*/
@SuppressWarnings("unchecked")
public static int sign(FilterProcessingContext context) throws XWSSecurityException {
try{
SignaturePolicy signaturePolicy = (SignaturePolicy)context.getSecurityPolicy();
SOAPMessage soapMessage = context.getSOAPMessage();
//Dependant on secure soap meesage.
//discuss and refactor.
SecurableSoapMessage secureMessage = context.getSecurableSoapMessage();
WSSPolicy keyBinding = (WSSPolicy)signaturePolicy.getKeyBinding();
if(logger.isLoggable(Level.FINEST)){
logger.log(Level.FINEST, "KeyBinding is "+keyBinding);
}
Key signingKey = null;
Node nextSibling = null;
//TODO :: Creation of WSSPolicyConsumerImpl every time.
WSSPolicyConsumerImpl dsigHelper = WSSPolicyConsumerImpl.getInstance();
KeyInfo keyInfo = null;
SecurityHeader securityHeader = secureMessage.findOrCreateSecurityHeader();
SignaturePolicy.FeatureBinding featureBinding =
(SignaturePolicy.FeatureBinding)signaturePolicy.getFeatureBinding();
AlgorithmSuite algSuite = context.getAlgorithmSuite();
boolean wss11Receiver = "true".equals(context.getExtraneousProperty("EnableWSS11PolicyReceiver"));
boolean wss11Sender = "true".equals(context.getExtraneousProperty("EnableWSS11PolicySender"));
boolean wss10 = !wss11Sender;
boolean sendEKSHA1 = wss11Receiver && wss11Sender && (getEKSHA1Ref(context) != null);
if (PolicyTypeUtil.usernameTokenPolicy(keyBinding)) {
logger.log(Level.SEVERE, LogStringsMessages.WSS_1326_UNSUPPORTED_USERNAMETOKEN_KEYBINDING());
throw new XWSSecurityException("UsernameToken as KeyBinding for SignaturePolicy is Not Yet Supported");
} else if ( PolicyTypeUtil.derivedTokenKeyBinding(keyBinding)) {
DerivedTokenKeyBinding dtk = (DerivedTokenKeyBinding)keyBinding.clone();
WSSPolicy originalKeyBinding = dtk.getOriginalKeyBinding();
String algorithm = null;
if(algSuite != null){
algorithm = algSuite.getEncryptionAlgorithm();
}
String jceAlgo = SecurityUtil.getSecretKeyAlgorithm(algorithm);
//The offset and length to be used for DKT
//TODO: PLUGFEST the length here should be set correctly
long offset = 0; // Default 0
long length = SecurityUtil.getLengthFromAlgorithm(algorithm);
if(length == 32) length = 24;
if (PolicyTypeUtil.x509CertificateBinding(originalKeyBinding)) {
// this is becuase SecurityPolicy Converter never produces this combination
logger.log(Level.SEVERE, LogStringsMessages.WSS_1327_UNSUPPORTED_ASYMMETRICBINDING_DERIVEDKEY_X_509_TOKEN());
throw new XWSSecurityException("Asymmetric Binding with DerivedKeys under X509Token Policy Not Yet Supported");
} else if ( PolicyTypeUtil.symmetricKeyBinding(originalKeyBinding)) {
SymmetricKeyBinding skb = null;
if ( context.getSymmetricKeyBinding() != null) {
skb = context.getSymmetricKeyBinding();
context.setSymmetricKeyBinding(null);
}
//Construct a derivedKeyToken to be used
Key originalKey = null;
if(context.getCurrentSecret() != null){
originalKey = context.getCurrentSecret();
}else{
originalKey = skb.getSecretKey();
context.setCurrentSecret(originalKey);
}
byte[] secret = originalKey.getEncoded();
DerivedKeyToken dkt = new DerivedKeyTokenImpl(offset, length, secret);
//get the signing key for signature from derivedkeyToken
signingKey = dkt.generateSymmetricKey(jceAlgo);
Node[] nxtSiblingContainer = new Node[1];
keyInfo = prepareForSymmetricKeySignature(context, keyBinding, originalKey, signaturePolicy, nxtSiblingContainer, null, dkt);
nextSibling = nxtSiblingContainer[0];
} else if ( PolicyTypeUtil.issuedTokenKeyBinding(originalKeyBinding)) {
byte[] prfKey = context.getTrustContext().getProofKey();
if (prfKey == null) {
//handle Asymmetric Issued Token
X509Certificate cert =
context.getTrustContext().getRequestorCertificate();
if (cert == null){
logger.log(Level.SEVERE, LogStringsMessages.WSS_1328_ILLEGAL_CERTIFICATE_KEY_NULL());
throw new XWSSecurityException(
"Requestor Certificate and Proof Key are both null for Issued Token");
}
signingKey = context.getSecurityEnvironment().
getPrivateKey(context.getExtraneousProperties(), cert);
//Get the IssuedToken and insert it into the message
GenericToken issuedToken =
(GenericToken)context.getTrustContext().getSecurityToken();
Element elem = (Element)issuedToken.getTokenValue();
SOAPElement tokenElem =
XMLUtil.convertToSoapElement(secureMessage.getSOAPPart(), elem);
//FIX for Issue 26: We need an Id to cache and MS is not setting in
//some cases
String tokId = tokenElem.getAttribute("Id");
if ("".equals(tokId) &&
MessageConstants.ENCRYPTED_DATA_LNAME.equals(
tokenElem.getLocalName())) {
tokenElem.setAttribute("Id", secureMessage.generateId());
}
context.getTokenCache().put(keyBinding.getUUID(), tokenElem);
IssuedTokenKeyBinding ikb = (IssuedTokenKeyBinding)originalKeyBinding;
String iTokenType = ikb.getIncludeToken();
boolean includeToken = (ikb.INCLUDE_ALWAYS_TO_RECIPIENT.equals(iTokenType) ||
ikb.INCLUDE_ALWAYS.equals(iTokenType) ||
ikb.INCLUDE_ALWAYS_VER2.equals(iTokenType) ||
ikb.INCLUDE_ALWAYS_TO_RECIPIENT_VER2.equals(iTokenType)
);
Element strElem = null;
if (includeToken) {
strElem =(Element)context.getTrustContext().
getAttachedSecurityTokenReference().getTokenValue();
}else {
strElem = (Element)context.getTrustContext().
getUnAttachedSecurityTokenReference().getTokenValue();
}
//TODO: remove these expensive conversions
Element imported = (Element)
secureMessage.getSOAPPart().importNode(strElem,true);
SecurityTokenReference str = new SecurityTokenReference(
XMLUtil.convertToSoapElement(secureMessage.getSOAPPart(),
(Element)imported.cloneNode(true)), false);
if (tokenElem != null) {
if(includeToken) {
secureMessage.findOrCreateSecurityHeader().
insertHeaderBlockElement(tokenElem);
nextSibling = tokenElem.getNextSibling();
} else {
nextSibling = null;
}
context.setIssuedSAMLToken(tokenElem);
}
keyInfo = dsigHelper.constructKeyInfo(signaturePolicy,str);
SecurityUtil.updateSamlVsKeyCache(str, context, cert.getPublicKey());
} else {
DerivedKeyToken dkt = new DerivedKeyTokenImpl(offset, length, prfKey);
signingKey = dkt.generateSymmetricKey(jceAlgo);
Node[] nxtSiblingContainer = new Node[1];
//NOTE: passing the proofKey here as original key
String secretKeyAlg = "AES";
if (algSuite != null) {
secretKeyAlg = SecurityUtil.getSecretKeyAlgorithm(algSuite.getEncryptionAlgorithm());
}
Key originalKey = new SecretKeySpec(prfKey, secretKeyAlg);
keyInfo = prepareForSymmetricKeySignature(
context, keyBinding, originalKey, signaturePolicy, nxtSiblingContainer, null, dkt);
nextSibling = nxtSiblingContainer[0];
}
} else if (PolicyTypeUtil.secureConversationTokenKeyBinding(originalKeyBinding)) {
DerivedKeyToken dkt = new DerivedKeyTokenImpl(offset, length, context.getSecureConversationContext().getProofKey());
//get the signing key for signature from derivedkeyToken
signingKey = dkt.generateSymmetricKey(jceAlgo);
Node[] nxtSiblingContainer = new Node[1];
keyInfo = prepareForSymmetricKeySignature(context, keyBinding, null, signaturePolicy, nxtSiblingContainer, null, dkt);
nextSibling = nxtSiblingContainer[0];
}
} else if ( PolicyTypeUtil.issuedTokenKeyBinding(keyBinding)) {
Node[] nxtSiblingContainer = new Node[1];
// look for the proof token inside the IssuedToken
byte[] proofKey = context.getTrustContext().getProofKey();
if (proofKey == null) {
//handle Asymmetric Issued Token
X509Certificate cert =
context.getTrustContext().getRequestorCertificate();
if (cert == null){
logger.log(Level.SEVERE,LogStringsMessages.WSS_1328_ILLEGAL_CERTIFICATE_KEY_NULL());
throw new XWSSecurityException(
"Requestor Certificate and Proof Key are both null for Issued Token");
}
signingKey = context.getSecurityEnvironment().
getPrivateKey(context.getExtraneousProperties(), cert);
//Get the IssuedToken and insert it into the message
GenericToken issuedToken =
(GenericToken)context.getTrustContext().getSecurityToken();
Element elem = (Element)issuedToken.getTokenValue();
SOAPElement tokenElem =
XMLUtil.convertToSoapElement(secureMessage.getSOAPPart(), elem);
//FIX for Issue 26: We need an Id to cache and MS is not setting in
//some cases
String tokId = tokenElem.getAttribute("Id");
if ("".equals(tokId) &&
MessageConstants.ENCRYPTED_DATA_LNAME.equals(
tokenElem.getLocalName())) {
tokenElem.setAttribute("Id", secureMessage.generateId());
}
context.getTokenCache().put(keyBinding.getUUID(), tokenElem);
IssuedTokenKeyBinding ikb = (IssuedTokenKeyBinding)keyBinding;
String iTokenType = ikb.getIncludeToken();
boolean includeToken = (ikb.INCLUDE_ALWAYS_TO_RECIPIENT.equals(iTokenType) ||
ikb.INCLUDE_ALWAYS.equals(iTokenType) ||
ikb.INCLUDE_ALWAYS_VER2.equals(iTokenType) ||
ikb.INCLUDE_ALWAYS_TO_RECIPIENT_VER2.equals(iTokenType)
);
Element strElem = null;
if (includeToken) {
strElem =(Element)context.getTrustContext().
getAttachedSecurityTokenReference().getTokenValue();
}else {
strElem = (Element)context.getTrustContext().
getUnAttachedSecurityTokenReference().getTokenValue();
}
//TODO: remove these expensive conversions
Element imported = (Element)
secureMessage.getSOAPPart().importNode(strElem,true);
SecurityTokenReference str = new SecurityTokenReference(
XMLUtil.convertToSoapElement(secureMessage.getSOAPPart(),
(Element)imported.cloneNode(true)), false);
if (tokenElem != null) {
if(includeToken) {
secureMessage.findOrCreateSecurityHeader().
insertHeaderBlockElement(tokenElem);
nextSibling = tokenElem.getNextSibling();
} else {
nextSibling = null;
}
context.setIssuedSAMLToken(tokenElem);
}
keyInfo = dsigHelper.constructKeyInfo(signaturePolicy,str);
SecurityUtil.updateSamlVsKeyCache(str, context, cert.getPublicKey());
} else {
// symmetric issued
String secretKeyAlg = "AES"; // hardcoding to AES for now
if (algSuite != null) {
secretKeyAlg = SecurityUtil.getSecretKeyAlgorithm(algSuite.getEncryptionAlgorithm());
}
//TODO: assuming proofkey is a byte array in case of Trust as well
signingKey = new SecretKeySpec(proofKey, secretKeyAlg);
keyInfo = prepareForSymmetricKeySignature(
context, keyBinding, signingKey, signaturePolicy, nxtSiblingContainer, null, null);
nextSibling = nxtSiblingContainer[0];
}
} else if (PolicyTypeUtil.secureConversationTokenKeyBinding(keyBinding)) {
//Hack to get the nextSibling node from prepareForSymmetricKeySignature
Node[] nxtSiblingContainer = new Node[1];
keyInfo = prepareForSymmetricKeySignature(
context, keyBinding, null, signaturePolicy, nxtSiblingContainer, null, null);
// look for the proof token inside the secureConversationToken
String secretKeyAlg = "AES"; // hardcoding to AES for now
if (algSuite != null) {
secretKeyAlg = SecurityUtil.getSecretKeyAlgorithm(algSuite.getEncryptionAlgorithm());
}
signingKey = new SecretKeySpec(context.getSecureConversationContext().getProofKey(), secretKeyAlg);
nextSibling = nxtSiblingContainer[0];
} else if(PolicyTypeUtil.x509CertificateBinding(keyBinding)) {
AuthenticationTokenPolicy.X509CertificateBinding certInfo = null;
if ( context.getX509CertificateBinding() != null ) {
certInfo = context.getX509CertificateBinding();
context.setX509CertificateBinding(null);
} else {
certInfo = (AuthenticationTokenPolicy.X509CertificateBinding)keyBinding;
}
PrivateKeyBinding privKBinding = (PrivateKeyBinding)certInfo.getKeyBinding();
signingKey = privKBinding.getPrivateKey();
Node[] nxtSiblingContainer = new Node[1];
keyInfo = handleX509Binding(context, signaturePolicy, certInfo, nxtSiblingContainer);
nextSibling = nxtSiblingContainer[0];
} else if (PolicyTypeUtil.samlTokenPolicy(keyBinding)) {
// populate the policy, the handler should also add a privateKey binding for HOK
AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding =
(AuthenticationTokenPolicy.SAMLAssertionBinding)keyBinding;
PrivateKeyBinding privKBinding = (PrivateKeyBinding)samlBinding.getKeyBinding();
if (privKBinding == null) {
logger.log(Level.SEVERE, LogStringsMessages.WSS_1329_NULL_PRIVATEKEYBINDING_SAML_POLICY());
throw new XWSSecurityException("PrivateKey binding not set for SAML Policy by CallbackHandler");
}
signingKey = privKBinding.getPrivateKey();
if (signingKey == null) {
logger.log(Level.SEVERE, LogStringsMessages.WSS_1330_NULL_PRIVATEKEY_SAML_POLICY());
throw new XWSSecurityException("PrivateKey null inside PrivateKeyBinding set for SAML Policy ");
}
String referenceType = samlBinding.getReferenceType();
if (referenceType.equals(MessageConstants.EMBEDDED_REFERENCE_TYPE)) {
logger.log(Level.SEVERE, LogStringsMessages.WSS_1331_UNSUPPORTED_EMBEDDED_REFERENCE_SAML());
throw new XWSSecurityException("Embedded Reference Type for SAML Assertions not supported yet");
}
String assertionId = samlBinding.getAssertionId();
Element _assertion = samlBinding.getAssertion();
Element _authorityBinding = samlBinding.getAuthorityBinding();
if (assertionId == null) {
if (_assertion == null) {
logger.log(Level.SEVERE, LogStringsMessages.WSS_1332_NULL_SAML_ASSERTION_SAML_ASSERTION_ID());
throw new XWSSecurityException(
"None of SAML Assertion, SAML Assertion Id information was set into " +
" the Policy by the CallbackHandler");
}
if(_assertion.getAttributeNode("ID") != null){
assertionId = _assertion.getAttribute("ID");
}else{
assertionId = _assertion.getAttribute("AssertionID");
}
}
SecurityTokenReference tokenRef = new SecurityTokenReference(secureMessage.getSOAPPart());
String strId = samlBinding.getSTRID();
if(strId == null){
strId = secureMessage.generateId();
}
tokenRef.setWsuId(strId);
// set wsse11:TokenType to SAML1.1 or SAML2.0
if(_assertion.getAttributeNode("ID") != null){
tokenRef.setTokenType(MessageConstants.WSSE_SAML_v2_0_TOKEN_TYPE);
}else{
tokenRef.setTokenType(MessageConstants.WSSE_SAML_v1_1_TOKEN_TYPE);
}
if (_authorityBinding != null) {
tokenRef.setSamlAuthorityBinding(_authorityBinding,
secureMessage.getSOAPPart());
}
if ((_assertion != null) && (_authorityBinding == null)) {
//insert the SAML Assertion
SamlAssertionHeaderBlock samlHeaderblock =
new SamlAssertionHeaderBlock(_assertion, secureMessage.getSOAPPart());
secureMessage.findOrCreateSecurityHeader().insertHeaderBlock(samlHeaderblock);
// setting ValueType of Keydentifier to SAML1.1 0r SAML2.0
KeyIdentifierStrategy strat = new KeyIdentifierStrategy(assertionId);
strat.insertKey(tokenRef, secureMessage);
keyInfo = dsigHelper.constructKeyInfo(signaturePolicy, tokenRef);
nextSibling = samlHeaderblock.getAsSoapElement().getNextSibling();
} else {
nextSibling = securityHeader.getNextSiblingOfTimestamp();
}
}else if(PolicyTypeUtil.symmetricKeyBinding(keyBinding)){
SymmetricKeyBinding skb = null;
if ( context.getSymmetricKeyBinding() != null) {
skb = context.getSymmetricKeyBinding();
context.setSymmetricKeyBinding(null);
} else {
skb = (SymmetricKeyBinding)keyBinding;
}
// sign method is HMACSHA-1 for symmetric keys
if(!skb.getKeyIdentifier().equals(MessageConstants._EMPTY)){
signingKey = skb.getSecretKey();
String symmetricKeyName = skb.getKeyIdentifier();
keyInfo = dsigHelper.constructKeyInfo(signaturePolicy, symmetricKeyName);
nextSibling = securityHeader.getNextSiblingOfTimestamp();
} else if(sendEKSHA1){
//get the signing key and EKSHA1 reference from the Subject, it was stored from the incoming message
String ekSha1Ref = getEKSHA1Ref(context);
signingKey = skb.getSecretKey();
SecurityTokenReference secTokenRef = new SecurityTokenReference(secureMessage.getSOAPPart());
EncryptedKeySHA1Identifier refElem = new EncryptedKeySHA1Identifier(secureMessage.getSOAPPart());
refElem.setReferenceValue(ekSha1Ref);
secTokenRef.setReference(refElem);
//set the wsse11:TokenType attribute as required by WSS 1.1
//secTokenRef.setTokenType(MessageConstants.EncryptedKey_NS);
keyInfo = dsigHelper.constructKeyInfo(signaturePolicy, secTokenRef);
nextSibling = securityHeader.getNextSiblingOfTimestamp();
//TODO: the below condition is always true
}else if(wss11Sender || wss10){
signingKey = skb.getSecretKey();
AuthenticationTokenPolicy.X509CertificateBinding x509Binding = null;
X509Certificate cert = null;
if(!skb.getCertAlias().equals(MessageConstants._EMPTY)){
x509Binding = new AuthenticationTokenPolicy.X509CertificateBinding();
x509Binding.newPrivateKeyBinding();
x509Binding.setCertificateIdentifier(skb.getCertAlias());
cert = context.getSecurityEnvironment().getCertificate(context.getExtraneousProperties(), x509Binding.getCertificateIdentifier(), false);
x509Binding.setX509Certificate(cert);
x509Binding.setReferenceType("Direct");
}else if ( context.getX509CertificateBinding() != null ) {
x509Binding = context.getX509CertificateBinding();
context.setX509CertificateBinding(null);
cert = x509Binding.getX509Certificate();
}
HashMap tokenCache = context.getTokenCache();
HashMap insertedX509Cache = context.getInsertedX509Cache();
String x509id = x509Binding.getUUID();
if(x509id == null || x509id.equals("")){
x509id = secureMessage.generateId();
}
SecurityUtil.checkIncludeTokenPolicy(context, x509Binding, x509id);
String keyEncAlgo = XMLCipher.RSA_v1dot5; //<--Harcoding of Algo
String tmp = null;
if(algSuite != null){
tmp = algSuite.getAsymmetricKeyAlgorithm();
}
if(tmp != null && !"".equals(tmp)){
keyEncAlgo = tmp;
}
String referenceType = x509Binding.getReferenceType();
if(referenceType.equals("Identifier") && x509Binding.getValueType().equals(MessageConstants.X509v1_NS)){
logger.log(Level.SEVERE, LogStringsMessages.WSS_1333_UNSUPPORTED_KEYIDENTIFER_X_509_V_1());
throw new XWSSecurityException("Key Identifier strategy in X509v1 is not supported");
}
KeyInfoStrategy strategy = KeyInfoStrategy.getInstance(referenceType);
KeyInfoHeaderBlock keyInfoBlock = null;
secureMessage = context.getSecurableSoapMessage();
dsigHelper = WSSPolicyConsumerImpl.getInstance();
//Check to see if same x509 token used for Signature and Encryption
X509SecurityToken token = null;
cert = x509Binding.getX509Certificate();
String x509TokenId = x509Binding.getUUID();
//String x509TokenId = x509Binding.getPolicyToken().getTokenId();
boolean tokenInserted = false;
//insert x509 token in tokencache always irrespective of reference type
if(x509TokenId == null || x509TokenId.equals("")){
x509TokenId = secureMessage.generateId();
}
token = (X509SecurityToken)tokenCache.get(x509TokenId);
//reference type adjustment in checkIncludePolicy might
// have inserted x509
X509SecurityToken insertedx509 =
(X509SecurityToken)context.getInsertedX509Cache().get(x509TokenId);
if (token == null) {
String valueType = x509Binding.getValueType();
if(valueType==null||valueType.equals("")){
//default valueType for X509 as v3
valueType = MessageConstants.X509v3_NS;
}
token = new X509SecurityToken(secureMessage.getSOAPPart(), cert, x509TokenId, valueType);
tokenCache.put(x509TokenId, token);
} else{
tokenInserted = true;
}
String id = null;
HashMap ekCache = context.getEncryptedKeyCache();
if(!tokenInserted){
context.setCurrentSecret(signingKey);
//Store SymmetricKey generated in ProcessingContext
context.setExtraneousProperty("SecretKey", signingKey);
keyInfoBlock = new KeyInfoHeaderBlock(secureMessage.getSOAPPart());
strategy.setCertificate(cert);
strategy.insertKey(keyInfoBlock, secureMessage, x509TokenId);
org.apache.xml.security.keys.KeyInfo apacheKeyInfo = keyInfoBlock.getKeyInfo();
//create an encrypted Key
EncryptedKey encryptedKey = null;
XMLCipher keyEncryptor = null;
try{
keyEncryptor = XMLCipher.getInstance(keyEncAlgo);
keyEncryptor.init(XMLCipher.WRAP_MODE, cert.getPublicKey());
if (keyEncryptor != null) {
encryptedKey = keyEncryptor.encryptKey(secureMessage.getSOAPPart(), signingKey);
}
}catch(Exception e){
logger.log(Level.SEVERE, LogStringsMessages.WSS_1334_ERROR_CREATING_ENCRYPTEDKEY());
throw new XWSSecurityException(e);
}
id = secureMessage.generateId();
encryptedKey.setId(id);
ekCache.put(x509TokenId, id);
// set its KeyInfo
encryptedKey.setKeyInfo(apacheKeyInfo);
// insert the EK into the SOAPMessage
SOAPElement se = (SOAPElement)keyEncryptor.martial(encryptedKey);
if (insertedx509 == null) {
secureMessage.findOrCreateSecurityHeader().insertHeaderBlockElement(se);
} else {
secureMessage.findOrCreateSecurityHeader().insertBefore(se,insertedx509.getNextSibling());
}
//store EKSHA1 of KeyValue contents in context
Element cipherData = (Element)se.getChildElements(new QName(MessageConstants.XENC_NS, "CipherData", MessageConstants.XENC_PREFIX)).next();
String cipherValue = cipherData.getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent();
byte[] decodedCipher = Base64.decode(cipherValue);
byte[] ekSha1 = MessageDigest.getInstance("SHA-1").digest(decodedCipher);
String encEkSha1 = Base64.encode(ekSha1);
context.setExtraneousProperty("EncryptedKeySHA1", encEkSha1);
nextSibling = se.getNextSibling();
} else{
id = (String)ekCache.get(x509TokenId);
signingKey = context.getCurrentSecret();
nextSibling = secureMessage.getElementById(id).getNextSibling();
}
//insert the token as the first child in SecurityHeader -- if same token was not already
// inserted by Encryption
if (MessageConstants.DIRECT_REFERENCE_TYPE.equals(referenceType) && insertedx509 == null){
secureMessage.findOrCreateSecurityHeader().insertHeaderBlock(token);
insertedX509Cache.put(x509TokenId, token);
}
//STR for the KeyInfo of signature
SecurityTokenReference secTokenRef = new SecurityTokenReference(secureMessage.getSOAPPart());
DirectReference reference = new DirectReference();
String strId = x509Binding.getSTRID();
if(strId == null){
strId = secureMessage.generateId();
}
secTokenRef.setWsuId(strId);
//TODO: PLUGFEST Microsoft setting EK on reference inseatd of STR
//secTokenRef.setTokenType(MessageConstants.EncryptedKey_NS);
//set id of encrypted key
reference.setURI("#"+id);
reference.setValueType(MessageConstants.EncryptedKey_NS);
secTokenRef.setReference(reference);
keyInfo = dsigHelper.constructKeyInfo(signaturePolicy,secTokenRef);
}
}else {
logger.log(Level.SEVERE,LogStringsMessages.WSS_1335_UNSUPPORTED_KEYBINDING_SIGNATUREPOLICY());
throw new XWSSecurityException("Unsupported Key Binding for SignaturePolicy");
}
// Put UsernameToken above signature
NodeList nodeList = securityHeader.getElementsByTagNameNS(MessageConstants.WSSE_NS, MessageConstants.USERNAME_TOKEN_LNAME);
if(nodeList != null && nodeList.getLength() > 0){
nextSibling = nodeList.item(0).getNextSibling();
}
// if currentReflist is non-null it means we are doing E before S
Node refList = context.getCurrentRefList();
if (refList != null) {
nextSibling = refList;
//reset it after using once to null.
context.setCurrentReferenceList(null);
}
if(featureBinding.isEndorsingSignature()){
nextSibling = securityHeader.getLastChild().getNextSibling();
}
SignedInfo signedInfo = WSSPolicyConsumerImpl.getInstance().constructSignedInfo(context);
DOMSignContext signContext = null;
if(nextSibling == null){
signContext = new DOMSignContext(signingKey,securityHeader.getAsSoapElement());//firstChildElement);
}else{
signContext = new DOMSignContext(signingKey,securityHeader.getAsSoapElement(),nextSibling);
}
signContext.setURIDereferencer(DSigResolver.getInstance());
XMLSignature signature = dsigHelper.constructSignature(signedInfo, keyInfo, signaturePolicy.getUUID());
signContext.put(MessageConstants.WSS_PROCESSING_CONTEXT, context);
signContext.putNamespacePrefix(MessageConstants.DSIG_NS, MessageConstants.DSIG_PREFIX);
// XMLUtils.circumventBug2650(context.getSecurableSoapMessage().getSOAPPart());
signature.sign(signContext);