logger.log(Level.FINEST, "KeySelectorResult::select Algorithm is " + method.getAlgorithm());
logger.log(Level.FINEST, "KeySelectorResult::select ParameterSpec is " + method.getParameterSpec());
}
try {
SignatureMethod sm = (SignatureMethod) method;
List list = keyInfo.getContent();
JAXBFilterProcessingContext wssContext = (JAXBFilterProcessingContext) context.get(MessageConstants.WSS_PROCESSING_CONTEXT);
SecurityPolicy securityPolicy = wssContext.getSecurityPolicy();
boolean isBSP = false;
if (securityPolicy != null) {
if (PolicyTypeUtil.messagePolicy(securityPolicy)) {
isBSP = ((MessagePolicy) securityPolicy).isBSP();
} else {
isBSP = ((WSSPolicy) securityPolicy).isBSP();
}
}
if (isBSP && list.size() > 1) {
logger.log(Level.SEVERE, LogStringsMessages.WSS_1350_ILLEGAL_BSP_VIOLATION_KEY_INFO());
throw SOAPUtil.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY_TOKEN,
"BSP Violation of R5402: KeyInfo MUST have exactly one child", null);
}
boolean isStr = false;
for (int i = 0; i < list.size(); i++) {
XMLStructure xmlStructure = (XMLStructure) list.get(i);
if (xmlStructure instanceof KeyValue) {
PublicKey pk = null;
try {
pk = ((KeyValue) xmlStructure).getPublicKey();
} catch (KeyException ke) {
throw new KeySelectorException(ke);
}
//if the purpose is signature verification, we need to make sure we
//trust the certificate. in case of HOK SAML this can be the cert of the IP
if (purpose == Purpose.VERIFY) {
X509Certificate cert = wssContext.getSecurityEnvironment().getCertificate(wssContext.getExtraneousProperties(), pk, false);
wssContext.getSecurityEnvironment().validateCertificate(cert, wssContext.getExtraneousProperties());
}
// make sure algorithm is compatible with method
if (algEquals(sm.getAlgorithm(), pk.getAlgorithm())) {
return new SimpleKeySelectorResult(pk);
}
} else if (xmlStructure instanceof JAXBStructure) {
JAXBElement reference = ((JAXBStructure) xmlStructure).getJAXBElement();
if (isSecurityTokenReference(reference)) {
isStr = true;
final Key key = resolve(reference, context, purpose);
return new KeySelectorResult() {
public Key getKey() {
return key;
}
};
}
} else if (xmlStructure instanceof KeyName) {
KeyName keyName = (KeyName) xmlStructure;
Key returnKey = wssContext.getSecurityEnvironment().getSecretKey(
wssContext.getExtraneousProperties(), keyName.getName(), false);
if (returnKey == null) {
X509Certificate cert = wssContext.getSecurityEnvironment().getCertificate(
wssContext.getExtraneousProperties(), keyName.getName(), false);
if (cert != null && algEquals(sm.getAlgorithm(), cert.getPublicKey().getAlgorithm())) {
return new SimpleKeySelectorResult(cert.getPublicKey());
}
} else {
return new SimpleKeySelectorResult(returnKey);
}