* Attach the token into the message based on token inclusion values
*/
boolean attached = false;
Element encrTokenElement = null;
Element refList = null;
WSSecDKEncrypt dkEncr = null;
WSSecEncrypt encr = null;
Element encrDKTokenElem = null;
if (SPConstants.INCLUDE_TOEKN_ALWAYS == encryptionToken.getInclusion()
|| SPConstants.INCLUDE_TOKEN_ONCE == encryptionToken.getInclusion()
|| (rmd.isInitiator() && SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT == encryptionToken
.getInclusion())) {
encrTokenElement = RampartUtil.appendChildToSecHeader(rmd, tok.getToken());
attached = true;
} else if (encryptionToken instanceof X509Token && rmd.isInitiator()) {
encrTokenElement = RampartUtil.appendChildToSecHeader(rmd, tok.getToken());
}
Document doc = rmd.getDocument();
AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
if (encryptionToken.isDerivedKeys()) {
log.debug("Use drived keys");
dkEncr = new WSSecDKEncrypt();
if (attached && tok.getAttachedReference() != null) {
dkEncr.setExternalKey(tok.getSecret(),
(Element) doc.importNode((Element) tok.getAttachedReference(), true));
} else if (tok.getUnattachedReference() != null) {
dkEncr.setExternalKey(tok.getSecret(),
(Element) doc.importNode((Element) tok.getUnattachedReference(), true));
} else {
dkEncr.setExternalKey(tok.getSecret(), tok.getId());
}
try {
dkEncr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
dkEncr.setDerivedKeyLength(algorithmSuite.getEncryptionDerivedKeyLength() / 8);
dkEncr.prepare(doc);
encrDKTokenElem = dkEncr.getdktElement();
RampartUtil.appendChildToSecHeader(rmd, encrDKTokenElem);
refList = dkEncr.encryptForExternalRef(null, encrParts);
} catch (WSSecurityException e) {
throw new RampartException("errorInDKEncr");
} catch (ConversationException e) {
throw new RampartException("errorInDKEncr");
}
} else {
log.debug("NO derived keys, use the shared secret");
encr = new WSSecEncrypt();
encr.setWsConfig(rmd.getConfig());
encr.setEncKeyId(tokenId);
RampartUtil.setEncryptionUser(rmd, encr);
encr.setEphemeralKey(tok.getSecret());
encr.setDocument(doc);
encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
// SymmKey is already encrypted, no need to do it again
encr.setEncryptSymmKey(false);
if (!rmd.isInitiator() && tok instanceof EncryptedKeyToken) {
encr.setUseKeyIdentifier(true);
encr.setCustomReferenceValue(((EncryptedKeyToken) tok).getSHA1());
encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
}
try {
encr.prepare(
doc,
RampartUtil.getEncryptionCrypto(rpd.getRampartConfig(),
rmd.getCustomClassLoader()));
// Encrypt, get hold of the ref list and add it
refList = encr.encryptForExternalRef(null, encrParts);
} catch (WSSecurityException e) {
throw new RampartException("errorInEncryption", e);
}
}
this.mainRefListElement = RampartUtil.appendChildToSecHeader(rmd, refList);
if (tlog.isDebugEnabled()) {
t1 = System.currentTimeMillis();
}
// Sometimes the encryption token is not included in the message
if (encrTokenElement != null) {
this.setInsertionLocation(encrTokenElement);
} else if (timestampElement != null) {
this.setInsertionLocation(timestampElement);
}
RampartUtil.handleEncryptedSignedHeaders(encrParts, sigParts, doc);
HashMap sigSuppTokMap = null;
HashMap endSuppTokMap = null;
HashMap sgndEndSuppTokMap = null;
HashMap sgndEncSuppTokMap = null;
HashMap endEncSuppTokMap = null;
HashMap sgndEndEncSuppTokMap = null;
if (this.timestampElement != null) {
sigParts.add(new WSEncryptionPart(RampartUtil
.addWsuIdToElement((OMElement) this.timestampElement)));
}
if (rmd.isInitiator()) {
// Now add the supporting tokens
SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
sigSuppTokMap = this.handleSupportingTokens(rmd, sgndSuppTokens);
SupportingToken endSuppTokens = rpd.getEndorsingSupportingTokens();
endSuppTokMap = this.handleSupportingTokens(rmd, endSuppTokens);
SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
sgndEndSuppTokMap = this.handleSupportingTokens(rmd, sgndEndSuppTokens);
SupportingToken sgndEncryptedSuppTokens = rpd.getSignedEncryptedSupportingTokens();
sgndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEncryptedSuppTokens);
SupportingToken endorsingEncryptedSuppTokens = rpd
.getEndorsingEncryptedSupportingTokens();
endEncSuppTokMap = this.handleSupportingTokens(rmd, endorsingEncryptedSuppTokens);
SupportingToken sgndEndEncSuppTokens = rpd
.getSignedEndorsingEncryptedSupportingTokens();
sgndEndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEndEncSuppTokens);
Vector supportingToks = rpd.getSupportingTokensList();
for (int i = 0; i < supportingToks.size(); i++) {
this.handleSupportingTokens(rmd, (SupportingToken) supportingToks.get(i));
}
SupportingToken encryptedSupportingToks = rpd.getEncryptedSupportingTokens();
this.handleSupportingTokens(rmd, encryptedSupportingToks);
// Setup signature parts
sigParts = addSignatureParts(sigSuppTokMap, sigParts);
sigParts = addSignatureParts(sgndEncSuppTokMap, sigParts);
sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);
sigParts = addSignatureParts(sgndEndEncSuppTokMap, sigParts);
} else {
addSignatureConfirmation(rmd, sigParts);
}
// Sign the message
// We should use the same key in the case of EncryptBeforeSig
if (sigParts.size() > 0) {
signatureValues.add(this.doSymmSignature(rmd, encryptionToken, tok, sigParts));
this.mainSigId = RampartUtil.addWsuIdToElement((OMElement) this
.getInsertionLocation());
}
if (rmd.isInitiator()) {
endSuppTokMap.putAll(endEncSuppTokMap);
// Do endorsed signatures
Vector endSigVals = this.doEndorsedSignatures(rmd, endSuppTokMap);
for (Iterator iter = endSigVals.iterator(); iter.hasNext();) {
signatureValues.add(iter.next());
}
sgndEndSuppTokMap.putAll(sgndEndEncSuppTokMap);
// Do signed endorsing signatures
Vector sigEndSigVals = this.doEndorsedSignatures(rmd, sgndEndSuppTokMap);
for (Iterator iter = sigEndSigVals.iterator(); iter.hasNext();) {
signatureValues.add(iter.next());
}
}
if (tlog.isDebugEnabled()) {
t2 = System.currentTimeMillis();
tlog.debug("Encryption took :" + (t1 - t0) + ", Signature tool :" + (t2 - t1));
}
// Check for signature protection and encryption of UsernameToken
if (rpd.isSignatureProtection() && this.mainSigId != null
|| encryptedTokensIdList.size() > 0 && rmd.isInitiator()) {
long t3 = 0, t4 = 0;
if (tlog.isDebugEnabled()) {
t3 = System.currentTimeMillis();
}
log.debug("Signature protection");
Vector secondEncrParts = new Vector();
// Now encrypt the signature using the above token
if (rpd.isSignatureProtection()) {
secondEncrParts.add(new WSEncryptionPart(this.mainSigId, "Element"));
}
if (rmd.isInitiator()) {
for (int i = 0; i < encryptedTokensIdList.size(); i++) {
secondEncrParts.add(new WSEncryptionPart((String) encryptedTokensIdList
.get(i), "Element"));
}
}
Element secondRefList = null;
if (encryptionToken.isDerivedKeys()) {
try {
secondRefList = dkEncr.encryptForExternalRef(null, secondEncrParts);
RampartUtil.insertSiblingAfter(rmd, encrDKTokenElem, secondRefList);
} catch (WSSecurityException e) {
throw new RampartException("errorInDKEncr");
}
} else {