/**
    * Licensed to the Apache Software Foundation (ASF) under one
    * or more contributor license agreements. See the NOTICE file
    * distributed with this work for additional information
    * regarding copyright ownership. The ASF licenses this file
    * to you under the Apache License, Version 2.0 (the
    * "License"); you may not use this file except in compliance
    * with the License. You may obtain a copy of the License at
    *
   * http://www.apache.org/licenses/LICENSE-2.0
   *
   * Unless required by applicable law or agreed to in writing,
   * software distributed under the License is distributed on an
   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
   * KIND, either express or implied. See the License for the
   * specific language governing permissions and limitations
   * under the License.
   */
  
  package org.apache.ws.security.saml.ext;
  
  import org.apache.ws.security.WSDocInfo;
  import org.apache.ws.security.WSSecurityException;
  import org.apache.ws.security.components.crypto.Crypto;
  import org.apache.ws.security.components.crypto.CryptoType;
  import org.apache.ws.security.handler.RequestData;
  import org.apache.ws.security.saml.SAMLKeyInfo;
  import org.apache.ws.security.saml.SAMLUtil;
  import org.apache.ws.security.saml.ext.builder.SAML1ComponentBuilder;
  import org.apache.ws.security.saml.ext.builder.SAML2ComponentBuilder;
  
  import org.apache.ws.security.util.DOM2Writer;
  import org.apache.ws.security.util.UUIDGenerator;
  import org.apache.xml.security.exceptions.XMLSecurityException;
  import org.apache.xml.security.signature.XMLSignature;
  import org.apache.xml.security.signature.XMLSignatureException;
  
  import org.opensaml.common.SAMLVersion;
  import org.opensaml.common.SignableSAMLObject;
  import org.opensaml.saml1.core.AttributeStatement;
  import org.opensaml.saml1.core.AuthenticationStatement;
  import org.opensaml.saml1.core.AuthorizationDecisionStatement;
  import org.opensaml.saml1.core.ConfirmationMethod;
  import org.opensaml.saml1.core.Subject;
  import org.opensaml.saml1.core.SubjectConfirmation;
  import org.opensaml.saml1.core.SubjectStatement;
  import org.opensaml.saml2.core.AuthnStatement;
  import org.opensaml.saml2.core.AuthzDecisionStatement;
  import org.opensaml.saml2.core.Issuer;
  import org.opensaml.security.SAMLSignatureProfileValidator;
  import org.opensaml.xml.XMLObject;
  import org.opensaml.xml.security.x509.BasicX509Credential;
  import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
  import org.opensaml.xml.signature.KeyInfo;
  import org.opensaml.xml.signature.Signature;
  import org.opensaml.xml.signature.SignatureConstants;
  import org.opensaml.xml.signature.SignatureValidator;
  import org.opensaml.xml.validation.ValidationException;
  
  import org.w3c.dom.Document;
  import org.w3c.dom.Element;
  
  import javax.security.auth.callback.CallbackHandler;
  import javax.security.auth.callback.UnsupportedCallbackException;
  
  import java.io.IOException;
  import java.security.PrivateKey;
  import java.security.cert.X509Certificate;
  import java.util.ArrayList;
  import java.util.List;
  
  /**
   * Class AssertionWrapper can generate, sign, and validate both SAML v1.1
   * and SAML v2.0 assertions.
   * <p/>
   * Created on May 18, 2009
   */
  public class AssertionWrapper {
      /**
       * Field log
       */
      private static final org.apache.commons.logging.Log LOG = 
          org.apache.commons.logging.LogFactory.getLog(AssertionWrapper.class);
  
      /**
       * Raw SAML assertion data
       */
      private XMLObject xmlObject = null;
  
      /**
       * Typed SAML v1.1 assertion
       */
      private org.opensaml.saml1.core.Assertion saml1 = null;
  
      /**
       * Typed SAML v2.0 assertion
       */
      private org.opensaml.saml2.core.Assertion saml2 = null;
  
     /**
      * Which SAML specification to use (currently, only v1.1 and v2.0 are supported)
      */
     private SAMLVersion samlVersion;
 
     /**
      * Fully qualified class name of the SAML callback handler implementation to use.
      * NOTE: Each application should provide a unique implementation of this 
      * <code>CallbackHandler</code> that is able to extract any dynamic data from the
      * local environment that should be included in the generated SAML statements.
      */
     private CallbackHandler samlCallbackHandler = null;
     
     /**
      * The Assertion as a DOM element
      */
     private Element assertionElement;
     
     /**
      * The SAMLKeyInfo object associated with the Subject KeyInfo
      */
     private SAMLKeyInfo subjectKeyInfo;
     
     /**
      * The SAMLKeyInfo object associated with the Signature on the Assertion
      */
     private SAMLKeyInfo signatureKeyInfo;
 
     /**
      * Default Canonicalization algorithm used for signing.
      */
     private final String defaultCanonicalizationAlgorithm = SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS;
 
     /**
      * Default RSA Signature algorithm used for signing.
      */
     private final String defaultRSASignatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
 
     /**
      * Default DSA Signature algorithm used for signing.
      */
     private final String defaultDSASignatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
     
     /**
      * Whether this object was instantiated with a DOM Element or an XMLObject initially
      */
     private final boolean fromDOM;
     
     /**
      * Constructor AssertionWrapper creates a new AssertionWrapper instance.
      *
      * @param element of type Element
      * @throws UnmarshallingException when
      */
     public AssertionWrapper(Element element) throws WSSecurityException {
         OpenSAMLUtil.initSamlEngine();
         
         parseElement(element);
         fromDOM = true;
     }
 
     /**
      * Constructor AssertionWrapper creates a new AssertionWrapper instance.
      *
      * @param saml2 of type Assertion
      */
     public AssertionWrapper(org.opensaml.saml2.core.Assertion saml2) {
         this((XMLObject)saml2);
     }
 
     /**
      * Constructor AssertionWrapper creates a new AssertionWrapper instance.
      *
      * @param saml1 of type Assertion
      */
     public AssertionWrapper(org.opensaml.saml1.core.Assertion saml1) {
         this((XMLObject)saml1);
     }
 
     /**
      * Constructor AssertionWrapper creates a new AssertionWrapper instance.
      * This is the primary constructor.  All other constructor calls should
      * be routed to this method to ensure that the wrapper is initialized
      * correctly.
      *
      * @param xmlObject of type XMLObject
      */
     public AssertionWrapper(XMLObject xmlObject) {
         OpenSAMLUtil.initSamlEngine();
         
         this.xmlObject = xmlObject;
         if (xmlObject instanceof org.opensaml.saml1.core.Assertion) {
             this.saml1 = (org.opensaml.saml1.core.Assertion) xmlObject;
             samlVersion = SAMLVersion.VERSION_11;
         } else if (xmlObject instanceof org.opensaml.saml2.core.Assertion) {
             this.saml2 = (org.opensaml.saml2.core.Assertion) xmlObject;
             samlVersion = SAMLVersion.VERSION_20;
         } else {
             LOG.error(
                 "AssertionWrapper: found unexpected type " 
                 + (xmlObject != null ? xmlObject.getClass().getName() : null)
             );
         }
         fromDOM = false;
     }
 
     /**
      * Constructor AssertionWrapper creates a new AssertionWrapper instance.
      * This constructor is primarily called on the client side to initialize
      * the wrapper from a configuration file. <br>
      *
      * @param parms of type SAMLParms
      */
     public AssertionWrapper(SAMLParms parms) throws WSSecurityException {
         OpenSAMLUtil.initSamlEngine();
         
         //
         // Create the SAML callback that the handler will use to get the required data from the 
         // client application.
         //
         SAMLCallback[] samlCallbacks = new SAMLCallback[] { new SAMLCallback() };
 
         try {
             // Get the SAML source data using the currently configured callback implementation.
             samlCallbackHandler = parms.getCallbackHandler();
             samlCallbackHandler.handle(samlCallbacks);
         } catch (IOException e) {
             throw new IllegalStateException(
                 "IOException while creating SAML assertion wrapper", e
             );
         } catch (UnsupportedCallbackException e) {
             throw new IllegalStateException(
                 "UnsupportedCallbackException while creating SAML assertion wrapper", e
             );
         }
         
         // See if we already have a DOM element in SAMLCallback
         if (samlCallbacks[0].getAssertionElement() != null) {
             parseElement(samlCallbacks[0].getAssertionElement());
             fromDOM = true;
         } else {
             // If not then parse the SAMLCallback object
             parseCallback(samlCallbacks[0], parms);
             fromDOM = false;
         }
     }
 
     /**
      * Method getSaml1 returns the saml1 of this AssertionWrapper object.
      *
      * @return the saml1 (type Assertion) of this AssertionWrapper object.
      */
     public org.opensaml.saml1.core.Assertion getSaml1() {
         return saml1;
     }
 
     /**
      * Method getSaml2 returns the saml2 of this AssertionWrapper object.
      *
      * @return the saml2 (type Assertion) of this AssertionWrapper object.
      */
     public org.opensaml.saml2.core.Assertion getSaml2() {
         return saml2;
     }
 
     /**
      * Method getXmlObject returns the xmlObject of this AssertionWrapper object.
      *
      * @return the xmlObject (type XMLObject) of this AssertionWrapper object.
      */
     public XMLObject getXmlObject() {
         return xmlObject;
     }
 
     /**
      * Method isCreated returns the created of this AssertionWrapper object.
      *
      * @return the created (type boolean) of this AssertionWrapper object.
      */
     public boolean isCreated() {
         return saml1 != null || saml2 != null;
     }
 
 
     /**
      * Create a DOM from the current XMLObject content. If the user-supplied doc is not null,
      * reparent the returned Element so that it is compatible with the user-supplied document.
      *
      * @param doc of type Document
      * @return Element
      */
     public Element toDOM(Document doc) throws WSSecurityException {
         if (fromDOM && assertionElement != null) {
             parseElement(assertionElement);
             if (doc != null) {
                 return (Element)doc.importNode(assertionElement, true);
             }
             return assertionElement;
         }
         assertionElement = OpenSAMLUtil.toDom(xmlObject, doc);
         return assertionElement;
     }
 
     /**
      * Method assertionToString ...
      *
      * @return String
      */
     public String assertionToString() throws WSSecurityException {
         if (assertionElement == null) {
             Element element = toDOM(null);
             return DOM2Writer.nodeToString(element);
         }
         return DOM2Writer.nodeToString(assertionElement);
     }
 
     /**
      * Method getId returns the id of this AssertionWrapper object.
      *
      * @return the id (type String) of this AssertionWrapper object.
      */
     public String getId() {
         String id = null;
         if (saml2 != null) {
             id = saml2.getID();
         } else if (saml1 != null) {
             id = saml1.getID();
         } else {
             LOG.error("AssertionWrapper: unable to return ID - no saml assertion object");
         }
         if (id == null || id.length() == 0) {
             LOG.error("AssertionWrapper: ID was null, seeting a new ID value");
             id = "_" + UUIDGenerator.getUUID();
             if (saml2 != null) {
                 saml2.setID(id);
             } else if (saml1 != null) {
                 saml1.setID(id);
             }
         }
         return id;
     }
 
     /**
      * Method getIssuerString returns the issuerString of this AssertionWrapper object.
      *
      * @return the issuerString (type String) of this AssertionWrapper object.
      */
     public String getIssuerString() {
         if (saml2 != null && saml2.getIssuer() != null) {
             return saml2.getIssuer().getValue();
         } else if (saml1 != null) {
             return saml1.getIssuer();
         }
         LOG.error(
             "AssertionWrapper: unable to return Issuer string - no saml assertion "
             + "object or issuer is null"
         );
         return null;
     }
 
     /**
      * Method getConfirmationMethods returns the confirmationMethods of this 
      * AssertionWrapper object.
      *
      * @return the confirmationMethods of this AssertionWrapper object.
      */
     public List<String> getConfirmationMethods() {
         List<String> methods = new ArrayList<String>();
         if (saml2 != null) {
             org.opensaml.saml2.core.Subject subject = saml2.getSubject();
             List<org.opensaml.saml2.core.SubjectConfirmation> confirmations = 
                 subject.getSubjectConfirmations();
             for (org.opensaml.saml2.core.SubjectConfirmation confirmation : confirmations) {
                 methods.add(confirmation.getMethod());
             }
         } else if (saml1 != null) {
             List<SubjectStatement> subjectStatements = new ArrayList<SubjectStatement>();
             subjectStatements.addAll(saml1.getSubjectStatements());
             subjectStatements.addAll(saml1.getAuthenticationStatements());
             subjectStatements.addAll(saml1.getAttributeStatements());
             subjectStatements.addAll(saml1.getAuthorizationDecisionStatements());
             for (SubjectStatement subjectStatement : subjectStatements) {
                 Subject subject = subjectStatement.getSubject();
                 if (subject != null) {
                     SubjectConfirmation confirmation = subject.getSubjectConfirmation();
                     if (confirmation != null) {
                         XMLObject data = confirmation.getSubjectConfirmationData();
                         if (data instanceof ConfirmationMethod) {
                             ConfirmationMethod method = (ConfirmationMethod) data;
                             methods.add(method.getConfirmationMethod());
                         }
                         List<ConfirmationMethod> confirmationMethods = 
                             confirmation.getConfirmationMethods();
                         for (ConfirmationMethod confirmationMethod : confirmationMethods) {
                             methods.add(confirmationMethod.getConfirmationMethod());
                         }
                     }
                 }
             }
         }
         return methods;
     }
 
     /**
      * Method isSigned returns the signed of this AssertionWrapper object.
      *
      * @return the signed (type boolean) of this AssertionWrapper object.
      */
     public boolean isSigned() {
         if (saml2 != null) {
             return saml2.isSigned() || saml2.getSignature() != null;
         } else if (saml1 != null) {
             return saml1.isSigned() || saml1.getSignature() != null;
         }
         return false;
     }
 
     /**
      * Method setSignature sets the signature of this AssertionWrapper object.
      *
      * @param signature the signature of this AssertionWrapper object.
      */
     public void setSignature(Signature signature) {
         if (xmlObject instanceof SignableSAMLObject) {
             SignableSAMLObject signableObject = (SignableSAMLObject) xmlObject;
             signableObject.setSignature(signature);
             signableObject.releaseDOM();
             signableObject.releaseChildrenDOM(true);
         } else {
             LOG.error("Attempt to sign an unsignable object " + xmlObject.getClass().getName());
         }
     }
     
     /**
      * Create an enveloped signature on the assertion that has been created.
      * 
      * @param issuerKeyName the Issuer KeyName to use with the issuerCrypto argument
      * @param issuerKeyPassword the Issuer Password to use with the issuerCrypto argument
      * @param issuerCrypto the Issuer Crypto instance
      * @param sendKeyValue whether to send the key value or not
      * @throws WSSecurityException
      */
     public void signAssertion(String issuerKeyName, String issuerKeyPassword,
             Crypto issuerCrypto, boolean sendKeyValue)
             throws WSSecurityException {
 
         signAssertion(issuerKeyName, issuerKeyPassword, issuerCrypto,
                 sendKeyValue, defaultCanonicalizationAlgorithm,
                 defaultRSASignatureAlgorithm);
     }
     
     /**
      * Create an enveloped signature on the assertion that has been created.
      * 
      * @param issuerKeyName the Issuer KeyName to use with the issuerCrypto argument
      * @param issuerKeyPassword the Issuer Password to use with the issuerCrypto argument
      * @param issuerCrypto the Issuer Crypto instance
      * @param sendKeyValue whether to send the key value or not
      * @param canonicalizationAlgorithm the canonicalization algorithm to be used for signing
      * @param signatureAlgorithm the signature algorithm to be used for signing
      * @throws WSSecurityException
      */
     public void signAssertion(String issuerKeyName, String issuerKeyPassword,
             Crypto issuerCrypto, boolean sendKeyValue,
             String canonicalizationAlgorithm, String signatureAlgorithm)
             throws WSSecurityException {
         //
         // Create the signature
         //
         Signature signature = OpenSAMLUtil.buildSignature();
         signature.setCanonicalizationAlgorithm(canonicalizationAlgorithm);
         LOG.debug("Using Canonicalization algorithm " + canonicalizationAlgorithm);
         // prepare to sign the SAML token
         CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
         cryptoType.setAlias(issuerKeyName);
         X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType);
         if (issuerCerts == null) {
             throw new WSSecurityException(
                     "No issuer certs were found to sign the SAML Assertion using issuer name: "
                             + issuerKeyName);
         }
 
         String sigAlgo = signatureAlgorithm;
         String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
         if (LOG.isDebugEnabled()) {
             LOG.debug("automatic sig algo detection: " + pubKeyAlgo);
         }
         if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
             sigAlgo = defaultDSASignatureAlgorithm;
         }
         LOG.debug("Using Signature algorithm " + sigAlgo);
         PrivateKey privateKey = null;
         try {
             privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);
         } catch (Exception ex) {
             throw new WSSecurityException(ex.getMessage(), ex);
         }
 
         signature.setSignatureAlgorithm(sigAlgo);
 
         BasicX509Credential signingCredential = new BasicX509Credential();
         signingCredential.setEntityCertificate(issuerCerts[0]);
         signingCredential.setPrivateKey(privateKey);
 
         signature.setSigningCredential(signingCredential);
 
         X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
         if (sendKeyValue) {
             kiFactory.setEmitPublicKeyValue(true);
         } else {
             kiFactory.setEmitEntityCertificate(true);
         }
         try {
             KeyInfo keyInfo = kiFactory.newInstance().generate(
                     signingCredential);
             signature.setKeyInfo(keyInfo);
         } catch (org.opensaml.xml.security.SecurityException ex) {
             throw new WSSecurityException(
                     "Error generating KeyInfo from signing credential", ex);
         }
 
         // add the signature to the assertion
         setSignature(signature);
     }
 
     /**
      * Verify the signature of this assertion
      *
      * @throws ValidationException
      */
     public void verifySignature(
         RequestData data, WSDocInfo docInfo
     ) throws WSSecurityException {
         Signature sig = null;
         if (saml2 != null && saml2.getSignature() != null) {
             sig = saml2.getSignature();
         } else if (saml1 != null && saml1.getSignature() != null) {
             sig = saml1.getSignature();
         }
         if (sig != null) {
             KeyInfo keyInfo = sig.getKeyInfo();
             SAMLKeyInfo samlKeyInfo = 
                 SAMLUtil.getCredentialDirectlyFromKeyInfo(keyInfo.getDOM(), data);
             verifySignature(samlKeyInfo);
         } else {
             LOG.debug("AssertionWrapper: no signature to validate");
         }
 
     }
     
     /**
      * Verify the signature of this assertion
      *
      * @throws ValidationException
      */
     public void verifySignature(SAMLKeyInfo samlKeyInfo) throws WSSecurityException {
         Signature sig = getSignature();
         if (sig != null) {
             if (samlKeyInfo == null) {
                 throw new WSSecurityException(
                     WSSecurityException.FAILURE, "invalidSAMLsecurity",
                     new Object[]{"cannot get certificate or key"}
                 );
             }
             SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
             try {
                 validator.validate(sig);
             } catch (ValidationException ex) {
                 throw new WSSecurityException("SAML signature validation failed", ex);
             }
             
             BasicX509Credential credential = new BasicX509Credential();
             if (samlKeyInfo.getCerts() != null) {
                 credential.setEntityCertificate(samlKeyInfo.getCerts()[0]);
             } else if (samlKeyInfo.getPublicKey() != null) {
                 credential.setPublicKey(samlKeyInfo.getPublicKey());
             } else {
                 throw new WSSecurityException(
                     WSSecurityException.FAILURE, "invalidSAMLsecurity",
                     new Object[]{"cannot get certificate or key"}
                 );
             }
             SignatureValidator sigValidator = new SignatureValidator(credential);
             try {
                 sigValidator.validate(sig);
             } catch (ValidationException ex) {
                 throw new WSSecurityException("SAML signature validation failed", ex);
             }
             signatureKeyInfo = samlKeyInfo;
         } else {
             LOG.debug("AssertionWrapper: no signature to validate");
         }
     }
     
     public Signature getSignature() {
         Signature sig = null;
         if (saml2 != null && saml2.getSignature() != null) {
             sig = saml2.getSignature();
         } else if (saml1 != null && saml1.getSignature() != null) {
             sig = saml1.getSignature();
         }
         return sig;
     }
 
     
     /**
      * This method parses the KeyInfo of the Subject for the holder-of-key confirmation
      * method, as required by the SAML Token spec. It then stores the SAMLKeyInfo object that
      * has been obtained for future processing by the SignatureProcessor.
      * @throws WSSecurityException
      */
     public void parseHOKSubject(
         RequestData data, WSDocInfo docInfo
     ) throws WSSecurityException {
         String confirmMethod = null;
         List<String> methods = getConfirmationMethods();
         if (methods != null && methods.size() > 0) {
             confirmMethod = methods.get(0);
         }
         if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
             if (saml1 != null) {
                 subjectKeyInfo = 
                     SAMLUtil.getCredentialFromSubject(saml1, data, docInfo, 
                                                       data.getWssConfig().isWsiBSPCompliant());
             } else if (saml2 != null) {
                 subjectKeyInfo = 
                     SAMLUtil.getCredentialFromSubject(saml2, data, docInfo, 
                                                       data.getWssConfig().isWsiBSPCompliant());
             }
         }
     }
     
 
     /**
      * Method getSamlVersion returns the samlVersion of this AssertionWrapper object.
      *
      * @return the samlVersion (type SAMLVersion) of this AssertionWrapper object.
      */
     public SAMLVersion getSamlVersion() {
         if (samlVersion == null) {
             // Try to set the version.
             if (LOG.isDebugEnabled()) {
                 LOG.debug(
                     "The SAML version was null in getSamlVersion(). Recomputing SAML version..."
                 );
             }
             if (saml1 != null && saml2 == null) {
                 samlVersion = SAMLVersion.VERSION_11;
             } else if (saml1 == null && saml2 != null) {
                 samlVersion = SAMLVersion.VERSION_20;
             } else {
                 // We are only supporting SAML v1.1 or SAML v2.0 at this time.
                 throw new IllegalStateException(
                     "Could not determine the SAML version number. Check your "
                     + "configuration and try again."
                 );
             }
         }
         return samlVersion;
     }
 
     /**
      * Get the Assertion as a DOM Element.
      * @return the assertion as a DOM Element
      */
     public Element getElement() {
         return assertionElement;
     }
     
     /**
      * Get the SAMLKeyInfo associated with the signature of the assertion
      * @return the SAMLKeyInfo associated with the signature of the assertion
      */
     public SAMLKeyInfo getSignatureKeyInfo() {
         return signatureKeyInfo;
     }
     
     /**
      * Get the SAMLKeyInfo associated with the Subject KeyInfo
      * @return the SAMLKeyInfo associated with the Subject KeyInfo
      */
     public SAMLKeyInfo getSubjectKeyInfo() {
         return subjectKeyInfo;
     }
     
     /**
      * Get the SignatureValue bytes of the signed SAML Assertion 
      * @return the SignatureValue bytes of the signed SAML Assertion 
      * @throws WSSecurityException
      */
     public byte[] getSignatureValue() throws WSSecurityException {
         Signature sig = null;
         if (saml2 != null && saml2.getSignature() != null) {
             sig = saml2.getSignature();
         } else if (saml1 != null && saml1.getSignature() != null) {
             sig = saml1.getSignature();
         }
         if (sig != null) {
             Element signatureElement = sig.getDOM();
             
             try {
                 // Use XML-Security class to obtain SignatureValue
                 XMLSignature xmlSignature = new XMLSignature(signatureElement, "");
                 return xmlSignature.getSignatureValue();
             } catch (XMLSignatureException e) {
                 throw new WSSecurityException(
                     WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e
                 );
             } catch (XMLSecurityException e) {
                 throw new WSSecurityException(
                     WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e
                 );
             }
         }
         return null;
     }
     
     /**
      * Parse the DOM Element into Opensaml objects.
      */
     private void parseElement(Element element) throws WSSecurityException {
         this.xmlObject = OpenSAMLUtil.fromDom(element);
         if (xmlObject instanceof org.opensaml.saml1.core.Assertion) {
             this.saml1 = (org.opensaml.saml1.core.Assertion) xmlObject;
             samlVersion = SAMLVersion.VERSION_11;
         } else if (xmlObject instanceof org.opensaml.saml2.core.Assertion) {
             this.saml2 = (org.opensaml.saml2.core.Assertion) xmlObject;
             samlVersion = SAMLVersion.VERSION_20;
         } else {
             LOG.error(
                 "AssertionWrapper: found unexpected type " 
                 + (xmlObject != null ? xmlObject.getClass().getName() : xmlObject)
             );
         }
         
         assertionElement = element;
     }
     
     /**
      * Parse a SAMLCallback object to create a SAML Assertion
      */
     private void parseCallback(
         SAMLCallback samlCallback, SAMLParms parms
     ) throws WSSecurityException {
         samlVersion = samlCallback.getSamlVersion();
         if (samlVersion == null) {
             samlVersion = parms.getSAMLVersion();
         }
         String issuer = samlCallback.getIssuer();
         if (issuer == null && parms.getIssuer() != null) {
             issuer = parms.getIssuer();
         }
         if (samlVersion.equals(SAMLVersion.VERSION_11)) {
             // Build a SAML v1.1 assertion
             saml1 = SAML1ComponentBuilder.createSamlv1Assertion(issuer);
 
             try {
                 // Process the SAML authentication statement(s)
                 List<AuthenticationStatement> authenticationStatements = 
                     SAML1ComponentBuilder.createSamlv1AuthenticationStatement(
                         samlCallback.getAuthenticationStatementData()
                     );
                 saml1.getAuthenticationStatements().addAll(authenticationStatements);
     
                 // Process the SAML attribute statement(s)            
                 List<AttributeStatement> attributeStatements =
                         SAML1ComponentBuilder.createSamlv1AttributeStatement(
                             samlCallback.getAttributeStatementData()
                         );
                 saml1.getAttributeStatements().addAll(attributeStatements);
     
                 // Process the SAML authorization decision statement(s)
                 List<AuthorizationDecisionStatement> authDecisionStatements =
                         SAML1ComponentBuilder.createSamlv1AuthorizationDecisionStatement(
                             samlCallback.getAuthDecisionStatementData()
                         );
                 saml1.getAuthorizationDecisionStatements().addAll(authDecisionStatements);
     
                 // Build the complete assertion
                 org.opensaml.saml1.core.Conditions conditions = 
                     SAML1ComponentBuilder.createSamlv1Conditions(samlCallback.getConditions());
                 saml1.setConditions(conditions);
             } catch (org.opensaml.xml.security.SecurityException ex) {
                 throw new WSSecurityException(
                     "Error generating KeyInfo from signing credential", ex
                 );
             }
 
             // Set the OpenSaml2 XMLObject instance
             xmlObject = saml1;
 
         } else if (samlVersion.equals(SAMLVersion.VERSION_20)) {
             // Build a SAML v2.0 assertion
             saml2 = SAML2ComponentBuilder.createAssertion();
             Issuer samlIssuer = SAML2ComponentBuilder.createIssuer(issuer);
 
             // Authn Statement(s)
             List<AuthnStatement> authnStatements = 
                 SAML2ComponentBuilder.createAuthnStatement(
                     samlCallback.getAuthenticationStatementData()
                 );
             saml2.getAuthnStatements().addAll(authnStatements);
 
             // Attribute statement(s)
             List<org.opensaml.saml2.core.AttributeStatement> attributeStatements = 
                 SAML2ComponentBuilder.createAttributeStatement(
                     samlCallback.getAttributeStatementData()
                 );
             saml2.getAttributeStatements().addAll(attributeStatements);
 
             // AuthzDecisionStatement(s)
             List<AuthzDecisionStatement> authDecisionStatements =
                     SAML2ComponentBuilder.createAuthorizationDecisionStatement(
                         samlCallback.getAuthDecisionStatementData()
                     );
             saml2.getAuthzDecisionStatements().addAll(authDecisionStatements);
 
             // Build the SAML v2.0 assertion
             saml2.setIssuer(samlIssuer);
             
             try {
                 org.opensaml.saml2.core.Subject subject = 
                     SAML2ComponentBuilder.createSaml2Subject(samlCallback.getSubject());
                 saml2.setSubject(subject);
             } catch (org.opensaml.xml.security.SecurityException ex) {
                 throw new WSSecurityException(
                     "Error generating KeyInfo from signing credential", ex
                 );
             }
             
             org.opensaml.saml2.core.Conditions conditions = 
                 SAML2ComponentBuilder.createConditions(samlCallback.getConditions());
             saml2.setConditions(conditions);
 
             // Set the OpenSaml2 XMLObject instance
             xmlObject = saml2;
         }
     }
 
 }