1
/*******************************************************************************
2
*Copyright (c) 2009 Eucalyptus Systems, Inc.
4
* This program is free software: you can redistribute it and/or modify
5
* it under the terms of the GNU General Public License as published by
6
* the Free Software Foundation, only version 3 of the License.
9
* This file is distributed in the hope that it will be useful, but WITHOUT
10
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14
* You should have received a copy of the GNU General Public License along
15
* with this program. If not, see <http://www.gnu.org/licenses/>.
17
* Please contact Eucalyptus Systems, Inc., 130 Castilian
18
* Dr., Goleta, CA 93101 USA or visit <http://www.eucalyptus.com/licenses/>
19
* if you need additional information or have any questions.
21
* This file may incorporate work covered under the following copyright and
24
* Software License Agreement (BSD License)
26
* Copyright (c) 2008, Regents of the University of California
27
* All rights reserved.
29
* Redistribution and use of this software in source and binary forms, with
30
* or without modification, are permitted provided that the following
33
* Redistributions of source code must retain the above copyright notice,
34
* this list of conditions and the following disclaimer.
36
* Redistributions in binary form must reproduce the above copyright
37
* notice, this list of conditions and the following disclaimer in the
38
* documentation and/or other materials provided with the distribution.
40
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
41
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
42
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
43
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
44
* OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
45
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
46
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
47
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
48
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
49
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
50
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. USERS OF
51
* THIS SOFTWARE ACKNOWLEDGE THE POSSIBLE PRESENCE OF OTHER OPEN SOURCE
52
* LICENSED MATERIAL, COPYRIGHTED MATERIAL OR PATENTED MATERIAL IN THIS
53
* SOFTWARE, AND IF ANY SUCH MATERIAL IS DISCOVERED THE PARTY DISCOVERING
54
* IT MAY INFORM DR. RICH WOLSKI AT THE UNIVERSITY OF CALIFORNIA, SANTA
55
* BARBARA WHO WILL THEN ASCERTAIN THE MOST APPROPRIATE REMEDY, WHICH IN
56
* THE REGENTS’ DISCRETION MAY INCLUDE, WITHOUT LIMITATION, REPLACEMENT
57
* OF THE CODE SO IDENTIFIED, LICENSING OF THE CODE SO IDENTIFIED, OR
58
* WITHDRAWAL OF THE CODE CAPABILITY TO THE EXTENT NEEDED TO COMPLY WITH
59
* ANY SUCH LICENSES OR RIGHTS.
60
*******************************************************************************/
62
* Author: chris grzegorczyk <grze@eucalyptus.com>
64
package com.eucalyptus.ws.util;
66
import java.io.ByteArrayInputStream;
67
import java.io.ByteArrayOutputStream;
68
import java.io.IOException;
69
import java.io.InputStreamReader;
70
import java.security.NoSuchProviderException;
71
import java.security.cert.CertificateException;
72
import java.security.cert.CertificateFactory;
73
import java.security.cert.X509Certificate;
75
import org.apache.axiom.om.OMElement;
76
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
77
import org.apache.axiom.soap.SOAPEnvelope;
78
import org.apache.log4j.Logger;
79
import org.apache.ws.security.SOAPConstants;
80
import org.apache.ws.security.WSConstants;
81
import org.apache.ws.security.WSSecurityException;
82
import org.apache.ws.security.message.EnvelopeIdResolver;
83
import org.apache.ws.security.message.token.BinarySecurity;
84
import org.apache.ws.security.message.token.Reference;
85
import org.apache.ws.security.message.token.SecurityTokenReference;
86
import org.apache.ws.security.message.token.X509Security;
87
import org.apache.ws.security.util.WSSecurityUtil;
88
import org.apache.xml.security.exceptions.XMLSecurityException;
89
import org.apache.xml.security.keys.KeyInfo;
90
import org.apache.xml.security.signature.XMLSignature;
91
import org.apache.xml.security.signature.XMLSignatureException;
92
import org.bouncycastle.openssl.PEMReader;
93
import org.w3c.dom.Element;
94
import org.w3c.dom.Node;
95
import org.w3c.dom.Text;
97
import com.eucalyptus.auth.Credentials;
98
import com.eucalyptus.auth.util.Hashes;
99
import com.eucalyptus.util.HoldMe;
101
public class WSSecurity {
102
private static Logger LOG = Logger.getLogger( WSSecurity.class );
103
private static CertificateFactory factory;
108
public static CertificateFactory getCertificateFactory( ) {
109
if ( factory == null ) {
111
factory = CertificateFactory.getInstance( "X.509"/*, "BC"*/ );
112
} catch ( CertificateException e ) {
114
} /*catch ( NoSuchProviderException e ) {
120
private static boolean useBc = false;
121
public static X509Certificate verifySignature( final Element securityNode, final XMLSignature sig ) throws WSSecurityException, XMLSignatureException {
122
final SecurityTokenReference secRef = WSSecurity.getSecurityTokenReference( sig.getKeyInfo( ) );
123
final Reference tokenRef = secRef.getReference( );
124
Element bstDirect = WSSecurityUtil.getElementByWsuId( securityNode.getOwnerDocument( ), tokenRef.getURI( ) );
125
if ( bstDirect == null ) {
126
bstDirect = WSSecurityUtil.getElementByGenId( securityNode.getOwnerDocument( ), tokenRef.getURI( ) );
127
if ( bstDirect == null ) { throw new WSSecurityException( WSSecurityException.INVALID_SECURITY, "noCert" ); }
129
BinarySecurity token = new BinarySecurity( bstDirect );
130
String type = token.getValueType( );
131
X509Certificate cert = null;
134
Node node = bstDirect.getFirstChild( );
135
String certStr = ("-----BEGIN CERTIFICATE-----\n" + (node == null || !(node instanceof Text) ? null : ((Text)node).getData( ) ) +"\n-----END CERTIFICATE-----\n");
136
ByteArrayInputStream pemByteIn = new ByteArrayInputStream( certStr.getBytes( ) );
137
PEMReader in = new PEMReader( new InputStreamReader( pemByteIn ) );
139
cert = ( X509Certificate ) in.readObject( );
140
} catch ( Throwable e ) {
144
X509Security x509 = new X509Security( bstDirect );
145
byte[] bstToken = x509.getToken( );
146
CertificateFactory factory = getCertificateFactory( );
147
cert = ( X509Certificate ) factory.generateCertificate( new ByteArrayInputStream( bstToken ) );
149
} catch ( Exception e ) {
151
throw new WSSecurityException( WSSecurityException.UNSUPPORTED_SECURITY_TOKEN, "unsupportedBinaryTokenType", new Object[] { type } );
153
if ( !sig.checkSignatureValue( cert ) ) { throw new WSSecurityException( WSSecurityException.FAILED_CHECK ); }
157
public static XMLSignature getXmlSignature( final Element signatureNode ) throws WSSecurityException {
158
XMLSignature sig = null;
160
sig = new XMLSignature( ( Element ) signatureNode, null );
161
} catch ( XMLSecurityException e2 ) {
162
throw new WSSecurityException( WSSecurityException.FAILED_CHECK, "noXMLSig", null, e2 );
164
sig.addResourceResolver( EnvelopeIdResolver.getInstance( ) );
168
public static SecurityTokenReference getSecurityTokenReference( KeyInfo info ) throws WSSecurityException {
169
Node secTokenRef = WSSecurityUtil.getDirectChild( info.getElement( ), SecurityTokenReference.SECURITY_TOKEN_REFERENCE, WSConstants.WSSE_NS );
170
if ( secTokenRef == null ) { throw new WSSecurityException( WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo" ); }
172
SecurityTokenReference secRef;
174
secRef = new SecurityTokenReference( ( Element ) secTokenRef );
175
} catch ( WSSecurityException e1 ) {
179
if ( !secRef.containsReference( ) ) throw new WSSecurityException( WSSecurityException.FAILED_CHECK );
183
public static Element getSignatureElement( final Element securityNode ) {
184
final Element signatureNode = ( Element ) WSSecurityUtil.getDirectChildElement( securityNode, WSConstants.SIG_LN, WSConstants.SIG_NS );
185
return signatureNode;
188
public static Element getSecurityElement( final Element env ) {
189
final SOAPConstants soapConstants = WSSecurityUtil.getSOAPConstants( env );
190
final Element soapHeaderElement = ( Element ) WSSecurityUtil.getDirectChildElement( env, soapConstants.getHeaderQName( ).getLocalPart( ), soapConstants.getEnvelopeURI( ) );
191
if(soapHeaderElement != null) {
192
final Element securityNode = ( Element ) WSSecurityUtil.getDirectChildElement( soapHeaderElement, WSConstants.WSSE_LN, WSConstants.WSSE_NS );
198
public static X509Certificate getVerifiedCertificate( SOAPEnvelope envelope ) throws WSSecurityException, XMLSignatureException {
199
final StAXOMBuilder doomBuilder = HoldMe.getStAXOMBuilder( HoldMe.getDOOMFactory(), envelope.getXMLStreamReader( ) );
200
final OMElement elem = doomBuilder.getDocumentElement( );
202
final Element env = ( ( Element ) elem );
203
final Element securityNode = getSecurityElement( env );
204
if(securityNode != null) {
205
final Element signatureNode = getSignatureElement( securityNode );
206
final XMLSignature sig = getXmlSignature( signatureNode );
207
if ( sig.getKeyInfo( ) == null ) throw new WSSecurityException( WSSecurityException.SECURITY_TOKEN_UNAVAILABLE );
208
X509Certificate cert = verifySignature( securityNode, sig );