sig.addResourceResolver(EnvelopeIdResolver.getInstance());
X509Certificate[] certs = null;
KeyInfo info = sig.getKeyInfo();
byte[] secretKey = null;
UsernameToken ut = null;
DerivedKeyToken dkt = null;
if (info != null) {
Node node = WSSecurityUtil.getDirectChild(info.getElement(),
SecurityTokenReference.SECURITY_TOKEN_REFERENCE,
WSConstants.WSSE_NS);
if (node == null) {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY,
"unsupportedKeyInfo");
}
SecurityTokenReference secRef = new SecurityTokenReference((Element) node);
int docHash = elem.getOwnerDocument().hashCode();
/*
* Her we get some information about the document that is being
* processed, in partucular the crypto implementation, and already
* detected BST that may be used later during dereferencing.
*/
WSDocInfo wsDocInfo = WSDocInfoStore.lookup(docHash);
if (secRef.containsReference()) {
Element token = secRef.getTokenElement(elem.getOwnerDocument(),
wsDocInfo);
/*
* at this point check token type: UsernameToken, Binary, SAML
* Crypto required only for Binary and SAML
*/
QName el = new QName(token.getNamespaceURI(), token
.getLocalName());
if (el.equals(WSSecurityEngine.usernameToken)) {
ut = new UsernameToken(token);
secretKey = ut.getSecretKey();
} else if(el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_02) ||
el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_12)) {
dkt = new DerivedKeyToken(token);
String id = dkt.getID();
DerivedKeyTokenProcessor dktProcessor = (DerivedKeyTokenProcessor) wsDocInfo
.getProcessor(id);
String signatureMethodURI = sig.getSignedInfo().getSignatureMethodURI();
int keyLength = (dkt.getLength() > 0) ? dkt.getLength() :
WSSecurityUtil.getKeyLength(signatureMethodURI);
secretKey = dktProcessor.getKeyBytes(keyLength);
} else {
if (crypto == null) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"noSigCryptoFile");
}
if (el.equals(WSSecurityEngine.binaryToken)) {
certs = getCertificatesTokenReference((Element) token,
crypto);
} else if (el.equals(WSSecurityEngine.SAML_TOKEN)) {
certs = SAMLUtil.getCertificatesFromSAML((Element) token);
} else {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY,
"unsupportedKeyInfo", new Object[]{el
.toString()});
}
}
} else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
certs = secRef.getX509IssuerSerial(crypto);
} else if (secRef.containsKeyIdentifier()) {
certs = secRef.getKeyIdentifier(crypto);
} else {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY,
"unsupportedKeyInfo", new Object[]{node.toString()});
}
} else {
if (crypto == null) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"noSigCryptoFile");
}
if (crypto.getDefaultX509Alias() != null) {
certs = crypto.getCertificates(crypto.getDefaultX509Alias());
} else {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY,
"unsupportedKeyInfo");
}
}
if (tlog.isDebugEnabled()) {
t1 = System.currentTimeMillis();
}
if ((certs == null || certs.length == 0 || certs[0] == null) && secretKey == null) {
throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
}
if (certs != null) {
try {
certs[0].checkValidity();
} catch (CertificateExpiredException e) {
throw new WSSecurityException(WSSecurityException.FAILED_CHECK,
"invalidCert");
} catch (CertificateNotYetValidException e) {
throw new WSSecurityException(WSSecurityException.FAILED_CHECK,
"invalidCert");
}
}
try {
boolean signatureOk = false;
if (certs != null) {
signatureOk = sig.checkSignatureValue(certs[0]);
} else {
signatureOk = sig.checkSignatureValue(sig
.createSecretKey(secretKey));
}
if (signatureOk) {
if (tlog.isDebugEnabled()) {
t2 = System.currentTimeMillis();
tlog.debug("Verify: total= " + (t2 - t0)
+ ", prepare-cert= " + (t1 - t0) + ", verify= "
+ (t2 - t1));
}
signatureValue[0] = sig.getSignatureValue();
/*
* Now dig into the Signature element to get the elements that
* this Signature covers. Build the QName of these Elements and
* return them to caller
*/
SignedInfo si = sig.getSignedInfo();
int numReferences = si.getLength();
Vector qvec = new Vector(numReferences);
for (int i = 0; i < numReferences; i++) {
Reference siRef;
try {
siRef = si.item(i);
} catch (XMLSecurityException e3) {
throw new WSSecurityException(
WSSecurityException.FAILED_CHECK);
}
String uri = siRef.getURI();
Element se = WSSecurityUtil.getElementByWsuId(elem.getOwnerDocument(), uri);
if (se == null) {
se = WSSecurityUtil.getElementByGenId(elem
.getOwnerDocument(), uri);
}
if (se == null) {
throw new WSSecurityException(
WSSecurityException.FAILED_CHECK);
}
returnElements.add(WSSecurityUtil.getIDfromReference(uri));
}
if (certs != null) {
returnCert[0] = certs[0];
return certs[0].getSubjectDN();
} else if(ut != null){
WSUsernameTokenPrincipal principal = new WSUsernameTokenPrincipal(
ut.getName(), ut.isHashed());
principal.setNonce(ut.getNonce());
principal.setPassword(ut.getPassword());
principal.setCreatedTime(ut.getCreated());
return principal;
} else if (dkt != null) {
WSDerivedKeyTokenPrincipal principal = new WSDerivedKeyTokenPrincipal(dkt.getID());
principal.setNonce(dkt.getNonce());
principal.setLabel(dkt.getLabel());