Element token,
RequestData data,
Validator validator,
WSDocInfo docInfo
) throws WSSecurityException {
SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(token);
if (samlAssertion.isSigned()) {
// Check for compliance against the defined AlgorithmSuite
AlgorithmSuite algorithmSuite = data.getSamlAlgorithmSuite();
Signature sig = samlAssertion.getSignature();
KeyInfo keyInfo = sig.getKeyInfo();
if (keyInfo == null) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity",
"cannot get certificate or key"
);
}
SAMLKeyInfo samlKeyInfo =
SAMLUtil.getCredentialFromKeyInfo(
keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(data, docInfo), data.getSigVerCrypto()
);
if (algorithmSuite != null) {
AlgorithmSuiteValidator algorithmSuiteValidator = new
AlgorithmSuiteValidator(algorithmSuite);
PublicKey key = null;
if (samlKeyInfo.getCerts() != null && samlKeyInfo.getCerts()[0] != null) {
key = samlKeyInfo.getCerts()[0].getPublicKey();
} else if (samlKeyInfo.getPublicKey() != null) {
key = samlKeyInfo.getPublicKey();
} else {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity",
"cannot get certificate or key");
}
// Not checking signature here, just marshalling into an XMLSignature
// structure for testing the transform/digest algorithms etc.
XMLValidateContext context = new DOMValidateContext(key, sig.getDOM());
context.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
context.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
XMLSignature xmlSignature;
try {
xmlSignature = signatureFactory.unmarshalXMLSignature(context);
} catch (MarshalException ex) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILED_CHECK, "invalidSAMLsecurity",
ex, "cannot get certificate or key"
);
}
algorithmSuiteValidator.checkSignatureAlgorithms(xmlSignature);
algorithmSuiteValidator.checkAsymmetricKeyLength(key);
}
samlAssertion.verifySignature(samlKeyInfo);
}
// Parse the subject if it exists
samlAssertion.parseSubject(
new WSSSAMLKeyInfoProcessor(data, docInfo), data.getSigVerCrypto(),
data.getCallbackHandler()
);
// Now delegate the rest of the verification to the Validator