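 /**
  * Verifies the XML signature on the SAML protocol message of the given conversation and returns
  * the certificate chain carried in the signature's {@code KeyInfo}.
  *
  * <p>The signature value is checked against the certificate taken from the signature's own
  * {@code KeyInfo}, i.e. key material supplied by the message itself. A successful return therefore
  * only proves that the message was signed by the holder of that embedded certificate; it says
  * nothing about whether that certificate is trusted. Callers must validate the returned chain
  * against a configured trust anchor before relying on the signature.
  *
  * @param id the conversation whose SAML document is inspected
  * @return the X.509 certificates listed in the signature's {@code KeyInfo}, in document order;
  *     never {@code null}
  * @throws SamlSignatureException if the document cannot be parsed, carries no protocol signature,
  *     the signature is malformed or does not verify, or the {@code KeyInfo} carries no usable
  *     X.509 data
  */
 public List<X509Certificate> verifySAMLProtocolSignature(ConversationID id)
     throws SamlSignatureException {
   Document document = getSAMLDocument(id);
   if (null == document) {
     throw new SamlSignatureException("DOM parser error");
   }
   Element protocolSignatureElement = findProtocolSignatureElement(document);
   if (null == protocolSignatureElement) {
     throw new SamlSignatureException("No protocol XML signature present");
   }
   XMLSignature xmlSignature;
   try {
     xmlSignature = new XMLSignature(protocolSignatureElement, "");
   } catch (XMLSignatureException ex) {
     throw new SamlSignatureException("Invalid protocol XML Signature", ex);
   } catch (XMLSecurityException ex) {
     throw new SamlSignatureException("XML security error", ex);
   }
   KeyInfo keyInfo = xmlSignature.getKeyInfo();
   if (null == keyInfo) {
     // A ds:Signature parsed from an element may have no ds:KeyInfo child at all; without it
     // there is no certificate to verify against, so fail explicitly instead of with an NPE.
     throw new SamlSignatureException("no KeyInfo in protocol XML Signature");
   }
   X509Certificate signingCertificate;
   try {
     signingCertificate = keyInfo.getX509Certificate();
   } catch (KeyResolverException ex) {
     throw new SamlSignatureException("X509 certificate not present", ex);
   }
   if (null == signingCertificate) {
     // No resolver produced a certificate from the KeyInfo content.
     throw new SamlSignatureException("X509 certificate not present");
   }
   boolean signatureValid;
   try {
     signatureValid = xmlSignature.checkSignatureValue(signingCertificate);
   } catch (XMLSignatureException ex) {
     // Keep the original exception as the cause so the failure reason is not reduced to text.
     throw new SamlSignatureException("signature error: " + ex.getMessage(), ex);
   }
   if (!signatureValid) {
     throw new SamlSignatureException("invalid");
   }
   if (!keyInfo.containsX509Data()) {
     throw new SamlSignatureException("no X509 data in KeyInfo");
   }
   // Collect every certificate from every ds:X509Data element, in document order. The chain is
   // returned unvalidated; trust decisions are left to the caller.
   List<X509Certificate> certificateChain = new LinkedList<X509Certificate>();
   int x509DataCount = keyInfo.lengthX509Data();
   for (int x509DataItemIdx = 0; x509DataItemIdx < x509DataCount; x509DataItemIdx++) {
     try {
       X509Data x509Data = keyInfo.itemX509Data(x509DataItemIdx);
       if (!x509Data.containsCertificate()) {
         continue;
       }
       int certificateCount = x509Data.lengthCertificate();
       for (int certificateIdx = 0; certificateIdx < certificateCount; certificateIdx++) {
         XMLX509Certificate xmlX509Certificate = x509Data.itemCertificate(certificateIdx);
         certificateChain.add(xmlX509Certificate.getX509Certificate());
       }
     } catch (XMLSecurityException ex) {
       throw new SamlSignatureException("X509 data error", ex);
     }
   }
   return certificateChain;
 }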
  /**
   * Reports whether the assertions in the SAML document of the given conversation are covered by the
   * protocol signature.
   *
   * <p>SAML 2.0 assertions are looked up first, then SAML 1.0 assertions; the first non-empty set is
   * handed to {@code isDigested} together with the protocol signature element, and its result is
   * returned. A signature or security error while checking one namespace is logged at WARNING and
   * the next namespace is tried.
   *
   * <p>A {@code false} return means "not proven", not "proven absent": it is also returned when the
   * document cannot be parsed, no protocol signature is found, no assertions are found, or every
   * check raised an error. Callers should treat it as "do not trust".
   *
   * @param id the conversation whose SAML document is inspected
   * @return {@code true} only if {@code isDigested} reported the assertions as covered
   */
  public boolean protocolSignatureDigestsAssertions(ConversationID id) {
    Document document = getSAMLDocument(id);
    if (null == document) {
      return false;
    }
    Element protocolSignatureElement = findProtocolSignatureElement(document);
    if (null == protocolSignatureElement) {
      return false;
    }

    // Order matters: SAML 2.0 assertions take precedence over SAML 1.0 assertions.
    String[] assertionNamespaces = {
      "urn:oasis:names:tc:SAML:2.0:assertion", "urn:oasis:names:tc:SAML:1.0:assertion"
    };
    for (String assertionNamespace : assertionNamespaces) {
      NodeList assertionNodeList = document.getElementsByTagNameNS(assertionNamespace, "Assertion");
      if (0 == assertionNodeList.getLength()) {
        continue;
      }
      try {
        return isDigested(assertionNodeList, protocolSignatureElement);
      } catch (XMLSignatureException ex) {
        this._logger.log(Level.WARNING, "XML signature error: {0}", ex.getMessage());
      } catch (XMLSecurityException ex) {
        this._logger.log(Level.WARNING, "XML security error: {0}", ex.getMessage());
      }
      // Error while checking this namespace: fall through to the next one.
    }

    return false;
  }