SecurityUtil.checkIncludeTokenPolicy(context, x509Binding, x509id);
referenceType = x509Binding.getReferenceType();
strategy = KeyInfoStrategy.getInstance(referenceType);
X509SecurityToken token = null;
cert = x509Binding.getX509Certificate();
String x509TokenId = x509Binding.getUUID();
//Check to see if same x509 token used for Signature and Encryption
boolean tokenInserted = false;
if(x509TokenId == null || x509TokenId.equals("")){
x509TokenId = secureMessage.generateId();
}
// ReferenceType adjustment in checkIncludeTokenPolicy is also currently
// causing an insertion of the X509 into the Message
X509SecurityToken insertedx509 =
(X509SecurityToken)context.getInsertedX509Cache().get(x509TokenId);
// this one is used to determine if the whole BST + EK + DKT(opt)
// has been inserted by another filter such as Encryption running before
token = (X509SecurityToken)tokenCache.get(x509TokenId);
if (token == null) {
if (insertedx509 != null) {
token = insertedx509;
tokenCache.put(x509TokenId, insertedx509);
} else {
String valueType = x509Binding.getValueType();
if(valueType==null||valueType.equals("")){
//default valueType for X509 as v3
valueType = MessageConstants.X509v3_NS;
}
token = new X509SecurityToken(secureMessage.getSOAPPart(), cert, x509TokenId, valueType);
tokenCache.put(x509TokenId, token);
}
context.setCurrentSecret(originalKey);
} else{
tokenInserted = true;
}
String dktId = keyBinding.getUUID();
if (dktId == null) {
dktId = secureMessage.generateId();
}
String nonce = Base64.encode(dkt.getNonce());
HashMap ekCache = context.getEncryptedKeyCache();
String ekId = (String)ekCache.get(x509TokenId);
EncryptedKey encryptedKey = null;
XMLCipher keyEncryptor = null;
if(!tokenInserted){
//Store SymmetricKey generated in ProcessingContext
context.setExtraneousProperty("SecretKey", originalKey); //this is the originalKey
//keyinfo for encryptedKey
keyInfoBlock = new KeyInfoHeaderBlock(secureMessage.getSOAPPart());
strategy.setCertificate(cert);
strategy.insertKey(keyInfoBlock, secureMessage, x509TokenId);
com.sun.org.apache.xml.internal.security.keys.KeyInfo apacheKeyInfo = keyInfoBlock.getKeyInfo();
//create an encrypted Key --- it encrypts the original key
try{
keyEncryptor = XMLCipher.getInstance(keyEncAlgo);
keyEncryptor.init(XMLCipher.WRAP_MODE, cert.getPublicKey());
if (keyEncryptor != null) {
encryptedKey = keyEncryptor.encryptKey(secureMessage.getSOAPPart(), originalKey);
}
}catch(Exception e){
logger.log(Level.SEVERE, LogStringsMessages.WSS_1335_UNSUPPORTED_KEYBINDING_SIGNATUREPOLICY());
throw new XWSSecurityException(e);
}
ekId = secureMessage.generateId();
ekCache.put(x509TokenId, ekId);
encryptedKey.setId(ekId);
// set its KeyInfo
encryptedKey.setKeyInfo(apacheKeyInfo);
}
//STR for DerivedKeyToken
SecurityTokenReference tokenRef = new SecurityTokenReference(secureMessage.getSOAPPart());
DirectReference reference = new DirectReference();
//TODO: PLUGFEST commenting this as Microsoft puts Value type on reference itself
//tokenRef.setTokenType(MessageConstants.EncryptedKey_NS);
//set id of encrypted key in STR of DKT
reference.setValueType(MessageConstants.EncryptedKey_NS);
reference.setURI("#"+ekId);
tokenRef.setReference(reference);
DerivedKeyTokenHeaderBlock dktHeadrBlock =
new DerivedKeyTokenHeaderBlock(securityHeader.getOwnerDocument(), tokenRef, nonce, dkt.getOffset(), dkt.getLength() ,dktId);
if(!tokenInserted){
Node nsX509 = null;
if (insertedx509 != null) {
nsX509 = insertedx509.getNextSibling();
}
// move DKT below X509 if present
if (nsX509 == null) {
secureMessage.findOrCreateSecurityHeader().insertHeaderBlock(dktHeadrBlock);
} else {
secureMessage.findOrCreateSecurityHeader().insertBefore(dktHeadrBlock, nsX509);
}
// move EK above DKT but below X509
if (insertedx509 != null) {
nsX509 = insertedx509.getNextSibling();
}
// insert the EK into the SOAPMessage - this goes on top of DKT Header block
SOAPElement se = (SOAPElement)keyEncryptor.martial(encryptedKey);
if (nsX509 == null) {