in rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java [663:805]
private void doSignature(AbstractTokenWrapper wrapper, List<WSEncryptionPart> sigParts, boolean attached)
throws WSSecurityException, SOAPException, TokenStoreException {
if (!isRequestor()) {
assertUnusedTokens(abinding.getInitiatorToken());
assertUnusedTokens(abinding.getInitiatorEncryptionToken());
assertUnusedTokens(abinding.getInitiatorSignatureToken());
} else {
assertUnusedTokens(abinding.getRecipientToken());
assertUnusedTokens(abinding.getRecipientEncryptionToken());
assertUnusedTokens(abinding.getRecipientSignatureToken());
}
AbstractToken sigToken = wrapper.getToken();
if (sigParts.isEmpty()) {
// Add the BST to the security header if required
if (!attached && isTokenRequired(sigToken.getIncludeTokenType())) {
WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
sig.appendBSTElementToHeader();
sig.clean();
}
return;
}
if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
// Set up the encrypted key to use
setupEncryptedKey(sigToken);
WSSecDKSign dkSign = new WSSecDKSign(secHeader);
dkSign.setIdAllocator(wssConfig.getIdAllocator());
dkSign.setCallbackLookup(callbackLookup);
dkSign.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
dkSign.setStoreBytesInAttachment(storeBytesInAttachment);
dkSign.setExpandXopInclude(isExpandXopInclude());
dkSign.setWsDocInfo(wsDocInfo);
if (wrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
}
dkSign.setTokenIdentifier(this.encryptedKeyId);
// Set the algo info
dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
dkSign.setSigCanonicalization(abinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();
dkSign.setDigestAlgorithm(algType.getDigest());
dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
dkSign.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#"
+ WSS4JConstants.ENC_KEY_VALUE_TYPE);
boolean includePrefixes =
MessageUtils.getContextualBoolean(
message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true
);
dkSign.setAddInclusivePrefixes(includePrefixes);
try {
dkSign.prepare(this.encryptedKeyValue);
if (abinding.isProtectTokens()) {
assertPolicy(
new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
if (bstElement != null) {
WSEncryptionPart bstPart =
new WSEncryptionPart(bstElement.getAttributeNS(WSS4JConstants.WSU_NS, "Id"));
bstPart.setElement(bstElement);
sigParts.add(bstPart);
} else {
WSEncryptionPart ekPart =
new WSEncryptionPart(encrKey.getId());
ekPart.setElement(encrKey.getEncryptedKeyElement());
sigParts.add(ekPart);
}
}
dkSign.getParts().addAll(sigParts);
List<Reference> referenceList = dkSign.addReferencesToSign(sigParts);
if (!referenceList.isEmpty()) {
// Add elements to header
addDerivedKeyElement(dkSign.getdktElement());
//Do signature
if (bottomUpElement == null) {
dkSign.computeSignature(referenceList, false, null);
} else {
dkSign.computeSignature(referenceList, true, bottomUpElement);
}
bottomUpElement = dkSign.getSignatureElement();
addSig(dkSign.getSignatureValue());
mainSigId = dkSign.getSignatureId();
}
dkSign.clean();
} catch (Exception ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
throw new Fault(ex);
}
} else {
WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
if (abinding.isProtectTokens()) {
assertPolicy(
new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
if (sig.getCustomTokenId() != null
&& (sigToken instanceof SamlToken || sigToken instanceof IssuedToken)) {
WSEncryptionPart samlPart =
new WSEncryptionPart(sig.getCustomTokenId());
sigParts.add(samlPart);
} else if (sig.getBSTTokenId() != null) {
// This action must occur before sig.prependBSTElementToHeader
WSEncryptionPart bstPart =
new WSEncryptionPart(sig.getBSTTokenId());
bstPart.setElement(sig.getBinarySecurityTokenElement());
sigParts.add(bstPart);
sig.prependBSTElementToHeader();
}
}
List<Reference> referenceList = sig.addReferencesToSign(sigParts);
if (!referenceList.isEmpty()) {
//Do signature
if (bottomUpElement == null) {
sig.computeSignature(referenceList, false, null);
} else {
sig.computeSignature(referenceList, true, bottomUpElement);
}
bottomUpElement = sig.getSignatureElement();
if (!abinding.isProtectTokens()) {
Element bstElement = sig.getBinarySecurityTokenElement();
if (bstElement != null) {
secHeader.getSecurityHeaderElement().insertBefore(bstElement, bottomUpElement);
}
}
addSig(sig.getSignatureValue());
mainSigId = sig.getId();
}
sig.clean();
}
}