a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: AMSignatureProvider.java,v 1.11 2009/08/29 03:06:47 mallas Exp $
9e34f70f789dbd049eed2b273ca9b7d2cd26fd51cweng * Portions Copyrighted 2013-2016 ForgeRock AS.
9e34f70f789dbd049eed2b273ca9b7d2cd26fd51cwengimport com.sun.identity.liberty.ws.common.wsse.WSSEConstants;
9e34f70f789dbd049eed2b273ca9b7d2cd26fd51cwengimport com.sun.identity.liberty.ws.soapbinding.SOAPBindingConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.common.SystemConfigurationUtil;
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.c14n.Canonicalizer;
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.signature.XMLSignature;
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.keys.content.keyvalues.DSAKeyValue;
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.keys.content.keyvalues.RSAKeyValue;
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.keys.storage.StorageResolver;
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.keys.storage.implementations.KeyStoreResolver;
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver;
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.keys.keyresolver.implementations.X509SubjectNameResolver;
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.keys.keyresolver.implementations.X509IssuerSerialResolver;
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.keys.keyresolver.implementations.X509SKIResolver;
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.utils.Constants;
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.utils.ElementProxy;
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.transforms.Transforms;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SignatureProvider</code> is an interface
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * to be implemented to sign and verify xml signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpublic class AMSignatureProvider implements SignatureProvider {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // define default id attribute name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final String DEF_ID_ATTRIBUTE = "id";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // flag to check if the partner's signing cert is in the keystore.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Default Constructor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String kprovider = SystemConfigurationUtil.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster keystore= (KeyProvider) Class.forName(kprovider).newInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("AMSignatureProvider: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "constructor error");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster c14nMethod = SystemConfigurationUtil.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster transformAlg = SystemConfigurationUtil.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster defaultSigAlg = SystemConfigurationUtil.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String valCert = SystemConfigurationUtil.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "com.sun.identity.saml.checkcert");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }else if (valCert.trim().equalsIgnoreCase("on")) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.message("SystemConfigurationUtil:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " com.sun.identity.saml.checkcert has"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " invalid value. Choose default, turn"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " ON checkcert.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constructor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void initialize(KeyProvider keyProvider) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("Key Provider is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sign the xml document using enveloped signatures.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias Signer's certificate alias name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return signature Element object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public org.w3c.dom.Element signXML(org.w3c.dom.Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sign the xml document using enveloped signatures.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias Signer's certificate alias name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return signature dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public org.w3c.dom.Element signXML(org.w3c.dom.Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: doc is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (certAlias == null || certAlias.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: certAlias is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeper ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullkeystore"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (PrivateKey) keystore.getPrivateKey(certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("private key is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullprivatekey"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (algorithm == null || algorithm.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("invalidalgorithm"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (c14nMethod == null || c14nMethod.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!isValidCanonicalizationMethod(c14nMethod)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sig = new XMLSignature(doc, "", algorithm, c14nMethod);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new com.sun.identity.saml.xmlsig.OfflineResolver());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // do transform
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // If exclusive canonicalization is presented in the saml locale
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // file, we will add a transform for it. Otherwise, will not do
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // such transform due to performance reason.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (transformAlg != null && transformAlg.length() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!isValidTransformAlgorithm(transformAlg)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidTransformAlgorithm"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // add certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (X509Certificate) keystore.getX509Certificate(certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML Exception: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new XMLSignatureException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sign the xml string using enveloped signatures.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param xmlString xml string to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias Signer's certificate alias name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return XML signature string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the xml string could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public java.lang.String signXML(java.lang.String xmlString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sign the xml string using enveloped signatures.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param xmlString xml string to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias Signer's certificate alias name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML Signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return XML signature string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the xml string could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public java.lang.String signXML(java.lang.String xmlString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (xmlString == null || xmlString.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: xmlString is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (certAlias == null || certAlias.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: certAlias is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Document doc = XMLUtils.toDOMDocument(xmlString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML Exception: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new XMLSignatureException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sign part of the xml document referred by the supplied id attribute
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * using enveloped signatures and use exclusive xml canonicalization.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias Signer's certificate alias name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param id id attribute value of the node to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return signature dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public org.w3c.dom.Element signXML(org.w3c.dom.Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return signXML(doc, certAlias, algorithm, DEF_ID_ATTRIBUTE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sign part of the xml document referred by the supplied id attribute
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * using enveloped signatures and use exclusive xml canonicalization.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias Signer's certificate alias name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param id id attribute value of the node to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param xpath expression should uniquely identify a node before which
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return signature dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public org.w3c.dom.Element signXML(org.w3c.dom.Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return signXML(doc, certAlias, algorithm, DEF_ID_ATTRIBUTE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sign part of the xml document referred by the supplied id attribute
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * using enveloped signatures and use exclusive xml canonicalization.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias Signer's certificate alias name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idAttrName attribute name for the id attribute of the node to
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param id id attribute value of the node to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeCert if true, include the signing certificate in KeyInfo.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * if false, does not include the signing certificate.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return signature dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public org.w3c.dom.Element signXML(org.w3c.dom.Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return signXML(doc, certAlias, algorithm, idAttrName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sign part of the xml document referred by the supplied id attribute
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * using enveloped signatures and use exclusive xml canonicalization.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param xmlString a string representing XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias Signer's certificate alias name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idAttrName attribute name for the id attribute of the node to be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param id id attribute value of the node to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeCert if true, include the signing certificate in KeyInfo.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * if false, does not include the signing certificate.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return a string representing signature dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public java.lang.String signXML(java.lang.String xmlString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (xmlString == null || xmlString.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: xmlString is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster doc = XMLUtils.toDOMDocument(xmlString, SAMLUtilsCommon.debug);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML Exception: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new XMLSignatureException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element el = signXML(doc, certAlias, algorithm, idAttrName,
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * Sign part of the xml document referred by the supplied id attribute
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * using enveloped signatures and use exclusive xml canonicalization.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias Signer's certificate alias name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idAttrName attribute name for the id attribute of the node to
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param id id attribute value of the node to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeCert if true, include the signing certificate in KeyInfo.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * if false, does not include the signing certificate.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param xpath expression should uniquely identify a node before which
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * @return a signed dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * Sign part of the XML document referred by the supplied id attribute
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * using enveloped signatures and use exclusive XML canonicalization.
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * @param doc XML dom object
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * @param certAlias Signer's certificate alias name
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * @param encryptedKeyPass Use the supplied encrypted key password to get the private key
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * @param algorithm XML signature algorithm
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * @param idAttrName attribute name for the id attribute of the node to be
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * @param id id attribute value of the node to be signed; the value is embedded verbatim in an XPath expression, so only trusted values should be passed
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * @param includeCert if true, include the signing certificate in
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * <code>KeyInfo</code>.
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * if false, does not include the signing certificate.
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * @param xpath expression should uniquely identify a node before which
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * @return a signed dom object
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper * @throws XMLSignatureException if the document could not be signed
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper public Element signXMLUsingKeyPass(Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: doc is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (certAlias == null || certAlias.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: certAlias is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeper ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper if (encryptedKeyPass == null || encryptedKeyPass.isEmpty()) {
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper privateKey = keystore.getPrivateKey(certAlias);
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper privateKey = keystore.getPrivateKey(certAlias, encryptedKeyPass);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("private key is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullprivatekey"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster doc, "//*[@" + idAttrName + "=\"" + id + "\"]");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: could not"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " resolv id attribute");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("invalidIDAttribute"));
f109a33a8b5c6b0e4b6e49035f28b5febd5c84cdMark de Reeper // Set the ID attribute if idAttrName is not the default.
f109a33a8b5c6b0e4b6e49035f28b5febd5c84cdMark de Reeper if (algorithm == null || algorithm.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("invalidalgorithm"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper Node beforeNode = XPathAPI.selectSingleNode(doc, xpath);
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper root.insertBefore(sig.getElement(), beforeNode);
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper sig.getSignedInfo().addResourceResolver(new OfflineResolver());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // do transform
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (X509Certificate) keystore.getX509Certificate(certAlias);
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper SAMLUtilsCommon.debug.error("signXML Exception: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new XMLSignatureException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sign the xml string using enveloped signatures.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param xmlString xml string to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias Signer's certificate alias name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML Signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param id id attribute value of the node to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return XML signature string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the xml string could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public java.lang.String signXML(java.lang.String xmlString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (xmlString == null || xmlString.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: xmlString is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (certAlias == null || certAlias.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: certAlias is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Document doc = XMLUtils.toDOMDocument(xmlString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML Exception: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new XMLSignatureException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sign part of the xml document referred by the supplied list
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of id attributes of nodes
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias Signer's certificate alias name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ids list of id attribute values of nodes to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return signature dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public org.w3c.dom.Element signXML(org.w3c.dom.Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return signXML(doc, certAlias, algorithm, null, ids);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sign part of the xml document referred by the supplied list
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of id attributes of nodes
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias Signer's certificate alias name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param transformAlag XML signature transform algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Those transform constants are defined as
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAMLConstants.TRANSFORM_XXX.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ids list of id attribute values of nodes to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return signature dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public org.w3c.dom.Element signXML(org.w3c.dom.Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: doc is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (certAlias == null || certAlias.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: certAlias is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster org.w3c.dom.Element root = doc.getDocumentElement();
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeper ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (PrivateKey) keystore.getPrivateKey(certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("private key is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullprivatekey"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (algorithm == null || algorithm.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("invalidalgorithm"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signature = new XMLSignature(doc, "", algorithm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (X509Certificate) keystore.getX509Certificate(certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML Exception: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new XMLSignatureException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sign part of the xml document referred by the supplied list
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of id attributes of nodes
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param xmlString XML.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias Signer's certificate alias name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ids list of id attribute values of nodes to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return XML signature string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public java.lang.String signXML(java.lang.String xmlString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (xmlString == null || xmlString.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: xmlString is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (certAlias == null || certAlias.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: certAlias is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Document doc = XMLUtils.toDOMDocument(xmlString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new XMLSignatureException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Signs the part of the XML document referred to by the supplied list
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of id attribute values of nodes.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param cert Signer's certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertionID assertion ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ids list of id attribute values of nodes to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return SAML Security Token signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Element signWithWSSSAMLTokenProfile(Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster java.security.cert.Certificate cert, String assertionID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String algorithm, List ids) throws XMLSignatureException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return signWithWSSSAMLTokenProfile(doc, cert, assertionID, algorithm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Signs the part of the XML document referred to by the supplied list
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of id attribute values of nodes.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param cert Signer's certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertionID assertion ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ids list of id attribute values of nodes to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param wsfVersion the web services version.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return SAML Security Token signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Element signWithWSSSAMLTokenProfile(Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster java.security.cert.Certificate cert, String assertionID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: doc is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signWithWSSSAMLTokenProfile: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Certificate is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signWithWSSSAMLTokenProfile: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionID is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (wsfVersion.equals(SOAPBindingConstants.WSF_11_VERSION))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element root = (Element)doc.getDocumentElement().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getElementsByTagNameNS(wsseNS, SAMLConstants.TAG_SECURITY).item(0);
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeper ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeper Element wsucontext = org.apache.xml.security.utils.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NodeList wsuNodes = (NodeList)XPathAPI.selectNodeList(doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(wsuNodes != null && wsuNodes.getLength() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String certAlias = keystore.getCertificateAlias(cert);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (PrivateKey) keystore.getPrivateKey(certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("private key is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullprivatekey"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (algorithm == null || algorithm.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("invalidalgorithm"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signature = new XMLSignature(doc, "", algorithm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element securityTokenRef = doc.createElementNS(wsseNS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster securityTokenRef.setAttributeNS(SAMLConstants.NS_XMLNS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster securityTokenRef.setAttributeNS(SAMLConstants.NS_XMLNS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.TAG_XMLNS_SEC, SAMLConstants.NS_SEC);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster securityTokenRef.setAttributeNS(null, SAMLConstants.TAG_USAGE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element reference = doc.createElementNS(wsseNS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster reference.setAttributeNS(null, SAMLConstants.TAG_URI,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signWithWSSX509TokenProfile " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Exception: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new XMLSignatureException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.message("SAML Signed doc = " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Signs the part of the XML document referred to by the supplied list
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of id attribute values of nodes.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param cert Signer's certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ids list of id attribute values of nodes to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return X509 Security Token signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Element signWithWSSX509TokenProfile(Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster java.security.cert.Certificate cert, String algorithm, List ids)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return signWithWSSX509TokenProfile(doc, cert, algorithm, ids,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Signs the part of the XML document referred to by the supplied list
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of id attribute values of nodes.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param cert Signer's certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ids list of id attribute values of nodes to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param wsfVersion the web services version.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return X509 Security Token signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Element signWithWSSX509TokenProfile(Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster java.security.cert.Certificate cert, String algorithm, List ids,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String wsfVersion) throws XMLSignatureException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: doc is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.message("Soap Envlope: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (wsfVersion.equals(SOAPBindingConstants.WSF_11_VERSION))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element root = (Element)doc.getDocumentElement().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getElementsByTagNameNS(wsseNS, SAMLConstants.TAG_SECURITY).item(0);
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeper ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeper Element wsucontext = org.apache.xml.security.utils.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NodeList wsuNodes = (NodeList)XPathAPI.selectNodeList(doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((wsuNodes != null) && (wsuNodes.getLength() != 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String certAlias = keystore.getCertificateAlias(cert);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (PrivateKey) keystore.getPrivateKey(certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("private key is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullprivatekey"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // TODO: code clean up
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // should find cert alias, add security token and call signXML
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // to avoid code duplication
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (algorithm == null || algorithm.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("invalidalgorithm"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signature = new XMLSignature(doc, "", algorithm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element securityTokenRef = doc.createElementNS(wsseNS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster securityTokenRef.setAttributeNS(SAMLConstants.NS_XMLNS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster securityTokenRef.setAttributeNS(SAMLConstants.NS_XMLNS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.TAG_XMLNS_SEC, SAMLConstants.NS_SEC);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster securityTokenRef.setAttributeNS(null, SAMLConstants.TAG_USAGE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element bsf = (Element)root.getElementsByTagNameNS(wsseNS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String certId = bsf.getAttributeNS(wsuNS, SAMLConstants.TAG_ID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element reference = doc.createElementNS(wsseNS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster reference.setAttributeNS(null, SAMLConstants.TAG_URI, "#"+certId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signWithWSSX509TokenProfile" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " Exception: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new XMLSignatureException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify all the signatures of the xml document
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom document whose signature to be verified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias alias of the signer's certificate; used to look up
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the signer's public certificate when it is not present in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * ds:KeyInfo
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the xml signature is verified, false otherwise
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if problem occurs during verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyXMLSignature(Document doc, String certAlias)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return verifyXMLSignature(SOAPBindingConstants.WSF_10_VERSION,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify all the signatures of the xml document
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param wsfVersion the web services version.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom document whose signature to be verified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias alias of the signer's certificate; used to look up
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the signer's public certificate when it is not present in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * ds:KeyInfo
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the xml signature is verified, false otherwise
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception XMLSignatureException if problem occurs during verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyXMLSignature(String wsfVersion, String certAlias,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("verifyXMLSignature:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " document is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (wsfVersion.equals(SOAPBindingConstants.WSF_11_VERSION))) {
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major Element wsucontext = org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "wsu", wsuNS);
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major NodeList wsuNodes = (NodeList) XPathAPI.selectNodeList(doc, "//*[@wsu:Id]", wsucontext);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((wsuNodes != null) && (wsuNodes.getLength() != 0)) {
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major for (int i = 0; i < wsuNodes.getLength(); i++) {
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeper Element nscontext = org.apache.xml.security.utils.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster XMLUtils.createDSctx (doc,"ds",Constants.SignatureSpecNS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NodeList sigElements = XPathAPI.selectNodeList (doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.message("verifyXMLSignature: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "sigElements size = " + sigElements.getLength());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster X509Certificate newcert= keystore.getX509Certificate (certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster PublicKey key = keystore.getPublicKey (certAlias);
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major for (int i = 0; i < sigElements.getLength(); i++) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.message("Sig(" + i + ") = " +
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major refElement = (Element) XPathAPI.selectSingleNode(sigElement, "//ds:Reference[1]", nscontext);
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major Element parentElement = (Element) sigElement.getParentNode();
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major if ("Assertion".equals(parentElement.getLocalName())) {
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major } else if ("Response".equals(parentElement.getLocalName())) {
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major } else if ("Request".equals(parentElement.getLocalName())) {
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major throw new UnsupportedOperationException("Enveloping and detached XML signatures are no longer"
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major + " supported");
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major signedId = parentElement.getAttribute(idAttrName);
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major //NB: this validation only works with enveloped XML signatures (the ds:Signature is a child of the element
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major //it signs, which is why the parent's id attribute is compared); enveloping and detached signatures are no
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major //longer supported. NOTE(review): the "//ds:Reference[1]" XPath used to obtain refElement above is absolute
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major //(rooted at the document, not at sigElement), so when a document carries several ds:Signature elements each
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major //iteration appears to read the document's first ds:Reference rather than its own; ".//ds:Reference[1]" would
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major //scope it to sigElement -- confirm. Also, refUri is assumed to be a same-document "#id" reference: only the
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major //text after its first character is compared with the element id; the leading "#" itself is not checked.
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major if (refUri == null || signedId == null || !refUri.substring(1).equals(signedId)) {
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major SAMLUtilsCommon.debug.error("Signature reference ID does not match with element ID");
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("uriNoMatchWithId"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster XMLSignature signature = new XMLSignature (sigElement, "");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new com.sun.identity.saml.xmlsig.OfflineResolver ());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // verify using public key
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "verifyXMLSignature:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "verifyXMLSignature:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " Signature Verfication failed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (certAlias == null || certAlias.equals ("")) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "verifyXMLSignature:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Certificate Alias is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Could not find a KeyInfo, " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "try to use certAlias");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "verifyXMLSignature:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "verifyXMLSignature: Signature " + i +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " verified");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Could not find public key"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " based on certAlias to verify signature");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("verifyXMLSignature Exception: ", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new XMLSignatureException (ex.getMessage ());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify the signature of the xml document
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom document whose signature to be verified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the xml signature is verified, false otherwise
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if problem occurs during verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyXMLSignature(org.w3c.dom.Document doc)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "verifyXMLSignature: document is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify the signature of the xml element.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param element XML dom element whose signature to be verified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the xml signature is verified, false otherwise
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if problem occurs during verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyXMLSignature(org.w3c.dom.Element element)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: element is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return verifyXMLSignature(XMLUtils.print(element));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify the signature of the xml document
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param element XML Element whose signature to be verified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias alias of the signer's certificate; used to look up
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster the signer's public certificate when it is not
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster present in ds:KeyInfo
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the xml signature is verified, false otherwise
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if problem occurs during verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyXMLSignature(org.w3c.dom.Element element,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return verifyXMLSignature(element, DEF_ID_ATTRIBUTE, certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify the signature of the xml document
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param element XML Element whose signature to be verified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idAttrName Attribute name for the id attribute
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias alias of the signer's certificate; used to look up
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster the signer's public certificate when it is not
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster present in ds:KeyInfo
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the xml signature is verified, false otherwise
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if problem occurs during verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyXMLSignature(org.w3c.dom.Element element,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: element is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster doc.appendChild(doc.importNode(element, true));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("verifyXMLSignature Exception: ", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new XMLSignatureException(ex.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify the signature of the xml document
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom document whose signature to be verified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param cert the signer's certificate; used to look up the signer's
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public certificate when it is not present in ds:KeyInfo
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the xml signature is verified, false otherwise
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if problem occurs during verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyXMLSignature(org.w3c.dom.Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("verifyXMLSignature: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "document is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String certAlias = keystore.getCertificateAlias(cert);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify the signature of the xml string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param xmlString XML string whose signature to be verified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the xml signature is verified, false otherwise
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if problem occurs during verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyXMLSignature(java.lang.String xmlString)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify the signature of the xml string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param xmlString XML string whose signature to be verified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias alias of the signer's certificate; used to look up
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster the signer's public certificate when it is not
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster present in ds:KeyInfo
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the xml signature is verified, false otherwise
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if problem occurs during verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyXMLSignature(java.lang.String xmlString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return verifyXMLSignature(xmlString, DEF_ID_ATTRIBUTE, certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify the signature of the xml string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param xmlString XML string whose signature to be verified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idAttrName Attribute name for the id attribute
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias alias of the signer's certificate; used to look up
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster the signer's public certificate when it is not
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster present in ds:KeyInfo
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the xml signature is verified, false otherwise
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if problem occurs during verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyXMLSignature(java.lang.String xmlString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (xmlString == null || xmlString.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("signXML: xmlString is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Document doc = XMLUtils.toDOMDocument(xmlString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return verifyXMLSignature(doc, idAttrName, certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("verifyXMLSignature Exception: ", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new XMLSignatureException(ex.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify the signature of a DOM Document
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc a DOM Document
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idAttrName Attribute name for the id attribute
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias alias of the signer's certificate; used to look up
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster the signer's public certificate when it is not
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster present in ds:KeyInfo
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the xml signature is verified, false otherwise
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if problem occurs during verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyXMLSignature(Document doc,
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeper Element nscontext = org.apache.xml.security.utils.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster XMLUtils.createDSctx(doc,"ds",Constants.SignatureSpecNS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element sigElement = (Element) XPathAPI.selectSingleNode(doc,
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major refElement = (Element) XPathAPI.selectSingleNode(sigElement, "//ds:Reference[1]", nscontext);
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major String signedId = ((Element) sigElement.getParentNode()).getAttribute(idAttrName);
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major if (refUri == null || signedId == null || !refUri.substring(1).equals(signedId)) {
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major SAMLUtilsCommon.debug.error("Signature reference ID does not match with element ID");
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("uriNoMatchWithId"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster XMLSignature signature = new XMLSignature(sigElement, "");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new com.sun.identity.saml.xmlsig.OfflineResolver());
a42b587e0c12c51b3a8d90508064508d5abe13e8Peter Major doc.getDocumentElement().setIdAttribute(idAttrName, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // verify using public key
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
3dd14ff693adc8590cfb1cafb1365f2e394cf82cJon Thomas SAMLUtilsCommon.debug.warning("Could not find a KeyInfo and certAlias was not defined");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.message("Could not find a KeyInfo, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "try to use certAlias");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster PublicKey key = keystore.getPublicKey(certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("Could not find " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "public key based on certAlias to verify" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " signature");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("verifyXMLSignature Exception: ", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new XMLSignatureException(ex.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Get the real key provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return KeyProvider
 * Get the public key of the X509Certificate embedded in the KeyInfo.
 * @param doc the DOM document the KeyInfo belongs to
 * @param keyinfo KeyInfo
 * @return the PublicKey taken from the embedded certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected PublicKey getX509PublicKey(Document doc, KeyInfo keyinfo) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster StorageResolver storageResolver = new StorageResolver(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster keyinfo.registerInternalKeyResolver(new X509SKIResolver());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.message("Found X509Data" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " element in the KeyInfo");
//use the system property com.sun.identity.saml.checkcert
//(defined in AMConfig.properties) as a knob for checking the
//validity of the cert. When the knob is off, the keystore trust
//check below is skipped and the certificate carried in the message
//itself supplies the verification key, so only disable it where
//the caller establishes trust in the signer some other way.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // validate the X509Certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (keystore.getCertificateAlias(certificate)==null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error ("verifyXMLSignature:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " certificate is not trusted.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "untrustedCertificate"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "verifyXMLSignature:"+
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " certificate is trused.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Skip checking whether the"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster +" cert in the cert db.");
// NOTE(review): this branch obtains a public key without a certificate,
// so the keystore trust check in the X509Data branch does not apply to
// it; unless trust is established elsewhere, a signature made with a
// sender-chosen key would verify here. Confirm how this branch is reached
// before relying on it.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "getX509Certificate(KeyInfo) Exception: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Get the PublicKey embedded in the Security Token profile
80849398a45dca1fb917716907d6ec99be6222c2Peter Major * @param doc the document to be verified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return a PublicKey
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private PublicKey getWSSTokenProfilePublicKey(Document doc) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.message("getWSSTTokenProfilePublicKey:"+
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " entering");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (wsfVersion.equals(SOAPBindingConstants.WSF_11_VERSION)) ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element securityElement = (Element) doc.getDocumentElement().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getElementsByTagNameNS(wsseNS, SAMLConstants.TAG_SECURITY).
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeper Element nscontext = org.apache.xml.security.utils.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster XMLUtils.createDSctx(doc,"ds",Constants.SignatureSpecNS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element sigElement = (Element) XPathAPI.selectSingleNode(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element keyinfo = (Element) sigElement.getElementsByTagNameNS(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Constants.SignatureSpecNS, SAMLConstants.TAG_KEYINFO).item(0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element str = (Element) keyinfo.getElementsByTagNameNS(wsseNS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.TAG_SECURITYTOKENREFERENCE).item(0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element reference = (Element) keyinfo.getElementsByTagNameNS(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String id = reference.getAttribute(SAMLConstants.TAG_URI);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster XMLUtils.createDSctx(doc, SAMLConstants.PREFIX_WSU, wsuNS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.TAG_ID +"=\"" + id + "\"]", nscontext);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (n != null) { // X509 Security Token profile
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster pubKey = getPublicKey(getCertificate(certString, format));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else { // SAML Token profile
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster reference = (Element) XPathAPI.selectSingleNode(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.message("SAML Assertion = " +
// Each SAML statement carries a KeyInfo and they are expected to be
// identical, so only the first one is used.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster reference = (Element) reference.getElementsByTagNameNS(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "getWSSTokenProfilePublicKey:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " no KeyInfo found!");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("nullKeyInfo"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (x509Data !=null) { // Keyinfo constains certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster reference = (Element) x509Data.getChildNodes().item(0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String certString = x509Data.getChildNodes().item(0).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.message("certString = " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getPublicKey(getCertificate(certString, null));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else { // it should contains RSA/DSA key
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster pubKey = getPublicKeybyDSARSAkeyValue(doc, reference);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("getWSSTokenProfilePublicKey:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " unknow Security Token Reference");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "getWSSTokenProfilePublicKey Exception: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected PublicKey getPublicKeybyDSARSAkeyValue(Document doc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element dsaKey = (Element) reference.getElementsByTagNameNS(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (currentNode.getNodeType() == Node.ELEMENT_NODE) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Node sub = currentNode.getChildNodes().item(0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "errorObtainPK"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster DSAKeyValue dsaKeyValue = new DSAKeyValue(doc, p, q, g, y);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("errorObtainPK"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (currentNode.getNodeType() == Node.ELEMENT_NODE) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Node sub = currentNode.getChildNodes().item(0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "errorObtainPK"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.bundle.getString("errorObtainPK"));
 * Get the X509Certificate from an encoded certificate string.
 * @param certString BASE64 or PKCS7 encoded certificate string
 * @param format encoding format; <code>SAMLConstants.TAG_PKCS7</code>
 *        selects PKCS7 parsing, anything else is parsed as a single
 *        X.509 (v3) certificate
 * @return a X509Certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected X509Certificate getCertificate(String certString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.message("getCertificate(Assertion) : " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster CertificateFactory cf = CertificateFactory.getInstance("X.509");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ByteArrayInputStream bais = new ByteArrayInputStream(barr);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster format.equals(SAMLConstants.TAG_PKCS7)) { // PKCS7 format
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster while (i.hasNext()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster cert = (java.security.cert.X509Certificate) i.next();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else { //X509:v3 format
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtilsCommon.debug.error("getCertificate Exception: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the public key from the certificate embedded in the KeyInfo.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param cert X509 Certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return a public key from the certificate embedded in the KeyInfo.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected PublicKey getPublicKey(X509Certificate cert) {
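/**
 * Checks whether a SignatureMethod algorithm URI taken from an incoming
 * signature is on the allow-list this provider will verify.
 *
 * <p>The URI comes from the (as yet unverified) document, so this is a
 * security gate rather than a convenience check: anything not listed here
 * must be rejected before the signature value is checked.
 *
 * <p>HMAC-MD5 ({@code ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5}) is no longer
 * accepted: MD5 is broken and the constant itself is flagged as not
 * recommended. The SHA-1 based algorithms (RSA-SHA1, DSA, HMAC-SHA1) and
 * RIPEMD-160 are still accepted for interoperability with older peers;
 * prefer the SHA-2 variants and consider retiring these as well.
 *
 * @param algorithm the algorithm URI from {@code ds:SignatureMethod}
 * @return {@code true} if the algorithm is allowed, {@code false} otherwise
 *         (including when {@code algorithm} is {@code null})
 */
protected boolean isValidAlgorithm(String algorithm) {
    // A missing algorithm is a malformed signature, not an NPE.
    if (algorithm == null) {
        return false;
    }
    return algorithm.equals(SAMLConstants.ALGO_ID_MAC_HMAC_SHA1)
        || algorithm.equals(SAMLConstants.ALGO_ID_SIGNATURE_DSA)
        || algorithm.equals(SAMLConstants.ALGO_ID_SIGNATURE_RSA)
        || algorithm.equals(SAMLConstants.ALGO_ID_SIGNATURE_RSA_SHA1)
        || algorithm.equals(SAMLConstants.ALGO_ID_SIGNATURE_RSA_RIPEMD160)
        || algorithm.equals(SAMLConstants.ALGO_ID_SIGNATURE_RSA_SHA256)
        || algorithm.equals(SAMLConstants.ALGO_ID_SIGNATURE_RSA_SHA384)
        || algorithm.equals(SAMLConstants.ALGO_ID_SIGNATURE_RSA_SHA512)
        || algorithm.equals(SAMLConstants.ALGO_ID_MAC_HMAC_RIPEMD160)
        || algorithm.equals(SAMLConstants.ALGO_ID_MAC_HMAC_SHA256)
        || algorithm.equals(SAMLConstants.ALGO_ID_MAC_HMAC_SHA384)
        || algorithm.equals(SAMLConstants.ALGO_ID_MAC_HMAC_SHA512);
}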
/**
 * Checks whether a CanonicalizationMethod URI is one of the four standard
 * XML-C14N variants (inclusive / exclusive, with / without comments) that
 * this provider accepts.
 *
 * @param algorithm the algorithm URI from {@code ds:CanonicalizationMethod}
 * @return {@code true} if the URI is one of the accepted C14N algorithms
 */
private boolean isValidCanonicalizationMethod(String algorithm) {
    String[] accepted = {
        SAMLConstants.ALGO_ID_C14N_OMIT_COMMENTS,
        SAMLConstants.ALGO_ID_C14N_WITH_COMMENTS,
        SAMLConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS,
        SAMLConstants.ALGO_ID_C14N_EXCL_WITH_COMMENTS,
    };
    for (String candidate : accepted) {
        if (algorithm.equals(candidate)) {
            return true;
        }
    }
    return false;
}
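/**
 * Checks whether a Transform algorithm URI found in a {@code ds:Reference}
 * is on the allow-list this provider will apply while verifying.
 *
 * <p>The transform list is taken from the unverified document, so every
 * transform accepted here runs on sender-supplied input before the
 * signature is known to be good. {@code TRANSFORM_XSLT} has been removed
 * from the list: an XSLT transform lets the sender execute an arbitrary
 * stylesheet inside the verifier, which is why Apache Santuario's
 * secure-validation mode also rejects it. The XPath, XPath Filter 2 and
 * XPointer transforms are kept for compatibility but can be expensive to
 * evaluate; if no peer relies on them, dropping them too shrinks the
 * attack surface further.
 *
 * @param algorithm the algorithm URI from {@code ds:Transform}
 * @return {@code true} if the transform is allowed, {@code false} otherwise
 *         (including when {@code algorithm} is {@code null})
 */
private boolean isValidTransformAlgorithm(String algorithm) {
    // A missing algorithm is a malformed reference, not an NPE.
    if (algorithm == null) {
        return false;
    }
    return algorithm.equals(SAMLConstants.TRANSFORM_C14N_OMIT_COMMENTS)
        || algorithm.equals(SAMLConstants.TRANSFORM_C14N_WITH_COMMENTS)
        || algorithm.equals(SAMLConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS)
        || algorithm.equals(SAMLConstants.TRANSFORM_C14N_EXCL_WITH_COMMENTS)
        || algorithm.equals(SAMLConstants.TRANSFORM_BASE64_DECODE)
        || algorithm.equals(SAMLConstants.TRANSFORM_XPATH)
        || algorithm.equals(SAMLConstants.TRANSFORM_ENVELOPED_SIGNATURE)
        || algorithm.equals(SAMLConstants.TRANSFORM_XPOINTER)
        || algorithm.equals(SAMLConstants.TRANSFORM_XPATH2FILTER04)
        || algorithm.equals(SAMLConstants.TRANSFORM_XPATH2FILTER)
        || algorithm.equals(SAMLConstants.TRANSFORM_XPATHFILTERCHGP);
}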
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private String getKeyAlgorithm(PrivateKey pk) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (defaultSigAlg != null && !defaultSigAlg.equals("")) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (pk.getAlgorithm().equalsIgnoreCase("DSA")) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAMLConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
 * Signs the parts of the XML document referred to by the supplied list
 * of id attribute values.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param cert Signer's certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertionID assertion ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ids list of id attribute values of nodes to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return SAML Security Token signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
 * Signs the parts of the XML document referred to by the supplied list
 * of id attribute values, using a SAML Token.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param key the key that will be used to sign the document.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param symmetricKey true if the supplied key is a symmetric key type.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sigingCert signer's Certificate. If present, this certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * will be added as part of signature <code>KeyInfo</code>.
 * @param encryptCert the certificate which, if present, is used to encrypt
 *        the symmetric key so that it can be carried as part of <code>KeyInfo</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertionID assertion ID for the SAML Security Token
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ids list of id attribute values of nodes to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return SAML Security Token signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public org.w3c.dom.Element signWithKerberosToken(
 * Signs the parts of the XML document referred to by the supplied list
 * of id attribute values.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param cert Signer's certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ids list of id attribute values of nodes to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return X509 Security Token signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public org.w3c.dom.Element signWithUserNameToken(
 * Signs the parts of the XML document referred to by the supplied list
 * of id attribute values.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doc XML dom object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param cert Signer's certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param algorithm XML signature algorithm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ids list of id attribute values of nodes to be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param referenceType signed element reference type
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return X509 Security Token signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if the document could not be signed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public org.w3c.dom.Element signWithBinarySecurityToken(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify all the signatures of the XML document for the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * web services security.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param document XML dom document whose signature to be verified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias alias for Signer's certificate, this is used to search
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * signer's public certificate if it is not presented in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>ds:KeyInfo</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the XML signature is verified, false otherwise
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws XMLSignatureException if problem occurs during verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyWSSSignature(org.w3c.dom.Document document,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify web services message signature using specified key
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param document the document to be validated
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param key the secret key to be used for validating signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if verification is successful.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws com.sun.identity.saml.xmlsig.XMLSignatureException
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyWSSSignature(org.w3c.dom.Document document,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Verify web services message signature using specified key
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param document the document to be validated
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param key the secret key to be used for validating signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias the certificate alias used for validating the signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * if the key is not available.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param encryptAlias the certificate alias that may be used to decrypt
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the symmetric key that may be part of <code>KeyInfo</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if verification is successful.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws com.sun.identity.saml.xmlsig.XMLSignatureException
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean verifyWSSSignature(org.w3c.dom.Document document,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Return algorithm URI for the given algorithm.