public SymmetricBindingHandler( WSSConfig config, SymmetricBinding binding, SOAPMessage saaj, WSSecHeader secHeader, AssertionInfoMap aim, SoapMessage message) { super(config, binding, saaj, secHeader, aim, message); this.sbinding = binding; tokenStore = getTokenStore(); protectionOrder = binding.getProtectionOrder(); }
public void handleBinding() { WSSecTimestamp timestamp = createTimestamp(); handleLayout(timestamp); if (isRequestor()) { // Setup required tokens initializeTokens(); } if (sbinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) { doEncryptBeforeSign(); } else { doSignBeforeEncrypt(); } // REVIST - what to do with these policies? policyAsserted(SP11Constants.TRUST_10); policyAsserted(SP12Constants.TRUST_13); }
private void processAlternatives( List assertions, SymmetricBinding symmetricBinding, SPConstants consts) { Assertion assertion; QName name; for (Iterator iterator = assertions.iterator(); iterator.hasNext(); ) { assertion = (Assertion) iterator.next(); name = assertion.getName(); if (!consts.getNamespace().equals(name.getNamespaceURI()) && !SP12Constants.INSTANCE.getNamespace().equals(name.getNamespaceURI())) { continue; } if (SPConstants.ALGO_SUITE.equals(name.getLocalPart())) { symmetricBinding.setAlgorithmSuite((AlgorithmSuite) assertion); } else if (SPConstants.LAYOUT.equals(name.getLocalPart())) { symmetricBinding.setLayout((Layout) assertion); } else if (SPConstants.INCLUDE_TIMESTAMP.equals(name.getLocalPart())) { symmetricBinding.setIncludeTimestamp(true); } else if (SPConstants.PROTECTION_TOKEN.equals(name.getLocalPart())) { symmetricBinding.setProtectionToken((ProtectionToken) assertion); } else if (SPConstants.ENCRYPT_BEFORE_SIGNING.equals(name.getLocalPart())) { symmetricBinding.setProtectionOrder(SPConstants.ProtectionOrder.EncryptBeforeSigning); } else if (SPConstants.SIGN_BEFORE_ENCRYPTING.equals(name.getLocalPart())) { symmetricBinding.setProtectionOrder(SPConstants.ProtectionOrder.SignBeforeEncrypting); } else if (SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY.equals(name.getLocalPart())) { symmetricBinding.setEntireHeadersAndBodySignatures(true); } else if (SPConstants.ENCRYPT_SIGNATURE.equals(name.getLocalPart())) { symmetricBinding.setSignatureProtection(true); } } }
private TokenWrapper getEncryptionToken() { if (sbinding.getProtectionToken() != null) { return sbinding.getProtectionToken(); } return sbinding.getEncryptionToken(); }
private byte[] doSignature( List<WSEncryptionPart> sigs, TokenWrapper policyTokenWrapper, Token policyToken, SecurityToken tok, boolean included) throws WSSecurityException { if (policyToken.isDerivedKeys()) { return doSignatureDK(sigs, policyTokenWrapper, policyToken, tok, included); } else { WSSecSignature sig = new WSSecSignature(wssConfig); sig.setWsConfig(wssConfig); // If a EncryptedKeyToken is used, set the correct value type to // be used in the wsse:Reference in ds:KeyInfo int type = included ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT; if (policyToken instanceof X509Token) { if (isRequestor()) { sig.setCustomTokenValueType( WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.ENC_KEY_VALUE_TYPE); sig.setKeyIdentifierType(type); } else { // the tok has to be an EncryptedKey token sig.setEncrKeySha1value(tok.getSHA1()); sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER); } } else if (policyToken instanceof UsernameToken) { sig.setCustomTokenValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); sig.setKeyIdentifierType(type); } else { // Setting the AttachedReference or the UnattachedReference according to the flag Element ref; if (included) { ref = tok.getAttachedReference(); } else { ref = tok.getUnattachedReference(); } if (ref != null) { SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), false); sig.setSecurityTokenReference(secRef); sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); } else { String tokenType = tok.getTokenType(); if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML_NS.equals(tokenType)) { sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE); sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML2_NS.equals(tokenType)) { sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE); sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); } else { sig.setCustomTokenValueType(tokenType); sig.setKeyIdentifierType(type); } } } String sigTokId; if (included) { sigTokId = tok.getWsuId(); if (sigTokId == null) { if (policyToken instanceof SecureConversationToken || policyToken instanceof SecurityContextToken) { sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT); } sigTokId = tok.getId(); } if (sigTokId.startsWith("#")) { sigTokId = sigTokId.substring(1); } } else { sigTokId = tok.getId(); } if (included && sbinding.isTokenProtection()) { sigs.add(new WSEncryptionPart(sigTokId)); } sig.setCustomTokenId(sigTokId); sig.setSecretKey(tok.getSecret()); sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature()); Crypto crypto = null; if (sbinding.getProtectionToken() != null) { crypto = getEncryptionCrypto(sbinding.getProtectionToken()); } else { crypto = getSignatureCrypto(policyTokenWrapper); } this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto); sig.prepare(saaj.getSOAPPart(), crypto, secHeader); sig.setParts(sigs); List<Reference> referenceList = sig.addReferencesToSign(sigs, secHeader); // Do signature if (bottomUpElement == null) { sig.computeSignature(referenceList, false, null); } else { sig.computeSignature(referenceList, true, bottomUpElement); } bottomUpElement = sig.getSignatureElement(); this.mainSigId = sig.getId(); return sig.getSignatureValue(); } }
private byte[] doSignatureDK( List<WSEncryptionPart> sigs, TokenWrapper policyTokenWrapper, Token policyToken, SecurityToken tok, boolean included) throws WSSecurityException { Document doc = saaj.getSOAPPart(); WSSecDKSign dkSign = new WSSecDKSign(wssConfig); if (policyTokenWrapper.getToken().getSPConstants() == SP12Constants.INSTANCE) { dkSign.setWscVersion(ConversationConstants.VERSION_05_12); } // Check for whether the token is attached in the message or not boolean attached = false; if (includeToken(policyToken.getInclusion())) { attached = true; } // Setting the AttachedReference or the UnattachedReference according to the flag Element ref; if (attached) { ref = tok.getAttachedReference(); } else { ref = tok.getUnattachedReference(); } if (ref != null) { dkSign.setExternalKey(tok.getSecret(), cloneElement(ref)); } else if (!isRequestor() && policyToken.isDerivedKeys() && tok.getSHA1() != null) { // If the Encrypted key used to create the derived key is not // attached use key identifier as defined in WSS1.1 section // 7.7 Encrypted Key reference SecurityTokenReference tokenRef = new SecurityTokenReference(doc); if (tok.getSHA1() != null) { tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1()); String tokenType = tok.getTokenType(); if (tokenType == null) { tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE; } tokenRef.addTokenType(tokenType); } dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement()); } else { if ((!attached && !isRequestor()) || policyToken instanceof SecureConversationToken || policyToken instanceof SecurityContextToken) { dkSign.setTokenIdDirectId(true); } dkSign.setExternalKey(tok.getSecret(), tok.getId()); } // Set the algo info dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature()); dkSign.setDerivedKeyLength(sbinding.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8); if (tok.getSHA1() != null) { // Set the value type of the reference String tokenType = tok.getTokenType(); if (tokenType == null) { tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE; } dkSign.setCustomValueType(tokenType); } else { String tokenType = tok.getTokenType(); if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML_NS.equals(tokenType)) { dkSign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); dkSign.setCustomValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE); } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML2_NS.equals(tokenType)) { dkSign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); dkSign.setCustomValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE); } else if (policyToken instanceof UsernameToken) { dkSign.setCustomValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); } else { dkSign.setCustomValueType(tokenType); } } try { dkSign.prepare(doc, secHeader); } catch (ConversationException e) { throw new WSSecurityException(e.getMessage(), e); } if (sbinding.isTokenProtection()) { String sigTokId = tok.getId(); if (included) { sigTokId = tok.getWsuId(); if (sigTokId == null) { sigTokId = tok.getId(); } if (sigTokId.startsWith("#")) { sigTokId = sigTokId.substring(1); } } sigs.add(new WSEncryptionPart(sigTokId)); } dkSign.setParts(sigs); List<Reference> referenceList = dkSign.addReferencesToSign(sigs, secHeader); // Add elements to header Element el = dkSign.getdktElement(); addDerivedKeyElement(el); // Do signature if (bottomUpElement == null) { dkSign.computeSignature(referenceList, false, null); } else { dkSign.computeSignature(referenceList, true, bottomUpElement); } bottomUpElement = dkSign.getSignatureElement(); this.mainSigId = dkSign.getSignatureId(); return dkSign.getSignatureValue(); }
private WSSecBase doEncryption( TokenWrapper recToken, SecurityToken encrTok, boolean attached, List<WSEncryptionPart> encrParts, boolean atEnd) { // Do encryption if (recToken != null && recToken.getToken() != null && encrParts.size() > 0) { Token encrToken = recToken.getToken(); policyAsserted(recToken); policyAsserted(encrToken); AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite(); if (encrToken.isDerivedKeys()) { return doEncryptionDerived(recToken, encrTok, encrToken, attached, encrParts, atEnd); } else { try { WSSecEncrypt encr = new WSSecEncrypt(wssConfig); String encrTokId = encrTok.getId(); if (attached) { encrTokId = encrTok.getWsuId(); if (encrTokId == null && (encrToken instanceof SecureConversationToken || encrToken instanceof SecurityContextToken)) { encr.setEncKeyIdDirectId(true); encrTokId = encrTok.getId(); } else if (encrTokId == null) { encrTokId = encrTok.getId(); } if (encrTokId.startsWith("#")) { encrTokId = encrTokId.substring(1); } } else { encr.setEncKeyIdDirectId(true); } if (encrTok.getTokenType() != null) { encr.setCustomReferenceValue(encrTok.getTokenType()); } encr.setEncKeyId(encrTokId); encr.setEphemeralKey(encrTok.getSecret()); Crypto crypto = getEncryptionCrypto(recToken); if (crypto != null) { this.message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto); setEncryptionUser(encr, recToken, false, crypto); } encr.setDocument(saaj.getSOAPPart()); encr.setEncryptSymmKey(false); encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption()); if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken) { // Setting the AttachedReference or the UnattachedReference according to the flag Element ref; if (attached) { ref = encrTok.getAttachedReference(); } else { ref = encrTok.getUnattachedReference(); } String tokenType = encrTok.getTokenType(); if (ref != null) { SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), false); encr.setSecurityTokenReference(secRef); } else if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML_NS.equals(tokenType)) { encr.setCustomReferenceValue(WSConstants.WSS_SAML_KI_VALUE_TYPE); encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML2_NS.equals(tokenType)) { encr.setCustomReferenceValue(WSConstants.WSS_SAML2_KI_VALUE_TYPE); encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); } else { encr.setCustomReferenceValue(tokenType); encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); } } else if (encrToken instanceof UsernameToken) { encr.setCustomReferenceValue(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); } else if (!isRequestor()) { if (encrTok.getSHA1() != null) { encr.setCustomReferenceValue(encrTok.getSHA1()); encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER); } else { encr.setKeyIdentifierType(WSConstants.EMBED_SECURITY_TOKEN_REF); } } encr.prepare(saaj.getSOAPPart(), crypto); if (encr.getBSTTokenId() != null) { encr.prependBSTElementToHeader(secHeader); } Element refList = encr.encryptForRef(null, encrParts); if (atEnd) { this.insertBeforeBottomUp(refList); } else { this.addDerivedKeyElement(refList); } return encr; } catch (WSSecurityException e) { policyNotAsserted(recToken, e); } } } return null; }
private WSSecBase doEncryptionDerived( TokenWrapper recToken, SecurityToken encrTok, Token encrToken, boolean attached, List<WSEncryptionPart> encrParts, boolean atEnd) { try { WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(wssConfig); if (recToken.getToken().getSPConstants() == SP12Constants.INSTANCE) { dkEncr.setWscVersion(ConversationConstants.VERSION_05_12); } if (attached && encrTok.getAttachedReference() != null) { dkEncr.setExternalKey(encrTok.getSecret(), cloneElement(encrTok.getAttachedReference())); } else if (encrTok.getUnattachedReference() != null) { dkEncr.setExternalKey(encrTok.getSecret(), cloneElement(encrTok.getUnattachedReference())); } else if (!isRequestor() && encrTok.getSHA1() != null) { // If the Encrypted key used to create the derived key is not // attached use key identifier as defined in WSS1.1 section // 7.7 Encrypted Key reference SecurityTokenReference tokenRef = new SecurityTokenReference(saaj.getSOAPPart()); tokenRef.setKeyIdentifierEncKeySHA1(encrTok.getSHA1()); String tokenType = encrTok.getTokenType(); if (tokenType == null) { tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE; } tokenRef.addTokenType(tokenType); dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement()); } else { if (attached) { String id = encrTok.getWsuId(); if (id == null && (encrToken instanceof SecureConversationToken || encrToken instanceof SecurityContextToken)) { dkEncr.setTokenIdDirectId(true); id = encrTok.getId(); } else if (id == null) { id = encrTok.getId(); } if (id.startsWith("#")) { id = id.substring(1); } dkEncr.setExternalKey(encrTok.getSecret(), id); } else { dkEncr.setTokenIdDirectId(true); dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId()); } } if (encrTok.getSHA1() != null) { String tokenType = encrTok.getTokenType(); if (tokenType == null) { tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE; } dkEncr.setCustomValueType(tokenType); } else { String tokenType = encrTok.getTokenType(); if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML_NS.equals(tokenType)) { dkEncr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); dkEncr.setCustomValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE); } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML2_NS.equals(tokenType)) { dkEncr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); dkEncr.setCustomValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE); } else if (encrToken instanceof UsernameToken) { dkEncr.setCustomValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); } else { dkEncr.setCustomValueType(tokenType); } } dkEncr.setSymmetricEncAlgorithm(sbinding.getAlgorithmSuite().getEncryption()); dkEncr.setDerivedKeyLength(sbinding.getAlgorithmSuite().getEncryptionDerivedKeyLength() / 8); dkEncr.prepare(saaj.getSOAPPart()); Element encrDKTokenElem = null; encrDKTokenElem = dkEncr.getdktElement(); addDerivedKeyElement(encrDKTokenElem); Element refList = dkEncr.encryptForExternalRef(null, encrParts); if (atEnd) { this.insertBeforeBottomUp(refList); } else { this.addDerivedKeyElement(refList); } return dkEncr; } catch (Exception e) { policyNotAsserted(recToken, e); } return null; }
private void doSignBeforeEncrypt() { TokenWrapper sigTokenWrapper = getSignatureToken(); Token sigToken = sigTokenWrapper.getToken(); String sigTokId = null; Element sigTokElem = null; try { SecurityToken sigTok = null; if (sigToken != null) { if (sigToken instanceof SecureConversationToken || sigToken instanceof SecurityContextToken || sigToken instanceof IssuedToken || sigToken instanceof KerberosToken || sigToken instanceof SpnegoContextToken) { sigTok = getSecurityToken(); } else if (sigToken instanceof X509Token) { if (isRequestor()) { sigTokId = setupEncryptedKey(sigTokenWrapper, sigToken); } else { sigTokId = getEncryptedKey(); } } else if (sigToken instanceof UsernameToken) { if (isRequestor()) { sigTokId = setupUTDerivedKey((UsernameToken) sigToken); } else { sigTokId = getUTDerivedKey(); } } } else { policyNotAsserted(sbinding, "No signature token"); return; } if (sigTok == null && StringUtils.isEmpty(sigTokId)) { policyNotAsserted(sigTokenWrapper, "No signature token id"); return; } else { policyAsserted(sigTokenWrapper); } if (sigTok == null) { sigTok = tokenStore.getToken(sigTokId); } // if (sigTok == null) { // REVISIT - no token? // } boolean tokIncluded = true; if (includeToken(sigToken.getInclusion())) { Element el = sigTok.getToken(); sigTokElem = cloneElement(el); this.addEncryptedKeyElement(sigTokElem); } else if (isRequestor() && sigToken instanceof X509Token) { Element el = sigTok.getToken(); sigTokElem = cloneElement(el); this.addEncryptedKeyElement(sigTokElem); } else { tokIncluded = false; } // Add timestamp List<WSEncryptionPart> sigs = getSignedParts(); if (timestampEl != null) { WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement()); sigs.add(timestampPart); } if (isRequestor()) { addSupportingTokens(sigs); if (!sigs.isEmpty()) { signatures.add(doSignature(sigs, sigTokenWrapper, sigToken, sigTok, tokIncluded)); } doEndorse(); } else { // confirm sig assertSupportingTokens(sigs); addSignatureConfirmation(sigs); if (!sigs.isEmpty()) { doSignature(sigs, sigTokenWrapper, sigToken, sigTok, tokIncluded); } } // Encryption TokenWrapper encrTokenWrapper = getEncryptionToken(); Token encrToken = encrTokenWrapper.getToken(); SecurityToken encrTok = null; if (sigToken.equals(encrToken)) { // Use the same token encrTok = sigTok; } else { policyNotAsserted(sbinding, "Encryption token does not equal signature token"); return; } List<WSEncryptionPart> enc = getEncryptedParts(); // Check for signature protection if (sbinding.isSignatureProtection()) { if (mainSigId != null) { WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element"); sigPart.setElement(bottomUpElement); enc.add(sigPart); } if (sigConfList != null && !sigConfList.isEmpty()) { enc.addAll(sigConfList); } } if (isRequestor()) { enc.addAll(encryptedTokensList); } doEncryption(encrTokenWrapper, encrTok, tokIncluded, enc, false); } catch (Exception e) { throw new Fault(e); } }
private void doEncryptBeforeSign() { try { TokenWrapper encryptionWrapper = getEncryptionToken(); Token encryptionToken = encryptionWrapper.getToken(); List<WSEncryptionPart> encrParts = getEncryptedParts(); List<WSEncryptionPart> sigParts = getSignedParts(); // if (encryptionToken == null && encrParts.size() > 0) { // REVISIT - nothing to encrypt? // } if (encryptionToken != null && encrParts.size() > 0) { // The encryption token can be an IssuedToken or a // SecureConversationToken String tokenId = null; SecurityToken tok = null; if (encryptionToken instanceof IssuedToken || encryptionToken instanceof KerberosToken || encryptionToken instanceof SecureConversationToken || encryptionToken instanceof SecurityContextToken || encryptionToken instanceof SpnegoContextToken) { tok = getSecurityToken(); } else if (encryptionToken instanceof X509Token) { if (isRequestor()) { tokenId = setupEncryptedKey(encryptionWrapper, encryptionToken); } else { tokenId = getEncryptedKey(); } } else if (encryptionToken instanceof UsernameToken) { if (isRequestor()) { tokenId = setupUTDerivedKey((UsernameToken) encryptionToken); } else { tokenId = getUTDerivedKey(); } } if (tok == null) { // if (tokenId == null || tokenId.length() == 0) { // REVISIT - no tokenId? Exception? // } if (tokenId != null && tokenId.startsWith("#")) { tokenId = tokenId.substring(1); } /* * Get hold of the token from the token storage */ tok = tokenStore.getToken(tokenId); } boolean attached = false; if (includeToken(encryptionToken.getInclusion())) { Element el = tok.getToken(); this.addEncryptedKeyElement(cloneElement(el)); attached = true; } else if (encryptionToken instanceof X509Token && isRequestor()) { Element el = tok.getToken(); this.addEncryptedKeyElement(cloneElement(el)); attached = true; } WSSecBase encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true); handleEncryptedSignedHeaders(encrParts, sigParts); if (timestampEl != null) { WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement()); sigParts.add(timestampPart); } if (isRequestor()) { this.addSupportingTokens(sigParts); } else { addSignatureConfirmation(sigParts); } // Sign the message // We should use the same key in the case of EncryptBeforeSig if (sigParts.size() > 0) { signatures.add( this.doSignature(sigParts, encryptionWrapper, encryptionToken, tok, attached)); } if (isRequestor()) { this.doEndorse(); } // Check for signature protection and encryption of UsernameToken if (sbinding.isSignatureProtection() || encryptedTokensList.size() > 0 && isRequestor()) { List<WSEncryptionPart> secondEncrParts = new ArrayList<WSEncryptionPart>(); // Now encrypt the signature using the above token if (sbinding.isSignatureProtection()) { if (this.mainSigId != null) { WSEncryptionPart sigPart = new WSEncryptionPart(this.mainSigId, "Element"); sigPart.setElement(bottomUpElement); secondEncrParts.add(sigPart); } if (sigConfList != null && !sigConfList.isEmpty()) { secondEncrParts.addAll(sigConfList); } } if (isRequestor()) { secondEncrParts.addAll(encryptedTokensList); } Element secondRefList = null; if (encryptionToken.isDerivedKeys() && !secondEncrParts.isEmpty()) { secondRefList = ((WSSecDKEncrypt) encr).encryptForExternalRef(null, secondEncrParts); this.addDerivedKeyElement(secondRefList); } else if (!secondEncrParts.isEmpty()) { // Encrypt, get hold of the ref list and add it secondRefList = ((WSSecEncrypt) encr).encryptForRef(null, encrParts); this.addDerivedKeyElement(secondRefList); } } } } catch (RuntimeException ex) { throw ex; } catch (Exception ex) { throw new Fault(ex); } }