simplesignatureverifier.java

一个完整的XACML工程,学习XACML技术的好例子!

/*
* Copyright (c) 2000-2005, University of Salford
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without 
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this 
* list of conditions and the following disclaimer.
* 
* Redistributions in binary form must reproduce the above copyright notice, 
* this list of conditions and the following disclaimer in the documentation 
* and/or other materials provided with the distribution. 
*
* Neither the name of the University of Salford nor the names of its 
* contributors may be used to endorse or promote products derived from this 
* software without specific prior written permission. 
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
* POSSIBILITY OF SUCH DAMAGE.
*/

package issrg.pba.rbac;

/**
 * This class takes an issrg.security.Verifier object and lets do simple 
 * signature verification. Generally, it gets the signer's Public Key 
 * Certificates and applies them in turn. If any of them succeeds, the 
 * signature verification succeeds.
 *
 * @author A Otenko
 * @version 1.0
 */

public class SimpleSignatureVerifier implements issrg.pba.rbac.SignatureVerifier {

  private issrg.security.Verifier sv = null;

  protected SimpleSignatureVerifier() {
  }

  /**
   * This constructor builds a SimpleSignatureVerifier given a Verifier. 
   */
  public SimpleSignatureVerifier(issrg.security.Verifier verifier){
    sv = verifier;
  }

  /**
   * This method checks if there is any Public Key Certificate that can verify
   * the digital signature.
   *
   * @param data - the byte array that has been signed
   * @param signature - the byte array of the digital signature
   * @param algID - the signature algorithm identifier; normally it is a 
   *   standard algorithm identifier (e.g. an OID), but can be an
   *   implementation-specific identifier, if the Verifier can understand it
   * @param signer - the TokenLocator pointing to the signer's entry with 
   *   Public Key Certificates
   */
  public boolean checkSignature(byte [] data, byte [] signature, String algID, issrg.utils.repository.TokenLocator signer) throws issrg.pba.rbac.PkiException {
    try{
      java.security.cert.X509Certificate[] certs = sv.getVerificationCertificates(signer);

        //System.out.println("got "+certs.length+" signature validation PKCs"); //*************

      if (certs!=null){
        for (int i=0; i<certs.length; i++){
	        //System.out.println("PKC["+i+"] sigAlgOID="+certs[i].getSigAlgOID()+"; actual signature alg OID="+algID); //*************
          //if (certs[i].getSigAlgOID().equals(algID)){ // looking for particular PKCs only (with the right algID)
          if (signer.getEntry().getEntryName().equals(certs[i].getSubjectDN())){ // make sure the PKC belongs to the signer
            if (sv.verify(data, signature, algID, new java.security.cert.X509Certificate[]{certs[i]})){ // but there can be several PKCs with the same aldID; so try all of them, until the signature matches
	        //System.out.println("signature verified"); //*************
              return true;
            }
	        //System.out.println("signature didn't verify"); //*************
          }
        }
      }

      return false;
    }catch (Throwable th){
        //System.out.println("Exception has been thrown: "+th.getMessage()); //*************
	//th.printStackTrace(); //************
      throw new PkiException(th.getMessage(), th);
    }
  }
}