/** @inheritDoc */
public boolean engineCanResolve(Element element, String BaseURI, StorageResolver storage) {
if (element == null) {
return false;
}
boolean isKeyValue = XMLUtils.elementIsInSignatureSpace(element, Constants._TAG_KEYVALUE);
boolean isDSAKeyValue = XMLUtils.elementIsInSignatureSpace(element, Constants._TAG_DSAKEYVALUE);
if (isKeyValue) {
this._dsaKeyElement =
XMLUtils.selectDsNode(element.getFirstChild(), Constants._TAG_DSAKEYVALUE, 0);
if (this._dsaKeyElement != null) {
return true;
}
} else if (isDSAKeyValue) {
// this trick is needed to allow the RetrievalMethodResolver to eat a
// ds:DSAKeyValue directly (without KeyValue)
this._dsaKeyElement = element;
return true;
}
return false;
}
protected void circumventBugIfNeeded(XMLSignatureInput input)
throws CanonicalizationException, ParserConfigurationException, IOException, SAXException {
if (!input.isNeedsToBeExpanded()) {
return;
}
Document doc = null;
if (input.getSubNode() != null) {
doc = XMLUtils.getOwnerDocument(input.getSubNode());
} else {
doc = XMLUtils.getOwnerDocument(input.getNodeSet());
}
XMLUtils.circumventBug2650(doc);
}
/**
* Constructor XPath2FilterContainer04
*
* @param doc
* @param xpath2filter
* @param filterType
*/
private XPath2FilterContainer04(Document doc, String xpath2filter, String filterType) {
super(doc);
this._constructionElement.setAttributeNS(null, XPath2FilterContainer04._ATT_FILTER, filterType);
if ((xpath2filter.length() > 2) && (!Character.isWhitespace(xpath2filter.charAt(0)))) {
XMLUtils.addReturnToElement(this._constructionElement);
this._constructionElement.appendChild(doc.createTextNode(xpath2filter));
XMLUtils.addReturnToElement(this._constructionElement);
} else {
this._constructionElement.appendChild(doc.createTextNode(xpath2filter));
}
}
protected XMLSignatureInput enginePerformTransform(XMLSignatureInput input, OutputStream os)
throws CanonicalizationException {
try {
String inclusiveNamespaces = null;
if (this._transformObject.length(
InclusiveNamespaces.ExclusiveCanonicalizationNamespace,
InclusiveNamespaces._TAG_EC_INCLUSIVENAMESPACES)
== 1) {
Element inclusiveElement =
XMLUtils.selectNode(
this._transformObject.getElement().getFirstChild(),
InclusiveNamespaces.ExclusiveCanonicalizationNamespace,
InclusiveNamespaces._TAG_EC_INCLUSIVENAMESPACES,
0);
inclusiveNamespaces =
new InclusiveNamespaces(inclusiveElement, this._transformObject.getBaseURI())
.getInclusiveNamespaces();
}
Canonicalizer20010315ExclOmitComments c14n = new Canonicalizer20010315ExclOmitComments();
if (os != null) {
c14n.setWriter(os);
}
byte[] result;
if (input.isOctetStream()) {
result = c14n.engineCanonicalize(input.get_Bytes());
} else if (input.isElement()) {
org.w3c.dom.Node excl = input.getExcludeNode();
result = c14n.engineCanonicalizeSubTree(input.getSubNode(), inclusiveNamespaces, excl);
} else {
result = c14n.engineCanonicalizeXPathNodeSet(input.getNodeSet(), inclusiveNamespaces);
}
XMLSignatureInput output = new XMLSignatureInput(result);
if (os != null) {
output.setOutputStream(os);
}
return output;
} catch (IOException ex) {
throw new CanonicalizationException("empty", ex);
} catch (ParserConfigurationException ex) {
throw new CanonicalizationException("empty", ex);
} catch (XMLSecurityException ex) {
throw new CanonicalizationException("empty", ex);
} catch (SAXException ex) {
throw new CanonicalizationException("empty", ex);
}
}
/**
* Method engineCanResolve
*
* @param element
* @param BaseURI
* @param storage
* @return
*/
public boolean engineCanResolve(Element element, String BaseURI, StorageResolver storage) {
cat.debug("Can I resolve " + element.getTagName());
if (element == null) {
return false;
}
boolean isKeyValue = XMLUtils.elementIsInSignatureSpace(element, Constants._TAG_KEYVALUE);
boolean isRSAKeyValue = XMLUtils.elementIsInSignatureSpace(element, Constants._TAG_RSAKEYVALUE);
if (isKeyValue) {
try {
Element nscontext =
XMLUtils.createDSctx(element.getOwnerDocument(), "ds", Constants.SignatureSpecNS);
this._rsaKeyElement =
(Element)
XPathAPI.selectSingleNode(element, "./ds:" + Constants._TAG_RSAKEYVALUE, nscontext);
if (this._rsaKeyElement != null) {
return true;
}
} catch (TransformerException ex) {
}
} else if (isRSAKeyValue) {
// this trick is needed to allow the RetrievalMethodResolver to eat a
// ds:RSAKeyValue directly (without KeyValue)
this._rsaKeyElement = element;
return true;
}
return false;
}
/**
* Method engineCanonicalizeXPathNodeSet
*
* @inheritDoc
* @param xpathNodeSet
* @throws CanonicalizationException
*/
public byte[] engineCanonicalizeXPathNodeSet(Set xpathNodeSet) throws CanonicalizationException {
if (xpathNodeSet.size() == 0) {
return new byte[0];
}
this._xpathNodeSet = xpathNodeSet;
try {
Node rootNodeOfC14n = XMLUtils.getOwnerDocument(this._xpathNodeSet);
this.canonicalizeXPathNodeSet(rootNodeOfC14n, new NameSpaceSymbTable());
this._writer.close();
if (this._writer instanceof ByteArrayOutputStream) {
return ((ByteArrayOutputStream) this._writer).toByteArray();
}
return null;
} catch (UnsupportedEncodingException ex) {
throw new CanonicalizationException("empty", ex);
} catch (IOException ex) {
throw new CanonicalizationException("empty", ex);
}
}
/**
* Method main
*
* @param args
*/
public static void main(String[] args) {
XMLUtils.spitOutVersions(log);
boolean useTextUI = true;
if (useTextUI) {
junit.textui.TestRunner.run(suite());
} else {
String[] testCaseName = {"-noloading", ModuleTest.class.getName()};
try {
String lookAndFeelClass = "com.incors.plaf.kunststoff.KunststoffLookAndFeel";
javax.swing.LookAndFeel lnf =
(javax.swing.LookAndFeel) Class.forName(lookAndFeelClass).newInstance();
javax.swing.UIManager.setLookAndFeel(lnf);
} catch (Exception ex) {
}
junit.swingui.TestRunner.main(testCaseName);
}
}
/**
* Verifies signatures in entity descriptor represented by the <code>Document</code>.
*
* @param doc The document.
* @throws SAML2MetaException if unable to verify the entity descriptor.
*/
public static void verifySignature(Document doc) throws SAML2MetaException {
NodeList sigElements = null;
try {
Element nscontext =
org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
sigElements = XPathAPI.selectNodeList(doc, "//ds:Signature", nscontext);
} catch (Exception ex) {
if (debug.messageEnabled()) {
debug.message("SAML2MetaSecurityUtils.verifySignature:", ex);
throw new SAML2MetaException(ex.getMessage());
}
}
int numSigs = sigElements.getLength();
if (debug.messageEnabled()) {
debug.message("SAML2MetaSecurityUtils.verifySignature:" + " # of signatures = " + numSigs);
}
if (numSigs == 0) {
return;
}
// If there are signatures then explicitly identify the ID Attribute, See comments section of
// http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8017265
doc.getDocumentElement().setIdAttribute(SAML2Constants.ID, true);
initializeKeyStore();
for (int i = 0; i < numSigs; i++) {
Element sigElement = (Element) sigElements.item(i);
String sigParentName = sigElement.getParentNode().getLocalName();
Object[] objs = {sigParentName};
if (debug.messageEnabled()) {
debug.message(
"SAML2MetaSecurityUtils.verifySignature: "
+ "verifying signature under "
+ sigParentName);
}
try {
XMLSignature signature = new XMLSignature(sigElement, "");
signature.addResourceResolver(new com.sun.identity.saml.xmlsig.OfflineResolver());
KeyInfo ki = signature.getKeyInfo();
X509Certificate x509cert = null;
if (ki != null && ki.containsX509Data()) {
if (keyStore != null) {
StorageResolver sr = new StorageResolver(new KeyStoreResolver(keyStore));
ki.addStorageResolver(sr);
}
x509cert = ki.getX509Certificate();
}
if (x509cert == null) {
if (debug.messageEnabled()) {
debug.message(
"SAML2MetaSecurityUtils.verifySignature:" + " try to find cert in KeyDescriptor");
}
String xpath =
"following-sibling::*[local-name()=\""
+ TAG_KEY_DESCRIPTOR
+ "\" and namespace-uri()=\""
+ NS_META
+ "\"]";
Node node = XPathAPI.selectSingleNode(sigElement, xpath);
if (node != null) {
Element kd = (Element) node;
String use = kd.getAttributeNS(null, ATTR_USE);
if ((use.length() == 0) || use.equals("signing")) {
NodeList nl = kd.getChildNodes();
for (int j = 0; j < nl.getLength(); j++) {
Node child = nl.item(j);
if (child.getNodeType() == Node.ELEMENT_NODE) {
String localName = child.getLocalName();
String ns = child.getNamespaceURI();
if (TAG_KEY_INFO.equals(localName) && NS_XMLSIG.equals(ns)) {
ki = new KeyInfo((Element) child, "");
if (ki.containsX509Data()) {
if (keyStore != null) {
KeyStoreResolver ksr = new KeyStoreResolver(keyStore);
StorageResolver sr = new StorageResolver(ksr);
ki.addStorageResolver(sr);
}
x509cert = ki.getX509Certificate();
}
}
break;
}
}
}
}
}
if (x509cert == null) {
throw new SAML2MetaException("verify_no_cert", objs);
}
if (checkCert
&& ((keyProvider == null) || (keyProvider.getCertificateAlias(x509cert) == null))) {
throw new SAML2MetaException("untrusted_cert", objs);
}
PublicKey pk = x509cert.getPublicKey();
if (!signature.checkSignatureValue(pk)) {
throw new SAML2MetaException("verify_fail", objs);
}
} catch (SAML2MetaException sme) {
throw sme;
} catch (Exception ex) {
debug.error("SAML2MetaSecurityUtils.verifySignature: ", ex);
throw new SAML2MetaException(
Locale.getString(SAML2MetaUtils.resourceBundle, "verify_fail", objs)
+ "\n"
+ ex.getMessage());
}
}
}
/**
* Builds a SOAPEnvelope from DOM Document.
*
* @param doc - The dom document that contains a SOAP message
* @param useDoom
* @return
* @throws WSSecurityException
*/
public static SOAPEnvelope getSOAPEnvelopeFromDOMDocument(Document doc, boolean useDoom)
throws WSSecurityException {
if (useDoom) {
try {
// Get processed headers
SOAPEnvelope env = (SOAPEnvelope) doc.getDocumentElement();
ArrayList processedHeaderQNames = new ArrayList();
SOAPHeader soapHeader = env.getHeader();
if (soapHeader != null) {
Iterator headerBlocs = soapHeader.getChildElements();
while (headerBlocs.hasNext()) {
OMElement element = (OMElement) headerBlocs.next();
SOAPHeaderBlock header = null;
if (element instanceof SOAPHeaderBlock) {
header = (SOAPHeaderBlock) element;
// If a header block is not an instance of SOAPHeaderBlock, it means that
// it is a header we have added in rampart eg. EncryptedHeader and should
// be converted to SOAPHeaderBlock for processing
} else {
header = soapHeader.addHeaderBlock(element.getLocalName(), element.getNamespace());
Iterator attrIter = element.getAllAttributes();
while (attrIter.hasNext()) {
OMAttribute attr = (OMAttribute) attrIter.next();
header.addAttribute(
attr.getLocalName(), attr.getAttributeValue(), attr.getNamespace());
}
Iterator nsIter = element.getAllDeclaredNamespaces();
while (nsIter.hasNext()) {
OMNamespace ns = (OMNamespace) nsIter.next();
header.declareNamespace(ns);
}
// retrieve all child nodes (including any text nodes)
// and re-attach to header block
Iterator children = element.getChildren();
while (children.hasNext()) {
OMNode child = (OMNode) children.next();
child.detach();
header.addChild(child);
}
element.detach();
soapHeader.build();
header.setProcessed();
}
if (header.isProcessed()) {
processedHeaderQNames.add(element.getQName());
}
}
}
XMLStreamReader reader = ((OMElement) doc.getDocumentElement()).getXMLStreamReader();
StAXSOAPModelBuilder stAXSOAPModelBuilder = new StAXSOAPModelBuilder(reader, null);
SOAPEnvelope envelope = stAXSOAPModelBuilder.getSOAPEnvelope();
// Set the processed flag of the processed headers
SOAPHeader header = envelope.getHeader();
for (Iterator iter = processedHeaderQNames.iterator(); iter.hasNext(); ) {
QName name = (QName) iter.next();
Iterator omKids = header.getChildrenWithName(name);
if (omKids.hasNext()) {
((SOAPHeaderBlock) omKids.next()).setProcessed();
}
}
envelope.build();
return envelope;
} catch (FactoryConfigurationError e) {
throw new WSSecurityException(e.getMessage());
}
} else {
try {
ByteArrayOutputStream os = new ByteArrayOutputStream();
XMLUtils.outputDOM(doc.getDocumentElement(), os, true);
ByteArrayInputStream bais = new ByteArrayInputStream(os.toByteArray());
StAXSOAPModelBuilder stAXSOAPModelBuilder =
new StAXSOAPModelBuilder(
XMLInputFactory.newInstance().createXMLStreamReader(bais), null);
return stAXSOAPModelBuilder.getSOAPEnvelope();
} catch (Exception e) {
throw new WSSecurityException(e.getMessage());
}
}
}