// Creates a SecurityToken from values defined outside this excerpt (rst, rar, rur, lte,
// rpt, entropy, retKeySize, keySize, requestorEntropy, namespace) and selects the key
// material for it into `secret`.
// NOTE(review): this excerpt has no closing-brace lines and no method signature, so the
// nesting described in the comments below is inferred from the keywords; confirm it
// against the full file.
Element rstDec = rst;
String id = findID(rar, rur, rstDec);
// A token without an identifier is rejected outright.
if (StringUtils.isEmpty(id)) {
throw new TrustException("NO_ID", LOG);
SecurityToken token = new SecurityToken(id, rstDec, lte);
// Stays null unless one of the branches below yields key material.
byte[] secret = null;
if (rpt != null) {
// Dispatch on the qualified name of rpt's first child element.
// NOTE(review): no null check on `child` is visible before its QName is used; confirm
// what DOMUtils.getFirstElement returns when rpt has no element children.
Element child = DOMUtils.getFirstElement(rpt);
QName childQname = DOMUtils.getElementQName(child);
if (childQname.equals(new QName(namespace, "BinarySecret"))) {
// First check for the binary secret
// The element content is Base64-decoded and used directly as the secret.
String b64Secret = DOMUtils.getContent(child);
secret = Base64.decode(b64Secret);
} else if (childQname.equals(new QName(WSConstants.ENC_NS, WSConstants.ENC_KEY_LN))) {
// Encrypted key: delegated to decryptKey, which is defined outside this excerpt.
secret = decryptKey(child);
} else if (childQname.equals(new QName(namespace, "ComputedKey"))) {
// Handle the computed key
// The service-side entropy comes from the first child of `entropy`, either as an
// encrypted key or as a Base64 BinarySecret; any other child leaves serviceEntr null.
Element computedKeyChild = entropy == null ? null : DOMUtils.getFirstElement(entropy);
byte[] serviceEntr = null;
if (computedKeyChild != null) {
QName computedKeyChildQName = DOMUtils.getElementQName(computedKeyChild);
if (computedKeyChildQName.equals(new QName(WSConstants.ENC_NS, WSConstants.ENC_KEY_LN))) {
serviceEntr = decryptKey(computedKeyChild);
} else if (computedKeyChildQName.equals(new QName(namespace, "BinarySecret"))) {
String content = DOMUtils.getContent(computedKeyChild);
serviceEntr = Base64.decode(content);
if (serviceEntr != null) {
// Right now we only use PSHA1 as the computed key algo
P_SHA1 psha1 = new P_SHA1();
// Requested key length; the `length / 8` below suggests it is in bits (TODO confirm).
int length = 0;
if (retKeySize != null) {
try {
length = Integer.parseInt(retKeySize);
} catch (NumberFormatException ex) {
// Deliberately ignored: length keeps its initial 0, so an unparsable retKeySize
// appears to end up on the 256 default below rather than failing the exchange.
} else {
length = keySize;
// Non-positive lengths are replaced by 256.
// NOTE(review): no upper bound on `length` is visible, and a value that is not a
// multiple of 8 is truncated by the integer division; consider validating it
// against the key sizes the client actually expects.
if (length <= 0) {
length = 256;
try {
// Derives length / 8 bytes from the requestor and service entropy, starting at offset 0.
// NOTE(review): requestorEntropy is not null-checked on this path in the visible
// lines; confirm createKey's behaviour for a null first argument.
secret = psha1.createKey(requestorEntropy, serviceEntr, 0, length / 8);
} catch (ConversationException e) {
// The original exception is kept as the cause.
throw new TrustException("DERIVED_KEY_ERROR", LOG, e);
} else {
// Service entropy missing
// A computed key cannot be derived without it, so the exchange fails here.
throw new TrustException("NO_ENTROPY", LOG);
} else if (requestorEntropy != null) {
// Use requester entropy as the key
// NOTE(review): presumably the alternative to `rpt != null`; the missing braces make
// the pairing impossible to confirm from this excerpt.
secret = requestorEntropy;
// NOTE(review): no visible line stores `secret` on `token` before it is returned; confirm
// the full method attaches it, otherwise the derived key is discarded.
return token;