throw new WSSPolicyException("Expected a X509TokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
}
X509Token x509Token = (X509Token) abstractToken;
SecurityToken securityToken = tokenSecurityEvent.getSecurityToken();
WSSecurityTokenConstants.TokenType tokenType = securityToken.getTokenType();
if (!(WSSecurityTokenConstants.X509V3Token.equals(tokenType)
|| WSSecurityTokenConstants.X509V1Token.equals(tokenType)
|| WSSecurityTokenConstants.X509Pkcs7Token.equals(tokenType)
|| WSSecurityTokenConstants.X509PkiPathV1Token.equals(tokenType))) {
throw new WSSPolicyException("Invalid Token for this assertion");
}
try {
X509Certificate x509Certificate = securityToken.getX509Certificates()[0];
if (x509Token.getIssuerName() != null) {
final String certificateIssuerName = x509Certificate.getIssuerX500Principal().getName();
if (!x509Token.getIssuerName().equals(certificateIssuerName)) {
setErrorMessage("IssuerName in Policy (" + x509Token.getIssuerName() +
") didn't match with the one in the certificate (" + certificateIssuerName + ")");
return false;
}
}
if (x509Token.isRequireKeyIdentifierReference() &&
!(WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier.equals(securityToken.getKeyIdentifier())
|| WSSecurityTokenConstants.KeyIdentifier_SkiKeyIdentifier.equals(securityToken.getKeyIdentifier()))) {
setErrorMessage("Policy enforces KeyIdentifierReference but we got " + securityToken.getKeyIdentifier());
return false;
} else if (x509Token.isRequireIssuerSerialReference() &&
!WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(securityToken.getKeyIdentifier())) {
setErrorMessage("Policy enforces IssuerSerialReference but we got " + securityToken.getKeyIdentifier());
return false;
} else if (x509Token.isRequireEmbeddedTokenReference() &&
!WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(securityToken.getKeyIdentifier())) {
setErrorMessage("Policy enforces EmbeddedTokenReference but we got " + securityToken.getKeyIdentifier());
return false;
} else if (x509Token.isRequireThumbprintReference() &&
!WSSecurityTokenConstants.KeyIdentifier_ThumbprintIdentifier.equals(securityToken.getKeyIdentifier())) {
setErrorMessage("Policy enforces ThumbprintReference but we got " + securityToken.getKeyIdentifier());
return false;
}
if (x509Certificate.getVersion() == 2) {
setErrorMessage("X509Certificate Version " + x509Certificate.getVersion() + " not supported");
return false;
}
if (x509Token.getTokenType() != null) {
switch (x509Token.getTokenType()) {
case WssX509V3Token10:
case WssX509V3Token11:
if (!WSSecurityTokenConstants.X509V3Token.equals(securityToken.getTokenType()) ||
x509Certificate.getVersion() != 3) {
setErrorMessage("X509Certificate Version " + x509Certificate.getVersion() +
" mismatch; Policy enforces " + x509Token.getTokenType());
return false;
}
break;
case WssX509V1Token11:
if (!WSSecurityTokenConstants.X509V1Token.equals(securityToken.getTokenType()) ||
x509Certificate.getVersion() != 1) {
setErrorMessage("X509Certificate Version " + x509Certificate.getVersion() +
" mismatch; Policy enforces " + x509Token.getTokenType());
return false;
}
break;
case WssX509PkiPathV1Token10:
case WssX509PkiPathV1Token11:
if (!WSSecurityTokenConstants.X509PkiPathV1Token.equals(securityToken.getTokenType())) {
setErrorMessage("Policy enforces " + x509Token.getTokenType() +
" but we got " + securityToken.getTokenType());
return false;
}
break;
case WssX509Pkcs7Token10:
case WssX509Pkcs7Token11:
setErrorMessage("Unsupported token type: " + securityToken.getTokenType());
return false;
}
}
} catch (XMLSecurityException e) {
setErrorMessage(e.getMessage());