in ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java [168:264]
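/**
 * Resolves the symmetric secret key that a {@code SecurityTokenReference} points at.
 *
 * <p>Two reference styles are handled:
 * <ul>
 *   <li>{@code wsse:Reference} (URI) — the CallbackHandler is asked for the key first; if it
 *       supplies nothing, the referenced element is located and, when it is a
 *       BinarySecurityToken, processed to obtain its secret.</li>
 *   <li>{@code wsse:KeyIdentifier} — dispatched on the ValueType: SAML 1.1/2.0 identifiers fall
 *       back to the referenced assertion, Kerberos identifiers fall back to an already-processed
 *       BinarySecurityToken whose digest matches the identifier bytes, and any other ValueType
 *       (including EncryptedKeySHA1, which is BSP-checked) must be answered by the callback.</li>
 * </ul>
 *
 * <p>Every path ends in the same gate: a {@code null} or zero-length key is rejected with
 * {@code unsupportedKeyId}. Previously only the final ValueType branch checked for an empty
 * array; the Reference and Kerberos branches treated an empty callback answer as "not found"
 * but then only rejected {@code null}, so an empty key could be handed back on the result.
 *
 * @param secRef     the parsed SecurityTokenReference
 * @param uri        the reference URI / identifier used for error reporting and callback lookups
 * @param parameters parser parameters carrying the RequestData and the STR DOM element
 * @return a result whose secret key is non-null and non-empty
 * @throws WSSecurityException {@code noReference} if the STR carries neither a Reference nor a
 *         KeyIdentifier, {@code unsupportedKeyId} if no usable key could be resolved, or whatever
 *         the invoked token processors and BSP checks raise
 */
private STRParserResult processSTR(
    SecurityTokenReference secRef,
    String uri,
    STRParserParameters parameters
) throws WSSecurityException {
    RequestData data = parameters.getData();
    Element strElement = parameters.getStrElement();
    WSDocInfo wsDocInfo = data.getWsDocInfo();

    byte[] secretKey;
    if (secRef.containsReference()) {
        secretKey = resolveReferencedKey(secRef, uri, strElement, wsDocInfo, data);
    } else if (secRef.containsKeyIdentifier()) {
        secretKey = resolveKeyIdentifierKey(secRef, uri, strElement, wsDocInfo, data);
    } else {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "noReference");
    }

    STRParserResult parserResult = new STRParserResult();
    parserResult.setSecretKey(requireKey(secretKey, uri));
    return parserResult;
}

/**
 * Key resolution for a {@code wsse:Reference}: callback first, then a referenced
 * BinarySecurityToken. Returns whatever was found (possibly {@code null}/empty); the caller
 * applies the final non-empty gate.
 */
private byte[] resolveReferencedKey(
    SecurityTokenReference secRef,
    String uri,
    Element strElement,
    WSDocInfo wsDocInfo,
    RequestData data
) throws WSSecurityException {
    Reference reference = secRef.getReference();
    // Try asking the CallbackHandler for the secret key
    byte[] secretKey =
        STRParserUtil.getSecretKeyFromToken(uri, reference.getValueType(),
                                            WSPasswordCallback.SECRET_KEY, data);
    if (isEmpty(secretKey)) {
        // NOTE(review): getTokenElement is assumed to throw rather than return null when the
        // URI cannot be resolved — confirm, otherwise the QName construction below would NPE.
        Element token =
            STRParserUtil.getTokenElement(strElement.getOwnerDocument(), wsDocInfo,
                                          data.getCallbackHandler(), uri, reference.getValueType());
        QName el = new QName(token.getNamespaceURI(), token.getLocalName());
        // Only a BinarySecurityToken is processed here; any other referenced element leaves
        // secretKey empty and is rejected by the caller's gate.
        if (el.equals(WSConstants.BINARY_TOKEN)) {
            Processor proc = data.getWssConfig().getProcessor(WSConstants.BINARY_TOKEN);
            List<WSSecurityEngineResult> bstResult = proc.handleToken(token, data);
            BinarySecurity bstToken =
                (BinarySecurity) bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            // BSP compliance is checked before the token's secret is trusted.
            STRParserUtil.checkBinarySecurityBSPCompliance(secRef, bstToken, data.getBSPEnforcer());
            secretKey = (byte[]) bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
        }
    }
    return secretKey;
}

/**
 * Key resolution for a {@code wsse:KeyIdentifier}, dispatched on its ValueType.
 * Returns whatever was found (possibly {@code null}/empty); the caller applies the final gate.
 */
private byte[] resolveKeyIdentifierKey(
    SecurityTokenReference secRef,
    String uri,
    Element strElement,
    WSDocInfo wsDocInfo,
    RequestData data
) throws WSSecurityException {
    String valueType = secRef.getKeyIdentifierValueType();
    String keyIdentifier = secRef.getKeyIdentifierValue();

    if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(valueType)
        || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(valueType)) {
        byte[] secretKey =
            STRParserUtil.getSecretKeyFromToken(keyIdentifier, valueType,
                                                WSPasswordCallback.SECRET_KEY, data);
        if (isEmpty(secretKey)) {
            // Fall back to the assertion the identifier points at.
            SamlAssertionWrapper samlAssertion =
                STRParserUtil.getAssertionFromKeyIdentifier(secRef, strElement, data);
            secretKey = getSecretKeyFromAssertion(samlAssertion, secRef, data);
        }
        return secretKey;
    }

    if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) {
        return resolveKerberosKey(secRef, keyIdentifier, valueType, wsDocInfo, data);
    }

    if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
        STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
    }
    // Any other ValueType can only be satisfied by the CallbackHandler.
    return STRParserUtil.getSecretKeyFromToken(keyIdentifier, valueType,
                                               WSPasswordCallback.SECRET_KEY, data);
}

/**
 * Kerberos KeyIdentifier: callback first, then the secret of an already-processed
 * BinarySecurityToken whose digest equals the identifier's SKI bytes.
 */
private byte[] resolveKerberosKey(
    SecurityTokenReference secRef,
    String keyIdentifier,
    String valueType,
    WSDocInfo wsDocInfo,
    RequestData data
) throws WSSecurityException {
    byte[] secretKey =
        STRParserUtil.getSecretKeyFromToken(keyIdentifier, valueType,
                                            WSPasswordCallback.SECRET_KEY, data);
    if (!isEmpty(secretKey)) {
        return secretKey;
    }
    byte[] keyBytes = secRef.getSKIBytes();
    List<WSSecurityEngineResult> resultsList = wsDocInfo.getResultsByTag(WSConstants.BST);
    // NOTE(review): every BST result in the document is a candidate here, not only Kerberos
    // tokens; the digest match is the sole selector. Both compared values come from the
    // message itself, so a constant-time comparison buys nothing — Arrays.equals is adequate.
    for (WSSecurityEngineResult bstResult : resultsList) {
        BinarySecurity bstToken =
            (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        byte[] tokenDigest = KeyUtils.generateDigest(bstToken.getToken());
        if (Arrays.equals(tokenDigest, keyBytes)) {
            return (byte[]) bstResult.get(WSSecurityEngineResult.TAG_SECRET);
        }
    }
    return null;
}

/** {@code true} when a callback or token lookup produced no usable key material. */
private static boolean isEmpty(byte[] key) {
    return key == null || key.length == 0;
}

/**
 * Final gate: rejects a {@code null} or zero-length key with {@code unsupportedKeyId} so that
 * no resolution path can hand an empty key back on the result.
 */
private static byte[] requireKey(byte[] key, String uri) throws WSSecurityException {
    if (isEmpty(key)) {
        throw new WSSecurityException(
            WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId",
            new Object[] {uri});
    }
    return key;
}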