/*
* reserved comment block
* DO NOT REMOVE OR ALTER!
*/
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package com.sun.org.apache.xml.internal.security.signature;
import java.io.IOException;
import java.io.OutputStream;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import com.sun.org.apache.xml.internal.security.algorithms.MessageDigestAlgorithm;
import com.sun.org.apache.xml.internal.security.c14n.CanonicalizationException;
import com.sun.org.apache.xml.internal.security.c14n.InvalidCanonicalizerException;
import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException;
import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityException;
import com.sun.org.apache.xml.internal.security.signature.reference.ReferenceData;
import com.sun.org.apache.xml.internal.security.signature.reference.ReferenceNodeSetData;
import com.sun.org.apache.xml.internal.security.signature.reference.ReferenceOctetStreamData;
import com.sun.org.apache.xml.internal.security.signature.reference.ReferenceSubTreeData;
import com.sun.org.apache.xml.internal.security.transforms.InvalidTransformException;
import com.sun.org.apache.xml.internal.security.transforms.Transform;
import com.sun.org.apache.xml.internal.security.transforms.TransformationException;
import com.sun.org.apache.xml.internal.security.transforms.Transforms;
import com.sun.org.apache.xml.internal.security.transforms.params.InclusiveNamespaces;
import com.sun.org.apache.xml.internal.security.utils.Base64;
import com.sun.org.apache.xml.internal.security.utils.Constants;
import com.sun.org.apache.xml.internal.security.utils.DigesterOutputStream;
import com.sun.org.apache.xml.internal.security.utils.SignatureElementProxy;
import com.sun.org.apache.xml.internal.security.utils.UnsyncBufferedOutputStream;
import com.sun.org.apache.xml.internal.security.utils.XMLUtils;
import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver;
import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.Text;
/**
* Handles <ds:Reference>
elements.
*
* This includes:
*
* Constuct a ds:Reference
from an {@link org.w3c.dom.Element}.
*
*
Create a new reference
** Document doc; * MessageDigestAlgorithm sha1 = MessageDigestAlgorithm.getInstance("http://#sha1"); * Reference ref = new Reference(new XMLSignatureInput(new FileInputStream("1.gif"), * "http://localhost/1.gif", * (Transforms) null, sha1); * Element refElem = ref.toElement(doc); ** *
Verify a reference
** Element refElem = doc.getElement("Reference"); // PSEUDO * Reference ref = new Reference(refElem); * String url = ref.getURI(); * ref.setData(new XMLSignatureInput(new FileInputStream(url))); * if (ref.verify()) { * System.out.println("verified"); * } ** *
* <element name="Reference" type="ds:ReferenceType"/> * <complexType name="ReferenceType"> * <sequence> * <element ref="ds:Transforms" minOccurs="0"/> * <element ref="ds:DigestMethod"/> * <element ref="ds:DigestValue"/> * </sequence> * <attribute name="Id" type="ID" use="optional"/> * <attribute name="URI" type="anyURI" use="optional"/> * <attribute name="Type" type="anyURI" use="optional"/> * </complexType> ** * @author Christian Geuer-Pollmann * @see ObjectContainer * @see Manifest */ public class Reference extends SignatureElementProxy { /** Field OBJECT_URI */ public static final String OBJECT_URI = Constants.SignatureSpecNS + Constants._TAG_OBJECT; /** Field MANIFEST_URI */ public static final String MANIFEST_URI = Constants.SignatureSpecNS + Constants._TAG_MANIFEST; /** * The maximum number of transforms per reference, if secure validation is enabled. */ public static final int MAXIMUM_TRANSFORM_COUNT = 5; private boolean secureValidation; /** * Look up useC14N11 system property. If true, an explicit C14N11 transform * will be added if necessary when generating the signature. See section * 3.1.1 of http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/ for more info. */ private static boolean useC14N11 = ( AccessController.doPrivileged(new PrivilegedAction
XMLsignature
is placed
* @param baseURI the URI of the resource where the XML instance will be stored
* @param referenceURI URI indicate where is data which will digested
* @param manifest
* @param transforms {@link Transforms} applied to data
* @param messageDigestAlgorithm {@link MessageDigestAlgorithm Digest algorithm} which is
* applied to the data
* TODO should we throw XMLSignatureException if MessageDigestAlgoURI is wrong?
* @throws XMLSignatureException
*/
protected Reference(
Document doc, String baseURI, String referenceURI, Manifest manifest,
Transforms transforms, String messageDigestAlgorithm
) throws XMLSignatureException {
super(doc);
XMLUtils.addReturnToElement(this.constructionElement);
this.baseURI = baseURI;
this.manifest = manifest;
this.setURI(referenceURI);
// important: The ds:Reference must be added to the associated ds:Manifest
// or ds:SignedInfo _before_ the this.resolverResult() is called.
// this.manifest.appendChild(this.constructionElement);
// this.manifest.appendChild(this.doc.createTextNode("\n"));
if (transforms != null) {
this.transforms=transforms;
this.constructionElement.appendChild(transforms.getElement());
XMLUtils.addReturnToElement(this.constructionElement);
}
MessageDigestAlgorithm mda =
MessageDigestAlgorithm.getInstance(this.doc, messageDigestAlgorithm);
digestMethodElem = mda.getElement();
this.constructionElement.appendChild(digestMethodElem);
XMLUtils.addReturnToElement(this.constructionElement);
digestValueElement =
XMLUtils.createElementInSignatureSpace(this.doc, Constants._TAG_DIGESTVALUE);
this.constructionElement.appendChild(digestValueElement);
XMLUtils.addReturnToElement(this.constructionElement);
}
/**
* Build a {@link Reference} from an {@link Element}
*
* @param element Reference
element
* @param baseURI the URI of the resource where the XML instance was stored
* @param manifest is the {@link Manifest} of {@link SignedInfo} in which the Reference occurs.
* We need this because the Manifest has the individual {@link ResourceResolver}s which have
* been set by the user
* @throws XMLSecurityException
*/
protected Reference(Element element, String baseURI, Manifest manifest) throws XMLSecurityException {
this(element, baseURI, manifest, false);
}
/**
* Build a {@link Reference} from an {@link Element}
*
* @param element Reference
element
* @param baseURI the URI of the resource where the XML instance was stored
* @param manifest is the {@link Manifest} of {@link SignedInfo} in which the Reference occurs.
* @param secureValidation whether secure validation is enabled or not
* We need this because the Manifest has the individual {@link ResourceResolver}s which have
* been set by the user
* @throws XMLSecurityException
*/
protected Reference(Element element, String baseURI, Manifest manifest, boolean secureValidation)
throws XMLSecurityException {
super(element, baseURI);
this.secureValidation = secureValidation;
this.baseURI = baseURI;
Element el = XMLUtils.getNextElement(element.getFirstChild());
if (Constants._TAG_TRANSFORMS.equals(el.getLocalName())
&& Constants.SignatureSpecNS.equals(el.getNamespaceURI())) {
transforms = new Transforms(el, this.baseURI);
transforms.setSecureValidation(secureValidation);
if (secureValidation && transforms.getLength() > MAXIMUM_TRANSFORM_COUNT) {
Object exArgs[] = { transforms.getLength(), MAXIMUM_TRANSFORM_COUNT };
throw new XMLSecurityException("signature.tooManyTransforms", exArgs);
}
el = XMLUtils.getNextElement(el.getNextSibling());
}
digestMethodElem = el;
digestValueElement = XMLUtils.getNextElement(digestMethodElem.getNextSibling());
this.manifest = manifest;
}
/**
* Returns {@link MessageDigestAlgorithm}
*
*
* @return {@link MessageDigestAlgorithm}
*
* @throws XMLSignatureException
*/
public MessageDigestAlgorithm getMessageDigestAlgorithm() throws XMLSignatureException {
if (digestMethodElem == null) {
return null;
}
String uri = digestMethodElem.getAttributeNS(null, Constants._ATT_ALGORITHM);
if (uri == null) {
return null;
}
if (secureValidation && MessageDigestAlgorithm.ALGO_ID_DIGEST_NOT_RECOMMENDED_MD5.equals(uri)) {
Object exArgs[] = { uri };
throw new XMLSignatureException("signature.signatureAlgorithm", exArgs);
}
return MessageDigestAlgorithm.getInstance(this.doc, uri);
}
/**
* Sets the URI
of this Reference
element
*
* @param uri the URI
of this Reference
element
*/
public void setURI(String uri) {
if (uri != null) {
this.constructionElement.setAttributeNS(null, Constants._ATT_URI, uri);
}
}
/**
* Returns the URI
of this Reference
element
*
* @return URI the URI
of this Reference
element
*/
public String getURI() {
return this.constructionElement.getAttributeNS(null, Constants._ATT_URI);
}
/**
* Sets the Id
attribute of this Reference
element
*
* @param id the Id
attribute of this Reference
element
*/
public void setId(String id) {
if (id != null) {
this.constructionElement.setAttributeNS(null, Constants._ATT_ID, id);
this.constructionElement.setIdAttributeNS(null, Constants._ATT_ID, true);
}
}
/**
* Returns the Id
attribute of this Reference
element
*
* @return Id the Id
attribute of this Reference
element
*/
public String getId() {
return this.constructionElement.getAttributeNS(null, Constants._ATT_ID);
}
/**
* Sets the type
atttibute of the Reference indicate whether an
* ds:Object
, ds:SignatureProperty
, or ds:Manifest
* element.
*
* @param type the type
attribute of the Reference
*/
public void setType(String type) {
if (type != null) {
this.constructionElement.setAttributeNS(null, Constants._ATT_TYPE, type);
}
}
/**
* Return the type
atttibute of the Reference indicate whether an
* ds:Object
, ds:SignatureProperty
, or ds:Manifest
* element
*
* @return the type
attribute of the Reference
*/
public String getType() {
return this.constructionElement.getAttributeNS(null, Constants._ATT_TYPE);
}
/**
* Method isReferenceToObject
*
* This returns true if the Type
attribute of the
* Reference
element points to a #Object
element
*
* @return true if the Reference type indicates that this Reference points to an
* Object
*/
public boolean typeIsReferenceToObject() {
if (Reference.OBJECT_URI.equals(this.getType())) {
return true;
}
return false;
}
/**
* Method isReferenceToManifest
*
* This returns true if the Type
attribute of the
* Reference
element points to a #Manifest
element
*
* @return true if the Reference type indicates that this Reference points to a
* {@link Manifest}
*/
public boolean typeIsReferenceToManifest() {
if (Reference.MANIFEST_URI.equals(this.getType())) {
return true;
}
return false;
}
/**
* Method setDigestValueElement
*
* @param digestValue
*/
private void setDigestValueElement(byte[] digestValue) {
Node n = digestValueElement.getFirstChild();
while (n != null) {
digestValueElement.removeChild(n);
n = n.getNextSibling();
}
String base64codedValue = Base64.encode(digestValue);
Text t = this.doc.createTextNode(base64codedValue);
digestValueElement.appendChild(t);
}
/**
* Method generateDigestValue
*
* @throws ReferenceNotInitializedException
* @throws XMLSignatureException
*/
public void generateDigestValue()
throws XMLSignatureException, ReferenceNotInitializedException {
this.setDigestValueElement(this.calculateDigest(false));
}
/**
* Returns the XMLSignatureInput which is created by de-referencing the URI attribute.
* @return the XMLSignatureInput of the source of this reference
* @throws ReferenceNotInitializedException If the resolver found any
* problem resolving the reference
*/
public XMLSignatureInput getContentsBeforeTransformation()
throws ReferenceNotInitializedException {
try {
Attr uriAttr =
this.constructionElement.getAttributeNodeNS(null, Constants._ATT_URI);
ResourceResolver resolver =
ResourceResolver.getInstance(
uriAttr, this.baseURI, this.manifest.getPerManifestResolvers(), secureValidation
);
resolver.addProperties(this.manifest.getResolverProperties());
return resolver.resolve(uriAttr, this.baseURI, secureValidation);
} catch (ResourceResolverException ex) {
throw new ReferenceNotInitializedException("empty", ex);
}
}
private XMLSignatureInput getContentsAfterTransformation(
XMLSignatureInput input, OutputStream os
) throws XMLSignatureException {
try {
Transforms transforms = this.getTransforms();
XMLSignatureInput output = null;
if (transforms != null) {
output = transforms.performTransforms(input, os);
this.transformsOutput = output;//new XMLSignatureInput(output.getBytes());
//this.transformsOutput.setSourceURI(output.getSourceURI());
} else {
output = input;
}
return output;
} catch (ResourceResolverException ex) {
throw new XMLSignatureException("empty", ex);
} catch (CanonicalizationException ex) {
throw new XMLSignatureException("empty", ex);
} catch (InvalidCanonicalizerException ex) {
throw new XMLSignatureException("empty", ex);
} catch (TransformationException ex) {
throw new XMLSignatureException("empty", ex);
} catch (XMLSecurityException ex) {
throw new XMLSignatureException("empty", ex);
}
}
/**
* Returns the XMLSignatureInput which is the result of the Transforms.
* @return a XMLSignatureInput with all transformations applied.
* @throws XMLSignatureException
*/
public XMLSignatureInput getContentsAfterTransformation()
throws XMLSignatureException {
XMLSignatureInput input = this.getContentsBeforeTransformation();
cacheDereferencedElement(input);
return this.getContentsAfterTransformation(input, null);
}
/**
* This method returns the XMLSignatureInput which represents the node set before
* some kind of canonicalization is applied for the first time.
* @return Gets a the node doing everything till the first c14n is needed
*
* @throws XMLSignatureException
*/
public XMLSignatureInput getNodesetBeforeFirstCanonicalization()
throws XMLSignatureException {
try {
XMLSignatureInput input = this.getContentsBeforeTransformation();
cacheDereferencedElement(input);
XMLSignatureInput output = input;
Transforms transforms = this.getTransforms();
if (transforms != null) {
doTransforms: for (int i = 0; i < transforms.getLength(); i++) {
Transform t = transforms.item(i);
String uri = t.getURI();
if (uri.equals(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS)
|| uri.equals(Transforms.TRANSFORM_C14N_EXCL_WITH_COMMENTS)
|| uri.equals(Transforms.TRANSFORM_C14N_OMIT_COMMENTS)
|| uri.equals(Transforms.TRANSFORM_C14N_WITH_COMMENTS)) {
break doTransforms;
}
output = t.performTransform(output, null);
}
output.setSourceURI(input.getSourceURI());
}
return output;
} catch (IOException ex) {
throw new XMLSignatureException("empty", ex);
} catch (ResourceResolverException ex) {
throw new XMLSignatureException("empty", ex);
} catch (CanonicalizationException ex) {
throw new XMLSignatureException("empty", ex);
} catch (InvalidCanonicalizerException ex) {
throw new XMLSignatureException("empty", ex);
} catch (TransformationException ex) {
throw new XMLSignatureException("empty", ex);
} catch (XMLSecurityException ex) {
throw new XMLSignatureException("empty", ex);
}
}
/**
* Method getHTMLRepresentation
* @return The HTML of the transformation
* @throws XMLSignatureException
*/
public String getHTMLRepresentation() throws XMLSignatureException {
try {
XMLSignatureInput nodes = this.getNodesetBeforeFirstCanonicalization();
Transforms transforms = this.getTransforms();
Transform c14nTransform = null;
if (transforms != null) {
doTransforms: for (int i = 0; i < transforms.getLength(); i++) {
Transform t = transforms.item(i);
String uri = t.getURI();
if (uri.equals(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS)
|| uri.equals(Transforms.TRANSFORM_C14N_EXCL_WITH_COMMENTS)) {
c14nTransform = t;
break doTransforms;
}
}
}
SetURI
Attribute.
* @param os where to write the transformation can be null.
* @return the element to digest
*
* @throws XMLSignatureException
* @see Manifest#verifyReferences()
*/
protected XMLSignatureInput dereferenceURIandPerformTransforms(OutputStream os)
throws XMLSignatureException {
try {
XMLSignatureInput input = this.getContentsBeforeTransformation();
cacheDereferencedElement(input);
XMLSignatureInput output = this.getContentsAfterTransformation(input, os);
this.transformsOutput = output;
return output;
} catch (XMLSecurityException ex) {
throw new ReferenceNotInitializedException("empty", ex);
}
}
/**
* Store the dereferenced Element(s) so that it/they can be retrieved later.
*/
private void cacheDereferencedElement(XMLSignatureInput input) {
if (input.isNodeSet()) {
try {
final Set