private void doSignBeforeEncrypt() { TokenWrapper sigTokenWrapper = getSignatureToken(); Token sigToken = sigTokenWrapper.getToken(); String sigTokId = null; Element sigTokElem = null; try { SecurityToken sigTok = null; if (sigToken != null) { if (sigToken instanceof SecureConversationToken || sigToken instanceof SecurityContextToken || sigToken instanceof IssuedToken || sigToken instanceof KerberosToken || sigToken instanceof SpnegoContextToken) { sigTok = getSecurityToken(); } else if (sigToken instanceof X509Token) { if (isRequestor()) { sigTokId = setupEncryptedKey(sigTokenWrapper, sigToken); } else { sigTokId = getEncryptedKey(); } } else if (sigToken instanceof UsernameToken) { if (isRequestor()) { sigTokId = setupUTDerivedKey((UsernameToken) sigToken); } else { sigTokId = getUTDerivedKey(); } } } else { policyNotAsserted(sbinding, "No signature token"); return; } if (sigTok == null && StringUtils.isEmpty(sigTokId)) { policyNotAsserted(sigTokenWrapper, "No signature token id"); return; } else { policyAsserted(sigTokenWrapper); } if (sigTok == null) { sigTok = tokenStore.getToken(sigTokId); } // if (sigTok == null) { // REVISIT - no token? // } boolean tokIncluded = true; if (includeToken(sigToken.getInclusion())) { Element el = sigTok.getToken(); sigTokElem = cloneElement(el); this.addEncryptedKeyElement(sigTokElem); } else if (isRequestor() && sigToken instanceof X509Token) { Element el = sigTok.getToken(); sigTokElem = cloneElement(el); this.addEncryptedKeyElement(sigTokElem); } else { tokIncluded = false; } // Add timestamp List<WSEncryptionPart> sigs = getSignedParts(); if (timestampEl != null) { WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement()); sigs.add(timestampPart); } if (isRequestor()) { addSupportingTokens(sigs); if (!sigs.isEmpty()) { signatures.add(doSignature(sigs, sigTokenWrapper, sigToken, sigTok, tokIncluded)); } doEndorse(); } else { // confirm sig assertSupportingTokens(sigs); addSignatureConfirmation(sigs); if (!sigs.isEmpty()) { doSignature(sigs, sigTokenWrapper, sigToken, sigTok, tokIncluded); } } // Encryption TokenWrapper encrTokenWrapper = getEncryptionToken(); Token encrToken = encrTokenWrapper.getToken(); SecurityToken encrTok = null; if (sigToken.equals(encrToken)) { // Use the same token encrTok = sigTok; } else { policyNotAsserted(sbinding, "Encryption token does not equal signature token"); return; } List<WSEncryptionPart> enc = getEncryptedParts(); // Check for signature protection if (sbinding.isSignatureProtection()) { if (mainSigId != null) { WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element"); sigPart.setElement(bottomUpElement); enc.add(sigPart); } if (sigConfList != null && !sigConfList.isEmpty()) { enc.addAll(sigConfList); } } if (isRequestor()) { enc.addAll(encryptedTokensList); } doEncryption(encrTokenWrapper, encrTok, tokIncluded, enc, false); } catch (Exception e) { throw new Fault(e); } }
private void doEncryptBeforeSign() { try { TokenWrapper encryptionWrapper = getEncryptionToken(); Token encryptionToken = encryptionWrapper.getToken(); List<WSEncryptionPart> encrParts = getEncryptedParts(); List<WSEncryptionPart> sigParts = getSignedParts(); // if (encryptionToken == null && encrParts.size() > 0) { // REVISIT - nothing to encrypt? // } if (encryptionToken != null && encrParts.size() > 0) { // The encryption token can be an IssuedToken or a // SecureConversationToken String tokenId = null; SecurityToken tok = null; if (encryptionToken instanceof IssuedToken || encryptionToken instanceof KerberosToken || encryptionToken instanceof SecureConversationToken || encryptionToken instanceof SecurityContextToken || encryptionToken instanceof SpnegoContextToken) { tok = getSecurityToken(); } else if (encryptionToken instanceof X509Token) { if (isRequestor()) { tokenId = setupEncryptedKey(encryptionWrapper, encryptionToken); } else { tokenId = getEncryptedKey(); } } else if (encryptionToken instanceof UsernameToken) { if (isRequestor()) { tokenId = setupUTDerivedKey((UsernameToken) encryptionToken); } else { tokenId = getUTDerivedKey(); } } if (tok == null) { // if (tokenId == null || tokenId.length() == 0) { // REVISIT - no tokenId? Exception? // } if (tokenId != null && tokenId.startsWith("#")) { tokenId = tokenId.substring(1); } /* * Get hold of the token from the token storage */ tok = tokenStore.getToken(tokenId); } boolean attached = false; if (includeToken(encryptionToken.getInclusion())) { Element el = tok.getToken(); this.addEncryptedKeyElement(cloneElement(el)); attached = true; } else if (encryptionToken instanceof X509Token && isRequestor()) { Element el = tok.getToken(); this.addEncryptedKeyElement(cloneElement(el)); attached = true; } WSSecBase encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true); handleEncryptedSignedHeaders(encrParts, sigParts); if (timestampEl != null) { WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement()); sigParts.add(timestampPart); } if (isRequestor()) { this.addSupportingTokens(sigParts); } else { addSignatureConfirmation(sigParts); } // Sign the message // We should use the same key in the case of EncryptBeforeSig if (sigParts.size() > 0) { signatures.add( this.doSignature(sigParts, encryptionWrapper, encryptionToken, tok, attached)); } if (isRequestor()) { this.doEndorse(); } // Check for signature protection and encryption of UsernameToken if (sbinding.isSignatureProtection() || encryptedTokensList.size() > 0 && isRequestor()) { List<WSEncryptionPart> secondEncrParts = new ArrayList<WSEncryptionPart>(); // Now encrypt the signature using the above token if (sbinding.isSignatureProtection()) { if (this.mainSigId != null) { WSEncryptionPart sigPart = new WSEncryptionPart(this.mainSigId, "Element"); sigPart.setElement(bottomUpElement); secondEncrParts.add(sigPart); } if (sigConfList != null && !sigConfList.isEmpty()) { secondEncrParts.addAll(sigConfList); } } if (isRequestor()) { secondEncrParts.addAll(encryptedTokensList); } Element secondRefList = null; if (encryptionToken.isDerivedKeys() && !secondEncrParts.isEmpty()) { secondRefList = ((WSSecDKEncrypt) encr).encryptForExternalRef(null, secondEncrParts); this.addDerivedKeyElement(secondRefList); } else if (!secondEncrParts.isEmpty()) { // Encrypt, get hold of the ref list and add it secondRefList = ((WSSecEncrypt) encr).encryptForRef(null, encrParts); this.addDerivedKeyElement(secondRefList); } } } } catch (RuntimeException ex) { throw ex; } catch (Exception ex) { throw new Fault(ex); } }