axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Marjorie Lindsey (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RAMPART-437) SHA256 not supported for DigestAlgorithm for TransportBinding when specified correctly in policy.xml
Date Fri, 12 Aug 2016 21:31:20 GMT

     [ https://issues.apache.org/jira/browse/RAMPART-437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marjorie Lindsey updated RAMPART-437:
-------------------------------------
    Description: 
TransportBinding is not recognizing SHA256 when specified in the policy.xml on the DigestAlgorithm. SignatureAlgorithm however is recognizing SHA256. This is because org.apache.rampart.builder.TransportBindingBuilder.java is not setting the digestAlgorithm, and thus using the default of SHA1.  To correct this, add this line in 3 locations in this class:
  sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
and add this line in 1 location in this class:
  dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest());

Listed below is the entire class with the lines inserted for reference. Thank you.

/*
 * =============================================================================
 *
 * Copyright (c) 2003-2013 Hewitt Associates, LLC.
 * 100 Half Day Road, Lincolnshire, Illinois, 60069, U.S.A.
 * All rights reserved.
 *
 * This program contains proprietary and confidential information and trade
 * secrets of Hewitt Associates LLC. This program may not be duplicated,
 * disclosed or provided to any third parties without the prior written consent
 * of Hewitt Associates LLC. Disassembly or decompilation of the software and
 * reverse engineering of the object code are prohibited.
 *
 * =============================================================================
 */
package org.apache.rampart.builder;

import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPEnvelope;

import org.apache.axis2.context.MessageContext;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import org.apache.rahas.RahasConstants;
import org.apache.rahas.TrustException;

import org.apache.rampart.RampartConstants;
import org.apache.rampart.RampartException;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.util.RampartUtil;

import org.apache.ws.secpolicy.SPConstants;
import org.apache.ws.secpolicy.model.AlgorithmSuite;
import org.apache.ws.secpolicy.model.Header;
import org.apache.ws.secpolicy.model.IssuedToken;
import org.apache.ws.secpolicy.model.SecureConversationToken;
import org.apache.ws.secpolicy.model.SignedEncryptedParts;
import org.apache.ws.secpolicy.model.SupportingToken;
import org.apache.ws.secpolicy.model.Token;
import org.apache.ws.secpolicy.model.UsernameToken;
import org.apache.ws.secpolicy.model.X509Token;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.message.*;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import javax.xml.crypto.dsig.Reference;


/**
 * DOCUMENT ME!
 *
 * @hahistory 8/11/16 $author$ Initial creation.
 * @since 1.0
 */
public class TransportBindingBuilder extends BindingBuilder
{

    /**
     * DOCUMENT ME!
     *
     * @since 1.0
     */
    private static Log log = LogFactory.getLog(TransportBindingBuilder.class);

    /**
     * DOCUMENT ME!
     *
     * @since 1.0
     */
    private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);

    /**
     * DOCUMENT ME!
     *
     * @since 1.0
     *
     * @param rmd DOCUMENT ME!
     *
     * @throws RampartException DOCUMENT ME!
     */
    public void build(RampartMessageData rmd) throws RampartException
    {

        log.debug("TransportBindingBuilder build invoked");

        long t0 = 0, t1 = 0;

        if (tlog.isDebugEnabled())
        {
            t1 = System.currentTimeMillis();
        }

        RampartPolicyData rpd = rmd.getPolicyData();

        if (rpd.isIncludeTimestamp())
        {
            addTimestamp(rmd);
        }

        /*
         * Process Supporting tokens
         */
        if (rmd.isInitiator())
        {

            List<byte[]> signatureValues = new ArrayList<byte[]>();

            SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();

            if (
                (sgndSuppTokens != null) &&
                    (sgndSuppTokens.getTokens() != null) &&
                    (sgndSuppTokens.getTokens()
                                       .size() > 0)
            )
            {

                log.debug("Processing signed supporting tokens");

                ArrayList tokens = sgndSuppTokens.getTokens();

                for (Object signedSupportingToken : tokens)
                {

                    Token token = (Token)signedSupportingToken;

                    if (token instanceof UsernameToken)
                    {

                        WSSecUsernameToken utBuilder =
                            addUsernameToken(rmd, (UsernameToken)token);

                        utBuilder.prepare(rmd.getDocument());

                        //Add the UT
                        utBuilder.appendToHeader(rmd.getSecHeader());

                    }
                    else
                    {
                        throw new RampartException(
                            "unsupportedSignedSupportingToken",
                            new String[]
                            {
                                "{" + token.getName()
                                           .getNamespaceURI() + "}" +
                                token.getName()
                                     .getLocalPart()
                            }
                            );
                    }
                }
            }

            SupportingToken sgndEndSuppTokens =
                rpd.getSignedEndorsingSupportingTokens();

            if (
                (sgndEndSuppTokens != null) &&
                    (sgndEndSuppTokens.getTokens() != null) &&
                    (sgndEndSuppTokens.getTokens()
                                          .size() > 0)
            )
            {

                log.debug("Processing endorsing signed supporting tokens");

                ArrayList tokens = sgndEndSuppTokens.getTokens();
                SignedEncryptedParts signdParts =
                    sgndEndSuppTokens.getSignedParts();

                for (Object objectToken : tokens)
                {

                    Token token = (Token)objectToken;

                    if (token instanceof IssuedToken && rmd.isInitiator())
                    {
                        signatureValues.add(
                            doIssuedTokenSignature(rmd, token, signdParts)
                            );
                    }
                    else if (token instanceof X509Token)
                    {
                        signatureValues.add(
                            doX509TokenSignature(rmd, token, signdParts)
                            );
                    }
                }
            }

            SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens();

            if (
                (endSupptokens != null) &&
                    (endSupptokens.getTokens() != null) &&
                    (endSupptokens.getTokens()
                                      .size() > 0)
            )
            {
                log.debug("Processing endorsing supporting tokens");

                ArrayList tokens = endSupptokens.getTokens();
                SignedEncryptedParts signdParts =
                    endSupptokens.getSignedParts();

                for (Object objectToken : tokens)
                {

                    Token token = (Token)objectToken;

                    if (token instanceof IssuedToken && rmd.isInitiator())
                    {
                        signatureValues.add(
                            doIssuedTokenSignature(rmd, token, signdParts)
                            );
                    }
                    else if (token instanceof X509Token)
                    {
                        signatureValues.add(
                            doX509TokenSignature(rmd, token, signdParts)
                            );
                    }
                    else if (token instanceof SecureConversationToken)
                    {
                        handleSecureConversationTokens(
                            rmd, (SecureConversationToken)token
                            );
                        signatureValues.add(
                            doSecureConversationSignature(
                                rmd, token, signdParts
                                )
                            );
                    }
                }
            }


            List<SupportingToken> supportingToks =
                rpd.getSupportingTokensList();

            for (SupportingToken supportingTok : supportingToks)
            {
                this.handleSupportingTokens(rmd, supportingTok);
            }


            //Store the signature values list
            rmd.getMsgContext()
               .setProperty(WSHandlerConstants.SEND_SIGV, signatureValues);
        }
        else
        {
            addSignatureConfirmation(rmd, null);
        }

        if (tlog.isDebugEnabled())
        {
            t1 = System.currentTimeMillis();
            tlog.debug("Transport binding build took " + (t1 - t0));
        }
    }

    /**
     * DOCUMENT ME!
     *
     * @since 1.0
     *
     * @param secHeader DOCUMENT ME!
     * @param appendingChild DOCUMENT ME!
     */
    private void appendToHeader(WSSecHeader secHeader, Element appendingChild)
    {

        // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
        // but WSS4J has remove append methods. Need to find why ?
        Element secHeaderElement = secHeader.getSecurityHeader();
        secHeaderElement.appendChild(appendingChild);

    }


    /**
     * IssuedToken signature
     *
     * @param rmd
     * @param token
     * @param signdParts
     *
     * @return DOCUMENT ME!
     *
     * @throws RampartException
     */
    private byte[] doIssuedTokenSignature(
        RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
        ) throws RampartException
    {

        RampartPolicyData rpd = rmd.getPolicyData();
        Document doc = rmd.getDocument();

        //Get the issued token
        String id = RampartUtil.getIssuedToken(rmd, (IssuedToken)token);

        int inclusion = token.getInclusion();
        org.apache.rahas.Token tok = null;

        try
        {
            tok = rmd.getTokenStorage()
                     .getToken(id);
        }
        catch (TrustException e)
        {
            throw new RampartException(
                "errorExtractingToken", new String[] {id}, e
                );
        }

        boolean tokenIncluded = false;

        if (
            (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) ||
                (
                    (
                        (
                            inclusion ==
                            SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
                        ) || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
                    ) && rmd.isInitiator()
                )
        )
        {

            //Add the token
            rmd.getSecHeader()
               .getSecurityHeader()
               .appendChild(doc.importNode((Element)tok.getToken(), true));

            tokenIncluded = true;
        }

        List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();

        if (this.timestampElement != null)
        {
            sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
        }


        if (rpd.isTokenProtection() && tokenIncluded)
        {
            sigParts.add(new WSEncryptionPart(id));
        }

        if (signdParts != null)
        {

            if (signdParts.isBody())
            {

                SOAPEnvelope env = rmd.getMsgContext()
                                      .getEnvelope();
                sigParts.add(
                    new WSEncryptionPart(
                        RampartUtil.addWsuIdToElement(env.getBody())
                        )
                    );
            }

            ArrayList headers = signdParts.getHeaders();

            for (Object signedHeader : headers)
            {

                Header header = (Header)signedHeader;
                WSEncryptionPart wep =
                    new WSEncryptionPart(
                        header.getName(), header.getNamespace(), "Content"
                        );
                sigParts.add(wep);
            }
        }

        //check for derived keys
        AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();

        if (token.isDerivedKeys())
        {

            //Create a derived key and add
            try
            {

                //Do Signature with derived keys
                WSSecDKSign dkSign = new WSSecDKSign();

                // Setting the AttachedReference or the UnattachedReference according to the flag
                OMElement ref;

                if (tokenIncluded)
                {
                    ref = tok.getAttachedReference();
                }
                else
                {
                    ref = tok.getUnattachedReference();
                }

                if (ref != null)
                {
                    dkSign.setExternalKey(
                        tok.getSecret(),
                        (Element)doc.importNode((Element)ref, true)
                        );
                }
                else
                {
                    dkSign.setExternalKey(tok.getSecret(), tok.getId());
                }

                //Set the algo info
                dkSign.setSignatureAlgorithm(
                    algorithmSuite.getSymmetricSignature()
                    );
                dkSign.setDerivedKeyLength(
                    algorithmSuite.getSignatureDerivedKeyLength()
                    );

                dkSign.prepare(doc);

                /**
                 * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
                 * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
                 * elements. (As a convention)
                 */
                dkSign.appendDKElementToHeader(rmd.getSecHeader());

                dkSign.setParts(sigParts);

                List<Reference> referenceList =
                    dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());

                //Do signature
                dkSign.computeSignature(referenceList, false, null);

                // TODO verify before migration - dkSign.appendSigToHeader(rmd.getSecHeader())
                // this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());

                return dkSign.getSignatureValue();

            }
            catch (ConversationException e)
            {
                throw new RampartException(
                    "errorInDerivedKeyTokenSignature", e
                    );
            }
            catch (WSSecurityException e)
            {
                throw new RampartException(
                    "errorInDerivedKeyTokenSignature", e
                    );
            }

        }
        else
        {

            try
            {

                WSSecSignature sig = new WSSecSignature();
                sig.setWsConfig(rmd.getConfig());

                String tokId = tok.getId();

                if (tokId.charAt(0) == '#')
                {
                    tokId = tokId.substring(1);
                }

                sig.setCustomTokenId(tokId);
                sig.setCustomTokenValueType(
                    RampartUtil.getSAML10AssertionNamespace()
                    );
                sig.setSecretKey(tok.getSecret());
                sig.setSignatureAlgorithm(
                    algorithmSuite.getAsymmetricSignature()
                    );
                sig.setSignatureAlgorithm(
                    algorithmSuite.getSymmetricSignature()
                    );
                sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
                sig.prepare(
                    rmd.getDocument(),
                    RampartUtil.getSignatureCrypto(
                        rpd.getRampartConfig(), rmd.getCustomClassLoader()
                        ), rmd.getSecHeader()
                    );

                sig.setParts(sigParts);

                //Added by MRL
                sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());

                List<javax.xml.crypto.dsig.Reference> referenceList =
                    sig.addReferencesToSign(sigParts, rmd.getSecHeader());

                //Do signature
                sig.computeSignature(referenceList);

                //Add elements to header
                this.setInsertionLocation(
                    RampartUtil.insertSiblingAfter(
                        rmd, this.getInsertionLocation(),
                        sig.getSignatureElement()
                        )
                    );

                return sig.getSignatureValue();

            }
            catch (WSSecurityException e)
            {
                throw new RampartException(
                    "errorInSignatureWithACustomToken", e
                    );
            }
        }
    }

    /**
     * DOCUMENT ME!
     *
     * @since 1.0
     *
     * @param rmd DOCUMENT ME!
     * @param token DOCUMENT ME!
     * @param signdParts DOCUMENT ME!
     *
     * @return DOCUMENT ME!
     *
     * @throws RampartException DOCUMENT ME!
     */
    private byte[] doSecureConversationSignature(
        RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
        ) throws RampartException
    {

        RampartPolicyData rpd = rmd.getPolicyData();
        Document doc = rmd.getDocument();

        //Get the issued token
        String id = rmd.getSecConvTokenId();

        int inclusion = token.getInclusion();
        org.apache.rahas.Token tok = null;

        try
        {
            tok = rmd.getTokenStorage()
                     .getToken(id);
        }
        catch (TrustException e)
        {
            throw new RampartException(
                "errorExtractingToken", new String[] {id}, e
                );
        }

        boolean tokenIncluded = false;

        if (
            (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) ||
                (
                    (
                        (
                            inclusion ==
                            SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
                        ) || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
                    ) && rmd.isInitiator()
                )
        )
        {

            //Add the token
            rmd.getSecHeader()
               .getSecurityHeader()
               .appendChild(doc.importNode((Element)tok.getToken(), true));

            tokenIncluded = true;
        }

        List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();

        if (this.timestampElement != null)
        {
            sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
        }


        if (rpd.isTokenProtection() && tokenIncluded)
        {
            sigParts.add(new WSEncryptionPart(id));
        }

        if (signdParts != null)
        {

            if (signdParts.isBody())
            {

                SOAPEnvelope env = rmd.getMsgContext()
                                      .getEnvelope();
                sigParts.add(
                    new WSEncryptionPart(
                        RampartUtil.addWsuIdToElement(env.getBody())
                        )
                    );
            }

            ArrayList headers = signdParts.getHeaders();

            for (Object objectHeader : headers)
            {

                Header header = (Header)objectHeader;
                WSEncryptionPart wep =
                    new WSEncryptionPart(
                        header.getName(), header.getNamespace(), "Content"
                        );
                sigParts.add(wep);
            }
        }

        //check for derived keys
        AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();

        if (token.isDerivedKeys())
        {

            //Create a derived key and add
            try
            {

                //Do Signature with derived keys
                WSSecDKSign dkSign = new WSSecDKSign();

                // Setting the AttachedReference or the UnattachedReference according to the flag
                OMElement ref;

                if (tokenIncluded)
                {
                    ref = tok.getAttachedReference();
                }
                else
                {
                    ref = tok.getUnattachedReference();
                }

                if (ref != null)
                {
                    dkSign.setExternalKey(
                        tok.getSecret(),
                        (Element)doc.importNode((Element)ref, true)
                        );
                }
                else
                {
                    dkSign.setExternalKey(tok.getSecret(), tok.getId());
                }

                //Set the algo info
                dkSign.setSignatureAlgorithm(
                    algorithmSuite.getSymmetricSignature()
                    );
                dkSign.setDerivedKeyLength(
                    algorithmSuite.getSignatureDerivedKeyLength()
                    );

                dkSign.prepare(doc);

                /**
                 * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
                 * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
                 * elements. (As a convention)
                 */
                dkSign.appendDKElementToHeader(rmd.getSecHeader());

                dkSign.setParts(sigParts);

                List<Reference> referenceList =
                    dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());

                //Do signature
                dkSign.computeSignature(referenceList, false, null);

                //this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());

                return dkSign.getSignatureValue();

            }
            catch (ConversationException e)
            {
                throw new RampartException(
                    "errorInDerivedKeyTokenSignature", e
                    );
            }
            catch (WSSecurityException e)
            {
                throw new RampartException(
                    "errorInDerivedKeyTokenSignature", e
                    );
            }

        }
        else
        {

            try
            {

                WSSecSignature sig = new WSSecSignature();
                sig.setWsConfig(rmd.getConfig());
                sig.setCustomTokenId(tok.getId().substring(1));
                sig.setCustomTokenValueType(
                    RampartUtil.getSAML10AssertionNamespace()
                    );
                sig.setSecretKey(tok.getSecret());
                sig.setSignatureAlgorithm(
                    algorithmSuite.getAsymmetricSignature()
                    );
                sig.setSignatureAlgorithm(
                    algorithmSuite.getSymmetricSignature()
                    );
                sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
                sig.prepare(
                    rmd.getDocument(),
                    RampartUtil.getSignatureCrypto(
                        rpd.getRampartConfig(), rmd.getCustomClassLoader()
                        ), rmd.getSecHeader()
                    );

                sig.setParts(sigParts);

                //Added by MRL
                sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());

                List<Reference> referenceList =
                    sig.addReferencesToSign(sigParts, rmd.getSecHeader());

                //Do signature
                sig.computeSignature(
                    referenceList, false, this.getInsertionLocation()
                    );

                //Add elements to header
                this.setInsertionLocation(sig.getSignatureElement());

                return sig.getSignatureValue();

            }
            catch (WSSecurityException e)
            {
                throw new RampartException(
                    "errorInSignatureWithACustomToken", e
                    );
            }
        }
    }


    /**
     * X.509 signature
     *
     * @param rmd
     * @param token
     * @param signdParts
     *
     * @return DOCUMENT ME!
     *
     * @throws RampartException DOCUMENT ME!
     */
    private byte[] doX509TokenSignature(
        RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
        ) throws RampartException
    {

        RampartPolicyData rpd = rmd.getPolicyData();
        Document doc = rmd.getDocument();

        List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();

        if (this.timestampElement != null)
        {
            sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
        }

        if (signdParts != null)
        {

            if (signdParts.isBody())
            {

                SOAPEnvelope env = rmd.getMsgContext()
                                      .getEnvelope();
                sigParts.add(
                    new WSEncryptionPart(
                        RampartUtil.addWsuIdToElement(env.getBody())
                        )
                    );
            }

            ArrayList headers = signdParts.getHeaders();

            for (Iterator iterator = headers.iterator(); iterator.hasNext();)
            {

                Header header = (Header)iterator.next();
                WSEncryptionPart wep =
                    new WSEncryptionPart(
                        header.getName(), header.getNamespace(), "Content"
                        );
                sigParts.add(wep);
            }
        }

        if (token.isDerivedKeys())
        {

            //In this case we will have to encrypt the ephmeral key with the
            //other party's key and then use it as the parent key of the
            // derived keys
            try
            {

                WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(rmd, token);

                Element bstElem = encrKey.getBinarySecurityTokenElement();

                if (bstElem != null)
                {
                    RampartUtil.appendChildToSecHeader(rmd, bstElem);
                }

                // Add <xenc:EncryptedKey Id="EncKeyId-E67B75302ACB3BEDF313277587471272">..</xenc:EncryptedKey>
                // to security header.
                encrKey.appendToHeader(rmd.getSecHeader());

                WSSecDKSign dkSig = new WSSecDKSign();

                dkSig.setWsConfig(rmd.getConfig());

                dkSig.setSigCanonicalization(
                    rpd.getAlgorithmSuite().getInclusiveC14n()
                    );
                dkSig.setSignatureAlgorithm(
                    rpd.getAlgorithmSuite().getSymmetricSignature()
                    );
                dkSig.setDerivedKeyLength(
                    rpd.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8
                    );

                /**
                 * Add a reference to encrypted key in the derived key
                 */
                dkSig.setExternalKey(
                    encrKey.getEphemeralKey(), encrKey.getId()
                    );

                dkSig.prepare(doc, rmd.getSecHeader());


                if (rpd.isTokenProtection())
                {
                    sigParts.add(new WSEncryptionPart(encrKey.getBSTTokenId()));
                }

                dkSig.setParts(sigParts);

                //Added by MRL
                dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest());

                List<Reference> referenceList =
                    dkSig.addReferencesToSign(sigParts, rmd.getSecHeader());


                /**
                 * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
                 * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
                 * elements. (As a convention)
                 */
                dkSig.appendDKElementToHeader(rmd.getSecHeader());

                //Do signature and append to the security header
                dkSig.computeSignature(referenceList, false, null);


                // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
                // but WSS4J has remove append methods. Need to find why ?
                //this.appendToHeader(rmd.getSecHeader(), dkSig.getSignatureElement());

                return dkSig.getSignatureValue();

            }
            catch (WSSecurityException e)
            {
                throw new RampartException(
                    "errorInDerivedKeyTokenSignature", e
                    );
            }
            catch (ConversationException e)
            {
                throw new RampartException(
                    "errorInDerivedKeyTokenSignature", e
                    );
            }

        }
        else
        {

            try
            {

                WSSecSignature sig = this.getSignatureBuilder(rmd, token);


                sig.appendBSTElementToHeader(rmd.getSecHeader());

                if (
                    rpd.isTokenProtection() &&
                        !(
                            SPConstants.INCLUDE_TOKEN_NEVER ==
                            token.getInclusion()
                        )
                )
                {
                    sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
                }

                //Added by MRL
                sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());

                List<Reference> referenceList =
                    sig.addReferencesToSign(sigParts, rmd.getSecHeader());

                // TODO changed the order - verify
                // Compute signature and append to the header
                sig.computeSignature(referenceList, false, null);

                return sig.getSignatureValue();
            }
            catch (WSSecurityException e)
            {
                throw new RampartException("errorInSignatureWithX509Token", e);
            }


        }

    }

    /**
     * DOCUMENT ME!
     *
     * @since 1.0
     *
     * @param rmd DOCUMENT ME!
     * @param secConvTok DOCUMENT ME!
     *
     * @throws RampartException DOCUMENT ME!
     */
    private void handleSecureConversationTokens(
        RampartMessageData rmd, SecureConversationToken secConvTok
        ) throws RampartException
    {


        MessageContext msgContext = rmd.getMsgContext();

        String secConvTokenId = rmd.getSecConvTokenId();

        //The RSTR has to be secured with the cancelled token
        String action = msgContext.getOptions()
                                  .getAction();
        boolean cancelReqResp =
            action.equals(
                RahasConstants.WST_NS_05_02 +
                RahasConstants.RSTR_ACTION_CANCEL_SCT
                ) ||
            action.equals(
                RahasConstants.WST_NS_05_02 +
                RahasConstants.RSTR_ACTION_CANCEL_SCT
                ) ||
            action.equals(
                RahasConstants.WST_NS_05_02 +
                RahasConstants.RST_ACTION_CANCEL_SCT
                ) ||
            action.equals(
                RahasConstants.WST_NS_05_02 +
                RahasConstants.RST_ACTION_CANCEL_SCT
                );

        //In the case of the cancel req or resp we should mark the token as cancelled
        if ((secConvTokenId != null) && cancelReqResp)
        {

            try
            {
                rmd.getTokenStorage()
                   .getToken(secConvTokenId)
                   .setState(org.apache.rahas.Token.CANCELLED);
                msgContext.setProperty(
                    RampartMessageData.SCT_ID, secConvTokenId
                    );

                //remove from the local map of contexts
                String contextIdentifierKey =
                    RampartUtil.getContextIdentifierKey(msgContext);
                RampartUtil.getContextMap(msgContext)
                           .remove(contextIdentifierKey);
            }
            catch (TrustException e)
            {
                throw new RampartException("errorExtractingToken", e);
            }
        }

        if (
            (secConvTokenId == null) ||
                (
                    (secConvTokenId != null) &&
                    (
                        !RampartUtil.isTokenValid(rmd, secConvTokenId) &&
                        !cancelReqResp
                    )
                )
        )
        {

            log.debug(
                "No SecureConversationToken found, requesting a new token"
                );

            try
            {

                secConvTokenId = RampartUtil.getSecConvToken(rmd, secConvTok);
                rmd.setSecConvTokenId(secConvTokenId);

            }
            catch (TrustException e)
            {
                throw new RampartException("errorInObtainingSct", e);
            }
        }

/*          org.apache.rahas.Token token;
            try {
                token = rmd.getTokenStorage().getToken(secConvTokenId);
            } catch (TrustException e) {
                throw new RampartException("errorExtractingToken", e);
            }


            //Add the token to the header
           Element siblingElem = RampartUtil
                    .insertSiblingAfter(rmd, this.getInsertionLocation(),
                            (Element) token.getToken());
            this.setInsertionLocation(siblingElem);*/

    }
}


This is the policy.xml being used:

<wsp:Policy wsu:Id="WSHttpBinding_ISecureService_policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl">
	<wsp:ExactlyOne>
		<wsp:All>
			<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<wsp:Policy>
					<sp:TransportToken>
						<wsp:Policy>
							<sp:HttpsToken RequireClientCertificate="false" />
						</wsp:Policy>
					</sp:TransportToken>
					<sp:AlgorithmSuite>
						<wsp:Policy>
							<sp:Basic256Sha256 /> 
						</wsp:Policy>
					</sp:AlgorithmSuite>
					<sp:Layout>
						<wsp:Policy>
							<sp:Strict />
						</wsp:Policy>
					</sp:Layout>
					<sp:IncludeTimestamp />
				</wsp:Policy>
			</sp:TransportBinding>
			<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<wsp:Policy>
					<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
						<wsp:Policy>
							<sp:RequireThumbprintReference />
							<sp:WssX509V3Token10 />
						</wsp:Policy>
					</sp:X509Token>
					<sp:SignedParts>
						<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
					</sp:SignedParts>
				</wsp:Policy>
			</sp:EndorsingSupportingTokens>
			<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<wsp:Policy>
					<sp:MustSupportRefKeyIdentifier />
					<sp:MustSupportRefIssuerSerial />
					<sp:MustSupportRefThumbprint />
					<sp:MustSupportRefEncryptedKey />
				</wsp:Policy>
			</sp:Wss11>
			<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<wsp:Policy>
					<sp:MustSupportIssuedTokens />
					<sp:RequireClientEntropy />
					<sp:RequireServerEntropy />
				</wsp:Policy>
			</sp:Trust10>
			<wsaw:UsingAddressing />	
			
    		<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy"> 
	    		<ramp:user>aliasName</ramp:user>
		    	<ramp:passwordCallbackClass>com.test.hro.benefits.fndt.security.ClientPasswordCallback</ramp:passwordCallbackClass>
			    	
				    <ramp:signatureCrypto>
					    <ramp:crypto provider="com.test.hro.benefits.fndt.security.HAWebServicesCrypto">
						    <ramp:property name="org.apache.ws.security.crypto.keystore.type">JKS</ramp:property>
						    <ramp:property name="org.apache.ws.security.crypto.keystore.path">keys/KeyStore</ramp:property>
				    	</ramp:crypto>
			    	</ramp:signatureCrypto>
		    </ramp:RampartConfig>
		</wsp:All>
	</wsp:ExactlyOne>
</wsp:Policy>


  was:
TransportBinding is not recognizing SHA256 when specified in the policy.xml on the DigestAlgorithm. SignatureAlgorithm however is recognizing SHA256. This is because org.apache.rampart.builder.TransportBindingBuilder.java is not setting the digestAlgorithm, and thus using the default of SHA1.  To correct this, add this line in 3 locations in this class:
  sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
and add this line in 1 location in this class:
  dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest());

Listed below is the entire class with the lines inserted for reference. Thank you.

/*
 * =============================================================================
 *
 * Copyright (c) 2003-2013 Hewitt Associates, LLC.
 * 100 Half Day Road, Lincolnshire, Illinois, 60069, U.S.A.
 * All rights reserved.
 *
 * This program contains proprietary and confidential information and trade
 * secrets of Hewitt Associates LLC. This program may not be duplicated,
 * disclosed or provided to any third parties without the prior written consent
 * of Hewitt Associates LLC. Disassembly or decompilation of the software and
 * reverse engineering of the object code are prohibited.
 *
 * =============================================================================
 */
package org.apache.rampart.builder;

import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPEnvelope;

import org.apache.axis2.context.MessageContext;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import org.apache.rahas.RahasConstants;
import org.apache.rahas.TrustException;

import org.apache.rampart.RampartConstants;
import org.apache.rampart.RampartException;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.util.RampartUtil;

import org.apache.ws.secpolicy.SPConstants;
import org.apache.ws.secpolicy.model.AlgorithmSuite;
import org.apache.ws.secpolicy.model.Header;
import org.apache.ws.secpolicy.model.IssuedToken;
import org.apache.ws.secpolicy.model.SecureConversationToken;
import org.apache.ws.secpolicy.model.SignedEncryptedParts;
import org.apache.ws.secpolicy.model.SupportingToken;
import org.apache.ws.secpolicy.model.Token;
import org.apache.ws.secpolicy.model.UsernameToken;
import org.apache.ws.secpolicy.model.X509Token;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.message.*;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import javax.xml.crypto.dsig.Reference;


/**
 * DOCUMENT ME!
 *
 * @hahistory 8/11/16 $author$ Initial creation.
 * @since 1.0
 */
public class TransportBindingBuilder extends BindingBuilder
{

    /**
     * DOCUMENT ME!
     *
     * @since 1.0
     */
    private static Log log = LogFactory.getLog(TransportBindingBuilder.class);

    /**
     * DOCUMENT ME!
     *
     * @since 1.0
     */
    private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);

    /**
     * DOCUMENT ME!
     *
     * @since 1.0
     *
     * @param rmd DOCUMENT ME!
     *
     * @throws RampartException DOCUMENT ME!
     */
    public void build(RampartMessageData rmd) throws RampartException
    {

        log.debug("TransportBindingBuilder build invoked");

        long t0 = 0, t1 = 0;

        if (tlog.isDebugEnabled())
        {
            t1 = System.currentTimeMillis();
        }

        RampartPolicyData rpd = rmd.getPolicyData();

        if (rpd.isIncludeTimestamp())
        {
            addTimestamp(rmd);
        }

        /*
         * Process Supporting tokens
         */
        if (rmd.isInitiator())
        {

            List<byte[]> signatureValues = new ArrayList<byte[]>();

            SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();

            if (
                (sgndSuppTokens != null) &&
                    (sgndSuppTokens.getTokens() != null) &&
                    (sgndSuppTokens.getTokens()
                                       .size() > 0)
            )
            {

                log.debug("Processing signed supporting tokens");

                ArrayList tokens = sgndSuppTokens.getTokens();

                for (Object signedSupportingToken : tokens)
                {

                    Token token = (Token)signedSupportingToken;

                    if (token instanceof UsernameToken)
                    {

                        WSSecUsernameToken utBuilder =
                            addUsernameToken(rmd, (UsernameToken)token);

                        utBuilder.prepare(rmd.getDocument());

                        //Add the UT
                        utBuilder.appendToHeader(rmd.getSecHeader());

                    }
                    else
                    {
                        throw new RampartException(
                            "unsupportedSignedSupportingToken",
                            new String[]
                            {
                                "{" + token.getName()
                                           .getNamespaceURI() + "}" +
                                token.getName()
                                     .getLocalPart()
                            }
                            );
                    }
                }
            }

            SupportingToken sgndEndSuppTokens =
                rpd.getSignedEndorsingSupportingTokens();

            if (
                (sgndEndSuppTokens != null) &&
                    (sgndEndSuppTokens.getTokens() != null) &&
                    (sgndEndSuppTokens.getTokens()
                                          .size() > 0)
            )
            {

                log.debug("Processing endorsing signed supporting tokens");

                ArrayList tokens = sgndEndSuppTokens.getTokens();
                SignedEncryptedParts signdParts =
                    sgndEndSuppTokens.getSignedParts();

                for (Object objectToken : tokens)
                {

                    Token token = (Token)objectToken;

                    if (token instanceof IssuedToken && rmd.isInitiator())
                    {
                        signatureValues.add(
                            doIssuedTokenSignature(rmd, token, signdParts)
                            );
                    }
                    else if (token instanceof X509Token)
                    {
                        signatureValues.add(
                            doX509TokenSignature(rmd, token, signdParts)
                            );
                    }
                }
            }

            SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens();

            if (
                (endSupptokens != null) &&
                    (endSupptokens.getTokens() != null) &&
                    (endSupptokens.getTokens()
                                      .size() > 0)
            )
            {
                log.debug("Processing endorsing supporting tokens");

                ArrayList tokens = endSupptokens.getTokens();
                SignedEncryptedParts signdParts =
                    endSupptokens.getSignedParts();

                for (Object objectToken : tokens)
                {

                    Token token = (Token)objectToken;

                    if (token instanceof IssuedToken && rmd.isInitiator())
                    {
                        signatureValues.add(
                            doIssuedTokenSignature(rmd, token, signdParts)
                            );
                    }
                    else if (token instanceof X509Token)
                    {
                        signatureValues.add(
                            doX509TokenSignature(rmd, token, signdParts)
                            );
                    }
                    else if (token instanceof SecureConversationToken)
                    {
                        handleSecureConversationTokens(
                            rmd, (SecureConversationToken)token
                            );
                        signatureValues.add(
                            doSecureConversationSignature(
                                rmd, token, signdParts
                                )
                            );
                    }
                }
            }


            List<SupportingToken> supportingToks =
                rpd.getSupportingTokensList();

            for (SupportingToken supportingTok : supportingToks)
            {
                this.handleSupportingTokens(rmd, supportingTok);
            }


            //Store the signature values list
            rmd.getMsgContext()
               .setProperty(WSHandlerConstants.SEND_SIGV, signatureValues);
        }
        else
        {
            addSignatureConfirmation(rmd, null);
        }

        if (tlog.isDebugEnabled())
        {
            t1 = System.currentTimeMillis();
            tlog.debug("Transport binding build took " + (t1 - t0));
        }
    }

    /**
     * DOCUMENT ME!
     *
     * @since 1.0
     *
     * @param secHeader DOCUMENT ME!
     * @param appendingChild DOCUMENT ME!
     */
    private void appendToHeader(WSSecHeader secHeader, Element appendingChild)
    {

        // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
        // but WSS4J has remove append methods. Need to find why ?
        Element secHeaderElement = secHeader.getSecurityHeader();
        secHeaderElement.appendChild(appendingChild);

    }


    /**
     * IssuedToken signature
     *
     * @param rmd
     * @param token
     * @param signdParts
     *
     * @return DOCUMENT ME!
     *
     * @throws RampartException
     */
    private byte[] doIssuedTokenSignature(
        RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
        ) throws RampartException
    {

        RampartPolicyData rpd = rmd.getPolicyData();
        Document doc = rmd.getDocument();

        //Get the issued token
        String id = RampartUtil.getIssuedToken(rmd, (IssuedToken)token);

        int inclusion = token.getInclusion();
        org.apache.rahas.Token tok = null;

        try
        {
            tok = rmd.getTokenStorage()
                     .getToken(id);
        }
        catch (TrustException e)
        {
            throw new RampartException(
                "errorExtractingToken", new String[] {id}, e
                );
        }

        boolean tokenIncluded = false;

        if (
            (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) ||
                (
                    (
                        (
                            inclusion ==
                            SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
                        ) || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
                    ) && rmd.isInitiator()
                )
        )
        {

            //Add the token
            rmd.getSecHeader()
               .getSecurityHeader()
               .appendChild(doc.importNode((Element)tok.getToken(), true));

            tokenIncluded = true;
        }

        List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();

        if (this.timestampElement != null)
        {
            sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
        }


        if (rpd.isTokenProtection() && tokenIncluded)
        {
            sigParts.add(new WSEncryptionPart(id));
        }

        if (signdParts != null)
        {

            if (signdParts.isBody())
            {

                SOAPEnvelope env = rmd.getMsgContext()
                                      .getEnvelope();
                sigParts.add(
                    new WSEncryptionPart(
                        RampartUtil.addWsuIdToElement(env.getBody())
                        )
                    );
            }

            ArrayList headers = signdParts.getHeaders();

            for (Object signedHeader : headers)
            {

                Header header = (Header)signedHeader;
                WSEncryptionPart wep =
                    new WSEncryptionPart(
                        header.getName(), header.getNamespace(), "Content"
                        );
                sigParts.add(wep);
            }
        }

        //check for derived keys
        AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();

        if (token.isDerivedKeys())
        {

            //Create a derived key and add
            try
            {

                //Do Signature with derived keys
                WSSecDKSign dkSign = new WSSecDKSign();

                // Setting the AttachedReference or the UnattachedReference according to the flag
                OMElement ref;

                if (tokenIncluded)
                {
                    ref = tok.getAttachedReference();
                }
                else
                {
                    ref = tok.getUnattachedReference();
                }

                if (ref != null)
                {
                    dkSign.setExternalKey(
                        tok.getSecret(),
                        (Element)doc.importNode((Element)ref, true)
                        );
                }
                else
                {
                    dkSign.setExternalKey(tok.getSecret(), tok.getId());
                }

                //Set the algo info
                dkSign.setSignatureAlgorithm(
                    algorithmSuite.getSymmetricSignature()
                    );
                dkSign.setDerivedKeyLength(
                    algorithmSuite.getSignatureDerivedKeyLength()
                    );

                dkSign.prepare(doc);

                /**
                 * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
                 * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
                 * elements. (As a convention)
                 */
                dkSign.appendDKElementToHeader(rmd.getSecHeader());

                dkSign.setParts(sigParts);

                List<Reference> referenceList =
                    dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());

                //Do signature
                dkSign.computeSignature(referenceList, false, null);

                // TODO verify before migration - dkSign.appendSigToHeader(rmd.getSecHeader())
                // this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());

                return dkSign.getSignatureValue();

            }
            catch (ConversationException e)
            {
                throw new RampartException(
                    "errorInDerivedKeyTokenSignature", e
                    );
            }
            catch (WSSecurityException e)
            {
                throw new RampartException(
                    "errorInDerivedKeyTokenSignature", e
                    );
            }

        }
        else
        {

            try
            {

                WSSecSignature sig = new WSSecSignature();
                sig.setWsConfig(rmd.getConfig());

                String tokId = tok.getId();

                if (tokId.charAt(0) == '#')
                {
                    tokId = tokId.substring(1);
                }

                sig.setCustomTokenId(tokId);
                sig.setCustomTokenValueType(
                    RampartUtil.getSAML10AssertionNamespace()
                    );
                sig.setSecretKey(tok.getSecret());
                sig.setSignatureAlgorithm(
                    algorithmSuite.getAsymmetricSignature()
                    );
                sig.setSignatureAlgorithm(
                    algorithmSuite.getSymmetricSignature()
                    );
                sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
                sig.prepare(
                    rmd.getDocument(),
                    RampartUtil.getSignatureCrypto(
                        rpd.getRampartConfig(), rmd.getCustomClassLoader()
                        ), rmd.getSecHeader()
                    );

                sig.setParts(sigParts);

                //Added by MRL
                sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());

                List<javax.xml.crypto.dsig.Reference> referenceList =
                    sig.addReferencesToSign(sigParts, rmd.getSecHeader());

                //Do signature
                sig.computeSignature(referenceList);

                //Add elements to header
                this.setInsertionLocation(
                    RampartUtil.insertSiblingAfter(
                        rmd, this.getInsertionLocation(),
                        sig.getSignatureElement()
                        )
                    );

                return sig.getSignatureValue();

            }
            catch (WSSecurityException e)
            {
                throw new RampartException(
                    "errorInSignatureWithACustomToken", e
                    );
            }
        }
    }

    /**
     * DOCUMENT ME!
     *
     * @since 1.0
     *
     * @param rmd DOCUMENT ME!
     * @param token DOCUMENT ME!
     * @param signdParts DOCUMENT ME!
     *
     * @return DOCUMENT ME!
     *
     * @throws RampartException DOCUMENT ME!
     */
    private byte[] doSecureConversationSignature(
        RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
        ) throws RampartException
    {

        RampartPolicyData rpd = rmd.getPolicyData();
        Document doc = rmd.getDocument();

        //Get the issued token
        String id = rmd.getSecConvTokenId();

        int inclusion = token.getInclusion();
        org.apache.rahas.Token tok = null;

        try
        {
            tok = rmd.getTokenStorage()
                     .getToken(id);
        }
        catch (TrustException e)
        {
            throw new RampartException(
                "errorExtractingToken", new String[] {id}, e
                );
        }

        boolean tokenIncluded = false;

        if (
            (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) ||
                (
                    (
                        (
                            inclusion ==
                            SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
                        ) || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
                    ) && rmd.isInitiator()
                )
        )
        {

            //Add the token
            rmd.getSecHeader()
               .getSecurityHeader()
               .appendChild(doc.importNode((Element)tok.getToken(), true));

            tokenIncluded = true;
        }

        List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();

        if (this.timestampElement != null)
        {
            sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
        }


        if (rpd.isTokenProtection() && tokenIncluded)
        {
            sigParts.add(new WSEncryptionPart(id));
        }

        if (signdParts != null)
        {

            if (signdParts.isBody())
            {

                SOAPEnvelope env = rmd.getMsgContext()
                                      .getEnvelope();
                sigParts.add(
                    new WSEncryptionPart(
                        RampartUtil.addWsuIdToElement(env.getBody())
                        )
                    );
            }

            ArrayList headers = signdParts.getHeaders();

            for (Object objectHeader : headers)
            {

                Header header = (Header)objectHeader;
                WSEncryptionPart wep =
                    new WSEncryptionPart(
                        header.getName(), header.getNamespace(), "Content"
                        );
                sigParts.add(wep);
            }
        }

        //check for derived keys
        AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();

        if (token.isDerivedKeys())
        {

            //Create a derived key and add
            try
            {

                //Do Signature with derived keys
                WSSecDKSign dkSign = new WSSecDKSign();

                // Setting the AttachedReference or the UnattachedReference according to the flag
                OMElement ref;

                if (tokenIncluded)
                {
                    ref = tok.getAttachedReference();
                }
                else
                {
                    ref = tok.getUnattachedReference();
                }

                if (ref != null)
                {
                    dkSign.setExternalKey(
                        tok.getSecret(),
                        (Element)doc.importNode((Element)ref, true)
                        );
                }
                else
                {
                    dkSign.setExternalKey(tok.getSecret(), tok.getId());
                }

                //Set the algo info
                dkSign.setSignatureAlgorithm(
                    algorithmSuite.getSymmetricSignature()
                    );
                dkSign.setDerivedKeyLength(
                    algorithmSuite.getSignatureDerivedKeyLength()
                    );

                dkSign.prepare(doc);

                /**
                 * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
                 * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
                 * elements. (As a convention)
                 */
                dkSign.appendDKElementToHeader(rmd.getSecHeader());

                dkSign.setParts(sigParts);

                List<Reference> referenceList =
                    dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());

                //Do signature
                dkSign.computeSignature(referenceList, false, null);

                //this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());

                return dkSign.getSignatureValue();

            }
            catch (ConversationException e)
            {
                throw new RampartException(
                    "errorInDerivedKeyTokenSignature", e
                    );
            }
            catch (WSSecurityException e)
            {
                throw new RampartException(
                    "errorInDerivedKeyTokenSignature", e
                    );
            }

        }
        else
        {

            try
            {

                WSSecSignature sig = new WSSecSignature();
                sig.setWsConfig(rmd.getConfig());
                sig.setCustomTokenId(tok.getId().substring(1));
                sig.setCustomTokenValueType(
                    RampartUtil.getSAML10AssertionNamespace()
                    );
                sig.setSecretKey(tok.getSecret());
                sig.setSignatureAlgorithm(
                    algorithmSuite.getAsymmetricSignature()
                    );
                sig.setSignatureAlgorithm(
                    algorithmSuite.getSymmetricSignature()
                    );
                sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
                sig.prepare(
                    rmd.getDocument(),
                    RampartUtil.getSignatureCrypto(
                        rpd.getRampartConfig(), rmd.getCustomClassLoader()
                        ), rmd.getSecHeader()
                    );

                sig.setParts(sigParts);

                //Added by MRL
                sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());

                List<Reference> referenceList =
                    sig.addReferencesToSign(sigParts, rmd.getSecHeader());

                //Do signature
                sig.computeSignature(
                    referenceList, false, this.getInsertionLocation()
                    );

                //Add elements to header
                this.setInsertionLocation(sig.getSignatureElement());

                return sig.getSignatureValue();

            }
            catch (WSSecurityException e)
            {
                throw new RampartException(
                    "errorInSignatureWithACustomToken", e
                    );
            }
        }
    }


    /**
     * X.509 signature
     *
     * @param rmd
     * @param token
     * @param signdParts
     *
     * @return DOCUMENT ME!
     *
     * @throws RampartException DOCUMENT ME!
     */
    private byte[] doX509TokenSignature(
        RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
        ) throws RampartException
    {

        RampartPolicyData rpd = rmd.getPolicyData();
        Document doc = rmd.getDocument();

        List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();

        if (this.timestampElement != null)
        {
            sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
        }

        if (signdParts != null)
        {

            if (signdParts.isBody())
            {

                SOAPEnvelope env = rmd.getMsgContext()
                                      .getEnvelope();
                sigParts.add(
                    new WSEncryptionPart(
                        RampartUtil.addWsuIdToElement(env.getBody())
                        )
                    );
            }

            ArrayList headers = signdParts.getHeaders();

            for (Iterator iterator = headers.iterator(); iterator.hasNext();)
            {

                Header header = (Header)iterator.next();
                WSEncryptionPart wep =
                    new WSEncryptionPart(
                        header.getName(), header.getNamespace(), "Content"
                        );
                sigParts.add(wep);
            }
        }

        if (token.isDerivedKeys())
        {

            //In this case we will have to encrypt the ephmeral key with the
            //other party's key and then use it as the parent key of the
            // derived keys
            try
            {

                WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(rmd, token);

                Element bstElem = encrKey.getBinarySecurityTokenElement();

                if (bstElem != null)
                {
                    RampartUtil.appendChildToSecHeader(rmd, bstElem);
                }

                // Add <xenc:EncryptedKey Id="EncKeyId-E67B75302ACB3BEDF313277587471272">..</xenc:EncryptedKey>
                // to security header.
                encrKey.appendToHeader(rmd.getSecHeader());

                WSSecDKSign dkSig = new WSSecDKSign();

                dkSig.setWsConfig(rmd.getConfig());

                dkSig.setSigCanonicalization(
                    rpd.getAlgorithmSuite().getInclusiveC14n()
                    );
                dkSig.setSignatureAlgorithm(
                    rpd.getAlgorithmSuite().getSymmetricSignature()
                    );
                dkSig.setDerivedKeyLength(
                    rpd.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8
                    );

                /**
                 * Add a reference to encrypted key in the derived key
                 */
                dkSig.setExternalKey(
                    encrKey.getEphemeralKey(), encrKey.getId()
                    );

                dkSig.prepare(doc, rmd.getSecHeader());


                if (rpd.isTokenProtection())
                {
                    sigParts.add(new WSEncryptionPart(encrKey.getBSTTokenId()));
                }

                dkSig.setParts(sigParts);

                //Added by MRL
                dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest());

                List<Reference> referenceList =
                    dkSig.addReferencesToSign(sigParts, rmd.getSecHeader());


                /**
                 * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
                 * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
                 * elements. (As a convention)
                 */
                dkSig.appendDKElementToHeader(rmd.getSecHeader());

                //Do signature and append to the security header
                dkSig.computeSignature(referenceList, false, null);


                // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
                // but WSS4J has remove append methods. Need to find why ?
                //this.appendToHeader(rmd.getSecHeader(), dkSig.getSignatureElement());

                return dkSig.getSignatureValue();

            }
            catch (WSSecurityException e)
            {
                throw new RampartException(
                    "errorInDerivedKeyTokenSignature", e
                    );
            }
            catch (ConversationException e)
            {
                throw new RampartException(
                    "errorInDerivedKeyTokenSignature", e
                    );
            }

        }
        else
        {

            try
            {

                WSSecSignature sig = this.getSignatureBuilder(rmd, token);


                sig.appendBSTElementToHeader(rmd.getSecHeader());

                if (
                    rpd.isTokenProtection() &&
                        !(
                            SPConstants.INCLUDE_TOKEN_NEVER ==
                            token.getInclusion()
                        )
                )
                {
                    sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
                }

                //Added by MRL
                sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());

                List<Reference> referenceList =
                    sig.addReferencesToSign(sigParts, rmd.getSecHeader());

                // TODO changed the order - verify
                // Compute signature and append to the header
                sig.computeSignature(referenceList, false, null);

                return sig.getSignatureValue();
            }
            catch (WSSecurityException e)
            {
                throw new RampartException("errorInSignatureWithX509Token", e);
            }


        }

    }

    /**
     * DOCUMENT ME!
     *
     * @since 1.0
     *
     * @param rmd DOCUMENT ME!
     * @param secConvTok DOCUMENT ME!
     *
     * @throws RampartException DOCUMENT ME!
     */
    private void handleSecureConversationTokens(
        RampartMessageData rmd, SecureConversationToken secConvTok
        ) throws RampartException
    {


        MessageContext msgContext = rmd.getMsgContext();

        String secConvTokenId = rmd.getSecConvTokenId();

        //The RSTR has to be secured with the cancelled token
        String action = msgContext.getOptions()
                                  .getAction();
        boolean cancelReqResp =
            action.equals(
                RahasConstants.WST_NS_05_02 +
                RahasConstants.RSTR_ACTION_CANCEL_SCT
                ) ||
            action.equals(
                RahasConstants.WST_NS_05_02 +
                RahasConstants.RSTR_ACTION_CANCEL_SCT
                ) ||
            action.equals(
                RahasConstants.WST_NS_05_02 +
                RahasConstants.RST_ACTION_CANCEL_SCT
                ) ||
            action.equals(
                RahasConstants.WST_NS_05_02 +
                RahasConstants.RST_ACTION_CANCEL_SCT
                );

        //In the case of the cancel req or resp we should mark the token as cancelled
        if ((secConvTokenId != null) && cancelReqResp)
        {

            try
            {
                rmd.getTokenStorage()
                   .getToken(secConvTokenId)
                   .setState(org.apache.rahas.Token.CANCELLED);
                msgContext.setProperty(
                    RampartMessageData.SCT_ID, secConvTokenId
                    );

                //remove from the local map of contexts
                String contextIdentifierKey =
                    RampartUtil.getContextIdentifierKey(msgContext);
                RampartUtil.getContextMap(msgContext)
                           .remove(contextIdentifierKey);
            }
            catch (TrustException e)
            {
                throw new RampartException("errorExtractingToken", e);
            }
        }

        if (
            (secConvTokenId == null) ||
                (
                    (secConvTokenId != null) &&
                    (
                        !RampartUtil.isTokenValid(rmd, secConvTokenId) &&
                        !cancelReqResp
                    )
                )
        )
        {

            log.debug(
                "No SecureConversationToken found, requesting a new token"
                );

            try
            {

                secConvTokenId = RampartUtil.getSecConvToken(rmd, secConvTok);
                rmd.setSecConvTokenId(secConvTokenId);

            }
            catch (TrustException e)
            {
                throw new RampartException("errorInObtainingSct", e);
            }
        }

/*          org.apache.rahas.Token token;
            try {
                token = rmd.getTokenStorage().getToken(secConvTokenId);
            } catch (TrustException e) {
                throw new RampartException("errorExtractingToken", e);
            }


            //Add the token to the header
           Element siblingElem = RampartUtil
                    .insertSiblingAfter(rmd, this.getInsertionLocation(),
                            (Element) token.getToken());
            this.setInsertionLocation(siblingElem);*/

    }
}




> SHA256 not supported for DigestAlgorithm for TransportBinding when specified correctly in policy.xml
> ----------------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-437
>                 URL: https://issues.apache.org/jira/browse/RAMPART-437
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.6.2, 1.6.3, 1.6.4, 1.7.0
>         Environment: I am using version 1.6.2, but see the code is not fixed in version 1.7.0 yet either.
>            Reporter: Marjorie Lindsey
>            Priority: Minor
>
> TransportBinding is not recognizing SHA256 when specified in the policy.xml on the DigestAlgorithm. SignatureAlgorithm however is recognizing SHA256. This is because org.apache.rampart.builder.TransportBindingBuilder.java is not setting the digestAlgorithm, and thus using the default of SHA1.  To correct this, add this line in 3 locations in this class:
>   sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
> and add this line in 1 location in this class:
>   dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest());
> Listed below is the entire class with the lines inserted for reference. Thank you.
> /*
>  * =============================================================================
>  *
>  * Copyright (c) 2003-2013 Hewitt Associates, LLC.
>  * 100 Half Day Road, Lincolnshire, Illinois, 60069, U.S.A.
>  * All rights reserved.
>  *
>  * This program contains proprietary and confidential information and trade
>  * secrets of Hewitt Associates LLC. This program may not be duplicated,
>  * disclosed or provided to any third parties without the prior written consent
>  * of Hewitt Associates LLC. Disassembly or decompilation of the software and
>  * reverse engineering of the object code are prohibited.
>  *
>  * =============================================================================
>  */
> package org.apache.rampart.builder;
> import org.apache.axiom.om.OMElement;
> import org.apache.axiom.soap.SOAPEnvelope;
> import org.apache.axis2.context.MessageContext;
> import org.apache.commons.logging.Log;
> import org.apache.commons.logging.LogFactory;
> import org.apache.rahas.RahasConstants;
> import org.apache.rahas.TrustException;
> import org.apache.rampart.RampartConstants;
> import org.apache.rampart.RampartException;
> import org.apache.rampart.RampartMessageData;
> import org.apache.rampart.policy.RampartPolicyData;
> import org.apache.rampart.util.RampartUtil;
> import org.apache.ws.secpolicy.SPConstants;
> import org.apache.ws.secpolicy.model.AlgorithmSuite;
> import org.apache.ws.secpolicy.model.Header;
> import org.apache.ws.secpolicy.model.IssuedToken;
> import org.apache.ws.secpolicy.model.SecureConversationToken;
> import org.apache.ws.secpolicy.model.SignedEncryptedParts;
> import org.apache.ws.secpolicy.model.SupportingToken;
> import org.apache.ws.secpolicy.model.Token;
> import org.apache.ws.secpolicy.model.UsernameToken;
> import org.apache.ws.secpolicy.model.X509Token;
> import org.apache.ws.security.WSConstants;
> import org.apache.ws.security.WSEncryptionPart;
> import org.apache.ws.security.WSSecurityException;
> import org.apache.ws.security.conversation.ConversationException;
> import org.apache.ws.security.handler.WSHandlerConstants;
> import org.apache.ws.security.message.*;
> import org.w3c.dom.Document;
> import org.w3c.dom.Element;
> import java.util.ArrayList;
> import java.util.Iterator;
> import java.util.List;
> import javax.xml.crypto.dsig.Reference;
> /**
>  * DOCUMENT ME!
>  *
>  * @hahistory 8/11/16 $author$ Initial creation.
>  * @since 1.0
>  */
> public class TransportBindingBuilder extends BindingBuilder
> {
>     /**
>      * DOCUMENT ME!
>      *
>      * @since 1.0
>      */
>     private static Log log = LogFactory.getLog(TransportBindingBuilder.class);
>     /**
>      * DOCUMENT ME!
>      *
>      * @since 1.0
>      */
>     private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);
>     /**
>      * DOCUMENT ME!
>      *
>      * @since 1.0
>      *
>      * @param rmd DOCUMENT ME!
>      *
>      * @throws RampartException DOCUMENT ME!
>      */
>     public void build(RampartMessageData rmd) throws RampartException
>     {
>         log.debug("TransportBindingBuilder build invoked");
>         long t0 = 0, t1 = 0;
>         if (tlog.isDebugEnabled())
>         {
>             t1 = System.currentTimeMillis();
>         }
>         RampartPolicyData rpd = rmd.getPolicyData();
>         if (rpd.isIncludeTimestamp())
>         {
>             addTimestamp(rmd);
>         }
>         /*
>          * Process Supporting tokens
>          */
>         if (rmd.isInitiator())
>         {
>             List<byte[]> signatureValues = new ArrayList<byte[]>();
>             SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
>             if (
>                 (sgndSuppTokens != null) &&
>                     (sgndSuppTokens.getTokens() != null) &&
>                     (sgndSuppTokens.getTokens()
>                                        .size() > 0)
>             )
>             {
>                 log.debug("Processing signed supporting tokens");
>                 ArrayList tokens = sgndSuppTokens.getTokens();
>                 for (Object signedSupportingToken : tokens)
>                 {
>                     Token token = (Token)signedSupportingToken;
>                     if (token instanceof UsernameToken)
>                     {
>                         WSSecUsernameToken utBuilder =
>                             addUsernameToken(rmd, (UsernameToken)token);
>                         utBuilder.prepare(rmd.getDocument());
>                         //Add the UT
>                         utBuilder.appendToHeader(rmd.getSecHeader());
>                     }
>                     else
>                     {
>                         throw new RampartException(
>                             "unsupportedSignedSupportingToken",
>                             new String[]
>                             {
>                                 "{" + token.getName()
>                                            .getNamespaceURI() + "}" +
>                                 token.getName()
>                                      .getLocalPart()
>                             }
>                             );
>                     }
>                 }
>             }
>             SupportingToken sgndEndSuppTokens =
>                 rpd.getSignedEndorsingSupportingTokens();
>             if (
>                 (sgndEndSuppTokens != null) &&
>                     (sgndEndSuppTokens.getTokens() != null) &&
>                     (sgndEndSuppTokens.getTokens()
>                                           .size() > 0)
>             )
>             {
>                 log.debug("Processing endorsing signed supporting tokens");
>                 ArrayList tokens = sgndEndSuppTokens.getTokens();
>                 SignedEncryptedParts signdParts =
>                     sgndEndSuppTokens.getSignedParts();
>                 for (Object objectToken : tokens)
>                 {
>                     Token token = (Token)objectToken;
>                     if (token instanceof IssuedToken && rmd.isInitiator())
>                     {
>                         signatureValues.add(
>                             doIssuedTokenSignature(rmd, token, signdParts)
>                             );
>                     }
>                     else if (token instanceof X509Token)
>                     {
>                         signatureValues.add(
>                             doX509TokenSignature(rmd, token, signdParts)
>                             );
>                     }
>                 }
>             }
>             SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens();
>             if (
>                 (endSupptokens != null) &&
>                     (endSupptokens.getTokens() != null) &&
>                     (endSupptokens.getTokens()
>                                       .size() > 0)
>             )
>             {
>                 log.debug("Processing endorsing supporting tokens");
>                 ArrayList tokens = endSupptokens.getTokens();
>                 SignedEncryptedParts signdParts =
>                     endSupptokens.getSignedParts();
>                 for (Object objectToken : tokens)
>                 {
>                     Token token = (Token)objectToken;
>                     if (token instanceof IssuedToken && rmd.isInitiator())
>                     {
>                         signatureValues.add(
>                             doIssuedTokenSignature(rmd, token, signdParts)
>                             );
>                     }
>                     else if (token instanceof X509Token)
>                     {
>                         signatureValues.add(
>                             doX509TokenSignature(rmd, token, signdParts)
>                             );
>                     }
>                     else if (token instanceof SecureConversationToken)
>                     {
>                         handleSecureConversationTokens(
>                             rmd, (SecureConversationToken)token
>                             );
>                         signatureValues.add(
>                             doSecureConversationSignature(
>                                 rmd, token, signdParts
>                                 )
>                             );
>                     }
>                 }
>             }
>             List<SupportingToken> supportingToks =
>                 rpd.getSupportingTokensList();
>             for (SupportingToken supportingTok : supportingToks)
>             {
>                 this.handleSupportingTokens(rmd, supportingTok);
>             }
>             //Store the signature values list
>             rmd.getMsgContext()
>                .setProperty(WSHandlerConstants.SEND_SIGV, signatureValues);
>         }
>         else
>         {
>             addSignatureConfirmation(rmd, null);
>         }
>         if (tlog.isDebugEnabled())
>         {
>             t1 = System.currentTimeMillis();
>             tlog.debug("Transport binding build took " + (t1 - t0));
>         }
>     }
>     /**
>      * DOCUMENT ME!
>      *
>      * @since 1.0
>      *
>      * @param secHeader DOCUMENT ME!
>      * @param appendingChild DOCUMENT ME!
>      */
>     private void appendToHeader(WSSecHeader secHeader, Element appendingChild)
>     {
>         // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
>         // but WSS4J has remove append methods. Need to find why ?
>         Element secHeaderElement = secHeader.getSecurityHeader();
>         secHeaderElement.appendChild(appendingChild);
>     }
>     /**
>      * IssuedToken signature
>      *
>      * @param rmd
>      * @param token
>      * @param signdParts
>      *
>      * @return DOCUMENT ME!
>      *
>      * @throws RampartException
>      */
>     private byte[] doIssuedTokenSignature(
>         RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
>         ) throws RampartException
>     {
>         RampartPolicyData rpd = rmd.getPolicyData();
>         Document doc = rmd.getDocument();
>         //Get the issued token
>         String id = RampartUtil.getIssuedToken(rmd, (IssuedToken)token);
>         int inclusion = token.getInclusion();
>         org.apache.rahas.Token tok = null;
>         try
>         {
>             tok = rmd.getTokenStorage()
>                      .getToken(id);
>         }
>         catch (TrustException e)
>         {
>             throw new RampartException(
>                 "errorExtractingToken", new String[] {id}, e
>                 );
>         }
>         boolean tokenIncluded = false;
>         if (
>             (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) ||
>                 (
>                     (
>                         (
>                             inclusion ==
>                             SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
>                         ) || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
>                     ) && rmd.isInitiator()
>                 )
>         )
>         {
>             //Add the token
>             rmd.getSecHeader()
>                .getSecurityHeader()
>                .appendChild(doc.importNode((Element)tok.getToken(), true));
>             tokenIncluded = true;
>         }
>         List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
>         if (this.timestampElement != null)
>         {
>             sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
>         }
>         if (rpd.isTokenProtection() && tokenIncluded)
>         {
>             sigParts.add(new WSEncryptionPart(id));
>         }
>         if (signdParts != null)
>         {
>             if (signdParts.isBody())
>             {
>                 SOAPEnvelope env = rmd.getMsgContext()
>                                       .getEnvelope();
>                 sigParts.add(
>                     new WSEncryptionPart(
>                         RampartUtil.addWsuIdToElement(env.getBody())
>                         )
>                     );
>             }
>             ArrayList headers = signdParts.getHeaders();
>             for (Object signedHeader : headers)
>             {
>                 Header header = (Header)signedHeader;
>                 WSEncryptionPart wep =
>                     new WSEncryptionPart(
>                         header.getName(), header.getNamespace(), "Content"
>                         );
>                 sigParts.add(wep);
>             }
>         }
>         //check for derived keys
>         AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
>         if (token.isDerivedKeys())
>         {
>             //Create a derived key and add
>             try
>             {
>                 //Do Signature with derived keys
>                 WSSecDKSign dkSign = new WSSecDKSign();
>                 // Setting the AttachedReference or the UnattachedReference according to the flag
>                 OMElement ref;
>                 if (tokenIncluded)
>                 {
>                     ref = tok.getAttachedReference();
>                 }
>                 else
>                 {
>                     ref = tok.getUnattachedReference();
>                 }
>                 if (ref != null)
>                 {
>                     dkSign.setExternalKey(
>                         tok.getSecret(),
>                         (Element)doc.importNode((Element)ref, true)
>                         );
>                 }
>                 else
>                 {
>                     dkSign.setExternalKey(tok.getSecret(), tok.getId());
>                 }
>                 //Set the algo info
>                 dkSign.setSignatureAlgorithm(
>                     algorithmSuite.getSymmetricSignature()
>                     );
>                 dkSign.setDerivedKeyLength(
>                     algorithmSuite.getSignatureDerivedKeyLength()
>                     );
>                 dkSign.prepare(doc);
>                 /**
>                  * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
>                  * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
>                  * elements. (As a convention)
>                  */
>                 dkSign.appendDKElementToHeader(rmd.getSecHeader());
>                 dkSign.setParts(sigParts);
>                 List<Reference> referenceList =
>                     dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
>                 //Do signature
>                 dkSign.computeSignature(referenceList, false, null);
>                 // TODO verify before migration - dkSign.appendSigToHeader(rmd.getSecHeader())
>                 // this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());
>                 return dkSign.getSignatureValue();
>             }
>             catch (ConversationException e)
>             {
>                 throw new RampartException(
>                     "errorInDerivedKeyTokenSignature", e
>                     );
>             }
>             catch (WSSecurityException e)
>             {
>                 throw new RampartException(
>                     "errorInDerivedKeyTokenSignature", e
>                     );
>             }
>         }
>         else
>         {
>             try
>             {
>                 WSSecSignature sig = new WSSecSignature();
>                 sig.setWsConfig(rmd.getConfig());
>                 String tokId = tok.getId();
>                 if (tokId.charAt(0) == '#')
>                 {
>                     tokId = tokId.substring(1);
>                 }
>                 sig.setCustomTokenId(tokId);
>                 sig.setCustomTokenValueType(
>                     RampartUtil.getSAML10AssertionNamespace()
>                     );
>                 sig.setSecretKey(tok.getSecret());
>                 sig.setSignatureAlgorithm(
>                     algorithmSuite.getAsymmetricSignature()
>                     );
>                 sig.setSignatureAlgorithm(
>                     algorithmSuite.getSymmetricSignature()
>                     );
>                 sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
>                 sig.prepare(
>                     rmd.getDocument(),
>                     RampartUtil.getSignatureCrypto(
>                         rpd.getRampartConfig(), rmd.getCustomClassLoader()
>                         ), rmd.getSecHeader()
>                     );
>                 sig.setParts(sigParts);
>                 //Added by MRL
>                 sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
>                 List<javax.xml.crypto.dsig.Reference> referenceList =
>                     sig.addReferencesToSign(sigParts, rmd.getSecHeader());
>                 //Do signature
>                 sig.computeSignature(referenceList);
>                 //Add elements to header
>                 this.setInsertionLocation(
>                     RampartUtil.insertSiblingAfter(
>                         rmd, this.getInsertionLocation(),
>                         sig.getSignatureElement()
>                         )
>                     );
>                 return sig.getSignatureValue();
>             }
>             catch (WSSecurityException e)
>             {
>                 throw new RampartException(
>                     "errorInSignatureWithACustomToken", e
>                     );
>             }
>         }
>     }
>     /**
>      * DOCUMENT ME!
>      *
>      * @since 1.0
>      *
>      * @param rmd DOCUMENT ME!
>      * @param token DOCUMENT ME!
>      * @param signdParts DOCUMENT ME!
>      *
>      * @return DOCUMENT ME!
>      *
>      * @throws RampartException DOCUMENT ME!
>      */
>     private byte[] doSecureConversationSignature(
>         RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
>         ) throws RampartException
>     {
>         RampartPolicyData rpd = rmd.getPolicyData();
>         Document doc = rmd.getDocument();
>         //Get the issued token
>         String id = rmd.getSecConvTokenId();
>         int inclusion = token.getInclusion();
>         org.apache.rahas.Token tok = null;
>         try
>         {
>             tok = rmd.getTokenStorage()
>                      .getToken(id);
>         }
>         catch (TrustException e)
>         {
>             throw new RampartException(
>                 "errorExtractingToken", new String[] {id}, e
>                 );
>         }
>         boolean tokenIncluded = false;
>         if (
>             (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) ||
>                 (
>                     (
>                         (
>                             inclusion ==
>                             SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
>                         ) || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
>                     ) && rmd.isInitiator()
>                 )
>         )
>         {
>             //Add the token
>             rmd.getSecHeader()
>                .getSecurityHeader()
>                .appendChild(doc.importNode((Element)tok.getToken(), true));
>             tokenIncluded = true;
>         }
>         List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
>         if (this.timestampElement != null)
>         {
>             sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
>         }
>         if (rpd.isTokenProtection() && tokenIncluded)
>         {
>             sigParts.add(new WSEncryptionPart(id));
>         }
>         if (signdParts != null)
>         {
>             if (signdParts.isBody())
>             {
>                 SOAPEnvelope env = rmd.getMsgContext()
>                                       .getEnvelope();
>                 sigParts.add(
>                     new WSEncryptionPart(
>                         RampartUtil.addWsuIdToElement(env.getBody())
>                         )
>                     );
>             }
>             ArrayList headers = signdParts.getHeaders();
>             for (Object objectHeader : headers)
>             {
>                 Header header = (Header)objectHeader;
>                 WSEncryptionPart wep =
>                     new WSEncryptionPart(
>                         header.getName(), header.getNamespace(), "Content"
>                         );
>                 sigParts.add(wep);
>             }
>         }
>         //check for derived keys
>         AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
>         if (token.isDerivedKeys())
>         {
>             //Create a derived key and add
>             try
>             {
>                 //Do Signature with derived keys
>                 WSSecDKSign dkSign = new WSSecDKSign();
>                 // Setting the AttachedReference or the UnattachedReference according to the flag
>                 OMElement ref;
>                 if (tokenIncluded)
>                 {
>                     ref = tok.getAttachedReference();
>                 }
>                 else
>                 {
>                     ref = tok.getUnattachedReference();
>                 }
>                 if (ref != null)
>                 {
>                     dkSign.setExternalKey(
>                         tok.getSecret(),
>                         (Element)doc.importNode((Element)ref, true)
>                         );
>                 }
>                 else
>                 {
>                     dkSign.setExternalKey(tok.getSecret(), tok.getId());
>                 }
>                 //Set the algo info
>                 dkSign.setSignatureAlgorithm(
>                     algorithmSuite.getSymmetricSignature()
>                     );
>                 dkSign.setDerivedKeyLength(
>                     algorithmSuite.getSignatureDerivedKeyLength()
>                     );
>                 dkSign.prepare(doc);
>                 /**
>                  * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
>                  * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
>                  * elements. (As a convention)
>                  */
>                 dkSign.appendDKElementToHeader(rmd.getSecHeader());
>                 dkSign.setParts(sigParts);
>                 List<Reference> referenceList =
>                     dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
>                 //Do signature
>                 dkSign.computeSignature(referenceList, false, null);
>                 //this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement());
>                 return dkSign.getSignatureValue();
>             }
>             catch (ConversationException e)
>             {
>                 throw new RampartException(
>                     "errorInDerivedKeyTokenSignature", e
>                     );
>             }
>             catch (WSSecurityException e)
>             {
>                 throw new RampartException(
>                     "errorInDerivedKeyTokenSignature", e
>                     );
>             }
>         }
>         else
>         {
>             try
>             {
>                 WSSecSignature sig = new WSSecSignature();
>                 sig.setWsConfig(rmd.getConfig());
>                 sig.setCustomTokenId(tok.getId().substring(1));
>                 sig.setCustomTokenValueType(
>                     RampartUtil.getSAML10AssertionNamespace()
>                     );
>                 sig.setSecretKey(tok.getSecret());
>                 sig.setSignatureAlgorithm(
>                     algorithmSuite.getAsymmetricSignature()
>                     );
>                 sig.setSignatureAlgorithm(
>                     algorithmSuite.getSymmetricSignature()
>                     );
>                 sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
>                 sig.prepare(
>                     rmd.getDocument(),
>                     RampartUtil.getSignatureCrypto(
>                         rpd.getRampartConfig(), rmd.getCustomClassLoader()
>                         ), rmd.getSecHeader()
>                     );
>                 sig.setParts(sigParts);
>                 //Added by MRL
>                 sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
>                 List<Reference> referenceList =
>                     sig.addReferencesToSign(sigParts, rmd.getSecHeader());
>                 //Do signature
>                 sig.computeSignature(
>                     referenceList, false, this.getInsertionLocation()
>                     );
>                 //Add elements to header
>                 this.setInsertionLocation(sig.getSignatureElement());
>                 return sig.getSignatureValue();
>             }
>             catch (WSSecurityException e)
>             {
>                 throw new RampartException(
>                     "errorInSignatureWithACustomToken", e
>                     );
>             }
>         }
>     }
>     /**
>      * X.509 signature
>      *
>      * @param rmd
>      * @param token
>      * @param signdParts
>      *
>      * @return DOCUMENT ME!
>      *
>      * @throws RampartException DOCUMENT ME!
>      */
>     private byte[] doX509TokenSignature(
>         RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
>         ) throws RampartException
>     {
>         RampartPolicyData rpd = rmd.getPolicyData();
>         Document doc = rmd.getDocument();
>         List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
>         if (this.timestampElement != null)
>         {
>             sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
>         }
>         if (signdParts != null)
>         {
>             if (signdParts.isBody())
>             {
>                 SOAPEnvelope env = rmd.getMsgContext()
>                                       .getEnvelope();
>                 sigParts.add(
>                     new WSEncryptionPart(
>                         RampartUtil.addWsuIdToElement(env.getBody())
>                         )
>                     );
>             }
>             ArrayList headers = signdParts.getHeaders();
>             for (Iterator iterator = headers.iterator(); iterator.hasNext();)
>             {
>                 Header header = (Header)iterator.next();
>                 WSEncryptionPart wep =
>                     new WSEncryptionPart(
>                         header.getName(), header.getNamespace(), "Content"
>                         );
>                 sigParts.add(wep);
>             }
>         }
>         if (token.isDerivedKeys())
>         {
>             //In this case we will have to encrypt the ephmeral key with the
>             //other party's key and then use it as the parent key of the
>             // derived keys
>             try
>             {
>                 WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(rmd, token);
>                 Element bstElem = encrKey.getBinarySecurityTokenElement();
>                 if (bstElem != null)
>                 {
>                     RampartUtil.appendChildToSecHeader(rmd, bstElem);
>                 }
>                 // Add <xenc:EncryptedKey Id="EncKeyId-E67B75302ACB3BEDF313277587471272">..</xenc:EncryptedKey>
>                 // to security header.
>                 encrKey.appendToHeader(rmd.getSecHeader());
>                 WSSecDKSign dkSig = new WSSecDKSign();
>                 dkSig.setWsConfig(rmd.getConfig());
>                 dkSig.setSigCanonicalization(
>                     rpd.getAlgorithmSuite().getInclusiveC14n()
>                     );
>                 dkSig.setSignatureAlgorithm(
>                     rpd.getAlgorithmSuite().getSymmetricSignature()
>                     );
>                 dkSig.setDerivedKeyLength(
>                     rpd.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8
>                     );
>                 /**
>                  * Add a reference to encrypted key in the derived key
>                  */
>                 dkSig.setExternalKey(
>                     encrKey.getEphemeralKey(), encrKey.getId()
>                     );
>                 dkSig.prepare(doc, rmd.getSecHeader());
>                 if (rpd.isTokenProtection())
>                 {
>                     sigParts.add(new WSEncryptionPart(encrKey.getBSTTokenId()));
>                 }
>                 dkSig.setParts(sigParts);
>                 //Added by MRL
>                 dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest());
>                 List<Reference> referenceList =
>                     dkSig.addReferencesToSign(sigParts, rmd.getSecHeader());
>                 /**
>                  * Add <wsc:DerivedKeyToken>..</wsc:DerivedKeyToken> to security
>                  * header. We need to add this just after Encrypted Key and just before <Signature>..</Signature>
>                  * elements. (As a convention)
>                  */
>                 dkSig.appendDKElementToHeader(rmd.getSecHeader());
>                 //Do signature and append to the security header
>                 dkSig.computeSignature(referenceList, false, null);
>                 // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
>                 // but WSS4J has remove append methods. Need to find why ?
>                 //this.appendToHeader(rmd.getSecHeader(), dkSig.getSignatureElement());
>                 return dkSig.getSignatureValue();
>             }
>             catch (WSSecurityException e)
>             {
>                 throw new RampartException(
>                     "errorInDerivedKeyTokenSignature", e
>                     );
>             }
>             catch (ConversationException e)
>             {
>                 throw new RampartException(
>                     "errorInDerivedKeyTokenSignature", e
>                     );
>             }
>         }
>         else
>         {
>             try
>             {
>                 WSSecSignature sig = this.getSignatureBuilder(rmd, token);
>                 sig.appendBSTElementToHeader(rmd.getSecHeader());
>                 if (
>                     rpd.isTokenProtection() &&
>                         !(
>                             SPConstants.INCLUDE_TOKEN_NEVER ==
>                             token.getInclusion()
>                         )
>                 )
>                 {
>                     sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
>                 }
>                 //Added by MRL
>                 sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
>                 List<Reference> referenceList =
>                     sig.addReferencesToSign(sigParts, rmd.getSecHeader());
>                 // TODO changed the order - verify
>                 // Compute signature and append to the header
>                 sig.computeSignature(referenceList, false, null);
>                 return sig.getSignatureValue();
>             }
>             catch (WSSecurityException e)
>             {
>                 throw new RampartException("errorInSignatureWithX509Token", e);
>             }
>         }
>     }
>     /**
>      * DOCUMENT ME!
>      *
>      * @since 1.0
>      *
>      * @param rmd DOCUMENT ME!
>      * @param secConvTok DOCUMENT ME!
>      *
>      * @throws RampartException DOCUMENT ME!
>      */
>     private void handleSecureConversationTokens(
>         RampartMessageData rmd, SecureConversationToken secConvTok
>         ) throws RampartException
>     {
>         MessageContext msgContext = rmd.getMsgContext();
>         String secConvTokenId = rmd.getSecConvTokenId();
>         //The RSTR has to be secured with the cancelled token
>         String action = msgContext.getOptions()
>                                   .getAction();
>         boolean cancelReqResp =
>             action.equals(
>                 RahasConstants.WST_NS_05_02 +
>                 RahasConstants.RSTR_ACTION_CANCEL_SCT
>                 ) ||
>             action.equals(
>                 RahasConstants.WST_NS_05_02 +
>                 RahasConstants.RSTR_ACTION_CANCEL_SCT
>                 ) ||
>             action.equals(
>                 RahasConstants.WST_NS_05_02 +
>                 RahasConstants.RST_ACTION_CANCEL_SCT
>                 ) ||
>             action.equals(
>                 RahasConstants.WST_NS_05_02 +
>                 RahasConstants.RST_ACTION_CANCEL_SCT
>                 );
>         //In the case of the cancel req or resp we should mark the token as cancelled
>         if ((secConvTokenId != null) && cancelReqResp)
>         {
>             try
>             {
>                 rmd.getTokenStorage()
>                    .getToken(secConvTokenId)
>                    .setState(org.apache.rahas.Token.CANCELLED);
>                 msgContext.setProperty(
>                     RampartMessageData.SCT_ID, secConvTokenId
>                     );
>                 //remove from the local map of contexts
>                 String contextIdentifierKey =
>                     RampartUtil.getContextIdentifierKey(msgContext);
>                 RampartUtil.getContextMap(msgContext)
>                            .remove(contextIdentifierKey);
>             }
>             catch (TrustException e)
>             {
>                 throw new RampartException("errorExtractingToken", e);
>             }
>         }
>         if (
>             (secConvTokenId == null) ||
>                 (
>                     (secConvTokenId != null) &&
>                     (
>                         !RampartUtil.isTokenValid(rmd, secConvTokenId) &&
>                         !cancelReqResp
>                     )
>                 )
>         )
>         {
>             log.debug(
>                 "No SecureConversationToken found, requesting a new token"
>                 );
>             try
>             {
>                 secConvTokenId = RampartUtil.getSecConvToken(rmd, secConvTok);
>                 rmd.setSecConvTokenId(secConvTokenId);
>             }
>             catch (TrustException e)
>             {
>                 throw new RampartException("errorInObtainingSct", e);
>             }
>         }
> /*          org.apache.rahas.Token token;
>             try {
>                 token = rmd.getTokenStorage().getToken(secConvTokenId);
>             } catch (TrustException e) {
>                 throw new RampartException("errorExtractingToken", e);
>             }
>             //Add the token to the header
>            Element siblingElem = RampartUtil
>                     .insertSiblingAfter(rmd, this.getInsertionLocation(),
>                             (Element) token.getToken());
>             this.setInsertionLocation(siblingElem);*/
>     }
> }
> This is the policy.xml being used:
> <wsp:Policy wsu:Id="WSHttpBinding_ISecureService_policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl">
> 	<wsp:ExactlyOne>
> 		<wsp:All>
> 			<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> 				<wsp:Policy>
> 					<sp:TransportToken>
> 						<wsp:Policy>
> 							<sp:HttpsToken RequireClientCertificate="false" />
> 						</wsp:Policy>
> 					</sp:TransportToken>
> 					<sp:AlgorithmSuite>
> 						<wsp:Policy>
> 							<sp:Basic256Sha256 /> 
> 						</wsp:Policy>
> 					</sp:AlgorithmSuite>
> 					<sp:Layout>
> 						<wsp:Policy>
> 							<sp:Strict />
> 						</wsp:Policy>
> 					</sp:Layout>
> 					<sp:IncludeTimestamp />
> 				</wsp:Policy>
> 			</sp:TransportBinding>
> 			<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> 				<wsp:Policy>
> 					<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> 						<wsp:Policy>
> 							<sp:RequireThumbprintReference />
> 							<sp:WssX509V3Token10 />
> 						</wsp:Policy>
> 					</sp:X509Token>
> 					<sp:SignedParts>
> 						<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
> 					</sp:SignedParts>
> 				</wsp:Policy>
> 			</sp:EndorsingSupportingTokens>
> 			<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> 				<wsp:Policy>
> 					<sp:MustSupportRefKeyIdentifier />
> 					<sp:MustSupportRefIssuerSerial />
> 					<sp:MustSupportRefThumbprint />
> 					<sp:MustSupportRefEncryptedKey />
> 				</wsp:Policy>
> 			</sp:Wss11>
> 			<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> 				<wsp:Policy>
> 					<sp:MustSupportIssuedTokens />
> 					<sp:RequireClientEntropy />
> 					<sp:RequireServerEntropy />
> 				</wsp:Policy>
> 			</sp:Trust10>
> 			<wsaw:UsingAddressing />	
> 			
>     		<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy"> 
> 	    		<ramp:user>aliasName</ramp:user>
> 		    	<ramp:passwordCallbackClass>com.test.hro.benefits.fndt.security.ClientPasswordCallback</ramp:passwordCallbackClass>
> 			    	
> 				    <ramp:signatureCrypto>
> 					    <ramp:crypto provider="com.test.hro.benefits.fndt.security.HAWebServicesCrypto">
> 						    <ramp:property name="org.apache.ws.security.crypto.keystore.type">JKS</ramp:property>
> 						    <ramp:property name="org.apache.ws.security.crypto.keystore.path">keys/KeyStore</ramp:property>
> 				    	</ramp:crypto>
> 			    	</ramp:signatureCrypto>
> 		    </ramp:RampartConfig>
> 		</wsp:All>
> 	</wsp:ExactlyOne>
> </wsp:Policy>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message