Posted to commits@ws.apache.org by co...@apache.org on 2012/03/07 11:39:43 UTC
svn commit: r1297924 -
/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Author: coheigea
Date: Wed Mar 7 10:39:42 2012
New Revision: 1297924
URL: http://svn.apache.org/viewvc?rev=1297924&view=rev
Log:
[WSS-357] - WSS4J can't handle thumbprint/ski references to a token in the security header
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1297924&r1=1297923&r2=1297924&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java Wed Mar 7 10:39:42 2012
@@ -41,11 +41,13 @@ import org.apache.ws.security.saml.SAMLK
import org.apache.ws.security.saml.SAMLUtil;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Element;
import java.security.Principal;
import java.security.PublicKey;
+import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
@@ -371,6 +373,47 @@ public class SignatureSTRParser implemen
}
} else {
X509Certificate[] foundCerts = secRef.getKeyIdentifier(crypto);
+ if (foundCerts == null) {
+ // The reference may be to a BST in the security header rather than in the keystore
+ if (SecurityTokenReference.SKI_URI.equals(valueType)) {
+ byte[] skiBytes = secRef.getSKIBytes();
+ List<WSSecurityEngineResult> resultsList =
+ wsDocInfo.getResultsByTag(WSConstants.BST);
+ for (WSSecurityEngineResult bstResult : resultsList) {
+ X509Certificate[] certs =
+ (X509Certificate[])bstResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+ if (certs != null
+ && Arrays.equals(skiBytes, crypto.getSKIBytesFromCert(certs[0]))) {
+ principal = (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ foundCerts = certs;
+ break;
+ }
+ }
+ } else if (SecurityTokenReference.THUMB_URI.equals(valueType)) {
+ String kiValue = secRef.getKeyIdentifierValue();
+ List<WSSecurityEngineResult> resultsList =
+ wsDocInfo.getResultsByTag(WSConstants.BST);
+ for (WSSecurityEngineResult bstResult : resultsList) {
+ X509Certificate[] certs =
+ (X509Certificate[])bstResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+ if (certs != null) {
+ try {
+ byte[] digest = WSSecurityUtil.generateDigest(certs[0].getEncoded());
+ if (Arrays.equals(Base64.decode(kiValue), digest)) {
+ principal = (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ foundCerts = certs;
+ break;
+ }
+ } catch (CertificateEncodingException ex) {
+ throw new WSSecurityException(
+ WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "encodeError",
+ null, ex
+ );
+ }
+ }
+ }
+ }
+ }
if (foundCerts != null) {
certs = new X509Certificate[]{foundCerts[0]};
}
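Review bot: Both new loops index `certs[0]` after checking only `certs != null`, so a BST result carrying an empty certificate array would throw ArrayIndexOutOfBoundsException instead of simply failing to match; changing the two guards to `if (certs != null && certs.length > 0` closes that. In the SKI branch, `Arrays.equals(skiBytes, crypto.getSKIBytesFromCert(certs[0]))` is true when both arguments are null, so if either helper can return null for a certificate without an SKI extension (rather than throwing, as I believe the Merlin implementation does), a header token with no SKI would be accepted as the match; a `skiBytes != null` check before the loop avoids depending on that behaviour. In the thumbprint branch `Base64.decode(kiValue)` is recomputed on every iteration and should be hoisted above the loop, which also reports a malformed value once rather than per token. Matching a header BST by SKI or thumbprint only identifies the signing certificate, so a comment such as `// trust in foundCerts is still established by the downstream certificate validation, as for a direct BST reference` would make clear that this branch is not a trust decision. The enclosing method starts and ends outside the hunk.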