View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.assertionStates;
20  
21  import javax.xml.namespace.QName;
22  
23  import org.apache.wss4j.policy.AssertionState;
24  import org.apache.wss4j.common.WSSPolicyException;
25  import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
26  import org.apache.wss4j.policy.model.AlgorithmSuite;
27  import org.apache.wss4j.policy.stax.Assertable;
28  import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
29  import org.apache.wss4j.policy.stax.PolicyAsserter;
30  import org.apache.wss4j.stax.ext.WSSConstants;
31  import org.apache.xml.security.stax.ext.XMLSecurityConstants;
32  import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
33  import org.apache.xml.security.stax.securityEvent.SecurityEvent;
34  import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
35  
36  /**
37   * WSP1.3, 6.1 Algorithm Suite Property
38   */
39  public class AlgorithmSuiteAssertionState extends AssertionState implements Assertable {
40  
41      private PolicyAsserter policyAsserter;
42  
43      public AlgorithmSuiteAssertionState(AbstractSecurityAssertion assertion,
44                                          PolicyAsserter policyAsserter,
45                                          boolean asserted) {
46          super(assertion, asserted);
47  
48          this.policyAsserter = policyAsserter;
49          if (this.policyAsserter == null) {
50              this.policyAsserter = new DummyPolicyAsserter();
51          }
52  
53          if (asserted) {
54              AlgorithmSuite algorithmSuite = (AlgorithmSuite) getAssertion();
55              policyAsserter.assertPolicy(getAssertion());
56              String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
57              String name = algorithmSuite.getAlgorithmSuiteType().getName();
58              policyAsserter.assertPolicy(new QName(namespace, name));
59          }
60      }
61  
62      @Override
63      public SecurityEventConstants.Event[] getSecurityEventType() {
64          return new SecurityEventConstants.Event[]{
65                  SecurityEventConstants.AlgorithmSuite
66          };
67      }
68  
69      @Override
70      public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
71          AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = (AlgorithmSuiteSecurityEvent) securityEvent;
72          AlgorithmSuite algorithmSuite = (AlgorithmSuite) getAssertion();
73          if (algorithmSuite.getAlgorithmSuiteType() == null) {
74              setAsserted(false);
75              setErrorMessage("There is an error with the AlgorithmSuite policy");
76              policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
77              return isAsserted();
78          }
79  
80          XMLSecurityConstants.AlgorithmUsage keyUsage = algorithmSuiteSecurityEvent.getAlgorithmUsage();
81          int keyLength = algorithmSuiteSecurityEvent.getKeyLength();
82          String algorithmURI = algorithmSuiteSecurityEvent.getAlgorithmURI();
83          if (WSSConstants.Sym_Sig.equals(keyUsage)) {
84              if (algorithmSuite.getAlgorithmSuiteType().getSymmetricSignature() != null
85                  && !algorithmSuite.getAlgorithmSuiteType().getSymmetricSignature().equals(algorithmURI)) {
86                  setAsserted(false);
87                  setErrorMessage("Symmetric signature algorithm " + algorithmURI + " does not meet policy");
88                  policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
89              }
90  
91              if (!algorithmSuiteSecurityEvent.isDerivedKey()
92                  && (algorithmSuite.getAlgorithmSuiteType().getMinimumSymmetricKeyLength() > keyLength
93                      || algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength() < keyLength)) {
94                  setAsserted(false);
95                  setErrorMessage("Symmetric signature algorithm key length " + keyLength  + " does not meet policy");
96                  policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
97              } else if (algorithmSuiteSecurityEvent.isDerivedKey()
98                  && algorithmSuite.getAlgorithmSuiteType().getSignatureDerivedKeyLength() != keyLength) {
99                  setAsserted(false);
100                 setErrorMessage("Symmetric signature algorithm derived key length " + keyLength + " does not meet policy");
101                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
102             }
103         } else if (WSSConstants.Asym_Sig.equals(keyUsage)) {
104             if (algorithmSuite.getAlgorithmSuiteType().getAsymmetricSignature() != null
105                 && !algorithmSuite.getAlgorithmSuiteType().getAsymmetricSignature().equals(algorithmURI)) {
106                 setAsserted(false);
107                 setErrorMessage("Asymmetric algorithm " + algorithmURI + " does not meet policy");
108                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
109             }
110             if (algorithmSuite.getAlgorithmSuiteType().getMinimumAsymmetricKeyLength() > keyLength
111                 || algorithmSuite.getAlgorithmSuiteType().getMaximumAsymmetricKeyLength() < keyLength) {
112                 setAsserted(false);
113                 setErrorMessage("Asymmetric signature algorithm key length " + keyLength + " does not meet policy");
114                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
115             }
116         } else if (WSSConstants.SigDig.equals(keyUsage)) {
117             if (!algorithmSuite.getAlgorithmSuiteType().getDigest().equals(algorithmURI)) {
118                 setAsserted(false);
119                 setErrorMessage("Digest algorithm " + algorithmURI + " does not meet policy");
120                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
121             }
122         } else if (WSSConstants.Enc.equals(keyUsage)) {
123             if (!algorithmSuite.getAlgorithmSuiteType().getEncryption().equals(algorithmURI)) {
124                 setAsserted(false);
125                 setErrorMessage("Encryption algorithm " + algorithmURI + " does not meet policy");
126                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
127             }
128 
129             if (!algorithmSuiteSecurityEvent.isDerivedKey()
130                 && (algorithmSuite.getAlgorithmSuiteType().getMinimumSymmetricKeyLength() > keyLength
131                     || algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength() < keyLength)) {
132                 setAsserted(false);
133                 setErrorMessage("Symmetric encryption algorithm key length " + keyLength  + " does not meet policy");
134                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
135             } else if (algorithmSuiteSecurityEvent.isDerivedKey()
136                 && algorithmSuite.getAlgorithmSuiteType().getEncryptionDerivedKeyLength() != keyLength) {
137                 setAsserted(false);
138                 setErrorMessage("Symmetric encryption algorithm derived key length " + keyLength  + " does not meet policy");
139                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
140             }
141         } else if (WSSConstants.Sym_Key_Wrap.equals(keyUsage)) {
142             if (!algorithmSuite.getAlgorithmSuiteType().getSymmetricKeyWrap().equals(algorithmURI)) {
143                 setAsserted(false);
144                 setErrorMessage("Symmetric key wrap algorithm " + algorithmURI + " does not meet policy");
145                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
146             }
147             if (algorithmSuite.getAlgorithmSuiteType().getMinimumSymmetricKeyLength() > keyLength
148                 || algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength() < keyLength) {
149                 setAsserted(false);
150                 setErrorMessage("Symmetric key wrap algorithm key length " + keyLength  + " does not meet policy");
151                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
152             }
153         } else if (WSSConstants.Asym_Key_Wrap.equals(keyUsage)) {
154             if (!algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap().equals(algorithmURI)) {
155                 setAsserted(false);
156                 setErrorMessage("Asymmetric key wrap algorithm " + algorithmURI + " does not meet policy");
157                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
158             }
159             if (algorithmSuite.getAlgorithmSuiteType().getMinimumAsymmetricKeyLength() > keyLength
160                 || algorithmSuite.getAlgorithmSuiteType().getMaximumAsymmetricKeyLength() < keyLength) {
161                 setAsserted(false);
162                 setErrorMessage("Asymmetric key wrap algorithm key length " + keyLength + " does not meet policy");
163                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
164             }
165         } else if (WSSConstants.COMP_KEY.equals(keyUsage)) {
166             if (!algorithmSuite.getComputedKey().equals(algorithmURI)) {
167                 setAsserted(false);
168                 setErrorMessage("Computed key algorithm " + algorithmURI + " does not meet policy");
169                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
170             }
171         } else if (WSSConstants.ENC_KD.equals(keyUsage)) {
172             if (!algorithmSuite.getAlgorithmSuiteType().getEncryptionKeyDerivation().equals(algorithmURI)) {
173                 setAsserted(false);
174                 setErrorMessage("Encryption key derivation algorithm " + algorithmURI + " does not meet policy");
175                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
176             }
177         } else if (WSSConstants.SIG_KD.equals(keyUsage)) {
178             if (!algorithmSuite.getAlgorithmSuiteType().getSignatureKeyDerivation().equals(algorithmURI)) {
179                 setAsserted(false);
180                 setErrorMessage("Signature key derivation algorithm " + algorithmURI + " does not meet policy");
181                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
182             }
183         } else if (WSSConstants.SigC14n.equals(keyUsage)) {
184             if (algorithmSuite.getC14n() != null
185                     && !algorithmSuite.getC14n().getValue().equals(algorithmURI)) {
186                 setAsserted(false);
187                 setErrorMessage("C14N algorithm " + algorithmURI + " does not meet policy");
188                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
189             }
190         } else if (WSSConstants.SigTransform.equals(keyUsage)) {
191             if (algorithmSuite.getC14n() != null
192                 && !algorithmSuite.getC14n().getValue().equals(algorithmURI)
193                 && !WSSConstants.NS_C14N_EXCL.equals(algorithmURI)
194                 && !WSSConstants.SOAPMESSAGE_NS10_STR_TRANSFORM.equals(algorithmURI)
195                 && !WSSConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS.equals(algorithmURI)
196                 && !WSSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS.equals(algorithmURI)) {
197                 setAsserted(false);
198                 setErrorMessage("Transform C14N algorithm " + algorithmURI + " does not meet policy");
199                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
200             }
201         } else if (WSSConstants.SOAP_NORM.equals(keyUsage)) {
202             if (algorithmSuite.getSoapNormType() != null
203                     && !algorithmSuite.getSoapNormType().getValue().equals(algorithmURI)) {
204                 setAsserted(false);
205                 setErrorMessage("Soap normalization algorithm " + algorithmURI + " does not meet policy");
206                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
207             }
208         } else if (WSSConstants.STR_TRANS.equals(keyUsage)) {
209             if (algorithmSuite.getStrType() != null
210                     && !algorithmSuite.getStrType().getValue().equals(algorithmURI)) {
211                 setAsserted(false);
212                 setErrorMessage("STR transformation algorithm " + algorithmURI  + " does not meet policy");
213                 policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
214             }
215         } else if (WSSConstants.XPATH.equals(keyUsage) && algorithmSuite.getXPathType() != null
216             && !algorithmSuite.getXPathType().getValue().equals(algorithmURI)) {
217             setAsserted(false);
218             setErrorMessage("XPATH algorithm " + algorithmURI + " does not meet policy");
219             policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
220         }
221 
222         if (isAsserted()) {
223             policyAsserter.assertPolicy(getAssertion());
224             String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
225             String name = algorithmSuite.getAlgorithmSuiteType().getName();
226             policyAsserter.assertPolicy(new QName(namespace, name));
227             if (algorithmSuite.getC14n() != null) {
228                 policyAsserter.assertPolicy(new QName(namespace, algorithmSuite.getC14n().name()));
229             }
230         }
231 
232         return isAsserted();
233     }
234 }