/** * @param caminhoCertificado * @param senhaCertificado * @paaram senhaCertificado * @param caminhoArquivo * @return * @throws Exception */ public static String assinarDocumento( String caminhoCertificado, String senhaCertificado, String caminhoArquivo) throws Exception { final KeyStore keyStore = KeyStore.getInstance("PKCS12"); try (InputStream certificadoStream = new FileInputStream(new File(caminhoCertificado))) { keyStore.load(certificadoStream, senhaCertificado.toCharArray()); } final KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry( keyStore.aliases().nextElement(), new KeyStore.PasswordProtection(senhaCertificado.toCharArray())); final XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance("DOM"); final List<Transform> transforms = new ArrayList<>(2); transforms.add( signatureFactory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)); transforms.add( signatureFactory.newTransform(C14N_TRANSFORM_METHOD, (TransformParameterSpec) null)); final KeyInfoFactory keyInfoFactory = signatureFactory.getKeyInfoFactory(); final X509Data x509Data = keyInfoFactory.newX509Data( Collections.singletonList((X509Certificate) keyEntry.getCertificate())); final KeyInfo keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(x509Data)); final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(); documentBuilderFactory.setNamespaceAware(true); final Document document = documentBuilderFactory.newDocumentBuilder().parse(new File(caminhoArquivo)); for (final String elementoAssinavel : ELEMENTOS_ASSINAVEIS) { final NodeList elements = document.getElementsByTagName(elementoAssinavel); for (int i = 0; i < elements.getLength(); i++) { final Element element = (Element) elements.item(i); final String id = element.getAttribute("Id"); element.setIdAttribute("Id", true); final Reference reference = signatureFactory.newReference( "#" + id, signatureFactory.newDigestMethod(DigestMethod.SHA1, null), transforms, null, null); final SignedInfo signedInfo = signatureFactory.newSignedInfo( signatureFactory.newCanonicalizationMethod( CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null), signatureFactory.newSignatureMethod(SignatureMethod.RSA_SHA1, null), Collections.singletonList(reference)); final XMLSignature signature = signatureFactory.newXMLSignature(signedInfo, keyInfo); signature.sign(new DOMSignContext(keyEntry.getPrivateKey(), element.getParentNode())); } } try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream()) { final Transformer transformer = TransformerFactory.newInstance().newTransformer(); transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes"); transformer.transform(new DOMSource(document), new StreamResult(outputStream)); return outputStream.toString(); } }
/** * @param context JAXBFilterProcessingContext * @return errorCode * @throws XWSSecurityException */ public static int sign(JAXBFilterProcessingContext context) throws XWSSecurityException { try { SignaturePolicy signaturePolicy = (SignaturePolicy) context.getSecurityPolicy(); ((NamespaceContextEx) context.getNamespaceContext()).addSignatureNS(); WSSPolicy keyBinding = (WSSPolicy) signaturePolicy.getKeyBinding(); if (logger.isLoggable(Level.FINEST)) { logger.log(Level.FINEST, "KeyBinding is " + keyBinding); } Key signingKey = null; SignatureElementFactory signFactory = new SignatureElementFactory(); KeyInfo keyInfo = null; SecurityHeader securityHeader = context.getSecurityHeader(); // Get the Signing key and KeyInfo from TokenProcessor TokenProcessor tokenProcessor = new TokenProcessor(signaturePolicy, context); BuilderResult builderResult = tokenProcessor.process(); signingKey = builderResult.getDataProtectionKey(); keyInfo = builderResult.getKeyInfo(); if (keyInfo != null || !keyBinding.isOptional()) { SignedInfo signedInfo = signFactory.constructSignedInfo(context); JAXBSignContext signContext = new JAXBSignContext(signingKey); signContext.setURIDereferencer(DSigResolver.getInstance()); XMLSignature signature = signFactory.constructSignature(signedInfo, keyInfo, signaturePolicy.getUUID()); signContext.put(MessageConstants.WSS_PROCESSING_CONTEXT, context); NamespaceAndPrefixMapper npMapper = new NamespaceAndPrefixMapper( context.getNamespaceContext(), context.getDisableIncPrefix()); signContext.put(NamespaceAndPrefixMapper.NS_PREFIX_MAPPER, npMapper); signContext.putNamespacePrefix(MessageConstants.DSIG_NS, MessageConstants.DSIG_PREFIX); signature.sign(signContext); JAXBSignatureHeaderElement jaxBSign = new JAXBSignatureHeaderElement( (com.sun.xml.ws.security.opt.crypto.dsig.Signature) signature, context.getSOAPVersion()); securityHeader.add(jaxBSign); // For SignatureConfirmation List scList = (ArrayList) context.getExtraneousProperty("SignatureConfirmation"); if (scList != null) { scList.add(Base64.encode(signature.getSignatureValue().getValue())); } } // End SignatureConfirmation specific code } catch (XWSSecurityException xe) { logger.log(Level.SEVERE, LogStringsMessages.WSS_1701_SIGN_FAILED(), xe); throw xe; } catch (Exception ex) { logger.log(Level.SEVERE, LogStringsMessages.WSS_1701_SIGN_FAILED(), ex); throw new XWSSecurityException(ex); } return 0; }
/** * Signs a SoapMessage with the holder-of-key configuration provided on class creation. This * method changes the SoapMessage. * * @param message cannot be null * @return The signed SoapMessage * @throws ParserException * @throws SignatureException */ @Override public final SoapMessage sign(SoapMessage message) throws ParserException, SignatureException { assert message != null; Provider securityProvider = holderOfKeyConfig.getSecurityProvider(); XMLSignatureFactory xmlSigFactory = (securityProvider != null) ? XMLSignatureFactory.getInstance("DOM", securityProvider) : XMLSignatureFactory.getInstance(); try { String bodyUuid = createSoapBodyUuid(message); CanonicalizationMethod canonicalizationMethod = xmlSigFactory.newCanonicalizationMethod( CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null); SignatureMethod signatureMethod = getSignatureMethod(xmlSigFactory); ArrayList<String> refList = new ArrayList<String>(); refList.add(bodyUuid); refList.add(createTimestampUuid(message)); List<Reference> references = createSignatureReferences(xmlSigFactory, refList); SignedInfo signedInfo = xmlSigFactory.newSignedInfo(canonicalizationMethod, signatureMethod, references); KeyInfoFactory kif = KeyInfoFactory.getInstance(); KeyInfo ki = kif.newKeyInfo( Collections.singletonList(new DOMStructure(createKeyInfoContent(message)))); XMLSignature signature = xmlSigFactory.newXMLSignature(signedInfo, ki, null, addUseKeySignatureId(message), null); DOMSignContext dsc = new DOMSignContext( holderOfKeyConfig.getPrivateKey(), message.getHeader().getFirstChild()); dsc.putNamespacePrefix(XMLSignature.XMLNS, DIGITAL_SIGNATURE_NAMESPACE_PREFIX); signature.sign(dsc); log.debug("Message with SOAPBody id: " + bodyUuid + " is signed."); } catch (NoSuchAlgorithmException e) { log.debug(CREATING_SIGNATURE_ERR_MSG); throw new SignatureException(CREATING_SIGNATURE_ERR_MSG, e); } catch (InvalidAlgorithmParameterException e) { log.debug(CREATING_SIGNATURE_ERR_MSG); throw new SignatureException(CREATING_SIGNATURE_ERR_MSG, e); } catch (MarshalException e) { log.debug(CREATING_SIGNATURE_ERR_MSG); throw new SignatureException(CREATING_SIGNATURE_ERR_MSG, e); } catch (XMLSignatureException e) { log.debug(CREATING_SIGNATURE_ERR_MSG); throw new SignatureException(CREATING_SIGNATURE_ERR_MSG, e); } return message; }
private static void signImpl( DOMSignContext dsc, String digestMethod, String signatureMethod, String referenceURI, PublicKey publicKey, X509Certificate x509Certificate) throws GeneralSecurityException, MarshalException, XMLSignatureException { dsc.setDefaultNamespacePrefix("dsig"); DigestMethod digestMethodObj = fac.newDigestMethod(digestMethod, null); Transform transform1 = fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null); Transform transform2 = fac.newTransform("http://www.w3.org/2001/10/xml-exc-c14n#", (TransformParameterSpec) null); List<Transform> transformList = new ArrayList<Transform>(); transformList.add(transform1); transformList.add(transform2); Reference ref = fac.newReference(referenceURI, digestMethodObj, transformList, null, null); CanonicalizationMethod canonicalizationMethod = fac.newCanonicalizationMethod(canonicalizationMethodType, (C14NMethodParameterSpec) null); List<Reference> referenceList = Collections.singletonList(ref); SignatureMethod signatureMethodObj = fac.newSignatureMethod(signatureMethod, null); SignedInfo si = fac.newSignedInfo(canonicalizationMethod, signatureMethodObj, referenceList); KeyInfo ki = null; if (includeKeyInfoInSignature) { ki = createKeyInfo(publicKey, x509Certificate); } XMLSignature signature = fac.newXMLSignature(si, ki); signature.sign(dsc); }
/** * @param chnlId * @param xmlStr * @param chnlStr * @return */ public String processXMLForChnls(String chnlId, String xmlStr, final String chnlStr) { if ("106".equals(chnlId) || "102".equals(chnlId)) { try { xmlStr = URLEncoder.encode(xmlStr.trim(), "UTF-8"); } catch (UnsupportedEncodingException e) { } xmlStr = "xml=".concat(xmlStr); } else if ("103".equals(chnlId) && !"Route1_CONT".equals(chnlStr)) { xmlStr = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">" + "<soap:Header>" + "<SOAP-SEC:Signature xmlns:SOAP-SEC=\"http://schemas.xmlsoap.org/soap/security/2000-12\">" + "</SOAP-SEC:Signature>" + "</soap:Header>".concat(xmlStr).concat("</soap:Envelope>"); try { // Create a DOM XMLSignatureFactory that will be used to // generate the enveloped signature. XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM"); Reference ref = fac.newReference( "#Body", fac.newDigestMethod(DigestMethod.SHA1, null), Collections.singletonList( fac.newTransform( "http://www.w3.org/2001/10/xml-exc-c14n#", (TransformParameterSpec) null)), null, null); // Create the SignedInfo. SignedInfo si = fac.newSignedInfo( fac.newCanonicalizationMethod( CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null), fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null), Collections.singletonList(ref)); // Load the KeyStore and get the signing key and // certificate. KeyStore ks = KeyStore.getInstance("JKS"); String certFileNm = ""; // commonConfigHelper.getConfigMap().get( // "ROUTE1_CERTIFICATE_JSK"); String pwd = ""; // commonConfigHelper.getConfigMap().get( // "ROUTE1_CERTIFICATE_PASSWORD"); String aliasNm = ""; // commonConfigHelper.getConfigMap().get( // "ROUTE1_CERTIFICATE_ALIAS"); ks.load(new FileInputStream(certFileNm), pwd.toCharArray()); KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) ks.getEntry(aliasNm, new KeyStore.PasswordProtection(pwd.toCharArray())); X509Certificate cert = (X509Certificate) keyEntry.getCertificate(); // Create the KeyInfo containing the X509Data. KeyInfoFactory kif = fac.getKeyInfoFactory(); List x509Content = new ArrayList(); // x509Content.add(cert.getSubjectX500Principal().getName()); x509Content.add(cert.getIssuerX500Principal().getName()); X509Data xd = kif.newX509Data(x509Content); KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd)); // Instantiate the document to be signed. // Document doc = xmlUtil.getDocumentFromString(xmlStr); Document doc = null; // Create a DOMSignContext and specify the RSA PrivateKey // and // location of the resulting XMLSignature's parent element. DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(), doc.getDocumentElement()); // Create the XMLSignature, but don't sign it yet. XMLSignature signature = fac.newXMLSignature(si, ki); // Marshal, generate, and sign the enveloped signature. signature.sign(dsc); // Output the resulting document. xmlStr = xmlUtil.convertXMLDocToString(doc); } catch (Exception e) { } } return xmlStr; }
@Test public void testXmlSignature() throws Exception { String providerName = System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI"); XMLSignatureFactory factory = XMLSignatureFactory.getInstance( "DOM", (Provider) Class.forName(providerName).newInstance()); DigestMethod digestMethod = factory.newDigestMethod(DigestMethod.SHA1, null); Transform transform = factory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null); Reference reference = factory.newReference("", digestMethod, Collections.singletonList(transform), null, null); CanonicalizationMethod canonicalizationMethod = factory.newCanonicalizationMethod( CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS, (C14NMethodParameterSpec) null); SignatureMethod signatureMethod = factory.newSignatureMethod(SignatureMethod.RSA_SHA1, null); SignedInfo signedInfo = factory.newSignedInfo( canonicalizationMethod, signatureMethod, Collections.singletonList(reference)); KeyStore ks = KeyStore.getInstance("JKS"); InputStream fis = XMLSigSpike.class.getClassLoader().getResourceAsStream("dev.jks"); ks.load(fis, "devjks".toCharArray()); fis.close(); PrivateKey prv = (PrivateKey) ks.getKey("vgr-pdl", "devjks".toCharArray()); final Certificate cert = ks.getCertificate("vgr-pdl"); final Certificate cacert = ks.getCertificate("vgr-ca"); DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); Document doc = dbf.newDocumentBuilder() .parse(XMLSigSpike.class.getClassLoader().getResourceAsStream("bfr.xml")); final X509Certificate x509Cert = (X509Certificate) cert; List<X509Certificate> x509 = Arrays.asList(x509Cert); KeyInfoFactory keyInfoFactory = factory.getKeyInfoFactory(); X509Data x509Data = keyInfoFactory.newX509Data(x509); List items = new ArrayList(); items.add(x509Data); // items.add(pub); KeyInfo keyInfo = keyInfoFactory.newKeyInfo(items); DOMSignContext dsc = new DOMSignContext(prv, doc.getDocumentElement()); XMLSignature signature = factory.newXMLSignature(signedInfo, keyInfo); signature.sign(dsc); FileOutputStream fos = new FileOutputStream("mySignedFile.xml"); TransformerFactory tf = TransformerFactory.newInstance(); Transformer transformer = tf.newTransformer(); transformer.transform(new DOMSource(doc), new StreamResult(fos)); fos.close(); Document signedDoc = dbf.newDocumentBuilder().parse(new FileInputStream("mySignedFile.xml")); // Find Signature element. NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature"); if (nl.getLength() == 0) { throw new Exception("Cannot find Signature element"); } KeySelector selector = new KeySelector() { @Override public KeySelectorResult select( final KeyInfo keyInfo, final Purpose purpose, final AlgorithmMethod algorithmMethod, final XMLCryptoContext xmlCryptoContext) throws KeySelectorException { return new KeySelectorResult() { @Override public Key getKey() { List<X509Data> dataList = keyInfo.getContent(); List<X509Certificate> certList = dataList.get(0).getContent(); X509Certificate cert = certList.get(0); try { x509Cert.verify(cacert.getPublicKey()); } catch (CertificateException e) { throw new RuntimeException(e); } catch (NoSuchAlgorithmException e) { throw new RuntimeException(e); } catch (InvalidKeyException e) { throw new RuntimeException(e); } catch (NoSuchProviderException e) { throw new RuntimeException(e); } catch (SignatureException e) { throw new RuntimeException(e); } return cert.getPublicKey(); } }; } }; // Create a DOMValidateContext and specify a KeySelector // and document context. DOMValidateContext valContext = new DOMValidateContext(selector, nl.item(0)); // Unmarshal the XMLSignature. XMLSignature xmlSignature = factory.unmarshalXMLSignature(valContext); // Validate the XMLSignature. boolean coreValidity = signature.validate(valContext); assertTrue(coreValidity); }
/** * Cria a assinatura para o objeto informado no construtor. * * @return Assinatura gerada. * @throws SignatureException Caso ocorra algum erro ao gerar a assinatura. */ @SuppressWarnings({"rawtypes", "unchecked"}) public SignatureType createSignature() throws SignatureException { try { final X509Certificate certificate = Configuration.getInstance().getCertificate(); // Cria a assinatura com a API do Java. final XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM"); final List<Transform> transformList = new ArrayList<Transform>(); transformList.add(factory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)); transformList.add( factory.newTransform(CanonicalizationMethod.INCLUSIVE, (TransformParameterSpec) null)); final Reference reference = factory.newReference( this.referenceUri, factory.newDigestMethod(DigestMethod.SHA1, null), transformList, null, null); final SignedInfo signedInfo = factory.newSignedInfo( factory.newCanonicalizationMethod( CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null), factory.newSignatureMethod(SignatureMethod.RSA_SHA1, null), Collections.singletonList(reference)); final KeyInfoFactory keyInfoFactory = factory.getKeyInfoFactory(); final List x509Content = new ArrayList(); x509Content.add(certificate.getSubjectX500Principal().getName()); x509Content.add(certificate); final X509Data x509Data = keyInfoFactory.newX509Data(x509Content); final KeyInfo keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(x509Data)); final DOMSignContext domSignContext = new DOMSignContext( Configuration.getInstance().getPrivateKey(), this.document.getDocumentElement()); final XMLSignature newXMLSignature = factory.newXMLSignature(signedInfo, keyInfo); newXMLSignature.sign(domSignContext); // Remove tags nao recomendadas. final String[] unnecessaryElements = new String[] { "X509SubjectName", "X509IssuerSerial", "X509IssuerName", "X509IssuerName", "X509SKI", "KeyValue", "RSAKeyValue", "Modulus", "Exponent" }; final XPathFactory xpathFactory = XPathFactory.newInstance(); for (final String elementName : unnecessaryElements) { final XPathExpression xpath = xpathFactory.newXPath().compile("//*[name()='" + elementName + "']"); final Node node = (Node) xpath.evaluate(this.document, XPathConstants.NODE); if (null != node) { node.getParentNode().removeChild(node); } } final XPathExpression xpath = xpathFactory.newXPath().compile("//*[name()='Signature']"); return JAXB.unmarshal( new DOMSource((Node) xpath.evaluate(this.document, XPathConstants.NODE)), SignatureType.class); } catch (Exception e) { throw new SignatureException("Um erro ocorreu ao criar a assinatura.", e); } }