
coheigea pushed a commit to branch coheigea/saml-refactor-new
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git


The following commit(s) were added to refs/heads/coheigea/saml-refactor-new by 
this push:
     new a005ea444 Moving STR parsing to the SAMLKeyInfoProcessor
a005ea444 is described below

commit a005ea4449794c8491512c0564ced45e5062c512
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Wed Jun 25 13:00:37 2025 +0100

    Moving STR parsing to the SAMLKeyInfoProcessor
---
 .../wss4j/common/saml/SAMLKeyInfoProcessor.java    |  4 +++
 .../wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java    | 10 +++++++
 .../wss4j/dom/str/EncryptedKeySTRParser.java       | 14 ++-------
 .../wss4j/dom/str/SecurityTokenRefSTRParser.java   | 35 ++++++----------------
 4 files changed, 26 insertions(+), 37 deletions(-)

diff --git 
a/ws-security-saml/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfoProcessor.java
 
b/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfoProcessor.java
similarity index 87%
rename from 
ws-security-saml/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfoProcessor.java
rename to 
ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfoProcessor.java
index 4f9097f18..e62253069 100644
--- 
a/ws-security-saml/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfoProcessor.java
+++ 
b/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfoProcessor.java
@@ -22,6 +22,7 @@ package org.apache.wss4j.common.saml;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.dom.RequestData;
 import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.token.SecurityTokenReference;
 import org.w3c.dom.Element;
 
 /**
@@ -32,5 +33,8 @@ public interface SAMLKeyInfoProcessor {
     SAMLKeyInfo processSAMLKeyInfoFromAssertionElement(Element samlAssertion, 
RequestData data, 
         Crypto userCrypto) throws WSSecurityException;
 
+    SAMLKeyInfo 
processSAMLKeyInfoFromSecurityTokenReference(SecurityTokenReference secRef,
+        RequestData data) throws WSSecurityException;
+
     SAMLKeyInfo processSAMLKeyInfo(Element keyInfoElement, RequestData data) 
throws WSSecurityException;
 }
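Review bot: The new `processSAMLKeyInfoFromSecurityTokenReference` is added as an abstract method on a public interface with no Javadoc, so any external implementor of `SAMLKeyInfoProcessor` now fails to compile, and callers have no statement of what the method must validate before returning a key. If external implementations are a concern, a `default` method that throws `UnsupportedOperationException` would keep source compatibility; either way the contract should be written down. I would add, above the declaration, a Javadoc along the lines of: `/** Resolve the SAML assertion referenced by a SecurityTokenReference KeyIdentifier, check it for BSP compliance, and return the key material from its Subject. @throws WSSecurityException if the assertion cannot be resolved or fails validation. */`. The interface's other two methods are equally undocumented here, but that predates this commit.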
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
index 23834daa4..ef8e7722e 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
+++ 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
@@ -44,6 +44,7 @@ import org.apache.wss4j.common.dom.RequestData;
 import org.apache.wss4j.dom.str.STRParser;
 import org.apache.wss4j.dom.str.STRParserParameters;
 import org.apache.wss4j.dom.str.STRParserResult;
+import org.apache.wss4j.dom.str.STRParserUtil;
 import org.apache.wss4j.dom.str.SignatureSTRParser;
 import org.apache.xml.security.utils.XMLUtils;
 
@@ -67,6 +68,15 @@ public class WSSSAMLKeyInfoProcessor implements 
SAMLKeyInfoProcessor {
         return SAMLUtil.getCredentialFromSubject(assertion, this, data, 
userCrypto);
     }
 
+    public SAMLKeyInfo 
processSAMLKeyInfoFromSecurityTokenReference(SecurityTokenReference secRef,
+        RequestData data
+    ) throws WSSecurityException {
+        SamlAssertionWrapper samlAssertion = 
STRParserUtil.getAssertionFromKeyIdentifier(secRef, secRef.getElement(), data);
+        STRParserUtil.checkSamlTokenBSPCompliance(secRef, 
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
+
+        return SAMLUtil.getCredentialFromSubject(samlAssertion, new 
WSSSAMLKeyInfoProcessor(), data, data.getSigVerCrypto());
+    }
+
     public SAMLKeyInfo processSAMLKeyInfo(Element keyInfoElement, RequestData 
data) throws WSSecurityException {
         //
         // First try to find an EncryptedKey, BinarySecret or a 
SecurityTokenReference via DOM
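Review bot: The new method passes `new WSSSAMLKeyInfoProcessor()` into `SAMLUtil.getCredentialFromSubject` (the line after `checkSamlTokenBSPCompliance`), while the sibling `processSAMLKeyInfoFromAssertionElement` just above passes `this`; now that this code lives inside the class, creating a fresh instance bypasses any subclass override of the processor and is an inconsistency the move could have removed. I would change that line to `return SAMLUtil.getCredentialFromSubject(samlAssertion, this, data, data.getSigVerCrypto());`. The method also lacks `@Override` even though it implements the interface method added in this commit, and it dereferences `samlAssertion` (`samlAssertion.getSaml2()`) with no guard — presumably `STRParserUtil.getAssertionFromKeyIdentifier` throws rather than returns null, but that is not visible here and is worth confirming. A short Javadoc stating that the assertion is resolved from the STR's KeyIdentifier and BSP-checked before the subject credential is extracted would help readers of the class.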
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
index 61c157865..2179c3399 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
+++ 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
@@ -27,8 +27,7 @@ import javax.xml.namespace.QName;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
-import org.apache.wss4j.common.saml.SAMLUtil;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.saml.SAMLKeyInfoProcessor;
 import org.apache.wss4j.common.token.BinarySecurity;
 import org.apache.wss4j.common.token.Reference;
 import org.apache.wss4j.common.token.SecurityTokenReference;
@@ -142,15 +141,8 @@ public class EncryptedKeySTRParser implements STRParser {
         if (secRef.containsKeyIdentifier()) {
             if 
(WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())
                 || 
WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) 
{
-                SamlAssertionWrapper samlAssertion =
-                    STRParserUtil.getAssertionFromKeyIdentifier(
-                        secRef, strElement, data
-                    );
-                STRParserUtil.checkSamlTokenBSPCompliance(secRef, 
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
-
-                SAMLKeyInfo samlKi =
-                    SAMLUtil.getCredentialFromSubject(samlAssertion,
-                            new WSSSAMLKeyInfoProcessor(), data, 
data.getSigVerCrypto());
+                SAMLKeyInfoProcessor keyInfoProcessor = new 
WSSSAMLKeyInfoProcessor();
+                SAMLKeyInfo samlKi = 
keyInfoProcessor.processSAMLKeyInfoFromSecurityTokenReference(secRef, data);
                 parserResult.setCerts(samlKi.getCerts());
                 parserResult.setPublicKey(samlKi.getPublicKey());
             } else {
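Review bot: `samlKi` is dereferenced on the following lines (`samlKi.getCerts()`, `samlKi.getPublicKey()`) without a null check, whereas the same call in `SecurityTokenRefSTRParser` in this commit guards `samlKi == null` and throws `invalidSAMLToken`; if `getCredentialFromSubject` can return null (the sibling parser evidently assumes it can), this path will NPE instead of producing a clean security failure. I would add, before `parserResult.setCerts(...)`: `if (samlKi == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "invalidSAMLToken", new Object[] {"No Key"}); }`. Separately, the removed code passed `strElement` to `getAssertionFromKeyIdentifier` while the new processor method uses `secRef.getElement()`; these are presumably the same element, but if a caller ever constructs the `SecurityTokenReference` from a different node than the STR it hands in, the resolved assertion would change — worth confirming. The enclosing method starts and ends outside this hunk.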
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
index f9f1039ef..9727bc2d0 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
+++ 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
@@ -27,8 +27,7 @@ import javax.xml.namespace.QName;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
-import org.apache.wss4j.common.saml.SAMLUtil;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.saml.SAMLKeyInfoProcessor;
 import org.apache.wss4j.common.token.BinarySecurity;
 import org.apache.wss4j.common.token.Reference;
 import org.apache.wss4j.common.token.SecurityTokenReference;
@@ -86,25 +85,6 @@ public class SecurityTokenRefSTRParser implements STRParser {
         return processSTR(secRef, uri, parameters);
     }
 
-    /**
-     * Get a SecretKey from a SAML Assertion
-     */
-    private byte[] getSecretKeyFromAssertion(
-        SamlAssertionWrapper samlAssertion,
-        SecurityTokenReference secRef,
-        RequestData data
-    ) throws WSSecurityException {
-        STRParserUtil.checkSamlTokenBSPCompliance(secRef, 
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
-        SAMLKeyInfo samlKi =
-            SAMLUtil.getCredentialFromSubject(samlAssertion, new 
WSSSAMLKeyInfoProcessor(), data, data.getSigVerCrypto());
-        if (samlKi == null) {
-            throw new WSSecurityException(
-                WSSecurityException.ErrorCode.FAILED_CHECK, "invalidSAMLToken",
-                new Object[] {"No Secret Key"});
-        }
-        return samlKi.getSecret();
-    }
-
     /**
      * Process a previous security result
      */
@@ -216,11 +196,14 @@ public class SecurityTokenRefSTRParser implements 
STRParser {
                     
STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType,
                                                         
WSPasswordCallback.SECRET_KEY, data);
                 if (secretKey == null || secretKey.length == 0) {
-                    SamlAssertionWrapper samlAssertion =
-                        STRParserUtil.getAssertionFromKeyIdentifier(
-                            secRef, strElement, data
-                        );
-                    secretKey = getSecretKeyFromAssertion(samlAssertion, 
secRef, data);
+                    SAMLKeyInfoProcessor keyInfoProcessor = new 
WSSSAMLKeyInfoProcessor();
+                    SAMLKeyInfo samlKi = 
keyInfoProcessor.processSAMLKeyInfoFromSecurityTokenReference(secRef, data);
+                    if (samlKi == null || samlKi.getSecret() == null) {
+                        throw new WSSecurityException(
+                            WSSecurityException.ErrorCode.FAILED_CHECK, 
"invalidSAMLToken",
+                            new Object[] {"No Secret Key"});
+                    }
+                    secretKey = samlKi.getSecret();
                 }
                 parserResult.setSecretKey(secretKey);
             } else if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) {
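Review bot: The new guard `samlKi == null || samlKi.getSecret() == null` is weaker than the test that led here — the fallback is taken when `secretKey == null || secretKey.length == 0` — so a zero-length secret in the assertion's Subject passes the check and is stored via `parserResult.setSecretKey(secretKey)`, where the earlier branch would have treated the same value as "no key". I would align the two by making the guard `if (samlKi == null || samlKi.getSecret() == null || samlKi.getSecret().length == 0) {`. The deleted `getSecretKeyFromAssertion` helper had the same gap, so this is pre-existing, but the rewrite is the natural place to close it. The enclosing method starts and ends outside this hunk.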
