18 package org.apache.ws.security;
19
20 import org.apache.xml.security.c14n.Canonicalizer;
21 import org.apache.xml.security.signature.XMLSignature;
22 import org.apache.xml.security.utils.EncryptionConstants;
23
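/**
 * Constants of the WS-Security specification as used by WSS4J: namespace
 * URIs, element and attribute local names, algorithm identifiers (taken
 * from Apache XML Security) and the key-identifier and action flags that
 * the message builders accept.
 * <p/>
 * Every member is a constant except {@link #WSSE_NS} and {@link #WSU_NS},
 * which the static initialiser resolves once from {@link #COMPLIANCE_MODE}.
 */
public class WSConstants {

    /** Pre-OASIS draft namespaces of July 2002. */
    public static final int OASIS_2002_07 = 1;
    /** Pre-OASIS draft namespaces of December 2002. */
    public static final int OASIS_2002_12 = 2;
    /** Pre-OASIS draft namespaces of June 2003. */
    public static final int OASIS_2003_06 = 3;
    /** OASIS WS-Security v1.0 as released in March 2004. */
    public static final int OASIS_1_0 = 4;

    /**
     * The specification compliance mode. This affects namespaces as well
     * as how certain items are constructed in security headers.
     * <p/>
     * Currently this can only be set at compile time. The valid values are:
     * <ul>
     * <li> {@link #OASIS_2002_07} </li>
     * <li> {@link #OASIS_2002_12} </li>
     * <li> {@link #OASIS_2003_06} </li>
     * <li> {@link #OASIS_1_0} OASIS WS-Security v1.0 as released on March 2004. This is the default and recommended setting</li>
     * </ul>
     * <p/>
     * Using one of the 2002 draft modes ({@link #OASIS_2002_07} or
     * {@link #OASIS_2002_12}) enhances chances of interoperability with other
     * WSS implementations that do not fully adhere to the OASIS v1.0 March 2004
     * specs yet.
     */
    public static final int COMPLIANCE_MODE = OASIS_1_0;

    public static final String WSSE_NS_OASIS_2002_07 = "http://schemas.xmlsoap.org/ws/2002/07/secext";
    public static final String WSSE_NS_OASIS_2002_12 = "http://schemas.xmlsoap.org/ws/2002/12/secext";
    public static final String WSSE_NS_OASIS_2003_06 = "http://schemas.xmlsoap.org/ws/2003/06/secext";
    public static final String WSSE_NS_OASIS_1_0 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /**
     * The wsse namespace in use, resolved from {@link #COMPLIANCE_MODE} by
     * {@link #setComplianceMode()} during class initialisation. It is not
     * {@code final} only because the initialiser assigns it through that
     * method.
     * <p/>
     * NOTE: this is a public, mutable, process-wide value that every header
     * built or recognised in this JVM depends on; nothing other than the
     * static initialiser should assign it.
     */
    public static String WSSE_NS = WSSE_NS_OASIS_1_0;

    /**
     * All known wsse namespaces, newest first. The reference is final but
     * the array contents are not; callers must treat it as read-only.
     */
    public static final String[] WSSE_NS_ARRAY =
            new String[]{WSSE_NS_OASIS_1_0,
                         WSSE_NS_OASIS_2003_06,
                         WSSE_NS_OASIS_2002_12,
                         WSSE_NS_OASIS_2002_07};

    public static final String USERNAMETOKEN_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0";
    public static final String SOAPMESSAGE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0";
    public static final String X509TOKEN_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0";
    public static final String WSSE_PREFIX = "wsse";
    public static final String WSSE_LN = "Security";

    public static final String WSU_NS_OASIS_2002_07 = "http://schemas.xmlsoap.org/ws/2002/07/utility";
    public static final String WSU_NS_OASIS_2002_12 = "http://schemas.xmlsoap.org/ws/2002/12/utility";
    public static final String WSU_NS_OASIS_2003_06 = "http://schemas.xmlsoap.org/ws/2003/06/utility";
    public static final String WSU_NS_OASIS_1_0 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    /**
     * The wsu namespace in use, resolved from {@link #COMPLIANCE_MODE} by
     * {@link #setComplianceMode()} during class initialisation.
     * <p/>
     * NOTE: like {@link #WSSE_NS} this is a public, mutable, process-wide
     * value; nothing other than the static initialiser should assign it.
     */
    public static String WSU_NS = WSU_NS_OASIS_1_0;

    /**
     * All known wsu namespaces, newest first. The reference is final but
     * the array contents are not; callers must treat it as read-only.
     */
    public static final String[] WSU_NS_ARRAY =
            new String[]{WSU_NS_OASIS_1_0,
                         WSU_NS_OASIS_2003_06,
                         WSU_NS_OASIS_2002_12,
                         WSU_NS_OASIS_2002_07};

    public static final String WSU_PREFIX = "wsu";
    public static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    public static final String SIG_PREFIX = "ds";
    public static final String SIG_LN = "Signature";
    public static final String ENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    public static final String ENC_PREFIX = "xenc";
    public static final String ENC_KEY_LN = "EncryptedKey";
    public static final String REF_LIST_LN = "ReferenceList";

    public static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
    public static final String XML_NS = "http://www.w3.org/XML/1998/namespace";
    public static final String USERNAME_TOKEN_LN = "UsernameToken";
    public static final String BINARY_TOKEN_LN = "BinarySecurityToken";
    public static final String TIMESTAMP_TOKEN_LN = "Timestamp";
    public static final String USERNAME_LN = "Username";
    public static final String PASSWORD_LN = "Password";
    public static final String PASSWORD_TYPE_ATTR = "Type";
    public static final String NONCE_LN = "Nonce";
    public static final String CREATED_LN = "Created";
    public static final String EXPIRES_LN = "Expires";

    public static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    public static final String SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol";
    public static final String ASSERTION_LN = "Assertion";
    /** Placeholder URI of the not-yet-final SAML token profile (note the "XX" date). */
    public static final String WSS_SAML_NS = "http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#";
    public static final String WSS_SAML_ASSERTION = "SAMLAssertion-1.1";

    public static final String URI_SOAP11_ENV =
            "http://schemas.xmlsoap.org/soap/envelope/";
    public static final String URI_SOAP12_ENV =
            "http://www.w3.org/2003/05/soap-envelope";

    /**
     * Both recognised SOAP envelope namespaces. The reference is final but
     * the array contents are not; callers must treat it as read-only.
     */
    public static final String[] URIS_SOAP_ENV = {
            URI_SOAP11_ENV,
            URI_SOAP12_ENV,
    };

    public static final String URI_SOAP11_NEXT_ACTOR =
            "http://schemas.xmlsoap.org/soap/actor/next";
    public static final String URI_SOAP12_NEXT_ROLE =
            "http://www.w3.org/2003/05/soap-envelope/role/next";
    public static final String URI_SOAP12_NONE_ROLE =
            "http://www.w3.org/2003/05/soap-envelope/role/none";
    public static final String URI_SOAP12_ULTIMATE_ROLE =
            "http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver";

    public static final String ELEM_ENVELOPE = "Envelope";
    public static final String ELEM_HEADER = "Header";
    public static final String ELEM_BODY = "Body";

    public static final String ATTR_MUST_UNDERSTAND = "mustUnderstand";
    public static final String ATTR_ACTOR = "actor";
    public static final String ATTR_ROLE = "role";

    public static final String NULL_NS = "Null";

    /**
     * Sets the {@link org.apache.ws.security.message.WSSAddUsernameToken#build(Document, String, String) UserNameToken}
     * method to use a password digest to send the password information
     * <p/>
     * This is a required method as defined by WS Specification, Username token profile.
     */
    public static final String PW_DIGEST = "PasswordDigest";
    /** Fully qualified {@code Type} attribute value for {@link #PW_DIGEST}. */
    public static final String PASSWORD_DIGEST = USERNAMETOKEN_NS + "#PasswordDigest";

    /**
     * Sets the {@link org.apache.ws.security.message.WSSAddUsernameToken#build(Document, String, String) UserNameToken}
     * method to send the password in clear
     * <p/>
     * This is a required method as defined by WS Specification, Username token profile.
     */
    public static final String PW_TEXT = "PasswordText";
    /** Fully qualified {@code Type} attribute value for {@link #PW_TEXT}. */
    public static final String PASSWORD_TEXT = USERNAMETOKEN_NS + "#PasswordText";

    /**
     * Sets the {@link org.apache.ws.security.message.WSEncryptBody#build(Document, Crypto) encryption}
     * method to encrypt the symmetric data encryption key with the RSA
     * PKCS#1 v1.5 key transport algorithm.
     * <p/>
     * This is a required method as defined by XML encryption.
     */
    public static final String KEYTRANSPORT_RSA15 = EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15;

    /**
     * Sets the {@link org.apache.ws.security.message.WSEncryptBody#build(Document, Crypto) encryption}
     * method to encrypt the symmetric data encryption key with the RSA-OAEP
     * key transport algorithm.
     * <p/>
     * This is a required method as defined by XML encryption.
     * <p/>
     * NOTE: This algorithm is not yet supported by WSS4J
     */
    public static final String KEYTRANSPORT_RSAOEP = EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP;

    /**
     * Sets the {@link org.apache.ws.security.message.WSEncryptBody#build(Document, Crypto) encryption}
     * method to use triple DES as the symmetric algorithm to encrypt data.
     * <p/>
     * This is a required method as defined by XML encryption.
     */
    public static final String TRIPLE_DES = EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES;

    /**
     * Sets the {@link org.apache.ws.security.message.WSEncryptBody#build(Document, Crypto) encryption}
     * method to use AES with 128 bit key as the symmetric algorithm to encrypt data.
     * <p/>
     * This is a required method as defined by XML encryption.
     */
    public static final String AES_128 = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128;

    /**
     * Sets the {@link org.apache.ws.security.message.WSEncryptBody#build(Document, Crypto) encryption}
     * method to use AES with 256 bit key as the symmetric algorithm to encrypt data.
     * <p/>
     * This is a required method as defined by XML encryption.
     */
    public static final String AES_256 = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256;

    /**
     * Sets the {@link org.apache.ws.security.message.WSEncryptBody#build(Document, Crypto) encryption}
     * method to use AES with 192 bit key as the symmetric algorithm to encrypt data.
     * <p/>
     * This is an optional method as defined by XML encryption.
     */
    public static final String AES_192 = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192;

    /**
     * Sets the {@link org.apache.ws.security.message.WSSignEnvelope#build(Document, Crypto) signature}
     * method to use DSA with SHA1 (DSS) to sign data.
     * <p/>
     * This is a required method as defined by XML signature.
     */
    public static final String DSA = XMLSignature.ALGO_ID_SIGNATURE_DSA;

    /**
     * Sets the {@link org.apache.ws.security.message.WSSignEnvelope#build(Document, Crypto) signature}
     * method to use RSA with SHA1 to sign data.
     * <p/>
     * This is a recommended method as defined by XML signature.
     */
    public static final String RSA = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;

    /** Canonicalization algorithm identifiers, delegated to Apache XML Security. */
    public static final String C14N_OMIT_COMMENTS = Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS;
    public static final String C14N_WITH_COMMENTS = Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS;
    public static final String C14N_EXCL_OMIT_COMMENTS = Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS;
    public static final String C14N_EXCL_WITH_COMMENTS = Canonicalizer.ALGO_ID_C14N_EXCL_WITH_COMMENTS;

    /**
     * Sets the {@link org.apache.ws.security.message.WSSignEnvelope#build(Document, Crypto) signing}
     * method to send the signing certificate as a
     * <code>BinarySecurityToken</code>.
     * <p/>
     * The signing method takes the signing certificate, converts it to a
     * <code>BinarySecurityToken</code>, puts it in the security header,
     * and inserts a <code>Reference</code> to the binary security token
     * into the <code>wsse:SecurityReferenceToken</code>. Thus the whole
     * signing certificate is transferred to the receiver.
     * The X509 profile recommends to use {@link #ISSUER_SERIAL} instead
     * of sending the whole certificate.
     * <p/>
     * Please refer to WS Security specification X509 profile, chapter 3.3.2
     * and to WS Security specification, chapter 7.2
     * <p/>
     * Note: only local references to BinarySecurityToken are supported
     */
    public static final int BST_DIRECT_REFERENCE = 1;

    /**
     * Sets the {@link org.apache.ws.security.message.WSSignEnvelope#build(Document, Crypto) signing}
     * or the {@link org.apache.ws.security.message.WSEncryptBody#build(Document, Crypto) encryption}
     * method to send the issuer name and the serial number of a
     * certificate to the receiver.
     * <p/>
     * In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name
     * and the serial number of the signing certificate are sent to the
     * receiver. This reduces the amount of data being sent. The encryption
     * method uses the public key associated with this certificate to encrypt
     * the symmetric key used to encrypt data.
     * <p/>
     * Please refer to WS Security specification X509 profile, chapter 3.3.3
     */
    public static final int ISSUER_SERIAL = 2;

    /**
     * Sets the {@link org.apache.ws.security.message.WSEncryptBody#build(Document, Crypto) encryption}
     * method to send the certificate used to encrypt the symmetric key.
     * <p/>
     * The encryption method uses the public key associated with this certificate
     * to encrypt the symmetric key used to encrypt data. The certificate is
     * converted into a <code>KeyIdentifier</code> token and sent to the receiver.
     * Thus the complete certificate data is transferred to receiver.
     * The X509 profile recommends to use {@link #ISSUER_SERIAL} instead
     * of sending the whole certificate.
     * <p/>
     * Please refer to WS Security specification X509 profile, chapter 7.3
     */
    public static final int X509_KEY_IDENTIFIER = 3;

    /**
     * Sets the
     * {@link org.apache.ws.security.message.WSSignEnvelope#build(Document, Crypto)
     * signing}
     * method to send a <code>SubjectKeyIdentifier</code> to identify
     * the signing certificate.
     * <p/>
     * Refer to WS Security specification X509 profile, chapter 3.3.1
     * This identification token is not yet fully tested by WSS4J. The
     * WsDoAllSender does not include the X.509 certificate as
     * <code>BinarySecurityToken</code> in the request message.
     */
    public static final int SKI_KEY_IDENTIFIER = 4;

    /**
     * Embeds a keyinfo/key name into the EncryptedData element.
     * <p/>
     * Refer to WS Security specification X509 profile
     */
    public static final int EMBEDDED_KEYNAME = 5;

    /**
     * Embeds a keyinfo/wsse:SecurityTokenReference into EncryptedData element.
     */
    public static final int EMBED_SECURITY_TOKEN_REF = 6;

    /**
     * <code>UT_SIGNING</code> is used internally only to set a specific Signature
     * behaviour.
     *
     * The signing token is constructed from values in the UsernameToken according
     * to WS-Trust specification.
     */
    public static final int UT_SIGNING = 7;

    /*
     * Action flags. Each is a distinct bit so that several actions can be
     * combined with bitwise OR; NO_SECURITY is the empty set.
     */
    public static final int NO_SECURITY = 0;
    public static final int UT = 0x1;
    public static final int SIGN = 0x2;
    public static final int ENCR = 0x4;

    public static final int ST_UNSIGNED = 0x8;
    public static final int ST_SIGNED = 0x10;

    public static final int TS = 0x20;
    public static final int UT_SIGN = 0x40;

    public static final int NO_SERIALIZE = 0x100;
    public static final int SERIALIZE = 0x200;

    /**
     * Length of UsernameToken derived key used by .NET WSE to sign a message.
     */
    public static final int WSE_DERIVED_KEY_LEN = 16;
    /** Label mixed into the UsernameToken key derivation. */
    public static final String LABEL_FOR_DERIVED_KEY = "WS-Security";

    static {
        setComplianceMode();
    }

    /**
     * Initialises {@link #WSSE_NS} and {@link #WSU_NS} from the chosen
     * {@link #COMPLIANCE_MODE}. Because {@code COMPLIANCE_MODE} is a
     * compile-time constant only one branch can ever be taken; the
     * remaining branches document the namespace pairs of the other modes.
     * An unrecognised mode falls back to the OASIS 1.0 namespaces, which
     * are also the field defaults.
     */
    private static void setComplianceMode() {
        switch (COMPLIANCE_MODE) {
            case OASIS_1_0:
                WSSE_NS = WSSE_NS_OASIS_1_0;
                WSU_NS = WSU_NS_OASIS_1_0;
                break;
            case OASIS_2003_06:
                WSSE_NS = WSSE_NS_OASIS_2003_06;
                WSU_NS = WSU_NS_OASIS_2003_06;
                break;
            case OASIS_2002_12:
                WSSE_NS = WSSE_NS_OASIS_2002_12;
                WSU_NS = WSU_NS_OASIS_2002_12;
                break;
            case OASIS_2002_07:
                WSSE_NS = WSSE_NS_OASIS_2002_07;
                WSU_NS = WSU_NS_OASIS_2002_07;
                break;
            default:
                // Deliberate best-effort fallback to the recommended mode.
                WSSE_NS = WSSE_NS_OASIS_1_0;
                WSU_NS = WSU_NS_OASIS_1_0;
        }
    }
}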