
Example 1 with KeyResolverException

use of org.apache.xml.security.keys.keyresolver.KeyResolverException in project OpenAM by OpenRock.

Class FMSigProvider, method verify.

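/**
 * Verifies the enveloped XML signature in {@code xmlString} and binds it to the element
 * that directly contains the {@code ds:Signature}.
 *
 * <p>Before any cryptographic work, the URI of the first {@code ds:Reference} must be a
 * same-document reference ({@code #id}) whose id equals the {@code ID} attribute of the
 * Signature's parent element; this ties the signature to its enclosing element. If the
 * {@code KeyInfo} carries an {@code X509Data} certificate it becomes the only verification
 * certificate, after being checked for membership in {@code verificationCerts} when
 * {@code checkCert} is set; otherwise {@code verificationCerts} is used as given.
 *
 * <p>NOTE(review): {@code idValue} is only validated for presence here; it is not compared
 * with the ID of the signed element — confirm whether callers rely on that binding.
 *
 * @param xmlString         the signed XML document (non-empty)
 * @param idValue           the ID of the element expected to be signed (non-empty)
 * @param verificationCerts trusted certificates the signature may be verified against
 * @return {@code true} if the signature verifies, {@code false} otherwise
 * @throws SAML2Exception on empty input, an unparsable document, a missing Signature or
 *                        Reference element, a reference URI that does not name the
 *                        Signature's parent element, an XPath or XML-security failure, or
 *                        an embedded certificate that is not in {@code verificationCerts}
 */
public boolean verify(String xmlString, String idValue, Set<X509Certificate> verificationCerts) throws SAML2Exception {
    String classMethod = "FMSigProvider.verify: ";
    if (xmlString == null || xmlString.length() == 0 || idValue == null || idValue.length() == 0) {
        SAML2SDKUtils.debug.error(classMethod + "Either input xmlString or idValue is null.");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    Document doc = XMLUtils.toDOMDocument(xmlString, SAML2SDKUtils.debug);
    if (doc == null) {
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("errorObtainingElement"));
    }
    Element nscontext = org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
    Element sigElement;
    Element refElement;
    try {
        sigElement = (Element) XPathAPI.selectSingleNode(doc, "//ds:Signature[1]", nscontext);
        refElement = (Element) XPathAPI.selectSingleNode(doc, "//ds:Reference[1]", nscontext);
    } catch (TransformerException te) {
        throw new SAML2Exception(te);
    }
    // selectSingleNode yields null when the node is absent; dereferencing it below would NPE.
    if (sigElement == null || refElement == null) {
        SAML2SDKUtils.debug.error(classMethod + "Document contains no ds:Signature or ds:Reference element.");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("errorObtainingElement"));
    }
    // A Signature that is the document element has the Document as parent, not an Element.
    if (!(sigElement.getParentNode() instanceof Element)) {
        SAML2SDKUtils.debug.error(classMethod + "ds:Signature has no enclosing element.");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("uriNoMatchWithId"));
    }
    String refUri = refElement.getAttribute("URI");
    String signedId = ((Element) sigElement.getParentNode()).getAttribute(SAML2Constants.ID);
    // A same-document reference is "#" followed by a non-empty id. getAttribute() returns ""
    // for a missing attribute, so require the leading '#' explicitly, reject a bare "#"
    // (which would otherwise equal an absent ID), and never call substring(1) on "".
    if (refUri == null || refUri.length() < 2 || refUri.charAt(0) != '#'
            || signedId == null || signedId.length() == 0
            || !refUri.substring(1).equals(signedId)) {
        SAML2SDKUtils.debug.error(classMethod + "Signature reference ID does " + "not match with element ID");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("uriNoMatchWithId"));
    }
    // NOTE(review): only the document element's ID attribute is registered for #id lookup;
    // how a Signature nested below the root resolves its reference depends on the resolvers
    // attached below — confirm this is the intended scope.
    doc.getDocumentElement().setIdAttribute(SAML2Constants.ID, true);
    XMLSignature signature;
    try {
        signature = new XMLSignature(sigElement, "");
    } catch (XMLSecurityException xse) {
        // XMLSignatureException is a subclass of XMLSecurityException; one catch covers both.
        throw new SAML2Exception(xse);
    }
    signature.addResourceResolver(new com.sun.identity.saml.xmlsig.OfflineResolver());
    KeyInfo ki = signature.getKeyInfo();
    X509Certificate certToUse = null;
    if (ki != null && ki.containsX509Data()) {
        try {
            certToUse = ki.getX509Certificate();
        } catch (KeyResolverException kre) {
            // Best effort: fall back to the caller-supplied certificates.
            SAML2SDKUtils.debug.error(classMethod + "Could not obtain a certificate " + "from inside the document.");
        }
        if (certToUse != null && checkCert) {
            // An embedded certificate is only honoured if the caller already trusts it.
            if (!verificationCerts.contains(certToUse)) {
                SAML2SDKUtils.debug.error(classMethod + "The cert contained in the document is NOT trusted");
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidCertificate"));
            }
            if (SAML2SDKUtils.debug.messageEnabled()) {
                SAML2SDKUtils.debug.message(classMethod + "The cert contained in the document is trusted");
            }
        }
    }
    if (certToUse != null) {
        // The embedded (and, when checkCert is set, trusted) certificate is the sole candidate.
        verificationCerts = Collections.singleton(certToUse);
    }
    if (!isValidSignature(signature, verificationCerts)) {
        SAML2SDKUtils.debug.error(classMethod + "Signature verification failed.");
        return false;
    }
    if (SAML2SDKUtils.debug.messageEnabled()) {
        SAML2SDKUtils.debug.message(classMethod + "Signature verification successful.");
    }
    return true;
}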

Example 2 with KeyResolverException

use of org.apache.xml.security.keys.keyresolver.KeyResolverException in project santuario-java by apache.

Class X509DigestResolver, method resolveCertificate.

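/**
 * Resolves from the storage resolver the actual certificate represented by the digest.
 *
 * <p>Every {@code dsig11:X509Digest} child of {@code element} is parsed; then each
 * certificate in {@code storage} is digested with the algorithm named by each X509Digest
 * and compared with the digest bytes that element carries. The first stored certificate
 * whose digest matches is returned.
 *
 * @param element the {@code X509Data} element whose X509Digest children are examined
 * @param baseURI base URI handed to the {@link XMLX509Digest} constructor
 * @param storage storage resolver enumerating candidate certificates (validated by
 *                {@code checkStorage})
 * @return the matching certificate, or {@code null} when there are no X509Digest children
 *         or no stored certificate matches
 * @throws XMLSecurityException as a {@link KeyResolverException} wrapping any failure from
 *         the storage check, digest-element parsing or certificate digesting
 */
private X509Certificate resolveCertificate(Element element, String baseURI, StorageResolver storage) throws XMLSecurityException {
    Element[] x509childNodes = XMLUtils.selectDs11Nodes(element.getFirstChild(), Constants._TAG_X509DIGEST);
    if (x509childNodes == null || x509childNodes.length <= 0) {
        return null;
    }
    try {
        checkStorage(storage);
        XMLX509Digest[] x509Digests = new XMLX509Digest[x509childNodes.length];
        for (int i = 0; i < x509childNodes.length; i++) {
            x509Digests[i] = new XMLX509Digest(x509childNodes[i], baseURI);
        }
        Iterator<Certificate> storageIterator = storage.getIterator();
        while (storageIterator.hasNext()) {
            Certificate candidate = storageIterator.next();
            // Only X.509 certificates can match an X509Digest; a blind cast would throw
            // ClassCastException on any other certificate type held in storage.
            if (!(candidate instanceof X509Certificate)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) candidate;
            for (XMLX509Digest keyInfoDigest : x509Digests) {
                byte[] certDigestBytes = XMLX509Digest.getDigestBytesFromCert(cert, keyInfoDigest.getAlgorithm());
                if (Arrays.equals(keyInfoDigest.getDigestBytes(), certDigestBytes)) {
                    LOG.debug("Found certificate with: {}", cert.getSubjectX500Principal().getName());
                    return cert;
                }
            }
        }
    } catch (XMLSecurityException ex) {
        throw new KeyResolverException(ex);
    }
    return null;
}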

Example 3 with KeyResolverException

use of org.apache.xml.security.keys.keyresolver.KeyResolverException in project santuario-java by apache.

Class BobKeyResolver, method engineLookupAndResolveSecretKey.

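/**
 * Resolves the fixed secret key used by the "Bob" test resolver.
 *
 * <p>Test fixture: when {@code engineCanResolve} accepts the element, a constant 24-byte
 * DESede key is built from a hard-coded ASCII string. It is not a real key source.
 *
 * @param element the KeyInfo child element being resolved
 * @param BaseURI base URI, passed through to {@code engineCanResolve}
 * @param storage storage resolver, passed through to {@code engineCanResolve}
 * @return the fixed DESede key, or {@code null} when this resolver does not apply
 * @throws KeyResolverException if JCE key construction fails; the underlying exception is
 *         attached as the cause
 */
public SecretKey engineLookupAndResolveSecretKey(Element element, String BaseURI, StorageResolver storage) throws KeyResolverException {
    if (!engineCanResolve(element, BaseURI, storage)) {
        return null;
    }
    try {
        DESedeKeySpec keySpec = new DESedeKeySpec("abcdefghijklmnopqrstuvwx".getBytes(StandardCharsets.US_ASCII));
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DESede");
        return keyFactory.generateSecret(keySpec);
    } catch (Exception e) {
        // Keep the JCE failure as the cause instead of discarding it.
        KeyResolverException kre = new KeyResolverException("Something badly wrong in creation of bob's key");
        kre.initCause(e);
        throw kre;
    }
}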

Example 4 with KeyResolverException

use of org.apache.xml.security.keys.keyresolver.KeyResolverException in project santuario-java by apache.

Class X509CertificateResolver, method engineLookupResolveX509Certificate.

/**
 * Method engineResolveX509Certificate
 * {@inheritDoc}
 *
 * <p>Returns the first {@code ds:X509Certificate} child of {@code element} that parses to a
 * certificate. When there are no such children, the first {@code ds:X509Data} child (if
 * any) is examined by recursing into it.
 *
 * @param element the element whose children are searched
 * @param baseURI base URI handed to the {@link XMLX509Certificate} constructor
 * @param storage storage resolver; passed along unchanged on recursion
 * @return the first certificate found, or {@code null} if none
 * @throws KeyResolverException wrapping any {@link XMLSecurityException} raised while
 *         selecting or parsing the certificate elements
 */
public X509Certificate engineLookupResolveX509Certificate(Element element, String baseURI, StorageResolver storage) throws KeyResolverException {
    try {
        Element[] certElements = XMLUtils.selectDsNodes(element.getFirstChild(), Constants._TAG_X509CERTIFICATE);
        boolean hasCertChildren = certElements != null && certElements.length > 0;
        if (!hasCertChildren) {
            Element x509Data = XMLUtils.selectDsNode(element.getFirstChild(), Constants._TAG_X509DATA, 0);
            return x509Data == null ? null : engineLookupResolveX509Certificate(x509Data, baseURI, storage);
        }
        for (Element certElement : certElements) {
            X509Certificate parsed = new XMLX509Certificate(certElement, baseURI).getX509Certificate();
            if (parsed != null) {
                return parsed;
            }
        }
        return null;
    } catch (XMLSecurityException ex) {
        LOG.debug("Security Exception", ex);
        throw new KeyResolverException(ex);
    }
}

Example 5 with KeyResolverException

use of org.apache.xml.security.keys.keyresolver.KeyResolverException in project santuario-java by apache.

Class X509SubjectNameResolver, method engineLookupResolveX509Certificate.

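/**
 * Method engineResolveX509Certificate
 * {@inheritDoc}
 *
 * <p>Handles a {@code ds:X509Data} element carrying one or more {@code ds:X509SubjectName}
 * children: each certificate in {@code storage} is compared by subject name against each
 * child, and the first match is returned.
 *
 * @param element the KeyInfo child being resolved; only {@code ds:X509Data} is handled
 * @param baseURI base URI handed to the {@link XMLX509SubjectName} constructor
 * @param storage storage resolver enumerating candidate certificates
 * @return the first stored X.509 certificate whose subject name equals one of the
 *         X509SubjectName children, or {@code null} if this resolver does not apply or
 *         nothing matches
 * @throws KeyResolverException with {@code KeyResolver.needStorageResolver} if
 *         {@code storage} is null while subject names are present, or wrapping any
 *         {@link XMLSecurityException} raised while parsing the elements
 */
public X509Certificate engineLookupResolveX509Certificate(Element element, String baseURI, StorageResolver storage) throws KeyResolverException {
    LOG.debug("Can I resolve {}?", element.getTagName());
    if (!XMLUtils.elementIsInSignatureSpace(element, Constants._TAG_X509DATA)) {
        LOG.debug("I can't");
        return null;
    }
    Element[] x509childNodes = XMLUtils.selectDsNodes(element.getFirstChild(), Constants._TAG_X509SUBJECTNAME);
    if (x509childNodes == null || x509childNodes.length == 0) {
        LOG.debug("I can't");
        return null;
    }
    // Raised outside the try below so it is not re-wrapped by the XMLSecurityException
    // catch (KeyResolverException is a subclass of it) and keeps its message id.
    if (storage == null) {
        Object[] exArgs = { Constants._TAG_X509SUBJECTNAME };
        KeyResolverException ex = new KeyResolverException("KeyResolver.needStorageResolver", exArgs);
        LOG.debug("", ex);
        throw ex;
    }
    try {
        XMLX509SubjectName[] x509childObject = new XMLX509SubjectName[x509childNodes.length];
        for (int i = 0; i < x509childNodes.length; i++) {
            x509childObject[i] = new XMLX509SubjectName(x509childNodes[i], baseURI);
        }
        Iterator<Certificate> storageIterator = storage.getIterator();
        while (storageIterator.hasNext()) {
            Certificate candidate = storageIterator.next();
            // Only X.509 certificates have a subject name to compare; a blind cast would
            // throw ClassCastException on any other certificate type held in storage.
            if (!(candidate instanceof X509Certificate)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) candidate;
            XMLX509SubjectName certSN = new XMLX509SubjectName(element.getOwnerDocument(), cert);
            LOG.debug("Found Certificate SN: {}", certSN.getSubjectName());
            for (XMLX509SubjectName elementSN : x509childObject) {
                LOG.debug("Found Element SN:     {}", elementSN.getSubjectName());
                if (certSN.equals(elementSN)) {
                    LOG.debug("match !!! ");
                    return cert;
                }
                LOG.debug("no match...");
            }
        }
        return null;
    } catch (XMLSecurityException ex) {
        LOG.debug("XMLSecurityException", ex);
        throw new KeyResolverException(ex);
    }
}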
