0001: /*
0002: * $Id: KeyResolver.java,v 1.18 2007/09/13 12:42:21 kumarjayanti Exp $
0003: */
0004:
0005: /*
0006: * The contents of this file are subject to the terms
0007: * of the Common Development and Distribution License
0008: * (the License). You may not use this file except in
0009: * compliance with the License.
0010: *
0011: * You can obtain a copy of the license at
0012: * https://glassfish.dev.java.net/public/CDDLv1.0.html.
0013: * See the License for the specific language governing
0014: * permissions and limitations under the License.
0015: *
0016: * When distributing Covered Code, include this CDDL
0017: * Header Notice in each file and include the License file
0018: * at https://glassfish.dev.java.net/public/CDDLv1.0.html.
0019: * If applicable, add the following below the CDDL Header,
0020: * with the fields enclosed by brackets [] replaced by
0021: * you own identifying information:
0022: * "Portions Copyrighted [year] [name of copyright owner]"
0023: *
0024: * Copyright 2006 Sun Microsystems Inc. All Rights Reserved
0025: */
0026:
0027: package com.sun.xml.wss.impl.misc;
0028:
0029: import com.sun.xml.wss.core.EncryptedKeyToken;
0030: import com.sun.xml.wss.impl.WssSoapFaultException;
0031: import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
0032: import com.sun.xml.wss.impl.policy.mls.EncryptionPolicy;
0033: import com.sun.xml.wss.impl.policy.mls.SignaturePolicy;
0034: import com.sun.xml.wss.saml.AssertionUtil;
0035: import com.sun.xml.wss.impl.dsig.SignatureProcessor;
0036: import java.io.UnsupportedEncodingException;
0037: import java.security.InvalidKeyException;
0038:
0039: import java.security.Key;
0040: import java.math.BigInteger;
0041: import java.security.NoSuchAlgorithmException;
0042: import java.security.cert.X509Certificate;
0043: import java.security.MessageDigest;
0044:
0045: import java.util.logging.Level;
0046: import java.util.logging.Logger;
0047: import com.sun.org.apache.xml.internal.security.keys.content.KeyValue;
0048: import com.sun.org.apache.xml.internal.security.keys.content.X509Data;
0049: import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException;
0050:
0051: import com.sun.xml.wss.impl.FilterProcessingContext;
0052: import com.sun.xml.wss.impl.MessageConstants;
0053: import com.sun.xml.wss.logging.LogDomainConstants;
0054: import com.sun.xml.wss.XWSSecurityException;
0055: import com.sun.xml.wss.impl.SecurableSoapMessage;
0056:
0057: import com.sun.xml.wss.core.SecurityToken;
0058: import com.sun.xml.wss.core.ReferenceElement;
0059: import com.sun.xml.wss.core.X509SecurityToken;
0060: import com.sun.xml.wss.core.KeyInfoHeaderBlock;
0061: import com.sun.xml.wss.core.SecurityTokenReference;
0062: import com.sun.xml.wss.core.DerivedKeyTokenHeaderBlock;
0063:
0064: import com.sun.xml.wss.core.reference.KeyIdentifier;
0065: import com.sun.xml.wss.core.reference.DirectReference;
0066: import com.sun.xml.wss.core.reference.X509IssuerSerial;
0067: import com.sun.xml.wss.impl.policy.MLSPolicy;
0068: import com.sun.xml.wss.impl.policy.mls.DerivedTokenKeyBinding;
0069: import com.sun.xml.wss.impl.policy.mls.SymmetricKeyBinding;
0070: import com.sun.xml.wss.impl.policy.mls.SecureConversationTokenKeyBinding;
0071: import com.sun.xml.wss.impl.policy.mls.IssuedTokenKeyBinding;
0072: import com.sun.xml.wss.impl.PolicyTypeUtil;
0073: import com.sun.xml.wss.saml.util.SAMLUtil;
0074: import com.sun.xml.wss.impl.XMLUtil;
0075:
0076: import org.w3c.dom.NodeList;
0077:
0078: import java.util.HashMap;
0079: import java.util.Enumeration;
0080: import javax.xml.soap.SOAPElement;
0081: import javax.crypto.spec.SecretKeySpec;
0082: import org.w3c.dom.Node;
0083: import org.w3c.dom.Element;
0084: import javax.xml.namespace.QName;
0085:
0086: import com.sun.xml.wss.core.SecurityContextTokenImpl;
0087: import com.sun.xml.ws.security.SecurityContextToken;
0088: import com.sun.xml.ws.security.IssuedTokenContext;
0089: import com.sun.xml.ws.security.impl.DerivedKeyTokenImpl;
0090: import com.sun.xml.ws.security.DerivedKeyToken;
0091:
0092: import com.sun.xml.ws.security.trust.elements.BinarySecret;
0093: import javax.security.auth.Subject;
0094:
0095: public class KeyResolver {
0096:
0097: private static Logger log = Logger.getLogger(
0098: LogDomainConstants.WSS_API_DOMAIN,
0099: LogDomainConstants.WSS_API_DOMAIN_BUNDLE);
0100:
0101: /**
0102: * If a SecurityTokenReference is present inside the KeyInfo,
0103: * the return value is an instance of PrivateKey (if sig is false) or
0104: * PublicKey (if sig is true).
0105: * Else If a KeyName is present inside the KeyInfo, then the return
0106: * value is an instance of SecretKey.
0107: * Else, an XWSSecurityException is thrown.
0108: *
0109: * @param keyInfo
0110: * @param sig
0111: * true if this method is called by a signature verifier, false if
0112: * called by a decrypter
0113: * @param secureMsg
0114: */
0115:
0116: /*
0117: *
0118: * TODO:: SIG flag to be removed once JSR105 has been tested completly.-Venu
0119: */
0120: public static Key getKey(KeyInfoHeaderBlock keyInfo, boolean sig,
0121: FilterProcessingContext context)
0122: throws XWSSecurityException {
0123:
0124: Key returnKey;
0125: //HashMap tokenCache = context.getTokenCache();
0126: try {
0127: SecurableSoapMessage secureMsg = context
0128: .getSecurableSoapMessage();
0129: if (keyInfo.containsSecurityTokenReference()) {
0130: return processSecurityTokenReference(keyInfo, sig,
0131: context);
0132: } else if (keyInfo.containsKeyName()) {
0133: EncryptionPolicy policy = (EncryptionPolicy) context
0134: .getInferredPolicy();
0135:
0136: String keynameString = keyInfo.getKeyNameString(0);
0137: if (policy != null) {
0138: SymmetricKeyBinding keyBinding = null;
0139: keyBinding = (SymmetricKeyBinding) policy
0140: .newSymmetricKeyBinding();
0141: keyBinding.setKeyIdentifier(keynameString);
0142:
0143: }
0144: returnKey = context.getSecurityEnvironment()
0145: .getSecretKey(
0146: context.getExtraneousProperties(),
0147: keynameString, false);
0148: } else if (keyInfo.containsKeyValue()) {
0149: // resolve KeyValue
0150: returnKey = resolveKeyValue(secureMsg, keyInfo
0151: .getKeyValue(0), sig, context);
0152: } else if (keyInfo.containsX509Data()) {
0153: // resolve X509Data
0154: returnKey = resolveX509Data(secureMsg, keyInfo
0155: .getX509Data(0), sig, context);
0156: } else if (keyInfo.containsEncryptedKeyToken()) {
0157: EncryptedKeyToken token = keyInfo.getEncryptedKey(0);
0158: KeyInfoHeaderBlock kiHB = token.getKeyInfo();
0159: if (kiHB.containsSecurityTokenReference()) {
0160: SecurityTokenReference sectr = kiHB
0161: .getSecurityTokenReference(0);
0162: } else {
0163: log.log(Level.SEVERE,
0164: "WSS0335.unsupported.referencetype");
0165: throw new XWSSecurityException(
0166: "Unsupported reference type under EncryptedKey");
0167: }
0168: //Default algo
0169: //String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
0170: //restore backward compatibility
0171: String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
0172: if (context.getAlgorithmSuite() != null) {
0173: dataEncAlgo = context.getAlgorithmSuite()
0174: .getEncryptionAlgorithm();
0175: } else {
0176: if (context.getDataEncryptionAlgorithm() != null) {
0177: dataEncAlgo = context
0178: .getDataEncryptionAlgorithm();
0179: }
0180: }
0181: returnKey = token.getSecretKey(getKey(kiHB, false,
0182: context), dataEncAlgo);
0183: } else if (keyInfo.containsBinarySecret()) {
0184: BinarySecret bs = keyInfo.getBinarySecret(0);
0185: // assuming the Binary Secret is of Type
0186: if ((bs.getType() == null)
0187: || bs.getType().equals(
0188: BinarySecret.SYMMETRIC_KEY_TYPE)) {
0189: String algo = "AES"; // hardcoding for now
0190: if (context.getAlgorithmSuite() != null) {
0191: algo = SecurityUtil
0192: .getSecretKeyAlgorithm(context
0193: .getAlgorithmSuite()
0194: .getEncryptionAlgorithm());
0195: }
0196: returnKey = new SecretKeySpec(bs.getRawValue(),
0197: algo);
0198: } else {
0199: log
0200: .log(Level.SEVERE,
0201: "WSS0339.unsupported.keyinfo");
0202: throw new XWSSecurityException(
0203: "Unsupported wst:BinarySecret Type");
0204: }
0205:
0206: } else {
0207: log.log(Level.SEVERE, "WSS0339.unsupported.keyinfo");
0208: XWSSecurityException xwsse = new XWSSecurityException(
0209: "Support for processing information in the given ds:KeyInfo is not present");
0210: throw SecurableSoapMessage.newSOAPFaultException(
0211: MessageConstants.WSSE_INVALID_SECURITY, xwsse
0212: .getMessage(), xwsse);
0213: }
0214: } catch (WssSoapFaultException wsse) {
0215: log.log(Level.SEVERE, "WSS0284.WSS.SOAP.Fault.Exception",
0216: wsse);
0217: throw wsse;
0218: } catch (XWSSecurityException xwsse) {
0219: log.log(Level.SEVERE, "WSS0284.WSS.SOAP.Fault.Exception",
0220: xwsse);
0221: throw SecurableSoapMessage.newSOAPFaultException(
0222: MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE,
0223: xwsse.getMessage(), xwsse);
0224: }
0225:
0226: if (returnKey == null) {
0227: log.log(Level.SEVERE, "WSS0600.illegal.token.reference");
0228: XWSSecurityException xwsse = new XWSSecurityException(
0229: "Referenced security token could not be retrieved");
0230: throw SecurableSoapMessage.newSOAPFaultException(
0231: MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE,
0232: xwsse.getMessage(), xwsse);
0233: }
0234:
0235: return returnKey;
0236: }
0237:
0238: public static Key resolveSamlAssertion(
0239: SecurableSoapMessage secureMsg, Element samlAssertion,
0240: boolean sig, FilterProcessingContext context,
0241: String assertionID) throws XWSSecurityException {
0242:
0243: try {
0244: Key key = (Key) context.getSamlIdVSKeyCache().get(
0245: assertionID);
0246: String samlSignatureResolved = (String) context
0247: .getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED);
0248: if (key != null) {
0249: return key;
0250: }
0251:
0252: //TODO: expensive conversion happening
0253: if (samlAssertion == null) {
0254: log.log(Level.SEVERE,
0255: "WSS0235.failed.locate.SAMLAssertion");
0256: throw new XWSSecurityException(
0257: "Cannot Locate SAML Assertion");
0258: }
0259:
0260: if ("false".equals(samlSignatureResolved)) {
0261: NodeList nl = samlAssertion.getElementsByTagNameNS(
0262: MessageConstants.DSIG_NS, "Signature");
0263: //verify the signature inside the SAML assertion
0264: if (nl.getLength() == 0) {
0265: XWSSecurityException e = new XWSSecurityException(
0266: "Unsigned SAML Assertion encountered");
0267: log.log(Level.SEVERE,
0268: "WSS1309.saml.signature.verify.failed", e);
0269: throw SecurableSoapMessage
0270: .newSOAPFaultException(
0271: MessageConstants.WSSE_INVALID_SECURITY,
0272: "Exception during Signature verfication in SAML Assertion",
0273: e);
0274: }
0275: SignaturePolicy policy = (SignaturePolicy) context
0276: .getInferredPolicy();
0277: // will be only during verify.
0278: // AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
0279: //
0280: // if(policy != null){
0281: // keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy.newSAMLAssertionKeyBinding();
0282: // }
0283:
0284: Element elem = (Element) nl.item(0);
0285:
0286: try {
0287: if (!SignatureProcessor.verifySignature(elem,
0288: context)) {
0289: log.log(Level.SEVERE,
0290: "WSS1310.saml.signature.invalid");
0291: throw SecurableSoapMessage
0292: .newSOAPFaultException(
0293: MessageConstants.WSSE_FAILED_AUTHENTICATION,
0294: "SAML Assertion has invalid Signature",
0295: new Exception(
0296: "SAML Assertion has invalid Signature"));
0297: }
0298: } catch (XWSSecurityException ex) {
0299: log.log(Level.SEVERE,
0300: "WSS1310.saml.signature.invalid");
0301: throw SecurableSoapMessage
0302: .newSOAPFaultException(
0303: MessageConstants.WSSE_FAILED_AUTHENTICATION,
0304: "SAML Assertion has invalid Signature",
0305: ex);
0306: }
0307: }
0308:
0309: if ("false".equals(samlSignatureResolved)) {
0310: context.setExtraneousProperty(
0311: MessageConstants.SAML_SIG_RESOLVED, "true");
0312: }
0313:
0314: Element keyInfoElem = AssertionUtil
0315: .getSubjectConfirmationKeyInfo(samlAssertion);
0316: KeyInfoHeaderBlock keyInfo = new KeyInfoHeaderBlock(XMLUtil
0317: .convertToSoapElement(secureMsg.getSOAPPart(),
0318: keyInfoElem));
0319: key = getKey(keyInfo, sig, context);
0320: context.getSamlIdVSKeyCache().put(assertionID, key);
0321: return key;
0322: } catch (Exception e) {
0323: log.log(Level.SEVERE,
0324: "WSS0238.failed.Resolve.SAMLAssertion");
0325: throw new XWSSecurityException(e);
0326: }
0327: }
0328:
0329: public static Key processSecurityTokenReference(
0330: KeyInfoHeaderBlock keyInfo, boolean sig,
0331: FilterProcessingContext context)
0332: throws XWSSecurityException {
0333: Key returnKey = null;
0334: HashMap tokenCache = context.getTokenCache();
0335: SecurableSoapMessage secureMsg = context
0336: .getSecurableSoapMessage();
0337: SecurityTokenReference str = keyInfo
0338: .getSecurityTokenReference(0);
0339: ReferenceElement refElement = str.getReference();
0340: EncryptionPolicy policy = (EncryptionPolicy) context
0341: .getInferredPolicy();
0342: EncryptionPolicy inferredEncryptionPolicy = null;
0343: boolean isWSITRecipient = (context.getMode() == FilterProcessingContext.WSDL_POLICY);
0344: try {
0345: if (isWSITRecipient) {
0346: int i = context.getInferredSecurityPolicy().size() - 1;
0347: inferredEncryptionPolicy = (EncryptionPolicy) context
0348: .getInferredSecurityPolicy().get(i);
0349: }
0350: } catch (Exception e) {
0351: log.log(Level.SEVERE,
0352: "WSS0239.failed.process.SecurityTokenReference", e);
0353: throw new XWSSecurityException(e);
0354: }
0355: // Do a case analysis based on the type of refElement.
0356: // X509 Token Profile supports 3 kinds of reference mechanisms.
0357: // Embedded Reference not considered.
0358: if (refElement instanceof KeyIdentifier) {
0359: KeyIdentifier keyId = (KeyIdentifier) refElement;
0360:
0361: if (MessageConstants.X509SubjectKeyIdentifier_NS
0362: .equals(keyId.getValueType())
0363: || MessageConstants.X509v3SubjectKeyIdentifier_NS
0364: .equals(keyId.getValueType())) {
0365: if (policy != null) {
0366: AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
0367: keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy
0368: .newX509CertificateKeyBinding();
0369: keyBinding
0370: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
0371: }
0372: if (isWSITRecipient) {
0373: MLSPolicy inferredKB = inferredEncryptionPolicy
0374: .getKeyBinding();
0375: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0376: x509Binding
0377: .setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
0378: x509Binding
0379: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
0380: if (inferredKB == null) {
0381: inferredEncryptionPolicy
0382: .setKeyBinding(x509Binding);
0383: } else if (PolicyTypeUtil
0384: .symmetricKeyBinding(inferredKB)) {
0385: ((SymmetricKeyBinding) inferredKB)
0386: .setKeyBinding(x509Binding);
0387: } else if (PolicyTypeUtil
0388: .derivedTokenKeyBinding(inferredKB)) {
0389: DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding) inferredKB;
0390: if (dktBind.getOriginalKeyBinding() == null)
0391: ((DerivedTokenKeyBinding) inferredKB)
0392: .setOriginalKeyBinding(x509Binding);
0393: else if (PolicyTypeUtil
0394: .symmetricKeyBinding(dktBind
0395: .getOriginalKeyBinding())) {
0396: dktBind.getOriginalKeyBinding()
0397: .setKeyBinding(x509Binding);
0398: }
0399: }
0400:
0401: }
0402: if (sig) {
0403: returnKey = context.getSecurityEnvironment()
0404: .getPublicKey(
0405: context.getExtraneousProperties(),
0406: getDecodedBase64EncodedData(keyId
0407: .getReferenceValue()));
0408: } else {
0409: returnKey = context.getSecurityEnvironment()
0410: .getPrivateKey(
0411: context.getExtraneousProperties(),
0412: getDecodedBase64EncodedData(keyId
0413: .getReferenceValue()));
0414: }
0415:
0416: } else if (MessageConstants.ThumbPrintIdentifier_NS
0417: .equals(keyId.getValueType())) {
0418: if (policy != null) {
0419: AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
0420: keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy
0421: .newX509CertificateKeyBinding();
0422: keyBinding
0423: .setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
0424: }
0425: if (isWSITRecipient) {
0426: MLSPolicy inferredKB = inferredEncryptionPolicy
0427: .getKeyBinding();
0428: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0429: x509Binding
0430: .setValueType(MessageConstants.ThumbPrintIdentifier_NS);
0431: x509Binding
0432: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
0433: if (inferredKB == null) {
0434: inferredEncryptionPolicy
0435: .setKeyBinding(x509Binding);
0436: } else if (PolicyTypeUtil
0437: .symmetricKeyBinding(inferredKB)) {
0438: ((SymmetricKeyBinding) inferredKB)
0439: .setKeyBinding(x509Binding);
0440: } else if (PolicyTypeUtil
0441: .derivedTokenKeyBinding(inferredKB)) {
0442: DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding) inferredKB;
0443: if (dktBind.getOriginalKeyBinding() == null)
0444: ((DerivedTokenKeyBinding) inferredKB)
0445: .setOriginalKeyBinding(x509Binding);
0446: else if (PolicyTypeUtil
0447: .symmetricKeyBinding(dktBind
0448: .getOriginalKeyBinding())) {
0449: dktBind.getOriginalKeyBinding()
0450: .setKeyBinding(x509Binding);
0451: }
0452: }
0453:
0454: }
0455: if (sig) {
0456: returnKey = context.getSecurityEnvironment()
0457: .getPublicKey(
0458: context.getExtraneousProperties(),
0459: getDecodedBase64EncodedData(keyId
0460: .getReferenceValue()),
0461: MessageConstants.THUMB_PRINT_TYPE);
0462: } else {
0463: returnKey = context.getSecurityEnvironment()
0464: .getPrivateKey(
0465: context.getExtraneousProperties(),
0466: getDecodedBase64EncodedData(keyId
0467: .getReferenceValue()),
0468: MessageConstants.THUMB_PRINT_TYPE);
0469: }
0470:
0471: } else if (MessageConstants.EncryptedKeyIdentifier_NS
0472: .equals(keyId.getValueType())) {
0473: if (isWSITRecipient) {
0474: MLSPolicy inferredKB = inferredEncryptionPolicy
0475: .getKeyBinding();
0476: SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
0477: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0478: x509Binding
0479: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
0480: skBinding.setKeyBinding(x509Binding);
0481: //TODO: ReferenceType and ValueType not set on X509Binding
0482: if (inferredKB == null) {
0483: inferredEncryptionPolicy
0484: .setKeyBinding(skBinding);
0485: } else if (PolicyTypeUtil
0486: .derivedTokenKeyBinding(inferredKB)) {
0487: if (((DerivedTokenKeyBinding) inferredKB)
0488: .getOriginalKeyBinding() == null)
0489: ((DerivedTokenKeyBinding) inferredKB)
0490: .setOriginalKeyBinding(skBinding);
0491: }
0492: }
0493: String ekSha1RefValue = (String) context
0494: .getExtraneousProperty("EncryptedKeySHA1");
0495: Key secretKey = (Key) context
0496: .getExtraneousProperty("SecretKey");
0497: String keyRefValue = keyId.getReferenceValue();
0498: if (ekSha1RefValue != null && secretKey != null) {
0499: if (ekSha1RefValue.equals(keyRefValue))
0500: returnKey = secretKey;
0501: } else {
0502: String message = "EncryptedKeySHA1 reference not correct";
0503: log
0504: .log(Level.SEVERE,
0505: "WSS0240.invalid.EncryptedKeySHA1.reference");
0506: throw new XWSSecurityException(message);
0507: }
0508:
0509: } else if (MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE
0510: .equals(keyId.getValueType())
0511: || MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE
0512: .equals(keyId.getValueType())) {
0513: // Its a SAML Assertion, retrieve the assertion
0514: if (policy != null) {
0515: AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
0516: keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy
0517: .newSAMLAssertionKeyBinding();
0518: keyBinding.setReferenceType(keyId.getValueType());
0519: }
0520: String assertionID = keyId.getDecodedReferenceValue();
0521: Element samlAssertion = resolveSAMLToken(str,
0522: assertionID, context);
0523: if (isWSITRecipient) {
0524: MLSPolicy inferredKB = inferredEncryptionPolicy
0525: .getKeyBinding();
0526: IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
0527: if (inferredKB == null) {
0528: if (context.hasIssuedToken()) {
0529: inferredEncryptionPolicy
0530: .setKeyBinding(itkBinding);
0531: } else {
0532: inferredEncryptionPolicy
0533: .setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
0534: }
0535: } else if (PolicyTypeUtil
0536: .derivedTokenKeyBinding(inferredKB)) {
0537: if (((DerivedTokenKeyBinding) inferredKB)
0538: .getOriginalKeyBinding() == null)
0539: ((DerivedTokenKeyBinding) inferredKB)
0540: .setOriginalKeyBinding(itkBinding);
0541: }
0542: }
0543: returnKey = resolveSamlAssertion(secureMsg,
0544: samlAssertion, sig, context, assertionID);
0545: if (context.hasIssuedToken()) {
0546: SecurityUtil.initInferredIssuedTokenContext(
0547: context, str, returnKey);
0548: }
0549:
0550: } else {
0551: if (policy != null) {
0552: AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
0553: keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy
0554: .newSAMLAssertionKeyBinding();
0555: }
0556: Element samlAssertion = null;
0557: String assertionID = keyId.getDecodedReferenceValue();
0558: try {
0559: samlAssertion = resolveSAMLToken(str, assertionID,
0560: context);
0561: } catch (Exception ex) {
0562: //ignore
0563: }
0564: if (samlAssertion != null) {
0565: if (isWSITRecipient) {
0566: MLSPolicy inferredKB = inferredEncryptionPolicy
0567: .getKeyBinding();
0568: IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
0569: if (inferredKB == null) {
0570: inferredEncryptionPolicy
0571: .setKeyBinding(itkBinding);
0572: } else if (PolicyTypeUtil
0573: .derivedTokenKeyBinding(inferredKB)) {
0574: if (((DerivedTokenKeyBinding) inferredKB)
0575: .getOriginalKeyBinding() == null)
0576: ((DerivedTokenKeyBinding) inferredKB)
0577: .setOriginalKeyBinding(itkBinding);
0578: }
0579: }
0580: returnKey = resolveSamlAssertion(secureMsg,
0581: samlAssertion, sig, context, assertionID);
0582: if (context.hasIssuedToken()) {
0583: SecurityUtil.initInferredIssuedTokenContext(
0584: context, str, returnKey);
0585: }
0586: } else {
0587: // now assume its an X509Token
0588: // Note: the code below assumes base64 EncodingType for X509 SKI
0589: if (isWSITRecipient) {
0590: MLSPolicy inferredKB = inferredEncryptionPolicy
0591: .getKeyBinding();
0592: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0593: x509Binding
0594: .setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
0595: x509Binding
0596: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
0597: if (inferredKB == null) {
0598: inferredEncryptionPolicy
0599: .setKeyBinding(x509Binding);
0600: } else if (PolicyTypeUtil
0601: .symmetricKeyBinding(inferredKB)) {
0602: ((SymmetricKeyBinding) inferredKB)
0603: .setKeyBinding(x509Binding);
0604: } else if (PolicyTypeUtil
0605: .derivedTokenKeyBinding(inferredKB)) {
0606: DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding) inferredKB;
0607: if (dktBind.getOriginalKeyBinding() == null)
0608: ((DerivedTokenKeyBinding) inferredKB)
0609: .setOriginalKeyBinding(x509Binding);
0610: else if (PolicyTypeUtil
0611: .symmetricKeyBinding(dktBind
0612: .getOriginalKeyBinding())) {
0613: dktBind.getOriginalKeyBinding()
0614: .setKeyBinding(x509Binding);
0615: }
0616: }
0617:
0618: }
0619: if (sig) {
0620: returnKey = context
0621: .getSecurityEnvironment()
0622: .getPublicKey(
0623: context
0624: .getExtraneousProperties(),
0625: getDecodedBase64EncodedData(keyId
0626: .getReferenceValue()));
0627: } else {
0628: returnKey = context
0629: .getSecurityEnvironment()
0630: .getPrivateKey(
0631: context
0632: .getExtraneousProperties(),
0633: getDecodedBase64EncodedData(keyId
0634: .getReferenceValue()));
0635: }
0636: }
0637: }
0638: } else if (refElement instanceof DirectReference) {
0639: String uri = ((DirectReference) refElement).getURI();
0640:
0641: // will be only during verify.
0642: AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
0643: String valueType = ((DirectReference) refElement)
0644: .getValueType();
0645: if (MessageConstants.DKT_VALUETYPE.equals(valueType)) {
0646: //TODO: this will work for now but need to handle this case here later
0647: valueType = null;
0648: }
0649:
0650: if (policy != null) {
0651: keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy
0652: .newX509CertificateKeyBinding();
0653: keyBinding
0654: .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
0655: keyBinding.setValueType(valueType);
0656: }
0657:
0658: if (MessageConstants.X509v3_NS.equals(valueType)
0659: || MessageConstants.X509v1_NS.equals(valueType)) {
0660: // its an X509 Token
0661: HashMap insertedX509Cache = context
0662: .getInsertedX509Cache();
0663: String wsuId = secureMsg.getIdFromFragmentRef(uri);
0664: X509SecurityToken token = (X509SecurityToken) insertedX509Cache
0665: .get(wsuId);
0666: if (token == null)
0667: token = (X509SecurityToken) resolveToken(wsuId,
0668: context, secureMsg);
0669: if (isWSITRecipient) {
0670: MLSPolicy inferredKB = inferredEncryptionPolicy
0671: .getKeyBinding();
0672: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0673: x509Binding
0674: .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
0675: x509Binding.setValueType(valueType);
0676: if (inferredKB == null) {
0677: inferredEncryptionPolicy
0678: .setKeyBinding(x509Binding);
0679: } else if (PolicyTypeUtil
0680: .symmetricKeyBinding(inferredKB)) {
0681: ((SymmetricKeyBinding) inferredKB)
0682: .setKeyBinding(x509Binding);
0683: } else if (PolicyTypeUtil
0684: .derivedTokenKeyBinding(inferredKB)) {
0685: DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding) inferredKB;
0686: if (dktBind.getOriginalKeyBinding() == null)
0687: dktBind.setOriginalKeyBinding(x509Binding);
0688: else if (PolicyTypeUtil
0689: .symmetricKeyBinding(dktBind
0690: .getOriginalKeyBinding()))
0691: dktBind.getOriginalKeyBinding()
0692: .setKeyBinding(x509Binding);
0693: }
0694:
0695: }
0696: returnKey = resolveX509Token(secureMsg, token, sig,
0697: context);
0698:
0699: } else if (MessageConstants.EncryptedKey_NS
0700: .equals(valueType)) {
0701: // Do default processing
0702: String wsuId = secureMsg.getIdFromFragmentRef(uri);
0703: SecurityToken token = resolveToken(wsuId, context,
0704: secureMsg);
0705: //TODO: STR is referring to EncryptedKey
0706: KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken) token)
0707: .getKeyInfo();
0708: SecurityTokenReference sectr = kiHB
0709: .getSecurityTokenReference(0);
0710:
0711: //String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
0712: // now that context will have AlgoSuite under WSIT, this should not be an issue
0713: // so restoring old value since it breaks Backward Compat otherwise
0714: String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
0715: if (context.getAlgorithmSuite() != null) {
0716: dataEncAlgo = context.getAlgorithmSuite()
0717: .getEncryptionAlgorithm();
0718: } else {
0719: if (context.getDataEncryptionAlgorithm() != null) {
0720: dataEncAlgo = context
0721: .getDataEncryptionAlgorithm();
0722: }
0723: }
0724: try {
0725: Element cipherData = (Element) ((EncryptedKeyToken) token)
0726: .getAsSoapElement()
0727: .getChildElements(
0728: new QName(
0729: MessageConstants.XENC_NS,
0730: "CipherData",
0731: MessageConstants.XENC_PREFIX))
0732: .next();
0733: String cipherValue = cipherData
0734: .getElementsByTagNameNS(
0735: MessageConstants.XENC_NS,
0736: "CipherValue").item(0)
0737: .getTextContent();
0738: byte[] decodedCipher = Base64.decode(cipherValue);
0739: byte[] ekSha1 = MessageDigest.getInstance("SHA-1")
0740: .digest(decodedCipher);
0741: String encEkSha1 = Base64.encode(ekSha1);
0742: context.setExtraneousProperty(
0743: MessageConstants.EK_SHA1_VALUE, encEkSha1);
0744:
0745: } catch (Exception e) {
0746: log.log(Level.SEVERE,
0747: "WSS0241.unable.set.EKSHA1.OnContext", e);
0748: throw new XWSSecurityException(e);
0749: }
0750: if (isWSITRecipient) {
0751: MLSPolicy inferredKB = inferredEncryptionPolicy
0752: .getKeyBinding();
0753: SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
0754: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0755: skBinding.setKeyBinding(x509Binding);
0756: //TODO: ReferenceType and ValueType not set on X509Binding
0757: if (inferredKB == null) {
0758: inferredEncryptionPolicy
0759: .setKeyBinding(skBinding);
0760: } else if (PolicyTypeUtil
0761: .symmetricKeyBinding(inferredKB)) {
0762: ((SymmetricKeyBinding) inferredKB)
0763: .setKeyBinding(x509Binding);
0764: } else if (PolicyTypeUtil
0765: .derivedTokenKeyBinding(inferredKB)) {
0766: DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding) inferredKB;
0767: if (dktBind.getOriginalKeyBinding() == null)
0768: dktBind.setOriginalKeyBinding(x509Binding);
0769: else if (PolicyTypeUtil
0770: .symmetricKeyBinding(dktBind
0771: .getOriginalKeyBinding()))
0772: dktBind.getOriginalKeyBinding()
0773: .setKeyBinding(x509Binding);
0774: }
0775:
0776: }
0777: returnKey = ((EncryptedKeyToken) token).getSecretKey(
0778: getKey(kiHB, sig, context), dataEncAlgo);
0779: context.setExtraneousProperty(
0780: MessageConstants.SECRET_KEY_VALUE, returnKey);
0781:
0782: } else if (MessageConstants.SCT_VALUETYPE.equals(valueType)) {
0783: // could be wsuId or SCT Session Id
0784: String sctId = secureMsg.getIdFromFragmentRef(uri);
0785: SecurityToken token = (SecurityToken) tokenCache
0786: .get(sctId);
0787:
0788: if (token == null) {
0789: token = SecurityUtil.locateBySCTId(context, uri);
0790: if (token == null) {
0791: token = resolveToken(sctId, context, secureMsg);
0792: }
0793: if (token == null) {
0794: log.log(Level.SEVERE,
0795: "WSS0242.unableto.locate.SCT");
0796: throw new XWSSecurityException(
0797: "SCT Token with Id " + sctId
0798: + "not found");
0799: } else {
0800: tokenCache.put(sctId, token);
0801: }
0802: }
0803:
0804: if (token instanceof SecurityContextToken) {
0805: //handling for SecurityContext Token
0806: byte[] proofKey = resolveSCT(context,
0807: (SecurityContextTokenImpl) token, sig);
0808: String encAlgo = "AES"; //hardcoding for now
0809: if (context.getAlgorithmSuite() != null) {
0810: encAlgo = SecurityUtil
0811: .getSecretKeyAlgorithm(context
0812: .getAlgorithmSuite()
0813: .getEncryptionAlgorithm());
0814: }
0815: if (isWSITRecipient) {
0816: MLSPolicy inferredKB = inferredEncryptionPolicy
0817: .getKeyBinding();
0818: SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
0819: if (inferredKB == null) {
0820: inferredEncryptionPolicy
0821: .setKeyBinding(sctBinding);
0822: } else if (PolicyTypeUtil
0823: .derivedTokenKeyBinding(inferredKB)) {
0824: if (((DerivedTokenKeyBinding) inferredKB)
0825: .getOriginalKeyBinding() == null)
0826: ((DerivedTokenKeyBinding) inferredKB)
0827: .setOriginalKeyBinding(sctBinding);
0828: }
0829: }
0830: returnKey = new SecretKeySpec(proofKey, encAlgo);
0831:
0832: } else {
0833: log.log(Level.SEVERE,
0834: "WSS0243.invalid.valueType.NonSCTToken");
0835: throw new XWSSecurityException(
0836: "Incorrect ValueType: "
0837: + MessageConstants.SCT_VALUETYPE
0838: + ", specified for a Non SCT Token");
0839: }
0840:
0841: } else if (null == valueType) {
0842: // Do default processing
0843: String wsuId = secureMsg.getIdFromFragmentRef(uri);
0844: SecurityToken token = SecurityUtil.locateBySCTId(
0845: context, wsuId);
0846: if (token == null) {
0847: token = resolveToken(wsuId, context, secureMsg);
0848: }
0849: if (token instanceof X509SecurityToken) {
0850: if (isWSITRecipient) {
0851: MLSPolicy inferredKB = inferredEncryptionPolicy
0852: .getKeyBinding();
0853: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0854: x509Binding
0855: .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
0856: if (inferredKB == null) {
0857: inferredEncryptionPolicy
0858: .setKeyBinding(x509Binding);
0859: } else if (PolicyTypeUtil
0860: .derivedTokenKeyBinding(inferredKB)) {
0861: if (((DerivedTokenKeyBinding) inferredKB)
0862: .getOriginalKeyBinding() == null)
0863: ((DerivedTokenKeyBinding) inferredKB)
0864: .setOriginalKeyBinding(x509Binding);
0865: }
0866: }
0867: returnKey = resolveX509Token(secureMsg,
0868: (X509SecurityToken) token, sig, context);
0869: } else if (token instanceof EncryptedKeyToken) {
0870: //TODO: STR is referring to EncryptedKey
0871: KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken) token)
0872: .getKeyInfo();
0873: SecurityTokenReference sectr = kiHB
0874: .getSecurityTokenReference(0);
0875: ReferenceElement refElem = sectr.getReference();
0876: String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
0877: // now that context will have AlgoSuite under WSIT, this should not be an issue
0878: // so restoring old value since it breaks Backward Compat otherwise
0879: //String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
0880: if (context.getAlgorithmSuite() != null) {
0881: dataEncAlgo = context.getAlgorithmSuite()
0882: .getEncryptionAlgorithm();
0883: } else {
0884: if (context.getDataEncryptionAlgorithm() != null) {
0885: dataEncAlgo = context
0886: .getDataEncryptionAlgorithm();
0887: }
0888: }
0889: try {
0890: Element cipherData = (Element) ((EncryptedKeyToken) token)
0891: .getAsSoapElement()
0892: .getChildElements(
0893: new QName(
0894: MessageConstants.XENC_NS,
0895: "CipherData",
0896: MessageConstants.XENC_PREFIX))
0897: .next();
0898: String cipherValue = cipherData
0899: .getElementsByTagNameNS(
0900: MessageConstants.XENC_NS,
0901: "CipherValue").item(0)
0902: .getTextContent();
0903: byte[] decodedCipher = Base64
0904: .decode(cipherValue);
0905: byte[] ekSha1 = MessageDigest.getInstance(
0906: "SHA-1").digest(decodedCipher);
0907: String encEkSha1 = Base64.encode(ekSha1);
0908: context.setExtraneousProperty(
0909: MessageConstants.EK_SHA1_VALUE,
0910: encEkSha1);
0911: } catch (Exception e) {
0912: log
0913: .log(
0914: Level.SEVERE,
0915: "WSS0241.unableto.set.EKSHA1.OnContext",
0916: e);
0917: throw new XWSSecurityException(e);
0918: }
0919: if (isWSITRecipient) {
0920: MLSPolicy inferredKB = inferredEncryptionPolicy
0921: .getKeyBinding();
0922: SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
0923: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0924: skBinding.setKeyBinding(x509Binding);
0925: //TODO: ReferenceType and ValueType not set on X509Binding
0926: if (inferredKB == null) {
0927: inferredEncryptionPolicy
0928: .setKeyBinding(skBinding);
0929: } else if (PolicyTypeUtil
0930: .derivedTokenKeyBinding(inferredKB)) {
0931: if (((DerivedTokenKeyBinding) inferredKB)
0932: .getOriginalKeyBinding() == null)
0933: ((DerivedTokenKeyBinding) inferredKB)
0934: .setOriginalKeyBinding(skBinding);
0935: }
0936: }
0937: returnKey = ((EncryptedKeyToken) token)
0938: .getSecretKey(getKey(kiHB, sig, context),
0939: dataEncAlgo);
0940: context.setExtraneousProperty(
0941: MessageConstants.SECRET_KEY_VALUE,
0942: returnKey);
0943:
0944: } else if (token instanceof SecurityContextToken) {
0945: //handling for SecurityContext Token
0946: byte[] proofKey = resolveSCT(context,
0947: (SecurityContextTokenImpl) token, sig);
0948: String encAlgo = "AES"; //default algo
0949: if (context.getAlgorithmSuite() != null) {
0950: encAlgo = SecurityUtil
0951: .getSecretKeyAlgorithm(context
0952: .getAlgorithmSuite()
0953: .getEncryptionAlgorithm());
0954: }
0955: if (isWSITRecipient) {
0956: MLSPolicy inferredKB = inferredEncryptionPolicy
0957: .getKeyBinding();
0958: SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
0959: if (inferredKB == null) {
0960: inferredEncryptionPolicy
0961: .setKeyBinding(sctBinding);
0962: } else if (PolicyTypeUtil
0963: .derivedTokenKeyBinding(inferredKB)) {
0964: if (((DerivedTokenKeyBinding) inferredKB)
0965: .getOriginalKeyBinding() == null)
0966: ((DerivedTokenKeyBinding) inferredKB)
0967: .setOriginalKeyBinding(sctBinding);
0968: }
0969: }
0970: returnKey = new SecretKeySpec(proofKey, encAlgo);
0971:
0972: } else if (token instanceof DerivedKeyTokenHeaderBlock) {
0973: if (isWSITRecipient) {
0974: MLSPolicy inferredKB = inferredEncryptionPolicy
0975: .getKeyBinding();
0976: DerivedTokenKeyBinding dtkBinding = new DerivedTokenKeyBinding();
0977: if (inferredKB == null) {
0978: inferredEncryptionPolicy
0979: .setKeyBinding(dtkBinding);
0980: } else if (PolicyTypeUtil
0981: .derivedTokenKeyBinding(inferredKB)) {
0982: //already set - do nothing
0983: } else {
0984: log.log(Level.SEVERE,
0985: "WSS0244.invalid.level.DKT");
0986: throw new XWSSecurityException(
0987: "A derived Key Token should be a top level key binding");
0988: }
0989: }
0990: returnKey = resolveDKT(context,
0991: (DerivedKeyTokenHeaderBlock) token);
0992: } else {
0993: String message = " Cannot Resolve URI " + uri;
0994: log.log(Level.SEVERE,
0995: "WSS0337.unsupported.directref.mechanism",
0996: new Object[] { message });
0997: XWSSecurityException xwsse = new XWSSecurityException(
0998: message);
0999: throw SecurableSoapMessage
1000: .newSOAPFaultException(
1001: MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE,
1002: xwsse.getMessage(), xwsse);
1003: }
1004: } else {
1005: log.log(Level.SEVERE,
1006: "WSS0337.unsupported.directref.mechanism",
1007: new Object[] { ((DirectReference) refElement)
1008: .getValueType() });
1009: XWSSecurityException xwsse = new XWSSecurityException(
1010: "unsupported directreference ValueType "
1011: + ((DirectReference) refElement)
1012: .getValueType());
1013: throw SecurableSoapMessage.newSOAPFaultException(
1014: MessageConstants.WSSE_INVALID_SECURITY_TOKEN,
1015: xwsse.getMessage(), xwsse);
1016: }
1017: } else if (refElement instanceof X509IssuerSerial) {
1018: BigInteger serialNumber = ((X509IssuerSerial) refElement)
1019: .getSerialNumber();
1020: String issuerName = ((X509IssuerSerial) refElement)
1021: .getIssuerName();
1022:
1023: if (isWSITRecipient) {
1024: MLSPolicy inferredKB = inferredEncryptionPolicy
1025: .getKeyBinding();
1026: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1027: x509Binding
1028: .setReferenceType(MessageConstants.X509_ISSUER_TYPE);
1029: if (inferredKB == null) {
1030: inferredEncryptionPolicy.setKeyBinding(x509Binding);
1031: } else if (PolicyTypeUtil
1032: .symmetricKeyBinding(inferredKB)) {
1033: ((SymmetricKeyBinding) inferredKB)
1034: .setKeyBinding(x509Binding);
1035: } else if (PolicyTypeUtil
1036: .derivedTokenKeyBinding(inferredKB)) {
1037: DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding) inferredKB;
1038: if (dktBind.getOriginalKeyBinding() == null)
1039: dktBind.setOriginalKeyBinding(x509Binding);
1040: else if (PolicyTypeUtil.symmetricKeyBinding(dktBind
1041: .getOriginalKeyBinding()))
1042: dktBind.getOriginalKeyBinding().setKeyBinding(
1043: x509Binding);
1044: }
1045:
1046: }
1047: if (sig) {
1048: returnKey = context.getSecurityEnvironment()
1049: .getPublicKey(
1050: context.getExtraneousProperties(),
1051: serialNumber, issuerName);
1052: } else {
1053: returnKey = context.getSecurityEnvironment()
1054: .getPrivateKey(
1055: context.getExtraneousProperties(),
1056: serialNumber, issuerName);
1057: }
1058: } else {
1059: log.log(Level.SEVERE,
1060: "WSS0338.unsupported.reference.mechanism");
1061: XWSSecurityException xwsse = new XWSSecurityException(
1062: "Key reference mechanism not supported");
1063: throw SecurableSoapMessage.newSOAPFaultException(
1064: MessageConstants.WSSE_UNSUPPORTED_SECURITY_TOKEN,
1065: xwsse.getMessage(), xwsse);
1066: }
1067: return returnKey;
1068: }
1069:
1070: public static Key resolveX509Token(SecurableSoapMessage secureMsg,
1071: X509SecurityToken token, boolean sig,
1072: FilterProcessingContext context)
1073: throws XWSSecurityException {
1074:
1075: if (sig) {
1076: // Update the Subject of the sender
1077: X509Certificate cert = token.getCertificate();
1078: context.getSecurityEnvironment().updateOtherPartySubject(
1079: DefaultSecurityEnvironmentImpl.getSubject(context),
1080: cert);
1081: // updating other party credentials
1082: if (context.getTrustCredentialHolder() != null) {
1083: context.getTrustCredentialHolder()
1084: .setRequestorCertificate(cert);
1085: }
1086: return cert.getPublicKey();
1087: } else {
1088: return context.getSecurityEnvironment().getPrivateKey(
1089: context.getExtraneousProperties(),
1090: token.getCertificate());
1091: }
1092: }
1093:
1094: public static Key resolveKeyValue(SecurableSoapMessage secureMsg,
1095: KeyValue keyValue, boolean sig,
1096: FilterProcessingContext context)
1097: throws XWSSecurityException {
1098: keyValue.getElement().normalize();
1099: try {
1100: if (sig) {
1101: return keyValue.getPublicKey();
1102: } else {
1103: return context.getSecurityEnvironment().getPrivateKey(
1104: context.getExtraneousProperties(),
1105: keyValue.getPublicKey(), false);
1106: }
1107: } catch (Exception e) {
1108: log.log(Level.SEVERE, "WSS0601.illegal.key.value", e
1109: .getMessage());
1110: throw new XWSSecurityException(e);
1111: }
1112: }
1113:
1114: // not supporting CRL and SubjectName yet
1115: // TODO: the support is incomplete here
1116: public static Key resolveX509Data(SecurableSoapMessage secureMsg,
1117: X509Data x509Data, boolean sig,
1118: FilterProcessingContext context)
1119: throws XWSSecurityException {
1120:
1121: // workaround for what seems to be a bug in XMLSecurity
1122: // text node getting split
1123: x509Data.getElement().normalize();
1124: X509Certificate cert = null;
1125:
1126: try {
1127: if (x509Data.containsCertificate()) {
1128: cert = (x509Data.itemCertificate(0))
1129: .getX509Certificate();
1130: } else if (x509Data.containsSKI()) {
1131: if (sig) {
1132: return context.getSecurityEnvironment()
1133: .getPublicKey(
1134: context.getExtraneousProperties(),
1135: x509Data.itemSKI(0).getSKIBytes());
1136: } else {
1137: return context.getSecurityEnvironment()
1138: .getPrivateKey(
1139: context.getExtraneousProperties(),
1140: x509Data.itemSKI(0).getSKIBytes());
1141: }
1142: } else if (x509Data.containsSubjectName()) {
1143: log.log(Level.SEVERE, "WSS0339.unsupported.keyinfo");
1144: throw new XWSSecurityException(
1145: "X509SubjectName child element of X509Data is not yet supported by our implementation");
1146: } else if (x509Data.containsIssuerSerial()) {
1147: if (sig) {
1148: return context.getSecurityEnvironment()
1149: .getPublicKey(
1150: context.getExtraneousProperties(),
1151: x509Data.itemIssuerSerial(0)
1152: .getSerialNumber(),
1153: x509Data.itemIssuerSerial(0)
1154: .getIssuerName());
1155: } else {
1156: return context.getSecurityEnvironment()
1157: .getPrivateKey(
1158: context.getExtraneousProperties(),
1159: x509Data.itemIssuerSerial(0)
1160: .getSerialNumber(),
1161: x509Data.itemIssuerSerial(0)
1162: .getIssuerName());
1163: }
1164:
1165: } else {
1166: log.log(Level.SEVERE, "WSS0339.unsupported.keyinfo");
1167: throw new XWSSecurityException(
1168: "Unsupported child element of X509Data encountered");
1169: }
1170:
1171: if (sig) {
1172: return cert.getPublicKey();
1173: } else {
1174: return context.getSecurityEnvironment().getPrivateKey(
1175: context.getExtraneousProperties(), cert);
1176: }
1177: } catch (Exception e) {
1178: log.log(Level.SEVERE, "WSS0602.illegal.x509.data", e
1179: .getMessage());
1180: throw new XWSSecurityException(e);
1181: }
1182: }
1183:
1184: private static byte[] getDecodedBase64EncodedData(String encodedData)
1185: throws XWSSecurityException {
1186: try {
1187: return Base64.decode(encodedData);
1188: } catch (Base64DecodingException e) {
1189: log.log(Level.SEVERE,
1190: "WSS0144.unableto.decode.base64.data", e);
1191: throw new XWSSecurityException(
1192: "Unable to decode Base64 encoded data", e);
1193: }
1194: }
1195:
1196: private static SecurityToken resolveToken(String uri,
1197: FilterProcessingContext context,
1198: SecurableSoapMessage secureMsg) throws XWSSecurityException {
1199: try {
1200: HashMap cache = context.getTokenCache();
1201: SecurityToken token = (SecurityToken) cache.get(uri);
1202: if (token != null) {
1203: return token;
1204: }
1205: if (token == null) {
1206: Node tokenNode = secureMsg.getElementById(uri);
1207: tokenNode.normalize();
1208: if (MessageConstants.WSSE_BINARY_SECURITY_TOKEN_LNAME
1209: .equals(tokenNode.getLocalName())) {
1210: token = new X509SecurityToken(
1211: (SOAPElement) tokenNode);
1212: } else if (MessageConstants.ENCRYPTEDKEY_LNAME
1213: .equals(tokenNode.getLocalName())) {
1214: token = new EncryptedKeyToken(
1215: (SOAPElement) tokenNode);
1216: } else if (MessageConstants.SECURITY_CONTEXT_TOKEN_LNAME
1217: .equals(tokenNode.getLocalName())) {
1218: token = new SecurityContextTokenImpl(
1219: (SOAPElement) tokenNode);
1220: } else if (MessageConstants.DERIVEDKEY_TOKEN_LNAME
1221: .equals(tokenNode.getLocalName())) {
1222: token = new DerivedKeyTokenHeaderBlock(
1223: (SOAPElement) tokenNode);
1224: }
1225: }
1226: cache.put(uri, token);
1227: return token;
1228: } catch (Exception ex) {
1229: log.log(Level.SEVERE,
1230: "WSS0245.failed.resolve.SecurityToken", ex);
1231: throw new XWSSecurityException(ex);
1232: }
1233: }
1234:
1235: private static Element resolveSAMLToken(
1236: SecurityTokenReference tokenRef, String assertionId,
1237: FilterProcessingContext context)
1238: throws XWSSecurityException {
1239:
1240: Element clientSAMLAssertionCache = (Element) context
1241: .getExtraneousProperties().get(
1242: MessageConstants.SAML_ASSERTION_CLIENT_CACHE);
1243:
1244: if (clientSAMLAssertionCache != null) {
1245: return clientSAMLAssertionCache;
1246: }
1247:
1248: Element tokenElement = context.getIssuedSAMLToken();
1249: if (tokenElement != null) {
1250: context.setExtraneousProperty(
1251: MessageConstants.SAML_SIG_RESOLVED, "false");
1252: }
1253: if (tokenElement == null) {
1254: if (tokenRef.getSamlAuthorityBinding() != null) {
1255: tokenElement = context.getSecurityEnvironment()
1256: .locateSAMLAssertion(
1257: context.getExtraneousProperties(),
1258: tokenRef.getSamlAuthorityBinding(),
1259: assertionId,
1260: context.getSOAPMessage().getSOAPPart());
1261: } else {
1262: tokenElement = SAMLUtil.locateSamlAssertion(
1263: assertionId, context.getSOAPMessage()
1264: .getSOAPPart());
1265: if (!("true"
1266: .equals((String) context
1267: .getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED)))
1268: || "false"
1269: .equals((String) context
1270: .getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED))) {
1271: context
1272: .setExtraneousProperty(
1273: MessageConstants.SAML_SIG_RESOLVED,
1274: "false");
1275: }
1276: }
1277: }
1278:
1279: addAuthorityId(tokenElement, context);
1280:
1281: //TODO: expensive conversion happening here
1282: try {
1283: // if it is an Encrypted SAML Assertion we cannot decrypt it
1284: // on the client side since we don't have the Private Key
1285: if ("EncryptedData".equals(tokenElement.getLocalName())) {
1286: return null;
1287: }
1288: } catch (Exception e) {
1289: log.log(Level.SEVERE,
1290: "WSS0238.failed.Resolve.SAMLAssertion", e);
1291: throw new XWSSecurityException(e);
1292: }
1293:
1294: return tokenElement;
1295: }
1296:
1297: private static void addAuthorityId(Element assertion,
1298: FilterProcessingContext fp) {
1299: EncryptionPolicy ep = (EncryptionPolicy) fp.getInferredPolicy();
1300: if (ep != null) {
1301: AuthenticationTokenPolicy.SAMLAssertionBinding kb = (AuthenticationTokenPolicy.SAMLAssertionBinding) ep
1302: .newSAMLAssertionKeyBinding();
1303: String issuer = assertion.getAttribute("Issuer");
1304: kb.setAuthorityIdentifier(issuer);
1305: }
1306: }
1307:
1308: // this method would be called on incoming client/server messages
1309: private static byte[] resolveSCT(FilterProcessingContext context,
1310: SecurityContextTokenImpl token, boolean sig)
1311: throws XWSSecurityException {
1312:
1313: // first set it into Extraneous Properties
1314: context.setExtraneousProperty(MessageConstants.INCOMING_SCT,
1315: token);
1316: // now get the SC ID
1317: String scId = token.getSCId();
1318:
1319: IssuedTokenContext ctx = context.getIssuedTokenContext(scId);
1320: if (ctx == null) {
1321: // this can happen on client side where the map is based on tokenId
1322: Enumeration elements = context.getIssuedTokenContextMap()
1323: .elements();
1324: while (elements.hasMoreElements()) {
1325: IssuedTokenContext ictx = (IssuedTokenContext) elements
1326: .nextElement();
1327: Object tok = ictx.getSecurityToken();
1328: String ctxid = null;
1329: if (tok instanceof SecurityContextToken) {
1330: ctxid = ((SecurityContextToken) tok)
1331: .getIdentifier().toString();
1332: if (ctxid.equals(scId)) {
1333: ctx = ictx;
1334: break;
1335: }
1336: }
1337:
1338: }
1339: }
1340:
1341: if (ctx == null) {
1342: log
1343: .log(Level.SEVERE,
1344: "WSS0246.unableto.locate.SecureConversationSession");
1345: throw new XWSSecurityException(
1346: "Could not locate SecureConversation session for Id:"
1347: + scId);
1348: }
1349:
1350: Subject subj = ctx.getRequestorSubject();
1351: if (subj != null) {
1352: // subj will be null if this is the client side execution
1353: if (context
1354: .getExtraneousProperty(MessageConstants.SCBOOTSTRAP_CRED_IN_SUBJ) == null) {
1355: //do it only once
1356: context.getSecurityEnvironment()
1357: .updateOtherPartySubject(
1358: SecurityUtil.getSubject(context
1359: .getExtraneousProperties()),
1360: subj);
1361: context.getExtraneousProperties().put(
1362: MessageConstants.SCBOOTSTRAP_CRED_IN_SUBJ,
1363: "true");
1364: }
1365: }
1366:
1367: byte[] proofKey = ctx.getProofKey();
1368: return proofKey;
1369: }
1370:
1371: private static Key resolveDKT(FilterProcessingContext context,
1372: DerivedKeyTokenHeaderBlock token)
1373: throws XWSSecurityException {
1374:
1375: //TODO: hardcoded for testing -- need to obtain this from somewhere
1376: String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
1377: if (context.getAlgorithmSuite() != null) {
1378: dataEncAlgo = context.getAlgorithmSuite()
1379: .getEncryptionAlgorithm();
1380: }
1381: //HashMap tokenCache = context.getTokenCache();
1382: SecurableSoapMessage secureMsg = context
1383: .getSecurableSoapMessage();
1384:
1385: EncryptionPolicy inferredEncryptionPolicy = null;
1386: boolean isWSITRecipient = (context.getMode() == FilterProcessingContext.WSDL_POLICY);
1387: try {
1388: if (isWSITRecipient) {
1389: int i = context.getInferredSecurityPolicy().size() - 1;
1390: inferredEncryptionPolicy = (EncryptionPolicy) context
1391: .getInferredSecurityPolicy().get(i);
1392: }
1393: } catch (Exception e) {
1394: log.log(Level.SEVERE,
1395: "WSS0247.failed.resolve.DerivedKeyToken");
1396: throw new XWSSecurityException(e);
1397: }
1398:
1399: SecurityTokenReference sectr = token.getDerivedKeyElement();
1400: if (sectr == null) {
1401: log.log(Level.SEVERE, "WSS0248.null.STR");
1402: throw new XWSSecurityException(
1403: "Invalid DerivedKey Token encountered, no STR found");
1404: }
1405: ReferenceElement refElement = sectr.getReference();
1406: Key encKey = null;
1407: byte[] secret = null;
1408: if (refElement instanceof DirectReference) {
1409: String uri = ((DirectReference) refElement).getURI();
1410: String valueType = ((DirectReference) refElement)
1411: .getValueType();
1412: String wsuId = secureMsg.getIdFromFragmentRef(uri);
1413: SecurityToken secToken = SecurityUtil.locateBySCTId(
1414: context, wsuId);
1415: if (secToken == null) {
1416: secToken = resolveToken(wsuId, context, secureMsg);
1417: //workaround for case where Reference does not have ValueType
1418: if ((valueType == null)
1419: && (secToken instanceof EncryptedKeyToken)) {
1420: valueType = MessageConstants.EncryptedKey_NS;
1421: }
1422: }
1423:
1424: if (MessageConstants.EncryptedKey_NS.equals(valueType)) {
1425: try {
1426: Element cipherData = (Element) ((EncryptedKeyToken) secToken)
1427: .getAsSoapElement()
1428: .getChildElements(
1429: new QName(
1430: MessageConstants.XENC_NS,
1431: "CipherData",
1432: MessageConstants.XENC_PREFIX))
1433: .next();
1434: String cipherValue = cipherData
1435: .getElementsByTagNameNS(
1436: MessageConstants.XENC_NS,
1437: "CipherValue").item(0)
1438: .getTextContent();
1439: byte[] decodedCipher = Base64.decode(cipherValue);
1440: byte[] ekSha1 = MessageDigest.getInstance("SHA-1")
1441: .digest(decodedCipher);
1442: String encEkSha1 = Base64.encode(ekSha1);
1443: context.setExtraneousProperty(
1444: MessageConstants.EK_SHA1_VALUE, encEkSha1);
1445: } catch (Exception e) {
1446: log.log(Level.SEVERE,
1447: "WSS0241.unableto.set.EKSHA1.OnContext", e);
1448: throw new XWSSecurityException(e);
1449: }
1450:
1451: if (isWSITRecipient) {
1452: MLSPolicy inferredKB = inferredEncryptionPolicy
1453: .getKeyBinding();
1454: SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
1455: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1456: skBinding.setKeyBinding(x509Binding);
1457: //TODO: ReferenceType and ValueType not set on X509Binding
1458: if (PolicyTypeUtil
1459: .derivedTokenKeyBinding(inferredKB)) {
1460: if (((DerivedTokenKeyBinding) inferredKB)
1461: .getOriginalKeyBinding() == null)
1462: ((DerivedTokenKeyBinding) inferredKB)
1463: .setOriginalKeyBinding(skBinding);
1464: }
1465: }
1466:
1467: KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken) secToken)
1468: .getKeyInfo();
1469: encKey = ((EncryptedKeyToken) secToken).getSecretKey(
1470: getKey(kiHB, false, context), dataEncAlgo);
1471: secret = encKey.getEncoded();
1472: context.setExtraneousProperty(
1473: MessageConstants.SECRET_KEY_VALUE, encKey);
1474: } else if (MessageConstants.SCT_VALUETYPE.equals(valueType)) {
1475: if (secToken instanceof SecurityContextToken) {
1476: if (isWSITRecipient) {
1477: MLSPolicy inferredKB = inferredEncryptionPolicy
1478: .getKeyBinding();
1479: SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
1480: if (PolicyTypeUtil
1481: .derivedTokenKeyBinding(inferredKB)) {
1482: if (((DerivedTokenKeyBinding) inferredKB)
1483: .getOriginalKeyBinding() == null)
1484: ((DerivedTokenKeyBinding) inferredKB)
1485: .setOriginalKeyBinding(sctBinding);
1486: }
1487: }
1488: //handling for SecurityContext Token
1489: secret = resolveSCT(context,
1490: (SecurityContextTokenImpl) secToken, false);
1491: } else {
1492: log.log(Level.SEVERE,
1493: "WSS0243.invalid.valueType.NonSCTToken");
1494: throw new XWSSecurityException(
1495: "Incorrect ValueType: "
1496: + MessageConstants.SCT_VALUETYPE
1497: + ", specified for a Non SCT Token");
1498: }
1499:
1500: } else if (null == valueType) {
1501: if (secToken instanceof SecurityContextToken) {
1502: if (isWSITRecipient) {
1503: MLSPolicy inferredKB = inferredEncryptionPolicy
1504: .getKeyBinding();
1505: SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
1506: if (PolicyTypeUtil
1507: .derivedTokenKeyBinding(inferredKB)) {
1508: ((DerivedTokenKeyBinding) inferredKB)
1509: .setOriginalKeyBinding(sctBinding);
1510: }
1511: }
1512: //handling for SecurityContext Token
1513: secret = resolveSCT(context,
1514: (SecurityContextTokenImpl) secToken, false);
1515: } else {
1516: log.log(Level.SEVERE,
1517: "WSS0249.unsupported.TokenType.DKT");
1518: throw new XWSSecurityException(
1519: "Unsupported TokenType " + secToken
1520: + " under DerivedKeyToken");
1521: }
1522: } else {
1523: log.log(Level.SEVERE,
1524: "WSS0249.unsupported.TokenType.DKT");
1525: throw new XWSSecurityException("Unsupported TokenType "
1526: + secToken + " under DerivedKeyToken");
1527: }
1528: } else if (refElement instanceof KeyIdentifier) {
1529: KeyIdentifier keyId = (KeyIdentifier) refElement;
1530: if (MessageConstants.EncryptedKeyIdentifier_NS.equals(keyId
1531: .getValueType())) {
1532: if (isWSITRecipient) {
1533: MLSPolicy inferredKB = inferredEncryptionPolicy
1534: .getKeyBinding();
1535: SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
1536: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1537: x509Binding
1538: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
1539: skBinding.setKeyBinding(x509Binding);
1540: //TODO: ReferenceType and ValueType not set on X509Binding
1541: if (PolicyTypeUtil
1542: .derivedTokenKeyBinding(inferredKB)) {
1543: if (((DerivedTokenKeyBinding) inferredKB)
1544: .getOriginalKeyBinding() == null)
1545: ((DerivedTokenKeyBinding) inferredKB)
1546: .setOriginalKeyBinding(skBinding);
1547: }
1548: }
1549:
1550: String ekSha1RefValue = (String) context
1551: .getExtraneousProperty("EncryptedKeySHA1");
1552: Key secretKey = (Key) context
1553: .getExtraneousProperty("SecretKey");
1554: String keyRefValue = keyId.getReferenceValue();
1555: if (ekSha1RefValue != null && secretKey != null) {
1556: if (ekSha1RefValue.equals(keyRefValue)) {
1557: encKey = secretKey;
1558: secret = encKey.getEncoded();
1559: } else {
1560: log
1561: .log(Level.SEVERE,
1562: "WSS0240.invalid.EncryptedKeySHA1.reference");
1563: throw new XWSSecurityException(
1564: "EncryptedKeySHA1 reference not correct");
1565: }
1566: } else {
1567: log
1568: .log(Level.SEVERE,
1569: "WSS0240.invalid.EncryptedKeySHA1.reference");
1570: String message = "EncryptedKeySHA1 reference not correct";
1571: throw new XWSSecurityException(message);
1572: }
1573: } else if (MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE
1574: .equals(keyId.getValueType())
1575: || MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE
1576: .equals(keyId.getValueType())) {
1577: if (isWSITRecipient) {
1578: MLSPolicy inferredKB = inferredEncryptionPolicy
1579: .getKeyBinding();
1580: IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
1581: if (PolicyTypeUtil
1582: .derivedTokenKeyBinding(inferredKB)) {
1583: if (((DerivedTokenKeyBinding) inferredKB)
1584: .getOriginalKeyBinding() == null)
1585: ((DerivedTokenKeyBinding) inferredKB)
1586: .setOriginalKeyBinding(itkBinding);
1587: }
1588: }
1589:
1590: String asId = keyId.getReferenceValue();
1591: Element assertion = resolveSAMLToken(sectr, asId,
1592: context);
1593: encKey = resolveSamlAssertion(secureMsg, assertion,
1594: true, context, asId);
1595: if (context.hasIssuedToken()) {
1596: SecurityUtil.initInferredIssuedTokenContext(
1597: context, sectr, encKey);
1598: }
1599: secret = encKey.getEncoded();
1600: } else {
1601: log
1602: .log(Level.SEVERE,
1603: "WSS0282.unsupported.KeyIdentifier.Reference.DKT");
1604: throw new XWSSecurityException(
1605: "Unsupported KeyIdentifier Reference " + keyId
1606: + " under DerivedKeyToken");
1607: }
1608: } else {
1609: log.log(Level.SEVERE,
1610: "WSS0283.unsupported.ReferenceType.DKT");
1611: throw new XWSSecurityException("Unsupported ReferenceType "
1612: + refElement + " under DerivedKeyToken");
1613: }
1614: long length = token.getLength();
1615: long offset = token.getOffset();
1616: byte[] nonce = token.getNonce();
1617: DerivedKeyToken dkt = new DerivedKeyTokenImpl(offset, length,
1618: secret, nonce);
1619: String jceAlgo = SecurityUtil
1620: .getSecretKeyAlgorithm(dataEncAlgo);
1621:
1622: Key returnKey = null;
1623: try {
1624: returnKey = dkt.generateSymmetricKey(jceAlgo);
1625: } catch (InvalidKeyException ex) {
1626: log.log(Level.SEVERE,
1627: "WSS0247.failed.resolve.DerivedKeyToken");
1628: throw new XWSSecurityException(ex);
1629: } catch (UnsupportedEncodingException ex) {
1630: log.log(Level.SEVERE,
1631: "WSS0247.failed.resolve.DerivedKeyToken");
1632: throw new XWSSecurityException(ex);
1633: } catch (NoSuchAlgorithmException ex) {
1634: log.log(Level.SEVERE,
1635: "WSS0247.failed.resolve.DerivedKeyToken");
1636: throw new XWSSecurityException(ex);
1637: }
1638: return returnKey;
1639:
1640: }
1641:
1642: //TODO: called from KeySelector for Signature Related EncryptedKey Processing
1643: // clean this up later use a restructured processSecurityTokenReference instead
1644: public static Key processSTR(KeyInfoHeaderBlock keyInfo,
1645: boolean sig, FilterProcessingContext context)
1646: throws XWSSecurityException {
1647: Key returnKey = null;
1648: HashMap tokenCache = context.getTokenCache();
1649: SecurableSoapMessage secureMsg = context
1650: .getSecurableSoapMessage();
1651: SecurityTokenReference str = keyInfo
1652: .getSecurityTokenReference(0);
1653: ReferenceElement refElement = str.getReference();
1654: SignaturePolicy policy = (SignaturePolicy) context
1655: .getInferredPolicy();
1656: SignaturePolicy inferredSignaturePolicy = null;
1657: boolean isWSITRecipient = (context.getMode() == FilterProcessingContext.WSDL_POLICY);
1658: try {
1659: if (isWSITRecipient) {
1660: int i = context.getInferredSecurityPolicy().size() - 1;
1661: inferredSignaturePolicy = (SignaturePolicy) context
1662: .getInferredSecurityPolicy().get(i);
1663: }
1664: } catch (Exception e) {
1665: log.log(Level.SEVERE, "WSS0250.failed.process.STR", e);
1666: throw new XWSSecurityException(e);
1667: }
1668: // Do a case analysis based on the type of refElement.
1669: // X509 Token Profile supports 3 kinds of reference mechanisms.
1670: // Embedded Reference not considered.
1671: if (refElement instanceof KeyIdentifier) {
1672: KeyIdentifier keyId = (KeyIdentifier) refElement;
1673:
1674: if (MessageConstants.X509SubjectKeyIdentifier_NS
1675: .equals(keyId.getValueType())
1676: || MessageConstants.X509v3SubjectKeyIdentifier_NS
1677: .equals(keyId.getValueType())) {
1678: if (policy != null) {
1679: AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
1680: keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy
1681: .newX509CertificateKeyBinding();
1682: keyBinding
1683: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
1684: }
1685: if (isWSITRecipient) {
1686: MLSPolicy inferredKB = inferredSignaturePolicy
1687: .getKeyBinding();
1688: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1689: x509Binding
1690: .setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
1691: x509Binding
1692: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
1693: if (inferredKB == null) {
1694: inferredSignaturePolicy
1695: .setKeyBinding(x509Binding);
1696: } else if (PolicyTypeUtil
1697: .derivedTokenKeyBinding(inferredKB)) {
1698: if (((DerivedTokenKeyBinding) inferredKB)
1699: .getOriginalKeyBinding() == null)
1700: ((DerivedTokenKeyBinding) inferredKB)
1701: .setOriginalKeyBinding(x509Binding);
1702: }
1703: }
1704: if (sig) {
1705: returnKey = context.getSecurityEnvironment()
1706: .getPublicKey(
1707: context.getExtraneousProperties(),
1708: getDecodedBase64EncodedData(keyId
1709: .getReferenceValue()));
1710: } else {
1711: returnKey = context.getSecurityEnvironment()
1712: .getPrivateKey(
1713: context.getExtraneousProperties(),
1714: getDecodedBase64EncodedData(keyId
1715: .getReferenceValue()));
1716: }
1717:
1718: } else if (MessageConstants.ThumbPrintIdentifier_NS
1719: .equals(keyId.getValueType())) {
1720: if (policy != null) {
1721: AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
1722: keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy
1723: .newX509CertificateKeyBinding();
1724: keyBinding
1725: .setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
1726: }
1727: if (isWSITRecipient) {
1728: MLSPolicy inferredKB = inferredSignaturePolicy
1729: .getKeyBinding();
1730: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1731: x509Binding
1732: .setValueType(MessageConstants.ThumbPrintIdentifier_NS);
1733: x509Binding
1734: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
1735: if (inferredKB == null) {
1736: inferredSignaturePolicy
1737: .setKeyBinding(x509Binding);
1738: } else if (PolicyTypeUtil
1739: .derivedTokenKeyBinding(inferredKB)) {
1740: if (((DerivedTokenKeyBinding) inferredKB)
1741: .getOriginalKeyBinding() == null)
1742: ((DerivedTokenKeyBinding) inferredKB)
1743: .setOriginalKeyBinding(x509Binding);
1744: }
1745: }
1746: if (sig) {
1747: returnKey = context.getSecurityEnvironment()
1748: .getPublicKey(
1749: context.getExtraneousProperties(),
1750: getDecodedBase64EncodedData(keyId
1751: .getReferenceValue()),
1752: MessageConstants.THUMB_PRINT_TYPE);
1753: } else {
1754: returnKey = context.getSecurityEnvironment()
1755: .getPrivateKey(
1756: context.getExtraneousProperties(),
1757: getDecodedBase64EncodedData(keyId
1758: .getReferenceValue()),
1759: MessageConstants.THUMB_PRINT_TYPE);
1760: }
1761:
1762: } else if (MessageConstants.EncryptedKeyIdentifier_NS
1763: .equals(keyId.getValueType())) {
1764: if (isWSITRecipient) {
1765: MLSPolicy inferredKB = inferredSignaturePolicy
1766: .getKeyBinding();
1767: SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
1768: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1769: skBinding.setKeyBinding(x509Binding);
1770: //TODO: ReferenceType and ValueType not set on X509Binding
1771: if (inferredKB == null) {
1772: inferredSignaturePolicy
1773: .setKeyBinding(skBinding);
1774: } else if (PolicyTypeUtil
1775: .derivedTokenKeyBinding(inferredKB)) {
1776: if (((DerivedTokenKeyBinding) inferredKB)
1777: .getOriginalKeyBinding() == null)
1778: ((DerivedTokenKeyBinding) inferredKB)
1779: .setOriginalKeyBinding(skBinding);
1780: }
1781: }
1782: String ekSha1RefValue = (String) context
1783: .getExtraneousProperty("EncryptedKeySHA1");
1784: Key secretKey = (Key) context
1785: .getExtraneousProperty("SecretKey");
1786: String keyRefValue = keyId.getReferenceValue();
1787: if (ekSha1RefValue != null && secretKey != null) {
1788: if (ekSha1RefValue.equals(keyRefValue))
1789: returnKey = secretKey;
1790: } else {
1791: log
1792: .log(Level.SEVERE,
1793: "WSS0240.invalid.EncryptedKeySHA1.reference");
1794: String message = "EncryptedKeySHA1 reference not correct";
1795: throw new XWSSecurityException(message);
1796: }
1797:
1798: } else if (MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE
1799: .equals(keyId.getValueType())
1800: || MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE
1801: .equals(keyId.getValueType())) {
1802: // Its a SAML Assertion, retrieve the assertion
1803: if (policy != null) {
1804: AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
1805: keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy
1806: .newSAMLAssertionKeyBinding();
1807: keyBinding.setReferenceType(keyId.getValueType());
1808: }
1809:
1810: String assertionID = keyId.getDecodedReferenceValue();
1811: Element samlAssertion = resolveSAMLToken(str,
1812: assertionID, context);
1813: if (isWSITRecipient) {
1814: MLSPolicy inferredKB = inferredSignaturePolicy
1815: .getKeyBinding();
1816: IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
1817: if (inferredKB == null) {
1818: if (context.hasIssuedToken()) {
1819: inferredSignaturePolicy
1820: .setKeyBinding(itkBinding);
1821: } else {
1822: inferredSignaturePolicy
1823: .setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
1824: }
1825: } else if (PolicyTypeUtil
1826: .derivedTokenKeyBinding(inferredKB)) {
1827: if (((DerivedTokenKeyBinding) inferredKB)
1828: .getOriginalKeyBinding() == null)
1829: ((DerivedTokenKeyBinding) inferredKB)
1830: .setOriginalKeyBinding(itkBinding);
1831: }
1832: }
1833: returnKey = resolveSamlAssertion(secureMsg,
1834: samlAssertion, sig, context, assertionID);
1835: if (context.hasIssuedToken()) {
1836: SecurityUtil.initInferredIssuedTokenContext(
1837: context, str, returnKey);
1838: }
1839:
1840: } else {
1841: if (policy != null) {
1842: AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
1843: keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy
1844: .newSAMLAssertionKeyBinding();
1845: }
1846: Element samlAssertion = null;
1847: String assertionID = keyId.getDecodedReferenceValue();
1848: try {
1849: samlAssertion = resolveSAMLToken(str, assertionID,
1850: context);
1851: } catch (Exception ex) {
1852: //ignore
1853: }
1854: if (samlAssertion != null) {
1855: if (isWSITRecipient) {
1856: MLSPolicy inferredKB = inferredSignaturePolicy
1857: .getKeyBinding();
1858: IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
1859: if (inferredKB == null) {
1860: if (context.hasIssuedToken()) {
1861: inferredSignaturePolicy
1862: .setKeyBinding(itkBinding);
1863: } else {
1864: inferredSignaturePolicy
1865: .setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
1866: }
1867: } else if (PolicyTypeUtil
1868: .derivedTokenKeyBinding(inferredKB)) {
1869: if (((DerivedTokenKeyBinding) inferredKB)
1870: .getOriginalKeyBinding() == null)
1871: ((DerivedTokenKeyBinding) inferredKB)
1872: .setOriginalKeyBinding(itkBinding);
1873: }
1874: }
1875: returnKey = resolveSamlAssertion(secureMsg,
1876: samlAssertion, sig, context, assertionID);
1877: if (context.hasIssuedToken()) {
1878: SecurityUtil.initInferredIssuedTokenContext(
1879: context, str, returnKey);
1880: }
1881: } else {
1882: // now assume its an X509Token
1883: // Note: the code below assumes base64 EncodingType for X509 SKI
1884: if (isWSITRecipient) {
1885: MLSPolicy inferredKB = inferredSignaturePolicy
1886: .getKeyBinding();
1887: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1888: x509Binding
1889: .setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
1890: x509Binding
1891: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
1892: if (inferredKB == null) {
1893: inferredSignaturePolicy
1894: .setKeyBinding(x509Binding);
1895: } else if (PolicyTypeUtil
1896: .derivedTokenKeyBinding(inferredKB)) {
1897: if (((DerivedTokenKeyBinding) inferredKB)
1898: .getOriginalKeyBinding() == null)
1899: ((DerivedTokenKeyBinding) inferredKB)
1900: .setOriginalKeyBinding(x509Binding);
1901: }
1902: }
1903: if (sig) {
1904: returnKey = context
1905: .getSecurityEnvironment()
1906: .getPublicKey(
1907: context
1908: .getExtraneousProperties(),
1909: getDecodedBase64EncodedData(keyId
1910: .getReferenceValue()));
1911: } else {
1912: returnKey = context
1913: .getSecurityEnvironment()
1914: .getPrivateKey(
1915: context
1916: .getExtraneousProperties(),
1917: getDecodedBase64EncodedData(keyId
1918: .getReferenceValue()));
1919: }
1920: }
1921: }
1922: } else if (refElement instanceof DirectReference) {
1923: String uri = ((DirectReference) refElement).getURI();
1924:
1925: // will be only during verify.
1926: AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
1927: String valueType = ((DirectReference) refElement)
1928: .getValueType();
1929: if (MessageConstants.DKT_VALUETYPE.equals(valueType)) {
1930: //TODO: this will work for now but need to handle this case here later
1931: valueType = null;
1932: }
1933:
1934: if (policy != null) {
1935: keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy
1936: .newX509CertificateKeyBinding();
1937: keyBinding
1938: .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
1939: keyBinding.setValueType(valueType);
1940: }
1941:
1942: if (MessageConstants.X509v3_NS.equals(valueType)
1943: || MessageConstants.X509v1_NS.equals(valueType)) {
1944: // its an X509 Token
1945: HashMap insertedX509Cache = context
1946: .getInsertedX509Cache();
1947: String wsuId = secureMsg.getIdFromFragmentRef(uri);
1948: X509SecurityToken token = (X509SecurityToken) insertedX509Cache
1949: .get(wsuId);
1950: if (token == null)
1951: token = (X509SecurityToken) resolveToken(wsuId,
1952: context, secureMsg);
1953: if (isWSITRecipient) {
1954: MLSPolicy inferredKB = inferredSignaturePolicy
1955: .getKeyBinding();
1956: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1957: x509Binding
1958: .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
1959: x509Binding.setValueType(valueType);
1960: if (inferredKB == null) {
1961: inferredSignaturePolicy
1962: .setKeyBinding(x509Binding);
1963: } else if (PolicyTypeUtil
1964: .derivedTokenKeyBinding(inferredKB)) {
1965: if (((DerivedTokenKeyBinding) inferredKB)
1966: .getOriginalKeyBinding() == null)
1967: ((DerivedTokenKeyBinding) inferredKB)
1968: .setOriginalKeyBinding(x509Binding);
1969: }
1970: }
1971: returnKey = resolveX509Token(secureMsg, token, sig,
1972: context);
1973:
1974: } else if (MessageConstants.EncryptedKey_NS
1975: .equals(valueType)) {
1976: // Do default processing
1977: String wsuId = secureMsg.getIdFromFragmentRef(uri);
1978: SecurityToken token = resolveToken(wsuId, context,
1979: secureMsg);
1980: //TODO: STR is referring to EncryptedKey
1981: KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken) token)
1982: .getKeyInfo();
1983: SecurityTokenReference sectr = kiHB
1984: .getSecurityTokenReference(0);
1985:
1986: //TODO: PLUGFEST Algorithm hardcoded for now
1987: //String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
1988: // restore Backward compatibility
1989: String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
1990: if (context.getAlgorithmSuite() != null) {
1991: dataEncAlgo = context.getAlgorithmSuite()
1992: .getEncryptionAlgorithm();
1993: } else {
1994: if (context.getDataEncryptionAlgorithm() != null) {
1995: dataEncAlgo = context
1996: .getDataEncryptionAlgorithm();
1997: }
1998: }
1999: try {
2000: Element cipherData = (Element) ((EncryptedKeyToken) token)
2001: .getAsSoapElement()
2002: .getChildElements(
2003: new QName(
2004: MessageConstants.XENC_NS,
2005: "CipherData",
2006: MessageConstants.XENC_PREFIX))
2007: .next();
2008: String cipherValue = cipherData
2009: .getElementsByTagNameNS(
2010: MessageConstants.XENC_NS,
2011: "CipherValue").item(0)
2012: .getTextContent();
2013: byte[] decodedCipher = Base64.decode(cipherValue);
2014: byte[] ekSha1 = MessageDigest.getInstance("SHA-1")
2015: .digest(decodedCipher);
2016: String encEkSha1 = Base64.encode(ekSha1);
2017: context.setExtraneousProperty(
2018: MessageConstants.EK_SHA1_VALUE, encEkSha1);
2019: } catch (Exception e) {
2020: log.log(Level.SEVERE,
2021: "WSS0241.unableto.set.EKSHA1.OnContext", e);
2022: throw new XWSSecurityException(e);
2023: }
2024: if (isWSITRecipient) {
2025: MLSPolicy inferredKB = inferredSignaturePolicy
2026: .getKeyBinding();
2027: SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
2028: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
2029: skBinding.setKeyBinding(x509Binding);
2030: //TODO: ReferenceType and ValueType not set on X509Binding
2031: if (inferredKB == null) {
2032: inferredSignaturePolicy
2033: .setKeyBinding(skBinding);
2034: } else if (PolicyTypeUtil
2035: .derivedTokenKeyBinding(inferredKB)) {
2036: if (((DerivedTokenKeyBinding) inferredKB)
2037: .getOriginalKeyBinding() == null)
2038: ((DerivedTokenKeyBinding) inferredKB)
2039: .setOriginalKeyBinding(skBinding);
2040: }
2041: }
2042: returnKey = ((EncryptedKeyToken) token).getSecretKey(
2043: getKey(kiHB, sig, context), dataEncAlgo);
2044: context.setExtraneousProperty(
2045: MessageConstants.SECRET_KEY_VALUE, returnKey);
2046:
2047: } else if (MessageConstants.SCT_VALUETYPE.equals(valueType)) {
2048: // could be wsuId or SCT Session Id
2049: String sctId = secureMsg.getIdFromFragmentRef(uri);
2050: SecurityToken token = (SecurityToken) tokenCache
2051: .get(sctId);
2052:
2053: if (token == null) {
2054: token = SecurityUtil.locateBySCTId(context, uri);
2055: if (token == null) {
2056: token = resolveToken(sctId, context, secureMsg);
2057: }
2058: if (token == null) {
2059: log.log(Level.SEVERE,
2060: "WSS0242.unableto.locate.SCT");
2061: throw new XWSSecurityException(
2062: "SCT Token with Id " + sctId
2063: + "not found");
2064: } else {
2065: tokenCache.put(sctId, token);
2066: }
2067: }
2068:
2069: if (token instanceof SecurityContextToken) {
2070: //handling for SecurityContext Token
2071: byte[] proofKey = resolveSCT(context,
2072: (SecurityContextTokenImpl) token, sig);
2073: String encAlgo = "AES"; //hardcoding for now
2074: if (context.getAlgorithmSuite() != null) {
2075: encAlgo = SecurityUtil
2076: .getSecretKeyAlgorithm(context
2077: .getAlgorithmSuite()
2078: .getEncryptionAlgorithm());
2079: }
2080: if (isWSITRecipient) {
2081: MLSPolicy inferredKB = inferredSignaturePolicy
2082: .getKeyBinding();
2083: SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
2084: if (inferredKB == null) {
2085: inferredSignaturePolicy
2086: .setKeyBinding(sctBinding);
2087: } else if (PolicyTypeUtil
2088: .derivedTokenKeyBinding(inferredKB)) {
2089: if (((DerivedTokenKeyBinding) inferredKB)
2090: .getOriginalKeyBinding() == null)
2091: ((DerivedTokenKeyBinding) inferredKB)
2092: .setOriginalKeyBinding(sctBinding);
2093: }
2094: }
2095: returnKey = new SecretKeySpec(proofKey, encAlgo);
2096:
2097: } else {
2098: log.log(Level.SEVERE,
2099: "WSS0243.invalid.valueType.NonSCTToken");
2100: throw new XWSSecurityException(
2101: "Incorrect ValueType: "
2102: + MessageConstants.SCT_VALUETYPE
2103: + ", specified for a Non SCT Token");
2104: }
2105:
2106: } else if (null == valueType) {
2107: // Do default processing
2108: String wsuId = secureMsg.getIdFromFragmentRef(uri);
2109: SecurityToken token = SecurityUtil.locateBySCTId(
2110: context, wsuId);
2111: if (token == null) {
2112: token = resolveToken(wsuId, context, secureMsg);
2113: }
2114: if (token instanceof X509SecurityToken) {
2115: if (isWSITRecipient) {
2116: MLSPolicy inferredKB = inferredSignaturePolicy
2117: .getKeyBinding();
2118: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
2119: x509Binding
2120: .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
2121: if (inferredKB == null) {
2122: inferredSignaturePolicy
2123: .setKeyBinding(x509Binding);
2124: } else if (PolicyTypeUtil
2125: .derivedTokenKeyBinding(inferredKB)) {
2126: if (((DerivedTokenKeyBinding) inferredKB)
2127: .getOriginalKeyBinding() == null)
2128: ((DerivedTokenKeyBinding) inferredKB)
2129: .setOriginalKeyBinding(x509Binding);
2130: }
2131: }
2132: returnKey = resolveX509Token(secureMsg,
2133: (X509SecurityToken) token, sig, context);
2134: } else if (token instanceof EncryptedKeyToken) {
2135: //TODO: STR is referring to EncryptedKey
2136: KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken) token)
2137: .getKeyInfo();
2138: SecurityTokenReference sectr = kiHB
2139: .getSecurityTokenReference(0);
2140: ReferenceElement refElem = sectr.getReference();
2141: String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
2142: //restoring BC
2143: //String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
2144: if (context.getAlgorithmSuite() != null) {
2145: dataEncAlgo = context.getAlgorithmSuite()
2146: .getEncryptionAlgorithm();
2147: } else {
2148: if (context.getDataEncryptionAlgorithm() != null) {
2149: dataEncAlgo = context
2150: .getDataEncryptionAlgorithm();
2151: }
2152: }
2153: try {
2154: Element cipherData = (Element) ((EncryptedKeyToken) token)
2155: .getAsSoapElement()
2156: .getChildElements(
2157: new QName(
2158: MessageConstants.XENC_NS,
2159: "CipherData",
2160: MessageConstants.XENC_PREFIX))
2161: .next();
2162: String cipherValue = cipherData
2163: .getElementsByTagNameNS(
2164: MessageConstants.XENC_NS,
2165: "CipherValue").item(0)
2166: .getTextContent();
2167: byte[] decodedCipher = Base64
2168: .decode(cipherValue);
2169: byte[] ekSha1 = MessageDigest.getInstance(
2170: "SHA-1").digest(decodedCipher);
2171: String encEkSha1 = Base64.encode(ekSha1);
2172: context.setExtraneousProperty(
2173: MessageConstants.EK_SHA1_VALUE,
2174: encEkSha1);
2175: } catch (Exception e) {
2176: log
2177: .log(
2178: Level.SEVERE,
2179: "WSS0241.unableto.set.EKSHA1.OnContext",
2180: e);
2181: throw new XWSSecurityException(e);
2182: }
2183: if (isWSITRecipient) {
2184: MLSPolicy inferredKB = inferredSignaturePolicy
2185: .getKeyBinding();
2186: SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
2187: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
2188: skBinding.setKeyBinding(x509Binding);
2189: //TODO: ReferenceType and ValueType not set on X509Binding
2190: if (inferredKB == null) {
2191: inferredSignaturePolicy
2192: .setKeyBinding(skBinding);
2193: } else if (PolicyTypeUtil
2194: .derivedTokenKeyBinding(inferredKB)) {
2195: if (((DerivedTokenKeyBinding) inferredKB)
2196: .getOriginalKeyBinding() == null)
2197: ((DerivedTokenKeyBinding) inferredKB)
2198: .setOriginalKeyBinding(skBinding);
2199: }
2200: }
2201: returnKey = ((EncryptedKeyToken) token)
2202: .getSecretKey(getKey(kiHB, sig, context),
2203: dataEncAlgo);
2204: context.setExtraneousProperty(
2205: MessageConstants.SECRET_KEY_VALUE,
2206: returnKey);
2207:
2208: } else if (token instanceof SecurityContextToken) {
2209: //handling for SecurityContext Token
2210: byte[] proofKey = resolveSCT(context,
2211: (SecurityContextTokenImpl) token, sig);
2212: String encAlgo = "AES"; //default algo
2213: if (context.getAlgorithmSuite() != null) {
2214: encAlgo = SecurityUtil
2215: .getSecretKeyAlgorithm(context
2216: .getAlgorithmSuite()
2217: .getEncryptionAlgorithm());
2218: }
2219: if (isWSITRecipient) {
2220: MLSPolicy inferredKB = inferredSignaturePolicy
2221: .getKeyBinding();
2222: SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
2223: if (inferredKB == null) {
2224: inferredSignaturePolicy
2225: .setKeyBinding(sctBinding);
2226: } else if (PolicyTypeUtil
2227: .derivedTokenKeyBinding(inferredKB)) {
2228: if (((DerivedTokenKeyBinding) inferredKB)
2229: .getOriginalKeyBinding() == null)
2230: ((DerivedTokenKeyBinding) inferredKB)
2231: .setOriginalKeyBinding(sctBinding);
2232: }
2233: }
2234: returnKey = new SecretKeySpec(proofKey, encAlgo);
2235:
2236: } else if (token instanceof DerivedKeyTokenHeaderBlock) {
2237: if (isWSITRecipient) {
2238: MLSPolicy inferredKB = inferredSignaturePolicy
2239: .getKeyBinding();
2240: DerivedTokenKeyBinding dtkBinding = new DerivedTokenKeyBinding();
2241: if (inferredKB == null) {
2242: inferredSignaturePolicy
2243: .setKeyBinding(dtkBinding);
2244: } else {
2245: log.log(Level.SEVERE,
2246: "WSS0244.invalid.level.DKT");
2247: throw new XWSSecurityException(
2248: "A derived Key Token should be a top level key binding");
2249: }
2250: }
2251: returnKey = resolveDKT(context,
2252: (DerivedKeyTokenHeaderBlock) token);
2253: } else {
2254: String message = " Cannot Resolve URI " + uri;
2255: log.log(Level.SEVERE,
2256: "WSS0337.unsupported.directref.mechanism",
2257: new Object[] { message });
2258: XWSSecurityException xwsse = new XWSSecurityException(
2259: message);
2260: throw SecurableSoapMessage
2261: .newSOAPFaultException(
2262: MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE,
2263: xwsse.getMessage(), xwsse);
2264: }
2265: } else {
2266: log.log(Level.SEVERE,
2267: "WSS0337.unsupported.directref.mechanism",
2268: new Object[] { ((DirectReference) refElement)
2269: .getValueType() });
2270: XWSSecurityException xwsse = new XWSSecurityException(
2271: "unsupported directreference ValueType "
2272: + ((DirectReference) refElement)
2273: .getValueType());
2274: throw SecurableSoapMessage.newSOAPFaultException(
2275: MessageConstants.WSSE_INVALID_SECURITY_TOKEN,
2276: xwsse.getMessage(), xwsse);
2277: }
2278: } else if (refElement instanceof X509IssuerSerial) {
2279: BigInteger serialNumber = ((X509IssuerSerial) refElement)
2280: .getSerialNumber();
2281: String issuerName = ((X509IssuerSerial) refElement)
2282: .getIssuerName();
2283:
2284: if (isWSITRecipient) {
2285: MLSPolicy inferredKB = inferredSignaturePolicy
2286: .getKeyBinding();
2287: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
2288: x509Binding
2289: .setReferenceType(MessageConstants.X509_ISSUER_TYPE);
2290: if (inferredKB == null) {
2291: inferredSignaturePolicy.setKeyBinding(x509Binding);
2292: } else if (PolicyTypeUtil
2293: .derivedTokenKeyBinding(inferredKB)) {
2294: if (((DerivedTokenKeyBinding) inferredKB)
2295: .getOriginalKeyBinding() == null)
2296: ((DerivedTokenKeyBinding) inferredKB)
2297: .setOriginalKeyBinding(x509Binding);
2298: }
2299: }
2300: if (sig) {
2301: returnKey = context.getSecurityEnvironment()
2302: .getPublicKey(
2303: context.getExtraneousProperties(),
2304: serialNumber, issuerName);
2305: } else {
2306: returnKey = context.getSecurityEnvironment()
2307: .getPrivateKey(
2308: context.getExtraneousProperties(),
2309: serialNumber, issuerName);
2310: }
2311: } else {
2312: log.log(Level.SEVERE,
2313: "WSS0338.unsupported.reference.mechanism");
2314: XWSSecurityException xwsse = new XWSSecurityException(
2315: "Key reference mechanism not supported");
2316: throw SecurableSoapMessage.newSOAPFaultException(
2317: MessageConstants.WSSE_UNSUPPORTED_SECURITY_TOKEN,
2318: xwsse.getMessage(), xwsse);
2319: }
2320: return returnKey;
2321: }
2322: }
|