ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1663694 [2/2] - in /webservices/wss4j/trunk: ws-security-common/src/main/resources/messages/ ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/ ws-security-dom/src/main/ja...
Date Tue, 03 Mar 2015 13:06:26 GMT
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java?rev=1663694&r1=1663693&r2=1663694&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
Tue Mar  3 13:06:25 2015
@@ -20,14 +20,11 @@
 package org.apache.wss4j.dom.str;
 
 import java.security.Principal;
-import java.security.PublicKey;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.List;
-import java.util.Map;
 
-import javax.security.auth.callback.Callback;
 import javax.xml.namespace.QName;
 
 import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
@@ -41,7 +38,6 @@ import org.apache.wss4j.common.saml.Open
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SAMLUtil;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDocInfo;
 import org.apache.wss4j.dom.WSSecurityEngine;
@@ -66,40 +62,23 @@ import org.apache.xml.security.utils.Bas
 public class SignatureSTRParser implements STRParser {
     
     /**
-     * The Signature method. This is used when deriving a key to use for verifying the signature.
-     */
-    public static final String SIGNATURE_METHOD = "signature_method";
-    
-    private X509Certificate[] certs;
-    
-    private byte[] secretKey;
-    
-    private PublicKey publicKey;
-    
-    private Principal principal;
-    
-    private boolean trustedCredential;
-    
-    private REFERENCE_TYPE referenceType;
-    
-    /**
      * Parse a SecurityTokenReference element and extract credentials.
      * 
-     * @param strElement The SecurityTokenReference element
-     * @param data the RequestData associated with the request
-     * @param wsDocInfo The WSDocInfo object to access previous processing results
-     * @param parameters A set of implementation-specific parameters
+     * @param parameters The parameters to parse
+     * @return the STRParserResult Object containing the parsing results
      * @throws WSSecurityException
      */
-    public void parseSecurityTokenReference(
-        Element strElement,
-        RequestData data,
-        WSDocInfo wsDocInfo,
-        Map<String, Object> parameters
-    ) throws WSSecurityException {
-        Crypto crypto = data.getSigVerCrypto();
+    public STRParserResult parseSecurityTokenReference(STRParserParameters parameters) throws
WSSecurityException {
+        
+        if (parameters == null || parameters.getData() == null || parameters.getWsDocInfo()
== null
+            || parameters.getStrElement() == null) {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.FAILURE, "invalidSTRParserParameter"
+            );
+        }
+        
         SecurityTokenReference secRef = 
-            new SecurityTokenReference(strElement, data.getBSPEnforcer());
+            new SecurityTokenReference(parameters.getStrElement(), parameters.getData().getBSPEnforcer());
         //
         // Here we get some information about the document that is being
         // processed, in particular the crypto implementation, and already
@@ -111,167 +90,16 @@ public class SignatureSTRParser implemen
             if (uri.charAt(0) == '#') {
                 uri = uri.substring(1);
             }
-            referenceType = REFERENCE_TYPE.DIRECT_REF;
         } else if (secRef.containsKeyIdentifier()) {
             uri = secRef.getKeyIdentifierValue();
-            if (SecurityTokenReference.THUMB_URI.equals(secRef.getKeyIdentifierValueType()))
{
-                referenceType = REFERENCE_TYPE.THUMBPRINT_SHA1;
-            } else {
-                referenceType = REFERENCE_TYPE.KEY_IDENTIFIER;
-            }
         }
         
-        WSSecurityEngineResult result = wsDocInfo.getResult(uri);
+        WSSecurityEngineResult result = parameters.getWsDocInfo().getResult(uri);
         if (result != null) {
-            processPreviousResult(result, secRef, data, parameters);
-        } else if (secRef.containsReference()) {
-            Reference reference = secRef.getReference();
-            // Try asking the CallbackHandler for the secret key
-            secretKey = getSecretKeyFromToken(uri, reference.getValueType(), data);
-            principal = new CustomTokenPrincipal(uri);
-            
-            if (secretKey == null) {
-                Element token = 
-                    secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
-                QName el = new QName(token.getNamespaceURI(), token.getLocalName());
-                if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
-                    Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
-                    List<WSSecurityEngineResult> bstResult =
-                        proc.handleToken(token, data, wsDocInfo);
-                    BinarySecurity bstToken = 
-                        (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-                    STRParserUtil.checkBinarySecurityBSPCompliance(
-                        secRef, bstToken, data.getBSPEnforcer()
-                    );
-                    
-                    certs = (X509Certificate[])bstResult.get(0).get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
-                    secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
-                    principal = (Principal)bstResult.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
-                } else if (el.equals(WSSecurityEngine.SAML_TOKEN) 
-                    || el.equals(WSSecurityEngine.SAML2_TOKEN)) {
-                    Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
-                    //
-                    // Just check to see whether the token was processed or not
-                    //
-                    Element processedToken = 
-                        secRef.findProcessedTokenElement(
-                            strElement.getOwnerDocument(), wsDocInfo, 
-                            data.getCallbackHandler(), uri, secRef.getReference().getValueType()
-                        );
-                    SamlAssertionWrapper samlAssertion = null;
-                    if (processedToken == null) {
-                        List<WSSecurityEngineResult> samlResult =
-                            proc.handleToken(token, data, wsDocInfo);
-                        samlAssertion =
-                            (SamlAssertionWrapper)samlResult.get(0).get(
-                                WSSecurityEngineResult.TAG_SAML_ASSERTION
-                            );
-                    } else {
-                        samlAssertion = new SamlAssertionWrapper(processedToken);
-                        samlAssertion.parseSubject(
-                            new WSSSAMLKeyInfoProcessor(data, wsDocInfo), 
-                            data.getSigVerCrypto(), data.getCallbackHandler()
-                        );
-                    }
-                    STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion, data.getBSPEnforcer());
-                    
-                    SAMLKeyInfo keyInfo = samlAssertion.getSubjectKeyInfo();
-                    X509Certificate[] foundCerts = keyInfo.getCerts();
-                    if (foundCerts != null && foundCerts.length > 0) {
-                        certs = new X509Certificate[]{foundCerts[0]};
-                    }
-                    secretKey = keyInfo.getSecret();
-                    principal = createPrincipalFromSAML(samlAssertion);
-                } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
-                    STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
-                    Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
-                    List<WSSecurityEngineResult> encrResult =
-                        proc.handleToken(token, data, wsDocInfo);
-                    secretKey = 
-                        (byte[])encrResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
-                    principal = new CustomTokenPrincipal(token.getAttributeNS(null, "Id"));
-                }
-            }
-        } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
-            referenceType = REFERENCE_TYPE.ISSUER_SERIAL;
-            X509Certificate[] foundCerts = secRef.getX509IssuerSerial(crypto);
-            if (foundCerts != null && foundCerts.length > 0) {
-                certs = new X509Certificate[]{foundCerts[0]};
-            }
-        } else if (secRef.containsKeyIdentifier()) {
-            if (secRef.getKeyIdentifierValueType().equals(SecurityTokenReference.ENC_KEY_SHA1_URI))
{
-                STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
-                
-                String id = secRef.getKeyIdentifierValue();
-                secretKey = 
-                    getSecretKeyFromToken(id, SecurityTokenReference.ENC_KEY_SHA1_URI, data);
-                principal = new CustomTokenPrincipal(id);
-            } else if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())
-                || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()))
{
-                parseSAMLKeyIdentifier(secRef, wsDocInfo, data);
-            } else {
-                parseBSTKeyIdentifier(secRef, crypto, wsDocInfo, data);
-            }
-        } else {
-            throw new WSSecurityException(
-                    WSSecurityException.ErrorCode.INVALID_SECURITY,
-                    "unsupportedKeyInfo", strElement.toString());
+            return processPreviousResult(result, secRef, parameters);
         }
         
-        if (certs != null && certs.length > 0 && principal == null) {
-            principal = certs[0].getSubjectX500Principal();
-        }
-    }
-    
-    /**
-     * Get the X509Certificates associated with this SecurityTokenReference
-     * @return the X509Certificates associated with this SecurityTokenReference
-     */
-    public X509Certificate[] getCertificates() {
-        return certs;
-    }
-    
-    /**
-     * Get the Principal associated with this SecurityTokenReference
-     * @return the Principal associated with this SecurityTokenReference
-     */
-    public Principal getPrincipal() {
-        return principal;
-    }
-    
-    /**
-     * Get the PublicKey associated with this SecurityTokenReference
-     * @return the PublicKey associated with this SecurityTokenReference
-     */
-    public PublicKey getPublicKey() {
-        return publicKey;
-    }
-    
-    /**
-     * Get the Secret Key associated with this SecurityTokenReference
-     * @return the Secret Key associated with this SecurityTokenReference
-     */
-    public byte[] getSecretKey() {
-        return secretKey;
-    }
-    
-    /**
-     * Get whether the returned credential is already trusted or not. This is currently
-     * applicable in the case of a credential extracted from a trusted HOK SAML Assertion,
-     * and a BinarySecurityToken that has been processed by a Validator. In these cases,
-     * the SignatureProcessor does not need to verify trust on the credential.
-     * @return true if trust has already been verified on the returned Credential
-     */
-    public boolean isTrustedCredential() {
-        return trustedCredential;
-    }
-    
-    /**
-     * Get how the certificates were referenced
-     * @return how the certificates were referenced
-     */
-    public REFERENCE_TYPE getCertificatesReferenceType() {
-        return referenceType;
+        return processSTR(secRef, uri, parameters);
     }
     
     /**
@@ -280,7 +108,7 @@ public class SignatureSTRParser implemen
      * @return A principal
      */
     private Principal createPrincipalFromSAML(
-        SamlAssertionWrapper samlAssertion
+        SamlAssertionWrapper samlAssertion, STRParserResult parserResult
     ) {
         SAMLTokenPrincipalImpl samlPrincipal = new SAMLTokenPrincipalImpl(samlAssertion);
         String confirmMethod = null;
@@ -289,53 +117,23 @@ public class SignatureSTRParser implemen
             confirmMethod = methods.get(0);
         }
         if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod) && samlAssertion.isSigned())
{
-            trustedCredential = true;
+            parserResult.setTrustedCredential(true);
         }
         return samlPrincipal;
     }
     
     /**
-     * Get the Secret Key from a CallbackHandler
-     * @param id The id of the element
-     * @param type The type of the element (can be null)
-     * @return A Secret Key
-     * @throws WSSecurityException
-     */
-    private byte[] getSecretKeyFromToken(
-        String id,
-        String type,
-        RequestData data
-    ) throws WSSecurityException {
-        if (id.charAt(0) == '#') {
-            id = id.substring(1);
-        }
-        WSPasswordCallback pwcb = 
-            new WSPasswordCallback(id, null, type, WSPasswordCallback.SECRET_KEY);
-        try {
-            Callback[] callbacks = new Callback[]{pwcb};
-            if (data.getCallbackHandler() != null) {
-                data.getCallbackHandler().handle(callbacks);
-                return pwcb.getKey();
-            }
-        } catch (Exception e) {
-            throw new WSSecurityException(
-                WSSecurityException.ErrorCode.FAILURE,
-                "noPassword", e, id);
-        }
-
-        return null;
-    }
-    
-    /**
      * Parse the KeyIdentifier for a SAML Assertion
      */
     private void parseSAMLKeyIdentifier(
         SecurityTokenReference secRef,
         WSDocInfo wsDocInfo,
-        RequestData data
+        RequestData data,
+        STRParserResult parserResult
     ) throws WSSecurityException {
         String valueType = secRef.getKeyIdentifierValueType();
-        secretKey = getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, data);
+        byte[] secretKey = STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(),
valueType, 
+                                                               WSPasswordCallback.SECRET_KEY,
data);
         if (secretKey == null) {
             SamlAssertionWrapper samlAssertion =
                 STRParserUtil.getAssertionFromKeyIdentifier(
@@ -349,12 +147,13 @@ public class SignatureSTRParser implemen
                         data.getSigVerCrypto(), data.getCallbackHandler());
             X509Certificate[] foundCerts = samlKi.getCerts();
             if (foundCerts != null && foundCerts.length > 0) {
-                certs = new X509Certificate[]{foundCerts[0]};
+                parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
             }
             secretKey = samlKi.getSecret();
-            publicKey = samlKi.getPublicKey();
-            principal = createPrincipalFromSAML(samlAssertion);
+            parserResult.setPublicKey(samlKi.getPublicKey());
+            parserResult.setPrincipal(createPrincipalFromSAML(samlAssertion, parserResult));
         }
+        parserResult.setSecretKey(secretKey);
     }
     
     /**
@@ -364,14 +163,16 @@ public class SignatureSTRParser implemen
         SecurityTokenReference secRef,
         Crypto crypto,
         WSDocInfo wsDocInfo,
-        RequestData data
+        RequestData data,
+        STRParserResult parserResult
     ) throws WSSecurityException {
         STRParserUtil.checkBinarySecurityBSPCompliance(secRef, null, data.getBSPEnforcer());
         
         String valueType = secRef.getKeyIdentifierValueType();
         if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) {
-            secretKey = 
-                getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, data);
+            byte[] secretKey = 
+                STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType,

+                                                    WSPasswordCallback.SECRET_KEY, data);
             if (secretKey == null) {
                 byte[] keyBytes = secRef.getSKIBytes();
                 List<WSSecurityEngineResult> resultsList = 
@@ -382,13 +183,14 @@ public class SignatureSTRParser implemen
                     byte[] tokenDigest = WSSecurityUtil.generateDigest(bstToken.getToken());
                     if (Arrays.equals(tokenDigest, keyBytes)) {
                         secretKey = (byte[])bstResult.get(WSSecurityEngineResult.TAG_SECRET);
-                        principal = (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                        parserResult.setPrincipal((Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL));
                         break;
                     }
                 }
             } else {
-                principal = new CustomTokenPrincipal(secRef.getKeyIdentifierValue());
+                parserResult.setPrincipal(new CustomTokenPrincipal(secRef.getKeyIdentifierValue()));
             }
+            parserResult.setSecretKey(secretKey);
         } else {
             X509Certificate[] foundCerts = secRef.getKeyIdentifier(crypto);
             if (foundCerts == null) {
@@ -402,7 +204,7 @@ public class SignatureSTRParser implemen
                             (X509Certificate[])bstResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
                         if (certs != null
                             && Arrays.equals(skiBytes, crypto.getSKIBytesFromCert(certs[0])))
{
-                            principal = (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                            parserResult.setPrincipal((Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL));
                             foundCerts = certs;
                             break;
                         }
@@ -419,7 +221,8 @@ public class SignatureSTRParser implemen
                                 byte[] digest = WSSecurityUtil.generateDigest(certs[0].getEncoded());
                                 try {
                                     if (Arrays.equals(Base64.decode(kiValue), digest)) {
-                                        principal = (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                                        parserResult.setPrincipal(
+                                            (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL));
                                         foundCerts = certs;
                                         break;
                                     }
@@ -438,7 +241,7 @@ public class SignatureSTRParser implemen
                 }
             }
             if (foundCerts != null) {
-                certs = new X509Certificate[]{foundCerts[0]};
+                parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
             }
         }
     }
@@ -446,12 +249,15 @@ public class SignatureSTRParser implemen
     /**
      * Process a previous security result
      */
-    private void processPreviousResult(
+    private STRParserResult processPreviousResult(
         WSSecurityEngineResult result,
         SecurityTokenReference secRef,
-        RequestData data,
-        Map<String, Object> parameters
+        STRParserParameters parameters
     ) throws WSSecurityException {
+        
+        STRParserResult parserResult = new STRParserResult();
+        RequestData data = parameters.getData();
+        
         int action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
         if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
             STRParserUtil.checkUsernameTokenBSPCompliance(secRef, data.getBSPEnforcer());
@@ -460,9 +266,9 @@ public class SignatureSTRParser implemen
                 (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
 
             usernameToken.setRawPassword(data);
-            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            parserResult.setSecretKey((byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
            
-            principal = usernameToken.createPrincipal();
+            parserResult.setPrincipal(usernameToken.createPrincipal());
         } else if (WSConstants.BST == action) {
             BinarySecurity token = 
                 (BinarySecurity)result.get(
@@ -470,39 +276,39 @@ public class SignatureSTRParser implemen
                 );
             STRParserUtil.checkBinarySecurityBSPCompliance(secRef, token, data.getBSPEnforcer());
             
-            certs = 
-                (X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
-            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            parserResult.setCerts(
+                (X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES));
+            parserResult.setSecretKey((byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
             Boolean validatedToken = 
                 (Boolean)result.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN);
             if (validatedToken) {
-                trustedCredential = true;
+                parserResult.setTrustedCredential(true);
             }
         } else if (WSConstants.ENCR == action) {
             STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
             
-            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            parserResult.setSecretKey((byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
             String id = (String)result.get(WSSecurityEngineResult.TAG_ID);
-            principal = new CustomTokenPrincipal(id);
+            parserResult.setPrincipal(new CustomTokenPrincipal(id));
         } else if (WSConstants.SCT == action) {
-            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            parserResult.setSecretKey((byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
             SecurityContextToken sct = 
                 (SecurityContextToken)result.get(
                         WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN
                 );
-            principal = new CustomTokenPrincipal(sct.getIdentifier());
+            parserResult.setPrincipal(new CustomTokenPrincipal(sct.getIdentifier()));
         } else if (WSConstants.DKT == action) {
             DerivedKeyToken dkt = 
                 (DerivedKeyToken)result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
             int keyLength = dkt.getLength();
-            if (keyLength <= 0) {
-                String algorithm = (String)parameters.get(SIGNATURE_METHOD);
-                keyLength = KeyUtils.getKeyLength(algorithm);
+            if (keyLength <= 0 && parameters.getDerivationKeyLength() > 0)
{
+                keyLength = parameters.getDerivationKeyLength();
             }
             byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-            secretKey = dkt.deriveKey(keyLength, secret); 
-            principal = dkt.createPrincipal();
+            Principal principal = dkt.createPrincipal();
             ((WSDerivedKeyTokenPrincipal)principal).setSecret(secret);
+            parserResult.setPrincipal(principal);
+            parserResult.setSecretKey(dkt.deriveKey(keyLength, secret)); 
         } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action)
{
             SamlAssertionWrapper samlAssertion =
                 (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
@@ -516,13 +322,154 @@ public class SignatureSTRParser implemen
             }
             X509Certificate[] foundCerts = keyInfo.getCerts();
             if (foundCerts != null) {
-                certs = new X509Certificate[]{foundCerts[0]};
+                parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
+            }
+            parserResult.setSecretKey(keyInfo.getSecret());
+            parserResult.setPublicKey(keyInfo.getPublicKey());
+            parserResult.setPrincipal(createPrincipalFromSAML(samlAssertion, parserResult));
+        }
+        
+        REFERENCE_TYPE referenceType = getReferenceType(secRef);
+        if (referenceType != null) {
+            parserResult.setReferenceType(referenceType);
+        }
+        
+        return parserResult;
+    }
+    
+    private STRParserResult processSTR(
+        SecurityTokenReference secRef,
+        String uri,
+        STRParserParameters parameters
+    ) throws WSSecurityException {
+        STRParserResult parserResult = new STRParserResult();
+        RequestData data = parameters.getData();
+        WSDocInfo wsDocInfo = parameters.getWsDocInfo();
+        Element strElement = parameters.getStrElement();
+
+        if (secRef.containsReference()) {
+            Reference reference = secRef.getReference();
+            // Try asking the CallbackHandler for the secret key
+            byte[] secretKey = STRParserUtil.getSecretKeyFromToken(uri, reference.getValueType(),

+                                                                   WSPasswordCallback.SECRET_KEY,
+                                                                   data);
+            Principal principal = new CustomTokenPrincipal(uri);
+            
+            if (secretKey == null) {
+                Element token = 
+                    secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
+                QName el = new QName(token.getNamespaceURI(), token.getLocalName());
+                if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
+                    Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
+                    List<WSSecurityEngineResult> bstResult =
+                        proc.handleToken(token, parameters.getData(), parameters.getWsDocInfo());
+                    BinarySecurity bstToken = 
+                        (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                    STRParserUtil.checkBinarySecurityBSPCompliance(
+                        secRef, bstToken, data.getBSPEnforcer()
+                    );
+                    
+                    parserResult.setCerts(
+                        (X509Certificate[])bstResult.get(0).get(WSSecurityEngineResult.TAG_X509_CERTIFICATES));
+                    secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
+                    principal = (Principal)bstResult.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                } else if (el.equals(WSSecurityEngine.SAML_TOKEN) 
+                    || el.equals(WSSecurityEngine.SAML2_TOKEN)) {
+                    Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
+                    //
+                    // Just check to see whether the token was processed or not
+                    //
+                    Element processedToken = 
+                        secRef.findProcessedTokenElement(
+                            strElement.getOwnerDocument(), wsDocInfo, 
+                            data.getCallbackHandler(), uri, secRef.getReference().getValueType()
+                        );
+                    SamlAssertionWrapper samlAssertion = null;
+                    if (processedToken == null) {
+                        List<WSSecurityEngineResult> samlResult =
+                            proc.handleToken(token, data, wsDocInfo);
+                        samlAssertion =
+                            (SamlAssertionWrapper)samlResult.get(0).get(
+                                WSSecurityEngineResult.TAG_SAML_ASSERTION
+                            );
+                    } else {
+                        samlAssertion = new SamlAssertionWrapper(processedToken);
+                        samlAssertion.parseSubject(
+                            new WSSSAMLKeyInfoProcessor(data, wsDocInfo), 
+                            data.getSigVerCrypto(), data.getCallbackHandler()
+                        );
+                    }
+                    STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion, data.getBSPEnforcer());
+                    
+                    SAMLKeyInfo keyInfo = samlAssertion.getSubjectKeyInfo();
+                    X509Certificate[] foundCerts = keyInfo.getCerts();
+                    if (foundCerts != null && foundCerts.length > 0) {
+                        parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
+                    }
+                    secretKey = keyInfo.getSecret();
+                    principal = createPrincipalFromSAML(samlAssertion, parserResult);
+                } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
+                    STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
+                    Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
+                    List<WSSecurityEngineResult> encrResult =
+                        proc.handleToken(token, data, wsDocInfo);
+                    secretKey = 
+                        (byte[])encrResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
+                    principal = new CustomTokenPrincipal(token.getAttributeNS(null, "Id"));
+                }
             }
-            secretKey = keyInfo.getSecret();
-            publicKey = keyInfo.getPublicKey();
-            principal = createPrincipalFromSAML(samlAssertion);
+            
+            parserResult.setSecretKey(secretKey);
+            parserResult.setPrincipal(principal);
+        } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
+            parserResult.setReferenceType(REFERENCE_TYPE.ISSUER_SERIAL);
+            Crypto crypto = data.getSigVerCrypto();
+            X509Certificate[] foundCerts = secRef.getX509IssuerSerial(crypto);
+            if (foundCerts != null && foundCerts.length > 0) {
+                parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
+            }
+        } else if (secRef.containsKeyIdentifier()) {
+            if (secRef.getKeyIdentifierValueType().equals(SecurityTokenReference.ENC_KEY_SHA1_URI))
{
+                STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
+                
+                String id = secRef.getKeyIdentifierValue();
+                parserResult.setSecretKey( 
+                    STRParserUtil.getSecretKeyFromToken(id, SecurityTokenReference.ENC_KEY_SHA1_URI,

+                                                        WSPasswordCallback.SECRET_KEY, data));
+                parserResult.setPrincipal(new CustomTokenPrincipal(id));
+            } else if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())
+                || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()))
{
+                parseSAMLKeyIdentifier(secRef, wsDocInfo, data, parserResult);
+            } else {
+                Crypto crypto = data.getSigVerCrypto();
+                parseBSTKeyIdentifier(secRef, crypto, wsDocInfo, data, parserResult);
+            }
+        } else {
+            throw new WSSecurityException(
+                    WSSecurityException.ErrorCode.INVALID_SECURITY,
+                    "unsupportedKeyInfo", strElement.toString());
+        }
+        
+        REFERENCE_TYPE referenceType = getReferenceType(secRef);
+        if (referenceType != null) {
+            parserResult.setReferenceType(referenceType);
         }
+        
+        return parserResult;
     }
     
+    private REFERENCE_TYPE getReferenceType(SecurityTokenReference secRef) {
+        if (secRef.containsReference()) {
+            return REFERENCE_TYPE.DIRECT_REF;
+        } else if (secRef.containsKeyIdentifier()) {
+            if (SecurityTokenReference.THUMB_URI.equals(secRef.getKeyIdentifierValueType()))
{
+                return REFERENCE_TYPE.THUMBPRINT_SHA1;
+            } else {
+                return REFERENCE_TYPE.KEY_IDENTIFIER;
+            }
+        }
+        
+        return null;
+    }
     
 }



Mime
View raw message