Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / libcore / 319a3b994703aac84df7bcde272adfcb3cdbbbf0 / . / jdk / src / share / classes / com / sun / org / apache / xml / internal / security / signature / XMLSignature.java
blob: 336d3af6b07973a861e449bc649e8d2a6ac28c70 [file] [log] [blame]
J. Duke319a3b92007-12-01 00:00:00 +0000[diff] [blame^]1/*
2 * reserved comment block
3 * DO NOT REMOVE OR ALTER!
4 */
5/*
6 * Copyright 1999-2004 The Apache Software Foundation.
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 *
20 */
21package com.sun.org.apache.xml.internal.security.signature;
22
23
24
25import java.io.IOException;
26import java.io.OutputStream;
27import java.security.Key;
28import java.security.PublicKey;
29import java.security.cert.X509Certificate;
30
31import javax.crypto.SecretKey;
32
33import com.sun.org.apache.xml.internal.security.algorithms.SignatureAlgorithm;
34import com.sun.org.apache.xml.internal.security.c14n.CanonicalizationException;
35import com.sun.org.apache.xml.internal.security.c14n.Canonicalizer;
36import com.sun.org.apache.xml.internal.security.c14n.InvalidCanonicalizerException;
37import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException;
38import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityException;
39import com.sun.org.apache.xml.internal.security.keys.KeyInfo;
40import com.sun.org.apache.xml.internal.security.keys.content.X509Data;
41import com.sun.org.apache.xml.internal.security.transforms.Transforms;
42import com.sun.org.apache.xml.internal.security.utils.Base64;
43import com.sun.org.apache.xml.internal.security.utils.Constants;
44import com.sun.org.apache.xml.internal.security.utils.I18n;
45import com.sun.org.apache.xml.internal.security.utils.IdResolver;
46import com.sun.org.apache.xml.internal.security.utils.SignatureElementProxy;
47import com.sun.org.apache.xml.internal.security.utils.SignerOutputStream;
48import com.sun.org.apache.xml.internal.security.utils.UnsyncBufferedOutputStream;
49import com.sun.org.apache.xml.internal.security.utils.XMLUtils;
50import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver;
51import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverSpi;
52import org.w3c.dom.Document;
53import org.w3c.dom.Element;
54import org.w3c.dom.Node;
55import org.w3c.dom.Text;
56
57
58/**
59 * Handles <code>&lt;ds:Signature&gt;</code> elements.
60 * This is the main class that deals with creating and verifying signatures.
61 *
62 * <p>There are 2 types of constructors for this class. The ones that take a
63 * document, baseURI and 1 or more Java Objects. This is mostly used for
64 * signing purposes.
65 * The other constructor is the one that takes a DOM Element and a BaseURI.
66 * This is used mostly with for verifying, when you have a SignatureElement.
67 *
68 * There are a few different types of methods:
69 * <ul><li>The addDocument* methods are used to add References with optional
70 * transforms during signing. </li>
71 * <li>addKeyInfo* methods are to add Certificates and Keys to the
72 * KeyInfo tags during signing. </li>
73 * <li>appendObject allows a user to add any XML Structure as an
74 * ObjectContainer during signing.</li>
75 * <li>sign and checkSignatureValue methods are used to sign and validate the
76 * signature. </li></ul>
77 *
78 * @author $Author: raul $
79 */
80public final class XMLSignature extends SignatureElementProxy {
81
82 /** {@link java.util.logging} logging facility */
83 static java.util.logging.Logger log =
84 java.util.logging.Logger.getLogger(XMLSignature.class.getName());
85
86 //J-
87 /** MAC - Required HMAC-SHA1 */
88 public static final String ALGO_ID_MAC_HMAC_SHA1 = Constants.SignatureSpecNS + "hmac-sha1";
89
90 /** Signature - Required DSAwithSHA1 (DSS) */
91 public static final String ALGO_ID_SIGNATURE_DSA = Constants.SignatureSpecNS + "dsa-sha1";
92
93 /** Signature - Recommended RSAwithSHA1 */
94 public static final String ALGO_ID_SIGNATURE_RSA = Constants.SignatureSpecNS + "rsa-sha1";
95 /** Signature - Recommended RSAwithSHA1 */
96 public static final String ALGO_ID_SIGNATURE_RSA_SHA1 = Constants.SignatureSpecNS + "rsa-sha1";
97 /** Signature - NOT Recommended RSAwithMD5 */
98 public static final String ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5 = Constants.MoreAlgorithmsSpecNS + "rsa-md5";
99 /** Signature - Optional RSAwithRIPEMD160 */
100 public static final String ALGO_ID_SIGNATURE_RSA_RIPEMD160 = Constants.MoreAlgorithmsSpecNS + "rsa-ripemd160";
101 /** Signature - Optional RSAwithSHA256 */
102 public static final String ALGO_ID_SIGNATURE_RSA_SHA256 = Constants.MoreAlgorithmsSpecNS + "rsa-sha256";
103 /** Signature - Optional RSAwithSHA384 */
104 public static final String ALGO_ID_SIGNATURE_RSA_SHA384 = Constants.MoreAlgorithmsSpecNS + "rsa-sha384";
105 /** Signature - Optional RSAwithSHA512 */
106 public static final String ALGO_ID_SIGNATURE_RSA_SHA512 = Constants.MoreAlgorithmsSpecNS + "rsa-sha512";
107
108 /** HMAC - NOT Recommended HMAC-MD5 */
109 public static final String ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5 = Constants.MoreAlgorithmsSpecNS + "hmac-md5";
110 /** HMAC - Optional HMAC-RIPEMD160 */
111 public static final String ALGO_ID_MAC_HMAC_RIPEMD160 = Constants.MoreAlgorithmsSpecNS + "hmac-ripemd160";
112 /** HMAC - Optional HMAC-SHA256 */
113 public static final String ALGO_ID_MAC_HMAC_SHA256 = Constants.MoreAlgorithmsSpecNS + "hmac-sha256";
114 /** HMAC - Optional HMAC-SHA284 */
115 public static final String ALGO_ID_MAC_HMAC_SHA384 = Constants.MoreAlgorithmsSpecNS + "hmac-sha384";
116 /** HMAC - Optional HMAC-SHA512 */
117 public static final String ALGO_ID_MAC_HMAC_SHA512 = Constants.MoreAlgorithmsSpecNS + "hmac-sha512";
118 //J+
119
120 /** ds:Signature.ds:SignedInfo element */
121 private SignedInfo _signedInfo = null;
122
123 /** ds:Signature.ds:KeyInfo */
124 private KeyInfo _keyInfo = null;
125
126 /**
127 * Checking the digests in References in a Signature are mandatory, but for
128 * References inside a Manifest it is application specific. This boolean is
129 * to indicate that the References inside Manifests should be validated.
130 */
131 private boolean _followManifestsDuringValidation = false;
132
133 /**
134 * This creates a new <CODE>ds:Signature</CODE> Element and adds an empty
135 * <CODE>ds:SignedInfo</CODE>.
136 * The <code>ds:SignedInfo</code> is initialized with the specified Signature
137 * algorithm and Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS which is REQUIRED
138 * by the spec. This method's main use is for creating a new signature.
139 *
140 * @param doc Document in which the signature will be appended after creation.
141 * @param BaseURI URI to be used as context for all relative URIs.
142 * @param SignatureMethodURI signature algorithm to use.
143 * @throws XMLSecurityException
144 */
145 public XMLSignature(Document doc, String BaseURI, String SignatureMethodURI)
146 throws XMLSecurityException {
147 this(doc, BaseURI, SignatureMethodURI, 0,
148 Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
149 }
150
151 /**
152 * Constructor XMLSignature
153 *
154 * @param doc
155 * @param BaseURI
156 * @param SignatureMethodURI the Signature method to be used.
157 * @param HMACOutputLength
158 * @throws XMLSecurityException
159 */
160 public XMLSignature(
161 Document doc, String BaseURI, String SignatureMethodURI, int HMACOutputLength)
162 throws XMLSecurityException {
163 this(doc, BaseURI, SignatureMethodURI, HMACOutputLength,
164 Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
165 }
166
167 /**
168 * Constructor XMLSignature
169 *
170 * @param doc
171 * @param BaseURI
172 * @param SignatureMethodURI the Signature method to be used.
173 * @param CanonicalizationMethodURI the canonicalization algorithm to be used to c14nize the SignedInfo element.
174 * @throws XMLSecurityException
175 */
176 public XMLSignature(
177 Document doc, String BaseURI, String SignatureMethodURI, String CanonicalizationMethodURI)
178 throws XMLSecurityException {
179 this(doc, BaseURI, SignatureMethodURI, 0, CanonicalizationMethodURI);
180 }
181
182 /**
183 * Constructor XMLSignature
184 *
185 * @param doc
186 * @param BaseURI
187 * @param SignatureMethodURI
188 * @param HMACOutputLength
189 * @param CanonicalizationMethodURI
190 * @throws XMLSecurityException
191 */
192 public XMLSignature(
193 Document doc, String BaseURI, String SignatureMethodURI, int HMACOutputLength, String CanonicalizationMethodURI)
194 throws XMLSecurityException {
195
196 super(doc);
197
198 XMLUtils.addReturnToElement(this._constructionElement);
199
200 this._baseURI = BaseURI;
201 this._signedInfo = new SignedInfo(this._doc, SignatureMethodURI,
202 HMACOutputLength,
203 CanonicalizationMethodURI);
204
205 this._constructionElement.appendChild(this._signedInfo.getElement());
206 XMLUtils.addReturnToElement(this._constructionElement);
207
208 // create an empty SignatureValue; this is filled by setSignatureValueElement
209 Element signatureValueElement =
210 XMLUtils.createElementInSignatureSpace(this._doc,
211 Constants._TAG_SIGNATUREVALUE);
212
213 this._constructionElement.appendChild(signatureValueElement);
214 XMLUtils.addReturnToElement(this._constructionElement);
215 }
216 /**
217 * Creates a XMLSignature in a Document
218 * @param doc
219 * @param BaseURI
220 * @param SignatureMethodElem
221 * @param CanonicalizationMethodElem
222 * @throws XMLSecurityException
223 */
224 public XMLSignature(
225 Document doc, String BaseURI, Element SignatureMethodElem, Element CanonicalizationMethodElem)
226 throws XMLSecurityException {
227
228 super(doc);
229
230 XMLUtils.addReturnToElement(this._constructionElement);
231
232 this._baseURI = BaseURI;
233 this._signedInfo = new SignedInfo(this._doc, SignatureMethodElem, CanonicalizationMethodElem);
234
235 this._constructionElement.appendChild(this._signedInfo.getElement());
236 XMLUtils.addReturnToElement(this._constructionElement);
237
238 // create an empty SignatureValue; this is filled by setSignatureValueElement
239 Element signatureValueElement =
240 XMLUtils.createElementInSignatureSpace(this._doc,
241 Constants._TAG_SIGNATUREVALUE);
242
243 this._constructionElement.appendChild(signatureValueElement);
244 XMLUtils.addReturnToElement(this._constructionElement);
245 }
246
247 /**
248 * This will parse the element and construct the Java Objects.
249 * That will allow a user to validate the signature.
250 *
251 * @param element ds:Signature element that contains the whole signature
252 * @param BaseURI URI to be prepended to all relative URIs
253 * @throws XMLSecurityException
254 * @throws XMLSignatureException if the signature is badly formatted
255 */
256 public XMLSignature(Element element, String BaseURI)
257 throws XMLSignatureException, XMLSecurityException {
258
259 super(element, BaseURI);
260
261 // check out SignedInfo child
262 Element signedInfoElem = XMLUtils.selectDsNode(this._constructionElement.getFirstChild(),
263 Constants._TAG_SIGNEDINFO,0);
264
265 // check to see if it is there
266 if (signedInfoElem == null) {
267 Object exArgs[] = { Constants._TAG_SIGNEDINFO,
268 Constants._TAG_SIGNATURE };
269
270 throw new XMLSignatureException("xml.WrongContent", exArgs);
271 }
272
273 // create a SignedInfo object from that element
274 this._signedInfo = new SignedInfo(signedInfoElem, BaseURI);
275
276 // check out SignatureValue child
277 Element signatureValueElement = XMLUtils.selectDsNode(this._constructionElement.getFirstChild(),
278 Constants._TAG_SIGNATUREVALUE,0);
279
280 // check to see if it exists
281 if (signatureValueElement == null) {
282 Object exArgs[] = { Constants._TAG_SIGNATUREVALUE,
283 Constants._TAG_SIGNATURE };
284
285 throw new XMLSignatureException("xml.WrongContent", exArgs);
286 }
287
288 // <element ref="ds:KeyInfo" minOccurs="0"/>
289 Element keyInfoElem =XMLUtils.selectDsNode(this._constructionElement.getFirstChild(),
290 Constants._TAG_KEYINFO,0);
291
292 // If it exists use it, but it's not mandatory
293 if (keyInfoElem != null) {
294 this._keyInfo = new KeyInfo(keyInfoElem, BaseURI);
295 }
296 }
297
298 /**
299 * Sets the <code>Id</code> attribute
300 *
301 * @param Id Id value to be used by the id attribute on the Signature Element
302 */
303 public void setId(String Id) {
304
305 if ((this._state == MODE_SIGN) && (Id != null)) {
306 this._constructionElement.setAttributeNS(null, Constants._ATT_ID, Id);
307 IdResolver.registerElementById(this._constructionElement, Id);
308 }
309 }
310
311 /**
312 * Returns the <code>Id</code> attribute
313 *
314 * @return the <code>Id</code> attribute
315 */
316 public String getId() {
317 return this._constructionElement.getAttributeNS(null, Constants._ATT_ID);
318 }
319
320 /**
321 * Returns the completely parsed <code>SignedInfo</code> object.
322 *
323 * @return the completely parsed <code>SignedInfo</code> object.
324 */
325 public SignedInfo getSignedInfo() {
326 return this._signedInfo;
327 }
328
329 /**
330 * Returns the octet value of the SignatureValue element.
331 * Throws an XMLSignatureException if it has no or wrong content.
332 *
333 * @return the value of the SignatureValue element.
334 * @throws XMLSignatureException If there is no content
335 */
336 public byte[] getSignatureValue() throws XMLSignatureException {
337
338 try {
339 Element signatureValueElem = XMLUtils.selectDsNode(this._constructionElement.getFirstChild(),
340 Constants._TAG_SIGNATUREVALUE,0);
341 byte[] signatureValue = Base64.decode(signatureValueElem);
342
343 return signatureValue;
344 } catch (Base64DecodingException ex) {
345 throw new XMLSignatureException("empty", ex);
346 }
347 }
348
349 /**
350 * Base64 encodes and sets the bytes as the content of the SignatureValue
351 * Node.
352 *
353 * @param bytes bytes to be used by SignatureValue before Base64 encoding
354 */
355 private void setSignatureValueElement(byte[] bytes)
356 {
357
358 if (this._state == MODE_SIGN) {
359 Element signatureValueElem = XMLUtils.selectDsNode(this._constructionElement.getFirstChild(),
360 Constants._TAG_SIGNATUREVALUE,0);
361 while (signatureValueElem.hasChildNodes()) {
362 signatureValueElem.removeChild(signatureValueElem.getFirstChild());
363 }
364
365 String base64codedValue = Base64.encode(bytes);
366
367 if (base64codedValue.length() > 76) {
368 base64codedValue = "\n" + base64codedValue + "\n";
369 }
370
371 Text t = this._doc.createTextNode(base64codedValue);
372
373 signatureValueElem.appendChild(t);
374 }
375 }
376
377 /**
378 * Returns the KeyInfo child. If we are in signing mode and the KeyInfo
379 * does not exist yet, it is created on demand and added to the Signature.
380 * <br>
381 * This allows to add arbitrary content to the KeyInfo during signing.
382 *
383 * @return the KeyInfo object
384 */
385 public KeyInfo getKeyInfo() {
386
387 // check to see if we are signing and if we have to create a keyinfo
388 if ((this._state == MODE_SIGN) && (this._keyInfo == null)) {
389
390 // create the KeyInfo
391 this._keyInfo = new KeyInfo(this._doc);
392
393 // get the Element from KeyInfo
394 Element keyInfoElement = this._keyInfo.getElement();
395 Element firstObject=null;
396 Node sibling= this._constructionElement.getFirstChild();
397 firstObject = XMLUtils.selectDsNode(sibling,Constants._TAG_OBJECT,0);
398
399 if (firstObject != null) {
400
401 // add it before the object
402 this._constructionElement.insertBefore(keyInfoElement,
403 firstObject);
404 this._constructionElement
405 .insertBefore(this._doc.createTextNode("\n"), firstObject);
406 } else {
407
408 // add it as the last element to the signature
409 this._constructionElement.appendChild(keyInfoElement);
410 XMLUtils.addReturnToElement(this._constructionElement);
411 }
412 }
413
414 return this._keyInfo;
415 }
416
417 /**
418 * Appends an Object (not a <code>java.lang.Object</code> but an Object
419 * element) to the Signature. Please note that this is only possible
420 * when signing.
421 *
422 * @param object ds:Object to be appended.
423 * @throws XMLSignatureException When this object is used to verify.
424 */
425 public void appendObject(ObjectContainer object)
426 throws XMLSignatureException {
427
428 try {
429 if (this._state != MODE_SIGN) {
430 throw new XMLSignatureException(
431 "signature.operationOnlyBeforeSign");
432 }
433
434 this._constructionElement.appendChild(object.getElement());
435 XMLUtils.addReturnToElement(this._constructionElement);
436 } catch (XMLSecurityException ex) {
437 throw new XMLSignatureException("empty", ex);
438 }
439 }
440
441 /**
442 * Returns the <code>i<code>th <code>ds:Object</code> child of the signature
443 * or null if no such <code>ds:Object</code> element exists.
444 *
445 * @param i
446 * @return the <code>i<code>th <code>ds:Object</code> child of the signature or null if no such <code>ds:Object</code> element exists.
447 */
448 public ObjectContainer getObjectItem(int i) {
449
450 Element objElem = XMLUtils.selectDsNode(this._constructionElement.getFirstChild(),
451 Constants._TAG_OBJECT,i);
452
453 try {
454 return new ObjectContainer(objElem, this._baseURI);
455 } catch (XMLSecurityException ex) {
456 return null;
457 }
458 }
459
460 /**
461 * Returns the number of all <code>ds:Object</code> elements.
462 *
463 * @return the number of all <code>ds:Object</code> elements.
464 */
465 public int getObjectLength() {
466 return this.length(Constants.SignatureSpecNS, Constants._TAG_OBJECT);
467 }
468
469 /**
470 * Digests all References in the SignedInfo, calculates the signature value and
471 * sets it in the SignatureValue Element.
472 *
473 * @param signingKey the {@link java.security.PrivateKey} or {@link javax.crypto.SecretKey} that is used to sign.
474 * @throws XMLSignatureException
475 */
476 public void sign(Key signingKey) throws XMLSignatureException {
477
478 if (signingKey instanceof PublicKey) {
479 throw new IllegalArgumentException(I18n
480 .translate("algorithms.operationOnlyVerification"));
481 }
482
483 try {
484 if (this._state == MODE_SIGN) {
485
486 // XMLUtils.indentSignature(this._constructionElement, " ", 0);
487 // get the SignatureMethodElement
488 Element signatureMethodElement =
489 this._signedInfo.getSignatureMethodElement();
490
491 //Create a SignatureAlgorithm object
492 SignatureAlgorithm sa =
493 new SignatureAlgorithm(signatureMethodElement,
494 this.getBaseURI());
495
496 // initialize SignatureAlgorithm for signing
497 sa.initSign(signingKey);
498
499 SignedInfo si = this.getSignedInfo();
500
501 // generate digest values for all References in this SignedInfo
502 si.generateDigestValues();
503 OutputStream so=new UnsyncBufferedOutputStream(new SignerOutputStream(sa));
504 try {
505 so.close();
506 } catch (IOException e) {
507 //Imposible
508 }
509 // get the canonicalized bytes from SignedInfo
510 si.signInOctectStream(so);
511
512 byte jcebytes[] = sa.sign();
513
514 // set them on the SignateValue element
515 this.setSignatureValueElement(jcebytes);
516 }
517 } catch (CanonicalizationException ex) {
518 throw new XMLSignatureException("empty", ex);
519 } catch (InvalidCanonicalizerException ex) {
520 throw new XMLSignatureException("empty", ex);
521 } catch (XMLSecurityException ex) {
522 throw new XMLSignatureException("empty", ex);
523 }
524 }
525
526 /**
527 * Adds a {@link ResourceResolver} to enable the retrieval of resources.
528 *
529 * @param resolver
530 */
531 public void addResourceResolver(ResourceResolver resolver) {
532 this.getSignedInfo().addResourceResolver(resolver);
533 }
534
535 /**
536 * Adds a {@link ResourceResolverSpi} to enable the retrieval of resources.
537 *
538 * @param resolver
539 */
540 public void addResourceResolver(ResourceResolverSpi resolver) {
541 this.getSignedInfo().addResourceResolver(resolver);
542 }
543
544 /**
545 * Extracts the public key from the certificate and verifies if the signature
546 * is valid by re-digesting all References, comparing those against the
547 * stored DigestValues and then checking to see if the Signatures match on
548 * the SignedInfo.
549 *
550 * @param cert Certificate that contains the public key part of the keypair that was used to sign.
551 * @return true if the signature is valid, false otherwise
552 * @throws XMLSignatureException
553 */
554 public boolean checkSignatureValue(X509Certificate cert)
555 throws XMLSignatureException {
556
557 // see if cert is null
558 if (cert != null) {
559
560 //check the values with the public key from the cert
561 return this.checkSignatureValue(cert.getPublicKey());
562 }
563
564 Object exArgs[] = { "Didn't get a certificate" };
565 throw new XMLSignatureException("empty", exArgs);
566
567 }
568
569 /**
570 * Verifies if the signature is valid by redigesting all References,
571 * comparing those against the stored DigestValues and then checking to see
572 * if the Signatures match on the SignedInfo.
573 *
574 * @param pk {@link java.security.PublicKey} part of the keypair or {@link javax.crypto.SecretKey} that was used to sign
575 * @return true if the signature is valid, false otherwise
576 * @throws XMLSignatureException
577 */
578 public boolean checkSignatureValue(Key pk) throws XMLSignatureException {
579
580 //COMMENT: pk suggests it can only be a public key?
581 //check to see if the key is not null
582 if (pk == null) {
583 Object exArgs[] = { "Didn't get a key" };
584
585 throw new XMLSignatureException("empty", exArgs);
586 }
587
588 // all references inside the signedinfo need to be dereferenced and
589 // digested again to see if the outcome matches the stored value in the
590 // SignedInfo.
591 // If _followManifestsDuringValidation is true it will do the same for
592 // References inside a Manifest.
593 try {
594 if (!this.getSignedInfo()
595 .verify(this._followManifestsDuringValidation)) {
596 return false;
597 }
598
599 //create a SignatureAlgorithms from the SignatureMethod inside
600 //SignedInfo. This is used to validate the signature.
601 SignatureAlgorithm sa =
602 new SignatureAlgorithm(this.getSignedInfo()
603 .getSignatureMethodElement(), this.getBaseURI());
604 if (true) {
605 if (log.isLoggable(java.util.logging.Level.FINE)) log.log(java.util.logging.Level.FINE, "SignatureMethodURI = " + sa.getAlgorithmURI());
606 if (log.isLoggable(java.util.logging.Level.FINE)) log.log(java.util.logging.Level.FINE, "jceSigAlgorithm = " + sa.getJCEAlgorithmString());
607 if (log.isLoggable(java.util.logging.Level.FINE)) log.log(java.util.logging.Level.FINE, "jceSigProvider = " + sa.getJCEProviderName());
608 if (log.isLoggable(java.util.logging.Level.FINE)) log.log(java.util.logging.Level.FINE, "PublicKey = " + pk);
609 }
610 sa.initVerify(pk);
611
612 // Get the canonicalized (normalized) SignedInfo
613 SignerOutputStream so=new SignerOutputStream(sa);
614 OutputStream bos=new UnsyncBufferedOutputStream(so);
615 this._signedInfo.signInOctectStream(bos);
616 try {
617 bos.close();
618 } catch (IOException e) {
619 //Imposible
620 }
621
622 //retrieve the byte[] from the stored signature
623 byte sigBytes[] = this.getSignatureValue();
624
625
626 //Have SignatureAlgorithm sign the input bytes and compare them to the
627 //bytes that were stored in the signature.
628 boolean verify = sa.verify(sigBytes);
629
630 return verify;
631 } catch (XMLSecurityException ex) {
632 throw new XMLSignatureException("empty", ex);
633 }
634 }
635
636 /**
637 * Add a Reference with full parameters to this Signature
638 *
639 * @param referenceURI URI of the resource to be signed. Can be null in which
640 * case the dereferencing is application specific. Can be "" in which it's
641 * the parent node (or parent document?). There can only be one "" in each
642 * signature.
643 * @param trans Optional list of transformations to be done before digesting
644 * @param digestURI Mandatory URI of the digesting algorithm to use.
645 * @param ReferenceId Optional id attribute for this Reference
646 * @param ReferenceType Optional mimetype for the URI
647 * @throws XMLSignatureException
648 */
649 public void addDocument(
650 String referenceURI, Transforms trans, String digestURI, String ReferenceId, String ReferenceType)
651 throws XMLSignatureException {
652 this._signedInfo.addDocument(this._baseURI, referenceURI, trans,
653 digestURI, ReferenceId, ReferenceType);
654 }
655
656 /**
657 * This method is a proxy method for the {@link Manifest#addDocument} method.
658 *
659 * @param referenceURI URI according to the XML Signature specification.
660 * @param trans List of transformations to be applied.
661 * @param digestURI URI of the digest algorithm to be used.
662 * @see Manifest#addDocument
663 * @throws XMLSignatureException
664 */
665 public void addDocument(
666 String referenceURI, Transforms trans, String digestURI)
667 throws XMLSignatureException {
668 this._signedInfo.addDocument(this._baseURI, referenceURI, trans,
669 digestURI, null, null);
670 }
671
672 /**
673 * Adds a Reference with just the URI and the transforms. This used the
674 * SHA1 algorithm as a default digest algorithm.
675 *
676 * @param referenceURI URI according to the XML Signature specification.
677 * @param trans List of transformations to be applied.
678 * @throws XMLSignatureException
679 */
680 public void addDocument(String referenceURI, Transforms trans)
681 throws XMLSignatureException {
682 this._signedInfo.addDocument(this._baseURI, referenceURI, trans,
683 Constants.ALGO_ID_DIGEST_SHA1, null, null);
684 }
685
686 /**
687 * Add a Reference with just this URI. It uses SHA1 by default as the digest
688 * algorithm
689 *
690 * @param referenceURI URI according to the XML Signature specification.
691 * @throws XMLSignatureException
692 */
693 public void addDocument(String referenceURI) throws XMLSignatureException {
694 this._signedInfo.addDocument(this._baseURI, referenceURI, null,
695 Constants.ALGO_ID_DIGEST_SHA1, null, null);
696 }
697
698 /**
699 * Add an X509 Certificate to the KeyInfo. This will include the whole cert
700 * inside X509Data/X509Certificate tags.
701 *
702 * @param cert Certificate to be included. This should be the certificate of the key that was used to sign.
703 * @throws XMLSecurityException
704 */
705 public void addKeyInfo(X509Certificate cert) throws XMLSecurityException {
706
707 X509Data x509data = new X509Data(this._doc);
708
709 x509data.addCertificate(cert);
710 this.getKeyInfo().add(x509data);
711 }
712
713 /**
714 * Add this public key to the KeyInfo. This will include the complete key in
715 * the KeyInfo structure.
716 *
717 * @param pk
718 */
719 public void addKeyInfo(PublicKey pk) {
720 this.getKeyInfo().add(pk);
721 }
722
723 /**
724 * Proxy method for {@link SignedInfo#createSecretKey(byte[])}. If you want to
725 * create a MAC, this method helps you to obtain the {@link javax.crypto.SecretKey}
726 * from octets.
727 *
728 * @param secretKeyBytes
729 * @return the secret key created.
730 * @see SignedInfo#createSecretKey(byte[])
731 */
732 public SecretKey createSecretKey(byte[] secretKeyBytes)
733 {
734 return this.getSignedInfo().createSecretKey(secretKeyBytes);
735 }
736
737 /**
738 * Signal wether Manifest should be automatically validated.
739 * Checking the digests in References in a Signature are mandatory, but for
740 * References inside a Manifest it is application specific. This boolean is
741 * to indicate that the References inside Manifests should be validated.
742 *
743 * @param followManifests
744 * @see <a href="http://www.w3.org/TR/xmldsig-core/#sec-CoreValidation">Core validation section in the XML Signature Rec.</a>
745 */
746 public void setFollowNestedManifests(boolean followManifests) {
747 this._followManifestsDuringValidation = followManifests;
748 }
749
750 /**
751 * Get the local name of this element
752 *
753 * @return Constant._TAG_SIGNATURE
754 */
755 public String getBaseLocalName() {
756 return Constants._TAG_SIGNATURE;
757 }
758}