use of org.apache.xml.security.keys.content.X509Data in project OpenAM by OpenRock.
the class KeyInfoFactoryImpl method generatePublicKeyInfo.
/*
This method modeled after the example here:
https://svn.apache.org/repos/asf/santuario/xml-security-java/trunk/samples/org/apache/xml/security/samples/keys/CreateKeyInfo.java

Builds a ds:KeyInfo element carrying the recipient's certificate inside a
ds:X509Data child. The element is created in a brand-new document obtained from
xmlUtilities.newSafeDocument(...) (validation flag taken from XMLUtils.isValidating())
and appended to that document as its root before being returned.

@param recipientCert certificate to embed as a ds:X509Certificate
@return the populated ds:KeyInfo element (owned by the freshly created document)
@throws ParserConfigurationException if the document cannot be created
@throws XMLSecurityException if the Santuario KeyInfo/X509Data structures cannot be built
*/
@Override
public Element generatePublicKeyInfo(X509Certificate recipientCert) throws ParserConfigurationException, XMLSecurityException {
    final Document doc = xmlUtilities.newSafeDocument(XMLUtils.isValidating());
    final KeyInfo info = new KeyInfo(doc);
    final Element keyInfoElement = info.getElement();
    // The KeyInfo becomes the document root so it has a proper owner.
    doc.appendChild(keyInfoElement);

    final X509Data certHolder = new X509Data(doc);
    info.add(certHolder);
    certHolder.addCertificate(recipientCert);
    return keyInfoElement;
}
use of org.apache.xml.security.keys.content.X509Data in project xades4j by luisgoncalves.
the class KeyInfoBuilder method buildKeyInfo.
/**
 * Fills the ds:KeyInfo of {@code xmlSig} from the signing certificate, following the
 * configured basic signature options.
 *
 * The certificate is first checked for suitability: when it carries a KeyUsage
 * extension, digitalSignature (bit 0) or nonRepudiation (bit 1) must be set, and it
 * must be within its validity period. Then, if requested, a ds:X509Data holding the
 * certificate, its subject name and its issuer/serial is added; that KeyInfo may in
 * turn be covered by a signature reference canonicalized with the same algorithm as
 * the signature's ds:CanonicalizationMethod. Independently, the public key may be
 * added as a ds:KeyValue.
 *
 * @param signingCertificate the certificate of the signing key
 * @param xmlSig the signature whose KeyInfo is populated
 * @throws KeyingDataException if the certificate is not usable for signing or the
 *         KeyInfo structures cannot be built
 * @throws UnsupportedAlgorithmException if the digest algorithm for the KeyInfo
 *         reference is rejected by the XML Signature provider
 */
void buildKeyInfo(X509Certificate signingCertificate, XMLSignature xmlSig) throws KeyingDataException, UnsupportedAlgorithmException {
    rejectUnsuitableCertificate(signingCertificate);

    if (this.basicSignatureOptionsProvider.includeSigningCertificate()) {
        try {
            X509Data certData = new X509Data(xmlSig.getDocument());
            certData.addCertificate(signingCertificate);
            certData.addSubjectName(signingCertificate);
            certData.addIssuerSerial(signingCertificate.getIssuerX500Principal().getName(), signingCertificate.getSerialNumber());
            xmlSig.getKeyInfo().add(certData);

            if (this.basicSignatureOptionsProvider.signSigningCertificate()) {
                String keyInfoElementId = xmlSig.getId() + "-keyinfo";
                xmlSig.getKeyInfo().setId(keyInfoElementId);
                // The KeyInfo reference is canonicalized exactly like the signature itself
                // (same URI as the ds:CanonicalizationMethod).
                Algorithm c14n = this.algorithmsProvider.getCanonicalizationAlgorithmForSignature();
                CanonicalizerUtils.checkC14NAlgorithm(c14n);
                Transforms keyInfoTransforms = TransformUtils.createTransforms(c14n, this.algorithmsParametersMarshaller, xmlSig.getDocument());
                xmlSig.addDocument('#' + keyInfoElementId, keyInfoTransforms, this.algorithmsProvider.getDigestAlgorithmForDataObjsReferences());
            }
        } catch (XMLSignatureException ex) {
            throw new UnsupportedAlgorithmException("Digest algorithm not supported in the XML Signature provider", this.algorithmsProvider.getDigestAlgorithmForDataObjsReferences(), ex);
        } catch (XMLSecurityException ex) {
            throw new KeyingDataException(ex.getMessage(), ex);
        }
    }

    if (this.basicSignatureOptionsProvider.includePublicKey()) {
        xmlSig.addKeyInfo(signingCertificate.getPublicKey());
    }
}

/**
 * Rejects a certificate whose KeyUsage extension (when present) allows neither
 * digitalSignature nor nonRepudiation, or which is expired / not yet valid.
 * A certificate without a KeyUsage extension passes the usage check.
 */
private static void rejectUnsuitableCertificate(X509Certificate cert) throws KeyingDataException, UnsupportedAlgorithmException {
    // KeyUsage bit 0 = digitalSignature, bit 1 = nonRepudiation.
    boolean[] usage = cert.getKeyUsage();
    if (usage != null) {
        boolean canSign = usage[0] || usage[1];
        if (!canSign) {
            throw new SigningCertKeyUsageException(cert);
        }
    }
    try {
        cert.checkValidity();
    } catch (CertificateException ce) {
        // CertificateExpiredException or CertificateNotYetValidException
        throw new SigningCertValidityException(cert);
    }
}
use of org.apache.xml.security.keys.content.X509Data in project xades4j by luisgoncalves.
the class SignatureUtils method processKeyInfo.
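/**
 * Extracts from a ds:KeyInfo the data needed to locate the signing (leaf) certificate
 * and, later, to build its certification path.
 *
 * XML-DSIG 4.4.4: "Any X509IssuerSerial, X509SKI, and X509SubjectName elements
 * that appear MUST refer to the certificate or certificates containing the
 * validation key." "All certificates appearing in an X509Data element MUST relate
 * to the validation key by either containing it or being part of a certification
 * chain that terminates in a certificate containing the validation key".
 *
 * Selection rule: every ds:X509Data is scanned; the first ds:X509IssuerSerial or
 * ds:X509SubjectName found becomes the selection criterion for the leaf certificate.
 * If none of those elements is present, the first ds:X509Certificate is assumed to be
 * the signing certificate. All certificates are collected regardless, since they may be
 * needed to build the cert path. Note that the selected leaf is only a candidate taken
 * from signer-controlled data; it is the returned selector that the subsequent
 * certification-path validation has to confirm.
 *
 * @param keyInfo the ds:KeyInfo of the signature; may be null
 * @return the collected certificates, the selector for the leaf certificate and the
 *         issuer/serial used as criterion (null unless ds:X509IssuerSerial was the one
 *         that was found first)
 * @throws CertificateValidationException (as InvalidKeyInfoDataException) if there is no
 *         X509Data, no way to pick a leaf certificate, or the X509Data is malformed
 */
static KeyInfoRes processKeyInfo(KeyInfo keyInfo) throws CertificateValidationException {
    if (null == keyInfo || !keyInfo.containsX509Data()) {
        throw new InvalidKeyInfoDataException("No X509Data to identify the leaf certificate");
    }
    List<X509Certificate> keyInfoCerts = new ArrayList<X509Certificate>(1);
    XMLX509IssuerSerial issuerSerial = null;
    X509CertSelector certSelector = new X509CertSelector();
    boolean hasSelectionCriteria = false;
    try {
        for (int i = 0; i < keyInfo.lengthX509Data(); ++i) {
            X509Data x509Data = keyInfo.itemX509Data(i);
            if (!hasSelectionCriteria) {
                if (x509Data.containsIssuerSerial()) {
                    issuerSerial = x509Data.itemIssuerSerial(0);
                    certSelector.setIssuer(new X500Principal(issuerSerial.getIssuerName()));
                    certSelector.setSerialNumber(issuerSerial.getSerialNumber());
                    hasSelectionCriteria = true;
                } else if (x509Data.containsSubjectName()) {
                    certSelector.setSubject(new X500Principal(x509Data.itemSubjectName(0).getSubjectName()));
                    hasSelectionCriteria = true;
                }
            }
            // Collect all certificates as they may be needed to build the cert path.
            if (x509Data.containsCertificate()) {
                for (int j = 0; j < x509Data.lengthCertificate(); ++j) {
                    keyInfoCerts.add(x509Data.itemCertificate(j).getX509Certificate());
                }
            }
        }
        if (!hasSelectionCriteria) {
            if (keyInfoCerts.isEmpty()) {
                throw new InvalidKeyInfoDataException("No criteria to select the leaf certificate");
            }
            // Fallback: the first certificate is assumed to be the "bottom" (leaf) certificate.
            certSelector.setCertificate(keyInfoCerts.get(0));
        }
    } catch (XMLSecurityException ex) {
        throw new InvalidKeyInfoDataException("Cannot process X509Data", ex);
    } catch (IllegalArgumentException ex) {
        // X500Principal(String) rejects a malformed issuer/subject name with
        // IllegalArgumentException (and a non-numeric serial number is expected to
        // surface as NumberFormatException, a subclass). Since the KeyInfo is
        // signer-controlled input, report these as invalid KeyInfo data rather than
        // letting an unchecked exception escape.
        throw new InvalidKeyInfoDataException("Cannot process X509Data", ex);
    }
    return new KeyInfoRes(keyInfoCerts, certSelector, issuerSerial);
}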
use of org.apache.xml.security.keys.content.X509Data in project santuario-java by apache.
the class PrivateKeyResolver method resolveX509Data.
/**
 * Tries to locate a private key for a ds:X509Data element.
 *
 * The X509Data children are consulted in a fixed order — X509SKI, X509IssuerSerial,
 * X509SubjectName, X509Certificate — and the first child for which the matching
 * resolve* helper yields a key wins. XMLSecurityException and KeyStoreException are
 * logged at debug level and treated as "nothing resolved".
 *
 * @param element the ds:X509Data element to parse
 * @param baseURI base URI handed to the X509Data parser
 * @return the matching private key, or null if no child resolved to one
 */
private PrivateKey resolveX509Data(Element element, String baseURI) {
    LOG.debug("Can I resolve X509Data?");
    try {
        X509Data data = new X509Data(element, baseURI);

        int skiCount = data.lengthSKI();
        for (int idx = 0; idx < skiCount; idx++) {
            PrivateKey found = resolveX509SKI(data.itemSKI(idx));
            if (found != null) {
                return found;
            }
        }

        int issuerSerialCount = data.lengthIssuerSerial();
        for (int idx = 0; idx < issuerSerialCount; idx++) {
            PrivateKey found = resolveX509IssuerSerial(data.itemIssuerSerial(idx));
            if (found != null) {
                return found;
            }
        }

        int subjectNameCount = data.lengthSubjectName();
        for (int idx = 0; idx < subjectNameCount; idx++) {
            PrivateKey found = resolveX509SubjectName(data.itemSubjectName(idx));
            if (found != null) {
                return found;
            }
        }

        int certificateCount = data.lengthCertificate();
        for (int idx = 0; idx < certificateCount; idx++) {
            PrivateKey found = resolveX509Certificate(data.itemCertificate(idx));
            if (found != null) {
                return found;
            }
        }
    } catch (XMLSecurityException e) {
        LOG.debug("XMLSecurityException", e);
    } catch (KeyStoreException e) {
        LOG.debug("KeyStoreException", e);
    }
    return null;
}
use of org.apache.xml.security.keys.content.X509Data in project santuario-java by apache.
the class BaltimoreEncTest method findKey.
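/**
 * Method findKey
 *
 * Given an encryptedData structure, return the key that will decrypt
 * it.
 *
 * Resolution order: a ds:KeyName in the EncryptedData's KeyInfo is mapped
 * directly via mapKeyName. Otherwise the first xenc:EncryptedKey is unwrapped
 * with a key-encryption key (KEK) that is itself found either by KeyName or,
 * failing that, by comparing the serial number of the first X509Certificate in
 * the EncryptedKey's KeyInfo with rsaCertSerialNumber (in which case rsaKey is
 * the KEK).
 *
 * @param encryptedData EncryptedData to get key for
 * @return the decryption key, or null when no KeyInfo, KeyName, EncryptedKey
 *         or KEK could be found
 * @throws Exception on XMLCipher failures (propagated unchanged; test code)
 */
private Key findKey(EncryptedData encryptedData) throws Exception {
    KeyInfo ki = encryptedData.getKeyInfo();
    if (ki == null) {
        return null;
    }
    // First check for a known key name
    KeyName keyName = ki.itemKeyName(0);
    if (keyName != null) {
        return mapKeyName(keyName.getKeyName());
    }
    // Decrypt any encryptedKey structures
    EncryptedKey encryptedKey = ki.itemEncryptedKey(0);
    if (encryptedKey == null) {
        return null;
    }
    KeyInfo kiek = encryptedKey.getKeyInfo();
    if (kiek == null) {
        return null;
    }
    Key kek = null;
    KeyName kekKeyName = kiek.itemKeyName(0);
    if (kekKeyName != null) {
        kek = mapKeyName(kekKeyName.getKeyName());
    } else {
        // Without a KeyName, identify the KEK by certificate serial number. Each
        // lookup is null-guarded: itemX509Data(0)/itemCertificate(0) are handled
        // like itemKeyName(0) above, i.e. as returning null when the element is
        // absent, so a KeyInfo lacking them yields "no key" instead of a
        // NullPointerException.
        X509Data certData = kiek.itemX509Data(0);
        XMLX509Certificate xcert = certData == null ? null : certData.itemCertificate(0);
        X509Certificate cert = xcert == null ? null : xcert.getX509Certificate();
        if (cert != null && cert.getSerialNumber().toString().equals(rsaCertSerialNumber)) {
            kek = rsaKey;
        }
    }
    if (kek == null) {
        return null;
    }
    XMLCipher cipher = XMLCipher.getInstance();
    cipher.init(XMLCipher.UNWRAP_MODE, kek);
    return cipher.decryptKey(encryptedKey, encryptedData.getEncryptionMethod().getAlgorithm());
}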