View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.wss4j.dom;
21  
22  import javax.xml.namespace.QName;
23  
24  import org.apache.wss4j.common.WSS4JConstants;
25  import org.apache.wss4j.common.derivedKey.ConversationConstants;
26  
27  /**
28   * Constants in WS-Security spec.
29   */
30  public final class WSConstants extends WSS4JConstants {
31  
32      //
33      // QNames for the security header elements
34      //
35  
36      /**
37       * <code>wsse:BinarySecurityToken</code> as defined by WS Security specification
38       */
39      public static final QName BINARY_TOKEN =
40          new QName(WSConstants.WSSE_NS, WSConstants.BINARY_TOKEN_LN);
41      /**
42       * <code>wsse:UsernameToken</code> as defined by WS Security specification
43       */
44      public static final QName USERNAME_TOKEN =
45          new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN);
46      /**
47       * <code>wsu:Timestamp</code> as defined by OASIS WS Security specification,
48       */
49      public static final QName TIMESTAMP =
50          new QName(WSConstants.WSU_NS, WSConstants.TIMESTAMP_TOKEN_LN);
51      /**
52       * <code>wsse11:signatureConfirmation</code> as defined by OASIS WS Security specification,
53       */
54      public static final QName SIGNATURE_CONFIRMATION =
55          new QName(WSConstants.WSSE11_NS, WSConstants.SIGNATURE_CONFIRMATION_LN);
56      /**
57       * <code>ds:Signature</code> as defined by XML Signature specification,
58       * enhanced by WS Security specification
59       */
60      public static final QName SIGNATURE =
61          new QName(WSConstants.SIG_NS, WSConstants.SIG_LN);
62      /**
63       * <code>xenc:EncryptedKey</code> as defined by XML Encryption specification,
64       * enhanced by WS Security specification
65       */
66      public static final QName ENCRYPTED_KEY =
67          new QName(WSConstants.ENC_NS, WSConstants.ENC_KEY_LN);
68      /**
69       * <code>xenc:EncryptedData</code> as defined by XML Encryption specification,
70       * enhanced by WS Security specification
71       */
72      public static final QName ENCRYPTED_DATA =
73          new QName(WSConstants.ENC_NS, WSConstants.ENC_DATA_LN);
74      /**
75       * <code>xenc:ReferenceList</code> as defined by XML Encryption specification,
76       */
77      public static final QName REFERENCE_LIST =
78          new QName(WSConstants.ENC_NS, WSConstants.REF_LIST_LN);
79      /**
80       * <code>saml:Assertion</code> as defined by SAML v1.1 specification
81       */
82      public static final QName SAML_TOKEN =
83          new QName(WSConstants.SAML_NS, WSConstants.ASSERTION_LN);
84  
85      /**
86       * <code>saml:Assertion</code> as defined by SAML v2.0 specification
87       */
88      public static final QName SAML2_TOKEN =
89          new QName(WSConstants.SAML2_NS, WSConstants.ASSERTION_LN);
90  
91      /**
92       * <code>saml:EncryptedAssertion</code> as defined by SAML v2.0 specification
93       */
94      public static final QName ENCRYPTED_ASSERTION =
95          new QName(WSConstants.SAML2_NS, WSConstants.ENCRYPED_ASSERTION_LN);
96  
97      /**
98       * <code>wsc:DerivedKeyToken</code> as defined by WS-SecureConversation specification
99       */
100     public static final QName DERIVED_KEY_TOKEN_05_02 =
101         new QName(ConversationConstants.WSC_NS_05_02, ConversationConstants.DERIVED_KEY_TOKEN_LN);
102 
103     /**
104      * <code>wsc:SecurityContextToken</code> as defined by WS-SecureConversation specification
105      */
106     public static final QName SECURITY_CONTEXT_TOKEN_05_02 =
107         new QName(ConversationConstants.WSC_NS_05_02, ConversationConstants.SECURITY_CONTEXT_TOKEN_LN);
108 
109     /**
110      * <code>wsc:DerivedKeyToken</code> as defined by WS-SecureConversation specification in WS-SX
111      */
112     public static final QName DERIVED_KEY_TOKEN_05_12 =
113         new QName(ConversationConstants.WSC_NS_05_12, ConversationConstants.DERIVED_KEY_TOKEN_LN);
114 
115     /**
116      * <code>wsc:SecurityContextToken</code> as defined by WS-SecureConversation specification in
117      * WS-SX
118      */
119     public static final QName SECURITY_CONTEXT_TOKEN_05_12 =
120         new QName(ConversationConstants.WSC_NS_05_12, ConversationConstants.SECURITY_CONTEXT_TOKEN_LN);
121 
122     //
123     // Fault codes defined in the WSS 1.1 spec under section 12, Error handling
124     //
125 
126     /**
127      * An unsupported token was provided
128      */
129     public static final QName UNSUPPORTED_SECURITY_TOKEN =
130         new QName(WSSE_NS, "UnsupportedSecurityToken");
131 
132     /**
133      * An unsupported signature or encryption algorithm was used
134      */
135     public static final QName UNSUPPORTED_ALGORITHM =
136         new QName(WSSE_NS, "UnsupportedAlgorithm");
137 
138     /**
139      * An error was discovered processing the <Security> header
140      */
141     public static final QName INVALID_SECURITY = new QName(WSSE_NS, "InvalidSecurity");
142 
143     /**
144      * An invalid security token was provided
145      */
146     public static final QName INVALID_SECURITY_TOKEN = new QName(WSSE_NS, "InvalidSecurityToken");
147 
148     /**
149      * The security token could not be authenticated or authorized
150      */
151     public static final QName FAILED_AUTHENTICATION = new QName(WSSE_NS, "FailedAuthentication");
152 
153     /**
154      * The signature or decryption was invalid
155      */
156     public static final QName FAILED_CHECK = new QName(WSSE_NS, "FailedCheck");
157 
158     /**
159      * Referenced security token could not be retrieved
160      */
161     public static final QName SECURITY_TOKEN_UNAVAILABLE = new QName(WSSE_NS, "SecurityTokenUnavailable");
162 
163     /**
164      * The message has expired
165      */
166     public static final QName MESSAGE_EXPIRED = new QName(WSSE_NS, "MessageExpired");
167 
168     /*
169      * Constants used to configure WSS4J
170      */
171 
172     /**
173      * Sets the {@link
174      * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
175      * } method to send the signing certificate as a <code>BinarySecurityToken</code>.
176      * <p/>
177      * The signing method takes the signing certificate, converts it to a
178      * <code>BinarySecurityToken</code>, puts it in the security header,
179      * and inserts a <code>Reference</code> to the binary security token
180      * into the <code>wsse:SecurityReferenceToken</code>. Thus the whole
181      * signing certificate is transfered to the receiver.
182      * The X509 profile recommends to use {@link #ISSUER_SERIAL} instead
183      * of sending the whole certificate.
184      * <p/>
185      * Please refer to WS Security specification X509 1.1 profile, chapter 3.3.2
186      * and to WS Security SOAP Message security 1.1 specification, chapter 7.2
187      * <p/>
188      * Note: only local references to BinarySecurityToken are supported
189      */
190     public static final int BST_DIRECT_REFERENCE = 1;
191 
192     /**
193      * Sets the {@link
194      *org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)
195      *} or the {@link
196      *org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)
197      * } method to send the issuer name and the serial number of a certificate to
198      * the receiver.
199      * <p/>
200      * In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name
201      * and the serial number of the signing certificate are sent to the
202      * receiver. This reduces the amount of data being sent. The encryption
203      * method uses the public key associated with this certificate to encrypt
204      * the symmetric key used to encrypt data. 
205      * The name format will delimit unicode characters with a '\' which is not compatible with Microsoft's WCF stack.
206      * To send issuer name with format that is compatible with WCF and Java use {@link #ISSUER_SERIAL_QUOTE_FORMAT}
207      * <p/>
208      * Please refer to WS Security specification X509 1.1 profile, chapter 3.3.3
209      */
210     public static final int ISSUER_SERIAL = 2;
211 
212     /**
213      * Sets the {@link
214      * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
215      * } or the {@link
216      * org.apache.wss4j.dom.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader)
217      * }method to send the certificate used to encrypt the symmetric key.
218      * <p/>
219      * The encryption method uses the public key associated with this certificate
220      * to encrypt the symmetric key used to encrypt data. The certificate is
221      * converted into a <code>KeyIdentifier</code> token and sent to the receiver.
222      * Thus the complete certificate data is transferred to receiver.
223      * The X509 profile recommends to use {@link #ISSUER_SERIAL} instead
224      * of sending the whole certificate.
225      * <p/>
226      * Please refer to WS Security SOAP Message security 1.1 specification,
227      * chapter 7.3. Note that this is a NON-STANDARD method. The standard way to refer to
228      * an X.509 Certificate via a KeyIdentifier is to use {@link #SKI_KEY_IDENTIFIER}
229      */
230     public static final int X509_KEY_IDENTIFIER = 3;
231 
232     /**
233      * Sets the {@link
234      * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
235      * } method to send a <code>SubjectKeyIdentifier</code> to identify
236      * the signing certificate.
237      * <p/>
238      * Refer to WS Security specification X509 1.1 profile, chapter 3.3.1
239      */
240     public static final int SKI_KEY_IDENTIFIER = 4;
241 
242     /**
243      * Embeds a keyinfo/key name into the EncryptedData element.
244      * <p/>
245      */
246     @Deprecated
247     public static final int EMBEDDED_KEYNAME = 5;
248 
249     /**
250      * Embeds a keyinfo/wsse:SecurityTokenReference into EncryptedData element.
251      */
252     @Deprecated
253     public static final int EMBED_SECURITY_TOKEN_REF = 6;
254 
255     /**
256      * <code>UT_SIGNING</code> is used internally only to set a specific Signature
257      * behavior.
258      *
259      * The signing token is constructed from values in the UsernameToken according
260      * to WS-Trust specification.
261      */
262     public static final int UT_SIGNING = 7;
263 
264     /**
265      * <code>THUMPRINT_IDENTIFIER</code> is used to set the specific key identifier
266      * ThumbprintSHA1.
267      *
268      * This identifier uses the SHA-1 digest of a security token to
269      * identify the security token. Please refer to chapter 7.2 of the OASIS WSS 1.1
270      * specification.
271      *
272      */
273     public static final int THUMBPRINT_IDENTIFIER = 8;
274 
275     /**
276      * <code>CUSTOM_SYMM_SIGNING</code> is used internally only to set a
277      * specific Signature behavior.
278      *
279      * The signing key, reference id and value type are set externally.
280      */
281     public static final int CUSTOM_SYMM_SIGNING = 9;
282 
283     /**
284      * <code>ENCRYPTED_KEY_SHA1_IDENTIFIER</code> is used to set the specific key identifier
285      * EncryptedKeySHA1.
286      *
287      * This identifier uses the SHA-1 digest of a security token to
288      * identify the security token. Please refer to chapter 7.3 of the OASIS WSS 1.1
289      * specification.
290      */
291     public static final int ENCRYPTED_KEY_SHA1_IDENTIFIER = 10;
292 
293     /**
294      * <code>CUSTOM_SYMM_SIGNING_DIRECT</code> is used internally only to set a
295      * specific Signature behavior.
296      *
297      * The signing key, reference id and value type are set externally.
298      */
299     public static final int CUSTOM_SYMM_SIGNING_DIRECT = 11;
300 
301     /**
302      * <code>CUSTOM_KEY_IDENTIFIER</code> is used to set a KeyIdentifier to
303      * a particular ID
304      *
305      * The reference id and value type are set externally.
306      */
307     public static final int CUSTOM_KEY_IDENTIFIER = 12;
308 
309     /**
310      * <code>KEY_VALUE</code> is used to set a ds:KeyInfo/ds:KeyValue element to refer to
311      * either an RSA or DSA public key.
312      */
313     public static final int KEY_VALUE = 13;
314 
315     /**
316      * <code>ENDPOINT_KEY_IDENTIFIER</code> is used to specify service endpoint as public key
317      * identifier.
318      *
319      * Constant is useful in case of symmetric holder of key, where token service can determine
320      * target service public key to encrypt shared secret.
321      */
322     public static final int ENDPOINT_KEY_IDENTIFIER = 14;
323 
324 
325     /**
326      *Sets the {@link org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)}
327      * or the {@link org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)}
328      * method to send the issuer name and the serial number of a certificate to the receiver.
329      *<p/>
330      * In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name
331      * and the serial number of the signing certificate are sent to the
332      * receiver. This reduces the amount of data being sent. The encryption
333      * method uses the public key associated with this certificate to encrypt
334      * the symmetric key used to encrypt data.
335      * The issuer name format will use a quote delimited Rfc 2253 format if necessary which is recognized by the Microsoft's WCF stack.
336      * It also places a space before each subsequent RDN also required for WCF interoperability.
337      * In addition, this format is know to be correctly interpreted by Java.
338      *<p/>
339      *Please refer to WS Security specification X509 1.1 profile, chapter 3.3.3
340      * <p/>
341      */
342     public static final int ISSUER_SERIAL_QUOTE_FORMAT = 15;
343 
344     /*
345      * The following values are bits that can be combined to form a set.
346      * Be careful when adding new constants.
347      */
348     public static final int NO_SECURITY = 0;
349     public static final int UT = 0x1; // perform UsernameToken
350     public static final int SIGN = 0x2; // Perform Signature
351     public static final int ENCR = 0x4; // Perform Encryption
352 
353     public static final int ST_UNSIGNED = 0x8; // perform SAMLToken unsigned
354     public static final int ST_SIGNED = 0x10; // perform SAMLToken signed
355 
356     public static final int TS = 0x20; // insert Timestamp
357     public static final int UT_SIGN = 0x40; // perform signature with UT secret key
358     public static final int SC = 0x80;      // this is a SignatureConfirmation
359 
360     public static final int NO_SERIALIZE = 0x100;
361     public static final int SERIALIZE = 0x200;
362     public static final int SCT = 0x400; //SecurityContextToken
363     public static final int DKT = 0x800; //DerivedKeyToken
364     public static final int BST = 0x1000; //BinarySecurityToken
365     public static final int UT_NOPASSWORD = 0x2000; // perform UsernameToken
366     public static final int CUSTOM_TOKEN = 0x4000; // perform a Custom Token action
367     public static final int DKT_SIGN = 0x8000; // Perform Signature with a Derived Key
368     public static final int DKT_ENCR = 0x10000; // Perform Encryption with a Derived Key
369 
370     private WSConstants() {
371         super();
372     }
373 
374 }