final QName MESSAGE_EXPIRED = 
264         new QName (WSSE_NS, "MessageExpired");
265 
266     //
267     // Kerberos ValueTypes
268     //
269     public static final String WSS_KRB_V5_AP_REQ = KERBEROS_NS11 + "#Kerberosv5_AP_REQ";
270     public static final String WSS_GSS_KRB_V5_AP_REQ = KERBEROS_NS11 + "#GSS_Kerberosv5_AP_REQ";
271     public static final String WSS_KRB_V5_AP_REQ1510 = KERBEROS_NS11 + "#Kerberosv5_AP_REQ1510";
272     public static final String WSS_GSS_KRB_V5_AP_REQ1510 = 
273         KERBEROS_NS11 + "#GSS_Kerberosv5_AP_REQ1510";
274     public static final String WSS_KRB_V5_AP_REQ4120 = KERBEROS_NS11 + "#Kerberosv5_AP_REQ4120";
275     public static final String WSS_GSS_KRB_V5_AP_REQ4120 = 
276         KERBEROS_NS11 + "#GSS_Kerberosv5_AP_REQ4120";
277     public static final String WSS_KRB_KI_VALUE_TYPE = KERBEROS_NS11 + "#Kerberosv5APREQSHA1";
278     
279     //
280     // Misc
281     //
282     public static final String WSS_SAML_KI_VALUE_TYPE = SAMLTOKEN_NS + "#" + SAML_ASSERTION_ID;
283     public static final String WSS_SAML2_KI_VALUE_TYPE = SAMLTOKEN_NS11 + "#" + SAML2_ASSERTION_ID;
284     public static final String WSS_SAML_TOKEN_TYPE = SAMLTOKEN_NS11 + "#SAMLV1.1";
285     public static final String WSS_SAML2_TOKEN_TYPE = SAMLTOKEN_NS11 + "#SAMLV2.0";
286     public static final String WSS_ENC_KEY_VALUE_TYPE = SOAPMESSAGE_NS11 + "#" + ENC_KEY_VALUE_TYPE;
287     public static final String PASSWORD_DIGEST = USERNAMETOKEN_NS + "#PasswordDigest";
288     public static final String PASSWORD_TEXT = USERNAMETOKEN_NS + "#PasswordText";
289     public static final String WSS_USERNAME_TOKEN_VALUE_TYPE = 
290         USERNAMETOKEN_NS + "#" + USERNAME_TOKEN_LN;
291 
292     public static final String[] URIS_SOAP_ENV = {
293         URI_SOAP11_ENV,
294         URI_SOAP12_ENV,
295     };
296 
297     /*
298      * Constants used to configure WSS4J
299      */
300 
301     /**
302      * Sets the {@link 
303      * org.apache.ws.security.message.WSSecSignature#build(Document, Crypto, WSSecHeader) 
304      * } method to send the signing certificate as a <code>BinarySecurityToken</code>.
305      * <p/>
306      * The signing method takes the signing certificate, converts it to a
307      * <code>BinarySecurityToken</code>, puts it in the security header,
308      * and inserts a <code>Reference</code> to the binary security token
309      * into the <code>wsse:SecurityReferenceToken</code>. Thus the whole
310      * signing certificate is transfered to the receiver.
311      * The X509 profile recommends to use {@link #ISSUER_SERIAL} instead
312      * of sending the whole certificate.
313      * <p/>
314      * Please refer to WS Security specification X509 1.1 profile, chapter 3.3.2
315      * and to WS Security SOAP Message security 1.1 specification, chapter 7.2
316      * <p/>
317      * Note: only local references to BinarySecurityToken are supported
318      */
319     public static final int BST_DIRECT_REFERENCE = 1;
320 
321     /**
322      * Sets the {@link 
323      * org.apache.ws.security.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
324      * } or the {@link 
325      * org.apache.ws.security.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader)
326      * } method to send the issuer name and the serial number of a certificate to
327      * the receiver.
328      * <p/>
329      * In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name
330      * and the serial number of the signing certificate are sent to the
331      * receiver. This reduces the amount of data being sent. The encryption
332      * method uses the public key associated with this certificate to encrypt
333      * the symmetric key used to encrypt data.
334      * <p/>
335      * Please refer to WS Security specification X509 1.1 profile, chapter 3.3.3
336      */
337     public static final int ISSUER_SERIAL = 2;
338 
339     /**
340      * Sets the {@link 
341      * org.apache.ws.security.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
342      * } or the {@link 
343      * org.apache.ws.security.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader)
344      * }method to send the certificate used to encrypt the symmetric key.
345      * <p/>
346      * The encryption method uses the public key associated with this certificate
347      * to encrypt the symmetric key used to encrypt data. The certificate is
348      * converted into a <code>KeyIdentifier</code> token and sent to the receiver.
349      * Thus the complete certificate data is transfered to receiver.
350      * The X509 profile recommends to use {@link #ISSUER_SERIAL} instead
351      * of sending the whole certificate.
352      * <p/>
353      * Please refer to WS Security SOAP Message security 1.1 specification, 
354      * chapter 7.3. Note that this is a NON-STANDARD method. The standard way to refer to
355      * an X.509 Certificate via a KeyIdentifier is to use {@link #SKI_KEY_IDENTIFIER}
356      */
357     public static final int X509_KEY_IDENTIFIER = 3;
358     
359     /**
360      * Sets the {@link 
361      * org.apache.ws.security.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
362      * } method to send a <code>SubjectKeyIdentifier</code> to identify
363      * the signing certificate.
364      * <p/>
365      * Refer to WS Security specification X509 1.1 profile, chapter 3.3.1
366      */
367     public static final int SKI_KEY_IDENTIFIER = 4;
368 
369     /**
370      * Embeds a keyinfo/key name into the EncryptedData element.
371      * <p/>
372      */
373     public static final int EMBEDDED_KEYNAME = 5;
374     
375     /**
376      * Embeds a keyinfo/wsse:SecurityTokenReference into EncryptedData element.
377      */
378     public static final int EMBED_SECURITY_TOKEN_REF = 6;
379     
380     /**
381      * <code>UT_SIGNING</code> is used internally only to set a specific Signature
382      * behavior.
383      * 
384      * The signing token is constructed from values in the UsernameToken according
385      * to WS-Trust specification.
386      */
387     public static final int UT_SIGNING = 7;
388     
389     /**
390      * <code>THUMPRINT_IDENTIFIER</code> is used to set the specific key identifier
391      * ThumbprintSHA1.
392      * 
393      * This identifier uses the SHA-1 digest of a security token to
394      * identify the security token. Please refer to chapter 7.2 of the OASIS WSS 1.1
395      * specification.
396      * 
397      */
398     public static final int THUMBPRINT_IDENTIFIER = 8;
399     
400     /**
401      * <code>CUSTOM_SYMM_SIGNING</code> is used internally only to set a 
402      * specific Signature behavior.
403      * 
404      * The signing key, reference id and value type are set externally. 
405      */
406     public static final int CUSTOM_SYMM_SIGNING = 9;
407     
408     /**
409      * <code>ENCRYPTED_KEY_SHA1_IDENTIFIER</code> is used to set the specific key identifier
410      * EncryptedKeySHA1.
411      * 
412      * This identifier uses the SHA-1 digest of a security token to
413      * identify the security token. Please refer to chapter 7.3 of the OASIS WSS 1.1
414      * specification.
415      */
416     public static final int ENCRYPTED_KEY_SHA1_IDENTIFIER = 10;
417     
418     /**
419      * <code>CUSTOM_SYMM_SIGNING_DIRECT</code> is used internally only to set a 
420      * specific Signature behavior.
421      * 
422      * The signing key, reference id and value type are set externally. 
423      */
424     public static final int CUSTOM_SYMM_SIGNING_DIRECT = 11;
425     
426     /**
427      * <code>CUSTOM_KEY_IDENTIFIER</code> is used to set a KeyIdentifier to
428      * a particular ID
429      * 
430      * The reference id and value type are set externally. 
431      */
432     public static final int CUSTOM_KEY_IDENTIFIER = 12;
433     
434     /**
435      * <code>KEY_VALUE</code> is used to set a ds:KeyInfo/ds:KeyValue element to refer to
436      * either an RSA or DSA public key.
437      */
438     public static final int KEY_VALUE = 13;
439     
440     /*
441      * The following values are bits that can be combined to for a set.
442      * Be careful when selecting new values.
443      */
444     public static final int NO_SECURITY = 0;
445     public static final int UT = 0x1; // perform UsernameToken
446     public static final int SIGN = 0x2; // Perform Signature
447     public static final int ENCR = 0x4; // Perform Encryption
448 
449     public static final int ST_UNSIGNED = 0x8; // perform SAMLToken unsigned
450     public static final int ST_SIGNED = 0x10; // perform SAMLToken signed
451 
452     public static final int TS = 0x20; // insert Timestamp
453     public static final int UT_SIGN = 0x40; // perform signature with UT secret key
454     public static final int SC = 0x80;      // this is a SignatureConfirmation
455 
456     public static final int NO_SERIALIZE = 0x100;
457     public static final int SERIALIZE = 0x200;
458     public static final int SCT = 0x400; //SecurityContextToken
459     public static final int DKT = 0x800; //DerivedKeyToken
460     public static final int BST = 0x1000; //BinarySecurityToken
461     public static final int UT_NOPASSWORD = 0x2000; // perform UsernameToken
462 
463     /**
464      * Length of UsernameToken derived key used by .NET WSE to sign a message.
465      */
466     public static final int WSE_DERIVED_KEY_LEN = 16;
467     public static final String LABEL_FOR_DERIVED_KEY = "WS-Security";
468     
469     private WSConstants() {
470         // Complete
471     }
472     
473 }