下面列出了怎么用javax.xml.crypto.dsig.dom.DOMValidateContext的API类实例代码及写法,或者点击链接到github查看源代码。
/**
 * Builds a human-readable explanation of why core validation failed.
 *
 * <p>Core validation has two parts and both are reported: whether the SignatureValue
 * verifies over the SignedInfo, and whether each Reference's digest matches. Both
 * {@code validate} calls return their cached result when the signature has already been
 * validated with this context.
 *
 * @param context the validate context the failed validation ran under
 * @param signature the signature whose validation failed
 * @return a multi-line report beginning with "Signature failed core validation"
 * @throws XMLSignatureException if re-validating the SignatureValue or a Reference errors
 */
private static String explainValidationProblem(
    DOMValidateContext context, XMLSignature signature)
    throws XMLSignatureException {
    @SuppressWarnings("unchecked") // Safe by specification.
    List<Reference> signedReferences = signature.getSignedInfo().getReferences();
    StringBuilder report = new StringBuilder("Signature failed core validation\n");
    boolean signatureValueOk = signature.getSignatureValue().validate(context);
    report.append("Signature validation status: ").append(signatureValueOk).append('\n');
    for (Reference signedReference : signedReferences) {
        report.append("references[")
            .append(signedReference.getURI())
            .append("] validity status: ")
            .append(signedReference.validate(context))
            .append('\n');
    }
    return report.toString();
}
/**
 * Unmarshals an {@code XMLSignature} from the DOM node carried by {@code context}.
 *
 * <p>Only {@link DOMValidateContext} is supported: the context is cast unconditionally,
 * so any other {@code XMLValidateContext} implementation fails with a
 * {@code ClassCastException}.
 *
 * @param context validate context whose node is the {@code ds:Signature} element
 * @return the unmarshalled signature
 * @throws MarshalException if the node cannot be unmarshalled
 * @throws NullPointerException if {@code context} is null
 */
public XMLSignature unmarshalXMLSignature(XMLValidateContext context)
    throws MarshalException {
    java.util.Objects.requireNonNull(context, "context cannot be null");
    DOMValidateContext domContext = (DOMValidateContext) context;
    return unmarshal(domContext.getNode(), context);
}
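/**
 * Parses an XML document from {@code fileStream}, unmarshals its first enveloped
 * {@code ds:Signature} element and runs core validation with a {@link SigningCertSelector}.
 *
 * <p>The parser is hardened before the untrusted stream is read: secure processing is
 * enabled, DOCTYPE declarations are rejected, and XInclude and entity expansion are off,
 * so external entities (XXE) or entity-expansion payloads cannot be triggered by a
 * document whose signature has not yet been checked.
 *
 * <p>Only the first Signature element is examined. A successful return means the signed
 * references verify against the key the selector chose; it does not by itself say which
 * parts of the document are covered, so callers that act on document content should check
 * it against the signature's references.
 *
 * @param fileStream XML input containing an enveloped signature; not closed here
 * @return the unmarshalled signature, after core validation succeeded
 * @throws ParserConfigurationException if the parser or one of the hardening features is unsupported
 * @throws IOException if the stream cannot be read
 * @throws SAXException if the XML is malformed (a DOCTYPE now counts as malformed)
 * @throws MarshalException if the Signature element cannot be unmarshalled
 * @throws XMLSignatureException if core validation fails or cannot be performed
 * @throws DOMException with {@code INDEX_SIZE_ERR} when the document has no Signature element
 */
XMLSignature getValidXMLSignature(InputStream fileStream)
    throws ParserConfigurationException,
           IOException,
           SAXException,
           MarshalException,
           XMLSignatureException,
           DOMException
{
    DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
    dbFactory.setNamespaceAware(true);
    // XXE hardening: the input is untrusted until its signature has validated.
    dbFactory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
    dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbFactory.setXIncludeAware(false);
    dbFactory.setExpandEntityReferences(false);
    DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
    Document xml = dBuilder.parse(fileStream);
    xml.getDocumentElement().normalize();
    // Find the (first) Signature element
    NodeList nl = xml.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    if (nl.getLength() == 0)
    {
        throw new DOMException(DOMException.INDEX_SIZE_ERR, "Missing elements");
    }
    // DOM XMLSignatureFactory used to unmarshal the document containing the XMLSignature
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
    // Validate context: the key selector decides which key the signature is checked against
    DOMValidateContext valContext = new DOMValidateContext(new SigningCertSelector(), nl.item(0));
    XMLSignature signature = fac.unmarshalXMLSignature(valContext);
    if (!signature.validate(valContext))
    {
        throw new XMLSignatureException("Invalid XML signature");
    }
    return signature;
}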
/**
 * Unmarshals the signature rooted at the node of a {@link DOMValidateContext}.
 *
 * <p>The argument is cast straight to {@code DOMValidateContext}; passing any other
 * {@code XMLValidateContext} implementation results in a {@code ClassCastException}.
 *
 * @param context DOM validate context positioned on the {@code ds:Signature} element
 * @return the unmarshalled {@code XMLSignature}
 * @throws MarshalException if unmarshalling fails
 * @throws NullPointerException if {@code context} is null
 */
public XMLSignature unmarshalXMLSignature(XMLValidateContext context)
    throws MarshalException {
    if (context != null) {
        return unmarshal(((DOMValidateContext) context).getNode(), context);
    }
    throw new NullPointerException("context cannot be null");
}
/**
 * Reads an {@code XMLSignature} out of the DOM node that {@code context} points at.
 *
 * <p>This factory is DOM-based, so the context must be a {@link DOMValidateContext};
 * the cast below is not guarded.
 *
 * @param context validate context carrying the signature node
 * @return the unmarshalled signature
 * @throws MarshalException if the node does not hold a well-formed signature
 * @throws NullPointerException if {@code context} is null
 */
public XMLSignature unmarshalXMLSignature(XMLValidateContext context)
    throws MarshalException {
    if (context == null) {
        throw new NullPointerException("context cannot be null");
    }
    DOMValidateContext dom = (DOMValidateContext) context;
    return unmarshal(dom.getNode(), context);
}
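/**
 * Verifies the first enveloped XML Signature in {@code doc} against the public key of
 * {@code cert}.
 *
 * <p>Fails closed: a missing Signature element, a null argument, an unmarshalling error or
 * a validation exception all yield {@code false} instead of propagating. A {@code true}
 * result only says the signature over its referenced content is cryptographically valid
 * for this key; it does not say which parts of {@code doc} were signed, so callers that act
 * on document content should compare it against the signature's references.
 *
 * @param doc parsed document expected to contain a {@code ds:Signature} element
 * @param cert certificate whose public key validates the signature
 * @return {@code true} if core validation passes, {@code false} otherwise
 */
public static boolean verifySignature(Document doc, X509Certificate cert) {
    // The original returned false for null arguments via a caught NPE; keep that contract explicitly.
    if (doc == null || cert == null) {
        return false;
    }
    // Look the Signature element up once instead of twice; only the first one is considered.
    NodeList signatures = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    if (signatures.getLength() == 0) {
        return false;
    }
    try {
        DOMValidateContext valContext = new DOMValidateContext(cert.getPublicKey(), signatures.item(0));
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(valContext);
        return signature.validate(valContext);
    } catch (Exception e) {
        // Verification boundary: any failure (malformed signature, unsupported algorithm,
        // runtime error inside the provider) must read as "not verified", never as "verified".
        e.printStackTrace();
        return false;
    }
}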
/**
 * Unmarshals an {@code XMLSignature} from a {@link DOMValidateContext}'s node.
 *
 * <p>No {@code instanceof} check is performed before the cast, so a non-DOM context is
 * rejected with a {@code ClassCastException} rather than a descriptive error.
 *
 * @param context validate context whose node is the signature element
 * @return the unmarshalled signature
 * @throws MarshalException if unmarshalling fails
 * @throws NullPointerException if {@code context} is null
 */
public XMLSignature unmarshalXMLSignature(XMLValidateContext context)
    throws MarshalException {
    java.util.Objects.requireNonNull(context, "context cannot be null");
    return unmarshal(((DOMValidateContext) context).getNode(), context);
}
/**
 * Unmarshals the {@code ds:Signature} element referenced by a DOM validate context.
 *
 * @param context a {@link DOMValidateContext}; any other implementation fails the cast
 * @return the unmarshalled {@code XMLSignature}
 * @throws MarshalException if the element cannot be unmarshalled
 * @throws NullPointerException if {@code context} is null
 */
public XMLSignature unmarshalXMLSignature(XMLValidateContext context)
    throws MarshalException {
    XMLValidateContext checked = java.util.Objects.requireNonNull(context, "context cannot be null");
    return unmarshal(((DOMValidateContext) checked).getNode(), checked);
}
/**
 * Unmarshals an {@code XMLSignature} from the node of the given DOM validate context.
 *
 * <p>The context is assumed to be a {@link DOMValidateContext}; the cast is unchecked.
 *
 * @param context validate context positioned on the signature element
 * @return the unmarshalled signature
 * @throws MarshalException if unmarshalling fails
 * @throws NullPointerException if {@code context} is null
 */
public XMLSignature unmarshalXMLSignature(XMLValidateContext context)
    throws MarshalException {
    if (context != null) {
        DOMValidateContext domContext = (DOMValidateContext) context;
        return unmarshal(domContext.getNode(), context);
    }
    throw new NullPointerException("context cannot be null");
}
/**
 * Unmarshals the signature that {@code context} points at.
 *
 * <p>Only DOM contexts are supported by this factory, hence the direct cast to
 * {@link DOMValidateContext}.
 *
 * @param context validate context whose node holds the {@code ds:Signature} element
 * @return the unmarshalled {@code XMLSignature}
 * @throws MarshalException if the signature cannot be unmarshalled
 * @throws NullPointerException if {@code context} is null
 */
public XMLSignature unmarshalXMLSignature(XMLValidateContext context)
    throws MarshalException {
    if (context == null) {
        throw new NullPointerException("context cannot be null");
    }
    DOMValidateContext validateContext = (DOMValidateContext) context;
    return unmarshal(validateContext.getNode(), validateContext);
}
/**
 * Checks that {@code smdXml} carries exactly one enveloped XML Signature that validates
 * under the TMCH certificate authority.
 *
 * <p>Revocation of the SMD ID itself is out of scope here; only the signature
 * cryptography (key selection via {@code KeyValueKeySelector} plus core validation) is
 * examined. The parsed document is not returned, so callers that go on to use the SMD
 * content must parse it separately.
 *
 * @param smdXml raw SMD XML; must be non-empty
 * @throws GeneralSecurityException for unsupported protocols, certificates not signed by the
 *     TMCH, wrong keys, and invalid, expired, not-yet-valid or revoked certificates; it is
 *     rethrown when it is the root cause of the validation failure
 * @throws XMLSignatureException if there is not exactly one Signature element, or core
 *     validation fails (the message then carries the detail from explainValidationProblem)
 */
public void verify(byte[] smdXml)
    throws GeneralSecurityException, IOException, MarshalException, ParserConfigurationException,
        SAXException, XMLSignatureException {
    checkArgument(smdXml.length > 0);
    Document document = parseSmdDocument(new ByteArrayInputStream(smdXml));
    NodeList signatures = document.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    // Refuse zero signatures and also more than one: only the first would be validated.
    if (signatures.getLength() != 1) {
        throw new XMLSignatureException("Expected exactly one <ds:Signature> element.");
    }
    DOMValidateContext context = new DOMValidateContext(
        new KeyValueKeySelector(tmchCertificateAuthority), signatures.item(0));
    XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(context);
    boolean coreValid;
    try {
        coreValid = signature.validate(context);
    } catch (XMLSignatureException e) {
        // Surface key/certificate problems as GeneralSecurityException when that is the root cause.
        throwIfInstanceOf(getRootCause(e), GeneralSecurityException.class);
        throw e;
    }
    if (!coreValid) {
        throw new XMLSignatureException(explainValidationProblem(context, signature));
    }
}
/**
 * Round-trips an enveloping signature: signs a single {@code Object} holding a text node,
 * unmarshals the result and checks both structural equality and core validity.
 *
 * @param dm digest method for the reference
 * @param sm signature method for the SignedInfo
 * @param ki KeyInfo to embed, or null
 * @param signingKey key used to sign
 * @param ks key selector used to validate
 * @param b64 when true, the object text is base64 and the reference carries a Base64 transform
 * @throws Exception if the unmarshalled signature differs from the generated one or fails validation
 */
private static void test_create_signature_enveloping
    (DigestMethod dm, SignatureMethod sm, KeyInfo ki, Key signingKey,
     KeySelector ks, boolean b64) throws Exception {
    // The reference always targets the enveloped Object; only the transform list differs.
    Reference objectRef = b64
        ? fac.newReference("#object", dm,
            Collections.singletonList(fac.newTransform(Transform.BASE64, (TransformParameterSpec) null)),
            null, null)
        : fac.newReference("#object", dm);
    SignedInfo signedInfo = fac.newSignedInfo(withoutComments, sm, Collections.singletonList(objectRef));
    Document document = db.newDocument();
    // "c29tZSB0ZXh0" is the base64 encoding of "some text".
    String payload = b64 ? "c29tZSB0ZXh0" : "some text";
    DOMStructure textContent = new DOMStructure(document.createTextNode(payload));
    XMLObject envelopedObject = fac.newXMLObject(Collections.singletonList(textContent), "object", null, null);
    XMLSignature generated = fac.newXMLSignature(signedInfo, ki, Collections.singletonList(envelopedObject), null, null);
    generated.sign(new DOMSignContext(signingKey, document));
    DOMValidateContext validateContext = new DOMValidateContext(ks, document.getDocumentElement());
    XMLSignature unmarshalled = fac.unmarshalXMLSignature(validateContext);
    if (!generated.equals(unmarshalled)) {
        throw new Exception("Unmarshalled signature is not equal to generated signature");
    }
    if (!unmarshalled.validate(validateContext)) {
        throw new Exception("Validation of generated signature failed");
    }
}
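/**
 * Parses {@code fn} from {@code dir}, unmarshals its first Signature element and runs
 * core validation with the supplied key selector.
 *
 * @param fn file name, resolved relative to {@code dir}; {@code dir} also becomes the base URI
 * @param ks key selector handed to the validate context
 * @param ud optional URI dereferencer, installed after unmarshalling and before validation;
 *     null keeps the default
 * @param cache when true, sets {@code javax.xml.crypto.dsig.cacheReference} and, after
 *     validation, checks every reference's cached digest input and dereferenced data
 * @return the core-validation result
 * @throws Exception if the file has no Signature element or a cache check fails
 */
boolean validate(String fn, KeySelector ks, URIDereferencer ud,
    boolean cache) throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setValidating(false);
    Document doc = dbf.newDocumentBuilder().parse(new File(dir, fn));
    NodeList nl =
        doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    if (nl.getLength() == 0) {
        throw new Exception("Couldn't find signature Element");
    }
    Element sigElement = (Element) nl.item(0);
    DOMValidateContext vc = new DOMValidateContext(ks, sigElement);
    vc.setBaseURI(dir.toURI().toString());
    if (cache) {
        vc.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
    }
    XMLSignatureFactory factory = XMLSignatureFactory.getInstance();
    XMLSignature signature = factory.unmarshalXMLSignature(vc);
    if (ud != null) {
        vc.setURIDereferencer(ud);
    }
    boolean coreValidity = signature.validate(vc);
    // Check reference cache
    if (cache) {
        checkReferenceCache(signature);
    }
    return coreValidity;
}

/**
 * Verifies the reference cache filled during validation: every reference's cached digest
 * input must match, and the dereferenced data of the same-document reference
 * ({@code URI=""}) must not contain comment nodes.
 *
 * @param signature the validated signature whose references were cached
 * @throws Exception if a cached digest input is wrong or a comment node is found
 */
private void checkReferenceCache(XMLSignature signature) throws Exception {
    Iterator<?> i = signature.getSignedInfo().getReferences().iterator();
    for (int j = 0; i.hasNext(); j++) {
        Reference ref = (Reference) i.next();
        if (!digestInputEqual(ref)) {
            throw new Exception("cached data for Reference[" + j + "] is not correct");
        }
        // Compare with equals, not ==: the URI string is not guaranteed to be interned.
        if ("".equals(ref.getURI())) {
            System.out.println("checking deref data");
            NodeSetData data = (NodeSetData) ref.getDereferencedData();
            Iterator<?> ni = data.iterator();
            while (ni.hasNext()) {
                Node n = (Node) ni.next();
                if (n.getNodeType() == Node.COMMENT_NODE) {
                    throw new Exception("dereferenced data for Reference[" + j + "] contains comment node");
                }
            }
        }
    }
}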
/**
 * Generates signature-with-attr-in-no-namespace.xml: the signed Object carries an
 * {@code Id} attribute in no namespace, which is registered as an ID attribute on both
 * the sign and the validate context so that the "#unknown" reference can resolve.
 *
 * @throws Exception if the round-tripped signature differs or fails validation
 */
static void test_create_signature_with_attr_in_no_namespace()
    throws Exception
{
    System.out.println("* Generating signature-with-attr-in-no-namespace.xml");
    SignedInfo signedInfo = fac.newSignedInfo(withoutComments, rsaSha1,
        Collections.singletonList(fac.newReference("#unknown", sha1)));
    Document document = db.newDocument();
    Element target = document.createElementNS(null, "NonCommentandus");
    // Unprefixed, no-namespace attribute; registered as an ID on the contexts below.
    target.setAttribute("Id", "unknown");
    XMLObject signedObject = fac.newXMLObject(
        Collections.singletonList(new DOMStructure(target)), "object-1", null, null);
    XMLSignature generated = fac.newXMLSignature(signedInfo, rsa,
        Collections.singletonList(signedObject), "signature", null);
    DOMSignContext signContext = new DOMSignContext(getPrivateKey("RSA", 512), document);
    signContext.setIdAttributeNS(target, null, "Id");
    generated.sign(signContext);
    DOMValidateContext validateContext = new DOMValidateContext(kvks, document.getDocumentElement());
    validateContext.setIdAttributeNS(target, null, "Id");
    XMLSignature unmarshalled = fac.unmarshalXMLSignature(validateContext);
    if (!generated.equals(unmarshalled)) {
        throw new Exception("Unmarshalled signature is not equal to generated signature");
    }
    if (!unmarshalled.validate(validateContext)) {
        throw new Exception("Validation of generated signature failed");
    }
    System.out.println();
}
/**
 * Generates signature-reference-dependency.xml: the SignedInfo references object-1, whose
 * Manifest in turn references object-2, so validation depends on resolving a reference
 * that lives inside another signed Object.
 *
 * @throws Exception if the round-tripped signature differs or fails validation
 */
static void test_create_signature_reference_dependency() throws Exception {
    System.out.println("* Generating signature-reference-dependency.xml");
    SignedInfo signedInfo = fac.newSignedInfo(withoutComments, rsaSha1,
        Collections.singletonList(fac.newReference("#object-1", sha1)));
    List<XMLStructure> objects = new ArrayList<XMLStructure>();
    // object-1: a Manifest whose single reference points at object-2.
    XMLStructure manifest = fac.newManifest(
        Collections.singletonList(fac.newReference("#object-2", sha1)), "manifest-1");
    objects.add(fac.newXMLObject(Collections.singletonList(manifest), "object-1", null, null));
    // object-2: a no-namespace element that contains a comment node.
    Document document = db.newDocument();
    Element commented = document.createElementNS(null, "NonCommentandus");
    commented.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "");
    commented.appendChild(document.createComment(" Commentandum "));
    objects.add(fac.newXMLObject(
        Collections.singletonList(new DOMStructure(commented)), "object-2", null, null));
    XMLSignature generated = fac.newXMLSignature(signedInfo, rsa, objects, "signature", null);
    generated.sign(new DOMSignContext(getPrivateKey("RSA", 512), document));
    DOMValidateContext validateContext = new DOMValidateContext(kvks, document.getDocumentElement());
    XMLSignature unmarshalled = fac.unmarshalXMLSignature(validateContext);
    if (!generated.equals(unmarshalled)) {
        throw new Exception("Unmarshalled signature is not equal to generated signature");
    }
    if (!unmarshalled.validate(validateContext)) {
        throw new Exception("Validation of generated signature failed");
    }
    System.out.println();
}
/**
 * Generates signature-reference-dependency.xml. The signed reference targets object-1,
 * a Manifest that itself references object-2 (an element containing a comment), so the
 * validator must follow a reference chain across two Objects.
 *
 * @throws Exception if the unmarshalled signature differs from the generated one or fails
 *     core validation
 */
static void test_create_signature_reference_dependency() throws Exception {
    System.out.println("* Generating signature-reference-dependency.xml");
    Reference toObject1 = fac.newReference("#object-1", sha1);
    SignedInfo si = fac.newSignedInfo(withoutComments, rsaSha1, Collections.singletonList(toObject1));
    List<XMLStructure> signedObjects = new ArrayList<XMLStructure>();
    // First Object wraps a Manifest pointing at the second Object.
    Reference toObject2 = fac.newReference("#object-2", sha1);
    signedObjects.add(fac.newXMLObject(
        Collections.singletonList(fac.newManifest(Collections.singletonList(toObject2), "manifest-1")),
        "object-1", null, null));
    // Second Object: element with an explicit empty default namespace and a comment child.
    Document doc = db.newDocument();
    Element element = doc.createElementNS(null, "NonCommentandus");
    element.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "");
    element.appendChild(doc.createComment(" Commentandum "));
    signedObjects.add(fac.newXMLObject(
        Collections.singletonList(new DOMStructure(element)), "object-2", null, null));
    XMLSignature sig = fac.newXMLSignature(si, rsa, signedObjects, "signature", null);
    sig.sign(new DOMSignContext(getPrivateKey("RSA", 512), doc));
    DOMValidateContext dvc = new DOMValidateContext(kvks, doc.getDocumentElement());
    XMLSignature roundTripped = fac.unmarshalXMLSignature(dvc);
    if (!sig.equals(roundTripped)) {
        throw new Exception("Unmarshalled signature is not equal to generated signature");
    }
    if (!roundTripped.validate(dvc)) {
        throw new Exception("Validation of generated signature failed");
    }
    System.out.println();
}
/**
 * Generates signature-with-attr-in-no-namespace.xml. The signed element's {@code Id}
 * attribute has no namespace, so both contexts must be told it is an ID attribute
 * ({@code setIdAttributeNS}) before the "#unknown" reference can be dereferenced.
 *
 * @throws Exception if the unmarshalled signature differs from the generated one or fails
 *     core validation
 */
static void test_create_signature_with_attr_in_no_namespace()
    throws Exception
{
    System.out.println("* Generating signature-with-attr-in-no-namespace.xml");
    Reference toUnknown = fac.newReference("#unknown", sha1);
    SignedInfo si = fac.newSignedInfo(withoutComments, rsaSha1, Collections.singletonList(toUnknown));
    Document doc = db.newDocument();
    Element element = doc.createElementNS(null, "NonCommentandus");
    element.setAttribute("Id", "unknown"); // attribute in no namespace
    XMLObject object1 = fac.newXMLObject(
        Collections.singletonList(new DOMStructure(element)), "object-1", null, null);
    XMLSignature sig = fac.newXMLSignature(si, rsa, Collections.singletonList(object1), "signature", null);
    DOMSignContext dsc = new DOMSignContext(getPrivateKey("RSA", 512), doc);
    dsc.setIdAttributeNS(element, null, "Id");
    sig.sign(dsc);
    DOMValidateContext dvc = new DOMValidateContext(kvks, doc.getDocumentElement());
    dvc.setIdAttributeNS(element, null, "Id");
    XMLSignature roundTripped = fac.unmarshalXMLSignature(dvc);
    if (!sig.equals(roundTripped)) {
        throw new Exception("Unmarshalled signature is not equal to generated signature");
    }
    if (!roundTripped.validate(dvc)) {
        throw new Exception("Validation of generated signature failed");
    }
    System.out.println();
}
/**
 * Signs a detached reference to the external stylesheet resource and validates the
 * result, using {@code httpUd} as the URI dereferencer for both signing and validation.
 *
 * @param sm signature method
 * @param ki KeyInfo to embed, or null
 * @param signingKey key used to sign
 * @param ks key selector used to validate
 * @param b64 when true, reference {@code STYLESHEET_B64} with a Base64 transform instead of {@code STYLESHEET}
 * @throws Exception if the round-tripped signature differs or fails validation
 */
private static void test_create_signature_external
    (SignatureMethod sm, KeyInfo ki, Key signingKey, KeySelector ks,
     boolean b64) throws Exception {
    Reference externalRef;
    if (b64) {
        externalRef = fac.newReference(STYLESHEET_B64, sha1,
            Collections.singletonList(fac.newTransform(Transform.BASE64, (TransformParameterSpec) null)),
            null, null);
    } else {
        externalRef = fac.newReference(STYLESHEET, sha1);
    }
    SignedInfo signedInfo = fac.newSignedInfo(withoutComments, sm, Collections.singletonList(externalRef));
    Document document = db.newDocument();
    XMLSignature generated = fac.newXMLSignature(signedInfo, ki);
    DOMSignContext signContext = new DOMSignContext(signingKey, document);
    signContext.setURIDereferencer(httpUd);
    generated.sign(signContext);
    DOMValidateContext validateContext = new DOMValidateContext(ks, document.getDocumentElement());
    // Base URI for relative references, plus the same dereferencer used when signing.
    validateContext.setBaseURI(new File(DATA_DIR).toURI().toString());
    validateContext.setURIDereferencer(httpUd);
    XMLSignature unmarshalled = fac.unmarshalXMLSignature(validateContext);
    if (!generated.equals(unmarshalled)) {
        throw new Exception("Unmarshalled signature is not equal to generated signature");
    }
    if (!unmarshalled.validate(validateContext)) {
        throw new Exception("Validation of generated signature failed");
    }
}
/**
 * Generates sign-spec.xml, the XPath Filter 2.0 example: reference 1 selects a document
 * subset with an intersect/subtract/union filter chain, reference 2 covers the
 * SignatureValue element (Id "signature-value") through an ENVELOPED transform followed
 * by an XPath2 filter, and the KeyInfo carries a KeyValue plus X509Data (subject name and
 * certificate).
 *
 * @throws Exception if the unmarshalled signature differs from the generated one or fails
 *     core validation
 */
static void test_create_sign_spec() throws Exception {
    System.out.println("* Generating sign-spec.xml");
    List<Reference> refs = new ArrayList<Reference>(2);
    // create reference 1: URI "" (same document), filtered to //ToBeSigned,
    // minus //NotToBeSigned, with //ReallyToBeSigned added back in
    List<XPathType> types = new ArrayList<XPathType>(3);
    types.add(new XPathType(" //ToBeSigned ", XPathType.Filter.INTERSECT));
    types.add(new XPathType(" //NotToBeSigned ",
        XPathType.Filter.SUBTRACT));
    types.add(new XPathType(" //ReallyToBeSigned ",
        XPathType.Filter.UNION));
    XPathFilter2ParameterSpec xp1 = new XPathFilter2ParameterSpec(types);
    refs.add(fac.newReference
        ("", fac.newDigestMethod(DigestMethod.SHA1, null),
        Collections.singletonList(fac.newTransform(Transform.XPATH2, xp1)),
        null, null));
    // create reference 2: the SignatureValue element, run through an ENVELOPED
    // transform and then an XPath2 UNION of " / "
    List<Transform> trans2 = new ArrayList<Transform>(2);
    trans2.add(fac.newTransform(Transform.ENVELOPED,
        (TransformParameterSpec) null));
    XPathFilter2ParameterSpec xp2 = new XPathFilter2ParameterSpec
        (Collections.singletonList
        (new XPathType(" / ", XPathType.Filter.UNION)));
    trans2.add(fac.newTransform(Transform.XPATH2, xp2));
    refs.add(fac.newReference("#signature-value",
        fac.newDigestMethod(DigestMethod.SHA1, null), trans2, null, null));
    // create SignedInfo: inclusive C14N without comments, DSA-SHA1
    SignedInfo si = fac.newSignedInfo(
        fac.newCanonicalizationMethod
        (CanonicalizationMethod.INCLUSIVE,
        (C14NMethodParameterSpec) null),
        fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null), refs);
    // create KeyInfo: KeyValue of validatingKey plus X509Data holding a subject
    // name string and the signing certificate
    List<XMLStructure> kits = new ArrayList<XMLStructure>(2);
    kits.add(kifac.newKeyValue(validatingKey));
    List<Object> xds = new ArrayList<Object>(2);
    xds.add("CN=User");
    xds.add(signingCert);
    kits.add(kifac.newX509Data(xds));
    KeyInfo ki = kifac.newKeyInfo(kits);
    // create XMLSignature: no Objects; the SignatureValue gets Id "signature-value"
    // so that reference 2 above can target it
    XMLSignature sig = fac.newXMLSignature
        (si, ki, null, null, "signature-value");
    // Build the document to sign:
    //   Document
    //     ToBeSigned[comment, Data, NotToBeSigned[ReallyToBeSigned[comment, Data]]]
    //     ToBeSigned[Data, NotToBeSigned[Data]]
    Document doc = db.newDocument();
    Element tbs1 = doc.createElementNS(null, "ToBeSigned");
    Comment tbs1Com = doc.createComment(" comment ");
    Element tbs1Data = doc.createElementNS(null, "Data");
    Element tbs1ntbs = doc.createElementNS(null, "NotToBeSigned");
    Element tbs1rtbs = doc.createElementNS(null, "ReallyToBeSigned");
    Comment tbs1rtbsCom = doc.createComment(" comment ");
    Element tbs1rtbsData = doc.createElementNS(null, "Data");
    tbs1rtbs.appendChild(tbs1rtbsCom);
    tbs1rtbs.appendChild(tbs1rtbsData);
    tbs1ntbs.appendChild(tbs1rtbs);
    tbs1.appendChild(tbs1Com);
    tbs1.appendChild(tbs1Data);
    tbs1.appendChild(tbs1ntbs);
    Element tbs2 = doc.createElementNS(null, "ToBeSigned");
    Element tbs2Data = doc.createElementNS(null, "Data");
    Element tbs2ntbs = doc.createElementNS(null, "NotToBeSigned");
    Element tbs2ntbsData = doc.createElementNS(null, "Data");
    tbs2ntbs.appendChild(tbs2ntbsData);
    tbs2.appendChild(tbs2Data);
    tbs2.appendChild(tbs2ntbs);
    Element document = doc.createElementNS(null, "Document");
    document.appendChild(tbs1);
    document.appendChild(tbs2);
    doc.appendChild(document);
    // Sign with the Document element as parent; the Signature element is appended as
    // its last child, which is the node handed to the validate context below.
    DOMSignContext dsc = new DOMSignContext(signingKey, document);
    sig.sign(dsc);
    // dumpDocument(doc, new FileWriter("/tmp/foo.xml"));
    DOMValidateContext dvc = new DOMValidateContext
        (new KeySelectors.KeyValueKeySelector(), document.getLastChild());
    // Round-trip: the unmarshalled signature must equal the generated one and validate.
    XMLSignature sig2 = fac.unmarshalXMLSignature(dvc);
    if (sig.equals(sig2) == false) {
        throw new Exception
            ("Unmarshalled signature is not equal to generated signature");
    }
    if (sig2.validate(dvc) == false) {
        throw new Exception("Validation of generated signature failed");
    }
    System.out.println();
}
/**
 * Generates exc_signature.xml: four references to the same Object, each canonicalized
 * with a different Exclusive C14N variant (with and without comments, with and without
 * an InclusiveNamespaces prefix list), under a SignedInfo that is itself canonicalized
 * with Exclusive C14N.
 *
 * <p>The signed Object is a {@code bar:Baz} element containing a comment, which only the
 * WITH_COMMENTS variants include in the digest. The enclosing {@code Foo} element declares
 * both the default namespace and the {@code bar} prefix, matching the prefix list
 * {@code bar #default} given to the parameterized references.
 *
 * @throws Exception if the unmarshalled signature differs from the generated one or fails
 *     core validation
 */
static void test_create_exc_signature() throws Exception {
    System.out.println("* Generating exc_signature.xml");
    List<Reference> refs = new ArrayList<Reference>(4);
    // create reference 1: Exclusive C14N, no parameters
    refs.add(fac.newReference
        ("#xpointer(id('to-be-signed'))",
        fac.newDigestMethod(DigestMethod.SHA1, null),
        Collections.singletonList
        (fac.newTransform(CanonicalizationMethod.EXCLUSIVE,
        (TransformParameterSpec) null)),
        null, null));
    // create reference 2: Exclusive C14N with InclusiveNamespaces "bar #default"
    List<String> prefixList = new ArrayList<String>(2);
    prefixList.add("bar");
    prefixList.add("#default");
    ExcC14NParameterSpec params = new ExcC14NParameterSpec(prefixList);
    refs.add(fac.newReference
        ("#xpointer(id('to-be-signed'))",
        fac.newDigestMethod(DigestMethod.SHA1, null),
        Collections.singletonList
        (fac.newTransform(CanonicalizationMethod.EXCLUSIVE, params)),
        null, null));
    // create reference 3: Exclusive C14N with comments, no parameters
    refs.add(fac.newReference
        ("#xpointer(id('to-be-signed'))",
        fac.newDigestMethod(DigestMethod.SHA1, null),
        Collections.singletonList(fac.newTransform
        (CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS,
        (TransformParameterSpec) null)),
        null, null));
    // create reference 4: Exclusive C14N with comments and the same prefix list
    prefixList = new ArrayList<String>(2);
    prefixList.add("bar");
    prefixList.add("#default");
    params = new ExcC14NParameterSpec(prefixList);
    refs.add(fac.newReference
        ("#xpointer(id('to-be-signed'))",
        fac.newDigestMethod(DigestMethod.SHA1, null),
        Collections.singletonList(fac.newTransform
        (CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS, params)),
        null, null));
    // create SignedInfo: Exclusive C14N, DSA-SHA1
    SignedInfo si = fac.newSignedInfo(
        fac.newCanonicalizationMethod
        (CanonicalizationMethod.EXCLUSIVE,
        (C14NMethodParameterSpec) null),
        fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null), refs);
    // create KeyInfo: a single KeyValue of validatingKey
    List<XMLStructure> kits = new ArrayList<XMLStructure>(2);
    kits.add(kifac.newKeyValue(validatingKey));
    KeyInfo ki = kifac.newKeyInfo(kits);
    // create Objects: bar:Baz with a comment child, wrapped in an Object with
    // Id "to-be-signed" that all four references target
    Document doc = db.newDocument();
    Element baz = doc.createElementNS("urn:bar", "bar:Baz");
    Comment com = doc.createComment(" comment ");
    baz.appendChild(com);
    XMLObject obj = fac.newXMLObject(Collections.singletonList
        (new DOMStructure(baz)), "to-be-signed", null, null);
    // create XMLSignature
    XMLSignature sig = fac.newXMLSignature
        (si, ki, Collections.singletonList(obj), null, null);
    // Foo declares both the default namespace (urn:foo) and the bar prefix (urn:bar),
    // and becomes the parent the Signature is appended to.
    Element foo = doc.createElementNS("urn:foo", "Foo");
    foo.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "urn:foo");
    foo.setAttributeNS
        ("http://www.w3.org/2000/xmlns/", "xmlns:bar", "urn:bar");
    doc.appendChild(foo);
    DOMSignContext dsc = new DOMSignContext(signingKey, foo);
    // emit the Signature with a "dsig" prefix rather than the default
    dsc.putNamespacePrefix(XMLSignature.XMLNS, "dsig");
    sig.sign(dsc);
    // dumpDocument(doc, new FileWriter("/tmp/foo.xml"));
    // The Signature is Foo's last child after signing.
    DOMValidateContext dvc = new DOMValidateContext
        (new KeySelectors.KeyValueKeySelector(), foo.getLastChild());
    // Round-trip: the unmarshalled signature must equal the generated one and validate.
    XMLSignature sig2 = fac.unmarshalXMLSignature(dvc);
    if (sig.equals(sig2) == false) {
        throw new Exception
            ("Unmarshalled signature is not equal to generated signature");
    }
    if (sig2.validate(dvc) == false) {
        throw new Exception("Validation of generated signature failed");
    }
    System.out.println();
}
/**
 * Generates sign-spec.xml, the XPath Filter 2.0 example: reference 1 selects a document
 * subset with an intersect/subtract/union filter chain, reference 2 covers the
 * SignatureValue element (Id "signature-value") through an ENVELOPED transform followed
 * by an XPath2 filter, and the KeyInfo carries a KeyValue plus X509Data (subject name and
 * certificate).
 *
 * @throws Exception if the unmarshalled signature differs from the generated one or fails
 *     core validation
 */
static void test_create_sign_spec() throws Exception {
    System.out.println("* Generating sign-spec.xml");
    List<Reference> refs = new ArrayList<Reference>(2);
    // create reference 1: URI "" (same document), filtered to //ToBeSigned,
    // minus //NotToBeSigned, with //ReallyToBeSigned added back in
    List<XPathType> types = new ArrayList<XPathType>(3);
    types.add(new XPathType(" //ToBeSigned ", XPathType.Filter.INTERSECT));
    types.add(new XPathType(" //NotToBeSigned ",
        XPathType.Filter.SUBTRACT));
    types.add(new XPathType(" //ReallyToBeSigned ",
        XPathType.Filter.UNION));
    XPathFilter2ParameterSpec xp1 = new XPathFilter2ParameterSpec(types);
    refs.add(fac.newReference
        ("", fac.newDigestMethod(DigestMethod.SHA1, null),
        Collections.singletonList(fac.newTransform(Transform.XPATH2, xp1)),
        null, null));
    // create reference 2: the SignatureValue element, run through an ENVELOPED
    // transform and then an XPath2 UNION of " / "
    List<Transform> trans2 = new ArrayList<Transform>(2);
    trans2.add(fac.newTransform(Transform.ENVELOPED,
        (TransformParameterSpec) null));
    XPathFilter2ParameterSpec xp2 = new XPathFilter2ParameterSpec
        (Collections.singletonList
        (new XPathType(" / ", XPathType.Filter.UNION)));
    trans2.add(fac.newTransform(Transform.XPATH2, xp2));
    refs.add(fac.newReference("#signature-value",
        fac.newDigestMethod(DigestMethod.SHA1, null), trans2, null, null));
    // create SignedInfo: inclusive C14N without comments, DSA-SHA1
    SignedInfo si = fac.newSignedInfo(
        fac.newCanonicalizationMethod
        (CanonicalizationMethod.INCLUSIVE,
        (C14NMethodParameterSpec) null),
        fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null), refs);
    // create KeyInfo: KeyValue of validatingKey plus X509Data holding a subject
    // name string and the signing certificate
    List<XMLStructure> kits = new ArrayList<XMLStructure>(2);
    kits.add(kifac.newKeyValue(validatingKey));
    List<Object> xds = new ArrayList<Object>(2);
    xds.add("CN=User");
    xds.add(signingCert);
    kits.add(kifac.newX509Data(xds));
    KeyInfo ki = kifac.newKeyInfo(kits);
    // create XMLSignature: no Objects; the SignatureValue gets Id "signature-value"
    // so that reference 2 above can target it
    XMLSignature sig = fac.newXMLSignature
        (si, ki, null, null, "signature-value");
    // Build the document to sign:
    //   Document
    //     ToBeSigned[comment, Data, NotToBeSigned[ReallyToBeSigned[comment, Data]]]
    //     ToBeSigned[Data, NotToBeSigned[Data]]
    Document doc = db.newDocument();
    Element tbs1 = doc.createElementNS(null, "ToBeSigned");
    Comment tbs1Com = doc.createComment(" comment ");
    Element tbs1Data = doc.createElementNS(null, "Data");
    Element tbs1ntbs = doc.createElementNS(null, "NotToBeSigned");
    Element tbs1rtbs = doc.createElementNS(null, "ReallyToBeSigned");
    Comment tbs1rtbsCom = doc.createComment(" comment ");
    Element tbs1rtbsData = doc.createElementNS(null, "Data");
    tbs1rtbs.appendChild(tbs1rtbsCom);
    tbs1rtbs.appendChild(tbs1rtbsData);
    tbs1ntbs.appendChild(tbs1rtbs);
    tbs1.appendChild(tbs1Com);
    tbs1.appendChild(tbs1Data);
    tbs1.appendChild(tbs1ntbs);
    Element tbs2 = doc.createElementNS(null, "ToBeSigned");
    Element tbs2Data = doc.createElementNS(null, "Data");
    Element tbs2ntbs = doc.createElementNS(null, "NotToBeSigned");
    Element tbs2ntbsData = doc.createElementNS(null, "Data");
    tbs2ntbs.appendChild(tbs2ntbsData);
    tbs2.appendChild(tbs2Data);
    tbs2.appendChild(tbs2ntbs);
    Element document = doc.createElementNS(null, "Document");
    document.appendChild(tbs1);
    document.appendChild(tbs2);
    doc.appendChild(document);
    // Sign with the Document element as parent; the Signature element is appended as
    // its last child, which is the node handed to the validate context below.
    DOMSignContext dsc = new DOMSignContext(signingKey, document);
    sig.sign(dsc);
    // dumpDocument(doc, new FileWriter("/tmp/foo.xml"));
    DOMValidateContext dvc = new DOMValidateContext
        (new KeySelectors.KeyValueKeySelector(), document.getLastChild());
    // Round-trip: the unmarshalled signature must equal the generated one and validate.
    XMLSignature sig2 = fac.unmarshalXMLSignature(dvc);
    if (sig.equals(sig2) == false) {
        throw new Exception
            ("Unmarshalled signature is not equal to generated signature");
    }
    if (sig2.validate(dvc) == false) {
        throw new Exception("Validation of generated signature failed");
    }
    System.out.println();
}
/**
 * Generates signature-with-attr-in-no-namespace.xml. The signed element's {@code Id}
 * attribute has no namespace, so it is registered as an ID attribute on both the sign
 * and the validate context so the "#unknown" reference resolves.
 *
 * @throws Exception if the unmarshalled signature differs from the generated one or fails
 *     core validation
 */
static void test_create_signature_with_attr_in_no_namespace()
    throws Exception
{
    System.out.println("* Generating signature-with-attr-in-no-namespace.xml");
    SignedInfo si = fac.newSignedInfo(withoutComments, rsaSha1,
        Collections.singletonList(fac.newReference("#unknown", sha1)));
    Document doc = db.newDocument();
    Element element = doc.createElementNS(null, "NonCommentandus");
    element.setAttribute("Id", "unknown"); // attribute in no namespace
    XMLObject object1 = fac.newXMLObject(
        Collections.singletonList(new DOMStructure(element)), "object-1", null, null);
    XMLSignature sig = fac.newXMLSignature(si, rsa, Collections.singletonList(object1), "signature", null);
    DOMSignContext dsc = new DOMSignContext(getPrivateKey("RSA"), doc);
    dsc.setIdAttributeNS(element, null, "Id");
    sig.sign(dsc);
    DOMValidateContext dvc = new DOMValidateContext(kvks, doc.getDocumentElement());
    dvc.setIdAttributeNS(element, null, "Id");
    XMLSignature roundTripped = fac.unmarshalXMLSignature(dvc);
    if (!sig.equals(roundTripped)) {
        throw new Exception("Unmarshalled signature is not equal to generated signature");
    }
    if (!roundTripped.validate(dvc)) {
        throw new Exception("Validation of generated signature failed");
    }
    System.out.println();
}
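/**
 * Signs and then validates an enveloped signature while a SecurityManager is installed.
 *
 * <p>The second reference points at {@code http://localhost:<port>/anything.txt}, served
 * on the test's {@code ss} socket; the policy loaded from {@code policyURI} grants only the
 * localhost SocketPermission needed to dereference it. Secure validation is switched off on
 * the validate context solely because it forbids http reference URIs; production code
 * should leave it enabled.
 *
 * @throws Exception if signing or validation fails, or a SecurityException surfaces
 */
XMLDSigWithSecMgr() throws Exception {
    setup();
    Document doc = db.newDocument();
    Element envelope = doc.createElementNS("http://example.org/envelope", "Envelope");
    envelope.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://example.org/envelope");
    doc.appendChild(envelope);
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    KeyPair kp = kpg.genKeyPair();
    // the policy only grants this test SocketPermission to accept, resolve
    // and connect to localhost so that it can dereference 2nd reference
    URI policyURI = new File(System.getProperty("test.src", "."), "policy").toURI();
    Policy.setPolicy(Policy.getInstance("JavaPolicy", new URIParameter(policyURI)));
    System.setSecurityManager(new SecurityManager());
    try {
        // generate a signature with SecurityManager enabled
        ArrayList<Reference> refs = new ArrayList<Reference>(2);
        refs.add(fac.newReference("", sha1,
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null));
        refs.add(fac.newReference("http://localhost:" + ss.getLocalPort() + "/anything.txt", sha1));
        SignedInfo si = fac.newSignedInfo(withoutComments,
            fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null), refs);
        XMLSignature sig = fac.newXMLSignature(si, null);
        DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), envelope);
        sig.sign(dsc);
        // validate a signature with SecurityManager enabled
        DOMValidateContext dvc = new DOMValidateContext(kp.getPublic(), envelope.getFirstChild());
        // disable secure validation mode so that http reference will work
        dvc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);
        XMLSignature unmarshalled = fac.unmarshalXMLSignature(dvc);
        if (!unmarshalled.validate(dvc)) {
            throw new Exception("XMLDSigWithSecMgr signature validation FAILED");
        }
    } catch (SecurityException se) {
        throw new Exception("XMLDSigWithSecMgr FAILED", se);
    } finally {
        // release the listening socket even when signing or validation throws
        ss.close();
    }
}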
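/**
 * Signs and then validates an enveloped signature while a SecurityManager is installed.
 *
 * <p>The second reference points at {@code http://localhost:<port>/anything.txt}, served
 * on the test's {@code ss} socket; the policy file selected via the
 * {@code java.security.policy} system property grants only the localhost SocketPermission
 * needed to dereference it. Secure validation is switched off on the validate context
 * solely because it forbids http reference URIs; production code should leave it enabled.
 *
 * @throws Exception if signing or validation fails, or a SecurityException surfaces
 */
XMLDSigWithSecMgr() throws Exception {
    setup();
    Document doc = db.newDocument();
    Element envelope = doc.createElementNS("http://example.org/envelope", "Envelope");
    envelope.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://example.org/envelope");
    doc.appendChild(envelope);
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    KeyPair kp = kpg.genKeyPair();
    // the policy only grants this test SocketPermission to accept, resolve
    // and connect to localhost so that it can dereference 2nd reference
    System.setProperty("java.security.policy",
        System.getProperty("test.src", ".") + File.separator + "policy");
    System.setSecurityManager(new SecurityManager());
    try {
        // generate a signature with SecurityManager enabled
        ArrayList<Reference> refs = new ArrayList<Reference>(2);
        refs.add(fac.newReference("", sha1,
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null));
        refs.add(fac.newReference("http://localhost:" + ss.getLocalPort() + "/anything.txt", sha1));
        SignedInfo si = fac.newSignedInfo(withoutComments,
            fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null), refs);
        XMLSignature sig = fac.newXMLSignature(si, null);
        DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), envelope);
        sig.sign(dsc);
        // validate a signature with SecurityManager enabled
        DOMValidateContext dvc = new DOMValidateContext(kp.getPublic(), envelope.getFirstChild());
        // disable secure validation mode so that http reference will work
        dvc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);
        XMLSignature unmarshalled = fac.unmarshalXMLSignature(dvc);
        if (!unmarshalled.validate(dvc)) {
            throw new Exception("XMLDSigWithSecMgr signature validation FAILED");
        }
    } catch (SecurityException se) {
        throw new Exception("XMLDSigWithSecMgr FAILED", se);
    } finally {
        // release the listening socket even when signing or validation throws
        ss.close();
    }
}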
/**
 * Generates and validates a signature whose single reference is external (the stylesheet
 * resource), dereferenced through {@code httpUd} when signing and again when validating.
 *
 * @param sm signature method
 * @param ki KeyInfo to embed, or null
 * @param signingKey key used to sign
 * @param ks key selector used to validate
 * @param b64 when true, the reference targets {@code STYLESHEET_B64} and applies a Base64
 *     transform; otherwise it targets {@code STYLESHEET} with no transform
 * @throws Exception if the unmarshalled signature differs from the generated one or fails
 *     core validation
 */
private static void test_create_signature_external
    (SignatureMethod sm, KeyInfo ki, Key signingKey, KeySelector ks,
     boolean b64) throws Exception {
    Reference stylesheetRef = b64
        ? fac.newReference(STYLESHEET_B64, sha1,
            Collections.singletonList(fac.newTransform(Transform.BASE64, (TransformParameterSpec) null)),
            null, null)
        : fac.newReference(STYLESHEET, sha1);
    SignedInfo si = fac.newSignedInfo(withoutComments, sm, Collections.singletonList(stylesheetRef));
    Document doc = db.newDocument();
    XMLSignature sig = fac.newXMLSignature(si, ki);
    DOMSignContext dsc = new DOMSignContext(signingKey, doc);
    dsc.setURIDereferencer(httpUd);
    sig.sign(dsc);
    DOMValidateContext dvc = new DOMValidateContext(ks, doc.getDocumentElement());
    File dataDir = new File(DATA_DIR);
    dvc.setBaseURI(dataDir.toURI().toString());
    dvc.setURIDereferencer(httpUd);
    XMLSignature roundTripped = fac.unmarshalXMLSignature(dvc);
    if (!sig.equals(roundTripped)) {
        throw new Exception("Unmarshalled signature is not equal to generated signature");
    }
    if (!roundTripped.validate(dvc)) {
        throw new Exception("Validation of generated signature failed");
    }
}
/**
 * Generates signature-reference-dependency.xml: the SignedInfo references object-1, whose
 * Manifest in turn references object-2, so validation depends on resolving a reference
 * that lives inside another signed Object.
 *
 * @throws Exception if the round-tripped signature differs or fails validation
 */
static void test_create_signature_reference_dependency() throws Exception {
    System.out.println("* Generating signature-reference-dependency.xml");
    SignedInfo signedInfo = fac.newSignedInfo(withoutComments, rsaSha1,
        Collections.singletonList(fac.newReference("#object-1", sha1)));
    List<XMLStructure> objects = new ArrayList<XMLStructure>();
    // object-1: a Manifest whose single reference points at object-2.
    XMLStructure manifest = fac.newManifest(
        Collections.singletonList(fac.newReference("#object-2", sha1)), "manifest-1");
    objects.add(fac.newXMLObject(Collections.singletonList(manifest), "object-1", null, null));
    // object-2: a no-namespace element that contains a comment node.
    Document document = db.newDocument();
    Element commented = document.createElementNS(null, "NonCommentandus");
    commented.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "");
    commented.appendChild(document.createComment(" Commentandum "));
    objects.add(fac.newXMLObject(
        Collections.singletonList(new DOMStructure(commented)), "object-2", null, null));
    XMLSignature generated = fac.newXMLSignature(signedInfo, rsa, objects, "signature", null);
    generated.sign(new DOMSignContext(getPrivateKey("RSA", 512), document));
    DOMValidateContext validateContext = new DOMValidateContext(kvks, document.getDocumentElement());
    XMLSignature unmarshalled = fac.unmarshalXMLSignature(validateContext);
    if (!generated.equals(unmarshalled)) {
        throw new Exception("Unmarshalled signature is not equal to generated signature");
    }
    if (!unmarshalled.validate(validateContext)) {
        throw new Exception("Validation of generated signature failed");
    }
    System.out.println();
}
/**
 * Generates signature-with-attr-in-no-namespace.xml.
 *
 * <p>The signed object's element carries a plain, non-namespaced {@code Id}
 * attribute; both the sign and validate contexts register it through
 * {@code setIdAttributeNS(nc, null, "Id")} so the same-document reference
 * {@code #unknown} resolves to that element. Signing uses the class-level
 * {@code rsa} KeyInfo and {@code rsaSha1} with the key from
 * {@code getPrivateKey("RSA", 512)}; validation uses {@code kvks}.
 *
 * @throws Exception if the unmarshalled signature is not equal to the
 *                   generated one or it fails core validation
 */
static void test_create_signature_with_attr_in_no_namespace()
        throws Exception
{
    System.out.println
        ("* Generating signature-with-attr-in-no-namespace.xml");

    List<Reference> references =
            Collections.singletonList(fac.newReference("#unknown", sha1));
    SignedInfo signedInfo = fac.newSignedInfo(withoutComments, rsaSha1, references);

    // object-1 wraps an element whose Id attribute lives in no namespace.
    Document document = db.newDocument();
    Element target = document.createElementNS(null, "NonCommentandus");
    target.setAttribute("Id", "unknown");
    XMLObject object1 = fac.newXMLObject(
            Collections.singletonList(new DOMStructure(target)),
            "object-1", null, null);

    XMLSignature generated = fac.newXMLSignature(
            signedInfo, rsa, Collections.singletonList(object1),
            "signature", null);

    // The Id attribute must be declared on the context, or "#unknown"
    // cannot be resolved while signing.
    DOMSignContext signContext =
            new DOMSignContext(getPrivateKey("RSA", 512), document);
    signContext.setIdAttributeNS(target, null, "Id");
    generated.sign(signContext);
    // dumpDocument(doc, new PrintWriter(System.out));

    // Same declaration is needed on the validation side.
    DOMValidateContext validateContext =
            new DOMValidateContext(kvks, document.getDocumentElement());
    validateContext.setIdAttributeNS(target, null, "Id");
    XMLSignature unmarshalled = fac.unmarshalXMLSignature(validateContext);
    if (!generated.equals(unmarshalled)) {
        throw new Exception
            ("Unmarshalled signature is not equal to generated signature");
    }
    if (!unmarshalled.validate(validateContext)) {
        throw new Exception("Validation of generated signature failed");
    }
    System.out.println();
}
/**
 * Signs an external reference to the stylesheet fixture, unmarshals the
 * result from the DOM and validates it.
 *
 * <p>The reference is built by {@link #newStylesheetReference(boolean)} with
 * the class-level {@code sha1} digest method. {@code httpUd} dereferences the
 * URI on both the signing and validation side; validation additionally sets
 * a base URI derived from {@code DATA_DIR}.
 *
 * @param sm         signature method for SignedInfo
 * @param ki         KeyInfo handed to {@code fac.newXMLSignature}
 * @param signingKey key used to compute the SignatureValue
 * @param ks         KeySelector used by the validate context
 * @param b64        whether to sign the Base64 stylesheet through a BASE64 transform
 * @throws Exception if the unmarshalled signature differs from the generated
 *                   one or fails core validation
 */
private static void test_create_signature_external
        (SignatureMethod sm, KeyInfo ki, Key signingKey, KeySelector ks,
         boolean b64) throws Exception {
    Reference stylesheetRef = newStylesheetReference(b64);
    SignedInfo signedInfo = fac.newSignedInfo(
            withoutComments, sm, Collections.singletonList(stylesheetRef));
    Document owner = db.newDocument();
    XMLSignature signature = fac.newXMLSignature(signedInfo, ki);

    DOMSignContext signCtx = new DOMSignContext(signingKey, owner);
    signCtx.setURIDereferencer(httpUd);
    signature.sign(signCtx);

    DOMValidateContext validateCtx =
            new DOMValidateContext(ks, owner.getDocumentElement());
    validateCtx.setBaseURI(new File(DATA_DIR).toURI().toString());
    validateCtx.setURIDereferencer(httpUd);

    XMLSignature roundTrip = fac.unmarshalXMLSignature(validateCtx);
    if (!signature.equals(roundTrip)) {
        throw new Exception
            ("Unmarshalled signature is not equal to generated signature");
    }
    if (!roundTrip.validate(validateCtx)) {
        throw new Exception("Validation of generated signature failed");
    }
}

/**
 * Builds the stylesheet reference: the Base64 fixture with a BASE64 transform
 * when {@code base64} is set, otherwise the plain stylesheet.
 *
 * @param base64 select the {@code STYLESHEET_B64} variant
 * @return a Reference digested with the class-level {@code sha1} method
 * @throws Exception propagated from the factory calls
 */
private static Reference newStylesheetReference(boolean base64) throws Exception {
    if (base64) {
        return fac.newReference(STYLESHEET_B64, sha1,
                Collections.singletonList(fac.newTransform(Transform.BASE64,
                        (TransformParameterSpec) null)), null, null);
    }
    return fac.newReference(STYLESHEET, sha1);
}
/**
 * Generates signature-with-attr-in-no-namespace.xml.
 *
 * <p>The object element carries an {@code Id} attribute set with the
 * non-namespaced {@code setAttribute}, and both contexts call
 * {@code setIdAttributeNS(nc, null, "Id")} so that the reference
 * {@code #unknown} resolves. The signing key comes from
 * {@code getPrivateKey("RSA")}; validation uses {@code kvks}.
 *
 * @throws Exception if the round-tripped signature differs from the generated
 *                   one or fails core validation
 */
static void test_create_signature_with_attr_in_no_namespace()
        throws Exception
{
    System.out.println
        ("* Generating signature-with-attr-in-no-namespace.xml");

    Document owner = db.newDocument();
    Element nc = owner.createElementNS(null, "NonCommentandus");
    // Non-namespaced Id attribute; neither context would treat it as an ID
    // without the explicit setIdAttributeNS calls below.
    nc.setAttribute("Id", "unknown");

    SignedInfo signedInfo = fac.newSignedInfo(withoutComments, rsaSha1,
            Collections.singletonList(fac.newReference("#unknown", sha1)));
    XMLObject wrapped = fac.newXMLObject(
            Collections.singletonList(new DOMStructure(nc)), "object-1", null, null);
    XMLSignature signature = fac.newXMLSignature(
            signedInfo, rsa, Collections.singletonList(wrapped), "signature", null);

    DOMSignContext signCtx = new DOMSignContext(getPrivateKey("RSA"), owner);
    signCtx.setIdAttributeNS(nc, null, "Id");
    signature.sign(signCtx);
    // dumpDocument(doc, new PrintWriter(System.out));

    DOMValidateContext validateCtx =
            new DOMValidateContext(kvks, owner.getDocumentElement());
    validateCtx.setIdAttributeNS(nc, null, "Id");
    XMLSignature roundTrip = fac.unmarshalXMLSignature(validateCtx);
    if (!signature.equals(roundTrip)) {
        throw new Exception
            ("Unmarshalled signature is not equal to generated signature");
    }
    if (!roundTrip.validate(validateCtx)) {
        throw new Exception("Validation of generated signature failed");
    }
    System.out.println();
}
/**
 * Generates sign-spec.xml, the XPath Filter 2.0 example.
 *
 * <p>Reference 1 is a whole-document reference ({@code ""}) narrowed by an
 * intersect/subtract/union filter chain; reference 2 covers the signature
 * element ({@code #signature-value}) after an ENVELOPED transform and a
 * {@code " / "} union filter. SignedInfo uses inclusive C14N with DSA-SHA1 and
 * SHA-1 digests, and KeyInfo carries a KeyValue for {@code validatingKey} plus
 * an X509Data holding a subject name and {@code signingCert}. SHA-1 and
 * DSA-SHA1 are legacy algorithms dictated by the specification example being
 * reproduced. The signature is enveloped under {@code <Document>} by
 * {@code sign}, read back from that element's last child, and validated with
 * a KeyValue selector.
 *
 * @throws Exception if the unmarshalled signature differs from the generated
 *                   one or fails core validation
 */
static void test_create_sign_spec() throws Exception {
    System.out.println("* Generating sign-spec.xml");

    // Reference 1: "" (whole document) filtered by
    // intersect //ToBeSigned, subtract //NotToBeSigned, union //ReallyToBeSigned.
    List<XPathType> filters = new ArrayList<XPathType>(3);
    filters.add(new XPathType(" //ToBeSigned ", XPathType.Filter.INTERSECT));
    filters.add(new XPathType(" //NotToBeSigned ", XPathType.Filter.SUBTRACT));
    filters.add(new XPathType(" //ReallyToBeSigned ", XPathType.Filter.UNION));
    Transform filterTransform = fac.newTransform(
            Transform.XPATH2, new XPathFilter2ParameterSpec(filters));
    Reference documentRef = fac.newReference(
            "", fac.newDigestMethod(DigestMethod.SHA1, null),
            Collections.singletonList(filterTransform), null, null);

    // Reference 2: the signature element itself, ENVELOPED then a " / " union.
    List<Transform> signatureTransforms = new ArrayList<Transform>(2);
    signatureTransforms.add(
            fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null));
    XPathFilter2ParameterSpec rootUnion = new XPathFilter2ParameterSpec(
            Collections.singletonList(new XPathType(" / ", XPathType.Filter.UNION)));
    signatureTransforms.add(fac.newTransform(Transform.XPATH2, rootUnion));
    Reference signatureRef = fac.newReference(
            "#signature-value", fac.newDigestMethod(DigestMethod.SHA1, null),
            signatureTransforms, null, null);

    List<Reference> references = new ArrayList<Reference>(2);
    references.add(documentRef);
    references.add(signatureRef);

    // SignedInfo: inclusive C14N, DSA-SHA1.
    CanonicalizationMethod inclusive = fac.newCanonicalizationMethod(
            CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null);
    SignatureMethod dsaSha1 =
            fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null);
    SignedInfo signedInfo = fac.newSignedInfo(inclusive, dsaSha1, references);

    // KeyInfo: KeyValue plus X509Data (subject name and certificate).
    List<Object> x509Content = new ArrayList<Object>(2);
    x509Content.add("CN=User");
    x509Content.add(signingCert);
    List<XMLStructure> keyInfoContent = new ArrayList<XMLStructure>(2);
    keyInfoContent.add(kifac.newKeyValue(validatingKey));
    keyInfoContent.add(kifac.newX509Data(x509Content));
    KeyInfo keyInfo = kifac.newKeyInfo(keyInfoContent);

    XMLSignature generated =
            fac.newXMLSignature(signedInfo, keyInfo, null, null, "signature-value");

    // Document to be signed. Child order is part of the generated fixture.
    Document doc = db.newDocument();

    // <ToBeSigned> #1: comment, <Data>, then a <NotToBeSigned> wrapping a
    // <ReallyToBeSigned> (comment + <Data>).
    Element reallyToBeSigned = doc.createElementNS(null, "ReallyToBeSigned");
    reallyToBeSigned.appendChild(doc.createComment(" comment "));
    reallyToBeSigned.appendChild(doc.createElementNS(null, "Data"));
    Element notToBeSigned1 = doc.createElementNS(null, "NotToBeSigned");
    notToBeSigned1.appendChild(reallyToBeSigned);
    Element toBeSigned1 = doc.createElementNS(null, "ToBeSigned");
    toBeSigned1.appendChild(doc.createComment(" comment "));
    toBeSigned1.appendChild(doc.createElementNS(null, "Data"));
    toBeSigned1.appendChild(notToBeSigned1);

    // <ToBeSigned> #2: <Data>, then a <NotToBeSigned> holding only <Data>.
    Element notToBeSigned2 = doc.createElementNS(null, "NotToBeSigned");
    notToBeSigned2.appendChild(doc.createElementNS(null, "Data"));
    Element toBeSigned2 = doc.createElementNS(null, "ToBeSigned");
    toBeSigned2.appendChild(doc.createElementNS(null, "Data"));
    toBeSigned2.appendChild(notToBeSigned2);

    Element root = doc.createElementNS(null, "Document");
    root.appendChild(toBeSigned1);
    root.appendChild(toBeSigned2);
    doc.appendChild(root);

    // Enveloped signature: sign() appends ds:Signature under root.
    DOMSignContext signContext = new DOMSignContext(signingKey, root);
    generated.sign(signContext);
    // dumpDocument(doc, new FileWriter("/tmp/foo.xml"));

    // The appended Signature is root's last child; validate from there.
    DOMValidateContext validateContext = new DOMValidateContext(
            new KeySelectors.KeyValueKeySelector(), root.getLastChild());
    XMLSignature unmarshalled = fac.unmarshalXMLSignature(validateContext);
    if (!generated.equals(unmarshalled)) {
        throw new Exception
            ("Unmarshalled signature is not equal to generated signature");
    }
    if (!unmarshalled.validate(validateContext)) {
        throw new Exception("Validation of generated signature failed");
    }
    System.out.println();
}