boolean sig, FilterProcessingContext context)throws XWSSecurityException{
Key returnKey = null;
HashMap tokenCache = context.getTokenCache();
SecurableSoapMessage secureMsg = context.getSecurableSoapMessage();
SecurityTokenReference str = keyInfo.getSecurityTokenReference(0);
ReferenceElement refElement = str.getReference();
SignaturePolicy policy = (SignaturePolicy)context.getInferredPolicy();
SignaturePolicy inferredSignaturePolicy = null;
boolean isWSITRecipient = (context.getMode()== FilterProcessingContext.WSDL_POLICY);
try{
if(isWSITRecipient){
int i = context.getInferredSecurityPolicy().size() - 1;
inferredSignaturePolicy = (SignaturePolicy)context.getInferredSecurityPolicy().get(i);
}
} catch(Exception e){
log.log(Level.SEVERE, LogStringsMessages.WSS_0250_FAILED_PROCESS_STR(), e);
throw new XWSSecurityException(e);
}
// Do a case analysis based on the type of refElement.
// X509 Token Profile supports 3 kinds of reference mechanisms.
// Embedded Reference not considered.
if (refElement instanceof KeyIdentifier) {
KeyIdentifier keyId = (KeyIdentifier)refElement;
if (MessageConstants.X509SubjectKeyIdentifier_NS.equals(keyId.getValueType()) ||
MessageConstants.X509v3SubjectKeyIdentifier_NS.equals(keyId.getValueType())) {
if(policy != null){
AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy.newX509CertificateKeyBinding();
keyBinding.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
}
if(isWSITRecipient){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
x509Binding.setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
x509Binding.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(x509Binding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
}
}
if (sig) {
returnKey =
context.getSecurityEnvironment().getPublicKey(context.getExtraneousProperties(),
getDecodedBase64EncodedData(keyId.getReferenceValue()));
} else {
returnKey =
context.getSecurityEnvironment().getPrivateKey(context.getExtraneousProperties(),
getDecodedBase64EncodedData(keyId.getReferenceValue()));
}
} else if (MessageConstants.ThumbPrintIdentifier_NS.equals(keyId.getValueType())) {
if(policy != null){
AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy.newX509CertificateKeyBinding();
keyBinding.setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
}
if(isWSITRecipient){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
x509Binding.setValueType(MessageConstants.ThumbPrintIdentifier_NS);
x509Binding.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(x509Binding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
}
}
if (sig) {
returnKey =
context.getSecurityEnvironment().getPublicKey(
context.getExtraneousProperties(),
getDecodedBase64EncodedData(keyId.getReferenceValue()),
MessageConstants.THUMB_PRINT_TYPE
);
} else {
returnKey =
context.getSecurityEnvironment().getPrivateKey(
context.getExtraneousProperties(),
getDecodedBase64EncodedData(keyId.getReferenceValue()),
MessageConstants.THUMB_PRINT_TYPE
);
}
} else if(MessageConstants.EncryptedKeyIdentifier_NS.equals(keyId.getValueType())){
if(isWSITRecipient){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
skBinding.setKeyBinding(x509Binding);
//TODO: ReferenceType and ValueType not set on X509Binding
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(skBinding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(skBinding);
}
}
String ekSha1RefValue = (String)context.getExtraneousProperty("EncryptedKeySHA1");
Key secretKey = (Key)context.getExtraneousProperty("SecretKey");
String keyRefValue = keyId.getReferenceValue();
if(ekSha1RefValue != null && secretKey != null){
if(ekSha1RefValue.equals(keyRefValue))
returnKey = secretKey;
} else{
log.log(Level.SEVERE, LogStringsMessages.WSS_0240_INVALID_ENCRYPTED_KEY_SHA_1_REFERENCE());
String message = "EncryptedKeySHA1 reference not correct";
throw new XWSSecurityException(message);
}
} else if (MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE.equals(keyId.getValueType()) ||
MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE.equals(keyId.getValueType())) {
// Its a SAML Assertion, retrieve the assertion
if(policy != null){
AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy.newSAMLAssertionKeyBinding();
keyBinding.setReferenceType(keyId.getValueType());
}
String assertionID = keyId.getDecodedReferenceValue();
Element samlAssertion = resolveSAMLToken(str, assertionID,context);
if(isWSITRecipient){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
if(inferredKB == null){
if (context.hasIssuedToken()){
inferredSignaturePolicy.setKeyBinding(itkBinding);
}else{
inferredSignaturePolicy.setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
}
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(itkBinding);
}
}
returnKey = resolveSamlAssertion(secureMsg,samlAssertion, sig,context, assertionID);
if (context.hasIssuedToken() && returnKey != null){
SecurityUtil.initInferredIssuedTokenContext(context,str, returnKey);
}
} else {
if(policy != null){
AuthenticationTokenPolicy.SAMLAssertionBinding keyBinding = null;
keyBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) policy.newSAMLAssertionKeyBinding();
}
Element samlAssertion = null;
String assertionID = keyId.getDecodedReferenceValue();
try{
samlAssertion = resolveSAMLToken(str, assertionID,context);
}catch(Exception ex){
//ignore
}
if (samlAssertion != null) {
if(isWSITRecipient){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
if(inferredKB == null){
if (context.hasIssuedToken()){
inferredSignaturePolicy.setKeyBinding(itkBinding);
}else{
inferredSignaturePolicy.setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
}
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(itkBinding);
}
}
returnKey = resolveSamlAssertion(secureMsg,samlAssertion, sig,context, assertionID);
if (context.hasIssuedToken() && returnKey != null){
SecurityUtil.initInferredIssuedTokenContext(context,str, returnKey);
}
} else {
// now assume its an X509Token
// Note: the code below assumes base64 EncodingType for X509 SKI
if(isWSITRecipient){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
x509Binding.setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
x509Binding.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(x509Binding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
}
}
if (sig) {
returnKey =
context.getSecurityEnvironment().getPublicKey(context.getExtraneousProperties(),
getDecodedBase64EncodedData(keyId.getReferenceValue()));
} else {
returnKey =
context.getSecurityEnvironment().getPrivateKey(context.getExtraneousProperties(),
getDecodedBase64EncodedData(keyId.getReferenceValue()));
}
}
}
} else if (refElement instanceof DirectReference) {
String uri = ((DirectReference) refElement).getURI();
// will be only during verify.
AuthenticationTokenPolicy.X509CertificateBinding keyBinding = null;
String valueType = ((DirectReference) refElement).getValueType();
if (MessageConstants.DKT_VALUETYPE.equals(valueType) ||
MessageConstants.DKT_13_VALUETYPE.equals(valueType)){
//TODO: this will work for now but need to handle this case here later
valueType = null;
}
if(policy != null){
keyBinding = (AuthenticationTokenPolicy.X509CertificateBinding) policy.newX509CertificateKeyBinding();
keyBinding.setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
keyBinding.setValueType(valueType);
}
if (MessageConstants.X509v3_NS.equals(valueType)||MessageConstants.X509v1_NS.equals(valueType)) {
// its an X509 Token
HashMap insertedX509Cache = context.getInsertedX509Cache();
String wsuId = secureMsg.getIdFromFragmentRef(uri);
X509SecurityToken token = (X509SecurityToken)insertedX509Cache.get(wsuId);
if(token == null)
token =(X509SecurityToken)resolveToken(wsuId,context,secureMsg);
if(isWSITRecipient){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
x509Binding.setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
x509Binding.setValueType(valueType);
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(x509Binding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
}
}
returnKey = resolveX509Token(secureMsg, token, sig,context);
} else if(MessageConstants.EncryptedKey_NS.equals(valueType)){
// Do default processing
String wsuId = secureMsg.getIdFromFragmentRef(uri);
SecurityToken token =resolveToken(wsuId,context,secureMsg);
//TODO: STR is referring to EncryptedKey
KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken)token).getKeyInfo();
SecurityTokenReference sectr = kiHB.getSecurityTokenReference(0);
//TODO: PLUGFEST Algorithm hardcoded for now
//String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
// restore Backward compatibility
String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
if (context.getAlgorithmSuite() != null) {
dataEncAlgo = context.getAlgorithmSuite().getEncryptionAlgorithm();
}else{
if (context.getDataEncryptionAlgorithm() != null){
dataEncAlgo = context.getDataEncryptionAlgorithm();
}
}
try{
Element cipherData = (Element)((EncryptedKeyToken)token).getAsSoapElement().getChildElements(new QName(MessageConstants.XENC_NS, "CipherData", MessageConstants.XENC_PREFIX)).next();
String cipherValue = cipherData.getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent();
byte[] decodedCipher = Base64.decode(cipherValue);
byte[] ekSha1 = MessageDigest.getInstance("SHA-1").digest(decodedCipher);
String encEkSha1 = Base64.encode(ekSha1);
context.setExtraneousProperty(MessageConstants.EK_SHA1_VALUE, encEkSha1);
} catch(Exception e){
log.log(Level.SEVERE, LogStringsMessages.WSS_0241_UNABLETO_SET_EKSHA_1_ON_CONTEXT(), e);
throw new XWSSecurityException(e);
}
if(isWSITRecipient){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
skBinding.setKeyBinding(x509Binding);
//TODO: ReferenceType and ValueType not set on X509Binding
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(skBinding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(skBinding);
}
}
returnKey = ((EncryptedKeyToken)token).getSecretKey(getKey(kiHB, sig, context), dataEncAlgo);
context.setExtraneousProperty(MessageConstants.SECRET_KEY_VALUE, returnKey);
} else if (MessageConstants.SCT_VALUETYPE.equals(valueType) || MessageConstants.SCT_13_VALUETYPE.equals(valueType)) {
// could be wsuId or SCT Session Id
String sctId = secureMsg.getIdFromFragmentRef(uri);
SecurityToken token = (SecurityToken)tokenCache.get(sctId);
if(token == null){
token = SecurityUtil.locateBySCTId(context, uri);
if (token == null) {
token = resolveToken(sctId, context, secureMsg);
}
if(token == null){
log.log(Level.SEVERE, LogStringsMessages.WSS_0242_UNABLETO_LOCATE_SCT());
throw new XWSSecurityException("SCT Token with Id "+sctId+ "not found");
}else{
tokenCache.put(sctId, token);
}
}
if (token instanceof SecurityContextToken) {
//handling for SecurityContext Token
byte[] proofKey = resolveSCT(context, (SecurityContextTokenImpl)token, sig);
String encAlgo = "AES"; //hardcoding for now
if (context.getAlgorithmSuite() != null) {
encAlgo = SecurityUtil.getSecretKeyAlgorithm(context.getAlgorithmSuite().getEncryptionAlgorithm());
}
if(isWSITRecipient){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(sctBinding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(sctBinding);
}
}
returnKey = new SecretKeySpec(proofKey, encAlgo);
} else {
log.log(Level.SEVERE, LogStringsMessages.WSS_0243_INVALID_VALUE_TYPE_NON_SCT_TOKEN());
throw new XWSSecurityException("Incorrect ValueType: " + MessageConstants.SCT_VALUETYPE + ", specified for a Non SCT Token");
}
} else if (null == valueType) {
// Do default processing
String wsuId = secureMsg.getIdFromFragmentRef(uri);
SecurityToken token = SecurityUtil.locateBySCTId(context, wsuId);
if (token == null) {
token =resolveToken(wsuId,context,secureMsg);
}
if (token instanceof X509SecurityToken) {
if(isWSITRecipient){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
x509Binding.setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(x509Binding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
}
}
returnKey = resolveX509Token(secureMsg, (X509SecurityToken)token, sig,context);
} else if (token instanceof EncryptedKeyToken) {
//TODO: STR is referring to EncryptedKey
KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken)token).getKeyInfo();
SecurityTokenReference sectr = kiHB.getSecurityTokenReference(0);
ReferenceElement refElem = sectr.getReference();
String dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
//restoring BC
//String dataEncAlgo = MessageConstants.AES_BLOCK_ENCRYPTION_128;
if (context.getAlgorithmSuite() != null) {
dataEncAlgo = context.getAlgorithmSuite().getEncryptionAlgorithm();