org.apache.xml.security.signature
Class XMLSignature

java.lang.Object
  org.apache.xml.security.utils.ElementProxy
      org.apache.xml.security.utils.SignatureElementProxy
          org.apache.xml.security.signature.XMLSignature

public final class XMLSignature

extends SignatureElementProxy

Handles <ds:Signature> elements. This is the main class that deals with creating and verifying signatures.

There are 2 types of constructors for this class. The ones that take a document, baseURI and 1 or more Java Objects. This is mostly used for signing purposes. The other constructor is the one that takes a DOM Element and a BaseURI. This is used mostly with for verifying, when you have a SignatureElement. There are a few different types of methods:

• The addDocument* methods are used to add References with optional transforms during signing.
• addKeyInfo* methods are to add Certificates and Keys to the KeyInfo tags during signing.
• appendObject allows a user to add any XML Structure as an ObjectContainer during signing.
• sign and checkSignatureValue methods are used to sign and validate the signature.

Author:

$Author: mullan $

Field Summary

static java.lang.String	ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5 HMAC - NOT Recommended HMAC-MD5
static java.lang.String	ALGO_ID_MAC_HMAC_RIPEMD160 HMAC - Optional HMAC-RIPEMD160
static java.lang.String	ALGO_ID_MAC_HMAC_SHA1 MAC - Required HMAC-SHA1
static java.lang.String	ALGO_ID_MAC_HMAC_SHA256 HMAC - Optional HMAC-SHA256
static java.lang.String	ALGO_ID_MAC_HMAC_SHA384 HMAC - Optional HMAC-SHA284
static java.lang.String	ALGO_ID_MAC_HMAC_SHA512 HMAC - Optional HMAC-SHA512
static java.lang.String	ALGO_ID_SIGNATURE_DSA Signature - Required DSAwithSHA1 (DSS)
static java.lang.String	ALGO_ID_SIGNATURE_ECDSA_SHA1 Signature - Optional ECDSAwithSHA1
static java.lang.String	ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5 Signature - NOT Recommended RSAwithMD5
static java.lang.String	ALGO_ID_SIGNATURE_RSA Signature - Recommended RSAwithSHA1
static java.lang.String	ALGO_ID_SIGNATURE_RSA_RIPEMD160 Signature - Optional RSAwithRIPEMD160
static java.lang.String	ALGO_ID_SIGNATURE_RSA_SHA1 Signature - Recommended RSAwithSHA1
static java.lang.String	ALGO_ID_SIGNATURE_RSA_SHA256 Signature - Optional RSAwithSHA256
static java.lang.String	ALGO_ID_SIGNATURE_RSA_SHA384 Signature - Optional RSAwithSHA384
static java.lang.String	ALGO_ID_SIGNATURE_RSA_SHA512 Signature - Optional RSAwithSHA512

Fields inherited from class org.apache.xml.security.utils.ElementProxy

_baseURI, _constructionElement, _doc

Constructor Summary

XMLSignature(org.w3c.dom.Document doc, java.lang.String BaseURI, org.w3c.dom.Element SignatureMethodElem, org.w3c.dom.Element CanonicalizationMethodElem)
Creates a XMLSignature in a Document

XMLSignature(org.w3c.dom.Document doc, java.lang.String BaseURI, java.lang.String SignatureMethodURI)
This creates a new ds:Signature Element and adds an empty ds:SignedInfo.

XMLSignature(org.w3c.dom.Document doc, java.lang.String BaseURI, java.lang.String SignatureMethodURI, int HMACOutputLength)
Constructor XMLSignature

XMLSignature(org.w3c.dom.Document doc, java.lang.String BaseURI, java.lang.String SignatureMethodURI, int HMACOutputLength, java.lang.String CanonicalizationMethodURI)
Constructor XMLSignature

XMLSignature(org.w3c.dom.Document doc, java.lang.String BaseURI, java.lang.String SignatureMethodURI, java.lang.String CanonicalizationMethodURI)
Constructor XMLSignature

XMLSignature(org.w3c.dom.Element element, java.lang.String BaseURI)
This will parse the element and construct the Java Objects.

Method Summary

void	addDocument(java.lang.String referenceURI) Add a Reference with just this URI.
void	addDocument(java.lang.String referenceURI, Transforms trans) Adds a Reference with just the URI and the transforms.
void	addDocument(java.lang.String referenceURI, Transforms trans, java.lang.String digestURI) This method is a proxy method for the Manifest.addDocument(java.lang.String, java.lang.String, org.apache.xml.security.transforms.Transforms, java.lang.String, java.lang.String, java.lang.String) method.
void	addDocument(java.lang.String referenceURI, Transforms trans, java.lang.String digestURI, java.lang.String ReferenceId, java.lang.String ReferenceType) Add a Reference with full parameters to this Signature
void	addKeyInfo(java.security.PublicKey pk) Add this public key to the KeyInfo.
void	addKeyInfo(java.security.cert.X509Certificate cert) Add an X509 Certificate to the KeyInfo.
void	addResourceResolver(ResourceResolver resolver) Adds a ResourceResolver to enable the retrieval of resources.
void	addResourceResolver(ResourceResolverSpi resolver) Adds a ResourceResolverSpi to enable the retrieval of resources.
void	appendObject(ObjectContainer object) Appends an Object (not a java.lang.Object but an Object element) to the Signature.
boolean	checkSignatureValue(java.security.Key pk) Verifies if the signature is valid by redigesting all References, comparing those against the stored DigestValues and then checking to see if the Signatures match on the SignedInfo.
boolean	checkSignatureValue(java.security.cert.X509Certificate cert) Extracts the public key from the certificate and verifies if the signature is valid by re-digesting all References, comparing those against the stored DigestValues and then checking to see if the Signatures match on the SignedInfo.
javax.crypto.SecretKey	createSecretKey(byte[] secretKeyBytes) Proxy method for SignedInfo.createSecretKey(byte[]).
java.lang.String	getBaseLocalName() Get the local name of this element
java.lang.String	getId() Returns the Id attribute
KeyInfo	getKeyInfo() Returns the KeyInfo child.
ObjectContainer	getObjectItem(int i) Returns the ith ds:Object child of the signature or null if no such ds:Object element exists.
int	getObjectLength() Returns the number of all ds:Object elements.
byte[]	getSignatureValue() Returns the octet value of the SignatureValue element.
SignedInfo	getSignedInfo() Returns the completely parsed SignedInfo object.
void	setFollowNestedManifests(boolean followManifests) Signal wether Manifest should be automatically validated.
void	setId(java.lang.String id) Sets the Id attribute
void	sign(java.security.Key signingKey) Digests all References in the SignedInfo, calculates the signature value and sets it in the SignatureValue Element.

Methods inherited from class org.apache.xml.security.utils.SignatureElementProxy

getBaseNamespace

Methods inherited from class org.apache.xml.security.utils.ElementProxy

addBase64Element, addBase64Text, addBigIntegerElement, addText, addTextElement, createElementForFamily, createElementForFamilyLocal, getBaseURI, getBigIntegerFromChildElement, getBytesFromChildElement, getBytesFromTextChild, getDefaultPrefix, getDefaultPrefixBindings, getDocument, getElement, getElementPlusReturns, getTextFromChildElement, getTextFromTextChild, length, setDefaultPrefix, setElement, setXPathNamespaceContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ALGO_ID_MAC_HMAC_SHA1

public static final java.lang.String ALGO_ID_MAC_HMAC_SHA1

MAC - Required HMAC-SHA1

See Also:

Constant Field Values

ALGO_ID_SIGNATURE_DSA

public static final java.lang.String ALGO_ID_SIGNATURE_DSA

Signature - Required DSAwithSHA1 (DSS)

See Also:

Constant Field Values

ALGO_ID_SIGNATURE_RSA

public static final java.lang.String ALGO_ID_SIGNATURE_RSA

Signature - Recommended RSAwithSHA1

See Also:

Constant Field Values

ALGO_ID_SIGNATURE_RSA_SHA1

public static final java.lang.String ALGO_ID_SIGNATURE_RSA_SHA1

Signature - Recommended RSAwithSHA1

See Also:

Constant Field Values

ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5

public static final java.lang.String ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5

Signature - NOT Recommended RSAwithMD5

See Also:

Constant Field Values

ALGO_ID_SIGNATURE_RSA_RIPEMD160

public static final java.lang.String ALGO_ID_SIGNATURE_RSA_RIPEMD160

Signature - Optional RSAwithRIPEMD160

See Also:

Constant Field Values

ALGO_ID_SIGNATURE_RSA_SHA256

public static final java.lang.String ALGO_ID_SIGNATURE_RSA_SHA256

Signature - Optional RSAwithSHA256

See Also:

Constant Field Values

ALGO_ID_SIGNATURE_RSA_SHA384

public static final java.lang.String ALGO_ID_SIGNATURE_RSA_SHA384

Signature - Optional RSAwithSHA384

See Also:

Constant Field Values

ALGO_ID_SIGNATURE_RSA_SHA512

public static final java.lang.String ALGO_ID_SIGNATURE_RSA_SHA512

Signature - Optional RSAwithSHA512

See Also:

Constant Field Values

ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5

public static final java.lang.String ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5

HMAC - NOT Recommended HMAC-MD5

See Also:

Constant Field Values

ALGO_ID_MAC_HMAC_RIPEMD160

public static final java.lang.String ALGO_ID_MAC_HMAC_RIPEMD160

HMAC - Optional HMAC-RIPEMD160

See Also:

Constant Field Values

ALGO_ID_MAC_HMAC_SHA256

public static final java.lang.String ALGO_ID_MAC_HMAC_SHA256

HMAC - Optional HMAC-SHA256

See Also:

Constant Field Values

ALGO_ID_MAC_HMAC_SHA384

public static final java.lang.String ALGO_ID_MAC_HMAC_SHA384

HMAC - Optional HMAC-SHA284

See Also:

Constant Field Values

ALGO_ID_MAC_HMAC_SHA512

public static final java.lang.String ALGO_ID_MAC_HMAC_SHA512

HMAC - Optional HMAC-SHA512

See Also:

Constant Field Values

ALGO_ID_SIGNATURE_ECDSA_SHA1

public static final java.lang.String ALGO_ID_SIGNATURE_ECDSA_SHA1

Signature - Optional ECDSAwithSHA1

See Also:

Constant Field Values

Constructor Detail

XMLSignature

public XMLSignature(org.w3c.dom.Document doc,
                    java.lang.String BaseURI,
                    java.lang.String SignatureMethodURI)
             throws XMLSecurityException

This creates a new ds:Signature Element and adds an empty ds:SignedInfo. The ds:SignedInfo is initialized with the specified Signature algorithm and Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS which is REQUIRED by the spec. This method's main use is for creating a new signature.

Parameters:

doc - Document in which the signature will be appended after creation.

BaseURI - URI to be used as context for all relative URIs.

SignatureMethodURI - signature algorithm to use.

Throws:

XMLSecurityException

XMLSignature

public XMLSignature(org.w3c.dom.Document doc,
                    java.lang.String BaseURI,
                    java.lang.String SignatureMethodURI,
                    int HMACOutputLength)
             throws XMLSecurityException

Constructor XMLSignature

Parameters:

doc -

BaseURI -

SignatureMethodURI - the Signature method to be used.

HMACOutputLength -

Throws:

XMLSecurityException

XMLSignature

public XMLSignature(org.w3c.dom.Document doc,
                    java.lang.String BaseURI,
                    java.lang.String SignatureMethodURI,
                    java.lang.String CanonicalizationMethodURI)
             throws XMLSecurityException

Constructor XMLSignature

Parameters:

doc -

BaseURI -

SignatureMethodURI - the Signature method to be used.

CanonicalizationMethodURI - the canonicalization algorithm to be used to c14nize the SignedInfo element.

Throws:

XMLSecurityException

XMLSignature

public XMLSignature(org.w3c.dom.Document doc,
                    java.lang.String BaseURI,
                    java.lang.String SignatureMethodURI,
                    int HMACOutputLength,
                    java.lang.String CanonicalizationMethodURI)
             throws XMLSecurityException

Constructor XMLSignature

Parameters:

doc -

BaseURI -

SignatureMethodURI -

HMACOutputLength -

CanonicalizationMethodURI -

Throws:

XMLSecurityException

XMLSignature

public XMLSignature(org.w3c.dom.Document doc,
                    java.lang.String BaseURI,
                    org.w3c.dom.Element SignatureMethodElem,
                    org.w3c.dom.Element CanonicalizationMethodElem)
             throws XMLSecurityException

Creates a XMLSignature in a Document

Parameters:

doc -

BaseURI -

SignatureMethodElem -

CanonicalizationMethodElem -

Throws:

XMLSecurityException

XMLSignature

public XMLSignature(org.w3c.dom.Element element,
                    java.lang.String BaseURI)
             throws XMLSignatureException,
                    XMLSecurityException

This will parse the element and construct the Java Objects. That will allow a user to validate the signature.

Parameters:

element - ds:Signature element that contains the whole signature

BaseURI - URI to be prepended to all relative URIs

Throws:

XMLSecurityException

XMLSignatureException - if the signature is badly formatted

Method Detail

setId

public void setId(java.lang.String id)

Sets the Id attribute

Parameters:

id - Id value for the id attribute on the Signature Element

getId

public java.lang.String getId()

Returns the Id attribute

Returns:

the Id attribute

getSignedInfo

public SignedInfo getSignedInfo()

Returns the completely parsed SignedInfo object.

Returns:

the completely parsed SignedInfo object.

getSignatureValue

public byte[] getSignatureValue()
                         throws XMLSignatureException

Returns the octet value of the SignatureValue element. Throws an XMLSignatureException if it has no or wrong content.

Returns:

the value of the SignatureValue element.

Throws:

XMLSignatureException - If there is no content

getKeyInfo

public KeyInfo getKeyInfo()

Returns the KeyInfo child. If we are in signing mode and the KeyInfo does not exist yet, it is created on demand and added to the Signature.
This allows to add arbitrary content to the KeyInfo during signing.

Returns:

the KeyInfo object

appendObject

public void appendObject(ObjectContainer object)
                  throws XMLSignatureException

Appends an Object (not a java.lang.Object but an Object element) to the Signature. Please note that this is only possible when signing.

Parameters:

object - ds:Object to be appended.

Throws:

XMLSignatureException - When this object is used to verify.

getObjectItem

public ObjectContainer getObjectItem(int i)

Returns the ith ds:Object child of the signature or null if no such ds:Object element exists.

Parameters:

i -

Returns:

the ith ds:Object child of the signature or null if no such ds:Object element exists.

getObjectLength

public int getObjectLength()

Returns the number of all ds:Object elements.

Returns:

the number of all ds:Object elements.

sign

public void sign(java.security.Key signingKey)
          throws XMLSignatureException

Digests all References in the SignedInfo, calculates the signature value and sets it in the SignatureValue Element.

Parameters:

signingKey - the PrivateKey or SecretKey that is used to sign.

Throws:

XMLSignatureException

addResourceResolver

public void addResourceResolver(ResourceResolver resolver)

Adds a ResourceResolver to enable the retrieval of resources.

Parameters:

resolver -

addResourceResolver

public void addResourceResolver(ResourceResolverSpi resolver)

Adds a ResourceResolverSpi to enable the retrieval of resources.

Parameters:

resolver -

checkSignatureValue

public boolean checkSignatureValue(java.security.cert.X509Certificate cert)
                            throws XMLSignatureException

Extracts the public key from the certificate and verifies if the signature is valid by re-digesting all References, comparing those against the stored DigestValues and then checking to see if the Signatures match on the SignedInfo.

Parameters:

cert - Certificate that contains the public key part of the keypair that was used to sign.

Returns:

true if the signature is valid, false otherwise

Throws:

XMLSignatureException

checkSignatureValue

public boolean checkSignatureValue(java.security.Key pk)
                            throws XMLSignatureException

Verifies if the signature is valid by redigesting all References, comparing those against the stored DigestValues and then checking to see if the Signatures match on the SignedInfo.

Parameters:

pk - PublicKey part of the keypair or SecretKey that was used to sign

Returns:

true if the signature is valid, false otherwise

Throws:

XMLSignatureException

addDocument

public void addDocument(java.lang.String referenceURI,
                        Transforms trans,
                        java.lang.String digestURI,
                        java.lang.String ReferenceId,
                        java.lang.String ReferenceType)
                 throws XMLSignatureException

Add a Reference with full parameters to this Signature

Parameters:

referenceURI - URI of the resource to be signed. Can be null in which case the dereferencing is application specific. Can be "" in which it's the parent node (or parent document?). There can only be one "" in each signature.

trans - Optional list of transformations to be done before digesting

digestURI - Mandatory URI of the digesting algorithm to use.

ReferenceId - Optional id attribute for this Reference

ReferenceType - Optional mimetype for the URI

Throws:

XMLSignatureException

addDocument

public void addDocument(java.lang.String referenceURI,
                        Transforms trans,
                        java.lang.String digestURI)
                 throws XMLSignatureException

This method is a proxy method for the Manifest.addDocument(java.lang.String, java.lang.String, org.apache.xml.security.transforms.Transforms, java.lang.String, java.lang.String, java.lang.String) method.

Parameters:

referenceURI - URI according to the XML Signature specification.

trans - List of transformations to be applied.

digestURI - URI of the digest algorithm to be used.

Throws:

XMLSignatureException

See Also:

Manifest.addDocument(java.lang.String, java.lang.String, org.apache.xml.security.transforms.Transforms, java.lang.String, java.lang.String, java.lang.String)

addDocument

public void addDocument(java.lang.String referenceURI,
                        Transforms trans)
                 throws XMLSignatureException

Adds a Reference with just the URI and the transforms. This used the SHA1 algorithm as a default digest algorithm.

Parameters:

referenceURI - URI according to the XML Signature specification.

trans - List of transformations to be applied.

Throws:

XMLSignatureException

addDocument

public void addDocument(java.lang.String referenceURI)
                 throws XMLSignatureException

Add a Reference with just this URI. It uses SHA1 by default as the digest algorithm

Parameters:

referenceURI - URI according to the XML Signature specification.

Throws:

XMLSignatureException

addKeyInfo

public void addKeyInfo(java.security.cert.X509Certificate cert)
                throws XMLSecurityException

Add an X509 Certificate to the KeyInfo. This will include the whole cert inside X509Data/X509Certificate tags.

Parameters:

cert - Certificate to be included. This should be the certificate of the key that was used to sign.

Throws:

XMLSecurityException

addKeyInfo

public void addKeyInfo(java.security.PublicKey pk)

Add this public key to the KeyInfo. This will include the complete key in the KeyInfo structure.

Parameters:

pk -

createSecretKey

public javax.crypto.SecretKey createSecretKey(byte[] secretKeyBytes)

Proxy method for SignedInfo.createSecretKey(byte[]). If you want to create a MAC, this method helps you to obtain the SecretKey from octets.

Parameters:

secretKeyBytes -

Returns:

the secret key created.

See Also:

SignedInfo.createSecretKey(byte[])

setFollowNestedManifests

public void setFollowNestedManifests(boolean followManifests)

Signal wether Manifest should be automatically validated. Checking the digests in References in a Signature are mandatory, but for References inside a Manifest it is application specific. This boolean is to indicate that the References inside Manifests should be validated.

Parameters:

followManifests -

See Also:

Core validation section in the XML Signature Rec.

getBaseLocalName

public java.lang.String getBaseLocalName()

Get the local name of this element

Specified by:

getBaseLocalName in class ElementProxy

Returns:

Constants._TAG_SIGNATURE