RampartPolicyData rpd = rmd.getPolicyData();
if (policyToken.isDerivedKeys()) {
try {
WSSecDKSign dkSign = new WSSecDKSign();
// Check whether it is security policy 1.2 and use the secure conversation
// accordingly
if (SPConstants.SP_V12 == policyToken.getVersion()) {
dkSign.setWscVersion(ConversationConstants.VERSION_05_12);
}
// Check for whether the token is attached in the message or not
boolean attached = false;
if (SPConstants.INCLUDE_TOEKN_ALWAYS == policyToken.getInclusion()
|| SPConstants.INCLUDE_TOKEN_ONCE == policyToken.getInclusion()
|| (rmd.isInitiator() && SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT == policyToken
.getInclusion())) {
attached = true;
}
// Setting the AttachedReference or the UnattachedReference according to the flag
OMElement ref;
if (attached == true) {
ref = tok.getAttachedReference();
} else {
ref = tok.getUnattachedReference();
}
if (ref != null) {
dkSign.setExternalKey(tok.getSecret(),
(Element) doc.importNode((Element) ref, true));
} else if (!rmd.isInitiator() && policyToken.isDerivedKeys()) {
// If the Encrypted key used to create the derived key is not
// attached use key identifier as defined in WSS1.1 section
// 7.7 Encrypted Key reference
SecurityTokenReference tokenRef = new SecurityTokenReference(doc);
if (tok instanceof EncryptedKeyToken) {
tokenRef.setKeyIdentifierEncKeySHA1(((EncryptedKeyToken) tok).getSHA1());
;
}
dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
} else {
dkSign.setExternalKey(tok.getSecret(), tok.getId());
}
// Set the algo info
dkSign.setSignatureAlgorithm(rpd.getAlgorithmSuite().getSymmetricSignature());
dkSign.setDerivedKeyLength(rpd.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8);
if (tok instanceof EncryptedKeyToken) {
// Set the value type of the reference
dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
+ WSConstants.ENC_KEY_VALUE_TYPE);
}
dkSign.prepare(doc, rmd.getSecHeader());
if (rpd.isTokenProtection()) {
// Hack to handle reference id issues
// TODO Need a better fix
String sigTokId = tok.getId();
if (sigTokId.startsWith("#")) {
sigTokId = sigTokId.substring(1);
}
sigParts.add(new WSEncryptionPart(sigTokId));
}
dkSign.setParts(sigParts);
dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
// Do signature
dkSign.computeSignature();
// Add elements to header
if (rpd.getProtectionOrder().equals(SPConstants.ENCRYPT_BEFORE_SIGNING)
&& this.getInsertionLocation() == null) {
this.setInsertionLocation(RampartUtil
.insertSiblingBefore(rmd, this.mainRefListElement, dkSign.getdktElement()));
this.setInsertionLocation(RampartUtil.insertSiblingAfter(rmd,
this.getInsertionLocation(), dkSign.getSignatureElement()));
} else {
this.setInsertionLocation(RampartUtil
.insertSiblingAfter(rmd, this.getInsertionLocation(), dkSign.getdktElement()));
this.setInsertionLocation(RampartUtil.insertSiblingAfter(rmd,
this.getInsertionLocation(), dkSign.getSignatureElement()));
}
return dkSign.getSignatureValue();
} catch (ConversationException e) {
throw new RampartException("errorInDerivedKeyTokenSignature", e);
} catch (WSSecurityException e) {
throw new RampartException("errorInDerivedKeyTokenSignature", e);