WSSSignatureProvider.java revision 272ac8a1a482b3baeff7293aac5de828cfd1ee69
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: WSSSignatureProvider.java,v 1.13 2009/11/16 21:53:00 mallas Exp $
*
* Portions Copyrighted 2014 ForgeRock AS
*/
/**
* <code>WSSSignatureProvider</code> signs and verifies signatures of
* WS-Security (WSS) XML documents. It extends
* <code>AMSignatureProvider</code>.
*/
public class WSSSignatureProvider extends AMSignatureProvider {
// Configuration key (presumably read as a system property — confirm) that
// switches use of the WS-Security STR-Transform on or off.
private static final String USE_STR_TRANSFORMATION =
"com.sun.identity.wss.signature.usestrtransformation";
// Set once registerSTRTransform() succeeds; the sign/verify paths check it
// and register the transform lazily on first use.
private boolean isSTRTransformRegistered = false;
// Defaults to on; expected to be overridden from USE_STR_TRANSFORMATION — confirm.
private boolean useSTRTransformation = true;
/** Creates a new instance of WSSSignatureProvider */
public WSSSignatureProvider() {
// Only the superclass constructor runs; the STR-Transform is not registered
// here but lazily by the sign/verify methods.
super();
}
private synchronized void registerSTRTransform() {
// Registers the WS-Security STR-Transform with the XML-signature library.
// Callers invoke this only while useSTRTransformation is on and
// isSTRTransformRegistered is still false.
try {
STRTransform.class.getName());
isSTRTransformRegistered = true;
} catch (Exception e) {
// NOTE(review): any exception is reported as "already registered" and, from
// the visible lines, the flag is left false on this path, so a genuine
// registration failure is masked and registration is retried on every
// subsequent sign/verify call — confirm and narrow the catch if so.
" Transform is already registered");
}
}
}
/**
* Sign part of the xml document referred to by the supplied list
* of id attributes of nodes
* @param doc XML dom object
* @param cert Signer's certificate
* @param assertionID assertion ID
* @param algorithm XML signature algorithm
* @param ids list of id attribute values of nodes to be signed
* @return SAML Security Token signature
* @throws XMLSignatureException if the document could not be signed
*/
}
/**
* Sign part of the XML document referred to by the supplied list
* of id attributes of nodes using SAML Token.
* @param doc XML dom object
* @param key the key that will be used to sign the document.
* @param symmetricKey true if the supplied key is a symmetric key type.
* @param signingCert signer's Certificate. If present, this certificate
* will be added as part of signature <code>KeyInfo</code>.
* @param encCert the certificate, if present, used to encrypt the
* symmetric key, which is then carried as part of <code>KeyInfo</code>
* @param assertionID assertion ID for the SAML Security Token
* @param algorithm XML signature algorithm
* @param ids list of id attribute values of nodes to be signed
* @return SAML Security Token signature
* @throws XMLSignatureException if the document or assertion ID is null,
* the algorithm is not supported, or the document could not be signed
*/
boolean symmetricKey,
throws XMLSignatureException {
if(useSTRTransformation && !isSTRTransformRegistered) {
}
"document is null.");
throw new XMLSignatureException(
}
boolean isSAML2Token = false;
if(assertionElement != null) {
isSAML2Token = true;
}
if (assertionID == null) {
"Certificate is null");
throw new XMLSignatureException(
}
try {
if(symmetricKey) {
} else {
}
if (!isValidAlgorithm(algorithm)) {
throw new XMLSignatureException(
}
}
"//*[@wsu:Id]", wsucontext);
}
}
}
"ds:CanonicalizationMethod");
if(isSAML2Token) {
} else {
}
} else {
}
for (int i = 0; i < size; ++i) {
}
}
if(useSTRTransformation) {
}
SAMLUtils.generateID());
if(isSAML2Token) {
} else {
}
} catch (Exception e) {
" Exception: ", e);
throw new XMLSignatureException(e.getMessage());
}
}
return signature.getElement();
}
/**
* Sign part of the xml document referred to by the supplied list
* of id attributes of nodes
* @param doc XML dom object
* @param cert Signer's certificate
* @param algorithm XML signature algorithm
* @param ids list of id attribute values of nodes to be signed
* @return X509 Security Token signature
* @throws XMLSignatureException if the document could not be signed
*/
throws XMLSignatureException {
}
/**
* Sign part of the xml document referred to by the supplied list
* of id attributes of nodes
* @param doc XML dom object
* @param cert Signer's certificate
* @param algorithm XML signature algorithm
* @param ids list of id attribute values of nodes to be signed
* @return X509 Security Token signature
* @throws XMLSignatureException if the document could not be signed
*/
throws XMLSignatureException {
}
/**
* Sign part of the xml document referred to by the supplied list
* of id attributes of nodes
* @param doc XML dom object
* @param cert Signer's certificate
* @param algorithm XML signature algorithm
* @param ids list of id attribute values of nodes to be signed
* @param tokenType Token type
* @return X509 Security Token signature
* @throws XMLSignatureException if the document or private key is null,
* the algorithm is not supported, or the document could not be signed
*/
throws XMLSignatureException {
if(useSTRTransformation && !isSTRTransformRegistered) {
}
"Token:: XML doc is null.");
throw new XMLSignatureException(
}
"Document to be signed : " +
}
try {
if (privateKey == null) {
" private key is null");
throw new XMLSignatureException(
}
}
if (!isValidAlgorithm(algorithm)) {
throw new XMLSignatureException(
}
"//*[@wsu:Id]", wsucontext);
}
}
}
"ds:CanonicalizationMethod");
for (int i = 0; i < size; ++i) {
}
}
}
+certId);
}
}
} else if(
if(keyIdentifier == null) {
throw new XMLSignatureException(
}
}
} catch (Exception e) {
"signWithBinaryTokenProfile Exception: ", e);
throw new XMLSignatureException(e.getMessage());
}
return (signature.getElement());
}
/**
* Verify all the signatures of the WSS xml document.
* Signature elements are located with <code>//ds:Signature</code> and
* <code>wsu:Id</code> references are resolved over every element carrying
* that attribute, so the whole document is searched; a caller acting on a
* signed element should still confirm that element is among those whose
* signature was verified.
* @param doc XML dom document whose signature to be verified
* @param certAlias alias for Signer's certificate, this is used
* to search signer's public certificate if it is not
* presented in ds:KeyInfo
* @return true if the xml signatures are verified, false otherwise
* (including when the document contains no signature)
* @throws XMLSignatureException if problem occurs during verification
*/
throws XMLSignatureException {
if(useSTRTransformation && !isSTRTransformRegistered) {
}
"document is null.");
throw new XMLSignatureException(
}
try {
"//*[@wsu:Id]", wsucontext);
}
}
}
for (int i = 0; i < len; i++) {
}
}
}
"//ds:Signature", nscontext);
}
if(sigElementsLength == 0) {
return false;
}
//loop
}
return true;
} else {
return false;
}
}
" Signature " + i + " verified");
}
} else {
" Signature Verfication failed");
}
return false;
}
} else {
"Certificate Alias is null");
}
return false;
}
"try to use certAlias");
}
" Signature " + i + " verified");
}
} else {
return false;
}
} else {
"verifyWSSSignature: Signature " + i +
" verified");
}
} else {
return false;
}
} else {
+ " based on certAlias to verify signature");
return false;
}
}
}
}
return true;
"verifyWSSSignature Exception: ", ex);
}
}
/**
* Returns the public key from the security token.
* This is required for WS-Security.
* @return the public key; may be null when the security element is absent
* or extraction fails (failures are logged rather than thrown)
*/
try {
if(securityElement == null) {
return null;
}
if (n != null) { // X509 Security Token profile
} else { // SAML Token profile
// The SAML Statements contain keyinfo, they should be
// all the same. get the first keyinfo!
throw new Exception(
}
getNodeValue();
}
}
}
} else {
"getPublicKeyFromWSSToken:" +
" unknow Security Token Reference");
}
} catch (Exception e) {
"getPublicKeyFromWSSToken Exception: ", e);
}
return pubKey;
}
/**
* Sign with Kerberos Token
* @param doc XML dom object to be signed
* @param key the key used to sign the document
* @param algorithm XML signature algorithm
* @param ids list of id attribute values of nodes to be signed
* @return Kerberos Security Token signature
* @throws com.sun.identity.saml.xmlsig.XMLSignatureException if the
* document is null, the algorithm is not supported, or signing fails
*/
throws XMLSignatureException {
"Token:: XML doc is null.");
throw new XMLSignatureException(
}
"Document to be signed : " +
}
try {
if (!isValidAlgorithm(algorithm)) {
throw new XMLSignatureException(
}
"//*[@wsu:Id]", wsucontext);
}
}
}
"ds:CanonicalizationMethod");
for (int i = 0; i < size; ++i) {
}
}
+certId);
} catch (Exception e) {
"signWithBinaryTokenProfile Exception: ", e);
throw new XMLSignatureException(e.getMessage());
}
return (signature.getElement());
}
/**
* Verify web services message signature using specified key
* @param document the document to be validated
* @param key the secret key to be used for validating signature
* @return true if verification is successful.
* @throws com.sun.identity.saml.xmlsig.XMLSignatureException
*/
throws XMLSignatureException {
}
/**
* Verify web services message signature using specified key.
* All <code>ds:Signature</code> elements are located with
* <code>//ds:Signature</code>, so the whole document is searched.
* @param doc the document to be validated
* @param key the secret key to be used for validating signature
* @param certAlias the certificate alias used for validating the signature
* if the key is not available.
* @param encryptAlias the certificate alias that may be used to decrypt
* the symmetric key that is part of <code>KeyInfo</code>
* @return true if verification is successful; false otherwise, including
* when the document contains no <code>ds:Signature</code> element.
* @throws com.sun.identity.saml.xmlsig.XMLSignatureException if the
* document or key is null, or a problem occurs during verification
*/
"document or key is null.");
throw new XMLSignatureException(
}
if(useSTRTransformation && !isSTRTransformRegistered) {
}
try {
"//*[@wsu:Id]", wsucontext);
}
}
}
"//ds:Signature", nscontext);
}
if(sigElementsLength == 0) {
return false;
}
//loop
}
continue;
}
return false;
} else {
continue;
}
}
//check if it's a symmetric key
return false;
} else {
continue;
}
}
}
return false;
} else {
continue;
}
}
}
return false;
}
return false;
}
return true;
"verifyWSSSignature Exception: ", ex);
}
}
/**
* Creates the key identifier reference using certificate.
* @param doc the XML document in which the reference is created
* @param cert the certificate the key identifier is derived from
* @return the key identifier element, or null if it could not be created
*/
SAMLUtils.generateID());
return null;
}
return keyIdentifier;
}
return x509Data;
}
}