This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch coheigea/saml-refactor-new
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git
The following commit(s) were added to refs/heads/coheigea/saml-refactor-new by
this push:
new 213ffe90f Working on SignatureSTRParser
213ffe90f is described below
commit 213ffe90f79890a45f5dd7f6ac61a0ad1bf2266f
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Wed Jun 25 15:30:29 2025 +0100
Working on SignatureSTRParser
---
.../org/apache/wss4j/common/saml/SAMLKeyInfo.java | 28 ++++++++++++++++++++++
.../wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java | 28 +++++++++++++++++++---
.../apache/wss4j/dom/str/SignatureSTRParser.java | 17 ++++++-------
3 files changed, 60 insertions(+), 13 deletions(-)
diff --git
a/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfo.java
b/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfo.java
index 9944cbc18..a68738954 100644
---
a/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfo.java
+++
b/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfo.java
@@ -42,6 +42,12 @@ public class SAMLKeyInfo {
*/
private PublicKey publicKey;
+ private boolean isHolderOfKey;
+
+ private boolean isAssertionSigned;
+
+ private java.security.Principal samlPrincipal;
+
public SAMLKeyInfo() {
}
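Review bot: The three new fields carry no Javadoc, while the existing `publicKey` field above them is documented (the `*/` on the preceding context line closes its comment); the accessors in the next hunk of this file are undocumented as well. The `isAssertionSigned` flag in particular needs its meaning pinned down, because SignatureSTRParser uses it together with `isHolderOfKey` to set `trustedCredential`: a reader cannot tell whether it means "the assertion carries a ds:Signature" or "the assertion's signature was verified", and the value is only ever produced from `samlAssertion.isSigned()`, whose contract is not visible here. I would add `/** Whether the assertion carries a signature; set from SamlAssertionWrapper.isSigned() — this does not by itself indicate the signature was verified. */` above the field (adjusting the wording once the semantics of `isSigned()` are confirmed), `/** Whether the first subject confirmation method is holder-of-key. */` above `isHolderOfKey`, and `/** Principal derived from the assertion, or null if the processor did not populate it. */` above `samlPrincipal`. Note that both booleans default to false, so a processor that does not populate them leaves the credential untrusted, which is the safe direction.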
@@ -81,4 +87,26 @@ public class SAMLKeyInfo {
this.publicKey = publicKey;
}
+ public boolean isAssertionSigned() {
+ return isAssertionSigned;
+ }
+
+ public void setAssertionSigned(boolean isAssertionSigned) {
+ this.isAssertionSigned = isAssertionSigned;
+ }
+ public boolean isHolderOfKey() {
+ return isHolderOfKey;
+ }
+
+ public void setHolderOfKey(boolean isHolderOfKey) {
+ this.isHolderOfKey = isHolderOfKey;
+ }
+
+ public java.security.Principal getSamlPrincipal() {
+ return samlPrincipal;
+ }
+
+ public void setSamlPrincipal(java.security.Principal samlPrincipal) {
+ this.samlPrincipal = samlPrincipal;
+ }
}
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
index ef8e7722e..8e8470a5a 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
@@ -31,7 +31,9 @@ import org.apache.wss4j.common.crypto.AlgorithmSuite;
import org.apache.wss4j.common.crypto.AlgorithmSuiteValidator;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SAMLKeyInfoProcessor;
import org.apache.wss4j.common.saml.SAMLUtil;
@@ -64,8 +66,8 @@ public class WSSSAMLKeyInfoProcessor implements
SAMLKeyInfoProcessor {
public SAMLKeyInfo processSAMLKeyInfoFromAssertionElement(Element
assertionElement, RequestData data,
Crypto userCrypto) throws WSSecurityException {
- SamlAssertionWrapper assertion = new
SamlAssertionWrapper(assertionElement);
- return SAMLUtil.getCredentialFromSubject(assertion, this, data,
userCrypto);
+ SamlAssertionWrapper samlAssertion = new
SamlAssertionWrapper(assertionElement);
+ return processSAMLKeyInfoFromAssertion(samlAssertion, data,
userCrypto);
}
public SAMLKeyInfo
processSAMLKeyInfoFromSecurityTokenReference(SecurityTokenReference secRef,
@@ -74,7 +76,27 @@ public class WSSSAMLKeyInfoProcessor implements
SAMLKeyInfoProcessor {
SamlAssertionWrapper samlAssertion =
STRParserUtil.getAssertionFromKeyIdentifier(secRef, secRef.getElement(), data);
STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
- return SAMLUtil.getCredentialFromSubject(samlAssertion, new
WSSSAMLKeyInfoProcessor(), data, data.getSigVerCrypto());
+ return processSAMLKeyInfoFromAssertion(samlAssertion, data,
data.getSigVerCrypto());
+ }
+
+ private SAMLKeyInfo processSAMLKeyInfoFromAssertion(SamlAssertionWrapper
samlAssertion,
+ RequestData data,
+ Crypto crypto
+ ) throws WSSecurityException {
+ SAMLKeyInfo samlKeyInfo =
+ SAMLUtil.getCredentialFromSubject(samlAssertion, new
WSSSAMLKeyInfoProcessor(), data, crypto);
+
+ SAMLTokenPrincipalImpl samlPrincipal = new
SAMLTokenPrincipalImpl(samlAssertion);
+ samlKeyInfo.setSamlPrincipal(samlPrincipal);
+ String confirmMethod = null;
+ List<String> methods = samlAssertion.getConfirmationMethods();
+ if (methods != null && !methods.isEmpty()) {
+ confirmMethod = methods.get(0);
+ }
+
samlKeyInfo.setHolderOfKey(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
+ samlKeyInfo.setAssertionSigned(samlAssertion.isSigned());
+
+ return samlKeyInfo;
}
public SAMLKeyInfo processSAMLKeyInfo(Element keyInfoElement, RequestData
data) throws WSSecurityException {
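Review bot: The new `processSAMLKeyInfoFromAssertion` allocates `new WSSSAMLKeyInfoProcessor()` to pass into `SAMLUtil.getCredentialFromSubject`, although it is itself an instance method of that class; the removed line in `processSAMLKeyInfoFromAssertionElement` passed `this`, so this hunk quietly changes which processor instance handles nested KeyInfo and would bypass any subclass override. I would write `SAMLUtil.getCredentialFromSubject(samlAssertion, this, data, crypto);` and keep the existing behaviour. Separately, the method dereferences `samlKeyInfo` at `setSamlPrincipal` without a check; if `getCredentialFromSubject` can return null (not visible in this hunk) the failure surfaces as a NullPointerException rather than a `WSSecurityException`, so a guard such as `if (samlKeyInfo == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK); }` with the project's usual message key would make the failure mode explicit. The private method also lacks a Javadoc stating that it populates principal, holder-of-key and signed-state on the returned object, which is exactly the contract SignatureSTRParser now depends on.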
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
index 011456211..c5d3e3d4f 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
@@ -36,7 +36,7 @@ import
org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
-import org.apache.wss4j.common.saml.SAMLUtil;
+import org.apache.wss4j.common.saml.SAMLKeyInfoProcessor;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.Reference;
@@ -131,22 +131,19 @@ public class SignatureSTRParser implements STRParser {
byte[] secretKey =
STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType,
WSPasswordCallback.SECRET_KEY, data);
if (secretKey == null || secretKey.length == 0) {
- SamlAssertionWrapper samlAssertion =
- STRParserUtil.getAssertionFromKeyIdentifier(
- secRef, secRef.getElement(), data
- );
- STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
+ SAMLKeyInfoProcessor keyInfoProcessor = new
WSSSAMLKeyInfoProcessor();
+ SAMLKeyInfo samlKi =
keyInfoProcessor.processSAMLKeyInfoFromSecurityTokenReference(secRef, data);
- SAMLKeyInfo samlKi =
- SAMLUtil.getCredentialFromSubject(samlAssertion,
- new WSSSAMLKeyInfoProcessor(), data,
data.getSigVerCrypto());
X509Certificate[] foundCerts = samlKi.getCerts();
if (foundCerts != null && foundCerts.length > 0) {
parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
}
secretKey = samlKi.getSecret();
parserResult.setPublicKey(samlKi.getPublicKey());
- parserResult.setPrincipal(createPrincipalFromSAML(samlAssertion,
parserResult));
+ parserResult.setPrincipal(samlKi.getSamlPrincipal());
+ if (samlKi.isHolderOfKey() && samlKi.isAssertionSigned()) {
+ parserResult.setTrustedCredential(true);
+ }
}
parserResult.setSecretKey(secretKey);
}
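Review bot: `parserResult.setPrincipal(samlKi.getSamlPrincipal())` and the following `isHolderOfKey() && isAssertionSigned()` check make this parser depend on the processor having populated those fields, but `keyInfoProcessor` is declared as the `SAMLKeyInfoProcessor` interface, whose `processSAMLKeyInfoFromSecurityTokenReference` contract (outside this hunk) does not visibly require it; an alternative implementation would leave the principal null where the removed `createPrincipalFromSAML` call always produced one. Either document that requirement on the interface method, or fail closed here with `if (samlKi.getSamlPrincipal() == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK); }` before `setPrincipal`, using the project's usual message key. The trust decision itself is fail-closed because both flags default to false, which is the right direction, but its soundness now rests on what `isAssertionSigned` means (presence of a signature versus a verified one), so the SAMLKeyInfo Javadoc should say which. With its only visible caller gone, `createPrincipalFromSAML` and possibly the `SAMLTokenPrincipalImpl`/`OpenSAMLUtil` imports retained in the first hunk may now be unused; that is outside this hunk, so worth checking before merge. The enclosing method starts outside the hunk.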