Posted to dev@wookie.apache.org by sc...@apache.org on 2013/03/05 16:49:41 UTC
svn commit: r1452862 -
/wookie/trunk/src/org/apache/wookie/util/digitalsignature/DigitalSignatureProcessor.java
Author: scottbw
Date: Tue Mar 5 15:49:41 2013
New Revision: 1452862
URL: http://svn.apache.org/r1452862
Log:
Perform additional digital signature validation checks as required by W3C spec
Modified:
wookie/trunk/src/org/apache/wookie/util/digitalsignature/DigitalSignatureProcessor.java
Modified: wookie/trunk/src/org/apache/wookie/util/digitalsignature/DigitalSignatureProcessor.java
URL: http://svn.apache.org/viewvc/wookie/trunk/src/org/apache/wookie/util/digitalsignature/DigitalSignatureProcessor.java?rev=1452862&r1=1452861&r2=1452862&view=diff
==============================================================================
--- wookie/trunk/src/org/apache/wookie/util/digitalsignature/DigitalSignatureProcessor.java (original)
+++ wookie/trunk/src/org/apache/wookie/util/digitalsignature/DigitalSignatureProcessor.java Tue Mar 5 15:49:41 2013
@@ -40,6 +40,7 @@ import org.apache.xml.security.keys.KeyI
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
/**
* verify widgets using digital signatures
@@ -237,6 +238,54 @@ public class DigitalSignatureProcessor i
XPath xpath = xpf.newXPath();
xpath.setNamespaceContext(new DSNamespaceContext());
+ //
+ // Verify signature properties
+ //
+ String pattern = "//ds:Signature[1]/ds:Object[1]/ds:SignatureProperties[1]/ds:SignatureProperty/dsp:Profile";
+ Element profileElement = (Element) xpath.evaluate(pattern, doc, XPathConstants.NODE);
+ pattern = "//ds:Signature[1]/ds:Object[1]/ds:SignatureProperties[1]/ds:SignatureProperty/dsp:Role";
+ Element roleElement = (Element) xpath.evaluate(pattern, doc, XPathConstants.NODE);
+ pattern = "//ds:Signature[1]/ds:Object[1]/ds:SignatureProperties[1]/ds:SignatureProperty/dsp:Identifier";
+ Element identifierElement = (Element) xpath.evaluate(pattern, doc, XPathConstants.NODE);
+
+ //
+ // Reject if there are more than one set of signature properties
+ //
+ pattern = "//ds:SignatureProperties";
+ NodeList nodes = (NodeList)xpath.evaluate(pattern, doc, XPathConstants.NODESET);
+ if (nodes.getLength() != 1){
+ _logger.debug("Incorrect number of signature properties elements");
+ return false;
+ }
+
+ //
+ // Reject if required properties are missing
+ //
+ if (profileElement == null || roleElement == null || identifierElement == null){
+ _logger.debug("Signature is missing a required property element");
+ return false;
+ }
+
+ //
+ // Reject if incorrect URI for Role
+ //
+ String uri = roleElement.getAttribute("URI");
+ if (role.equals("") && !uri.equals("http://www.w3.org/ns/widgets-digsig#role-distributor")){
+ _logger.debug("Role does not match Role URI");
+ return false;
+ }
+ if (role.equals("author") && !uri.equals("http://www.w3.org/ns/widgets-digsig#role-author")){
+ _logger.debug("Role does not match Role URI");
+ return false;
+ }
+
+ //
+ // Reject if incorrect URI for Profile
+ //
+ if (!profileElement.getAttribute("URI").equals("http://www.w3.org/ns/widgets-digsig#profile")){
+ _logger.debug("Profile URI is incorrect");
+ return false;
+ }
String expression = "//ds:Signature[1]";
Element sigElement = (Element) xpath.evaluate(expression, doc,
XPathConstants.NODE);
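Review bot: The added role check compares the `dsp:Role` URI only when `role` is `""` or `"author"`, so any other value of `role` (it is defined outside this hunk, so this is inferred) falls through to the profile check with no role validation at all. It can be made to fail closed with `String expected = "author".equals(role) ? "http://www.w3.org/ns/widgets-digsig#role-author" : "http://www.w3.org/ns/widgets-digsig#role-distributor";` followed by `if (!expected.equals(uri)) { _logger.debug("Role does not match Role URI"); return false; }`, which also avoids a NullPointerException if `role` is null. Separately, the three property elements are located by position in the document and tested only for presence; nothing visible here confirms that the `ds:SignatureProperties` object is covered by a `ds:Reference` of the signature being verified, or that `dsp:Identifier` has non-empty content, so both are worth confirming in the part of the method that follows. The enclosing method starts and ends outside the hunk.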