in ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java [61:196]
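/**
 * Derives a key from the wrapping token registered under
 * {@link WSSConstants#PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY}, registers the resulting
 * DerivedKeyToken as the token to use for the current signature or encryption action, and
 * initialises the {@link FinalDerivedKeyTokenOutputProcessor} responsible for its output.
 *
 * <p>The processor removes itself from the chain once it has run (also on failure) and then
 * forwards {@code xmlSecEvent} unchanged to the remaining processors.
 *
 * @param xmlSecEvent          the event that triggered this processor; forwarded as-is
 * @param outputProcessorChain the chain whose security context holds the wrapping token and
 *                             receives the provider for the derived token
 * @throws XMLStreamException   if forwarding the event fails
 * @throws XMLSecurityException if the wrapping token or its secret cannot be resolved, the
 *                              derived key length cannot be determined, or derivation fails
 */
public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain)
        throws XMLStreamException, XMLSecurityException {
    try {
        final OutboundSecurityToken wrappingSecurityToken = resolveWrappingToken(outputProcessorChain);
        final WSSSecurityProperties wssSecurityProperties = (WSSSecurityProperties) getSecurityProperties();
        final XMLSecurityConstants.Action action = getAction();

        // wsu:Id of the DerivedKeyToken; also the id under which its provider is registered.
        final String wsuIdDKT = IDGenerator.generateID(null);

        // The derived key is always taken from the start of the P_SHA-1 key stream.
        final int offset = 0;
        final int length = derivedKeyLength(action, wssSecurityProperties);
        if (length <= 0) {
            // Neither a configured key length nor the algorithm URI yielded a usable size (or the
            // action is not a derived-key action): refuse rather than derive an empty key.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
        }

        // Fresh 16-byte nonce; it is carried in the token so the receiver can re-derive the key.
        final byte[] nonce = WSSConstants.generateBytes(16);
        final byte[] seed = derivationSeed(nonce);

        final byte[] secret = resolveSecret(wrappingSecurityToken, wsuIdDKT, wssSecurityProperties);
        final DerivationAlgorithm derivationAlgorithm = AlgoFactory.getInstance(WSSConstants.P_SHA_1);
        final byte[] derivedKeyBytes = derivationAlgorithm.createKey(secret, seed, offset, length);

        final GenericOutboundSecurityToken derivedKeySecurityToken = newDerivedKeyToken(wsuIdDKT, derivedKeyBytes);
        derivedKeySecurityToken.setKeyWrappingToken(wrappingSecurityToken);
        wrappingSecurityToken.addWrappedToken(derivedKeySecurityToken);

        final SecurityTokenProvider<OutboundSecurityToken> derivedKeySecurityTokenProvider =
            new SecurityTokenProvider<OutboundSecurityToken>() {
                @Override
                public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
                    return derivedKeySecurityToken;
                }

                @Override
                public String getId() {
                    return wsuIdDKT;
                }
            };

        // Point the downstream signature/encryption processor at the derived token rather than
        // at the wrapping token.
        if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
            outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, wsuIdDKT);
        } else if (WSSConstants.ENCRYPTION_WITH_DERIVED_KEY.equals(action)) {
            outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, wsuIdDKT);
        }
        outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(wsuIdDKT, derivedKeySecurityTokenProvider);

        final FinalDerivedKeyTokenOutputProcessor finalDerivedKeyTokenOutputProcessor =
            new FinalDerivedKeyTokenOutputProcessor(derivedKeySecurityToken, offset, length,
                XMLUtils.encodeToString(nonce),
                wssSecurityProperties.isUse200512Namespace(),
                wrappingSecurityToken.getSha1Identifier());
        finalDerivedKeyTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
        finalDerivedKeyTokenOutputProcessor.setAction(getAction(), getActionOrder());
        // Order the token output relative to the wrapping token's own processor when it has one;
        // otherwise place it after the ReferenceList.
        if (wrappingSecurityToken.getProcessor() != null) {
            finalDerivedKeyTokenOutputProcessor.addBeforeProcessor(wrappingSecurityToken.getProcessor().getClass());
        } else {
            finalDerivedKeyTokenOutputProcessor.addAfterProcessor(ReferenceListOutputProcessor.class);
        }
        finalDerivedKeyTokenOutputProcessor.init(outputProcessorChain);
        derivedKeySecurityToken.setProcessor(finalDerivedKeyTokenOutputProcessor);
    } finally {
        // This processor runs exactly once per chain, whether or not derivation succeeded.
        outputProcessorChain.removeProcessor(this);
    }
    outputProcessorChain.processEvent(xmlSecEvent);
}

/**
 * Looks up the token the derived key is computed from.
 *
 * @param outputProcessorChain chain whose security context holds the token id and provider
 * @return the wrapping token, never {@code null}
 * @throws XMLSecurityException if no token id is set, no provider is registered for it, or the
 *                              provider yields no token
 */
private static OutboundSecurityToken resolveWrappingToken(OutputProcessorChain outputProcessorChain)
        throws XMLSecurityException {
    final String tokenId =
        outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY);
    if (tokenId == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
    }
    final SecurityTokenProvider<OutboundSecurityToken> wrappingSecurityTokenProvider =
        outputProcessorChain.getSecurityContext().getSecurityTokenProvider(tokenId);
    if (wrappingSecurityTokenProvider == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
    }
    final OutboundSecurityToken wrappingSecurityToken = wrappingSecurityTokenProvider.getSecurityToken();
    if (wrappingSecurityToken == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
    }
    return wrappingSecurityToken;
}

/**
 * Determines the derived key length in bytes for the given action. An explicitly configured
 * length takes precedence; otherwise the size is taken from the signature or symmetric
 * encryption algorithm URI.
 *
 * @param action                the current action
 * @param wssSecurityProperties properties holding the configured lengths and algorithm URIs
 * @return the key length in bytes, or 0 if the action is not a derived-key action or no
 *         size could be determined
 * @throws XMLSecurityException if the key length lookup fails
 */
private static int derivedKeyLength(XMLSecurityConstants.Action action,
                                    WSSSecurityProperties wssSecurityProperties) throws XMLSecurityException {
    final int configuredLength;
    final String algorithmURI;
    if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
        configuredLength = wssSecurityProperties.getDerivedSignatureKeyLength();
        algorithmURI = wssSecurityProperties.getSignatureAlgorithm();
    } else if (WSSConstants.ENCRYPTION_WITH_DERIVED_KEY.equals(action)) {
        configuredLength = wssSecurityProperties.getDerivedEncryptionKeyLength();
        algorithmURI = wssSecurityProperties.getEncryptionSymAlgorithm();
    } else {
        return 0;
    }
    if (configuredLength > 0) {
        return configuredLength;
    }
    // Both lookups report the key size in bits; fall back to the JCE key length when the
    // algorithm mapper does not know the URI.
    int length = JCEAlgorithmMapper.getKeyLengthFromURI(algorithmURI) / 8;
    if (length == 0) {
        length = KeyUtils.getKeyLength(algorithmURI) / 8;
    }
    return length;
}

/**
 * Builds the derivation seed {@code label || nonce}. The label is the WS-SecureConversation
 * default label written twice (the specification uses one label per party).
 *
 * @param nonce random bytes appended to the label
 * @return the concatenated seed
 */
private static byte[] derivationSeed(byte[] nonce) {
    final String defaultLabel =
        WSSConstants.WS_SEC_CONV_DEFAULT_LABEL + WSSConstants.WS_SEC_CONV_DEFAULT_LABEL;
    final byte[] label = defaultLabel.getBytes(StandardCharsets.UTF_8);
    final byte[] seed = new byte[label.length + nonce.length];
    System.arraycopy(label, 0, seed, 0, label.length);
    System.arraycopy(nonce, 0, seed, label.length, nonce.length);
    return seed;
}

/**
 * Obtains the secret the key is derived from. For a SecurityContextToken the secret is
 * requested from the configured callback handler; for any other token it is the encoded form
 * of the token's secret key.
 *
 * @param wrappingSecurityToken the token being wrapped
 * @param wsuIdDKT              id of the new DerivedKeyToken, passed as the callback identifier
 * @param wssSecurityProperties properties holding the callback handler
 * @return the secret bytes, never {@code null}
 * @throws XMLSecurityException if no secret is available from either source
 */
private static byte[] resolveSecret(OutboundSecurityToken wrappingSecurityToken, String wsuIdDKT,
                                    WSSSecurityProperties wssSecurityProperties) throws XMLSecurityException {
    if (WSSecurityTokenConstants.SECURITY_CONTEXT_TOKEN.equals(wrappingSecurityToken.getTokenType())) {
        final WSPasswordCallback passwordCallback = new WSPasswordCallback(wsuIdDKT, WSPasswordCallback.SECRET_KEY);
        WSSUtils.doSecretKeyCallback(wssSecurityProperties.getCallbackHandler(), passwordCallback);
        if (passwordCallback.getKey() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKey",
                new Object[] {wsuIdDKT});
        }
        return passwordCallback.getKey();
    }
    final Key wrappingKey = wrappingSecurityToken.getSecretKey("");
    final byte[] secret = wrappingKey == null ? null : wrappingKey.getEncoded();
    if (secret == null) {
        // A token without an extractable secret cannot seed the derivation; fail explicitly
        // instead of passing null into the derivation algorithm.
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKey",
            new Object[] {wrappingSecurityToken.getId()});
    }
    return secret;
}

/**
 * Wraps the derived key bytes in a DerivedKeyToken whose {@code getSecretKey} materialises a
 * {@link SecretKeySpec} for the requested algorithm on first use and caches it on the token.
 *
 * @param wsuIdDKT        id of the derived key token
 * @param derivedKeyBytes the raw derived key; the same bytes serve every algorithm URI
 * @return the derived key token
 */
private static GenericOutboundSecurityToken newDerivedKeyToken(final String wsuIdDKT, final byte[] derivedKeyBytes) {
    return new GenericOutboundSecurityToken(wsuIdDKT, WSSecurityTokenConstants.DerivedKeyToken) {
        @Override
        public Key getSecretKey(String algorithmURI) throws WSSecurityException {
            final Key cached;
            try {
                cached = super.getSecretKey(algorithmURI);
            } catch (XMLSecurityException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
            }
            if (cached != null) {
                return cached;
            }
            // Only the JCE algorithm name differs per URI; the key material is shared.
            final String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
            final Key key = new SecretKeySpec(derivedKeyBytes, algoFamily);
            setSecretKey(algorithmURI, key);
            return key;
        }
    };
}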