ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1297924 - /webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Date Wed, 07 Mar 2012 10:39:43 GMT
Author: coheigea
Date: Wed Mar  7 10:39:42 2012
New Revision: 1297924

URL: http://svn.apache.org/viewvc?rev=1297924&view=rev
Log:
[WSS-357] - WSS4J can't handle thumbprint/ski references to a token in the security header

Modified:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1297924&r1=1297923&r2=1297924&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Wed Mar  7 10:39:42 2012
@@ -41,11 +41,13 @@ import org.apache.ws.security.saml.SAMLK
 import org.apache.ws.security.saml.SAMLUtil;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
 import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.apache.ws.security.util.Base64;
 import org.apache.ws.security.util.WSSecurityUtil;
 import org.w3c.dom.Element;
 
 import java.security.Principal;
 import java.security.PublicKey;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.List;
@@ -371,6 +373,47 @@ public class SignatureSTRParser implemen
             }
         } else {
             X509Certificate[] foundCerts = secRef.getKeyIdentifier(crypto);
+            if (foundCerts == null) {
+                // The reference may be to a BST in the security header rather than in the
keystore
+                if (SecurityTokenReference.SKI_URI.equals(valueType)) {
+                    byte[] skiBytes = secRef.getSKIBytes();
+                    List<WSSecurityEngineResult> resultsList = 
+                        wsDocInfo.getResultsByTag(WSConstants.BST);
+                    for (WSSecurityEngineResult bstResult : resultsList) {
+                        X509Certificate[] certs = 
+                            (X509Certificate[])bstResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+                        if (certs != null
+                            && Arrays.equals(skiBytes, crypto.getSKIBytesFromCert(certs[0])))
{
+                            principal = (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                            foundCerts = certs;
+                            break;
+                        }
+                    }
+                } else if (SecurityTokenReference.THUMB_URI.equals(valueType)) {
+                    String kiValue = secRef.getKeyIdentifierValue();
+                    List<WSSecurityEngineResult> resultsList = 
+                        wsDocInfo.getResultsByTag(WSConstants.BST);
+                    for (WSSecurityEngineResult bstResult : resultsList) {
+                        X509Certificate[] certs = 
+                            (X509Certificate[])bstResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+                        if (certs != null) {
+                            try {
+                                byte[] digest = WSSecurityUtil.generateDigest(certs[0].getEncoded());
+                                if (Arrays.equals(Base64.decode(kiValue), digest)) {
+                                    principal = (Principal)bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                                    foundCerts = certs;
+                                    break;
+                                }
+                            } catch (CertificateEncodingException ex) {
+                                throw new WSSecurityException(
+                                    WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "encodeError",
+                                    null, ex
+                                );
+                            }
+                        }
+                    }
+                }
+            }
             if (foundCerts != null) {
                 certs = new X509Certificate[]{foundCerts[0]};
             }



Mime
View raw message