1 /**
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
17 * under the License.
18 */
19
20 package org.apache.ws.security.handler;
21
22 import org.apache.ws.security.WSConstants;
23
24 import java.util.HashMap;
25 import java.util.Map;
26
27 /**
28 * This class defines the names, actions, and other string for the deployment
29 * data of the WS handler.
30 *
31 * @author Werner Dittmann (werner@apache.org)
32 */
33 public final class WSHandlerConstants {
34
35 //
36 // Action configuration tags
37 //
38
39 private WSHandlerConstants() {
40 // Complete
41 }
42
43 /**
44 * The action parameter. The handlers use the value of this parameter to determine how
45 * to process the SOAP Envelope. It is a blank separated list of actions to perform.
46 * <p/>
47 * The application may set this parameter using the following method:
48 * <pre>
49 * call.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
50 * </pre>
51 */
52 public static final String ACTION = "action";
53
54 /**
55 * Perform no action.
56 */
57 public static final String NO_SECURITY = "NoSecurity";
58
59 /**
60 * Perform a UsernameToken action.
61 */
62 public static final String USERNAME_TOKEN = "UsernameToken";
63
64 /**
65 * Perform a UsernameToken action with no password.
66 */
67 public static final String USERNAME_TOKEN_NO_PASSWORD = "UsernameTokenNoPassword";
68
69 /**
70 * Perform an unsigned SAML Token action.
71 */
72 public static final String SAML_TOKEN_UNSIGNED = "SAMLTokenUnsigned";
73
74 /**
75 * Perform a signed SAML Token action.
76 */
77 public static final String SAML_TOKEN_SIGNED = "SAMLTokenSigned";
78
79 /**
80 * Perform a Signature action. The signature specific parameters define how
81 * to sign, which keys to use, and so on.
82 */
83 public static final String SIGNATURE = "Signature";
84
85 /**
86 * Perform an Encryption action. The encryption specific parameters define how
87 * to encrypt, which keys to use, and so on.
88 */
89 public static final String ENCRYPT = "Encrypt";
90
91 /**
92 * Add a timestamp to the security header.
93 */
94 public static final String TIMESTAMP = "Timestamp";
95
96 /**
97 * Use this to use a specific signature mechanism for .Net. This signature mechanism
98 * uses data from the username token and a well defined constant string and constructs
99 * a signature key. Please note that this action is NOT spec-compliant.
100 */
101 public static final String SIGN_WITH_UT_KEY = "UsernameTokenSignature";
102
103 //
104 // User properties
105 //
106
107 /**
108 * The actor or role name of the <code>wsse:Security</code> header. If this parameter
109 * is omitted, the actor name is not set.
110 * <p/>
111 * The value of the actor or role has to match the receiver's setting
112 * or may contain standard values.
113 * <p/>
114 * The application may set this parameter using the following method:
115 * <pre>
116 * call.setProperty(WSHandlerConstants.ACTOR, "ActorName");
117 * </pre>
118 */
119 public static final String ACTOR = "actor";
120
121 /**
122 * The user's name. It is used differently by each of the WS-Security functions.
123 * <ul>
124 * <li>The <i>UsernameToken</i> function sets this name in the
125 * <code>UsernameToken</code>.
126 * </li>
127 * <li>The <i>Signing</i> function uses this name as the alias name
128 * in the keystore to get user's certificate and private key to
129 * perform signing if {@link #SIGNATURE_USER} is not used.
130 * </li>
131 * <li>The <i>encryption</i>
132 * functions uses this parameter as fallback if {@link #ENCRYPTION_USER}
133 * is not used.
134 * </li>
135 * </ul>
136 */
137 public static final String USER = "user";
138
139 /**
140 * The user's name for encryption. The encryption functions use the public key of
141 * this user's certificate to encrypt the generated symmetric key.
142 * <p/>
143 * If this parameter is not set, then the encryption
144 * function falls back to the {@link #USER} parameter to get the
145 * certificate.
146 * <p/>
147 * If <b>only</b> encryption of the SOAP body data is requested,
148 * it is recommended to use this parameter to define the username.
149 * <p/>
150 * The application may set this parameter using the following method:
151 * <pre>
152 * call.setProperty(WSHandlerConstants.ENCRYPTION_USER, "encryptionUser");
153 * </pre>
154 */
155 public static final String ENCRYPTION_USER = "encryptionUser";
156
157 /**
158 * The user's name for signature. This name is used as the alias name in the keystore
159 * to get user's certificate and private key to perform signing.
160 * <p/>
161 * If this parameter is not set, then the signature
162 * function falls back to the {@link #USER} parameter.
163 * <p/>
164 * The application may set this parameter using the following method:
165 * <pre>
166 * call.setProperty(WSHandlerConstants.SIGNATURE_USER, "signatureUser");
167 * </pre>
168 */
169 public static final String SIGNATURE_USER = "signatureUser";
170
171 /**
172 * Specifying this name as {@link #ENCRYPTION_USER}
173 * triggers a special action to get the public key to use for encryption.
174 * <p/>
175 * The handler uses the public key of the sender's certificate. Using this
176 * way to define an encryption key simplifies certificate management to
177 * a large extend.
178 */
179 public static final String USE_REQ_SIG_CERT = "useReqSigCert";
180
181
182 //
183 // Callback class and property file properties
184 //
185
186 /**
187 * This tag refers to the CallbackHandler implementation class used to obtain passwords.
188 * The value of this tag must be the class name of a
189 * {@link javax.security.auth.callback.CallbackHandler} instance.
190 * </p>
191 * The callback function
192 * {@link javax.security.auth.callback.CallbackHandler#handle(
193 * javax.security.auth.callback.Callback[])} gets an array of
194 * {@link org.apache.ws.security.WSPasswordCallback} objects. Only the first entry of the
195 * array is used. This object contains the username/keyname as identifier. The callback
196 * handler must set the password or key associated with this identifier before it returns.
197 * <p/>
198 * The application may set this parameter using the following method:
199 * <pre>
200 * call.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, "PWCallbackClass");
201 * </pre>
202 */
203 public static final String PW_CALLBACK_CLASS = "passwordCallbackClass";
204
205 /**
206 * This tag refers to the CallbackHandler implementation object used to obtain
207 * passwords. The value of this tag must be a
208 * {@link javax.security.auth.callback.CallbackHandler} instance.
209 * </p>
210 * Refer to {@link #PW_CALLBACK_CLASS} for further information about password callback
211 * handling.
212 */
213 public static final String PW_CALLBACK_REF = "passwordCallbackRef";
214
215 /**
216 * This tag refers to the SAML CallbackHandler implementation class used to construct
217 * SAML Assertions. The value of this tag must be the class name of a
218 * {@link javax.security.auth.callback.CallbackHandler} instance.
219 */
220 public static final String SAML_CALLBACK_CLASS = "samlCallbackClass";
221
222 /**
223 * This tag refers to the SAML CallbackHandler implementation object used to construct
224 * SAML Assertions. The value of this tag must be a
225 * {@link javax.security.auth.callback.CallbackHandler} instance.
226 */
227 public static final String SAML_CALLBACK_REF = "samlCallbackRef";
228
229 /**
230 * This tag refers to the CallbackHandler implementation class used to get the key
231 * associated with a key name. The value of this tag must be the class name of a
232 * {@link javax.security.auth.callback.CallbackHandler} instance.
233 */
234 public static final String ENC_CALLBACK_CLASS = "embeddedKeyCallbackClass";
235
236 /**
237 * This tag refers to the CallbackHandler implementation object used to get the key
238 * associated with a key name. The value of this tag must be a
239 * {@link javax.security.auth.callback.CallbackHandler} instance.
240 */
241 public static final String ENC_CALLBACK_REF = "embeddedKeyCallbackRef";
242
243 /**
244 * The path of the crypto property file to use for Signature. The classloader loads this
245 * file. Therefore it must be accessible via the classpath.
246 * <p/>
247 * To locate the implementation of the
248 * {@link org.apache.ws.security.components.crypto.Crypto Crypto}
249 * interface implementation the property file must contain the property
250 * <code>org.apache.ws.security.crypto.provider</code>. The value of
251 * this property is the classname of the implementation class.
252 * <p/>
253 * The following line defines the standard implementation:
254 * <pre>
255 * org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
256 * </pre>
257 * The other contents of the property file depend on the implementation
258 * of the {@link org.apache.ws.security.components.crypto.Crypto Crypto}
259 * interface. Please see the WSS4J website for more information on the Merlin property
260 * tags and values.
261 * </p>
262 * The application may set this parameter using the following method:
263 * <pre>
264 * call.setProperty(WSHandlerConstants.SIG_PROP_FILE, "myCrypto.properties");
265 * </pre>
266 */
267 public static final String SIG_PROP_FILE = "signaturePropFile";
268
269 /**
270 * The key that holds a reference to the object holding complete information about
271 * the signature Crypto implementation. This object can either be a Crypto instance or a
272 * <code>java.util.Properties</code> file, which should contain all information that
273 * would contain in an equivalent properties file which includes the Crypto implementation
274 * class name.
275 *
276 * Refer to documentation of {@link #SIG_PROP_FILE}.
277 */
278 public static final String SIG_PROP_REF_ID = "signaturePropRefId";
279
280 /**
281 * The path of the crypto property file to use for Decryption. The classloader loads this
282 * file. Therefore it must be accessible via the classpath. Refer to documentation of
283 * {@link #SIG_PROP_FILE} for more information about the contents of the Properties file.
284 * <p/>
285 * The application may set this parameter using the following method:
286 * <pre>
287 * call.setProperty(WSHandlerConstants.DEC_PROP_FILE, "myCrypto.properties");
288 * </pre>
289 */
290 public static final String DEC_PROP_FILE = "decryptionPropFile";
291
292 /**
293 * The key that holds a reference to the object holding complete information about
294 * the decryption Crypto implementation. This object can either be a Crypto instance or a
295 * <code>java.util.Properties</code> file, which should contain all information that
296 * would contain in an equivalent properties file which includes the Crypto implementation
297 * class name.
298 *
299 * Refer to documentation of {@link #DEC_PROP_FILE}.
300 */
301 public static final String DEC_PROP_REF_ID = "decryptionPropRefId";
302
303 /**
304 * The path of the crypto property file to use for Encryption. The classloader loads this
305 * file. Therefore it must be accessible via the classpath. Refer to documentation of
306 * {@link #SIG_PROP_FILE} for more information about the contents of the Properties file.
307 * <p/>
308 * The application may set this parameter using the following method:
309 * <pre>
310 * call.setProperty(WSHandlerConstants.ENC_PROP_FILE, "myCrypto.properties");
311 * </pre>
312 */
313 public static final String ENC_PROP_FILE = "encryptionPropFile";
314
315 /**
316 * The key that holds a reference to the object holding complete information about
317 * the encryption Crypto implementation. This object can either be a Crypto instance or a
318 * <code>java.util.Properties</code> file, which should contain all information that
319 * would contain in an equivalent properties file which includes the Crypto implementation
320 * class name.
321 *
322 * Refer to documentation of {@link #ENC_PROP_FILE}.
323 */
324 public static final String ENC_PROP_REF_ID = "encryptionPropRefId";
325
326 /**
327 * The name of the SAML Issuer factory property file.
328 * The classloader loads this file. Therefore it must be accessible
329 * via the classpath.
330 */
331 public static final String SAML_PROP_FILE = "samlPropFile";
332
333 //
334 // Boolean configuration tags, e.g. the value should be "true" or "false".
335 //
336
337 /**
338 * Whether to enable signatureConfirmation or not. The default value is "false".
339 */
340 public static final String ENABLE_SIGNATURE_CONFIRMATION = "enableSignatureConfirmation";
341
342 /**
343 * Whether to set the mustUnderstand flag on an outbound message or not. The default
344 * setting is "true".
345 * <p/>
346 * The application may set this parameter using the following method:
347 * <pre>
348 * call.setProperty(WSHandlerConstants.MUST_UNDERSTAND, "false");
349 * </pre>
350 */
351 public static final String MUST_UNDERSTAND = "mustUnderstand";
352
353 /**
354 * Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The
355 * default value is "true".
356 * <p/>
357 * The application may set this parameter using the following method:
358 * <pre>
359 * call.setProperty(WSHandlerConstants.IS_BSP_COMPLIANT, "false");
360 * </pre>
361 */
362 public static final String IS_BSP_COMPLIANT = "isBSPCompliant";
363
364 /**
365 * This variable controls whether types other than PasswordDigest or PasswordText
366 * are allowed when processing UsernameTokens. The default value is "false".
367 */
368 public static final String HANDLE_CUSTOM_PASSWORD_TYPES = "handleCustomPasswordTypes";
369
370 /**
371 * Set the value of this parameter to true to enable strict Username Token password type
372 * handling. The default value is "false".
373 *
374 * If this parameter is set to true, it throws an exception if the password type of
375 * the Username Token does not match that of the configured PASSWORD_TYPE parameter.
376 */
377 public static final String PASSWORD_TYPE_STRICT = "passwordTypeStrict";
378
379 /**
380 * This variable controls whether (wsse) namespace qualified password types are
381 * accepted when processing UsernameTokens. The default value is "false".
382 */
383 public static final String ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES
384 = "allowNamespaceQualifiedPasswordTypes";
385
386 /**
387 * This variable controls whether to enable Certificate Revocation List (CRL) checking
388 * or not when verifying trust in a certificate. The default value is "false".
389 */
390 public static final String ENABLE_REVOCATION = "enableRevocation";
391
392 /**
393 * Set the value of this parameter to true to treat passwords as binary values
394 * for Username Tokens. The default value is "false".
395 *
396 * This is needed to properly handle password equivalence for UsernameToken
397 * passwords. Binary passwords are Base64 encoded so they can be treated as
398 * strings in most places, but when the password digest is calculated or a key
399 * is derived from the password, the password will be Base64 decoded before
400 * being used. This is most useful for hashed passwords as password equivalents.
401 */
402 public static final String USE_ENCODED_PASSWORDS = "useEncodedPasswords";
403
404 /**
405 * This parameter sets whether to use a single certificate or a whole certificate
406 * chain when constructing a BinarySecurityToken used for direct reference in
407 * signature. The default is "true", meaning that only a single certificate is used.
408 */
409 public static final String USE_SINGLE_CERTIFICATE = "useSingleCertificate";
410
411 /**
412 * This parameter sets whether to use UsernameToken Key Derivation, as defined
413 * in the UsernameTokenProfile 1.1 specification. The default is "true". If false,
414 * then it falls back to the old behaviour of WSE derived key functionality.
415 */
416 public static final String USE_DERIVED_KEY = "useDerivedKey";
417
418 /**
419 * This parameter sets whether to use the Username Token derived key for a MAC
420 * or not. The default is "true".
421 */
422 public static final String USE_DERIVED_KEY_FOR_MAC = "useDerivedKeyForMAC";
423
424 /**
425 * Set whether Timestamps have precision in milliseconds. This applies to the
426 * creation of Timestamps only. The default value is "true".
427 */
428 public static final String TIMESTAMP_PRECISION = "precisionInMilliseconds";
429
430 /**
431 * Set the value of this parameter to true to enable strict timestamp
432 * handling. The default value is "true".
433 *
434 * Strict Timestamp handling: throw an exception if a Timestamp contains
435 * an <code>Expires</code> element and the semantics of the request are
436 * expired, i.e. the current time at the receiver is past the expires time.
437 */
438 public static final String TIMESTAMP_STRICT = "timestampStrict";
439
440 /**
441 * Defines whether to encrypt the symmetric encryption key or not. If true
442 * (the default), the symmetric key used for encryption is encrypted in turn,
443 * and inserted into the security header in an "EncryptedKey" structure. If
444 * set to false, no EncryptedKey structure is constructed.
445 * <p/>
446 * The application may set this parameter using the following method:
447 * <pre>
448 * call.setProperty(WSHandlerConstants.ENC_SYM_ENC_KEY, "false");
449 * </pre>
450 */
451 public static final String ENC_SYM_ENC_KEY = "encryptSymmetricEncryptionKey";
452
453 /**
454 * Whether the engine needs to enforce EncryptedData elements are
455 * in a signed subtree of the document. This can be used to prevent
456 * some wrapping based attacks when encrypt-before-sign token
457 * protection is selected.
458 */
459 public static final String REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS = "requireSignedEncryptedDataElements";
460
461 //
462 // (Non-boolean) Configuration parameters for the actions/processors
463 //
464
465 /**
466 * Text of the embedded key name to be sent in the KeyInfo for encryption.
467 */
468 public static final String ENC_KEY_NAME = "embeddedKeyName";
469
470 /**
471 * Specific parameter for UsernameToken action to define the encoding
472 * of the password.
473 * <p/>
474 * The parameter can be set to either {@link WSConstants#PW_DIGEST}
475 * or to {@link WSConstants#PW_TEXT}.
476 * <p/>
477 * The application may set this parameter using the following method:
478 * <pre>
479 * call.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
480 * </pre>
481 * The default setting is PW_DIGEST.
482 */
483 public static final String PASSWORD_TYPE = "passwordType";
484
485 /**
486 * Parameter to generate additional elements (nonce and created) in a
487 * <code>UsernameToken</code>.
488 * <p/>
489 * The value of this parameter is a list of element names that are added
490 * to the UsernameToken. The names of the list a separated by spaces.
491 * <p/>
492 * The list may contain the names <code>nonce</code> and
493 * <code>created</code> only. Use this option if the password type is
494 * <code>passwordText</code> and the handler shall add the <code>Nonce</code>
495 * and/or <code>Created</code> elements.
496 */
497 public static final String ADD_UT_ELEMENTS = "addUTElements";
498
499 /**
500 * Defines which key identifier type to use for signature. The WS-Security specifications
501 * recommends to use the identifier type <code>IssuerSerial</code>. For possible signature
502 * key identifier types refer to {@link #keyIdentifier}.
503 * For signature <code>IssuerSerial</code> and <code>DirectReference</code> are valid only.
504 * The default is <code>IssuerSerial</code>.
505 * <p/>
506 * The application may set this parameter using the following method:
507 * <pre>
508 * call.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
509 * </pre>
510 */
511 public static final String SIG_KEY_ID = "signatureKeyIdentifier";
512
513 /**
514 * Defines which signature algorithm to use. The default is set by the data in the
515 * certificate, i.e. one of the following:
516 *
517 * "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
518 * "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
519 *
520 * <p/>
521 * The application may set this parameter using the following method:
522 * <pre>
523 * call.setProperty(
524 * WSHandlerConstants.SIG_ALGO,
525 * "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
526 * );
527 * </pre>
528 */
529 public static final String SIG_ALGO = "signatureAlgorithm";
530
531 /**
532 * Defines which signature digest algorithm to use. The default is:
533 *
534 * "http://www.w3.org/2000/09/xmldsig#sha1"
535 *
536 * <p/>
537 * The application may set this parameter using the following method:
538 * <pre>
539 * call.setProperty(
540 * WSHandlerConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
541 * );
542 * </pre>
543 */
544 public static final String SIG_DIGEST_ALGO = "signatureDigestAlgorithm";
545
546 /**
547 * Parameter to define which parts of the request shall be signed.
548 * <p/>
549 * Refer to {@link #ENCRYPTION_PARTS} for a detailed description of
550 * the format of the value string.
551 * <p/>
552 * If this parameter is not specified the handler signs the SOAP Body
553 * by default, i.e.:
554 * <pre>
555 * <parameter name="signatureParts"
556 * value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />
557 * </pre>
558 * To specify an element without a namespace use the string
559 * <code>Null</code> as the namespace name (this is a case sensitive
560 * string)
561 * <p/>
562 * If there is no other element in the request with a local name of
563 * <code>Body</code> then the SOAP namespace identifier can be empty
564 * (<code>{}</code>).
565 */
566 public static final String SIGNATURE_PARTS = "signatureParts";
567
568 /**
569 * This parameter sets the length of the secret (derived) key to use for the
570 * WSE UT_SIGN functionality.
571 *
572 * The default value is 16 bytes.
573 */
574 public static final String WSE_SECRET_KEY_LENGTH = "wseSecretKeyLength";
575
576 /**
577 * This parameter sets the number of iterations to use when deriving a key
578 * from a Username Token. The default is 1000.
579 */
580 public static final String DERIVED_KEY_ITERATIONS = "derivedKeyIterations";
581
582 /**
583 * Defines which key identifier type to use for encryption. The WS-Security specifications
584 * recommends to use the identifier type <code>IssuerSerial</code>. For
585 * possible encryption key identifier types refer to
586 * {@link #keyIdentifier}. For encryption <code>IssuerSerial</code>,
587 * <code>X509KeyIdentifier</code>, <code>DirectReference</code>,
588 * <code>Thumbprint</code>, <code>SKIKeyIdentifier</code>, and
589 * <code>EmbeddedKeyName</code> are valid only.
590 * <p/>
591 * The application may set this parameter using the following method:
592 * <pre>
593 * call.setProperty(WSHandlerConstants.ENC_KEY_ID, "X509KeyIdentifier");
594 * </pre>
595 */
596 public static final String ENC_KEY_ID = "encryptionKeyIdentifier";
597
598 /**
599 * Defines which symmetric encryption algorithm to use. WSS4J supports the
600 * following algorithms: {@link WSConstants#TRIPLE_DES},
601 * {@link WSConstants#AES_128}, {@link WSConstants#AES_256},
602 * and {@link WSConstants#AES_192}. Except for AES 192 all of these
603 * algorithms are required by the XML Encryption specification.
604 * The default algorithm is:
605 *
606 * "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
607 *
608 * <p/>
609 * The application may set this parameter using the following method:
610 * <pre>
611 * call.setProperty(WSHandlerConstants.ENC_SYM_ALGO, WSConstants.AES_256);
612 * </pre>
613 */
614 public static final String ENC_SYM_ALGO = "encryptionSymAlgorithm";
615
616 /**
617 * Defines which algorithm to use to encrypt the generated symmetric key.
618 * The default algorithm is:
619 *
620 * "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
621 *
622 * <p/>
623 * The application may set this parameter using the following method:
624 * <pre>
625 * call.setProperty(WSHandlerConstants.ENC_KEY_TRANSPORT, WSConstants.KEYTRANSPORT_RSA15);
626 * </pre>
627 */
628 public static final String ENC_KEY_TRANSPORT = "encryptionKeyTransportAlgorithm";
629
630 /**
631 * Parameter to define which parts of the request shall be encrypted.
632 * <p/>
633 * The value of this parameter is a list of semi-colon separated
634 * element names that identify the elements to encrypt. An encryption mode
635 * specifier and a namespace identification, each inside a pair of curly
636 * brackets, may preceed each element name.
637 * <p/>
638 * The encryption mode specifier is either <code>{Content}</code> or
639 * <code>{Element}</code>. Please refer to the W3C XML Encryption
640 * specification about the differences between Element and Content
641 * encryption. The encryption mode defaults to <code>Content</code>
642 * if it is omitted. Example of a list:
643 * <pre>
644 * <parameter name="encryptionParts"
645 * value="{Content}{http://example.org/paymentv2}CreditCard;
646 * {Element}{}UserName" />
647 * </pre>
648 * The the first entry of the list identifies the element
649 * <code>CreditCard</code> in the namespace
650 * <code>http://example.org/paymentv2</code>, and will encrypt its content.
651 * Be aware that the element name, the namespace identifier, and the
652 * encryption modifier are case sensitive.
653 * <p/>
654 * The encryption modifier and the namespace identifier can be ommited.
655 * In this case the encryption mode defaults to <code>Content</code> and
656 * the namespace is set to the SOAP namespace.
657 * <p/>
658 * An empty encryption mode defaults to <code>Content</code>, an empty
659 * namespace identifier defaults to the SOAP namespace.
660 * The second line of the example defines <code>Element</code> as
661 * encryption mode for an <code>UserName</code> element in the SOAP
662 * namespace.
663 * <p/>
664 * To specify an element without a namespace use the string
665 * <code>Null</code> as the namespace name (this is a case sensitive
666 * string)
667 * <p/>
668 * If no list is specified, the handler encrypts the SOAP Body in
669 * <code>Content</code> mode by default.
670 */
671 public static final String ENCRYPTION_PARTS = "encryptionParts";
672
673 /**
674 * Defines which encryption digest algorithm to use with the RSA OAEP Key Transport
675 * algorithm for encryption. The default is SHA-1.
676 * <p/>
677 * The application may set this parameter using the following method:
678 * <pre>
679 * call.setProperty(
680 * WSHandlerConstants.ENC_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
681 * );
682 * </pre>
683 */
684 public static final String ENC_DIGEST_ALGO = "encryptionDigestAlgorithm";
685
686 /**
687 * Time-To-Live is the time difference between creation and expiry time in
688 * seconds in the WSS Timestamp. After this time the SOAP request is
689 * invalid (at least the security data shall be treated this way).
690 * <p/>
691 * If this parameter is not defined, contains a value less or equal
692 * zero, or an illegal format the handlers use a default TTL of
693 * 300 seconds (5 minutes).
694 */
695 public static final String TTL_TIMESTAMP = "timeToLive";
696
697 /**
698 * This configuration tag specifies the time in seconds in the future within which
699 * the Created time of an incoming Timestamp is valid. The default value is "60",
700 * to avoid problems where clocks are slightly askew. To reject all future-created
701 * Timestamps, set this value to "0".
702 */
703 public static final String TTL_FUTURE_TIMESTAMP = "futureTimeToLive";
704
705 /**
706 * This configuration tag is a comma separated String of regular expressions which
707 * will be applied to the subject DN of the certificate used for signature
708 * validation, after trust verification of the certificate chain associated with the
709 * certificate. These constraints are not used when the certificate is contained in
710 * the keystore (direct trust).
711 */
712 public static final String SIG_SUBJECT_CERT_CONSTRAINTS = "sigSubjectCertConstraints";
713
714
715 //
716 // Internal storage constants
717 //
718
719 /**
720 * The WSHandler stores a result <code>List</code> in this property.
721 */
722 public static final String RECV_RESULTS = "RECV_RESULTS";
723
724 /**
725 * internally used property names to store values inside the message context
726 * that must have the same lifetime as a message (request/response model).
727 */
728 public static final String SEND_SIGV = "_sendSignatureValues_";
729
730 /**
731 *
732 */
733 public static final String SIG_CONF_DONE = "_sigConfDone_";
734
735
736 /**
737 * Define the parameter values to set the key identifier types. These are:
738 * <ul>
739 * <li><code>DirectReference</code> for {@link WSConstants#BST_DIRECT_REFERENCE}
740 * </li>
741 * <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL}
742 * </li>
743 * <li><code>X509KeyIdentifier</code> for {@link WSConstants#X509_KEY_IDENTIFIER}
744 * </li>
745 * <li><code>SKIKeyIdentifier</code> for {@link WSConstants#SKI_KEY_IDENTIFIER}
746 * </li>
747 * <li><code>EmbeddedKeyName</code> for {@link WSConstants#EMBEDDED_KEYNAME}
748 * </li>
749 * <li><code>Thumbprint</code> for {@link WSConstants#THUMBPRINT}
750 * </li>
751 * <li><code>EncryptedKeySHA1</code> for {@link WSConstants#ENCRYPTED_KEY_SHA1_IDENTIFIER}
752 * </li>
753 * </ul>
754 * See {@link #SIG_KEY_ID} {@link #ENC_KEY_ID}.
755 */
756 private static Map<String, Integer> keyIdentifier = new HashMap<String, Integer>();
757
758 static {
759 keyIdentifier.put("DirectReference",
760 Integer.valueOf(WSConstants.BST_DIRECT_REFERENCE));
761 keyIdentifier.put("IssuerSerial",
762 Integer.valueOf(WSConstants.ISSUER_SERIAL));
763 keyIdentifier.put("X509KeyIdentifier",
764 Integer.valueOf(WSConstants.X509_KEY_IDENTIFIER));
765 keyIdentifier.put("SKIKeyIdentifier",
766 Integer.valueOf(WSConstants.SKI_KEY_IDENTIFIER));
767 keyIdentifier.put("EmbeddedKeyName",
768 Integer.valueOf(WSConstants.EMBEDDED_KEYNAME));
769 keyIdentifier.put("Thumbprint",
770 Integer.valueOf(WSConstants.THUMBPRINT_IDENTIFIER));
771 keyIdentifier.put("EncryptedKeySHA1",
772 Integer.valueOf(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER));
773 }
774
775 /**
776 * Get the key identifier type corresponding to the parameter
777 * @param parameter
778 * @return the key identifier type corresponding to the parameter
779 */
780 public static Integer getKeyIdentifier(String parameter) {
781 return keyIdentifier.get(parameter);
782 }
783 }
784