1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20 package org.apache.wss4j.dom.saml;
21
22 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
23 import org.apache.wss4j.common.util.SOAPUtil;
24 import org.apache.wss4j.dom.WSConstants;
25 import org.apache.wss4j.dom.WSDataRef;
26 import org.apache.wss4j.dom.common.KeystoreCallbackHandler;
27 import org.apache.wss4j.dom.common.SAML1CallbackHandler;
28 import org.apache.wss4j.dom.common.SAML2CallbackHandler;
29
30 import org.apache.wss4j.dom.engine.WSSConfig;
31 import org.apache.wss4j.dom.engine.WSSecurityEngine;
32 import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
33 import org.apache.wss4j.dom.handler.RequestData;
34 import org.apache.wss4j.dom.handler.WSHandlerResult;
35 import org.apache.wss4j.common.bsp.BSPRule;
36 import org.apache.wss4j.common.crypto.Crypto;
37 import org.apache.wss4j.common.crypto.CryptoFactory;
38 import org.apache.wss4j.common.crypto.CryptoType;
39 import org.apache.wss4j.common.crypto.Merlin;
40 import org.apache.wss4j.common.saml.SAMLCallback;
41 import org.apache.wss4j.common.saml.SAMLUtil;
42 import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
43 import org.apache.wss4j.common.saml.builder.SAML1Constants;
44 import org.apache.wss4j.common.saml.builder.SAML2Constants;
45 import org.apache.wss4j.common.util.Loader;
46 import org.apache.wss4j.common.util.XMLUtils;
47 import org.apache.wss4j.dom.message.WSSecHeader;
48 import org.apache.wss4j.dom.util.WSSecurityUtil;
49
50 import org.junit.jupiter.api.Test;
51 import org.w3c.dom.Document;
52 import org.w3c.dom.Element;
53
54 import javax.security.auth.callback.CallbackHandler;
55 import javax.xml.crypto.XMLStructure;
56 import javax.xml.crypto.dom.DOMCryptoContext;
57 import javax.xml.crypto.dom.DOMStructure;
58 import javax.xml.crypto.dsig.XMLSignatureFactory;
59 import javax.xml.crypto.dsig.keyinfo.KeyInfo;
60 import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
61 import javax.xml.crypto.dsig.keyinfo.KeyValue;
62 import javax.xml.crypto.dsig.keyinfo.X509Data;
63 import javax.xml.parsers.DocumentBuilder;
64 import javax.xml.parsers.DocumentBuilderFactory;
65
66 import java.io.InputStream;
67 import java.security.KeyStore;
68 import java.security.Principal;
69 import java.security.cert.X509Certificate;
70 import java.util.ArrayList;
71 import java.util.Arrays;
72 import java.util.Collections;
73 import java.util.List;
74
75 import static org.junit.jupiter.api.Assertions.assertEquals;
76 import static org.junit.jupiter.api.Assertions.assertFalse;
77 import static org.junit.jupiter.api.Assertions.assertNotNull;
78 import static org.junit.jupiter.api.Assertions.assertTrue;
79
80
81
82
83
84
85 public class SignedSamlTokenHOKTest {
86 private static final org.slf4j.Logger LOG =
87 org.slf4j.LoggerFactory.getLogger(SignedSamlTokenHOKTest.class);
88 private WSSecurityEngine secEngine = new WSSecurityEngine();
89 private CallbackHandler callbackHandler = new KeystoreCallbackHandler();
90 private Crypto trustCrypto;
91 private Crypto issuerCrypto;
92 private Crypto userCrypto = CryptoFactory.getInstance("wss40.properties");
93
94 public SignedSamlTokenHOKTest() throws Exception {
95 WSSConfig.init();
96
97 issuerCrypto = new Merlin();
98 KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
99 ClassLoader loader = Loader.getClassLoader(SignedSamlTokenHOKTest.class);
100 InputStream input = Merlin.loadInputStream(loader, "keys/wss40_server.jks");
101 keyStore.load(input, "security".toCharArray());
102 input.close();
103 ((Merlin)issuerCrypto).setKeyStore(keyStore);
104
105
106 trustCrypto = new Merlin();
107 KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
108 input = Merlin.loadInputStream(loader, "keys/wss40CA.jks");
109 trustStore.load(input, "security".toCharArray());
110 input.close();
111 ((Merlin)trustCrypto).setTrustStore(trustStore);
112 }
113
114
115
116
117 @Test
118 @SuppressWarnings("unchecked")
119 public void testSAML1AuthnAssertion() throws Exception {
120 SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
121 callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
122 callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
123 callbackHandler.setIssuer("www.example.com");
124
125 SAMLCallback samlCallback = new SAMLCallback();
126 SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
127 SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
128
129 samlAssertion.signAssertion("wss40_server", "security", issuerCrypto, false);
130
131 Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
132 WSSecHeader secHeader = new WSSecHeader(doc);
133 secHeader.insertSecurityHeader();
134
135 WSSecSignatureSAML wsSign = new WSSecSignatureSAML(secHeader);
136 wsSign.setUserInfo("wss40", "security");
137 wsSign.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
138 wsSign.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
139 wsSign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
140
141 Document signedDoc =
142 wsSign.build(userCrypto, samlAssertion, null, null, null);
143
144 String outputString =
145 XMLUtils.prettyDocumentToString(signedDoc);
146 if (LOG.isDebugEnabled()) {
147 LOG.debug("Signed SAML 1.1 Authn Assertion (key holder):");
148 LOG.debug(outputString);
149 }
150 assertTrue(outputString.contains("http://www.w3.org/2001/04/xmlenc#sha256"));
151 assertTrue(outputString.contains("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
152
153 WSHandlerResult results = verify(signedDoc, trustCrypto);
154
155
156 WSSecurityEngineResult actionResult =
157 results.getActionResults().get(WSConstants.ST_SIGNED).get(0);
158 SamlAssertionWrapper receivedSamlAssertion =
159 (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
160 assertNotNull(receivedSamlAssertion);
161 assertTrue(receivedSamlAssertion.isSigned());
162 assertNotNull(receivedSamlAssertion.getSignatureValue());
163
164
165 List<WSDataRef> refs =
166 (List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
167 assertTrue(refs.size() == 1);
168
169 WSDataRef wsDataRef = refs.get(0);
170 String xpath = wsDataRef.getXpath();
171 assertEquals("/SOAP-ENV:Envelope/SOAP-ENV:Header/wsse:Security/saml1:Assertion", xpath);
172
173
174 actionResult = results.getActionResults().get(WSConstants.SIGN).get(0);
175 assertNotNull(actionResult);
176 assertFalse(actionResult.isEmpty());
177 refs = (List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
178 assertTrue(refs.size() == 1);
179
180 wsDataRef = refs.get(0);
181 xpath = wsDataRef.getXpath();
182 assertEquals("/SOAP-ENV:Envelope/SOAP-ENV:Body", xpath);
183 }
184
185
186
187
188 @Test
189 public void testSAML1AttrAssertion() throws Exception {
190 SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
191 callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
192 callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
193 callbackHandler.setIssuer("www.example.com");
194
195 SAMLCallback samlCallback = new SAMLCallback();
196 SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
197 SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
198
199 samlAssertion.signAssertion("wss40_server", "security", issuerCrypto, false);
200 byte[] ephemeralKey = callbackHandler.getEphemeralKey();
201
202 Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
203 WSSecHeader secHeader = new WSSecHeader(doc);
204 secHeader.insertSecurityHeader();
205
206 WSSecSignatureSAML wsSign = new WSSecSignatureSAML(secHeader);
207 wsSign.setUserInfo("wss40", "security");
208 wsSign.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
209 wsSign.setSignatureAlgorithm(WSConstants.HMAC_SHA256);
210 wsSign.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
211 wsSign.setSecretKey(ephemeralKey);
212
213 Document signedDoc =
214 wsSign.build(userCrypto, samlAssertion, null, null, null);
215
216 String outputString =
217 XMLUtils.prettyDocumentToString(signedDoc);
218 if (LOG.isDebugEnabled()) {
219 LOG.debug("Signed SAML 1.1 Attr Assertion (key holder):");
220 LOG.debug(outputString);
221 }
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251 @Test
252 @SuppressWarnings("unchecked")
253 public void testSAML2AuthnAssertion() throws Exception {
254 SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
255 callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
256 callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
257 callbackHandler.setIssuer("www.example.com");
258
259 SAMLCallback samlCallback = new SAMLCallback();
260 SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
261 SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
262
263 samlAssertion.signAssertion("wss40_server", "security", issuerCrypto, false);
264
265 Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
266 WSSecHeader secHeader = new WSSecHeader(doc);
267 secHeader.insertSecurityHeader();
268
269 WSSecSignatureSAML wsSign = new WSSecSignatureSAML(secHeader);
270 wsSign.setUserInfo("wss40", "security");
271 wsSign.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
272 wsSign.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
273 wsSign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
274
275 Document signedDoc =
276 wsSign.build(userCrypto, samlAssertion, null, null, null);
277
278 String outputString =
279 XMLUtils.prettyDocumentToString(signedDoc);
280 if (LOG.isDebugEnabled()) {
281 LOG.debug("Signed SAML 2 Authn Assertion (key holder):");
282 LOG.debug(outputString);
283 }
284 assertTrue(outputString.contains("http://www.w3.org/2001/04/xmlenc#sha256"));
285 assertTrue(outputString.contains("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
286
287 WSHandlerResult results = verify(signedDoc, trustCrypto);
288
289
290 WSSecurityEngineResult actionResult =
291 results.getActionResults().get(WSConstants.ST_SIGNED).get(0);
292 SamlAssertionWrapper receivedSamlAssertion =
293 (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
294 assertNotNull(receivedSamlAssertion);
295 assertTrue(receivedSamlAssertion.isSigned());
296
297
298 actionResult = results.getActionResults().get(WSConstants.SIGN).get(0);
299 assertNotNull(actionResult);
300 assertFalse(actionResult.isEmpty());
301 final List<WSDataRef> refs =
302 (List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
303 assertTrue(refs.size() == 1);
304
305 WSDataRef wsDataRef = refs.get(0);
306 String xpath = wsDataRef.getXpath();
307 assertEquals("/SOAP-ENV:Envelope/SOAP-ENV:Body", xpath);
308 }
309
310
311
312
313 @Test
314 public void testSAML2AttrAssertion() throws Exception {
315 SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
316 callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
317 callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
318 callbackHandler.setIssuer("www.example.com");
319
320 SAMLCallback samlCallback = new SAMLCallback();
321 SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
322 SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
323
324 samlAssertion.signAssertion("wss40_server", "security", issuerCrypto, false);
325 byte[] ephemeralKey = callbackHandler.getEphemeralKey();
326
327 Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
328 WSSecHeader secHeader = new WSSecHeader(doc);
329 secHeader.insertSecurityHeader();
330
331 WSSecSignatureSAML wsSign = new WSSecSignatureSAML(secHeader);
332 wsSign.setUserInfo("wss40", "security");
333 wsSign.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
334 wsSign.setSignatureAlgorithm(WSConstants.HMAC_SHA256);
335 wsSign.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
336 wsSign.setSecretKey(ephemeralKey);
337
338 Document signedDoc =
339 wsSign.build(userCrypto, samlAssertion, null, null, null);
340
341 String outputString =
342 XMLUtils.prettyDocumentToString(signedDoc);
343 if (LOG.isDebugEnabled()) {
344 LOG.debug("Signed SAML 2 Attr Assertion (key holder):");
345 LOG.debug(outputString);
346 }
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377 @Test
378 @SuppressWarnings("unchecked")
379 public void testSAML1AuthnAssertionIssuerSerial() throws Exception {
380 SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
381 callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
382 callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
383 callbackHandler.setCertIdentifier(CERT_IDENTIFIER.X509_ISSUER_SERIAL);
384 callbackHandler.setIssuer("www.example.com");
385
386 SAMLCallback samlCallback = new SAMLCallback();
387 SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
388 SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
389
390 samlAssertion.signAssertion("wss40_server", "security", issuerCrypto, false);
391
392 Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
393 WSSecHeader secHeader = new WSSecHeader(doc);
394 secHeader.insertSecurityHeader();
395
396 WSSecSignatureSAML wsSign = new WSSecSignatureSAML(secHeader);
397 wsSign.setUserInfo("wss40", "security");
398 wsSign.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
399 wsSign.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
400 wsSign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
401
402 Document signedDoc =
403 wsSign.build(userCrypto, samlAssertion, null, null, null);
404
405 String outputString =
406 XMLUtils.prettyDocumentToString(signedDoc);
407 if (LOG.isDebugEnabled()) {
408 LOG.debug("SAML 1.1 Authn Assertion Issuer Serial (holder-of-key):");
409 LOG.debug(outputString);
410 }
411 assertTrue(outputString.contains("X509IssuerSerial"));
412
413 WSHandlerResult results = verify(signedDoc, userCrypto);
414 WSSecurityEngineResult actionResult =
415 results.getActionResults().get(WSConstants.ST_SIGNED).get(0);
416 SamlAssertionWrapper receivedSamlAssertion =
417 (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
418 assertNotNull(receivedSamlAssertion);
419 assertTrue(receivedSamlAssertion.isSigned());
420
421
422 actionResult = results.getActionResults().get(WSConstants.SIGN).get(0);
423 assertNotNull(actionResult);
424 assertFalse(actionResult.isEmpty());
425 final List<WSDataRef> refs =
426 (List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
427 assertTrue(refs.size() == 1);
428
429 WSDataRef wsDataRef = refs.get(0);
430 String xpath = wsDataRef.getXpath();
431 assertEquals("/SOAP-ENV:Envelope/SOAP-ENV:Body", xpath);
432 }
433
434
435
436
437
438 @Test
439 @SuppressWarnings("unchecked")
440 public void testSAML1AuthnAssertionKeyValue() throws Exception {
441 SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
442 callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
443 callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
444 callbackHandler.setCertIdentifier(CERT_IDENTIFIER.KEY_VALUE);
445 callbackHandler.setIssuer("www.example.com");
446
447 SAMLCallback samlCallback = new SAMLCallback();
448 SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
449 SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
450
451 samlAssertion.signAssertion("wss40_server", "security", issuerCrypto, false);
452
453 Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
454 WSSecHeader secHeader = new WSSecHeader(doc);
455 secHeader.insertSecurityHeader();
456
457 WSSecSignatureSAML wsSign = new WSSecSignatureSAML(secHeader);
458 wsSign.setUserInfo("wss40", "security");
459 wsSign.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
460 wsSign.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
461 wsSign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
462
463 Document signedDoc =
464 wsSign.build(userCrypto, samlAssertion, null, null, null);
465
466 String outputString =
467 XMLUtils.prettyDocumentToString(signedDoc);
468 if (LOG.isDebugEnabled()) {
469 LOG.debug("SAML 1.1 Authn Assertion Key Value (holder-of-key):");
470 LOG.debug(outputString);
471 }
472 assertTrue(outputString.contains("KeyValue"));
473
474 WSHandlerResult results = verify(signedDoc, userCrypto);
475 WSSecurityEngineResult actionResult =
476 results.getActionResults().get(WSConstants.ST_SIGNED).get(0);
477 SamlAssertionWrapper receivedSamlAssertion =
478 (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
479 assertNotNull(receivedSamlAssertion);
480 assert receivedSamlAssertion.isSigned();
481
482
483 actionResult = results.getActionResults().get(WSConstants.SIGN).get(0);
484 assertNotNull(actionResult);
485 assertFalse(actionResult.isEmpty());
486 final List<WSDataRef> refs =
487 (List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
488 assertTrue(refs.size() == 1);
489
490 WSDataRef wsDataRef = refs.get(0);
491 String xpath = wsDataRef.getXpath();
492 assertEquals("/SOAP-ENV:Envelope/SOAP-ENV:Body", xpath);
493 }
494
495
496
497
498
499 @Test
500 @SuppressWarnings("unchecked")
501 public void testSAML2AuthnAssertionKeyValue() throws Exception {
502 SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
503 callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
504 callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
505 callbackHandler.setCertIdentifier(CERT_IDENTIFIER.KEY_VALUE);
506 callbackHandler.setIssuer("www.example.com");
507
508 SAMLCallback samlCallback = new SAMLCallback();
509 SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
510 SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
511
512 samlAssertion.signAssertion("wss40_server", "security", issuerCrypto, false);
513
514 Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
515 WSSecHeader secHeader = new WSSecHeader(doc);
516 secHeader.insertSecurityHeader();
517
518 WSSecSignatureSAML wsSign = new WSSecSignatureSAML(secHeader);
519 wsSign.setUserInfo("wss40", "security");
520 wsSign.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
521 wsSign.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
522 wsSign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
523
524 Document signedDoc =
525 wsSign.build(userCrypto, samlAssertion, null, null, null);
526
527 String outputString =
528 XMLUtils.prettyDocumentToString(signedDoc);
529 if (LOG.isDebugEnabled()) {
530 LOG.debug("SAML 2 Authn Assertion Key Value (holder-of-key):");
531 LOG.debug(outputString);
532 }
533 assertTrue(outputString.contains("KeyValue"));
534
535 WSHandlerResult results = verify(signedDoc, userCrypto);
536 WSSecurityEngineResult actionResult =
537 results.getActionResults().get(WSConstants.ST_SIGNED).get(0);
538 SamlAssertionWrapper receivedSamlAssertion =
539 (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
540 assertNotNull(receivedSamlAssertion);
541 assertTrue(receivedSamlAssertion.isSigned());
542
543
544 actionResult = results.getActionResults().get(WSConstants.SIGN).get(0);
545 assertNotNull(actionResult);
546 assertFalse(actionResult.isEmpty());
547 final List<WSDataRef> refs =
548 (List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
549 assertTrue(refs.size() == 1);
550
551 WSDataRef wsDataRef = refs.get(0);
552 String xpath = wsDataRef.getXpath();
553 assertEquals("/SOAP-ENV:Envelope/SOAP-ENV:Body", xpath);
554 }
555
556
557
558
559
560
561 @Test
562 @SuppressWarnings("unchecked")
563 public void testSAML1AuthnAssertionTrust() throws Exception {
564 SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
565 callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
566 callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
567 callbackHandler.setIssuer("www.example.com");
568 Crypto crypto = CryptoFactory.getInstance("crypto.properties");
569 CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
570 cryptoType.setAlias("16c73ab6-b892-458f-abf5-2f875f74882e");
571 X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
572 callbackHandler.setCerts(certs);
573
574 SAMLCallback samlCallback = new SAMLCallback();
575 SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
576 SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
577
578 samlAssertion.signAssertion("wss40_server", "security", issuerCrypto, false);
579
580 Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
581 WSSecHeader secHeader = new WSSecHeader(doc);
582 secHeader.insertSecurityHeader();
583
584 WSSecSignatureSAML wsSign = new WSSecSignatureSAML(secHeader);
585 wsSign.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
586 wsSign.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
587 wsSign.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
588 wsSign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
589
590 Document signedDoc =
591 wsSign.build(crypto, samlAssertion, null, null, null);
592
593 String outputString =
594 XMLUtils.prettyDocumentToString(signedDoc);
595 if (LOG.isDebugEnabled()) {
596 LOG.debug("Signed SAML 1.1 Authn Assertion (key holder):");
597 LOG.debug(outputString);
598 }
599
600 WSHandlerResult results = verify(signedDoc, trustCrypto);
601
602
603 WSSecurityEngineResult actionResult =
604 results.getActionResults().get(WSConstants.ST_SIGNED).get(0);
605 SamlAssertionWrapper receivedSamlAssertion =
606 (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
607 assertNotNull(receivedSamlAssertion);
608 assertTrue(receivedSamlAssertion.isSigned());
609
610
611 actionResult = results.getActionResults().get(WSConstants.SIGN).get(0);
612 assertNotNull(actionResult);
613 assertFalse(actionResult.isEmpty());
614 final List<WSDataRef> refs =
615 (List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
616 assertTrue(refs.size() == 1);
617
618 WSDataRef wsDataRef = refs.get(0);
619 String xpath = wsDataRef.getXpath();
620 assertEquals("/SOAP-ENV:Envelope/SOAP-ENV:Body", xpath);
621 }
622
623 @Test
624 @org.junit.jupiter.api.Disabled
625 public void testSAML2Advice() throws Exception {
626
627 SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
628 callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
629 callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
630 callbackHandler.setIssuer("www.example.com");
631
632 SAMLCallback samlCallback = new SAMLCallback();
633 SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
634 SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
635
636 samlAssertion.signAssertion("wss40_server", "security", issuerCrypto, false);
637
638 Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
639 Element adviceElement = samlAssertion.toDOM(doc);
640
641
642 callbackHandler = new SAML2CallbackHandler();
643 callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
644 callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
645 callbackHandler.setIssuer("www.example.com");
646 callbackHandler.setAssertionAdviceElement(adviceElement);
647
648 samlCallback = new SAMLCallback();
649 SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
650 samlAssertion = new SamlAssertionWrapper(samlCallback);
651
652 samlAssertion.signAssertion("wss40_server", "security", issuerCrypto, false);
653
654 byte[] ephemeralKey = callbackHandler.getEphemeralKey();
655
656 WSSecHeader secHeader = new WSSecHeader(doc);
657 secHeader.insertSecurityHeader();
658
659 WSSecSignatureSAML wsSign = new WSSecSignatureSAML(secHeader);
660 wsSign.setUserInfo("wss40", "security");
661 wsSign.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
662 wsSign.setSignatureAlgorithm(WSConstants.HMAC_SHA256);
663 wsSign.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
664 wsSign.setSecretKey(ephemeralKey);
665
666 Document signedDoc =
667 wsSign.build(userCrypto, samlAssertion, null, null, null);
668
669 String outputString =
670 XMLUtils.prettyDocumentToString(signedDoc);
671 if (LOG.isDebugEnabled()) {
672 LOG.debug("Signed SAML 2 Attr Assertion (key holder):");
673 LOG.debug(outputString);
674 }
675 System.out.println(outputString);
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872 private WSHandlerResult verify(Document doc, Crypto sigCrypto) throws Exception {
873 WSHandlerResult results =
874 secEngine.processSecurityHeader(
875 doc, null, callbackHandler, sigCrypto, userCrypto
876 );
877 String outputString =
878 XMLUtils.prettyDocumentToString(doc);
879 assertTrue(outputString.indexOf("counter_port_type") > 0 ? true : false);
880 return results;
881 }
882
883 }