From cohei...@apache.org
Subject [1/3] cxf git commit: Refactoring how tokens are encrypted in the STS
Date Wed, 11 Nov 2015 17:20:07 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes ac1dbc498 -> b297eed6d


Refactoring how tokens are encrypted in the STS


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/fc54f211
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/fc54f211
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/fc54f211

Branch: refs/heads/3.1.x-fixes
Commit: fc54f21168a9294f2900bd6bc30d1b2eb5a172e7
Parents: ac1dbc4
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Nov 11 15:02:59 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Nov 11 17:19:43 2015 +0000

----------------------------------------------------------------------
 .../cxf/sts/operation/AbstractOperation.java    | 125 +----------------
 .../cxf/sts/operation/TokenIssueOperation.java  |  16 +--
 .../cxf/sts/operation/TokenRenewOperation.java  |  11 +-
 .../sts/token/provider/SAMLTokenProvider.java   |  11 +-
 .../cxf/sts/token/provider/SCTProvider.java     |  14 +-
 .../token/provider/TokenProviderParameters.java |   9 ++
 .../sts/token/provider/TokenProviderUtils.java  | 135 +++++++++++++++++++
 .../cxf/sts/operation/DummyTokenProvider.java   |  13 ++
 8 files changed, 186 insertions(+), 148 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
index d7c2c45..e47287c 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
@@ -21,9 +21,7 @@ package org.apache.cxf.sts.operation;
 
 import java.net.URI;
 import java.security.Principal;
-import java.security.cert.X509Certificate;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.Date;
 import java.util.List;
 import java.util.Set;
@@ -77,19 +75,12 @@ import org.apache.cxf.ws.security.sts.provider.model.secext.ReferenceType;
 import org.apache.cxf.ws.security.sts.provider.model.secext.SecurityTokenReferenceType;
 import org.apache.cxf.ws.security.sts.provider.model.utility.AttributedDateTime;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
-import org.apache.wss4j.common.WSEncryptionPart;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
-import org.apache.wss4j.dom.handler.WSHandlerConstants;
-import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.message.WSSecEncrypt;
 import org.apache.wss4j.dom.message.WSSecEncryptedKey;
 import org.apache.wss4j.dom.util.XmlSchemaDateFormat;
-import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
 import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
@@ -312,80 +303,6 @@ public abstract class AbstractOperation {
     }
     
     /**
-     * Encrypt a Token element using the given arguments.
-     */
-    protected Element encryptToken(
-        Element element, 
-        String id, 
-        EncryptionProperties encryptionProperties,
-        KeyRequirements keyRequirements,
-        WebServiceContext context
-    ) throws WSSecurityException {
-        String name = encryptionProperties.getEncryptionName();
-        if (name == null) {
-            name = stsProperties.getEncryptionUsername();
-        }
-        if (name == null) {
-            LOG.fine("No encryption alias is configured");
-            return element;
-        }
-        
-        // Get the encryption algorithm to use
-        String encryptionAlgorithm = keyRequirements.getEncryptionAlgorithm();
-        if (encryptionAlgorithm == null) {
-            // If none then default to what is configured
-            encryptionAlgorithm = encryptionProperties.getEncryptionAlgorithm();
-        } else {
-            List<String> supportedAlgorithms = 
-                encryptionProperties.getAcceptedEncryptionAlgorithms();
-            if (!supportedAlgorithms.contains(encryptionAlgorithm)) {
-                encryptionAlgorithm = encryptionProperties.getEncryptionAlgorithm();
-                if (LOG.isLoggable(Level.FINE)) {
-                    LOG.fine("EncryptionAlgorithm not supported, defaulting to: " + encryptionAlgorithm);
-                }
-            }
-        }
-        // Get the key-wrap algorithm to use
-        String keyWrapAlgorithm = keyRequirements.getKeywrapAlgorithm();
-        if (keyWrapAlgorithm == null) {
-            // If none then default to what is configured
-            keyWrapAlgorithm = encryptionProperties.getKeyWrapAlgorithm();
-        } else {
-            List<String> supportedAlgorithms = 
-                encryptionProperties.getAcceptedKeyWrapAlgorithms();
-            if (!supportedAlgorithms.contains(keyWrapAlgorithm)) {
-                keyWrapAlgorithm = encryptionProperties.getKeyWrapAlgorithm();
-                if (LOG.isLoggable(Level.FINE)) {
-                    LOG.fine("KeyWrapAlgorithm not supported, defaulting to: " + keyWrapAlgorithm);
-                }
-            }
-        }
-        
-        WSSecEncrypt builder = new WSSecEncrypt();
-        if (WSHandlerConstants.USE_REQ_SIG_CERT.equals(name)) {
-            X509Certificate cert = getReqSigCert(context.getMessageContext());
-            builder.setUseThisCert(cert);
-        } else {
-            builder.setUserInfo(name);
-        }
-        builder.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
-        builder.setSymmetricEncAlgorithm(encryptionAlgorithm);
-        builder.setKeyEncAlgo(keyWrapAlgorithm);
-        builder.setEmbedEncryptedKey(true);
-        
-        WSEncryptionPart encryptionPart = new WSEncryptionPart(id, "Element");
-        encryptionPart.setElement(element);
-        
-        Document doc = element.getOwnerDocument();
-        doc.appendChild(element);
-                                 
-        builder.prepare(element.getOwnerDocument(), stsProperties.getEncryptionCrypto());
-        builder.encryptForRef(null, Collections.singletonList(encryptionPart));
-        
-        return doc.getDocumentElement();
-    }
-    
-    /**
      * Encrypt a secret using the given arguments producing a DOM EncryptedKey element
      */
     protected Element encryptSecret(
@@ -475,6 +392,7 @@ public abstract class AbstractOperation {
         providerParameters.setPrincipal(context.getUserPrincipal());
         providerParameters.setWebServiceContext(context);
         providerParameters.setTokenStore(getTokenStore());
+        providerParameters.setEncryptToken(encryptIssuedToken);
         
         KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
         TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
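Review bot: The added `providerParameters.setEncryptToken(encryptIssuedToken);` line quietly moves responsibility for encrypting the issued token from this class to every TokenProvider, and nothing at the call site records that contract. A provider written before this change, or a custom one, will ignore the flag and the operation now returns whatever the provider hands back. A comment on the added line such as `// Encryption of the issued token is delegated to the TokenProvider; see TokenProviderUtils.encryptToken` would make the handover visible, and the same sentence belongs on the TokenProvider interface where implementers will read it. createTokenProviderParameters begins and ends outside this hunk.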
@@ -542,47 +460,6 @@ public abstract class AbstractOperation {
         return providerParameters;
     }
     
-    /**
-     * Get the X509Certificate associated with the signature that was received. This cert
is to be used
-     * for encrypting the issued token.
-     */
-    private X509Certificate getReqSigCert(MessageContext context) {
-        @SuppressWarnings("unchecked")
-        List<WSHandlerResult> results = 
-            (List<WSHandlerResult>) context.get(WSHandlerConstants.RECV_RESULTS);
-        // DOM
-        X509Certificate cert = WSS4JUtils.getReqSigCert(results);
-        if (cert != null) {
-            return cert;
-        }
-        
-        // Streaming
-        @SuppressWarnings("unchecked")
-        final List<SecurityEvent> incomingEventList = 
-            (List<SecurityEvent>) context.get(SecurityEvent.class.getName() + ".in");
-        if (incomingEventList != null) {
-            for (SecurityEvent incomingEvent : incomingEventList) {
-                if (WSSecurityEventConstants.SignedPart == incomingEvent.getSecurityEventType()
-                    || WSSecurityEventConstants.SignedElement 
-                        == incomingEvent.getSecurityEventType()) {
-                    org.apache.xml.security.stax.securityToken.SecurityToken token = 
-                        ((AbstractSecuredElementSecurityEvent)incomingEvent).getSecurityToken();
-                    try {
-                        if (token != null && token.getX509Certificates() != null
-                            && token.getX509Certificates().length > 0) {
-                            return token.getX509Certificates()[0];
-                        }
-                    } catch (XMLSecurityException ex) {
-                        LOG.log(Level.FINE, ex.getMessage(), ex);
-                        return null;
-                    }
-                }
-            }
-        }
-        
-        return null;
-    }
-    
     protected TokenValidatorResponse validateReceivedToken(
             WebServiceContext context, String realm,
             TokenRequirements tokenRequirements, ReceivedToken token) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
index 39f5b6b..383535e 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
@@ -288,7 +288,10 @@ public class TokenIssueOperation extends AbstractOperation implements
IssueOpera
         JAXBElement<RequestedSecurityTokenType> requestedToken = 
             QNameConstants.WS_TRUST_FACTORY.createRequestedSecurityToken(requestedTokenType);
         LOG.fine("Encrypting Issued Token: " + encryptIssuedToken);
-        if (!encryptIssuedToken) {
+        if (encryptIssuedToken) {
+            requestedTokenType.setAny(tokenResponse.getToken());
+            response.getAny().add(requestedToken);
+        } else {
             if (tokenResponse.getToken() instanceof String) {
                 Document doc = DOMUtils.newDocument();
                 Element requestedTokenEl = doc.createElementNS(STSConstants.WST_NS_05_12,
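Review bot: The new `if (encryptIssuedToken)` branch places `tokenResponse.getToken()` into the response without any check that the provider actually encrypted it, whereas the code this replaces required an Element and performed the encryption itself. Encryption is now delegated through `TokenProviderParameters.isEncryptToken()`, so a provider that ignores the flag, or `TokenProviderUtils.encryptToken` handing back the plaintext element when no alias is configured, yields an unencrypted token with nothing more than a FINE log and no failure an operator would notice. Assuming the element returned by `encryptToken` is the `xenc:EncryptedData` that embedding the EncryptedKey should produce, a cheap fail-closed guard here is to reject anything that is not an Element in `WSConstants.ENC_NS` with local name `WSConstants.ENC_DATA_LN`, throwing `STSException(..., STSException.REQUEST_FAILED)` as the removed code did. The `LOG.fine("Encrypting Issued Token: " + encryptIssuedToken)` line is also now misleading, since this method no longer encrypts anything. The enclosing method extends beyond the hunk on both sides.
```java
        if (encryptIssuedToken) {
            Object issued = tokenResponse.getToken();
            // Fail closed: the provider was asked to encrypt, so anything other than
            // an xenc:EncryptedData element means the token would go out in the clear.
            if (!(issued instanceof Element)
                || !WSConstants.ENC_NS.equals(((Element) issued).getNamespaceURI())
                || !WSConstants.ENC_DATA_LN.equals(((Element) issued).getLocalName())) {
                throw new STSException("Issued token was not encrypted", STSException.REQUEST_FAILED);
            }
            requestedTokenType.setAny(issued);
            response.getAny().add(requestedToken);
        } else {
            // … unchanged: plaintext String / Element handling …
```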

@@ -299,17 +302,6 @@ public class TokenIssueOperation extends AbstractOperation implements
IssueOpera
                 requestedTokenType.setAny(tokenResponse.getToken());
                 response.getAny().add(requestedToken);
             }
-        } else {
-            if (!(tokenResponse.getToken() instanceof Element)) {
-                throw new STSException("Error in creating the response", STSException.REQUEST_FAILED);
-            }
-            requestedTokenType.setAny(
-                encryptToken(
-                    (Element)tokenResponse.getToken(), tokenResponse.getTokenId(), 
-                    encryptionProperties, keyRequirements, webServiceContext
-                )
-            );
-            response.getAny().add(requestedToken);
         }
 
         if (returnReferences) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java
index e7cba56..f4815f4 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java
@@ -225,16 +225,7 @@ public class TokenRenewOperation extends AbstractOperation implements
RenewOpera
         JAXBElement<RequestedSecurityTokenType> requestedToken = 
             QNameConstants.WS_TRUST_FACTORY.createRequestedSecurityToken(requestedTokenType);
         LOG.fine("Encrypting Issued Token: " + encryptIssuedToken);
-        if (!encryptIssuedToken) {
-            requestedTokenType.setAny(tokenRenewerResponse.getToken());
-        } else {
-            requestedTokenType.setAny(
-                encryptToken(
-                    tokenRenewerResponse.getToken(), tokenRenewerResponse.getTokenId(), 
-                    encryptionProperties, keyRequirements, webServiceContext
-                )
-            );
-        }
+        requestedTokenType.setAny(tokenRenewerResponse.getToken());
         response.getAny().add(requestedToken);
 
         if (returnReferences) {
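Review bot: The replacement line `requestedTokenType.setAny(tokenRenewerResponse.getToken());` removes encryption from the renew path with no substitute: only TokenProviderParameters gains `setEncryptToken` in this commit, and no renewer-side file appears in the diffstat, so a renewed token is now returned in the clear even when the STS is configured to encrypt issued tokens. Unless a later commit in this series wires an equivalent flag into TokenRenewerParameters and the SAML renewer, this is a regression, and the preceding `LOG.fine("Encrypting Issued Token: " + encryptIssuedToken)` line now reports something that no longer happens. Until the renewer path is wired, keeping the old `else` branch with the moved helper preserves the previous guarantee: `requestedTokenType.setAny(TokenProviderUtils.encryptToken(tokenRenewerResponse.getToken(), tokenRenewerResponse.getTokenId(), stsProperties, encryptionProperties, keyRequirements, webServiceContext));` (presumably the inherited `stsProperties` is accessible here; confirm). The enclosing method extends beyond the hunk on both sides.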

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
index 3d5d762..ad6b386 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
@@ -137,7 +137,7 @@ public class SAMLTokenProvider extends AbstractSAMLTokenProvider implements
Toke
             }
             
             TokenProviderResponse response = new TokenProviderResponse();
-            response.setToken(token);
+            
             String tokenType = tokenRequirements.getTokenType();
             if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) 
                 || WSConstants.SAML2_NS.equals(tokenType)) {
@@ -146,6 +146,15 @@ public class SAMLTokenProvider extends AbstractSAMLTokenProvider implements
Toke
                 response.setTokenId(token.getAttributeNS(null, "AssertionID"));
             }
             
+            if (tokenParameters.isEncryptToken()) {
+                token = TokenProviderUtils.encryptToken(token, response.getTokenId(), 
+                                                        tokenParameters.getStsProperties(),

+                                                        tokenParameters.getEncryptionProperties(),

+                                                        keyRequirements,
+                                                        tokenParameters.getWebServiceContext());
+            }
+            response.setToken(token);
+            
             DateTime validFrom = null;
             DateTime validTill = null;
             if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
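Review bot: The six-argument `TokenProviderUtils.encryptToken(...)` call added here is repeated almost verbatim in SCTProvider and DummyTokenProvider in this same commit, each provider hand-wiring `getStsProperties()`, `getEncryptionProperties()`, the key requirements and `getWebServiceContext()` out of the same parameters object. An overload `encryptToken(Element element, String id, TokenProviderParameters params)` that unpacks the bundle itself would reduce each call to one line and remove the chance of a provider passing mismatched properties; this hunk passes a local `keyRequirements` where the other two pass `tokenParameters.getKeyRequirements()`, presumably the same object, but worth confirming. `encryptToken` declares `throws WSSecurityException`; if `createToken` does not already catch it (not visible in the hunk), the call needs a handler that wraps it in an STSException. The enclosing createToken method extends beyond the hunk on both sides.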

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java
index c00af45..93f3a08 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java
@@ -26,6 +26,8 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 
 import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.sts.STSConstants;
@@ -123,7 +125,6 @@ public class SCTProvider implements TokenProvider {
             sct.setID(wssConfig.getIdAllocator().createId("sctId-", sct));
     
             TokenProviderResponse response = new TokenProviderResponse();
-            response.setToken(sct.getElement());
             response.setTokenId(sct.getIdentifier());
             if (returnEntropy) {
                 response.setEntropy(keyHandler.getEntropyBytes());
@@ -173,6 +174,17 @@ public class SCTProvider implements TokenProvider {
             }
             
             tokenParameters.getTokenStore().add(token);
+            
+            if (tokenParameters.isEncryptToken()) {
+                Element el = TokenProviderUtils.encryptToken(sct.getElement(), response.getTokenId(),

+                                                        tokenParameters.getStsProperties(),

+                                                        tokenParameters.getEncryptionProperties(),

+                                                        tokenParameters.getKeyRequirements(),
+                                                        tokenParameters.getWebServiceContext());
+                response.setToken(el);
+            } else {
+                response.setToken(sct.getElement());
+            }
 
             // Create the references
             TokenReference attachedReference = new TokenReference();

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderParameters.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderParameters.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderParameters.java
index 35841b6..aeb5798 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderParameters.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderParameters.java
@@ -52,6 +52,7 @@ public class TokenProviderParameters {
     private Map<String, Object> additionalProperties;
     private TokenStore tokenStore;
     private String realm;
+    private boolean encryptToken;
     
     public TokenStore getTokenStore() {
         return tokenStore;
@@ -156,5 +157,13 @@ public class TokenProviderParameters {
     public void setRequestedSecondaryClaims(ClaimCollection requestedSecondaryClaims) {
         this.requestedSecondaryClaims = requestedSecondaryClaims;
     }
+
+    public boolean isEncryptToken() {
+        return encryptToken;
+    }
+
+    public void setEncryptToken(boolean encryptToken) {
+        this.encryptToken = encryptToken;
+    }
     
 }
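Review bot: The new `isEncryptToken`/`setEncryptToken` pair carries no Javadoc, and since this flag now decides whether a provider must encrypt the token it returns, the contract should be stated where implementers will see it. Suggested on the getter: `/** Whether the TokenProvider must encrypt the token it returns, using the STS encryption properties (see TokenProviderUtils.encryptToken). */`, with a matching one-line `@param` on the setter. The field declaration in the earlier hunk would also benefit from a short trailing comment saying the same.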

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
index 406c02e..53ef14b 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
@@ -18,17 +18,37 @@
  */
 package org.apache.cxf.sts.token.provider;
 
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.List;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 
 import javax.xml.bind.JAXBElement;
 import javax.xml.namespace.QName;
+import javax.xml.ws.WebServiceContext;
+import javax.xml.ws.handler.MessageContext;
 
+import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.sts.STSConstants;
+import org.apache.cxf.sts.STSPropertiesMBean;
+import org.apache.cxf.sts.request.KeyRequirements;
+import org.apache.cxf.sts.service.EncryptionProperties;
 import org.apache.cxf.ws.addressing.EndpointReferenceType;
+import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
+import org.apache.wss4j.common.WSEncryptionPart;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.message.WSSecEncrypt;
+import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 
 public final class TokenProviderUtils {
     
@@ -79,4 +99,119 @@ public final class TokenProviderUtils {
         return null;
     }
 
+    /**
+     * Encrypt a Token element using the given arguments.
+     */
+    public static Element encryptToken(
+        Element element, 
+        String id, 
+        STSPropertiesMBean stsProperties,
+        EncryptionProperties encryptionProperties,
+        KeyRequirements keyRequirements,
+        WebServiceContext context
+    ) throws WSSecurityException {
+        String name = encryptionProperties.getEncryptionName();
+        if (name == null) {
+            name = stsProperties.getEncryptionUsername();
+        }
+        if (name == null) {
+            LOG.fine("No encryption alias is configured");
+            return element;
+        }
+        
+        // Get the encryption algorithm to use
+        String encryptionAlgorithm = keyRequirements.getEncryptionAlgorithm();
+        if (encryptionAlgorithm == null) {
+            // If none then default to what is configured
+            encryptionAlgorithm = encryptionProperties.getEncryptionAlgorithm();
+        } else {
+            List<String> supportedAlgorithms = 
+                encryptionProperties.getAcceptedEncryptionAlgorithms();
+            if (!supportedAlgorithms.contains(encryptionAlgorithm)) {
+                encryptionAlgorithm = encryptionProperties.getEncryptionAlgorithm();
+                if (LOG.isLoggable(Level.FINE)) {
+                    LOG.fine("EncryptionAlgorithm not supported, defaulting to: " + encryptionAlgorithm);
+                }
+            }
+        }
+        // Get the key-wrap algorithm to use
+        String keyWrapAlgorithm = keyRequirements.getKeywrapAlgorithm();
+        if (keyWrapAlgorithm == null) {
+            // If none then default to what is configured
+            keyWrapAlgorithm = encryptionProperties.getKeyWrapAlgorithm();
+        } else {
+            List<String> supportedAlgorithms = 
+                encryptionProperties.getAcceptedKeyWrapAlgorithms();
+            if (!supportedAlgorithms.contains(keyWrapAlgorithm)) {
+                keyWrapAlgorithm = encryptionProperties.getKeyWrapAlgorithm();
+                if (LOG.isLoggable(Level.FINE)) {
+                    LOG.fine("KeyWrapAlgorithm not supported, defaulting to: " + keyWrapAlgorithm);
+                }
+            }
+        }
+        
+        WSSecEncrypt builder = new WSSecEncrypt();
+        if (WSHandlerConstants.USE_REQ_SIG_CERT.equals(name)) {
+            X509Certificate cert = getReqSigCert(context.getMessageContext());
+            builder.setUseThisCert(cert);
+        } else {
+            builder.setUserInfo(name);
+        }
+        builder.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
+        builder.setSymmetricEncAlgorithm(encryptionAlgorithm);
+        builder.setKeyEncAlgo(keyWrapAlgorithm);
+        builder.setEmbedEncryptedKey(true);
+        
+        WSEncryptionPart encryptionPart = new WSEncryptionPart(id, "Element");
+        encryptionPart.setElement(element);
+        
+        Document doc = element.getOwnerDocument();
+        doc.appendChild(element);
+                                 
+        builder.prepare(element.getOwnerDocument(), stsProperties.getEncryptionCrypto());
+        builder.encryptForRef(null, Collections.singletonList(encryptionPart));
+        
+        return doc.getDocumentElement();
+    }
+    
+    /**
+     * Get the X509Certificate associated with the signature that was received. This cert
is to be used
+     * for encrypting the issued token.
+     */
+    public static X509Certificate getReqSigCert(MessageContext context) {
+        @SuppressWarnings("unchecked")
+        List<WSHandlerResult> results = 
+            (List<WSHandlerResult>) context.get(WSHandlerConstants.RECV_RESULTS);
+        // DOM
+        X509Certificate cert = WSS4JUtils.getReqSigCert(results);
+        if (cert != null) {
+            return cert;
+        }
+        
+        // Streaming
+        @SuppressWarnings("unchecked")
+        final List<SecurityEvent> incomingEventList = 
+            (List<SecurityEvent>) context.get(SecurityEvent.class.getName() + ".in");
+        if (incomingEventList != null) {
+            for (SecurityEvent incomingEvent : incomingEventList) {
+                if (WSSecurityEventConstants.SignedPart == incomingEvent.getSecurityEventType()
+                    || WSSecurityEventConstants.SignedElement 
+                        == incomingEvent.getSecurityEventType()) {
+                    org.apache.xml.security.stax.securityToken.SecurityToken token = 
+                        ((AbstractSecuredElementSecurityEvent)incomingEvent).getSecurityToken();
+                    try {
+                        if (token != null && token.getX509Certificates() != null
+                            && token.getX509Certificates().length > 0) {
+                            return token.getX509Certificates()[0];
+                        }
+                    } catch (XMLSecurityException ex) {
+                        LOG.log(Level.FINE, ex.getMessage(), ex);
+                        return null;
+                    }
+                }
+            }
+        }
+        
+        return null;
+    }
 }
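Review bot: `encryptToken` returns the plaintext element when no encryption alias is resolved (`if (name == null) { LOG.fine("No encryption alias is configured"); return element; }`), so a provider that was told to encrypt receives an unencrypted token and cannot tell the difference. That behaviour is inherited from the deleted AbstractOperation method, but now that the operations no longer post-check the result, the utility should at least log at WARNING, e.g. `LOG.warning("No encryption alias is configured; returning the token unencrypted");`, and failing closed with a WSSecurityException is worth considering for a helper whose whole purpose is encryption. Separately, `getReqSigCert` was private in AbstractOperation and becomes `public static` here although its only visible caller is `encryptToken` in this class; `private static` keeps the API surface unchanged. Both Javadoc comments lack `@param`/`@return`/`@throws`; `encryptToken` should document that `id` appears to be the identifier the WSEncryptionPart is built from and so must match `element`, and that `context` must be non-null when `USE_REQ_SIG_CERT` is the configured name, since it is dereferenced without a check.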

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/DummyTokenProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/DummyTokenProvider.java
b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/DummyTokenProvider.java
index 87b7ea3..b8d590f 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/DummyTokenProvider.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/DummyTokenProvider.java
@@ -20,10 +20,12 @@
 package org.apache.cxf.sts.operation;
 
 import org.w3c.dom.Document;
+import org.w3c.dom.Element;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.sts.token.provider.TokenProvider;
 import org.apache.cxf.sts.token.provider.TokenProviderParameters;
 import org.apache.cxf.sts.token.provider.TokenProviderResponse;
+import org.apache.cxf.sts.token.provider.TokenProviderUtils;
 import org.apache.cxf.ws.security.sts.provider.STSException;
 import org.apache.wss4j.common.token.BinarySecurity;
 import org.apache.wss4j.dom.WSConstants;
@@ -64,6 +66,17 @@ public class DummyTokenProvider implements TokenProvider {
             response.setToken(bst.getElement());
             response.setTokenId(id);
             
+            if (tokenParameters.isEncryptToken()) {
+                Element el = TokenProviderUtils.encryptToken(bst.getElement(), response.getTokenId(),

+                                                        tokenParameters.getStsProperties(),

+                                                        tokenParameters.getEncryptionProperties(),

+                                                        tokenParameters.getKeyRequirements(),
+                                                        tokenParameters.getWebServiceContext());
+                response.setToken(el);
+            } else {
+                response.setToken(bst.getElement());
+            }
+            
             return response;
         } catch (Exception e) {
             throw new STSException("Can't serialize SAML assertion", e, STSException.REQUEST_FAILED);
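Review bot: The context line `response.setToken(bst.getElement());` just above the new block is now redundant: the added `if`/`else` sets the token on both paths, so the earlier assignment is immediately overwritten. Either drop that earlier line or drop the `else` branch and keep only `if (tokenParameters.isEncryptToken()) { ... response.setToken(el); }`. This is test code, so it is harmless, but the dummy provider is the shape other providers copy, so it should show the intended pattern once.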

