List of usage examples for javax.xml.crypto.dsig Reference getType
String getType();
From source file:be.fedict.eid.dss.spi.utils.XAdESUtils.java
@SuppressWarnings("unchecked") public static String findReferenceUri(XMLSignature xmlSignature, String type) { SignedInfo signedInfo = xmlSignature.getSignedInfo(); List<Reference> references = signedInfo.getReferences(); for (Reference reference : references) { if (type.equals(reference.getType())) { return reference.getURI(); }/*from w w w.j a v a 2 s . c om*/ } return null; }
From source file:be.fedict.eid.dss.document.xml.XMLDSSDocumentService.java
private void verifyCoSignatureReference(XMLSignature xmlSignature, Document originalDomDocument) throws XMLSecurityException, TransformationException, XMLSignatureException, ReferenceNotInitializedException, Base64DecodingException { SignedInfo signedInfo = xmlSignature.getSignedInfo(); @SuppressWarnings("unchecked") List<Reference> references = signedInfo.getReferences(); for (Reference reference : references) { LOG.debug("reference type: " + reference.getType()); if (null != reference.getType()) { /*//w ww . j a v a2s . com * We skip XAdES and eID identity ds:Reference. */ continue; } String digestAlgo = reference.getDigestMethod().getAlgorithm(); LOG.debug("ds:Reference digest algo: " + digestAlgo); byte[] digestValue = reference.getDigestValue(); // xmlsec 1.5 changed the constructor org.apache.xml.security.signature.XMLSignature xmldsig = new org.apache.xml.security.signature.XMLSignature( originalDomDocument, "", org.apache.xml.security.signature.XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA512, Canonicalizer.ALGO_ID_C14N_EXCL_WITH_COMMENTS); Transforms transforms = new Transforms(originalDomDocument); // XPath v1 - slow // XPathContainer xpath = new XPathContainer(originalDomDocument); // xpath.setXPathNamespaceContext("ds", Constants.SignatureSpecNS); // xpath.setXPath("not(ancestor-or-self::ds:Signature)"); // transforms.addTransform(Transforms.TRANSFORM_XPATH, // xpath.getElementPlusReturns()); // XPath v2 - fast XPath2FilterContainer xpath = XPath2FilterContainer.newInstanceSubtract(originalDomDocument, "/descendant::*[name()='ds:Signature']"); xpath.setXPathNamespaceContext("ds", Constants.SignatureSpecNS); transforms.addTransform(Transforms.TRANSFORM_XPATH2FILTER, xpath.getElementPlusReturns()); transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS); xmldsig.addDocument("", transforms, digestAlgo); org.apache.xml.security.signature.SignedInfo apacheSignedInfo = xmldsig.getSignedInfo(); org.apache.xml.security.signature.Reference apacheReference = apacheSignedInfo.item(0); apacheReference.generateDigestValue(); byte[] originalDigestValue = apacheReference.getDigestValue(); if (false == Arrays.equals(originalDigestValue, digestValue)) { throw new RuntimeException("not original document"); } LOG.debug("co-signature ds:Reference checked"); } }
From source file:eu.europa.ec.markt.dss.validation.xades.XAdESSignature.java
@Override public List<AdvancedSignature> getCounterSignatures() { // see ETSI TS 101 903 V1.4.2 (2010-12) pp. 38/39/40 try {/*w w w . j a v a2 s .c o m*/ NodeList counterSigs = XMLUtils.getNodeList(signatureElement, "./ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties" + "/xades:CounterSignature"); if (counterSigs == null) { return null; } List<AdvancedSignature> xadesList = new ArrayList<AdvancedSignature>(); for (int i = 0; i < counterSigs.getLength(); i++) { Element counterSigEl = (Element) counterSigs.item(i); Element signatureEl = XMLUtils.getElement(counterSigEl, "./ds:Signature"); // Verify that the element is a proper signature by trying to build a XAdESSignature out of it XAdESSignature xCounterSig = new XAdESSignature(signatureEl); // Verify that there is a ds:Reference element with a Type set to: http://uri.etsi.org/01903#CountersignedSignature // (as per the XAdES spec) XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM"); XMLSignature signature = factory.unmarshalXMLSignature(new DOMStructure(signatureEl)); LOG.info("Verifying countersignature References"); for (Object refobj : signature.getSignedInfo().getReferences()) { Reference ref = (Reference) refobj; if (ref.getType() != null && ref.getType().equals("http://uri.etsi.org/01903#CountersignedSignature")) { // Ok, this seems to be a countersignature // Verify that the digest is that of the signature value if (ref.validate(new DOMValidateContext(xCounterSig.getSigningCertificate().getPublicKey(), XMLUtils.getElement(signatureElement, "./ds:SignatureValue")))) { LOG.info("Reference verification succeeded, adding countersignature"); xadesList.add(xCounterSig); } else { LOG.warning( "Skipping countersignature because the Reference doesn't contain a hash of the embedding SignatureValue"); } break; } } } return xadesList; } catch (XPathExpressionException e) { throw new EncodingException(MSG.COUNTERSIGNATURE_ENCODING); } catch (MarshalException e) { throw new EncodingException(MSG.COUNTERSIGNATURE_ENCODING); } catch (XMLSignatureException e) { throw new EncodingException(MSG.COUNTERSIGNATURE_ENCODING); } }
From source file:be.fedict.eid.dss.document.zip.ZIPDSSDocumentService.java
@Override public List<SignatureInfo> verifySignatures(byte[] document, byte[] originalDocument) throws Exception { ZipInputStream zipInputStream = new ZipInputStream(new ByteArrayInputStream(document)); ZipEntry zipEntry;/*from w ww .j a va 2 s . c o m*/ while (null != (zipEntry = zipInputStream.getNextEntry())) { if (ODFUtil.isSignatureFile(zipEntry)) { break; } } List<SignatureInfo> signatureInfos = new LinkedList<SignatureInfo>(); if (null == zipEntry) { return signatureInfos; } XAdESValidation xadesValidation = new XAdESValidation(this.documentContext); Document documentSignaturesDocument = ODFUtil.loadDocument(zipInputStream); NodeList signatureNodeList = documentSignaturesDocument.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature"); for (int idx = 0; idx < signatureNodeList.getLength(); idx++) { Element signatureElement = (Element) signatureNodeList.item(idx); xadesValidation.prepareDocument(signatureElement); KeyInfoKeySelector keySelector = new KeyInfoKeySelector(); DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, signatureElement); ZIPURIDereferencer dereferencer = new ZIPURIDereferencer(document); domValidateContext.setURIDereferencer(dereferencer); XMLSignatureFactory xmlSignatureFactory = XMLSignatureFactory.getInstance(); XMLSignature xmlSignature = xmlSignatureFactory.unmarshalXMLSignature(domValidateContext); boolean valid = xmlSignature.validate(domValidateContext); if (!valid) { continue; } // check whether all files have been signed properly SignedInfo signedInfo = xmlSignature.getSignedInfo(); @SuppressWarnings("unchecked") List<Reference> references = signedInfo.getReferences(); Set<String> referenceUris = new HashSet<String>(); for (Reference reference : references) { String referenceUri = reference.getURI(); referenceUris.add(URLDecoder.decode(referenceUri, "UTF-8")); } zipInputStream = new ZipInputStream(new ByteArrayInputStream(document)); while (null != (zipEntry = zipInputStream.getNextEntry())) { if (ODFUtil.isSignatureFile(zipEntry)) { continue; } if (!referenceUris.contains(zipEntry.getName())) { LOG.warn("no ds:Reference for ZIP entry: " + zipEntry.getName()); return signatureInfos; } } if (null != originalDocument) { for (Reference reference : references) { if (null != reference.getType()) { /* * We skip XAdES and eID identity ds:Reference. */ continue; } String digestAlgo = reference.getDigestMethod().getAlgorithm(); LOG.debug("ds:Reference digest algo: " + digestAlgo); String referenceUri = reference.getURI(); LOG.debug("ds:Reference URI: " + referenceUri); byte[] digestValue = reference.getDigestValue(); org.apache.xml.security.signature.XMLSignature xmldsig = new org.apache.xml.security.signature.XMLSignature( documentSignaturesDocument, "", org.apache.xml.security.signature.XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA512, Canonicalizer.ALGO_ID_C14N_EXCL_WITH_COMMENTS); xmldsig.addDocument(referenceUri, null, digestAlgo); ResourceResolverSpi zipResourceResolver = new ZIPResourceResolver(originalDocument); xmldsig.addResourceResolver(zipResourceResolver); org.apache.xml.security.signature.SignedInfo apacheSignedInfo = xmldsig.getSignedInfo(); org.apache.xml.security.signature.Reference apacheReference = apacheSignedInfo.item(0); apacheReference.generateDigestValue(); byte[] originalDigestValue = apacheReference.getDigestValue(); if (!Arrays.equals(originalDigestValue, digestValue)) { throw new RuntimeException("not original document"); } } /* * So we already checked whether no files were changed, and that * no files were added compared to the original document. Still * have to check whether no files were removed. */ ZipInputStream originalZipInputStream = new ZipInputStream( new ByteArrayInputStream(originalDocument)); ZipEntry originalZipEntry; Set<String> referencedEntryNames = new HashSet<String>(); for (Reference reference : references) { if (null != reference.getType()) { continue; } referencedEntryNames.add(reference.getURI()); } while (null != (originalZipEntry = originalZipInputStream.getNextEntry())) { if (ODFUtil.isSignatureFile(originalZipEntry)) { continue; } if (!referencedEntryNames.contains(originalZipEntry.getName())) { LOG.warn("missing ds:Reference for ZIP entry: " + originalZipEntry.getName()); throw new RuntimeException( "missing ds:Reference for ZIP entry: " + originalZipEntry.getName()); } } } X509Certificate signer = keySelector.getCertificate(); SignatureInfo signatureInfo = xadesValidation.validate(documentSignaturesDocument, xmlSignature, signatureElement, signer); signatureInfos.add(signatureInfo); } return signatureInfos; }
From source file:eu.europa.ec.markt.dss.validation102853.xades.XAdESSignature.java
@Override public List<AdvancedSignature> getCounterSignatures() { // see ETSI TS 101 903 V1.4.2 (2010-12) pp. 38/39/40 try {//from w w w . j a va 2 s. co m NodeList counterSigs = DSSXMLUtils.getNodeList(signatureElement, XPATH_COUNTER_SIGNATURE); if (counterSigs == null) { return null; } List<AdvancedSignature> xadesList = new ArrayList<AdvancedSignature>(); for (int i = 0; i < counterSigs.getLength(); i++) { Element counterSigEl = (Element) counterSigs.item(i); Element signatureEl = DSSXMLUtils.getElement(counterSigEl, XPATH_SIGNATURE); // Verify that the element is a proper signature by trying to build a XAdESSignature out of it XAdESSignature xCounterSig = new XAdESSignature(signatureEl, certPool); /* * Verify that there is a ds:Reference element with a Type set to: * http://uri.etsi.org/01903#CountersignedSignature (as per the XAdES spec) */ XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM"); javax.xml.crypto.dsig.XMLSignature signature = factory .unmarshalXMLSignature(new DOMStructure(signatureEl)); LOG.info("Verifying countersignature References"); for (Object refobj : signature.getSignedInfo().getReferences()) { Reference ref = (Reference) refobj; if (ref.getType() != null && ref.getType().equals(XADES_COUNTERSIGNED_SIGNATURE)) { // Ok, this seems to be a CounterSignature // Verify that the digest is that of the signature value CertificateToken certToken = xCounterSig.getSigningCertificate().getCertToken(); PublicKey publicKey = certToken.getCertificate().getPublicKey(); if (ref.validate(new DOMValidateContext(publicKey, DSSXMLUtils.getElement(signatureElement, XPATH_SIGNATURE_VALUE)))) { LOG.info("Reference verification succeeded, adding countersignature"); xadesList.add(xCounterSig); } else { LOG.warning( "Skipping countersignature because the Reference doesn't contain a hash of the embedding SignatureValue"); } break; } } } return xadesList; } catch (MarshalException e) { throw new EncodingException(MSG.COUNTERSIGNATURE_ENCODING, e); } catch (XMLSignatureException e) { throw new EncodingException(MSG.COUNTERSIGNATURE_ENCODING, e); } }
From source file:org.apache.jcp.xml.dsig.internal.dom.DOMReference.java
@Override public boolean equals(Object o) { if (this == o) { return true; }/*www . ja v a 2 s . c o m*/ if (!(o instanceof Reference)) { return false; } Reference oref = (Reference) o; boolean idsEqual = (id == null ? oref.getId() == null : id.equals(oref.getId())); boolean urisEqual = (uri == null ? oref.getURI() == null : uri.equals(oref.getURI())); boolean typesEqual = (type == null ? oref.getType() == null : type.equals(oref.getType())); boolean digestValuesEqual = Arrays.equals(digestValue, oref.getDigestValue()); return digestMethod.equals(oref.getDigestMethod()) && idsEqual && urisEqual && typesEqual && allTransforms.equals(oref.getTransforms()) && digestValuesEqual; }
From source file:org.apache.juddi.v3.client.cryptor.DigSigUtil.java
private boolean verifySignature(Element element, PublicKey validatingKey, AtomicReference<String> OutReadableErrorMessage) { if (OutReadableErrorMessage == null) { OutReadableErrorMessage = new AtomicReference<String>(); }/* w w w . j a va 2 s .c om*/ XMLSignatureFactory fac = initXMLSigFactory(); NodeList nl = element.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature"); if (nl.getLength() == 0) { throw new RuntimeException("Cannot find Signature element"); } DOMValidateContext valContext = new DOMValidateContext(validatingKey, nl.item(0)); try { valContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); XMLSignature signature = fac.unmarshalXMLSignature(valContext); boolean coreValidity = signature.validate(valContext); // Check core validation status. if (coreValidity == false) { logger.warn("Signature failed core validation"); boolean sv = signature.getSignatureValue().validate(valContext); logger.debug("signature validation status: " + sv); OutReadableErrorMessage .set("signature validation failed: " + sv + "." + OutReadableErrorMessage.get()); // Check the validation status of each Reference. @SuppressWarnings("unchecked") Iterator<Reference> i = signature.getSignedInfo().getReferences().iterator(); //System.out.println("---------------------------------------------"); for (int j = 0; i.hasNext(); j++) { Reference ref = (Reference) i.next(); boolean refValid = ref.validate(valContext); logger.debug(j); logger.debug("ref[" + j + "] validity status: " + refValid); if (!refValid) { OutReadableErrorMessage .set("signature reference " + j + " invalid. " + OutReadableErrorMessage.get()); } logger.debug("Ref type: " + ref.getType() + ", URI: " + ref.getURI()); for (Object xform : ref.getTransforms()) { logger.debug("Transform: " + xform); } String calcDigValStr = digestToString(ref.getCalculatedDigestValue()); String expectedDigValStr = digestToString(ref.getDigestValue()); logger.warn(" Calc Digest: " + calcDigValStr); logger.warn("Expected Digest: " + expectedDigValStr); if (!calcDigValStr.equalsIgnoreCase(expectedDigValStr)) { OutReadableErrorMessage.set( "digest mismatch for signature ref " + j + "." + OutReadableErrorMessage.get()); } } } else { logger.info("Signature passed core validation"); } return coreValidity; } catch (Exception e) { OutReadableErrorMessage .set("signature validation failed: " + e.getMessage() + OutReadableErrorMessage.get()); logger.fatal(e); return false; } }