keyBinding = dtk;
}
}
//SignaturePolicy.FeatureBinding featureBinding = (SignaturePolicy.FeatureBinding) policy.getFeatureBinding();
if (PolicyTypeUtil.usernameTokenBinding(keyBinding)) {
UsernameTokenBinding binding = createUntBinding(context,(UsernameTokenBinding)keyBinding,MessageConstants.VALUE_FOR_SIGNATURE);
context.setUsernameTokenBinding(binding);
}else if (PolicyTypeUtil.x509CertificateBinding(keyBinding)) {
try {
AuthenticationTokenPolicy.X509CertificateBinding binding = (AuthenticationTokenPolicy.X509CertificateBinding)keyBinding.clone();
String certIdentifier = binding.getCertificateIdentifier();
String algorithm = binding.getKeyAlgorithm();
if(MessageConstants.HMAC_SHA1_SIGMETHOD.equals(algorithm)){
X509Certificate cert = context.getSecurityEnvironment().getCertificate(context.getExtraneousProperties(), certIdentifier, false);
binding.setX509Certificate(cert);
}else {
if(certIdentifier == null || "".equals(certIdentifier)) {
WSSPolicy ckBinding = (WSSPolicy) binding.getKeyBinding();
if (ckBinding == null) {
ckBinding = (WSSPolicy)binding.newPrivateKeyBinding();
}
if (context.getSecurityEnvironment().getClass().getName().equals(
"com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl")) {
SignatureKeyCallback.PrivKeyCertRequest request =
((DefaultSecurityEnvironmentImpl)context.getSecurityEnvironment()).
getDefaultPrivKeyCertRequest(context.getExtraneousProperties());
binding.setX509Certificate(request.getX509Certificate());
if(request.getX509Certificate() == null){
log.log(Level.SEVERE, LogStringsMessages.WSS_1421_NO_DEFAULT_X_509_CERTIFICATE_PROVIDED());
throw new XWSSecurityException("No default X509Certificate was provided");
}
((PrivateKeyBinding) ckBinding).setPrivateKey(request.getPrivateKey());
}else {
X509Certificate cert = context.getSecurityEnvironment().
getDefaultCertificate(context.getExtraneousProperties());
if(cert == null){
log.log(Level.SEVERE, LogStringsMessages.WSS_1421_NO_DEFAULT_X_509_CERTIFICATE_PROVIDED());
throw new XWSSecurityException("No default X509Certificate was provided");
}
binding.setX509Certificate(cert);
PrivateKey pk = context.getSecurityEnvironment().getPrivateKey(
context.getExtraneousProperties(), cert);
((PrivateKeyBinding) ckBinding).setPrivateKey(pk);
}
} else {
if (context.getSecurityEnvironment().getClass().getName().equals(
"com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl")) {
SignatureKeyCallback.AliasPrivKeyCertRequest request =
((DefaultSecurityEnvironmentImpl)context.getSecurityEnvironment()).
getAliasPrivKeyCertRequest(certIdentifier);
binding.setX509Certificate(request.getX509Certificate());
if(request.getX509Certificate() == null){
log.log(Level.SEVERE,LogStringsMessages.WSS_1421_NO_DEFAULT_X_509_CERTIFICATE_PROVIDED());
throw new XWSSecurityException("No X509Certificate was provided");
}
WSSPolicy ckBinding = (WSSPolicy) binding.getKeyBinding();
if (PolicyTypeUtil.privateKeyBinding(ckBinding)) {
((PrivateKeyBinding) ckBinding).setPrivateKey(request.getPrivateKey());
} else {
if (ckBinding == null) {
// keyBinding un-defined
((PrivateKeyBinding) binding.newPrivateKeyBinding()).
setPrivateKey(request.getPrivateKey());
} else {
log.log(Level.SEVERE, LogStringsMessages.WSS_1416_UNSUPPORTED_KEYBINDING());
throw new XWSSecurityException(
"Unsupported KeyBinding for X509CertificateBinding");
}
}
} else {
// not handling symmetric key for provider
X509Certificate cert = context.getSecurityEnvironment().
getCertificate(
context.getExtraneousProperties(), certIdentifier,true);
binding.setX509Certificate(cert);
WSSPolicy ckBinding = (WSSPolicy) binding.getKeyBinding();
PrivateKey key = context.getSecurityEnvironment().getPrivateKey(
context.getExtraneousProperties(), certIdentifier);
if (PolicyTypeUtil.privateKeyBinding(ckBinding)) {
((PrivateKeyBinding) ckBinding).setPrivateKey(key);
} else {
if (ckBinding == null) {
// keyBinding un-defined
((PrivateKeyBinding) binding.newPrivateKeyBinding()).
setPrivateKey(key);
} else {
log.log(Level.SEVERE, LogStringsMessages.WSS_1416_UNSUPPORTED_KEYBINDING());
throw new XWSSecurityException(
"Unsupported KeyBinding for X509CertificateBinding");
}
}
}
}
}
context.setX509CertificateBinding(binding);
} catch (Exception e) {
log.log(Level.SEVERE, LogStringsMessages.WSS_1417_EXCEPTION_PROCESSING_SIGNATURE(new Object[] {e.getMessage()}));
throw new XWSSecurityException(e);
}
} else if(PolicyTypeUtil.kerberosTokenBinding(keyBinding)) {
AuthenticationTokenPolicy.KerberosTokenBinding binding = (AuthenticationTokenPolicy.KerberosTokenBinding)keyBinding.clone();
String algorithm = binding.getKeyAlgorithm();
//String ktPolicyId = binding.getUUID();
String encodedRef = (String)context.getExtraneousProperty(MessageConstants.KERBEROS_SHA1_VALUE);
KerberosContext krbContext = null;
if(encodedRef != null){
krbContext = context.getKerberosContext();
}
String dataEncAlgo = null;
if (context.getAlgorithmSuite() != null) {
dataEncAlgo = context.getAlgorithmSuite().getEncryptionAlgorithm();
} else {
dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
// warn about using default
}
if(krbContext != null){
byte[] kerberosToken = krbContext.getKerberosToken();
binding.setTokenValue(kerberosToken);
SecretKey sKey = krbContext.getSecretKey(SecurityUtil.getSecretKeyAlgorithm(dataEncAlgo));
binding.setSecretKey(sKey);
}else{
log.log(Level.SEVERE, LogStringsMessages.WSS_1423_KERBEROS_CONTEXT_NOTSET());
throw new XWSSecurityException("WSS1423.kerberos.context.notset");
}
context.setKerberosTokenBinding(binding);
} else if (PolicyTypeUtil.samlTokenPolicy(keyBinding)) {
//resolvedPolicy = (SignaturePolicy)policy.clone();
keyBinding =(WSSPolicy) ((SignaturePolicy) policy).getKeyBinding();
AuthenticationTokenPolicy.SAMLAssertionBinding binding =
(AuthenticationTokenPolicy.SAMLAssertionBinding) keyBinding;
if(binding.getAssertion() != null || binding.getAssertionReader() != null ||
binding.getAuthorityBinding() != null){
binding.setAssertion((org.w3c.dom.Element)null);
binding.setAuthorityBinding(null);
binding.setAssertion((javax.xml.stream.XMLStreamReader)null);
}
binding.isReadOnly(true);
DynamicApplicationContext dynamicContext =
new DynamicApplicationContext(context.getPolicyContext());
dynamicContext.setMessageIdentifier(context.getMessageIdentifier());
dynamicContext.inBoundMessage(false);
AuthenticationTokenPolicy.SAMLAssertionBinding resolvedSAMLBinding =
(AuthenticationTokenPolicy.SAMLAssertionBinding)
context.getExtraneousProperties().get(MessageConstants.SAML_ASSERTION_CLIENT_CACHE);
if (resolvedSAMLBinding == null) {
//try to obtain the HOK assertion
resolvedSAMLBinding =
context.getSecurityEnvironment().populateSAMLPolicy(context.getExtraneousProperties(), binding, dynamicContext);
context.getExtraneousProperties().put(MessageConstants.SAML_ASSERTION_CLIENT_CACHE, resolvedSAMLBinding);
}
if ((resolvedSAMLBinding.getAssertion() == null) &&
(resolvedSAMLBinding.getAuthorityBinding() == null) && (resolvedSAMLBinding.getAssertionReader() == null) ) {
log.log(Level.SEVERE, LogStringsMessages.WSS_1418_SAML_INFO_NOTSET());
throw new XWSSecurityException(
"None of SAML Assertion, SAML AuthorityBinding information was set into " +
" the Policy by the CallbackHandler");
}
policy.setKeyBinding(resolvedSAMLBinding);
resolvedPolicy = (SignaturePolicy)policy;
}else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding)) {
try {
String dataEncAlgo = null;
if (context.getAlgorithmSuite() != null) {
dataEncAlgo = context.getAlgorithmSuite().getEncryptionAlgorithm();
} else {
dataEncAlgo = MessageConstants.DEFAULT_DATA_ENC_ALGO;
// warn about using default
}
SymmetricKeyBinding binding = (SymmetricKeyBinding)keyBinding.clone();
String keyIdentifier = binding.getKeyIdentifier();
SecretKey sKey = null;
WSSPolicy ckBinding = (WSSPolicy) binding.getKeyBinding();
boolean wss11Receiver = "true".equals(context.getExtraneousProperty("EnableWSS11PolicyReceiver"));
boolean wss11Sender = "true".equals(context.getExtraneousProperty("EnableWSS11PolicySender"));
boolean wss10 = !wss11Sender;
boolean sendEKSHA1 = wss11Receiver && wss11Sender && (getReceivedSecret(context) != null);
if (PolicyTypeUtil.usernameTokenBinding(ckBinding)) {
try {
if (!sendEKSHA1) {
AuthenticationTokenPolicy.UsernameTokenBinding untbinding = createUntBinding(context, (UsernameTokenBinding) ckBinding, MessageConstants.VALUE_FOR_ENCRYPTION);
context.setUsernameTokenBinding(untbinding);
sKey = untbinding.getSecretKey();
}
} catch (Exception e) {
log.log(Level.SEVERE, LogStringsMessages.WSS_1433_ERROR_EXTRACTING_USERNAMETOKEN(), e);
throw new XWSSecurityException(e);
}
}else if (PolicyTypeUtil.x509CertificateBinding(ckBinding)) {
try {
if (!sendEKSHA1) {
AuthenticationTokenPolicy.X509CertificateBinding ckBindingClone =
(AuthenticationTokenPolicy.X509CertificateBinding)ckBinding.clone();
String certIdentifier = ckBindingClone.getCertificateIdentifier();
X509Certificate cert = context.getSecurityEnvironment().
getCertificate(context.getExtraneousProperties(), certIdentifier, false);
ckBindingClone.setX509Certificate(cert);
context.setX509CertificateBinding(ckBindingClone);
}
} catch (Exception e) {
log.log(Level.SEVERE, LogStringsMessages.WSS_1413_ERROR_EXTRACTING_CERTIFICATE(), e);
throw new XWSSecurityException(e);
}
} else if(PolicyTypeUtil.kerberosTokenBinding(ckBinding)){
AuthenticationTokenPolicy.KerberosTokenBinding ckBindingClone =
(AuthenticationTokenPolicy.KerberosTokenBinding)ckBinding;
//String ktPolicyId = ckBindingClone.getUUID();
String encodedRef = (String)context.getExtraneousProperty(MessageConstants.KERBEROS_SHA1_VALUE);
KerberosContext krbContext = null;
if(encodedRef != null){
krbContext = context.getKerberosContext();
}
if(krbContext != null){
byte[] kerberosToken = krbContext.getKerberosToken();
ckBindingClone.setTokenValue(kerberosToken);
sKey = krbContext.getSecretKey(SecurityUtil.getSecretKeyAlgorithm(dataEncAlgo));
ckBindingClone.setSecretKey(sKey);
}else{
log.log(Level.SEVERE, LogStringsMessages.WSS_1423_KERBEROS_CONTEXT_NOTSET());
throw new XWSSecurityException("WSS1423.kerberos.context.notset");
}
context.setKerberosTokenBinding(ckBindingClone);
}
if((!PolicyTypeUtil.kerberosTokenBinding(ckBinding))){
if(!binding.getKeyIdentifier().equals(MessageConstants._EMPTY)){
sKey = context.getSecurityEnvironment().getSecretKey(
context.getExtraneousProperties(),
keyIdentifier, true);
} else if(sendEKSHA1){
sKey = getReceivedSecret(context);
}else if(wss11Sender || wss10){
sKey = SecurityUtil.generateSymmetricKey(dataEncAlgo);
}
}
binding.setSecretKey(sKey);
context.setSymmetricKeyBinding(binding);
} catch (Exception e) {
//TODO: this error message should come only in Symm Keystore case
log.log(Level.SEVERE, LogStringsMessages.WSS_1414_ERROR_EXTRACTING_SYMMETRICKEY(new Object[] { e.getMessage()}));
throw new XWSSecurityException(e);