1 /**
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
17 * under the License.
18 */
19
20 package org.apache.wss4j.dom;
21
22 import javax.xml.namespace.QName;
23
24 import org.apache.wss4j.common.WSS4JConstants;
25 import org.apache.wss4j.common.derivedKey.ConversationConstants;
26
27 /**
28 * Constants in WS-Security spec.
29 */
30 public final class WSConstants extends WSS4JConstants {
31
32 //
33 // QNames for the security header elements
34 //
35
36 /**
37 * <code>wsse:BinarySecurityToken</code> as defined by WS Security specification
38 */
39 public static final QName BINARY_TOKEN =
40 new QName(WSConstants.WSSE_NS, WSConstants.BINARY_TOKEN_LN);
41 /**
42 * <code>wsse:UsernameToken</code> as defined by WS Security specification
43 */
44 public static final QName USERNAME_TOKEN =
45 new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN);
46 /**
47 * <code>wsu:Timestamp</code> as defined by OASIS WS Security specification,
48 */
49 public static final QName TIMESTAMP =
50 new QName(WSConstants.WSU_NS, WSConstants.TIMESTAMP_TOKEN_LN);
51 /**
52 * <code>wsse11:signatureConfirmation</code> as defined by OASIS WS Security specification,
53 */
54 public static final QName SIGNATURE_CONFIRMATION =
55 new QName(WSConstants.WSSE11_NS, WSConstants.SIGNATURE_CONFIRMATION_LN);
56 /**
57 * <code>ds:Signature</code> as defined by XML Signature specification,
58 * enhanced by WS Security specification
59 */
60 public static final QName SIGNATURE =
61 new QName(WSConstants.SIG_NS, WSConstants.SIG_LN);
62 /**
63 * <code>xenc:EncryptedKey</code> as defined by XML Encryption specification,
64 * enhanced by WS Security specification
65 */
66 public static final QName ENCRYPTED_KEY =
67 new QName(WSConstants.ENC_NS, WSConstants.ENC_KEY_LN);
68 /**
69 * <code>xenc:EncryptedData</code> as defined by XML Encryption specification,
70 * enhanced by WS Security specification
71 */
72 public static final QName ENCRYPTED_DATA =
73 new QName(WSConstants.ENC_NS, WSConstants.ENC_DATA_LN);
74 /**
75 * <code>xenc:ReferenceList</code> as defined by XML Encryption specification,
76 */
77 public static final QName REFERENCE_LIST =
78 new QName(WSConstants.ENC_NS, WSConstants.REF_LIST_LN);
79 /**
80 * <code>saml:Assertion</code> as defined by SAML v1.1 specification
81 */
82 public static final QName SAML_TOKEN =
83 new QName(WSConstants.SAML_NS, WSConstants.ASSERTION_LN);
84
85 /**
86 * <code>saml:Assertion</code> as defined by SAML v2.0 specification
87 */
88 public static final QName SAML2_TOKEN =
89 new QName(WSConstants.SAML2_NS, WSConstants.ASSERTION_LN);
90
91 /**
92 * <code>saml:EncryptedAssertion</code> as defined by SAML v2.0 specification
93 */
94 public static final QName ENCRYPTED_ASSERTION =
95 new QName(WSConstants.SAML2_NS, WSConstants.ENCRYPED_ASSERTION_LN);
96
97 /**
98 * <code>wsc:DerivedKeyToken</code> as defined by WS-SecureConversation specification
99 */
100 public static final QName DERIVED_KEY_TOKEN_05_02 =
101 new QName(ConversationConstants.WSC_NS_05_02, ConversationConstants.DERIVED_KEY_TOKEN_LN);
102
103 /**
104 * <code>wsc:SecurityContextToken</code> as defined by WS-SecureConversation specification
105 */
106 public static final QName SECURITY_CONTEXT_TOKEN_05_02 =
107 new QName(ConversationConstants.WSC_NS_05_02, ConversationConstants.SECURITY_CONTEXT_TOKEN_LN);
108
109 /**
110 * <code>wsc:DerivedKeyToken</code> as defined by WS-SecureConversation specification in WS-SX
111 */
112 public static final QName DERIVED_KEY_TOKEN_05_12 =
113 new QName(ConversationConstants.WSC_NS_05_12, ConversationConstants.DERIVED_KEY_TOKEN_LN);
114
115 /**
116 * <code>wsc:SecurityContextToken</code> as defined by WS-SecureConversation specification in
117 * WS-SX
118 */
119 public static final QName SECURITY_CONTEXT_TOKEN_05_12 =
120 new QName(ConversationConstants.WSC_NS_05_12, ConversationConstants.SECURITY_CONTEXT_TOKEN_LN);
121
122 //
123 // Fault codes defined in the WSS 1.1 spec under section 12, Error handling
124 //
125
126 /**
127 * An unsupported token was provided
128 */
129 public static final QName UNSUPPORTED_SECURITY_TOKEN =
130 new QName(WSSE_NS, "UnsupportedSecurityToken");
131
132 /**
133 * An unsupported signature or encryption algorithm was used
134 */
135 public static final QName UNSUPPORTED_ALGORITHM =
136 new QName(WSSE_NS, "UnsupportedAlgorithm");
137
138 /**
139 * An error was discovered processing the <Security> header
140 */
141 public static final QName INVALID_SECURITY = new QName(WSSE_NS, "InvalidSecurity");
142
143 /**
144 * An invalid security token was provided
145 */
146 public static final QName INVALID_SECURITY_TOKEN = new QName(WSSE_NS, "InvalidSecurityToken");
147
148 /**
149 * The security token could not be authenticated or authorized
150 */
151 public static final QName FAILED_AUTHENTICATION = new QName(WSSE_NS, "FailedAuthentication");
152
153 /**
154 * The signature or decryption was invalid
155 */
156 public static final QName FAILED_CHECK = new QName(WSSE_NS, "FailedCheck");
157
158 /**
159 * Referenced security token could not be retrieved
160 */
161 public static final QName SECURITY_TOKEN_UNAVAILABLE = new QName(WSSE_NS, "SecurityTokenUnavailable");
162
163 /**
164 * The message has expired
165 */
166 public static final QName MESSAGE_EXPIRED = new QName(WSSE_NS, "MessageExpired");
167
168 /*
169 * Constants used to configure WSS4J
170 */
171
172 /**
173 * Sets the {@link
174 * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
175 * } method to send the signing certificate as a <code>BinarySecurityToken</code>.
176 * <p/>
177 * The signing method takes the signing certificate, converts it to a
178 * <code>BinarySecurityToken</code>, puts it in the security header,
179 * and inserts a <code>Reference</code> to the binary security token
180 * into the <code>wsse:SecurityReferenceToken</code>. Thus the whole
181 * signing certificate is transfered to the receiver.
182 * The X509 profile recommends to use {@link #ISSUER_SERIAL} instead
183 * of sending the whole certificate.
184 * <p/>
185 * Please refer to WS Security specification X509 1.1 profile, chapter 3.3.2
186 * and to WS Security SOAP Message security 1.1 specification, chapter 7.2
187 * <p/>
188 * Note: only local references to BinarySecurityToken are supported
189 */
190 public static final int BST_DIRECT_REFERENCE = 1;
191
192 /**
193 * Sets the {@link
194 *org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)
195 *} or the {@link
196 *org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)
197 * } method to send the issuer name and the serial number of a certificate to
198 * the receiver.
199 * <p/>
200 * In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name
201 * and the serial number of the signing certificate are sent to the
202 * receiver. This reduces the amount of data being sent. The encryption
203 * method uses the public key associated with this certificate to encrypt
204 * the symmetric key used to encrypt data.
205 * The name format will delimit unicode characters with a '\' which is not compatible with Microsoft's WCF stack.
206 * To send issuer name with format that is compatible with WCF and Java use {@link #ISSUER_SERIAL_QUOTE_FORMAT}
207 * <p/>
208 * Please refer to WS Security specification X509 1.1 profile, chapter 3.3.3
209 */
210 public static final int ISSUER_SERIAL = 2;
211
212 /**
213 * Sets the {@link
214 * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
215 * } or the {@link
216 * org.apache.wss4j.dom.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader)
217 * }method to send the certificate used to encrypt the symmetric key.
218 * <p/>
219 * The encryption method uses the public key associated with this certificate
220 * to encrypt the symmetric key used to encrypt data. The certificate is
221 * converted into a <code>KeyIdentifier</code> token and sent to the receiver.
222 * Thus the complete certificate data is transferred to receiver.
223 * The X509 profile recommends to use {@link #ISSUER_SERIAL} instead
224 * of sending the whole certificate.
225 * <p/>
226 * Please refer to WS Security SOAP Message security 1.1 specification,
227 * chapter 7.3. Note that this is a NON-STANDARD method. The standard way to refer to
228 * an X.509 Certificate via a KeyIdentifier is to use {@link #SKI_KEY_IDENTIFIER}
229 */
230 public static final int X509_KEY_IDENTIFIER = 3;
231
232 /**
233 * Sets the {@link
234 * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
235 * } method to send a <code>SubjectKeyIdentifier</code> to identify
236 * the signing certificate.
237 * <p/>
238 * Refer to WS Security specification X509 1.1 profile, chapter 3.3.1
239 */
240 public static final int SKI_KEY_IDENTIFIER = 4;
241
242 /**
243 * Embeds a keyinfo/key name into the EncryptedData element.
244 * <p/>
245 */
246 @Deprecated
247 public static final int EMBEDDED_KEYNAME = 5;
248
249 /**
250 * Embeds a keyinfo/wsse:SecurityTokenReference into EncryptedData element.
251 */
252 @Deprecated
253 public static final int EMBED_SECURITY_TOKEN_REF = 6;
254
255 /**
256 * <code>UT_SIGNING</code> is used internally only to set a specific Signature
257 * behavior.
258 *
259 * The signing token is constructed from values in the UsernameToken according
260 * to WS-Trust specification.
261 */
262 public static final int UT_SIGNING = 7;
263
264 /**
265 * <code>THUMPRINT_IDENTIFIER</code> is used to set the specific key identifier
266 * ThumbprintSHA1.
267 *
268 * This identifier uses the SHA-1 digest of a security token to
269 * identify the security token. Please refer to chapter 7.2 of the OASIS WSS 1.1
270 * specification.
271 *
272 */
273 public static final int THUMBPRINT_IDENTIFIER = 8;
274
275 /**
276 * <code>CUSTOM_SYMM_SIGNING</code> is used internally only to set a
277 * specific Signature behavior.
278 *
279 * The signing key, reference id and value type are set externally.
280 */
281 public static final int CUSTOM_SYMM_SIGNING = 9;
282
283 /**
284 * <code>ENCRYPTED_KEY_SHA1_IDENTIFIER</code> is used to set the specific key identifier
285 * EncryptedKeySHA1.
286 *
287 * This identifier uses the SHA-1 digest of a security token to
288 * identify the security token. Please refer to chapter 7.3 of the OASIS WSS 1.1
289 * specification.
290 */
291 public static final int ENCRYPTED_KEY_SHA1_IDENTIFIER = 10;
292
293 /**
294 * <code>CUSTOM_SYMM_SIGNING_DIRECT</code> is used internally only to set a
295 * specific Signature behavior.
296 *
297 * The signing key, reference id and value type are set externally.
298 */
299 public static final int CUSTOM_SYMM_SIGNING_DIRECT = 11;
300
301 /**
302 * <code>CUSTOM_KEY_IDENTIFIER</code> is used to set a KeyIdentifier to
303 * a particular ID
304 *
305 * The reference id and value type are set externally.
306 */
307 public static final int CUSTOM_KEY_IDENTIFIER = 12;
308
309 /**
310 * <code>KEY_VALUE</code> is used to set a ds:KeyInfo/ds:KeyValue element to refer to
311 * either an RSA or DSA public key.
312 */
313 public static final int KEY_VALUE = 13;
314
315 /**
316 * <code>ENDPOINT_KEY_IDENTIFIER</code> is used to specify service endpoint as public key
317 * identifier.
318 *
319 * Constant is useful in case of symmetric holder of key, where token service can determine
320 * target service public key to encrypt shared secret.
321 */
322 public static final int ENDPOINT_KEY_IDENTIFIER = 14;
323
324
325 /**
326 *Sets the {@link org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)}
327 * or the {@link org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)}
328 * method to send the issuer name and the serial number of a certificate to the receiver.
329 *<p/>
330 * In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name
331 * and the serial number of the signing certificate are sent to the
332 * receiver. This reduces the amount of data being sent. The encryption
333 * method uses the public key associated with this certificate to encrypt
334 * the symmetric key used to encrypt data.
335 * The issuer name format will use a quote delimited Rfc 2253 format if necessary which is recognized by the Microsoft's WCF stack.
336 * It also places a space before each subsequent RDN also required for WCF interoperability.
337 * In addition, this format is know to be correctly interpreted by Java.
338 *<p/>
339 *Please refer to WS Security specification X509 1.1 profile, chapter 3.3.3
340 * <p/>
341 */
342 public static final int ISSUER_SERIAL_QUOTE_FORMAT = 15;
343
344 /**
345 * <code>X509_SKI</code> is used to set a ds:X509Data/ds:KeyValue element to refer to
346 * the base64 encoded plain value of a X509 V.3 SubjectKeyIdentifier extension
347 */
348 public static final int X509_SKI = 16;
349
350 /*
351 * The following values are bits that can be combined to form a set.
352 * Be careful when adding new constants.
353 */
354 public static final int NO_SECURITY = 0;
355 public static final int UT = 0x1; // perform UsernameToken
356 public static final int SIGN = 0x2; // Perform Signature
357 public static final int ENCR = 0x4; // Perform Encryption
358
359 public static final int ST_UNSIGNED = 0x8; // perform SAMLToken unsigned
360 public static final int ST_SIGNED = 0x10; // perform SAMLToken signed
361
362 public static final int TS = 0x20; // insert Timestamp
363 public static final int UT_SIGN = 0x40; // perform signature with UT secret key
364 public static final int SC = 0x80; // this is a SignatureConfirmation
365
366 public static final int NO_SERIALIZE = 0x100;
367 public static final int SERIALIZE = 0x200;
368 public static final int SCT = 0x400; //SecurityContextToken
369 public static final int DKT = 0x800; //DerivedKeyToken
370 public static final int BST = 0x1000; //BinarySecurityToken
371 public static final int UT_NOPASSWORD = 0x2000; // perform UsernameToken
372 public static final int CUSTOM_TOKEN = 0x4000; // perform a Custom Token action
373 public static final int DKT_SIGN = 0x8000; // Perform Signature with a Derived Key
374 public static final int DKT_ENCR = 0x10000; // Perform Encryption with a Derived Key
375
376 private WSConstants() {
377 super();
378 }
379
380 }