This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch coheigea/saml-refactor-new
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git


The following commit(s) were added to refs/heads/coheigea/saml-refactor-new by 
this push:
     new 213ffe90f Working on SignatureSTRParser
213ffe90f is described below

commit 213ffe90f79890a45f5dd7f6ac61a0ad1bf2266f
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Wed Jun 25 15:30:29 2025 +0100

    Working on SignatureSTRParser
---
 .../org/apache/wss4j/common/saml/SAMLKeyInfo.java  | 28 ++++++++++++++++++++++
 .../wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java    | 28 +++++++++++++++++++---
 .../apache/wss4j/dom/str/SignatureSTRParser.java   | 17 ++++++-------
 3 files changed, 60 insertions(+), 13 deletions(-)

diff --git 
a/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfo.java
 
b/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfo.java
index 9944cbc18..a68738954 100644
--- 
a/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfo.java
+++ 
b/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfo.java
@@ -42,6 +42,12 @@ public class SAMLKeyInfo {
      */
     private PublicKey publicKey;
 
+    private boolean isHolderOfKey;
+
+    private boolean isAssertionSigned;
+
+    private java.security.Principal samlPrincipal;
+
     public SAMLKeyInfo() {
     }
 
@@ -81,4 +87,26 @@ public class SAMLKeyInfo {
         this.publicKey = publicKey;
     }
 
+    public boolean isAssertionSigned() {
+        return isAssertionSigned;
+    }
+
+    public void setAssertionSigned(boolean isAssertionSigned) {
+        this.isAssertionSigned = isAssertionSigned;
+    }
+    public boolean isHolderOfKey() {
+        return isHolderOfKey;
+    }
+
+    public void setHolderOfKey(boolean isHolderOfKey) {
+        this.isHolderOfKey = isHolderOfKey;
+    }
+
+    public java.security.Principal getSamlPrincipal() {
+        return samlPrincipal;
+    }
+
+    public void setSamlPrincipal(java.security.Principal samlPrincipal) {
+        this.samlPrincipal = samlPrincipal;
+    }
 }
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
index ef8e7722e..8e8470a5a 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
+++ 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java
@@ -31,7 +31,9 @@ import org.apache.wss4j.common.crypto.AlgorithmSuite;
 import org.apache.wss4j.common.crypto.AlgorithmSuiteValidator;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
 import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SAMLKeyInfoProcessor;
 import org.apache.wss4j.common.saml.SAMLUtil;
@@ -64,8 +66,8 @@ public class WSSSAMLKeyInfoProcessor implements 
SAMLKeyInfoProcessor {
 
     public SAMLKeyInfo processSAMLKeyInfoFromAssertionElement(Element 
assertionElement, RequestData data, 
         Crypto userCrypto) throws WSSecurityException {
-        SamlAssertionWrapper assertion = new 
SamlAssertionWrapper(assertionElement);
-        return SAMLUtil.getCredentialFromSubject(assertion, this, data, 
userCrypto);
+        SamlAssertionWrapper samlAssertion = new 
SamlAssertionWrapper(assertionElement);
+        return processSAMLKeyInfoFromAssertion(samlAssertion, data, 
userCrypto);
     }
 
     public SAMLKeyInfo 
processSAMLKeyInfoFromSecurityTokenReference(SecurityTokenReference secRef,
@@ -74,7 +76,27 @@ public class WSSSAMLKeyInfoProcessor implements 
SAMLKeyInfoProcessor {
         SamlAssertionWrapper samlAssertion = 
STRParserUtil.getAssertionFromKeyIdentifier(secRef, secRef.getElement(), data);
         STRParserUtil.checkSamlTokenBSPCompliance(secRef, 
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
 
-        return SAMLUtil.getCredentialFromSubject(samlAssertion, new 
WSSSAMLKeyInfoProcessor(), data, data.getSigVerCrypto());
+        return processSAMLKeyInfoFromAssertion(samlAssertion, data, 
data.getSigVerCrypto());
+    }
+
+    private SAMLKeyInfo processSAMLKeyInfoFromAssertion(SamlAssertionWrapper 
samlAssertion,
+        RequestData data,
+        Crypto crypto
+    ) throws WSSecurityException {
+        SAMLKeyInfo samlKeyInfo = 
+            SAMLUtil.getCredentialFromSubject(samlAssertion, new 
WSSSAMLKeyInfoProcessor(), data, crypto);
+
+        SAMLTokenPrincipalImpl samlPrincipal = new 
SAMLTokenPrincipalImpl(samlAssertion);
+        samlKeyInfo.setSamlPrincipal(samlPrincipal);
+        String confirmMethod = null;
+        List<String> methods = samlAssertion.getConfirmationMethods();
+        if (methods != null && !methods.isEmpty()) {
+            confirmMethod = methods.get(0);
+        }
+        
samlKeyInfo.setHolderOfKey(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
+        samlKeyInfo.setAssertionSigned(samlAssertion.isSigned());
+
+        return samlKeyInfo;
     }
 
     public SAMLKeyInfo processSAMLKeyInfo(Element keyInfoElement, RequestData 
data) throws WSSecurityException {
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
index 011456211..c5d3e3d4f 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
+++ 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
@@ -36,7 +36,7 @@ import 
org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
 import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
 import org.apache.wss4j.common.saml.OpenSAMLUtil;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
-import org.apache.wss4j.common.saml.SAMLUtil;
+import org.apache.wss4j.common.saml.SAMLKeyInfoProcessor;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.token.BinarySecurity;
 import org.apache.wss4j.common.token.Reference;
@@ -131,22 +131,19 @@ public class SignatureSTRParser implements STRParser {
         byte[] secretKey = 
STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType,
                                                                
WSPasswordCallback.SECRET_KEY, data);
         if (secretKey == null || secretKey.length == 0) {
-            SamlAssertionWrapper samlAssertion =
-                STRParserUtil.getAssertionFromKeyIdentifier(
-                    secRef, secRef.getElement(), data
-                );
-            STRParserUtil.checkSamlTokenBSPCompliance(secRef, 
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
+            SAMLKeyInfoProcessor keyInfoProcessor = new 
WSSSAMLKeyInfoProcessor();
+            SAMLKeyInfo samlKi = 
keyInfoProcessor.processSAMLKeyInfoFromSecurityTokenReference(secRef, data);
 
-            SAMLKeyInfo samlKi =
-                SAMLUtil.getCredentialFromSubject(samlAssertion,
-                        new WSSSAMLKeyInfoProcessor(), data, 
data.getSigVerCrypto());
             X509Certificate[] foundCerts = samlKi.getCerts();
             if (foundCerts != null && foundCerts.length > 0) {
                 parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
             }
             secretKey = samlKi.getSecret();
             parserResult.setPublicKey(samlKi.getPublicKey());
-            parserResult.setPrincipal(createPrincipalFromSAML(samlAssertion, 
parserResult));
+            parserResult.setPrincipal(samlKi.getSamlPrincipal());
+            if (samlKi.isHolderOfKey() && samlKi.isAssertionSigned()) {
+                parserResult.setTrustedCredential(true);
+            }
         }
         parserResult.setSecretKey(secretKey);
     }

Reply via email to