logger.log(Level.FINEST, "KeySelectorResult::select Purpose = "+purpose);
logger.log(Level.FINEST, "KeySelectorResult::select Algorithm is "+method.getAlgorithm());
logger.log(Level.FINEST, "KeySelectorResult::select ParameterSpec is "+method.getParameterSpec());
}
try{
SignatureMethod sm = (SignatureMethod) method;
List list = keyInfo.getContent();
FilterProcessingContext wssContext = (FilterProcessingContext)context.get(MessageConstants.WSS_PROCESSING_CONTEXT);
SecurityPolicy securityPolicy = wssContext.getSecurityPolicy();
boolean isBSP = false;
if(securityPolicy != null) {
if (PolicyTypeUtil.messagePolicy(securityPolicy)) {
isBSP = ((MessagePolicy)securityPolicy).isBSP();
} else {
isBSP = ((WSSPolicy)securityPolicy).isBSP();
}
}
if (isBSP && list.size() > 1) {
logger.log(Level.SEVERE, LogStringsMessages.WSS_1350_ILLEGAL_BSP_VIOLATION_KEY_INFO());
throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY_TOKEN,
"BSP Violation of R5402: KeyInfo MUST have exactly one child", null);
}
boolean isStr = false;
for (int i = 0; i < list.size(); i++) {
XMLStructure xmlStructure = (XMLStructure) list.get(i);
if (xmlStructure instanceof KeyValue) {
PublicKey pk = null;
try {
pk = ((KeyValue)xmlStructure).getPublicKey();
} catch (KeyException ke) {
logger.log(Level.SEVERE,LogStringsMessages.WSS_1351_EXCEPTION_KEYSELECTOR_PUBLICKEY(), ke);
throw new KeySelectorException(ke);
}
// If the purpose is signature verification, we need to make sure we
// trust the certificate. In the case of HOK SAML this can be the cert of the IP.
if (purpose == Purpose.VERIFY) {
X509Certificate cert = wssContext.getSecurityEnvironment().getCertificate(wssContext.getExtraneousProperties(),pk,false);
wssContext.getSecurityEnvironment().validateCertificate(cert, wssContext.getExtraneousProperties());
}
// make sure algorithm is compatible with method
if (algEquals(sm.getAlgorithm(), pk.getAlgorithm())) {
return new SimpleKeySelectorResult(pk);
}
} else if(xmlStructure instanceof DOMStructure) {
SOAPElement reference = (SOAPElement)((DOMStructure)xmlStructure).getNode();
if(isSecurityTokenReference(reference)){
isStr = true;
final Key key = resolve(reference, context, purpose);
return new KeySelectorResult(){
public Key getKey(){
return key;
}
};
}
}else if (xmlStructure instanceof KeyName) {
KeyName keyName = (KeyName) xmlStructure;
Key returnKey = wssContext.getSecurityEnvironment().getSecretKey(
wssContext.getExtraneousProperties(),keyName.getName(),false);
if(returnKey == null){
X509Certificate cert = wssContext.getSecurityEnvironment().getCertificate(
wssContext.getExtraneousProperties(),keyName.getName(), false);
if (cert != null && algEquals(sm.getAlgorithm(),cert.getPublicKey().getAlgorithm())) {
//update other party subject here
wssContext.getSecurityEnvironment().updateOtherPartySubject(
DefaultSecurityEnvironmentImpl.getSubject(wssContext), cert);
return new SimpleKeySelectorResult(cert.getPublicKey());
}