RubyGems - wss4r - Versions diffs - 0.5 - Mend

wss4r 0.5

Files changed (39) hide show

data/README +300 -0
data/lib/wss4r/aws/utils.rb +37 -0
data/lib/wss4r/config/config.rb +105 -0
data/lib/wss4r/rpc/proxy.rb +26 -0
data/lib/wss4r/rpc/router.rb +46 -0
data/lib/wss4r/rpc/wssdriver.rb +19 -0
data/lib/wss4r/security/crypto/certificate.rb +21 -0
data/lib/wss4r/security/crypto/cipher.rb +161 -0
data/lib/wss4r/security/crypto/hash.rb +35 -0
data/lib/wss4r/security/exceptions/exceptions.rb +62 -0
data/lib/wss4r/security/resolver.rb +23 -0
data/lib/wss4r/security/security.rb +148 -0
data/lib/wss4r/security/util/hash_util.rb +39 -0
data/lib/wss4r/security/util/names.rb +38 -0
data/lib/wss4r/security/util/namespaces.rb +21 -0
data/lib/wss4r/security/util/reference_elements.rb +15 -0
data/lib/wss4r/security/util/soap_parser.rb +73 -0
data/lib/wss4r/security/util/transformer_factory.rb +29 -0
data/lib/wss4r/security/util/types.rb +25 -0
data/lib/wss4r/security/util/xmlcanonicalizer.rb +427 -0
data/lib/wss4r/security/util/xmlutils.rb +58 -0
data/lib/wss4r/security/xml/encrypted_data.rb +110 -0
data/lib/wss4r/security/xml/encrypted_key.rb +74 -0
data/lib/wss4r/security/xml/key_info.rb +52 -0
data/lib/wss4r/security/xml/reference.rb +53 -0
data/lib/wss4r/security/xml/reference_list.rb +24 -0
data/lib/wss4r/security/xml/security.rb +92 -0
data/lib/wss4r/security/xml/signature.rb +69 -0
data/lib/wss4r/security/xml/signature_value.rb +26 -0
data/lib/wss4r/security/xml/signed_info.rb +83 -0
data/lib/wss4r/security/xml/timestamp.rb +47 -0
data/lib/wss4r/security/xml/tokentypes.rb +180 -0
data/lib/wss4r/server/wssstandaloneserver.rb +27 -0
data/lib/wss4r/soap/processor.rb +92 -0
data/lib/wss4r/tokenresolver/authenticateuserresolver.rb +34 -0
data/lib/wss4r/tokenresolver/certificateresolver.rb +62 -0
data/lib/wss4r/tokenresolver/databaseresolver.rb +56 -0
data/lib/wss4r/tokenresolver/resolver.rb +13 -0
metadata +95 -0

data/lib/wss4r/security/util/xmlutils.rb ADDED

@@ -0,0 +1,58 @@
+require "rexml/document"
+include REXML
+class REXML::Element
+	def index_of(e)
+		return -1 if (e == nil)
+		children = self.children()
+		children.each_with_index {|child, i|
+			return i if (child.local_name() == e.local_name())
+		}
+		return -1
+	end
+end
+class REXML::Document
+	def select(xpath)
+		#XPath.first(document, "/env:Envelope/env:Header/wsse:Security/ds:Signature")
+		element = XPath.first(self, xpath)
+		if (element != nil)
+			return element
+		end
+		node_path = xpath.sub("/","").split("/")
+		element = self
+		node_path.each{|expr|
+			element = select_element(element, expr)
+			if (element == nil)
+				return nil
+			end
+		}
+		element
+	end
+	def select_element(element, name)
+		childs = Array.new()
+		element.each_child{|child|
+			if (child.node_type() == :element)
+				if (child.expanded_name() == name)
+					childs.push(child)
+					return child
+				end
+			end
+		}
+		nil
+	end
+	def element_with_attribute(key, value)
+	end
+end
+if __FILE__ == $0
+	document = REXML::Document.new(File.new(ARGV[0]))
+	element = document.select("/env:Envelope/env:Header/wsse:Security/ds:Signature")
+	puts("selected: " + element.to_s())
+end

data/lib/wss4r/security/xml/encrypted_data.rb ADDED

@@ -0,0 +1,110 @@
+module WSS4R
+  module Security
+    module Xml
+      class EncryptedData
+        attr_accessor :cipher_value, :ref_id, :algorithm, :sessionkey_algorithm, :security_token
+        def initialize(security_token=nil)
+          if (security_token != nil)
+            @security_token = security_token
+          end
+          @sessionkey_algorithm = Types::ALGORITHM_3DES_CBC
+        end
+        def unprocess(encrypted_data)
+          cipher_value = XPath.first(encrypted_data, "xenc:CipherData/xenc:CipherValue", {"xenc" => Namespaces::XENC})
+          algorithm = XPath.first(encrypted_data, "xenc:EncryptionMethod", {"xenc" => Namespaces::XENC})
+          ref_id = encrypted_data.attributes["Id"]
+          self.cipher_value=(cipher_value.text())
+          self.ref_id=(ref_id)
+          self.algorithm=(algorithm.attributes["Algorithm"])
+        end
+        def process(document)
+          root = document.root()
+          soap_ns = nil
+          soap_prefix = root.prefix()
+          root.attributes.each_attribute() {|attr|
+            if (attr.value() == Namespaces::S11)
+              soap_ns = Namespaces::S11
+            end
+            if (attr.value() == Namespaces::S12)
+              soap_ns = Namespaces::S12
+            end
+          }
+          old_soap_body = XPath.first(document, "/env:Envelope/env:Body", {SOAPParser::soap_prefix=>SOAPParser::soap_ns})
+          #old_soap_body = SOAPParser.part(SOAPParser::BODY)
+          soap_body_string = ""
+          if defined?(REXML::Formatters)
+            formatter = REXML::Formatters::Default.new
+            old_soap_body.each_element(){|e|
+              formatter.write(e, soap_body_string)
+            }
+          else
+            old_soap_body.each_element(){|e|
+              e.write(soap_body_string)
+            }
+          end
+          root.delete(old_soap_body)
+          soap_body = root.add_element(Names::BODY)
+          old_soap_body.attributes().each_attribute{|a|
+            soap_body.add_attribute(a.expanded_name(), a.value())
+            #puts(a.expanded_name() + " => " + a.value())
+          }
+          digest = CryptHash.new().digest_b64(soap_body.to_s()).strip()
+          encrypted_data = soap_body.add_element(Names::ENCRYPTED_DATA)
+          encrypted_data.add_namespace("xmlns:xenc", Namespaces::XENC)
+          @ref_id = "EncryptedContent-"+digest.to_s()
+          encrypted_data.add_attributes({"Type"=>Types::XENC_CONTENT, "Id"=>@ref_id})
+          if (@sessionkey_algorithm == Types::ALGORITHM_3DES_CBC)
+            symmetric_encrypter = TripleDESSymmetricEncrypter.new()
+          elsif (@sessionkey_algorithm == Types::ALGORITHM_AES_CBC)
+            symmetric_encrypter = AESSymmetricEncrypter.new()
+          elsif (@sessionkey_algorithm == Types::ALGORITHM_AES128_CBC)
+            symmetric_encrypter = AES128SymmetricEncrypter.new()
+          else
+            raise "Unsupported encryption algorithm #{@sessionkey_algorithm}"
+          end
+          encryption_method = encrypted_data.add_element(Names::ENCRYPTION_METHOD)
+          encryption_method.add_attribute("Algorithm", @sessionkey_algorithm)
+          encrypted_body = symmetric_encrypter.encrypt_to_b64(symmetric_encrypter.iv() + soap_body_string)
+          encrypted_key = EncryptedKey.new(@security_token, symmetric_encrypter, self)
+          cipher_data = encrypted_data.add_element(Names::CIPHER_DATA)
+          cipher_value = cipher_data.add_element(Names::CIPHER_VALUE)
+          cipher_value.text=(encrypted_body.gsub("\n",""))
+          encrypted_key.process(document)
+        end
+        def decrypt(document, encrypted_key)
+          if (algorithm == Types::ALGORITHM_3DES_CBC)
+            symmetric_encrypter = TripleDESSymmetricEncrypter.new(encrypted_key.symmetric_key())
+          elsif (algorithm == Types::ALGORITHM_AES_CBC)
+            symmetric_encrypter = AESSymmetricEncrypter.new(encrypted_key.symmetric_key())
+          elsif (algorithm == Types::ALGORITHM_AES128_CBC)
+            symmetric_encrypter = AES128SymmetricEncrypter.new(encrypted_key.symmetric_key())
+          else
+            raise "Unsupported encryption algorithm #{algorithm}"
+          end
+          raw_data = Base64.decode64(@cipher_value)
+          symmetric_encrypter.iv=(raw_data)
+          decrypted_element = symmetric_encrypter.decrypt(raw_data)
+          reference = encrypted_key.reference_list().uris()[0]
+          reference = reference[1..-1] # remove leading #
+          encrypted_element = XPath.first(document, "//*[@Id='"+reference+"']")
+          parent = encrypted_element.parent()
+          #document.root().delete_element("//" + Names::SECURITY)
+          parent.delete(encrypted_element)
+          new_element = Document.new(decrypted_element)
+          parent.add(new_element)
+          #puts("encrypted_data.decrypt: " + element.to_s())
+        end
+      end
+    end #Xml
+  end #Security
+end #WSS4R

data/lib/wss4r/security/xml/encrypted_key.rb ADDED

@@ -0,0 +1,74 @@
+module WSS4R
+module Security
+module Xml
+class EncryptedKey
+	attr_reader :x509security_token, :symmetric_encrypter, :symmetric_key, :reference_list
+   def initialize(x509security_token=nil, symmetric_encrypter=nil, encrypted_data = nil)
+      @x509security_token = x509security_token
+      @symmetric_encrypter = symmetric_encrypter
+      @encrypted_data = encrypted_data
+      @reference_list = nil
+   end
+   def unprocess(encrypted_key)
+		#key_info = SOAPParser.element(encrypted_key, SOAPParser::KEY_INFO)
+		algorithm = XPath.first(encrypted_key, "//xenc:EncryptionMethod", {"xenc" => Namespaces::XENC})
+		key_info_element = XPath.first(encrypted_key, "ds:KeyInfo", {"ds"=>Namespaces::DS})
+		key_info = KeyInfo.new(key_info_element)
+      resolver = WSS4R::Security::Security.new().resolver()
+      @reference_list = ReferenceList.new(encrypted_key.get_elements("//xenc:ReferenceList")[0])
+		private_key = resolver.private_key(key_info.security_token().certificate())
+		key_info.security_token().private_key=(private_key)
+      @x509security_token = key_info.security_token()
+		cipher_value = XPath.first(encrypted_key, "xenc:CipherData/xenc:CipherValue", {"xenc" => Namespaces::XENC})
+      @symmetric_key = @x509security_token.private_decrypt_b64(cipher_value.text())
+   end
+   def process(document)
+      #Encrypts the symmetric key with the public key from the certificate and add an EncryptedKey element to env:Body/wsse:Security
+		#@x509security_token.get_xml(document)
+		wsse_security = Security.new()
+		wsse_security = wsse_security.process(document)
+		security_token = @x509security_token.process(document)
+		children = wsse_security.children()
+		children.each{|child|
+			wsse_security.delete(child)
+		}
+		wsse_security.add_element(security_token)
+		encrypted_key = wsse_security.add_element(Names::ENCRYPTED_KEY)
+		children.each{|child|
+			wsse_security.add_element(child)
+		}
+      encrypted_key.add_namespace("xmlns:xenc", Namespaces::XENC)
+      document.add_namespace("xmlns:xenc", Namespaces::XENC)
+      encryption_method = encrypted_key.add_element(Names::ENCRYPTION_METHOD)
+      encryption_method.add_attribute("Algorithm", Types::ALGORITHM_RSA15)
+      key_info = encrypted_key.add_element(Names::KEY_INFO)
+		key_info.add_namespace("xmlns:ds",Namespaces::DS)
+      security_token_ref = key_info.add_element(Names::SECURITY_TOKEN_REFERENCE)
+		reference = security_token_ref.add_element("wsse:Reference")
+		reference.add_attribute("URI", "#"+@x509security_token.get_id())
+		reference.add_attribute("ValueType", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3")
+      cipher_data = encrypted_key.add_element(Names::CIPHER_DATA)
+      cipher_value = cipher_data.add_element(Names::CIPHER_VALUE)
+      cipher_value.text = @x509security_token.public_encrypt_b64(@symmetric_encrypter.key()).gsub("\n","")
+      reference_list = encrypted_key.add_element(Names::REFERENCE_LIST)
+      data_reference = reference_list.add_element(Names::DATA_REFERENCE)
+		data_reference.add_attribute("URI", "#" + @encrypted_data.ref_id())
+   end
+   def symmetric_encrypter()
+      @symmetric_encrypter
+   end
+end
+end #Xml
+end #Security
+end #WSS4R

data/lib/wss4r/security/xml/key_info.rb ADDED

@@ -0,0 +1,52 @@
+module WSS4R
+module Security
+module Xml
+class KeyInfo
+	attr_accessor :security_token, :type, :key_identifier
+	KEY_IDENTIFIER = "KEY_IDENTIFIER"
+	REFERENCE = "REFERENCE"
+	def initialize(p, *type)
+		if (p.kind_of?(SecurityToken))
+			@security_token = p
+			if (type != nil)
+				@type = type
+			else
+				@type = KEY_IDENTIFIER
+			end
+		else
+			reference = XPath.first(p, "wsse:SecurityTokenReference/wsse:Reference", {"wsse" => Namespaces::WSSE})
+			@uri = reference.attribute("URI").value()[1..-1]
+			@value_type = reference.attribute("ValueType").value()
+			@ref_element = XPath.first(p.document(), "//*[@wsu:Id='"+@uri+"']")
+			@security_token = X509SecurityToken.new(@ref_element.text())
+		end
+	end
+	def get_xml(parent)
+		key_info = parent.add_element(Names::KEY_INFO)
+		security_token_ref = key_info.add_element(Names::SECURITY_TOKEN_REFERENCE)
+		security_token_ref.add_namespace("xmlns:wsu", Namespaces::WSU)
+		wsu_id = REXML::Attribute.new("wsu:Id",security_token_ref.object_id().to_s())
+		security_token_ref.add_attribute(wsu_id)
+		if (@type == "KEY_IDENTIFIER")
+			key_identifier = security_token_ref.add_element(Names::KEY_IDENTIFIER)
+			key_identifier.add_attribute("ValueType", Types::VALUE_KEYIDENTIFIER)
+			key_identifier.add_attribute("EncodingType", Types::ENCODING_X509V3)
+			key_identifier.text=(@security_token.key_identifier())
+		else
+			reference = security_token_ref.add_element(Names::REFERENCE_WSSE)
+			reference.add_attribute("ValueType", Types::REFERENCE_VALUETYPE_X509)
+			reference.add_attribute("URI", "#"+@security_token.get_id())
+		end
+		parent
+	end
+end
+end #Xml
+end #Security
+end #WSS4R

data/lib/wss4r/security/xml/reference.rb ADDED

@@ -0,0 +1,53 @@
+module WSS4R
+  module Security
+    module Xml
+      class Reference
+	attr_reader :uri
+	def initialize(element, prefix_list = nil)
+          @ref_element = nil
+          @transforms = Array.new()
+          @prefix_list = prefix_list
+          @uri = element.attribute("URI").to_s()[1..-1] #remove leading #
+          elements = XPath.match(element, "Transforms/Transform", {"ds:" => Namespaces::DS})
+          #element.each_element("ds:Transforms/ds:Transform"){|e|
+          elements.each{|e|
+            @transforms.push(e.attribute("Algorithm"))
+          }
+          elements = XPath.match(element, "ds:DigestMethod", {"ds" => Namespaces::DS})
+          #element.each_element("ds:DigestMethod"){|e|
+          elements.each{|e|
+            @digest_algorithm = e.attribute("Algorithm")
+          }
+          elements = XPath.match(element, "ds:DigestValue", {"ds" => Namespaces::DS})
+          #element.each_element("ds:DigestValue"){|e|
+          elements.each{|e|
+            @digest_value = e.text().strip()
+          }
+          @ref_element = XPath.first(element.document, "//*[@wsu:Id='"+@uri+"']")
+	end
+	def verify()
+          trans_element = nil
+          @transforms.each{|transform_algorithm|
+            transformer = TransformerFactory::get_instance(transform_algorithm)
+            transformer.prefix_list=(@prefix_list)
+            trans_element = transformer.canonicalize_element(@ref_element)
+          }
+          if (@transforms.size() == 0)
+            transformer = TransformerFactory::get_instance("http://www.w3.org/2001/10/xml-exc-c14n#")
+            transformer.prefix_list=(@prefix_list)
+            trans_element = transformer.canonicalize_element(@ref_element)
+          end
+          digester = DigestFactory::get_instance(@digest_algorithm.value())
+          digest = digester.digest_b64(trans_element)
+          return true if (digest == @digest_value)
+          false
+	end
+      end
+    end
+  end
+end

data/lib/wss4r/security/xml/reference_list.rb ADDED

@@ -0,0 +1,24 @@
+module WSS4R
+module Security
+module Xml
+class ReferenceList
+	attr_reader :uris
+   def initialize(referencelist)
+      @uris = parse_reference_list(referencelist)
+   end
+   def parse_reference_list(list)
+      @uris = Array.new()
+      elements = list.get_elements("//" + Names::DATA_REFERENCE)
+      elements.each{|e|
+         @uris.push(e.attribute("URI").value())
+      }
+      @uris
+   end
+end
+end #Xml
+end #Security
+end #WSS4R

data/lib/wss4r/security/xml/security.rb ADDED

@@ -0,0 +1,92 @@
+module WSS4R
+  module Security
+    module Xml
+      class Security
+	def initialize()
+	end
+	def process(document)
+          security = XPath.first(document, "/env:Envelope/env:Header/wsse:Security")#, {SOAPParser::soap_prefix=>SOAPParser::soap_ns})
+          return security if (security != nil)
+          header = XPath.first(document, "/env:Envelope/env:Header", {SOAPParser::soap_prefix=>SOAPParser::soap_ns})
+          security = header.add_element(Names::SECURITY, {"env:mustUnderstand"=>"1"})
+          security.add_namespace("xmlns:wsse", Namespaces::WSSE)
+          Timestamp.new().process(security)
+          security
+	end
+	def unprocess(document)
+          # Is the document signed?
+          #signature_element = SOAPParser.part(SOAPParser::SIGNATURE)
+          #wsse = XPath.first(document, "/soap:Envelope/soap:Header/wsse:Security", {"soap"=>Namespaces::SOAP})
+          wsse = XPath.first(document, "/env:Envelope/env:Header/wsse:Security")
+          timestamp = XPath.first(document, "/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp", {"soap"=>Namespaces::SOAP, "wsse"=>Namespaces::WSSE, "wsu"=>Namespaces::WSU})
+          #TODO: check timestamp, if it exists
+          if (timestamp != nil)
+            t = Timestamp.new()
+            t.unprocess(timestamp)
+            t.verify()
+          end
+          signature_element = XPath.first(document, "/env:Envelope/env:Header/wsse:Security/ds:Signature", {"env"=>Namespaces::SOAP, "ds"=>Namespaces::DS})
+          header = XPath.first(document, "/env:Envelope/env:Header", {"env"=>Namespaces::SOAP, "ds"=>Namespaces::DS})
+          encrypted_key_element = SOAPParser.part(SOAPParser::ENCRYPTED_KEY)
+          signature_index = wsse.index_of(signature_element) || 0
+          encryption_index = wsse.index_of(encrypted_key_element)
+          if (signature_index < encryption_index)
+            if (signature_element != nil)
+              handle_signature(signature_element)
+            end
+            encrypted_key_element = SOAPParser.part(SOAPParser::ENCRYPTED_KEY)
+            if (encrypted_key_element != nil)
+              handle_encryption(document, encrypted_key_element)
+            end
+          else
+            encrypted_key_element = SOAPParser.part(SOAPParser::ENCRYPTED_KEY)
+            if (encrypted_key_element != nil)
+              handle_encryption(document, encrypted_key_element)
+            end
+            signature_element = XPath.first(document, "/env:Envelope/env:Header/wsse:Security/ds:Signature", {"env"=>Namespaces::SOAP, "ds"=>Namespaces::DS})
+            if (signature_element != nil)
+              handle_signature(signature_element)
+            end
+          end
+          #UsernameToken in the document?
+          usernametoken = XPath.first(document, "/env:Envelope/env:Header/wsse:Security/wsse:UsernameToken", {"env"=>Namespaces::SOAP, "ds"=>Namespaces::DS})
+          if (usernametoken)
+            handle_usernametoken(document, usernametoken)
+          end
+	end
+	def handle_signature(signature_element)
+          signature = Signature.new(nil)
+          signature.unprocess(signature_element)
+          signature.verify()
+	end
+	def handle_encryption(document, encrypted_key_element)
+          encrypted_key = EncryptedKey.new()
+          encrypted_key.unprocess(encrypted_key_element)
+          encrypted_data = EncryptedData.new(encrypted_key.x509security_token())
+          body = SOAPParser.part(SOAPParser::BODY)
+          encrypted_data.unprocess(body.get_elements("//xenc:EncryptedData")[0])
+          encrypted_data.decrypt(document, encrypted_key)
+	end
+	def handle_usernametoken(document, token)
+          usernametoken = UsernameToken.new()
+          usernametoken.unprocess(token)
+          resolver = WSS4R::Security::Security.new().resolver()
+          success = resolver.authenticate_user(usernametoken)
+          return true if success
+          raise Exception.new("User not authenticated!") if (!success)
+	end
+      end
+    end #Xml
+  end #Security
+end #WSS4R