WSSecurityTokenConstants.KeyIdentifier keyIdentifier,
WSSConstants.DerivedKeyTokenReference derivedKeyTokenReference,
boolean useSingleCertificate)
throws XMLStreamException, XMLSecurityException {
SecurityToken wrappingToken = securityToken.getKeyWrappingToken();
List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(2);
attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, IDGenerator.generateID(null)));
if (WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(keyIdentifier) && !useSingleCertificate) {
attributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_X509PKIPathv1));
} else if (derivedKeyTokenReference == WSSConstants.DerivedKeyTokenReference.EncryptedKey
|| WSSecurityTokenConstants.KeyIdentifier_EncryptedKeySha1Identifier.equals(keyIdentifier)) {
attributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_WSS_ENC_KEY_VALUE_TYPE));
} else if (WSSecurityTokenConstants.KerberosToken.equals(wrappingToken.getTokenType())) {
attributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_GSS_Kerberos5_AP_REQ));
}
createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference, false, attributes);
X509Certificate[] x509Certificates = wrappingToken.getX509Certificates();
String tokenId = wrappingToken.getId();
if (derivedKeyTokenReference == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
String valueType = WSSConstants.NS_WSS_ENC_KEY_VALUE_TYPE;
WSSUtils.createBSTReferenceStructure(this, outputProcessorChain, tokenId, valueType, true);
} else if (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier)) {
WSSUtils.createX509IssuerSerialStructure(this, outputProcessorChain, x509Certificates);
} else if (WSSecurityTokenConstants.KeyIdentifier_SkiKeyIdentifier.equals(keyIdentifier)) {
WSSUtils.createX509SubjectKeyIdentifierStructure(this, outputProcessorChain, x509Certificates);
} else if (WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier.equals(keyIdentifier)) {
WSSUtils.createX509KeyIdentifierStructure(this, outputProcessorChain, x509Certificates);
} else if (WSSecurityTokenConstants.KeyIdentifier_KerberosSha1Identifier.equals(keyIdentifier)) {
String identifier = wrappingToken.getSha1Identifier();
WSSUtils.createKerberosSha1IdentifierStructure(this, outputProcessorChain, identifier);
} else if (WSSecurityTokenConstants.KeyIdentifier_ThumbprintIdentifier.equals(keyIdentifier)) {
WSSUtils.createThumbprintKeyIdentifierStructure(this, outputProcessorChain, x509Certificates);
} else if (WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(keyIdentifier)) {
String valueType;
if (WSSecurityTokenConstants.KerberosToken.equals(wrappingToken.getTokenType())) {
valueType = WSSConstants.NS_GSS_Kerberos5_AP_REQ;
} else if (WSSecurityTokenConstants.SpnegoContextToken.equals(wrappingToken.getTokenType())
|| WSSecurityTokenConstants.SecurityContextToken.equals(wrappingToken.getTokenType())
|| WSSecurityTokenConstants.SecureConversationToken.equals(wrappingToken.getTokenType())) {
boolean use200512Namespace = ((WSSSecurityProperties)getSecurityProperties()).isUse200512Namespace();
if (use200512Namespace) {
valueType = WSSConstants.NS_WSC_05_12 + "/sct";
} else {
valueType = WSSConstants.NS_WSC_05_02 + "/sct";