This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch coheigea/saml-refactor-new
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git

commit 402e49f257a3a6d4eae1c4adf1ffa75a60686e10
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Tue Jun 17 10:07:52 2025 +0100

    Moving transform package to ws-security-common
---
 .../transform/AttachmentCiphertextTransform.java   |   6 +-
 .../AttachmentCompleteSignatureTransform.java      |   6 +-
 ...tachmentCompleteSignatureTransformProvider.java |   4 +-
 .../AttachmentContentSignatureTransform.java       |   9 +-
 ...ttachmentContentSignatureTransformProvider.java |   4 +-
 .../AttachmentTransformParameterSpec.java          |   2 +-
 .../wss4j/common}/dom/transform/STRTransform.java  |  13 +-
 .../dom/transform/STRTransformProvider.java        |   4 +-
 .../common/dom/transform/STRTransformUtil.java     | 276 +++++++++++++++++++++
 .../org/apache/wss4j/dom/engine/WSSConfig.java     |   8 +-
 .../org/apache/wss4j/dom/message/WSSecDKSign.java  |   2 +-
 .../apache/wss4j/dom/message/WSSecSignature.java   |   2 +-
 .../wss4j/dom/message/WSSecSignatureBase.java      |   4 +-
 .../wss4j/dom/processor/SignatureProcessor.java    |   6 +-
 .../apache/wss4j/dom/saml/WSSecSignatureSAML.java  |   2 +-
 .../wss4j/dom/transform/STRTransformUtil.java      | 142 -----------
 16 files changed, 313 insertions(+), 177 deletions(-)

diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentCiphertextTransform.java
 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentCiphertextTransform.java
similarity index 92%
rename from 
ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentCiphertextTransform.java
rename to 
ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentCiphertextTransform.java
index 9145f6b03..23dbdd74d 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentCiphertextTransform.java
+++ 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentCiphertextTransform.java
@@ -16,14 +16,14 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.wss4j.dom.transform;
+package org.apache.wss4j.common.dom.transform;
 
 import java.io.IOException;
 import java.io.OutputStream;
 
 import javax.xml.parsers.ParserConfigurationException;
 
-import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.common.WSS4JConstants;
 import org.apache.xml.security.c14n.CanonicalizationException;
 import org.apache.xml.security.c14n.InvalidCanonicalizerException;
 import org.apache.xml.security.signature.XMLSignatureInput;
@@ -39,7 +39,7 @@ public class AttachmentCiphertextTransform extends 
TransformSpi {
 
     @Override
     protected String engineGetURI() {
-        return WSConstants.SWA_ATTACHMENT_CIPHERTEXT_TRANS;
+        return WSS4JConstants.SWA_ATTACHMENT_CIPHERTEXT_TRANS;
     }
 
     @Override
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentCompleteSignatureTransform.java
 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentCompleteSignatureTransform.java
similarity index 95%
rename from 
ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentCompleteSignatureTransform.java
rename to 
ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentCompleteSignatureTransform.java
index 861c44e2e..3b51b61b5 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentCompleteSignatureTransform.java
+++ 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentCompleteSignatureTransform.java
@@ -16,7 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.wss4j.dom.transform;
+package org.apache.wss4j.common.dom.transform;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -24,9 +24,9 @@ import java.io.IOException;
 import java.io.OutputStream;
 
 import org.apache.jcp.xml.dsig.internal.dom.ApacheOctetStreamData;
+import org.apache.wss4j.common.WSS4JConstants;
 import org.apache.wss4j.common.ext.Attachment;
 import org.apache.wss4j.common.util.AttachmentUtils;
-import org.apache.wss4j.dom.WSConstants;
 
 import javax.xml.crypto.Data;
 import javax.xml.crypto.OctetStreamData;
@@ -35,7 +35,7 @@ import javax.xml.crypto.dsig.TransformException;
 
 public class AttachmentCompleteSignatureTransform extends 
AttachmentContentSignatureTransform {
 
-    public static final String TRANSFORM_URI = 
WSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS;
+    public static final String TRANSFORM_URI = 
WSS4JConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS;
 
     @Override
     public Data transform(Data data, XMLCryptoContext context) throws 
TransformException {
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentCompleteSignatureTransformProvider.java
 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentCompleteSignatureTransformProvider.java
similarity index 90%
rename from 
ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentCompleteSignatureTransformProvider.java
rename to 
ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentCompleteSignatureTransformProvider.java
index a52d1d35d..f534f093a 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentCompleteSignatureTransformProvider.java
+++ 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentCompleteSignatureTransformProvider.java
@@ -16,7 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.wss4j.dom.transform;
+package org.apache.wss4j.common.dom.transform;
 
 import java.security.Provider;
 
@@ -28,7 +28,7 @@ public class AttachmentCompleteSignatureTransformProvider 
extends Provider {
         super("AttachmentCompleteSignatureTransform", "2.5", "Attachment 
Complete Signature Transform Provider");
         put(
                 "TransformService." + 
AttachmentCompleteSignatureTransform.TRANSFORM_URI,
-                
"org.apache.wss4j.dom.transform.AttachmentCompleteSignatureTransform"
+                
"org.apache.wss4j.common.dom.transform.AttachmentCompleteSignatureTransform"
         );
         put("TransformService." + 
AttachmentCompleteSignatureTransform.TRANSFORM_URI + " MechanismType", "DOM");
     }
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentContentSignatureTransform.java
 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentContentSignatureTransform.java
similarity index 97%
rename from 
ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentContentSignatureTransform.java
rename to 
ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentContentSignatureTransform.java
index 7c722f2b5..bad65bac6 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentContentSignatureTransform.java
+++ 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentContentSignatureTransform.java
@@ -16,16 +16,17 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.wss4j.dom.transform;
+package org.apache.wss4j.common.dom.transform;
 
 import org.apache.jcp.xml.dsig.internal.dom.ApacheOctetStreamData;
+import org.apache.wss4j.common.WSS4JConstants;
 import org.apache.wss4j.common.ext.Attachment;
 import org.apache.wss4j.common.ext.AttachmentRequestCallback;
 import org.apache.wss4j.common.ext.AttachmentResultCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.util.AttachmentUtils;
 import org.apache.wss4j.common.util.CRLFOutputStream;
-import org.apache.wss4j.dom.WSConstants;
+
 import org.apache.xml.security.c14n.CanonicalizationException;
 import org.apache.xml.security.c14n.Canonicalizer;
 import org.apache.xml.security.c14n.InvalidCanonicalizerException;
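Review bot: Replacing the `WSConstants` import with an empty `+` line leaves a stray blank line inside the import block, splitting the org.apache.wss4j imports from the org.apache.xml.security ones that followed them contiguously before the move; the STRTransform hunk does the same at its import block. Dropping the removed line outright instead of blanking it keeps the group contiguous.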
@@ -57,7 +58,7 @@ import java.util.List;
 
 public class AttachmentContentSignatureTransform extends TransformService {
 
-    public static final String TRANSFORM_URI = 
WSConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS;
+    public static final String TRANSFORM_URI = 
WSS4JConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS;
     public static final String ATTACHMENT_CALLBACKHANDLER = 
"AttachmentContentTransform.attachmentCallbackHandler";
 
     private AttachmentTransformParameterSpec attachmentTransformParameterSpec;
@@ -198,7 +199,7 @@ public class AttachmentContentSignatureTransform extends 
TransformService {
                  * supports context changes. The InclusiveNamespace PrefixList
                  * attribute SHOULD be empty or not present.
                  */
-                Canonicalizer canon = 
Canonicalizer.getInstance(WSConstants.C14N_EXCL_OMIT_COMMENTS);
+                Canonicalizer canon = 
Canonicalizer.getInstance(WSS4JConstants.C14N_EXCL_OMIT_COMMENTS);
 
                 XMLSignatureInput xmlSignatureInput = new 
XMLSignatureStreamInput(inputStream); //NOPMD
                 canon.canonicalizeXPathNodeSet(xmlSignatureInput.getNodeSet(), 
outputStream);
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentContentSignatureTransformProvider.java
 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentContentSignatureTransformProvider.java
similarity index 90%
rename from 
ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentContentSignatureTransformProvider.java
rename to 
ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentContentSignatureTransformProvider.java
index 4bdc898c1..8611781be 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentContentSignatureTransformProvider.java
+++ 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentContentSignatureTransformProvider.java
@@ -16,7 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.wss4j.dom.transform;
+package org.apache.wss4j.common.dom.transform;
 
 import java.security.Provider;
 
@@ -28,7 +28,7 @@ public class AttachmentContentSignatureTransformProvider 
extends Provider {
         super("AttachmentContentSignatureTransform", "2.5", "Attachment 
Content Signature Transform Provider");
         put(
                 "TransformService." + 
AttachmentContentSignatureTransform.TRANSFORM_URI,
-                
"org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform"
+                
"org.apache.wss4j.common.dom.transform.AttachmentContentSignatureTransform"
         );
         put("TransformService." + 
AttachmentContentSignatureTransform.TRANSFORM_URI + " MechanismType", "DOM");
     }
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentTransformParameterSpec.java
 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentTransformParameterSpec.java
similarity index 97%
rename from 
ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentTransformParameterSpec.java
rename to 
ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentTransformParameterSpec.java
index 0d23d596f..7ca1f0574 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/AttachmentTransformParameterSpec.java
+++ 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/AttachmentTransformParameterSpec.java
@@ -16,7 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.wss4j.dom.transform;
+package org.apache.wss4j.common.dom.transform;
 
 import org.apache.wss4j.common.ext.Attachment;
 
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/STRTransform.java
 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/STRTransform.java
similarity index 95%
rename from 
ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/STRTransform.java
rename to 
ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/STRTransform.java
index a1baa0881..52ddf166b 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/STRTransform.java
+++ 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/STRTransform.java
@@ -17,7 +17,7 @@
  * under the License.
  */
 
-package org.apache.wss4j.dom.transform;
+package org.apache.wss4j.common.dom.transform;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -37,12 +37,13 @@ import javax.xml.crypto.dsig.TransformException;
 import javax.xml.crypto.dsig.TransformService;
 import javax.xml.crypto.dsig.spec.TransformParameterSpec;
 
+import org.apache.wss4j.common.WSS4JConstants;
 import org.apache.wss4j.common.bsp.BSPEnforcer;
 import org.apache.wss4j.common.token.PKIPathSecurity;
 import org.apache.wss4j.common.token.SecurityTokenReference;
 import org.apache.wss4j.common.token.X509Security;
 import org.apache.wss4j.common.util.XMLUtils;
-import org.apache.wss4j.dom.WSConstants;
+
 import org.apache.wss4j.common.dom.WSDocInfo;
 import org.apache.xml.security.c14n.Canonicalizer;
 import org.apache.xml.security.signature.XMLSignatureInput;
@@ -134,12 +135,12 @@ public class STRTransform extends TransformService {
         //
         String canonAlgo = null;
         Element transformParams = XMLUtils.getDirectChildElement(
-            transformElement, "TransformationParameters", WSConstants.WSSE_NS
+            transformElement, "TransformationParameters", 
WSS4JConstants.WSSE_NS
         );
         if (transformParams != null) {
             Element canonElem =
                 XMLUtils.getDirectChildElement(
-                    transformParams, "CanonicalizationMethod", 
WSConstants.SIG_NS
+                    transformParams, "CanonicalizationMethod", 
WSS4JConstants.SIG_NS
                 );
             canonAlgo = canonElem.getAttributeNS(null, "Algorithm");
         }
@@ -202,10 +203,10 @@ public class STRTransform extends TransformService {
                     // Add the WSSE/WSU namespaces to the element for C14n
                     //
                     XMLUtils.setNamespace(
-                        dereferencedToken, WSConstants.WSSE_NS, 
WSConstants.WSSE_PREFIX
+                        dereferencedToken, WSS4JConstants.WSSE_NS, 
WSS4JConstants.WSSE_PREFIX
                     );
                     XMLUtils.setNamespace(
-                        dereferencedToken, WSConstants.WSU_NS, 
WSConstants.WSU_PREFIX
+                        dereferencedToken, WSS4JConstants.WSU_NS, 
WSS4JConstants.WSU_PREFIX
                     );
                 }
             }
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/STRTransformProvider.java
 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/STRTransformProvider.java
similarity index 92%
rename from 
ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/STRTransformProvider.java
rename to 
ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/STRTransformProvider.java
index f20cd7b19..115bbc518 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/STRTransformProvider.java
+++ 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/STRTransformProvider.java
@@ -17,7 +17,7 @@
  * under the License.
  */
 
-package org.apache.wss4j.dom.transform;
+package org.apache.wss4j.common.dom.transform;
 
 import java.security.Provider;
 
@@ -35,7 +35,7 @@ public class STRTransformProvider extends Provider {
        super("STRTransform", "2.5", "Security Token Reference Transform 
Provider");
        put(
            "TransformService." + STRTransform.TRANSFORM_URI,
-           "org.apache.wss4j.dom.transform.STRTransform"
+           "org.apache.wss4j.common.dom.transform.STRTransform"
        );
        put("TransformService." + STRTransform.TRANSFORM_URI + " 
MechanismType", "DOM");
    }
diff --git 
a/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/STRTransformUtil.java
 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/STRTransformUtil.java
new file mode 100644
index 000000000..10fcaeb7d
--- /dev/null
+++ 
b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/transform/STRTransformUtil.java
@@ -0,0 +1,276 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.dom.transform;
+
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.token.Reference;
+import org.apache.wss4j.common.token.SecurityTokenReference;
+import org.apache.wss4j.common.token.X509Security;
+import org.apache.wss4j.common.util.XMLUtils;
+import org.apache.wss4j.common.WSS4JConstants;
+import org.apache.wss4j.common.dom.WSDocInfo;
+import org.apache.wss4j.common.dom.callback.CallbackLookup;
+import org.apache.wss4j.common.dom.callback.DOMCallbackLookup;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Text;
+
+/**
+ * Utility class exposing the dereferencing LOG.c of the {@link STRTransform} 
implementation.
+ */
+public final class STRTransformUtil {
+    private static final org.slf4j.Logger LOG =
+        org.slf4j.LoggerFactory.getLogger(STRTransformUtil.class);
+
+    /**
+     * Retrieves the element representing the referenced content of a STR.
+     *
+     * @return the element representing the referenced content. The element is 
either
+     *         extracted from {@code doc} or a new element is created in the
+     *         case of a key identifier or issuer serial STR.  {@code null} if
+     *         {@code secRef} does not contain a direct reference, key 
identifier, or
+     *         issuer serial.
+     * @throws WSSecurityException
+     *             If an issuer serial or key identifier is used in the STR and
+     *             the certificate cannot be resolved from the crypto
+     *             configuration or if there is an error working with the 
resolved
+     *             cert
+     */
+    public static Element dereferenceSTR(Document doc,
+            SecurityTokenReference secRef, WSDocInfo wsDocInfo) throws 
WSSecurityException {
+        //
+        // First case: direct reference, according to chap 7.2 of OASIS WS
+        // specification (main document). Only in this case return a true
+        // reference to the BST or Assertion. Copying is done by the caller.
+        //
+        if (secRef.containsReference()) {
+            LOG.debug("STR: Reference");
+
+            Reference reference = secRef.getReference();
+            return getTokenElement(doc, wsDocInfo, null, reference.getURI(), 
reference.getValueType());
+        } else if (secRef.containsX509Data() || 
secRef.containsX509IssuerSerial()) {
+            //
+            // second case: IssuerSerial, lookup in keystore, wrap in BST 
according
+            // to specification
+            //
+            LOG.debug("STR: IssuerSerial");
+            X509Certificate[] certs =
+                secRef.getX509IssuerSerial(wsDocInfo.getCrypto());
+            if (certs == null || certs.length == 0 || certs[0] == null) {
+                throw new 
WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
+            }
+            return createBSTX509(doc, certs[0], secRef.getElement(), 
secRef.getKeyIdentifierEncodingType());
+        } else if (secRef.containsKeyIdentifier()) {
+            //
+            // third case: KeyIdentifier. For SKI, lookup in keystore, wrap in
+            // BST according to specification. Otherwise if it's a 
wsse:KeyIdentifier it could
+            // be a SAML assertion, so try and find the referenced element.
+            //
+            LOG.debug("STR: KeyIdentifier");
+            if 
(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())
+                || 
WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()))
 {
+                return getTokenElement(doc, wsDocInfo, null, 
secRef.getKeyIdentifierValue(),
+                                                     
secRef.getKeyIdentifierValueType());
+            } else {
+                X509Certificate[] certs = 
secRef.getKeyIdentifier(wsDocInfo.getCrypto());
+                if (certs == null || certs.length == 0 || certs[0] == null) {
+                    throw new 
WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
+                }
+                return createBSTX509(doc, certs[0], secRef.getElement());
+            }
+        }
+        return null;
+    }
+
+    public static Element createBSTX509(Document doc, X509Certificate cert, 
Element secRefE)
+        throws WSSecurityException {
+        return createBSTX509(doc, cert, secRefE, null);
+    }
+
+    public static Element createBSTX509(Document doc, X509Certificate cert, 
Element secRefE,
+                                        String secRefEncType)
+        throws WSSecurityException {
+        byte[] data;
+        try {
+            data = cert.getEncoded();
+        } catch (CertificateEncodingException e) {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e, 
"encodeError"
+            );
+        }
+        String prefix = XMLUtils.getPrefixNS(WSS4JConstants.WSSE_NS, secRefE);
+        if (prefix == null) {
+            prefix = WSS4JConstants.WSSE_PREFIX;
+        }
+        Element elem = doc.createElementNS(WSS4JConstants.WSSE_NS, prefix + 
":BinarySecurityToken");
+        XMLUtils.setNamespace(elem, WSS4JConstants.WSSE_NS, prefix);
+        // elem.setAttributeNS(WSConstants.XMLNS_NS, "xmlns", "");
+        elem.setAttributeNS(null, "ValueType", X509Security.X509_V3_TYPE);
+        if (secRefEncType != null) {
+            elem.setAttributeNS(null, "EncodingType", secRefEncType);
+        }
+        Text certText = 
doc.createTextNode(org.apache.xml.security.utils.XMLUtils.encodeToString(data));
 // no line wrap
+        elem.appendChild(certText);
+        return elem;
+    }
+
+    /**
+     * Hidden in utility class.
+     */
+    private STRTransformUtil() {
+    }
+
+    //
+    // TODO This was copied from STRParserUtil, remove once/if we copy that 
across to this module
+    //
+
+    private static Element getTokenElement(
+        Document doc, WSDocInfo docInfo, CallbackHandler cb,
+        String uri, String valueType
+    ) throws WSSecurityException {
+        LOG.debug("Token reference uri: {}", uri);
+        LOG.debug("Token reference ValueType: {}", valueType);
+
+        if (uri == null) {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.INVALID_SECURITY, 
"badReferenceURI"
+            );
+        }
+
+        Element tokElement =
+            findProcessedTokenElement(doc, docInfo, cb, uri, valueType);
+        if (tokElement == null) {
+            tokElement = findUnprocessedTokenElement(doc, docInfo, uri, 
valueType);
+        }
+
+        if (tokElement == null) {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE,
+                "noToken", new Object[] {uri});
+        }
+        return tokElement;
+    }
+
+    /**
+     * Find a token that has not been processed already - in other words, it 
searches for
+     * the element, rather than trying to access previous results to find the 
element
+     * @param doc Parent Document
+     * @param docInfo WSDocInfo instance
+     * @param uri URI of the element
+     * @param type Type of the element
+     * @return A DOM element
+     * @throws WSSecurityException
+     */
+    private static Element findUnprocessedTokenElement(
+        Document doc,
+        WSDocInfo docInfo,
+        String uri,
+        String type
+    ) throws WSSecurityException {
+        String id = XMLUtils.getIDFromReference(uri);
+        //
+        // Delegate finding the element to the CallbackLookup instance
+        //
+        CallbackLookup callbackLookup = null;
+        if (docInfo != null) {
+            callbackLookup = docInfo.getCallbackLookup();
+        }
+        if (callbackLookup == null) {
+            callbackLookup = new DOMCallbackLookup(doc);
+        }
+        return callbackLookup.getElement(id, type, true);
+    }
+
+    /**
+     * Find a token that has been processed already - in other words, it 
access previous
+     * results to find the element, rather than conducting a general search
+     * @param doc Parent Document
+     * @param docInfo WSDocInfo instance
+     * @param cb CallbackHandler instance
+     * @param uri URI of the element
+     * @param type Type of the element
+     * @return A DOM element
+     * @throws WSSecurityException
+     */
+    private static Element findProcessedTokenElement(
+        Document doc,
+        WSDocInfo docInfo,
+        CallbackHandler cb,
+        String uri,
+        String type
+    ) throws WSSecurityException {
+        String id = XMLUtils.getIDFromReference(uri);
+        //
+        // Try to find it from the WSDocInfo instance first
+        //
+        if (docInfo != null) {
+            Element token = docInfo.getTokenElement(id);
+            if (token != null) {
+                return token;
+            }
+        }
+
+        //
+        // Try to find a custom token
+        //
+        if (cb != null && (WSS4JConstants.WSC_SCT.equals(type)
+            || WSS4JConstants.WSC_SCT_05_12.equals(type)
+            || WSS4JConstants.WSS_SAML_KI_VALUE_TYPE.equals(type)
+            || WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE.equals(type)
+            || isKerberosToken(type))) {
+            //try to find a custom token
+            WSPasswordCallback pwcb =
+                new WSPasswordCallback(id, WSPasswordCallback.CUSTOM_TOKEN);
+            try {
+                cb.handle(new Callback[]{pwcb});
+                Element assertionElem = pwcb.getCustomToken();
+                if (assertionElem != null) {
+                    return (Element)doc.importNode(assertionElem, true);
+                }
+            } catch (Exception e) {
+                LOG.debug(e.getMessage(), e);
+                // Consume this failure
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Return true if the valueType represents a Kerberos Token
+     * @param valueType the valueType of the token
+     * @return true if the valueType represents a Kerberos Token
+     */
+    private static boolean isKerberosToken(String valueType) {
+        return WSS4JConstants.WSS_KRB_V5_AP_REQ.equals(valueType)
+            || WSS4JConstants.WSS_GSS_KRB_V5_AP_REQ.equals(valueType)
+            || WSS4JConstants.WSS_KRB_V5_AP_REQ1510.equals(valueType)
+            || WSS4JConstants.WSS_GSS_KRB_V5_AP_REQ1510.equals(valueType)
+            || WSS4JConstants.WSS_KRB_V5_AP_REQ4120.equals(valueType)
+            || WSS4JConstants.WSS_GSS_KRB_V5_AP_REQ4120.equals(valueType);
+    }
+}
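Review bot: The CallbackHandler path in findProcessedTokenElement (the `cb != null` custom-token block, including its broad `catch (Exception e)` that only debug-logs the failure) is unreachable in this class: getTokenElement is private and both call sites in dereferenceSTR pass `null` for that argument. Since the TODO above getTokenElement says this was copied from STRParserUtil, either drop the `cb` parameter and that block here, or add a comment stating it is kept only to stay in sync with the original. The class Javadoc also carries a search-and-replace artifact, `LOG.c` for "logic", and should read `Utility class exposing the dereferencing logic of the {@link STRTransform} implementation.`. The commented-out line `// elem.setAttributeNS(WSConstants.XMLNS_NS, "xmlns", "");` in createBSTX509 still names the class this commit moves away from and can go. dereferenceSTR's Javadoc documents the return and the exception but none of its parameters; `@param doc`, `@param secRef` and `@param wsDocInfo` lines would complete it.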
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/engine/WSSConfig.java 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/engine/WSSConfig.java
index 1d613ecc7..01a99f29e 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/engine/WSSConfig.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/engine/WSSConfig.java
@@ -38,9 +38,9 @@ import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.util.WSCurrentTimeSource;
 import org.apache.wss4j.common.util.WSTimeSource;
 import org.apache.wss4j.dom.processor.Processor;
-import org.apache.wss4j.dom.transform.AttachmentCiphertextTransform;
-import 
org.apache.wss4j.dom.transform.AttachmentCompleteSignatureTransformProvider;
-import 
org.apache.wss4j.dom.transform.AttachmentContentSignatureTransformProvider;
+import org.apache.wss4j.common.dom.transform.AttachmentCiphertextTransform;
+import 
org.apache.wss4j.common.dom.transform.AttachmentCompleteSignatureTransformProvider;
+import 
org.apache.wss4j.common.dom.transform.AttachmentContentSignatureTransformProvider;
 import org.apache.wss4j.dom.validate.Validator;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
 import org.apache.xml.security.transforms.Transform;
@@ -321,7 +321,7 @@ public final class WSSConfig {
                         Security.removeProvider("STRTransform");
                         WSProviderConfig.appendJceProvider(
                             "STRTransform",
-                            new 
org.apache.wss4j.dom.transform.STRTransformProvider()
+                            new 
org.apache.wss4j.common.dom.transform.STRTransformProvider()
                         );
 
                         
Security.removeProvider("AttachmentContentSignatureTransform");
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDKSign.java 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDKSign.java
index 2ae87bc4d..1fd93c1c4 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDKSign.java
+++ 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDKSign.java
@@ -49,7 +49,7 @@ import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.common.dom.WSDocInfo;
-import org.apache.wss4j.dom.transform.STRTransform;
+import org.apache.wss4j.common.dom.transform.STRTransform;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 
 /**
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
index 1f87cd6e0..a38040f4a 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
+++ 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
@@ -62,7 +62,7 @@ import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.common.dom.WSDocInfo;
 import org.apache.wss4j.dom.message.token.KerberosSecurity;
-import org.apache.wss4j.dom.transform.STRTransform;
+import org.apache.wss4j.common.dom.transform.STRTransform;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignatureBase.java
 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignatureBase.java
index 7e103c64f..bec82b1d2 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignatureBase.java
+++ 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignatureBase.java
@@ -44,8 +44,8 @@ import org.apache.wss4j.common.util.AttachmentUtils;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.common.dom.WSDocInfo;
-import org.apache.wss4j.dom.transform.AttachmentTransformParameterSpec;
-import org.apache.wss4j.dom.transform.STRTransform;
+import org.apache.wss4j.common.dom.transform.AttachmentTransformParameterSpec;
+import org.apache.wss4j.common.dom.transform.STRTransform;
 import org.apache.wss4j.dom.util.SignatureUtils;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.w3c.dom.Document;
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
index ee0c5a73a..1ca301577 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
+++ 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
@@ -73,9 +73,9 @@ import org.apache.wss4j.dom.str.STRParser.REFERENCE_TYPE;
 import org.apache.wss4j.dom.str.STRParserParameters;
 import org.apache.wss4j.dom.str.STRParserResult;
 import org.apache.wss4j.dom.str.SignatureSTRParser;
-import org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform;
-import org.apache.wss4j.dom.transform.STRTransform;
-import org.apache.wss4j.dom.transform.STRTransformUtil;
+import 
org.apache.wss4j.common.dom.transform.AttachmentContentSignatureTransform;
+import org.apache.wss4j.common.dom.transform.STRTransform;
+import org.apache.wss4j.common.dom.transform.STRTransformUtil;
 import org.apache.wss4j.dom.util.EncryptionUtils;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.dom.util.X509Util;
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSecSignatureSAML.java
 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSecSignatureSAML.java
index f735bc1f8..f87864ab7 100644
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSecSignatureSAML.java
+++ 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSecSignatureSAML.java
@@ -52,7 +52,7 @@ import org.apache.wss4j.common.dom.WSDocInfo;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.message.WSSecHeader;
 import org.apache.wss4j.dom.message.WSSecSignature;
-import org.apache.wss4j.dom.transform.STRTransform;
+import org.apache.wss4j.common.dom.transform.STRTransform;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
diff --git 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/STRTransformUtil.java
 
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/STRTransformUtil.java
deleted file mode 100644
index ae1d7b0b7..000000000
--- 
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/transform/STRTransformUtil.java
+++ /dev/null
@@ -1,142 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.wss4j.dom.transform;
-
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.X509Certificate;
-
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.token.Reference;
-import org.apache.wss4j.common.token.SecurityTokenReference;
-import org.apache.wss4j.common.token.X509Security;
-import org.apache.wss4j.common.util.XMLUtils;
-import org.apache.wss4j.dom.WSConstants;
-import org.apache.wss4j.common.dom.WSDocInfo;
-import org.apache.wss4j.dom.str.STRParserUtil;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Text;
-
-/**
- * Utility class exposing the dereferencing LOG.c of the {@link STRTransform} 
implementation.
- */
-public final class STRTransformUtil {
-    private static final org.slf4j.Logger LOG =
-        org.slf4j.LoggerFactory.getLogger(STRTransformUtil.class);
-
-    /**
-     * Retrieves the element representing the referenced content of a STR.
-     *
-     * @return the element representing the referenced content. The element is 
either
-     *         extracted from {@code doc} or a new element is created in the
-     *         case of a key identifier or issuer serial STR.  {@code null} if
-     *         {@code secRef} does not contain a direct reference, key 
identifier, or
-     *         issuer serial.
-     * @throws WSSecurityException
-     *             If an issuer serial or key identifier is used in the STR and
-     *             the certificate cannot be resolved from the crypto
-     *             configuration or if there is an error working with the 
resolved
-     *             cert
-     */
-    public static Element dereferenceSTR(Document doc,
-            SecurityTokenReference secRef, WSDocInfo wsDocInfo) throws 
WSSecurityException {
-        //
-        // First case: direct reference, according to chap 7.2 of OASIS WS
-        // specification (main document). Only in this case return a true
-        // reference to the BST or Assertion. Copying is done by the caller.
-        //
-        if (secRef.containsReference()) {
-            LOG.debug("STR: Reference");
-
-            Reference reference = secRef.getReference();
-            return STRParserUtil.getTokenElement(doc, wsDocInfo, null, 
reference.getURI(), reference.getValueType());
-        } else if (secRef.containsX509Data() || 
secRef.containsX509IssuerSerial()) {
-            //
-            // second case: IssuerSerial, lookup in keystore, wrap in BST 
according
-            // to specification
-            //
-            LOG.debug("STR: IssuerSerial");
-            X509Certificate[] certs =
-                secRef.getX509IssuerSerial(wsDocInfo.getCrypto());
-            if (certs == null || certs.length == 0 || certs[0] == null) {
-                throw new 
WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
-            }
-            return createBSTX509(doc, certs[0], secRef.getElement(), 
secRef.getKeyIdentifierEncodingType());
-        } else if (secRef.containsKeyIdentifier()) {
-            //
-            // third case: KeyIdentifier. For SKI, lookup in keystore, wrap in
-            // BST according to specification. Otherwise if it's a 
wsse:KeyIdentifier it could
-            // be a SAML assertion, so try and find the referenced element.
-            //
-            LOG.debug("STR: KeyIdentifier");
-            if 
(WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())
-                || 
WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) 
{
-                return STRParserUtil.getTokenElement(doc, wsDocInfo, null, 
secRef.getKeyIdentifierValue(),
-                                                     
secRef.getKeyIdentifierValueType());
-            } else {
-                X509Certificate[] certs = 
secRef.getKeyIdentifier(wsDocInfo.getCrypto());
-                if (certs == null || certs.length == 0 || certs[0] == null) {
-                    throw new 
WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
-                }
-                return createBSTX509(doc, certs[0], secRef.getElement());
-            }
-        }
-        return null;
-    }
-
-    public static Element createBSTX509(Document doc, X509Certificate cert, 
Element secRefE)
-        throws WSSecurityException {
-        return createBSTX509(doc, cert, secRefE, null);
-    }
-
-    public static Element createBSTX509(Document doc, X509Certificate cert, 
Element secRefE,
-                                        String secRefEncType)
-        throws WSSecurityException {
-        byte[] data;
-        try {
-            data = cert.getEncoded();
-        } catch (CertificateEncodingException e) {
-            throw new WSSecurityException(
-                WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e, 
"encodeError"
-            );
-        }
-        String prefix = XMLUtils.getPrefixNS(WSConstants.WSSE_NS, secRefE);
-        if (prefix == null) {
-            prefix = WSConstants.WSSE_PREFIX;
-        }
-        Element elem = doc.createElementNS(WSConstants.WSSE_NS, prefix + 
":BinarySecurityToken");
-        XMLUtils.setNamespace(elem, WSConstants.WSSE_NS, prefix);
-        // elem.setAttributeNS(WSConstants.XMLNS_NS, "xmlns", "");
-        elem.setAttributeNS(null, "ValueType", X509Security.X509_V3_TYPE);
-        if (secRefEncType != null) {
-            elem.setAttributeNS(null, "EncodingType", secRefEncType);
-        }
-        Text certText = 
doc.createTextNode(org.apache.xml.security.utils.XMLUtils.encodeToString(data));
 // no line wrap
-        elem.appendChild(certText);
-        return elem;
-    }
-
-    /**
-     * Hidden in utility class.
-     */
-    private STRTransformUtil() {
-    }
-
-}

