Posted to commits@cxf.apache.org by ow...@apache.org on 2013/10/25 22:17:56 UTC
svn commit: r1535850 - in /cxf/fediz/trunk:
plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/
plugins/core/src/main/java/org/apache/cxf/fediz/core/util/
services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/
Author: owulff
Date: Fri Oct 25 20:17:56 2013
New Revision: 1535850
URL: http://svn.apache.org/r1535850
Log:
[FEDIZ-67] Use same Canonicalization Method for Signatures for Metadata document as for SAML tokens
Added:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/CertsUtils.java
- copied, changed from r1535509, cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/CertsUtils.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/SignatureUtils.java
Removed:
cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/CertsUtils.java
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/MetadataWriter.java
Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java?rev=1535850&r1=1535849&r2=1535850&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java Fri Oct 25 20:17:56 2013
@@ -26,46 +26,23 @@ import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStreamWriter;
import java.io.Writer;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collections;
import java.util.List;
import javax.security.auth.callback.CallbackHandler;
-import javax.xml.crypto.dsig.CanonicalizationMethod;
-import javax.xml.crypto.dsig.DigestMethod;
-import javax.xml.crypto.dsig.Reference;
-import javax.xml.crypto.dsig.SignatureMethod;
-import javax.xml.crypto.dsig.SignedInfo;
-import javax.xml.crypto.dsig.Transform;
-import javax.xml.crypto.dsig.XMLSignature;
-import javax.xml.crypto.dsig.XMLSignatureFactory;
-import javax.xml.crypto.dsig.dom.DOMSignContext;
-import javax.xml.crypto.dsig.keyinfo.KeyInfo;
-import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
-import javax.xml.crypto.dsig.keyinfo.X509Data;
-import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
-import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamWriter;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.apache.cxf.fediz.core.config.Claim;
import org.apache.cxf.fediz.core.config.FederationContext;
import org.apache.cxf.fediz.core.config.FederationProtocol;
-import org.apache.cxf.fediz.core.config.KeyManager;
import org.apache.cxf.fediz.core.config.Protocol;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.util.DOMUtils;
+import org.apache.cxf.fediz.core.util.SignatureUtils;
-import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.util.UUIDGenerator;
import org.slf4j.Logger;
@@ -81,9 +58,7 @@ public class MetadataWriter {
private static final Logger LOG = LoggerFactory.getLogger(MetadataWriter.class);
private static final XMLOutputFactory XML_OUTPUT_FACTORY = XMLOutputFactory.newInstance();
- private static final XMLSignatureFactory XML_SIGNATURE_FACTORY = XMLSignatureFactory.getInstance("DOM");
private static final DocumentBuilderFactory DOC_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
- private static final TransformerFactory TRANSFORMER_FACTORY = TransformerFactory.newInstance();
static {
DOC_BUILDER_FACTORY.setNamespaceAware(true);
@@ -233,7 +208,8 @@ public class MetadataWriter {
LOG.info("No signingKey element found in config: " + ex.getMessage());
}
if (hasSigningKey) {
- ByteArrayOutputStream result = signMetaInfo(config, is, referenceID);
+ ByteArrayOutputStream result = SignatureUtils.signMetaInfo(
+ config.getSigningKey().getCrypto(), config.getSigningKey().getKeyAlias(), config.getSigningKey().getKeyPassword(), is, referenceID);
if (result != null) {
is = new ByteArrayInputStream(result.toByteArray());
} else {
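Review bot: The new call on the `SignatureUtils.signMetaInfo(` line invokes `config.getSigningKey()` three times in one argument list, although the enclosing method (it starts above this hunk) has already resolved the signing key once for the `hasSigningKey` check. Hoist it into a local and pass its parts, e.g. `KeyManager keyManager = config.getSigningKey();` followed by `SignatureUtils.signMetaInfo(keyManager.getCrypto(), keyManager.getKeyAlias(), keyManager.getKeyPassword(), is, referenceID)`, which would mean keeping the `KeyManager` import this commit removes from the import block.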
@@ -250,92 +226,6 @@ public class MetadataWriter {
}
- private ByteArrayOutputStream signMetaInfo(FederationContext config, InputStream metaInfo, String referenceID) throws Exception {
- KeyManager keyManager = config.getSigningKey();
- String keyAlias = keyManager.getKeyAlias();
- String keypass = keyManager.getKeyPassword();
-
- // in case we did not specify the key alias, we assume there is only one key in the keystore ,
- // we use this key's alias as default.
- if (keyAlias == null || "".equals(keyAlias)) {
- //keyAlias = getDefaultX509Identifier(ks);
- keyAlias = keyManager.getCrypto().getDefaultX509Identifier();
- }
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
- cryptoType.setAlias(keyAlias);
- X509Certificate[] issuerCerts = keyManager.getCrypto().getX509Certificates(cryptoType);
- if (issuerCerts == null || issuerCerts.length == 0) {
- throw new ProcessingException(
- "No issuer certs were found to sign the metadata using issuer name: "
- + keyAlias);
- }
- X509Certificate cert = issuerCerts[0];
-
- String signatureMethod = null;
- if ("SHA1withDSA".equals(cert.getSigAlgName())) {
- signatureMethod = SignatureMethod.DSA_SHA1;
- } else if ("SHA1withRSA".equals(cert.getSigAlgName())) {
- signatureMethod = SignatureMethod.RSA_SHA1;
- } else if ("SHA256withRSA".equals(cert.getSigAlgName())) {
- signatureMethod = SignatureMethod.RSA_SHA1;
- } else {
- LOG.error("Unsupported signature method: " + cert.getSigAlgName());
- throw new RuntimeException("Unsupported signature method: " + cert.getSigAlgName());
- }
-
- // Create a Reference to the enveloped document (in this case,
- // you are signing the whole document, so a URI of "" signifies
- // that, and also specify the SHA1 digest algorithm and
- // the ENVELOPED Transform.
- Reference ref = XML_SIGNATURE_FACTORY.newReference("#" + referenceID, XML_SIGNATURE_FACTORY.newDigestMethod(DigestMethod.SHA1, null), Collections
- .singletonList(XML_SIGNATURE_FACTORY.newTransform(Transform.ENVELOPED, (TransformParameterSpec)null)), null, null);
-
- // Create the SignedInfo.
- SignedInfo si = XML_SIGNATURE_FACTORY.newSignedInfo(XML_SIGNATURE_FACTORY.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
- (C14NMethodParameterSpec)null), XML_SIGNATURE_FACTORY
- .newSignatureMethod(signatureMethod, null), Collections.singletonList(ref));
-
- // step 2
- // Load the KeyStore and get the signing key and certificate.
-
-
-
- PrivateKey keyEntry = keyManager.getCrypto().getPrivateKey(keyAlias, keypass);
-
-
- // Create the KeyInfo containing the X509Data.
- KeyInfoFactory kif = XML_SIGNATURE_FACTORY.getKeyInfoFactory();
- List<Object> x509Content = new ArrayList<Object>();
- x509Content.add(cert.getSubjectX500Principal().getName());
- x509Content.add(cert);
- X509Data xd = kif.newX509Data(x509Content);
- KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
-
- // step3
- // Instantiate the document to be signed.
- Document doc = DOC_BUILDER_FACTORY.newDocumentBuilder().parse(metaInfo);
-
- // Create a DOMSignContext and specify the RSA PrivateKey and
- // location of the resulting XMLSignature's parent element.
- //DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(), doc.getDocumentElement());
- DOMSignContext dsc = new DOMSignContext(keyEntry, doc.getDocumentElement());
- dsc.setIdAttributeNS(doc.getDocumentElement(), null, "ID");
- dsc.setNextSibling(doc.getDocumentElement().getFirstChild());
-
- // Create the XMLSignature, but don't sign it yet.
- XMLSignature signature = XML_SIGNATURE_FACTORY.newXMLSignature(si, ki);
-
- // Marshal, generate, and sign the enveloped signature.
- signature.sign(dsc);
-
- // step 4
- // Output the resulting document.
-
- ByteArrayOutputStream os = new ByteArrayOutputStream(8192);
- Transformer trans = TRANSFORMER_FACTORY.newTransformer();
- trans.transform(new DOMSource(doc), new StreamResult(os));
- os.flush();
- return os;
- }
+
}
Copied: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/CertsUtils.java (from r1535509, cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/CertsUtils.java)
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/CertsUtils.java?p2=cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/CertsUtils.java&p1=cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/CertsUtils.java&r1=1535509&r2=1535850&rev=1535850&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/CertsUtils.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/CertsUtils.java Fri Oct 25 20:17:56 2013
@@ -17,7 +17,7 @@
* under the License.
*/
-package org.apache.cxf.fediz.service.idp.util;
+package org.apache.cxf.fediz.core.util;
import java.io.BufferedInputStream;
import java.io.IOException;
Added: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/SignatureUtils.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/SignatureUtils.java?rev=1535850&view=auto
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/SignatureUtils.java (added)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/SignatureUtils.java Fri Oct 25 20:17:56 2013
@@ -0,0 +1,175 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.core.util;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.crypto.dsig.CanonicalizationMethod;
+import javax.xml.crypto.dsig.DigestMethod;
+import javax.xml.crypto.dsig.Reference;
+import javax.xml.crypto.dsig.SignatureMethod;
+import javax.xml.crypto.dsig.SignedInfo;
+import javax.xml.crypto.dsig.Transform;
+import javax.xml.crypto.dsig.XMLSignature;
+import javax.xml.crypto.dsig.XMLSignatureFactory;
+import javax.xml.crypto.dsig.dom.DOMSignContext;
+import javax.xml.crypto.dsig.keyinfo.KeyInfo;
+import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
+import javax.xml.crypto.dsig.keyinfo.X509Data;
+import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
+import javax.xml.crypto.dsig.spec.TransformParameterSpec;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+
+import org.w3c.dom.Document;
+
+import org.apache.ws.security.components.crypto.Crypto;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public final class SignatureUtils {
+
+ private static final Logger LOG = LoggerFactory.getLogger(SignatureUtils.class);
+
+ private static final XMLSignatureFactory XML_SIGNATURE_FACTORY = XMLSignatureFactory.getInstance("DOM");
+ private static final DocumentBuilderFactory DOC_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
+ private static final TransformerFactory TRANSFORMER_FACTORY = TransformerFactory.newInstance();
+
+ private SignatureUtils() {
+ }
+
+
+ public static ByteArrayOutputStream signMetaInfo(Crypto crypto, String keyAlias, String keyPassword,
+ InputStream metaInfo, String referenceID) throws Exception {
+ if (keyAlias == null || "".equals(keyAlias)) {
+ keyAlias = crypto.getDefaultX509Identifier();
+ }
+ X509Certificate cert = CertsUtils.getX509Certificate(crypto, keyAlias);
+// }
+
+/* public static ByteArrayOutputStream signMetaInfo(FederationContext config, InputStream metaInfo,
+ String referenceID)
+ throws Exception {
+
+ KeyManager keyManager = config.getSigningKey();
+ String keyAlias = keyManager.getKeyAlias();
+ String keypass = keyManager.getKeyPassword();
+
+ // in case we did not specify the key alias, we assume there is only one key in the keystore ,
+ // we use this key's alias as default.
+ if (keyAlias == null || "".equals(keyAlias)) {
+ //keyAlias = getDefaultX509Identifier(ks);
+ keyAlias = keyManager.getCrypto().getDefaultX509Identifier();
+ }
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias(keyAlias);
+ X509Certificate[] issuerCerts = keyManager.getCrypto().getX509Certificates(cryptoType);
+ if (issuerCerts == null || issuerCerts.length == 0) {
+ throw new ProcessingException(
+ "No issuer certs were found to sign the metadata using issuer name: "
+ + keyAlias);
+ }
+ X509Certificate cert = issuerCerts[0];
+*/
+ String signatureMethod = null;
+ if ("SHA1withDSA".equals(cert.getSigAlgName())) {
+ signatureMethod = SignatureMethod.DSA_SHA1;
+ } else if ("SHA1withRSA".equals(cert.getSigAlgName())) {
+ signatureMethod = SignatureMethod.RSA_SHA1;
+ } else if ("SHA256withRSA".equals(cert.getSigAlgName())) {
+ signatureMethod = SignatureMethod.RSA_SHA1;
+ } else {
+ LOG.error("Unsupported signature method: " + cert.getSigAlgName());
+ throw new RuntimeException("Unsupported signature method: " + cert.getSigAlgName());
+ }
+
+ List<Transform> transformList = new ArrayList<Transform>();
+ transformList.add(XML_SIGNATURE_FACTORY.newTransform(Transform.ENVELOPED, (TransformParameterSpec)null));
+ transformList.add(XML_SIGNATURE_FACTORY.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
+ (C14NMethodParameterSpec)null));
+
+ // Create a Reference to the enveloped document (in this case,
+ // you are signing the whole document, so a URI of "" signifies
+ // that, and also specify the SHA1 digest algorithm and
+ // the ENVELOPED Transform.
+ Reference ref = XML_SIGNATURE_FACTORY.newReference(
+ "#" + referenceID,
+ XML_SIGNATURE_FACTORY.newDigestMethod(DigestMethod.SHA1, null),
+ transformList,
+ null, null);
+
+ // Create the SignedInfo.
+ SignedInfo si = XML_SIGNATURE_FACTORY.newSignedInfo(
+ XML_SIGNATURE_FACTORY.newCanonicalizationMethod(
+ CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec)null),
+ XML_SIGNATURE_FACTORY.newSignatureMethod(
+ signatureMethod, null), Collections.singletonList(ref));
+
+ // step 2
+ // Load the KeyStore and get the signing key and certificate.
+
+ PrivateKey keyEntry = crypto.getPrivateKey(keyAlias, keyPassword);
+
+ // Create the KeyInfo containing the X509Data.
+ KeyInfoFactory kif = XML_SIGNATURE_FACTORY.getKeyInfoFactory();
+ List<Object> x509Content = new ArrayList<Object>();
+ x509Content.add(cert.getSubjectX500Principal().getName());
+ x509Content.add(cert);
+ X509Data xd = kif.newX509Data(x509Content);
+ KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
+
+ // step3
+ // Instantiate the document to be signed.
+ Document doc = DOC_BUILDER_FACTORY.newDocumentBuilder().parse(metaInfo);
+
+ // Create a DOMSignContext and specify the RSA PrivateKey and
+ // location of the resulting XMLSignature's parent element.
+ //DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(), doc.getDocumentElement());
+ DOMSignContext dsc = new DOMSignContext(keyEntry, doc.getDocumentElement());
+ dsc.setIdAttributeNS(doc.getDocumentElement(), null, "ID");
+ dsc.setNextSibling(doc.getDocumentElement().getFirstChild());
+
+ // Create the XMLSignature, but don't sign it yet.
+ XMLSignature signature = XML_SIGNATURE_FACTORY.newXMLSignature(si, ki);
+
+ // Marshal, generate, and sign the enveloped signature.
+ signature.sign(dsc);
+
+ // step 4
+ // Output the resulting document.
+
+ ByteArrayOutputStream os = new ByteArrayOutputStream(8192);
+ Transformer trans = TRANSFORMER_FACTORY.newTransformer();
+ trans.transform(new DOMSource(doc), new StreamResult(os));
+ os.flush();
+ return os;
+ }
+
+}
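Review bot: `DOC_BUILDER_FACTORY` in the new SignatureUtils is initialised with a bare `DocumentBuilderFactory.newInstance()` and never made namespace-aware, whereas both MetadataWriter classes set `DOC_BUILDER_FACTORY.setNamespaceAware(true)` in a static block on the factory this method replaced; since `signMetaInfo` parses the metadata here and then signs the resulting DOM, and the JDK XMLDSig DOM provider expects a namespace-aware document, add `static { DOC_BUILDER_FACTORY.setNamespaceAware(true); }` after the factory fields. The `// }` line and the `/* ... */` block following `CertsUtils.getX509Certificate(crypto, keyAlias)` are the old FederationContext-based body left commented out inside the method and should be deleted rather than committed. The algorithm table still maps `"SHA256withRSA"` to `SignatureMethod.RSA_SHA1` and the reference is built with `DigestMethod.SHA1`, so a SHA-256 certificate is silently signed with SHA-1; if the provider in use accepts it, `"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"` together with `DigestMethod.SHA256` would be the matching pair for that branch. Deriving the signing method from `cert.getSigAlgName()` keys off how the issuing CA signed the certificate rather than the signing key's own type, which is worth a comment if it is intentional.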
Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/MetadataWriter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/MetadataWriter.java?rev=1535850&r1=1535849&r2=1535850&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/MetadataWriter.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/MetadataWriter.java Fri Oct 25 20:17:56 2013
@@ -24,37 +24,18 @@ import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStreamWriter;
import java.io.Writer;
-import java.security.PrivateKey;
+
import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.crypto.dsig.CanonicalizationMethod;
-import javax.xml.crypto.dsig.DigestMethod;
-import javax.xml.crypto.dsig.Reference;
-import javax.xml.crypto.dsig.SignatureMethod;
-import javax.xml.crypto.dsig.SignedInfo;
-import javax.xml.crypto.dsig.Transform;
-import javax.xml.crypto.dsig.XMLSignature;
-import javax.xml.crypto.dsig.XMLSignatureFactory;
-import javax.xml.crypto.dsig.dom.DOMSignContext;
-import javax.xml.crypto.dsig.keyinfo.KeyInfo;
-import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
-import javax.xml.crypto.dsig.keyinfo.X509Data;
-import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
-import javax.xml.crypto.dsig.spec.TransformParameterSpec;
+
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamWriter;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
+import org.apache.cxf.fediz.core.util.CertsUtils;
import org.apache.cxf.fediz.core.util.DOMUtils;
+import org.apache.cxf.fediz.core.util.SignatureUtils;
import org.apache.cxf.fediz.service.idp.model.IDPConfig;
import org.apache.ws.security.components.crypto.Crypto;
@@ -74,9 +55,7 @@ public class MetadataWriter {
private static final Logger LOG = LoggerFactory.getLogger(MetadataWriter.class);
private static final XMLOutputFactory XML_OUTPUT_FACTORY = XMLOutputFactory.newInstance();
- private static final XMLSignatureFactory XML_SIGNATURE_FACTORY = XMLSignatureFactory.getInstance("DOM");
private static final DocumentBuilderFactory DOC_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
- private static final TransformerFactory TRANSFORMER_FACTORY = TransformerFactory.newInstance();
static {
DOC_BUILDER_FACTORY.setNamespaceAware(true);
@@ -194,7 +173,7 @@ public class MetadataWriter {
InputStream is = new ByteArrayInputStream(bout.toByteArray());
- ByteArrayOutputStream result = signMetaInfo(crypto, config.getCertificatePassword(), is, referenceID);
+ ByteArrayOutputStream result = SignatureUtils.signMetaInfo(crypto, null, config.getCertificatePassword(), is, referenceID);
if (result != null) {
is = new ByteArrayInputStream(result.toByteArray());
} else {
@@ -211,66 +190,5 @@ public class MetadataWriter {
}
-
- private ByteArrayOutputStream signMetaInfo(Crypto crypto, String keyPassword, InputStream metaInfo, String referenceID) throws Exception {
- String keyAlias = crypto.getDefaultX509Identifier(); //only one key supported in JKS
- X509Certificate cert = CertsUtils.getX509Certificate(crypto, keyAlias);
-
- // Create a Reference to the enveloped document (in this case,
- // you are signing the whole document, so a URI of "" signifies
- // that, and also specify the SHA1 digest algorithm and
- // the ENVELOPED Transform.
- Reference ref = XML_SIGNATURE_FACTORY.newReference("#" + referenceID, XML_SIGNATURE_FACTORY.newDigestMethod(DigestMethod.SHA1, null), Collections
- .singletonList(XML_SIGNATURE_FACTORY.newTransform(Transform.ENVELOPED, (TransformParameterSpec)null)), null, null);
-
- String signatureMethod = null;
- if ("SHA1withDSA".equals(cert.getSigAlgName())) {
- signatureMethod = SignatureMethod.DSA_SHA1;
- } else if ("SHA1withRSA".equals(cert.getSigAlgName())) {
- signatureMethod = SignatureMethod.RSA_SHA1;
- } else if ("SHA256withRSA".equals(cert.getSigAlgName())) {
- signatureMethod = SignatureMethod.RSA_SHA1;
- } else {
- LOG.error("Unsupported signature method: " + cert.getSigAlgName());
- throw new RuntimeException("Unsupported signature method: " + cert.getSigAlgName());
- }
- // Create the SignedInfo.
- SignedInfo si = XML_SIGNATURE_FACTORY.newSignedInfo(XML_SIGNATURE_FACTORY.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
- (C14NMethodParameterSpec)null), XML_SIGNATURE_FACTORY
- .newSignatureMethod(signatureMethod, null), Collections.singletonList(ref));
- // .newSignatureMethod(cert.getSigAlgOID(), null), Collections.singletonList(ref));
-
- PrivateKey keyEntry = crypto.getPrivateKey(keyAlias, keyPassword);
-
- // Create the KeyInfo containing the X509Data.
- KeyInfoFactory kif = XML_SIGNATURE_FACTORY.getKeyInfoFactory();
- List<Object> x509Content = new ArrayList<Object>();
- x509Content.add(cert.getSubjectX500Principal().getName());
- x509Content.add(cert);
- X509Data xd = kif.newX509Data(x509Content);
- KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
-
- // Instantiate the document to be signed.
- Document doc = DOC_BUILDER_FACTORY.newDocumentBuilder().parse(metaInfo);
-
- // Create a DOMSignContext and specify the RSA PrivateKey and
- // location of the resulting XMLSignature's parent element.
- DOMSignContext dsc = new DOMSignContext(keyEntry, doc.getDocumentElement());
- dsc.setIdAttributeNS(doc.getDocumentElement(), null, "ID");
- dsc.setNextSibling(doc.getDocumentElement().getFirstChild());
-
- // Create the XMLSignature, but don't sign it yet.
- XMLSignature signature = XML_SIGNATURE_FACTORY.newXMLSignature(si, ki);
-
- // Marshal, generate, and sign the enveloped signature.
- signature.sign(dsc);
-
- // Output the resulting document.
- ByteArrayOutputStream os = new ByteArrayOutputStream(8192);
- Transformer trans = TRANSFORMER_FACTORY.newTransformer();
- trans.transform(new DOMSource(doc), new StreamResult(os));
- os.flush();
- return os;
- }
}