This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch coheigea/saml-refactor-new in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git
The following commit(s) were added to refs/heads/coheigea/saml-refactor-new by this push: new 213ffe90f Working on SignatureSTRParser 213ffe90f is described below commit 213ffe90f79890a45f5dd7f6ac61a0ad1bf2266f Author: Colm O hEigeartaigh <cohei...@apache.org> AuthorDate: Wed Jun 25 15:30:29 2025 +0100 Working on SignatureSTRParser --- .../org/apache/wss4j/common/saml/SAMLKeyInfo.java | 28 ++++++++++++++++++++++ .../wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java | 28 +++++++++++++++++++--- .../apache/wss4j/dom/str/SignatureSTRParser.java | 17 ++++++------- 3 files changed, 60 insertions(+), 13 deletions(-) diff --git a/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfo.java b/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfo.java index 9944cbc18..a68738954 100644 --- a/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfo.java +++ b/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLKeyInfo.java @@ -42,6 +42,12 @@ public class SAMLKeyInfo { */ private PublicKey publicKey; + private boolean isHolderOfKey; + + private boolean isAssertionSigned; + + private java.security.Principal samlPrincipal; + public SAMLKeyInfo() { } @@ -81,4 +87,26 @@ public class SAMLKeyInfo { this.publicKey = publicKey; } + public boolean isAssertionSigned() { + return isAssertionSigned; + } + + public void setAssertionSigned(boolean isAssertionSigned) { + this.isAssertionSigned = isAssertionSigned; + } + public boolean isHolderOfKey() { + return isHolderOfKey; + } + + public void setHolderOfKey(boolean isHolderOfKey) { + this.isHolderOfKey = isHolderOfKey; + } + + public java.security.Principal getSamlPrincipal() { + return samlPrincipal; + } + + public void setSamlPrincipal(java.security.Principal samlPrincipal) { + this.samlPrincipal = samlPrincipal; + } } diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java index ef8e7722e..8e8470a5a 100644 --- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java +++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSSAMLKeyInfoProcessor.java @@ -31,7 +31,9 @@ import org.apache.wss4j.common.crypto.AlgorithmSuite; import org.apache.wss4j.common.crypto.AlgorithmSuiteValidator; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl; import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal; +import org.apache.wss4j.common.saml.OpenSAMLUtil; import org.apache.wss4j.common.saml.SAMLKeyInfo; import org.apache.wss4j.common.saml.SAMLKeyInfoProcessor; import org.apache.wss4j.common.saml.SAMLUtil; @@ -64,8 +66,8 @@ public class WSSSAMLKeyInfoProcessor implements SAMLKeyInfoProcessor { public SAMLKeyInfo processSAMLKeyInfoFromAssertionElement(Element assertionElement, RequestData data, Crypto userCrypto) throws WSSecurityException { - SamlAssertionWrapper assertion = new SamlAssertionWrapper(assertionElement); - return SAMLUtil.getCredentialFromSubject(assertion, this, data, userCrypto); + SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(assertionElement); + return processSAMLKeyInfoFromAssertion(samlAssertion, data, userCrypto); } public SAMLKeyInfo processSAMLKeyInfoFromSecurityTokenReference(SecurityTokenReference secRef, @@ -74,7 +76,27 @@ public class WSSSAMLKeyInfoProcessor implements SAMLKeyInfoProcessor { SamlAssertionWrapper samlAssertion = STRParserUtil.getAssertionFromKeyIdentifier(secRef, secRef.getElement(), data); STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion.getSaml2() != null, data.getBSPEnforcer()); - return SAMLUtil.getCredentialFromSubject(samlAssertion, new WSSSAMLKeyInfoProcessor(), data, data.getSigVerCrypto()); + return processSAMLKeyInfoFromAssertion(samlAssertion, data, data.getSigVerCrypto()); + } + + private SAMLKeyInfo processSAMLKeyInfoFromAssertion(SamlAssertionWrapper samlAssertion, + RequestData data, + Crypto crypto + ) throws WSSecurityException { + SAMLKeyInfo samlKeyInfo = + SAMLUtil.getCredentialFromSubject(samlAssertion, new WSSSAMLKeyInfoProcessor(), data, crypto); + + SAMLTokenPrincipalImpl samlPrincipal = new SAMLTokenPrincipalImpl(samlAssertion); + samlKeyInfo.setSamlPrincipal(samlPrincipal); + String confirmMethod = null; + List<String> methods = samlAssertion.getConfirmationMethods(); + if (methods != null && !methods.isEmpty()) { + confirmMethod = methods.get(0); + } + samlKeyInfo.setHolderOfKey(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)); + samlKeyInfo.setAssertionSigned(samlAssertion.isSigned()); + + return samlKeyInfo; } public SAMLKeyInfo processSAMLKeyInfo(Element keyInfoElement, RequestData data) throws WSSecurityException { diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java index 011456211..c5d3e3d4f 100644 --- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java +++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java @@ -36,7 +36,7 @@ import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl; import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal; import org.apache.wss4j.common.saml.OpenSAMLUtil; import org.apache.wss4j.common.saml.SAMLKeyInfo; -import org.apache.wss4j.common.saml.SAMLUtil; +import org.apache.wss4j.common.saml.SAMLKeyInfoProcessor; import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.common.token.BinarySecurity; import org.apache.wss4j.common.token.Reference; @@ -131,22 +131,19 @@ public class SignatureSTRParser implements STRParser { byte[] secretKey = STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, WSPasswordCallback.SECRET_KEY, data); if (secretKey == null || secretKey.length == 0) { - SamlAssertionWrapper samlAssertion = - STRParserUtil.getAssertionFromKeyIdentifier( - secRef, secRef.getElement(), data - ); - STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion.getSaml2() != null, data.getBSPEnforcer()); + SAMLKeyInfoProcessor keyInfoProcessor = new WSSSAMLKeyInfoProcessor(); + SAMLKeyInfo samlKi = keyInfoProcessor.processSAMLKeyInfoFromSecurityTokenReference(secRef, data); - SAMLKeyInfo samlKi = - SAMLUtil.getCredentialFromSubject(samlAssertion, - new WSSSAMLKeyInfoProcessor(), data, data.getSigVerCrypto()); X509Certificate[] foundCerts = samlKi.getCerts(); if (foundCerts != null && foundCerts.length > 0) { parserResult.setCerts(new X509Certificate[]{foundCerts[0]}); } secretKey = samlKi.getSecret(); parserResult.setPublicKey(samlKi.getPublicKey()); - parserResult.setPrincipal(createPrincipalFromSAML(samlAssertion, parserResult)); + parserResult.setPrincipal(samlKi.getSamlPrincipal()); + if (samlKi.isHolderOfKey() && samlKi.isAssertionSigned()) { + parserResult.setTrustedCredential(true); + } } parserResult.setSecretKey(secretKey); }