This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch coheigea/saml-refactor-new
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git
The following commit(s) were added to refs/heads/coheigea/saml-refactor-new by
this push:
new 8da5464cf Getting SAML credentials from previously processed results
8da5464cf is described below
commit 8da5464cf6870c658cc3b3e80778f4cd0cc38d93
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Tue Jun 24 10:15:15 2025 +0100
Getting SAML credentials from previously processed results
---
.../wss4j/dom/processor/SAMLTokenProcessor.java | 17 ++++++++++++
.../wss4j/dom/str/DerivedKeyTokenSTRParser.java | 21 ++++++---------
.../wss4j/dom/str/EncryptedKeySTRParser.java | 20 +++++++-------
.../wss4j/dom/str/SecurityTokenRefSTRParser.java | 15 ++++++++---
.../apache/wss4j/dom/str/SignatureSTRParser.java | 31 ++++++++++++----------
5 files changed, 64 insertions(+), 40 deletions(-)
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SAMLTokenProcessor.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SAMLTokenProcessor.java
index 8206acb5a..ff5573aab 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SAMLTokenProcessor.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SAMLTokenProcessor.java
@@ -151,6 +151,23 @@ public class SAMLTokenProcessor implements Processor {
}
result.put(WSSecurityEngineResult.TAG_SUBJECT,
credential.getSubject());
}
+
+ // Save subject certs and secrets for further processing
+ SAMLKeyInfo keyInfo =
+ SAMLUtil.getCredentialFromSubject(samlAssertion, new
WSSSAMLKeyInfoProcessor(data),
+ data.getSigVerCrypto());
+ if (keyInfo != null) {
+ if (keyInfo.getPublicKey() != null) {
+ result.put(WSSecurityEngineResult.TAG_PUBLIC_KEY,
keyInfo.getPublicKey());
+ }
+ if (keyInfo.getCerts() != null) {
+ result.put(WSSecurityEngineResult.TAG_X509_CERTIFICATES,
keyInfo.getCerts());
+ }
+ if (keyInfo.getSecret() != null) {
+ result.put(WSSecurityEngineResult.TAG_SECRET,
keyInfo.getSecret());
+ }
+ }
+
data.getWsDocInfo().addResult(result);
return java.util.Collections.singletonList(result);
}
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java
index c5573a6cf..ef34ae06c 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java
@@ -26,9 +26,6 @@ import java.util.List;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.SAMLKeyInfo;
-import org.apache.wss4j.common.saml.SAMLUtil;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.util.KeyUtils;
@@ -36,7 +33,7 @@ import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.common.dom.WSConstants;
import org.apache.wss4j.common.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.common.dom.RequestData;
-import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
+import org.w3c.dom.Element;
/**
* This implementation of STRParser is for parsing a SecurityTokenReference
element associated
@@ -105,15 +102,13 @@ public class DerivedKeyTokenSTRParser implements
STRParser {
parserResult.setSecretKey(secretKey);
} else if (action != null
&& (WSConstants.ST_UNSIGNED == action.intValue() ||
WSConstants.ST_SIGNED == action.intValue())) {
- SamlAssertionWrapper samlAssertion =
-
(SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
-
- SAMLKeyInfo keyInfo =
- SAMLUtil.getCredentialFromSubject(samlAssertion, new
WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto());
- // TODO Handle malformed SAML tokens where they don't have the
- // secret in them
- byte[] secretKey = keyInfo.getSecret();
+ // Check BSP compliance
+ Element token =
(Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+ boolean saml2Token =
"urn:oasis:names:tc:SAML:2.0:assertion".equals(token.getNamespaceURI());
+ STRParserUtil.checkSamlTokenBSPCompliance(secRef, saml2Token,
data.getBSPEnforcer());
+
+ // TODO Handle malformed SAML tokens where they don't have the
secret in them
+ byte[] secretKey =
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
parserResult.setSecretKey(secretKey);
} else {
throw new WSSecurityException(
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
index da0540e92..ed2a0f55b 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
@@ -19,6 +19,7 @@
package org.apache.wss4j.dom.str;
+import java.security.PublicKey;
import java.security.cert.X509Certificate;
import javax.xml.namespace.QName;
@@ -105,15 +106,16 @@ public class EncryptedKeySTRParser implements STRParser {
parserResult.setCerts(certs);
} else if (action != null
&& (WSConstants.ST_UNSIGNED == action.intValue() ||
WSConstants.ST_SIGNED == action.intValue())) {
- SamlAssertionWrapper samlAssertion =
-
(SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
-
- SAMLKeyInfo keyInfo =
- SAMLUtil.getCredentialFromSubject(samlAssertion, new
WSSSAMLKeyInfoProcessor(data),
- data.getSigVerCrypto());
- parserResult.setCerts(keyInfo.getCerts());
- parserResult.setPublicKey(keyInfo.getPublicKey());
+ // Check BSP compliance
+ Element token =
(Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+ boolean saml2Token =
"urn:oasis:names:tc:SAML:2.0:assertion".equals(token.getNamespaceURI());
+ STRParserUtil.checkSamlTokenBSPCompliance(secRef, saml2Token,
data.getBSPEnforcer());
+
+ // Get certificates and public key from the SAML assertion that
was previously processed
+ X509Certificate[] certs =
(X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+ parserResult.setCerts(certs);
+ PublicKey publicKey =
(PublicKey)result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+ parserResult.setPublicKey(publicKey);
} else {
throw new WSSecurityException(
WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN,
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
index cf119571d..3e952147a 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
@@ -134,10 +134,17 @@ public class SecurityTokenRefSTRParser implements
STRParser {
parserResult.setPrincipal(dkt.createPrincipal());
} else if (action != null
&& (WSConstants.ST_UNSIGNED == action.intValue() ||
WSConstants.ST_SIGNED == action.intValue())) {
- SamlAssertionWrapper samlAssertion =
-
(SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- byte[] secretKey =
- getSecretKeyFromAssertion(samlAssertion, secRef, data);
+ // Check BSP compliance
+ Element token =
(Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+ boolean saml2Token =
"urn:oasis:names:tc:SAML:2.0:assertion".equals(token.getNamespaceURI());
+ STRParserUtil.checkSamlTokenBSPCompliance(secRef, saml2Token,
data.getBSPEnforcer());
+
+ byte[] secretKey =
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ if (secretKey == null) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILED_CHECK,
"invalidSAMLToken",
+ new Object[] {"No Secret Key"});
+ }
parserResult.setSecretKey(secretKey);
} else if (action != null
&& (WSConstants.SCT == action.intValue() || WSConstants.BST ==
action.intValue())) {
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
index caa4780b0..cd23bd3d5 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
@@ -20,6 +20,7 @@
package org.apache.wss4j.dom.str;
import java.security.Principal;
+import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
@@ -297,22 +298,24 @@ public class SignatureSTRParser implements STRParser {
parserResult.setSecretKey(dkt.deriveKey(keyLength, secret));
} else if (action != null
&& (WSConstants.ST_UNSIGNED == action.intValue() ||
WSConstants.ST_SIGNED == action.intValue())) {
+ // Check BSP compliance
+ Element token =
(Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+ boolean saml2Token =
"urn:oasis:names:tc:SAML:2.0:assertion".equals(token.getNamespaceURI());
+ STRParserUtil.checkSamlTokenBSPCompliance(secRef, saml2Token,
data.getBSPEnforcer());
+
+ // Get certificates and public key from the SAML assertion that
was previously processed
+ X509Certificate[] certs =
(X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+ if (certs != null && certs.length > 0) {
+ parserResult.setCerts(new X509Certificate[]{certs[0]});
+ }
+ PublicKey publicKey =
(PublicKey)result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+ parserResult.setPublicKey(publicKey);
+ byte[] secretKey =
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ parserResult.setSecretKey(secretKey);
+
+ // TODO revisit this part
SamlAssertionWrapper samlAssertion =
(SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
-
- SAMLKeyInfo keyInfo = samlAssertion.getSubjectKeyInfo();
- if (keyInfo == null) {
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity"
- );
- }
- X509Certificate[] foundCerts = keyInfo.getCerts();
- if (foundCerts != null && foundCerts.length > 0) {
- parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
- }
- parserResult.setSecretKey(keyInfo.getSecret());
- parserResult.setPublicKey(keyInfo.getPublicKey());
parserResult.setPrincipal(createPrincipalFromSAML(samlAssertion,
parserResult));
}
