in modules/rampart-trust/src/main/java/org/apache/rahas/client/STSClient.java [390:531]
protected Token processIssueResponse(int version, OMElement result,
String issuerAddress) throws TrustException {
OMElement rstr = result;
/**
* TODO :-
* There are 3 mechanisms to establish a security context token.
* They are,
* 1. Security context token created by a security token service
* 2. Security context token created by one of the communicating parties and propagated with a
* message
* 3. Security context token created through negotiation/exchanges
*
* As per now we are only supporting case 1. Therefore we always expect a
* wst:RequestSecurityTokenResponseCollection in the incoming message.
*
* This only applies when we use specification http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512
*/
if (version == RahasConstants.VERSION_05_12) {
//The WS-SX result will be an RSTRC
rstr = result.getFirstElement();
}
String ns = TrustUtil.getWSTNamespace(version);
//Get the RequestedAttachedReference
OMElement reqAttElem = rstr.getFirstChildWithName(new QName(
ns, RahasConstants.IssuanceBindingLocalNames.REQUESTED_ATTACHED_REFERENCE));
OMElement reqAttRef = reqAttElem == null ? null : reqAttElem.getFirstElement();
//Get the RequestedUnattachedReference
OMElement reqUnattElem =
rstr.getFirstChildWithName(new QName(ns,
RahasConstants.IssuanceBindingLocalNames.
REQUESTED_UNATTACHED_REFERENCE));
OMElement reqUnattRef = reqUnattElem == null ? null : reqUnattElem.getFirstElement();
//Get the security token
OMElement reqSecTok =
rstr.getFirstChildWithName(new QName(ns,
RahasConstants.IssuanceBindingLocalNames.
REQUESTED_SECURITY_TOKEN));
if (reqSecTok == null) {
throw new TrustException("reqestedSecTokMissing");
}
OMElement tokenElem = reqSecTok.getFirstElement();
String id = this.findIdentifier(reqAttRef, reqUnattRef, tokenElem);
if (id == null) {
throw new TrustException("cannotObtainTokenIdentifier");
}
OMElement lifeTimeEle =
rstr.getFirstChildWithName(new QName(ns,
RahasConstants.IssuanceBindingLocalNames.
LIFETIME));
Token token = new Token(id, tokenElem, lifeTimeEle);
token.setIssuerAddress(issuerAddress);
token.setAttachedReference(reqAttRef);
token.setUnattachedReference(reqUnattRef);
//Handle proof token
OMElement rpt =
rstr.getFirstChildWithName(new QName(ns,
RahasConstants.LocalNames.
REQUESTED_PROOF_TOKEN));
byte[] secret = null;
if (rpt != null) {
OMElement child = rpt.getFirstElement();
if (child == null) {
throw new TrustException("invalidRPT");
}
if (child.getQName().equals(new QName(ns,
RahasConstants.LocalNames.
BINARY_SECRET))) {
//First check for the binary secret
String b64Secret = child.getText();
secret = Base64Utils.decode(b64Secret);
} else if (child.getQName().equals(new QName(ns, WSConstants.ENC_KEY_LN))) {
Element domChild = (Element)OMXMLBuilderFactory.createStAXOMBuilder(
OMAbstractFactory.getMetaFactory(
OMAbstractFactory.FEATURE_DOM).getOMFactory(),
child.getXMLStreamReader()).getDocumentElement();
try {
secret = CommonUtil.getDecryptedBytes(this.cbHandler, this.crypto, domChild);
} catch (WSSecurityException e) {
log.error("Error decrypting encrypted key element", e);
throw new TrustException("errorInProcessingEncryptedKey", e);
}
} else if (child.getQName().equals(new QName(ns,
RahasConstants.IssuanceBindingLocalNames.
COMPUTED_KEY))) {
//Handle the computed key
//Get service entropy
OMElement serviceEntrElem = rstr
.getFirstChildWithName(new QName(ns,
RahasConstants.IssuanceBindingLocalNames.
ENTROPY));
OMElement binSecElem = serviceEntrElem.getFirstElement();
if (binSecElem != null && binSecElem.getText() != null
&& !"".equals(binSecElem.getText().trim())) {
byte[] serviceEntr = Base64Utils.decode(binSecElem.getText());
//Right now we only use PSHA1 as the computed key algo
P_SHA1 p_sha1 = new P_SHA1();
int length = (this.keySize > 0) ? keySize
: this.algorithmSuite
.getMaximumSymmetricKeyLength();
try {
secret = p_sha1.createKey(this.requestorEntropy, serviceEntr, 0, length/8);
} catch (WSSecurityException e) {
throw new TrustException("keyDerivationError", e);
}
} else {
//Service entropy missing
throw new TrustException("serviceEntropyMissing");
}
}
} else {
if (this.requestorEntropy != null) {
//Use requester entropy as the key
secret = this.requestorEntropy;
}
}
token.setSecret(secret);
return token;
}