in ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/WSSSignatureEndingOutputProcessor.java [86:199]
/**
 * Writes the {@code ds:KeyInfo} content that points the verifier at the signing token.
 *
 * <p>A custom token reference on the token short-circuits everything: that DOM element is
 * emitted verbatim and nothing else is written. Otherwise a {@code wsse:SecurityTokenReference}
 * is produced whose child element is selected from the first configured signature key
 * identifier (only entry 0 of {@code getSignatureKeyIdentifiers()} is honoured here) and the
 * token type. SAML tokens are always referenced by KeyIdentifier regardless of the configured
 * key identifier. {@code KeyIdentifier_KeyValue} is the one form that writes a bare
 * {@code ds:KeyValue} without a SecurityTokenReference wrapper.
 *
 * @param outputProcessorChain chain the generated XML events are written to
 * @param securityToken        token the signature refers to
 * @param useSingleCertificate {@code true} to reference a single X.509 certificate
 *                             ({@code NS_X509_V3_TYPE}); {@code false} to reference a
 *                             PKIPath ({@code NS_X509_PKIPATH_V1})
 * @throws XMLStreamException   if the events cannot be written to the chain
 * @throws XMLSecurityException if the key identifier / token type combination is not
 *                              supported (error code {@code FAILED_SIGNATURE},
 *                              message key {@code unsupportedSecurityToken}), or if a
 *                              delegated structure builder fails
 */
protected void createKeyInfoStructureForSignature(
        OutputProcessorChain outputProcessorChain,
        OutboundSecurityToken securityToken,
        boolean useSingleCertificate)
        throws XMLStreamException, XMLSecurityException {

    // A pre-built reference supplied with the token is emitted as-is.
    if (securityToken.getCustomTokenReference() != null) {
        outputDOMElement(securityToken.getCustomTokenReference(), outputProcessorChain);
        return;
    }

    // Only the first configured identifier drives the reference form; null when none is set.
    WSSecurityTokenConstants.KeyIdentifier keyIdentifier =
            getSecurityProperties().getSignatureKeyIdentifiers().isEmpty()
                    ? null
                    : getSecurityProperties().getSignatureKeyIdentifiers().get(0);
    X509Certificate[] x509Certificates = securityToken.getX509Certificates();

    // KeyValue is the only reference form not wrapped in a SecurityTokenReference.
    if (WSSecurityTokenConstants.KeyIdentifier_KeyValue.equals(keyIdentifier)) {
        WSSUtils.createKeyValueTokenStructure(this, outputProcessorChain, x509Certificates);
        return;
    }

    WSSecurityTokenConstants.TokenType tokenType = securityToken.getTokenType();
    String tokenId = securityToken.getId();

    List<XMLSecAttribute> strAttributes = new ArrayList<>(2);
    strAttributes.add(createAttribute(WSSConstants.ATT_WSU_ID, IDGenerator.generateID(null)));
    String tokenTypeAttribute = strTokenTypeValue(tokenType, keyIdentifier, useSingleCertificate);
    if (tokenTypeAttribute != null) {
        strAttributes.add(createAttribute(WSSConstants.ATT_WSSE11_TOKEN_TYPE, tokenTypeAttribute));
    }
    createStartElementAndOutputAsEvent(
            outputProcessorChain, WSSConstants.TAG_WSSE_SECURITY_TOKEN_REFERENCE, false, strAttributes);

    if (isSamlToken(tokenType)) {
        // SAML assertions are always referenced by KeyIdentifier, whatever was configured.
        WSSUtils.createSAMLKeyIdentifierStructure(this, outputProcessorChain, tokenType, tokenId);
    } else if (WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER.equals(keyIdentifier)) {
        createEncryptedKeySha1Reference(outputProcessorChain, securityToken);
    } else if (WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER.equals(keyIdentifier)) {
        WSSUtils.createKerberosSha1IdentifierStructure(
                this, outputProcessorChain, securityToken.getSha1Identifier());
    } else if (WSSecurityTokenConstants.EncryptedKeyToken.equals(tokenType)
            || WSSecurityTokenConstants.KeyIdentifier_EncryptedKey.equals(keyIdentifier)) {
        WSSUtils.createBSTReferenceStructure(
                this, outputProcessorChain, tokenId, WSSConstants.NS_WSS_ENC_KEY_VALUE_TYPE, true);
    } else if (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier)) {
        WSSUtils.createX509IssuerSerialStructure(this, outputProcessorChain, x509Certificates);
    } else if (WSSecurityTokenConstants.KeyIdentifier_SkiKeyIdentifier.equals(keyIdentifier)) {
        WSSUtils.createX509SubjectKeyIdentifierStructure(this, outputProcessorChain, x509Certificates);
    } else if (WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier.equals(keyIdentifier)) {
        WSSUtils.createX509KeyIdentifierStructure(this, outputProcessorChain, x509Certificates);
    } else if (WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(keyIdentifier)) {
        WSSUtils.createThumbprintKeyIdentifierStructure(this, outputProcessorChain, x509Certificates);
    } else if (WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(keyIdentifier)) {
        createDirectReference(outputProcessorChain, tokenType, tokenId, useSingleCertificate);
    } else if (WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF.equals(keyIdentifier)) {
        WSSUtils.createEmbeddedKeyIdentifierStructure(this, outputProcessorChain, tokenType, tokenId);
    } else if (WSSecurityTokenConstants.KEYIDENTIFIER_USERNAME_TOKEN_REFERENCE.equals(keyIdentifier)) {
        WSSUtils.createUsernameTokenReferenceStructure(this, outputProcessorChain, tokenId);
    } else {
        // Nothing above matched: refuse to sign rather than emit an unresolvable reference.
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "unsupportedSecurityToken",
                new Object[] {keyIdentifier});
    }
    createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_WSSE_SECURITY_TOKEN_REFERENCE);
}

/**
 * Selects the {@code wsse11:TokenType} attribute value for the SecurityTokenReference,
 * or {@code null} when no TokenType attribute is written for this combination.
 * Check order matters: SAML token types take precedence over key-identifier based rules.
 */
private static String strTokenTypeValue(
        WSSecurityTokenConstants.TokenType tokenType,
        WSSecurityTokenConstants.KeyIdentifier keyIdentifier,
        boolean useSingleCertificate) {
    if (WSSecurityTokenConstants.SAML_10_TOKEN.equals(tokenType)
            || WSSecurityTokenConstants.SAML_11_TOKEN.equals(tokenType)) {
        return WSSConstants.NS_SAML11_TOKEN_PROFILE_TYPE;
    }
    if (WSSecurityTokenConstants.SAML_20_TOKEN.equals(tokenType)) {
        return WSSConstants.NS_SAML20_TOKEN_PROFILE_TYPE;
    }
    if (WSSecurityTokenConstants.KERBEROS_TOKEN.equals(tokenType)) {
        return WSSConstants.NS_GSS_KERBEROS5_AP_REQ;
    }
    if (WSSecurityTokenConstants.EncryptedKeyToken.equals(tokenType)
            || WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER.equals(keyIdentifier)
            || WSSecurityTokenConstants.KeyIdentifier_EncryptedKey.equals(keyIdentifier)) {
        return WSSConstants.NS_WSS_ENC_KEY_VALUE_TYPE;
    }
    // A direct reference to a certificate chain is advertised as a PKIPath.
    if (WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(keyIdentifier)
            && !useSingleCertificate) {
        return WSSConstants.NS_X509_PKIPATH_V1;
    }
    return null;
}

/** {@code true} for SAML 1.0, 1.1 and 2.0 token types. */
private static boolean isSamlToken(WSSecurityTokenConstants.TokenType tokenType) {
    return WSSecurityTokenConstants.SAML_10_TOKEN.equals(tokenType)
            || WSSecurityTokenConstants.SAML_11_TOKEN.equals(tokenType)
            || WSSecurityTokenConstants.SAML_20_TOKEN.equals(tokenType);
}

/** {@code true} for the SPNEGO, SecurityContext and SecureConversation token types. */
private static boolean isSecurityContextToken(WSSecurityTokenConstants.TokenType tokenType) {
    return WSSecurityTokenConstants.SPNEGO_CONTEXT_TOKEN.equals(tokenType)
            || WSSecurityTokenConstants.SECURITY_CONTEXT_TOKEN.equals(tokenType)
            || WSSecurityTokenConstants.SECURE_CONVERSATION_TOKEN.equals(tokenType);
}

/**
 * Writes an EncryptedKeySHA1 KeyIdentifier. The token's precomputed SHA-1 identifier is
 * used when present; otherwise the secret key for the configured signature algorithm is
 * handed to the builder instead.
 */
private void createEncryptedKeySha1Reference(
        OutputProcessorChain outputProcessorChain, OutboundSecurityToken securityToken)
        throws XMLStreamException, XMLSecurityException {
    String sha1Identifier = securityToken.getSha1Identifier();
    if (sha1Identifier != null) {
        WSSUtils.createEncryptedKeySha1IdentifierStructure(this, outputProcessorChain, sha1Identifier);
        return;
    }
    Key secretKey = securityToken.getSecretKey(getSecurityProperties().getSignatureAlgorithm());
    WSSUtils.createEncryptedKeySha1IdentifierStructure(this, outputProcessorChain, secretKey);
}

/**
 * Writes a {@code wsse:Reference} (direct reference) to the token. The ValueType depends on
 * the token type; for security-context style tokens the reference is only marked as
 * included when {@code isIncludeSignatureToken()} says so. Any other token type is treated
 * as an X.509 token: a single certificate or a PKIPath, per {@code useSingleCertificate}.
 */
private void createDirectReference(
        OutputProcessorChain outputProcessorChain,
        WSSecurityTokenConstants.TokenType tokenType,
        String tokenId,
        boolean useSingleCertificate)
        throws XMLStreamException, XMLSecurityException {
    String valueType;
    boolean included = true;
    if (WSSecurityTokenConstants.SAML_20_TOKEN.equals(tokenType)) {
        // SAML 2.0 is normally intercepted by the SAML KeyIdentifier branch before reaching
        // here; the null ValueType is kept for that remaining path.
        valueType = null;
    } else if (WSSecurityTokenConstants.KERBEROS_TOKEN.equals(tokenType)) {
        valueType = WSSConstants.NS_GSS_KERBEROS5_AP_REQ;
    } else if (WSSecurityTokenConstants.DerivedKeyToken.equals(tokenType)) {
        valueType = wsConversationNamespace() + "/dk";
    } else if (isSecurityContextToken(tokenType)) {
        valueType = wsConversationNamespace() + "/sct";
        included = ((WSSSecurityProperties) getSecurityProperties()).isIncludeSignatureToken();
    } else if (useSingleCertificate) {
        valueType = WSSConstants.NS_X509_V3_TYPE;
    } else {
        valueType = WSSConstants.NS_X509_PKIPATH_V1;
    }
    WSSUtils.createBSTReferenceStructure(this, outputProcessorChain, tokenId, valueType, included);
}

/** Returns the WS-SecureConversation namespace (2005/12 or 2005/02) selected by the properties. */
private String wsConversationNamespace() {
    WSSSecurityProperties wssProperties = (WSSSecurityProperties) getSecurityProperties();
    return wssProperties.isUse200512Namespace() ? WSSConstants.NS_WSC_05_12 : WSSConstants.NS_WSC_05_02;
}