Search in sources :

Example 36 with XMLSignature

use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.

the class SignatureVerificationTest method testAllowMD5Algorithm.

@Test
public void testAllowMD5Algorithm() throws Exception {
    String jsv = System.getProperty("java.specification.version");
    if (Double.parseDouble(jsv) > 1.7) {
        System.out.println("testAllowMD5Algorithm skipped");
        return;
    }
    // Read in plaintext document
    InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
    DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
    Document document = builder.parse(sourceDocument);
    // Set up the Key
    KeyStore keyStore = KeyStore.getInstance("jks");
    keyStore.load(this.getClass().getClassLoader().getResource("transmitter.jks").openStream(), "default".toCharArray());
    Key key = keyStore.getKey("transmitter", "default".toCharArray());
    X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
    // Sign using DOM
    List<String> localNames = new ArrayList<>();
    localNames.add("PaymentInfo");
    XMLSignature sig = signUsingDOM("http://www.w3.org/2001/04/xmldsig-more#rsa-md5", document, localNames, key);
    // Add KeyInfo
    sig.addKeyInfo(cert);
    // Convert Document to a Stream Reader
    javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    transformer.transform(new DOMSource(document), new StreamResult(baos));
    XMLStreamReader xmlStreamReader = null;
    try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
        xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
    }
    // Verify signature
    XMLSecurityProperties properties = new XMLSecurityProperties();
    InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
    TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
    XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
    try {
        TestUtils.switchAllowMD5Algorithm(true);
        document = StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
    } finally {
        TestUtils.switchAllowMD5Algorithm(false);
    }
}
Also used : DOMSource(javax.xml.transform.dom.DOMSource) XMLStreamReader(javax.xml.stream.XMLStreamReader) StreamResult(javax.xml.transform.stream.StreamResult) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ArrayList(java.util.ArrayList) ByteArrayOutputStream(java.io.ByteArrayOutputStream) Document(org.w3c.dom.Document) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) DocumentBuilder(javax.xml.parsers.DocumentBuilder) ByteArrayInputStream(java.io.ByteArrayInputStream) XMLSignature(org.apache.xml.security.signature.XMLSignature) Key(java.security.Key) SecretKey(javax.crypto.SecretKey) Test(org.junit.Test)

Example 37 with XMLSignature

use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.

the class SignatureVerificationTest method testMaximumAllowedReferencesPerManifest.

@Test
public void testMaximumAllowedReferencesPerManifest() throws Exception {
    // Read in plaintext document
    InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
    DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
    Document document = builder.parse(sourceDocument);
    // Set up the Key
    KeyStore keyStore = KeyStore.getInstance("jks");
    keyStore.load(this.getClass().getClassLoader().getResource("transmitter.jks").openStream(), "default".toCharArray());
    Key key = keyStore.getKey("transmitter", "default".toCharArray());
    X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
    // Sign using DOM
    List<String> localNames = new ArrayList<>();
    localNames.add("Item");
    localNames.add("PaymentInfo");
    localNames.add("ShippingAddress");
    XMLSignature sig = signUsingDOM("http://www.w3.org/2000/09/xmldsig#rsa-sha1", document, localNames, key);
    // Add KeyInfo
    sig.addKeyInfo(cert);
    // Convert Document to a Stream Reader
    javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    transformer.transform(new DOMSource(document), new StreamResult(baos));
    XMLStreamReader xmlStreamReader = null;
    try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
        xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
    }
    // Verify signature
    XMLSecurityProperties properties = new XMLSecurityProperties();
    InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
    TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
    XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
    int oldval = 0;
    try {
        oldval = TestUtils.changeValueOfMaximumAllowedReferencesPerManifest(2);
        document = StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof XMLSecurityException);
        assertEquals("4 references are contained in the Manifest, maximum 2 are allowed. You can raise the maximum " + "via the \"MaximumAllowedReferencesPerManifest\" property in the configuration.", e.getCause().getMessage());
    } finally {
        TestUtils.changeValueOfMaximumAllowedReferencesPerManifest(oldval);
    }
}
Also used : DOMSource(javax.xml.transform.dom.DOMSource) XMLStreamReader(javax.xml.stream.XMLStreamReader) StreamResult(javax.xml.transform.stream.StreamResult) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ArrayList(java.util.ArrayList) ByteArrayOutputStream(java.io.ByteArrayOutputStream) Document(org.w3c.dom.Document) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) XMLStreamException(javax.xml.stream.XMLStreamException) DocumentBuilder(javax.xml.parsers.DocumentBuilder) ByteArrayInputStream(java.io.ByteArrayInputStream) XMLSignature(org.apache.xml.security.signature.XMLSignature) Key(java.security.Key) SecretKey(javax.crypto.SecretKey) Test(org.junit.Test)

Example 38 with XMLSignature

use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.

the class SignatureVerificationTest method testSignatureVerification.

@Test
public void testSignatureVerification() throws Exception {
    // Read in plaintext document
    InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
    DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
    Document document = builder.parse(sourceDocument);
    // Set up the Key
    KeyStore keyStore = KeyStore.getInstance("jks");
    keyStore.load(this.getClass().getClassLoader().getResource("transmitter.jks").openStream(), "default".toCharArray());
    Key key = keyStore.getKey("transmitter", "default".toCharArray());
    X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
    // Sign using DOM
    List<String> localNames = new ArrayList<>();
    localNames.add("PaymentInfo");
    XMLSignature sig = signUsingDOM("http://www.w3.org/2000/09/xmldsig#rsa-sha1", document, localNames, key);
    // Add KeyInfo
    sig.addKeyInfo(cert);
    // XMLUtils.outputDOM(document, System.out);
    // Convert Document to a Stream Reader
    javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    transformer.transform(new DOMSource(document), new StreamResult(baos));
    XMLStreamReader xmlStreamReader = null;
    try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
        xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
    }
    // Verify signature
    XMLSecurityProperties properties = new XMLSecurityProperties();
    InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
    TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
    XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
    document = StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
    // Check the SecurityEvents
    checkSecurityEvents(securityEventListener);
    checkSignedElementSecurityEvents(securityEventListener);
    checkSignatureToken(securityEventListener, cert, null, SecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
    SignedElementSecurityEvent signedElementSecurityEvent = securityEventListener.getSecurityEvent(SecurityEventConstants.SignedElement);
    X509TokenSecurityEvent x509TokenSecurityEvent = securityEventListener.getSecurityEvent(SecurityEventConstants.X509Token);
    String signedElementCorrelationID = signedElementSecurityEvent.getCorrelationID();
    String x509TokenCorrelationID = x509TokenSecurityEvent.getCorrelationID();
    List<SecurityEvent> signatureSecurityEvents = new ArrayList<>();
    List<SecurityEvent> signedElementSecurityEvents = new ArrayList<>();
    List<SecurityEvent> securityEvents = securityEventListener.getSecurityEvents();
    for (int i = 0; i < securityEvents.size(); i++) {
        SecurityEvent securityEvent = securityEvents.get(i);
        if (securityEvent.getCorrelationID().equals(signedElementCorrelationID)) {
            signedElementSecurityEvents.add(securityEvent);
        } else if (securityEvent.getCorrelationID().equals(x509TokenCorrelationID)) {
            signatureSecurityEvents.add(securityEvent);
        }
    }
    Assert.assertEquals(4, signatureSecurityEvents.size());
    Assert.assertEquals(3, signedElementSecurityEvents.size());
    Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
Also used : DOMSource(javax.xml.transform.dom.DOMSource) XMLStreamReader(javax.xml.stream.XMLStreamReader) ArrayList(java.util.ArrayList) Document(org.w3c.dom.Document) XMLSignature(org.apache.xml.security.signature.XMLSignature) StreamResult(javax.xml.transform.stream.StreamResult) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) DocumentBuilder(javax.xml.parsers.DocumentBuilder) ByteArrayInputStream(java.io.ByteArrayInputStream) Key(java.security.Key) SecretKey(javax.crypto.SecretKey) Test(org.junit.Test)

Example 39 with XMLSignature

use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.

the class SignatureVerificationTest method testDisallowMD5Algorithm.

@Test
public void testDisallowMD5Algorithm() throws Exception {
    // Read in plaintext document
    InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
    DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
    Document document = builder.parse(sourceDocument);
    // Set up the Key
    KeyStore keyStore = KeyStore.getInstance("jks");
    keyStore.load(this.getClass().getClassLoader().getResource("transmitter.jks").openStream(), "default".toCharArray());
    Key key = keyStore.getKey("transmitter", "default".toCharArray());
    X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
    // Sign using DOM
    List<String> localNames = new ArrayList<>();
    localNames.add("PaymentInfo");
    XMLSignature sig = signUsingDOM("http://www.w3.org/2001/04/xmldsig-more#rsa-md5", document, localNames, key);
    // Add KeyInfo
    sig.addKeyInfo(cert);
    // Convert Document to a Stream Reader
    javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    transformer.transform(new DOMSource(document), new StreamResult(baos));
    XMLStreamReader xmlStreamReader = null;
    try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
        xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
    }
    // Verify signature
    XMLSecurityProperties properties = new XMLSecurityProperties();
    InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
    TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
    XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
    try {
        document = StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof XMLSecurityException);
        assertEquals("The use of MD5 algorithm is strongly discouraged. Nonetheless can it be enabled via the " + "\"AllowMD5Algorithm\" property in the configuration.", e.getCause().getMessage());
    }
}
Also used : DOMSource(javax.xml.transform.dom.DOMSource) XMLStreamReader(javax.xml.stream.XMLStreamReader) StreamResult(javax.xml.transform.stream.StreamResult) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ArrayList(java.util.ArrayList) ByteArrayOutputStream(java.io.ByteArrayOutputStream) Document(org.w3c.dom.Document) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) XMLStreamException(javax.xml.stream.XMLStreamException) DocumentBuilder(javax.xml.parsers.DocumentBuilder) ByteArrayInputStream(java.io.ByteArrayInputStream) XMLSignature(org.apache.xml.security.signature.XMLSignature) Key(java.security.Key) SecretKey(javax.crypto.SecretKey) Test(org.junit.Test)

Example 40 with XMLSignature

use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.

the class SignatureVerificationTest method testMultipleElements.

@Test
public void testMultipleElements() throws Exception {
    // Read in plaintext document
    InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
    DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
    Document document = builder.parse(sourceDocument);
    // Set up the Key
    KeyStore keyStore = KeyStore.getInstance("jks");
    keyStore.load(this.getClass().getClassLoader().getResource("transmitter.jks").openStream(), "default".toCharArray());
    Key key = keyStore.getKey("transmitter", "default".toCharArray());
    X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
    // Sign using DOM
    List<String> localNames = new ArrayList<>();
    localNames.add("PaymentInfo");
    localNames.add("ShippingAddress");
    XMLSignature sig = signUsingDOM("http://www.w3.org/2000/09/xmldsig#rsa-sha1", document, localNames, key);
    // Add KeyInfo
    sig.addKeyInfo(cert);
    // XMLUtils.outputDOM(document, System.out);
    // Convert Document to a Stream Reader
    javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    transformer.transform(new DOMSource(document), new StreamResult(baos));
    XMLStreamReader xmlStreamReader = null;
    try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
        xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
    }
    // Verify signature
    XMLSecurityProperties properties = new XMLSecurityProperties();
    InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
    TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
    XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
    document = StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
    // Check the SecurityEvents
    checkSecurityEvents(securityEventListener);
    checkSignedElementMultipleSecurityEvents(securityEventListener);
    checkSignatureToken(securityEventListener, cert, null, SecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
    List<SignedElementSecurityEvent> signedElementSecurityEventList = securityEventListener.getSecurityEvents(SecurityEventConstants.SignedElement);
    Assert.assertEquals(2, signedElementSecurityEventList.size());
    X509TokenSecurityEvent x509TokenSecurityEvent = securityEventListener.getSecurityEvent(SecurityEventConstants.X509Token);
    String signedElementCorrelationID1 = signedElementSecurityEventList.get(0).getCorrelationID();
    String signedElementCorrelationID2 = signedElementSecurityEventList.get(1).getCorrelationID();
    String x509TokenCorrelationID = x509TokenSecurityEvent.getCorrelationID();
    List<SecurityEvent> signatureSecurityEvents = new ArrayList<>();
    List<SecurityEvent> signedElementSecurityEvents1 = new ArrayList<>();
    List<SecurityEvent> signedElementSecurityEvents2 = new ArrayList<>();
    List<SecurityEvent> securityEvents = securityEventListener.getSecurityEvents();
    for (int i = 0; i < securityEvents.size(); i++) {
        SecurityEvent securityEvent = securityEvents.get(i);
        if (securityEvent.getCorrelationID().equals(signedElementCorrelationID1)) {
            signedElementSecurityEvents1.add(securityEvent);
        } else if (securityEvent.getCorrelationID().equals(signedElementCorrelationID2)) {
            signedElementSecurityEvents2.add(securityEvent);
        } else if (securityEvent.getCorrelationID().equals(x509TokenCorrelationID)) {
            signatureSecurityEvents.add(securityEvent);
        }
    }
    Assert.assertEquals(4, signatureSecurityEvents.size());
    Assert.assertEquals(3, signedElementSecurityEvents1.size());
    Assert.assertEquals(3, signedElementSecurityEvents2.size());
    Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents1.size() + signedElementSecurityEvents2.size());
}
Also used : DOMSource(javax.xml.transform.dom.DOMSource) XMLStreamReader(javax.xml.stream.XMLStreamReader) ArrayList(java.util.ArrayList) Document(org.w3c.dom.Document) XMLSignature(org.apache.xml.security.signature.XMLSignature) StreamResult(javax.xml.transform.stream.StreamResult) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) DocumentBuilder(javax.xml.parsers.DocumentBuilder) ByteArrayInputStream(java.io.ByteArrayInputStream) Key(java.security.Key) SecretKey(javax.crypto.SecretKey) Test(org.junit.Test)

Aggregations

XMLSignature (org.apache.xml.security.signature.XMLSignature)137 Document (org.w3c.dom.Document)92 Element (org.w3c.dom.Element)69 X509Certificate (java.security.cert.X509Certificate)60 Test (org.junit.Test)60 DocumentBuilder (javax.xml.parsers.DocumentBuilder)52 InputStream (java.io.InputStream)51 ByteArrayInputStream (java.io.ByteArrayInputStream)50 ByteArrayOutputStream (java.io.ByteArrayOutputStream)49 KeyStore (java.security.KeyStore)48 ArrayList (java.util.ArrayList)48 XMLStreamReader (javax.xml.stream.XMLStreamReader)43 Key (java.security.Key)42 DOMSource (javax.xml.transform.dom.DOMSource)42 StreamResult (javax.xml.transform.stream.StreamResult)42 Transforms (org.apache.xml.security.transforms.Transforms)29 SecretKey (javax.crypto.SecretKey)28 XPath (javax.xml.xpath.XPath)23 KeyInfo (org.apache.xml.security.keys.KeyInfo)22 XPathFactory (javax.xml.xpath.XPathFactory)19