This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch coheigea/saml-refactor-new
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git


The following commit(s) were added to refs/heads/coheigea/saml-refactor-new by 
this push:
     new ee493a9fd More work on SignatureSTRParser
ee493a9fd is described below

commit ee493a9fdbec9c0cd1adb34993ab62b38eadd43e
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Thu Jun 26 14:39:04 2025 +0100

    More work on SignatureSTRParser
---
 .../common/dom/engine/WSSecurityEngineResult.java  |  5 +++++
 .../wss4j/dom/processor/SAMLTokenProcessor.java    |  1 +
 .../wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java    | 26 ++--------------------
 .../apache/wss4j/dom/str/SignatureSTRParser.java   |  9 ++++----
 .../org/apache/wss4j/common/saml/SAMLUtil.java     | 22 ++++++++++++++----
 5 files changed, 31 insertions(+), 32 deletions(-)

diff --git 
a/ws-security-common/src/main/java/org/apache/wss4j/common/dom/engine/WSSecurityEngineResult.java
 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/engine/WSSecurityEngineResult.java
index 9798b8f6e..7ce7585e8 100644
--- 
a/ws-security-common/src/main/java/org/apache/wss4j/common/dom/engine/WSSecurityEngineResult.java
+++ 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/engine/WSSecurityEngineResult.java
@@ -166,6 +166,11 @@ public class WSSecurityEngineResult extends 
java.util.HashMap<String, Object> {
      */
     public static final String TAG_PUBLIC_KEY = "public-key";
 
+    /**
+     * Tag denoting a SAMLKeyInfo associated with this token
+     */
+    public static final String TAG_SAML_KEYINFO = "saml-keyinfo";
+
     //
     // General tags
     //
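Review bot: The Javadoc on the new TAG_SAML_KEYINFO constant names the value's type but not what it carries; in this same commit SAMLTokenProcessor stores the SAMLKeyInfo whose `getSecret()` it also copies into TAG_SECRET, so the value holds key material. Suggest `/** Tag denoting the SAMLKeyInfo extracted from a SAML token (subject key material plus holder-of-key / signed flags); treat as sensitive like TAG_SECRET. */` so readers of the result map know it is not just metadata.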
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SAMLTokenProcessor.java
 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SAMLTokenProcessor.java
index 43cfbcfe1..c12443e2c 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SAMLTokenProcessor.java
+++ 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SAMLTokenProcessor.java
@@ -166,6 +166,7 @@ public class SAMLTokenProcessor implements Processor {
             if (keyInfo.getSecret() != null) {
                 result.put(WSSecurityEngineResult.TAG_SECRET, 
keyInfo.getSecret());
             }
+            result.put(WSSecurityEngineResult.TAG_SAML_KEYINFO, keyInfo);
         }
 
         data.getWsDocInfo().addResult(result);
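Review bot: The SAMLKeyInfo put under TAG_SAML_KEYINFO on the added line carries the same secret that the lines just above copy into TAG_SECRET via `keyInfo.getSecret()`, so the result map now holds that key material twice under two different tags. Anything that redacts or filters TAG_SECRET before results are logged, serialized or exposed to callers will presumably need to treat TAG_SAML_KEYINFO the same way, otherwise the redaction is bypassed. A comment on the new line would make that visible: `// holds the same secret as TAG_SECRET above; treat as sensitive wherever results are exposed`. The enclosing if block and method begin before the hunk.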
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
index 8e8470a5a..e229d6f77 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
+++ 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
@@ -31,9 +31,7 @@ import org.apache.wss4j.common.crypto.AlgorithmSuite;
 import org.apache.wss4j.common.crypto.AlgorithmSuiteValidator;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
 import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SAMLKeyInfoProcessor;
 import org.apache.wss4j.common.saml.SAMLUtil;
@@ -67,7 +65,7 @@ public class WSSSAMLKeyInfoProcessor implements 
SAMLKeyInfoProcessor {
     public SAMLKeyInfo processSAMLKeyInfoFromAssertionElement(Element 
assertionElement, RequestData data, 
         Crypto userCrypto) throws WSSecurityException {
         SamlAssertionWrapper samlAssertion = new 
SamlAssertionWrapper(assertionElement);
-        return processSAMLKeyInfoFromAssertion(samlAssertion, data, 
userCrypto);
+        return SAMLUtil.getCredentialFromSubject(samlAssertion, new 
WSSSAMLKeyInfoProcessor(), data, userCrypto);
     }
 
     public SAMLKeyInfo 
processSAMLKeyInfoFromSecurityTokenReference(SecurityTokenReference secRef,
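Review bot: The rewritten return in processSAMLKeyInfoFromAssertionElement passes `new WSSSAMLKeyInfoProcessor()` as the SAMLKeyInfoProcessor while already executing inside that class, and the next hunk does the same; this is a point of style rather than correctness, but it allocates a throwaway instance and silently bypasses any subclass override of processSAMLKeyInfo. Unless excluding subclasses is intended, `return SAMLUtil.getCredentialFromSubject(samlAssertion, this, data, userCrypto);` reads more clearly and matches the instance the caller actually configured.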
@@ -76,27 +74,7 @@ public class WSSSAMLKeyInfoProcessor implements 
SAMLKeyInfoProcessor {
         SamlAssertionWrapper samlAssertion = 
STRParserUtil.getAssertionFromKeyIdentifier(secRef, secRef.getElement(), data);
         STRParserUtil.checkSamlTokenBSPCompliance(secRef, 
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
 
-        return processSAMLKeyInfoFromAssertion(samlAssertion, data, 
data.getSigVerCrypto());
-    }
-
-    private SAMLKeyInfo processSAMLKeyInfoFromAssertion(SamlAssertionWrapper 
samlAssertion,
-        RequestData data,
-        Crypto crypto
-    ) throws WSSecurityException {
-        SAMLKeyInfo samlKeyInfo = 
-            SAMLUtil.getCredentialFromSubject(samlAssertion, new 
WSSSAMLKeyInfoProcessor(), data, crypto);
-
-        SAMLTokenPrincipalImpl samlPrincipal = new 
SAMLTokenPrincipalImpl(samlAssertion);
-        samlKeyInfo.setSamlPrincipal(samlPrincipal);
-        String confirmMethod = null;
-        List<String> methods = samlAssertion.getConfirmationMethods();
-        if (methods != null && !methods.isEmpty()) {
-            confirmMethod = methods.get(0);
-        }
-        
samlKeyInfo.setHolderOfKey(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
-        samlKeyInfo.setAssertionSigned(samlAssertion.isSigned());
-
-        return samlKeyInfo;
+        return SAMLUtil.getCredentialFromSubject(samlAssertion, new 
WSSSAMLKeyInfoProcessor(), data, data.getSigVerCrypto());
     }
 
     public SAMLKeyInfo processSAMLKeyInfo(Element keyInfoElement, RequestData 
data) throws WSSecurityException {
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
index c5d3e3d4f..315658f09 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
+++ 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
@@ -310,10 +310,11 @@ public class SignatureSTRParser implements STRParser {
             byte[] secretKey = 
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
             parserResult.setSecretKey(secretKey);
 
-            // TODO revisit this part
-            SamlAssertionWrapper samlAssertion =
-                
(SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-            parserResult.setPrincipal(createPrincipalFromSAML(samlAssertion, 
parserResult));
+            SAMLKeyInfo samlKeyInfo = 
(SAMLKeyInfo)result.get(WSSecurityEngineResult.TAG_SAML_KEYINFO);
+            if (samlKeyInfo != null && samlKeyInfo.isHolderOfKey() && 
samlKeyInfo.isAssertionSigned()) {
+                parserResult.setTrustedCredential(true);
+            }
+            
parserResult.setPrincipal((Principal)result.get(WSSecurityEngineResult.TAG_PRINCIPAL));
         }
 
         REFERENCE_TYPE referenceType = getReferenceType(secRef);
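Review bot: `parserResult.setTrustedCredential(true)` on the added lines is decided from `isAssertionSigned()`, which SAMLUtil populates in this same commit from `samlAssertion.isSigned()`; from what is visible that records that the assertion carries a signature, not that the signature was verified against a trusted issuer. Marking the credential trusted presumably relaxes whatever trust check the parser otherwise applies to the key, so this is only safe if every result reaching this branch comes from a processor that validated the assertion signature before storing it (SAMLTokenProcessor looks like that path, but the validation is outside the diff). Suggest a comment on the condition, `// trusted only because the token processor already verified the assertion signature before storing this result`, and if an unverified signed assertion can ever be stored, an explicit "signature verified" flag on SAMLKeyInfo rather than isAssertionSigned(). The enclosing method starts and ends outside the hunk.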
diff --git 
a/ws-security-saml/src/main/java/org/apache/wss4j/common/saml/SAMLUtil.java 
b/ws-security-saml/src/main/java/org/apache/wss4j/common/saml/SAMLUtil.java
index 698c70e6b..85cae9b11 100644
--- a/ws-security-saml/src/main/java/org/apache/wss4j/common/saml/SAMLUtil.java
+++ b/ws-security-saml/src/main/java/org/apache/wss4j/common/saml/SAMLUtil.java
@@ -38,6 +38,7 @@ import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoType;
 import org.apache.wss4j.common.dom.RequestData;
 import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.opensaml.saml.saml2.core.SubjectConfirmationData;
 import org.w3c.dom.Element;
@@ -81,18 +82,31 @@ public final class SAMLUtil {
         RequestData data,
         Crypto sigCrypto
     ) throws WSSecurityException {
+        SAMLKeyInfo samlKeyInfo = null;
         if (samlAssertion.getSaml1() != null) {
-            return getCredentialFromSubject(
+            samlKeyInfo = getCredentialFromSubject(
                 samlAssertion.getSaml1(), keyInfoProcessor, data, sigCrypto
             );
         } else if (samlAssertion.getSaml2() != null) {
-            return getCredentialFromSubject(
+            samlKeyInfo = getCredentialFromSubject(
                 samlAssertion.getSaml2(), keyInfoProcessor, data, sigCrypto
             );
+        } else {
+            throw new 
WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty",
+                                      new Object[] {"Cannot get credentials 
from an unknown SAML Assertion"});
         }
 
-        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, 
"empty",
-                                      new Object[] {"Cannot get credentials 
from an unknown SAML Assertion"});
+        if (samlKeyInfo != null) {
+            List<String> methods = samlAssertion.getConfirmationMethods();
+            if (methods != null && !methods.isEmpty()) {
+                String confirmMethod = methods.get(0);
+                
samlKeyInfo.setHolderOfKey(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
+            }
+            samlKeyInfo.setAssertionSigned(samlAssertion.isSigned());
+            samlKeyInfo.setSamlPrincipal(new 
SAMLTokenPrincipalImpl(samlAssertion));
+        }
+
+        return samlKeyInfo;
     }
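Review bot: holderOfKey is now set only when confirmation methods are present, whereas the code this replaces in WSSSAMLKeyInfoProcessor called `setHolderOfKey(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod))` unconditionally, passing null when there were none; an assertion without a confirmation method therefore depends on SAMLKeyInfo's field default instead of an explicit value, and if that default is not false it would be reported as holder-of-key and downstream (SignatureSTRParser in this commit) treated as a trusted credential. Making it explicit removes the dependency: `samlKeyInfo.setHolderOfKey(methods != null && !methods.isEmpty() && OpenSAMLUtil.isMethodHolderOfKey(methods.get(0)));`. Only the first confirmation method is consulted, as before; the method's Javadoc (above the hunk, with the signature) should also say that it now populates holderOfKey, assertionSigned and samlPrincipal, and that assertionSigned mirrors `isSigned()` rather than a verified signature.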
 
     /**
