Search in sources :

Example 1 with SignedInfo

use of org.apache.xml.security.signature.SignedInfo in project cxf by apache.

the class AbstractXmlSigInHandler method checkSignature.

protected void checkSignature(Message message) {
    Document doc = getDocument(message);
    if (doc == null) {
        return;
    }
    Element root = doc.getDocumentElement();
    Element signatureElement = getSignatureElement(root);
    if (signatureElement == null) {
        throwFault("XML Signature is not available", null);
    }
    String cryptoKey = null;
    String propKey = null;
    if (RSSecurityUtils.isSignedAndEncryptedTwoWay(message)) {
        cryptoKey = SecurityConstants.ENCRYPT_CRYPTO;
        propKey = SecurityConstants.ENCRYPT_PROPERTIES;
    } else {
        cryptoKey = SecurityConstants.SIGNATURE_CRYPTO;
        propKey = SecurityConstants.SIGNATURE_PROPERTIES;
    }
    Crypto crypto = null;
    try {
        CryptoLoader loader = new CryptoLoader();
        crypto = loader.getCrypto(message, cryptoKey, propKey);
    } catch (Exception ex) {
        throwFault("Crypto can not be loaded", ex);
    }
    boolean valid = false;
    Reference ref = null;
    try {
        XMLSignature signature = new XMLSignature(signatureElement, "", true);
        if (sigProps != null) {
            SignedInfo sInfo = signature.getSignedInfo();
            if (sigProps.getSignatureAlgo() != null && !sigProps.getSignatureAlgo().equals(sInfo.getSignatureMethodURI())) {
                throwFault("Signature Algorithm is not supported", null);
            }
            if (sigProps.getSignatureC14nMethod() != null && !sigProps.getSignatureC14nMethod().equals(sInfo.getCanonicalizationMethodURI())) {
                throwFault("Signature C14n Algorithm is not supported", null);
            }
        }
        ref = getReference(signature);
        Element signedElement = validateReference(root, ref);
        if (signedElement.hasAttributeNS(null, "ID")) {
            signedElement.setIdAttributeNS(null, "ID", true);
        }
        if (signedElement.hasAttributeNS(null, "Id")) {
            signedElement.setIdAttributeNS(null, "Id", true);
        }
        X509Certificate cert = null;
        PublicKey publicKey = null;
        // See also WSS4J SAMLUtil.getCredentialFromKeyInfo
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo != null) {
            cert = keyInfo.getX509Certificate();
            if (cert != null) {
                valid = signature.checkSignatureValue(cert);
            } else {
                publicKey = keyInfo.getPublicKey();
                if (publicKey != null) {
                    valid = signature.checkSignatureValue(publicKey);
                }
            }
        } else if (!keyInfoMustBeAvailable) {
            String user = getUserName(crypto, message);
            cert = RSSecurityUtils.getCertificates(crypto, user)[0];
            publicKey = cert.getPublicKey();
            valid = signature.checkSignatureValue(cert);
        }
        // validate trust
        new TrustValidator().validateTrust(crypto, cert, publicKey, getSubjectContraints(message));
        if (valid && persistSignature) {
            if (signature.getKeyInfo() != null) {
                message.put(SIGNING_CERT, signature.getKeyInfo().getX509Certificate());
            }
            if (signature.getKeyInfo() != null) {
                message.put(SIGNING_PUBLIC_KEY, signature.getKeyInfo().getPublicKey());
            }
            message.setContent(Element.class, signedElement);
        }
    } catch (Exception ex) {
        throwFault("Signature validation failed", ex);
    }
    if (!valid) {
        throwFault("Signature validation failed", null);
    }
    if (removeSignature) {
        if (!isEnveloping(root)) {
            Element signedEl = getSignedElement(root, ref);
            signedEl.removeAttribute("ID");
            root.removeChild(signatureElement);
        } else {
            Element actualBody = getActualBody(root);
            Document newDoc = DOMUtils.createDocument();
            newDoc.adoptNode(actualBody);
            root = actualBody;
        }
    }
    message.setContent(XMLStreamReader.class, new W3CDOMStreamReader(root));
    message.setContent(InputStream.class, null);
}
Also used : TrustValidator(org.apache.cxf.rs.security.common.TrustValidator) Reference(org.apache.xml.security.signature.Reference) PublicKey(java.security.PublicKey) Element(org.w3c.dom.Element) CryptoLoader(org.apache.cxf.rs.security.common.CryptoLoader) Document(org.w3c.dom.Document) PatternSyntaxException(java.util.regex.PatternSyntaxException) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) X509Certificate(java.security.cert.X509Certificate) SignedInfo(org.apache.xml.security.signature.SignedInfo) Crypto(org.apache.wss4j.common.crypto.Crypto) KeyInfo(org.apache.xml.security.keys.KeyInfo) W3CDOMStreamReader(org.apache.cxf.staxutils.W3CDOMStreamReader) XMLSignature(org.apache.xml.security.signature.XMLSignature)

Aggregations

PublicKey (java.security.PublicKey)1 X509Certificate (java.security.cert.X509Certificate)1 PatternSyntaxException (java.util.regex.PatternSyntaxException)1 CryptoLoader (org.apache.cxf.rs.security.common.CryptoLoader)1 TrustValidator (org.apache.cxf.rs.security.common.TrustValidator)1 W3CDOMStreamReader (org.apache.cxf.staxutils.W3CDOMStreamReader)1 Crypto (org.apache.wss4j.common.crypto.Crypto)1 XMLSecurityException (org.apache.xml.security.exceptions.XMLSecurityException)1 KeyInfo (org.apache.xml.security.keys.KeyInfo)1 Reference (org.apache.xml.security.signature.Reference)1 SignedInfo (org.apache.xml.security.signature.SignedInfo)1 XMLSignature (org.apache.xml.security.signature.XMLSignature)1 Document (org.w3c.dom.Document)1 Element (org.w3c.dom.Element)1