in ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java [331:435]
protected Transformer buildTransformerChain(
ReferenceType referenceType, OutputStream outputStream,
InputProcessorChain inputProcessorChain,
AbstractSignatureReferenceVerifyInputProcessor.InternalSignatureReferenceVerifier internalSignatureReferenceVerifier)
throws XMLSecurityException {
if (referenceType.getTransforms() == null || referenceType.getTransforms().getTransform().isEmpty()) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
}
List<TransformType> transformTypeList = referenceType.getTransforms().getTransform();
if (transformTypeList.size() > maximumAllowedTransformsPerReference) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY,
"secureProcessing.MaximumAllowedTransformsPerReference",
new Object[] {transformTypeList.size(), maximumAllowedTransformsPerReference});
}
String algorithm = null;
Transformer parentTransformer = null;
for (int i = transformTypeList.size() - 1; i >= 0; i--) {
TransformType transformType = transformTypeList.get(i);
TransformationParametersType transformationParametersType =
XMLSecurityUtils.getQNameType(transformType.getContent(), WSSConstants.TAG_WSSE_TRANSFORMATION_PARAMETERS);
if (transformationParametersType != null) {
CanonicalizationMethodType canonicalizationMethodType =
XMLSecurityUtils.getQNameType(transformationParametersType.getAny(),
WSSConstants.TAG_dsig_CanonicalizationMethod);
if (canonicalizationMethodType != null) {
algorithm = canonicalizationMethodType.getAlgorithm();
InclusiveNamespaces inclusiveNamespacesType =
XMLSecurityUtils.getQNameType(canonicalizationMethodType.getContent(),
XMLSecurityConstants.TAG_c14nExcl_InclusiveNamespaces);
Map<String, Object> transformerProperties = null;
if (inclusiveNamespacesType != null) {
transformerProperties = new HashMap<>();
transformerProperties.put(
Canonicalizer20010315_Excl.INCLUSIVE_NAMESPACES_PREFIX_LIST,
inclusiveNamespacesType.getPrefixList());
}
parentTransformer = WSSUtils.getTransformer(
null, outputStream, transformerProperties, algorithm, XMLSecurityConstants.DIRECTION.IN);
}
}
algorithm = transformType.getAlgorithm();
AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
algorithmSuiteSecurityEvent.setAlgorithmURI(algorithm);
algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.SigTransform);
algorithmSuiteSecurityEvent.setCorrelationID(referenceType.getId());
inputProcessorChain.getSecurityContext().registerSecurityEvent(algorithmSuiteSecurityEvent);
InclusiveNamespaces inclusiveNamespacesType =
XMLSecurityUtils.getQNameType(transformType.getContent(),
XMLSecurityConstants.TAG_c14nExcl_InclusiveNamespaces);
Map<String, Object> transformerProperties = null;
if (inclusiveNamespacesType != null) {
transformerProperties = new HashMap<>();
transformerProperties.put(
Canonicalizer20010315_Excl.INCLUSIVE_NAMESPACES_PREFIX_LIST,
inclusiveNamespacesType.getPrefixList());
}
if (parentTransformer != null) {
parentTransformer = WSSUtils.getTransformer(
parentTransformer, null, transformerProperties, algorithm, XMLSecurityConstants.DIRECTION.IN);
} else {
parentTransformer = WSSUtils.getTransformer(
null, outputStream, transformerProperties, algorithm, XMLSecurityConstants.DIRECTION.IN);
}
}
if (WSSConstants.SOAPMESSAGE_NS10_STR_TRANSFORM.equals(algorithm)) {
internalSignatureReferenceVerifier.setTransformer(parentTransformer);
String uri = XMLSecurityUtils.dropReferenceMarker(referenceType.getURI());
SecurityTokenProvider<? extends InboundSecurityToken> securityTokenProvider =
inputProcessorChain.getSecurityContext().getSecurityTokenProvider(uri);
if (securityTokenProvider == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noReference");
}
SecurityToken securityToken = securityTokenProvider.getSecurityToken();
if (!(securityToken instanceof SecurityTokenReference)) {
throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN);
}
SecurityTokenReference securityTokenReference = (SecurityTokenReference) securityToken;
//todo analyse and fix me: the following statement could be problematic
int index = inputProcessorChain.getProcessors().indexOf(internalSignatureReferenceVerifier);
inputProcessorChain.getDocumentContext().setIsInSignedContent(index, internalSignatureReferenceVerifier);
XMLSecStartElement xmlSecStartElement = securityTokenReference.getXmlSecEvents().getLast().asStartElement();
internalSignatureReferenceVerifier.setStartElement(xmlSecStartElement);
Iterator<XMLSecEvent> xmlSecEventIterator = securityTokenReference.getXmlSecEvents().descendingIterator();
try {
while (xmlSecEventIterator.hasNext()) {
internalSignatureReferenceVerifier.processEvent(xmlSecEventIterator.next(), inputProcessorChain);
}
} catch (XMLStreamException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);
}
}
return parentTransformer;
}