1 /*
2 * reserved comment block
3 * DO NOT REMOVE OR ALTER!
4 */
5 /*
6 * Copyright 1999-2004 The Apache Software Foundation.
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 *
20 */
21 package com.sun.org.apache.xml.internal.security.signature;
22
23
24
25 import java.io.IOException;
26 import java.util.ArrayList;
27 import java.util.HashMap;
28 import java.util.Iterator;
29 import java.util.List;
30 import java.util.Set;
31 import java.util.Map;
32
33 import javax.xml.parsers.ParserConfigurationException;
34
35 import com.sun.org.apache.xml.internal.security.c14n.CanonicalizationException;
36 import com.sun.org.apache.xml.internal.security.c14n.InvalidCanonicalizerException;
37 import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityException;
38 import com.sun.org.apache.xml.internal.security.transforms.Transforms;
39 import com.sun.org.apache.xml.internal.security.utils.Constants;
40 import com.sun.org.apache.xml.internal.security.utils.I18n;
41 import com.sun.org.apache.xml.internal.security.utils.IdResolver;
42 import com.sun.org.apache.xml.internal.security.utils.SignatureElementProxy;
43 import com.sun.org.apache.xml.internal.security.utils.XMLUtils;
44 import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver;
45 import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverSpi;
46 import org.w3c.dom.Attr;
47 import org.w3c.dom.DOMException;
48 import org.w3c.dom.Document;
49 import org.w3c.dom.Element;
50 import org.w3c.dom.Node;
51 import org.xml.sax.SAXException;
52
53
54
55 /**
56 * Handles <code><ds:Manifest></code> elements.
57 * <p> This element holds the <code>Reference</code> elements</p>
58 * @author $author: $
59 */
60 public class Manifest extends SignatureElementProxy {
61
62 /** {@link java.util.logging} logging facility */
63 static java.util.logging.Logger log =
64 java.util.logging.Logger.getLogger(Manifest.class.getName());
65
66 /** Field _references */
67 List<Reference> _references;
68 Element[] _referencesEl;
69
70 /** Field verificationResults[] */
71 private boolean verificationResults[] = null;
72
73 /** Field _resolverProperties */
74 Map<String,String> _resolverProperties = null;
75
76 /** Field _perManifestResolvers */
77 List<ResourceResolver> _perManifestResolvers = null;
78
79 /**
80 * Consturts {@link Manifest}
81 *
82 * @param doc the {@link Document} in which <code>XMLsignature</code> is placed
83 */
84 public Manifest(Document doc) {
85
86 super(doc);
87
88 XMLUtils.addReturnToElement(this._constructionElement);
89
90 this._references = new ArrayList<Reference>();
91 }
92
93 /**
94 * Constructor Manifest
95 *
96 * @param element
97 * @param BaseURI
98 * @throws XMLSecurityException
99 */
100 public Manifest(Element element, String BaseURI)
101 throws XMLSecurityException {
102
103 super(element, BaseURI);
104
105 Attr attr = element.getAttributeNodeNS(null, "Id");
106 if (attr != null) {
107 element.setIdAttributeNode(attr, true);
108 }
109
110 // check out Reference children
111 this._referencesEl = XMLUtils.selectDsNodes(this._constructionElement.getFirstChild(),
112 Constants._TAG_REFERENCE);
113 int le = this._referencesEl.length;
114 {
115 if (le == 0) {
116
117 // At least one Reference must be present. Bad.
118 Object exArgs[] = { Constants._TAG_REFERENCE,
119 Constants._TAG_MANIFEST };
120
121 throw new DOMException(DOMException.WRONG_DOCUMENT_ERR,
122 I18n.translate("xml.WrongContent", exArgs));
123 }
124 }
125
126 // create Vector
127 this._references = new ArrayList<Reference>(le);
128
129 for (int i = 0; i < le; i++) {
130 Element refElem = this._referencesEl[i];
131 Attr refAttr = refElem.getAttributeNodeNS(null, "Id");
132 if (refAttr != null) {
133 refElem.setIdAttributeNode(refAttr, true);
134 }
135 this._references.add(null);
136 }
137 }
138
139 /**
140 * This <code>addDocument</code> method is used to add a new resource to the
141 * signed info. A {@link com.sun.org.apache.xml.internal.security.signature.Reference} is built
142 * from the supplied values.
143 *
144 * @param BaseURI the URI of the resource where the XML instance was stored
145 * @param referenceURI <code>URI</code> attribute in <code>Reference</code> for specifing where data is
146 * @param transforms com.sun.org.apache.xml.internal.security.signature.Transforms object with an ordered list of transformations to be performed.
147 * @param digestURI The digest algorthim URI to be used.
148 * @param ReferenceId
149 * @param ReferenceType
150 * @throws XMLSignatureException
151 */
152 public void addDocument(
153 String BaseURI, String referenceURI, Transforms transforms, String digestURI, String ReferenceId, String ReferenceType)
154 throws XMLSignatureException {
155
156 // the this._doc is handed implicitly by the this.getOwnerDocument()
157 Reference ref = new Reference(this._doc, BaseURI, referenceURI, this,
158 transforms, digestURI);
159
160 if (ReferenceId != null) {
161 ref.setId(ReferenceId);
162 }
163
164 if (ReferenceType != null) {
165 ref.setType(ReferenceType);
166 }
167
168 // add Reference object to our cache vector
169 this._references.add(ref);
170
171 // add the Element of the Reference object to the Manifest/SignedInfo
172 this._constructionElement.appendChild(ref.getElement());
173 XMLUtils.addReturnToElement(this._constructionElement);
174 }
175
176 /**
177 * The calculation of the DigestValues in the References must be after the
178 * References are already added to the document and during the signing
179 * process. This ensures that all neccesary data is in place.
180 *
181 * @throws ReferenceNotInitializedException
182 * @throws XMLSignatureException
183 */
184 public void generateDigestValues()
185 throws XMLSignatureException, ReferenceNotInitializedException {
186
187 for (int i = 0; i < this.getLength(); i++) {
188
189 // update the cached Reference object, the Element content is automatically updated
190 Reference currentRef = this._references.get(i);
191
192 currentRef.generateDigestValue();
193 }
194 }
195
196 /**
197 * Return the nonnegative number of added references.
198 *
199 * @return the number of references
200 */
201 public int getLength() {
202 return this._references.size();
203 }
204
205 /**
206 * Return the <it>i</it><sup>th</sup> reference. Valid <code>i</code>
207 * values are 0 to <code>{link@ getSize}-1</code>.
208 *
209 * @param i Index of the requested {@link Reference}
210 * @return the <it>i</it><sup>th</sup> reference
211 * @throws XMLSecurityException
212 */
213 public Reference item(int i) throws XMLSecurityException {
214
215 if (this._references.get(i) == null) {
216
217 // not yet constructed, so _we_ have to
218 Reference ref = new Reference(_referencesEl[i], this._baseURI, this);
219
220 this._references.set(i, ref);
221 }
222
223 return this._references.get(i);
224
225 }
226
227 /**
228 * Sets the <code>Id</code> attribute
229 *
230 * @param Id the <code>Id</code> attribute in <code>ds:Manifest</code>
231 */
232 public void setId(String Id) {
233
234 if (Id != null) {
235 setLocalIdAttribute(Constants._ATT_ID, Id);
236 }
237 }
238
239 /**
240 * Returns the <code>Id</code> attribute
241 *
242 * @return the <code>Id</code> attribute in <code>ds:Manifest</code>
243 */
244 public String getId() {
245 return this._constructionElement.getAttributeNS(null, Constants._ATT_ID);
246 }
247
248 /**
249 * Used to do a <A HREF="http://www.w3.org/TR/xmldsig-core/#def-ValidationReference">reference
250 * validation</A> of all enclosed references using the {@link Reference#verify} method.
251 *
252 * <p>This step loops through all {@link Reference}s and does verify the hash
253 * values. If one or more verifications fail, the method returns
254 * <code>false</code>. If <i>all</i> verifications are successful,
255 * it returns <code>true</code>. The results of the individual reference
256 * validations are available by using the {@link #getVerificationResult(int)} method
257 *
258 * @return true if all References verify, false if one or more do not verify.
259 * @throws MissingResourceFailureException if a {@link Reference} does not verify (throws a {@link com.sun.org.apache.xml.internal.security.signature.ReferenceNotInitializedException} because of an uninitialized {@link XMLSignatureInput}
260 * @see com.sun.org.apache.xml.internal.security.signature.Reference#verify
261 * @see com.sun.org.apache.xml.internal.security.signature.SignedInfo#verify()
262 * @see com.sun.org.apache.xml.internal.security.signature.MissingResourceFailureException
263 * @throws XMLSecurityException
264 */
265 public boolean verifyReferences()
266 throws MissingResourceFailureException, XMLSecurityException {
267 return this.verifyReferences(false);
268 }
269
270 /**
271 * Used to do a <A HREF="http://www.w3.org/TR/xmldsig-core/#def-ValidationReference">reference
272 * validation</A> of all enclosed references using the {@link Reference#verify} method.
273 *
274 * <p>This step loops through all {@link Reference}s and does verify the hash
275 * values. If one or more verifications fail, the method returns
276 * <code>false</code>. If <i>all</i> verifications are successful,
277 * it returns <code>true</code>. The results of the individual reference
278 * validations are available by using the {@link #getVerificationResult(int)} method
279 *
280 * @param followManifests
281 * @return true if all References verify, false if one or more do not verify.
282 * @throws MissingResourceFailureException if a {@link Reference} does not verify (throws a {@link com.sun.org.apache.xml.internal.security.signature.ReferenceNotInitializedException} because of an uninitialized {@link XMLSignatureInput}
283 * @see com.sun.org.apache.xml.internal.security.signature.Reference#verify
284 * @see com.sun.org.apache.xml.internal.security.signature.SignedInfo#verify(boolean)
285 * @see com.sun.org.apache.xml.internal.security.signature.MissingResourceFailureException
286 * @throws XMLSecurityException
287 */
288 public boolean verifyReferences(boolean followManifests)
289 throws MissingResourceFailureException, XMLSecurityException {
290 if (_referencesEl==null) {
291 this._referencesEl =
292 XMLUtils.selectDsNodes(this._constructionElement.getFirstChild(),
293 Constants._TAG_REFERENCE);
294 }
295 if (log.isLoggable(java.util.logging.Level.FINE)) {
296 log.log(java.util.logging.Level.FINE, "verify " +_referencesEl.length + " References");
297 log.log(java.util.logging.Level.FINE, "I am " + (followManifests
298 ? ""
299 : "not") + " requested to follow nested Manifests");
300 }
301 boolean verify = true;
302
303 if (_referencesEl.length==0) {
304 throw new XMLSecurityException("empty");
305 }
306
307 this.verificationResults =
308 new boolean[_referencesEl.length];
309
310 for (int i =
311 0; i < this._referencesEl.length; i++) {
312 Reference currentRef =
313 new Reference(_referencesEl[i], this._baseURI, this);
314
315 this._references.set(i, currentRef);
316
317 /* if only one item does not verify, the whole verification fails */
318 try {
319 boolean currentRefVerified = currentRef.verify();
320
321 this.setVerificationResult(i, currentRefVerified);
322
323 if (!currentRefVerified) {
324 verify = false;
325 }
326 if (log.isLoggable(java.util.logging.Level.FINE))
327 log.log(java.util.logging.Level.FINE, "The Reference has Type " + currentRef.getType());
328
329 // was verification successful till now and do we want to verify the Manifest?
330 if (verify && followManifests
331 && currentRef.typeIsReferenceToManifest()) {
332 log.log(java.util.logging.Level.FINE, "We have to follow a nested Manifest");
333
334 try {
335 XMLSignatureInput signedManifestNodes =
336 currentRef.dereferenceURIandPerformTransforms(null);
337 Set<Node> nl = signedManifestNodes.getNodeSet();
338 Manifest referencedManifest = null;
339 Iterator<Node> nlIterator = nl.iterator();
340
341 findManifest: while (nlIterator.hasNext()) {
342 Node n = nlIterator.next();
343
344 if ((n.getNodeType() == Node.ELEMENT_NODE) && ((Element) n)
345 .getNamespaceURI()
346 .equals(Constants.SignatureSpecNS) && ((Element) n)
347 .getLocalName().equals(Constants._TAG_MANIFEST)) {
348 try {
349 referencedManifest =
350 new Manifest((Element) n,
351 signedManifestNodes.getSourceURI());
352
353 break findManifest;
354 } catch (XMLSecurityException ex) {
355
356 // Hm, seems not to be a ds:Manifest
357 }
358 }
359 }
360
361 if (referencedManifest == null) {
362
363 // The Reference stated that it points to a ds:Manifest
364 // but we did not find a ds:Manifest in the signed area
365 throw new MissingResourceFailureException("empty",
366 currentRef);
367 }
368
369 referencedManifest._perManifestResolvers =
370 this._perManifestResolvers;
371 referencedManifest._resolverProperties =
372 this._resolverProperties;
373
374 boolean referencedManifestValid =
375 referencedManifest.verifyReferences(followManifests);
376
377 if (!referencedManifestValid) {
378 verify = false;
379
380 log.log(java.util.logging.Level.WARNING, "The nested Manifest was invalid (bad)");
381 } else {
382 log.log(java.util.logging.Level.FINE, "The nested Manifest was valid (good)");
383 }
384 } catch (IOException ex) {
385 throw new ReferenceNotInitializedException("empty", ex);
386 } catch (ParserConfigurationException ex) {
387 throw new ReferenceNotInitializedException("empty", ex);
388 } catch (SAXException ex) {
389 throw new ReferenceNotInitializedException("empty", ex);
390 }
391 }
392 } catch (ReferenceNotInitializedException ex) {
393 Object exArgs[] = { currentRef.getURI() };
394
395 throw new MissingResourceFailureException(
396 "signature.Verification.Reference.NoInput", exArgs, ex,
397 currentRef);
398 }
399 }
400
401 return verify;
402 }
403
404 /**
405 * Method setVerificationResult
406 *
407 * @param index
408 * @param verify
409 */
410 private void setVerificationResult(int index, boolean verify)
411 {
412
413 if (this.verificationResults == null) {
414 this.verificationResults = new boolean[this.getLength()];
415 }
416
417 this.verificationResults[index] = verify;
418 }
419
420 /**
421 * After verifying a {@link Manifest} or a {@link SignedInfo} using the
422 * {@link Manifest#verifyReferences()} or {@link SignedInfo#verify()} methods,
423 * the individual results can be retrieved with this method.
424 *
425 * @param index an index of into a {@link Manifest} or a {@link SignedInfo}
426 * @return the results of reference validation at the specified index
427 * @throws XMLSecurityException
428 */
429 public boolean getVerificationResult(int index) throws XMLSecurityException {
430
431 if ((index < 0) || (index > this.getLength() - 1)) {
432 Object exArgs[] = { Integer.toString(index),
433 Integer.toString(this.getLength()) };
434 Exception e =
435 new IndexOutOfBoundsException(I18n
436 .translate("signature.Verification.IndexOutOfBounds", exArgs));
437
438 throw new XMLSecurityException("generic.EmptyMessage", e);
439 }
440
441 if (this.verificationResults == null) {
442 try {
443 this.verifyReferences();
444 } catch (Exception ex) {
445 throw new XMLSecurityException("generic.EmptyMessage", ex);
446 }
447 }
448
449 return this.verificationResults[index];
450 }
451
452 /**
453 * Adds Resource Resolver for retrieving resources at specified <code>URI</code> attribute in <code>reference</code> element
454 *
455 * @param resolver {@link ResourceResolver} can provide the implemenatin subclass of {@link ResourceResolverSpi} for retrieving resource.
456 */
457 public void addResourceResolver(ResourceResolver resolver) {
458
459 if (resolver == null) {
460 return;
461 }
462 if (_perManifestResolvers==null)
463 _perManifestResolvers = new ArrayList<ResourceResolver>();
464 this._perManifestResolvers.add(resolver);
465
466 }
467
468 /**
469 * Adds Resource Resolver for retrieving resources at specified <code>URI</code> attribute in <code>reference</code> element
470 *
471 * @param resolverSpi the implemenatin subclass of {@link ResourceResolverSpi} for retrieving resource.
472 */
473 public void addResourceResolver(ResourceResolverSpi resolverSpi) {
474
475 if (resolverSpi == null) {
476 return;
477 }
478 if (_perManifestResolvers==null)
479 _perManifestResolvers = new ArrayList<ResourceResolver>();
480 this._perManifestResolvers.add(new ResourceResolver(resolverSpi));
481
482 }
483
484 /**
485 * Used to pass parameters like proxy servers etc to the ResourceResolver
486 * implementation.
487 *
488 * @param key the key
489 * @param value the value
490 */
491 public void setResolverProperty(String key, String value) {
492 if (_resolverProperties==null) {
493 _resolverProperties=new HashMap<String, String>(10);
494 }
495 this._resolverProperties.put(key, value);
496 }
497
498 /**
499 * Returns the value at specified key
500 *
501 * @param key the key
502 * @return the value
503 */
504 public String getResolverProperty(String key) {
505 return this._resolverProperties.get(key);
506 }
507
508 /**
509 * Method getSignedContentItem
510 *
511 * @param i
512 * @return The signed content of the i reference.
513 *
514 * @throws XMLSignatureException
515 */
516 public byte[] getSignedContentItem(int i) throws XMLSignatureException {
517
518 try {
519 return this.getReferencedContentAfterTransformsItem(i).getBytes();
520 } catch (IOException ex) {
521 throw new XMLSignatureException("empty", ex);
522 } catch (CanonicalizationException ex) {
523 throw new XMLSignatureException("empty", ex);
524 } catch (InvalidCanonicalizerException ex) {
525 throw new XMLSignatureException("empty", ex);
526 } catch (XMLSecurityException ex) {
527 throw new XMLSignatureException("empty", ex);
528 }
529 }
530
531 /**
532 * Method getReferencedContentPriorTransformsItem
533 *
534 * @param i
535 * @return The contents before transformation of the reference i.
536 * @throws XMLSecurityException
537 */
538 public XMLSignatureInput getReferencedContentBeforeTransformsItem(int i)
539 throws XMLSecurityException {
540 return this.item(i).getContentsBeforeTransformation();
541 }
542
543 /**
544 * Method getReferencedContentAfterTransformsItem
545 *
546 * @param i
547 * @return The contents after transformation of the reference i.
548 * @throws XMLSecurityException
549 */
550 public XMLSignatureInput getReferencedContentAfterTransformsItem(int i)
551 throws XMLSecurityException {
552 return this.item(i).getContentsAfterTransformation();
553 }
554
555 /**
556 * Method getSignedContentLength
557 *
558 * @return The nu,ber of references contained in this reference.
559 */
560 public int getSignedContentLength() {
561 return this.getLength();
562 }
563
564 /**
565 * Method getBaseLocalName
566 *
567 * @inheritDoc
568 */
569 public String getBaseLocalName() {
570 return Constants._TAG_MANIFEST;
571 }
572 }