Examples with XMLSignature org.apache.xml.security.signature.XMLSignature used on opensource projects

Search in sources :

Example 36 with XMLSignature

use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.

the class SignatureVerificationTest method testAllowMD5Algorithm.

@Test
public void testAllowMD5Algorithm() throws Exception {
    String jsv = System.getProperty("java.specification.version");
    if (Double.parseDouble(jsv) > 1.7) {
        System.out.println("testAllowMD5Algorithm skipped");
        return;
    }
    // Read in plaintext document
    InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
    DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
    Document document = builder.parse(sourceDocument);
    // Set up the Key
    KeyStore keyStore = KeyStore.getInstance("jks");
    keyStore.load(this.getClass().getClassLoader().getResource("transmitter.jks").openStream(), "default".toCharArray());
    Key key = keyStore.getKey("transmitter", "default".toCharArray());
    X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
    // Sign using DOM
    List<String> localNames = new ArrayList<>();
    localNames.add("PaymentInfo");
    XMLSignature sig = signUsingDOM("http://www.w3.org/2001/04/xmldsig-more#rsa-md5", document, localNames, key);
    // Add KeyInfo
    sig.addKeyInfo(cert);
    // Convert Document to a Stream Reader
    javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    transformer.transform(new DOMSource(document), new StreamResult(baos));
    XMLStreamReader xmlStreamReader = null;
    try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
        xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
    }
    // Verify signature
    XMLSecurityProperties properties = new XMLSecurityProperties();
    InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
    TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
    XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
    try {
        TestUtils.switchAllowMD5Algorithm(true);
        document = StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
    } finally {
        TestUtils.switchAllowMD5Algorithm(false);
    }
}
Also used : DOMSource(javax.xml.transform.dom.DOMSource) XMLStreamReader(javax.xml.stream.XMLStreamReader) StreamResult(javax.xml.transform.stream.StreamResult) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ArrayList(java.util.ArrayList) ByteArrayOutputStream(java.io.ByteArrayOutputStream) Document(org.w3c.dom.Document) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) DocumentBuilder(javax.xml.parsers.DocumentBuilder) ByteArrayInputStream(java.io.ByteArrayInputStream) XMLSignature(org.apache.xml.security.signature.XMLSignature) Key(java.security.Key) SecretKey(javax.crypto.SecretKey) Test(org.junit.Test)

Example 37 with XMLSignature

use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.

the class SignatureVerificationTest method testMaximumAllowedReferencesPerManifest.

@Test
public void testMaximumAllowedReferencesPerManifest() throws Exception {
    // Read in plaintext document
    InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
    DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
    Document document = builder.parse(sourceDocument);
    // Set up the Key
    KeyStore keyStore = KeyStore.getInstance("jks");
    keyStore.load(this.getClass().getClassLoader().getResource("transmitter.jks").openStream(), "default".toCharArray());
    Key key = keyStore.getKey("transmitter", "default".toCharArray());
    X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
    // Sign using DOM
    List<String> localNames = new ArrayList<>();
    localNames.add("Item");
    localNames.add("PaymentInfo");
    localNames.add("ShippingAddress");
    XMLSignature sig = signUsingDOM("http://www.w3.org/2000/09/xmldsig#rsa-sha1", document, localNames, key);
    // Add KeyInfo
    sig.addKeyInfo(cert);
    // Convert Document to a Stream Reader
    javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    transformer.transform(new DOMSource(document), new StreamResult(baos));
    XMLStreamReader xmlStreamReader = null;
    try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
        xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
    }
    // Verify signature
    XMLSecurityProperties properties = new XMLSecurityProperties();
    InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
    TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
    XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
    int oldval = 0;
    try {
        oldval = TestUtils.changeValueOfMaximumAllowedReferencesPerManifest(2);
        document = StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof XMLSecurityException);
        assertEquals("4 references are contained in the Manifest, maximum 2 are allowed. You can raise the maximum " + "via the \"MaximumAllowedReferencesPerManifest\" property in the configuration.", e.getCause().getMessage());
    } finally {
        TestUtils.changeValueOfMaximumAllowedReferencesPerManifest(oldval);
    }
}
Also used : DOMSource(javax.xml.transform.dom.DOMSource) XMLStreamReader(javax.xml.stream.XMLStreamReader) StreamResult(javax.xml.transform.stream.StreamResult) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ArrayList(java.util.ArrayList) ByteArrayOutputStream(java.io.ByteArrayOutputStream) Document(org.w3c.dom.Document) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) XMLStreamException(javax.xml.stream.XMLStreamException) DocumentBuilder(javax.xml.parsers.DocumentBuilder) ByteArrayInputStream(java.io.ByteArrayInputStream) XMLSignature(org.apache.xml.security.signature.XMLSignature) Key(java.security.Key) SecretKey(javax.crypto.SecretKey) Test(org.junit.Test)

Example 38 with XMLSignature

use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.

the class SignatureVerificationTest method testSignatureVerification.

@Test
public void testSignatureVerification() throws Exception {
    // Read in plaintext document
    InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
    DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
    Document document = builder.parse(sourceDocument);
    // Set up the Key
    KeyStore keyStore = KeyStore.getInstance("jks");
    keyStore.load(this.getClass().getClassLoader().getResource("transmitter.jks").openStream(), "default".toCharArray());
    Key key = keyStore.getKey("transmitter", "default".toCharArray());
    X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
    // Sign using DOM
    List<String> localNames = new ArrayList<>();
    localNames.add("PaymentInfo");
    XMLSignature sig = signUsingDOM("http://www.w3.org/2000/09/xmldsig#rsa-sha1", document, localNames, key);
    // Add KeyInfo
    sig.addKeyInfo(cert);
    // XMLUtils.outputDOM(document, System.out);
    // Convert Document to a Stream Reader
    javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    transformer.transform(new DOMSource(document), new StreamResult(baos));
    XMLStreamReader xmlStreamReader = null;
    try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
        xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
    }
    // Verify signature
    XMLSecurityProperties properties = new XMLSecurityProperties();
    InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
    TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
    XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
    document = StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
    // Check the SecurityEvents
    checkSecurityEvents(securityEventListener);
    checkSignedElementSecurityEvents(securityEventListener);
    checkSignatureToken(securityEventListener, cert, null, SecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
    SignedElementSecurityEvent signedElementSecurityEvent = securityEventListener.getSecurityEvent(SecurityEventConstants.SignedElement);
    X509TokenSecurityEvent x509TokenSecurityEvent = securityEventListener.getSecurityEvent(SecurityEventConstants.X509Token);
    String signedElementCorrelationID = signedElementSecurityEvent.getCorrelationID();
    String x509TokenCorrelationID = x509TokenSecurityEvent.getCorrelationID();
    List<SecurityEvent> signatureSecurityEvents = new ArrayList<>();
    List<SecurityEvent> signedElementSecurityEvents = new ArrayList<>();
    List<SecurityEvent> securityEvents = securityEventListener.getSecurityEvents();
    for (int i = 0; i < securityEvents.size(); i++) {
        SecurityEvent securityEvent = securityEvents.get(i);
        if (securityEvent.getCorrelationID().equals(signedElementCorrelationID)) {
            signedElementSecurityEvents.add(securityEvent);
        } else if (securityEvent.getCorrelationID().equals(x509TokenCorrelationID)) {
            signatureSecurityEvents.add(securityEvent);
        }
    }
    Assert.assertEquals(4, signatureSecurityEvents.size());
    Assert.assertEquals(3, signedElementSecurityEvents.size());
    Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
Also used : DOMSource(javax.xml.transform.dom.DOMSource) XMLStreamReader(javax.xml.stream.XMLStreamReader) ArrayList(java.util.ArrayList) Document(org.w3c.dom.Document) XMLSignature(org.apache.xml.security.signature.XMLSignature) StreamResult(javax.xml.transform.stream.StreamResult) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) DocumentBuilder(javax.xml.parsers.DocumentBuilder) ByteArrayInputStream(java.io.ByteArrayInputStream) Key(java.security.Key) SecretKey(javax.crypto.SecretKey) Test(org.junit.Test)

Example 39 with XMLSignature

use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.

the class SignatureVerificationTest method testDisallowMD5Algorithm.

@Test
public void testDisallowMD5Algorithm() throws Exception {
    // Read in plaintext document
    InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
    DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
    Document document = builder.parse(sourceDocument);
    // Set up the Key
    KeyStore keyStore = KeyStore.getInstance("jks");
    keyStore.load(this.getClass().getClassLoader().getResource("transmitter.jks").openStream(), "default".toCharArray());
    Key key = keyStore.getKey("transmitter", "default".toCharArray());
    X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
    // Sign using DOM
    List<String> localNames = new ArrayList<>();
    localNames.add("PaymentInfo");
    XMLSignature sig = signUsingDOM("http://www.w3.org/2001/04/xmldsig-more#rsa-md5", document, localNames, key);
    // Add KeyInfo
    sig.addKeyInfo(cert);
    // Convert Document to a Stream Reader
    javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    transformer.transform(new DOMSource(document), new StreamResult(baos));
    XMLStreamReader xmlStreamReader = null;
    try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
        xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
    }
    // Verify signature
    XMLSecurityProperties properties = new XMLSecurityProperties();
    InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
    TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
    XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
    try {
        document = StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof XMLSecurityException);
        assertEquals("The use of MD5 algorithm is strongly discouraged. Nonetheless can it be enabled via the " + "\"AllowMD5Algorithm\" property in the configuration.", e.getCause().getMessage());
    }
}
Also used : DOMSource(javax.xml.transform.dom.DOMSource) XMLStreamReader(javax.xml.stream.XMLStreamReader) StreamResult(javax.xml.transform.stream.StreamResult) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ArrayList(java.util.ArrayList) ByteArrayOutputStream(java.io.ByteArrayOutputStream) Document(org.w3c.dom.Document) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) XMLStreamException(javax.xml.stream.XMLStreamException) DocumentBuilder(javax.xml.parsers.DocumentBuilder) ByteArrayInputStream(java.io.ByteArrayInputStream) XMLSignature(org.apache.xml.security.signature.XMLSignature) Key(java.security.Key) SecretKey(javax.crypto.SecretKey) Test(org.junit.Test)

Example 40 with XMLSignature

use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.

the class SignatureVerificationTest method testMultipleElements.

@Test
public void testMultipleElements() throws Exception {
    // Read in plaintext document
    InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
    DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
    Document document = builder.parse(sourceDocument);
    // Set up the Key
    KeyStore keyStore = KeyStore.getInstance("jks");
    keyStore.load(this.getClass().getClassLoader().getResource("transmitter.jks").openStream(), "default".toCharArray());
    Key key = keyStore.getKey("transmitter", "default".toCharArray());
    X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
    // Sign using DOM
    List<String> localNames = new ArrayList<>();
    localNames.add("PaymentInfo");
    localNames.add("ShippingAddress");
    XMLSignature sig = signUsingDOM("http://www.w3.org/2000/09/xmldsig#rsa-sha1", document, localNames, key);
    // Add KeyInfo
    sig.addKeyInfo(cert);
    // XMLUtils.outputDOM(document, System.out);
    // Convert Document to a Stream Reader
    javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    transformer.transform(new DOMSource(document), new StreamResult(baos));
    XMLStreamReader xmlStreamReader = null;
    try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
        xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
    }
    // Verify signature
    XMLSecurityProperties properties = new XMLSecurityProperties();
    InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
    TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
    XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
    document = StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
    // Check the SecurityEvents
    checkSecurityEvents(securityEventListener);
    checkSignedElementMultipleSecurityEvents(securityEventListener);
    checkSignatureToken(securityEventListener, cert, null, SecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
    List<SignedElementSecurityEvent> signedElementSecurityEventList = securityEventListener.getSecurityEvents(SecurityEventConstants.SignedElement);
    Assert.assertEquals(2, signedElementSecurityEventList.size());
    X509TokenSecurityEvent x509TokenSecurityEvent = securityEventListener.getSecurityEvent(SecurityEventConstants.X509Token);
    String signedElementCorrelationID1 = signedElementSecurityEventList.get(0).getCorrelationID();
    String signedElementCorrelationID2 = signedElementSecurityEventList.get(1).getCorrelationID();
    String x509TokenCorrelationID = x509TokenSecurityEvent.getCorrelationID();
    List<SecurityEvent> signatureSecurityEvents = new ArrayList<>();
    List<SecurityEvent> signedElementSecurityEvents1 = new ArrayList<>();
    List<SecurityEvent> signedElementSecurityEvents2 = new ArrayList<>();
    List<SecurityEvent> securityEvents = securityEventListener.getSecurityEvents();
    for (int i = 0; i < securityEvents.size(); i++) {
        SecurityEvent securityEvent = securityEvents.get(i);
        if (securityEvent.getCorrelationID().equals(signedElementCorrelationID1)) {
            signedElementSecurityEvents1.add(securityEvent);
        } else if (securityEvent.getCorrelationID().equals(signedElementCorrelationID2)) {
            signedElementSecurityEvents2.add(securityEvent);
        } else if (securityEvent.getCorrelationID().equals(x509TokenCorrelationID)) {
            signatureSecurityEvents.add(securityEvent);
        }
    }
    Assert.assertEquals(4, signatureSecurityEvents.size());
    Assert.assertEquals(3, signedElementSecurityEvents1.size());
    Assert.assertEquals(3, signedElementSecurityEvents2.size());
    Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents1.size() + signedElementSecurityEvents2.size());
}
Also used : DOMSource(javax.xml.transform.dom.DOMSource) XMLStreamReader(javax.xml.stream.XMLStreamReader) ArrayList(java.util.ArrayList) Document(org.w3c.dom.Document) XMLSignature(org.apache.xml.security.signature.XMLSignature) StreamResult(javax.xml.transform.stream.StreamResult) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) DocumentBuilder(javax.xml.parsers.DocumentBuilder) ByteArrayInputStream(java.io.ByteArrayInputStream) Key(java.security.Key) SecretKey(javax.crypto.SecretKey) Test(org.junit.Test)

Aggregations

XMLSignature (org.apache.xml.security.signature.XMLSignature)137 Document (org.w3c.dom.Document)92 Element (org.w3c.dom.Element)69 X509Certificate (java.security.cert.X509Certificate)60 Test (org.junit.Test)60 DocumentBuilder (javax.xml.parsers.DocumentBuilder)52 InputStream (java.io.InputStream)51 ByteArrayInputStream (java.io.ByteArrayInputStream)50 ByteArrayOutputStream (java.io.ByteArrayOutputStream)49 KeyStore (java.security.KeyStore)48 ArrayList (java.util.ArrayList)48 XMLStreamReader (javax.xml.stream.XMLStreamReader)43 Key (java.security.Key)42 DOMSource (javax.xml.transform.dom.DOMSource)42 StreamResult (javax.xml.transform.stream.StreamResult)42 Transforms (org.apache.xml.security.transforms.Transforms)29 SecretKey (javax.crypto.SecretKey)28 XPath (javax.xml.xpath.XPath)23 KeyInfo (org.apache.xml.security.keys.KeyInfo)22 XPathFactory (javax.xml.xpath.XPathFactory)19
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial