public void signAssertion(Document samlDocument) throws ProcessingException {
Element originalAssertionElement =
org.keycloak.saml.common.util.DocumentUtil.getChildElement(
samlDocument.getDocumentElement(),
new QName(
JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get()));
if (originalAssertionElement == null) return;
Node clonedAssertionElement = originalAssertionElement.cloneNode(true);
Document temporaryDocument;
try {
temporaryDocument = org.keycloak.saml.common.util.DocumentUtil.createDocument();
} catch (ConfigurationException e) {
throw new ProcessingException(e);
}
temporaryDocument.adoptNode(clonedAssertionElement);
temporaryDocument.appendChild(clonedAssertionElement);
signDocument(temporaryDocument);
samlDocument.adoptNode(clonedAssertionElement);
Element parentNode = (Element) originalAssertionElement.getParentNode();
parentNode.replaceChild(clonedAssertionElement, originalAssertionElement);
}
/**
* Sign a node in a document
*
* @param doc
* @param nodeToBeSigned
* @param keyPair
* @param publicKey
* @param digestMethod
* @param signatureMethod
* @param referenceURI
* @return
* @throws ParserConfigurationException
* @throws XMLSignatureException
* @throws MarshalException
* @throws GeneralSecurityException
*/
public static Document sign(
Document doc,
Node nodeToBeSigned,
KeyPair keyPair,
String digestMethod,
String signatureMethod,
String referenceURI,
X509Certificate x509Certificate)
throws ParserConfigurationException, GeneralSecurityException, MarshalException,
XMLSignatureException {
if (nodeToBeSigned == null) throw logger.nullArgumentError("Node to be signed");
if (logger.isTraceEnabled()) {
logger.trace("Document to be signed=" + DocumentUtil.asString(doc));
}
Node parentNode = nodeToBeSigned.getParentNode();
// Let us create a new Document
Document newDoc = DocumentUtil.createDocument();
// Import the node
Node signingNode = newDoc.importNode(nodeToBeSigned, true);
newDoc.appendChild(signingNode);
if (!referenceURI.isEmpty()) {
propagateIDAttributeSetup(nodeToBeSigned, newDoc.getDocumentElement());
}
newDoc = sign(newDoc, keyPair, digestMethod, signatureMethod, referenceURI, x509Certificate);
// if the signed element is a SAMLv2.0 assertion we need to move the signature element to the
// position
// specified in the schema (before the assertion subject element).
if (nodeToBeSigned.getLocalName().equals("Assertion")
&& WSTrustConstants.SAML2_ASSERTION_NS.equals(nodeToBeSigned.getNamespaceURI())) {
Node signatureNode =
DocumentUtil.getElement(newDoc, new QName(WSTrustConstants.DSIG_NS, "Signature"));
Node subjectNode =
DocumentUtil.getElement(
newDoc, new QName(WSTrustConstants.SAML2_ASSERTION_NS, "Subject"));
if (signatureNode != null && subjectNode != null) {
newDoc.getDocumentElement().removeChild(signatureNode);
newDoc.getDocumentElement().insertBefore(signatureNode, subjectNode);
}
}
// Now let us import this signed doc into the original document we got in the method call
Node signedNode = doc.importNode(newDoc.getFirstChild(), true);
if (!referenceURI.isEmpty()) {
propagateIDAttributeSetup(newDoc.getDocumentElement(), (Element) signedNode);
}
parentNode.replaceChild(signedNode, nodeToBeSigned);
// doc.getDocumentElement().replaceChild(signedNode, nodeToBeSigned);
return doc;
}