}
SecurityTokenProvider<OutboundSecurityToken> wrappingSecurityTokenProvider = outputProcessorChain.getSecurityContext().getSecurityTokenProvider(tokenId);
if (wrappingSecurityTokenProvider == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
}
final OutboundSecurityToken wrappingSecurityToken = wrappingSecurityTokenProvider.getSecurityToken();
if (wrappingSecurityToken == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
}
final String wsuIdDKT = IDGenerator.generateID(null);
int offset = 0;
int length = 0;
XMLSecurityConstants.Action action = getAction();
if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
if (((WSSSecurityProperties)getSecurityProperties()).getDerivedSignatureKeyLength() > 0) {
length = ((WSSSecurityProperties)getSecurityProperties()).getDerivedSignatureKeyLength();
} else {
length = JCEAlgorithmMapper.getKeyLengthFromURI(getSecurityProperties().getSignatureAlgorithm()) / 8;
}
} else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
if (((WSSSecurityProperties)getSecurityProperties()).getDerivedEncryptionKeyLength() > 0) {
length = ((WSSSecurityProperties)getSecurityProperties()).getDerivedEncryptionKeyLength();
} else {
length = JCEAlgorithmMapper.getKeyLengthFromURI(getSecurityProperties().getEncryptionSymAlgorithm()) / 8;
}
}
byte[] label;
try {
String defaultLabel = WSSConstants.WS_SecureConversation_DEFAULT_LABEL + WSSConstants.WS_SecureConversation_DEFAULT_LABEL;
label = defaultLabel.getBytes("UTF-8");
} catch (UnsupportedEncodingException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", "UTF-8 encoding is not supported", e);
}
byte[] nonce = new byte[16];
WSSConstants.secureRandom.nextBytes(nonce);
byte[] seed = new byte[label.length + nonce.length];
System.arraycopy(label, 0, seed, 0, label.length);
System.arraycopy(nonce, 0, seed, label.length, nonce.length);
DerivationAlgorithm derivationAlgorithm;
try {
derivationAlgorithm = AlgoFactory.getInstance(WSSConstants.P_SHA_1);
} catch (ConversationException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
}
final byte[] derivedKeyBytes;
try {
byte[] secret;
if (WSSecurityTokenConstants.SecurityContextToken.equals(wrappingSecurityToken.getTokenType())) {
WSPasswordCallback passwordCallback = new WSPasswordCallback(wsuIdDKT, WSPasswordCallback.Usage.SECRET_KEY);
WSSUtils.doSecretKeyCallback(((WSSSecurityProperties)securityProperties).getCallbackHandler(), passwordCallback, wsuIdDKT);
if (passwordCallback.getKey() == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKey", wsuIdDKT);
}
secret = passwordCallback.getKey();
} else {
secret = wrappingSecurityToken.getSecretKey("").getEncoded();
}
derivedKeyBytes = derivationAlgorithm.createKey(secret, seed, offset, length);
} catch (ConversationException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
}
final GenericOutboundSecurityToken derivedKeySecurityToken =
new GenericOutboundSecurityToken(wsuIdDKT, WSSecurityTokenConstants.DerivedKeyToken) {
@Override
public Key getSecretKey(String algorithmURI) throws WSSecurityException {
Key key = null;
try {
key = super.getSecretKey(algorithmURI);
} catch (XMLSecurityException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
}
if (key != null) {
return key;
}
String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
key = new SecretKeySpec(derivedKeyBytes, algoFamily);
setSecretKey(algorithmURI, key);
return key;
}
};
derivedKeySecurityToken.setKeyWrappingToken(wrappingSecurityToken);
wrappingSecurityToken.addWrappedToken(derivedKeySecurityToken);
SecurityTokenProvider<OutboundSecurityToken> derivedKeysecurityTokenProvider =
new SecurityTokenProvider<OutboundSecurityToken>() {
@Override
public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
return derivedKeySecurityToken;
}
@Override
public String getId() {
return wsuIdDKT;
}
};
if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, wsuIdDKT);
} else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, wsuIdDKT);
}
outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(wsuIdDKT, derivedKeysecurityTokenProvider);
FinalDerivedKeyTokenOutputProcessor finalDerivedKeyTokenOutputProcessor =
new FinalDerivedKeyTokenOutputProcessor(derivedKeySecurityToken, offset, length, new String(Base64.encodeBase64(nonce)),
((WSSSecurityProperties)getSecurityProperties()).isUse200512Namespace(),
wrappingSecurityToken.getSha1Identifier());
finalDerivedKeyTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
finalDerivedKeyTokenOutputProcessor.setAction(getAction());
if (wrappingSecurityToken.getProcessor() != null) {
finalDerivedKeyTokenOutputProcessor.addBeforeProcessor(wrappingSecurityToken.getProcessor());
} else {
finalDerivedKeyTokenOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
}
finalDerivedKeyTokenOutputProcessor.init(outputProcessorChain);
derivedKeySecurityToken.setProcessor(finalDerivedKeyTokenOutputProcessor);