1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.stax.impl.processor.input;
20  
21  import org.apache.wss4j.binding.wss10.ObjectFactory;
22  import org.apache.wss4j.binding.wss10.ReferenceType;
23  import org.apache.wss4j.binding.wss10.SecurityTokenReferenceType;
24  import org.apache.wss4j.common.bsp.BSPRule;
25  import org.apache.wss4j.common.ext.WSSecurityException;
26  import org.apache.wss4j.common.util.AttachmentUtils;
27  import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
28  import org.apache.xml.security.binding.xmldsig.KeyInfoType;
29  import org.apache.xml.security.binding.xmlenc.EncryptedKeyType;
30  import org.apache.xml.security.binding.xmlenc.EncryptionMethodType;
31  import org.apache.xml.security.exceptions.XMLSecurityException;
32  import org.apache.xml.security.stax.ext.InputProcessorChain;
33  import org.apache.xml.security.stax.ext.XMLSecurityProperties;
34  import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
35  import org.apache.xml.security.stax.impl.processor.input.XMLEncryptedKeyInputHandler;
36  import org.apache.wss4j.stax.ext.WSSConstants;
37  import org.apache.wss4j.stax.ext.WSSSecurityProperties;
38  
/**
 * Processor for the EncryptedKey XML Structure.
 *
 * <p>Specialises the generic xmlsec {@link XMLEncryptedKeyInputHandler} for
 * WS-Security: it reports Basic Security Profile (BSP) deviations found on the
 * {@code xenc:EncryptedKey} element, rejects the element when its key transport
 * algorithm differs from the one the application requires, and wires a
 * {@link DecryptInputProcessor} into the chain for the {@code xenc:ReferenceList}
 * carried by the EncryptedKey.</p>
 */
public class WSSEncryptedKeyInputHandler extends XMLEncryptedKeyInputHandler {

    private static final transient org.slf4j.Logger LOG =
        org.slf4j.LoggerFactory.getLogger(WSSEncryptedKeyInputHandler.class);

    /**
     * Validates the EncryptedKey element and then delegates to the superclass.
     *
     * <p>The BSP check runs first. Then, if the security properties name a required
     * key transport algorithm, the element's {@code xenc:EncryptionMethod} must carry
     * exactly that algorithm, otherwise the message is rejected before the superclass
     * attempts any key unwrapping. An element without an {@code EncryptionMethod} is not
     * rejected by this check (BSP rule R5603 is reported by
     * {@link #checkBSPCompliance} instead).</p>
     *
     * @param inputProcessorChain the processor chain; its security context is cast to
     *                            {@link WSInboundSecurityContext}
     * @param encryptedKeyType the unmarshalled {@code xenc:EncryptedKey} element
     * @param responsibleXMLSecStartXMLEvent the start event that triggered this handler
     * @param securityProperties the inbound security configuration
     * @throws WSSecurityException with {@code INVALID_SECURITY} if the key transport
     *                             algorithm does not equal the required one
     * @throws XMLSecurityException propagated from the BSP handling or the superclass
     */
    @Override
    public void handle(InputProcessorChain inputProcessorChain, EncryptedKeyType encryptedKeyType,
                       XMLSecEvent responsibleXMLSecStartXMLEvent, XMLSecurityProperties securityProperties)
        throws XMLSecurityException {
        checkBSPCompliance(inputProcessorChain, encryptedKeyType);
        rejectUnexpectedKeyTransportAlgorithm(encryptedKeyType, securityProperties);
        super.handle(inputProcessorChain, encryptedKeyType, responsibleXMLSecStartXMLEvent, securityProperties);
    }

    /**
     * Throws if a required key transport algorithm is configured and the EncryptedKey
     * declares a different one. Nothing is checked when no requirement is configured or
     * when the element carries no {@code EncryptionMethod}.
     *
     * @throws WSSecurityException with {@code INVALID_SECURITY} on a mismatch
     */
    private static void rejectUnexpectedKeyTransportAlgorithm(final EncryptedKeyType encryptedKeyType,
                                                              final XMLSecurityProperties securityProperties)
        throws WSSecurityException {
        final String requiredAlgorithm = securityProperties.getEncryptionKeyTransportAlgorithm();
        final EncryptionMethodType encryptionMethod = encryptedKeyType.getEncryptionMethod();
        if (requiredAlgorithm == null || encryptionMethod == null) {
            return;
        }
        // A missing (null) algorithm URI fails this equals() test just like a different one.
        if (requiredAlgorithm.equals(encryptionMethod.getAlgorithm())) {
            return;
        }
        LOG.warn("The Key transport method does not match the requirement");
        throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
    }

    /**
     * Adds a {@link DecryptInputProcessor} to the chain for the reference list of this
     * EncryptedKey (presumably invoked by the superclass only when a
     * {@code xenc:ReferenceList} is present; not verified here).
     *
     * <p>The processor receives a synthetic {@code ds:KeyInfo} containing a
     * {@code wsse:SecurityTokenReference} whose {@code wsse:Reference} URI is
     * {@code "#" + encryptedKeyType.getId()}, so the referenced EncryptedData elements
     * resolve back to the key wrapped by this element.</p>
     *
     * @param inputProcessorChain the chain to extend; its security context is cast to
     *                            {@link WSInboundSecurityContext}
     * @param encryptedKeyType the EncryptedKey whose Id and ReferenceList are used
     * @param securityProperties cast to {@link WSSSecurityProperties}
     * @throws XMLSecurityException declared for subclasses; not thrown by this body
     */
    @Override
    protected void handleReferenceList(final InputProcessorChain inputProcessorChain,
            final EncryptedKeyType encryptedKeyType,
            final XMLSecurityProperties securityProperties) throws XMLSecurityException {
        final ObjectFactory wsseFactory = new ObjectFactory();

        // NOTE(review): relies on the Id being set already; a null Id would produce "#null".
        final ReferenceType reference = new ReferenceType();
        reference.setURI("#" + encryptedKeyType.getId());

        final SecurityTokenReferenceType tokenReference = new SecurityTokenReferenceType();
        tokenReference.getAny().add(wsseFactory.createReference(reference));

        final KeyInfoType keyInfo = new KeyInfoType();
        keyInfo.getContent().add(wsseFactory.createSecurityTokenReference(tokenReference));

        final DecryptInputProcessor decryptProcessor = new DecryptInputProcessor(
            keyInfo,
            encryptedKeyType.getReferenceList(),
            (WSSSecurityProperties) securityProperties,
            (WSInboundSecurityContext) inputProcessorChain.getSecurityContext());
        inputProcessorChain.addProcessor(decryptProcessor);
    }

    /**
     * Reports Basic Security Profile deviations of the EncryptedKey element to the
     * inbound security context via {@code handleBSPRule}. Whether a reported rule is
     * fatal or merely logged is decided by the context's configuration, not here.
     *
     * <p>Rules reported: R3209 (Type attribute present), R5622 (MimeType present),
     * R5623 (Encoding present), R5602 (Recipient present), R5603 (no EncryptionMethod),
     * R5621 (EncryptionMethod algorithm other than RSA-1.5, RSA-OAEP-MGF1P or the
     * xenc11 RSA-OAEP). Note that R5621 is a profile-conformance check and still accepts
     * RSA-1.5; an application that must refuse RSA-1.5 does so through the required key
     * transport algorithm enforced in {@link #handle}.</p>
     *
     * @param inputProcessorChain supplies the {@link WSInboundSecurityContext}
     * @param encryptedKeyType the element to check
     * @throws XMLSecurityException if the context treats a reported rule as fatal
     */
    protected void checkBSPCompliance(InputProcessorChain inputProcessorChain, EncryptedKeyType encryptedKeyType)
            throws XMLSecurityException {
        final WSInboundSecurityContext context =
            (WSInboundSecurityContext) inputProcessorChain.getSecurityContext();

        // Optional attributes the profile forbids on EncryptedKey, in rule order.
        if (encryptedKeyType.getType() != null) {
            context.handleBSPRule(BSPRule.R3209);
        }
        if (encryptedKeyType.getMimeType() != null) {
            context.handleBSPRule(BSPRule.R5622);
        }
        if (encryptedKeyType.getEncoding() != null) {
            context.handleBSPRule(BSPRule.R5623);
        }
        if (encryptedKeyType.getRecipient() != null) {
            context.handleBSPRule(BSPRule.R5602);
        }

        final EncryptionMethodType encryptionMethod = encryptedKeyType.getEncryptionMethod();
        if (encryptionMethod == null) {
            context.handleBSPRule(BSPRule.R5603);
            return;
        }
        final String algorithm = encryptionMethod.getAlgorithm();
        final boolean profileKeyTransport = WSSConstants.NS_XENC_RSA15.equals(algorithm)
            || WSSConstants.NS_XENC_RSAOAEPMGF1P.equals(algorithm)
            || WSSConstants.NS_XENC11_RSAOAEP.equals(algorithm);
        if (!profileKeyTransport) {
            context.handleBSPRule(BSPRule.R5621);
        }
    }

    /**
     * Resolves an {@code xop:Include} reference to the bytes of the attachment it names,
     * using the attachment callback handler configured on the
     * {@link WSSSecurityProperties}.
     *
     * @param xopUri the href of the xop:Include
     * @param securityProperties cast to {@link WSSSecurityProperties}
     * @return the attachment content
     * @throws XMLSecurityException if the attachment cannot be resolved
     */
    @Override
    protected byte[] getBytesFromAttachment(String xopUri, final XMLSecurityProperties securityProperties) throws XMLSecurityException {
        final WSSSecurityProperties wssProperties = (WSSSecurityProperties) securityProperties;
        // The trailing flag is interpreted by AttachmentUtils (presumably "remove attachment"; verify there).
        return AttachmentUtils.getBytesFromAttachment(xopUri, wssProperties.getAttachmentCallbackHandler(), true);
    }

}
123 }