You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2015/03/03 14:06:26 UTC
svn commit: r1663694 [2/2] - in /webservices/wss4j/trunk:
ws-security-common/src/main/resources/messages/
ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/
ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/
ws-security-dom/src/main/ja...
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java Tue Mar 3 13:06:25 2015
@@ -20,14 +20,11 @@
package org.apache.wss4j.dom.str;
import java.security.Principal;
-import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
-import java.util.Map;
-import javax.security.auth.callback.Callback;
import javax.xml.namespace.QName;
import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
@@ -41,7 +38,6 @@ import org.apache.wss4j.common.saml.Open
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.WSSecurityEngine;
@@ -66,40 +62,23 @@ import org.apache.xml.security.utils.Bas
public class SignatureSTRParser implements STRParser {
/**
- * The Signature method. This is used when deriving a key to use for verifying the signature.
- */
- public static final String SIGNATURE_METHOD = "signature_method";
-
- private X509Certificate[] certs;
-
- private byte[] secretKey;
-
- private PublicKey publicKey;
-
- private Principal principal;
-
- private boolean trustedCredential;
-
- private REFERENCE_TYPE referenceType;
-
- /**
* Parse a SecurityTokenReference element and extract credentials.
*
- * @param strElement The SecurityTokenReference element
- * @param data the RequestData associated with the request
- * @param wsDocInfo The WSDocInfo object to access previous processing results
- * @param parameters A set of implementation-specific parameters
+ * @param parameters The parameters to parse
+ * @return the STRParserResult Object containing the parsing results
* @throws WSSecurityException
*/
- public void parseSecurityTokenReference(
- Element strElement,
- RequestData data,
- WSDocInfo wsDocInfo,
- Map<String, Object> parameters
- ) throws WSSecurityException {
- Crypto crypto = data.getSigVerCrypto();
+ public STRParserResult parseSecurityTokenReference(STRParserParameters parameters) throws WSSecurityException {
+
+ if (parameters == null || parameters.getData() == null || parameters.getWsDocInfo() == null
+ || parameters.getStrElement() == null) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, "invalidSTRParserParameter"
+ );
+ }
+
SecurityTokenReference secRef =
- new SecurityTokenReference(strElement, data.getBSPEnforcer());
+ new SecurityTokenReference(parameters.getStrElement(), parameters.getData().getBSPEnforcer());
//
// Here we get some information about the document that is being
// processed, in particular the crypto implementation, and already
@@ -111,167 +90,16 @@ public class SignatureSTRParser implemen
if (uri.charAt(0) == '#') {
uri = uri.substring(1);
}
- referenceType = REFERENCE_TYPE.DIRECT_REF;
} else if (secRef.containsKeyIdentifier()) {
uri = secRef.getKeyIdentifierValue();
- if (SecurityTokenReference.THUMB_URI.equals(secRef.getKeyIdentifierValueType())) {
- referenceType = REFERENCE_TYPE.THUMBPRINT_SHA1;
- } else {
- referenceType = REFERENCE_TYPE.KEY_IDENTIFIER;
- }
}
- WSSecurityEngineResult result = wsDocInfo.getResult(uri);
+ WSSecurityEngineResult result = parameters.getWsDocInfo().getResult(uri);
if (result != null) {
- processPreviousResult(result, secRef, data, parameters);
- } else if (secRef.containsReference()) {
- Reference reference = secRef.getReference();
- // Try asking the CallbackHandler for the secret key
- secretKey = getSecretKeyFromToken(uri, reference.getValueType(), data);
- principal = new CustomTokenPrincipal(uri);
-
- if (secretKey == null) {
- Element token =
- secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
- QName el = new QName(token.getNamespaceURI(), token.getLocalName());
- if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
- Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
- List<WSSecurityEngineResult> bstResult =
- proc.handleToken(token, data, wsDocInfo);
- BinarySecurity bstToken =
- (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- STRParserUtil.checkBinarySecurityBSPCompliance(
- secRef, bstToken, data.getBSPEnforcer()
- );
-
- certs = (X509Certificate[])bstResult.get(0).get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
- secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
- principal = (Principal)bstResult.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
- } else if (el.equals(WSSecurityEngine.SAML_TOKEN)
- || el.equals(WSSecurityEngine.SAML2_TOKEN)) {
- Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
- //
- // Just check to see whether the token was processed or not
- //
- Element processedToken =
- secRef.findProcessedTokenElement(
- strElement.getOwnerDocument(), wsDocInfo,
- data.getCallbackHandler(), uri, secRef.getReference().getValueType()
- );
- SamlAssertionWrapper samlAssertion = null;
- if (processedToken == null) {
- List<WSSecurityEngineResult> samlResult =
- proc.handleToken(token, data, wsDocInfo);
- samlAssertion =
- (SamlAssertionWrapper)samlResult.get(0).get(
- WSSecurityEngineResult.TAG_SAML_ASSERTION
- );
- } else {
- samlAssertion = new SamlAssertionWrapper(processedToken);
- samlAssertion.parseSubject(
- new WSSSAMLKeyInfoProcessor(data, wsDocInfo),
- data.getSigVerCrypto(), data.getCallbackHandler()
- );
- }
- STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion, data.getBSPEnforcer());
-
- SAMLKeyInfo keyInfo = samlAssertion.getSubjectKeyInfo();
- X509Certificate[] foundCerts = keyInfo.getCerts();
- if (foundCerts != null && foundCerts.length > 0) {
- certs = new X509Certificate[]{foundCerts[0]};
- }
- secretKey = keyInfo.getSecret();
- principal = createPrincipalFromSAML(samlAssertion);
- } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
- STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
- Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
- List<WSSecurityEngineResult> encrResult =
- proc.handleToken(token, data, wsDocInfo);
- secretKey =
- (byte[])encrResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
- principal = new CustomTokenPrincipal(token.getAttributeNS(null, "Id"));
- }
- }
- } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
- referenceType = REFERENCE_TYPE.ISSUER_SERIAL;
- X509Certificate[] foundCerts = secRef.getX509IssuerSerial(crypto);
- if (foundCerts != null && foundCerts.length > 0) {
- certs = new X509Certificate[]{foundCerts[0]};
- }
- } else if (secRef.containsKeyIdentifier()) {
- if (secRef.getKeyIdentifierValueType().equals(SecurityTokenReference.ENC_KEY_SHA1_URI)) {
- STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
-
- String id = secRef.getKeyIdentifierValue();
- secretKey =
- getSecretKeyFromToken(id, SecurityTokenReference.ENC_KEY_SHA1_URI, data);
- principal = new CustomTokenPrincipal(id);
- } else if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())
- || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) {
- parseSAMLKeyIdentifier(secRef, wsDocInfo, data);
- } else {
- parseBSTKeyIdentifier(secRef, crypto, wsDocInfo, data);
- }
- } else {
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.INVALID_SECURITY,
- "unsupportedKeyInfo", strElement.toString());
+ return processPreviousResult(result, secRef, parameters);
}
- if (certs != null && certs.length > 0 && principal == null) {
- principal = certs[0].getSubjectX500Principal();
- }
- }
-
- /**
- * Get the X509Certificates associated with this SecurityTokenReference
- * @return the X509Certificates associated with this SecurityTokenReference
- */
- public X509Certificate[] getCertificates() {
- return certs;
- }
-
- /**
- * Get the Principal associated with this SecurityTokenReference
- * @return the Principal associated with this SecurityTokenReference
- */
- public Principal getPrincipal() {
- return principal;
- }
-
- /**
- * Get the PublicKey associated with this SecurityTokenReference
- * @return the PublicKey associated with this SecurityTokenReference
- */
- public PublicKey getPublicKey() {
- return publicKey;
- }
-
- /**
- * Get the Secret Key associated with this SecurityTokenReference
- * @return the Secret Key associated with this SecurityTokenReference
- */
- public byte[] getSecretKey() {
- return secretKey;
- }
-
- /**
- * Get whether the returned credential is already trusted or not. This is currently
- * applicable in the case of a credential extracted from a trusted HOK SAML Assertion,
- * and a BinarySecurityToken that has been processed by a Validator. In these cases,
- * the SignatureProcessor does not need to verify trust on the credential.
- * @return true if trust has already been verified on the returned Credential
- */
- public boolean isTrustedCredential() {
- return trustedCredential;
- }
-
- /**
- * Get how the certificates were referenced
- * @return how the certificates were referenced
- */
- public REFERENCE_TYPE getCertificatesReferenceType() {
- return referenceType;
+ return processSTR(secRef, uri, parameters);
}
/**
@@ -280,7 +108,7 @@ public class SignatureSTRParser implemen
* @return A principal
*/
private Principal createPrincipalFromSAML(
- SamlAssertionWrapper samlAssertion
+ SamlAssertionWrapper samlAssertion, STRParserResult parserResult
) {
SAMLTokenPrincipalImpl samlPrincipal = new SAMLTokenPrincipalImpl(samlAssertion);
String confirmMethod = null;
@@ -289,53 +117,23 @@ public class SignatureSTRParser implemen
confirmMethod = methods.get(0);
}
if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod) && samlAssertion.isSigned()) {
- trustedCredential = true;
+ parserResult.setTrustedCredential(true);
}
return samlPrincipal;
}
/**
- * Get the Secret Key from a CallbackHandler
- * @param id The id of the element
- * @param type The type of the element (can be null)
- * @return A Secret Key
- * @throws WSSecurityException
- */
- private byte[] getSecretKeyFromToken(
- String id,
- String type,
- RequestData data
- ) throws WSSecurityException {
- if (id.charAt(0) == '#') {
- id = id.substring(1);
- }
- WSPasswordCallback pwcb =
- new WSPasswordCallback(id, null, type, WSPasswordCallback.SECRET_KEY);
- try {
- Callback[] callbacks = new Callback[]{pwcb};
- if (data.getCallbackHandler() != null) {
- data.getCallbackHandler().handle(callbacks);
- return pwcb.getKey();
- }
- } catch (Exception e) {
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILURE,
- "noPassword", e, id);
- }
-
- return null;
- }
-
- /**
* Parse the KeyIdentifier for a SAML Assertion
*/
private void parseSAMLKeyIdentifier(
SecurityTokenReference secRef,
WSDocInfo wsDocInfo,
- RequestData data
+ RequestData data,
+ STRParserResult parserResult
) throws WSSecurityException {
String valueType = secRef.getKeyIdentifierValueType();
- secretKey = getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, data);
+ byte[] secretKey = STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType,
+ WSPasswordCallback.SECRET_KEY, data);
if (secretKey == null) {
SamlAssertionWrapper samlAssertion =
STRParserUtil.getAssertionFromKeyIdentifier(
@@ -349,12 +147,13 @@ public class SignatureSTRParser implemen
data.getSigVerCrypto(), data.getCallbackHandler());
X509Certificate[] foundCerts = samlKi.getCerts();
if (foundCerts != null && foundCerts.length > 0) {
- certs = new X509Certificate[]{foundCerts[0]};
+ parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
}
secretKey = samlKi.getSecret();
- publicKey = samlKi.getPublicKey();
- principal = createPrincipalFromSAML(samlAssertion);
+ parserResult.setPublicKey(samlKi.getPublicKey());
+ parserResult.setPrincipal(createPrincipalFromSAML(samlAssertion, parserResult));
}
+ parserResult.setSecretKey(secretKey);
}
/**
@@ -364,14 +163,16 @@ public class SignatureSTRParser implemen
SecurityTokenReference secRef,
Crypto crypto,
WSDocInfo wsDocInfo,
- RequestData data
+ RequestData data,
+ STRParserResult parserResult
) throws WSSecurityException {
STRParserUtil.checkBinarySecurityBSPCompliance(secRef, null, data.getBSPEnforcer());
String valueType = secRef.getKeyIdentifierValueType();
if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) {
- secretKey =
- getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, data);
+ byte[] secretKey =
+ STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType,
+ WSPasswordCallback.SECRET_KEY, data);
if (secretKey == null) {
byte[] keyBytes = secRef.getSKIBytes();
List<WSSecurityEngineResult> resultsList =
@@ -382,13 +183,14 @@ public class SignatureSTRParser implemen
byte[] tokenDigest = WSSecurityUtil.generateDigest(bstToken.getToken());
if (Arrays.equals(tokenDigest, keyBytes)) {
secretKey = (byte[])bstResult.get(WSSecurityEngineResult.TAG_SECRET);
- principal = (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ parserResult.setPrincipal((Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL));
break;
}
}
} else {
- principal = new CustomTokenPrincipal(secRef.getKeyIdentifierValue());
+ parserResult.setPrincipal(new CustomTokenPrincipal(secRef.getKeyIdentifierValue()));
}
+ parserResult.setSecretKey(secretKey);
} else {
X509Certificate[] foundCerts = secRef.getKeyIdentifier(crypto);
if (foundCerts == null) {
@@ -402,7 +204,7 @@ public class SignatureSTRParser implemen
(X509Certificate[])bstResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
if (certs != null
&& Arrays.equals(skiBytes, crypto.getSKIBytesFromCert(certs[0]))) {
- principal = (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ parserResult.setPrincipal((Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL));
foundCerts = certs;
break;
}
@@ -419,7 +221,8 @@ public class SignatureSTRParser implemen
byte[] digest = WSSecurityUtil.generateDigest(certs[0].getEncoded());
try {
if (Arrays.equals(Base64.decode(kiValue), digest)) {
- principal = (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ parserResult.setPrincipal(
+ (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL));
foundCerts = certs;
break;
}
@@ -438,7 +241,7 @@ public class SignatureSTRParser implemen
}
}
if (foundCerts != null) {
- certs = new X509Certificate[]{foundCerts[0]};
+ parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
}
}
}
@@ -446,12 +249,15 @@ public class SignatureSTRParser implemen
/**
* Process a previous security result
*/
- private void processPreviousResult(
+ private STRParserResult processPreviousResult(
WSSecurityEngineResult result,
SecurityTokenReference secRef,
- RequestData data,
- Map<String, Object> parameters
+ STRParserParameters parameters
) throws WSSecurityException {
+
+ STRParserResult parserResult = new STRParserResult();
+ RequestData data = parameters.getData();
+
int action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
STRParserUtil.checkUsernameTokenBSPCompliance(secRef, data.getBSPEnforcer());
@@ -460,9 +266,9 @@ public class SignatureSTRParser implemen
(UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
usernameToken.setRawPassword(data);
- secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ parserResult.setSecretKey((byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
- principal = usernameToken.createPrincipal();
+ parserResult.setPrincipal(usernameToken.createPrincipal());
} else if (WSConstants.BST == action) {
BinarySecurity token =
(BinarySecurity)result.get(
@@ -470,39 +276,39 @@ public class SignatureSTRParser implemen
);
STRParserUtil.checkBinarySecurityBSPCompliance(secRef, token, data.getBSPEnforcer());
- certs =
- (X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
- secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ parserResult.setCerts(
+ (X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES));
+ parserResult.setSecretKey((byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
Boolean validatedToken =
(Boolean)result.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN);
if (validatedToken) {
- trustedCredential = true;
+ parserResult.setTrustedCredential(true);
}
} else if (WSConstants.ENCR == action) {
STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
- secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ parserResult.setSecretKey((byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
String id = (String)result.get(WSSecurityEngineResult.TAG_ID);
- principal = new CustomTokenPrincipal(id);
+ parserResult.setPrincipal(new CustomTokenPrincipal(id));
} else if (WSConstants.SCT == action) {
- secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ parserResult.setSecretKey((byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
SecurityContextToken sct =
(SecurityContextToken)result.get(
WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN
);
- principal = new CustomTokenPrincipal(sct.getIdentifier());
+ parserResult.setPrincipal(new CustomTokenPrincipal(sct.getIdentifier()));
} else if (WSConstants.DKT == action) {
DerivedKeyToken dkt =
(DerivedKeyToken)result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
int keyLength = dkt.getLength();
- if (keyLength <= 0) {
- String algorithm = (String)parameters.get(SIGNATURE_METHOD);
- keyLength = KeyUtils.getKeyLength(algorithm);
+ if (keyLength <= 0 && parameters.getDerivationKeyLength() > 0) {
+ keyLength = parameters.getDerivationKeyLength();
}
byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
- secretKey = dkt.deriveKey(keyLength, secret);
- principal = dkt.createPrincipal();
+ Principal principal = dkt.createPrincipal();
((WSDerivedKeyTokenPrincipal)principal).setSecret(secret);
+ parserResult.setPrincipal(principal);
+ parserResult.setSecretKey(dkt.deriveKey(keyLength, secret));
} else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
SamlAssertionWrapper samlAssertion =
(SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
@@ -516,13 +322,154 @@ public class SignatureSTRParser implemen
}
X509Certificate[] foundCerts = keyInfo.getCerts();
if (foundCerts != null) {
- certs = new X509Certificate[]{foundCerts[0]};
+ parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
+ }
+ parserResult.setSecretKey(keyInfo.getSecret());
+ parserResult.setPublicKey(keyInfo.getPublicKey());
+ parserResult.setPrincipal(createPrincipalFromSAML(samlAssertion, parserResult));
+ }
+
+ REFERENCE_TYPE referenceType = getReferenceType(secRef);
+ if (referenceType != null) {
+ parserResult.setReferenceType(referenceType);
+ }
+
+ return parserResult;
+ }
+
+ private STRParserResult processSTR(
+ SecurityTokenReference secRef,
+ String uri,
+ STRParserParameters parameters
+ ) throws WSSecurityException {
+ STRParserResult parserResult = new STRParserResult();
+ RequestData data = parameters.getData();
+ WSDocInfo wsDocInfo = parameters.getWsDocInfo();
+ Element strElement = parameters.getStrElement();
+
+ if (secRef.containsReference()) {
+ Reference reference = secRef.getReference();
+ // Try asking the CallbackHandler for the secret key
+ byte[] secretKey = STRParserUtil.getSecretKeyFromToken(uri, reference.getValueType(),
+ WSPasswordCallback.SECRET_KEY,
+ data);
+ Principal principal = new CustomTokenPrincipal(uri);
+
+ if (secretKey == null) {
+ Element token =
+ secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
+ QName el = new QName(token.getNamespaceURI(), token.getLocalName());
+ if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
+ Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
+ List<WSSecurityEngineResult> bstResult =
+ proc.handleToken(token, parameters.getData(), parameters.getWsDocInfo());
+ BinarySecurity bstToken =
+ (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ STRParserUtil.checkBinarySecurityBSPCompliance(
+ secRef, bstToken, data.getBSPEnforcer()
+ );
+
+ parserResult.setCerts(
+ (X509Certificate[])bstResult.get(0).get(WSSecurityEngineResult.TAG_X509_CERTIFICATES));
+ secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
+ principal = (Principal)bstResult.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ } else if (el.equals(WSSecurityEngine.SAML_TOKEN)
+ || el.equals(WSSecurityEngine.SAML2_TOKEN)) {
+ Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
+ //
+ // Just check to see whether the token was processed or not
+ //
+ Element processedToken =
+ secRef.findProcessedTokenElement(
+ strElement.getOwnerDocument(), wsDocInfo,
+ data.getCallbackHandler(), uri, secRef.getReference().getValueType()
+ );
+ SamlAssertionWrapper samlAssertion = null;
+ if (processedToken == null) {
+ List<WSSecurityEngineResult> samlResult =
+ proc.handleToken(token, data, wsDocInfo);
+ samlAssertion =
+ (SamlAssertionWrapper)samlResult.get(0).get(
+ WSSecurityEngineResult.TAG_SAML_ASSERTION
+ );
+ } else {
+ samlAssertion = new SamlAssertionWrapper(processedToken);
+ samlAssertion.parseSubject(
+ new WSSSAMLKeyInfoProcessor(data, wsDocInfo),
+ data.getSigVerCrypto(), data.getCallbackHandler()
+ );
+ }
+ STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion, data.getBSPEnforcer());
+
+ SAMLKeyInfo keyInfo = samlAssertion.getSubjectKeyInfo();
+ X509Certificate[] foundCerts = keyInfo.getCerts();
+ if (foundCerts != null && foundCerts.length > 0) {
+ parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
+ }
+ secretKey = keyInfo.getSecret();
+ principal = createPrincipalFromSAML(samlAssertion, parserResult);
+ } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
+ STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
+ Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
+ List<WSSecurityEngineResult> encrResult =
+ proc.handleToken(token, data, wsDocInfo);
+ secretKey =
+ (byte[])encrResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
+ principal = new CustomTokenPrincipal(token.getAttributeNS(null, "Id"));
+ }
}
- secretKey = keyInfo.getSecret();
- publicKey = keyInfo.getPublicKey();
- principal = createPrincipalFromSAML(samlAssertion);
+
+ parserResult.setSecretKey(secretKey);
+ parserResult.setPrincipal(principal);
+ } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
+ parserResult.setReferenceType(REFERENCE_TYPE.ISSUER_SERIAL);
+ Crypto crypto = data.getSigVerCrypto();
+ X509Certificate[] foundCerts = secRef.getX509IssuerSerial(crypto);
+ if (foundCerts != null && foundCerts.length > 0) {
+ parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
+ }
+ } else if (secRef.containsKeyIdentifier()) {
+ if (secRef.getKeyIdentifierValueType().equals(SecurityTokenReference.ENC_KEY_SHA1_URI)) {
+ STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
+
+ String id = secRef.getKeyIdentifierValue();
+ parserResult.setSecretKey(
+ STRParserUtil.getSecretKeyFromToken(id, SecurityTokenReference.ENC_KEY_SHA1_URI,
+ WSPasswordCallback.SECRET_KEY, data));
+ parserResult.setPrincipal(new CustomTokenPrincipal(id));
+ } else if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())
+ || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) {
+ parseSAMLKeyIdentifier(secRef, wsDocInfo, data, parserResult);
+ } else {
+ Crypto crypto = data.getSigVerCrypto();
+ parseBSTKeyIdentifier(secRef, crypto, wsDocInfo, data, parserResult);
+ }
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.INVALID_SECURITY,
+ "unsupportedKeyInfo", strElement.toString());
+ }
+
+ REFERENCE_TYPE referenceType = getReferenceType(secRef);
+ if (referenceType != null) {
+ parserResult.setReferenceType(referenceType);
}
+
+ return parserResult;
}
+ private REFERENCE_TYPE getReferenceType(SecurityTokenReference secRef) {
+ if (secRef.containsReference()) {
+ return REFERENCE_TYPE.DIRECT_REF;
+ } else if (secRef.containsKeyIdentifier()) {
+ if (SecurityTokenReference.THUMB_URI.equals(secRef.getKeyIdentifierValueType())) {
+ return REFERENCE_TYPE.THUMBPRINT_SHA1;
+ } else {
+ return REFERENCE_TYPE.KEY_IDENTIFIER;
+ }
+ }
+
+ return null;
+ }
}