in rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java [150:300]
private void doEncryptBeforeSign() {
try {
AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
assertTokenWrapper(encryptionWrapper);
AbstractToken encryptionToken = encryptionWrapper.getToken();
if (encryptionToken != null) {
//The encryption token can be an IssuedToken or a
//SecureConversationToken
String tokenId = null;
SecurityToken tok = null;
if (encryptionToken instanceof IssuedToken
|| encryptionToken instanceof KerberosToken
|| encryptionToken instanceof SecureConversationToken
|| encryptionToken instanceof SecurityContextToken
|| encryptionToken instanceof SpnegoContextToken) {
tok = getSecurityToken();
} else if (encryptionToken instanceof X509Token) {
if (isRequestor()) {
tokenId = setupEncryptedKey(encryptionWrapper, encryptionToken);
} else {
tok = getEncryptedKey();
}
} else if (encryptionToken instanceof UsernameToken) {
if (isRequestor()) {
tokenId = setupUTDerivedKey((UsernameToken)encryptionToken);
} else {
tok = getUTDerivedKey();
}
}
if (tok == null) {
//if (tokenId == null || tokenId.length() == 0) {
//REVISIT - no tokenId? Exception?
//}
if (tokenId != null && tokenId.startsWith("#")) {
tokenId = tokenId.substring(1);
}
/*
* Get hold of the token from the token storage
*/
tok = tokenStore.getToken(tokenId);
}
boolean attached = false;
if (isTokenRequired(encryptionToken.getIncludeTokenType())) {
Element el = tok.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
} else if (encryptionToken instanceof X509Token && isRequestor()) {
Element el = tok.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
}
List<WSEncryptionPart> sigParts = new ArrayList<>();
if (timestampEl != null) {
WSEncryptionPart timestampPart =
convertToEncryptionPart(timestampEl.getElement());
sigParts.add(timestampPart);
}
addSupportingTokens(sigParts);
sigParts.addAll(this.getSignedParts(null));
List<WSEncryptionPart> encrParts = getEncryptedParts();
WSSecBase encr = null;
SecretKey symmetricKey = null;
if (encryptionWrapper.getToken() != null && !encrParts.isEmpty()) {
if (encryptionWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
encr = doEncryptionDerived(encryptionWrapper, tok, attached, encrParts, true);
} else {
byte[] ephemeralKey = tok.getSecret();
String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
if (ephemeralKey != null) {
symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey);
} else {
KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
symmetricKey = keyGen.generateKey();
}
encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true, symmetricKey);
}
}
handleEncryptedSignedHeaders(encrParts, sigParts);
if (!isRequestor()) {
addSignatureConfirmation(sigParts);
}
//Sign the message
//We should use the same key in the case of EncryptBeforeSig
if (!sigParts.isEmpty()) {
addSig(this.doSignature(sigParts, encryptionWrapper, encryptionToken,
tok, attached));
}
if (isRequestor()) {
this.doEndorse();
}
//Check for signature protection and encryption of UsernameToken
if (sbinding.isEncryptSignature()
|| !encryptedTokensList.isEmpty() && isRequestor()) {
List<WSEncryptionPart> secondEncrParts = new ArrayList<>();
//Now encrypt the signature using the above token
if (sbinding.isEncryptSignature()) {
if (this.mainSigId != null) {
WSEncryptionPart sigPart =
new WSEncryptionPart(this.mainSigId, "Element");
sigPart.setElement(bottomUpElement);
secondEncrParts.add(sigPart);
}
if (sigConfList != null && !sigConfList.isEmpty()) {
secondEncrParts.addAll(sigConfList);
}
assertPolicy(
new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
if (isRequestor()) {
secondEncrParts.addAll(encryptedTokensList);
}
if (!secondEncrParts.isEmpty()) {
final Element secondRefList;
if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null, secondEncrParts);
} else {
//Encrypt, get hold of the ref list and add it
secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts, symmetricKey);
}
if (secondRefList != null) {
this.addDerivedKeyElement(secondRefList);
}
}
}
if (encr != null) {
encr.clean();
}
}
} catch (RuntimeException ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
throw ex;
} catch (Exception ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
throw new Fault(ex);
}
}