use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.
the class SignatureVerificationTest method testPartialSignedDocumentTampered_SignatureFirst.
@Test
public void testPartialSignedDocumentTampered_SignatureFirst() throws Exception {
// Read in plaintext document
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
Document document = builder.parse(sourceDocument);
// Set up the Key
KeyStore keyStore = KeyStore.getInstance("jks");
keyStore.load(this.getClass().getClassLoader().getResource("transmitter.jks").openStream(), "default".toCharArray());
Key key = keyStore.getKey("transmitter", "default".toCharArray());
X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
// Sign using DOM
List<String> localNames = new ArrayList<>();
localNames.add("PaymentInfo");
XMLSignature sig = signUsingDOM("http://www.w3.org/2000/09/xmldsig#rsa-sha1", document, localNames, key);
// Add KeyInfo
sig.addKeyInfo(cert);
// Now modify the context of PaymentInfo
Element paymentInfoElement = (Element) document.getElementsByTagNameNS("urn:example:po", "BillingAddress").item(0);
paymentInfoElement.setTextContent("Dig PLC, 1 First Ave, Dublin 1, US");
// move signature below root element
Element sigElement = (Element) document.getElementsByTagNameNS(XMLSecurityConstants.TAG_dsig_Signature.getNamespaceURI(), XMLSecurityConstants.TAG_dsig_Signature.getLocalPart()).item(0);
document.getDocumentElement().insertBefore(sigElement, XMLUtils.getNextElement(document.getDocumentElement().getFirstChild()));
// Convert Document to a Stream Reader
javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
ByteArrayOutputStream baos = new ByteArrayOutputStream();
transformer.transform(new DOMSource(document), new StreamResult(baos));
XMLStreamReader xmlStreamReader = null;
try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
}
// Verify signature
XMLSecurityProperties properties = new XMLSecurityProperties();
InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
try {
StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
fail("Failure expected on a modified document");
} catch (XMLStreamException ex) {
Assert.assertTrue(ex.getMessage().contains("Invalid digest of reference"));
}
}
use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.
the class SignatureVerificationTest method testCustomC14nAlgo.
@Test
public void testCustomC14nAlgo() throws Exception {
final String customC14N = "customC14N";
Transform.register(customC14N, TransformC14N.class);
Canonicalizer.register(customC14N, Canonicalizer20010315OmitComments.class);
Field algorithmsClassMapInField = TransformerAlgorithmMapper.class.getDeclaredField("algorithmsClassMapIn");
algorithmsClassMapInField.setAccessible(true);
@SuppressWarnings("unchecked") Map<String, Class<?>> transformMap = (Map<String, Class<?>>) algorithmsClassMapInField.get(null);
transformMap.put(customC14N, org.apache.xml.security.stax.impl.transformer.canonicalizer.Canonicalizer20010315_OmitCommentsTransformer.class);
// Read in plaintext document
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
Document document = builder.parse(sourceDocument);
// Set up the Key
KeyStore keyStore = KeyStore.getInstance("jks");
keyStore.load(this.getClass().getClassLoader().getResource("transmitter.jks").openStream(), "default".toCharArray());
Key key = keyStore.getKey("transmitter", "default".toCharArray());
X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
// Sign using DOM
List<String> localNames = new ArrayList<>();
localNames.add("PaymentInfo");
XMLSignature sig = signUsingDOM("http://www.w3.org/2000/09/xmldsig#rsa-sha1", document, localNames, key, customC14N, (List<ReferenceInfo>) null);
// Add KeyInfo
sig.addKeyInfo(cert);
// XMLUtils.outputDOM(document, System.out);
// Convert Document to a Stream Reader
javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
ByteArrayOutputStream baos = new ByteArrayOutputStream();
transformer.transform(new DOMSource(document), new StreamResult(baos));
XMLStreamReader xmlStreamReader = null;
try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
}
// Verify signature
XMLSecurityProperties properties = new XMLSecurityProperties();
properties.setSignatureVerificationKey(cert.getPublicKey());
InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader);
StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
}
use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.
the class SignatureVerificationTest method testHMACSignatureVerificationWrongKey.
@Test
public void testHMACSignatureVerificationWrongKey() throws Exception {
// Read in plaintext document
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
Document document = builder.parse(sourceDocument);
// Set up the Key
byte[] hmacKey = "secret".getBytes(StandardCharsets.US_ASCII);
SecretKey key = new SecretKeySpec(hmacKey, "http://www.w3.org/2000/09/xmldsig#hmac-sha1");
// Sign using DOM
List<String> localNames = new ArrayList<>();
localNames.add("PaymentInfo");
XMLSignature sig = signUsingDOM("http://www.w3.org/2000/09/xmldsig#hmac-sha1", document, localNames, key);
// Add KeyInfo
KeyInfo keyInfo = sig.getKeyInfo();
KeyName keyName = new KeyName(document, "SecretKey");
keyInfo.add(keyName);
// XMLUtils.outputDOM(document, System.out);
// Convert Document to a Stream Reader
javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
ByteArrayOutputStream baos = new ByteArrayOutputStream();
transformer.transform(new DOMSource(document), new StreamResult(baos));
XMLStreamReader xmlStreamReader = null;
try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
}
// Verify signature
XMLSecurityProperties properties = new XMLSecurityProperties();
byte[] badKey = "secret2".getBytes(StandardCharsets.US_ASCII);
key = new SecretKeySpec(badKey, "http://www.w3.org/2000/09/xmldsig#hmac-sha1");
properties.setSignatureVerificationKey(key);
InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader);
try {
StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
fail("Failure expected on a bad key");
} catch (XMLStreamException ex) {
Assert.assertTrue(ex.getCause() instanceof XMLSecurityException);
Assert.assertEquals("INVALID signature -- core validation failed.", ex.getCause().getMessage());
}
}
use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.
the class SignatureVerificationTest method testSignatureVerificationTransformBase64.
@Test
public void testSignatureVerificationTransformBase64() throws Exception {
// Read in plaintext document
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext-base64.xml");
DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
Document document = builder.parse(sourceDocument);
// Set up the Key
KeyStore keyStore = KeyStore.getInstance("jks");
keyStore.load(this.getClass().getClassLoader().getResource("transmitter.jks").openStream(), "default".toCharArray());
Key key = keyStore.getKey("transmitter", "default".toCharArray());
X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
// Sign using DOM
List<String> localNames = new ArrayList<>();
localNames.add("PaymentInfo");
XMLSignature sig = signUsingDOM("http://www.w3.org/2000/09/xmldsig#rsa-sha1", document, localNames, "http://www.w3.org/2000/09/xmldsig#base64", key);
// Add KeyInfo
sig.addKeyInfo(cert);
// XMLUtils.outputDOM(document, System.out);
// Convert Document to a Stream Reader
javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
ByteArrayOutputStream baos = new ByteArrayOutputStream();
transformer.transform(new DOMSource(document), new StreamResult(baos));
XMLStreamReader xmlStreamReader = null;
try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
}
// Verify signature
XMLSecurityProperties properties = new XMLSecurityProperties();
InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
document = StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
SignedElementSecurityEvent signedElementSecurityEvent = securityEventListener.getSecurityEvent(SecurityEventConstants.SignedElement);
X509TokenSecurityEvent x509TokenSecurityEvent = securityEventListener.getSecurityEvent(SecurityEventConstants.X509Token);
String signedElementCorrelationID = signedElementSecurityEvent.getCorrelationID();
String x509TokenCorrelationID = x509TokenSecurityEvent.getCorrelationID();
List<SecurityEvent> signatureSecurityEvents = new ArrayList<>();
List<SecurityEvent> signedElementSecurityEvents = new ArrayList<>();
List<SecurityEvent> securityEvents = securityEventListener.getSecurityEvents();
for (int i = 0; i < securityEvents.size(); i++) {
SecurityEvent securityEvent = securityEvents.get(i);
if (securityEvent.getCorrelationID().equals(signedElementCorrelationID)) {
signedElementSecurityEvents.add(securityEvent);
} else if (securityEvent.getCorrelationID().equals(x509TokenCorrelationID)) {
signatureSecurityEvents.add(securityEvent);
}
}
Assert.assertEquals(4, signatureSecurityEvents.size());
Assert.assertEquals(3, signedElementSecurityEvents.size());
Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
use of org.apache.xml.security.signature.XMLSignature in project santuario-java by apache.
the class SignatureVerificationTest method testECDSASignatureVerification.
@Test
public void testECDSASignatureVerification() throws Exception {
if (Security.getProvider("BC") == null) {
return;
}
//
if ("IBM Corporation".equals(System.getProperty("java.vendor"))) {
return;
}
// Read in plaintext document
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
Document document = builder.parse(sourceDocument);
// Set up the Key
KeyStore keyStore = KeyStore.getInstance("jks");
keyStore.load(this.getClass().getClassLoader().getResource("org/apache/xml/security/samples/input/ecdsa.jks").openStream(), "security".toCharArray());
Key key = keyStore.getKey("ECDSA", "security".toCharArray());
X509Certificate cert = (X509Certificate) keyStore.getCertificate("ECDSA");
// Sign using DOM
List<String> localNames = new ArrayList<>();
localNames.add("PaymentInfo");
XMLSignature sig = signUsingDOM("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1", document, localNames, key);
// Add KeyInfo
sig.addKeyInfo(cert);
// XMLUtils.outputDOM(document, System.out);
// Convert Document to a Stream Reader
javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
ByteArrayOutputStream baos = new ByteArrayOutputStream();
transformer.transform(new DOMSource(document), new StreamResult(baos));
XMLStreamReader xmlStreamReader = null;
try (InputStream is = new ByteArrayInputStream(baos.toByteArray())) {
xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
}
// Verify signature
XMLSecurityProperties properties = new XMLSecurityProperties();
InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
document = StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
// Check the SecurityEvents
checkSecurityEvents(securityEventListener, "http://www.w3.org/2001/10/xml-exc-c14n#", "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1");
checkSignedElementSecurityEvents(securityEventListener);
checkSignatureToken(securityEventListener, cert, null, SecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
SignedElementSecurityEvent signedElementSecurityEvent = securityEventListener.getSecurityEvent(SecurityEventConstants.SignedElement);
X509TokenSecurityEvent x509TokenSecurityEvent = securityEventListener.getSecurityEvent(SecurityEventConstants.X509Token);
String signedElementCorrelationID = signedElementSecurityEvent.getCorrelationID();
String x509TokenCorrelationID = x509TokenSecurityEvent.getCorrelationID();
List<SecurityEvent> signatureSecurityEvents = new ArrayList<>();
List<SecurityEvent> signedElementSecurityEvents = new ArrayList<>();
List<SecurityEvent> securityEvents = securityEventListener.getSecurityEvents();
for (int i = 0; i < securityEvents.size(); i++) {
SecurityEvent securityEvent = securityEvents.get(i);
if (securityEvent.getCorrelationID().equals(signedElementCorrelationID)) {
signedElementSecurityEvents.add(securityEvent);
} else if (securityEvent.getCorrelationID().equals(x509TokenCorrelationID)) {
signatureSecurityEvents.add(securityEvent);
}
}
Assert.assertEquals(4, signatureSecurityEvents.size());
Assert.assertEquals(3, signedElementSecurityEvents.size());
Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
Aggregations