Source Code Cross Referenced for KeyResolver.java in  » 6.0-JDK-Modules-com.sun » xws-security » com » sun » xml » wss » impl » misc » Java Source Code / Java DocumentationJava Source Code and Java Documentation

Java Source Code / Java Documentation
1. 6.0 JDK Core
2. 6.0 JDK Modules
3. 6.0 JDK Modules com.sun
4. 6.0 JDK Modules com.sun.java
5. 6.0 JDK Modules sun
6. 6.0 JDK Platform
7. Ajax
8. Apache Harmony Java SE
9. Aspect oriented
10. Authentication Authorization
11. Blogger System
12. Build
13. Byte Code
14. Cache
15. Chart
16. Chat
17. Code Analyzer
18. Collaboration
19. Content Management System
20. Database Client
21. Database DBMS
22. Database JDBC Connection Pool
23. Database ORM
24. Development
25. EJB Server geronimo
26. EJB Server GlassFish
27. EJB Server JBoss 4.2.1
28. EJB Server resin 3.1.5
29. ERP CRM Financial
30. ESB
31. Forum
32. GIS
33. Graphic Library
34. Groupware
35. HTML Parser
36. IDE
37. IDE Eclipse
38. IDE Netbeans
39. Installer
40. Internationalization Localization
41. Inversion of Control
42. Issue Tracking
43. J2EE
44. JBoss
45. JMS
46. JMX
47. Library
48. Mail Clients
49. Net
50. Parser
51. PDF
52. Portal
53. Profiler
54. Project Management
55. Report
56. RSS RDF
57. Rule Engine
58. Science
59. Scripting
60. Search Engine
61. Security
62. Sevlet Container
63. Source Control
64. Swing Library
65. Template Engine
66. Test Coverage
67. Testing
68. UML
69. Web Crawler
70. Web Framework
71. Web Mail
72. Web Server
73. Web Services
74. Web Services apache cxf 2.0.1
75. Web Services AXIS2
76. Wiki Engine
77. Workflow Engines
78. XML
79. XML UI
Java
Java Tutorial
Java Open Source
Jar File Download
Java Articles
Java Products
Java by API
Photoshop Tutorials
Maya Tutorials
Flash Tutorials
3ds-Max Tutorials
Illustrator Tutorials
GIMP Tutorials
C# / C Sharp
C# / CSharp Tutorial
C# / CSharp Open Source
ASP.Net
ASP.NET Tutorial
JavaScript DHTML
JavaScript Tutorial
JavaScript Reference
HTML / CSS
HTML CSS Reference
C / ANSI-C
C Tutorial
C++
C++ Tutorial
Ruby
PHP
Python
Python Tutorial
Python Open Source
SQL Server / T-SQL
SQL Server / T-SQL Tutorial
Oracle PL / SQL
Oracle PL/SQL Tutorial
PostgreSQL
SQL / MySQL
MySQL Tutorial
VB.Net
VB.Net Tutorial
Flash / Flex / ActionScript
VBA / Excel / Access / Word
XML
XML Tutorial
Microsoft Office PowerPoint 2007 Tutorial
Microsoft Office Excel 2007 Tutorial
Microsoft Office Word 2007 Tutorial
Java Source Code / Java Documentation » 6.0 JDK Modules com.sun » xws security » com.sun.xml.wss.impl.misc 
Source Cross Referenced  Class Diagram Java Document (Java Doc) 


0001:        /*
0002:         * $Id: KeyResolver.java,v 1.18 2007/09/13 12:42:21 kumarjayanti Exp $
0003:         */
0004:
0005:        /*
0006:         * The contents of this file are subject to the terms
0007:         * of the Common Development and Distribution License
0008:         * (the License).  You may not use this file except in
0009:         * compliance with the License.
0010:         *
0011:         * You can obtain a copy of the license at
0012:         * https://glassfish.dev.java.net/public/CDDLv1.0.html.
0013:         * See the License for the specific language governing
0014:         * permissions and limitations under the License.
0015:         *
0016:         * When distributing Covered Code, include this CDDL
0017:         * Header Notice in each file and include the License file
0018:         * at https://glassfish.dev.java.net/public/CDDLv1.0.html.
0019:         * If applicable, add the following below the CDDL Header,
0020:         * with the fields enclosed by brackets [] replaced by
0021:         * you own identifying information:
0022:         * "Portions Copyrighted [year] [name of copyright owner]"
0023:         *
0024:         * Copyright 2006 Sun Microsystems Inc. All Rights Reserved
0025:         */
0026:
0027:        package com.sun.xml.wss.impl.misc;
0028:
0029:        import com.sun.xml.wss.core.EncryptedKeyToken;
0030:        import com.sun.xml.wss.impl.WssSoapFaultException;
0031:        import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
0032:        import com.sun.xml.wss.impl.policy.mls.EncryptionPolicy;
0033:        import com.sun.xml.wss.impl.policy.mls.SignaturePolicy;
0034:        import com.sun.xml.wss.saml.AssertionUtil;
0035:        import com.sun.xml.wss.impl.dsig.SignatureProcessor;
0036:        import java.io.UnsupportedEncodingException;
0037:        import java.security.InvalidKeyException;
0038:
0039:        import java.security.Key;
0040:        import java.math.BigInteger;
0041:        import java.security.NoSuchAlgorithmException;
0042:        import java.security.cert.X509Certificate;
0043:        import java.security.MessageDigest;
0044:
0045:        import java.util.logging.Level;
0046:        import java.util.logging.Logger;
0047:        import com.sun.org.apache.xml.internal.security.keys.content.KeyValue;
0048:        import com.sun.org.apache.xml.internal.security.keys.content.X509Data;
0049:        import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException;
0050:
0051:        import com.sun.xml.wss.impl.FilterProcessingContext;
0052:        import com.sun.xml.wss.impl.MessageConstants;
0053:        import com.sun.xml.wss.logging.LogDomainConstants;
0054:        import com.sun.xml.wss.XWSSecurityException;
0055:        import com.sun.xml.wss.impl.SecurableSoapMessage;
0056:
0057:        import com.sun.xml.wss.core.SecurityToken;
0058:        import com.sun.xml.wss.core.ReferenceElement;
0059:        import com.sun.xml.wss.core.X509SecurityToken;
0060:        import com.sun.xml.wss.core.KeyInfoHeaderBlock;
0061:        import com.sun.xml.wss.core.SecurityTokenReference;
0062:        import com.sun.xml.wss.core.DerivedKeyTokenHeaderBlock;
0063:
0064:        import com.sun.xml.wss.core.reference.KeyIdentifier;
0065:        import com.sun.xml.wss.core.reference.DirectReference;
0066:        import com.sun.xml.wss.core.reference.X509IssuerSerial;
0067:        import com.sun.xml.wss.impl.policy.MLSPolicy;
0068:        import com.sun.xml.wss.impl.policy.mls.DerivedTokenKeyBinding;
0069:        import com.sun.xml.wss.impl.policy.mls.SymmetricKeyBinding;
0070:        import com.sun.xml.wss.impl.policy.mls.SecureConversationTokenKeyBinding;
0071:        import com.sun.xml.wss.impl.policy.mls.IssuedTokenKeyBinding;
0072:        import com.sun.xml.wss.impl.PolicyTypeUtil;
0073:        import com.sun.xml.wss.saml.util.SAMLUtil;
0074:        import com.sun.xml.wss.impl.XMLUtil;
0075:
0076:        import org.w3c.dom.NodeList;
0077:
0078:        import java.util.HashMap;
0079:        import java.util.Enumeration;
0080:        import javax.xml.soap.SOAPElement;
0081:        import javax.crypto.spec.SecretKeySpec;
0082:        import org.w3c.dom.Node;
0083:        import org.w3c.dom.Element;
0084:        import javax.xml.namespace.QName;
0085:
0086:        import com.sun.xml.wss.core.SecurityContextTokenImpl;
0087:        import com.sun.xml.ws.security.SecurityContextToken;
0088:        import com.sun.xml.ws.security.IssuedTokenContext;
0089:        import com.sun.xml.ws.security.impl.DerivedKeyTokenImpl;
0090:        import com.sun.xml.ws.security.DerivedKeyToken;
0091:
0092:        import com.sun.xml.ws.security.trust.elements.BinarySecret;
0093:        import javax.security.auth.Subject;
0094:
0095:        public class KeyResolver {
0096:
0097:            private static Logger log = Logger.getLogger(
0098:                    LogDomainConstants.WSS_API_DOMAIN,
0099:                    LogDomainConstants.WSS_API_DOMAIN_BUNDLE);
0100:
0101:            /**
0102:             * If a SecurityTokenReference is present inside the KeyInfo,
0103:             * the return value is an instance of PrivateKey (if sig is false) or
0104:             * PublicKey (if sig is true).
0105:             * Else If a KeyName is present inside the KeyInfo, then the return
0106:             * value is an instance of SecretKey.
0107:             * Else, an XWSSecurityException is thrown.
0108:             *
0109:             * @param keyInfo
0110:             * @param sig
0111:             *     true if this method is called by a signature verifier, false if
0112:             *     called by a decrypter
0113:             * @param secureMsg
0114:             */
0115:
0116:            /*
0117:             *
0118:             * TODO:: SIG flag to be removed once JSR105 has been tested completly.-Venu
0119:             */
0120:            public static Key getKey(KeyInfoHeaderBlock keyInfo, boolean sig,
0121:                    FilterProcessingContext context)
0122:                    throws XWSSecurityException {
0123:
0124:                Key returnKey;
0125:                //HashMap tokenCache = context.getTokenCache();
0126:                try {
0127:                    SecurableSoapMessage secureMsg = context
0128:                            .getSecurableSoapMessage();
0129:                    if (keyInfo.containsSecurityTokenReference()) {
0130:                        return processSecurityTokenReference(keyInfo, sig,
0131:                                context);
0132:                    } else if (keyInfo.containsKeyName()) {
0133:                        EncryptionPolicy policy = (EncryptionPolicy) context
0134:                                .getInferredPolicy();
0135:
0136:                        String keynameString = keyInfo.getKeyNameString(0);
0137:                        if (policy != null) {
0138:                            SymmetricKeyBinding keyBinding = null;
0139:                            keyBinding = (SymmetricKeyBinding) policy
0140:                                    .newSymmetricKeyBinding();
0141:                            keyBinding.setKeyIdentifier(keynameString);
0142:
0143:                        }
0144:                        returnKey = context.getSecurityEnvironment()
0145:                                .getSecretKey(
0146:                                        context.getExtraneousProperties(),
0147:                                        keynameString, false);
0148:                    } else if (keyInfo.containsKeyValue()) {
0149:                        // resolve KeyValue
0150:                        returnKey = resolveKeyValue(secureMsg, keyInfo
0151:                                .getKeyValue(0), sig, context);
0152:                    } else if (keyInfo.containsX509Data()) {
0153:                        // resolve X509Data
0154:                        returnKey = resolveX509Data(secureMsg, keyInfo
0155:                                .getX509Data(0), sig, context);
0156:                    } else if (keyInfo.containsEncryptedKeyToken()) {
0157:                        EncryptedKeyToken token = keyInfo.getEncryptedKey(0);
0158:                        KeyInfoHeaderBlock kiHB = token.getKeyInfo();
0159:                        if (kiHB.containsSecurityTokenReference()) {
0160:                            SecurityTokenReference sectr = kiHB
0161:                                    .getSecurityTokenReference(0);
0162:                        } else {
0163:                            log.log(Level.SEVERE,
0164:                                    "WSS0335.unsupported.referencetype");
0165:                            throw new XWSSecurityException(
0166:                                    "Unsupported reference type under EncryptedKey");
0167:                        }
0168:                        //Default algo
0169:                        //String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
0170:                        //restore backward compatibility
0171:                        String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
0172:                        if (context.getAlgorithmSuite() != null) {
0173:                            dataEncAlgo = context.getAlgorithmSuite()
0174:                                    .getEncryptionAlgorithm();
0175:                        } else {
0176:                            if (context.getDataEncryptionAlgorithm() != null) {
0177:                                dataEncAlgo = context
0178:                                        .getDataEncryptionAlgorithm();
0179:                            }
0180:                        }
0181:                        returnKey = token.getSecretKey(getKey(kiHB, false,
0182:                                context), dataEncAlgo);
0183:                    } else if (keyInfo.containsBinarySecret()) {
0184:                        BinarySecret bs = keyInfo.getBinarySecret(0);
0185:                        // assuming the Binary Secret is of Type
0186:                        if ((bs.getType() == null)
0187:                                || bs.getType().equals(
0188:                                        BinarySecret.SYMMETRIC_KEY_TYPE)) {
0189:                            String algo = "AES"; // hardcoding for now
0190:                            if (context.getAlgorithmSuite() != null) {
0191:                                algo = SecurityUtil
0192:                                        .getSecretKeyAlgorithm(context
0193:                                                .getAlgorithmSuite()
0194:                                                .getEncryptionAlgorithm());
0195:                            }
0196:                            returnKey = new SecretKeySpec(bs.getRawValue(),
0197:                                    algo);
0198:                        } else {
0199:                            log
0200:                                    .log(Level.SEVERE,
0201:                                            "WSS0339.unsupported.keyinfo");
0202:                            throw new XWSSecurityException(
0203:                                    "Unsupported wst:BinarySecret Type");
0204:                        }
0205:
0206:                    } else {
0207:                        log.log(Level.SEVERE, "WSS0339.unsupported.keyinfo");
0208:                        XWSSecurityException xwsse = new XWSSecurityException(
0209:                                "Support for processing information in the given ds:KeyInfo is not present");
0210:                        throw SecurableSoapMessage.newSOAPFaultException(
0211:                                MessageConstants.WSSE_INVALID_SECURITY, xwsse
0212:                                        .getMessage(), xwsse);
0213:                    }
0214:                } catch (WssSoapFaultException wsse) {
0215:                    log.log(Level.SEVERE, "WSS0284.WSS.SOAP.Fault.Exception",
0216:                            wsse);
0217:                    throw wsse;
0218:                } catch (XWSSecurityException xwsse) {
0219:                    log.log(Level.SEVERE, "WSS0284.WSS.SOAP.Fault.Exception",
0220:                            xwsse);
0221:                    throw SecurableSoapMessage.newSOAPFaultException(
0222:                            MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE,
0223:                            xwsse.getMessage(), xwsse);
0224:                }
0225:
0226:                if (returnKey == null) {
0227:                    log.log(Level.SEVERE, "WSS0600.illegal.token.reference");
0228:                    XWSSecurityException xwsse = new XWSSecurityException(
0229:                            "Referenced security token could not be retrieved");
0230:                    throw SecurableSoapMessage.newSOAPFaultException(
0231:                            MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE,
0232:                            xwsse.getMessage(), xwsse);
0233:                }
0234:
0235:                return returnKey;
0236:            }
0237:
0238:            public static Key resolveSamlAssertion(
0239:                    SecurableSoapMessage secureMsg, Element samlAssertion,
0240:                    boolean sig, FilterProcessingContext context,
0241:                    String assertionID) throws XWSSecurityException {
0242:
0243:                try {
0244:                    Key key = (Key) context.getSamlIdVSKeyCache().get(
0245:                            assertionID);
0246:                    String samlSignatureResolved = (String) context
0247:                            .getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED);
0248:                    if (key != null) {
0249:                        return key;
0250:                    }
0251:
0252:                    //TODO: expensive conversion happening
0253:                    if (samlAssertion == null) {
0254:                        log.log(Level.SEVERE,
0255:                                "WSS0235.failed.locate.SAMLAssertion");
0256:                        throw new XWSSecurityException(
0257:                                "Cannot Locate SAML Assertion");
0258:                    }
0259:
0260:                    if ("false".equals(samlSignatureResolved)) {
0261:                        NodeList nl = samlAssertion.getElementsByTagNameNS(
0262:                                MessageConstants.DSIG_NS, "Signature");
0263:                        //verify the signature inside the SAML assertion
0264:                        if (nl.getLength() == 0) {
0265:                            XWSSecurityException e = new XWSSecurityException(
0266:                                    "Unsigned SAML Assertion encountered");
0267:                            log.log(Level.SEVERE,
0268:                                    "WSS1309.saml.signature.verify.failed", e);
0269:                            throw SecurableSoapMessage
0270:                                    .newSOAPFaultException(
0271:                                            MessageConstants.WSSE_INVALID_SECURITY,
0272:                                            "Exception during Signature verfication in SAML Assertion",
0273:                                            e);
0274:                        }
0275:                        SignaturePolicy policy = (SignaturePolicy) context
0276:                                .getInferredPolicy();
0277:                        // will be only during verify.
0278:                        //                AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
0279:                        //
0280:                        //                if(policy != null){
0281:                        //                    keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy.newSAMLAssertionKeyBinding();
0282:                        //                }
0283:
0284:                        Element elem = (Element) nl.item(0);
0285:
0286:                        try {
0287:                            if (!SignatureProcessor.verifySignature(elem,
0288:                                    context)) {
0289:                                log.log(Level.SEVERE,
0290:                                        "WSS1310.saml.signature.invalid");
0291:                                throw SecurableSoapMessage
0292:                                        .newSOAPFaultException(
0293:                                                MessageConstants.WSSE_FAILED_AUTHENTICATION,
0294:                                                "SAML Assertion has invalid Signature",
0295:                                                new Exception(
0296:                                                        "SAML Assertion has invalid Signature"));
0297:                            }
0298:                        } catch (XWSSecurityException ex) {
0299:                            log.log(Level.SEVERE,
0300:                                    "WSS1310.saml.signature.invalid");
0301:                            throw SecurableSoapMessage
0302:                                    .newSOAPFaultException(
0303:                                            MessageConstants.WSSE_FAILED_AUTHENTICATION,
0304:                                            "SAML Assertion has invalid Signature",
0305:                                            ex);
0306:                        }
0307:                    }
0308:
0309:                    if ("false".equals(samlSignatureResolved)) {
0310:                        context.setExtraneousProperty(
0311:                                MessageConstants.SAML_SIG_RESOLVED, "true");
0312:                    }
0313:
0314:                    Element keyInfoElem = AssertionUtil
0315:                            .getSubjectConfirmationKeyInfo(samlAssertion);
0316:                    KeyInfoHeaderBlock keyInfo = new KeyInfoHeaderBlock(XMLUtil
0317:                            .convertToSoapElement(secureMsg.getSOAPPart(),
0318:                                    keyInfoElem));
0319:                    key = getKey(keyInfo, sig, context);
0320:                    context.getSamlIdVSKeyCache().put(assertionID, key);
0321:                    return key;
0322:                } catch (Exception e) {
0323:                    log.log(Level.SEVERE,
0324:                            "WSS0238.failed.Resolve.SAMLAssertion");
0325:                    throw new XWSSecurityException(e);
0326:                }
0327:            }
0328:
0329:            public static Key processSecurityTokenReference(
0330:                    KeyInfoHeaderBlock keyInfo, boolean sig,
0331:                    FilterProcessingContext context)
0332:                    throws XWSSecurityException {
0333:                Key returnKey = null;
0334:                HashMap tokenCache = context.getTokenCache();
0335:                SecurableSoapMessage secureMsg = context
0336:                        .getSecurableSoapMessage();
0337:                SecurityTokenReference str = keyInfo
0338:                        .getSecurityTokenReference(0);
0339:                ReferenceElement refElement = str.getReference();
0340:                EncryptionPolicy policy = (EncryptionPolicy) context
0341:                        .getInferredPolicy();
0342:                EncryptionPolicy inferredEncryptionPolicy = null;
0343:                boolean isWSITRecipient = (context.getMode() == FilterProcessingContext.WSDL_POLICY);
0344:                try {
0345:                    if (isWSITRecipient) {
0346:                        int i = context.getInferredSecurityPolicy().size() - 1;
0347:                        inferredEncryptionPolicy = (EncryptionPolicy) context
0348:                                .getInferredSecurityPolicy().get(i);
0349:                    }
0350:                } catch (Exception e) {
0351:                    log.log(Level.SEVERE,
0352:                            "WSS0239.failed.process.SecurityTokenReference", e);
0353:                    throw new XWSSecurityException(e);
0354:                }
0355:                // Do a case analysis based on the type of refElement.
0356:                // X509 Token Profile supports 3 kinds of reference mechanisms.
0357:                // Embedded Reference not considered.
0358:                if (refElement instanceof  KeyIdentifier) {
0359:                    KeyIdentifier keyId = (KeyIdentifier) refElement;
0360:
0361:                    if (MessageConstants.X509SubjectKeyIdentifier_NS
0362:                            .equals(keyId.getValueType())
0363:                            || MessageConstants.X509v3SubjectKeyIdentifier_NS
0364:                                    .equals(keyId.getValueType())) {
0365:                        if (policy != null) {
0366:                            AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
0367:                            keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy
0368:                                    .newX509CertificateKeyBinding();
0369:                            keyBinding
0370:                                    .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
0371:                        }
0372:                        if (isWSITRecipient) {
0373:                            MLSPolicy inferredKB = inferredEncryptionPolicy
0374:                                    .getKeyBinding();
0375:                            AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0376:                            x509Binding
0377:                                    .setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
0378:                            x509Binding
0379:                                    .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
0380:                            if (inferredKB == null) {
0381:                                inferredEncryptionPolicy
0382:                                        .setKeyBinding(x509Binding);
0383:                            } else if (PolicyTypeUtil
0384:                                    .symmetricKeyBinding(inferredKB)) {
0385:                                ((SymmetricKeyBinding) inferredKB)
0386:                                        .setKeyBinding(x509Binding);
0387:                            } else if (PolicyTypeUtil
0388:                                    .derivedTokenKeyBinding(inferredKB)) {
0389:                                DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding) inferredKB;
0390:                                if (dktBind.getOriginalKeyBinding() == null)
0391:                                    ((DerivedTokenKeyBinding) inferredKB)
0392:                                            .setOriginalKeyBinding(x509Binding);
0393:                                else if (PolicyTypeUtil
0394:                                        .symmetricKeyBinding(dktBind
0395:                                                .getOriginalKeyBinding())) {
0396:                                    dktBind.getOriginalKeyBinding()
0397:                                            .setKeyBinding(x509Binding);
0398:                                }
0399:                            }
0400:
0401:                        }
0402:                        if (sig) {
0403:                            returnKey = context.getSecurityEnvironment()
0404:                                    .getPublicKey(
0405:                                            context.getExtraneousProperties(),
0406:                                            getDecodedBase64EncodedData(keyId
0407:                                                    .getReferenceValue()));
0408:                        } else {
0409:                            returnKey = context.getSecurityEnvironment()
0410:                                    .getPrivateKey(
0411:                                            context.getExtraneousProperties(),
0412:                                            getDecodedBase64EncodedData(keyId
0413:                                                    .getReferenceValue()));
0414:                        }
0415:
0416:                    } else if (MessageConstants.ThumbPrintIdentifier_NS
0417:                            .equals(keyId.getValueType())) {
0418:                        if (policy != null) {
0419:                            AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
0420:                            keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy
0421:                                    .newX509CertificateKeyBinding();
0422:                            keyBinding
0423:                                    .setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
0424:                        }
0425:                        if (isWSITRecipient) {
0426:                            MLSPolicy inferredKB = inferredEncryptionPolicy
0427:                                    .getKeyBinding();
0428:                            AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0429:                            x509Binding
0430:                                    .setValueType(MessageConstants.ThumbPrintIdentifier_NS);
0431:                            x509Binding
0432:                                    .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
0433:                            if (inferredKB == null) {
0434:                                inferredEncryptionPolicy
0435:                                        .setKeyBinding(x509Binding);
0436:                            } else if (PolicyTypeUtil
0437:                                    .symmetricKeyBinding(inferredKB)) {
0438:                                ((SymmetricKeyBinding) inferredKB)
0439:                                        .setKeyBinding(x509Binding);
0440:                            } else if (PolicyTypeUtil
0441:                                    .derivedTokenKeyBinding(inferredKB)) {
0442:                                DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding) inferredKB;
0443:                                if (dktBind.getOriginalKeyBinding() == null)
0444:                                    ((DerivedTokenKeyBinding) inferredKB)
0445:                                            .setOriginalKeyBinding(x509Binding);
0446:                                else if (PolicyTypeUtil
0447:                                        .symmetricKeyBinding(dktBind
0448:                                                .getOriginalKeyBinding())) {
0449:                                    dktBind.getOriginalKeyBinding()
0450:                                            .setKeyBinding(x509Binding);
0451:                                }
0452:                            }
0453:
0454:                        }
0455:                        if (sig) {
0456:                            returnKey = context.getSecurityEnvironment()
0457:                                    .getPublicKey(
0458:                                            context.getExtraneousProperties(),
0459:                                            getDecodedBase64EncodedData(keyId
0460:                                                    .getReferenceValue()),
0461:                                            MessageConstants.THUMB_PRINT_TYPE);
0462:                        } else {
0463:                            returnKey = context.getSecurityEnvironment()
0464:                                    .getPrivateKey(
0465:                                            context.getExtraneousProperties(),
0466:                                            getDecodedBase64EncodedData(keyId
0467:                                                    .getReferenceValue()),
0468:                                            MessageConstants.THUMB_PRINT_TYPE);
0469:                        }
0470:
0471:                    } else if (MessageConstants.EncryptedKeyIdentifier_NS
0472:                            .equals(keyId.getValueType())) {
0473:                        if (isWSITRecipient) {
0474:                            MLSPolicy inferredKB = inferredEncryptionPolicy
0475:                                    .getKeyBinding();
0476:                            SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
0477:                            AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0478:                            x509Binding
0479:                                    .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
0480:                            skBinding.setKeyBinding(x509Binding);
0481:                            //TODO: ReferenceType and ValueType not set on X509Binding
0482:                            if (inferredKB == null) {
0483:                                inferredEncryptionPolicy
0484:                                        .setKeyBinding(skBinding);
0485:                            } else if (PolicyTypeUtil
0486:                                    .derivedTokenKeyBinding(inferredKB)) {
0487:                                if (((DerivedTokenKeyBinding) inferredKB)
0488:                                        .getOriginalKeyBinding() == null)
0489:                                    ((DerivedTokenKeyBinding) inferredKB)
0490:                                            .setOriginalKeyBinding(skBinding);
0491:                            }
0492:                        }
0493:                        String ekSha1RefValue = (String) context
0494:                                .getExtraneousProperty("EncryptedKeySHA1");
0495:                        Key secretKey = (Key) context
0496:                                .getExtraneousProperty("SecretKey");
0497:                        String keyRefValue = keyId.getReferenceValue();
0498:                        if (ekSha1RefValue != null && secretKey != null) {
0499:                            if (ekSha1RefValue.equals(keyRefValue))
0500:                                returnKey = secretKey;
0501:                        } else {
0502:                            String message = "EncryptedKeySHA1 reference not correct";
0503:                            log
0504:                                    .log(Level.SEVERE,
0505:                                            "WSS0240.invalid.EncryptedKeySHA1.reference");
0506:                            throw new XWSSecurityException(message);
0507:                        }
0508:
0509:                    } else if (MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE
0510:                            .equals(keyId.getValueType())
0511:                            || MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE
0512:                                    .equals(keyId.getValueType())) {
0513:                        // Its a SAML Assertion, retrieve the assertion
0514:                        if (policy != null) {
0515:                            AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
0516:                            keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy
0517:                                    .newSAMLAssertionKeyBinding();
0518:                            keyBinding.setReferenceType(keyId.getValueType());
0519:                        }
0520:                        String assertionID = keyId.getDecodedReferenceValue();
0521:                        Element samlAssertion = resolveSAMLToken(str,
0522:                                assertionID, context);
0523:                        if (isWSITRecipient) {
0524:                            MLSPolicy inferredKB = inferredEncryptionPolicy
0525:                                    .getKeyBinding();
0526:                            IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
0527:                            if (inferredKB == null) {
0528:                                if (context.hasIssuedToken()) {
0529:                                    inferredEncryptionPolicy
0530:                                            .setKeyBinding(itkBinding);
0531:                                } else {
0532:                                    inferredEncryptionPolicy
0533:                                            .setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
0534:                                }
0535:                            } else if (PolicyTypeUtil
0536:                                    .derivedTokenKeyBinding(inferredKB)) {
0537:                                if (((DerivedTokenKeyBinding) inferredKB)
0538:                                        .getOriginalKeyBinding() == null)
0539:                                    ((DerivedTokenKeyBinding) inferredKB)
0540:                                            .setOriginalKeyBinding(itkBinding);
0541:                            }
0542:                        }
0543:                        returnKey = resolveSamlAssertion(secureMsg,
0544:                                samlAssertion, sig, context, assertionID);
0545:                        if (context.hasIssuedToken()) {
0546:                            SecurityUtil.initInferredIssuedTokenContext(
0547:                                    context, str, returnKey);
0548:                        }
0549:
0550:                    } else {
0551:                        if (policy != null) {
0552:                            AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
0553:                            keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy
0554:                                    .newSAMLAssertionKeyBinding();
0555:                        }
0556:                        Element samlAssertion = null;
0557:                        String assertionID = keyId.getDecodedReferenceValue();
0558:                        try {
0559:                            samlAssertion = resolveSAMLToken(str, assertionID,
0560:                                    context);
0561:                        } catch (Exception ex) {
0562:                            //ignore
0563:                        }
0564:                        if (samlAssertion != null) {
0565:                            if (isWSITRecipient) {
0566:                                MLSPolicy inferredKB = inferredEncryptionPolicy
0567:                                        .getKeyBinding();
0568:                                IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
0569:                                if (inferredKB == null) {
0570:                                    inferredEncryptionPolicy
0571:                                            .setKeyBinding(itkBinding);
0572:                                } else if (PolicyTypeUtil
0573:                                        .derivedTokenKeyBinding(inferredKB)) {
0574:                                    if (((DerivedTokenKeyBinding) inferredKB)
0575:                                            .getOriginalKeyBinding() == null)
0576:                                        ((DerivedTokenKeyBinding) inferredKB)
0577:                                                .setOriginalKeyBinding(itkBinding);
0578:                                }
0579:                            }
0580:                            returnKey = resolveSamlAssertion(secureMsg,
0581:                                    samlAssertion, sig, context, assertionID);
0582:                            if (context.hasIssuedToken()) {
0583:                                SecurityUtil.initInferredIssuedTokenContext(
0584:                                        context, str, returnKey);
0585:                            }
0586:                        } else {
0587:                            // now assume its an X509Token
0588:                            // Note: the code below assumes base64 EncodingType for X509 SKI
0589:                            if (isWSITRecipient) {
0590:                                MLSPolicy inferredKB = inferredEncryptionPolicy
0591:                                        .getKeyBinding();
0592:                                AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0593:                                x509Binding
0594:                                        .setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
0595:                                x509Binding
0596:                                        .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
0597:                                if (inferredKB == null) {
0598:                                    inferredEncryptionPolicy
0599:                                            .setKeyBinding(x509Binding);
0600:                                } else if (PolicyTypeUtil
0601:                                        .symmetricKeyBinding(inferredKB)) {
0602:                                    ((SymmetricKeyBinding) inferredKB)
0603:                                            .setKeyBinding(x509Binding);
0604:                                } else if (PolicyTypeUtil
0605:                                        .derivedTokenKeyBinding(inferredKB)) {
0606:                                    DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding) inferredKB;
0607:                                    if (dktBind.getOriginalKeyBinding() == null)
0608:                                        ((DerivedTokenKeyBinding) inferredKB)
0609:                                                .setOriginalKeyBinding(x509Binding);
0610:                                    else if (PolicyTypeUtil
0611:                                            .symmetricKeyBinding(dktBind
0612:                                                    .getOriginalKeyBinding())) {
0613:                                        dktBind.getOriginalKeyBinding()
0614:                                                .setKeyBinding(x509Binding);
0615:                                    }
0616:                                }
0617:
0618:                            }
0619:                            if (sig) {
0620:                                returnKey = context
0621:                                        .getSecurityEnvironment()
0622:                                        .getPublicKey(
0623:                                                context
0624:                                                        .getExtraneousProperties(),
0625:                                                getDecodedBase64EncodedData(keyId
0626:                                                        .getReferenceValue()));
0627:                            } else {
0628:                                returnKey = context
0629:                                        .getSecurityEnvironment()
0630:                                        .getPrivateKey(
0631:                                                context
0632:                                                        .getExtraneousProperties(),
0633:                                                getDecodedBase64EncodedData(keyId
0634:                                                        .getReferenceValue()));
0635:                            }
0636:                        }
0637:                    }
0638:                } else if (refElement instanceof  DirectReference) {
0639:                    String uri = ((DirectReference) refElement).getURI();
0640:
0641:                    // will be only during verify.
0642:                    AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
0643:                    String valueType = ((DirectReference) refElement)
0644:                            .getValueType();
0645:                    if (MessageConstants.DKT_VALUETYPE.equals(valueType)) {
0646:                        //TODO: this will work for now but need to handle this case here later
0647:                        valueType = null;
0648:                    }
0649:
0650:                    if (policy != null) {
0651:                        keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy
0652:                                .newX509CertificateKeyBinding();
0653:                        keyBinding
0654:                                .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
0655:                        keyBinding.setValueType(valueType);
0656:                    }
0657:
0658:                    if (MessageConstants.X509v3_NS.equals(valueType)
0659:                            || MessageConstants.X509v1_NS.equals(valueType)) {
0660:                        // its an X509 Token
0661:                        HashMap insertedX509Cache = context
0662:                                .getInsertedX509Cache();
0663:                        String wsuId = secureMsg.getIdFromFragmentRef(uri);
0664:                        X509SecurityToken token = (X509SecurityToken) insertedX509Cache
0665:                                .get(wsuId);
0666:                        if (token == null)
0667:                            token = (X509SecurityToken) resolveToken(wsuId,
0668:                                    context, secureMsg);
0669:                        if (isWSITRecipient) {
0670:                            MLSPolicy inferredKB = inferredEncryptionPolicy
0671:                                    .getKeyBinding();
0672:                            AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0673:                            x509Binding
0674:                                    .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
0675:                            x509Binding.setValueType(valueType);
0676:                            if (inferredKB == null) {
0677:                                inferredEncryptionPolicy
0678:                                        .setKeyBinding(x509Binding);
0679:                            } else if (PolicyTypeUtil
0680:                                    .symmetricKeyBinding(inferredKB)) {
0681:                                ((SymmetricKeyBinding) inferredKB)
0682:                                        .setKeyBinding(x509Binding);
0683:                            } else if (PolicyTypeUtil
0684:                                    .derivedTokenKeyBinding(inferredKB)) {
0685:                                DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding) inferredKB;
0686:                                if (dktBind.getOriginalKeyBinding() == null)
0687:                                    dktBind.setOriginalKeyBinding(x509Binding);
0688:                                else if (PolicyTypeUtil
0689:                                        .symmetricKeyBinding(dktBind
0690:                                                .getOriginalKeyBinding()))
0691:                                    dktBind.getOriginalKeyBinding()
0692:                                            .setKeyBinding(x509Binding);
0693:                            }
0694:
0695:                        }
0696:                        returnKey = resolveX509Token(secureMsg, token, sig,
0697:                                context);
0698:
0699:                    } else if (MessageConstants.EncryptedKey_NS
0700:                            .equals(valueType)) {
0701:                        // Do default processing
0702:                        String wsuId = secureMsg.getIdFromFragmentRef(uri);
0703:                        SecurityToken token = resolveToken(wsuId, context,
0704:                                secureMsg);
0705:                        //TODO: STR is referring to EncryptedKey
0706:                        KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken) token)
0707:                                .getKeyInfo();
0708:                        SecurityTokenReference sectr = kiHB
0709:                                .getSecurityTokenReference(0);
0710:
0711:                        //String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
0712:                        // now that context will have AlgoSuite under WSIT, this should not be an issue
0713:                        // so restoring old value since it breaks Backward Compat otherwise
0714:                        String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
0715:                        if (context.getAlgorithmSuite() != null) {
0716:                            dataEncAlgo = context.getAlgorithmSuite()
0717:                                    .getEncryptionAlgorithm();
0718:                        } else {
0719:                            if (context.getDataEncryptionAlgorithm() != null) {
0720:                                dataEncAlgo = context
0721:                                        .getDataEncryptionAlgorithm();
0722:                            }
0723:                        }
0724:                        try {
0725:                            Element cipherData = (Element) ((EncryptedKeyToken) token)
0726:                                    .getAsSoapElement()
0727:                                    .getChildElements(
0728:                                            new QName(
0729:                                                    MessageConstants.XENC_NS,
0730:                                                    "CipherData",
0731:                                                    MessageConstants.XENC_PREFIX))
0732:                                    .next();
0733:                            String cipherValue = cipherData
0734:                                    .getElementsByTagNameNS(
0735:                                            MessageConstants.XENC_NS,
0736:                                            "CipherValue").item(0)
0737:                                    .getTextContent();
0738:                            byte[] decodedCipher = Base64.decode(cipherValue);
0739:                            byte[] ekSha1 = MessageDigest.getInstance("SHA-1")
0740:                                    .digest(decodedCipher);
0741:                            String encEkSha1 = Base64.encode(ekSha1);
0742:                            context.setExtraneousProperty(
0743:                                    MessageConstants.EK_SHA1_VALUE, encEkSha1);
0744:
0745:                        } catch (Exception e) {
0746:                            log.log(Level.SEVERE,
0747:                                    "WSS0241.unable.set.EKSHA1.OnContext", e);
0748:                            throw new XWSSecurityException(e);
0749:                        }
0750:                        if (isWSITRecipient) {
0751:                            MLSPolicy inferredKB = inferredEncryptionPolicy
0752:                                    .getKeyBinding();
0753:                            SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
0754:                            AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0755:                            skBinding.setKeyBinding(x509Binding);
0756:                            //TODO: ReferenceType and ValueType not set on X509Binding
0757:                            if (inferredKB == null) {
0758:                                inferredEncryptionPolicy
0759:                                        .setKeyBinding(skBinding);
0760:                            } else if (PolicyTypeUtil
0761:                                    .symmetricKeyBinding(inferredKB)) {
0762:                                ((SymmetricKeyBinding) inferredKB)
0763:                                        .setKeyBinding(x509Binding);
0764:                            } else if (PolicyTypeUtil
0765:                                    .derivedTokenKeyBinding(inferredKB)) {
0766:                                DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding) inferredKB;
0767:                                if (dktBind.getOriginalKeyBinding() == null)
0768:                                    dktBind.setOriginalKeyBinding(x509Binding);
0769:                                else if (PolicyTypeUtil
0770:                                        .symmetricKeyBinding(dktBind
0771:                                                .getOriginalKeyBinding()))
0772:                                    dktBind.getOriginalKeyBinding()
0773:                                            .setKeyBinding(x509Binding);
0774:                            }
0775:
0776:                        }
0777:                        returnKey = ((EncryptedKeyToken) token).getSecretKey(
0778:                                getKey(kiHB, sig, context), dataEncAlgo);
0779:                        context.setExtraneousProperty(
0780:                                MessageConstants.SECRET_KEY_VALUE, returnKey);
0781:
0782:                    } else if (MessageConstants.SCT_VALUETYPE.equals(valueType)) {
0783:                        // could be wsuId or SCT Session Id
0784:                        String sctId = secureMsg.getIdFromFragmentRef(uri);
0785:                        SecurityToken token = (SecurityToken) tokenCache
0786:                                .get(sctId);
0787:
0788:                        if (token == null) {
0789:                            token = SecurityUtil.locateBySCTId(context, uri);
0790:                            if (token == null) {
0791:                                token = resolveToken(sctId, context, secureMsg);
0792:                            }
0793:                            if (token == null) {
0794:                                log.log(Level.SEVERE,
0795:                                        "WSS0242.unableto.locate.SCT");
0796:                                throw new XWSSecurityException(
0797:                                        "SCT Token with Id " + sctId
0798:                                                + "not found");
0799:                            } else {
0800:                                tokenCache.put(sctId, token);
0801:                            }
0802:                        }
0803:
0804:                        if (token instanceof  SecurityContextToken) {
0805:                            //handling for SecurityContext Token
0806:                            byte[] proofKey = resolveSCT(context,
0807:                                    (SecurityContextTokenImpl) token, sig);
0808:                            String encAlgo = "AES"; //hardcoding for now
0809:                            if (context.getAlgorithmSuite() != null) {
0810:                                encAlgo = SecurityUtil
0811:                                        .getSecretKeyAlgorithm(context
0812:                                                .getAlgorithmSuite()
0813:                                                .getEncryptionAlgorithm());
0814:                            }
0815:                            if (isWSITRecipient) {
0816:                                MLSPolicy inferredKB = inferredEncryptionPolicy
0817:                                        .getKeyBinding();
0818:                                SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
0819:                                if (inferredKB == null) {
0820:                                    inferredEncryptionPolicy
0821:                                            .setKeyBinding(sctBinding);
0822:                                } else if (PolicyTypeUtil
0823:                                        .derivedTokenKeyBinding(inferredKB)) {
0824:                                    if (((DerivedTokenKeyBinding) inferredKB)
0825:                                            .getOriginalKeyBinding() == null)
0826:                                        ((DerivedTokenKeyBinding) inferredKB)
0827:                                                .setOriginalKeyBinding(sctBinding);
0828:                                }
0829:                            }
0830:                            returnKey = new SecretKeySpec(proofKey, encAlgo);
0831:
0832:                        } else {
0833:                            log.log(Level.SEVERE,
0834:                                    "WSS0243.invalid.valueType.NonSCTToken");
0835:                            throw new XWSSecurityException(
0836:                                    "Incorrect ValueType: "
0837:                                            + MessageConstants.SCT_VALUETYPE
0838:                                            + ", specified for a Non SCT Token");
0839:                        }
0840:
0841:                    } else if (null == valueType) {
0842:                        // Do default processing
0843:                        String wsuId = secureMsg.getIdFromFragmentRef(uri);
0844:                        SecurityToken token = SecurityUtil.locateBySCTId(
0845:                                context, wsuId);
0846:                        if (token == null) {
0847:                            token = resolveToken(wsuId, context, secureMsg);
0848:                        }
0849:                        if (token instanceof  X509SecurityToken) {
0850:                            if (isWSITRecipient) {
0851:                                MLSPolicy inferredKB = inferredEncryptionPolicy
0852:                                        .getKeyBinding();
0853:                                AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0854:                                x509Binding
0855:                                        .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
0856:                                if (inferredKB == null) {
0857:                                    inferredEncryptionPolicy
0858:                                            .setKeyBinding(x509Binding);
0859:                                } else if (PolicyTypeUtil
0860:                                        .derivedTokenKeyBinding(inferredKB)) {
0861:                                    if (((DerivedTokenKeyBinding) inferredKB)
0862:                                            .getOriginalKeyBinding() == null)
0863:                                        ((DerivedTokenKeyBinding) inferredKB)
0864:                                                .setOriginalKeyBinding(x509Binding);
0865:                                }
0866:                            }
0867:                            returnKey = resolveX509Token(secureMsg,
0868:                                    (X509SecurityToken) token, sig, context);
0869:                        } else if (token instanceof  EncryptedKeyToken) {
0870:                            //TODO: STR is referring to EncryptedKey
0871:                            KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken) token)
0872:                                    .getKeyInfo();
0873:                            SecurityTokenReference sectr = kiHB
0874:                                    .getSecurityTokenReference(0);
0875:                            ReferenceElement refElem = sectr.getReference();
0876:                            String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
0877:                            // now that context will have AlgoSuite under WSIT, this should not be an issue
0878:                            // so restoring old value since it breaks Backward Compat otherwise
0879:                            //String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
0880:                            if (context.getAlgorithmSuite() != null) {
0881:                                dataEncAlgo = context.getAlgorithmSuite()
0882:                                        .getEncryptionAlgorithm();
0883:                            } else {
0884:                                if (context.getDataEncryptionAlgorithm() != null) {
0885:                                    dataEncAlgo = context
0886:                                            .getDataEncryptionAlgorithm();
0887:                                }
0888:                            }
0889:                            try {
0890:                                Element cipherData = (Element) ((EncryptedKeyToken) token)
0891:                                        .getAsSoapElement()
0892:                                        .getChildElements(
0893:                                                new QName(
0894:                                                        MessageConstants.XENC_NS,
0895:                                                        "CipherData",
0896:                                                        MessageConstants.XENC_PREFIX))
0897:                                        .next();
0898:                                String cipherValue = cipherData
0899:                                        .getElementsByTagNameNS(
0900:                                                MessageConstants.XENC_NS,
0901:                                                "CipherValue").item(0)
0902:                                        .getTextContent();
0903:                                byte[] decodedCipher = Base64
0904:                                        .decode(cipherValue);
0905:                                byte[] ekSha1 = MessageDigest.getInstance(
0906:                                        "SHA-1").digest(decodedCipher);
0907:                                String encEkSha1 = Base64.encode(ekSha1);
0908:                                context.setExtraneousProperty(
0909:                                        MessageConstants.EK_SHA1_VALUE,
0910:                                        encEkSha1);
0911:                            } catch (Exception e) {
0912:                                log
0913:                                        .log(
0914:                                                Level.SEVERE,
0915:                                                "WSS0241.unableto.set.EKSHA1.OnContext",
0916:                                                e);
0917:                                throw new XWSSecurityException(e);
0918:                            }
0919:                            if (isWSITRecipient) {
0920:                                MLSPolicy inferredKB = inferredEncryptionPolicy
0921:                                        .getKeyBinding();
0922:                                SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
0923:                                AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
0924:                                skBinding.setKeyBinding(x509Binding);
0925:                                //TODO: ReferenceType and ValueType not set on X509Binding
0926:                                if (inferredKB == null) {
0927:                                    inferredEncryptionPolicy
0928:                                            .setKeyBinding(skBinding);
0929:                                } else if (PolicyTypeUtil
0930:                                        .derivedTokenKeyBinding(inferredKB)) {
0931:                                    if (((DerivedTokenKeyBinding) inferredKB)
0932:                                            .getOriginalKeyBinding() == null)
0933:                                        ((DerivedTokenKeyBinding) inferredKB)
0934:                                                .setOriginalKeyBinding(skBinding);
0935:                                }
0936:                            }
0937:                            returnKey = ((EncryptedKeyToken) token)
0938:                                    .getSecretKey(getKey(kiHB, sig, context),
0939:                                            dataEncAlgo);
0940:                            context.setExtraneousProperty(
0941:                                    MessageConstants.SECRET_KEY_VALUE,
0942:                                    returnKey);
0943:
0944:                        } else if (token instanceof  SecurityContextToken) {
0945:                            //handling for SecurityContext Token
0946:                            byte[] proofKey = resolveSCT(context,
0947:                                    (SecurityContextTokenImpl) token, sig);
0948:                            String encAlgo = "AES"; //default algo
0949:                            if (context.getAlgorithmSuite() != null) {
0950:                                encAlgo = SecurityUtil
0951:                                        .getSecretKeyAlgorithm(context
0952:                                                .getAlgorithmSuite()
0953:                                                .getEncryptionAlgorithm());
0954:                            }
0955:                            if (isWSITRecipient) {
0956:                                MLSPolicy inferredKB = inferredEncryptionPolicy
0957:                                        .getKeyBinding();
0958:                                SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
0959:                                if (inferredKB == null) {
0960:                                    inferredEncryptionPolicy
0961:                                            .setKeyBinding(sctBinding);
0962:                                } else if (PolicyTypeUtil
0963:                                        .derivedTokenKeyBinding(inferredKB)) {
0964:                                    if (((DerivedTokenKeyBinding) inferredKB)
0965:                                            .getOriginalKeyBinding() == null)
0966:                                        ((DerivedTokenKeyBinding) inferredKB)
0967:                                                .setOriginalKeyBinding(sctBinding);
0968:                                }
0969:                            }
0970:                            returnKey = new SecretKeySpec(proofKey, encAlgo);
0971:
0972:                        } else if (token instanceof  DerivedKeyTokenHeaderBlock) {
0973:                            if (isWSITRecipient) {
0974:                                MLSPolicy inferredKB = inferredEncryptionPolicy
0975:                                        .getKeyBinding();
0976:                                DerivedTokenKeyBinding dtkBinding = new DerivedTokenKeyBinding();
0977:                                if (inferredKB == null) {
0978:                                    inferredEncryptionPolicy
0979:                                            .setKeyBinding(dtkBinding);
0980:                                } else if (PolicyTypeUtil
0981:                                        .derivedTokenKeyBinding(inferredKB)) {
0982:                                    //already set - do nothing
0983:                                } else {
0984:                                    log.log(Level.SEVERE,
0985:                                            "WSS0244.invalid.level.DKT");
0986:                                    throw new XWSSecurityException(
0987:                                            "A derived Key Token should be a top level key binding");
0988:                                }
0989:                            }
0990:                            returnKey = resolveDKT(context,
0991:                                    (DerivedKeyTokenHeaderBlock) token);
0992:                        } else {
0993:                            String message = " Cannot Resolve URI " + uri;
0994:                            log.log(Level.SEVERE,
0995:                                    "WSS0337.unsupported.directref.mechanism",
0996:                                    new Object[] { message });
0997:                            XWSSecurityException xwsse = new XWSSecurityException(
0998:                                    message);
0999:                            throw SecurableSoapMessage
1000:                                    .newSOAPFaultException(
1001:                                            MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE,
1002:                                            xwsse.getMessage(), xwsse);
1003:                        }
1004:                    } else {
1005:                        log.log(Level.SEVERE,
1006:                                "WSS0337.unsupported.directref.mechanism",
1007:                                new Object[] { ((DirectReference) refElement)
1008:                                        .getValueType() });
1009:                        XWSSecurityException xwsse = new XWSSecurityException(
1010:                                "unsupported directreference ValueType "
1011:                                        + ((DirectReference) refElement)
1012:                                                .getValueType());
1013:                        throw SecurableSoapMessage.newSOAPFaultException(
1014:                                MessageConstants.WSSE_INVALID_SECURITY_TOKEN,
1015:                                xwsse.getMessage(), xwsse);
1016:                    }
1017:                } else if (refElement instanceof  X509IssuerSerial) {
1018:                    BigInteger serialNumber = ((X509IssuerSerial) refElement)
1019:                            .getSerialNumber();
1020:                    String issuerName = ((X509IssuerSerial) refElement)
1021:                            .getIssuerName();
1022:
1023:                    if (isWSITRecipient) {
1024:                        MLSPolicy inferredKB = inferredEncryptionPolicy
1025:                                .getKeyBinding();
1026:                        AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1027:                        x509Binding
1028:                                .setReferenceType(MessageConstants.X509_ISSUER_TYPE);
1029:                        if (inferredKB == null) {
1030:                            inferredEncryptionPolicy.setKeyBinding(x509Binding);
1031:                        } else if (PolicyTypeUtil
1032:                                .symmetricKeyBinding(inferredKB)) {
1033:                            ((SymmetricKeyBinding) inferredKB)
1034:                                    .setKeyBinding(x509Binding);
1035:                        } else if (PolicyTypeUtil
1036:                                .derivedTokenKeyBinding(inferredKB)) {
1037:                            DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding) inferredKB;
1038:                            if (dktBind.getOriginalKeyBinding() == null)
1039:                                dktBind.setOriginalKeyBinding(x509Binding);
1040:                            else if (PolicyTypeUtil.symmetricKeyBinding(dktBind
1041:                                    .getOriginalKeyBinding()))
1042:                                dktBind.getOriginalKeyBinding().setKeyBinding(
1043:                                        x509Binding);
1044:                        }
1045:
1046:                    }
1047:                    if (sig) {
1048:                        returnKey = context.getSecurityEnvironment()
1049:                                .getPublicKey(
1050:                                        context.getExtraneousProperties(),
1051:                                        serialNumber, issuerName);
1052:                    } else {
1053:                        returnKey = context.getSecurityEnvironment()
1054:                                .getPrivateKey(
1055:                                        context.getExtraneousProperties(),
1056:                                        serialNumber, issuerName);
1057:                    }
1058:                } else {
1059:                    log.log(Level.SEVERE,
1060:                            "WSS0338.unsupported.reference.mechanism");
1061:                    XWSSecurityException xwsse = new XWSSecurityException(
1062:                            "Key reference mechanism not supported");
1063:                    throw SecurableSoapMessage.newSOAPFaultException(
1064:                            MessageConstants.WSSE_UNSUPPORTED_SECURITY_TOKEN,
1065:                            xwsse.getMessage(), xwsse);
1066:                }
1067:                return returnKey;
1068:            }
1069:
1070:            public static Key resolveX509Token(SecurableSoapMessage secureMsg,
1071:                    X509SecurityToken token, boolean sig,
1072:                    FilterProcessingContext context)
1073:                    throws XWSSecurityException {
1074:
1075:                if (sig) {
1076:                    // Update the Subject of the sender
1077:                    X509Certificate cert = token.getCertificate();
1078:                    context.getSecurityEnvironment().updateOtherPartySubject(
1079:                            DefaultSecurityEnvironmentImpl.getSubject(context),
1080:                            cert);
1081:                    // updating other party credentials
1082:                    if (context.getTrustCredentialHolder() != null) {
1083:                        context.getTrustCredentialHolder()
1084:                                .setRequestorCertificate(cert);
1085:                    }
1086:                    return cert.getPublicKey();
1087:                } else {
1088:                    return context.getSecurityEnvironment().getPrivateKey(
1089:                            context.getExtraneousProperties(),
1090:                            token.getCertificate());
1091:                }
1092:            }
1093:
1094:            public static Key resolveKeyValue(SecurableSoapMessage secureMsg,
1095:                    KeyValue keyValue, boolean sig,
1096:                    FilterProcessingContext context)
1097:                    throws XWSSecurityException {
1098:                keyValue.getElement().normalize();
1099:                try {
1100:                    if (sig) {
1101:                        return keyValue.getPublicKey();
1102:                    } else {
1103:                        return context.getSecurityEnvironment().getPrivateKey(
1104:                                context.getExtraneousProperties(),
1105:                                keyValue.getPublicKey(), false);
1106:                    }
1107:                } catch (Exception e) {
1108:                    log.log(Level.SEVERE, "WSS0601.illegal.key.value", e
1109:                            .getMessage());
1110:                    throw new XWSSecurityException(e);
1111:                }
1112:            }
1113:
1114:            // not supporting CRL and SubjectName yet
1115:            // TODO: the support is incomplete here
1116:            public static Key resolveX509Data(SecurableSoapMessage secureMsg,
1117:                    X509Data x509Data, boolean sig,
1118:                    FilterProcessingContext context)
1119:                    throws XWSSecurityException {
1120:
1121:                // workaround for what seems to be a bug in XMLSecurity
1122:                // text node getting split
1123:                x509Data.getElement().normalize();
1124:                X509Certificate cert = null;
1125:
1126:                try {
1127:                    if (x509Data.containsCertificate()) {
1128:                        cert = (x509Data.itemCertificate(0))
1129:                                .getX509Certificate();
1130:                    } else if (x509Data.containsSKI()) {
1131:                        if (sig) {
1132:                            return context.getSecurityEnvironment()
1133:                                    .getPublicKey(
1134:                                            context.getExtraneousProperties(),
1135:                                            x509Data.itemSKI(0).getSKIBytes());
1136:                        } else {
1137:                            return context.getSecurityEnvironment()
1138:                                    .getPrivateKey(
1139:                                            context.getExtraneousProperties(),
1140:                                            x509Data.itemSKI(0).getSKIBytes());
1141:                        }
1142:                    } else if (x509Data.containsSubjectName()) {
1143:                        log.log(Level.SEVERE, "WSS0339.unsupported.keyinfo");
1144:                        throw new XWSSecurityException(
1145:                                "X509SubjectName child element of X509Data is not yet supported by our implementation");
1146:                    } else if (x509Data.containsIssuerSerial()) {
1147:                        if (sig) {
1148:                            return context.getSecurityEnvironment()
1149:                                    .getPublicKey(
1150:                                            context.getExtraneousProperties(),
1151:                                            x509Data.itemIssuerSerial(0)
1152:                                                    .getSerialNumber(),
1153:                                            x509Data.itemIssuerSerial(0)
1154:                                                    .getIssuerName());
1155:                        } else {
1156:                            return context.getSecurityEnvironment()
1157:                                    .getPrivateKey(
1158:                                            context.getExtraneousProperties(),
1159:                                            x509Data.itemIssuerSerial(0)
1160:                                                    .getSerialNumber(),
1161:                                            x509Data.itemIssuerSerial(0)
1162:                                                    .getIssuerName());
1163:                        }
1164:
1165:                    } else {
1166:                        log.log(Level.SEVERE, "WSS0339.unsupported.keyinfo");
1167:                        throw new XWSSecurityException(
1168:                                "Unsupported child element of X509Data encountered");
1169:                    }
1170:
1171:                    if (sig) {
1172:                        return cert.getPublicKey();
1173:                    } else {
1174:                        return context.getSecurityEnvironment().getPrivateKey(
1175:                                context.getExtraneousProperties(), cert);
1176:                    }
1177:                } catch (Exception e) {
1178:                    log.log(Level.SEVERE, "WSS0602.illegal.x509.data", e
1179:                            .getMessage());
1180:                    throw new XWSSecurityException(e);
1181:                }
1182:            }
1183:
1184:            private static byte[] getDecodedBase64EncodedData(String encodedData)
1185:                    throws XWSSecurityException {
1186:                try {
1187:                    return Base64.decode(encodedData);
1188:                } catch (Base64DecodingException e) {
1189:                    log.log(Level.SEVERE,
1190:                            "WSS0144.unableto.decode.base64.data", e);
1191:                    throw new XWSSecurityException(
1192:                            "Unable to decode Base64 encoded data", e);
1193:                }
1194:            }
1195:
1196:            private static SecurityToken resolveToken(String uri,
1197:                    FilterProcessingContext context,
1198:                    SecurableSoapMessage secureMsg) throws XWSSecurityException {
1199:                try {
1200:                    HashMap cache = context.getTokenCache();
1201:                    SecurityToken token = (SecurityToken) cache.get(uri);
1202:                    if (token != null) {
1203:                        return token;
1204:                    }
1205:                    if (token == null) {
1206:                        Node tokenNode = secureMsg.getElementById(uri);
1207:                        tokenNode.normalize();
1208:                        if (MessageConstants.WSSE_BINARY_SECURITY_TOKEN_LNAME
1209:                                .equals(tokenNode.getLocalName())) {
1210:                            token = new X509SecurityToken(
1211:                                    (SOAPElement) tokenNode);
1212:                        } else if (MessageConstants.ENCRYPTEDKEY_LNAME
1213:                                .equals(tokenNode.getLocalName())) {
1214:                            token = new EncryptedKeyToken(
1215:                                    (SOAPElement) tokenNode);
1216:                        } else if (MessageConstants.SECURITY_CONTEXT_TOKEN_LNAME
1217:                                .equals(tokenNode.getLocalName())) {
1218:                            token = new SecurityContextTokenImpl(
1219:                                    (SOAPElement) tokenNode);
1220:                        } else if (MessageConstants.DERIVEDKEY_TOKEN_LNAME
1221:                                .equals(tokenNode.getLocalName())) {
1222:                            token = new DerivedKeyTokenHeaderBlock(
1223:                                    (SOAPElement) tokenNode);
1224:                        }
1225:                    }
1226:                    cache.put(uri, token);
1227:                    return token;
1228:                } catch (Exception ex) {
1229:                    log.log(Level.SEVERE,
1230:                            "WSS0245.failed.resolve.SecurityToken", ex);
1231:                    throw new XWSSecurityException(ex);
1232:                }
1233:            }
1234:
1235:            private static Element resolveSAMLToken(
1236:                    SecurityTokenReference tokenRef, String assertionId,
1237:                    FilterProcessingContext context)
1238:                    throws XWSSecurityException {
1239:
1240:                Element clientSAMLAssertionCache = (Element) context
1241:                        .getExtraneousProperties().get(
1242:                                MessageConstants.SAML_ASSERTION_CLIENT_CACHE);
1243:
1244:                if (clientSAMLAssertionCache != null) {
1245:                    return clientSAMLAssertionCache;
1246:                }
1247:
1248:                Element tokenElement = context.getIssuedSAMLToken();
1249:                if (tokenElement != null) {
1250:                    context.setExtraneousProperty(
1251:                            MessageConstants.SAML_SIG_RESOLVED, "false");
1252:                }
1253:                if (tokenElement == null) {
1254:                    if (tokenRef.getSamlAuthorityBinding() != null) {
1255:                        tokenElement = context.getSecurityEnvironment()
1256:                                .locateSAMLAssertion(
1257:                                        context.getExtraneousProperties(),
1258:                                        tokenRef.getSamlAuthorityBinding(),
1259:                                        assertionId,
1260:                                        context.getSOAPMessage().getSOAPPart());
1261:                    } else {
1262:                        tokenElement = SAMLUtil.locateSamlAssertion(
1263:                                assertionId, context.getSOAPMessage()
1264:                                        .getSOAPPart());
1265:                        if (!("true"
1266:                                .equals((String) context
1267:                                        .getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED)))
1268:                                || "false"
1269:                                        .equals((String) context
1270:                                                .getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED))) {
1271:                            context
1272:                                    .setExtraneousProperty(
1273:                                            MessageConstants.SAML_SIG_RESOLVED,
1274:                                            "false");
1275:                        }
1276:                    }
1277:                }
1278:
1279:                addAuthorityId(tokenElement, context);
1280:
1281:                //TODO: expensive conversion happening here
1282:                try {
1283:                    // if it is an Encrypted SAML Assertion we cannot decrypt it
1284:                    // on the client side since we don't have the Private Key
1285:                    if ("EncryptedData".equals(tokenElement.getLocalName())) {
1286:                        return null;
1287:                    }
1288:                } catch (Exception e) {
1289:                    log.log(Level.SEVERE,
1290:                            "WSS0238.failed.Resolve.SAMLAssertion", e);
1291:                    throw new XWSSecurityException(e);
1292:                }
1293:
1294:                return tokenElement;
1295:            }
1296:
1297:            private static void addAuthorityId(Element assertion,
1298:                    FilterProcessingContext fp) {
1299:                EncryptionPolicy ep = (EncryptionPolicy) fp.getInferredPolicy();
1300:                if (ep != null) {
1301:                    AuthenticationTokenPolicy.SAMLAssertionBinding kb = (AuthenticationTokenPolicy.SAMLAssertionBinding) ep
1302:                            .newSAMLAssertionKeyBinding();
1303:                    String issuer = assertion.getAttribute("Issuer");
1304:                    kb.setAuthorityIdentifier(issuer);
1305:                }
1306:            }
1307:
1308:            // this method would be called on incoming client/server messages
1309:            private static byte[] resolveSCT(FilterProcessingContext context,
1310:                    SecurityContextTokenImpl token, boolean sig)
1311:                    throws XWSSecurityException {
1312:
1313:                // first set it into Extraneous Properties
1314:                context.setExtraneousProperty(MessageConstants.INCOMING_SCT,
1315:                        token);
1316:                // now get the SC ID
1317:                String scId = token.getSCId();
1318:
1319:                IssuedTokenContext ctx = context.getIssuedTokenContext(scId);
1320:                if (ctx == null) {
1321:                    // this can happen on client side where the map is based on tokenId
1322:                    Enumeration elements = context.getIssuedTokenContextMap()
1323:                            .elements();
1324:                    while (elements.hasMoreElements()) {
1325:                        IssuedTokenContext ictx = (IssuedTokenContext) elements
1326:                                .nextElement();
1327:                        Object tok = ictx.getSecurityToken();
1328:                        String ctxid = null;
1329:                        if (tok instanceof  SecurityContextToken) {
1330:                            ctxid = ((SecurityContextToken) tok)
1331:                                    .getIdentifier().toString();
1332:                            if (ctxid.equals(scId)) {
1333:                                ctx = ictx;
1334:                                break;
1335:                            }
1336:                        }
1337:
1338:                    }
1339:                }
1340:
1341:                if (ctx == null) {
1342:                    log
1343:                            .log(Level.SEVERE,
1344:                                    "WSS0246.unableto.locate.SecureConversationSession");
1345:                    throw new XWSSecurityException(
1346:                            "Could not locate SecureConversation session for Id:"
1347:                                    + scId);
1348:                }
1349:
1350:                Subject subj = ctx.getRequestorSubject();
1351:                if (subj != null) {
1352:                    // subj will be null if this is the client side execution
1353:                    if (context
1354:                            .getExtraneousProperty(MessageConstants.SCBOOTSTRAP_CRED_IN_SUBJ) == null) {
1355:                        //do it only once
1356:                        context.getSecurityEnvironment()
1357:                                .updateOtherPartySubject(
1358:                                        SecurityUtil.getSubject(context
1359:                                                .getExtraneousProperties()),
1360:                                        subj);
1361:                        context.getExtraneousProperties().put(
1362:                                MessageConstants.SCBOOTSTRAP_CRED_IN_SUBJ,
1363:                                "true");
1364:                    }
1365:                }
1366:
1367:                byte[] proofKey = ctx.getProofKey();
1368:                return proofKey;
1369:            }
1370:
1371:            private static Key resolveDKT(FilterProcessingContext context,
1372:                    DerivedKeyTokenHeaderBlock token)
1373:                    throws XWSSecurityException {
1374:
1375:                //TODO: hardcoded for testing -- need to obtain this from somewhere
1376:                String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
1377:                if (context.getAlgorithmSuite() != null) {
1378:                    dataEncAlgo = context.getAlgorithmSuite()
1379:                            .getEncryptionAlgorithm();
1380:                }
1381:                //HashMap tokenCache = context.getTokenCache();
1382:                SecurableSoapMessage secureMsg = context
1383:                        .getSecurableSoapMessage();
1384:
1385:                EncryptionPolicy inferredEncryptionPolicy = null;
1386:                boolean isWSITRecipient = (context.getMode() == FilterProcessingContext.WSDL_POLICY);
1387:                try {
1388:                    if (isWSITRecipient) {
1389:                        int i = context.getInferredSecurityPolicy().size() - 1;
1390:                        inferredEncryptionPolicy = (EncryptionPolicy) context
1391:                                .getInferredSecurityPolicy().get(i);
1392:                    }
1393:                } catch (Exception e) {
1394:                    log.log(Level.SEVERE,
1395:                            "WSS0247.failed.resolve.DerivedKeyToken");
1396:                    throw new XWSSecurityException(e);
1397:                }
1398:
1399:                SecurityTokenReference sectr = token.getDerivedKeyElement();
1400:                if (sectr == null) {
1401:                    log.log(Level.SEVERE, "WSS0248.null.STR");
1402:                    throw new XWSSecurityException(
1403:                            "Invalid DerivedKey Token encountered, no STR found");
1404:                }
1405:                ReferenceElement refElement = sectr.getReference();
1406:                Key encKey = null;
1407:                byte[] secret = null;
1408:                if (refElement instanceof  DirectReference) {
1409:                    String uri = ((DirectReference) refElement).getURI();
1410:                    String valueType = ((DirectReference) refElement)
1411:                            .getValueType();
1412:                    String wsuId = secureMsg.getIdFromFragmentRef(uri);
1413:                    SecurityToken secToken = SecurityUtil.locateBySCTId(
1414:                            context, wsuId);
1415:                    if (secToken == null) {
1416:                        secToken = resolveToken(wsuId, context, secureMsg);
1417:                        //workaround for case where Reference does not have ValueType
1418:                        if ((valueType == null)
1419:                                && (secToken instanceof  EncryptedKeyToken)) {
1420:                            valueType = MessageConstants.EncryptedKey_NS;
1421:                        }
1422:                    }
1423:
1424:                    if (MessageConstants.EncryptedKey_NS.equals(valueType)) {
1425:                        try {
1426:                            Element cipherData = (Element) ((EncryptedKeyToken) secToken)
1427:                                    .getAsSoapElement()
1428:                                    .getChildElements(
1429:                                            new QName(
1430:                                                    MessageConstants.XENC_NS,
1431:                                                    "CipherData",
1432:                                                    MessageConstants.XENC_PREFIX))
1433:                                    .next();
1434:                            String cipherValue = cipherData
1435:                                    .getElementsByTagNameNS(
1436:                                            MessageConstants.XENC_NS,
1437:                                            "CipherValue").item(0)
1438:                                    .getTextContent();
1439:                            byte[] decodedCipher = Base64.decode(cipherValue);
1440:                            byte[] ekSha1 = MessageDigest.getInstance("SHA-1")
1441:                                    .digest(decodedCipher);
1442:                            String encEkSha1 = Base64.encode(ekSha1);
1443:                            context.setExtraneousProperty(
1444:                                    MessageConstants.EK_SHA1_VALUE, encEkSha1);
1445:                        } catch (Exception e) {
1446:                            log.log(Level.SEVERE,
1447:                                    "WSS0241.unableto.set.EKSHA1.OnContext", e);
1448:                            throw new XWSSecurityException(e);
1449:                        }
1450:
1451:                        if (isWSITRecipient) {
1452:                            MLSPolicy inferredKB = inferredEncryptionPolicy
1453:                                    .getKeyBinding();
1454:                            SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
1455:                            AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1456:                            skBinding.setKeyBinding(x509Binding);
1457:                            //TODO: ReferenceType and ValueType not set on X509Binding
1458:                            if (PolicyTypeUtil
1459:                                    .derivedTokenKeyBinding(inferredKB)) {
1460:                                if (((DerivedTokenKeyBinding) inferredKB)
1461:                                        .getOriginalKeyBinding() == null)
1462:                                    ((DerivedTokenKeyBinding) inferredKB)
1463:                                            .setOriginalKeyBinding(skBinding);
1464:                            }
1465:                        }
1466:
1467:                        KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken) secToken)
1468:                                .getKeyInfo();
1469:                        encKey = ((EncryptedKeyToken) secToken).getSecretKey(
1470:                                getKey(kiHB, false, context), dataEncAlgo);
1471:                        secret = encKey.getEncoded();
1472:                        context.setExtraneousProperty(
1473:                                MessageConstants.SECRET_KEY_VALUE, encKey);
1474:                    } else if (MessageConstants.SCT_VALUETYPE.equals(valueType)) {
1475:                        if (secToken instanceof  SecurityContextToken) {
1476:                            if (isWSITRecipient) {
1477:                                MLSPolicy inferredKB = inferredEncryptionPolicy
1478:                                        .getKeyBinding();
1479:                                SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
1480:                                if (PolicyTypeUtil
1481:                                        .derivedTokenKeyBinding(inferredKB)) {
1482:                                    if (((DerivedTokenKeyBinding) inferredKB)
1483:                                            .getOriginalKeyBinding() == null)
1484:                                        ((DerivedTokenKeyBinding) inferredKB)
1485:                                                .setOriginalKeyBinding(sctBinding);
1486:                                }
1487:                            }
1488:                            //handling for SecurityContext Token
1489:                            secret = resolveSCT(context,
1490:                                    (SecurityContextTokenImpl) secToken, false);
1491:                        } else {
1492:                            log.log(Level.SEVERE,
1493:                                    "WSS0243.invalid.valueType.NonSCTToken");
1494:                            throw new XWSSecurityException(
1495:                                    "Incorrect ValueType: "
1496:                                            + MessageConstants.SCT_VALUETYPE
1497:                                            + ", specified for a Non SCT Token");
1498:                        }
1499:
1500:                    } else if (null == valueType) {
1501:                        if (secToken instanceof  SecurityContextToken) {
1502:                            if (isWSITRecipient) {
1503:                                MLSPolicy inferredKB = inferredEncryptionPolicy
1504:                                        .getKeyBinding();
1505:                                SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
1506:                                if (PolicyTypeUtil
1507:                                        .derivedTokenKeyBinding(inferredKB)) {
1508:                                    ((DerivedTokenKeyBinding) inferredKB)
1509:                                            .setOriginalKeyBinding(sctBinding);
1510:                                }
1511:                            }
1512:                            //handling for SecurityContext Token
1513:                            secret = resolveSCT(context,
1514:                                    (SecurityContextTokenImpl) secToken, false);
1515:                        } else {
1516:                            log.log(Level.SEVERE,
1517:                                    "WSS0249.unsupported.TokenType.DKT");
1518:                            throw new XWSSecurityException(
1519:                                    "Unsupported TokenType " + secToken
1520:                                            + " under DerivedKeyToken");
1521:                        }
1522:                    } else {
1523:                        log.log(Level.SEVERE,
1524:                                "WSS0249.unsupported.TokenType.DKT");
1525:                        throw new XWSSecurityException("Unsupported TokenType "
1526:                                + secToken + " under DerivedKeyToken");
1527:                    }
1528:                } else if (refElement instanceof  KeyIdentifier) {
1529:                    KeyIdentifier keyId = (KeyIdentifier) refElement;
1530:                    if (MessageConstants.EncryptedKeyIdentifier_NS.equals(keyId
1531:                            .getValueType())) {
1532:                        if (isWSITRecipient) {
1533:                            MLSPolicy inferredKB = inferredEncryptionPolicy
1534:                                    .getKeyBinding();
1535:                            SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
1536:                            AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1537:                            x509Binding
1538:                                    .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
1539:                            skBinding.setKeyBinding(x509Binding);
1540:                            //TODO: ReferenceType and ValueType not set on X509Binding
1541:                            if (PolicyTypeUtil
1542:                                    .derivedTokenKeyBinding(inferredKB)) {
1543:                                if (((DerivedTokenKeyBinding) inferredKB)
1544:                                        .getOriginalKeyBinding() == null)
1545:                                    ((DerivedTokenKeyBinding) inferredKB)
1546:                                            .setOriginalKeyBinding(skBinding);
1547:                            }
1548:                        }
1549:
1550:                        String ekSha1RefValue = (String) context
1551:                                .getExtraneousProperty("EncryptedKeySHA1");
1552:                        Key secretKey = (Key) context
1553:                                .getExtraneousProperty("SecretKey");
1554:                        String keyRefValue = keyId.getReferenceValue();
1555:                        if (ekSha1RefValue != null && secretKey != null) {
1556:                            if (ekSha1RefValue.equals(keyRefValue)) {
1557:                                encKey = secretKey;
1558:                                secret = encKey.getEncoded();
1559:                            } else {
1560:                                log
1561:                                        .log(Level.SEVERE,
1562:                                                "WSS0240.invalid.EncryptedKeySHA1.reference");
1563:                                throw new XWSSecurityException(
1564:                                        "EncryptedKeySHA1 reference not correct");
1565:                            }
1566:                        } else {
1567:                            log
1568:                                    .log(Level.SEVERE,
1569:                                            "WSS0240.invalid.EncryptedKeySHA1.reference");
1570:                            String message = "EncryptedKeySHA1 reference not correct";
1571:                            throw new XWSSecurityException(message);
1572:                        }
1573:                    } else if (MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE
1574:                            .equals(keyId.getValueType())
1575:                            || MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE
1576:                                    .equals(keyId.getValueType())) {
1577:                        if (isWSITRecipient) {
1578:                            MLSPolicy inferredKB = inferredEncryptionPolicy
1579:                                    .getKeyBinding();
1580:                            IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
1581:                            if (PolicyTypeUtil
1582:                                    .derivedTokenKeyBinding(inferredKB)) {
1583:                                if (((DerivedTokenKeyBinding) inferredKB)
1584:                                        .getOriginalKeyBinding() == null)
1585:                                    ((DerivedTokenKeyBinding) inferredKB)
1586:                                            .setOriginalKeyBinding(itkBinding);
1587:                            }
1588:                        }
1589:
1590:                        String asId = keyId.getReferenceValue();
1591:                        Element assertion = resolveSAMLToken(sectr, asId,
1592:                                context);
1593:                        encKey = resolveSamlAssertion(secureMsg, assertion,
1594:                                true, context, asId);
1595:                        if (context.hasIssuedToken()) {
1596:                            SecurityUtil.initInferredIssuedTokenContext(
1597:                                    context, sectr, encKey);
1598:                        }
1599:                        secret = encKey.getEncoded();
1600:                    } else {
1601:                        log
1602:                                .log(Level.SEVERE,
1603:                                        "WSS0282.unsupported.KeyIdentifier.Reference.DKT");
1604:                        throw new XWSSecurityException(
1605:                                "Unsupported KeyIdentifier Reference " + keyId
1606:                                        + " under DerivedKeyToken");
1607:                    }
1608:                } else {
1609:                    log.log(Level.SEVERE,
1610:                            "WSS0283.unsupported.ReferenceType.DKT");
1611:                    throw new XWSSecurityException("Unsupported ReferenceType "
1612:                            + refElement + " under DerivedKeyToken");
1613:                }
1614:                long length = token.getLength();
1615:                long offset = token.getOffset();
1616:                byte[] nonce = token.getNonce();
1617:                DerivedKeyToken dkt = new DerivedKeyTokenImpl(offset, length,
1618:                        secret, nonce);
1619:                String jceAlgo = SecurityUtil
1620:                        .getSecretKeyAlgorithm(dataEncAlgo);
1621:
1622:                Key returnKey = null;
1623:                try {
1624:                    returnKey = dkt.generateSymmetricKey(jceAlgo);
1625:                } catch (InvalidKeyException ex) {
1626:                    log.log(Level.SEVERE,
1627:                            "WSS0247.failed.resolve.DerivedKeyToken");
1628:                    throw new XWSSecurityException(ex);
1629:                } catch (UnsupportedEncodingException ex) {
1630:                    log.log(Level.SEVERE,
1631:                            "WSS0247.failed.resolve.DerivedKeyToken");
1632:                    throw new XWSSecurityException(ex);
1633:                } catch (NoSuchAlgorithmException ex) {
1634:                    log.log(Level.SEVERE,
1635:                            "WSS0247.failed.resolve.DerivedKeyToken");
1636:                    throw new XWSSecurityException(ex);
1637:                }
1638:                return returnKey;
1639:
1640:            }
1641:
1642:            //TODO: called from KeySelector for Signature Related EncryptedKey Processing
1643:            // clean this up later use a restructured processSecurityTokenReference instead
1644:            public static Key processSTR(KeyInfoHeaderBlock keyInfo,
1645:                    boolean sig, FilterProcessingContext context)
1646:                    throws XWSSecurityException {
1647:                Key returnKey = null;
1648:                HashMap tokenCache = context.getTokenCache();
1649:                SecurableSoapMessage secureMsg = context
1650:                        .getSecurableSoapMessage();
1651:                SecurityTokenReference str = keyInfo
1652:                        .getSecurityTokenReference(0);
1653:                ReferenceElement refElement = str.getReference();
1654:                SignaturePolicy policy = (SignaturePolicy) context
1655:                        .getInferredPolicy();
1656:                SignaturePolicy inferredSignaturePolicy = null;
1657:                boolean isWSITRecipient = (context.getMode() == FilterProcessingContext.WSDL_POLICY);
1658:                try {
1659:                    if (isWSITRecipient) {
1660:                        int i = context.getInferredSecurityPolicy().size() - 1;
1661:                        inferredSignaturePolicy = (SignaturePolicy) context
1662:                                .getInferredSecurityPolicy().get(i);
1663:                    }
1664:                } catch (Exception e) {
1665:                    log.log(Level.SEVERE, "WSS0250.failed.process.STR", e);
1666:                    throw new XWSSecurityException(e);
1667:                }
1668:                // Do a case analysis based on the type of refElement.
1669:                // X509 Token Profile supports 3 kinds of reference mechanisms.
1670:                // Embedded Reference not considered.
1671:                if (refElement instanceof  KeyIdentifier) {
1672:                    KeyIdentifier keyId = (KeyIdentifier) refElement;
1673:
1674:                    if (MessageConstants.X509SubjectKeyIdentifier_NS
1675:                            .equals(keyId.getValueType())
1676:                            || MessageConstants.X509v3SubjectKeyIdentifier_NS
1677:                                    .equals(keyId.getValueType())) {
1678:                        if (policy != null) {
1679:                            AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
1680:                            keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy
1681:                                    .newX509CertificateKeyBinding();
1682:                            keyBinding
1683:                                    .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
1684:                        }
1685:                        if (isWSITRecipient) {
1686:                            MLSPolicy inferredKB = inferredSignaturePolicy
1687:                                    .getKeyBinding();
1688:                            AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1689:                            x509Binding
1690:                                    .setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
1691:                            x509Binding
1692:                                    .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
1693:                            if (inferredKB == null) {
1694:                                inferredSignaturePolicy
1695:                                        .setKeyBinding(x509Binding);
1696:                            } else if (PolicyTypeUtil
1697:                                    .derivedTokenKeyBinding(inferredKB)) {
1698:                                if (((DerivedTokenKeyBinding) inferredKB)
1699:                                        .getOriginalKeyBinding() == null)
1700:                                    ((DerivedTokenKeyBinding) inferredKB)
1701:                                            .setOriginalKeyBinding(x509Binding);
1702:                            }
1703:                        }
1704:                        if (sig) {
1705:                            returnKey = context.getSecurityEnvironment()
1706:                                    .getPublicKey(
1707:                                            context.getExtraneousProperties(),
1708:                                            getDecodedBase64EncodedData(keyId
1709:                                                    .getReferenceValue()));
1710:                        } else {
1711:                            returnKey = context.getSecurityEnvironment()
1712:                                    .getPrivateKey(
1713:                                            context.getExtraneousProperties(),
1714:                                            getDecodedBase64EncodedData(keyId
1715:                                                    .getReferenceValue()));
1716:                        }
1717:
1718:                    } else if (MessageConstants.ThumbPrintIdentifier_NS
1719:                            .equals(keyId.getValueType())) {
1720:                        if (policy != null) {
1721:                            AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
1722:                            keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy
1723:                                    .newX509CertificateKeyBinding();
1724:                            keyBinding
1725:                                    .setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
1726:                        }
1727:                        if (isWSITRecipient) {
1728:                            MLSPolicy inferredKB = inferredSignaturePolicy
1729:                                    .getKeyBinding();
1730:                            AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1731:                            x509Binding
1732:                                    .setValueType(MessageConstants.ThumbPrintIdentifier_NS);
1733:                            x509Binding
1734:                                    .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
1735:                            if (inferredKB == null) {
1736:                                inferredSignaturePolicy
1737:                                        .setKeyBinding(x509Binding);
1738:                            } else if (PolicyTypeUtil
1739:                                    .derivedTokenKeyBinding(inferredKB)) {
1740:                                if (((DerivedTokenKeyBinding) inferredKB)
1741:                                        .getOriginalKeyBinding() == null)
1742:                                    ((DerivedTokenKeyBinding) inferredKB)
1743:                                            .setOriginalKeyBinding(x509Binding);
1744:                            }
1745:                        }
1746:                        if (sig) {
1747:                            returnKey = context.getSecurityEnvironment()
1748:                                    .getPublicKey(
1749:                                            context.getExtraneousProperties(),
1750:                                            getDecodedBase64EncodedData(keyId
1751:                                                    .getReferenceValue()),
1752:                                            MessageConstants.THUMB_PRINT_TYPE);
1753:                        } else {
1754:                            returnKey = context.getSecurityEnvironment()
1755:                                    .getPrivateKey(
1756:                                            context.getExtraneousProperties(),
1757:                                            getDecodedBase64EncodedData(keyId
1758:                                                    .getReferenceValue()),
1759:                                            MessageConstants.THUMB_PRINT_TYPE);
1760:                        }
1761:
1762:                    } else if (MessageConstants.EncryptedKeyIdentifier_NS
1763:                            .equals(keyId.getValueType())) {
1764:                        if (isWSITRecipient) {
1765:                            MLSPolicy inferredKB = inferredSignaturePolicy
1766:                                    .getKeyBinding();
1767:                            SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
1768:                            AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1769:                            skBinding.setKeyBinding(x509Binding);
1770:                            //TODO: ReferenceType and ValueType not set on X509Binding
1771:                            if (inferredKB == null) {
1772:                                inferredSignaturePolicy
1773:                                        .setKeyBinding(skBinding);
1774:                            } else if (PolicyTypeUtil
1775:                                    .derivedTokenKeyBinding(inferredKB)) {
1776:                                if (((DerivedTokenKeyBinding) inferredKB)
1777:                                        .getOriginalKeyBinding() == null)
1778:                                    ((DerivedTokenKeyBinding) inferredKB)
1779:                                            .setOriginalKeyBinding(skBinding);
1780:                            }
1781:                        }
1782:                        String ekSha1RefValue = (String) context
1783:                                .getExtraneousProperty("EncryptedKeySHA1");
1784:                        Key secretKey = (Key) context
1785:                                .getExtraneousProperty("SecretKey");
1786:                        String keyRefValue = keyId.getReferenceValue();
1787:                        if (ekSha1RefValue != null && secretKey != null) {
1788:                            if (ekSha1RefValue.equals(keyRefValue))
1789:                                returnKey = secretKey;
1790:                        } else {
1791:                            log
1792:                                    .log(Level.SEVERE,
1793:                                            "WSS0240.invalid.EncryptedKeySHA1.reference");
1794:                            String message = "EncryptedKeySHA1 reference not correct";
1795:                            throw new XWSSecurityException(message);
1796:                        }
1797:
1798:                    } else if (MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE
1799:                            .equals(keyId.getValueType())
1800:                            || MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE
1801:                                    .equals(keyId.getValueType())) {
1802:                        // Its a SAML Assertion, retrieve the assertion
1803:                        if (policy != null) {
1804:                            AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
1805:                            keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy
1806:                                    .newSAMLAssertionKeyBinding();
1807:                            keyBinding.setReferenceType(keyId.getValueType());
1808:                        }
1809:
1810:                        String assertionID = keyId.getDecodedReferenceValue();
1811:                        Element samlAssertion = resolveSAMLToken(str,
1812:                                assertionID, context);
1813:                        if (isWSITRecipient) {
1814:                            MLSPolicy inferredKB = inferredSignaturePolicy
1815:                                    .getKeyBinding();
1816:                            IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
1817:                            if (inferredKB == null) {
1818:                                if (context.hasIssuedToken()) {
1819:                                    inferredSignaturePolicy
1820:                                            .setKeyBinding(itkBinding);
1821:                                } else {
1822:                                    inferredSignaturePolicy
1823:                                            .setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
1824:                                }
1825:                            } else if (PolicyTypeUtil
1826:                                    .derivedTokenKeyBinding(inferredKB)) {
1827:                                if (((DerivedTokenKeyBinding) inferredKB)
1828:                                        .getOriginalKeyBinding() == null)
1829:                                    ((DerivedTokenKeyBinding) inferredKB)
1830:                                            .setOriginalKeyBinding(itkBinding);
1831:                            }
1832:                        }
1833:                        returnKey = resolveSamlAssertion(secureMsg,
1834:                                samlAssertion, sig, context, assertionID);
1835:                        if (context.hasIssuedToken()) {
1836:                            SecurityUtil.initInferredIssuedTokenContext(
1837:                                    context, str, returnKey);
1838:                        }
1839:
1840:                    } else {
1841:                        if (policy != null) {
1842:                            AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
1843:                            keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy
1844:                                    .newSAMLAssertionKeyBinding();
1845:                        }
1846:                        Element samlAssertion = null;
1847:                        String assertionID = keyId.getDecodedReferenceValue();
1848:                        try {
1849:                            samlAssertion = resolveSAMLToken(str, assertionID,
1850:                                    context);
1851:                        } catch (Exception ex) {
1852:                            //ignore
1853:                        }
1854:                        if (samlAssertion != null) {
1855:                            if (isWSITRecipient) {
1856:                                MLSPolicy inferredKB = inferredSignaturePolicy
1857:                                        .getKeyBinding();
1858:                                IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
1859:                                if (inferredKB == null) {
1860:                                    if (context.hasIssuedToken()) {
1861:                                        inferredSignaturePolicy
1862:                                                .setKeyBinding(itkBinding);
1863:                                    } else {
1864:                                        inferredSignaturePolicy
1865:                                                .setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
1866:                                    }
1867:                                } else if (PolicyTypeUtil
1868:                                        .derivedTokenKeyBinding(inferredKB)) {
1869:                                    if (((DerivedTokenKeyBinding) inferredKB)
1870:                                            .getOriginalKeyBinding() == null)
1871:                                        ((DerivedTokenKeyBinding) inferredKB)
1872:                                                .setOriginalKeyBinding(itkBinding);
1873:                                }
1874:                            }
1875:                            returnKey = resolveSamlAssertion(secureMsg,
1876:                                    samlAssertion, sig, context, assertionID);
1877:                            if (context.hasIssuedToken()) {
1878:                                SecurityUtil.initInferredIssuedTokenContext(
1879:                                        context, str, returnKey);
1880:                            }
1881:                        } else {
1882:                            // now assume its an X509Token
1883:                            // Note: the code below assumes base64 EncodingType for X509 SKI
1884:                            if (isWSITRecipient) {
1885:                                MLSPolicy inferredKB = inferredSignaturePolicy
1886:                                        .getKeyBinding();
1887:                                AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1888:                                x509Binding
1889:                                        .setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
1890:                                x509Binding
1891:                                        .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
1892:                                if (inferredKB == null) {
1893:                                    inferredSignaturePolicy
1894:                                            .setKeyBinding(x509Binding);
1895:                                } else if (PolicyTypeUtil
1896:                                        .derivedTokenKeyBinding(inferredKB)) {
1897:                                    if (((DerivedTokenKeyBinding) inferredKB)
1898:                                            .getOriginalKeyBinding() == null)
1899:                                        ((DerivedTokenKeyBinding) inferredKB)
1900:                                                .setOriginalKeyBinding(x509Binding);
1901:                                }
1902:                            }
1903:                            if (sig) {
1904:                                returnKey = context
1905:                                        .getSecurityEnvironment()
1906:                                        .getPublicKey(
1907:                                                context
1908:                                                        .getExtraneousProperties(),
1909:                                                getDecodedBase64EncodedData(keyId
1910:                                                        .getReferenceValue()));
1911:                            } else {
1912:                                returnKey = context
1913:                                        .getSecurityEnvironment()
1914:                                        .getPrivateKey(
1915:                                                context
1916:                                                        .getExtraneousProperties(),
1917:                                                getDecodedBase64EncodedData(keyId
1918:                                                        .getReferenceValue()));
1919:                            }
1920:                        }
1921:                    }
1922:                } else if (refElement instanceof  DirectReference) {
1923:                    String uri = ((DirectReference) refElement).getURI();
1924:
1925:                    // will be only during verify.
1926:                    AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
1927:                    String valueType = ((DirectReference) refElement)
1928:                            .getValueType();
1929:                    if (MessageConstants.DKT_VALUETYPE.equals(valueType)) {
1930:                        //TODO: this will work for now but need to handle this case here later
1931:                        valueType = null;
1932:                    }
1933:
1934:                    if (policy != null) {
1935:                        keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy
1936:                                .newX509CertificateKeyBinding();
1937:                        keyBinding
1938:                                .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
1939:                        keyBinding.setValueType(valueType);
1940:                    }
1941:
1942:                    if (MessageConstants.X509v3_NS.equals(valueType)
1943:                            || MessageConstants.X509v1_NS.equals(valueType)) {
1944:                        // its an X509 Token
1945:                        HashMap insertedX509Cache = context
1946:                                .getInsertedX509Cache();
1947:                        String wsuId = secureMsg.getIdFromFragmentRef(uri);
1948:                        X509SecurityToken token = (X509SecurityToken) insertedX509Cache
1949:                                .get(wsuId);
1950:                        if (token == null)
1951:                            token = (X509SecurityToken) resolveToken(wsuId,
1952:                                    context, secureMsg);
1953:                        if (isWSITRecipient) {
1954:                            MLSPolicy inferredKB = inferredSignaturePolicy
1955:                                    .getKeyBinding();
1956:                            AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
1957:                            x509Binding
1958:                                    .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
1959:                            x509Binding.setValueType(valueType);
1960:                            if (inferredKB == null) {
1961:                                inferredSignaturePolicy
1962:                                        .setKeyBinding(x509Binding);
1963:                            } else if (PolicyTypeUtil
1964:                                    .derivedTokenKeyBinding(inferredKB)) {
1965:                                if (((DerivedTokenKeyBinding) inferredKB)
1966:                                        .getOriginalKeyBinding() == null)
1967:                                    ((DerivedTokenKeyBinding) inferredKB)
1968:                                            .setOriginalKeyBinding(x509Binding);
1969:                            }
1970:                        }
1971:                        returnKey = resolveX509Token(secureMsg, token, sig,
1972:                                context);
1973:
1974:                    } else if (MessageConstants.EncryptedKey_NS
1975:                            .equals(valueType)) {
1976:                        // Do default processing
1977:                        String wsuId = secureMsg.getIdFromFragmentRef(uri);
1978:                        SecurityToken token = resolveToken(wsuId, context,
1979:                                secureMsg);
1980:                        //TODO: STR is referring to EncryptedKey
1981:                        KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken) token)
1982:                                .getKeyInfo();
1983:                        SecurityTokenReference sectr = kiHB
1984:                                .getSecurityTokenReference(0);
1985:
1986:                        //TODO: PLUGFEST Algorithm hardcoded for now
1987:                        //String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
1988:                        // restore Backward compatibility
1989:                        String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
1990:                        if (context.getAlgorithmSuite() != null) {
1991:                            dataEncAlgo = context.getAlgorithmSuite()
1992:                                    .getEncryptionAlgorithm();
1993:                        } else {
1994:                            if (context.getDataEncryptionAlgorithm() != null) {
1995:                                dataEncAlgo = context
1996:                                        .getDataEncryptionAlgorithm();
1997:                            }
1998:                        }
1999:                        try {
2000:                            Element cipherData = (Element) ((EncryptedKeyToken) token)
2001:                                    .getAsSoapElement()
2002:                                    .getChildElements(
2003:                                            new QName(
2004:                                                    MessageConstants.XENC_NS,
2005:                                                    "CipherData",
2006:                                                    MessageConstants.XENC_PREFIX))
2007:                                    .next();
2008:                            String cipherValue = cipherData
2009:                                    .getElementsByTagNameNS(
2010:                                            MessageConstants.XENC_NS,
2011:                                            "CipherValue").item(0)
2012:                                    .getTextContent();
2013:                            byte[] decodedCipher = Base64.decode(cipherValue);
2014:                            byte[] ekSha1 = MessageDigest.getInstance("SHA-1")
2015:                                    .digest(decodedCipher);
2016:                            String encEkSha1 = Base64.encode(ekSha1);
2017:                            context.setExtraneousProperty(
2018:                                    MessageConstants.EK_SHA1_VALUE, encEkSha1);
2019:                        } catch (Exception e) {
2020:                            log.log(Level.SEVERE,
2021:                                    "WSS0241.unableto.set.EKSHA1.OnContext", e);
2022:                            throw new XWSSecurityException(e);
2023:                        }
2024:                        if (isWSITRecipient) {
2025:                            MLSPolicy inferredKB = inferredSignaturePolicy
2026:                                    .getKeyBinding();
2027:                            SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
2028:                            AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
2029:                            skBinding.setKeyBinding(x509Binding);
2030:                            //TODO: ReferenceType and ValueType not set on X509Binding
2031:                            if (inferredKB == null) {
2032:                                inferredSignaturePolicy
2033:                                        .setKeyBinding(skBinding);
2034:                            } else if (PolicyTypeUtil
2035:                                    .derivedTokenKeyBinding(inferredKB)) {
2036:                                if (((DerivedTokenKeyBinding) inferredKB)
2037:                                        .getOriginalKeyBinding() == null)
2038:                                    ((DerivedTokenKeyBinding) inferredKB)
2039:                                            .setOriginalKeyBinding(skBinding);
2040:                            }
2041:                        }
2042:                        returnKey = ((EncryptedKeyToken) token).getSecretKey(
2043:                                getKey(kiHB, sig, context), dataEncAlgo);
2044:                        context.setExtraneousProperty(
2045:                                MessageConstants.SECRET_KEY_VALUE, returnKey);
2046:
2047:                    } else if (MessageConstants.SCT_VALUETYPE.equals(valueType)) {
2048:                        // could be wsuId or SCT Session Id
2049:                        String sctId = secureMsg.getIdFromFragmentRef(uri);
2050:                        SecurityToken token = (SecurityToken) tokenCache
2051:                                .get(sctId);
2052:
2053:                        if (token == null) {
2054:                            token = SecurityUtil.locateBySCTId(context, uri);
2055:                            if (token == null) {
2056:                                token = resolveToken(sctId, context, secureMsg);
2057:                            }
2058:                            if (token == null) {
2059:                                log.log(Level.SEVERE,
2060:                                        "WSS0242.unableto.locate.SCT");
2061:                                throw new XWSSecurityException(
2062:                                        "SCT Token with Id " + sctId
2063:                                                + "not found");
2064:                            } else {
2065:                                tokenCache.put(sctId, token);
2066:                            }
2067:                        }
2068:
2069:                        if (token instanceof  SecurityContextToken) {
2070:                            //handling for SecurityContext Token
2071:                            byte[] proofKey = resolveSCT(context,
2072:                                    (SecurityContextTokenImpl) token, sig);
2073:                            String encAlgo = "AES"; //hardcoding for now
2074:                            if (context.getAlgorithmSuite() != null) {
2075:                                encAlgo = SecurityUtil
2076:                                        .getSecretKeyAlgorithm(context
2077:                                                .getAlgorithmSuite()
2078:                                                .getEncryptionAlgorithm());
2079:                            }
2080:                            if (isWSITRecipient) {
2081:                                MLSPolicy inferredKB = inferredSignaturePolicy
2082:                                        .getKeyBinding();
2083:                                SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
2084:                                if (inferredKB == null) {
2085:                                    inferredSignaturePolicy
2086:                                            .setKeyBinding(sctBinding);
2087:                                } else if (PolicyTypeUtil
2088:                                        .derivedTokenKeyBinding(inferredKB)) {
2089:                                    if (((DerivedTokenKeyBinding) inferredKB)
2090:                                            .getOriginalKeyBinding() == null)
2091:                                        ((DerivedTokenKeyBinding) inferredKB)
2092:                                                .setOriginalKeyBinding(sctBinding);
2093:                                }
2094:                            }
2095:                            returnKey = new SecretKeySpec(proofKey, encAlgo);
2096:
2097:                        } else {
2098:                            log.log(Level.SEVERE,
2099:                                    "WSS0243.invalid.valueType.NonSCTToken");
2100:                            throw new XWSSecurityException(
2101:                                    "Incorrect ValueType: "
2102:                                            + MessageConstants.SCT_VALUETYPE
2103:                                            + ", specified for a Non SCT Token");
2104:                        }
2105:
2106:                    } else if (null == valueType) {
2107:                        // Do default processing
2108:                        String wsuId = secureMsg.getIdFromFragmentRef(uri);
2109:                        SecurityToken token = SecurityUtil.locateBySCTId(
2110:                                context, wsuId);
2111:                        if (token == null) {
2112:                            token = resolveToken(wsuId, context, secureMsg);
2113:                        }
2114:                        if (token instanceof  X509SecurityToken) {
2115:                            if (isWSITRecipient) {
2116:                                MLSPolicy inferredKB = inferredSignaturePolicy
2117:                                        .getKeyBinding();
2118:                                AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
2119:                                x509Binding
2120:                                        .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
2121:                                if (inferredKB == null) {
2122:                                    inferredSignaturePolicy
2123:                                            .setKeyBinding(x509Binding);
2124:                                } else if (PolicyTypeUtil
2125:                                        .derivedTokenKeyBinding(inferredKB)) {
2126:                                    if (((DerivedTokenKeyBinding) inferredKB)
2127:                                            .getOriginalKeyBinding() == null)
2128:                                        ((DerivedTokenKeyBinding) inferredKB)
2129:                                                .setOriginalKeyBinding(x509Binding);
2130:                                }
2131:                            }
2132:                            returnKey = resolveX509Token(secureMsg,
2133:                                    (X509SecurityToken) token, sig, context);
2134:                        } else if (token instanceof  EncryptedKeyToken) {
2135:                            //TODO: STR is referring to EncryptedKey
2136:                            KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken) token)
2137:                                    .getKeyInfo();
2138:                            SecurityTokenReference sectr = kiHB
2139:                                    .getSecurityTokenReference(0);
2140:                            ReferenceElement refElem = sectr.getReference();
2141:                            String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
2142:                            //restoring BC
2143:                            //String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
2144:                            if (context.getAlgorithmSuite() != null) {
2145:                                dataEncAlgo = context.getAlgorithmSuite()
2146:                                        .getEncryptionAlgorithm();
2147:                            } else {
2148:                                if (context.getDataEncryptionAlgorithm() != null) {
2149:                                    dataEncAlgo = context
2150:                                            .getDataEncryptionAlgorithm();
2151:                                }
2152:                            }
2153:                            try {
2154:                                Element cipherData = (Element) ((EncryptedKeyToken) token)
2155:                                        .getAsSoapElement()
2156:                                        .getChildElements(
2157:                                                new QName(
2158:                                                        MessageConstants.XENC_NS,
2159:                                                        "CipherData",
2160:                                                        MessageConstants.XENC_PREFIX))
2161:                                        .next();
2162:                                String cipherValue = cipherData
2163:                                        .getElementsByTagNameNS(
2164:                                                MessageConstants.XENC_NS,
2165:                                                "CipherValue").item(0)
2166:                                        .getTextContent();
2167:                                byte[] decodedCipher = Base64
2168:                                        .decode(cipherValue);
2169:                                byte[] ekSha1 = MessageDigest.getInstance(
2170:                                        "SHA-1").digest(decodedCipher);
2171:                                String encEkSha1 = Base64.encode(ekSha1);
2172:                                context.setExtraneousProperty(
2173:                                        MessageConstants.EK_SHA1_VALUE,
2174:                                        encEkSha1);
2175:                            } catch (Exception e) {
2176:                                log
2177:                                        .log(
2178:                                                Level.SEVERE,
2179:                                                "WSS0241.unableto.set.EKSHA1.OnContext",
2180:                                                e);
2181:                                throw new XWSSecurityException(e);
2182:                            }
2183:                            if (isWSITRecipient) {
2184:                                MLSPolicy inferredKB = inferredSignaturePolicy
2185:                                        .getKeyBinding();
2186:                                SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
2187:                                AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
2188:                                skBinding.setKeyBinding(x509Binding);
2189:                                //TODO: ReferenceType and ValueType not set on X509Binding
2190:                                if (inferredKB == null) {
2191:                                    inferredSignaturePolicy
2192:                                            .setKeyBinding(skBinding);
2193:                                } else if (PolicyTypeUtil
2194:                                        .derivedTokenKeyBinding(inferredKB)) {
2195:                                    if (((DerivedTokenKeyBinding) inferredKB)
2196:                                            .getOriginalKeyBinding() == null)
2197:                                        ((DerivedTokenKeyBinding) inferredKB)
2198:                                                .setOriginalKeyBinding(skBinding);
2199:                                }
2200:                            }
2201:                            returnKey = ((EncryptedKeyToken) token)
2202:                                    .getSecretKey(getKey(kiHB, sig, context),
2203:                                            dataEncAlgo);
2204:                            context.setExtraneousProperty(
2205:                                    MessageConstants.SECRET_KEY_VALUE,
2206:                                    returnKey);
2207:
2208:                        } else if (token instanceof  SecurityContextToken) {
2209:                            //handling for SecurityContext Token
2210:                            byte[] proofKey = resolveSCT(context,
2211:                                    (SecurityContextTokenImpl) token, sig);
2212:                            String encAlgo = "AES"; //default algo
2213:                            if (context.getAlgorithmSuite() != null) {
2214:                                encAlgo = SecurityUtil
2215:                                        .getSecretKeyAlgorithm(context
2216:                                                .getAlgorithmSuite()
2217:                                                .getEncryptionAlgorithm());
2218:                            }
2219:                            if (isWSITRecipient) {
2220:                                MLSPolicy inferredKB = inferredSignaturePolicy
2221:                                        .getKeyBinding();
2222:                                SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
2223:                                if (inferredKB == null) {
2224:                                    inferredSignaturePolicy
2225:                                            .setKeyBinding(sctBinding);
2226:                                } else if (PolicyTypeUtil
2227:                                        .derivedTokenKeyBinding(inferredKB)) {
2228:                                    if (((DerivedTokenKeyBinding) inferredKB)
2229:                                            .getOriginalKeyBinding() == null)
2230:                                        ((DerivedTokenKeyBinding) inferredKB)
2231:                                                .setOriginalKeyBinding(sctBinding);
2232:                                }
2233:                            }
2234:                            returnKey = new SecretKeySpec(proofKey, encAlgo);
2235:
2236:                        } else if (token instanceof  DerivedKeyTokenHeaderBlock) {
2237:                            if (isWSITRecipient) {
2238:                                MLSPolicy inferredKB = inferredSignaturePolicy
2239:                                        .getKeyBinding();
2240:                                DerivedTokenKeyBinding dtkBinding = new DerivedTokenKeyBinding();
2241:                                if (inferredKB == null) {
2242:                                    inferredSignaturePolicy
2243:                                            .setKeyBinding(dtkBinding);
2244:                                } else {
2245:                                    log.log(Level.SEVERE,
2246:                                            "WSS0244.invalid.level.DKT");
2247:                                    throw new XWSSecurityException(
2248:                                            "A derived Key Token should be a top level key binding");
2249:                                }
2250:                            }
2251:                            returnKey = resolveDKT(context,
2252:                                    (DerivedKeyTokenHeaderBlock) token);
2253:                        } else {
2254:                            String message = " Cannot Resolve URI " + uri;
2255:                            log.log(Level.SEVERE,
2256:                                    "WSS0337.unsupported.directref.mechanism",
2257:                                    new Object[] { message });
2258:                            XWSSecurityException xwsse = new XWSSecurityException(
2259:                                    message);
2260:                            throw SecurableSoapMessage
2261:                                    .newSOAPFaultException(
2262:                                            MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE,
2263:                                            xwsse.getMessage(), xwsse);
2264:                        }
2265:                    } else {
2266:                        log.log(Level.SEVERE,
2267:                                "WSS0337.unsupported.directref.mechanism",
2268:                                new Object[] { ((DirectReference) refElement)
2269:                                        .getValueType() });
2270:                        XWSSecurityException xwsse = new XWSSecurityException(
2271:                                "unsupported directreference ValueType "
2272:                                        + ((DirectReference) refElement)
2273:                                                .getValueType());
2274:                        throw SecurableSoapMessage.newSOAPFaultException(
2275:                                MessageConstants.WSSE_INVALID_SECURITY_TOKEN,
2276:                                xwsse.getMessage(), xwsse);
2277:                    }
2278:                } else if (refElement instanceof  X509IssuerSerial) {
2279:                    BigInteger serialNumber = ((X509IssuerSerial) refElement)
2280:                            .getSerialNumber();
2281:                    String issuerName = ((X509IssuerSerial) refElement)
2282:                            .getIssuerName();
2283:
2284:                    if (isWSITRecipient) {
2285:                        MLSPolicy inferredKB = inferredSignaturePolicy
2286:                                .getKeyBinding();
2287:                        AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
2288:                        x509Binding
2289:                                .setReferenceType(MessageConstants.X509_ISSUER_TYPE);
2290:                        if (inferredKB == null) {
2291:                            inferredSignaturePolicy.setKeyBinding(x509Binding);
2292:                        } else if (PolicyTypeUtil
2293:                                .derivedTokenKeyBinding(inferredKB)) {
2294:                            if (((DerivedTokenKeyBinding) inferredKB)
2295:                                    .getOriginalKeyBinding() == null)
2296:                                ((DerivedTokenKeyBinding) inferredKB)
2297:                                        .setOriginalKeyBinding(x509Binding);
2298:                        }
2299:                    }
2300:                    if (sig) {
2301:                        returnKey = context.getSecurityEnvironment()
2302:                                .getPublicKey(
2303:                                        context.getExtraneousProperties(),
2304:                                        serialNumber, issuerName);
2305:                    } else {
2306:                        returnKey = context.getSecurityEnvironment()
2307:                                .getPrivateKey(
2308:                                        context.getExtraneousProperties(),
2309:                                        serialNumber, issuerName);
2310:                    }
2311:                } else {
2312:                    log.log(Level.SEVERE,
2313:                            "WSS0338.unsupported.reference.mechanism");
2314:                    XWSSecurityException xwsse = new XWSSecurityException(
2315:                            "Key reference mechanism not supported");
2316:                    throw SecurableSoapMessage.newSOAPFaultException(
2317:                            MessageConstants.WSSE_UNSUPPORTED_SECURITY_TOKEN,
2318:                            xwsse.getMessage(), xwsse);
2319:                }
2320:                return returnKey;
2321:            }
2322:        }
www.java2java.com | Contact Us
Copyright 2009 - 12 Demo Source and Support. All rights reserved.
All other trademarks are property of their respective owners.