/* * The OpenSAML License, Version 1. * Copyright (c) 2002 * University Corporation for Advanced Internet Development, Inc. * All rights reserved * * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * Redistributions of source code must retain the above copyright notice, this * list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution, if any, must include * the following acknowledgment: "This product includes software developed by * the University Corporation for Advanced Internet Development * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement * may appear in the software itself, if and wherever such third-party * acknowledgments normally appear. * * Neither the name of OpenSAML nor the names of its contributors, nor * Internet2, nor the University Corporation for Advanced Internet Development, * Inc., nor UCAID may be used to endorse or promote products derived from this * software without specific prior written permission. For written permission, * please contact opensaml@opensaml.org * * Products derived from this software may not be called OpenSAML, Internet2, * UCAID, or the University Corporation for Advanced Internet Development, nor * may OpenSAML appear in their name, without prior written permission of the * University Corporation for Advanced Internet Development. * * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND WITH ALL FAULTS. 
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ package org.opensaml;import java.io.ByteArrayInputStream;import java.io.ByteArrayOutputStream;import java.security.Key;import java.security.cert.Certificate;import java.security.cert.X509Certificate;import java.util.ArrayList;import java.util.Collection;import java.util.Iterator;import org.w3c.dom.*;import org.xml.sax.SAXException;import org.apache.xml.security.c14n.Canonicalizer;import org.apache.xml.security.exceptions.XMLSecurityException;import org.apache.xml.security.keys.KeyInfo;import org.apache.xml.security.keys.content.X509Data;import org.apache.xml.security.signature.Reference;import org.apache.xml.security.signature.SignedInfo;import org.apache.xml.security.signature.XMLSignature;import org.apache.xml.security.transforms.Transforms;import org.apache.xml.security.transforms.params.InclusiveNamespaces;/** * Abstract base class for all SAML objects that can be signed * * @author Scott Cantor * @created March 25, 2002 */public abstract class SAMLSignedObject extends SAMLObject implements Cloneable{ private XMLSignature sig = null; private boolean sig_from_parse = false; /** * Debugging aid to 
access the internal XML Signature implementation.
 *
 * @return The {@code XMLSignature} object backing this instance, or
 *         {@code null} when no signature is attached. Intended for debugging
 *         only; callers should not depend on the concrete type.
 */
public Object getNativeSignature() {
    return sig;
}

/**
 * Gets the XML ID of the signed object. The ID is what the same-document
 * reference URI points at when the object is signed.
 *
 * @return The XML ID
 */
public abstract String getId();

/**
 * Parses the object from its DOM and wraps the first ds:Signature child that
 * {@code XML.getFirstChildElement} finds beneath the root.
 * <p>
 * Only wrapping is done here: the signature is <em>not</em> verified by this
 * method, so a parsed object must still be checked before its contents are
 * trusted. {@code sig_from_parse} records that the signature came from input
 * rather than from {@code sign()}.
 * </p>
 *
 * @param e The root element of the object
 * @throws SAMLException Propagated from the base class, or thrown as
 *         {@code InvalidCryptoException} if the signature element cannot be wrapped
 * @see org.opensaml.SAMLObject#fromDOM(Element e)
 */
public void fromDOM(Element e) throws SAMLException {
    super.fromDOM(e);

    // Locate the ds:Signature beneath the root; nothing to do if there is none.
    Element sigElement = XML.getFirstChildElement(e, XML.XMLSIG_NS, "Signature");
    if (sigElement == null) {
        return;
    }

    try {
        sig = new XMLSignature(sigElement, null);
        // Mark the signature as parsed (as opposed to generated locally).
        sig_from_parse = true;
    } catch (XMLSecurityException ex) {
        throw new InvalidCryptoException("SAMLSignedObject.fromDOM() detected an XML security exception: " + ex.getMessage(), ex);
    } catch (java.io.IOException ex) {
        throw new InvalidCryptoException("SAMLSignedObject.fromDOM() detected an I/O exception: " + ex.getMessage(), ex);
    }
}

/**
 * Returns the cached DOM, or builds it.
 * <p>
 * When a signature is present the DOM is built in the signature's own document
 * so that signature and content stay in one document; otherwise the base class
 * builds it.
 * </p>
 *
 * @return The root node of the object's DOM
 * @throws SAMLException Thrown if the DOM cannot be built
 * @see org.opensaml.SAMLObject#toDOM()
 */
public Node toDOM() throws SAMLException {
    if (root != null) {
        return root;
    }
    if (sig == null) {
        // No signature: the base class chooses the document.
        return super.toDOM();
    }
    // Reuse the document the signature already lives in.
    return toDOM(sig.getDocument());
}

/**
 * Places the signature into the object's DOM to prepare for signing<p>
 *
 * Must be overridden by subclass that knows where to place it</p>
 * @throws SAMLException Thrown if an error occurs while placing the signature
 */
protected abstract void insertSignature() throws SAMLException;

/**
 * Get the DOM element containing the signature
 *
 * @return The ds:Signature element, or {@code null} if the object is unsigned
 */
protected Element getSignatureElement() {
    if (sig == null) {
        return null;
    }
    return sig.getElement();
}

/**
 * Remove the signature and turn this into an unsigned object.
 * Modifying an object after signing will automatically unsign it.
 * <p>
 * Detaches the ds:Signature element from its parent, if it is attached to one,
 * and drops the reference to it.
 * NOTE(review): {@code sig_from_parse} is left unchanged here; confirm whether
 * any caller relies on it after unsigning.
 * </p>
 */
public void unsign() {
    // Only detach when the element is actually attached somewhere in a tree.
    if (sig != null && sig.getElement().getParentNode() != null)
        sig.getElement().getParentNode().removeChild(sig.getElement());
    sig = null;
}

/**
 * Sign the SAML object according to the input parameters
 * <p>
 * Any existing signature is removed first. SignedInfo is canonicalized with
 * exclusive C14N (comments omitted). The single reference carries an
 * enveloped-signature transform followed by an exclusive C14N transform whose
 * InclusiveNamespaces prefix list is read from the
 * {@code org.opensaml.inclusive-namespace-prefixes} property.
 * </p>
 *
 * @param alg The XML signature algorithm to apply
 * @param k The secret or private key to sign the resulting digest
 * @param certs The public key certificate(s) to embed in the object, if any
 * @throws SAMLException Thrown if an error occurs while constructing the signature
 */
public void sign(String alg, Key k, Collection certs) throws SAMLException {
    unsign();

    // Generate the DOM if not already built, and anchor the DOM in the document.
    toDOM();
    plantRoot();

    try {
        // Build the empty signature.
        sig=new XMLSignature(root.getOwnerDocument(),null,alg,Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        // Have the object place it in the proper place.
        insertSignature();

        Transforms transforms = new Transforms(sig.getDocument());
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        // item(1) is the exclusive C14N transform added just above; give it the
        // configured InclusiveNamespaces prefix list.
        transforms.item(1).getElement().appendChild(
            new InclusiveNamespaces(root.getOwnerDocument(),config.getProperty("org.opensaml.inclusive-namespace-prefixes")).getElement()
            );

        // Compatibility mode references the whole document (URI ""); otherwise the
        // reference is a same-document fragment naming this object's XML ID, so it
        // is expected to cover the element carrying that ID.
        if (config.getBooleanProperty("org.opensaml.compatibility-mode"))
            sig.addDocument("",transforms);
        else
            sig.addDocument("#" + getId(),transforms);

        // Add any X.509 certificates provided.
        X509Data x509 = new X509Data(root.getOwnerDocument());
        if (certs!=null)