use of org.apache.xml.security.keys.keyresolver.KeyResolverException in project OpenAM by OpenRock.
the class FMSigProvider method verify.
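/**
 * Verifies the enveloped XML signature carried in {@code xmlString}.
 * <p>
 * The first {@code ds:Signature} element in document order is used, and its first
 * {@code ds:Reference} URI must be {@code "#" + ID}, where ID is the {@code ID} attribute of the
 * signature's parent element. If the signature's {@code KeyInfo} carries an X.509 certificate, that
 * certificate is used for verification; when {@code checkCert} is set it must first be contained in
 * {@code verificationCerts}.
 *
 * @param xmlString the signed XML document as text; must be non-empty
 * @param idValue the ID the caller expects to be signed; must be non-empty (only its presence is
 *        checked here, see the note in the body)
 * @param verificationCerts certificates trusted to verify the signature; superseded by the
 *        certificate embedded in the document when one is present
 * @return {@code true} if the signature verifies, {@code false} if the cryptographic check fails
 * @throws SAML2Exception on empty input, unparsable XML, a missing Signature/Reference element, a
 *         Reference URI that does not match the signed element's ID, an unparsable Signature
 *         element, or (when {@code checkCert} is set) an embedded certificate that is not trusted
 */
public boolean verify(String xmlString, String idValue, Set<X509Certificate> verificationCerts) throws SAML2Exception {
    String classMethod = "FMSigProvider.verify: ";
    if (xmlString == null || xmlString.isEmpty() || idValue == null || idValue.isEmpty()) {
        SAML2SDKUtils.debug.error(classMethod + "Either input xmlString or idValue is null.");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    Document doc = XMLUtils.toDOMDocument(xmlString, SAML2SDKUtils.debug);
    if (doc == null) {
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("errorObtainingElement"));
    }
    Element nscontext = org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
    Element sigElement = selectFirstElement(doc, "//ds:Signature[1]", nscontext);
    Element refElement = selectFirstElement(doc, "//ds:Reference[1]", nscontext);
    // XPathAPI returns null when nothing matches; dereferencing without this check would NPE.
    if (sigElement == null || refElement == null || !(sigElement.getParentNode() instanceof Element)) {
        SAML2SDKUtils.debug.error(classMethod + "No ds:Signature/ds:Reference element found in the document.");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("errorObtainingElement"));
    }
    // DOM getAttribute() yields "" (never null) for an absent attribute, so empty values are rejected too.
    String refUri = refElement.getAttribute("URI");
    String signedId = ((Element) sigElement.getParentNode()).getAttribute(SAML2Constants.ID);
    // The reference must be a same-document ID reference "#<id>" naming exactly the signature's parent;
    // a bare substring(1) would accept any leading character and throw on an empty URI.
    if (signedId == null || signedId.isEmpty() || refUri == null || !refUri.equals("#" + signedId)) {
        SAML2SDKUtils.debug.error(classMethod + "Signature reference ID does " + "not match with element ID");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("uriNoMatchWithId"));
    }
    // NOTE(review): idValue is never compared with signedId, and only the document element's ID
    // attribute is registered below, so the signed element is simply the parent of the first
    // ds:Signature. Confirm callers pass a document whose root is the element they expect signed.
    doc.getDocumentElement().setIdAttribute(SAML2Constants.ID, true);
    XMLSignature signature;
    try {
        signature = new XMLSignature(sigElement, "");
    } catch (XMLSecurityException xse) {
        // XMLSignatureException is a subclass of XMLSecurityException; both were wrapped the same way.
        throw new SAML2Exception(xse);
    }
    signature.addResourceResolver(new com.sun.identity.saml.xmlsig.OfflineResolver());
    KeyInfo ki = signature.getKeyInfo();
    X509Certificate certToUse = null;
    if (ki != null && ki.containsX509Data()) {
        try {
            certToUse = ki.getX509Certificate();
        } catch (KeyResolverException kre) {
            SAML2SDKUtils.debug.error(classMethod + "Could not obtain a certificate " + "from inside the document.");
            certToUse = null;
        }
        if (certToUse != null && checkCert) {
            // A null trusted set cannot contain the embedded certificate; treat it as untrusted
            // instead of letting contains() throw a NullPointerException.
            if (verificationCerts == null || !verificationCerts.contains(certToUse)) {
                SAML2SDKUtils.debug.error(classMethod + "The cert contained in the document is NOT trusted");
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidCertificate"));
            }
            if (SAML2SDKUtils.debug.messageEnabled()) {
                SAML2SDKUtils.debug.message(classMethod + "The cert contained in the document is trusted");
            }
        }
    }
    if (certToUse != null) {
        // The embedded certificate replaces the caller's set for the actual check. It has only been
        // matched against that set when checkCert is true; otherwise the signature is verified with
        // whatever key the document itself supplied.
        verificationCerts = Collections.singleton(certToUse);
    }
    if (!isValidSignature(signature, verificationCerts)) {
        SAML2SDKUtils.debug.error(classMethod + "Signature verification failed.");
        return false;
    }
    if (SAML2SDKUtils.debug.messageEnabled()) {
        SAML2SDKUtils.debug.message(classMethod + "Signature verification successful.");
    }
    return true;
}

/**
 * Evaluates {@code xpath} against {@code doc} with the given namespace context.
 *
 * @return the first matching element, or {@code null} when nothing matches
 * @throws SAML2Exception wrapping any {@link TransformerException} from the XPath engine
 */
private static Element selectFirstElement(Document doc, String xpath, Element nscontext) throws SAML2Exception {
    try {
        return (Element) XPathAPI.selectSingleNode(doc, xpath, nscontext);
    } catch (TransformerException te) {
        throw new SAML2Exception(te);
    }
}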
use of org.apache.xml.security.keys.keyresolver.KeyResolverException in project santuario-java by apache.
the class X509DigestResolver method resolveCertificate.
/**
 * Looks up, in the supplied storage, the certificate whose digest matches one of the
 * {@code dsig11:X509Digest} children of {@code element}.
 *
 * @param element the element whose X509Digest children are inspected
 * @param baseURI base URI handed to the {@link XMLX509Digest} constructor
 * @param storage the storage resolver to search; validated via {@code checkStorage}
 * @return the first stored certificate whose digest, computed with the algorithm named in the
 *         X509Digest element, equals the digest bytes in the document; {@code null} when there are no
 *         X509Digest children or nothing in storage matches
 * @throws XMLSecurityException as a {@link KeyResolverException} wrapping any failure from storage
 *         checking, element parsing or digest computation
 */
private X509Certificate resolveCertificate(Element element, String baseURI, StorageResolver storage) throws XMLSecurityException {
    Element[] digestElements = XMLUtils.selectDs11Nodes(element.getFirstChild(), Constants._TAG_X509DIGEST);
    if (digestElements == null || digestElements.length == 0) {
        return null;
    }
    try {
        checkStorage(storage);
        XMLX509Digest[] wantedDigests = new XMLX509Digest[digestElements.length];
        for (int i = 0; i < digestElements.length; i++) {
            wantedDigests[i] = new XMLX509Digest(digestElements[i], baseURI);
        }
        Iterator<Certificate> candidates = storage.getIterator();
        while (candidates.hasNext()) {
            X509Certificate candidate = (X509Certificate) candidates.next();
            for (XMLX509Digest wanted : wantedDigests) {
                // Digest is recomputed per (certificate, algorithm) pair; algorithms may differ per element.
                byte[] actual = XMLX509Digest.getDigestBytesFromCert(candidate, wanted.getAlgorithm());
                if (Arrays.equals(wanted.getDigestBytes(), actual)) {
                    LOG.debug("Found certificate with: {}", candidate.getSubjectX500Principal().getName());
                    return candidate;
                }
            }
        }
        return null;
    } catch (XMLSecurityException ex) {
        throw new KeyResolverException(ex);
    }
}
use of org.apache.xml.security.keys.keyresolver.KeyResolverException in project santuario-java by apache.
the class BobKeyResolver method engineLookupAndResolveSecretKey.
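/**
 * Returns the fixed Triple-DES key this resolver hands out whenever {@code engineCanResolve}
 * accepts the element.
 * <p>
 * The key material is a hard-coded 24-byte ASCII string, which marks this resolver as a fixture
 * (presumably test-only, given the class name): it provides no secrecy and must not be reused
 * outside that setting.
 *
 * @param element the KeyInfo child offered for resolution
 * @param BaseURI base URI of the document, passed through to {@code engineCanResolve}
 * @param storage certificate storage, passed through to {@code engineCanResolve}
 * @return the DESede key when the element is accepted, otherwise {@code null}
 * @throws KeyResolverException if the key spec or factory cannot be built; the underlying
 *         exception is preserved as the cause
 */
public SecretKey engineLookupAndResolveSecretKey(Element element, String BaseURI, StorageResolver storage) throws KeyResolverException {
    if (!engineCanResolve(element, BaseURI, storage)) {
        return null;
    }
    try {
        // 24 bytes == one DES-EDE (three-key 3DES) key.
        DESedeKeySpec keySpec = new DESedeKeySpec("abcdefghijklmnopqrstuvwx".getBytes(StandardCharsets.US_ASCII));
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DESede");
        return keyFactory.generateSecret(keySpec);
    } catch (Exception e) {
        // Keep the original failure attached instead of discarding it; the broad catch is kept
        // because narrowing it would need an import this file may not have.
        throw new KeyResolverException(e, "Something badly wrong in creation of bob's key");
    }
}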
use of org.apache.xml.security.keys.keyresolver.KeyResolverException in project santuario-java by apache.
the class X509CertificateResolver method engineLookupResolveX509Certificate.
/**
 * Resolves an X.509 certificate from the {@code ds:X509Certificate} children of {@code element}.
 * {@inheritDoc}
 * <p>
 * When {@code element} has no X509Certificate child, its first {@code ds:X509Data} child (if any)
 * is examined instead through a recursive call. The first child that parses to a non-null
 * certificate wins.
 *
 * @param element element whose children are searched
 * @param baseURI base URI handed to {@link XMLX509Certificate}
 * @param storage only passed on to the recursive call; not consulted here
 * @return the first certificate found, or {@code null} when there is none
 * @throws KeyResolverException wrapping any {@link XMLSecurityException} raised while parsing
 */
public X509Certificate engineLookupResolveX509Certificate(Element element, String baseURI, StorageResolver storage) throws KeyResolverException {
    try {
        Element[] certElements = XMLUtils.selectDsNodes(element.getFirstChild(), Constants._TAG_X509CERTIFICATE);
        boolean noCertChildren = certElements == null || certElements.length == 0;
        if (noCertChildren) {
            // Fall back to a nested X509Data element, if present.
            Element nestedData = XMLUtils.selectDsNode(element.getFirstChild(), Constants._TAG_X509DATA, 0);
            return nestedData == null ? null : engineLookupResolveX509Certificate(nestedData, baseURI, storage);
        }
        for (Element certElement : certElements) {
            X509Certificate parsed = new XMLX509Certificate(certElement, baseURI).getX509Certificate();
            if (parsed != null) {
                return parsed;
            }
        }
        return null;
    } catch (XMLSecurityException ex) {
        LOG.debug("Security Exception", ex);
        throw new KeyResolverException(ex);
    }
}
use of org.apache.xml.security.keys.keyresolver.KeyResolverException in project santuario-java by apache.
the class X509SubjectNameResolver method engineLookupResolveX509Certificate.
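/**
 * Resolves a certificate from storage by matching the {@code ds:X509SubjectName} children of
 * {@code element} against the subject name of each stored certificate.
 * {@inheritDoc}
 *
 * @param element expected to be a {@code ds:X509Data} element; anything else yields {@code null}
 * @param baseURI base URI handed to {@link XMLX509SubjectName}
 * @param storage the certificate storage to search; required once subject names are present
 * @return the first stored certificate whose subject name equals one of the X509SubjectName values,
 *         or {@code null} when the element is not X509Data, has no X509SubjectName child, or nothing
 *         matches
 * @throws KeyResolverException if {@code storage} is {@code null}
 *         ({@code KeyResolver.needStorageResolver}), or wrapping any other
 *         {@link XMLSecurityException} raised while parsing or comparing
 */
public X509Certificate engineLookupResolveX509Certificate(Element element, String baseURI, StorageResolver storage) throws KeyResolverException {
    LOG.debug("Can I resolve {}?", element.getTagName());
    if (!XMLUtils.elementIsInSignatureSpace(element, Constants._TAG_X509DATA)) {
        LOG.debug("I can't");
        return null;
    }
    Element[] x509childNodes = XMLUtils.selectDsNodes(element.getFirstChild(), Constants._TAG_X509SUBJECTNAME);
    if (x509childNodes == null || x509childNodes.length == 0) {
        LOG.debug("I can't");
        return null;
    }
    // Raised outside the try below: KeyResolverException is itself an XMLSecurityException, so
    // throwing it inside the try made the catch wrap it a second time.
    if (storage == null) {
        Object[] exArgs = { Constants._TAG_X509SUBJECTNAME };
        KeyResolverException ex = new KeyResolverException("KeyResolver.needStorageResolver", exArgs);
        LOG.debug("", ex);
        throw ex;
    }
    try {
        XMLX509SubjectName[] x509childObject = new XMLX509SubjectName[x509childNodes.length];
        for (int i = 0; i < x509childNodes.length; i++) {
            x509childObject[i] = new XMLX509SubjectName(x509childNodes[i], baseURI);
        }
        // Candidates come from the trusted storage, so a subject-name match selects a trusted cert
        // rather than trusting anything the document supplied.
        Iterator<Certificate> storageIterator = storage.getIterator();
        while (storageIterator.hasNext()) {
            X509Certificate cert = (X509Certificate) storageIterator.next();
            XMLX509SubjectName certSN = new XMLX509SubjectName(element.getOwnerDocument(), cert);
            LOG.debug("Found Certificate SN: {}", certSN.getSubjectName());
            for (XMLX509SubjectName wanted : x509childObject) {
                LOG.debug("Found Element SN: {}", wanted.getSubjectName());
                if (certSN.equals(wanted)) {
                    LOG.debug("match !!! ");
                    return cert;
                }
                LOG.debug("no match...");
            }
        }
        return null;
    } catch (XMLSecurityException ex) {
        LOG.debug("XMLSecurityException", ex);
        throw new KeyResolverException(ex);
    }
}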