/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.ws.security.message;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.DOMX509Data;
import org.apache.ws.security.message.token.DOMX509IssuerSerial;
import org.apache.ws.security.message.token.KerberosSecurity;
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.transform.STRTransform;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import java.security.NoSuchProviderException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.XMLSignContext;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
/**
* Creates a Signature according to WS Specification, X509 profile.
*
* This class is a re-factored implementation of the previous WSS4J class
* <code>WSSignEnvelope</code>. This new class allows better control of
* the process to create a Signature and to add it to the Security header.
*
* The flexibility and fine granular control is required to implement a handler
* that uses WSSecurityPolicy files to control the setup of a Security header.
*
* @author Davanum Srinivas (dims@yahoo.com)
* @author Werner Dittmann (werner@apache.org)
*/
public class WSSecSignature extends WSSecSignatureBase {
private static org.apache.commons.logging.Log log =
org.apache.commons.logging.LogFactory.getLog(WSSecSignature.class);
protected boolean useSingleCert = true;
protected String sigAlgo = null;
protected String canonAlgo = WSConstants.C14N_EXCL_OMIT_COMMENTS;
protected byte[] signatureValue = null;
protected Document document = null;
protected WSDocInfo wsDocInfo = null;
protected String certUri = null;
protected String keyInfoUri = null;
protected SecurityTokenReference secRef = null;
protected String strUri = null;
protected BinarySecurity bstToken = null;
protected KeyInfoFactory keyInfoFactory;
protected XMLSignatureFactory signatureFactory;
protected KeyInfo keyInfo;
protected CanonicalizationMethod c14nMethod;
protected XMLSignature sig;
protected byte[] secretKey = null;
protected String customTokenValueType;
protected String customTokenId;
private String encrKeySha1value = null;
private Crypto crypto = null;
private String digestAlgo = WSConstants.SHA1;
private X509Certificate useThisCert = null;
private Element securityHeader = null;
private boolean useCustomSecRef;
private boolean bstAddedToSecurityHeader = false;
public WSSecSignature() {
super();
init();
}
public WSSecSignature(WSSConfig config) {
super(config);
init();
}
private void init() {
// Try to install the Santuario Provider - fall back to the JDK provider if this does
// not work
try {
signatureFactory = XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
} catch (NoSuchProviderException ex) {
signatureFactory = XMLSignatureFactory.getInstance("DOM");
}
try {
keyInfoFactory = KeyInfoFactory.getInstance("DOM", "ApacheXMLDSig");
} catch (NoSuchProviderException ex) {
keyInfoFactory = KeyInfoFactory.getInstance("DOM");
}
}
/**
* Initialize a WSSec Signature.
*
* The method sets up and initializes a WSSec Signature structure after the
* relevant information was set. After setup of the references to elements
* to sign may be added. After all references are added they can be signed.
*
* This method does not add the Signature element to the security header.
* See <code>prependSignatureElementToHeader()</code> method.
*
* @param doc The SOAP envelope as <code>Document</code>
* @param cr An instance of the Crypto API to handle keystore and certificates
* @param secHeader The security header that will hold the Signature. This is used
* to construct namespace prefixes for Signature. This method
* @throws WSSecurityException
*/
public void prepare(Document doc, Crypto cr, WSSecHeader secHeader)
throws WSSecurityException {
//
// Gather some info about the document to process and store it for
// retrieval
//
crypto = cr;
document = doc;
wsDocInfo = new WSDocInfo(doc);
wsDocInfo.setCrypto(cr);
securityHeader = secHeader.getSecurityHeader();
//
// At first get the security token (certificate) according to the parameters.
//
X509Certificate[] certs = getSigningCerts();
try {
C14NMethodParameterSpec c14nSpec = null;
if (getWsConfig().isWsiBSPCompliant() && canonAlgo.equals(WSConstants.C14N_EXCL_OMIT_COMMENTS)) {
List<String> prefixes =
getInclusivePrefixes(secHeader.getSecurityHeader(), false);
c14nSpec = new ExcC14NParameterSpec(prefixes);
}
c14nMethod = signatureFactory.newCanonicalizationMethod(canonAlgo, c14nSpec);
} catch (Exception ex) {
log.error("", ex);
throw new WSSecurityException(
WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, ex
);
}
keyInfoUri = getWsConfig().getIdAllocator().createSecureId("KI-", keyInfo);
if (!useCustomSecRef) {
secRef = new SecurityTokenReference(doc);
strUri = getWsConfig().getIdAllocator().createSecureId("STR-", secRef);
secRef.setID(strUri);
//
// Get an initialized XMLSignature element.
//
//
// Prepare and setup the token references for this Signature
//
switch (keyIdentifierType) {
case WSConstants.BST_DIRECT_REFERENCE:
Reference ref = new Reference(document);
ref.setURI("#" + certUri);
if (!useSingleCert) {
bstToken = new PKIPathSecurity(document);
((PKIPathSecurity) bstToken).setX509Certificates(certs, crypto);
secRef.addTokenType(PKIPathSecurity.PKI_TYPE);
} else {
bstToken = new X509Security(document);
((X509Security) bstToken).setX509Certificate(certs[0]);
}
ref.setValueType(bstToken.getValueType());
secRef.setReference(ref);
bstToken.setID(certUri);
wsDocInfo.addTokenElement(bstToken.getElement(), false);
break;
case WSConstants.ISSUER_SERIAL:
String issuer = certs[0].getIssuerX500Principal().getName();
java.math.BigInteger serialNumber = certs[0].getSerialNumber();
DOMX509IssuerSerial domIssuerSerial =
new DOMX509IssuerSerial(doc, issuer, serialNumber);
DOMX509Data domX509Data = new DOMX509Data(doc, domIssuerSerial);
secRef.setX509Data(domX509Data);
break;
case WSConstants.X509_KEY_IDENTIFIER:
secRef.setKeyIdentifier(certs[0]);
break;
case WSConstants.SKI_KEY_IDENTIFIER:
secRef.setKeyIdentifierSKI(certs[0], crypto);
break;
case WSConstants.THUMBPRINT_IDENTIFIER:
secRef.setKeyIdentifierThumb(certs[0]);
break;
case WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER:
if (encrKeySha1value != null) {
secRef.setKeyIdentifierEncKeySHA1(encrKeySha1value);
} else {
byte[] digestBytes = WSSecurityUtil.generateDigest(secretKey);
secRef.setKeyIdentifierEncKeySHA1(Base64.encode(digestBytes));
}
secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
break;
case WSConstants.CUSTOM_SYMM_SIGNING :
Reference refCust = new Reference(document);
if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customTokenValueType)) {
secRef.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
refCust.setValueType(customTokenValueType);
} else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customTokenValueType)) {
secRef.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
} else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customTokenValueType)) {
secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
refCust.setValueType(customTokenValueType);
} else if (KerberosSecurity.isKerberosToken(customTokenValueType)) {
secRef.addTokenType(customTokenValueType);
refCust.setValueType(customTokenValueType);
} else {
refCust.setValueType(customTokenValueType);
}
refCust.setURI("#" + customTokenId);
secRef.setReference(refCust);
break;
case WSConstants.CUSTOM_SYMM_SIGNING_DIRECT :
Reference refCustd = new Reference(document);
if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customTokenValueType)) {
secRef.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
refCustd.setValueType(customTokenValueType);
} else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customTokenValueType)) {
secRef.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
} else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customTokenValueType)) {
secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
refCustd.setValueType(customTokenValueType);
} else if (KerberosSecurity.isKerberosToken(customTokenValueType)) {
secRef.addTokenType(customTokenValueType);
refCustd.setValueType(customTokenValueType);
} else {
refCustd.setValueType(customTokenValueType);
}
refCustd.setURI(customTokenId);
secRef.setReference(refCustd);
break;
case WSConstants.CUSTOM_KEY_IDENTIFIER:
if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customTokenValueType)) {
secRef.setKeyIdentifier(customTokenValueType, customTokenId);
secRef.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
} else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(customTokenValueType)) {
secRef.setKeyIdentifier(customTokenValueType, customTokenId);
secRef.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
} else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customTokenValueType)) {
secRef.setKeyIdentifier(customTokenValueType, customTokenId, true);
secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
} else if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(customTokenValueType)) {
secRef.setKeyIdentifier(customTokenValueType, customTokenId, true);
secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
} else if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(customTokenValueType)) {
secRef.setKeyIdentifier(customTokenValueType, customTokenId, true);
secRef.addTokenType(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
}
break;
case WSConstants.KEY_VALUE:
java.security.PublicKey publicKey = certs[0].getPublicKey();
try {
KeyValue keyValue = keyInfoFactory.newKeyValue(publicKey);
keyInfo =
keyInfoFactory.newKeyInfo(
java.util.Collections.singletonList(keyValue), keyInfoUri
);
} catch (java.security.KeyException ex) {
log.error("", ex);
throw new WSSecurityException(
WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, ex
);
}
break;
default:
throw new WSSecurityException(WSSecurityException.FAILURE, "unsupportedKeyId");
}
}
if (keyIdentifierType != WSConstants.KEY_VALUE) {
XMLStructure structure = new DOMStructure(secRef.getElement());
wsDocInfo.addTokenElement(secRef.getElement(), false);
keyInfo =
keyInfoFactory.newKeyInfo(
java.util.Collections.singletonList(structure), keyInfoUri
);
}
}
/**
* Builds a signed soap envelope.
*
* This is a convenience method and for backward compatibility. The method
* creates a Signature and puts it into the Security header. It does so by
* calling the single functions in order to perform a <i>one shot signature</i>.
* This method is compatible with the build method of the previous version
* with the exception of the additional WSSecHeader parameter.
*
* @param doc The unsigned SOAP envelope as <code>Document</code>
* @param cr An instance of the Crypto API to handle keystore and certificates
* @param secHeader the security header element to hold the encrypted key element.
* @return A signed SOAP envelope as <code>Document</code>
* @throws WSSecurityException
*/
public Document build(Document doc, Crypto cr, WSSecHeader secHeader)
throws WSSecurityException {
doDebug = log.isDebugEnabled();
if (doDebug) {
log.debug("Beginning signing...");
}
prepare(doc, cr, secHeader);
if (parts == null) {
parts = new ArrayList<WSEncryptionPart>(1);
String soapNamespace = WSSecurityUtil.getSOAPNamespace(doc.getDocumentElement());
WSEncryptionPart encP =
new WSEncryptionPart(
WSConstants.ELEM_BODY,
soapNamespace,
"Content"
);
parts.add(encP);
} else {
for (WSEncryptionPart part : parts) {
if ("STRTransform".equals(part.getName()) && part.getId() == null) {
part.setId(strUri);
}
}
}
List<javax.xml.crypto.dsig.Reference> referenceList =
addReferencesToSign(parts, secHeader);
computeSignature(referenceList);
//
// if we have a BST prepend it in front of the Signature according to
// strict layout rules.
//
if (bstToken != null) {
prependBSTElementToHeader(secHeader);
}
return doc;
}
/**
* This method adds references to the Signature.
*
* @param references The list of references to sign
* @param secHeader The Security Header
* @throws WSSecurityException
*/
public List<javax.xml.crypto.dsig.Reference> addReferencesToSign(
List<WSEncryptionPart> references,
WSSecHeader secHeader
) throws WSSecurityException {
return
addReferencesToSign(
document,
references,
wsDocInfo,
signatureFactory,
secHeader,
getWsConfig(),
digestAlgo
);
}
/**
* Returns the SignatureElement.
* The method can be called any time after <code>prepare()</code>.
* @return The DOM Element of the signature.
*/
public Element getSignatureElement() {
return
WSSecurityUtil.getDirectChildElement(
securityHeader,
WSConstants.SIG_LN,
WSConstants.SIG_NS
);
}
/**
* Prepend the BinarySecurityToken to the elements already in the Security
* header.
*
* The method can be called any time after <code>prepare()</code>.
* This allows to insert the BST element at any position in the Security
* header.
*
* @param secHeader The security header
*/
public void prependBSTElementToHeader(WSSecHeader secHeader) {
if (bstToken != null && !bstAddedToSecurityHeader) {
WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bstToken.getElement());
bstAddedToSecurityHeader = true;
}
}
/**
* Append the BinarySecurityToken to the security header.
* @param secHeader The security header
*/
public void appendBSTElementToHeader(WSSecHeader secHeader) {
if (bstToken != null && !bstAddedToSecurityHeader) {
Element secHeaderElement = secHeader.getSecurityHeader();
secHeaderElement.appendChild(bstToken.getElement());
bstAddedToSecurityHeader = true;
}
}
/**
* Compute the Signature over the references. The signature element will be
* prepended to the security header.
*
* This method can be called any time after the references were set. See
* <code>addReferencesToSign()</code>.
*
* @param referenceList The list of references to sign
*
* @throws WSSecurityException
*/
public void computeSignature(
List<javax.xml.crypto.dsig.Reference> referenceList
) throws WSSecurityException {
computeSignature(referenceList, true, null);
}
/**
* Compute the Signature over the references.
*
* This method can be called any time after the references were set. See
* <code>addReferencesToSign()</code>.
*
* @param referenceList The list of references to sign
* @param prepend Whether to prepend the signature element to the security header
* @param siblingElement If prepending, then prepend before this sibling Element
*
* @throws WSSecurityException
*/
public void computeSignature(
List<javax.xml.crypto.dsig.Reference> referenceList,
boolean prepend,
Element siblingElement
) throws WSSecurityException {
try {
java.security.Key key;
if (secretKey == null) {
key = crypto.getPrivateKey(user, password);
} else {
key = WSSecurityUtil.prepareSecretKey(sigAlgo, secretKey);
}
SignatureMethod signatureMethod =
signatureFactory.newSignatureMethod(sigAlgo, null);
SignedInfo signedInfo =
signatureFactory.newSignedInfo(c14nMethod, signatureMethod, referenceList);
sig = signatureFactory.newXMLSignature(
signedInfo,
keyInfo,
null,
getWsConfig().getIdAllocator().createId("SIG-", null),
null);
//
// Figure out where to insert the signature element
//
XMLSignContext signContext = null;
if (prepend) {
if (siblingElement == null) {
Node child = securityHeader.getFirstChild();
while (child != null && child.getNodeType() != Node.ELEMENT_NODE) {
child = child.getNextSibling();
}
siblingElement = (Element)child;
}
if (siblingElement == null) {
signContext = new DOMSignContext(key, securityHeader);
} else {
signContext = new DOMSignContext(key, securityHeader, siblingElement);
}
} else {
signContext = new DOMSignContext(key, securityHeader);
}
signContext.putNamespacePrefix(WSConstants.SIG_NS, WSConstants.SIG_PREFIX);
if (WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(canonAlgo)) {
signContext.putNamespacePrefix(
WSConstants.C14N_EXCL_OMIT_COMMENTS,
WSConstants.C14N_EXCL_OMIT_COMMENTS_PREFIX
);
}
signContext.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, wsDocInfo);
wsDocInfo.setCallbackLookup(callbackLookup);
// Add the elements to sign to the Signature Context
wsDocInfo.setTokensOnContext((DOMSignContext)signContext);
if (secRef != null && secRef.getElement() != null) {
WSSecurityUtil.storeElementInContext((DOMSignContext)signContext, secRef.getElement());
}
sig.sign(signContext);
signatureValue = sig.getSignatureValue().getValue();
} catch (Exception ex) {
log.error(ex);
throw new WSSecurityException(
WSSecurityException.FAILED_SIGNATURE, null, null, ex
);
}
}
/**
* Set the single cert flag.
*
* @param useSingleCert
*/
public void setUseSingleCertificate(boolean useSingleCert) {
this.useSingleCert = useSingleCert;
}
/**
* Get the single cert flag.
*
* @return A boolean if single certificate is set.
*/
public boolean isUseSingleCertificate() {
return useSingleCert;
}
/**
* Set the name (uri) of the signature encryption algorithm to use.
*
* If the algorithm is not set then an automatic detection of the signature
* algorithm to use is performed during the <code>prepare()</code>
* method. Refer to WSConstants which algorithms are supported.
*
* @param algo the name of the signature algorithm
* @see WSConstants#RSA
* @see WSConstants#DSA
*/
public void setSignatureAlgorithm(String algo) {
sigAlgo = algo;
}
/**
* Get the name (uri) of the signature algorithm that is being used.
*
* Call this method after <code>prepare</code> to get the information
* which signature algorithm was automatically detected if no signature
* algorithm was preset.
*
* @return the identifier URI of the signature algorithm
*/
public String getSignatureAlgorithm() {
return sigAlgo;
}
/**
* Set the canonicalization method to use.
*
* If the canonicalization method is not set then the recommended Exclusive
* XML Canonicalization is used by default. Refer to WSConstants which
* algorithms are supported.
*
* @param algo Is the name of the signature algorithm
* @see WSConstants#C14N_OMIT_COMMENTS
* @see WSConstants#C14N_WITH_COMMENTS
* @see WSConstants#C14N_EXCL_OMIT_COMMENTS
* @see WSConstants#C14N_EXCL_WITH_COMMENTS
*/
public void setSigCanonicalization(String algo) {
canonAlgo = algo;
}
/**
* Get the canonicalization method.
*
* If the canonicalization method was not set then Exclusive XML
* Canonicalization is used by default.
*
* @return The string describing the canonicalization algorithm.
*/
public String getSigCanonicalization() {
return canonAlgo;
}
/**
* @return the digest algorithm to use
*/
public String getDigestAlgo() {
return digestAlgo;
}
/**
* Set the string that defines which digest algorithm to use.
* The default is Constants.ALGO_ID_DIGEST_SHA1.
*
* @param digestAlgo the digestAlgo to set
*/
public void setDigestAlgo(String digestAlgo) {
this.digestAlgo = digestAlgo;
}
/**
* Returns the computed Signature value.
*
* Call this method after <code>computeSignature()</code> or <code>build()</code>
* methods were called.
*
* @return Returns the signatureValue.
*/
public byte[] getSignatureValue() {
return signatureValue;
}
/**
* Get the id generated during <code>prepare()</code>.
*
* Returns the the value of wsu:Id attribute of the Signature element.
*
* @return Return the wsu:Id of this token or null if <code>prepare()</code>
* was not called before.
*/
public String getId() {
if (sig == null) {
return null;
}
return sig.getId();
}
/**
* Get the id of the BST generated during <code>prepare()</code>.
*
* @return Returns the the value of wsu:Id attribute of the
* BinaruSecurityToken element.
*/
public String getBSTTokenId() {
if (bstToken == null) {
return null;
}
return bstToken.getID();
}
/**
* Set the secret key to use
* @param secretKey the secret key to use
*/
public void setSecretKey(byte[] secretKey) {
this.secretKey = secretKey;
}
/**
* Set the custom token value type to use
* @param customTokenValueType the custom token value type to use
*/
public void setCustomTokenValueType(String customTokenValueType) {
this.customTokenValueType = customTokenValueType;
}
/**
* Set the custom token id
* @param customTokenId the custom token id
*/
public void setCustomTokenId(String customTokenId) {
this.customTokenId = customTokenId;
}
/**
* Set the encrypted key sha1 value
* @param encrKeySha1value the encrypted key sha1 value
*/
public void setEncrKeySha1value(String encrKeySha1value) {
this.encrKeySha1value = encrKeySha1value;
}
/**
* Set the X509 Certificate to use
* @param cer the X509 Certificate to use
*/
public void setX509Certificate(X509Certificate cer) {
this.useThisCert = cer;
}
/**
* Returns the BST Token element.
* The method can be called any time after <code>prepare()</code>.
* @return the BST Token element
*/
public Element getBinarySecurityTokenElement() {
if (bstToken != null) {
return bstToken.getElement();
}
return null;
}
/**
* @return the URI associated with the SecurityTokenReference
* (must be called after {@link #prepare(Document, Crypto, WSSecHeader)}
*/
public String getSecurityTokenReferenceURI() {
return strUri;
}
/**
* Get the SecurityTokenReference to be used in the KeyInfo element.
*/
public SecurityTokenReference getSecurityTokenReference() {
return secRef;
}
/**
* Set the SecurityTokenReference to be used in the KeyInfo element. If this
* method is not called, a SecurityTokenRefence will be generated.
*/
public void setSecurityTokenReference(SecurityTokenReference secRef) {
useCustomSecRef = true;
this.secRef = secRef;
}
/**
* Set up the X509 Certificate(s) for signing.
*/
private X509Certificate[] getSigningCerts() throws WSSecurityException {
X509Certificate[] certs = null;
if (!(keyIdentifierType == WSConstants.CUSTOM_SYMM_SIGNING
|| keyIdentifierType == WSConstants.CUSTOM_SYMM_SIGNING_DIRECT
|| keyIdentifierType == WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER
|| keyIdentifierType == WSConstants.CUSTOM_KEY_IDENTIFIER)) {
if (useThisCert == null) {
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(user);
if (crypto == null) {
throw new WSSecurityException(WSSecurityException.FAILURE, "noSigCryptoFile");
}
certs = crypto.getX509Certificates(cryptoType);
} else {
certs = new X509Certificate[] {useThisCert};
}
if (certs == null || certs.length <= 0) {
throw new WSSecurityException(
WSSecurityException.FAILURE,
"noUserCertsFound",
new Object[] { user, "signature" }
);
}
certUri = getWsConfig().getIdAllocator().createSecureId("X509-", certs[0]);
//
// If no signature algorithm was set try to detect it according to the
// data stored in the certificate.
//
if (sigAlgo == null) {
String pubKeyAlgo = certs[0].getPublicKey().getAlgorithm();
log.debug("Automatic signature algorithm detection: " + pubKeyAlgo);
if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
sigAlgo = WSConstants.DSA;
} else if (pubKeyAlgo.equalsIgnoreCase("RSA")) {
sigAlgo = WSConstants.RSA;
} else {
throw new WSSecurityException(
WSSecurityException.FAILURE,
"unknownSignatureAlgorithm",
new Object[] {pubKeyAlgo}
);
}
}
}
return certs;
}
}