1 /* 2 * Copyright 2004,2005 The Apache Software Foundation. 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package org.apache.rampart.builder; 18 19 import org.apache.axiom.om.OMElement; 20 import org.apache.commons.logging.Log; 21 import org.apache.commons.logging.LogFactory; 22 import org.apache.rahas.TrustException; 23 import org.apache.rampart.RampartConstants; 24 import org.apache.rampart.RampartException; 25 import org.apache.rampart.RampartMessageData; 26 import org.apache.rampart.policy.RampartPolicyData; 27 import org.apache.rampart.policy.model.RampartConfig; 28 import org.apache.rampart.util.RampartUtil; 29 import org.apache.ws.secpolicy.SPConstants; 30 import org.apache.ws.secpolicy.model.AlgorithmSuite; 31 import org.apache.ws.secpolicy.model.SupportingToken; 32 import org.apache.ws.secpolicy.model.Token; 33 import org.apache.ws.security.WSConstants; 34 import org.apache.ws.security.WSEncryptionPart; 35 import org.apache.ws.security.WSSecurityException; 36 import org.apache.ws.security.conversation.ConversationException; 37 import org.apache.ws.security.handler.WSHandlerConstants; 38 import org.apache.ws.security.message.WSSecDKEncrypt; 39 import org.apache.ws.security.message.WSSecDKSign; 40 import org.apache.ws.security.message.WSSecEncrypt; 41 import org.apache.ws.security.message.WSSecEncryptedKey; 42 import org.apache.ws.security.message.WSSecSignature; 43 import org.w3c.dom.Document; 44 import org.w3c.dom.Element; 45 46 
import java.util.HashMap;
import java.util.Iterator;
import java.util.Vector;

/**
 * Builds the WS-Security header for a WS-SecurityPolicy asymmetric binding.
 * <p>
 * {@link #build(RampartMessageData)} optionally adds a timestamp and then
 * runs either the encrypt-before-signing or the sign-before-encrypting
 * pipeline, as selected by the policy's protection order. Each pipeline
 * handles the main signature, supporting/endorsing tokens, encryption of the
 * configured parts and, when the policy asks for it, signature protection
 * (encryption of the signature itself).
 * <p>
 * Instances hold per-message state in fields (elements inserted into the
 * header, the EncryptedKey id and secret, collected signature values), so an
 * instance is meant to be used for a single message. Helpers such as
 * {@code addTimestamp}, {@code handleSupportingTokens},
 * {@code addSignatureParts}, {@code doEndorsedSignatures},
 * {@code setInsertionLocation} and the fields {@code timestampElement},
 * {@code mainSigId} and {@code encryptedTokensIdList} come from
 * {@link BindingBuilder} and are not shown here.
 */
public class AsymmetricBindingBuilder extends BindingBuilder {

    private static Log log = LogFactory.getLog(AsymmetricBindingBuilder.class);
    // Timing logger; only consulted when dotDebug is set (see constructor).
    private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);
    // True when the timing logger is at debug level; guards all timing code.
    private boolean dotDebug = false;

    // Token used for the main signature (initiator or recipient token,
    // depending on which side we are; see doSignature).
    private Token sigToken;

    // X.509 signature builder, set in doSignature when the signature token
    // does not use derived keys.
    private WSSecSignature sig;

    // EncryptedKey builder, set in createEncryptedKey.
    private WSSecEncryptedKey encrKey;

    // wsu:Id of the EncryptedKey element in use.
    private String encryptedKeyId;

    // Raw ephemeral symmetric key bytes behind encryptedKeyId. This is key
    // material: it must never be logged or included in error messages.
    private byte[] encryptedKeyValue;

    // Signature values of the main and endorsing signatures, in the order
    // they were produced.
    private Vector signatureValues = new Vector();

    // The EncryptedKey element as inserted into the security header.
    private Element encrTokenElement;

    // DerivedKeyToken element used for the signature, if any.
    private Element sigDKTElement;

    // DerivedKeyToken element used for encryption, if any.
    private Element encrDKTElement;

    // Parts to be covered by the main signature.
    private Vector sigParts = new Vector();

    // The main ds:Signature element once it has been created.
    private Element signatureElement;

    public AsymmetricBindingBuilder(){
        dotDebug = tlog.isDebugEnabled();
    }

    /**
     * Builds the security header for the given message.
     *
     * @param rmd message data carrying the policy, the DOM document and the
     *            security header to populate
     * @throws RampartException if any signing or encryption step fails
     */
    public void build(RampartMessageData rmd) throws RampartException {
        log.debug("AsymmetricBindingBuilder build invoked");

        RampartPolicyData rpd = rmd.getPolicyData();
        if (rpd.isIncludeTimestamp()) {
            this.addTimestamp(rmd);
        }

        // The policy's protection order decides the pipeline; anything other
        // than EncryptBeforeSigning is treated as sign-before-encrypt.
        if (SPConstants.ENCRYPT_BEFORE_SIGNING.equals(rpd.getProtectionOrder())) {
            this.doEncryptBeforeSig(rmd);
        } else {
            this.doSignBeforeEncrypt(rmd);
        }

        log.debug("AsymmetricBindingBuilder build invoked : DONE");
    }

    /**
     * Encrypt-before-signing pipeline: encrypts the configured parts first,
     * then handles supporting tokens and the main/endorsing signatures, and
     * finally encrypts the signature when signature protection is enabled.
     * <p>
     * NOTE(review): everything after the initial encryption -- supporting
     * tokens, the main signature, endorsing signatures and signature
     * protection -- sits inside the {@code encryptionToken != null &&
     * encrParts.size() > 0} block, so a message with signed parts but no
     * encrypted parts leaves this method without any signature. Confirm that
     * is the intended behaviour for this protection order.
     *
     * @param rmd message data for the message being built
     * @throws RampartException when the encryption token or RampartConfig is
     *                          missing, or when a WSS4J signing/encryption
     *                          step fails
     */
    private void doEncryptBeforeSig(RampartMessageData rmd)
            throws RampartException {

        long t0 = 0, t1 = 0, t2 = 0;
        if(dotDebug){
            t0 = System.currentTimeMillis();
        }
        RampartPolicyData rpd = rmd.getPolicyData();
        Document doc = rmd.getDocument();
        RampartConfig config = rpd.getRampartConfig();

        /*
         * We need to hold on to these elements to use them as a reference in
         * the case of encrypting the signature (signature protection below).
         */
        Element encrDKTokenElem = null;
        WSSecEncrypt encr = null;
        Element refList = null;
        WSSecDKEncrypt dkEncr = null;

        /*
         * We MUST use keys derived from the same token: the initiator
         * encrypts for the recipient's token, the recipient for the
         * initiator's.
         */
        Token encryptionToken = null;
        if(rmd.isInitiator()) {
            encryptionToken = rpd.getRecipientToken();
        } else {
            encryptionToken = rpd.getInitiatorToken();
        }
        Vector encrParts = RampartUtil.getEncryptedParts(rmd);

        //Signed parts are determined before encryption because encrypted signed headers
        //will not be included otherwise
        this.sigParts = RampartUtil.getSignedParts(rmd);

        if(encryptionToken == null && encrParts.size() > 0) {
            throw new RampartException("encryptionTokenMissing");
        }

        if (encryptionToken != null && encrParts.size() > 0) {

            //Check for RampartConfig assertion
            if(rpd.getRampartConfig() == null) {
                //We're missing the extra info rampart needs
                // NOTE(review): the message key below looks misspelled
                // ("Conig"); check the resource bundle before renaming it.
                throw new RampartException("rampartConigMissing");
            }

            if (encryptionToken.isDerivedKeys()) {
                try {
                    // Ensures encryptedKeyId/encryptedKeyValue are populated
                    // (from the request on the responder side, or freshly
                    // created).
                    this.setupEncryptedKey(rmd, encryptionToken);
                    // Create the DK encryption builder
                    dkEncr = new WSSecDKEncrypt();
                    dkEncr.setParts(encrParts);
                    dkEncr.setExternalKey(this.encryptedKeyValue,
                            this.encryptedKeyId);
                    // Policy gives the derived key length in bits; WSS4J wants bytes.
                    dkEncr.setDerivedKeyLength(rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()/8);
                    dkEncr.prepare(doc);

                    // Get and add the DKT element
                    this.encrDKTElement = dkEncr.getdktElement();
                    encrDKTokenElem = RampartUtil.appendChildToSecHeader(rmd, this.encrDKTElement);

                    refList = dkEncr.encryptForExternalRef(null, encrParts);

                } catch (WSSecurityException e) {
                    throw new RampartException("errorCreatingEncryptedKey", e);
                } catch (ConversationException e) {
                    throw new RampartException("errorInDKEncr", e);
                }
            } else {
                try {
                    encr = new WSSecEncrypt();
                    encr.setParts(encrParts);
                    encr.setWsConfig(rmd.getConfig());
                    encr.setDocument(doc);
                    RampartUtil.setEncryptionUser(rmd, encr);
                    encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
                    RampartUtil.setKeyIdentifierType(rpd,encr, encryptionToken);
                    encr.setKeyEncAlgo(rpd.getAlgorithmSuite().getAsymmetricKeyWrap());
                    encr.prepare(doc, RampartUtil.getEncryptionCrypto(config, rmd.getCustomClassLoader()));

                    // A BinarySecurityToken is only present for some key
                    // identifier types; add it when WSS4J produced one.
                    Element bstElem = encr.getBinarySecurityTokenElement();
                    if (bstElem != null) {
                        RampartUtil.appendChildToSecHeader(rmd, bstElem);
                    }

                    this.encrTokenElement = encr.getEncryptedKeyElement();
                    this.encrTokenElement = RampartUtil.appendChildToSecHeader(rmd,
                            encrTokenElement);

                    refList = encr.encryptForExternalRef(null, encrParts);

                } catch (WSSecurityException e) {
                    throw new RampartException("errorInEncryption", e);
                }
            }

            RampartUtil.appendChildToSecHeader(rmd, refList);

            if(dotDebug){
                t1 = System.currentTimeMillis();
            }

            // Subsequent header insertions go after the EncryptedKey element.
            // NOTE(review): on the derived-key path encrTokenElement is only
            // set if createEncryptedKey ran; confirm a null insertion
            // location is acceptable to the BindingBuilder helpers otherwise.
            this.setInsertionLocation(encrTokenElement);

            RampartUtil.handleEncryptedSignedHeaders(encrParts, this.sigParts, doc);

            HashMap sigSuppTokMap = null;
            HashMap endSuppTokMap = null;
            HashMap sgndEndSuppTokMap = null;
            HashMap sgndEncSuppTokMap = null;
            HashMap endEncSuppTokMap = null;
            HashMap sgndEndEncSuppTokMap = null;

            // The timestamp, if any, is always covered by the main signature.
            if(this.timestampElement != null){
                sigParts.add(new WSEncryptionPart(RampartUtil
                        .addWsuIdToElement((OMElement) this.timestampElement)));
            }

            if (rmd.isInitiator()) {

                // Now add the supporting tokens
                SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
                sigSuppTokMap = this.handleSupportingTokens(rmd, sgndSuppTokens);

                SupportingToken endSuppTokens = rpd.getEndorsingSupportingTokens();
                endSuppTokMap = this.handleSupportingTokens(rmd, endSuppTokens);

                SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
                sgndEndSuppTokMap = this.handleSupportingTokens(rmd, sgndEndSuppTokens);

                SupportingToken sgndEncryptedSuppTokens = rpd.getSignedEncryptedSupportingTokens();
                sgndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEncryptedSuppTokens);

                SupportingToken endorsingEncryptedSuppTokens = rpd.getEndorsingEncryptedSupportingTokens();
                endEncSuppTokMap = this.handleSupportingTokens(rmd, endorsingEncryptedSuppTokens);

                SupportingToken sgndEndEncSuppTokens = rpd.getSignedEndorsingEncryptedSupportingTokens();
                sgndEndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEndEncSuppTokens);

                SupportingToken supportingToks = rpd.getSupportingTokens();
                this.handleSupportingTokens(rmd, supportingToks);

                SupportingToken encryptedSupportingToks = rpd.getEncryptedSupportingTokens();
                this.handleSupportingTokens(rmd, encryptedSupportingToks);

                //Setup signature parts: every "signed" flavour of supporting
                //token is added to the main signature's references.
                sigParts = addSignatureParts(sigSuppTokMap, sigParts);
                sigParts = addSignatureParts(sgndEncSuppTokMap, sigParts);
                sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);
                sigParts = addSignatureParts(sgndEndEncSuppTokMap, sigParts);

            } else {
                // Responder side: add SignatureConfirmation elements for the
                // request's signatures to the signed parts.
                addSignatureConfirmation(rmd, sigParts);
            }

            // NOTE(review): unlike doSignBeforeEncrypt, the sigParts.size() > 0
            // test here only guards the initiator branch; on the responder
            // side doSignature runs whenever a recipient token is configured,
            // even with no parts to sign. Confirm the bracketing is intended.
            if(( sigParts.size() > 0 &&
                    rmd.isInitiator() && rpd.getInitiatorToken() != null) ||
                    (!rmd.isInitiator() && rpd.getRecipientToken() != null)) {
                this.doSignature(rmd);
            }

            if (rmd.isInitiator()) {

                // Endorsing-encrypted tokens are endorsed together with the
                // plain endorsing tokens.
                endSuppTokMap.putAll(endEncSuppTokMap);
                // Do endorsed signatures
                Vector endSigVals = this.doEndorsedSignatures(rmd,
                        endSuppTokMap);
                for (Iterator iter = endSigVals.iterator(); iter.hasNext();) {
                    signatureValues.add(iter.next());
                }

                sgndEndSuppTokMap.putAll(sgndEndEncSuppTokMap);
                // Do signed endorsing signatures
                Vector sigEndSigVals = this.doEndorsedSignatures(rmd,
                        sgndEndSuppTokMap);
                for (Iterator iter = sigEndSigVals.iterator(); iter.hasNext();) {
                    signatureValues.add(iter.next());
                }
            }

            if(dotDebug){
                t2 = System.currentTimeMillis();
                tlog.debug("Encryption took :" + (t1 - t0)
                        +", Signature tool :" + (t2 - t1) );
            }

            // Check for signature protection: encrypt the main signature (and,
            // on the initiator side, the encrypted supporting tokens) with the
            // same encryption builder that was used above.
            if (rpd.isSignatureProtection()
                    && this.mainSigId != null) {
                long t3 = 0, t4 = 0;
                if(dotDebug){
                    t3 = System.currentTimeMillis();
                }
                Vector secondEncrParts = new Vector();

                // Now encrypt the signature using the above token
                secondEncrParts.add(new WSEncryptionPart(this.mainSigId,
                        "Element"));

                if(rmd.isInitiator()) {
                    for (int i = 0 ; i < encryptedTokensIdList.size(); i++) {
                        secondEncrParts.add(new WSEncryptionPart((String)encryptedTokensIdList.get(i),"Element"));
                    }
                }

                Element secondRefList = null;

                if (encryptionToken.isDerivedKeys()) {
                    try {

                        // Reuses dkEncr from the first pass; the second
                        // ReferenceList goes right after the DerivedKeyToken.
                        secondRefList = dkEncr.encryptForExternalRef(null,
                                secondEncrParts);
                        RampartUtil.insertSiblingAfter(rmd, encrDKTokenElem,
                                secondRefList);

                    } catch (WSSecurityException e) {
                        throw new RampartException("errorCreatingEncryptedKey",
                                e);
                    }
                } else {
                    try {
                        // Encrypt, get hold of the ref list and add it
                        secondRefList = encr.encryptForExternalRef(null,
                                secondEncrParts);

                        // Insert the ref list after the encrypted key elem
                        this.setInsertionLocation(RampartUtil
                                .insertSiblingAfter(rmd, encrTokenElement,
                                        secondRefList));
                    } catch (WSSecurityException e) {
                        throw new RampartException("errorInEncryption", e);
                    }
                }
                if(dotDebug){
                    t4 = System.currentTimeMillis();
                    tlog.debug("Signature protection took :" + (t4 - t3));
                }
            }
        }



    }

    /**
     * Sign-before-encrypting pipeline: handles supporting tokens and the
     * main/endorsing signatures first, then encrypts the configured parts
     * plus (when signature protection is on) the signature element and the
     * encrypted supporting tokens.
     *
     * @param rmd message data for the message being built
     * @throws RampartException if a WSS4J signing/encryption step fails
     */
    private void doSignBeforeEncrypt(RampartMessageData rmd)
            throws RampartException {

        long t0 = 0, t1 = 0, t2 = 0;

        RampartPolicyData rpd = rmd.getPolicyData();
        Document doc = rmd.getDocument();

        HashMap sigSuppTokMap = null;
        HashMap endSuppTokMap = null;
        HashMap sgndEndSuppTokMap = null;
        HashMap sgndEncSuppTokMap = null;
        HashMap endEncSuppTokMap = null;
        HashMap sgndEndEncSuppTokMap = null;

        sigParts = RampartUtil.getSignedParts(rmd);

        //Add timestamp to the signed parts; without one, start inserting at
        //the top of the header.
        if(this.timestampElement != null){
            sigParts.add(new WSEncryptionPart(RampartUtil
                    .addWsuIdToElement((OMElement) this.timestampElement)));
        }else{
            this.setInsertionLocation(null);
        }

        if(dotDebug){
            t0 = System.currentTimeMillis();
        }

        if (rmd.isInitiator()) {

            // Now add the supporting tokens
            SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
            sigSuppTokMap = this.handleSupportingTokens(rmd, sgndSuppTokens);

            SupportingToken endSuppTokens = rpd.getEndorsingSupportingTokens();
            endSuppTokMap = this.handleSupportingTokens(rmd, endSuppTokens);

            SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
            sgndEndSuppTokMap = this.handleSupportingTokens(rmd, sgndEndSuppTokens);

            SupportingToken sgndEncryptedSuppTokens = rpd.getSignedEncryptedSupportingTokens();
            sgndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEncryptedSuppTokens);

            SupportingToken endorsingEncryptedSuppTokens = rpd.getEndorsingEncryptedSupportingTokens();
            endEncSuppTokMap = this.handleSupportingTokens(rmd, endorsingEncryptedSuppTokens);

            SupportingToken sgndEndEncSuppTokens = rpd.getSignedEndorsingEncryptedSupportingTokens();
            sgndEndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEndEncSuppTokens);

            SupportingToken supportingToks = rpd.getSupportingTokens();
            this.handleSupportingTokens(rmd, supportingToks);

            SupportingToken encryptedSupportingToks = rpd.getEncryptedSupportingTokens();
            this.handleSupportingTokens(rmd, encryptedSupportingToks);

            //Setup signature parts: every "signed" flavour of supporting
            //token is added to the main signature's references.
            sigParts = addSignatureParts(sigSuppTokMap, sigParts);
            sigParts = addSignatureParts(sgndEncSuppTokMap, sigParts);
            sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);
            sigParts = addSignatureParts(sgndEndEncSuppTokMap, sigParts);

        } else {
            // Responder side: add SignatureConfirmation elements for the
            // request's signatures to the signed parts.
            addSignatureConfirmation(rmd, sigParts);
        }

        // Sign only when there is something to sign and this side has a
        // signature token configured.
        if( sigParts.size() > 0 &&
                ((rmd.isInitiator() && rpd.getInitiatorToken() != null) ||
                (!rmd.isInitiator() && rpd.getRecipientToken() != null))) {
            // Do signature
            this.doSignature(rmd);
        }

        //Do endorsed signature

        if (rmd.isInitiator()) {

            // Adding the endorsing encrypted supporting tokens to endorsing supporting tokens
            endSuppTokMap.putAll(endEncSuppTokMap);
            // Do endorsed signatures
            Vector endSigVals = this.doEndorsedSignatures(rmd,
                    endSuppTokMap);
            for (Iterator iter = endSigVals.iterator(); iter.hasNext();) {
                signatureValues.add(iter.next());
            }

            //Adding the signed endorsed encrypted tokens to signed endorsed supporting tokens
            sgndEndSuppTokMap.putAll(sgndEndEncSuppTokMap);
            // Do signed endorsing signatures
            Vector sigEndSigVals = this.doEndorsedSignatures(rmd,
                    sgndEndSuppTokMap);
            for (Iterator iter = sigEndSigVals.iterator(); iter.hasNext();) {
                signatureValues.add(iter.next());
            }
        }

        if(dotDebug){
            t1 = System.currentTimeMillis();
        }

        Vector encrParts = RampartUtil.getEncryptedParts(rmd);

        //Check for signature protection: the whole ds:Signature element is
        //added to the parts to encrypt.
        if(rpd.isSignatureProtection() && this.mainSigId != null) {
            encrParts.add(new WSEncryptionPart(RampartUtil.addWsuIdToElement((OMElement)this.signatureElement), "Element"));
        }

        // Supporting tokens that the policy wants encrypted (ids collected
        // by handleSupportingTokens) are encrypted as whole elements.
        if(rmd.isInitiator()) {
            for (int i = 0 ; i < encryptedTokensIdList.size(); i++) {
                encrParts.add(new WSEncryptionPart((String)encryptedTokensIdList.get(i),"Element"));
            }
        }

        //Do encryption
        // NOTE(review): doEncryptBeforeSig selects the initiator token when
        // !rmd.isInitiator(); here the recipient token is used on both sides.
        // Confirm this asymmetry is intended.
        Token encrToken = rpd.getRecipientToken();
        if(encrToken != null && encrParts.size() > 0) {
            Element refList = null;
            AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
            if(encrToken.isDerivedKeys()) {

                try {
                    WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();

                    // doSignature may already have set up the EncryptedKey;
                    // reuse it so signing and encryption derive from one key.
                    if(this.encrKey == null) {
                        this.setupEncryptedKey(rmd, encrToken);
                    }

                    dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
                    dkEncr.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
                            + WSConstants.ENC_KEY_VALUE_TYPE);
                    dkEncr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
                    // Policy gives the derived key length in bits; WSS4J wants bytes.
                    dkEncr.setDerivedKeyLength(algorithmSuite.getEncryptionDerivedKeyLength()/8);
                    dkEncr.prepare(doc);


                    // Place the encryption DKT after the EncryptedKey when we
                    // created one, otherwise before the signature's DKT.
                    if(this.encrTokenElement != null) {
                        this.encrDKTElement = RampartUtil.insertSiblingAfter(
                                rmd, this.encrTokenElement, dkEncr.getdktElement());
                    } else {
                        this.encrDKTElement = RampartUtil.insertSiblingBefore(
                                rmd, this.sigDKTElement, dkEncr.getdktElement());
                    }

                    refList = dkEncr.encryptForExternalRef(null, encrParts);

                    RampartUtil.insertSiblingAfter(rmd,
                            this.encrDKTElement,
                            refList);

                } catch (WSSecurityException e) {
                    throw new RampartException("errorInDKEncr", e);
                } catch (ConversationException e) {
                    throw new RampartException("errorInDKEncr", e);
                }
            } else {
                try {

                    WSSecEncrypt encr = new WSSecEncrypt();

                    RampartUtil.setKeyIdentifierType(rpd, encr, encrToken);

                    encr.setWsConfig(rmd.getConfig());

                    encr.setDocument(doc);
                    RampartUtil.setEncryptionUser(rmd, encr);
                    encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
                    encr.setKeyEncAlgo(algorithmSuite.getAsymmetricKeyWrap());
                    encr.prepare(doc, RampartUtil.getEncryptionCrypto(rpd
                            .getRampartConfig(), rmd.getCustomClassLoader()));

                    // The EncryptedKey (and its BST) go right after the
                    // timestamp, or at the top of the header if there is none.
                    if(this.timestampElement != null){
                        this.setInsertionLocation(this.timestampElement);
                    }else{
                        this.setInsertionLocation(null);
                    }

                    if(encr.getBSTTokenId() != null) {
                        this.setInsertionLocation(RampartUtil
                                .insertSiblingAfterOrPrepend(rmd,
                                        this.getInsertionLocation(),
                                        encr.getBinarySecurityTokenElement()));
                    }


                    Element encryptedKeyElement = encr.getEncryptedKeyElement();

                    //Encrypt, get hold of the ref list and add it
                    refList = encr.encryptForInternalRef(null, encrParts);

                    //Add internal refs: the ReferenceList lives inside the
                    //EncryptedKey element here, unlike the external
                    //ReferenceList used in the derived-key branch.
                    encryptedKeyElement.appendChild(refList);

                    this.setInsertionLocation(RampartUtil
                            .insertSiblingAfterOrPrepend(rmd,
                                    this.getInsertionLocation(),
                                    encryptedKeyElement));

                } catch (WSSecurityException e) {
                    throw new RampartException("errorInEncryption", e);
                }
            }
        }

        if(dotDebug){
            t2 = System.currentTimeMillis();
            tlog.debug("Signature took :" + (t1 - t0)
                    +", Encryption took :" + (t2 - t1) );
        }

    }

    /**
     * Creates the main signature over {@code sigParts} with this side's
     * signature token, inserts it (and its DerivedKeyToken or
     * BinarySecurityToken) into the header at the current insertion location
     * and records {@code mainSigId}, {@code signatureElement} and the
     * signature value.
     * <p>
     * Callers guarantee that the selected token is non-null (see the checks
     * in doEncryptBeforeSig and doSignBeforeEncrypt).
     *
     * @param rmd message data for the message being built
     * @throws RampartException if signature preparation or computation fails
     */
    private void doSignature(RampartMessageData rmd) throws RampartException {

        RampartPolicyData rpd = rmd.getPolicyData();
        Document doc = rmd.getDocument();

        long t0 = 0, t1 = 0;
        if(dotDebug){
            t0 = System.currentTimeMillis();
        }
        if(rmd.isInitiator()) {
            sigToken = rpd.getInitiatorToken();
        } else {
            sigToken = rpd.getRecipientToken();
        }

        if (sigToken.isDerivedKeys()) {
            // Set up the encrypted key to use
            if(this.encrKey == null) {
                setupEncryptedKey(rmd, sigToken);
            }

            WSSecDKSign dkSign = new WSSecDKSign();
            dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);

            // Set the algo info
            dkSign.setSignatureAlgorithm(rpd.getAlgorithmSuite()
                    .getSymmetricSignature());
            // Policy gives the derived key length in bits; WSS4J wants bytes.
            dkSign.setDerivedKeyLength(rpd.getAlgorithmSuite()
                    .getSignatureDerivedKeyLength() / 8);
            dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
                    + WSConstants.ENC_KEY_VALUE_TYPE);
            try {
                dkSign.prepare(doc, rmd.getSecHeader());

                // Token protection: the EncryptedKey itself is signed too.
                if (rpd.isTokenProtection()) {
                    sigParts.add(new WSEncryptionPart(encrKey.getId()));
                }

                dkSign.setParts(sigParts);

                dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());

                // Do signature
                dkSign.computeSignature();

                ; // stray empty statement; harmless, left as found
                // Add elements to header
                this.sigDKTElement = RampartUtil.insertSiblingAfter(rmd,
                        this.getInsertionLocation(),
                        dkSign.getdktElement());
                this.setInsertionLocation(this.sigDKTElement);

                this.setInsertionLocation(RampartUtil.insertSiblingAfter(rmd,
                        this.getInsertionLocation(), dkSign
                                .getSignatureElement()));

                this.mainSigId = RampartUtil
                        .addWsuIdToElement((OMElement) dkSign
                                .getSignatureElement());

                signatureValues.add(dkSign.getSignatureValue());

                signatureElement = dkSign.getSignatureElement();
            } catch (WSSecurityException e) {
                throw new RampartException("errorInDerivedKeyTokenSignature", e);
            } catch (ConversationException e) {
                throw new RampartException("errorInDerivedKeyTokenSignature", e);
            }

        } else {
            sig = this.getSignatureBuider(rmd, sigToken);
            Element bstElem = sig.getBinarySecurityTokenElement();
            if(bstElem != null) {
                bstElem = RampartUtil.insertSiblingAfter(rmd, this
                        .getInsertionLocation(), bstElem);
                this.setInsertionLocation(bstElem);
            }

            // Token protection: the BinarySecurityToken is signed too.
            if (rmd.getPolicyData().isTokenProtection()
                    && sig.getBSTTokenId() != null) {
                sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
            }

            try {
                sig.addReferencesToSign(sigParts, rmd.getSecHeader());
                sig.computeSignature();

                signatureElement = sig.getSignatureElement();

                this.setInsertionLocation(RampartUtil.insertSiblingAfter(
                        rmd, this.getInsertionLocation(), signatureElement));

                this.mainSigId = RampartUtil.addWsuIdToElement((OMElement) signatureElement);
            } catch (WSSecurityException e) {
                throw new RampartException("errorInSignatureWithX509Token", e);
            }
            signatureValues.add(sig.getSignatureValue());
        }

        if(dotDebug){
            t1 = System.currentTimeMillis();
            tlog.debug("Signature took :" + (t1 - t0));
        }

    }

    /**
     * Makes sure {@code encryptedKeyId} and {@code encryptedKeyValue} are
     * available for derived-key operations.
     * <p>
     * On the responder side with a derived-key token the id and secret of the
     * EncryptedKey received in the request are reused (read from the
     * {@code WSHandlerConstants.RECV_RESULTS} property); a fresh EncryptedKey
     * is created only when the request carried none. In every other case a
     * new EncryptedKey is created via {@link #createEncryptedKey}.
     *
     * @param rmd   message data for the message being built
     * @param token the token the key is created for
     * @throws RampartException if no security results are available on the
     *                          responder side, or if creating the key fails
     */
    private void setupEncryptedKey(RampartMessageData rmd, Token token)
            throws RampartException {
        if(!rmd.isInitiator() && token.isDerivedKeys()) {

            //If we already have them, simply return
            if(this.encryptedKeyId != null && this.encryptedKeyValue != null) {
                return;
            }

            //Use the secret from the incoming EncryptedKey element
            Object resultsObj = rmd.getMsgContext().getProperty(WSHandlerConstants.RECV_RESULTS);
            if(resultsObj != null) {
                encryptedKeyId = RampartUtil.getRequestEncryptedKeyId((Vector)resultsObj);
                encryptedKeyValue = RampartUtil.getRequestEncryptedKeyValue((Vector)resultsObj);

                //In the case where we don't have the EncryptedKey in the
                //request, for the control to have reached this state,
                //the scenario MUST be a case where this is the response
                //message by a listener created for an async client
                //Therefore we will create a new EncryptedKey
                if(encryptedKeyId == null && encryptedKeyValue == null) {
                    createEncryptedKey(rmd, token);
                }
            } else {
                throw new RampartException("noSecurityResults");
            }
        } else {
            createEncryptedKey(rmd, token);
        }

    }

    /**
     * Creates an EncryptedKey element for {@code token}, appends it (and its
     * BinarySecurityToken, if any) to the security header, records its id
     * and ephemeral secret in this builder and stores both in the message's
     * token storage so the other side of the exchange can be verified or
     * answered with the same key.
     *
     * @param rmd   message data for the message being built
     * @param token the token the EncryptedKey is built for
     * @throws RampartException if the key cannot be built or stored
     */
    private void createEncryptedKey(RampartMessageData rmd, Token token) throws RampartException {
        //Set up the encrypted key to use
        encrKey = this.getEncryptedKeyBuilder(rmd, token);

        Element bstElem = encrKey.getBinarySecurityTokenElement();
        if (bstElem != null) {
            // If a BST is available then use it
            RampartUtil.appendChildToSecHeader(rmd, bstElem);
        }

        // Add the EncryptedKey
        encrTokenElement = encrKey.getEncryptedKeyElement();
        this.encrTokenElement = RampartUtil.appendChildToSecHeader(rmd,
                encrTokenElement);
        // Raw symmetric key bytes -- sensitive; never log.
        encryptedKeyValue = encrKey.getEphemeralKey();
        encryptedKeyId = encrKey.getId();

        //Store the token for client - response verification
        // and server - response creation. The stored token carries the
        // ephemeral secret, so the token storage must be treated as holding
        // key material.
        try {
            org.apache.rahas.Token tok = new org.apache.rahas.Token(
                    encryptedKeyId,
                    (OMElement)encrTokenElement , null, null);
            tok.setSecret(encryptedKeyValue);
            rmd.getTokenStorage().add(tok);
        } catch (TrustException e) {
            throw new RampartException("errorInAddingTokenIntoStore", e);
        }
    }
}