use of org.apache.xml.security.transforms.Transforms in project verify-hub by alphagov.
the class BuilderHelper method createXMLSignature.
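public static XMLSignature createXMLSignature(final SignatureAlgorithm signatureAlgorithm, final DigestAlgorithm digestAlgorithm) {
    // Host the signature in a small synthetic document: the single ds:Reference
    // added below (URI "") covers that whole document, not any caller-supplied XML.
    // NOTE(review): the boolean passed to XMLUtils.createDocumentBuilder is presumably
    // "validating" — confirm against the Santuario version in use.
    final DocumentBuilder documentBuilder;
    try {
        documentBuilder = XMLUtils.createDocumentBuilder(false);
    } catch (ParserConfigurationException e) {
        // Previously swallowed, which resurfaced as an opaque NPE on newDocument() below.
        throw new IllegalStateException("Could not create a DocumentBuilder for the XML signature", e);
    }
    Document doc = documentBuilder.newDocument();
    Element rootElement = doc.createElementNS("https://www.verify.gov.uk/", "root");
    rootElement.appendChild(doc.createTextNode("Welcome to Verify GOV.UK!"));
    doc.appendChild(rootElement);

    try {
        // Unsigned structure: SignedInfo carries the requested signature algorithm,
        // the caller is expected to supply the key and call sign().
        XMLSignature xmlSignature = new XMLSignature(doc, "", signatureAlgorithm.getURI());
        doc.getDocumentElement().appendChild(xmlSignature.getElement());
        xmlSignature.getSignedInfo().addResourceResolver(new ResolverXPointer());

        // Enveloped transform excludes the ds:Signature itself from the digest;
        // inclusive C14N *with* comments is then applied to the remaining document.
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);
        xmlSignature.addDocument("", transforms, digestAlgorithm.getURI());
        return xmlSignature;
    } catch (org.apache.xml.security.exceptions.XMLSecurityException e) {
        // Failing loudly beats the original behaviour of silently returning a
        // partially built (or null) signature that would later verify or sign nothing.
        throw new IllegalStateException("Could not build the XMLSignature structure", e);
    }
}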
use of org.apache.xml.security.transforms.Transforms in project OpenAM by OpenRock.
the class AMSignatureProvider method signXML.
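/**
 * Sign the parts of the XML document referred to by the supplied list
 * of id attribute values, producing one <code>ds:Reference</code> per id.
 * The signature element is appended to the document element and uses
 * exclusive canonicalization (omit comments) for <code>SignedInfo</code>.
 * @param doc XML dom object
 * @param certAlias Signer's certificate alias name
 * @param algorithm XML signature algorithm; if null or empty it is
 * derived from the private key via <code>getKeyAlgorithm</code>
 * @param transformAlag XML signature transform algorithm applied to every
 * reference before exclusive canonicalization; may be null.
 * Those transform constants are defined as
 * SAMLConstants.TRANSFORM_XXX.
 * @param ids list of id attribute values of nodes to be signed
 * @return signature dom object
 * @throws XMLSignatureException if the document could not be signed
 */
public org.w3c.dom.Element signXML(org.w3c.dom.Document doc, java.lang.String certAlias, java.lang.String algorithm, java.lang.String transformAlag, java.util.List ids) throws XMLSignatureException {
    if (doc == null) {
        SAMLUtilsCommon.debug.error("signXML: doc is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (certAlias == null || certAlias.length() == 0) {
        SAMLUtilsCommon.debug.error("signXML: certAlias is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (ids == null) {
        // Previously surfaced as a NullPointerException wrapped with a null message.
        SAMLUtilsCommon.debug.error("signXML: ids is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    org.w3c.dom.Element root = doc.getDocumentElement();
    XMLSignature signature = null;
    try {
        // Process-wide default prefix for the ds: namespace (shared static state).
        ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
        // Same guard the three-argument signXML applies; without it a missing
        // keystore is reported only as a wrapped NullPointerException.
        if (keystore == null) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullkeystore"));
        }
        PrivateKey privateKey = (PrivateKey) keystore.getPrivateKey(certAlias);
        if (privateKey == null) {
            SAMLUtilsCommon.debug.error("private key is null");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullprivatekey"));
        }
        if (algorithm == null || algorithm.length() == 0) {
            algorithm = getKeyAlgorithm(privateKey);
        }
        if (!isValidAlgorithm(algorithm)) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidalgorithm"));
        }
        // Validate the caller-supplied transform against the provider's allow-list,
        // as the three-argument signXML already does, instead of handing an arbitrary
        // URI (e.g. an XSLT transform) straight to Santuario.
        if (transformAlag != null && !isValidTransformAlgorithm(transformAlag)) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidTransformAlgorithm"));
        }
        signature = new XMLSignature(doc, "", algorithm, Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        root.appendChild(signature.getElement());
        int size = ids.size();
        for (int i = 0; i < size; ++i) {
            Transforms transforms = new Transforms(doc);
            if (transformAlag != null) {
                transforms.addTransform(transformAlag);
            }
            transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
            String id = (String) ids.get(i);
            if (SAMLUtilsCommon.debug.messageEnabled()) {
                SAMLUtilsCommon.debug.message("id = " + id);
            }
            // NOTE(review): reference digests are fixed to SHA-1, which is deprecated for
            // signatures; kept unchanged here for interoperability — consider SHA-256.
            signature.addDocument("#" + id, transforms, Constants.ALGO_ID_DIGEST_SHA1);
        }
        X509Certificate cert = (X509Certificate) keystore.getX509Certificate(certAlias);
        signature.addKeyInfo(cert);
        signature.sign(privateKey);
    } catch (Exception e) {
        // Full stack trace is logged here; only the message is propagated.
        SAMLUtilsCommon.debug.error("signXML Exception: ", e);
        throw new XMLSignatureException(e.getMessage());
    }
    return (signature.getElement());
}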
use of org.apache.xml.security.transforms.Transforms in project OpenAM by OpenRock.
the class AMSignatureProvider method signXMLUsingKeyPass.
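/**
 * Sign part of the XML document referred to by the supplied id attribute
 * using an enveloped signature and exclusive XML canonicalization.
 * The element carrying <code>idAttrName="id"</code> is located, registered as
 * an ID-typed attribute when <code>idAttrName</code> is not the default, and
 * the <code>ds:Signature</code> is inserted into it.
 * @param doc XML dom object
 * @param certAlias Signer's certificate alias name
 * @param encryptedKeyPass Use the supplied encrypted key password to get the
 * private key; if null or empty the keystore's default is used
 * @param algorithm XML signature algorithm; if null or empty it is derived
 * from the private key via <code>getKeyAlgorithm</code>
 * @param idAttrName attribute name for the id attribute of the node to be
 * signed.
 * @param id id attribute value of the node to be signed
 * @param includeCert if true, include the signing certificate in
 * <code>KeyInfo</code>.
 * if false, does not include the signing certificate.
 * @param xpath expression that should uniquely identify a child node before
 * which the signature is inserted; if null the signature is appended
 * as the last child of the signed element
 * @return a signed dom object
 * @throws XMLSignatureException if the document could not be signed
 */
public Element signXMLUsingKeyPass(Document doc, String certAlias, String encryptedKeyPass, String algorithm, String idAttrName, String id, boolean includeCert, String xpath) throws XMLSignatureException {
    if (doc == null) {
        SAMLUtilsCommon.debug.error("signXML: doc is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (certAlias == null || certAlias.length() == 0) {
        SAMLUtilsCommon.debug.error("signXML: certAlias is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (idAttrName == null || idAttrName.length() == 0 || id == null || id.length() == 0) {
        SAMLUtilsCommon.debug.error("signXML: idAttrName or id is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    // Both values are spliced into an XPath expression below. A quote character
    // would terminate the string literal and let the predicate select a different
    // element than the one named (XPath injection). Valid XML names / ID values
    // never contain quotes, so rejecting them loses nothing.
    if (containsXPathQuote(idAttrName) || containsXPathQuote(id)) {
        SAMLUtilsCommon.debug.error("signXML: idAttrName or id contains a quote character.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidIDAttribute"));
    }
    Element root = null;
    XMLSignature sig = null;
    try {
        // Process-wide default prefix for the ds: namespace (shared static state).
        ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
        PrivateKey privateKey;
        if (encryptedKeyPass == null || encryptedKeyPass.isEmpty()) {
            privateKey = keystore.getPrivateKey(certAlias);
        } else {
            privateKey = keystore.getPrivateKey(certAlias, encryptedKeyPass);
        }
        if (privateKey == null) {
            SAMLUtilsCommon.debug.error("private key is null");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullprivatekey"));
        }
        root = (Element) XPathAPI.selectSingleNode(doc, "//*[@" + idAttrName + "=\"" + id + "\"]");
        if (root == null) {
            SAMLUtilsCommon.debug.error("signXML: could not" + " resolv id attribute");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidIDAttribute"));
        }
        // Belt and braces: the element we are about to sign must really carry the
        // requested id value, independent of how the XPath was interpreted.
        if (!id.equals(root.getAttribute(idAttrName))) {
            SAMLUtilsCommon.debug.error("signXML: resolved element does not carry the requested id");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidIDAttribute"));
        }
        // Set the ID attribute if idAttrName is not the default so the
        // "#id" reference can be resolved against the DOM.
        if (!idAttrName.equals(DEF_ID_ATTRIBUTE)) {
            root.setIdAttribute(idAttrName, true);
        }
        if (algorithm == null || algorithm.length() == 0) {
            algorithm = getKeyAlgorithm(privateKey);
        }
        if (!isValidAlgorithm(algorithm)) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidalgorithm"));
        }
        sig = new XMLSignature(doc, "", algorithm, Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        if (xpath == null) {
            root.appendChild(sig.getElement());
        } else {
            // insertBefore with a null reference node appends, so an xpath that
            // matches nothing still places the signature last.
            Node beforeNode = XPathAPI.selectSingleNode(doc, xpath);
            root.insertBefore(sig.getElement(), beforeNode);
        }
        sig.getSignedInfo().addResourceResolver(new OfflineResolver());
        // Enveloped transform removes the ds:Signature itself from the digested
        // content; exclusive C14N (omit comments) is applied afterwards.
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        String ref = "#" + id;
        // NOTE(review): reference digest is fixed to SHA-1, which is deprecated for
        // signatures; kept unchanged here for interoperability — consider SHA-256.
        sig.addDocument(ref, transforms, Constants.ALGO_ID_DIGEST_SHA1);
        if (includeCert) {
            X509Certificate cert = (X509Certificate) keystore.getX509Certificate(certAlias);
            sig.addKeyInfo(cert);
        }
        sig.sign(privateKey);
    } catch (Exception e) {
        // Full stack trace is logged here; only the message is propagated.
        SAMLUtilsCommon.debug.error("signXML Exception: ", e);
        throw new XMLSignatureException(e.getMessage());
    }
    return (sig.getElement());
}

/** True if the value contains either XPath string-literal delimiter. */
private static boolean containsXPathQuote(String value) {
    return value.indexOf('"') >= 0 || value.indexOf('\'') >= 0;
}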
use of org.apache.xml.security.transforms.Transforms in project OpenAM by OpenRock.
the class AMSignatureProvider method signXML.
/**
 * Sign the whole XML document with an enveloped signature appended to the
 * document element. Canonicalization and the optional extra transform come
 * from the provider's configured <code>c14nMethod</code> and
 * <code>transformAlg</code>; both are validated before use.
 * @param doc XML dom object
 * @param certAlias Signer's certificate alias name
 * @param algorithm XML signature algorithm; if null or empty it is derived
 * from the private key via <code>getKeyAlgorithm</code>
 * @return signature dom object
 * @throws XMLSignatureException if the document could not be signed
 */
public org.w3c.dom.Element signXML(org.w3c.dom.Document doc, java.lang.String certAlias, java.lang.String algorithm) throws XMLSignatureException {
    if (doc == null) {
        SAMLUtilsCommon.debug.error("signXML: doc is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (certAlias == null || certAlias.isEmpty()) {
        SAMLUtilsCommon.debug.error("signXML: certAlias is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    XMLSignature envelopedSig = null;
    try {
        // Process-wide default prefix for the ds: namespace (shared static state).
        ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
        if (keystore == null) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullkeystore"));
        }
        PrivateKey signingKey = (PrivateKey) keystore.getPrivateKey(certAlias);
        if (signingKey == null) {
            SAMLUtilsCommon.debug.error("private key is null");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullprivatekey"));
        }
        org.w3c.dom.Element documentRoot = doc.getDocumentElement();

        String sigAlg = (algorithm == null || algorithm.isEmpty()) ? getKeyAlgorithm(signingKey) : algorithm;
        if (!isValidAlgorithm(sigAlg)) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidalgorithm"));
        }

        // An unset c14nMethod leaves the choice to Santuario's default; a configured
        // one must pass the provider's allow-list first.
        boolean useDefaultC14n = (c14nMethod == null || c14nMethod.isEmpty());
        if (!useDefaultC14n && !isValidCanonicalizationMethod(c14nMethod)) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidCanonicalizationMethod"));
        }
        envelopedSig = useDefaultC14n
                ? new XMLSignature(doc, "", sigAlg)
                : new XMLSignature(doc, "", sigAlg, c14nMethod);
        documentRoot.appendChild(envelopedSig.getElement());
        envelopedSig.getSignedInfo().addResourceResolver(new com.sun.identity.saml.xmlsig.OfflineResolver());

        // The enveloped transform is mandatory here (it excludes the ds:Signature
        // from the digest); the configured transformAlg is appended only when set.
        Transforms refTransforms = new Transforms(doc);
        refTransforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        if (transformAlg != null && !transformAlg.isEmpty()) {
            if (!isValidTransformAlgorithm(transformAlg)) {
                throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidTransformAlgorithm"));
            }
            refTransforms.addTransform(transformAlg);
        }
        // NOTE(review): reference digest is fixed to SHA-1, which is deprecated for
        // signatures; kept unchanged here for interoperability — consider SHA-256.
        envelopedSig.addDocument("", refTransforms, Constants.ALGO_ID_DIGEST_SHA1);

        // Embed the signer's certificate so verifiers can locate the key.
        envelopedSig.addKeyInfo((X509Certificate) keystore.getX509Certificate(certAlias));
        envelopedSig.sign(signingKey);
    } catch (Exception e) {
        // Full stack trace is logged here; only the message is propagated.
        SAMLUtilsCommon.debug.error("signXML Exception: ", e);
        throw new XMLSignatureException(e.getMessage());
    }
    return envelopedSig.getElement();
}
use of org.apache.xml.security.transforms.Transforms in project OpenAM by OpenRock.
the class AMSignatureProvider method signWithWSSX509TokenProfile.
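/**
 * Sign the parts of the SOAP document referred to by the supplied list of
 * <code>wsu:Id</code> values following the WS-Security X.509 token profile:
 * every element carrying a <code>wsu:Id</code> is registered as ID-typed, the
 * <code>ds:Signature</code> is placed inside the <code>wsse:Security</code>
 * header, and <code>KeyInfo</code> holds a <code>SecurityTokenReference</code>
 * pointing at the header's <code>BinarySecurityToken</code>.
 * @param doc XML dom object
 * @param cert Signer's certificate; its keystore alias selects the private key
 * @param algorithm XML signature algorithm; if null or empty it is derived
 * from the private key via <code>getKeyAlgorithm</code>
 * @param ids list of id attribute values of nodes to be signed
 * @param wsfVersion the web services version; selects the wsse/wsu namespaces
 * @return X509 Security Token signature
 * @throws XMLSignatureException if the document could not be signed
 */
public Element signWithWSSX509TokenProfile(Document doc, java.security.cert.Certificate cert, String algorithm, List ids, String wsfVersion) throws XMLSignatureException {
    if (doc == null) {
        SAMLUtilsCommon.debug.error("signXML: doc is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (cert == null || ids == null) {
        // Previously surfaced as a NullPointerException wrapped with a null message.
        SAMLUtilsCommon.debug.error("signWithWSSX509TokenProfile: cert or ids is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (SAMLUtilsCommon.debug.messageEnabled()) {
        // NOTE(review): this dumps the complete SOAP envelope (possibly including
        // credentials or tokens) to the debug log; keep debug logging off in production.
        SAMLUtilsCommon.debug.message("Soap Envlope: " + XMLUtils.print(doc.getDocumentElement()));
    }
    // NOTE(review): stores per-call state on the shared provider instance; not
    // safe if this provider is used concurrently — confirm how wsfVersion is read elsewhere.
    this.wsfVersion = wsfVersion;
    String wsseNS = SAMLConstants.NS_WSSE;
    String wsuNS = SAMLConstants.NS_WSU;
    if ((wsfVersion != null) && (wsfVersion.equals(SOAPBindingConstants.WSF_11_VERSION))) {
        wsseNS = WSSEConstants.NS_WSSE_WSF11;
        wsuNS = WSSEConstants.NS_WSU_WSF11;
    }
    Element root = (Element) doc.getDocumentElement().getElementsByTagNameNS(wsseNS, SAMLConstants.TAG_SECURITY).item(0);
    if (root == null) {
        SAMLUtilsCommon.debug.error("signWithWSSX509TokenProfile: wsse:Security header not found.");
        throw new XMLSignatureException("wsse:Security header not found");
    }
    XMLSignature signature = null;
    try {
        // Process-wide default prefix for the ds: namespace (shared static state).
        ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
        // Mark every wsu:Id as an ID-typed attribute so "#id" references resolve.
        Element wsucontext = org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "wsu", wsuNS);
        NodeList wsuNodes = (NodeList) XPathAPI.selectNodeList(doc, "//*[@wsu:Id]", wsucontext);
        if ((wsuNodes != null) && (wsuNodes.getLength() != 0)) {
            for (int i = 0; i < wsuNodes.getLength(); i++) {
                Element elem = (Element) wsuNodes.item(i);
                String id = elem.getAttributeNS(wsuNS, "Id");
                if (id != null && id.length() != 0) {
                    elem.setIdAttributeNS(wsuNS, "Id", true);
                }
            }
        }
        if (keystore == null) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullkeystore"));
        }
        String certAlias = keystore.getCertificateAlias(cert);
        PrivateKey privateKey = (PrivateKey) keystore.getPrivateKey(certAlias);
        if (privateKey == null) {
            SAMLUtilsCommon.debug.error("private key is null");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullprivatekey"));
        }
        if (algorithm == null || algorithm.length() == 0) {
            algorithm = getKeyAlgorithm(privateKey);
        }
        if (!isValidAlgorithm(algorithm)) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidalgorithm"));
        }
        // The BinarySecurityToken must exist before we build a reference to it;
        // check up front rather than failing with an NPE after the signature element
        // has already been inserted into the header.
        Element bsf = (Element) root.getElementsByTagNameNS(wsseNS, SAMLConstants.BINARYSECURITYTOKEN).item(0);
        if (bsf == null) {
            SAMLUtilsCommon.debug.error("signWithWSSX509TokenProfile: wsse:BinarySecurityToken not found.");
            throw new XMLSignatureException("wsse:BinarySecurityToken not found");
        }
        signature = new XMLSignature(doc, "", algorithm, Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        root.appendChild(signature.getElement());
        int size = ids.size();
        for (int i = 0; i < size; ++i) {
            // No enveloped transform: the signature lives in the header, outside the
            // referenced elements, so plain exclusive C14N is sufficient.
            Transforms transforms = new Transforms(doc);
            transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
            String id = (String) ids.get(i);
            if (SAMLUtilsCommon.debug.messageEnabled()) {
                SAMLUtilsCommon.debug.message("id = " + id);
            }
            // NOTE(review): reference digests are fixed to SHA-1, which is deprecated for
            // signatures; kept unchanged here for interoperability — consider SHA-256.
            signature.addDocument("#" + id, transforms, Constants.ALGO_ID_DIGEST_SHA1);
        }
        // KeyInfo -> wsse:SecurityTokenReference -> wsse:Reference URI="#<token wsu:Id>"
        KeyInfo keyInfo = signature.getKeyInfo();
        Element securityTokenRef = doc.createElementNS(wsseNS, SAMLConstants.TAG_SECURITYTOKENREFERENCE);
        keyInfo.addUnknownElement(securityTokenRef);
        securityTokenRef.setAttributeNS(SAMLConstants.NS_XMLNS, SAMLConstants.TAG_XMLNS, wsseNS);
        securityTokenRef.setAttributeNS(SAMLConstants.NS_XMLNS, SAMLConstants.TAG_XMLNS_SEC, SAMLConstants.NS_SEC);
        securityTokenRef.setAttributeNS(null, SAMLConstants.TAG_USAGE, SAMLConstants.TAG_SEC_MESSAGEAUTHENTICATION);
        String certId = bsf.getAttributeNS(wsuNS, SAMLConstants.TAG_ID);
        Element reference = doc.createElementNS(wsseNS, SAMLConstants.TAG_REFERENCE);
        securityTokenRef.appendChild(reference);
        reference.setAttributeNS(null, SAMLConstants.TAG_URI, "#" + certId);
        signature.sign(privateKey);
    } catch (Exception e) {
        // Full stack trace is logged here; only the message is propagated.
        SAMLUtilsCommon.debug.error("signWithWSSX509TokenProfile" + " Exception: ", e);
        throw new XMLSignatureException(e.getMessage());
    }
    return (signature.getElement());
}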