1 /*
   2  * reserved comment block
   3  * DO NOT REMOVE OR ALTER!
   4  */
   5 /**
   6  * Licensed to the Apache Software Foundation (ASF) under one
   7  * or more contributor license agreements. See the NOTICE file
   8  * distributed with this work for additional information
   9  * regarding copyright ownership. The ASF licenses this file
  10  * to you under the Apache License, Version 2.0 (the
  11  * "License"); you may not use this file except in compliance
  12  * with the License. You may obtain a copy of the License at
  13  *
  14  * http://www.apache.org/licenses/LICENSE-2.0
  15  *
  16  * Unless required by applicable law or agreed to in writing,
  17  * software distributed under the License is distributed on an
  18  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  19  * KIND, either express or implied. See the License for the
  20  * specific language governing permissions and limitations
  21  * under the License.
  22  */
  23 /*
  24  * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
  25  */
  26 /*
  27  * $Id: DOMSignedInfo.java 1333415 2012-05-03 12:03:51Z coheigea $
  28  */
  29 package org.jcp.xml.dsig.internal.dom;
  30 
  31 import javax.xml.crypto.*;
  32 import javax.xml.crypto.dom.DOMCryptoContext;
  33 import javax.xml.crypto.dsig.*;
  34 
  35 import java.io.ByteArrayInputStream;
  36 import java.io.ByteArrayOutputStream;
  37 import java.io.InputStream;
  38 import java.io.OutputStream;
  39 import java.io.IOException;
  40 import java.security.Provider;
  41 import java.util.*;
  42 
  43 import org.w3c.dom.Document;
  44 import org.w3c.dom.Element;
  45 import org.w3c.dom.Node;
  46 
  47 import com.sun.org.apache.xml.internal.security.utils.Base64;
  48 import com.sun.org.apache.xml.internal.security.utils.Constants;
  49 import com.sun.org.apache.xml.internal.security.utils.UnsyncBufferedOutputStream;
  50 
  51 /**
  52  * DOM-based implementation of SignedInfo.
  53  *
  54  * @author Sean Mullan
  55  */
  56 public final class DOMSignedInfo extends DOMStructure implements SignedInfo {
  57 
  58     /**
  59      * The maximum number of references per Manifest, if secure validation is enabled.
  60      */
  61     public static final int MAXIMUM_REFERENCE_COUNT = 30;
  62 
  63     private static java.util.logging.Logger log =
  64         java.util.logging.Logger.getLogger("org.jcp.xml.dsig.internal.dom");
  65 
  66     /** Signature - NOT Recommended RSAwithMD5 */
  67     private static final String ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5 =
  68         Constants.MoreAlgorithmsSpecNS + "rsa-md5";
  69 
  70     /** HMAC - NOT Recommended HMAC-MD5 */
  71     private static final String ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5 =
  72         Constants.MoreAlgorithmsSpecNS + "hmac-md5";
  73 
  74     private List<Reference> references;
  75     private CanonicalizationMethod canonicalizationMethod;
  76     private SignatureMethod signatureMethod;
  77     private String id;
  78     private Document ownerDoc;
  79     private Element localSiElem;
  80     private InputStream canonData;
  81 
  82     /**
  83      * Creates a <code>DOMSignedInfo</code> from the specified parameters. Use
  84      * this constructor when the <code>Id</code> is not specified.
  85      *
  86      * @param cm the canonicalization method
  87      * @param sm the signature method
  88      * @param references the list of references. The list is copied.
  89      * @throws NullPointerException if
  90      *    <code>cm</code>, <code>sm</code>, or <code>references</code> is
  91      *    <code>null</code>
  92      * @throws IllegalArgumentException if <code>references</code> is empty
  93      * @throws ClassCastException if any of the references are not of
  94      *    type <code>Reference</code>
  95      */
  96     public DOMSignedInfo(CanonicalizationMethod cm, SignatureMethod sm,
  97                          List<? extends Reference> references) {
  98         if (cm == null || sm == null || references == null) {
  99             throw new NullPointerException();
 100         }
 101         this.canonicalizationMethod = cm;
 102         this.signatureMethod = sm;
 103         this.references = Collections.unmodifiableList(
 104             new ArrayList<Reference>(references));
 105         if (this.references.isEmpty()) {
 106             throw new IllegalArgumentException("list of references must " +
 107                 "contain at least one entry");
 108         }
 109         for (int i = 0, size = this.references.size(); i < size; i++) {
 110             Object obj = this.references.get(i);
 111             if (!(obj instanceof Reference)) {
 112                 throw new ClassCastException("list of references contains " +
 113                     "an illegal type");
 114             }
 115         }
 116     }
 117 
 118     /**
 119      * Creates a <code>DOMSignedInfo</code> from the specified parameters.
 120      *
 121      * @param cm the canonicalization method
 122      * @param sm the signature method
 123      * @param references the list of references. The list is copied.
 124      * @param id an optional identifer that will allow this
 125      *    <code>SignedInfo</code> to be referenced by other signatures and
 126      *    objects
 127      * @throws NullPointerException if <code>cm</code>, <code>sm</code>,
 128      *    or <code>references</code> is <code>null</code>
 129      * @throws IllegalArgumentException if <code>references</code> is empty
 130      * @throws ClassCastException if any of the references are not of
 131      *    type <code>Reference</code>
 132      */
 133     public DOMSignedInfo(CanonicalizationMethod cm, SignatureMethod sm,
 134                          List<? extends Reference> references, String id) {
 135         this(cm, sm, references);
 136         this.id = id;
 137     }
 138 
 139     /**
 140      * Creates a <code>DOMSignedInfo</code> from an element.
 141      *
 142      * @param siElem a SignedInfo element
 143      */
 144     public DOMSignedInfo(Element siElem, XMLCryptoContext context, Provider provider)
 145         throws MarshalException {
 146         localSiElem = siElem;
 147         ownerDoc = siElem.getOwnerDocument();
 148 
 149         // get Id attribute, if specified
 150         id = DOMUtils.getAttributeValue(siElem, "Id");
 151 
 152         // unmarshal CanonicalizationMethod
 153         Element cmElem = DOMUtils.getFirstChildElement(siElem,
 154                                                        "CanonicalizationMethod");
 155         canonicalizationMethod = new DOMCanonicalizationMethod(cmElem, context,
 156                                                                provider);
 157 
 158         // unmarshal SignatureMethod
 159         Element smElem = DOMUtils.getNextSiblingElement(cmElem,
 160                                                         "SignatureMethod");
 161         signatureMethod = DOMSignatureMethod.unmarshal(smElem);
 162 
 163         boolean secVal = Utils.secureValidation(context);
 164 
 165         String signatureMethodAlgorithm = signatureMethod.getAlgorithm();
 166         if (secVal && ((ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5.equals(signatureMethodAlgorithm)
 167                 || ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5.equals(signatureMethodAlgorithm)))) {
 168             throw new MarshalException(
 169                 "It is forbidden to use algorithm " + signatureMethod + " when secure validation is enabled"
 170             );
 171         }
 172 
 173         // unmarshal References
 174         ArrayList<Reference> refList = new ArrayList<Reference>(5);
 175         Element refElem = DOMUtils.getNextSiblingElement(smElem, "Reference");
 176         refList.add(new DOMReference(refElem, context, provider));
 177 
 178         refElem = DOMUtils.getNextSiblingElement(refElem);
 179         while (refElem != null) {
 180             String name = refElem.getLocalName();
 181             if (!name.equals("Reference")) {
 182                 throw new MarshalException("Invalid element name: " +
 183                                            name + ", expected Reference");
 184             }
 185             refList.add(new DOMReference(refElem, context, provider));
 186 
 187             if (secVal && (refList.size() > MAXIMUM_REFERENCE_COUNT)) {
 188                 String error = "A maxiumum of " + MAXIMUM_REFERENCE_COUNT + " "
 189                     + "references per Manifest are allowed with secure validation";
 190                 throw new MarshalException(error);
 191             }
 192             refElem = DOMUtils.getNextSiblingElement(refElem);
 193         }
 194         references = Collections.unmodifiableList(refList);
 195     }
 196 
 197     public CanonicalizationMethod getCanonicalizationMethod() {
 198         return canonicalizationMethod;
 199     }
 200 
 201     public SignatureMethod getSignatureMethod() {
 202         return signatureMethod;
 203     }
 204 
 205     public String getId() {
 206         return id;
 207     }
 208 
 209     public List<Reference> getReferences() {
 210         return references;
 211     }
 212 
 213     public InputStream getCanonicalizedData() {
 214         return canonData;
 215     }
 216 
 217     public void canonicalize(XMLCryptoContext context, ByteArrayOutputStream bos)
 218         throws XMLSignatureException {
 219         if (context == null) {
 220             throw new NullPointerException("context cannot be null");
 221         }
 222 
 223         OutputStream os = new UnsyncBufferedOutputStream(bos);
 224         try {
 225             os.close();
 226         } catch (IOException e) {
 227             if (log.isLoggable(java.util.logging.Level.FINE)) {
 228                 log.log(java.util.logging.Level.FINE, e.getMessage(), e);
 229             }
 230             // Impossible
 231         }
 232 
 233         DOMSubTreeData subTree = new DOMSubTreeData(localSiElem, true);
 234 
 235         try {
 236             ((DOMCanonicalizationMethod)
 237                 canonicalizationMethod).canonicalize(subTree, context, bos);
 238         } catch (TransformException te) {
 239             throw new XMLSignatureException(te);
 240         }
 241 
 242         byte[] signedInfoBytes = bos.toByteArray();
 243 
 244         // this whole block should only be done if logging is enabled
 245         if (log.isLoggable(java.util.logging.Level.FINE)) {
 246             log.log(java.util.logging.Level.FINE, "Canonicalized SignedInfo:");
 247             StringBuilder sb = new StringBuilder(signedInfoBytes.length);
 248             for (int i = 0; i < signedInfoBytes.length; i++) {
 249                 sb.append((char)signedInfoBytes[i]);
 250             }
 251             log.log(java.util.logging.Level.FINE, sb.toString());
 252             log.log(java.util.logging.Level.FINE, "Data to be signed/verified:" + Base64.encode(signedInfoBytes));
 253         }
 254 
 255         this.canonData = new ByteArrayInputStream(signedInfoBytes);
 256     }
 257 
 258     public void marshal(Node parent, String dsPrefix, DOMCryptoContext context)
 259         throws MarshalException
 260     {
 261         ownerDoc = DOMUtils.getOwnerDocument(parent);
 262         Element siElem = DOMUtils.createElement(ownerDoc, "SignedInfo",
 263                                                 XMLSignature.XMLNS, dsPrefix);
 264 
 265         // create and append CanonicalizationMethod element
 266         DOMCanonicalizationMethod dcm =
 267             (DOMCanonicalizationMethod)canonicalizationMethod;
 268         dcm.marshal(siElem, dsPrefix, context);
 269 
 270         // create and append SignatureMethod element
 271         ((DOMStructure)signatureMethod).marshal(siElem, dsPrefix, context);
 272 
 273         // create and append Reference elements
 274         for (Reference reference : references) {
 275             ((DOMReference)reference).marshal(siElem, dsPrefix, context);
 276         }
 277 
 278         // append Id attribute
 279         DOMUtils.setAttributeID(siElem, "Id", id);
 280 
 281         parent.appendChild(siElem);
 282         localSiElem = siElem;
 283     }
 284 
 285     @Override
 286     public boolean equals(Object o) {
 287         if (this == o) {
 288             return true;
 289         }
 290 
 291         if (!(o instanceof SignedInfo)) {
 292             return false;
 293         }
 294         SignedInfo osi = (SignedInfo)o;
 295 
 296         boolean idEqual = (id == null ? osi.getId() == null
 297                                       : id.equals(osi.getId()));
 298 
 299         return (canonicalizationMethod.equals(osi.getCanonicalizationMethod())
 300                 && signatureMethod.equals(osi.getSignatureMethod()) &&
 301                 references.equals(osi.getReferences()) && idEqual);
 302     }
 303 
 304     @Override
 305     public int hashCode() {
 306         int result = 17;
 307         if (id != null) {
 308             result = 31 * result + id.hashCode();
 309         }
 310         result = 31 * result + canonicalizationMethod.hashCode();
 311         result = 31 * result + signatureMethod.hashCode();
 312         result = 31 * result + references.hashCode();
 313 
 314         return result;
 315     }
 316 }