
Example 51 with Transforms

use of org.apache.xml.security.transforms.Transforms in project verify-hub by alphagov.

the class BuilderHelper method createXMLSignature.

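/**
 * Builds a small stand-alone document carrying an unsigned, enveloped {@code ds:Signature}.
 *
 * The document is a single {@code root} element in the {@code https://www.verify.gov.uk/}
 * namespace with one text child. An {@link XMLSignature} is appended to it and a single
 * reference to the whole document ({@code URI=""}) is registered with the enveloped-signature
 * and C14N-with-comments transforms. Nothing is signed here; the caller does that.
 *
 * @param signatureAlgorithm algorithm whose URI becomes the {@code SignatureMethod}
 * @param digestAlgorithm    algorithm whose URI becomes the reference {@code DigestMethod}
 * @return the unsigned signature, already attached to its document (never null)
 * @throws IllegalStateException if the DOM builder cannot be configured or the signature
 *         structure cannot be built. Both cases were previously swallowed, which surfaced as
 *         a bare {@code NullPointerException} or a {@code null}/half-built return value.
 */
public static XMLSignature createXMLSignature(final SignatureAlgorithm signatureAlgorithm, final DigestAlgorithm digestAlgorithm) {
    final DocumentBuilder documentBuilder;
    try {
        documentBuilder = XMLUtils.createDocumentBuilder(false);
    } catch (ParserConfigurationException e) {
        // Keep the cause: a swallowed exception here used to become a NullPointerException below.
        throw new IllegalStateException("Unable to create a DocumentBuilder", e);
    }
    Document doc = documentBuilder.newDocument();
    Element rootElement = doc.createElementNS("https://www.verify.gov.uk/", "root");
    rootElement.appendChild(doc.createTextNode("Welcome to Verify GOV.UK!"));
    doc.appendChild(rootElement);
    try {
        XMLSignature xmlSignature = new XMLSignature(doc, "", signatureAlgorithm.getURI());
        Element root = doc.getDocumentElement();
        root.appendChild(xmlSignature.getElement());
        xmlSignature.getSignedInfo().addResourceResolver(new ResolverXPointer());
        Transforms transforms = new Transforms(doc);
        // Enveloped-signature first so the ds:Signature element itself is excluded from the
        // digested content; comments are retained so they are covered by the digest.
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);
        xmlSignature.addDocument("", transforms, digestAlgorithm.getURI());
        return xmlSignature;
    } catch (org.apache.xml.security.exceptions.XMLSecurityException e) {
        // Previously swallowed, returning null or a partially built signature.
        throw new IllegalStateException("Unable to build the XML signature structure", e);
    }
}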

Example 52 with Transforms

use of org.apache.xml.security.transforms.Transforms in project OpenAM by OpenRock.

the class AMSignatureProvider method signXML.

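/**
 * Signs the parts of {@code doc} identified by the supplied list of id attribute values.
 *
 * The {@code ds:Signature} element is appended to the document element. One
 * {@code ds:Reference} ({@code URI="#id"}) is added per id, with the optional caller-supplied
 * transform followed by exclusive C14N (omitting comments). The signing certificate is placed
 * in {@code KeyInfo}. Reference digests use SHA-1 ({@code Constants.ALGO_ID_DIGEST_SHA1});
 * this is retained for interoperability with existing verifiers, but SHA-1 is deprecated for
 * new deployments and the digest should be made configurable.
 *
 * @param doc           XML DOM object to sign
 * @param certAlias     signer's certificate alias in the keystore
 * @param algorithm     XML signature algorithm URI; if null or empty it is derived from the key
 * @param transformAlag optional XML signature transform algorithm URI
 *                      (the {@code SAMLConstants.TRANSFORM_XXX} constants); ignored when null
 * @param ids           list of id attribute values ({@code String}) of the nodes to be signed
 * @return the signature DOM element
 * @throws XMLSignatureException if an argument is missing, the keystore or key cannot be
 *         resolved, the algorithm is invalid, or signing fails. The cause is written to the
 *         debug log; only its message is propagated.
 */
public org.w3c.dom.Element signXML(org.w3c.dom.Document doc, java.lang.String certAlias, java.lang.String algorithm, java.lang.String transformAlag, java.util.List ids) throws XMLSignatureException {
    if (doc == null) {
        SAMLUtilsCommon.debug.error("signXML: doc is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (certAlias == null || certAlias.length() == 0) {
        SAMLUtilsCommon.debug.error("signXML: certAlias is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (ids == null) {
        // Previously surfaced as a NullPointerException wrapped in an exception whose message was "null".
        SAMLUtilsCommon.debug.error("signXML: ids is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    org.w3c.dom.Element root = doc.getDocumentElement();
    XMLSignature signature = null;
    try {
        ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
        if (keystore == null) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullkeystore"));
        }
        PrivateKey privateKey = keystore.getPrivateKey(certAlias);
        if (privateKey == null) {
            SAMLUtilsCommon.debug.error("private key is null");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullprivatekey"));
        }
        if (algorithm == null || algorithm.length() == 0) {
            algorithm = getKeyAlgorithm(privateKey);
        }
        if (!isValidAlgorithm(algorithm)) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidalgorithm"));
        }
        signature = new XMLSignature(doc, "", algorithm, Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        root.appendChild(signature.getElement());
        int size = ids.size();
        for (int i = 0; i < size; ++i) {
            Transforms transforms = new Transforms(doc);
            // Caller transform first, then exclusive C14N so the canonical form is what gets digested.
            if (transformAlag != null) {
                transforms.addTransform(transformAlag);
            }
            transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
            String id = (String) ids.get(i);
            if (SAMLUtilsCommon.debug.messageEnabled()) {
                SAMLUtilsCommon.debug.message("id = " + id);
            }
            signature.addDocument("#" + id, transforms, Constants.ALGO_ID_DIGEST_SHA1);
        }
        X509Certificate cert = (X509Certificate) keystore.getX509Certificate(certAlias);
        signature.addKeyInfo(cert);
        signature.sign(privateKey);
    } catch (Exception e) {
        // Full stack trace goes to the debug log; XMLSignatureException only carries the message.
        SAMLUtilsCommon.debug.error("signXML Exception: ", e);
        throw new XMLSignatureException(e.getMessage());
    }
    return (signature.getElement());
}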

Example 53 with Transforms

use of org.apache.xml.security.transforms.Transforms in project OpenAM by OpenRock.

the class AMSignatureProvider method signXMLUsingKeyPass.

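/**
 * Signs the element of {@code doc} carrying {@code idAttrName="id"} with an enveloped
 * signature using exclusive XML canonicalization (omitting comments).
 *
 * The private key is read from the keystore, unlocked with {@code encryptedKeyPass} when one
 * is supplied. The {@code ds:Signature} element is appended to the signed element, or
 * inserted before the node selected by {@code xpath} when that is non-null. The reference
 * digest uses SHA-1 ({@code Constants.ALGO_ID_DIGEST_SHA1}), retained for interoperability
 * with existing verifiers.
 *
 * @param doc              XML DOM object
 * @param certAlias        signer's certificate alias name
 * @param encryptedKeyPass key password used to unlock the private key; null or empty means
 *                         the keystore default is used
 * @param algorithm        XML signature algorithm URI; if null or empty it is derived from the key
 * @param idAttrName       name of the id attribute of the node to be signed
 * @param id               value of that id attribute
 * @param includeCert      if true, the signing certificate is added to {@code KeyInfo};
 *                         if false, {@code KeyInfo} carries no certificate
 * @param xpath            expression selecting the node before which the signature is
 *                         inserted; if null the signature is appended to the signed node
 * @return the signature DOM element
 * @throws XMLSignatureException if an argument is missing or malformed, the target node
 *         cannot be resolved, the key cannot be resolved, the algorithm is invalid, or
 *         signing fails. The cause is written to the debug log; only its message is propagated.
 */
public Element signXMLUsingKeyPass(Document doc, String certAlias, String encryptedKeyPass, String algorithm, String idAttrName, String id, boolean includeCert, String xpath) throws XMLSignatureException {
    if (doc == null) {
        SAMLUtilsCommon.debug.error("signXML: doc is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (certAlias == null || certAlias.length() == 0) {
        SAMLUtilsCommon.debug.error("signXML: certAlias is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (idAttrName == null || idAttrName.length() == 0 || id == null || id.length() == 0) {
        // A null idAttrName previously failed with a NullPointerException at the
        // DEF_ID_ATTRIBUTE comparison, and a null id was looked up as the literal text "null".
        SAMLUtilsCommon.debug.error("signXML: idAttrName or id is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    // Both values are spliced into an XPath expression below. A legal attribute name has no
    // quote, bracket or operator characters and a legal XML ID value has no quote, so reject
    // anything that could terminate the string literal or alter the predicate instead of
    // letting such input select an arbitrary node.
    if (!isXmlNameLike(idAttrName) || id.indexOf('"') >= 0) {
        SAMLUtilsCommon.debug.error("signXML: malformed id attribute name or value");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidIDAttribute"));
    }
    Element root = null;
    XMLSignature sig = null;
    try {
        ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
        PrivateKey privateKey;
        if (encryptedKeyPass == null || encryptedKeyPass.isEmpty()) {
            privateKey = keystore.getPrivateKey(certAlias);
        } else {
            privateKey = keystore.getPrivateKey(certAlias, encryptedKeyPass);
        }
        if (privateKey == null) {
            SAMLUtilsCommon.debug.error("private key is null");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullprivatekey"));
        }
        root = (Element) XPathAPI.selectSingleNode(doc, "//*[@" + idAttrName + "=\"" + id + "\"]");
        if (root == null) {
            SAMLUtilsCommon.debug.error("signXML: could not" + " resolv id attribute");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidIDAttribute"));
        }
        // Register the attribute as an ID so the "#id" reference below can be dereferenced.
        if (!idAttrName.equals(DEF_ID_ATTRIBUTE)) {
            root.setIdAttribute(idAttrName, true);
        }
        if (algorithm == null || algorithm.length() == 0) {
            algorithm = getKeyAlgorithm(privateKey);
        }
        if (!isValidAlgorithm(algorithm)) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidalgorithm"));
        }
        sig = new XMLSignature(doc, "", algorithm, Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        if (xpath == null) {
            root.appendChild(sig.getElement());
        } else {
            // DOM insertBefore with a null reference node appends, so an xpath with no match
            // degrades to appending the signature.
            Node beforeNode = XPathAPI.selectSingleNode(doc, xpath);
            root.insertBefore(sig.getElement(), beforeNode);
        }
        sig.getSignedInfo().addResourceResolver(new OfflineResolver());
        // Enveloped-signature first so ds:Signature is excluded from the digested content.
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        String ref = "#" + id;
        sig.addDocument(ref, transforms, Constants.ALGO_ID_DIGEST_SHA1);
        if (includeCert) {
            X509Certificate cert = (X509Certificate) keystore.getX509Certificate(certAlias);
            sig.addKeyInfo(cert);
        }
        sig.sign(privateKey);
    } catch (Exception e) {
        // Full stack trace goes to the debug log; XMLSignatureException only carries the message.
        SAMLUtilsCommon.debug.error("signXML Exception: ", e);
        throw new XMLSignatureException(e.getMessage());
    }
    return (sig.getElement());
}

/**
 * Returns true if every character of {@code name} may appear in an XML attribute name
 * (letters, digits, '_', '-', '.', ':'). A conservative approximation of the XML Name
 * production, used only to keep attribute names out of hand-built XPath predicates.
 */
private static boolean isXmlNameLike(String name) {
    for (int i = 0; i < name.length(); i++) {
        char c = name.charAt(i);
        if (!Character.isLetterOrDigit(c) && c != '_' && c != '-' && c != '.' && c != ':') {
            return false;
        }
    }
    return true;
}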

Example 54 with Transforms

use of org.apache.xml.security.transforms.Transforms in project OpenAM by OpenRock.

the class AMSignatureProvider method signXML.

/**
 * Signs the whole document with an enveloped signature attached to the document element.
 *
 * The canonicalization method comes from the {@code c14nMethod} field (library default when
 * unset) and an extra transform from the {@code transformAlg} field when set; both are
 * validated before use. The signing certificate is placed in {@code KeyInfo}. The reference
 * digest uses SHA-1 ({@code Constants.ALGO_ID_DIGEST_SHA1}).
 *
 * @param doc       XML DOM object to sign
 * @param certAlias signer's certificate alias in the keystore
 * @param algorithm XML signature algorithm URI; if null or empty it is derived from the key
 * @return the signature DOM element
 * @throws XMLSignatureException if an argument is missing, the keystore or key cannot be
 *         resolved, an algorithm is invalid, or signing fails. The cause is written to the
 *         debug log; only its message is propagated.
 */
public org.w3c.dom.Element signXML(org.w3c.dom.Document doc, java.lang.String certAlias, java.lang.String algorithm) throws XMLSignatureException {
    if (doc == null) {
        SAMLUtilsCommon.debug.error("signXML: doc is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (certAlias == null || certAlias.isEmpty()) {
        SAMLUtilsCommon.debug.error("signXML: certAlias is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    XMLSignature signature;
    try {
        ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
        if (keystore == null) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullkeystore"));
        }
        PrivateKey privateKey = (PrivateKey) keystore.getPrivateKey(certAlias);
        if (privateKey == null) {
            SAMLUtilsCommon.debug.error("private key is null");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullprivatekey"));
        }
        org.w3c.dom.Element documentElement = doc.getDocumentElement();
        String signatureAlgorithm = algorithm;
        if (signatureAlgorithm == null || signatureAlgorithm.isEmpty()) {
            signatureAlgorithm = getKeyAlgorithm(privateKey);
        }
        if (!isValidAlgorithm(signatureAlgorithm)) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidalgorithm"));
        }
        boolean useConfiguredC14n = c14nMethod != null && !c14nMethod.isEmpty();
        if (useConfiguredC14n && !isValidCanonicalizationMethod(c14nMethod)) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidCanonicalizationMethod"));
        }
        signature = useConfiguredC14n
                ? new XMLSignature(doc, "", signatureAlgorithm, c14nMethod)
                : new XMLSignature(doc, "", signatureAlgorithm);
        documentElement.appendChild(signature.getElement());
        signature.getSignedInfo().addResourceResolver(new com.sun.identity.saml.xmlsig.OfflineResolver());
        // Enveloped-signature first so ds:Signature is excluded from the digested content;
        // the configured transform, when present, follows it.
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        boolean hasExtraTransform = transformAlg != null && !transformAlg.isEmpty();
        if (hasExtraTransform) {
            if (!isValidTransformAlgorithm(transformAlg)) {
                throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidTransformAlgorithm"));
            }
            transforms.addTransform(transformAlg);
        }
        signature.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA1);
        X509Certificate signerCert = (X509Certificate) keystore.getX509Certificate(certAlias);
        signature.addKeyInfo(signerCert);
        signature.sign(privateKey);
    } catch (Exception e) {
        // Full stack trace goes to the debug log; XMLSignatureException only carries the message.
        SAMLUtilsCommon.debug.error("signXML Exception: ", e);
        throw new XMLSignatureException(e.getMessage());
    }
    return signature.getElement();
}

Example 55 with Transforms

use of org.apache.xml.security.transforms.Transforms in project OpenAM by OpenRock.

the class AMSignatureProvider method signWithWSSX509TokenProfile.

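/**
 * Signs the parts of a SOAP envelope identified by the supplied id values, following the
 * WS-Security X.509 token profile.
 *
 * The {@code ds:Signature} is appended to the {@code wsse:Security} header. Every element
 * carrying a {@code wsu:Id} attribute is registered as an ID so the {@code "#id"} references
 * can be dereferenced. Instead of an embedded certificate, {@code KeyInfo} holds a
 * {@code wsse:SecurityTokenReference} pointing at the envelope's
 * {@code wsse:BinarySecurityToken}. Reference digests use SHA-1
 * ({@code Constants.ALGO_ID_DIGEST_SHA1}), retained for interoperability. As a side effect the
 * {@code wsfVersion} field is set to the supplied value; this method does not read it again.
 *
 * @param doc        SOAP envelope DOM object
 * @param cert       signer's certificate; its keystore alias is used to fetch the private key
 * @param algorithm  XML signature algorithm URI; if null or empty it is derived from the key
 * @param ids        list of id attribute values ({@code String}) of the nodes to be signed
 * @param wsfVersion the web services framework version; selects the wsse/wsu namespaces
 * @return the X.509 security token profile signature DOM element
 * @throws XMLSignatureException if an argument is missing, the Security header or
 *         BinarySecurityToken is absent, the key cannot be resolved, the algorithm is invalid,
 *         or signing fails. The cause is written to the debug log; only its message is propagated.
 */
public Element signWithWSSX509TokenProfile(Document doc, java.security.cert.Certificate cert, String algorithm, List ids, String wsfVersion) throws XMLSignatureException {
    if (doc == null) {
        SAMLUtilsCommon.debug.error("signXML: doc is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (ids == null) {
        // Previously surfaced as a NullPointerException wrapped in an exception whose message was "null".
        SAMLUtilsCommon.debug.error("signWithWSSX509TokenProfile: ids is null.");
        throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullInput"));
    }
    if (SAMLUtilsCommon.debug.messageEnabled()) {
        SAMLUtilsCommon.debug.message("Soap Envlope: " + XMLUtils.print(doc.getDocumentElement()));
    }
    this.wsfVersion = wsfVersion;
    String wsseNS = SAMLConstants.NS_WSSE;
    String wsuNS = SAMLConstants.NS_WSU;
    if ((wsfVersion != null) && (wsfVersion.equals(SOAPBindingConstants.WSF_11_VERSION))) {
        wsseNS = WSSEConstants.NS_WSSE_WSF11;
        wsuNS = WSSEConstants.NS_WSU_WSF11;
    }
    Element root = (Element) doc.getDocumentElement().getElementsByTagNameNS(wsseNS, SAMLConstants.TAG_SECURITY).item(0);
    if (root == null) {
        // item(0) is null when the header is absent; previously this was a NullPointerException at appendChild.
        SAMLUtilsCommon.debug.error("signWithWSSX509TokenProfile: wsse:Security header not found");
        throw new XMLSignatureException("signWithWSSX509TokenProfile: wsse:Security header not found");
    }
    XMLSignature signature = null;
    try {
        ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
        Element wsucontext = org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "wsu", wsuNS);
        NodeList wsuNodes = (NodeList) XPathAPI.selectNodeList(doc, "//*[@wsu:Id]", wsucontext);
        if ((wsuNodes != null) && (wsuNodes.getLength() != 0)) {
            for (int i = 0; i < wsuNodes.getLength(); i++) {
                Element elem = (Element) wsuNodes.item(i);
                String id = elem.getAttributeNS(wsuNS, "Id");
                if (id != null && id.length() != 0) {
                    // Mark wsu:Id as an ID attribute so "#id" references resolve without a DTD/schema.
                    elem.setIdAttributeNS(wsuNS, "Id", true);
                }
            }
        }
        String certAlias = keystore.getCertificateAlias(cert);
        PrivateKey privateKey = (PrivateKey) keystore.getPrivateKey(certAlias);
        if (privateKey == null) {
            SAMLUtilsCommon.debug.error("private key is null");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("nullprivatekey"));
        }
        if (algorithm == null || algorithm.length() == 0) {
            algorithm = getKeyAlgorithm(privateKey);
        }
        if (!isValidAlgorithm(algorithm)) {
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("invalidalgorithm"));
        }
        signature = new XMLSignature(doc, "", algorithm, Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        root.appendChild(signature.getElement());
        int size = ids.size();
        for (int i = 0; i < size; ++i) {
            Transforms transforms = new Transforms(doc);
            transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
            String id = (String) ids.get(i);
            if (SAMLUtilsCommon.debug.messageEnabled()) {
                SAMLUtilsCommon.debug.message("id = " + id);
            }
            signature.addDocument("#" + id, transforms, Constants.ALGO_ID_DIGEST_SHA1);
        }
        // Locate the token first: a missing BinarySecurityToken previously failed with a
        // NullPointerException after KeyInfo had already been partially populated.
        Element bsf = (Element) root.getElementsByTagNameNS(wsseNS, SAMLConstants.BINARYSECURITYTOKEN).item(0);
        if (bsf == null) {
            SAMLUtilsCommon.debug.error("signWithWSSX509TokenProfile: wsse:BinarySecurityToken not found");
            throw new XMLSignatureException("signWithWSSX509TokenProfile: wsse:BinarySecurityToken not found");
        }
        String certId = bsf.getAttributeNS(wsuNS, SAMLConstants.TAG_ID);
        KeyInfo keyInfo = signature.getKeyInfo();
        Element securityTokenRef = doc.createElementNS(wsseNS, SAMLConstants.TAG_SECURITYTOKENREFERENCE);
        keyInfo.addUnknownElement(securityTokenRef);
        securityTokenRef.setAttributeNS(SAMLConstants.NS_XMLNS, SAMLConstants.TAG_XMLNS, wsseNS);
        securityTokenRef.setAttributeNS(SAMLConstants.NS_XMLNS, SAMLConstants.TAG_XMLNS_SEC, SAMLConstants.NS_SEC);
        securityTokenRef.setAttributeNS(null, SAMLConstants.TAG_USAGE, SAMLConstants.TAG_SEC_MESSAGEAUTHENTICATION);
        Element reference = doc.createElementNS(wsseNS, SAMLConstants.TAG_REFERENCE);
        securityTokenRef.appendChild(reference);
        reference.setAttributeNS(null, SAMLConstants.TAG_URI, "#" + certId);
        signature.sign(privateKey);
    } catch (Exception e) {
        // Full stack trace goes to the debug log; XMLSignatureException only carries the message.
        SAMLUtilsCommon.debug.error("signWithWSSX509TokenProfile" + " Exception: ", e);
        throw new XMLSignatureException(e.getMessage());
    }
    return (signature.getElement());
}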
