
Example 1 with X509Data

use of javax.xml.crypto.dsig.keyinfo.X509Data in project OpenAttestation by OpenAttestation.

the class SamlUtil method verifySAMLSignature.

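/**
 * Seeks out the signature element in the given tree, validates it, and
 * then checks that a certificate carried in the signature's KeyInfo is
 * one of the supplied trusted signers.
 *
 * <p>The order is deliberate: the signature must be cryptographically
 * valid before any certificate found in the KeyInfo (which is part of
 * the untrusted document) is looked at. Returning true on a certificate
 * match alone would accept a document whose signature is broken or
 * forged as long as it embeds a known certificate.
 *
 * <p>NOTE(review): the key used for validation is chosen by
 * {@code KeyValueKeySelector}, not taken from the matched certificate.
 * Confirm that the selector only yields keys belonging to
 * {@code trustedSigners}; otherwise a valid signature made with some
 * other key is not bound to the certificate that passes the trust check.
 *
 * @param target root of the DOM tree that contains the ds:Signature element
 * @param trustedSigners certificates that identify known signers, compared
 *        with {@code equals()}; {@code null} is treated as an empty set
 * @return true if the signature validates and the signer's certificate is
 *         one of {@code trustedSigners}; false otherwise
 * @throws IllegalArgumentException if no ds:Signature element is present
 * @throws MarshalException if the signature cannot be unmarshalled
 * @throws XMLSignatureException if validation itself fails with an error
 * @throws KeyStoreException retained in the signature for existing callers
 */
public boolean verifySAMLSignature(Element target, X509Certificate[] trustedSigners) throws MarshalException, XMLSignatureException, KeyStoreException {
    // Validate the signature -- i.e. SAML object is pristine:
    NodeList nl = target.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    if (nl.getLength() == 0) {
        throw new IllegalArgumentException("Cannot find Signature element");
    }
    DOMValidateContext context = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0));
    // MarshalException
    XMLSignature signature = factory.unmarshalXMLSignature(context);
    // Validate exactly once; this result gates everything that follows.
    boolean valid = signature.validate(context);
    log.debug("signature.validate(context): " + valid);
    if (!valid) {
        // XMLSignatureException
        log.warn("XML signature is not valid");
        return false;
    }
    // Find a trusted cert -- i.e. the signer is actually someone we trust:
    if (isTrustedSigner(signature, trustedSigners)) {
        return true;
    }
    log.warn("Signature was valid, but signer was not known.");
    return false;
}

/**
 * Returns true if any X509Certificate inside the signature's KeyInfo
 * equals one of the trusted signers. A signature without KeyInfo, or an
 * absent trusted set, never matches.
 */
private boolean isTrustedSigner(XMLSignature signature, X509Certificate[] trustedSigners) {
    if (signature.getKeyInfo() == null || trustedSigners == null) {
        return false;
    }
    for (Object keyInfoItem : signature.getKeyInfo().getContent()) {
        if (!(keyInfoItem instanceof X509Data)) {
            continue;
        }
        for (Object x509Item : ((X509Data) keyInfoItem).getContent()) {
            if (!(x509Item instanceof X509Certificate)) {
                continue;
            }
            X509Certificate theirCert = (X509Certificate) x509Item;
            log.debug("Found X509 certificate in XML: {}", theirCert.getSubjectX500Principal().getName());
            for (X509Certificate ourCert : trustedSigners) {
                if (ourCert.equals(theirCert)) {
                    log.debug("Bingo!! match for cert: " + ourCert.getSubjectX500Principal().getName());
                    return true;
                }
                log.info("No match for cert: " + ourCert.getSubjectX500Principal().getName());
            }
        }
    }
    return false;
}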

Example 2 with X509Data

use of javax.xml.crypto.dsig.keyinfo.X509Data in project poi by apache.

the class KeyInfoKeySelector method select.

/**
 * Collects every X.509 certificate found in the ds:X509Data entries of
 * the given KeyInfo into {@code certChain}, replacing its previous contents.
 *
 * <p>This selector only gathers certificates; it performs no trust
 * evaluation of them here, and {@code purpose}, {@code method} and
 * {@code context} are not consulted.
 *
 * @return this selector, which doubles as the KeySelectorResult
 * @throws KeySelectorException if keyInfo is null or carries no certificate
 */
@SuppressWarnings("unchecked")
@Override
public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException {
    LOG.log(POILogger.DEBUG, "select key");
    if (keyInfo == null) {
        throw new KeySelectorException("no ds:KeyInfo present");
    }
    certChain.clear();
    List<XMLStructure> entries = keyInfo.getContent();
    for (XMLStructure entry : entries) {
        if (entry instanceof X509Data) {
            collectCertificates((X509Data) entry);
        }
    }
    if (certChain.isEmpty()) {
        throw new KeySelectorException("No key found!");
    }
    return this;
}

/** Appends each X509Certificate item of the X509Data to certChain, in document order. */
private void collectCertificates(X509Data x509Data) {
    for (Object item : x509Data.getContent()) {
        if (item instanceof X509Certificate) {
            X509Certificate certificate = (X509Certificate) item;
            LOG.log(POILogger.DEBUG, "certificate", certificate.getSubjectX500Principal());
            certChain.add(certificate);
        }
    }
}

Example 3 with X509Data

use of javax.xml.crypto.dsig.keyinfo.X509Data in project poi by apache.

the class KeyInfoSignatureFacet method postSign.

/**
 * Builds the ds:KeyInfo element for the signature and places it directly
 * after ds:SignatureValue, i.e. in front of the first ds:Object element
 * when the document has one.
 *
 * <p>The KeyInfo content follows {@code signatureConfig}: an optional
 * ds:KeyValue for the signing key first, then a ds:X509Data holding an
 * optional X509IssuerSerial plus either the whole configured certificate
 * chain or only the signing certificate (the first entry of that chain).
 *
 * <p>Marshalling goes through the implementation class DOMKeyInfo, which
 * appends the element under the document root; with a ds:Object present
 * the element is then moved in front of it.
 *
 * @param document the document that already holds the signature
 * @throws MarshalException if the KeyInfo cannot be marshalled
 * @throws RuntimeException if the public key cannot be wrapped in a
 *         KeyValue, or if exactly one marshalled KeyInfo is not found
 */
@Override
public void postSign(Document document) throws MarshalException {
    LOG.log(POILogger.DEBUG, "postSign");
    NodeList objectNodes = document.getElementsByTagNameNS(XML_DIGSIG_NS, "Object");
    /*
     * Make sure we insert right after the ds:SignatureValue element, just
     * before the first ds:Object element.
     */
    Node insertionPoint = (objectNodes.getLength() == 0) ? null : objectNodes.item(0);
    /*
     * Construct the ds:KeyInfo element using JSR 105.
     */
    KeyInfoFactory keyInfoFactory = signatureConfig.getKeyInfoFactory();
    X509Certificate signingCertificate = signatureConfig.getSigningCertificateChain().get(0);
    List<XMLStructure> keyInfoContent = new ArrayList<XMLStructure>();
    if (signatureConfig.isIncludeKeyValue()) {
        keyInfoContent.add(newKeyValue(keyInfoFactory, signingCertificate));
    }
    List<Object> x509DataObjects = collectX509DataObjects(keyInfoFactory, signingCertificate);
    if (!x509DataObjects.isEmpty()) {
        keyInfoContent.add(keyInfoFactory.newX509Data(x509DataObjects));
    }
    DOMKeyInfo domKeyInfo = (DOMKeyInfo) keyInfoFactory.newKeyInfo(keyInfoContent);
    Element root = document.getDocumentElement();
    DOMSignContext domSignContext = (insertionPoint == null)
            ? new DOMSignContext(placeholderKey(), root)
            : new DOMSignContext(placeholderKey(), root, insertionPoint);
    for (Map.Entry<String, String> prefix : signatureConfig.getNamespacePrefixes().entrySet()) {
        domSignContext.putNamespacePrefix(prefix.getKey(), prefix.getValue());
    }
    domKeyInfo.marshal(new DOMStructure(root), domSignContext);
    // move keyinfo into the right place
    if (insertionPoint != null) {
        NodeList keyInfoNodes = document.getElementsByTagNameNS(XML_DIGSIG_NS, "KeyInfo");
        if (keyInfoNodes.getLength() != 1) {
            throw new RuntimeException("KeyInfo wasn't set");
        }
        insertionPoint.getParentNode().insertBefore(keyInfoNodes.item(0), insertionPoint);
    }
}

/** Wraps the certificate's public key in a ds:KeyValue; a KeyException is rethrown unchecked with its cause kept. */
private static KeyValue newKeyValue(KeyInfoFactory keyInfoFactory, X509Certificate signingCertificate) {
    try {
        return keyInfoFactory.newKeyValue(signingCertificate.getPublicKey());
    } catch (KeyException e) {
        throw new RuntimeException("key exception: " + e.getMessage(), e);
    }
}

/**
 * Assembles the ds:X509Data children in order: the optional IssuerSerial,
 * then either the entire configured chain or just the signing certificate.
 */
private List<Object> collectX509DataObjects(KeyInfoFactory keyInfoFactory, X509Certificate signingCertificate) {
    List<Object> x509DataObjects = new ArrayList<Object>();
    if (signatureConfig.isIncludeIssuerSerial()) {
        x509DataObjects.add(keyInfoFactory.newX509IssuerSerial(signingCertificate.getIssuerX500Principal().toString(), signingCertificate.getSerialNumber()));
    }
    if (signatureConfig.isIncludeEntireCertificateChain()) {
        x509DataObjects.addAll(signatureConfig.getSigningCertificateChain());
    } else {
        x509DataObjects.add(signingCertificate);
    }
    return x509DataObjects;
}

/** A Key required by the DOMSignContext constructors; every accessor returns null. */
private static Key placeholderKey() {
    return new Key() {

        private static final long serialVersionUID = 1L;

        public String getAlgorithm() {
            return null;
        }

        public byte[] getEncoded() {
            return null;
        }

        public String getFormat() {
            return null;
        }
    };
}

Example 4 with X509Data

use of javax.xml.crypto.dsig.keyinfo.X509Data in project camel by apache.

the class DefaultKeyAccessor method createKeyInfo.

/**
 * Wraps this accessor's certificate chain in a ds:KeyInfo.
 *
 * @param kif factory used to build the KeyInfo structures
 * @return a KeyInfo whose only child is an X509Data carrying the whole
 *         chain, with a fresh random Id prefixed by "_"; null when no
 *         chain is available
 * @throws Exception whatever getCertificateChain() propagates
 */
private KeyInfo createKeyInfo(KeyInfoFactory kif) throws Exception {
    X509Certificate[] certificates = getCertificateChain();
    if (certificates == null) {
        return null;
    }
    X509Data x509Data = kif.newX509Data(Arrays.asList(certificates));
    // Leading "_" presumably keeps the Id a valid NCName even when the UUID starts with a digit.
    String keyInfoId = "_" + UUID.randomUUID();
    return kif.newKeyInfo(Collections.singletonList(x509Data), keyInfoId);
}

Example 5 with X509Data

use of javax.xml.crypto.dsig.keyinfo.X509Data in project jdk8u_jdk by JetBrains.

the class DOMX509Data method equals.

/**
 * Compares this X509Data with another by content, item by item.
 *
 * <p>Any X509Data implementation is accepted, not only DOMX509Data. The
 * two are equal when their content lists have the same size and every
 * pair of items at the same index is equal: byte[] items (the API's
 * representation of X509SKI values) are compared by value, all other
 * items through equals().
 *
 * @param o the object to compare with
 * @return true if o is an X509Data with equal content
 */
@Override
public boolean equals(Object o) {
    if (o == this) {
        return true;
    }
    if (!(o instanceof X509Data)) {
        return false;
    }
    @SuppressWarnings("unchecked")
    List<Object> otherContent = ((X509Data) o).getContent();
    if (content.size() != otherContent.size()) {
        return false;
    }
    for (int i = 0, n = content.size(); i < n; i++) {
        if (!itemsEqual(content.get(i), otherContent.get(i))) {
            return false;
        }
    }
    return true;
}

/** Byte arrays are compared by value; everything else delegates to equals(). */
private static boolean itemsEqual(Object mine, Object theirs) {
    if (mine instanceof byte[]) {
        return theirs instanceof byte[] && Arrays.equals((byte[]) mine, (byte[]) theirs);
    }
    return mine.equals(theirs);
}
