X509Certificate[] certs = null;
KeyInfo info = sig.getKeyInfo();
byte[] secretKey = null;
UsernameToken ut = null;
DerivedKeyToken dkt = null;
SAMLKeyInfo samlKi = null;
String customTokenId = null;
java.security.PublicKey publicKey = null;
if (info != null && info.containsKeyValue()) {
try {
publicKey = info.getPublicKey();
} catch (Exception ex) {
throw new WSSecurityException(ex.getMessage(), ex);
}
} else if (info != null) {
Node node =
WSSecurityUtil.getDirectChild(
info.getElement(),
SecurityTokenReference.SECURITY_TOKEN_REFERENCE,
WSConstants.WSSE_NS
);
if (node == null) {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo"
);
}
SecurityTokenReference secRef = new SecurityTokenReference((Element) node);
int docHash = elem.getOwnerDocument().hashCode();
//
// Here we get some information about the document that is being
// processed, in particular the crypto implementation, and already
// detected BST that may be used later during dereferencing.
//
WSDocInfo wsDocInfo = WSDocInfoStore.lookup(docHash);
if (secRef.containsReference()) {
Element token = secRef.getTokenElement(elem.getOwnerDocument(), wsDocInfo, cb);
//
// at this point check token type: UsernameToken, Binary, SAML
// Crypto required only for Binary and SAML
//
QName el = new QName(token.getNamespaceURI(), token.getLocalName());
if (el.equals(WSSecurityEngine.usernameToken)) {
String id = token.getAttributeNS(WSConstants.WSU_NS, "Id");
UsernameTokenProcessor utProcessor =
(UsernameTokenProcessor) wsDocInfo.getProcessor(id);
ut = utProcessor.getUt();
if (ut.isDerivedKey()) {
secretKey = ut.getDerivedKey();
} else {
secretKey = ut.getSecretKey();
}
} else if (el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_02)
|| el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_12)) {
dkt = new DerivedKeyToken(token);
String id = dkt.getID();
DerivedKeyTokenProcessor dktProcessor =
(DerivedKeyTokenProcessor) wsDocInfo.getProcessor(id);
String signatureMethodURI = sig.getSignedInfo().getSignatureMethodURI();
int keyLength = (dkt.getLength() > 0) ? dkt.getLength() :
WSSecurityUtil.getKeyLength(signatureMethodURI);
secretKey = dktProcessor.getKeyBytes(keyLength);
} else {
if (el.equals(WSSecurityEngine.binaryToken)) {
// TODO: Use results from BinarySecurityTokenProcessor
certs = getCertificatesTokenReference(token, crypto);
} else if (el.equals(WSSecurityEngine.SAML_TOKEN)) {
if (crypto == null) {
throw new WSSecurityException(
WSSecurityException.FAILURE, "noSigCryptoFile"
);
}
samlKi = SAMLUtil.getSAMLKeyInfo(token, crypto, cb);
certs = samlKi.getCerts();
secretKey = samlKi.getSecret();
} else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)){
String encryptedKeyID = token.getAttributeNS(null,"Id");
EncryptedKeyProcessor encryptKeyProcessor =
(EncryptedKeyProcessor)wsDocInfo.getProcessor(encryptedKeyID);
if (encryptKeyProcessor == null ) {
if (crypto == null) {
throw new WSSecurityException(
WSSecurityException.FAILURE, "noSigCryptoFile"
);
}
encryptKeyProcessor = new EncryptedKeyProcessor();
encryptKeyProcessor.handleEncryptedKey((Element)token, cb, crypto);
}
secretKey = encryptKeyProcessor.getDecryptedBytes();
} else {
// Try custom token through callback handler
// try to find a custom token
String id = secRef.getReference().getURI();
if (id.charAt(0) == '#') {
id = id.substring(1);
}
WSPasswordCallback pwcb =
new WSPasswordCallback(id, WSPasswordCallback.CUSTOM_TOKEN);
try {
Callback[] callbacks = new Callback[]{pwcb};
cb.handle(callbacks);
} catch (Exception e) {
throw new WSSecurityException(
WSSecurityException.FAILURE,
"noPassword",
new Object[] {id},
e
);
}
secretKey = pwcb.getKey();
customTokenId = id;
if (secretKey == null) {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY,
"unsupportedKeyInfo",
new Object[]{el.toString()}
);
}
}
}
} else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
certs = secRef.getX509IssuerSerial(crypto);
} else if (secRef.containsKeyIdentifier()) {
if (secRef.getKeyIdentifierValueType().equals(SecurityTokenReference.ENC_KEY_SHA1_URI)) {
String id = secRef.getKeyIdentifierValue();
WSPasswordCallback pwcb =
new WSPasswordCallback(
id,
null,
SecurityTokenReference.ENC_KEY_SHA1_URI,
WSPasswordCallback.ENCRYPTED_KEY_TOKEN
);
try {
Callback[] callbacks = new Callback[]{pwcb};
cb.handle(callbacks);
} catch (Exception e) {
throw new WSSecurityException(
WSSecurityException.FAILURE,
"noPassword",
new Object[] {id},
e
);
}
secretKey = pwcb.getKey();
} else {
certs = secRef.getKeyIdentifier(crypto);
}
} else {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY,
"unsupportedKeyInfo",
new Object[]{node.toString()}
);
}
} else {
if (crypto == null) {
throw new WSSecurityException(WSSecurityException.FAILURE, "noSigCryptoFile");
}
if (crypto.getDefaultX509Alias() != null) {
certs = crypto.getCertificates(crypto.getDefaultX509Alias());
} else {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo"
);
}
}
if (tlog.isDebugEnabled()) {
t1 = System.currentTimeMillis();
}
if ((certs == null || certs.length == 0 || certs[0] == null)
&& secretKey == null
&& publicKey == null) {
throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
}
if (certs != null) {
try {
certs[0].checkValidity();
} catch (CertificateExpiredException e) {
throw new WSSecurityException(
WSSecurityException.FAILED_CHECK, "invalidCert", null, e
);
} catch (CertificateNotYetValidException e) {
throw new WSSecurityException(
WSSecurityException.FAILED_CHECK, "invalidCert", null, e
);
}
}
//
// Delegate verification of a public key to a Callback Handler
//
if (publicKey != null) {
PublicKeyCallback pwcb =
new PublicKeyCallback(publicKey);
try {
Callback[] callbacks = new Callback[]{pwcb};
cb.handle(callbacks);
if (!pwcb.isVerified()) {
throw new WSSecurityException(
WSSecurityException.FAILED_AUTHENTICATION, null, null, null
);
}
} catch (Exception e) {
throw new WSSecurityException(
WSSecurityException.FAILED_AUTHENTICATION, null, null, e
);
}
}
try {
boolean signatureOk = false;
if (certs != null) {
signatureOk = sig.checkSignatureValue(certs[0]);
} else if (publicKey != null) {
signatureOk = sig.checkSignatureValue(publicKey);
} else {
signatureOk = sig.checkSignatureValue(sig.createSecretKey(secretKey));
}
if (signatureOk) {
if (tlog.isDebugEnabled()) {
t2 = System.currentTimeMillis();
tlog.debug(
"Verify: total= " + (t2 - t0) + ", prepare-cert= " + (t1 - t0)
+ ", verify= " + (t2 - t1)
);
}
signatureValue[0] = sig.getSignatureValue();
//
// Now dig into the Signature element to get the elements that
// this Signature covers. Build the QName of these Elements and
// return them to caller
//
SignedInfo si = sig.getSignedInfo();
int numReferences = si.getLength();
for (int i = 0; i < numReferences; i++) {
Reference siRef;
try {
siRef = si.item(i);
} catch (XMLSecurityException e3) {
throw new WSSecurityException(
WSSecurityException.FAILED_CHECK, null, null, e3
);
}
String uri = siRef.getURI();
if (uri != null && !"".equals(uri)) {
Element se = WSSecurityUtil.getElementByWsuId(elem.getOwnerDocument(), uri);
if (se == null) {
se = WSSecurityUtil.getElementByGenId(elem.getOwnerDocument(), uri);
}
if (se == null) {
throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
}
WSDataRef ref = new WSDataRef(uri);
ref.setWsuId(uri);
ref.setName(new QName(se.getNamespaceURI(), se.getLocalName()));
protectedElements.add(ref);
returnElements.add(WSSecurityUtil.getIDFromReference(uri));
} else {
// This is the case where the signed element is identified
// by a transform such as XPath filtering
// We add the complete reference element to the return
// elements
returnElements.add(siRef);
}
}
if (certs != null) {
returnCert[0] = certs[0];
return certs[0].getSubjectDN();
} else if (publicKey != null) {
return new PublicKeyPrincipal(publicKey);
} else if (ut != null) {
WSUsernameTokenPrincipal principal =
new WSUsernameTokenPrincipal(ut.getName(), ut.isHashed());
principal.setNonce(ut.getNonce());
principal.setPassword(ut.getPassword());
principal.setCreatedTime(ut.getCreated());
return principal;
} else if (dkt != null) {
WSDerivedKeyTokenPrincipal principal = new WSDerivedKeyTokenPrincipal(dkt.getID());
principal.setNonce(dkt.getNonce());
principal.setLabel(dkt.getLabel());
principal.setLength(dkt.getLength());
principal.setOffset(dkt.getOffset());
String basetokenId = null;
SecurityTokenReference securityTokenReference = dkt.getSecurityTokenReference();
if (securityTokenReference.containsReference()) {
basetokenId = securityTokenReference.getReference().getURI();
if (basetokenId.charAt(0) == '#') {
basetokenId = basetokenId.substring(1);
}
} else {
// KeyIdentifier
basetokenId = securityTokenReference.getKeyIdentifierValue();
}
principal.setBasetokenId(basetokenId);
return principal;
} else if (samlKi != null) {
final SAMLAssertion assertion = samlKi.getAssertion();
CustomTokenPrincipal principal = new CustomTokenPrincipal(assertion.getId());
principal.setTokenObject(assertion);
return principal;
} else if (secretKey != null) {
// This is the custom key scenario