in ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedDataProcessor.java [63:201]
public List<WSSecurityEngineResult> handleToken(
Element elem,
RequestData data
) throws WSSecurityException {
LOG.debug("Found EncryptedData element");
final String encryptedDataId = elem.getAttributeNS(null, "Id");
Element kiElem =
XMLUtils.getDirectChildElement(elem, "KeyInfo", WSConstants.SIG_NS);
// KeyInfo cannot be null
if (kiElem == null) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, "noKeyinfo"
);
}
String symEncAlgo = X509Util.getEncAlgo(elem);
checkBSPCompliance(symEncAlgo, data.getBSPEnforcer());
// Get the Key either via a SecurityTokenReference or an EncryptedKey
Element secRefToken =
XMLUtils.getDirectChildElement(
kiElem, "SecurityTokenReference", WSConstants.WSSE_NS
);
Element encryptedKeyElement =
XMLUtils.getDirectChildElement(
kiElem, WSConstants.ENC_KEY_LN, WSConstants.ENC_NS
);
Element retrievalMethodElement =
XMLUtils.getDirectChildElement(
kiElem, "RetrievalMethod", WSConstants.SIG_NS
);
if (data.isRequireSignedEncryptedDataElements()) {
List<WSSecurityEngineResult> signedResults =
data.getWsDocInfo().getResultsByTag(WSConstants.SIGN);
SignatureUtils.verifySignedElement(elem, signedResults);
}
SecretKey key = null;
List<WSSecurityEngineResult> encrKeyResults = null;
Principal principal = null;
if (secRefToken != null) {
STRParserParameters parameters = new STRParserParameters();
parameters.setData(data);
parameters.setStrElement(secRefToken);
if (symEncAlgo != null) {
parameters.setDerivationKeyLength(KeyUtils.getKeyLength(symEncAlgo));
}
STRParser strParser = new SecurityTokenRefSTRParser();
STRParserResult parserResult = strParser.parseSecurityTokenReference(parameters);
byte[] secretKey = parserResult.getSecretKey();
principal = parserResult.getPrincipal();
key = KeyUtils.prepareSecretKey(symEncAlgo, secretKey);
encrKeyResults = new ArrayList<>();
} else if (encryptedKeyElement != null && data.getWssConfig() != null) {
WSSConfig wssConfig = data.getWssConfig();
Processor encrKeyProc = wssConfig.getProcessor(WSConstants.ENCRYPTED_KEY);
encrKeyResults = encrKeyProc.handleToken(encryptedKeyElement, data);
byte[] symmKey =
(byte[])encrKeyResults.get(0).get(WSSecurityEngineResult.TAG_SECRET);
key = KeyUtils.prepareSecretKey(symEncAlgo, symmKey);
} else if (retrievalMethodElement != null
&& "http://www.w3.org/2001/04/xmlenc#EncryptedKey".equals(
retrievalMethodElement.getAttributeNS(null, "Type"))) {
String uri = retrievalMethodElement.getAttributeNS(null, "URI");
uri = XMLUtils.getIDFromReference(uri);
WSSecurityEngineResult result = data.getWsDocInfo().getResult(uri);
if (result != null) {
byte[] symmKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
key = KeyUtils.prepareSecretKey(symEncAlgo, symmKey);
}
} else {
throw new WSSecurityException(
WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, "noEncKey"
);
}
if (key == null) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, "noEncKey"
);
}
// Check for compliance against the defined AlgorithmSuite
AlgorithmSuite algorithmSuite = data.getAlgorithmSuite();
if (algorithmSuite != null) {
AlgorithmSuiteValidator algorithmSuiteValidator = new
AlgorithmSuiteValidator(algorithmSuite);
if (principal instanceof WSDerivedKeyTokenPrincipal) {
algorithmSuiteValidator.checkDerivedKeyAlgorithm(
((WSDerivedKeyTokenPrincipal)principal).getAlgorithm()
);
algorithmSuiteValidator.checkEncryptionDerivedKeyLength(
((WSDerivedKeyTokenPrincipal)principal).getLength()
);
}
algorithmSuiteValidator.checkSymmetricKeyLength(key.getEncoded().length);
algorithmSuiteValidator.checkSymmetricEncryptionAlgorithm(symEncAlgo);
}
WSDataRef dataRef = EncryptionUtils.decryptEncryptedData(
elem.getOwnerDocument(), encryptedDataId, elem, key, symEncAlgo,
data.getAttachmentCallbackHandler(), data.getEncryptionSerializer());
WSSecurityEngineResult result =
new WSSecurityEngineResult(WSConstants.ENCR, Collections.singletonList(dataRef));
if (encryptedDataId.length() != 0) {
result.put(WSSecurityEngineResult.TAG_ID, encryptedDataId);
}
data.getWsDocInfo().addResult(result);
data.getWsDocInfo().addTokenElement(elem);
List<WSSecurityEngineResult> completeResults = new LinkedList<>();
if (encrKeyResults != null) {
completeResults.addAll(encrKeyResults);
}
completeResults.add(result);
WSSConfig wssConfig = data.getWssConfig();
if (wssConfig != null) {
// Get hold of the plain text element
Element decryptedElem = dataRef.getProtectedElement();
if (decryptedElem != null) { //is null if we processed an attachment
QName el = new QName(decryptedElem.getNamespaceURI(), decryptedElem.getLocalName());
Processor proc = data.getWssConfig().getProcessor(el);
if (proc != null) {
LOG.debug("Processing decrypted element with: {}", proc.getClass().getName());
List<WSSecurityEngineResult> results = proc.handleToken(decryptedElem, data);
completeResults.addAll(0, results);
return completeResults;
}
}
}
return completeResults;
}