String encrTokId = null;
String sigTokId = null;
org.apache.rahas.Token encrTok = null;
org.apache.rahas.Token sigTok = null;
WSSecKerberosToken krbToken = null;
Element sigTokElem = null;
Vector signatureValues = new Vector();
if (sigToken != null) {
if (sigToken instanceof SecureConversationToken) {
sigTokId = rmd.getSecConvTokenId();
} else if (sigToken instanceof IssuedToken) {
sigTokId = rmd.getIssuedSignatureTokenId();
} else if (sigToken instanceof X509Token) {
if (rmd.isInitiator()) {
sigTokId = setupEncryptedKey(rmd, sigToken);
} else {
sigTokId = getEncryptedKey(rmd);
}
} else if (sigToken instanceof KerberosToken) {
Date created = new Date();
Date expires = new Date();
// TODO make this lifetime configurable ???
expires.setTime(System.currentTimeMillis() + 300000);
krbToken = getKerberosTokenBuilder(rmd, sigToken);
sigTokId = krbToken.getBSTTokenId();
if (rmd.isInitiator()) {
sigTokElem = krbToken.getBinarySecurityTokenElement();
}
sigTok = new EncryptedKeyToken(sigTokId, created, expires);
sigTok.setSecret(krbToken.getSessionKey().getEncoded());
}
} else {
throw new RampartException("signatureTokenMissing");
}
if (sigTokId == null || sigTokId.length() == 0) {
throw new RampartException("noSecurityToken");
}
if (!(sigToken instanceof KerberosToken)) {
sigTok = this.getToken(rmd, sigTokId);
if (SPConstants.INCLUDE_TOEKN_ALWAYS == sigToken.getInclusion()
|| SPConstants.INCLUDE_TOKEN_ONCE == sigToken.getInclusion()
|| (rmd.isInitiator() && SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT == sigToken
.getInclusion())) {
sigTokElem = RampartUtil.appendChildToSecHeader(rmd, sigTok.getToken());
} else if ((rmd.isInitiator() && sigToken instanceof X509Token)
|| sigToken instanceof SecureConversationToken) {
sigTokElem = RampartUtil.appendChildToSecHeader(rmd, sigTok.getToken());
}
}
if (sigTokElem != null) {
// Set the insertion location
this.setInsertionLocation(sigTokElem);
}
HashMap sigSuppTokMap = null;
HashMap endSuppTokMap = null;
HashMap sgndEndSuppTokMap = null;
HashMap sgndEncSuppTokMap = null;
HashMap endEncSuppTokMap = null;
HashMap sgndEndEncSuppTokMap = null;
Vector sigParts = RampartUtil.getSignedParts(rmd);
if (this.timestampElement != null) {
sigParts.add(new WSEncryptionPart(RampartUtil
.addWsuIdToElement((OMElement) this.timestampElement)));
}
if (rmd.isInitiator()) {
// Now add the supporting tokens
SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
sigSuppTokMap = this.handleSupportingTokens(rmd, sgndSuppTokens);
SupportingToken endSuppTokens = rpd.getEndorsingSupportingTokens();
endSuppTokMap = this.handleSupportingTokens(rmd, endSuppTokens);
SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
sgndEndSuppTokMap = this.handleSupportingTokens(rmd, sgndEndSuppTokens);
SupportingToken sgndEncryptedSuppTokens = rpd.getSignedEncryptedSupportingTokens();
sgndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEncryptedSuppTokens);
SupportingToken endorsingEncryptedSuppTokens = rpd
.getEndorsingEncryptedSupportingTokens();
endEncSuppTokMap = this.handleSupportingTokens(rmd, endorsingEncryptedSuppTokens);
SupportingToken sgndEndEncSuppTokens = rpd
.getSignedEndorsingEncryptedSupportingTokens();
sgndEndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEndEncSuppTokens);
Vector supportingToks = rpd.getSupportingTokensList();
for (int i = 0; i < supportingToks.size(); i++) {
this.handleSupportingTokens(rmd, (SupportingToken) supportingToks.get(i));
}
SupportingToken encryptedSupportingToks = rpd.getEncryptedSupportingTokens();
this.handleSupportingTokens(rmd, encryptedSupportingToks);
// Setup signature parts
sigParts = addSignatureParts(sigSuppTokMap, sigParts);
sigParts = addSignatureParts(sgndEncSuppTokMap, sigParts);
sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);
sigParts = addSignatureParts(sgndEndEncSuppTokMap, sigParts);
} else {
addSignatureConfirmation(rmd, sigParts);
}
if (sigParts.size() > 0) {
if (sigToken instanceof KerberosToken) {
krbToken.setParts(sigParts);
try {
krbToken.signMessage();
} catch (WSSecurityException e) {
throw new RampartException("errorInSignatureWithKerberosToken");
}
this.setInsertionLocation(RampartUtil.insertSiblingAfter(rmd,
this.getInsertionLocation(), krbToken.getSignatureElement()));
signatureValues.add(krbToken.getSignatureValue());
} else {
// Sign the message
signatureValues.add(this.doSymmSignature(rmd, sigToken, sigTok, sigParts));
}
this.mainSigId = RampartUtil.addWsuIdToElement((OMElement) this.getInsertionLocation());
}
if (rmd.isInitiator()) {
// Adding the endorsing encrypted supporting tokens to endorsing supporting tokens
endSuppTokMap.putAll(endEncSuppTokMap);
// Do endorsed signatures
Vector endSigVals = this.doEndorsedSignatures(rmd, endSuppTokMap);
for (Iterator iter = endSigVals.iterator(); iter.hasNext();) {
signatureValues.add(iter.next());
}
// Adding the signed endorsed encrypted tokens to signed endorsed supporting tokens
sgndEndSuppTokMap.putAll(sgndEndEncSuppTokMap);
// Do signed endorsing signatures
Vector sigEndSigVals = this.doEndorsedSignatures(rmd, sgndEndSuppTokMap);
for (Iterator iter = sigEndSigVals.iterator(); iter.hasNext();) {
signatureValues.add(iter.next());
}
}
if (tlog.isDebugEnabled()) {
t1 = System.currentTimeMillis();
}
// Encryption
Token encrToken = rpd.getEncryptionToken();
boolean isIssuedToken = false;
if (encrToken instanceof IssuedToken) {
isIssuedToken = true;
}
Element encrTokElem = null;
if (sigToken.equals(encrToken)) {
// Use the same token
encrTokId = sigTokId;
encrTok = sigTok;
encrTokElem = sigTokElem;
} else {
encrTokId = rmd.getIssuedEncryptionTokenId();
encrTok = this.getToken(rmd, encrTokId);
if (SPConstants.INCLUDE_TOEKN_ALWAYS == encrToken.getInclusion()
|| SPConstants.INCLUDE_TOKEN_ONCE == encrToken.getInclusion()
|| (rmd.isInitiator() && SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT == encrToken
.getInclusion())) {
encrTokElem = (Element) encrTok.getToken();
// Add the encrToken element before the sigToken element
RampartUtil.insertSiblingBefore(rmd, sigTokElem, encrTokElem);
}
}
Vector encrParts = RampartUtil.getEncryptedParts(rmd);
// Check for signature protection
if (rpd.isSignatureProtection() && this.mainSigId != null) {
// Now encrypt the signature using the above token
encrParts.add(new WSEncryptionPart(this.mainSigId, "Element"));
}
if (rmd.isInitiator()) {
for (int i = 0; i < encryptedTokensIdList.size(); i++) {
encrParts
.add(new WSEncryptionPart((String) encryptedTokensIdList.get(i), "Element"));
}
}
Element refList = null;
if (encrParts.size() > 0) {
// The sec conv token can be used without derived keys
if (encrToken.isDerivedKeys()) {
try {
WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();
// Check whether it is security policy 1.2 and use the secure conversation
// accordingly
if (SPConstants.SP_V12 == encrToken.getVersion()) {
dkEncr.setWscVersion(ConversationConstants.VERSION_05_12);
}
if (encrTokElem != null && encrTok.getAttachedReference() != null) {
dkEncr.setExternalKey(encrTok.getSecret(), (Element) doc.importNode(
(Element) encrTok.getAttachedReference(), true));
} else if (encrTok.getUnattachedReference() != null) {
dkEncr.setExternalKey(encrTok.getSecret(), (Element) doc.importNode(
(Element) encrTok.getUnattachedReference(), true));
} else if (!rmd.isInitiator() && encrToken.isDerivedKeys()) {
// If the Encrypted key used to create the derived key is not
// attached use key identifier as defined in WSS1.1 section
// 7.7 Encrypted Key reference
SecurityTokenReference tokenRef = new SecurityTokenReference(doc);
if (encrTok instanceof EncryptedKeyToken) {
tokenRef.setKeyIdentifierEncKeySHA1(((EncryptedKeyToken) encrTok)
.getSHA1());
}
dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement());
} else {
dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId());
}
if (encrTok instanceof EncryptedKeyToken) {
dkEncr.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
+ WSConstants.ENC_KEY_VALUE_TYPE);
}
dkEncr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
dkEncr.setDerivedKeyLength(rpd.getAlgorithmSuite()
.getEncryptionDerivedKeyLength() / 8);
dkEncr.prepare(doc);
Element encrDKTokenElem = null;
encrDKTokenElem = dkEncr.getdktElement();
if (encrTokElem != null) {
RampartUtil.insertSiblingAfter(rmd, encrTokElem, encrDKTokenElem);
} else if (timestampElement != null) {
RampartUtil.insertSiblingAfter(rmd, this.timestampElement, encrDKTokenElem);
} else {
RampartUtil.insertSiblingBefore(rmd, this.getInsertionLocation(),
encrDKTokenElem);
}
refList = dkEncr.encryptForExternalRef(null, encrParts);
RampartUtil.insertSiblingAfter(rmd, encrDKTokenElem, refList);
} catch (WSSecurityException e) {
throw new RampartException("errorInDKEncr");
} catch (ConversationException e) {
throw new RampartException("errorInDKEncr");
}
} else {
try {
WSSecEncrypt encr = new WSSecEncrypt();
encr.setWsConfig(rmd.getConfig());
// Hack to handle reference id issues
// TODO Need a better fix
if (encrTokId.startsWith("#")) {
encrTokId = encrTokId.substring(1);
}
encr.setEncKeyId(encrTokId);
if (krbToken == null) {
encr.setEphemeralKey(encrTok.getSecret());
RampartUtil.setEncryptionUser(rmd, encr);
encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
} else {
if (encrTok != null) {
byte[] secret = encrTok.getSecret();
int factor = 0;
if (rmd.getPolicyData().getRampartConfig() != null) {
KerberosConfig config = null;
String fac = null;
config = rmd.getPolicyData().getRampartConfig().getKerberosConfig();
if ((fac = config.getProp().getProperty(
KerberosConfig.KDC_DES_AES_FACTOR)) != null) {
try {
factor = Integer.parseInt(fac);
} catch (Exception e) {
factor = 0;
}
}
}
if (factor > 1) {
byte[] newSecret = new byte[secret.length * 4];
int j = 0;
for (int i = 0; i < newSecret.length; i++) {
newSecret[i] = secret[j++];
if (j == secret.length)
j = 0;
}
encr.setEphemeralKey(newSecret);
encrTok.setSecret(newSecret);
} else {
encr.setEphemeralKey(secret);
encrTok.setSecret(secret);
}
((EncryptedKeyToken) encrTok).setSHA1(krbToken.getKrbSession()
.getThumbPrintEncoded());
try {
rmd.getTokenStorage().add(sigTok);
} catch (TrustException e) {
throw new RampartException("errorAddingKerbTokenToStore");