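/**
 * Verifies the protocol-level XML signature of the conversation's SAML document and returns
 * the certificate chain carried in the signature's {@code KeyInfo}.
 *
 * <p>Security note: the signature value is checked against the certificate that the signature
 * itself embeds in {@code KeyInfo}, i.e. against material the sender controls. A successful
 * return therefore only proves that the document was signed by the holder of that key, NOT
 * that the key is trusted. The caller MUST validate the returned chain against its trust
 * anchors (e.g. the IdP's metadata certificate) before relying on the document. This method
 * also says nothing about WHICH elements the signature covers; combine it with
 * {@link #protocolSignatureDigestsAssertions(ConversationID)} to resist signature wrapping.
 *
 * @param id the conversation whose SAML document is examined
 * @return the X.509 certificates listed in the signature's {@code KeyInfo}, in document
 *     order; never empty, because a {@code KeyInfo} without X509Data is rejected
 * @throws SamlSignatureException if the document cannot be parsed, has no protocol
 *     signature, the signature is malformed, no {@code KeyInfo}/certificate can be resolved,
 *     the signature value does not verify, or the X509Data cannot be read
 */
public List<X509Certificate> verifySAMLProtocolSignature(ConversationID id) throws SamlSignatureException {
    Document document = getSAMLDocument(id);
    if (null == document) {
        throw new SamlSignatureException("DOM parser error");
    }
    Element protocolSignatureElement = findProtocolSignatureElement(document);
    if (null == protocolSignatureElement) {
        throw new SamlSignatureException("No protocol XML signature present");
    }

    XMLSignature xmlSignature;
    try {
        xmlSignature = new XMLSignature(protocolSignatureElement, "");
    } catch (XMLSignatureException ex) {
        throw new SamlSignatureException("Invalid protocol XML Signature", ex);
    } catch (XMLSecurityException ex) {
        throw new SamlSignatureException("XML security error", ex);
    }

    // A signature without a KeyInfo element yields a null KeyInfo; report that as a signature
    // error instead of letting a NullPointerException escape to the caller.
    KeyInfo keyInfo = xmlSignature.getKeyInfo();
    if (null == keyInfo) {
        throw new SamlSignatureException("No KeyInfo in protocol XML signature");
    }

    X509Certificate signingCertificate;
    try {
        signingCertificate = keyInfo.getX509Certificate();
    } catch (KeyResolverException ex) {
        throw new SamlSignatureException("X509 certificate not present", ex);
    }
    if (null == signingCertificate) {
        throw new SamlSignatureException("X509 certificate not present");
    }

    boolean signatureValid;
    try {
        // Verifies the SignatureValue against the embedded certificate's public key (in
        // Santuario this also checks the Reference digests of SignedInfo — confirm for the
        // library version in use).
        signatureValid = xmlSignature.checkSignatureValue(signingCertificate);
    } catch (XMLSignatureException ex) {
        // keep the cause chained for diagnostics instead of flattening it to a message
        throw new SamlSignatureException("signature error: " + ex.getMessage(), ex);
    }
    if (false == signatureValid) {
        throw new SamlSignatureException("invalid");
    }

    // Collect every certificate from every X509Data item so the caller can build and
    // validate a chain against its trust anchors.
    if (false == keyInfo.containsX509Data()) {
        throw new SamlSignatureException("no X509 data in KeyInfo");
    }
    List<X509Certificate> certificateChain = new LinkedList<X509Certificate>();
    int x509DataCount = keyInfo.lengthX509Data();
    for (int x509DataItemIdx = 0; x509DataItemIdx < x509DataCount; x509DataItemIdx++) {
        try {
            X509Data x509Data = keyInfo.itemX509Data(x509DataItemIdx);
            if (false == x509Data.containsCertificate()) {
                continue;
            }
            int certificateCount = x509Data.lengthCertificate();
            for (int certificateIdx = 0; certificateIdx < certificateCount; certificateIdx++) {
                XMLX509Certificate xmlX509Certificate = x509Data.itemCertificate(certificateIdx);
                certificateChain.add(xmlX509Certificate.getX509Certificate());
            }
        } catch (XMLSecurityException ex) {
            throw new SamlSignatureException("X509 data error", ex);
        }
    }
    return certificateChain;
}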
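/**
 * Checks that the protocol-level XML signature actually covers the assertions of the
 * conversation's SAML document.
 *
 * <p>Security note: a valid signature proves nothing about WHICH elements were signed. Without
 * this check an attacker can keep a legitimately signed element in place and add unsigned
 * Assertion elements elsewhere in the document (XML signature wrapping). Every Assertion in
 * both the SAML 2.0 and the SAML 1.0 namespace must be digested by a Reference of the protocol
 * signature; checking only one namespace would let a mixed document smuggle in unsigned
 * assertions of the other one.
 *
 * <p>Any XML security error raised while evaluating the references is treated as "not
 * digested" (fail closed) and logged together with the exception.
 *
 * @param id the conversation whose SAML document is examined
 * @return {@code true} only if the document parses, carries a protocol signature, contains
 *     at least one Assertion and every Assertion is digested by that signature;
 *     {@code false} otherwise
 */
public boolean protocolSignatureDigestsAssertions(ConversationID id) {
    Document document = getSAMLDocument(id);
    if (null == document) {
        return false;
    }
    Element protocolSignatureElement = findProtocolSignatureElement(document);
    if (null == protocolSignatureElement) {
        return false;
    }

    NodeList saml2Assertions = document.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion");
    NodeList saml1Assertions = document.getElementsByTagNameNS("urn:oasis:names:tc:SAML:1.0:assertion", "Assertion");
    if (0 == saml2Assertions.getLength() && 0 == saml1Assertions.getLength()) {
        // nothing to protect: a signature cannot be said to cover absent assertions
        return false;
    }

    // Both namespaces must pass; an empty set is trivially covered.
    return allAssertionsDigested(saml2Assertions, protocolSignatureElement)
            && allAssertionsDigested(saml1Assertions, protocolSignatureElement);
}

/**
 * Returns whether the given assertions are digested by the protocol signature.
 *
 * <p>An empty list is reported as covered; any XML security error is logged and reported as
 * not covered. Assumes {@code isDigested} returns {@code true} only when every node of the
 * list is covered by a Reference — TODO confirm against its implementation (not visible
 * here).
 *
 * @param assertions Assertion elements of one SAML namespace (possibly empty)
 * @param protocolSignatureElement the ds:Signature element whose References are inspected
 * @return {@code true} if {@code assertions} is empty or fully digested, {@code false}
 *     otherwise or on error
 */
private boolean allAssertionsDigested(NodeList assertions, Element protocolSignatureElement) {
    if (0 == assertions.getLength()) {
        return true;
    }
    try {
        return isDigested(assertions, protocolSignatureElement);
    } catch (XMLSignatureException ex) {
        this._logger.log(Level.WARNING, "XML signature error: " + ex.getMessage(), ex);
        return false;
    } catch (XMLSecurityException ex) {
        this._logger.log(Level.WARNING, "XML security error: " + ex.getMessage(), ex);
        return false;
    }
}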