Skip navigation links

oracle.security.xmlsec.wss
Class WSSecurity

java.lang.Object
oracle.security.xmlsec.util.XMLNode
oracle.security.xmlsec.util.XMLElement
oracle.security.xmlsec.wss.WSSecurity

public class WSSecurity

extends oracle.security.xmlsec.util.XMLElement

This class represents a wsse:Security header block in a SOAPEnvelope. It provides methods for signing and encrypting messages and security tokens.

Creating WSSecurity objects

• From existing XML If you are parsing a WSSecurity header, and you already have the DOM Element, or SOAPHeaderElement you can create a WSSecurity wrapper around it by this function
  WSSecurity(Element)
  Or you can use one of
  • getAllSecurityHeaders(javax.xml.soap.SOAPEnvelope),
  • getSecurityHeaders(javax.xml.soap.SOAPEnvelope, String)
  • or getMustUnderstandSecurityHeaders(javax.xml.soap.SOAPEnvelope, String)
  to get the security headers in a given SOAPEnvelope
  Note: the WSecurity object and all other objects in WSS and XMLSEC OSDT are simply thin "wrappers" over the corresponding DOM Element. They have no member data and are extremely transient. i.e. the get methods always create a new wrapper.
• New XML If you are constructing a new WSSecurity header, you can use one of these methods
  newInstance(Document) to create a new Element and a new WSSecurity wrapper over it. Note the new Element is not appended to any DOM node
  newInstance(javax.xml.soap.SOAPEnvelope) to create a new SOAPHeaderElement and a new WSSecurity wrapper over it

Specifying keys and STRs

Whenever you encrypt or sign, you must provide the key that is to be used by OSDT to perform the encryption or signing. However you also need to provide a hint (which is typically a SecurityTokenReference) to the reciever, so that they do the corresponding decryption or verification.

There are a whole series of methods createSTR_foo to create these STRs. You need to use one of these methods to create an STR, and pass it as the KeyInfoData argument to the encrypt or sign methods. These methods will not try to dereference the STR, they will simply insert the STR into the document. But the verify and decrypt methods will try to dereference the STRs unless the key is provided.

• createSTR_X509_IssuerSerial(X509Certificate)
• createSTR_X509_SKI(X509Certificate)
• createSTR_X509_ThumbprintSHA1(X509Certificate)
• createSTR_X509_Ref(String). Before using this you must create an X509Certificate BST using createBST_X509(X509Certificate) or createBST_X509(CertPath), assign an id to the BST and pass the ID as the Uri .
• createSTR_SAML_AssertionIdv11(byte[])
• createSTR_SAML_AssertionIdv11(byte[], AuthorityBinding)
• createSTR_SAML_AssertionIdv20(byte[])
• createSTR_SAML_Assertion_Ref20(String)
• createSTR_Username_Ref(String)

Encryption

For encryption there are two main methods. All other encrypt methods are wrappers over these methods

• With EncryptedKey If you want to encrypt a bunch of elements (or attachments) using a common symmetric key (usually randomly generated), and then encrypt that symmetric key with the receipient's key, use this function:
  encryptWithEncKey(List, boolean[], String[], WSSEncryptionParams)
• With ReferenceList On the other hand if the recepient already knows a shared symmetric key, and you want to use that key for encrypting the elements (or attachments) then use:
  encryptNoEncKey(List, boolean[], String[], WSSEncryptionParams[])
  which allows each element to be encrypted by a different key. If you want to encrypt all elements (or attachments) by the same key, just pass in an array of size 1
  

Note: These methods take a list of objects to be encrypted, where each object can be either an XML Element , or any OSDT object that derives from OSDT XMLElement , or a SOAPHeader, or an AttachmentPart

Decryption

The simplest way to decrypt is to call decryptAll(SOAPMessage) which will go through all the top level ReferenceList and EncryptedKey elements and decrypt them. It will call the registered callbacks for obtaining the key to be used for decryption. The SOAPMessage parameter is only used for decrypting attachments, you can be null if you are not execting any attachments.

If you want to have more control over the decryption, you can call one of these methods

• With EncryptedKey When you want to decrypt all the elements (or attachments) mentioned in the ReferenceList of an EncryptedKey, use this :
  decrypt(XEEncryptedKey, PrivateKey, SOAPMessage), which will at first decrypt the EncryptedKey with the given PrivateKey to obtain a symmetric key, and then use this symmetric key to decrypt all the references inside the EncrytedKey.
  If you do not know the PrivateKey then call
  decrypt(XEEncryptedKey, SOAPMessage), which will look into the KeyInfo of the EncryptedKey and call the registered callbacks to obtain the private key
  On the other hand if you already know the decrypted form of the EncryptedKey then use this:
  decrypt(XEEncryptedKey, SecretKey, SOAPMessage), which will use the given symmetric key to decrypt all the references inside the EncryptedKey.
• With ReferenceList When you want to decrypt all the elements (or attachments) mentioned in a top level ReferenceList, use this:
  decrypt(XEReferenceList, SecretKey, SOAPMessage), which will use the given symmetric key to decrypt all the references inside the ReferenceList. This functions assumes that all the references are encrypted with the same key.
  If the do not know the SecretKey, or if all the references are not encryted with the same key then send in a null for the SecretKey, decrypt will then look into the KeyInfo of each of the EncrytedData and call the registerd callbacks to obtain the symmetric key
• With EncrytedData WSS 1.1 recommends that all EncryptedData SHOULD be referenced inside either a top level ReferenceList or a ReferenceList inside an EncryptedKey. However a client may choose not to do so, then the above two methods will not decrypt them. In that case you must use this method to directly decrypt each EncrytedData
  decrypt(XEEncryptedData, SecretKey, SOAPMessage) which will decrypt the EncryptedData with the given symmetric key
  If you do not know the SecretKey then send in a null instead, decrypt will then will look into the KeyInfo of the EncrytedData and call the registered callbacks to obtain the symmetric key

Signing

Use WSSignatureParams.WSSignatureParams(byte[], PrivateKey) to create a signature params object with the specified signing key, and then call some set methods to set the signing parameters and finally call
sign(String[], WSSecurityTokenReference[], WSSignatureParams) to sign a list of URIs which can be URIs to local elements, external uris, or cid references to attachments. You must set the WSSignatureParams.setSOAPMessage(SOAPMessage) if you have any cid references. Most of the other sign methods are deprecated.

Verification

The simplest way to decrypt is to call verifyAll(SOAPMessage) which will go through all the top level Signature elements and verify them. It will call the registered callbacks for obtaining the key to be used for verification.

If you want to have more control over the verification, you shoulcd at first search for all the signature elements inside the WSSecurity header, and verify them individually

• Use verify(XSSignature, byte[], PublicKey, SOAPMessage) if you already know the verification key
• Use verify(XSSignature, boolean, SOAPMessage) if you want to look inside the KeyInfo to find out the verification key

Field Summary

Fields inherited from class oracle.security.xmlsec.util.XMLNode

node, systemId

Constructor Summary

WSSecurity(org.w3c.dom.Element element)
Creates a new WSSecurity instance from the given Element node.

WSSecurity(org.w3c.dom.Element element, java.lang.String systemId)
Creates a new WSSecurity instance from the given Element node.

Method Summary

void	addKerberosToken(KerberosBinarySecurityToken token) Add a Kerberos Token.
void	addSAML2AssertionToken(SAML2AssertionToken token) Add a SAML2 Assertion Token.
void	addSAMLAssertionToken(SAMLAssertionToken token) Add a SAML Assertion Token.
void	addSecurityToken(org.w3c.dom.Element token) Add a Security Token.
void	addSecurityTokenReference(WSSecurityTokenReference ref) Add a Security Token Reference.
WSSignatureConfirmation	addSignatureConfirmation(java.lang.String signatureValue) Create a SignatureConfirmation element and prepend it this WSSecurity element
void	addSignatureConfirmation(WSSignatureConfirmation sigConfirm) Prepend a SignatureConfirmation element to this WSSecurity element Does a simple insert into the DOM To insert at some other user regular DOM insert/append calls
void	addUsernameToken(UsernameToken token) Add a Username Token.
static void	addWsuIdToElement(java.lang.String id, org.w3c.dom.Element element) Deprecated. replaced by WSSUtils.addWsuIdToElement(String, Element)
void	addX509CertificateToken(X509BinarySecurityToken token) Add a X.509 Certificate Token.
static byte[]	computeEncKeySHA1(oracle.security.xmlsec.enc.XEEncryptedKey encKey) Utility method to compute the SHA1 of an EncryptedKey
KerberosBinarySecurityToken	createBST_Kerberos(byte[] ap_req, java.lang.String valueType) Create a BST from an Kerberos AP_REQ packet or a GSS wrapped AP_REQ packet
X509BinarySecurityToken	createBST_X509(java.security.cert.CertPath certpath) Create an BST from an X509Certificate CertPath
X509BinarySecurityToken	createBST_X509(java.security.cert.X509Certificate cert) Create an BST from an X509Certificate cert.
oracle.security.xmlsec.enc.XEEncryptedData	createEncryptedData(java.lang.String dataType) Creates a new XEEncryptedData element in this WSSecurity's document, but does not append it to the WSSecurity element.
oracle.security.xmlsec.enc.XEEncryptedKey	createEncryptedKey() Creates a new XEEncryptedKey element in this WSSecurity's document, but does not append it to the WSSecurity element.
oracle.security.xmlsec.dsig.XSSignature	createSignature() Creates a new XSSignature element in this WSSecurity's document, but does not append it to the WSSecurity element.
oracle.security.xmlsec.dsig.XSSignature	createSignature(java.lang.String id) Creates a new Signature element in this document, but does not append it to the WSSecurity element.
java.util.List	createSignatureConfirmations(org.w3c.dom.Document doc) Create a List of SignatureConfirmation elements correspnding to the Signature elements in this WSSecurity element.
WSSecurityTokenReference	createSTR_EncKeyRef(java.lang.String uri) Create an STR to an EncryptedKey that is in the document.
WSSecurityTokenReference	createSTR_EncKeySHA1(byte[] sha1) Create an STR to an EncryptedKey that is NOT in the document.
WSSecurityTokenReference	createSTR_KerberosKeyIdSHA1(byte[] ap_req, java.lang.String valueType) Create an STR to a Kerberos ap-req may not be in the document.
WSSecurityTokenReference	createSTR_KerberosKeyRef(java.lang.String uri, java.lang.String valueType) Create an STR to a Keberos BST that is in the document.
WSSecurityTokenReference	createSTR_SAML_Assertion_Ref20(java.lang.String uri) Create an STR to local or remote SAML v2.0 Assertion.
WSSecurityTokenReference	createSTR_SAML_AssertionIdv11(byte[] assertionId) Create an STR to local SAML v1.1 AssertionID.
WSSecurityTokenReference	createSTR_SAML_AssertionIdv11(byte[] assertionId, oracle.security.xmlsec.saml.AuthorityBinding authorityBinding) Create an STR to an external SAML v1.1 AssertionID.
WSSecurityTokenReference	createSTR_SAML_AssertionIdv20(byte[] assertionId) Create an STR to local SAML v2.0 AssertionID.
WSSecurityTokenReference	createSTR_Username_Ref(java.lang.String uri) Create an STR to an UsernameToken.
WSSecurityTokenReference	createSTR_X509_IssuerSerial(java.security.cert.X509Certificate cert) Create an STR to an X509Certificate cert.
WSSecurityTokenReference	createSTR_X509_Ref(java.lang.String uri) Create an STR to an X509Certificate cert.
WSSecurityTokenReference	createSTR_X509_SKI(java.security.cert.X509Certificate cert) Create an STR to an X509Certificate cert.
WSSecurityTokenReference	createSTR_X509_ThumbprintSHA1(java.security.cert.X509Certificate cert) Create an STR to an X509Certificate cert.
static java.lang.Object	decrypt(oracle.security.xmlsec.enc.XEEncryptedData encData) Decrypts the EncrypedData element.
static java.lang.Object	decrypt(oracle.security.xmlsec.enc.XEEncryptedData encData, javax.crypto.SecretKey dataDecKey) Decrypts the EncrypedData element with the given key
static java.lang.Object	decrypt(oracle.security.xmlsec.enc.XEEncryptedData encData, javax.crypto.SecretKey dataDecKey, javax.xml.soap.SOAPMessage msg) Decrypts the EncrypedData element with the given key
static java.util.List	decrypt(oracle.security.xmlsec.enc.XEEncryptedKey encKey) Decrypts all the EncrypedData elements referenced by the given EncryptedKey element
static java.util.List	decrypt(oracle.security.xmlsec.enc.XEEncryptedKey encKey, java.security.PrivateKey keyDecKey) Decrypts all the EncrypedData elements referenced by the given EncryptedKey element
static java.util.List	decrypt(oracle.security.xmlsec.enc.XEEncryptedKey encKey, java.security.PrivateKey keyDecKey, javax.xml.soap.SOAPMessage msg) Decrypts all the EncrypedData elements referenced by the given EncryptedKey element
static java.util.List	decrypt(oracle.security.xmlsec.enc.XEEncryptedKey encKey, javax.crypto.SecretKey dataDecKey) Decrypts all the EncrypedData elements referenced by the given EncryptedKey element
static java.util.List	decrypt(oracle.security.xmlsec.enc.XEEncryptedKey encKey, javax.crypto.SecretKey dataDecKey, javax.xml.soap.SOAPMessage msg) Decrypts all the EncrypedData elements referenced by the given EncryptedKey element
static java.util.List	decrypt(oracle.security.xmlsec.enc.XEEncryptedKey encKey, javax.xml.soap.SOAPMessage msg) Decrypts all the EncrypedData elements referenced by the given EncryptedKey element
static java.util.List	decrypt(oracle.security.xmlsec.enc.XEReferenceList refList) Decrypts the EncrypedData/EncryptedHeader elements referenced by the given ReferenceList element in this structure.
static java.util.List	decrypt(oracle.security.xmlsec.enc.XEReferenceList refList, javax.crypto.SecretKey symKey) Decrypts the EncrypedData/EncryptedHeader elements referenced by the given ReferenceList element in this structure.
static java.util.List	decrypt(oracle.security.xmlsec.enc.XEReferenceList refList, javax.crypto.SecretKey symKey, javax.xml.soap.SOAPMessage msg)
void	decryptAll() Decrypts all the EncryptedData child elements and replaces the EncrypteData element with the decrypted XML result.
void	decryptAll(javax.xml.soap.SOAPMessage msg)
void	encrypt(org.w3c.dom.Element element, boolean contentOnly, java.lang.String dataEncAlg, javax.crypto.SecretKey dataEncKey, java.security.PublicKey keyEncKey, java.lang.String keyEncAlg, java.lang.String keyEncKeyName, byte[] certId) Perform encryption of the Security Header content.
void	encrypt(org.w3c.dom.Element element, boolean contentOnly, java.lang.String dataEncAlg, javax.crypto.SecretKey dataEncKey, java.security.cert.X509Certificate keyEncCert, java.lang.String keyEncAlg) Perform encryption of the Security Header content.
void	encrypt(org.w3c.dom.Element element, boolean contentOnly, java.lang.String dataEncAlg, java.lang.String usernameTokenURI, KeyDerivator keyDerivator) Deprecated.
void	encrypt(org.w3c.dom.Element element, boolean contentOnly, java.lang.String dataEncAlg, java.lang.String keyEncKeyURI, java.lang.String keyEncAlg) Perform encryption of the Security Header content.
void	encrypt(org.w3c.dom.Element element, boolean contentOnly, java.lang.String dataEncAlg, java.lang.String certTokenURI, java.lang.String keyEncAlg, javax.crypto.SecretKey dataEncKey) Perform encryption of the Security Header content.
void	encrypt(org.w3c.dom.Element element, boolean contentOnly, java.lang.String encDataId, WSSEncryptionParams encParam) Encrypt an element with a content key.
void	encrypt(org.w3c.dom.Element element, boolean contentOnly, WSSEncryptionParams encParams) Deprecated. Replaced by encrypt(Element, boolean, String, SecretKey, PublicKey, String, String, byte[])
void	encrypt(java.util.List elements, boolean[] contentOnlys, java.lang.String dataEncAlg, javax.crypto.SecretKey dataEncKey, java.security.PublicKey keyEncKey, java.lang.String keyEncAlg, java.lang.String keyEncKeyName, byte[] certId) Perform encryption of a list of elements, all with the same content key.
void	encrypt(java.util.List elements, boolean[] contentOnlys, java.lang.String dataEncAlg, javax.crypto.SecretKey dataEncKey, java.security.cert.X509Certificate keyEncCert, java.lang.String keyEncAlg) Perform encryption of a list of elements, all with the same content key.
void	encrypt(java.util.List elements, boolean[] contentOnlys, java.lang.String dataEncAlgURI, java.lang.String usernameTokenURI, KeyDerivator keyDerivator) Deprecated.
void	encrypt(java.util.List elements, boolean[] contentOnlys, java.lang.String dataEncAlg, java.lang.String keyEncKeyURI, java.lang.String keyEncAlg) Perform encryption of the Security Header content.
void	encrypt(java.util.List elements, boolean[] contentOnlys, java.lang.String dataEncAlg, java.lang.String certTokenURI, java.lang.String keyEncAlg, javax.crypto.SecretKey dataEncKey) Perform encryption of the Security Header content.
void	encrypt(java.util.List elements, boolean[] contentOnlys, WSSEncryptionParams encParams) Deprecated. Replaced by encrypt(List, boolean[], String, SecretKey, PublicKey, String, String, byte[])
oracle.security.xmlsec.enc.XEReferenceList	encryptNoEncKey(java.util.List elements, boolean[] contentOnlys, java.lang.String[] encDataIds, WSSEncryptionParams[] encParams) Encrypt a list of elements (or attachments), each with a different content key.
oracle.security.xmlsec.enc.XEEncryptedKey	encryptWithEncKey(java.util.List elements, boolean[] contentOnlys, java.lang.String[] encDataIds, WSSEncryptionParams encParam) Encrypt of a list of elements, all with the same content key and encrypt that content key with a public key.
static WSSecurity[]	getAllSecurityHeaders(javax.xml.soap.SOAPEnvelope env) Get all the wsse:Security headers in this envelope.
java.util.List	getBinaryTokens() Returns the list of Binary Security Tokens.
java.util.List	getEncryptedAssertions() Returns the list of EncryptedAssertion (SAML2) Elements.
java.util.List	getEncryptedData() Returns all the EncryptedData elements in this WSSecurity block.
java.util.List	getEncryptedKeys() Returns all the EncryptedKey elements in this WSSecurity block.
static WSSecurity[]	getMustUnderstandSecurityHeaders(javax.xml.soap.SOAPEnvelope env, java.lang.String actor) Get all the wsse:Security headers in this envelope.
java.util.List	getReferenceLists() Returns all the ReferenceList elements in this WSSecurity block.
java.util.List	getSAML2AssertionTokens() Returns the list of SAML2 Assertion Security Tokens.
java.util.List	getSAMLAssertionTokens() Returns the list of SAML Assertion Security Tokens.
static WSSecurity[]	getSecurityHeaders(javax.xml.soap.SOAPEnvelope env, java.lang.String actor) Get all the wsse:Security headers in this envelope.
WSSecurityToken	getSecurityTokenByWsuID(java.lang.String id) Get the Security token corresponding to the WSU identifier.
java.util.List	getSignatures() Returns all the Signature elements in this WSSecurity header block.
java.lang.String[]	getSignatureValues() Return a list of Signature values of all the top level Signature elements in this WSSecurity element.
WSUTimestamp	getTimestamp() Get the token Timestamp.
java.util.List	getUsernameTokens() Returns the list of Username Security Tokens.
static WSSecurity	newInstance(org.w3c.dom.Document owner) Creates a new WSSecurity instance using the given owner document, but does not append it to any element.
static WSSecurity	newInstance(org.w3c.dom.Document owner, java.lang.String id) Creates a new WSSecurity instance using the given owner document, but does not append it to any element.
static WSSecurity	newInstance(javax.xml.soap.SOAPEnvelope env) Create a new WSSecurity instance using the given SOAPEnvelope.
static WSSecurity	newInstance(java.lang.String id) Creates a new WSSecurity instance in a new owner document, and makes it the root element of the document.
void	setTimestamp(WSUTimestamp timeStamp) Set the token Timestamp.
void	sign(java.lang.String[] uris, UsernameToken token, KeyDerivator keyDerivator, java.lang.String digestAlg, java.lang.String c14NAlg, java.lang.String signatureAlg, boolean usingDecryptionTransform) Deprecated. KeyDerivator was used before WSS 1.1, Instead use UsernameToken.deriveKey(char[], byte[], int) to derive the password, and call the regular sign method
void	sign(java.lang.String[] uris, UsernameToken token, KeyDerivator keyDerivator, java.lang.String digestAlg, java.lang.String c14NAlg, java.lang.String signatureAlg, oracle.security.xmlsec.dsig.XSAlgorithmIdentifier[] trans, boolean usingDecryptionTransform) Deprecated.
void	sign(java.lang.String[] uris, WSSecurityTokenReference[] refs, WSSignatureParams sigParams) Deprecated. Combine the uris and the refs into one list of uris and call sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][])
oracle.security.xmlsec.dsig.XSSignature	sign(java.lang.String[] uris, WSSignatureParams sigParams, oracle.security.xmlsec.dsig.XSAlgorithmIdentifier[][] trans) Signs a list of URIs using an HMAC key or a PrivateKey.
void	sign(java.lang.String[] uris, WSSKeyIdentifier keyId, java.security.PrivateKey privKey, java.lang.String digestAlg, java.lang.String c14NAlg, java.lang.String signatureAlg, boolean usingDecryptionTransform) Deprecated. Use sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][]) instead
void	sign(java.lang.String[] uris, WSSKeyIdentifier keyId, java.security.PrivateKey privKey, java.lang.String digestAlg, java.lang.String c14NAlg, java.lang.String signatureAlg, oracle.security.xmlsec.dsig.XSAlgorithmIdentifier[] trans, boolean usingDecryptionTransform) Deprecated. Use the createSTR_XXX methods to create a KeyIdentifier and then pass it to sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][])
void	sign(java.lang.String[] uris, X509BinarySecurityToken token, java.security.PrivateKey privKey, java.lang.String digestAlg, java.lang.String c14NAlg, java.lang.String signatureAlg, boolean usingDecryptionTransform) Deprecated. Use createSTR_X509_IssuerSerial(X509Certificate) to create an STR, and then send that to sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][])
void	sign(java.lang.String[] uris, X509BinarySecurityToken token, java.security.PrivateKey privKey, java.lang.String digestAlg, java.lang.String c14NAlg, java.lang.String signatureAlg, oracle.security.xmlsec.dsig.XSAlgorithmIdentifier[] trans, boolean usingDecryptionTransform) Deprecated. Use createSTR_X509_IssuerSerial(X509Certificate) to create an STR, and then send that to sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][])
void	sign(java.lang.String[] uris, X509IssuerSerial certIASN, java.security.PrivateKey privKey, java.lang.String digestAlg, java.lang.String c14NAlg, java.lang.String signatureAlg, boolean usingDecryptionTransform) Deprecated. Use createSTR_X509_IssuerSerial(X509Certificate) to create an STR, and then send that to sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][])
void	sign(java.lang.String[] uris, X509IssuerSerial certIASN, java.security.PrivateKey privKey, java.lang.String digestAlg, java.lang.String c14NAlg, java.lang.String signatureAlg, oracle.security.xmlsec.dsig.XSAlgorithmIdentifier[] trans, boolean usingDecryptionTransform) Deprecated. Use createSTR_X509_IssuerSerial(X509Certificate) to create an STR, and then send that to sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][])
void	sign(java.lang.String uri, UsernameToken token, KeyDerivator keyDerivator, java.lang.String digestAlg, java.lang.String c14NAlg, java.lang.String signatureAlg, boolean usingDecryptionTransform) Deprecated. KeyDerivator was used before WSS 1.1, Instead use UsernameToken.deriveKey(char[], byte[], int) to derive the password, and call the regular sign method
void	sign(java.lang.String uri, WSSignatureParams sigParams) Sign a single URI.
void	sign(WSSecurityTokenReference ref, WSSignatureParams sigParams) Deprecated. Use sign(String, WSSignatureParams) which can sign both regular URIs and URIs to STRs.
boolean	verify(oracle.security.xmlsec.dsig.XSSignature sig) Verifies the given XSSignature, following the ds:Signature and ds:Reference validation process defined in [XML-SIG].
static boolean	verify(oracle.security.xmlsec.dsig.XSSignature sig, boolean searchDocument) Verifies the given XSSignature, following the ds:Signature and ds:Reference validation process defined in [XML-SIG].
static boolean	verify(oracle.security.xmlsec.dsig.XSSignature sig, boolean searchDocument, javax.xml.soap.SOAPMessage msg) Verifies the given XSSignature, following the ds:Signature and ds:Reference validation process defined in [XML-SIG].
static boolean	verify(oracle.security.xmlsec.dsig.XSSignature sig, byte[] hmacKey, java.security.PublicKey pubKey, javax.xml.soap.SOAPMessage msg) Verifies the given XSSignature using either the hmacKey or the pubKey, following the ds:Signature and ds:Reference validation process defined in [XML-SIG].
boolean	verify(oracle.security.xmlsec.dsig.XSSignature sig, javax.xml.soap.SOAPMessage msg) Verifies the given XSSignature, following the ds:Signature and ds:Reference validation process defined in [XML-SIG].
boolean	verifyAll() Verifies all of the XSSignatures in this wsse:Security header in accordance with the ds:Signature and ds:Reference validation process defined in [XML-SIG].
boolean	verifyAll(javax.xml.soap.SOAPMessage msg) Verifies all of the XSSignatures in this wsse:Security header in accordance with the ds:Signature and ds:Reference validation process defined in [XML-SIG].
boolean	verifySignatureConfirmations(java.lang.String[] sigValues) Verify the signature confirmations in this WSSecurity following the response processing rules for Signature Confirmation in the WS SEcurity 1.1 spec.

Methods inherited from class oracle.security.xmlsec.util.XMLElement

addNSPrefixAttr, addNSPrefixAttr, addNSPrefixAttrDefault, addNSPrefixAttrDefault, getAttribute, getAttributeNode, getAttributeNodeNS, getAttributeNS, getChildElementsByTagName, getChildElementsByTagName, getChildElementsByTagNameNS, getChildElementsByTagNameNS, getDefaultNSPrefix, getElement, getElementsByTagName, getElementsByTagNameNS, getTagName, hasAttribute, hasAttributeNS, removeAttribute, removeAttributeNode, removeAttributeNS, setAttribute, setAttributeNode, setAttributeNodeNS, setAttributeNS, setDefaultNSPrefix

Methods inherited from class oracle.security.xmlsec.util.XMLNode

appendChild, appendChild, appendTo, cloneNode, getAttributes, getChildNodes, getFirstChild, getLastChild, getLocalName, getNamespaceURI, getNextSibling, getNode, getNodeName, getNodeType, getNodeValue, getOwnerDocument, getParentNode, getPrefix, getPreviousSibling, getSystemId, hasAttributes, hasChildNodes, insertBefore, insertBefore, isSupported, normalize, removeChild, removeChild, replaceChild, replaceChild, setNodeValue, setPrefix, setSystemId, toBytesXML, toStringXML

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

WSSecurity

public WSSecurity(org.w3c.dom.Element element)

Creates a new WSSecurity instance from the given Element node.

Parameters:

element - An org.w3c.dom.Element that conforms to the wsse:Security schema.

WSSecurity

public WSSecurity(org.w3c.dom.Element element,
                  java.lang.String systemId)

Creates a new WSSecurity instance from the given Element node.

Parameters:

element - An org.w3c.dom.Element that conforms to the wsse:WSSecurity schema.

systemId - The URI string system ID for this XSSignature.

Method Detail

newInstance

public static WSSecurity newInstance(java.lang.String id)

Creates a new WSSecurity instance in a new owner document, and makes it the root element of the document.

Parameters:

id - An optional string ID name for the wsse:Security element.

Returns:

The new WSSecurity instance.

newInstance

public static WSSecurity newInstance(org.w3c.dom.Document owner)

Creates a new WSSecurity instance using the given owner document, but does not append it to any element.

Parameters:

owner - The XML Document to be used as the owner document of this structure.

Returns:

The new WSSecurity instance.

newInstance

public static WSSecurity newInstance(javax.xml.soap.SOAPEnvelope env)
                              throws javax.xml.soap.SOAPException

Create a new WSSecurity instance using the given SOAPEnvelope. This method uses SOAPHeader.addHeaderElement(javax.xml.soap.Name) to create the WSSecurity header, so you can get the underlying WSSecurity element by casting WSSecurity.getElement() to a SOAPHeaderElement

  WSSecurity ws = WSSecurity.newInstance(env); 
  SOAPHeaderElement el = (SOAPHeaderElement)ws.getElement();
 

Parameters:

env -

Returns:

The new WSSecurity instance.

Throws:

javax.xml.soap.SOAPException

newInstance

public static WSSecurity newInstance(org.w3c.dom.Document owner,
                                     java.lang.String id)

Creates a new WSSecurity instance using the given owner document, but does not append it to any element.

Parameters:

owner - The XML Document to be used as the owner document of this structure.

id - An optional string ID name for the wsse:Security element.

Returns:

The new WSSecurity instance.

getAllSecurityHeaders

public static WSSecurity[] getAllSecurityHeaders(javax.xml.soap.SOAPEnvelope env)
                                          throws javax.xml.soap.SOAPException

Get all the wsse:Security headers in this envelope. Calls SOAPHeader.examineAllHeaderElements() to get a list of headers, and of them returns the ones that are wsse:Security

Parameters:

env -

Returns:

an array of WSSecurity headers

Throws:

javax.xml.soap.SOAPException

getSecurityHeaders

public static WSSecurity[] getSecurityHeaders(javax.xml.soap.SOAPEnvelope env,
                                              java.lang.String actor)
                                       throws javax.xml.soap.SOAPException

Get all the wsse:Security headers in this envelope. Calls SOAPHeader.examineHeaderElements(String) to get a list of headers for a specified actor(in SOAP 1.1) or role (in SOAP 1.2), and of them returns the ones that are wsse:Security

Parameters:

env -

Returns:

an array of WSSecurity headers

Throws:

javax.xml.soap.SOAPException

getMustUnderstandSecurityHeaders

public static WSSecurity[] getMustUnderstandSecurityHeaders(javax.xml.soap.SOAPEnvelope env,
                                                            java.lang.String actor)
                                                     throws javax.xml.soap.SOAPException

Get all the wsse:Security headers in this envelope. Calls SOAPHeader.examineMustUnderstandHeaderElements(String) to get a list of headers for a specified actor(in SOAP 1.1) or role (in SOAP 1.2), which have mustUnderstand=true and of them returns the ones that are wsse:Security

Parameters:

env -

Returns:

an array of WSSecurity headers

Throws:

javax.xml.soap.SOAPException

createSignature

public oracle.security.xmlsec.dsig.XSSignature createSignature(java.lang.String id)

Creates a new Signature element in this document, but does not append it to the WSSecurity element.

Parameters:

id - An optional string ID name for the Signature element.

Returns:

A new XSSignature instance.

addUsernameToken

public void addUsernameToken(UsernameToken token)

Add a Username Token.

The Username Token will be imported if it is in a different org.w3c.dom.Document.

Parameters:

token - The Security Token to add.

addX509CertificateToken

public void addX509CertificateToken(X509BinarySecurityToken token)

Add a X.509 Certificate Token.

The X.509 Certificate Token will be imported if it is in a different org.w3c.dom.Document.

Parameters:

token - The Security Token to add.

addKerberosToken

public void addKerberosToken(KerberosBinarySecurityToken token)

Add a Kerberos Token.

The Kerberos Token will be imported if it is in a different org.w3c.dom.Document.

Parameters:

token - The Security Token to add.

addSAMLAssertionToken

public void addSAMLAssertionToken(SAMLAssertionToken token)

Add a SAML Assertion Token.

The SAML Assertione Token will be imported if it is in a different org.w3c.dom.Document.

Parameters:

token - The Security Token to add.

addSAML2AssertionToken

public void addSAML2AssertionToken(SAML2AssertionToken token)

Add a SAML2 Assertion Token.

The SAML2 Assertione Token will be imported if it is in a different org.w3c.dom.Document.

Parameters:

token - The Security Token to add.

addSecurityToken

public void addSecurityToken(org.w3c.dom.Element token)

Add a Security Token.

The input token element is not schema validated.

The Security Token will be imported if it is in a different org.w3c.dom.Document.

Parameters:

token - The Security Token element to add.

addSecurityTokenReference

public void addSecurityTokenReference(WSSecurityTokenReference ref)

Add a Security Token Reference.

Parameters:

ref - The Security Token reference to add.

setTimestamp

public void setTimestamp(WSUTimestamp timeStamp)

Set the token Timestamp.

Parameters:

timeStamp - The timestamp.

getTimestamp

public WSUTimestamp getTimestamp()

Get the token Timestamp.

Returns:

The timestamp.

encrypt

public void encrypt(org.w3c.dom.Element element,
                    boolean contentOnly,
                    java.lang.String dataEncAlg,
                    java.lang.String usernameTokenURI,
                    KeyDerivator keyDerivator)
             throws WSSException

Deprecated.

Perform encryption of the Security Header content.

The keyEncKeyURI must be a reference to a X.509 Token or a SAML Assertion token with a Holder of Key saml:ConfirmationMethod.

Parameters:

element - The element to encrypt.

contentOnly - If true only encrypt the children of the element else encrypt the whole element.

dataEncAlg - The content encryption algorithm.

usernameTokenURI - The UsernameToken URI.

keyDerivator - The key derivation interface to use.

Throws:

WSSException

encrypt

public void encrypt(java.util.List elements,
                    boolean[] contentOnlys,
                    java.lang.String dataEncAlgURI,
                    java.lang.String usernameTokenURI,
                    KeyDerivator keyDerivator)
             throws WSSException

Deprecated.

Perform encryption of the Security Header content.

The usernameTokenURI must be a reference to an Username Token.

Parameters:

elements - The list of org.w3c.dom.Elements to encrypt.

contentOnlys - The List of boolean values for each List elements.If true only encrypt the children of the corresponding List element else encrypt the entire corresponding List element.

dataEncAlgURI - The content encryption algorithm.

usernameTokenURI - The UsernameToken URI.

keyDerivator - The key derivation interface to use.

Throws:

WSSException

encrypt

public void encrypt(org.w3c.dom.Element element,
                    boolean contentOnly,
                    java.lang.String dataEncAlg,
                    java.lang.String certTokenURI,
                    java.lang.String keyEncAlg,
                    javax.crypto.SecretKey dataEncKey)
             throws WSSException

Perform encryption of the Security Header content.

The keyEncKeyURI must be a reference to a X.509 Token or a SAML Assertion token with a Holder of Key saml:ConfirmationMethod.

Parameters:

element - The element to encrypt.

contentOnly - If true only encrypt the children of the element else encrypt the whole element.

dataEncAlg - The content encryption algorithm.

certTokenURI - The X.509 certificate token URI.

keyEncAlg - The key key encryption algorithm.

dataEncKey - The content encryption key.

Throws:

WSSException

encrypt

public void encrypt(java.util.List elements,
                    boolean[] contentOnlys,
                    java.lang.String dataEncAlg,
                    java.lang.String certTokenURI,
                    java.lang.String keyEncAlg,
                    javax.crypto.SecretKey dataEncKey)
             throws WSSException

Perform encryption of the Security Header content.

The keyEncKeyURI must be a reference to a X.509 Token or a SAML Assertion token with a Holder of Key saml:ConfirmationMethod.

Parameters:

elements - The list of org.w3c.dom.Elements to encrypt.

contentOnlys - The List of boolean values for each List elements.If true only encrypt the children of the corresponding List element else encrypt the entire corresponding List element.

dataEncAlg - The content encryption algorithm.

certTokenURI - The X.509 certificate token URI.

keyEncAlg - The key key encryption algorithm.

dataEncKey - The content encryption key.

Throws:

WSSException

encrypt

public void encrypt(org.w3c.dom.Element element,
                    boolean contentOnly,
                    java.lang.String dataEncAlg,
                    java.lang.String keyEncKeyURI,
                    java.lang.String keyEncAlg)
             throws WSSException

Perform encryption of the Security Header content.

The keyEncKeyURI must be a reference to a X.509 Token or a SAML Assertion token with a Holder of Key saml:ConfirmationMethod.

Parameters:

element - The element to encrypt.

contentOnly - If true only encrypt the children of the element else encrypt the whole element.

dataEncAlg - The content encryption algorithm.

keyEncKeyURI - The key encryption certificate URI.

keyEncAlg - The key encryption algorithm.

Throws:

WSSException

encrypt

public void encrypt(java.util.List elements,
                    boolean[] contentOnlys,
                    java.lang.String dataEncAlg,
                    java.lang.String keyEncKeyURI,
                    java.lang.String keyEncAlg)
             throws WSSException

Perform encryption of the Security Header content.

The keyEncKeyURI must be a reference to a X.509 Token or a SAML Assertion token with a Holder of Key saml:ConfirmationMethod.

Parameters:

elements - The list of org.w3c.dom.Elements to encrypt.

contentOnlys - The List of boolean values for each List elements.If true only encrypt the children of the corresponding List element else encrypt the entire corresponding List element.

dataEncAlg - The content encryption algorithm.

keyEncKeyURI - The key encryption certificate URI.

keyEncAlg - The key encryption algorithm.

Throws:

WSSException

sign

public void sign(java.lang.String uri,
                 UsernameToken token,
                 KeyDerivator keyDerivator,
                 java.lang.String digestAlg,
                 java.lang.String c14NAlg,
                 java.lang.String signatureAlg,
                 boolean usingDecryptionTransform)
          throws WSSException

Deprecated. KeyDerivator was used before WSS 1.1, Instead use UsernameToken.deriveKey(char[], byte[], int) to derive the password, and call the regular sign method

Perform signing of the Security Header content using an HMAC key that is derived from the Username security token..

Parameters:

uri - The URI of the element to encrypt.

token - The Username security token used to derive the signing HMAC key.

keyDerivator - The key derivation class.

digestAlg - The message digest algorithm.

c14NAlg - The canonicalization algorithm.

signatureAlg - The signature algorithm.

usingDecryptionTransform - Indicates the use of the decryption transform.

Throws:

WSSException

sign

public void sign(java.lang.String[] uris,
                 UsernameToken token,
                 KeyDerivator keyDerivator,
                 java.lang.String digestAlg,
                 java.lang.String c14NAlg,
                 java.lang.String signatureAlg,
                 boolean usingDecryptionTransform)
          throws WSSException

Deprecated. KeyDerivator was used before WSS 1.1, Instead use UsernameToken.deriveKey(char[], byte[], int) to derive the password, and call the regular sign method

Perform signing of the Security Header content using an HMAC key that is derived from the Username security token..

Parameters:

uris - The URI list of org.w3c.dom.Elements to encrypt.

token - The Username security token used to derive the signing HMAC key.

keyDerivator - The key derivation class.

digestAlg - The message digest algorithm.

c14NAlg - The canonicalization algorithm.

signatureAlg - The signature algorithm.

usingDecryptionTransform - Indicates the use of the decryption transform.

Throws:

WSSException

sign

public void sign(java.lang.String[] uris,
                 UsernameToken token,
                 KeyDerivator keyDerivator,
                 java.lang.String digestAlg,
                 java.lang.String c14NAlg,
                 java.lang.String signatureAlg,
                 oracle.security.xmlsec.dsig.XSAlgorithmIdentifier[] trans,
                 boolean usingDecryptionTransform)
          throws WSSException

Deprecated.

Perform signing of the Security Header content using an HMAC key that is derived from the Username security token..

Parameters:

uris - The URI list of org.w3c.dom.Elements to encrypt.

token - The Username security token used to derive the signing HMAC key.

keyDerivator - The key derivation class.

digestAlg - The message digest algorithm.

c14NAlg - The canonicalization algorithm.

signatureAlg - The signature algorithm.

trans - The list of ds:Reference transforms

usingDecryptionTransform - Indicates the use of the decryption transform.

Throws:

WSSException

sign

public oracle.security.xmlsec.dsig.XSSignature sign(java.lang.String[] uris,
                                                    WSSignatureParams sigParams,
                                                    oracle.security.xmlsec.dsig.XSAlgorithmIdentifier[][] trans)
                                             throws WSSException

Signs a list of URIs using an HMAC key or a PrivateKey. Creates a Signature element that includes all the passed in references in the order they are given. Prepends this Signature element to this WSSecurity header and returns the Signature element

Note

• Some of the references can be "cid:" references, i.e. references to attachments. If so, You must set the WSSignatureParams.setSOAPMessage(SOAPMessage) so that the cid references can be resolved.
• If you want to include the KeyInfo in the signature, then use WSSignatureParams.setKeyInfoId(String) to set an id for the KeyInfo, and include that Id in the uris[]
• If you set the WSSignatureParams.setUsingSTRTransform(boolean) to true then all URIs that refer to KeyInfo or STRs will get automatically get an STRTransform

There are two ways of specifing the tranforms

• Simple Set trans to be null, and set the parameters
  WSSignatureParams.setAttachmentContentOnly(boolean),
  WSSignatureParams.setUsingSTRTransform(boolean)
WSSignatureParams.setUsingDecryptTranform(boolean)
  and WSSignatureParams.setCommonTrans(XSAlgorithmIdentifier[])
  In this case, each attachment reference gets a AttachmentContent or AttachmentComplete transform, and STR or KeyInfo references gets an STRTransform, and all other references get an excC14N transform
• Advanced Fill up the trans array with the exact list of transformations for each reference. If trans is not null, trans.length must be equal to uris.length otherwise and IllegalArgumentException is thrown. Also if trans is non null, the parameters mentioned above are ignored

  Parameters:

  uris - A list of references to be signed. Can have references to attachments as well i.e. cid: references

  sigParams - the signature parameters

  trans - advanced way of specifying transforms

  Returns:

  the newly created Signature element

  Throws:

  WSSException

  encrypt

  public void encrypt(org.w3c.dom.Element element,
                      boolean contentOnly,
                      WSSEncryptionParams encParams)
               throws WSSException
  

  Deprecated. Replaced by encrypt(Element, boolean, String, SecretKey, PublicKey, String, String, byte[])

  Perform encryption of the Security Header content.

  Parameters:

  element - The element to encrypt.

  contentOnly - If true only encrypt the children of the element else encrypt the whole element.

  encParams - The encryption algorithm and key parameters.

  Throws:

  WSSException

  encrypt

  public void encrypt(org.w3c.dom.Element element,
                      boolean contentOnly,
                      java.lang.String dataEncAlg,
                      javax.crypto.SecretKey dataEncKey,
                      java.security.PublicKey keyEncKey,
                      java.lang.String keyEncAlg,
                      java.lang.String keyEncKeyName,
                      byte[] certId)
               throws WSSException
  

  Perform encryption of the Security Header content.

  Parameters:

  element - The element to encrypt.

  contentOnly - If true only encrypt the children of the element else encrypt the whole element.

  dataEncAlg - The content encryption algorithm.

  dataEncKey - The content encryption key. If set to null, a randomly generated key will be used.

  keyEncKey - The key encryption key that will be used to secure the content encryption key.

  keyEncAlg - The key encryption algorithm.

  keyEncKeyName - The optional key encryption key name.

  certId - The optional key certificate identifier.

  Throws:

  WSSException

  encrypt

  public void encrypt(java.util.List elements,
                      boolean[] contentOnlys,
                      WSSEncryptionParams encParams)
               throws WSSException
  

  Deprecated. Replaced by encrypt(List, boolean[], String, SecretKey, PublicKey, String, String, byte[])

  Perform encryption of the Security Header content.

  Parameters:

  elements - The list of org.w3c.dom.Elements to encrypt.

  contentOnlys - The List of boolean values for each List elements.If true only encrypt the children of the corresponding List element else encrypt the entire corresponding List element.

  encParams - The encryption algorithm and key parameters.

  Throws:

  WSSException

  encrypt

  public void encrypt(org.w3c.dom.Element element,
                      boolean contentOnly,
                      java.lang.String dataEncAlg,
                      javax.crypto.SecretKey dataEncKey,
                      java.security.cert.X509Certificate keyEncCert,
                      java.lang.String keyEncAlg)
               throws WSSException
  

  Perform encryption of the Security Header content.

  Parameters:

  element - The org.w3c.dom.Elements to encrypt.

  contentOnly - If true only encrypt the children of the corresponding List element else encrypt the entire corresponding List element.

  dataEncAlg - The content encryption key.

  dataEncKey - The content encryption key. If set to null, a randomly generated key will be used.

  keyEncCert - The key encryption certificate that will be used to secure the content encryption key.

  keyEncAlg - The key encryption algorithm.

  Throws:

  WSSException

  encrypt

  public void encrypt(java.util.List elements,
                      boolean[] contentOnlys,
                      java.lang.String dataEncAlg,
                      javax.crypto.SecretKey dataEncKey,
                      java.security.cert.X509Certificate keyEncCert,
                      java.lang.String keyEncAlg)
               throws WSSException
  

  Perform encryption of a list of elements, all with the same content key.

  Parameters:

  elements - The list of org.w3c.dom.Elements to encrypt.

  contentOnlys - The List of boolean values for each List elements.If true only encrypt the children of the corresponding List element else encrypt the entire corresponding List element.

  dataEncAlg - The content encryption key.

  dataEncKey - The content encryption key. If set to null, a randomly generated key will be used.

  keyEncCert - The key encryption certificate that will be used to secure the content encryption key.

  keyEncAlg - The key encryption algorithm.

  Throws:

  WSSException

  encrypt

  public void encrypt(java.util.List elements,
                      boolean[] contentOnlys,
                      java.lang.String dataEncAlg,
                      javax.crypto.SecretKey dataEncKey,
                      java.security.PublicKey keyEncKey,
                      java.lang.String keyEncAlg,
                      java.lang.String keyEncKeyName,
                      byte[] certId)
               throws WSSException
  

  Perform encryption of a list of elements, all with the same content key.

  Parameters:

  elements - The list of org.w3c.dom.Elements to encrypt.

  contentOnlys - The List of boolean values for each List elements.If true only encrypt the children of the corresponding List element else encrypt the entire corresponding List element.

  dataEncAlg - The content encryption algorithm

  dataEncKey - The content encryption key. If set to null, a randomly generated key will be used.

  keyEncKey - The key encryption key that will be used to secure the content encryption key.

  keyEncAlg - The key encryption algorithm.

  keyEncKeyName - The optional key encryption key name.

  certId - The optional key certificate identifier.

  Throws:

  WSSException

  encrypt

  public void encrypt(org.w3c.dom.Element element,
                      boolean contentOnly,
                      java.lang.String encDataId,
                      WSSEncryptionParams encParam)
               throws WSSException
  

  Encrypt an element with a content key.

  Convenience method to call encryptNoEncKey(List, boolean[], String[], WSSEncryptionParams[]) when there is only one element to encrypt

  Throws:

  WSSException

  encryptNoEncKey

  public oracle.security.xmlsec.enc.XEReferenceList encryptNoEncKey(java.util.List elements,
                                                                    boolean[] contentOnlys,
                                                                    java.lang.String[] encDataIds,
                                                                    WSSEncryptionParams[] encParams)
                                                             throws WSSException
  

  Encrypt a list of elements (or attachments), each with a different content key.

  This function :

  • encrypts each of the given elements with the corresponding content key
  • adds the given ID (or randomly generated one) to each encrypted element
  • creates a <KeyInfo> element inside each encrypted element containing the correspondinf keyInfoData. The keyInfoData is what receiver uses to retrieve the content key
  • creates an <ReferenceList> to refer to all the encrypted elements by their IDs, amd prepends the ReferenceList into this WSSecurity header

  Parameters:

  elements - The list of org.w3c.dom.Elements to encrypt.

  contentOnlys - For each element (or attachment) whether to encrypt the body of the element only (or body of attachment only) or encrypt the entire element (or attachment body + selected headers). If set to null all items in this array are assumed to be false..

  encDataIds - The IDs to put in each encrypted element. If set to null the IDs are generated

  encParams - Used to obtain the parameters for encryption. If the same content encryption key is to be used for all elements (or attachments) pass in an array with only WSSEncryptionParam object.

  • WSSEncryptionParams.getDataEncryptionAlg() should return the content encryption Algorithm to be used for each element(or attachment)
  • WSSEncryptionParams.getDataEncryptionKey() should return the content encryption Key. to be used for each element (or attachment) If a null content encryption key set, a randomly generated key will be used.
  • WSSEncryptionParams.getKeyInfoData() should return the keyInfoData to be put inside each EncryptedData If set to null no KeyInfo will be added to the EncryptedData
  • WSSEncryptionParams.getIv() should return the Initialization vector, if null a random IV is generated. Use IV only for test programs where you want the cipher text to be the same in every run.

  Throws:

  WSSException

  java.lang.IllegalArgumentException

  encryptWithEncKey

  public oracle.security.xmlsec.enc.XEEncryptedKey encryptWithEncKey(java.util.List elements,
                                                                     boolean[] contentOnlys,
                                                                     java.lang.String[] encDataIds,
                                                                     WSSEncryptionParams encParam)
                                                              throws WSSException
  

  Encrypt of a list of elements, all with the same content key and encrypt that content key with a public key.

  This function :

  • generates a new content key if the given content key in null
  • encrypts each of the given elements (or attachments) with this content key
  • adds the given ID (or randomly generated one) to each encrypted element
  • encrypts the content key with the given public key
  • creates an <EncryptedKey> element to hold this encrypted content key and prepends it to this WSSecurity header
  • creates an <ReferenceList> inside the <EncryptedKey> to refer to all the encrypted elements by their IDs.
  • creates a <KeyInfo> element inside the <EncryptedKey> and inserts the given keyInfoData inside <KeyInfo>. The keyInfoData is what receiver uses to retrieve the PrivateKey corresponding to this PublicKey.

  Parameters:

  elements - The list of Element (or AttachmentPart) to encrypt.

  contentOnlys - For each element (or attachment) whether to encrypt the body of the element only (or body of attachment only) or encrypt the entire element (or attachment body + selected headers). If set to null all items in this array are assumed to be false.

  encDataIds - The IDs to put in each encrypted element. If set to null the IDs are generated

  encParam - Used to obtain the parameters for encryption

  • WSSEncryptionParams.getDataEncryptionAlg() should return the content encryption Algorithm
  • WSSEncryptionParams.getDataEncryptionKey() should return the content encryption Key. If a null content encryption key set, a randomly generated key will be used.
  • WSSEncryptionParams.getKeyEncryptionAlg() should return the content encryption Algorithm
  • WSSEncryptionParams.getKeyEncryptionKey() should return the content encryption Key
  • WSSEncryptionParams.getKeyInfoData() should return the keyInfoData to be put inside the EncryptedKey.
  • WSSEncryptionParams.getIv() should return the Initialization vector, if null a random IV is generated. Note, if you specify an IV, the same IV will be used for all the elements (or attachments), which is not secure. Use IV only for test programs where you want the cipher text to be the same in every run. If set to null no KeyInfo will be added to the EncryptedKey

  Throws:

  WSSException

  java.lang.IllegalArgumentException

  sign

  public void sign(java.lang.String[] uris,
                   X509BinarySecurityToken token,
                   java.security.PrivateKey privKey,
                   java.lang.String digestAlg,
                   java.lang.String c14NAlg,
                   java.lang.String signatureAlg,
                   boolean usingDecryptionTransform)
            throws WSSException,
                   oracle.security.xmlsec.keys.retrieval.KeyRetrievalException
  

  Deprecated. Use createSTR_X509_IssuerSerial(X509Certificate) to create an STR, and then send that to sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][])

  Perform signing of the Security Header content.

  Parameters:

  uris - The URI List of the elements to encrypt.

  token - The X.509 certificate security token.

  privKey - The signing key.

  digestAlg - The message digest algorithm.

  c14NAlg - The canonicalization algorithm.

  signatureAlg - The signature algorithm.

  usingDecryptionTransform - Indicates the use of the decryption transform.

  Throws:

  WSSException

  oracle.security.xmlsec.keys.retrieval.KeyRetrievalException

  sign

  public void sign(java.lang.String[] uris,
                   X509BinarySecurityToken token,
                   java.security.PrivateKey privKey,
                   java.lang.String digestAlg,
                   java.lang.String c14NAlg,
                   java.lang.String signatureAlg,
                   oracle.security.xmlsec.dsig.XSAlgorithmIdentifier[] trans,
                   boolean usingDecryptionTransform)
            throws WSSException,
                   oracle.security.xmlsec.keys.retrieval.KeyRetrievalException
  

  Deprecated. Use createSTR_X509_IssuerSerial(X509Certificate) to create an STR, and then send that to sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][])

  Perform signing of the Security Header content.

  Parameters:

  uris - The URI List of the elements to encrypt.

  token - The X.509 certificate security token.

  privKey - The signing key.

  digestAlg - The message digest algorithm.

  c14NAlg - The canonicalization algorithm.

  signatureAlg - The signature algorithm.

  trans - The list of ds:Reference transforms.

  usingDecryptionTransform - Indicates the use of the decryption transform.

  Throws:

  WSSException

  oracle.security.xmlsec.keys.retrieval.KeyRetrievalException

  sign

  public void sign(java.lang.String[] uris,
                   X509IssuerSerial certIASN,
                   java.security.PrivateKey privKey,
                   java.lang.String digestAlg,
                   java.lang.String c14NAlg,
                   java.lang.String signatureAlg,
                   boolean usingDecryptionTransform)
            throws WSSException,
                   oracle.security.xmlsec.keys.retrieval.KeyRetrievalException
  

  Deprecated. Use createSTR_X509_IssuerSerial(X509Certificate) to create an STR, and then send that to sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][])

  Perform signing of the Security Header content.

  Parameters:

  uris - The URI List of the elements to encrypt.

  certIASN - The issuer and serial number of signing certificate.

  privKey - The signing key.

  digestAlg - The message digest algorithm.

  c14NAlg - The canonicalization algorithm.

  signatureAlg - The signature algorithm.

  usingDecryptionTransform - Indicates the use of the decryption transform.

  Throws:

  WSSException

  oracle.security.xmlsec.keys.retrieval.KeyRetrievalException

  sign

  public void sign(java.lang.String[] uris,
                   X509IssuerSerial certIASN,
                   java.security.PrivateKey privKey,
                   java.lang.String digestAlg,
                   java.lang.String c14NAlg,
                   java.lang.String signatureAlg,
                   oracle.security.xmlsec.dsig.XSAlgorithmIdentifier[] trans,
                   boolean usingDecryptionTransform)
            throws WSSException,
                   oracle.security.xmlsec.keys.retrieval.KeyRetrievalException
  

  Deprecated. Use createSTR_X509_IssuerSerial(X509Certificate) to create an STR, and then send that to sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][])

  Perform signing of the Security Header content.

  Parameters:

  uris - The URI List of the elements to encrypt.

  certIASN - The issuer and serial number of signing certificate.

  privKey - The signing key.

  digestAlg - The message digest algorithm.

  c14NAlg - The canonicalization algorithm.

  signatureAlg - The signature algorithm.

  trans - The list of ds:Reference transforms.

  usingDecryptionTransform - Indicates the use of the decryption transform.

  Throws:

  WSSException

  oracle.security.xmlsec.keys.retrieval.KeyRetrievalException

  sign

  public void sign(java.lang.String[] uris,
                   WSSKeyIdentifier keyId,
                   java.security.PrivateKey privKey,
                   java.lang.String digestAlg,
                   java.lang.String c14NAlg,
                   java.lang.String signatureAlg,
                   boolean usingDecryptionTransform)
            throws WSSException,
                   oracle.security.xmlsec.keys.retrieval.KeyRetrievalException
  

  Deprecated. Use sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][]) instead

  Perform signing of the Security Header content.

  Parameters:

  uris - The URI List of the elements to encrypt.

  keyId - The signing certificate public key identifier.

  privKey - The signing key. If null, the X509KeyIdentifierResolver will be used.

  digestAlg - The message digest algorithm.

  c14NAlg - The canonicalization algorithm.

  signatureAlg - The signature algorithm.

  usingDecryptionTransform - Indicates the use of the decryption transform.

  Throws:

  WSSException

  oracle.security.xmlsec.keys.retrieval.KeyRetrievalException

  sign

  public void sign(java.lang.String[] uris,
                   WSSKeyIdentifier keyId,
                   java.security.PrivateKey privKey,
                   java.lang.String digestAlg,
                   java.lang.String c14NAlg,
                   java.lang.String signatureAlg,
                   oracle.security.xmlsec.dsig.XSAlgorithmIdentifier[] trans,
                   boolean usingDecryptionTransform)
            throws WSSException,
                   oracle.security.xmlsec.keys.retrieval.KeyRetrievalException
  

  Deprecated. Use the createSTR_XXX methods to create a KeyIdentifier and then pass it to sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][])

  Perform signing of the Security Header content.

  Parameters:

  uris - The URI List of the elements to encrypt.

  keyId - The signing certificate public key identifier.

  privKey - The signing key. If null, the X509KeyIdentifierResolver will be used.

  digestAlg - The message digest algorithm.

  c14NAlg - The canonicalization algorithm.

  signatureAlg - The signature algorithm.

  trans - The list of ds:Reference transforms.

  usingDecryptionTransform - Indicates the use of the decryption transform.

  Throws:

  WSSException

  oracle.security.xmlsec.keys.retrieval.KeyRetrievalException

  sign

  public void sign(java.lang.String uri,
                   WSSignatureParams sigParams)
            throws WSSException
  

  Sign a single URI. Shortcut for calling sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][]) with only one uri and no transformations.

  Parameters:

  uri - The reference URI.

  sigParams - The signature algorithm and key parameters.

  Throws:

  WSSException

  sign

  public void sign(WSSecurityTokenReference ref,
                   WSSignatureParams sigParams)
            throws WSSException
  

  Deprecated. Use sign(String, WSSignatureParams) which can sign both regular URIs and URIs to STRs.

  Sign a single security token reference.

  Parameters:

  ref - The security token reference.

  sigParams - The signature algorithm and key parameters.

  Throws:

  WSSException

  sign

  public void sign(java.lang.String[] uris,
                   WSSecurityTokenReference[] refs,
                   WSSignatureParams sigParams)
            throws WSSException
  

  Deprecated. Combine the uris and the refs into one list of uris and call sign(String[], WSSignatureParams, XSAlgorithmIdentifier[][])

  Sign the security tokens and token references.

  Parameters:

  uris - The reference URI list.

  refs - The security token reference list.

  sigParams - The signature algorithm and key parameters.

  Throws:

  WSSException

  decryptAll

  public void decryptAll()
                  throws WSSException
  

  Decrypts all the EncryptedData child elements and replaces the EncrypteData element with the decrypted XML result. The decryption key is obtained by resolving the KeyInfo element. The decryption key for the bottom of the EncryptedData/EncryptedKey chain is obtained using the KeyRetriever facility.

  Throws:

  WSSException

  decryptAll

  public void decryptAll(javax.xml.soap.SOAPMessage msg)
                  throws WSSException
  

  Throws:

  WSSException

  getReferenceLists

  public java.util.List getReferenceLists()
  

  Returns all the ReferenceList elements in this WSSecurity block.

  Returns:

  The List of xenc:ReferenceList elements.

  decrypt

  public static java.util.List decrypt(oracle.security.xmlsec.enc.XEReferenceList refList,
                                       javax.crypto.SecretKey symKey)
                                throws WSSException
  

  Decrypts the EncrypedData/EncryptedHeader elements referenced by the given ReferenceList element in this structure.

  Parameters:

  refList - The list of encrypted references.

  symKey - The content decryption key.

  Throws:

  WSSException

  decrypt

  public static java.util.List decrypt(oracle.security.xmlsec.enc.XEReferenceList refList,
                                       javax.crypto.SecretKey symKey,
                                       javax.xml.soap.SOAPMessage msg)
                                throws WSSException
  

  Throws:

  WSSException

  decrypt

  public static java.util.List decrypt(oracle.security.xmlsec.enc.XEReferenceList refList)
                                throws WSSException
  

  Decrypts the EncrypedData/EncryptedHeader elements referenced by the given ReferenceList element in this structure. Each Encrypted should specify its own key in its keyInfo section

  Parameters:

  refList - The list of encrypted references.

  Throws:

  WSSException

  getEncryptedKeys

  public java.util.List getEncryptedKeys()
  

  Returns all the EncryptedKey elements in this WSSecurity block.

  Returns:

  The List of EncryptedKey elements (oracle.security.xmlsec.enc.XEEncryptedKey).

  getEncryptedData

  public java.util.List getEncryptedData()
  

  Returns all the EncryptedData elements in this WSSecurity block.

  Returns:

  The List of EncryptedData elements (oracle.security.xmlsec.enc.XEEncryptedData).

  decrypt

  public static java.util.List decrypt(oracle.security.xmlsec.enc.XEEncryptedKey encKey,
                                       java.security.PrivateKey keyDecKey)
                                throws WSSException
  

  Decrypts all the EncrypedData elements referenced by the given EncryptedKey element

  Parameters:

  encKey - The EncryptedKey element whose references will be decrypted.

  keyDecKey - The key to decrypt the content encryption key.

  Returns:

  a list of decrypted Elements

  Throws:

  WSSException

  decrypt

  public static java.util.List decrypt(oracle.security.xmlsec.enc.XEEncryptedKey encKey,
                                       java.security.PrivateKey keyDecKey,
                                       javax.xml.soap.SOAPMessage msg)
                                throws WSSException
  

  Decrypts all the EncrypedData elements referenced by the given EncryptedKey element

  Parameters:

  encKey - The EncryptedKey element whose references will be decrypted.

  keyDecKey - The key to decrypt the content encryption key.

  Returns:

  a list of decrypted Elements or AttachmentParts

  Throws:

  WSSException

  decrypt

  public static java.util.List decrypt(oracle.security.xmlsec.enc.XEEncryptedKey encKey)
                                throws WSSException
  

  Decrypts all the EncrypedData elements referenced by the given EncryptedKey element

  The decryption key is obtained from the KeyRetriever facility.

  Parameters:

  encKey - The EncryptedKey element whose references are to be decrypted.

  Returns:

  a list of decrypted Elements

  Throws:

  WSSException

  oracle.security.xmlsec.keys.retrieval.KeyRetrievalException

  decrypt

  public static java.util.List decrypt(oracle.security.xmlsec.enc.XEEncryptedKey encKey,
                                       javax.xml.soap.SOAPMessage msg)
                                throws WSSException
  

  Decrypts all the EncrypedData elements referenced by the given EncryptedKey element

  The decryption key is obtained from the KeyRetriever facility.

  Parameters:

  encKey - The EncryptedKey element whose references are to be decrypted.

  Returns:

  a list of decrypted Elements or AttachmentParts

  Throws:

  WSSException

  oracle.security.xmlsec.keys.retrieval.KeyRetrievalException

  decrypt

  public static java.lang.Object decrypt(oracle.security.xmlsec.enc.XEEncryptedData encData,
                                         javax.crypto.SecretKey dataDecKey)
                                  throws WSSException
  

  Decrypts the EncrypedData element with the given key

  Parameters:

  encData - The EncryptedData element.

  dataDecKey - the key to be used for decrypting the data

  Returns:

  a decrypted Element

  Throws:

  WSSException

  oracle.security.xmlsec.keys.retrieval.KeyRetrievalException

  decrypt

  public static java.lang.Object decrypt(oracle.security.xmlsec.enc.XEEncryptedData encData,
                                         javax.crypto.SecretKey dataDecKey,
                                         javax.xml.soap.SOAPMessage msg)
                                  throws WSSException
  

  Decrypts the EncrypedData element with the given key

  Parameters:

  encData - The EncryptedData element.

  dataDecKey - the key to be used for decrypting the data

  msg -

  Returns:

  a decrypted Element or AttachmentPart

  Throws:

  WSSException

  decrypt

  public static java.lang.Object decrypt(oracle.security.xmlsec.enc.XEEncryptedData encData)
                                  throws WSSException
  

  Decrypts the EncrypedData element.

  The decryption key is obtained from the KeyRetriever facility.

  Parameters:

  encData - The EncryptedData element.

  Returns:

  a decrypted Element

  Throws:

  WSSException

  oracle.security.xmlsec.keys.retrieval.KeyRetrievalException

  decrypt

  public static java.util.List decrypt(oracle.security.xmlsec.enc.XEEncryptedKey encKey,
                                       javax.crypto.SecretKey dataDecKey)
                                throws WSSException
  

  Decrypts all the EncrypedData elements referenced by the given EncryptedKey element

  Parameters:

  encKey - The encrypted key instance.

  dataDecKey - The content decryption key to use to decrypt the EncryptedData elements, if null is passed, then the EncryptedKey will be decrypted with a key obtained from the keyretriever to get the dataDecKey

  Returns:

  a list of decrypted Elements

  Throws:

  WSSException

  decrypt

  public static java.util.List decrypt(oracle.security.xmlsec.enc.XEEncryptedKey encKey,
                                       javax.crypto.SecretKey dataDecKey,
                                       javax.xml.soap.SOAPMessage msg)
                                throws WSSException
  

  Decrypts all the EncrypedData elements referenced by the given EncryptedKey element

  Parameters:

  encKey - The encrypted key instance.

  dataDecKey - The content decryption key to use to decrypt the EncryptedData elements, if null is passed, then the EncryptedKey will be decrypted with a key obtained from the keyretriever to get the dataDecKey

  msg - required for decrypting attachments

  Returns:

  a list of decrypted Elements or AttachmentParts

  Throws:

  WSSException

  getSignatures

  public java.util.List getSignatures()
  

  Returns all the Signature elements in this WSSecurity header block.

  Returns:

  The List of Signature elements.

  verify

  public boolean verify(oracle.security.xmlsec.dsig.XSSignature sig)
                 throws WSSException
  

  Verifies the given XSSignature, following the ds:Signature and ds:Reference validation process defined in [XML-SIG].

  Parameters:

  sig - The signature instance to verify.

  Returns:

  true if the signature verifies correctly, false if the signature cannot be verified.

  Throws:

  WSSException

  verify

  public boolean verify(oracle.security.xmlsec.dsig.XSSignature sig,
                        javax.xml.soap.SOAPMessage msg)
                 throws WSSException
  

  Verifies the given XSSignature, following the ds:Signature and ds:Reference validation process defined in [XML-SIG].

  Parameters:

  sig - The signature instance to verify.

  msg - The SOAPMessage for resolving attachment references

  Returns:

  true if the signature verifies correctly, false if the signature cannot be verified.

  Throws:

  WSSException

  verify

  public static boolean verify(oracle.security.xmlsec.dsig.XSSignature sig,
                               boolean searchDocument)
                        throws WSSException
  

  Verifies the given XSSignature, following the ds:Signature and ds:Reference validation process defined in [XML-SIG].

  Parameters:

  sig - The signature instance to verify.

  searchDocument - If available, use the signing certificate present in the same Document.

  Returns:

  true if the signature verifies correctly, false if the signature cannot be verified.

  Throws:

  WSSException

  verify

  public static boolean verify(oracle.security.xmlsec.dsig.XSSignature sig,
                               byte[] hmacKey,
                               java.security.PublicKey pubKey,
                               javax.xml.soap.SOAPMessage msg)
                        throws WSSException
  

  Verifies the given XSSignature using either the hmacKey or the pubKey, following the ds:Signature and ds:Reference validation process defined in [XML-SIG].

  Parameters:

  sig - The signature instance to verify.

  hmacKey - hmac verification key

  pubKey - public key for vertification

  msg - used only for attachment verification

  Returns:

  true if the signature verifies correctly, false if the signature cannot be verified.

  Throws:

  WSSException

  java.lang.NullPointerException - if both hmacKey and pubKey are null

  verify

  public static boolean verify(oracle.security.xmlsec.dsig.XSSignature sig,
                               boolean searchDocument,
                               javax.xml.soap.SOAPMessage msg)
                        throws WSSException
  

  Verifies the given XSSignature, following the ds:Signature and ds:Reference validation process defined in [XML-SIG].

  Parameters:

  sig - The signature instance to verify.

  searchDocument - If available, use the signing certificate present in the same Document.

  msg - used only for attachment verification

  Returns:

  true if the signature verifies correctly, false if the signature cannot be verified.

  Throws:

  WSSException

  verifyAll

  public boolean verifyAll()
                    throws WSSException
  

  Verifies all of the XSSignatures in this wsse:Security header in accordance with the ds:Signature and ds:Reference validation process defined in [XML-SIG].

  Returns:

  true if all the signatures verify correctly, false if at least one signature cannot be verified.

  Throws:

  WSSException

  verifyAll

  public boolean verifyAll(javax.xml.soap.SOAPMessage msg)
                    throws WSSException
  

  Verifies all of the XSSignatures in this wsse:Security header in accordance with the ds:Signature and ds:Reference validation process defined in [XML-SIG].

  Parameters:

  msg - The SOAPMessage for resolving attachment references

  Returns:

  true if all the signatures verify correctly, false if at least one signature cannot be verified.

  Throws:

  WSSException

  addWsuIdToElement

  public static void addWsuIdToElement(java.lang.String id,
                                       org.w3c.dom.Element element)
  

  Deprecated. replaced by WSSUtils.addWsuIdToElement(String, Element)

  Adds a global wsu:Id attribute to the given element in this SOAPEnvelope.

  Parameters:

  id - The attribute value.

  element - The org.w3c.dom.Element whose wsu:Id attribute will be set.

  createSignature

  public oracle.security.xmlsec.dsig.XSSignature createSignature()
                                                          throws org.w3c.dom.DOMException
  

  Creates a new XSSignature element in this WSSecurity's document, but does not append it to the WSSecurity element.

  Returns:

  A new XSSignature.

  Throws:

  org.w3c.dom.DOMException

  createEncryptedData

  public oracle.security.xmlsec.enc.XEEncryptedData createEncryptedData(java.lang.String dataType)
                                                                 throws org.w3c.dom.DOMException
  

  Creates a new XEEncryptedData element in this WSSecurity's document, but does not append it to the WSSecurity element.

  Parameters:

  dataType - Type information identifying the content.

  Returns:

  A new XEEncryptedData.

  Throws:

  org.w3c.dom.DOMException

  createEncryptedKey

  public oracle.security.xmlsec.enc.XEEncryptedKey createEncryptedKey()
                                                               throws org.w3c.dom.DOMException
  

  Creates a new XEEncryptedKey element in this WSSecurity's document, but does not append it to the WSSecurity element.

  Returns:

  A new XEEncryptedKey.

  Throws:

  org.w3c.dom.DOMException

  getSecurityTokenByWsuID

  public WSSecurityToken getSecurityTokenByWsuID(java.lang.String id)
  

  Get the Security token corresponding to the WSU identifier.

  Parameters:

  id - The wsu:Id value.

  Returns:

  The security token if present or null otherwise.

  getUsernameTokens

  public java.util.List getUsernameTokens()
  

  Returns the list of Username Security Tokens.

  Returns:

  The list of UsernameToken elements.

  getBinaryTokens

  public java.util.List getBinaryTokens()
  

  Returns the list of Binary Security Tokens.

  Returns:

  The list of BinarySecurityToken elements.

  getSAML2AssertionTokens

  public java.util.List getSAML2AssertionTokens()
  

  Returns the list of SAML2 Assertion Security Tokens.

  Returns:

  The list of SAML2AssertionToken elements.

  getSAMLAssertionTokens

  public java.util.List getSAMLAssertionTokens()
  

  Returns the list of SAML Assertion Security Tokens.

  Returns:

  The list of SAMLAssertionToken elements.

  getEncryptedAssertions

  public java.util.List getEncryptedAssertions()
  

  Returns the list of EncryptedAssertion (SAML2) Elements.

  Returns:

  The list of EncryptedAssertion elements.

  addSignatureConfirmation

  public void addSignatureConfirmation(WSSignatureConfirmation sigConfirm)
  

  Prepend a SignatureConfirmation element to this WSSecurity element Does a simple insert into the DOM To insert at some other user regular DOM insert/append calls

  Parameters:

  sigConfirm -

  addSignatureConfirmation

  public WSSignatureConfirmation addSignatureConfirmation(java.lang.String signatureValue)
  

  Create a SignatureConfirmation element and prepend it this WSSecurity element

  Parameters:

  signatureValue -

  createSignatureConfirmations

  public java.util.List createSignatureConfirmations(org.w3c.dom.Document doc)
  

  Create a List of SignatureConfirmation elements correspnding to the Signature elements in this WSSecurity element. The SignatureConfirmation elements are created in a different document, because SignatureConfirmation elements are to be in the response, whereas SignatureElements are in the request

  The signatureConfirmationElements are not inserted into the document

  Parameters:

  doc - The Document in which the SignatureConfirmation elements should be created

  Returns:

  a list of SignatureConfirmation elements

  getSignatureValues

  public java.lang.String[] getSignatureValues()
  

  Return a list of Signature values of all the top level Signature elements in this WSSecurity element. These are the signatures that will have SignatureConfirmations If there are no signatures, this will return an empty array

  Returns:

  an array of signature values

  verifySignatureConfirmations

  public boolean verifySignatureConfirmations(java.lang.String[] sigValues)
  

  Verify the signature confirmations in this WSSecurity following the response processing rules for Signature Confirmation in the WS SEcurity 1.1 spec.

  Parameters:

  sigValues - an array of signature values. Use getSignatureValues to construct such an an array from the response packet.

  Returns:

  true is the all the signatureConfirmations are valid

  createSTR_X509_SKI

  public WSSecurityTokenReference createSTR_X509_SKI(java.security.cert.X509Certificate cert)
  

  Create an STR to an X509Certificate cert.

    <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier EncodingType="...#Base64Binary" ValueType="...#X509SubjectKeyIdentifier">
        base64 SKI
      </wsse:KeyIdenfier>
    </wsse:SecurityTokenReference>
   
  

  Parameters:

  cert -

  Returns:

  the created STR

  Throws:

  java.lang.IllegalArgumentException - if no SKI was found in the cert

  createSTR_X509_IssuerSerial

  public WSSecurityTokenReference createSTR_X509_IssuerSerial(java.security.cert.X509Certificate cert)
  

  Create an STR to an X509Certificate cert. The STR is not appended anywhere.

    <wsse:SecurityTokenReference>
      <ds:X509Data>
        <ds:X509IssuerSerial>
          <ds:X509IssuerName>issuer</ds:X509IssuerName>
          <ds:X509SerialNumber>serial</ds:X509SerialNumber>
        </ds:X509IssuerSerial>
      </ds:X509Data>
    </wsse:SecurityTokenReference>
   
  

  Parameters:

  cert -

  Returns:

  the created STR

  createSTR_X509_ThumbprintSHA1

  public WSSecurityTokenReference createSTR_X509_ThumbprintSHA1(java.security.cert.X509Certificate cert)
  

  Create an STR to an X509Certificate cert. The STR is not appended anywhere.

    <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier EncodingType="...#Base64Binary"  ValueType="...#ThumbPrintSHA1"">
        base64 SHA1 of cert bytes
      </wsse:KeyIdenfier>
    </wsse:SecurityTokenReference>
   
   
  

  Parameters:

  cert -

  Returns:

  the created STR

  createSTR_X509_Ref

  public WSSecurityTokenReference createSTR_X509_Ref(java.lang.String uri)
  

  Create an STR to an X509Certificate cert. The STR is not appended anywhere. Doesn't attempt to resolve the uri.

    <wsse:SecurityTokenReference>
      <wsse:Reference URI="..."/>
    </wsse:SecurityTokenReference>
   
   
  

  Parameters:

  uri -

  Returns:

  the created STR

  createBST_X509

  public X509BinarySecurityToken createBST_X509(java.security.cert.X509Certificate cert)
                                         throws java.security.cert.CertificateEncodingException
  

  Create an BST from an X509Certificate cert. The BST is not appended anywhere.

    <wsse:BinarySecurityToken ValueType="...#X509v3" EncodingType="...#Base64Binary">
       base64 encoded cert contents
    </wsse:BinarySecurityToken>
   
  

  Parameters:

  cert -

  Returns:

  the created BST

  Throws:

  java.security.cert.CertificateEncodingException

  createBST_X509

  public X509BinarySecurityToken createBST_X509(java.security.cert.CertPath certpath)
                                         throws java.security.cert.CertificateEncodingException
  

  Create an BST from an X509Certificate CertPath

    <wsse:BinarySecurityToken ValueType="..."#X509PKIPathv1" EncodingType="...#Base64Binary">
       base64 encoded PKI path contents
    </wsse:BinarySecurityToken>
   
  

  Parameters:

  certpath -

  Returns:

  the created BST

  Throws:

  java.security.cert.CertificateEncodingException

  createBST_Kerberos

  public KerberosBinarySecurityToken createBST_Kerberos(byte[] ap_req,
                                                        java.lang.String valueType)
  

  Create a BST from an Kerberos AP_REQ packet or a GSS wrapped AP_REQ packet

    <wsse:BinarySecurityToken ValueType="valueType" EncodingType="...#Base64Binary">
       base64 encoded AP_REQ contents
    </wsse:BinarySecurityToken>
   
  

  Parameters:

  ap_req -

  valueType -

  Returns:

  createSTR_Username_Ref

  public WSSecurityTokenReference createSTR_Username_Ref(java.lang.String uri)
  

  Create an STR to an UsernameToken. The STR is not appended anywhere. Doesn't attempt to resolve the uri.

    <wsse:SecurityTokenReference>
      <wsse:Reference URI="..." ValueType="...#UsernameToken" />
    </wsse:SecurityTokenReference>
   
   
  

  Parameters:

  uri -

  Returns:

  the created STR

  createSTR_SAML_AssertionIdv11

  public WSSecurityTokenReference createSTR_SAML_AssertionIdv11(byte[] assertionId)
  

  Create an STR to local SAML v1.1 AssertionID. The STR is not appended anywhere.

    <wsse:SecurityTokenReference TokenType="...#SAMLV1.1">
      <wsse:KeyIdentifier ValueType="...#SAMLAssertionID">
        assertion id 
      </wsse:KeyIdenfier>
    </wsse:SecurityTokenReference>
   
   
  

  Parameters:

  assertionId -

  Returns:

  the created STR

  createSTR_SAML_AssertionIdv11

  public WSSecurityTokenReference createSTR_SAML_AssertionIdv11(byte[] assertionId,
                                                                oracle.security.xmlsec.saml.AuthorityBinding authorityBinding)
  

  Create an STR to an external SAML v1.1 AssertionID. The STR is not appended anywhere.

    <wsse:SecurityTokenReference TokenType="...#SAMLV1.1">
      <saml:AuthorityBinding ... />
      <wsse:KeyIdentifier ValueType="...#SAMLAssertionID">
        assertion id 
      </wsse:KeyIdenfier>
    </wsse:SecurityTokenReference>
   
   
  

  Parameters:

  assertionId -

  authorityBinding -

  Returns:

  the created STR

  createSTR_SAML_AssertionIdv20

  public WSSecurityTokenReference createSTR_SAML_AssertionIdv20(byte[] assertionId)
  

  Create an STR to local SAML v2.0 AssertionID. The STR is not appended anywhere.

    <wsse:SecurityTokenReference TokenType="...#SAMLV2.0">
      <wsse:KeyIdentifier ValueType="...#SAMLID">
        assertion id 
      </wsse:KeyIdenfier>
    </wsse:SecurityTokenReference>
   
   
  

  Parameters:

  assertionId -

  Returns:

  the created STR

  createSTR_SAML_Assertion_Ref20

  public WSSecurityTokenReference createSTR_SAML_Assertion_Ref20(java.lang.String uri)
  

  Create an STR to local or remote SAML v2.0 Assertion. The STR is not appended anywhere. Doesn't attempt to resolve the uri.

    <wsse:SecurityTokenReference TokenType="...#SAMLV2.0">
      <wsse:Reference URI="uri"/>
    </wsse:SecurityTokenReference>
   
   
  

  Parameters:

  uri -

  Returns:

  the created STR

  Throws:

  WSSException

  createSTR_EncKeyRef

  public WSSecurityTokenReference createSTR_EncKeyRef(java.lang.String uri)
  

  Create an STR to an EncryptedKey that is in the document. The STR is not appended anywhere. Doesn't attempt to resolve the uri.

    <wsse:SecurityTokenReference >
      <wsse:Reference URI="uri"/>
    </wsse:SecurityTokenReference>
   
   
  

  Parameters:

  uri -

  Returns:

  the created STR

  createSTR_KerberosKeyRef

  public WSSecurityTokenReference createSTR_KerberosKeyRef(java.lang.String uri,
                                                           java.lang.String valueType)
  

  Create an STR to a Keberos BST that is in the document. The STR is not appended anywhere. Doesn't attempt to resolve the uri.

    <wsse:SecurityTokenReference TokenType="valueType">
      <wsse:Reference URI="uri"/>
    </wsse:SecurityTokenReference>
   
   
  

  Parameters:

  uri -

  valueType - should be one of the WSSURI.vt_Kerberos* or WSSURI.vt_GSSKerberos*

  Returns:

  the created STR

  createSTR_KerberosKeyIdSHA1

  public WSSecurityTokenReference createSTR_KerberosKeyIdSHA1(byte[] ap_req,
                                                              java.lang.String valueType)
  

  Create an STR to a Kerberos ap-req may not be in the document. The STR is not appended anywhere.

    <wsse:SecurityTokenReference TokenType="valueType">
      <wsse:KeyIdentifier ValueType="...#Kerberosv5APREQSHA1">
        base64 encoding of the Sha1 dgested ap_req bytes 
      </wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
   
   
  

  Parameters:

  ap_req - Kerberos AP_REQ packet or GSS wrapped AP_REQ packet

  valueType - should be one of the WSSURI.vt_Kerberos* or WSSURI.vt_GSSKerberos*

  Returns:

  the created STR

  computeEncKeySHA1

  public static byte[] computeEncKeySHA1(oracle.security.xmlsec.enc.XEEncryptedKey encKey)
  

  Utility method to compute the SHA1 of an EncryptedKey

  Parameters:

  encKey -

  Returns:

  sha1 bytes

  createSTR_EncKeySHA1

  public WSSecurityTokenReference createSTR_EncKeySHA1(byte[] sha1)
  

  Create an STR to an EncryptedKey that is NOT in the document. The STR is not appended anywhere.

    <wsse:SecurityTokenReference TokenType="...#EncrytpedKey" >
      <wsse:KeyIdentifier EncodingType="...#Base64Binary" ValueType="...#EncrpytedKeySHA1">
        assertion id 
      </wsse:KeyIdenfier>
    </wsse:SecurityTokenReference>
   
   
  

  Parameters:

  sha1 -

  Returns:

  the created STR

  See Also:

  computeEncKeySHA1(XEEncryptedKey)