ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1663694 [1/2] - in /webservices/wss4j/trunk: ws-security-common/src/main/resources/messages/ ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/ ws-security-dom/src/main/ja...
Date Tue, 03 Mar 2015 13:06:26 GMT
Author: coheigea
Date: Tue Mar  3 13:06:25 2015
New Revision: 1663694

URL: http://svn.apache.org/r1663694
Log:
STRParser review + refactor

Added:
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserParameters.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserResult.java
      - copied, changed from r1663268, webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParser.java
Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/DerivedKeyTokenProcessor.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedDataProcessor.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParser.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserUtil.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties Tue Mar  3 13:06:25 2015
@@ -95,6 +95,7 @@ unsupportedKeyInfo = Unsupported KeyInfo
 unsupportedKeyTransp = unsupported key transport encryption algorithm: {0}
 unsupportedSecurityToken = Unsupported SecurityToken {0}
 secureProcessing.AllowRSA15KeyTransportAlgorithm = The use of RSAv1.5 key transport algorithm is discouraged. Nonetheless can it be enabled via the \"AllowRSA15KeyTransportAlgorithm\" property in the configuration.
+invalidSTRParserParameter = A required parameter was not supplied to an STRParser implementation
 
 BadContextToken = The requested context elements are insufficient or unsupported
 UnsupportedContextToken = Not all of the values associated with the SCT are supported

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/DerivedKeyTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/DerivedKeyTokenProcessor.java?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/DerivedKeyTokenProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/DerivedKeyTokenProcessor.java Tue Mar  3 13:06:25 2015
@@ -21,7 +21,6 @@ package org.apache.wss4j.dom.processor;
 
 import java.util.Collections;
 import java.util.List;
-import java.util.Map;
 
 import org.w3c.dom.Element;
 import org.apache.wss4j.dom.WSConstants;
@@ -34,6 +33,8 @@ import org.apache.wss4j.dom.handler.Requ
 import org.apache.wss4j.dom.message.token.DerivedKeyToken;
 import org.apache.wss4j.dom.str.DerivedKeyTokenSTRParser;
 import org.apache.wss4j.dom.str.STRParser;
+import org.apache.wss4j.dom.str.STRParserParameters;
+import org.apache.wss4j.dom.str.STRParserResult;
 
 /**
  * The processor to process <code>wsc:DerivedKeyToken</code>.
@@ -61,12 +62,14 @@ public class DerivedKeyTokenProcessor im
         byte[] secret = null;
         Element secRefElement = dkt.getSecurityTokenReferenceElement();
         if (secRefElement != null) {
+            STRParserParameters parameters = new STRParserParameters();
+            parameters.setData(data);
+            parameters.setWsDocInfo(wsDocInfo);
+            parameters.setStrElement(secRefElement);
+            
             STRParser strParser = new DerivedKeyTokenSTRParser();
-            Map<String, Object> parameters = Collections.emptyMap();
-            strParser.parseSecurityTokenReference(
-                secRefElement, data, wsDocInfo, parameters
-            );
-            secret = strParser.getSecretKey();
+            STRParserResult parserResult = strParser.parseSecurityTokenReference(parameters);
+            secret = parserResult.getSecretKey();
         } else {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "noReference");
         }

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedDataProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedDataProcessor.java?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedDataProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedDataProcessor.java Tue Mar  3 13:06:25 2015
@@ -22,10 +22,8 @@ package org.apache.wss4j.dom.processor;
 import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
-import java.util.Map;
 
 import javax.crypto.SecretKey;
 import javax.xml.namespace.QName;
@@ -45,6 +43,8 @@ import org.apache.wss4j.dom.WSSecurityEn
 import org.apache.wss4j.dom.bsp.BSPEnforcer;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.str.STRParser;
+import org.apache.wss4j.dom.str.STRParserParameters;
+import org.apache.wss4j.dom.str.STRParserResult;
 import org.apache.wss4j.dom.str.SecurityTokenRefSTRParser;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 
@@ -101,15 +101,18 @@ public class EncryptedDataProcessor impl
         List<WSSecurityEngineResult> encrKeyResults = null;
         Principal principal = null;
         if (secRefToken != null) {
+            STRParserParameters parameters = new STRParserParameters();
+            parameters.setData(request);
+            parameters.setWsDocInfo(wsDocInfo);
+            parameters.setStrElement(secRefToken);
+            if (symEncAlgo != null) {
+                parameters.setDerivationKeyLength(KeyUtils.getKeyLength(symEncAlgo));
+            }
+            
             STRParser strParser = new SecurityTokenRefSTRParser();
-            Map<String, Object> parameters = new HashMap<String, Object>(1);
-            parameters.put(SecurityTokenRefSTRParser.SIGNATURE_METHOD, symEncAlgo);
-            strParser.parseSecurityTokenReference(
-                secRefToken, request,
-                wsDocInfo, parameters
-            );
-            byte[] secretKey = strParser.getSecretKey();
-            principal = strParser.getPrincipal();
+            STRParserResult parserResult = strParser.parseSecurityTokenReference(parameters);
+            byte[] secretKey = parserResult.getSecretKey();
+            principal = parserResult.getPrincipal();
             key = KeyUtils.prepareSecretKey(symEncAlgo, secretKey);
             encrKeyResults = new ArrayList<>();
         } else if (encryptedKeyElement != null) {

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java Tue Mar  3 13:06:25 2015
@@ -29,7 +29,6 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
-import java.util.Map;
 
 import javax.crypto.Cipher;
 import javax.crypto.KeyGenerator;
@@ -57,6 +56,8 @@ import org.apache.wss4j.dom.message.toke
 import org.apache.wss4j.dom.message.token.SecurityTokenReference;
 import org.apache.wss4j.dom.str.EncryptedKeySTRParser;
 import org.apache.wss4j.dom.str.STRParser;
+import org.apache.wss4j.dom.str.STRParserParameters;
+import org.apache.wss4j.dom.str.STRParserResult;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.xml.security.algorithms.JCEMapper;
 import org.apache.xml.security.exceptions.Base64DecodingException;
@@ -141,9 +142,31 @@ public class EncryptedKeyProcessor imple
             throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noCipher");
         }
         
-        STRParser strParser = new EncryptedKeySTRParser();
-        X509Certificate[] certs = 
-            getCertificatesFromEncryptedKey(elem, data, wsDocInfo, strParser);
+        Element keyInfoChildElement = getKeyInfoChildElement(elem, data);
+        
+        X509Certificate[] certs = null;
+        STRParser.REFERENCE_TYPE referenceType = null;
+        if (SecurityTokenReference.SECURITY_TOKEN_REFERENCE.equals(keyInfoChildElement.getLocalName()) 
+            && WSConstants.WSSE_NS.equals(keyInfoChildElement.getNamespaceURI())) {
+            STRParserParameters parameters = new STRParserParameters();
+            parameters.setData(data);
+            parameters.setWsDocInfo(wsDocInfo);
+            parameters.setStrElement(keyInfoChildElement);
+            
+            STRParser strParser = new EncryptedKeySTRParser();
+            STRParserResult parserResult = strParser.parseSecurityTokenReference(parameters);
+
+            certs = parserResult.getCertificates();
+            referenceType = parserResult.getCertificatesReferenceType();
+        } else {
+            certs = getCertificatesFromX509Data(keyInfoChildElement, data);
+        }
+        
+        if (certs == null || certs.length < 1 || certs[0] == null) {
+            throw new WSSecurityException(
+                                          WSSecurityException.ErrorCode.FAILURE,
+                                          "noCertsFound", "decryption (KeyId)");
+        }
 
         // Check for compliance against the defined AlgorithmSuite
         if (algorithmSuite != null) {
@@ -234,7 +257,7 @@ public class EncryptedKeyProcessor imple
         if (!"".equals(tokenId)) {
             result.put(WSSecurityEngineResult.TAG_ID, tokenId);
         }
-        result.put(WSSecurityEngineResult.TAG_X509_REFERENCE_TYPE, strParser.getCertificatesReferenceType());
+        result.put(WSSecurityEngineResult.TAG_X509_REFERENCE_TYPE, referenceType);
         wsDocInfo.addResult(result);
         wsDocInfo.addTokenElement(elem);
         return Collections.singletonList(result);
@@ -348,20 +371,11 @@ public class EncryptedKeyProcessor imple
         return null;
     }
     
-    /**
-     * @return the Certificate(s) corresponding to the public key reference in the 
-     * EncryptedKey Element
-     */
-    private X509Certificate[] getCertificatesFromEncryptedKey(
-        Element xencEncryptedKey,
-        RequestData data,
-        WSDocInfo wsDocInfo,
-        STRParser strParser
+    private Element getKeyInfoChildElement(
+        Element xencEncryptedKey, RequestData data
     ) throws WSSecurityException {
         Element keyInfo = 
-            WSSecurityUtil.getDirectChildElement(
-                xencEncryptedKey, "KeyInfo", WSConstants.SIG_NS
-            );
+            WSSecurityUtil.getDirectChildElement(xencEncryptedKey, "KeyInfo", WSConstants.SIG_NS);
         if (keyInfo != null) {
             Element strElement = null;
 
@@ -378,55 +392,50 @@ public class EncryptedKeyProcessor imple
                 data.getBSPEnforcer().handleBSPRule(BSPRule.R5424);
             }
 
-            if (strElement == null || strParser == null) {
+            if (strElement == null) {
                 throw new WSSecurityException(
                     WSSecurityException.ErrorCode.INVALID_SECURITY, "noSecTokRef"
                 );
             }
-            
-            X509Certificate[] certs = null;
-            if (SecurityTokenReference.SECURITY_TOKEN_REFERENCE.equals(strElement.getLocalName()) 
-                && WSConstants.WSSE_NS.equals(strElement.getNamespaceURI())) {
-                Map<String, Object> parameters = Collections.emptyMap();
-                strParser.parseSecurityTokenReference(strElement, data, wsDocInfo, parameters);
-                
-                certs = strParser.getCertificates();
-            } else if (WSConstants.SIG_NS.equals(strElement.getNamespaceURI())
-                && WSConstants.X509_DATA_LN.equals(strElement.getLocalName())) {
-                data.getBSPEnforcer().handleBSPRule(BSPRule.R5426);
-                
-                Element x509Child = getFirstElement(strElement);
-                
-                if (x509Child != null && WSConstants.SIG_NS.equals(x509Child.getNamespaceURI())) {
-                    if (WSConstants.X509_ISSUER_SERIAL_LN.equals(x509Child.getLocalName())) {
-                        DOMX509IssuerSerial issuerSerial = new DOMX509IssuerSerial(x509Child);
-                        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
-                        cryptoType.setIssuerSerial(issuerSerial.getIssuer(), issuerSerial.getSerialNumber());
-                        certs = data.getDecCrypto().getX509Certificates(cryptoType);
-                    } else if (WSConstants.X509_CERT_LN.equals(x509Child.getLocalName())) {
-                        byte[] token = getToken(x509Child);
-                        if (token == null) {
-                            throw new WSSecurityException(
-                                WSSecurityException.ErrorCode.FAILURE, "invalidCertData", 0);
-                        }
-                        InputStream in = new ByteArrayInputStream(token);
-                        X509Certificate cert = data.getDecCrypto().loadCertificate(in);
-                        if (cert != null) {
-                            certs = new X509Certificate[]{cert};
-                        }
+
+            return strElement;
+        } else {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noKeyinfo");
+        }
+    }
+
+    private X509Certificate[] getCertificatesFromX509Data(
+        Element strElement,
+        RequestData data
+    ) throws WSSecurityException {
+
+        if (WSConstants.SIG_NS.equals(strElement.getNamespaceURI())
+            && WSConstants.X509_DATA_LN.equals(strElement.getLocalName())) {
+            data.getBSPEnforcer().handleBSPRule(BSPRule.R5426);
+
+            Element x509Child = getFirstElement(strElement);
+
+            if (x509Child != null && WSConstants.SIG_NS.equals(x509Child.getNamespaceURI())) {
+                if (WSConstants.X509_ISSUER_SERIAL_LN.equals(x509Child.getLocalName())) {
+                    DOMX509IssuerSerial issuerSerial = new DOMX509IssuerSerial(x509Child);
+                    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
+                    cryptoType.setIssuerSerial(issuerSerial.getIssuer(), issuerSerial.getSerialNumber());
+                    return data.getDecCrypto().getX509Certificates(cryptoType);
+                } else if (WSConstants.X509_CERT_LN.equals(x509Child.getLocalName())) {
+                    byte[] token = getToken(x509Child);
+                    if (token == null) {
+                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidCertData", 0);
+                    }
+                    InputStream in = new ByteArrayInputStream(token);
+                    X509Certificate cert = data.getDecCrypto().loadCertificate(in);
+                    if (cert != null) {
+                        return new X509Certificate[]{cert};
                     }
                 }
             }
-            
-            if (certs == null || certs.length < 1 || certs[0] == null) {
-                throw new WSSecurityException(
-                    WSSecurityException.ErrorCode.FAILURE,
-                    "noCertsFound", "decryption (KeyId)");
-            }
-            return certs;
-        } else {
-            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noKeyinfo");
         }
+
+        return null;
     }
     
     private Element getFirstElement(Element element) {
@@ -500,7 +509,7 @@ public class EncryptedKeyProcessor imple
         if (dataRefURIs == null || dataRefURIs.isEmpty()) {
             return null;
         }
-        List<WSDataRef> dataRefs = new ArrayList<>();
+        List<WSDataRef> dataRefs = new ArrayList<>(dataRefURIs.size());
         for (String dataRefURI : dataRefURIs) {
             WSDataRef dataRef = 
                 decryptDataRef(doc, dataRefURI, docInfo, decryptedBytes, data);

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java Tue Mar  3 13:06:25 2015
@@ -25,9 +25,7 @@ import java.security.NoSuchAlgorithmExce
 import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
 
 import javax.crypto.Cipher;
 import javax.crypto.NoSuchPaddingException;
@@ -60,6 +58,8 @@ import org.apache.wss4j.dom.handler.Requ
 import org.apache.wss4j.dom.message.CallbackLookup;
 import org.apache.wss4j.dom.message.token.SecurityTokenReference;
 import org.apache.wss4j.dom.str.STRParser;
+import org.apache.wss4j.dom.str.STRParserParameters;
+import org.apache.wss4j.dom.str.STRParserResult;
 import org.apache.wss4j.dom.str.SecurityTokenRefSTRParser;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.xml.security.encryption.XMLCipher;
@@ -182,15 +182,18 @@ public class ReferenceListProcessor impl
         if (secRefToken == null) {
             symmetricKey = X509Util.getSharedKey(keyInfoElement, symEncAlgo, data.getCallbackHandler());
         } else {
+            STRParserParameters parameters = new STRParserParameters();
+            parameters.setData(data);
+            parameters.setWsDocInfo(wsDocInfo);
+            parameters.setStrElement(secRefToken);
+            if (symEncAlgo != null) {
+                parameters.setDerivationKeyLength(KeyUtils.getKeyLength(symEncAlgo));
+            }
+            
             STRParser strParser = new SecurityTokenRefSTRParser();
-            Map<String, Object> parameters = new HashMap<String, Object>(1);
-            parameters.put(SecurityTokenRefSTRParser.SIGNATURE_METHOD, symEncAlgo);
-            strParser.parseSecurityTokenReference(
-                secRefToken, data,
-                wsDocInfo, parameters
-            );
-            byte[] secretKey = strParser.getSecretKey();
-            principal = strParser.getPrincipal();
+            STRParserResult parserResult = strParser.parseSecurityTokenReference(parameters);
+            byte[] secretKey = parserResult.getSecretKey();
+            principal = parserResult.getPrincipal();
             symmetricKey = KeyUtils.prepareSecretKey(symEncAlgo, secretKey);
         }
         

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java Tue Mar  3 13:06:25 2015
@@ -29,9 +29,7 @@ import java.text.DateFormat;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Date;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
 
 import javax.xml.crypto.Data;
 import javax.xml.crypto.MarshalException;
@@ -77,6 +75,8 @@ import org.apache.wss4j.dom.message.toke
 import org.apache.wss4j.dom.message.token.Timestamp;
 import org.apache.wss4j.dom.str.STRParser;
 import org.apache.wss4j.dom.str.STRParser.REFERENCE_TYPE;
+import org.apache.wss4j.dom.str.STRParserParameters;
+import org.apache.wss4j.dom.str.STRParserResult;
 import org.apache.wss4j.dom.str.SignatureSTRParser;
 import org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform;
 import org.apache.wss4j.dom.transform.STRTransform;
@@ -158,19 +158,23 @@ public class SignatureProcessor implemen
                     credential = validator.validate(credential, data);
                 }
             } else {
+                STRParserParameters parameters = new STRParserParameters();
+                parameters.setData(data);
+                parameters.setWsDocInfo(wsDocInfo);
+                parameters.setStrElement(child);
+                if (signatureMethod != null) {
+                    parameters.setDerivationKeyLength(KeyUtils.getKeyLength(signatureMethod));
+                }
+                
                 STRParser strParser = new SignatureSTRParser();
-                Map<String, Object> parameters = new HashMap<>(1);
-                parameters.put(SignatureSTRParser.SIGNATURE_METHOD, signatureMethod);
-                strParser.parseSecurityTokenReference(
-                    child, data, wsDocInfo, parameters
-                );
-                principal = strParser.getPrincipal();
-                certs = strParser.getCertificates();
-                publicKey = strParser.getPublicKey();
-                secretKey = strParser.getSecretKey();
-                referenceType = strParser.getCertificatesReferenceType();
+                STRParserResult parserResult = strParser.parseSecurityTokenReference(parameters);
+                principal = parserResult.getPrincipal();
+                certs = parserResult.getCertificates();
+                publicKey = parserResult.getPublicKey();
+                secretKey = parserResult.getSecretKey();
+                referenceType = parserResult.getCertificatesReferenceType();
                 
-                boolean trusted = strParser.isTrustedCredential();
+                boolean trusted = parserResult.isTrustedCredential();
                 if (trusted && LOG.isDebugEnabled()) {
                     LOG.debug("Direct Trust for SAML/BST credential");
                 }

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java Tue Mar  3 13:06:25 2015
@@ -20,9 +20,7 @@
 package org.apache.wss4j.dom.saml;
 
 import java.security.Principal;
-import java.util.Collections;
 import java.util.List;
-import java.util.Map;
 
 import javax.xml.namespace.QName;
 
@@ -42,6 +40,8 @@ import org.apache.wss4j.dom.handler.Requ
 import org.apache.wss4j.dom.message.token.SecurityTokenReference;
 import org.apache.wss4j.dom.processor.EncryptedKeyProcessor;
 import org.apache.wss4j.dom.str.STRParser;
+import org.apache.wss4j.dom.str.STRParserParameters;
+import org.apache.wss4j.dom.str.STRParserResult;
 import org.apache.wss4j.dom.str.SignatureSTRParser;
 import org.apache.xml.security.utils.Base64;
 
@@ -97,16 +97,18 @@ public class WSSSAMLKeyInfoProcessor imp
                                 "decoding.general", e);
                     }
                 } else if (SecurityTokenReference.STR_QNAME.equals(el)) {
+                    STRParserParameters parameters = new STRParserParameters();
+                    parameters.setData(data);
+                    parameters.setWsDocInfo(docInfo);
+                    parameters.setStrElement((Element)node);
+                    
                     STRParser strParser = new SignatureSTRParser();
-                    Map<String, Object> parameters = Collections.emptyMap();
-                    strParser.parseSecurityTokenReference(
-                        (Element)node, data, docInfo, parameters
-                    );
-                    SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo(strParser.getCertificates());
-                    samlKeyInfo.setPublicKey(strParser.getPublicKey());
-                    samlKeyInfo.setSecret(strParser.getSecretKey());
+                    STRParserResult parserResult = strParser.parseSecurityTokenReference(parameters);
+                    SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo(parserResult.getCertificates());
+                    samlKeyInfo.setPublicKey(parserResult.getPublicKey());
+                    samlKeyInfo.setSecret(parserResult.getSecretKey());
                     
-                    Principal principal = strParser.getPrincipal();
+                    Principal principal = parserResult.getPrincipal();
                     
                     // Check for compliance against the defined AlgorithmSuite
                     AlgorithmSuite algorithmSuite = data.getSamlAlgorithmSuite(); 

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java Tue Mar  3 13:06:25 2015
@@ -19,14 +19,9 @@
 
 package org.apache.wss4j.dom.str;
 
-import java.security.Principal;
-import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.List;
-import java.util.Map;
-
-import javax.security.auth.callback.Callback;
 
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
@@ -35,14 +30,12 @@ import org.apache.wss4j.common.saml.Saml
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SAMLUtil;
 import org.apache.wss4j.dom.WSConstants;
-import org.apache.wss4j.dom.WSDocInfo;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.message.token.BinarySecurity;
 import org.apache.wss4j.dom.message.token.SecurityTokenReference;
 import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
-import org.w3c.dom.Element;
 
 /**
  * This implementation of STRParser is for parsing a SecurityTokenReference element associated
@@ -50,26 +43,24 @@ import org.w3c.dom.Element;
  */
 public class DerivedKeyTokenSTRParser implements STRParser {
     
-    private byte[] secretKey;
-    
     /**
      * Parse a SecurityTokenReference element and extract credentials.
      * 
-     * @param strElement The SecurityTokenReference element
-     * @param data the RequestData associated with the request
-     * @param wsDocInfo The WSDocInfo object to access previous processing results
-     * @param parameters A set of implementation-specific parameters
+     * @param parameters The parameters to parse
+     * @return the STRParserResult Object containing the parsing results
      * @throws WSSecurityException
      */
-    public void parseSecurityTokenReference(
-        Element strElement,
-        RequestData data,
-        WSDocInfo wsDocInfo,
-        Map<String, Object> parameters
-    ) throws WSSecurityException {
-        Crypto crypto = data.getDecCrypto();
+    public STRParserResult parseSecurityTokenReference(STRParserParameters parameters) throws WSSecurityException {
+        
+        if (parameters == null || parameters.getData() == null || parameters.getWsDocInfo() == null
+            || parameters.getStrElement() == null) {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.FAILURE, "invalidSTRParserParameter"
+            );
+        }
+        
         SecurityTokenReference secRef = 
-            new SecurityTokenReference(strElement, data.getBSPEnforcer());
+            new SecurityTokenReference(parameters.getStrElement(), parameters.getData().getBSPEnforcer());
         
         String uri = null;
         if (secRef.containsReference()) {
@@ -81,29 +72,88 @@ public class DerivedKeyTokenSTRParser im
             uri = secRef.getKeyIdentifierValue();
         }
         
-        WSSecurityEngineResult result = wsDocInfo.getResult(uri);
+        WSSecurityEngineResult result = parameters.getWsDocInfo().getResult(uri);
         if (result != null) {
-            processPreviousResult(result, secRef, data, wsDocInfo);
-        } else if (secRef.containsReference()) { 
+            return processPreviousResult(result, secRef, parameters);
+        }
+        
+        return processSTR(secRef, uri, parameters);
+    }
+    
+    /**
+     * Process a previous security result
+     */
+    private STRParserResult processPreviousResult(
+        WSSecurityEngineResult result,
+        SecurityTokenReference secRef,
+        STRParserParameters parameters
+    ) throws WSSecurityException {
+        STRParserResult parserResult = new STRParserResult();
+        RequestData data = parameters.getData();
+        
+        int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION));
+        if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
+            STRParserUtil.checkUsernameTokenBSPCompliance(secRef, data.getBSPEnforcer());
+            byte[] secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            parserResult.setSecretKey(secretKey);
+        } else if (WSConstants.ENCR == action) {
+            STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
+            byte[] secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            parserResult.setSecretKey(secretKey);
+        } else if (WSConstants.SCT == action || WSConstants.BST == action) {
+            byte[] secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            parserResult.setSecretKey(secretKey);
+        } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
+            SamlAssertionWrapper samlAssertion =
+                (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+            STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion, data.getBSPEnforcer());
+           
+            SAMLKeyInfo keyInfo = 
+                SAMLUtil.getCredentialFromSubject(samlAssertion,
+                        new WSSSAMLKeyInfoProcessor(data, parameters.getWsDocInfo()), 
+                        data.getSigVerCrypto(), data.getCallbackHandler());
+            // TODO Handle malformed SAML tokens where they don't have the 
+            // secret in them
+            byte[] secretKey = keyInfo.getSecret();
+            parserResult.setSecretKey(secretKey);
+        } else {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId"
+            );
+        }
+        
+        return parserResult;
+    }
+    
+    private STRParserResult processSTR(
+        SecurityTokenReference secRef,
+        String uri,
+        STRParserParameters parameters
+    ) throws WSSecurityException {
+        STRParserResult parserResult = new STRParserResult();
+        RequestData data = parameters.getData();
+        
+        if (secRef.containsReference()) { 
             // Now use the callback and get it
-            secretKey = 
-                getSecretKeyFromToken(uri, null, WSPasswordCallback.SECURITY_CONTEXT_TOKEN, data);
+            byte[] secretKey = 
+                STRParserUtil.getSecretKeyFromToken(uri, null, WSPasswordCallback.SECURITY_CONTEXT_TOKEN, data);
             if (secretKey == null) {
                 throw new WSSecurityException(
                     WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId", uri);
             }
+            parserResult.setSecretKey(secretKey);
         } else if (secRef.containsKeyIdentifier()) {
             String keyIdentifierValueType = secRef.getKeyIdentifierValueType();
             if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(keyIdentifierValueType)) {
-                secretKey = 
-                    getSecretKeyFromToken(
+                byte[] secretKey = 
+                    STRParserUtil.getSecretKeyFromToken(
                         secRef.getKeyIdentifierValue(), keyIdentifierValueType, 
                         WSPasswordCallback.SECRET_KEY, data
                     );
                 if (secretKey == null) {
                     byte[] keyBytes = secRef.getSKIBytes();
                     List<WSSecurityEngineResult> resultsList = 
-                        wsDocInfo.getResultsByTag(WSConstants.BST);
+                        parameters.getWsDocInfo().getResultsByTag(WSConstants.BST);
                     for (WSSecurityEngineResult bstResult : resultsList) {
                         BinarySecurity bstToken = 
                             (BinarySecurity)bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
@@ -118,14 +168,16 @@ public class DerivedKeyTokenSTRParser im
                     throw new WSSecurityException(
                         WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId", uri);
                 }
+                parserResult.setSecretKey(secretKey);
             } else {
                 if (keyIdentifierValueType.equals(SecurityTokenReference.ENC_KEY_SHA1_URI)) {
                     STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
                 }
+                Crypto crypto = data.getDecCrypto();
                 X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
                 if (certs == null || certs.length < 1 || certs[0] == null) {
-                    secretKey = 
-                        this.getSecretKeyFromToken(
+                    byte[] secretKey = 
+                        STRParserUtil.getSecretKeyFromToken(
                             secRef.getKeyIdentifierValue(), keyIdentifierValueType, 
                             WSPasswordCallback.SECRET_KEY, data
                        ); 
@@ -133,8 +185,10 @@ public class DerivedKeyTokenSTRParser im
                         throw new WSSecurityException(
                             WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId", uri);
                     }
+                    parserResult.setSecretKey(secretKey);
                 } else {
-                    secretKey = crypto.getPrivateKey(certs[0], data.getCallbackHandler()).getEncoded();
+                    byte[] secretKey = crypto.getPrivateKey(certs[0], data.getCallbackHandler()).getEncoded();
+                    parserResult.setSecretKey(secretKey);
                 }
             }
         } else {
@@ -142,127 +196,8 @@ public class DerivedKeyTokenSTRParser im
                 WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId"
             );
         }
+        
+        return parserResult;
     }
     
-    /**
-     * Get the X509Certificates associated with this SecurityTokenReference
-     * @return the X509Certificates associated with this SecurityTokenReference
-     */
-    public X509Certificate[] getCertificates() {
-        return null;
-    }
-    
-    /**
-     * Get the Principal associated with this SecurityTokenReference
-     * @return the Principal associated with this SecurityTokenReference
-     */
-    public Principal getPrincipal() {
-        return null;
-    }
-    
-    /**
-     * Get the PublicKey associated with this SecurityTokenReference
-     * @return the PublicKey associated with this SecurityTokenReference
-     */
-    public PublicKey getPublicKey() {
-        return null;
-    }
-    
-    /**
-     * Get the Secret Key associated with this SecurityTokenReference
-     * @return the Secret Key associated with this SecurityTokenReference
-     */
-    public byte[] getSecretKey() {
-        return secretKey;
-    }
-    
-    /**
-     * Get whether the returned credential is already trusted or not. This is currently
-     * applicable in the case of a credential extracted from a trusted HOK SAML Assertion,
-     * and a BinarySecurityToken that has been processed by a Validator. In these cases,
-     * the SignatureProcessor does not need to verify trust on the credential.
-     * @return true if trust has already been verified on the returned Credential
-     */
-    public boolean isTrustedCredential() {
-        return false;
-    }
-    
-    /**
-     * Get how the certificates were referenced
-     * @return how the certificates were referenced
-     */
-    public REFERENCE_TYPE getCertificatesReferenceType() {
-        return null;
-    }
-
-    /**
-     * Get the Secret Key from a CallbackHandler
-     * @param id The id of the element
-     * @param type The type of the element (may be null)
-     * @param cb The CallbackHandler object
-     * @return A Secret Key
-     * @throws WSSecurityException
-     */
-    private byte[] getSecretKeyFromToken(
-        String id,
-        String type,
-        int identifier,
-        RequestData data
-    ) throws WSSecurityException {
-        if (id.charAt(0) == '#') {
-            id = id.substring(1);
-        }
-        WSPasswordCallback pwcb = 
-            new WSPasswordCallback(id, null, type, identifier);
-        try {
-            Callback[] callbacks = new Callback[]{pwcb};
-            if (data.getCallbackHandler() != null) {
-                data.getCallbackHandler().handle(callbacks);
-                return pwcb.getKey();
-            }
-        } catch (Exception e) {
-            throw new WSSecurityException(
-                WSSecurityException.ErrorCode.FAILURE,
-                "noPassword", e, id);
-        }
-
-        return null;
-    }
-    
-    /**
-     * Process a previous security result
-     */
-    private void processPreviousResult(
-        WSSecurityEngineResult result,
-        SecurityTokenReference secRef,
-        RequestData data,
-        WSDocInfo wsDocInfo
-    ) throws WSSecurityException {
-        int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION));
-        if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
-            STRParserUtil.checkUsernameTokenBSPCompliance(secRef, data.getBSPEnforcer());
-            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-        } else if (WSConstants.ENCR == action) {
-            STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
-            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-        } else if (WSConstants.SCT == action || WSConstants.BST == action) {
-            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-        } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
-            SamlAssertionWrapper samlAssertion =
-                (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-            STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion, data.getBSPEnforcer());
-           
-            SAMLKeyInfo keyInfo = 
-                SAMLUtil.getCredentialFromSubject(samlAssertion,
-                        new WSSSAMLKeyInfoProcessor(data, wsDocInfo), 
-                        data.getSigVerCrypto(), data.getCallbackHandler());
-            // TODO Handle malformed SAML tokens where they don't have the 
-            // secret in them
-            secretKey = keyInfo.getSecret();
-        } else {
-            throw new WSSecurityException(
-                WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId"
-            );
-        }
-    }
 }

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java Tue Mar  3 13:06:25 2015
@@ -19,10 +19,7 @@
 
 package org.apache.wss4j.dom.str;
 
-import java.security.Principal;
-import java.security.PublicKey;
 import java.security.cert.X509Certificate;
-import java.util.Map;
 
 import javax.xml.namespace.QName;
 
@@ -48,31 +45,23 @@ import org.w3c.dom.Element;
  */
 public class EncryptedKeySTRParser implements STRParser {
     
-    private static final org.slf4j.Logger LOG = 
-        org.slf4j.LoggerFactory.getLogger(EncryptedKeySTRParser.class);
-    
-    private X509Certificate[] certs;
-    
-    private REFERENCE_TYPE referenceType;
-    
     /**
      * Parse a SecurityTokenReference element and extract credentials.
      * 
-     * @param strElement The SecurityTokenReference element
-     * @param data the RequestData associated with the request
-     * @param wsDocInfo The WSDocInfo object to access previous processing results
-     * @param parameters A set of implementation-specific parameters
+     * @param parameters The parameters to parse
+     * @return the STRParserResult Object containing the parsing results
      * @throws WSSecurityException
      */
-    public void parseSecurityTokenReference(
-        Element strElement,
-        RequestData data,
-        WSDocInfo wsDocInfo,
-        Map<String, Object> parameters
-    ) throws WSSecurityException {
-        Crypto crypto = data.getDecCrypto();
+    public STRParserResult parseSecurityTokenReference(STRParserParameters parameters) throws WSSecurityException {
+        if (parameters == null || parameters.getData() == null || parameters.getWsDocInfo() == null
+            || parameters.getStrElement() == null) {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.FAILURE, "invalidSTRParserParameter"
+            );
+        }
+        
         SecurityTokenReference secRef = 
-            new SecurityTokenReference(strElement, data.getBSPEnforcer());
+            new SecurityTokenReference(parameters.getStrElement(), parameters.getData().getBSPEnforcer());
         
         String uri = null;
         if (secRef.containsReference()) {
@@ -80,20 +69,75 @@ public class EncryptedKeySTRParser imple
             if (uri.charAt(0) == '#') {
                 uri = uri.substring(1);
             }
-            referenceType = REFERENCE_TYPE.DIRECT_REF;
         } else if (secRef.containsKeyIdentifier()) {
             uri = secRef.getKeyIdentifierValue();
-            if (SecurityTokenReference.THUMB_URI.equals(secRef.getKeyIdentifierValueType())) {
-                referenceType = REFERENCE_TYPE.THUMBPRINT_SHA1;
-            } else {
-                referenceType = REFERENCE_TYPE.KEY_IDENTIFIER;
-            }
         }
         
-        WSSecurityEngineResult result = wsDocInfo.getResult(uri);
+        WSSecurityEngineResult result = parameters.getWsDocInfo().getResult(uri);
         if (result != null) {
-            processPreviousResult(result, secRef, data, wsDocInfo);
-        } else if (secRef.containsKeyIdentifier()) {
+            return processPreviousResult(result, secRef, parameters);
+        }
+        
+        return processSTR(secRef, parameters);
+    }
+    
+    /**
+     * Process a previous security result
+     */
+    private STRParserResult processPreviousResult(
+        WSSecurityEngineResult result,
+        SecurityTokenReference secRef,
+        STRParserParameters parameters
+    ) throws WSSecurityException {
+        STRParserResult parserResult = new STRParserResult();
+        RequestData data = parameters.getData();
+        
+        int action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
+        if (WSConstants.BST == action) {
+            BinarySecurity token = 
+                (BinarySecurity)result.get(
+                    WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN
+                );
+            STRParserUtil.checkBinarySecurityBSPCompliance(secRef, token, data.getBSPEnforcer());
+            X509Certificate[] certs = 
+                (X509Certificate[])result.get(
+                    WSSecurityEngineResult.TAG_X509_CERTIFICATES
+                );
+            parserResult.setCerts(certs);
+        } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
+            SamlAssertionWrapper samlAssertion =
+                (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+            STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion, data.getBSPEnforcer());
+          
+            SAMLKeyInfo keyInfo = 
+                SAMLUtil.getCredentialFromSubject(samlAssertion,
+                        new WSSSAMLKeyInfoProcessor(data, parameters.getWsDocInfo()), 
+                        data.getSigVerCrypto(), data.getCallbackHandler());
+            parserResult.setCerts(keyInfo.getCerts());
+        } else {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN,
+                "unsupportedBinaryTokenType"
+            );
+        }
+        
+        REFERENCE_TYPE referenceType = getReferenceType(secRef);
+        if (referenceType != null) {
+            parserResult.setReferenceType(referenceType);
+        }
+        return parserResult;
+    }
+    
+    private STRParserResult processSTR(
+        SecurityTokenReference secRef, STRParserParameters parameters
+    ) throws WSSecurityException {
+        STRParserResult parserResult = new STRParserResult();
+        RequestData data = parameters.getData();
+        Element strElement = parameters.getStrElement();
+        WSDocInfo wsDocInfo = parameters.getWsDocInfo();
+        Crypto crypto = data.getDecCrypto();
+        
+        if (secRef.containsKeyIdentifier()) {
             if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())
                 || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) {
                 SamlAssertionWrapper samlAssertion =
@@ -106,14 +150,14 @@ public class EncryptedKeySTRParser imple
                     SAMLUtil.getCredentialFromSubject(samlAssertion,
                             new WSSSAMLKeyInfoProcessor(data, wsDocInfo), 
                             data.getSigVerCrypto(), data.getCallbackHandler());
-                certs = samlKi.getCerts();
+                parserResult.setCerts(samlKi.getCerts());
             } else {
                 STRParserUtil.checkBinarySecurityBSPCompliance(secRef, null, data.getBSPEnforcer());
-                certs = secRef.getKeyIdentifier(crypto);
+                parserResult.setCerts(secRef.getKeyIdentifier(crypto));
             }
         } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
-            referenceType = REFERENCE_TYPE.ISSUER_SERIAL;
-            certs = secRef.getX509IssuerSerial(crypto);
+            parserResult.setReferenceType(REFERENCE_TYPE.ISSUER_SERIAL);
+            parserResult.setCerts(secRef.getX509IssuerSerial(crypto));
         } else if (secRef.containsReference()) {
             Element bstElement = 
                 secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
@@ -123,7 +167,7 @@ public class EncryptedKeySTRParser imple
             if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
                 X509Security token = new X509Security(bstElement, data.getBSPEnforcer());
                 STRParserUtil.checkBinarySecurityBSPCompliance(secRef, token, data.getBSPEnforcer());
-                certs = new X509Certificate[]{token.getX509Certificate(crypto)};
+                parserResult.setCerts(new X509Certificate[]{token.getX509Certificate(crypto)});
             } else {
                 throw new WSSecurityException(
                     WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN,
@@ -131,99 +175,26 @@ public class EncryptedKeySTRParser imple
                 );
             }
         } 
-        
-        if (LOG.isDebugEnabled() && certs != null && certs[0] != null) {
-            LOG.debug("cert: " + certs[0]);
+
+        REFERENCE_TYPE referenceType = getReferenceType(secRef);
+        if (referenceType != null) {
+            parserResult.setReferenceType(referenceType);
         }
+        
+        return parserResult;
     }
     
-    /**
-     * Get the X509Certificates associated with this SecurityTokenReference
-     * @return the X509Certificates associated with this SecurityTokenReference
-     */
-    public X509Certificate[] getCertificates() {
-        return certs;
-    }
-    
-    /**
-     * Get the Principal associated with this SecurityTokenReference
-     * @return the Principal associated with this SecurityTokenReference
-     */
-    public Principal getPrincipal() {
-        return null;
-    }
-    
-    /**
-     * Get the PublicKey associated with this SecurityTokenReference
-     * @return the PublicKey associated with this SecurityTokenReference
-     */
-    public PublicKey getPublicKey() {
-        return null;
-    }
-    
-    /**
-     * Get the Secret Key associated with this SecurityTokenReference
-     * @return the Secret Key associated with this SecurityTokenReference
-     */
-    public byte[] getSecretKey() {
-        return null;
-    }
-    
-    /**
-     * Get whether the returned credential is already trusted or not. This is currently
-     * applicable in the case of a credential extracted from a trusted HOK SAML Assertion,
-     * and a BinarySecurityToken that has been processed by a Validator. In these cases,
-     * the SignatureProcessor does not need to verify trust on the credential.
-     * @return true if trust has already been verified on the returned Credential
-     */
-    public boolean isTrustedCredential() {
-        return false;
-    }
-    
-    /**
-     * Get how the certificates were referenced
-     * @return how the certificates were referenced
-     */
-    public REFERENCE_TYPE getCertificatesReferenceType() {
-        return referenceType;
-    }
-    
-    /**
-     * Process a previous security result
-     */
-    private void processPreviousResult(
-        WSSecurityEngineResult result,
-        SecurityTokenReference secRef,
-        RequestData data,
-        WSDocInfo wsDocInfo
-    ) throws WSSecurityException {
-        int action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
-        if (WSConstants.BST == action) {
-            BinarySecurity token = 
-                (BinarySecurity)result.get(
-                    WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN
-                );
-            STRParserUtil.checkBinarySecurityBSPCompliance(secRef, token, data.getBSPEnforcer());
-            certs = 
-                (X509Certificate[])result.get(
-                    WSSecurityEngineResult.TAG_X509_CERTIFICATES
-                );
-        } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
-            SamlAssertionWrapper samlAssertion =
-                (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-            STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion, data.getBSPEnforcer());
-          
-            SAMLKeyInfo keyInfo = 
-                SAMLUtil.getCredentialFromSubject(samlAssertion,
-                        new WSSSAMLKeyInfoProcessor(data, wsDocInfo), 
-                        data.getSigVerCrypto(), data.getCallbackHandler());
-            certs = keyInfo.getCerts();
-        } else {
-            throw new WSSecurityException(
-                WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN,
-                "unsupportedBinaryTokenType"
-            );
+    private REFERENCE_TYPE getReferenceType(SecurityTokenReference secRef) {
+        if (secRef.containsReference()) {
+            return REFERENCE_TYPE.DIRECT_REF;
+        } else if (secRef.containsKeyIdentifier()) {
+            if (SecurityTokenReference.THUMB_URI.equals(secRef.getKeyIdentifierValueType())) {
+                return REFERENCE_TYPE.THUMBPRINT_SHA1;
+            } else {
+                return REFERENCE_TYPE.KEY_IDENTIFIER;
+            }
         }
+        
+        return null;
     }
-    
 }

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParser.java?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParser.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParser.java Tue Mar  3 13:06:25 2015
@@ -19,16 +19,7 @@
 
 package org.apache.wss4j.dom.str;
 
-import org.apache.wss4j.dom.WSDocInfo;
 import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.dom.handler.RequestData;
-
-import org.w3c.dom.Element;
-
-import java.security.Principal;
-import java.security.PublicKey;
-import java.security.cert.X509Certificate;
-import java.util.Map;
 
 /**
  * This interface describes a pluggable way of extracting credentials from SecurityTokenReference
@@ -51,56 +42,10 @@ public interface STRParser {
     /**
      * Parse a SecurityTokenReference element and extract credentials.
      * 
-     * @param strElement The SecurityTokenReference element
-     * @param data the RequestData associated with the request
-     * @param wsDocInfo The WSDocInfo object to access previous processing results
-     * @param parameters A set of implementation-specific parameters
+     * @param parameters The parameters to parse
+     * @return the STRParserResult Object containing the parsing results
      * @throws WSSecurityException
      */
-    void parseSecurityTokenReference(
-        Element strElement,
-        RequestData data,
-        WSDocInfo wsDocInfo,
-        Map<String, Object> parameters
-    ) throws WSSecurityException;
-    
-    /**
-     * Get the X509Certificates associated with this SecurityTokenReference
-     * @return the X509Certificates associated with this SecurityTokenReference
-     */
-    X509Certificate[] getCertificates();
-    
-    /**
-     * Get the Principal associated with this SecurityTokenReference
-     * @return the Principal associated with this SecurityTokenReference
-     */
-    Principal getPrincipal();
-    
-    /**
-     * Get the PublicKey associated with this SecurityTokenReference
-     * @return the PublicKey associated with this SecurityTokenReference
-     */
-    PublicKey getPublicKey();
-    
-    /**
-     * Get the Secret Key associated with this SecurityTokenReference
-     * @return the Secret Key associated with this SecurityTokenReference
-     */
-    byte[] getSecretKey();
-    
-    /**
-     * Get whether the returned credential is already trusted or not. This is currently
-     * applicable in the case of a credential extracted from a trusted HOK SAML Assertion,
-     * and a BinarySecurityToken that has been processed by a Validator. In these cases,
-     * the SignatureProcessor does not need to verify trust on the credential.
-     * @return true if trust has already been verified on the returned Credential
-     */
-    boolean isTrustedCredential();
-
-    /**
-     * Get how the certificates were referenced
-     * @return how the certificates were referenced
-     */
-    REFERENCE_TYPE getCertificatesReferenceType();
+    STRParserResult parseSecurityTokenReference(STRParserParameters parameters) throws WSSecurityException;
     
 }

Added: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserParameters.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserParameters.java?rev=1663694&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserParameters.java (added)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserParameters.java Tue Mar  3 13:06:25 2015
@@ -0,0 +1,70 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.dom.str;
+
+import org.w3c.dom.Element;
+
+import org.apache.wss4j.dom.WSDocInfo;
+import org.apache.wss4j.dom.handler.RequestData;
+
+/**
+ * This class holds the parameters for parsing a SecurityTokenReference Element by a STRParser implementation.
+ */
+public class STRParserParameters {
+    
+    private int derivationKeyLength;
+    private Element strElement;
+    private RequestData data;
+    private WSDocInfo wsDocInfo;
+    
+    public int getDerivationKeyLength() {
+        return derivationKeyLength;
+    }
+    
+    public void setDerivationKeyLength(int derivationKeyLength) {
+        this.derivationKeyLength = derivationKeyLength;
+    }
+    
+    public Element getStrElement() {
+        return strElement;
+    }
+    
+    public void setStrElement(Element strElement) {
+        this.strElement = strElement;
+    }
+    
+    public RequestData getData() {
+        return data;
+    }
+    
+    public void setData(RequestData data) {
+        this.data = data;
+    }
+    
+    public WSDocInfo getWsDocInfo() {
+        return wsDocInfo;
+    }
+    
+    public void setWsDocInfo(WSDocInfo wsDocInfo) {
+        this.wsDocInfo = wsDocInfo;
+    }
+
+    
+}

Copied: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserResult.java (from r1663268, webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParser.java)
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserResult.java?p2=webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserResult.java&p1=webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParser.java&r1=1663268&r2=1663694&rev=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParser.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserResult.java Tue Mar  3 13:06:25 2015
@@ -19,74 +19,64 @@
 
 package org.apache.wss4j.dom.str;
 
-import org.apache.wss4j.dom.WSDocInfo;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.dom.handler.RequestData;
-
-import org.w3c.dom.Element;
-
 import java.security.Principal;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
-import java.util.Map;
+
+import org.apache.wss4j.dom.str.STRParser.REFERENCE_TYPE;
 
 /**
- * This interface describes a pluggable way of extracting credentials from SecurityTokenReference
- * elements. The implementations are used by various processors.
+ * This class holds the results from parsing a SecurityTokenReference Element by a STRParser implementation.
  */
-public interface STRParser {
+public class STRParserResult {
     
-    /**
-     * ISSUER_SERIAL - A certificate (chain) is located by the issuer name and serial number of the 
-     * (root) cert
-     * THUMBPRINT_SHA1 - A certificate (chain) is located by the SHA1 thumbprint of the (root) cert
-     * KEY_IDENTIFIER - A certificate (chain) is located via a Key Identifier Element
-     * DIRECT_REF - A certificate (chain) is located directly via an Id to another security token
-     * Note that a Thumbprint reference is also a KeyIdentifier, but takes precedence over it.
-     */
-    enum REFERENCE_TYPE {
-        ISSUER_SERIAL, THUMBPRINT_SHA1, KEY_IDENTIFIER, DIRECT_REF
-    }
+    private X509Certificate[] certs;
     
-    /**
-     * Parse a SecurityTokenReference element and extract credentials.
-     * 
-     * @param strElement The SecurityTokenReference element
-     * @param data the RequestData associated with the request
-     * @param wsDocInfo The WSDocInfo object to access previous processing results
-     * @param parameters A set of implementation-specific parameters
-     * @throws WSSecurityException
-     */
-    void parseSecurityTokenReference(
-        Element strElement,
-        RequestData data,
-        WSDocInfo wsDocInfo,
-        Map<String, Object> parameters
-    ) throws WSSecurityException;
+    private byte[] secretKey;
+    
+    private PublicKey publicKey;
+    
+    private Principal principal;
+    
+    private boolean trustedCredential;
+    
+    private REFERENCE_TYPE referenceType;
     
     /**
      * Get the X509Certificates associated with this SecurityTokenReference
      * @return the X509Certificates associated with this SecurityTokenReference
      */
-    X509Certificate[] getCertificates();
+    public X509Certificate[] getCertificates() {
+        return certs;
+    }
     
     /**
      * Get the Principal associated with this SecurityTokenReference
      * @return the Principal associated with this SecurityTokenReference
      */
-    Principal getPrincipal();
+    public Principal getPrincipal() {
+        if (principal == null && certs != null && certs.length > 0) {
+            principal = certs[0].getSubjectX500Principal();
+        }
+        
+        return principal;
+    }
     
     /**
      * Get the PublicKey associated with this SecurityTokenReference
      * @return the PublicKey associated with this SecurityTokenReference
      */
-    PublicKey getPublicKey();
+    public PublicKey getPublicKey() {
+        return publicKey;
+    }
     
     /**
      * Get the Secret Key associated with this SecurityTokenReference
      * @return the Secret Key associated with this SecurityTokenReference
      */
-    byte[] getSecretKey();
+    public byte[] getSecretKey() {
+        return secretKey;
+    }
     
     /**
      * Get whether the returned credential is already trusted or not. This is currently
@@ -95,12 +85,41 @@ public interface STRParser {
      * the SignatureProcessor does not need to verify trust on the credential.
      * @return true if trust has already been verified on the returned Credential
      */
-    boolean isTrustedCredential();
+    public boolean isTrustedCredential() {
+        return trustedCredential;
+    }
 
     /**
      * Get how the certificates were referenced
      * @return how the certificates were referenced
      */
-    REFERENCE_TYPE getCertificatesReferenceType();
+    public REFERENCE_TYPE getCertificatesReferenceType() {
+        return referenceType;
+    }
+    
+    public void setCerts(X509Certificate[] certs) {
+        this.certs = certs;
+    }
+
+    public void setSecretKey(byte[] secretKey) {
+        this.secretKey = secretKey;
+    }
+
+    public void setPublicKey(PublicKey publicKey) {
+        this.publicKey = publicKey;
+    }
+
+    public void setPrincipal(Principal principal) {
+        this.principal = principal;
+    }
+
+    public void setTrustedCredential(boolean trustedCredential) {
+        this.trustedCredential = trustedCredential;
+    }
+
+    public void setReferenceType(REFERENCE_TYPE referenceType) {
+        this.referenceType = referenceType;
+    }
+
     
 }

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserUtil.java?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserUtil.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserUtil.java Tue Mar  3 13:06:25 2015
@@ -21,7 +21,10 @@ package org.apache.wss4j.dom.str;
 
 import java.util.List;
 
+import javax.security.auth.callback.Callback;
+
 import org.apache.wss4j.common.bsp.BSPRule;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
@@ -247,5 +250,37 @@ public final class STRParserUtil {
         }
     }
 
-    
+    /**
+     * Get the Secret Key from a CallbackHandler
+     * @param id The id of the element
+     * @param type The type of the element (may be null)
+     * @param cb The CallbackHandler object
+     * @return A Secret Key
+     * @throws WSSecurityException
+     */
+    public static byte[] getSecretKeyFromToken(
+        String id,
+        String type,
+        int identifier,
+        RequestData data
+    ) throws WSSecurityException {
+        if (id.charAt(0) == '#') {
+            id = id.substring(1);
+        }
+        WSPasswordCallback pwcb = 
+            new WSPasswordCallback(id, null, type, identifier);
+        try {
+            Callback[] callbacks = new Callback[]{pwcb};
+            if (data.getCallbackHandler() != null) {
+                data.getCallbackHandler().handle(callbacks);
+                return pwcb.getKey();
+            }
+        } catch (Exception e) {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.FAILURE,
+                "noPassword", e, id);
+        }
+
+        return null;
+    }
 }

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java Tue Mar  3 13:06:25 2015
@@ -19,14 +19,9 @@
 
 package org.apache.wss4j.dom.str;
 
-import java.security.Principal;
-import java.security.PublicKey;
-import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.List;
-import java.util.Map;
 
-import javax.security.auth.callback.Callback;
 import javax.xml.namespace.QName;
 
 import org.apache.wss4j.common.ext.WSPasswordCallback;
@@ -34,7 +29,6 @@ import org.apache.wss4j.common.ext.WSSec
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SAMLUtil;
-import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDocInfo;
 import org.apache.wss4j.dom.WSSecurityEngine;
@@ -57,30 +51,23 @@ import org.w3c.dom.Element;
 public class SecurityTokenRefSTRParser implements STRParser {
     
     /**
-     * The Signature method. This is used when deriving a key.
-     */
-    public static final String SIGNATURE_METHOD = "signature_method";
-    
-    private byte[] secretKey;
-    private Principal principal;
-    
-    /**
      * Parse a SecurityTokenReference element and extract credentials.
      * 
-     * @param strElement The SecurityTokenReference element
-     * @param data the RequestData associated with the request
-     * @param wsDocInfo The WSDocInfo object to access previous processing results
-     * @param parameters A set of implementation-specific parameters
+     * @param parameters The parameters to parse
+     * @return the STRParserResult Object containing the parsing results
      * @throws WSSecurityException
      */
-    public void parseSecurityTokenReference(
-        Element strElement,
-        RequestData data,
-        WSDocInfo wsDocInfo,
-        Map<String, Object> parameters
-    ) throws WSSecurityException {
+    public STRParserResult parseSecurityTokenReference(STRParserParameters parameters) throws WSSecurityException {
+        
+        if (parameters == null || parameters.getData() == null || parameters.getWsDocInfo() == null
+            || parameters.getStrElement() == null) {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.FAILURE, "invalidSTRParserParameter"
+            );
+        }
+        
         SecurityTokenReference secRef = 
-            new SecurityTokenReference(strElement, data.getBSPEnforcer());
+            new SecurityTokenReference(parameters.getStrElement(), parameters.getData().getBSPEnforcer());
         
         String uri = null;
         if (secRef.containsReference()) {
@@ -92,18 +79,103 @@ public class SecurityTokenRefSTRParser i
             uri = secRef.getKeyIdentifierValue();
         }
         
-        WSSecurityEngineResult result = wsDocInfo.getResult(uri);
+        WSSecurityEngineResult result = parameters.getWsDocInfo().getResult(uri);
         if (result != null) {
-            processPreviousResult(result, secRef, data, parameters, wsDocInfo);
+            return processPreviousResult(result, secRef, uri, parameters);
+        }
             
-            if (secretKey == null) {
-                throw new WSSecurityException(
-                    WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId", uri);
-            }
-        } else if (secRef.containsReference()) {
+        return processSTR(secRef, uri, parameters);
+    }
+    
+    /**
+     * Get a SecretKey from a SAML Assertion
+     */
+    private byte[] getSecretKeyFromAssertion(
+        SamlAssertionWrapper samlAssertion,
+        SecurityTokenReference secRef,
+        RequestData data,
+        WSDocInfo wsDocInfo
+    ) throws WSSecurityException {
+        STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion, data.getBSPEnforcer());
+        SAMLKeyInfo samlKi = 
+            SAMLUtil.getCredentialFromSubject(samlAssertion,
+                    new WSSSAMLKeyInfoProcessor(data, wsDocInfo), 
+                    data.getSigVerCrypto(), data.getCallbackHandler());
+        if (samlKi == null) {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.FAILED_CHECK, "invalidSAMLToken", "No Secret Key");
+        }
+        return samlKi.getSecret();
+    }
+    
+    /**
+     * Process a previous security result
+     */
+    private STRParserResult processPreviousResult(
+        WSSecurityEngineResult result,
+        SecurityTokenReference secRef,
+        String uri,
+        STRParserParameters parameters
+    ) throws WSSecurityException {
+        STRParserResult parserResult = new STRParserResult();
+        RequestData data = parameters.getData();
+        
+        int action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
+        if (WSConstants.ENCR == action) {
+            STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
+            byte[] secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            parserResult.setSecretKey(secretKey);
+        } else if (WSConstants.DKT == action) {
+            DerivedKeyToken dkt = 
+                (DerivedKeyToken)result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
+            byte[] secret = 
+                (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            byte[] secretKey = dkt.deriveKey(parameters.getDerivationKeyLength(), secret);
+            parserResult.setSecretKey(secretKey);
+            parserResult.setPrincipal(dkt.createPrincipal());
+        } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
+            SamlAssertionWrapper samlAssertion =
+                (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+            byte[] secretKey = 
+                getSecretKeyFromAssertion(samlAssertion, secRef, data, parameters.getWsDocInfo());
+            parserResult.setSecretKey(secretKey);
+        } else if (WSConstants.SCT == action || WSConstants.BST == action) {
+            byte[] secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            parserResult.setSecretKey(secretKey);
+        } else if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
+            STRParserUtil.checkUsernameTokenBSPCompliance(secRef, data.getBSPEnforcer());
+            UsernameToken usernameToken = 
+                (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
+
+            usernameToken.setRawPassword(data);
+            byte[] secretKey = usernameToken.getDerivedKey(data.getBSPEnforcer());
+            parserResult.setSecretKey(secretKey);
+        }
+        
+        if (parserResult.getSecretKey() == null) {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId", uri);
+        }
+        
+        return parserResult;
+    }
+    
+    private STRParserResult processSTR(
+        SecurityTokenReference secRef,
+        String uri,
+        STRParserParameters parameters
+    ) throws WSSecurityException {
+        STRParserResult parserResult = new STRParserResult();
+        RequestData data = parameters.getData();
+        Element strElement = parameters.getStrElement();
+        WSDocInfo wsDocInfo = parameters.getWsDocInfo();
+
+        if (secRef.containsReference()) {
             Reference reference = secRef.getReference();
             // Try asking the CallbackHandler for the secret key
-            secretKey = getSecretKeyFromToken(uri, reference.getValueType(), data);
+            byte[] secretKey = 
+                STRParserUtil.getSecretKeyFromToken(uri, reference.getValueType(), 
+                                                    WSPasswordCallback.SECRET_KEY, data);
             if (secretKey == null) {
                 Element token = 
                     secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
@@ -122,12 +194,14 @@ public class SecurityTokenRefSTRParser i
                 throw new WSSecurityException(
                     WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId", uri);
             }
+            parserResult.setSecretKey(secretKey);
         } else if (secRef.containsKeyIdentifier()) {
             String valueType = secRef.getKeyIdentifierValueType();
             if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(valueType)
                 || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(valueType)) {
-                secretKey = 
-                    getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, data);
+                byte[] secretKey = 
+                    STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, 
+                                                        WSPasswordCallback.SECRET_KEY, data);
                 if (secretKey == null) {
                     SamlAssertionWrapper samlAssertion =
                         STRParserUtil.getAssertionFromKeyIdentifier(
@@ -136,9 +210,11 @@ public class SecurityTokenRefSTRParser i
                         );
                     secretKey = getSecretKeyFromAssertion(samlAssertion, secRef, data, wsDocInfo);
                 }
+                parserResult.setSecretKey(secretKey);
             } else if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) {
-                secretKey = 
-                    getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, data);
+                byte[] secretKey = 
+                    STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, 
+                                                        WSPasswordCallback.SECRET_KEY, data);
                 if (secretKey == null) {
                     byte[] keyBytes = secRef.getSKIBytes();
                     List<WSSecurityEngineResult> resultsList = 
@@ -157,166 +233,27 @@ public class SecurityTokenRefSTRParser i
                     throw new WSSecurityException(
                         WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId", uri);
                 }
+                parserResult.setSecretKey(secretKey);
             } else {
                 if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
                     STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
                 } 
-                secretKey = 
-                    getSecretKeyFromToken(
-                        secRef.getKeyIdentifierValue(), secRef.getKeyIdentifierValueType(), data
+                byte[] secretKey = 
+                    STRParserUtil.getSecretKeyFromToken(
+                        secRef.getKeyIdentifierValue(), secRef.getKeyIdentifierValueType(), 
+                        WSPasswordCallback.SECRET_KEY, data
                     );
                 if (secretKey == null) {
                     throw new WSSecurityException(
                         WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId", uri);
                 }
+                parserResult.setSecretKey(secretKey);
             }
         } else {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "noReference");
         }
+        
+        return parserResult;
     }
     
-    /**
-     * Get the X509Certificates associated with this SecurityTokenReference
-     * @return the X509Certificates associated with this SecurityTokenReference
-     */
-    public X509Certificate[] getCertificates() {
-        return null;
-    }
-    
-    /**
-     * Get the Principal associated with this SecurityTokenReference
-     * @return the Principal associated with this SecurityTokenReference
-     */
-    public Principal getPrincipal() {
-        return principal;
-    }
-    
-    /**
-     * Get the PublicKey associated with this SecurityTokenReference
-     * @return the PublicKey associated with this SecurityTokenReference
-     */
-    public PublicKey getPublicKey() {
-        return null;
-    }
-    
-    /**
-     * Get the Secret Key associated with this SecurityTokenReference
-     * @return the Secret Key associated with this SecurityTokenReference
-     */
-    public byte[] getSecretKey() {
-        return secretKey;
-    }
-    
-    /**
-     * Get how the certificates were referenced
-     * @return how the certificates were referenced
-     */
-    public REFERENCE_TYPE getCertificatesReferenceType() {
-        return null;
-    }
-    
-    /**
-     * Get whether the returned credential is already trusted or not. This is currently
-     * applicable in the case of a credential extracted from a trusted HOK SAML Assertion,
-     * and a BinarySecurityToken that has been processed by a Validator. In these cases,
-     * the SignatureProcessor does not need to verify trust on the credential.
-     * @return true if trust has already been verified on the returned Credential
-     */
-    public boolean isTrustedCredential() {
-        return false;
-    }
-    
-    /**
-     * Get the Secret Key from a CallbackHandler
-     * @param id The id of the element
-     * @param type The type of the element (may be null)
-     * @param cb The CallbackHandler object
-     * @return A Secret Key
-     * @throws WSSecurityException
-     */
-    private byte[] getSecretKeyFromToken(
-        String id,
-        String type,
-        RequestData data
-    ) throws WSSecurityException {
-        if (id.charAt(0) == '#') {
-            id = id.substring(1);
-        }
-        WSPasswordCallback pwcb = 
-            new WSPasswordCallback(id, null, type, WSPasswordCallback.SECRET_KEY);
-        try {
-            Callback[] callbacks = new Callback[]{pwcb};
-            if (data.getCallbackHandler() != null) {
-                data.getCallbackHandler().handle(callbacks);
-                return pwcb.getKey();
-            }
-        } catch (Exception e) {
-            throw new WSSecurityException(
-                WSSecurityException.ErrorCode.FAILURE,
-                "noPassword", e, id);
-        }
-
-        return null;
-    }
-    
-    /**
-     * Get a SecretKey from a SAML Assertion
-     */
-    private byte[] getSecretKeyFromAssertion(
-        SamlAssertionWrapper samlAssertion,
-        SecurityTokenReference secRef,
-        RequestData data,
-        WSDocInfo wsDocInfo
-    ) throws WSSecurityException {
-        STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion, data.getBSPEnforcer());
-        SAMLKeyInfo samlKi = 
-            SAMLUtil.getCredentialFromSubject(samlAssertion,
-                    new WSSSAMLKeyInfoProcessor(data, wsDocInfo), 
-                    data.getSigVerCrypto(), data.getCallbackHandler());
-        if (samlKi == null) {
-            throw new WSSecurityException(
-                WSSecurityException.ErrorCode.FAILED_CHECK, "invalidSAMLToken", "No Secret Key");
-        }
-        return samlKi.getSecret();
-    }
-    
-    /**
-     * Process a previous security result
-     */
-    private void processPreviousResult(
-        WSSecurityEngineResult result,
-        SecurityTokenReference secRef,
-        RequestData data,
-        Map<String, Object> parameters,
-        WSDocInfo wsDocInfo
-    ) throws WSSecurityException {
-        int action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
-        if (WSConstants.ENCR == action) {
-            STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
-            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-        } else if (WSConstants.DKT == action) {
-            DerivedKeyToken dkt = 
-                (DerivedKeyToken)result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
-            byte[] secret = 
-                (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-            String algorithm = (String)parameters.get(SIGNATURE_METHOD);
-            secretKey = dkt.deriveKey(KeyUtils.getKeyLength(algorithm), secret);
-            principal = dkt.createPrincipal();
-        } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
-            SamlAssertionWrapper samlAssertion =
-                (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-            secretKey = getSecretKeyFromAssertion(samlAssertion, secRef, data, wsDocInfo);
-        } else if (WSConstants.SCT == action || WSConstants.BST == action) {
-            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-        } else if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
-            STRParserUtil.checkUsernameTokenBSPCompliance(secRef, data.getBSPEnforcer());
-            UsernameToken usernameToken = 
-                (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
-
-            usernameToken.setRawPassword(data);
-            secretKey = usernameToken.getDerivedKey(data.getBSPEnforcer());
-        } 
-    }
-    
-    
 }



Mime
View raw message