in ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java [327:442]
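/**
 * Resolves the token that a {@code SecurityTokenReference} points at and fills an
 * {@link STRParserResult} with what was found: the certificate chain (or just the leaf
 * certificate), the secret key, the principal and the reference type.
 *
 * <p>Four STR styles are handled: a direct {@code Reference} (BinarySecurityToken,
 * SAML 1.1/2.0 assertion or EncryptedKey), {@code X509Data}/{@code X509IssuerSerial},
 * a {@code KeyIdentifier} (EncryptedKeySHA1, SAML, or anything else via the BST key
 * identifier path); every other STR is rejected with {@code unsupportedKeyInfo}.
 *
 * @param secRef the parsed SecurityTokenReference
 * @param uri the reference URI; this method only passes it on to the STR utilities
 * @param parameters the STR element plus the per-request {@link RequestData}
 * @return the populated result, never {@code null}
 * @throws WSSecurityException if the STR is of an unsupported kind, if the referenced
 *         token cannot be resolved or processed, or if a referenced SAML assertion carries
 *         no subject key information
 */
private STRParserResult processSTR(
    SecurityTokenReference secRef,
    String uri,
    STRParserParameters parameters
) throws WSSecurityException {
    STRParserResult parserResult = new STRParserResult();
    RequestData data = parameters.getData();
    Element strElement = parameters.getStrElement();

    if (secRef.containsReference()) {
        processReferencedToken(secRef, uri, parameters, parserResult);
    } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
        parserResult.setReferenceType(REFERENCE_TYPE.ISSUER_SERIAL);
        Crypto crypto = data.getSigVerCrypto();
        setLeafCertificate(parserResult, secRef.getX509IssuerSerial(crypto));
    } else if (secRef.containsKeyIdentifier()) {
        processKeyIdentifierReference(secRef, data, parserResult);
    } else {
        throw new WSSecurityException(
            WSSecurityException.ErrorCode.INVALID_SECURITY,
            "unsupportedKeyInfo", new Object[] {strElement.toString()});
    }

    // getReferenceType() may return null for STR styles it does not classify; in that
    // case whatever the branch above already set (e.g. ISSUER_SERIAL) is kept.
    REFERENCE_TYPE referenceType = getReferenceType(secRef);
    if (referenceType != null) {
        parserResult.setReferenceType(referenceType);
    }
    return parserResult;
}

/**
 * Handles the direct {@code wsse:Reference} case: asks the CallbackHandler for a secret key
 * first and, failing that, locates the referenced element and processes it according to
 * its type (BST, SAML assertion or EncryptedKey).
 *
 * <p>If the referenced element is of a type not handled here, the result keeps the
 * (empty) secret key from the handler and a {@link CustomTokenPrincipal} built from the
 * URI — this mirrors the original behaviour and is not turned into an error.
 *
 * @param secRef the parsed SecurityTokenReference (must contain a Reference)
 * @param uri the reference URI
 * @param parameters the STR element plus the per-request data
 * @param parserResult the result to populate (certs, secret key, principal)
 * @throws WSSecurityException if the token cannot be resolved, fails BSP checks, or a
 *         SAML assertion carries no subject key information
 */
private void processReferencedToken(
    SecurityTokenReference secRef,
    String uri,
    STRParserParameters parameters,
    STRParserResult parserResult
) throws WSSecurityException {
    RequestData data = parameters.getData();
    WSDocInfo wsDocInfo = data.getWsDocInfo();
    Element strElement = parameters.getStrElement();
    Reference reference = secRef.getReference();
    String valueType = reference.getValueType();

    // Try asking the CallbackHandler for the secret key
    byte[] secretKey = STRParserUtil.getSecretKeyFromToken(
        uri, valueType, WSPasswordCallback.SECRET_KEY, data);
    Principal principal = new CustomTokenPrincipal(uri);

    if (secretKey == null || secretKey.length == 0) {
        // NOTE(review): the surrounding code dereferences the returned element without a
        // null check, so getTokenElement is presumed to throw when the token is missing.
        Element token = STRParserUtil.getTokenElement(
            strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler(), uri, valueType);
        QName el = new QName(token.getNamespaceURI(), token.getLocalName());

        if (el.equals(WSConstants.BINARY_TOKEN)) {
            Processor proc = data.getWssConfig().getProcessor(WSConstants.BINARY_TOKEN);
            List<WSSecurityEngineResult> bstResult = proc.handleToken(token, data);
            // The BST processor is relied on to return at least one result.
            WSSecurityEngineResult first = bstResult.get(0);
            BinarySecurity bstToken =
                (BinarySecurity)first.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            STRParserUtil.checkBinarySecurityBSPCompliance(secRef, bstToken, data.getBSPEnforcer());
            parserResult.setCerts(
                (X509Certificate[])first.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES));
            secretKey = (byte[])first.get(WSSecurityEngineResult.TAG_SECRET);
            principal = (Principal)first.get(WSSecurityEngineResult.TAG_PRINCIPAL);
        } else if (el.equals(WSConstants.SAML_TOKEN) || el.equals(WSConstants.SAML2_TOKEN)) {
            SamlAssertionWrapper samlAssertion =
                resolveReferencedSamlAssertion(token, strElement, uri, valueType, data);
            STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion, data.getBSPEnforcer());

            SAMLKeyInfo keyInfo = samlAssertion.getSubjectKeyInfo();
            if (keyInfo == null) {
                // An assertion without KeyInfo in its SubjectConfirmation (e.g. bearer) cannot
                // back a signature; report it as a SAML security failure instead of an NPE.
                throw new WSSecurityException(
                    WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
            setLeafCertificate(parserResult, keyInfo.getCerts());
            secretKey = keyInfo.getSecret();
            principal = createPrincipalFromSAML(samlAssertion, parserResult);
        } else if (el.equals(WSConstants.ENCRYPTED_KEY)) {
            STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
            Processor proc = data.getWssConfig().getProcessor(WSConstants.ENCRYPTED_KEY);
            List<WSSecurityEngineResult> encrResult = proc.handleToken(token, data);
            secretKey = (byte[])encrResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
            principal = new CustomTokenPrincipal(token.getAttributeNS(null, "Id"));
        }
    }

    parserResult.setSecretKey(secretKey);
    parserResult.setPrincipal(principal);
}

/**
 * Returns the SAML assertion behind a referenced SAML token element, either by reusing an
 * already-processed assertion (re-parsing only its subject) or by running the SAML token
 * processor on the element.
 *
 * @param token the referenced {@code saml:Assertion} / {@code saml2:Assertion} element
 * @param strElement the STR element, used to reach the owner document
 * @param uri the reference URI
 * @param valueType the Reference ValueType
 * @param data the per-request data
 * @return the assertion wrapper; taken from the processor's first result when freshly processed
 * @throws WSSecurityException if processing or subject parsing fails
 */
private SamlAssertionWrapper resolveReferencedSamlAssertion(
    Element token,
    Element strElement,
    String uri,
    String valueType,
    RequestData data
) throws WSSecurityException {
    Processor proc = data.getWssConfig().getProcessor(WSConstants.SAML_TOKEN);
    // Just check to see whether the token was processed or not
    Element processedToken = STRParserUtil.findProcessedTokenElement(
        strElement.getOwnerDocument(), data.getWsDocInfo(),
        data.getCallbackHandler(), uri, valueType);

    if (processedToken == null) {
        List<WSSecurityEngineResult> samlResult = proc.handleToken(token, data);
        return (SamlAssertionWrapper)samlResult.get(0).get(
            WSSecurityEngineResult.TAG_SAML_ASSERTION);
    }

    SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(processedToken);
    samlAssertion.parseSubject(new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto());
    return samlAssertion;
}

/**
 * Handles the {@code wsse:KeyIdentifier} case, dispatching on the identifier's ValueType:
 * EncryptedKeySHA1 (secret key from the CallbackHandler), SAML 1.1/2.0 key identifiers, or
 * anything else through the BST key identifier path.
 *
 * <p>The ValueType comparison is written null-safe so that a KeyIdentifier without a
 * ValueType falls through to {@code parseBSTKeyIdentifier} rather than failing with an NPE.
 *
 * @param secRef the parsed SecurityTokenReference (must contain a KeyIdentifier)
 * @param data the per-request data
 * @param parserResult the result to populate
 * @throws WSSecurityException if BSP checks or key identifier resolution fail
 */
private void processKeyIdentifierReference(
    SecurityTokenReference secRef,
    RequestData data,
    STRParserResult parserResult
) throws WSSecurityException {
    String kiValueType = secRef.getKeyIdentifierValueType();

    if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(kiValueType)) {
        STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
        String id = secRef.getKeyIdentifierValue();
        parserResult.setSecretKey(
            STRParserUtil.getSecretKeyFromToken(id, SecurityTokenReference.ENC_KEY_SHA1_URI,
                                                WSPasswordCallback.SECRET_KEY, data));
        parserResult.setPrincipal(new CustomTokenPrincipal(id));
    } else if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(kiValueType)
        || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(kiValueType)) {
        parseSAMLKeyIdentifier(secRef, data, parserResult);
    } else {
        Crypto crypto = data.getSigVerCrypto();
        parseBSTKeyIdentifier(secRef, crypto, data, parserResult);
    }
}

/**
 * Stores only the first certificate of {@code foundCerts} in the result; does nothing when
 * {@code foundCerts} is {@code null} or empty.
 *
 * @param parserResult the result to populate
 * @param foundCerts the certificates that were resolved, may be {@code null}
 */
private static void setLeafCertificate(STRParserResult parserResult, X509Certificate[] foundCerts) {
    if (foundCerts != null && foundCerts.length > 0) {
        parserResult.setCerts(new X509Certificate[] {foundCerts[0]});
    }
}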