net.shibboleth.metadata.dom

Class XMLSignatureValidator

java.lang.Object

net.shibboleth.metadata.dom.XMLSignatureValidator

final class XMLSignatureValidator
extends Object

A class that encapsulates the various stages in validation of XML signatures as methods. Failures, and the reason for the failure, are represented by exceptions. This code largely derives from XmlSecTool V1.2, with the abrupt program termination method of reporting issues replaced by throwing an exception. The intention is that this code might be reintegrated with XmlSecTool in a later release.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	XMLSignatureValidator.ValidationException Exception class representing a failure to validate.

Field Summary

Fields

Modifier and Type	Field and Description
private Set<String>	blacklistedDigests Set of blacklisted digest algorithms.
private Set<String>	blacklistedSignatureMethods Set of blacklisted signature methods.
private boolean	emptyReferencePermitted Whether an empty reference is permitted.
private Logger	log Class logger.
private PublicKey	verificationKey Public key used to verify signatures.

Constructor Summary

Constructors

Constructor and Description
XMLSignatureValidator(PublicKey key, Set<String> blacklistDigests, Set<String> blacklistSignatureMethods, boolean emptyRefPermitted) Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
private Reference	extractReference(XMLSignature signature) Extract the reference within the provided XML signature while ensuring that there is only one such reference, and that (if appropriate) it is not empty.
Element	getSignatureElement(Element docElement) Gets the signature element from the document.
private void	markIdAttribute(Element docElement, Reference reference) Reconcile the given reference with the document element, by making sure that the appropriate attribute is marked as an ID attribute.
private void	validateSignatureReference(Element docElement, Reference ref) Validates the reference within the XML signature by performing the following checks.
private void	validateSignatureReferenceUri(Element expectedSignedNode, Reference reference) Validates that the element resolved by the signature validation layer is the same as the element resolved by the DOM layer.
private void	validateSignatureTransforms(Reference reference) Validate the transforms included in the Signature Reference.
void	verifySignature(Element docElement, Element signatureElement) Verifies that the signature on a document is valid.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

private final Logger log

Class logger.

verificationKey

private final PublicKey verificationKey

Public key used to verify signatures.

blacklistedDigests

private final Set<String> blacklistedDigests

Set of blacklisted digest algorithms.

blacklistedSignatureMethods

private final Set<String> blacklistedSignatureMethods

Set of blacklisted signature methods.

emptyReferencePermitted

private final boolean emptyReferencePermitted

Whether an empty reference is permitted.

Constructor Detail

XMLSignatureValidator

XMLSignatureValidator(@Nonnull
                     PublicKey key,
                     @Nullable
                     Set<String> blacklistDigests,
                     @Nullable
                     Set<String> blacklistSignatureMethods,
                     boolean emptyRefPermitted)

Constructor.

Parameters:

key - public key with which to verify signatures

blacklistDigests - set of blacklisted digest algorithm URIs, or null

blacklistSignatureMethods - set of blacklisted signature method URIs, or null

emptyRefPermitted - true if empty references are permitted

Method Detail

markIdAttribute

private void markIdAttribute(@Nonnull
                   Element docElement,
                   @Nonnull
                   Reference reference)
                      throws XMLSignatureValidator.ValidationException

Reconcile the given reference with the document element, by making sure that the appropriate attribute is marked as an ID attribute.

Parameters:

docElement - document element whose appropriate attribute should be marked

reference - reference which references the document element

Throws:

XMLSignatureValidator.ValidationException - if the reference is neither empty nor to a fragment

verifySignature

public void verifySignature(@Nonnull
                   Element docElement,
                   @Nonnull
                   Element signatureElement)
                     throws XMLSignatureValidator.ValidationException

Verifies that the signature on a document is valid.

Parameters:

docElement - document element whose signature will be validated

signatureElement - element containing the signature to be validated

Throws:

XMLSignatureValidator.ValidationException - if any of a number of invalid conditions are detected

extractReference

private Reference extractReference(@Nonnull
                         XMLSignature signature)
                            throws XMLSignatureValidator.ValidationException

Extract the reference within the provided XML signature while ensuring that there is only one such reference, and that (if appropriate) it is not empty.

Parameters:

signature - signature to extract the reference from

Returns:

the extracted reference

Throws:

XMLSignatureValidator.ValidationException - if a reference could not be extracted

validateSignatureReference

private void validateSignatureReference(@Nonnull
                              Element docElement,
                              @Nonnull
                              Reference ref)
                                 throws XMLSignatureValidator.ValidationException

Validates the reference within the XML signature by performing the following checks.

• check that the XML signature layer resolves that reference to the same element as the DOM layer does
• check that only enveloped and, optionally, exclusive canonicalization transforms are used

Parameters:

docElement - document element

ref - reference to be verified

Throws:

XMLSignatureValidator.ValidationException - if any of the checks fail

validateSignatureReferenceUri

private void validateSignatureReferenceUri(@Nonnull
                                 Element expectedSignedNode,
                                 @Nonnull
                                 Reference reference)
                                    throws XMLSignatureValidator.ValidationException

Validates that the element resolved by the signature validation layer is the same as the element resolved by the DOM layer.

Parameters:

expectedSignedNode - the node expected as the result of the reference

reference - the reference to be validated

Throws:

XMLSignatureValidator.ValidationException - if validation fails

validateSignatureTransforms

private void validateSignatureTransforms(@Nonnull
                               Reference reference)
                                  throws XMLSignatureValidator.ValidationException

Validate the transforms included in the Signature Reference. The Reference may contain at most 2 transforms. One of them must be the Enveloped signature transform. An Exclusive Canonicalization transform (with or without comments) may also be present. No other transforms are allowed.

Parameters:

reference - the Signature reference containing the transforms to evaluate

Throws:

XMLSignatureValidator.ValidationException - if the transforms are incorrect

getSignatureElement

@Nullable
public Element getSignatureElement(@Nonnull
                                   Element docElement)
                            throws XMLSignatureValidator.ValidationException

Gets the signature element from the document. The signature must be a child of the document root.

Parameters:

docElement - document element from which to pull the signature

Returns:

the signature element, or null

Throws:

XMLSignatureValidator.ValidationException - if more than one signature element is present