in ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDerivedKeyBase.java [189:296]
public void prepare(byte[] ephemeralKey) throws WSSecurityException {
if (ephemeralKey == null || ephemeralKey.length == 0) {
LOG.debug("No ephemeral key is supplied for id: " + tokenIdentifier);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
}
// Create the derived keys
// At this point figure out the key length according to the symencAlgo
int offset = 0;
int length = getDerivedKeyLength();
byte[] label;
String labelText = clientLabel + serviceLabel;
label = labelText.getBytes(StandardCharsets.UTF_8);
byte[] nonce = UsernameTokenUtil.generateNonce(16);
byte[] seed = new byte[label.length + nonce.length];
System.arraycopy(label, 0, seed, 0, label.length);
System.arraycopy(nonce, 0, seed, label.length, nonce.length);
DerivationAlgorithm algo =
AlgoFactory.getInstance(ConversationConstants.DerivationAlgorithm.P_SHA_1);
derivedKeyBytes = algo.createKey(ephemeralKey, seed, offset, length);
// Add the DKTs
dkt = new DerivedKeyToken(wscVersion, getDocument());
dktId = getIdAllocator().createId("DK-", dkt);
dkt.setOffset(offset);
dkt.setLength(length);
dkt.setNonce(XMLUtils.encodeToString(nonce));
dkt.setID(dktId);
if (addWSUNamespace) {
dkt.addWSUNamespace();
}
if (strElem == null) {
SecurityTokenReference secRef = new SecurityTokenReference(getDocument());
String strUri = getIdAllocator().createSecureId("STR-", secRef);
secRef.setID(strUri);
if (addWSUNamespace) {
secRef.addWSUNamespace();
}
X509Certificate[] certs = getSigningCerts();
switch (keyIdentifierType) {
case WSConstants.X509_KEY_IDENTIFIER:
secRef.setKeyIdentifier(certs[0]);
break;
case WSConstants.SKI_KEY_IDENTIFIER:
secRef.setKeyIdentifierSKI(certs[0], crypto);
break;
case WSConstants.THUMBPRINT_IDENTIFIER:
secRef.setKeyIdentifierThumb(certs[0]);
break;
case WSConstants.CUSTOM_KEY_IDENTIFIER:
secRef.setKeyIdentifier(customValueType, tokenIdentifier);
if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customValueType)) {
secRef.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
} else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customValueType)) {
secRef.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
} else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customValueType)) {
secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
}
break;
default:
Reference ref = new Reference(getDocument());
if (tokenIdDirectId) {
ref.setURI(tokenIdentifier);
} else {
ref.setURI("#" + tokenIdentifier);
}
if (customValueType != null && customValueType.length() != 0) {
ref.setValueType(customValueType);
}
if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customValueType)) {
secRef.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
ref.setValueType(customValueType);
} else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customValueType)) {
secRef.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
} else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customValueType)) {
secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
ref.setValueType(customValueType);
} else if (KerberosSecurity.isKerberosToken(customValueType)) {
secRef.addTokenType(customValueType);
ref.setValueType(customValueType);
} else if (WSConstants.WSC_SCT.equals(customValueType)
|| WSConstants.WSC_SCT_05_12.equals(customValueType)) {
ref.setValueType(customValueType);
} else if (!WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE.equals(customValueType)) {
secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
}
secRef.setReference(ref);
break;
}
dkt.setSecurityTokenReference(secRef);
} else {
dkt.setSecurityTokenReference(strElem);
}
}