17 package org.opensaml.xml.signature.impl;
18
19 import org.opensaml.xml.security.CriteriaSet;
20 import org.opensaml.xml.security.SecurityException;
21 import org.opensaml.xml.security.credential.Credential;
22 import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
23 import org.opensaml.xml.security.keyinfo.KeyInfoCriteria;
24 import org.opensaml.xml.signature.Signature;
25 import org.opensaml.xml.signature.SignatureTrustEngine;
26 import org.opensaml.xml.signature.SignatureValidator;
27 import org.opensaml.xml.util.DatatypeHelper;
28 import org.opensaml.xml.validation.ValidationException;
29 import org.slf4j.Logger;
30 import org.slf4j.LoggerFactory;
31
/**
 * Shared plumbing for {@link SignatureTrustEngine} implementations whose candidate
 * verification credentials come from the signature's own {@code ds:KeyInfo}.
 *
 * <p>Security note: a credential resolved from {@code KeyInfo} is supplied by the same party
 * that produced the signature, so the fact that it verifies the signature proves nothing by
 * itself. {@code validate} therefore only reports success once the verifying credential has
 * additionally passed the subclass-supplied {@code evaluateTrust} against the caller's trust
 * basis. How that trust basis is derived from a {@link CriteriaSet} is left to the subclass.</p>
 *
 * @param <TrustBasisType> the type of trust-basis information a subclass evaluates candidate
 *            credentials against
 */
public abstract class BaseSignatureTrustEngine<TrustBasisType> implements SignatureTrustEngine {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(BaseSignatureTrustEngine.class);

    /** Resolver that turns the signature's {@code KeyInfo} into candidate (untrusted) credentials. */
    private final KeyInfoCredentialResolver keyInfoCredentialResolver;

    /**
     * Constructor.
     *
     * @param keyInfoResolver resolver used to extract candidate credentials from a signature's
     *            {@code KeyInfo}; must not be null
     * @throws IllegalArgumentException if {@code keyInfoResolver} is null
     */
    public BaseSignatureTrustEngine(KeyInfoCredentialResolver keyInfoResolver) {
        if (keyInfoResolver == null) {
            throw new IllegalArgumentException("KeyInfo credential resolver may not be null");
        }
        keyInfoCredentialResolver = keyInfoResolver;
    }

    /**
     * Get the resolver used to derive candidate credentials from a signature's {@code KeyInfo}.
     *
     * @return the KeyInfo credential resolver; never null
     */
    public KeyInfoCredentialResolver getKeyInfoResolver() {
        return keyInfoCredentialResolver;
    }

    /**
     * Verify the signature and establish trust using credentials derived from its {@code KeyInfo}.
     *
     * <p>Every credential the resolver yields is tried in turn. A candidate is accepted only if it
     * both cryptographically verifies the signature <em>and</em> is judged trusted by
     * {@code evaluateTrust}; a candidate that verifies but is not trusted is logged and skipped,
     * and the next candidate is tried. A signature without a {@code KeyInfo} element yields no
     * candidates and so cannot be validated by this method.</p>
     *
     * <p>The {@code signature} argument is dereferenced without a null check; callers are
     * expected to have run {@code checkParams} (or an equivalent guard) first.</p>
     *
     * @param signature the signature to verify; must not be null
     * @param trustBasis subclass-specific trust-basis information handed to {@code evaluateTrust}
     * @return true iff some KeyInfo-derived credential verified the signature and was trusted
     * @throws SecurityException if credential resolution or trust evaluation fails
     */
    protected boolean validate(Signature signature, TrustBasisType trustBasis) throws SecurityException {
        log.debug("Attempting to verify signature and establish trust using KeyInfo-derived credentials");

        if (signature.getKeyInfo() == null) {
            log.info("Signature contained no KeyInfo element, could not resolve verification credentials");
        } else if (verifyAndTrustViaKeyInfo(signature, trustBasis)) {
            return true;
        }

        log.debug("Failed to verify signature and/or establish trust using any KeyInfo-derived credentials");
        return false;
    }

    /**
     * Iterate the KeyInfo-derived candidates, returning on the first that verifies the signature
     * and is trusted. Assumes {@code signature.getKeyInfo()} is non-null.
     *
     * @param signature the signature whose KeyInfo supplies the candidates
     * @param trustBasis trust-basis information for {@code evaluateTrust}
     * @return true iff a verifying, trusted candidate was found
     * @throws SecurityException if resolution or trust evaluation fails
     */
    private boolean verifyAndTrustViaKeyInfo(Signature signature, TrustBasisType trustBasis)
            throws SecurityException {
        CriteriaSet criteria = new CriteriaSet(new KeyInfoCriteria(signature.getKeyInfo()));

        for (Credential candidate : getKeyInfoResolver().resolve(criteria)) {
            if (!verifySignature(signature, candidate)) {
                continue;
            }
            log.debug("Successfully verified signature using KeyInfo-derived credential");
            log.debug("Attempting to establish trust of KeyInfo-derived credential");
            // Verification alone is not enough: the key came from the signer, so trust must be
            // established independently before the signature is accepted.
            if (evaluateTrust(candidate, trustBasis)) {
                log.debug("Successfully established trust of KeyInfo-derived credential");
                return true;
            }
            log.debug("Failed to establish trust of KeyInfo-derived credential");
        }
        return false;
    }

    /**
     * Decide whether an untrusted candidate credential (one that verified the signature) is in
     * fact trusted according to the supplied trust basis. Implemented by subclasses.
     *
     * @param untrustedCredential the credential under evaluation; it originated from the
     *            signature's KeyInfo and must not be assumed trustworthy
     * @param trustBasis subclass-specific trust-basis information
     * @return true iff the credential is trusted
     * @throws SecurityException if trust evaluation fails
     */
    protected abstract boolean evaluateTrust(Credential untrustedCredential, TrustBasisType trustBasis)
        throws SecurityException;

    /**
     * Cryptographically verify the signature against a single candidate credential.
     *
     * <p>A validation failure is reported as {@code false} (with the exception logged at debug
     * level); it does not propagate. This says nothing about trust in the credential.</p>
     *
     * @param signature the signature to verify
     * @param credential the candidate credential to verify with
     * @return true iff the signature verified with the candidate
     */
    protected boolean verifySignature(Signature signature, Credential credential) {
        try {
            new SignatureValidator(credential).validate(signature);
            log.debug("Signature validation using candidate credential was successful");
            return true;
        } catch (ValidationException e) {
            log.debug("Signature validation using candidate validation credential failed", e);
            return false;
        }
    }

    /**
     * Check the inputs to XML-signature validation.
     *
     * @param signature the signature to validate
     * @param trustBasisCriteria criteria from which the trust basis is derived
     * @throws SecurityException if the signature is null, or the criteria set is null or empty
     */
    protected void checkParams(Signature signature, CriteriaSet trustBasisCriteria) throws SecurityException {
        if (signature == null) {
            throw new SecurityException("Signature was null");
        }
        requireTrustBasisCriteria(trustBasisCriteria);
    }

    /**
     * Check the inputs to raw (non-XML) signature validation.
     *
     * @param signature the raw signature bytes
     * @param content the signed content bytes
     * @param algorithmURI the signature algorithm URI
     * @param trustBasisCriteria criteria from which the trust basis is derived
     * @throws SecurityException if the signature or content is null or empty, the algorithm URI
     *             is null or empty, or the criteria set is null or empty
     */
    protected void checkParamsRaw(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria)
        throws SecurityException {
        if (isNullOrEmpty(signature)) {
            throw new SecurityException("Signature byte array was null or empty");
        }
        if (isNullOrEmpty(content)) {
            throw new SecurityException("Content byte array was null or empty");
        }
        if (DatatypeHelper.isEmpty(algorithmURI)) {
            throw new SecurityException("Signature algorithm was null or empty");
        }
        requireTrustBasisCriteria(trustBasisCriteria);
    }

    /**
     * Reject a null or empty trust-basis criteria set; shared by both parameter checks.
     *
     * @param trustBasisCriteria the criteria set to check
     * @throws SecurityException if the set is null or empty
     */
    private void requireTrustBasisCriteria(CriteriaSet trustBasisCriteria) throws SecurityException {
        if (trustBasisCriteria == null) {
            throw new SecurityException("Trust basis criteria set was null");
        }
        if (trustBasisCriteria.isEmpty()) {
            throw new SecurityException("Trust basis criteria set was empty");
        }
    }

    /**
     * Null-or-empty test for a byte array.
     *
     * @param bytes the array to test
     * @return true iff {@code bytes} is null or has length zero
     */
    private static boolean isNullOrEmpty(byte[] bytes) {
        return bytes == null || bytes.length == 0;
    }

}