use of javax.xml.crypto.dsig.XMLSignature in project OpenAttestation by OpenAttestation.
the class SAMLSignature method signSAMLObject.
/**
* Adds an enveloped signature to the given element. Then moves the
* signature element so that it is in the correct position according to the
* SAML assertion and protocol schema: it must immediately follow any Issuer
* and precede everything else.
*/
public void signSAMLObject(Element target) throws GeneralSecurityException, XMLSignatureException, MarshalException {
Reference ref = factory.newReference("#" + target.getAttribute("ID"), factory.newDigestMethod(DigestMethod.SHA1, null), Collections.singletonList(factory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
SignedInfo signedInfo = factory.newSignedInfo(factory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS, (C14NMethodParameterSpec) null), factory.newSignatureMethod(SignatureMethod.RSA_SHA1, null), Collections.singletonList(ref));
XMLSignature signature = factory.newXMLSignature(signedInfo, keyInfo);
DOMSignContext signContext = new DOMSignContext(keyPair.getPrivate(), target);
signature.sign(signContext);
// For the result to be schema-valid, we have to move the signature
// element from its place at the end of the child list to live
// between Issuer and Subject elements. So, deep breath, and:
Node signatureElement = target.getLastChild();
boolean foundIssuer = false;
Node elementAfterIssuer = null;
NodeList children = target.getChildNodes();
for (int c = 0; c < children.getLength(); ++c) {
Node child = children.item(c);
if (foundIssuer) {
elementAfterIssuer = child;
break;
}
if (child.getNodeType() == Node.ELEMENT_NODE && child.getLocalName().equals("Issuer")) {
foundIssuer = true;
}
}
// Place after the Issuer, or as first element if no Issuer:
if (!foundIssuer || elementAfterIssuer != null) {
target.removeChild(signatureElement);
target.insertBefore(signatureElement, foundIssuer ? elementAfterIssuer : target.getFirstChild());
}
}
use of javax.xml.crypto.dsig.XMLSignature in project poi by apache.
the class SignatureInfo method preSign.
/**
* Helper method for adding informations before the signing.
* Normally {@link #confirmSignature()} is sufficient to be used.
*/
@SuppressWarnings("unchecked")
public DigestInfo preSign(Document document, List<DigestInfo> digestInfos) throws XMLSignatureException, MarshalException {
signatureConfig.init(false);
// it's necessary to explicitly set the mdssi namespace, but the sign() method has no
// normal way to interfere with, so we need to add the namespace under the hand ...
EventTarget target = (EventTarget) document;
EventListener creationListener = signatureConfig.getSignatureMarshalListener();
if (creationListener != null) {
if (creationListener instanceof SignatureMarshalListener) {
((SignatureMarshalListener) creationListener).setEventTarget(target);
}
SignatureMarshalListener.setListener(target, creationListener, true);
}
/*
* Signature context construction.
*/
XMLSignContext xmlSignContext = new DOMSignContext(signatureConfig.getKey(), document);
URIDereferencer uriDereferencer = signatureConfig.getUriDereferencer();
if (null != uriDereferencer) {
xmlSignContext.setURIDereferencer(uriDereferencer);
}
for (Map.Entry<String, String> me : signatureConfig.getNamespacePrefixes().entrySet()) {
xmlSignContext.putNamespacePrefix(me.getKey(), me.getValue());
}
xmlSignContext.setDefaultNamespacePrefix("");
// signatureConfig.getNamespacePrefixes().get(XML_DIGSIG_NS));
brokenJvmWorkaround(xmlSignContext);
XMLSignatureFactory signatureFactory = signatureConfig.getSignatureFactory();
/*
* Add ds:References that come from signing client local files.
*/
List<Reference> references = new ArrayList<Reference>();
for (DigestInfo digestInfo : safe(digestInfos)) {
byte[] documentDigestValue = digestInfo.digestValue;
String uri = new File(digestInfo.description).getName();
Reference reference = SignatureFacet.newReference(uri, null, null, null, documentDigestValue, signatureConfig);
references.add(reference);
}
/*
* Invoke the signature facets.
*/
List<XMLObject> objects = new ArrayList<XMLObject>();
for (SignatureFacet signatureFacet : signatureConfig.getSignatureFacets()) {
LOG.log(POILogger.DEBUG, "invoking signature facet: " + signatureFacet.getClass().getSimpleName());
signatureFacet.preSign(document, references, objects);
}
/*
* ds:SignedInfo
*/
SignedInfo signedInfo;
try {
SignatureMethod signatureMethod = signatureFactory.newSignatureMethod(signatureConfig.getSignatureMethodUri(), null);
CanonicalizationMethod canonicalizationMethod = signatureFactory.newCanonicalizationMethod(signatureConfig.getCanonicalizationMethod(), (C14NMethodParameterSpec) null);
signedInfo = signatureFactory.newSignedInfo(canonicalizationMethod, signatureMethod, references);
} catch (GeneralSecurityException e) {
throw new XMLSignatureException(e);
}
/*
* JSR105 ds:Signature creation
*/
String signatureValueId = signatureConfig.getPackageSignatureId() + "-signature-value";
javax.xml.crypto.dsig.XMLSignature xmlSignature = signatureFactory.newXMLSignature(signedInfo, null, objects, signatureConfig.getPackageSignatureId(), signatureValueId);
/*
* ds:Signature Marshalling.
*/
xmlSignature.sign(xmlSignContext);
/*
* Completion of undigested ds:References in the ds:Manifests.
*/
for (XMLObject object : objects) {
LOG.log(POILogger.DEBUG, "object java type: " + object.getClass().getName());
List<XMLStructure> objectContentList = object.getContent();
for (XMLStructure objectContent : objectContentList) {
LOG.log(POILogger.DEBUG, "object content java type: " + objectContent.getClass().getName());
if (!(objectContent instanceof Manifest))
continue;
Manifest manifest = (Manifest) objectContent;
List<Reference> manifestReferences = manifest.getReferences();
for (Reference manifestReference : manifestReferences) {
if (manifestReference.getDigestValue() != null)
continue;
DOMReference manifestDOMReference = (DOMReference) manifestReference;
manifestDOMReference.digest(xmlSignContext);
}
}
}
/*
* Completion of undigested ds:References.
*/
List<Reference> signedInfoReferences = signedInfo.getReferences();
for (Reference signedInfoReference : signedInfoReferences) {
DOMReference domReference = (DOMReference) signedInfoReference;
// ds:Reference with external digest value
if (domReference.getDigestValue() != null)
continue;
domReference.digest(xmlSignContext);
}
/*
* Calculation of XML signature digest value.
*/
DOMSignedInfo domSignedInfo = (DOMSignedInfo) signedInfo;
ByteArrayOutputStream dataStream = new ByteArrayOutputStream();
domSignedInfo.canonicalize(xmlSignContext, dataStream);
byte[] octets = dataStream.toByteArray();
/*
* TODO: we could be using DigestOutputStream here to optimize memory
* usage.
*/
MessageDigest md = CryptoFunctions.getMessageDigest(signatureConfig.getDigestAlgo());
byte[] digestValue = md.digest(octets);
String description = signatureConfig.getSignatureDescription();
return new DigestInfo(digestValue, signatureConfig.getDigestAlgo(), description);
}
use of javax.xml.crypto.dsig.XMLSignature in project testcases by coheigea.
the class SignatureJSR105EnvelopedTest method testSignatureUsingJSR105.
// Sign + Verify an XML Document using the JSR-105 API
@org.junit.Test
public void testSignatureUsingJSR105() throws Exception {
// Read in plaintext document
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("plaintext.xml");
DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
Document document = builder.parse(sourceDocument);
// Set up the Key
KeyStore keyStore = KeyStore.getInstance("jks");
keyStore.load(this.getClass().getClassLoader().getResource("clientstore.jks").openStream(), "cspass".toCharArray());
Key key = keyStore.getKey("myclientkey", "ckpass".toCharArray());
X509Certificate cert = (X509Certificate) keyStore.getCertificate("myclientkey");
String signatureId = "_" + UUID.randomUUID().toString();
String signaturePropertyId = "_" + UUID.randomUUID().toString();
// Sign using DOM
XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance("DOM");
CanonicalizationMethod c14nMethod = signatureFactory.newCanonicalizationMethod("http://www.w3.org/2001/10/xml-exc-c14n#", (C14NMethodParameterSpec) null);
KeyInfoFactory keyInfoFactory = signatureFactory.getKeyInfoFactory();
X509Data x509Data = keyInfoFactory.newX509Data(Collections.singletonList(cert));
javax.xml.crypto.dsig.keyinfo.KeyInfo keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(x509Data));
SignatureMethod signatureMethod = signatureFactory.newSignatureMethod("http://www.w3.org/2000/09/xmldsig#rsa-sha1", null);
Transform transform = signatureFactory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null);
DigestMethod digestMethod = signatureFactory.newDigestMethod("http://www.w3.org/2000/09/xmldsig#sha1", null);
Reference reference = signatureFactory.newReference("", digestMethod, Collections.singletonList(transform), null, null);
Transform objectTransform = signatureFactory.newTransform("http://www.w3.org/2001/10/xml-exc-c14n#", (TransformParameterSpec) null);
Reference objectReference = signatureFactory.newReference("#" + signaturePropertyId, digestMethod, Collections.singletonList(objectTransform), "http://www.w3.org/2000/09/xmldsig#SignatureProperties", null);
List<Reference> references = new ArrayList<>();
references.add(reference);
references.add(objectReference);
SignedInfo signedInfo = signatureFactory.newSignedInfo(c14nMethod, signatureMethod, references);
// Add a SignatureProperty containing a Timestamp
Element timestamp = document.createElementNS(null, "Timestamp");
timestamp.setTextContent(new Date().toString());
XMLStructure content = new DOMStructure(timestamp);
SignatureProperty signatureProperty = signatureFactory.newSignatureProperty(Collections.singletonList(content), "#" + signatureId, signaturePropertyId);
SignatureProperties signatureProperties = signatureFactory.newSignatureProperties(Collections.singletonList(signatureProperty), null);
XMLObject object = signatureFactory.newXMLObject(Collections.singletonList(signatureProperties), null, null, null);
XMLSignature sig = signatureFactory.newXMLSignature(signedInfo, keyInfo, Collections.singletonList(object), signatureId, null);
XMLSignContext signContext = new DOMSignContext(key, document.getDocumentElement());
sig.sign(signContext);
// XMLUtils.outputDOM(document, System.out);
// Verify using JSR-105
// Find the Signature Element
Element sigElement = SignatureUtils.getSignatureElement(document);
Assert.assertNotNull(sigElement);
XMLValidateContext context = new DOMValidateContext(cert.getPublicKey(), sigElement);
context.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
context.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
context.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
signatureFactory = XMLSignatureFactory.getInstance("DOM");
XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
// Check the Signature value
Assert.assertTrue(xmlSignature.validate(context));
// First find the Timestamp
SignatureProperty timestampSignatureProperty = getTimestampSignatureProperty(xmlSignature);
assertNotNull(timestampSignatureProperty);
// Check that what was signed is what we expected to be signed.
boolean foundEnvelopedSig = false;
boolean foundSignedTimestamp = false;
for (Object refObject : signedInfo.getReferences()) {
Reference ref = (Reference) refObject;
if ("".equals(ref.getURI())) {
List<Transform> transforms = (List<Transform>) ref.getTransforms();
if (transforms != null && transforms.stream().anyMatch(t -> t.getAlgorithm().equals(Transform.ENVELOPED))) {
foundEnvelopedSig = true;
}
} else if ("http://www.w3.org/2000/09/xmldsig#SignatureProperties".equals(ref.getType()) && ref.getURI().equals("#" + timestampSignatureProperty.getId())) {
// Found matching SignatureProperties Object
// Now validate Timestamp
validateTimestamp(signatureProperty, cert);
foundSignedTimestamp = true;
}
}
assertEquals(sigElement.getParentNode(), document.getDocumentElement());
assertTrue(foundEnvelopedSig);
assertTrue(foundSignedTimestamp);
}
use of javax.xml.crypto.dsig.XMLSignature in project OpenOLAT by OpenOLAT.
the class XMLDigitalSignatureUtil method signDetached.
/**
* Create a separate XML file with the XML Digital Signature.
*
* of the specified XML file.
* @param xmlFile The XML File to sign
* @param outputSignatureFile Where the Digital Signature is saved
* @param signatureDoc A DOM which hold the signature (optional but if you give one, the root element must exists)
* @throws ParserConfigurationException
* @throws GeneralSecurityException
* @throws NoSuchAlgorithmException
* @throws XMLSignatureException
* @throws MarshalException
* @throws TransformerException
*/
public static void signDetached(String uri, File xmlFile, File outputSignatureFile, Document signatureDoc, String keyName, X509Certificate x509Cert, PrivateKey privateKey) throws IOException, SAXException, ParserConfigurationException, NoSuchAlgorithmException, GeneralSecurityException, MarshalException, XMLSignatureException, TransformerException {
Document doc = getDocument(xmlFile);
// Create the signature factory for creating the signature.
XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM");
List<Transform> transforms = new ArrayList<Transform>();
// Transform envelopped = sigFactory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null);
// transforms.add(envelopped);
// Create the canonicalization transform to be applied after the XSLT.
CanonicalizationMethod c14n = sigFactory.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null);
transforms.add(c14n);
// Create the Reference to the XML to be signed specifying the hash algorithm to be used
// and the list of transforms to apply. Also specify the XML to be signed as the current
// document (specified by the first parameter being an empty string).
Reference reference = sigFactory.newReference(uri, sigFactory.newDigestMethod(DigestMethod.SHA256, null), transforms, null, null);
// Create the Signed Info node of the signature by specifying the canonicalization method
// to use (INCLUSIVE), the signing method (RSA_SHA1), and the Reference node to be signed.
SignedInfo si = sigFactory.newSignedInfo(c14n, sigFactory.newSignatureMethod(SignatureMethod.RSA_SHA1, null), Collections.singletonList(reference));
// Create the KeyInfo node containing the public key information to include in the signature.
KeyInfoFactory kif = sigFactory.getKeyInfoFactory();
X509Data xd = kif.newX509Data(Collections.singletonList(x509Cert));
List<Object> keyInfoList = new ArrayList<>();
if (StringHelper.containsNonWhitespace(keyName)) {
keyInfoList.add(kif.newKeyName(keyName));
}
keyInfoList.add(xd);
KeyInfo ki = kif.newKeyInfo(keyInfoList);
// Get the node to attach the signature.
Node signatureInfoNode = doc.getDocumentElement();
// Create a signing context using the private key.
DOMSignContext dsc = new DOMSignContext(privateKey, signatureInfoNode);
dsc.setBaseURI(uri);
dsc.setURIDereferencer(new FileURIDereferencer(uri, xmlFile));
// Create the signature from the signing context and key info
XMLSignature signature = sigFactory.newXMLSignature(si, ki);
signature.sign(dsc);
NodeList nl = doc.getElementsByTagName("Signature");
if (nl.getLength() == 1) {
if (signatureDoc != null && signatureDoc.getDocumentElement() != null) {
Element rootEl = signatureDoc.getDocumentElement();
rootEl.appendChild(signatureDoc.importNode(nl.item(0), true));
write(rootEl, outputSignatureFile);
} else {
write(nl.item(0), outputSignatureFile);
}
}
}
use of javax.xml.crypto.dsig.XMLSignature in project OpenOLAT by OpenOLAT.
the class XMLDigitalSignatureUtil method validate.
public static boolean validate(File signedXmlFile, PublicKey publicKey) throws ParserConfigurationException, SAXException, IOException, MarshalException, XMLSignatureException {
Document doc = getDocument(signedXmlFile);
NodeList nl = doc.getElementsByTagName("Signature");
if (nl.getLength() == 0) {
return false;
}
DOMValidateContext validContext = new DOMValidateContext(publicKey, nl.item(0));
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
XMLSignature signature = fac.unmarshalXMLSignature(validContext);
boolean validFlag = signature.validate(validContext);
if (!validFlag) {
// log and throw if not valid
boolean sv = signature.getSignatureValue().validate(validContext);
String msg = "signature validation status: " + sv;
int numOfReferences = signature.getSignedInfo().getReferences().size();
for (int j = 0; j < numOfReferences; j++) {
Reference ref = (Reference) signature.getSignedInfo().getReferences().get(j);
boolean refValid = ref.validate(validContext);
msg += " ref[" + j + "] validity status: " + refValid;
}
log.warn(msg);
}
return validFlag;
}
Aggregations