if (MessageConstants.X509SubjectKeyIdentifier_NS.equals(keyId.getValueType()) ||
MessageConstants.X509v3SubjectKeyIdentifier_NS.equals(keyId.getValueType())) {
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
x509Binding.setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
x509Binding.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(x509Binding);
} else if(PolicyTypeUtil.symmetricKeyBinding(inferredKB)){
((SymmetricKeyBinding)inferredKB).setKeyBinding(x509Binding);
isSymmetric = true;
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding)inferredKB;
if(dktBind.getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
else if(PolicyTypeUtil.symmetricKeyBinding(dktBind.getOriginalKeyBinding())){
dktBind.getOriginalKeyBinding().setKeyBinding(x509Binding);
isSymmetric = true;
}
}
}
if (purpose == Purpose.VERIFY) {
byte[] keyIdBytes = XMLUtil.getDecodedBase64EncodedData(keyId.getReferenceValue());
wssContext.setExtraneousProperty(MessageConstants.REQUESTER_KEYID, new String(keyIdBytes));
// add missing update to other party certificate
X509Certificate cert = wssContext.getSecurityEnvironment().getCertificate(
wssContext.getExtraneousProperties(),keyIdBytes);
if (!isSymmetric) {
wssContext.getSecurityEnvironment().updateOtherPartySubject(
DefaultSecurityEnvironmentImpl.getSubject(wssContext), cert);
}
returnKey = cert.getPublicKey();
} else if(purpose == Purpose.SIGN){
returnKey =wssContext.getSecurityEnvironment().getPrivateKey(
wssContext.getExtraneousProperties(),
XMLUtil.getDecodedBase64EncodedData(keyId.getReferenceValue()));
}
} else if (MessageConstants.ThumbPrintIdentifier_NS.equals(keyId.getValueType())) {
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
x509Binding.setValueType(MessageConstants.ThumbPrintIdentifier_NS);
x509Binding.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(x509Binding);
} else if(PolicyTypeUtil.symmetricKeyBinding(inferredKB)){
((SymmetricKeyBinding)inferredKB).setKeyBinding(x509Binding);
isSymmetric = true;
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding)inferredKB;
if(dktBind.getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
else if(PolicyTypeUtil.symmetricKeyBinding(dktBind.getOriginalKeyBinding())){
dktBind.getOriginalKeyBinding().setKeyBinding(x509Binding);
isSymmetric = true;
}
}
}
if (purpose == Purpose.VERIFY) {
byte[] keyIdBytes = XMLUtil.getDecodedBase64EncodedData(keyId.getReferenceValue());
wssContext.setExtraneousProperty(MessageConstants.REQUESTER_KEYID, new String(keyIdBytes));
//update other party subject
X509Certificate cert = wssContext.getSecurityEnvironment().getCertificate(
wssContext.getExtraneousProperties(),keyIdBytes, MessageConstants.THUMB_PRINT_TYPE);
if (!isSymmetric) {
wssContext.getSecurityEnvironment().updateOtherPartySubject(
DefaultSecurityEnvironmentImpl.getSubject(wssContext), cert);
}
returnKey = cert.getPublicKey();
} else if(purpose == Purpose.SIGN){
returnKey =wssContext.getSecurityEnvironment().getPrivateKey(
wssContext.getExtraneousProperties(),
XMLUtil.getDecodedBase64EncodedData(keyId.getReferenceValue()), MessageConstants.THUMB_PRINT_TYPE);
}
}else if (MessageConstants.EncryptedKeyIdentifier_NS.equals(keyId.getValueType())){
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
x509Binding.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
skBinding.setKeyBinding(x509Binding);
//TODO: ReferenceType and ValueType not set on X509Binding
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(skBinding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(skBinding);
}
}
//Set return key here
String ekSha1RefValue = (String)wssContext.getExtraneousProperty("EncryptedKeySHA1");
Key secretKey = (Key)wssContext.getExtraneousProperty("SecretKey");
String keyRefValue = keyId.getReferenceValue();
if(ekSha1RefValue != null && secretKey != null){
if(ekSha1RefValue.equals(keyRefValue))
returnKey = secretKey;
}else{
String message = "EncryptedKeySHA1 reference not correct";
logger.log(Level.SEVERE,LogStringsMessages.WSS_1306_UNSUPPORTED_KEY_IDENTIFIER_REFERENCE_TYPE(), new Object[] {message});
throw new KeySelectorException(message);
}
//returnKey = null;
} else if (MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE.equals(keyId.getValueType()) ||
MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE.equals (keyId.getValueType ())) {
String assertionID = keyId.getReferenceValue();
Element tokenElement = wssContext.getIssuedSAMLToken();
if (tokenElement == null) {
Assertion samlAssertion = (Assertion)tokenCache.get(assertionID);
if (samlAssertion == null) {
if (str.getSamlAuthorityBinding() != null) {
tokenElement = wssContext.getSecurityEnvironment().
locateSAMLAssertion(
wssContext.getExtraneousProperties(), str.getSamlAuthorityBinding(), assertionID, secureMsg.getSOAPPart());
} else {
tokenElement = SAMLUtil.locateSamlAssertion(assertionID,secureMsg.getSOAPPart());
if (!("true".equals((String)wssContext.getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED))) ||
"false".equals((String)wssContext.getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED))){
wssContext.setExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED,"false");
}
}
} else {
try {
tokenElement = samlAssertion.toElement(null);
} catch (Exception e) {
logger.log(Level.SEVERE,LogStringsMessages.WSS_1355_UNABLETO_RESOLVE_SAML_ASSERTION(),e.getMessage());
throw new KeySelectorException(e);
}
}
}
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
if(inferredKB == null){
if (wssContext.hasIssuedToken()){
inferredSignaturePolicy.setKeyBinding(itkBinding);
}else{
inferredSignaturePolicy.setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
}
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(itkBinding);
}
}
returnKey = resolveSamlAssertion(context,tokenElement, purpose, assertionID);
addAuthorityId(tokenElement,wssContext);
if (wssContext.hasIssuedToken() && returnKey != null){
SecurityUtil.initInferredIssuedTokenContext(wssContext, str, returnKey);
}
} else {
// it could be SAML AssertionID without ValueType on KeyIdentifier
String assertionID = keyId.getDecodedReferenceValue();
Element samlAssertion = null;
try {
samlAssertion = resolveSAMLToken(str, assertionID, wssContext);
} catch (Exception e) {
if(logger.isLoggable(Level.FINEST)){
logger.log(Level.FINEST,"Error occurred while trying " +
"to resolve SAML assertion"+e.getMessage());
}
}
if (samlAssertion != null) {
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
IssuedTokenKeyBinding itkBinding = new IssuedTokenKeyBinding();
if(inferredKB == null){
if (wssContext.hasIssuedToken()){
inferredSignaturePolicy.setKeyBinding(itkBinding);
}else{
inferredSignaturePolicy.setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
}
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(itkBinding);
}
}
returnKey = resolveSamlAssertion(context,samlAssertion, purpose, assertionID);
addAuthorityId(samlAssertion,wssContext);
//whenever we have SAML we want to record the proofkey and str
if (wssContext.hasIssuedToken() && returnKey != null){
SecurityUtil.initInferredIssuedTokenContext(wssContext, str, returnKey);
}
} else {
// now assume its an X509Token
// Note: the code below assumes base64 EncodingType for X509 SKI
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
x509Binding.setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
x509Binding.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(x509Binding);
} else if(PolicyTypeUtil.symmetricKeyBinding(inferredKB)){
((SymmetricKeyBinding)inferredKB).setKeyBinding(x509Binding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding)inferredKB;
if(dktBind.getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(x509Binding);
else if(PolicyTypeUtil.symmetricKeyBinding(dktBind.getOriginalKeyBinding())){
dktBind.getOriginalKeyBinding().setKeyBinding(x509Binding);
}
}
}
if (purpose == Purpose.VERIFY) {
byte[] keyIdBytes = XMLUtil.getDecodedBase64EncodedData(keyId.getReferenceValue());
wssContext.setExtraneousProperty(MessageConstants.REQUESTER_KEYID, new String(keyIdBytes));
//update other party certificate
X509Certificate cert = wssContext.getSecurityEnvironment().getCertificate(
wssContext.getExtraneousProperties(),
XMLUtil.getDecodedBase64EncodedData(keyId.getReferenceValue()));
wssContext.getSecurityEnvironment().updateOtherPartySubject(
DefaultSecurityEnvironmentImpl.getSubject(wssContext), cert);
returnKey = cert.getPublicKey();
} else if(purpose == Purpose.SIGN){
returnKey =wssContext.getSecurityEnvironment().getPrivateKey(
wssContext.getExtraneousProperties(),
XMLUtil.getDecodedBase64EncodedData(keyId.getReferenceValue()));
}
}
}
} else if (refElement instanceof DirectReference) {
if(keyBinding != null){
keyBinding.setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
}
String uri = ((DirectReference) refElement).getURI();
if (isBSP && !uri.startsWith("#")) {
logger.log(Level.SEVERE, LogStringsMessages.WSS_1356_VIOLATION_BSP_R_5204());
throw new XWSSecurityException("Violation of BSP R5204 "
+ ": When a SECURITY_TOKEN_REFERENCE uses a Direct Reference to an INTERNAL_SECURITY_TOKEN, it MUST use a Shorthand XPointer Reference");
}
String valueType = ((DirectReference) refElement).getValueType();
if (MessageConstants.DKT_VALUETYPE.equals(valueType) ||
MessageConstants.DKT_13_VALUETYPE.equals(valueType)){
//TODO: this will work for now but need to handle this case here later
valueType = null;
}
if (MessageConstants.X509v3_NS.equals(valueType)||MessageConstants.X509v1_NS.equals(valueType)) {
// its an X509 Token
if(keyBinding != null){
keyBinding.setValueType(valueType);
}
String wsuId = secureMsg.getIdFromFragmentRef(uri);
X509SecurityToken token = (X509SecurityToken) insertedX509Cache.get(wsuId);
//if(token == null)
// token =(X509SecurityToken) tokenCache.get(wsuId);
if(token == null){
token = (X509SecurityToken)resolveToken(wsuId,context);
if(token == null){
logger.log(Level.SEVERE, LogStringsMessages.WSS_1357_UNABLETO_LOCATE_TOKEN());
throw new KeySelectorException("Token with Id "+wsuId+ "not found");
}else{
tokenCache.put(wsuId, token);
}
}
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
x509Binding.setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
x509Binding.setValueType(valueType);
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(x509Binding);
} else if(PolicyTypeUtil.symmetricKeyBinding(inferredKB)){
((SymmetricKeyBinding)inferredKB).setKeyBinding(x509Binding);
isSymmetric = true;
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding)inferredKB;
if(dktBind.getOriginalKeyBinding() == null)
dktBind.setOriginalKeyBinding(x509Binding);
else if(PolicyTypeUtil.symmetricKeyBinding(dktBind.getOriginalKeyBinding())){
dktBind.getOriginalKeyBinding().setKeyBinding(x509Binding);
isSymmetric = true;
}
}
}
returnKey = resolveX509Token(wssContext, token, purpose, isSymmetric);
} else if(MessageConstants.EncryptedKey_NS.equals(valueType)) {
String wsuId = secureMsg.getIdFromFragmentRef(uri);
SecurityToken token = (SecurityToken)tokenCache.get(wsuId);
if(token == null){
token = resolveToken(wsuId, context);
if(token == null){
logger.log(Level.SEVERE, LogStringsMessages.WSS_1357_UNABLETO_LOCATE_TOKEN());
throw new KeySelectorException("Token with Id "+wsuId+ "not found");//TODO LOG ::Venu
}else{
tokenCache.put(wsuId, token);
}
}
KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken)token).getKeyInfo();
SecurityTokenReference sectr = kiHB.getSecurityTokenReference(0);
SOAPElement se = sectr.getAsSoapElement();
ReferenceElement refElem = sectr.getReference();
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
skBinding.setKeyBinding(x509Binding);
//TODO: ReferenceType and ValueType not set on X509Binding
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(skBinding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(skBinding);
}
}
Key privKey = resolve(se, context, Purpose.SIGN);
Element cipherData = (Element)((EncryptedKeyToken)token).getAsSoapElement().getChildElements(new QName(MessageConstants.XENC_NS, "CipherData", MessageConstants.XENC_PREFIX)).next();
String cipherValue = cipherData.getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent();
byte[] decodedCipher = Base64.decode(cipherValue);
byte[] ekSha1 = MessageDigest.getInstance("SHA-1").digest(decodedCipher);
String encEkSha1 = Base64.encode(ekSha1);
wssContext.setExtraneousProperty(MessageConstants.EK_SHA1_VALUE, encEkSha1);
returnKey = ((EncryptedKeyToken)token).getSecretKey(privKey, encAlgo);
wssContext.setExtraneousProperty(MessageConstants.SECRET_KEY_VALUE, returnKey);
} else if (MessageConstants.SCT_VALUETYPE.equals(valueType) || MessageConstants.SCT_13_VALUETYPE.equals(valueType)) {
// could be wsuId or SCT Session Id
String sctId = secureMsg.getIdFromFragmentRef(uri);
SecurityToken token = (SecurityToken)tokenCache.get(sctId);
if(token == null){
token = SecurityUtil.locateBySCTId(wssContext, uri);
if (token == null) {
token = resolveToken(sctId, context);
}
if(token == null){
logger.log(Level.SEVERE, LogStringsMessages.WSS_1358_UNABLETO_LOCATE_SCT_TOKEN());
throw new KeySelectorException("SCT Token with Id "+sctId+ "not found");
}else{
tokenCache.put(sctId, token);
}
}
if (token instanceof SecurityContextToken) {
//handling for SecurityContext Token
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(sctBinding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(sctBinding);
}
}
returnKey = resolveSCT(wssContext, (SecurityContextTokenImpl)token, purpose);
} else {
logger.log(Level.SEVERE, LogStringsMessages.WSS_1359_INVALID_VALUETYPE_NON_SC_TTOKEN());
throw new KeySelectorException("Incorrect ValueType: " + MessageConstants.SCT_VALUETYPE + ", specified for a Non SCT Token");
}
} else if (null == valueType) {
// Log fails BSP:R3059 and R3058
//logger.log(Level.WARNING, "Fails BSP requirements R3058 and 3059");
// Do default processing
String wsuId = secureMsg.getIdFromFragmentRef(uri);
SecurityToken token = (SecurityToken)tokenCache.get(wsuId);
if(token == null){
token = resolveToken(wsuId, context);
if (token == null) {
token = SecurityUtil.locateBySCTId(wssContext, uri);
}
if(token == null){
logger.log(Level.SEVERE, LogStringsMessages.WSS_1357_UNABLETO_LOCATE_TOKEN());
throw new KeySelectorException("Token with Id "+wsuId+ "not found");
}else{
tokenCache.put(wsuId, token);
}
}
if (token instanceof X509SecurityToken) {
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
x509Binding.setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(x509Binding);
} else if(PolicyTypeUtil.symmetricKeyBinding(inferredKB)){
((SymmetricKeyBinding)inferredKB).setKeyBinding(x509Binding);
isSymmetric = true;
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
DerivedTokenKeyBinding dktBind = (DerivedTokenKeyBinding)inferredKB;
if(dktBind.getOriginalKeyBinding() == null)
dktBind.setOriginalKeyBinding(x509Binding);
else if(PolicyTypeUtil.symmetricKeyBinding(dktBind.getOriginalKeyBinding())){
dktBind.getOriginalKeyBinding().setKeyBinding(x509Binding);
isSymmetric = true;
}
}
}
returnKey = resolveX509Token(wssContext,(X509SecurityToken)token, purpose, isSymmetric);
} else if (token instanceof EncryptedKeyToken) {
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
SymmetricKeyBinding skBinding = new SymmetricKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
skBinding.setKeyBinding(x509Binding);
//TODO: ReferenceType and ValueType not set on X509Binding
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(skBinding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
if(((DerivedTokenKeyBinding)inferredKB).getOriginalKeyBinding() == null)
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(skBinding);
}
}
KeyInfoHeaderBlock kiHB = ((EncryptedKeyToken)token).getKeyInfo();
SecurityTokenReference sectr = kiHB.getSecurityTokenReference(0);
SOAPElement se = sectr.getAsSoapElement();
ReferenceElement refElem = sectr.getReference();
Key privKey = resolve(se, context, Purpose.SIGN);
Element cipherData = (Element)((EncryptedKeyToken)token).getAsSoapElement().getChildElements(new QName(MessageConstants.XENC_NS, "CipherData", MessageConstants.XENC_PREFIX)).next();
String cipherValue = cipherData.getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent();
byte[] decodedCipher = Base64.decode(cipherValue);
byte[] ekSha1 = MessageDigest.getInstance("SHA-1").digest(decodedCipher);
String encEkSha1 = Base64.encode(ekSha1);
wssContext.setExtraneousProperty(MessageConstants.EK_SHA1_VALUE, encEkSha1);
returnKey = ((EncryptedKeyToken)token).getSecretKey(privKey, encAlgo);
wssContext.setExtraneousProperty(MessageConstants.SECRET_KEY_VALUE, returnKey);
} else if (token instanceof SecurityContextToken) {
//handling for SecurityContext Token
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
SecureConversationTokenKeyBinding sctBinding = new SecureConversationTokenKeyBinding();
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(sctBinding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)){
((DerivedTokenKeyBinding)inferredKB).setOriginalKeyBinding(sctBinding);
}
}
returnKey = resolveSCT(wssContext, (SecurityContextTokenImpl)token, purpose);
} else if (token instanceof DerivedKeyTokenHeaderBlock){
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
DerivedTokenKeyBinding dtkBinding = new DerivedTokenKeyBinding();
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(dtkBinding);
} else if(PolicyTypeUtil.derivedTokenKeyBinding(inferredKB)) {
//already set - do nothing
} else{
logger.log(Level.SEVERE,LogStringsMessages.WSS_1360_INVALID_DERIVED_KEY_TOKEN());
throw new XWSSecurityException("A derived Key Token should be a top level key binding");
}
}
returnKey = resolveDKT(context, (DerivedKeyTokenHeaderBlock)token);
}
else {
String message = " Cannot Resolve URI " + uri;
logger.log(Level.SEVERE,LogStringsMessages.WSS_1307_UNSUPPORTED_DIRECTREF_MECHANISM(message), new Object[] {message});
KeySelectorException xwsse = new KeySelectorException(message);
//throw xwsse;
throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE,xwsse.getMessage(),xwsse);
}
} else {
logger.log(Level.SEVERE,LogStringsMessages.WSS_1307_UNSUPPORTED_DIRECTREF_MECHANISM( new Object[] {((DirectReference)refElement).getValueType()}));
throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY_TOKEN,
"unsupported directreference ValueType "+ ((DirectReference) refElement).getValueType(),null);
}
} else if (refElement instanceof com.sun.xml.wss.core.reference.X509IssuerSerial) {
if(keyBinding != null){
keyBinding.setReferenceType(MessageConstants.X509_ISSUER_TYPE);
}
com.sun.xml.wss.core.reference.X509IssuerSerial xisElement=
(com.sun.xml.wss.core.reference.X509IssuerSerial)refElement;
BigInteger serialNumber = xisElement.getSerialNumber();
String issuerName = xisElement.getIssuerName();
if(isPolicyRecipient && inferredSignaturePolicy != null){
MLSPolicy inferredKB = inferredSignaturePolicy.getKeyBinding();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
x509Binding.setReferenceType(MessageConstants.X509_ISSUER_TYPE);
if(inferredKB == null){
inferredSignaturePolicy.setKeyBinding(x509Binding);
} else if(PolicyTypeUtil.symmetricKeyBinding(inferredKB)){