src/util/rampart_signature.c (868 lines of code) (raw):
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <rampart_signature.h>
#include <rampart_encryption.h>
#include <stdio.h>
#include <axutil_utils.h>
#include <oxs_ctx.h>
#include <oxs_error.h>
#include <oxs_utility.h>
#include <rampart_constants.h>
#include <oxs_tokens.h>
#include <axutil_array_list.h>
#include <oxs_axiom.h>
#include <axis2_key_type.h>
#include <oxs_key.h>
#include <oxs_key_mgr.h>
#include <openssl_pkey.h>
#include <oxs_axiom.h>
#include <oxs_transform.h>
#include <oxs_transforms_factory.h>
#include <oxs_sign_ctx.h>
#include <oxs_sign_part.h>
#include <oxs_xml_signature.h>
#include <oxs_derivation.h>
#include <axis2_key_type.h>
#include <rampart_token_builder.h>
#include <rampart_util.h>
#include <rampart_sec_processed_result.h>
#include <rampart_sct_provider_utility.h>
#include <rampart_saml_token.h>
#include <axiom_util.h>
/*Private functions*/
axis2_status_t AXIS2_CALL
rampart_sig_add_x509_token(const axutil_env_t *env,
rampart_context_t *rampart_context,
axiom_node_t *sec_node,
axis2_char_t *cert_id);
axutil_array_list_t * AXIS2_CALL
rampart_sig_create_sign_parts(const axutil_env_t *env,
rampart_context_t *rampart_context,
axutil_array_list_t *nodes_to_sign,
axis2_bool_t server_side,
axutil_array_list_t *sign_parts_list);
static axis2_status_t
rampart_sig_endorse_sign(
const axutil_env_t *env,
axis2_msg_ctx_t *msg_ctx,
rampart_context_t *rampart_context,
axiom_soap_envelope_t *soap_envelope,
axiom_node_t *sec_node);
axis2_status_t AXIS2_CALL
rampart_sig_prepare_key_info_for_sym_binding(const axutil_env_t *env,
rampart_context_t *rampart_context,
oxs_sign_ctx_t *sign_ctx,
axiom_node_t *sig_node,
oxs_key_t *key,
axis2_char_t* encrypted_key_id)
{
axiom_node_t *key_info_node = NULL;
axiom_node_t *str_node = NULL;
axiom_node_t *reference_node = NULL;
axis2_char_t *id_ref = NULL;
axis2_char_t *key_id = NULL;
axis2_char_t *value_type = NULL;
/*Now we must build the Key Info element*/
key_info_node = oxs_token_build_key_info_element(env, sig_node);
str_node = oxs_token_build_security_token_reference_element(
env, key_info_node);
/*Create the reference Id*/
/*There are two ways the key info can be built
* 1. If the key used to sign is encrypted using an X509 Certificate, then that EncryptedKey's id will be used
* 2. If the key used to sign is derrived from the session key, then the Id of the derived key will be used
*/
if(encrypted_key_id){
/*Session key in use. Which is encrypted and hidden in the EncryptedKey with Id=encrypted_key_id*/
key_id = encrypted_key_id;
value_type = OXS_WSS_11_VALUE_TYPE_ENCRYPTED_KEY;
id_ref = axutil_stracat(env, OXS_LOCAL_REFERENCE_PREFIX,key_id);
}else{
/*Derived Keys in use.*/
key_id = oxs_key_get_name(key, env);
value_type = NULL;
id_ref = key_id;
}
reference_node = oxs_token_build_reference_element(env, str_node,
id_ref, value_type );
return AXIS2_SUCCESS;
}
axis2_status_t AXIS2_CALL
rampart_sig_prepare_key_info_for_asym_binding(const axutil_env_t *env,
rampart_context_t *rampart_context,
oxs_sign_ctx_t *sign_ctx,
axiom_node_t *sig_node,
axis2_char_t *cert_id,
axis2_char_t *eki,
axis2_bool_t is_direct_reference)
{
axiom_node_t *key_info_node = NULL;
oxs_key_mgr_t *key_mgr = NULL;
/*axis2_bool_t is_direct_reference = AXIS2_TRUE;*/
axis2_status_t status = AXIS2_FAILURE;
/*Now we must build the Key Info element*/
key_info_node = oxs_token_build_key_info_element(env, sig_node);
if(is_direct_reference)
{
axiom_node_t *str_node = NULL;
axiom_node_t *reference_node = NULL;
axis2_char_t *cert_id_ref = NULL;
str_node = oxs_token_build_security_token_reference_element(
env, key_info_node);
if(!str_node)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Security Token element creation failed in Direct reference.");
return AXIS2_FAILURE;
}
cert_id_ref = axutil_stracat(env, OXS_LOCAL_REFERENCE_PREFIX,cert_id);
reference_node = oxs_token_build_reference_element(
env, str_node, cert_id_ref, OXS_VALUE_X509V3);
AXIS2_FREE(env->allocator, cert_id_ref);
cert_id_ref = NULL;
if(!reference_node)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Security Token element creation failed in Direct reference.");
return AXIS2_FAILURE;
}
}
else
{
oxs_x509_cert_t *cert = NULL;
key_mgr = rampart_context_get_key_mgr(rampart_context, env);
cert = oxs_key_mgr_get_certificate(key_mgr, env);
if(!cert)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Cannot get the certificate");
return AXIS2_FAILURE;
}
if(axutil_strcmp(eki, RAMPART_STR_EMBEDDED) == 0)
{
status = rampart_token_build_security_token_reference(
env, key_info_node, cert, RTBP_EMBEDDED);
}
else if(axutil_strcmp(eki, RAMPART_STR_ISSUER_SERIAL) == 0)
{
status = rampart_token_build_security_token_reference(
env, key_info_node, cert, RTBP_X509DATA_ISSUER_SERIAL);
}
else if(axutil_strcmp(eki, RAMPART_STR_KEY_IDENTIFIER) == 0)
{
status = rampart_token_build_security_token_reference(
env, key_info_node, cert, RTBP_KEY_IDENTIFIER);
}
else if(axutil_strcmp(eki, RAMPART_STR_THUMB_PRINT) == 0)
{
status = rampart_token_build_security_token_reference(
env, key_info_node, cert, RTBP_THUMBPRINT);
}
else
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Unknown key Identifier type.Token attaching failed");
status = AXIS2_FAILURE;
}
oxs_x509_cert_free(cert, env);
cert = NULL;
}
/*FREE*/
if(cert_id)
{
AXIS2_FREE(env->allocator, cert_id);
cert_id = NULL;
}
return AXIS2_FAILURE;
}
axis2_status_t AXIS2_CALL
rampart_sig_pack_for_sym(const axutil_env_t *env,
rampart_context_t *rampart_context,
oxs_sign_ctx_t *sign_ctx,
axis2_msg_ctx_t *msg_ctx)
{
oxs_key_t *session_key = NULL;
rp_property_t *token = NULL;
rp_property_type_t token_type;
axis2_bool_t use_derived_keys = AXIS2_FALSE;
axis2_bool_t server_side = AXIS2_FALSE;
server_side = axis2_msg_ctx_get_server_side(msg_ctx, env);
token = rampart_context_get_token(rampart_context, env, AXIS2_FALSE, server_side, AXIS2_FALSE);
token_type = rp_property_get_type(token, env);
/*We are trying to reuse the same session key which is used for encryption if possible*/
session_key = rampart_context_get_signature_session_key(rampart_context, env);
if(!session_key)
{
/*Create a new key and set to the rampart_context. This usually happens when the SignBeforeEncrypt*/
/*Generate the session key. if security context token, get the
shared secret and create the session key.*/
if(token_type == RP_PROPERTY_SECURITY_CONTEXT_TOKEN)
{
oxs_buffer_t *key_buf = NULL;
session_key = oxs_key_create(env);
key_buf = sct_provider_get_secret(env, token, AXIS2_FALSE, rampart_context, msg_ctx);
if(!key_buf)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature]Cannot get shared secret of security context token");
oxs_key_free(session_key, env);
return AXIS2_FAILURE;
}
oxs_key_populate(session_key, env,
oxs_buffer_get_data(key_buf, env), "for-algo",
oxs_buffer_get_size(key_buf, env), OXS_KEY_USAGE_NONE);
rampart_context_set_signature_session_key(rampart_context, env, session_key);
}
else if(token_type == RP_PROPERTY_SAML_TOKEN)
{
rampart_saml_token_t *saml = NULL;
saml = rampart_context_get_saml_token(rampart_context, env, RAMPART_ST_TYPE_SIGNATURE_TOKEN);
if (!saml)
{
saml = rampart_context_get_saml_token(rampart_context, env, RAMPART_ST_TYPE_PROTECTION_TOKEN);
}
session_key = rampart_saml_token_get_session_key(saml, env);
if (!session_key)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature]Session key not specified.");
return AXIS2_FAILURE;
}
rampart_context_set_signature_session_key(rampart_context, env, session_key);
}
else
{
axis2_char_t *token_id = NULL;
token_id = rampart_context_get_signature_token_id(rampart_context, env, msg_ctx);
if(token_id)
{
int key_usage = OXS_KEY_USAGE_SESSION;
if(rampart_context_is_different_session_key_for_enc_and_sign(env, rampart_context))
key_usage = OXS_KEY_USAGE_SIGNATURE_SESSION;
session_key = rampart_context_get_key(rampart_context, env, token_id);
oxs_key_set_usage(session_key, env, key_usage);
}
else
{
session_key = oxs_key_create(env);
oxs_key_for_algo(session_key, env, rampart_context_get_algorithmsuite(rampart_context, env));
rampart_context_set_signature_session_key(rampart_context, env, session_key);
}
}
}
/*If we need to use derrived keys, we must sign using a derived key of the session key*/
use_derived_keys = rampart_context_check_is_derived_keys (env, token);
if(use_derived_keys)
{
oxs_key_t *derived_key = NULL;
/*Derive a new key*/
derived_key = oxs_key_create(env);
oxs_key_set_length(derived_key, env, rampart_context_get_signature_derived_key_len(rampart_context, env));
oxs_derivation_derive_key(env, session_key, derived_key, AXIS2_TRUE);
oxs_sign_ctx_set_secret(sign_ctx, env, derived_key);
}
else
{
/*No need to use derived keys, we use the same session key*/
oxs_sign_ctx_set_secret(sign_ctx, env, rampart_context_get_signature_session_key(rampart_context, env));
}
oxs_sign_ctx_set_sign_mtd_algo(sign_ctx, env, OXS_HREF_HMAC_SHA1);
oxs_sign_ctx_set_c14n_mtd(sign_ctx, env, OXS_HREF_XML_EXC_C14N);
oxs_sign_ctx_set_operation(sign_ctx, env, OXS_SIGN_OPERATION_SIGN);
return AXIS2_SUCCESS;
}
axis2_status_t AXIS2_CALL
rampart_sig_pack_for_asym(const axutil_env_t *env,
rampart_context_t *rampart_context,
oxs_sign_ctx_t *sign_ctx)
{
openssl_pkey_t *prvkey = NULL;
oxs_key_mgr_t *key_mgr = NULL;
axis2_char_t *asym_sig_algo = NULL;
key_mgr = rampart_context_get_key_mgr(rampart_context, env);
prvkey = oxs_key_mgr_get_prv_key(key_mgr, env);
if (!prvkey)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature]Private key cannot be loaded.");
return AXIS2_FAILURE;
}
/*Get the asymmetric signature algorithm*/
asym_sig_algo = rampart_context_get_asym_sig_algo(rampart_context, env);
/*These properties will set for creating signed info element*/
oxs_sign_ctx_set_private_key(sign_ctx, env, prvkey);
oxs_sign_ctx_set_sign_mtd_algo(sign_ctx, env, asym_sig_algo);
oxs_sign_ctx_set_c14n_mtd(sign_ctx, env, OXS_HREF_XML_EXC_C14N);
oxs_sign_ctx_set_operation(sign_ctx, env, OXS_SIGN_OPERATION_SIGN);
return AXIS2_SUCCESS;
}
/*Public functions*/
axis2_status_t AXIS2_CALL
rampart_sig_get_nodes_to_sign(
rampart_context_t *rampart_context,
const axutil_env_t *env,
axiom_soap_envelope_t *soap_envelope,
axutil_array_list_t *nodes_to_sign)
{
axis2_status_t status1 = AXIS2_SUCCESS;
axis2_status_t status2 = AXIS2_SUCCESS;
status1 = rampart_context_get_nodes_to_sign(
rampart_context, env, soap_envelope, nodes_to_sign);
status2 = rampart_context_get_elements_to_sign(
rampart_context, env, soap_envelope, nodes_to_sign);
if(status1 == AXIS2_SUCCESS || status2 == AXIS2_SUCCESS)
{
return AXIS2_SUCCESS;
}
else
{
return AXIS2_FAILURE;
}
}
AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_sig_sign_message(
const axutil_env_t *env,
axis2_msg_ctx_t *msg_ctx,
rampart_context_t *rampart_context,
axiom_soap_envelope_t *soap_envelope,
axiom_node_t *sec_node,
axutil_array_list_t *sign_parts_list)
{
axutil_array_list_t *nodes_to_sign = NULL;
axis2_status_t status = AXIS2_FAILURE;
oxs_sign_ctx_t *sign_ctx = NULL;
/*axutil_array_list_t *tr_list = NULL;*/
axis2_bool_t server_side = AXIS2_FALSE;
rp_property_type_t token_type;
rp_property_type_t binding_type;
rp_property_t *token = NULL;
axis2_char_t *derived_key_version = NULL;
axiom_node_t *sig_node = NULL;
axis2_char_t *eki = NULL;
axis2_bool_t is_direct_reference = AXIS2_TRUE;
axis2_bool_t include = AXIS2_FALSE;
axiom_node_t *key_reference_node = NULL;
axis2_char_t *cert_id = NULL;
/*Get nodes to be signed*/
server_side = axis2_msg_ctx_get_server_side(msg_ctx, env);
nodes_to_sign = axutil_array_list_create(env, 0);
status = rampart_sig_get_nodes_to_sign(
rampart_context, env, soap_envelope, nodes_to_sign);
if(status != AXIS2_SUCCESS)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Error occured in Adding signed parts.");
axutil_array_list_free(nodes_to_sign, env);
nodes_to_sign = NULL;
return AXIS2_FAILURE;
}
if((axutil_array_list_size(nodes_to_sign, env)==0))
{
AXIS2_LOG_INFO(env->log, "[rampart][rampart_signature] No parts specified or specified parts can't be found for Signature.");
axutil_array_list_free(nodes_to_sign, env);
nodes_to_sign = NULL;
return AXIS2_SUCCESS;
}
#if 0 /* this block is moved to rampart_context_get_nodes_to_sign */
/*If Timestamp and usernametoken are in the message we should sign them.*/
if(rampart_context_get_require_timestamp(rampart_context, env))
{
axiom_node_t *ts_node = NULL;
ts_node = oxs_axiom_get_node_by_local_name(env, sec_node, RAMPART_SECURITY_TIMESTAMP);
if(!ts_node)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Required timestamp cannot be found.");
axutil_array_list_free(nodes_to_sign, env);
nodes_to_sign = NULL;
return AXIS2_FAILURE;
}
axutil_array_list_add(nodes_to_sign, env, ts_node);
}
if(!server_side)
{
if(rampart_context_get_require_ut(rampart_context, env))
{
axiom_node_t *ut_node = NULL;
ut_node = oxs_axiom_get_node_by_local_name(
env, sec_node, RAMPART_SECURITY_USERNAMETOKEN);
if(!ut_node)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Required username token cannot be found.");
axutil_array_list_free(nodes_to_sign, env);
nodes_to_sign = NULL;
return AXIS2_FAILURE;
}
axutil_array_list_add(nodes_to_sign, env, ut_node);
}
}
else
{
if(rampart_context_is_sig_confirmation_reqd(rampart_context, env))
{
axiom_node_t* cur_node = NULL;
cur_node = axiom_node_get_first_child(sec_node, env);
while(cur_node)
{
axis2_char_t *cur_local_name = NULL;
cur_local_name = axiom_util_get_localname(cur_node, env);
if(0 == axutil_strcmp(cur_local_name, OXS_NODE_SIGNATURE_CONFIRMATION))
{
axutil_array_list_add(nodes_to_sign, env, cur_node);
}
cur_node = axiom_node_get_next_sibling(cur_node, env);
}
}
}
#endif
/*Now we have to check whether a token is specified.*/
token = rampart_context_get_token(rampart_context, env, AXIS2_FALSE, server_side, AXIS2_FALSE);
if(!token)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Signature Token is not specified");
axutil_array_list_free(nodes_to_sign, env);
nodes_to_sign = NULL;
return AXIS2_FAILURE;
}
token_type = rp_property_get_type(token, env);
if(!rampart_context_is_token_type_supported(token_type, env))
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Token type %d not supported", token_type);
axutil_array_list_free(nodes_to_sign, env);
nodes_to_sign = NULL;
return AXIS2_FAILURE;
}
/* Determine weather we need to include the token */
include = rampart_context_is_token_include(rampart_context, token,
token_type, server_side,
AXIS2_FALSE, env);
derived_key_version = rampart_context_get_derived_key_version(env, token);
if (token_type == RP_PROPERTY_X509_TOKEN)
{
if (include)
{
cert_id = oxs_util_generate_id(env,(axis2_char_t*)OXS_CERT_ID);
if (!rampart_sig_add_x509_token(env, rampart_context, sec_node, cert_id))
{
axutil_array_list_free(nodes_to_sign, env);
nodes_to_sign = NULL;
return AXIS2_FAILURE;
}
/*This flag will be useful when creating key Info element.*/
is_direct_reference = AXIS2_TRUE;
eki = RAMPART_STR_DIRECT_REFERENCE;
}
else
{
eki = rampart_context_get_key_identifier(rampart_context, token, env);
if(!eki)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Cannot attach the token.");
axutil_array_list_free(nodes_to_sign, env);
nodes_to_sign = NULL;
return AXIS2_FAILURE;
}
is_direct_reference = AXIS2_FALSE;
}
}
else if (token_type == RP_PROPERTY_SECURITY_CONTEXT_TOKEN)
{
if(include)
{
axiom_node_t *security_context_token_node = NULL;
/*include the security context token and set the AttachedReference to key_reference_node*/
security_context_token_node = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_SECURITY_CONTEXT_TOKEN);
if((!security_context_token_node) || (rampart_context_is_different_session_key_for_enc_and_sign(env, rampart_context)))
{
security_context_token_node = sct_provider_get_token(env, token, AXIS2_FALSE, rampart_context, msg_ctx);
if(!security_context_token_node)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Cannot get security context token");
axutil_array_list_free(nodes_to_sign, env);
nodes_to_sign = NULL;
return AXIS2_FAILURE;
}
axiom_node_add_child(sec_node, env, security_context_token_node);
}
key_reference_node = sct_provider_get_attached_reference(env, token, AXIS2_FALSE, rampart_context, msg_ctx);
}
else
{
/*get the unattachedReference and set to key_reference_node*/
key_reference_node = sct_provider_get_unattached_reference(env, token, AXIS2_FALSE, rampart_context, msg_ctx);
}
}
else if (token_type == RP_PROPERTY_SAML_TOKEN)
{
if (include)
{
axiom_node_t *assertion = NULL;
rampart_saml_token_t *saml = NULL;
/* Get the saml info from context.First check weather it is a signature token.*/
saml = rampart_context_get_saml_token(rampart_context, env, RAMPART_ST_TYPE_SIGNATURE_TOKEN);
if (!saml)
{
saml = rampart_context_get_saml_token(rampart_context, env, RAMPART_ST_TYPE_PROTECTION_TOKEN);
}
if (!saml)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart][rampart_signature] SAML token not specified.");
return AXIS2_FAILURE;
}
/* If not already added to the header */
if (!rampart_saml_token_is_added_to_header(saml, env))
{
assertion = rampart_saml_token_get_assertion(saml, env);
if (!assertion)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart][rampart_signature] SAML token not specified.");
return AXIS2_FAILURE;
}
axiom_node_add_child(sec_node, env, assertion);
/* we are sure that key reference node is not added to the header */
key_reference_node = rampart_saml_token_get_str(saml, env);
if (!key_reference_node)
{
key_reference_node = oxs_saml_token_build_key_identifier_reference_local(env, NULL, assertion);
}
}
}
else
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart][rampart_signature] SAML tokens with unattached reference not supported.");
return AXIS2_FAILURE;
}
}
sign_ctx = oxs_sign_ctx_create(env);
/* Set which parts to be signed*/
oxs_sign_ctx_set_sign_parts(sign_ctx, env,
rampart_sig_create_sign_parts(env, rampart_context, nodes_to_sign, server_side, sign_parts_list));
/*Get the binding type. Either symmetric or asymmetric for signature*/
binding_type = rampart_context_get_binding_type(rampart_context,env);
if(RP_PROPERTY_ASYMMETRIC_BINDING == binding_type)
{
/* Pack for asymmetric signature*/
status = rampart_sig_pack_for_asym(env, rampart_context, sign_ctx);
}
else if(RP_PROPERTY_SYMMETRIC_BINDING == binding_type)
{
/* Pack for symmetric signature*/
status = rampart_sig_pack_for_sym(env, rampart_context, sign_ctx, msg_ctx);
}
else
{
/*We do not support*/
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart][rampart_signature] Signature support only symmetric and asymmetric bindings.");
return AXIS2_FAILURE;
}
/* All the things are ready for signing. So lets try signing*/
status = oxs_xml_sig_sign(env, sign_ctx, sec_node, &sig_node);
if(status!=AXIS2_SUCCESS)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][rampart_signature] Message signing failed.");
return AXIS2_FAILURE;
}
/*build the key info inside signature node*/
if(RP_PROPERTY_ASYMMETRIC_BINDING == binding_type)
{
rampart_sig_prepare_key_info_for_asym_binding(env, rampart_context, sign_ctx, sig_node , cert_id, eki, is_direct_reference);
}
else if(RP_PROPERTY_SYMMETRIC_BINDING == binding_type)
{
oxs_key_t *signed_key = NULL;
oxs_key_t *session_key = NULL;
signed_key = oxs_sign_ctx_get_secret(sign_ctx, env);
session_key = rampart_context_get_signature_session_key(rampart_context, env);
if(token_type == RP_PROPERTY_SECURITY_CONTEXT_TOKEN)
{
if(0 == axutil_strcmp(oxs_key_get_name(session_key, env), oxs_key_get_name(signed_key, env)))
{
/*Now then... we have used the security context token to sign*/
axiom_node_t* key_info_node = NULL;
key_info_node = oxs_token_build_key_info_element(env, sig_node);
axiom_node_add_child(key_info_node, env, key_reference_node);
}
else
{
axiom_node_t *dk_token = NULL;
/*We have used a derived key to sign. Note the NULL we pass for the enc_key_id*/
rampart_sig_prepare_key_info_for_sym_binding(env, rampart_context, sign_ctx, sig_node, signed_key, NULL);
/*In addition we need to add a DerivedKeyToken*/
dk_token = oxs_derivation_build_derived_key_token_with_stre(env, signed_key, sec_node, key_reference_node, derived_key_version);
/*We need to make DerivedKeyToken to appear before the sginature node*/
oxs_axiom_interchange_nodes(env, dk_token, sig_node);
}
}
else if(token_type == RP_PROPERTY_SAML_TOKEN)
{
if(0 == axutil_strcmp(oxs_key_get_name(session_key, env), oxs_key_get_name(signed_key, env)))
{
/*Now then... we have used the security context token to sign*/
axiom_node_t* key_info_node = NULL;
key_info_node = oxs_token_build_key_info_element(env, sig_node);
axiom_node_add_child(key_info_node, env, key_reference_node);
}
else
{
axiom_node_t *dk_token = NULL;
/*We have used a derived key to sign. Note the NULL we pass for the enc_key_id*/
rampart_sig_prepare_key_info_for_sym_binding(env, rampart_context, sign_ctx, sig_node, signed_key, NULL);
/*In addition we need to add a DerivedKeyToken*/
dk_token = oxs_derivation_build_derived_key_token_with_stre(env, signed_key, sec_node, key_reference_node, derived_key_version);
/*We need to make DerivedKeyToken to appear before the sginature node*/
oxs_axiom_interchange_nodes(env, dk_token, sig_node);
}
}
else
{
if(server_side)
{
/*have to send EncryptedKeySHA1*/
axis2_char_t *encrypted_key_hash = NULL;
axiom_node_t *identifier_token = NULL;
encrypted_key_hash = oxs_key_get_key_sha(session_key, env);
key_reference_node = oxs_token_build_security_token_reference_element(env, NULL);
identifier_token = oxs_token_build_key_identifier_element(env, key_reference_node,
OXS_ENCODING_BASE64BINARY, OXS_X509_ENCRYPTED_KEY_SHA1, encrypted_key_hash);
if(0 == axutil_strcmp(oxs_key_get_name(session_key, env), oxs_key_get_name(signed_key, env)))
{
/*Now then... we have used the session key to sign*/
axiom_node_t* key_info_node = NULL;
key_info_node = oxs_token_build_key_info_element(env, sig_node);
axiom_node_add_child(key_info_node, env, key_reference_node);
}
else
{
axiom_node_t *dk_token = NULL;
/*We have used a derived key to sign. Note the NULL we pass for the enc_key_id*/
rampart_sig_prepare_key_info_for_sym_binding(env, rampart_context, sign_ctx, sig_node, signed_key, NULL);
/*In addition we need to add a DerivedKeyToken*/
dk_token = oxs_derivation_build_derived_key_token_with_stre(env, signed_key, sec_node, key_reference_node, derived_key_version);
/*We need to make DerivedKeyToken to appear before the sginature node*/
oxs_axiom_interchange_nodes(env, dk_token, sig_node);
}
}
else
{
axiom_node_t *encrypted_key_node = NULL;
axis2_char_t *enc_key_id = NULL;
axis2_bool_t free_enc_key_id = AXIS2_FALSE;
/*If there is an EncryptedKey element use the Id. If not, generate an Id and use it*/
encrypted_key_node = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_ENCRYPTED_KEY);
if(!encrypted_key_node)
{
/*There is no EncryptedKey so generate one*/
status = rampart_enc_encrypt_session_key(env, session_key, msg_ctx, rampart_context, sec_node, NULL );
if(AXIS2_FAILURE == status)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][rampart_signature] Cannot encrypt the session key " );
return AXIS2_FAILURE;
}
encrypted_key_node = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_ENCRYPTED_KEY);
/*Add Id attribute*/
enc_key_id = oxs_util_generate_id(env, (axis2_char_t*)OXS_ENCKEY_ID);
free_enc_key_id = AXIS2_TRUE;
oxs_axiom_add_attribute(env, encrypted_key_node, NULL, NULL, OXS_ATTR_ID, enc_key_id);
/*And we have to make sure that we place this newly generated EncryptedKey node above the Signature node*/
oxs_axiom_interchange_nodes(env, encrypted_key_node, sig_node);
}
else
{
/*There is the encrypted key. May be used by the encryption process. So get the Id and use it*/
enc_key_id = oxs_axiom_get_attribute_value_of_node_by_name(env, encrypted_key_node, OXS_ATTR_ID, NULL);
}
/* Now if the signed key is the session key. We need to Encrypt it. If it's a derived key, we need to Attach a
* DerivedKeyToken and encrypt the session key if not done already */
if(0 == axutil_strcmp(oxs_key_get_name(session_key, env), oxs_key_get_name(signed_key, env)))
{
/*Now then... we have used the session key to sign*/
rampart_sig_prepare_key_info_for_sym_binding(env, rampart_context, sign_ctx, sig_node, signed_key, enc_key_id);
}
else
{
axiom_node_t *dk_token = NULL;
/*We have used a derived key to sign. Note the NULL we pass for the enc_key_id*/
rampart_sig_prepare_key_info_for_sym_binding(env, rampart_context, sign_ctx, sig_node, signed_key, NULL );
/*In addition we need to add a DerivedKeyToken after the EncryptedKey*/
dk_token = oxs_derivation_build_derived_key_token(env, signed_key, sec_node, enc_key_id ,OXS_WSS_11_VALUE_TYPE_ENCRYPTED_KEY, derived_key_version);
/*We need to make DerivedKeyToken to appear before the sginature node*/
oxs_axiom_interchange_nodes(env, dk_token, sig_node);
}
if (free_enc_key_id)
{
AXIS2_FREE(env->allocator, enc_key_id);
}
}
}
}
/*If we have used derived keys, then we need to free the key in sign_ctx*/
if((RP_PROPERTY_SYMMETRIC_BINDING == binding_type) && (rampart_context_check_is_derived_keys (env, token)))
{
oxs_key_t *sig_ctx_dk = NULL;
sig_ctx_dk = oxs_sign_ctx_get_secret(sign_ctx, env);
if(sig_ctx_dk && (OXS_KEY_USAGE_DERIVED == oxs_key_get_usage(sig_ctx_dk, env)))
{
oxs_key_free(sig_ctx_dk, env);
sig_ctx_dk = NULL;
}
}
/*Free sig ctx*/
oxs_sign_ctx_free(sign_ctx, env);
sign_ctx = NULL;
if(status)
{
return rampart_sig_endorse_sign(env, msg_ctx, rampart_context, soap_envelope, sec_node);
}
return status;
}
AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_sig_confirm_signature(const axutil_env_t *env,
axis2_msg_ctx_t *msg_ctx,
rampart_context_t *rampart_context,
axiom_node_t *sec_node)
{
axis2_char_t *id = NULL;
axis2_char_t *sig_val = NULL;
/*Check whether the request was signed*/
/*If there is no signature. @Value is not present*/
/*If the request has signed, then the @Value = contents of <ds:SignatureValue>*/
/*Generate an Id*/
/*id = oxs_util_generate_id(env,(axis2_char_t*)OXS_SIG_CONF_ID);*/
/*Get SPR*/
sig_val = (axis2_char_t*)rampart_get_security_processed_result(env, msg_ctx, RAMPART_SPR_SIG_VALUE);
/*Build wsse11:SignatureConfirmation element */
oxs_token_build_signature_confirmation_element(env, sec_node, id, sig_val);
/*id = oxs_util_generate_id(env,(axis2_char_t*)OXS_SIG_CONF_ID);*/
sig_val = (axis2_char_t*)rampart_get_security_processed_result(env, msg_ctx, RAMPART_SPR_ENDORSED_VALUE);
if(sig_val)
{
oxs_token_build_signature_confirmation_element(env, sec_node, id, sig_val);
}
return AXIS2_SUCCESS;
}
axis2_status_t AXIS2_CALL
rampart_sig_add_x509_token(const axutil_env_t *env,
rampart_context_t *rampart_context,
axiom_node_t *sec_node,
axis2_char_t *cert_id)
{
oxs_x509_cert_t *cert = NULL;
axiom_node_t *bst_node = NULL;
axis2_char_t *bst_data = NULL;
oxs_key_mgr_t *key_mgr = NULL;
key_mgr = rampart_context_get_key_mgr(rampart_context, env);
/*
* If the requirement is to include the token we should build the binary security
* token element here.
*/
cert = oxs_key_mgr_get_certificate(key_mgr, env);
if (!cert)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Cannot get certificate");
return AXIS2_FAILURE;
}
bst_data = oxs_x509_cert_get_data(cert, env);
if (!bst_data)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Certificate data cannot be loaded from the cert.");
return AXIS2_FAILURE;
}
bst_node = oxs_token_build_binary_security_token_element(env, sec_node,
cert_id , OXS_ENCODING_BASE64BINARY, OXS_VALUE_X509V3, bst_data);
if (!bst_node)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Binary Security Token creation failed.");
return AXIS2_FAILURE;
}
oxs_x509_cert_free(cert, env);
cert = NULL;
return AXIS2_SUCCESS;
}
axutil_array_list_t * AXIS2_CALL
rampart_sig_create_sign_parts(const axutil_env_t *env,
rampart_context_t *rampart_context,
axutil_array_list_t *nodes_to_sign,
axis2_bool_t server_side,
axutil_array_list_t *sign_parts)
{
int i = 0;
axis2_char_t *digest_method = NULL;
axiom_node_t *node_to_sign = NULL;
axis2_char_t *id = NULL;
oxs_sign_part_t *sign_part = NULL;
oxs_transform_t *tr = NULL;
axutil_array_list_t *tr_list = NULL;
/*content of sign_parts + sign parts created from nodes_to_sign will be copied to
this list. We can put everything to sign_parts, but hard to keep track of who has to delete
sign_parts in case if there is an error. Since it is copied, sign_parts can be deleted in
rampart_shb_build_message retardless of return status. Modified due to SAML modifications*/
axutil_array_list_t *new_sign_parts = NULL;
new_sign_parts = axutil_array_list_create(env, 0);
digest_method = rampart_context_get_digest_mtd(rampart_context, env);
/*copy the content of sign_parts to new_sign_parts*/
for(i = 0; i < axutil_array_list_size(sign_parts, env); i++)
{
sign_part = (oxs_sign_part_t*)axutil_array_list_get(sign_parts, env, i);
if(sign_part)
{
axutil_array_list_add(new_sign_parts, env, sign_part);
}
}
/*Now we should create sign part for each node in the arraylist.*/
for (i=0 ; i < axutil_array_list_size(nodes_to_sign, env); i++)
{
node_to_sign = (axiom_node_t *)axutil_array_list_get(nodes_to_sign, env, i);
if (node_to_sign)
{
sign_part = oxs_sign_part_create(env);
tr_list = axutil_array_list_create(env, 0);
id = oxs_util_generate_id(env, (axis2_char_t*)OXS_SIG_ID);
tr = oxs_transforms_factory_produce_transform(env,
OXS_HREF_TRANSFORM_XML_EXC_C14N);
axutil_array_list_add(tr_list, env, tr);
oxs_sign_part_set_transforms(sign_part, env, tr_list);
/*oxs_axiom_add_attribute(env, node_to_sign, OXS_WSU, RAMPART_WSU_XMLNS,OXS_ATTR_ID,id);*/
oxs_axiom_add_attribute(env, node_to_sign,
RAMPART_WSU, RAMPART_WSU_XMLNS,OXS_ATTR_ID, id);
oxs_sign_part_set_node(sign_part, env, node_to_sign);
oxs_sign_part_set_digest_mtd(sign_part, env, digest_method);
axutil_array_list_add(new_sign_parts, env, sign_part);
AXIS2_FREE(env->allocator, id);
id = NULL;
}
}
/*if (rampart_context_is_include_supporting_token(rampart_context, env, server_side, AXIS2_FALSE, RP_PROPERTY_SAML_TOKEN))
{
axiom_element_t *stre = NULL;
axiom_node_t *strn = NULL, *assertion = NULL;
axutil_qname_t *qname = NULL;*/
/* These properties are guaranteed to exsists. If not we cannot reach this point. */
/*rampart_saml_token_t *saml = rampart_context_get_saml_token(rampart_context, env, RP_PROPERTY_SIGNED_SUPPORTING_TOKEN);
strn = rampart_saml_token_get_str(saml, env);
assertion = rampart_saml_token_get_assertion(saml, env);
stre = axiom_node_get_data_element(strn, env);
qname = axutil_qname_create(env, OXS_NODE_SECURITY_TOKEN_REFRENCE, OXS_WSSE_XMLNS, NULL);
sign_part = oxs_sign_part_create(env);
tr_list = axutil_array_list_create(env, 0);*/
/* If ID is not present we add it */
/*id = axiom_element_get_attribute_value(stre, env, qname);
if (!id)
{
id = oxs_util_generate_id(env, (axis2_char_t*)OXS_SIG_ID);
oxs_axiom_add_attribute(env, strn,
RAMPART_WSU, RAMPART_WSU_XMLNS, OXS_ATTR_ID, id);
}
oxs_sign_part_set_id(sign_part, env, id);
tr = oxs_transforms_factory_produce_transform(env,
OXS_HREF_TRANSFORM_STR_TRANSFORM);
axutil_array_list_add(tr_list, env, tr);
oxs_sign_part_set_transforms(sign_part, env, tr_list); */
/* Sign the assertion, not the securitytokenreference */
/* oxs_sign_part_set_node(sign_part, env, strn);
oxs_sign_part_set_digest_mtd(sign_part, env, digest_method);
axutil_array_list_add(sign_parts, env, sign_part);
AXIS2_FREE(env->allocator, id);
id = NULL;
}*/
/*Free array list*/
axutil_array_list_free(nodes_to_sign, env);
nodes_to_sign = NULL;
return new_sign_parts;
}
static axis2_status_t
rampart_sig_endorse_sign(
const axutil_env_t *env,
axis2_msg_ctx_t *msg_ctx,
rampart_context_t *rampart_context,
axiom_soap_envelope_t *soap_envelope,
axiom_node_t *sec_node)
{
axis2_bool_t server_side = AXIS2_FALSE;
axiom_node_t *node_to_sign = NULL;
rp_property_t *token = NULL;
rp_property_type_t token_type;
axis2_bool_t include = AXIS2_FALSE;
axis2_bool_t is_direct_reference = AXIS2_TRUE;
oxs_sign_ctx_t *sign_ctx = NULL;
axutil_array_list_t *nodes_to_sign = NULL;
axis2_char_t *cert_id = NULL;
axis2_char_t *eki = NULL;
oxs_sign_part_t *sign_part = NULL;
axutil_array_list_t *tr_list = NULL;
oxs_transform_t *tr = NULL;
axis2_char_t *digest_method = NULL;
axis2_status_t status = AXIS2_FAILURE;
axiom_node_t *sig_node = NULL;
axiom_namespace_t *sign_ns = NULL;
/*endorsing will be only for client*/
server_side = axis2_msg_ctx_get_server_side(msg_ctx, env);
if(server_side)
return AXIS2_SUCCESS;
/*if signature is not found, can't continue*/
node_to_sign = oxs_axiom_get_node_by_local_name(env, sec_node, OXS_NODE_SIGNATURE);
if(!node_to_sign)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature]Endorsing signature, Sigature Not found");
return AXIS2_FAILURE;
}
/*Now we have to check whether a token is specified. If not specified then no need to endorse*/
token = rampart_context_get_endorsing_token(rampart_context, env);
if(!token)
{
AXIS2_LOG_INFO(env->log,
"[rampart][rampart_signature] Endorsing Token is not specified. No need to endorse");
return AXIS2_SUCCESS;
}
token_type = rp_property_get_type(token, env);
if(!rampart_context_is_token_type_supported(token_type, env))
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Token type %d not supported", token_type);
return AXIS2_FAILURE;
}
/*this implementaion supports only x509 to endorse signature*/
if(token_type != RP_PROPERTY_X509_TOKEN)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Token type %d not supported for endorsing", token_type);
return AXIS2_FAILURE;
}
/* Determine weather we need to include the token */
include = rampart_context_is_token_include(rampart_context, token,
token_type, server_side,
AXIS2_FALSE, env);
if (token_type == RP_PROPERTY_X509_TOKEN)
{
if (include)
{
cert_id = oxs_util_generate_id(env,(axis2_char_t*)OXS_CERT_ID);
if (!rampart_sig_add_x509_token(env, rampart_context, sec_node, cert_id))
{
return AXIS2_FAILURE;
}
/*This flag will be useful when creating key Info element.*/
is_direct_reference = AXIS2_TRUE;
eki = RAMPART_STR_DIRECT_REFERENCE;
}
else
{
eki = rampart_context_get_key_identifier(rampart_context, token, env);
if(!eki)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_signature] Cannot attach the token.");
axutil_array_list_free(nodes_to_sign, env);
nodes_to_sign = NULL;
return AXIS2_FAILURE;
}
is_direct_reference = AXIS2_FALSE;
}
}
sign_ctx = oxs_sign_ctx_create(env);
/* Set signatures to be endorsed*/
nodes_to_sign = axutil_array_list_create(env, 0);
digest_method = rampart_context_get_digest_mtd(rampart_context, env);
sign_part = oxs_sign_part_create(env);
sign_ns = axiom_namespace_create(env, NULL, NULL); /*we have to get the id from "Id" of signature, not from "wsu:Id"*/
oxs_sign_part_set_sign_namespace(sign_part, env, sign_ns);
tr_list = axutil_array_list_create(env, 0);
tr = oxs_transforms_factory_produce_transform(env,
OXS_HREF_TRANSFORM_XML_EXC_C14N);
axutil_array_list_add(tr_list, env, tr);
oxs_sign_part_set_transforms(sign_part, env, tr_list);
oxs_sign_part_set_node(sign_part, env, node_to_sign);
oxs_sign_part_set_digest_mtd(sign_part, env, digest_method);
axutil_array_list_add(nodes_to_sign, env, sign_part);
oxs_sign_ctx_set_sign_parts(sign_ctx, env, nodes_to_sign);
/* We support asymmetric endorsing only for this release. So, pack for asymmetric signature*/
status = rampart_sig_pack_for_asym(env, rampart_context, sign_ctx);
/* All the things are ready for signing. So lets try signing*/
status = oxs_xml_sig_sign(env, sign_ctx, sec_node, &sig_node);
if(status!=AXIS2_SUCCESS)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][rampart_signature] Message endorsing failed.");
return AXIS2_FAILURE;
}
/* We support asymmetric endorsing only for this release.
* So, build the key info inside signature node for asymmetric signature
*/
rampart_sig_prepare_key_info_for_asym_binding(env, rampart_context, sign_ctx, sig_node , cert_id, eki, is_direct_reference);
/*Free sig ctx*/
oxs_sign_ctx_free(sign_ctx, env);
sign_ctx = NULL;
return status;
}