コード例 #1
0
  public void signAssertion(Document samlDocument) throws ProcessingException {
    Element originalAssertionElement =
        org.keycloak.saml.common.util.DocumentUtil.getChildElement(
            samlDocument.getDocumentElement(),
            new QName(
                JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get()));
    if (originalAssertionElement == null) return;
    Node clonedAssertionElement = originalAssertionElement.cloneNode(true);
    Document temporaryDocument;

    try {
      temporaryDocument = org.keycloak.saml.common.util.DocumentUtil.createDocument();
    } catch (ConfigurationException e) {
      throw new ProcessingException(e);
    }

    temporaryDocument.adoptNode(clonedAssertionElement);
    temporaryDocument.appendChild(clonedAssertionElement);

    signDocument(temporaryDocument);

    samlDocument.adoptNode(clonedAssertionElement);

    Element parentNode = (Element) originalAssertionElement.getParentNode();

    parentNode.replaceChild(clonedAssertionElement, originalAssertionElement);
  }
コード例 #2
0
  /**
   * Sign a node in a document
   *
   * @param doc
   * @param nodeToBeSigned
   * @param keyPair
   * @param publicKey
   * @param digestMethod
   * @param signatureMethod
   * @param referenceURI
   * @return
   * @throws ParserConfigurationException
   * @throws XMLSignatureException
   * @throws MarshalException
   * @throws GeneralSecurityException
   */
  public static Document sign(
      Document doc,
      Node nodeToBeSigned,
      KeyPair keyPair,
      String digestMethod,
      String signatureMethod,
      String referenceURI,
      X509Certificate x509Certificate)
      throws ParserConfigurationException, GeneralSecurityException, MarshalException,
          XMLSignatureException {
    if (nodeToBeSigned == null) throw logger.nullArgumentError("Node to be signed");

    if (logger.isTraceEnabled()) {
      logger.trace("Document to be signed=" + DocumentUtil.asString(doc));
    }

    Node parentNode = nodeToBeSigned.getParentNode();

    // Let us create a new Document
    Document newDoc = DocumentUtil.createDocument();
    // Import the node
    Node signingNode = newDoc.importNode(nodeToBeSigned, true);
    newDoc.appendChild(signingNode);

    if (!referenceURI.isEmpty()) {
      propagateIDAttributeSetup(nodeToBeSigned, newDoc.getDocumentElement());
    }
    newDoc = sign(newDoc, keyPair, digestMethod, signatureMethod, referenceURI, x509Certificate);

    // if the signed element is a SAMLv2.0 assertion we need to move the signature element to the
    // position
    // specified in the schema (before the assertion subject element).
    if (nodeToBeSigned.getLocalName().equals("Assertion")
        && WSTrustConstants.SAML2_ASSERTION_NS.equals(nodeToBeSigned.getNamespaceURI())) {
      Node signatureNode =
          DocumentUtil.getElement(newDoc, new QName(WSTrustConstants.DSIG_NS, "Signature"));
      Node subjectNode =
          DocumentUtil.getElement(
              newDoc, new QName(WSTrustConstants.SAML2_ASSERTION_NS, "Subject"));
      if (signatureNode != null && subjectNode != null) {
        newDoc.getDocumentElement().removeChild(signatureNode);
        newDoc.getDocumentElement().insertBefore(signatureNode, subjectNode);
      }
    }

    // Now let us import this signed doc into the original document we got in the method call
    Node signedNode = doc.importNode(newDoc.getFirstChild(), true);

    if (!referenceURI.isEmpty()) {
      propagateIDAttributeSetup(newDoc.getDocumentElement(), (Element) signedNode);
    }

    parentNode.replaceChild(signedNode, nodeToBeSigned);
    // doc.getDocumentElement().replaceChild(signedNode, nodeToBeSigned);

    return doc;
  }