Class XMLSignature
java.lang.Object
org.apache.xml.security.utils.ElementProxy
org.apache.xml.security.utils.SignatureElementProxy
org.apache.xml.security.signature.XMLSignature
Handles
<ds:Signature> elements.
This is the main class that deals with creating and verifying signatures.
There are 2 types of constructors for this class. The ones that take a document, baseURI and 1 or more Java Objects. This is mostly used for signing purposes. The other constructor is the one that takes a DOM Element and a baseURI. This is used mostly with for verifying, when you have a SignatureElement. There are a few different types of methods:
- The addDocument* methods are used to add References with optional transforms during signing.
- addKeyInfo* methods are to add Certificates and Keys to the KeyInfo tags during signing.
- appendObject allows a user to add any XML Structure as an ObjectContainer during signing.
- sign and checkSignatureValue methods are used to sign and validate the signature.
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final StringHMAC - NOT Recommended HMAC-MD5static final StringHMAC - Optional HMAC-RIPEMD160static final StringMAC - Required HMAC-SHA1static final StringHMAC - Optional HMAC-SHA2224static final StringHMAC - Optional HMAC-SHA256static final StringHMAC - Optional HMAC-SHA284static final StringHMAC - Optional HMAC-SHA512static final StringSignature - Required DSAwithSHA1 (DSS)static final StringSignature - Optional DSAwithSHA256static final StringSignature - Optional ECDSAwithRIPEMD160static final StringSignature - Optional ECDSAwithSHA1static final StringSignature - Optional ECDSAwithSHA224static final StringSignature - Optional ECDSAwithSHA256static final StringSignature - Optional ECDSAwithSHA384static final StringSignature - Optional ECDSAwithSHA512static final StringSignature - NOT Recommended RSAwithMD5static final StringSignature - Recommended RSAwithSHA1static final StringSignature - Optional RSAwithRIPEMD160static final StringSignature - Recommended RSAwithSHA1static final StringSignature - Optional RSAwithSHA1andMGF1static final StringSignature - Optional RSAwithSHA224static final StringSignature - Optional RSAwithSHA224andMGF1static final StringSignature - Optional RSAwithSHA256static final StringSignature - Optional RSAwithSHA256andMGF1static final StringSignature - Optional RSAwithSHA3_224andMGF1static final StringSignature - Optional RSAwithSHA3_256andMGF1static final StringSignature - Optional RSAwithSHA3_384andMGF1static final StringSignature - Optional RSAwithSHA3_512andMGF1static final StringSignature - Optional RSAwithSHA384static final StringSignature - Optional RSAwithSHA384andMGF1static final StringSignature - Optional RSAwithSHA512static final StringSignature - Optional RSAwithSHA512andMGF1Fields inherited from class org.apache.xml.security.utils.ElementProxy
baseURI -
Constructor Summary
ConstructorsConstructorDescriptionXMLSignature(Document doc, String baseURI, String signatureMethodURI) This creates a newds:SignatureElement and adds an emptyds:SignedInfo.XMLSignature(Document doc, String baseURI, String signatureMethodURI, int hmacOutputLength) Constructor XMLSignatureXMLSignature(Document doc, String baseURI, String signatureMethodURI, int hmacOutputLength, String canonicalizationMethodURI) Constructor XMLSignatureXMLSignature(Document doc, String baseURI, String signatureMethodURI, String canonicalizationMethodURI) Constructor XMLSignatureXMLSignature(Document doc, String baseURI, Element SignatureMethodElem, Element CanonicalizationMethodElem) Creates a XMLSignature in a DocumentXMLSignature(Element element, String baseURI) This will parse the element and construct the Java Objects.XMLSignature(Element element, String baseURI, boolean secureValidation) This will parse the element and construct the Java Objects. -
Method Summary
Modifier and TypeMethodDescriptionvoidaddDocument(String referenceURI) Add a Reference with just this URI.voidaddDocument(String referenceURI, Transforms trans) Adds a Reference with just the URI and the transforms.voidaddDocument(String referenceURI, Transforms trans, String digestURI) This method is a proxy method for theManifest.addDocument(java.lang.String, java.lang.String, org.apache.xml.security.transforms.Transforms, java.lang.String, java.lang.String, java.lang.String)method.voidaddDocument(String referenceURI, Transforms trans, String digestURI, String referenceId, String referenceType) Add a Reference with full parameters to this SignaturevoidaddKeyInfo(X509Certificate cert) Add an X509 Certificate to the KeyInfo.voidaddKeyInfo(PublicKey pk) Add this public key to the KeyInfo.voidaddResourceResolver(ResourceResolver resolver) Adds aResourceResolverto enable the retrieval of resources.voidaddResourceResolver(ResourceResolverSpi resolver) Adds aResourceResolverSpito enable the retrieval of resources.voidappendObject(ObjectContainer object) Appends an Object (not ajava.lang.Objectbut an Object element) to the Signature.booleanExtracts the public key from the certificate and verifies if the signature is valid by re-digesting all References, comparing those against the stored DigestValues and then checking to see if the Signatures match on the SignedInfo.booleanVerifies if the signature is valid by redigesting all References, comparing those against the stored DigestValues and then checking to see if the Signatures match on the SignedInfo.createSecretKey(byte[] secretKeyBytes) Proxy method forSignedInfo.createSecretKey(byte[]).Get the local name of this elementgetId()Returns theIdattributeReturns the KeyInfo child.getObjectItem(int i) Returns theithds:Objectchild of the signature or null if no suchds:Objectelement exists.intReturns the number of allds:Objectelements.byte[]Returns the octet value of the SignatureValue element.Returns the completely parsedSignedInfoobject.voidsetFollowNestedManifests(boolean followManifests) Signal whether Manifest should be automatically validated.voidSets theIdattributevoidDigests all References in the SignedInfo, calculates the signature value and sets it in the SignatureValue Element.Methods inherited from class org.apache.xml.security.utils.SignatureElementProxy
getBaseNamespaceMethods inherited from class org.apache.xml.security.utils.ElementProxy
addBase64Element, addBase64Text, addBigIntegerElement, addReturnToSelf, addText, addTextElement, appendOther, appendSelf, appendSelf, createElementForFamily, createElementForFamilyLocal, createText, getBaseURI, getBigIntegerFromChildElement, getBytesFromTextChild, getDefaultPrefix, getDocument, getElement, getElementPlusReturns, getFirstChild, getLocalAttribute, getTextFromChildElement, getTextFromTextChild, length, registerDefaultPrefixes, setDefaultPrefix, setDocument, setElement, setElement, setLocalAttribute, setLocalIdAttribute, setXPathNamespaceContext
-
Field Details
-
ALGO_ID_MAC_HMAC_SHA1
MAC - Required HMAC-SHA1- See Also:
-
ALGO_ID_SIGNATURE_DSA
Signature - Required DSAwithSHA1 (DSS)- See Also:
-
ALGO_ID_SIGNATURE_DSA_SHA256
Signature - Optional DSAwithSHA256- See Also:
-
ALGO_ID_SIGNATURE_RSA
Signature - Recommended RSAwithSHA1- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA1
Signature - Recommended RSAwithSHA1- See Also:
-
ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5
Signature - NOT Recommended RSAwithMD5- See Also:
-
ALGO_ID_SIGNATURE_RSA_RIPEMD160
Signature - Optional RSAwithRIPEMD160- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA224
Signature - Optional RSAwithSHA224- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA256
Signature - Optional RSAwithSHA256- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA384
Signature - Optional RSAwithSHA384- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA512
Signature - Optional RSAwithSHA512- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA1_MGF1
Signature - Optional RSAwithSHA1andMGF1- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA224_MGF1
Signature - Optional RSAwithSHA224andMGF1- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA256_MGF1
Signature - Optional RSAwithSHA256andMGF1- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA384_MGF1
Signature - Optional RSAwithSHA384andMGF1- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA512_MGF1
Signature - Optional RSAwithSHA512andMGF1- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA3_224_MGF1
Signature - Optional RSAwithSHA3_224andMGF1- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA3_256_MGF1
Signature - Optional RSAwithSHA3_256andMGF1- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA3_384_MGF1
Signature - Optional RSAwithSHA3_384andMGF1- See Also:
-
ALGO_ID_SIGNATURE_RSA_SHA3_512_MGF1
Signature - Optional RSAwithSHA3_512andMGF1- See Also:
-
ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5
HMAC - NOT Recommended HMAC-MD5- See Also:
-
ALGO_ID_MAC_HMAC_RIPEMD160
HMAC - Optional HMAC-RIPEMD160- See Also:
-
ALGO_ID_MAC_HMAC_SHA224
HMAC - Optional HMAC-SHA2224- See Also:
-
ALGO_ID_MAC_HMAC_SHA256
HMAC - Optional HMAC-SHA256- See Also:
-
ALGO_ID_MAC_HMAC_SHA384
HMAC - Optional HMAC-SHA284- See Also:
-
ALGO_ID_MAC_HMAC_SHA512
HMAC - Optional HMAC-SHA512- See Also:
-
ALGO_ID_SIGNATURE_ECDSA_SHA1
Signature - Optional ECDSAwithSHA1- See Also:
-
ALGO_ID_SIGNATURE_ECDSA_SHA224
Signature - Optional ECDSAwithSHA224- See Also:
-
ALGO_ID_SIGNATURE_ECDSA_SHA256
Signature - Optional ECDSAwithSHA256- See Also:
-
ALGO_ID_SIGNATURE_ECDSA_SHA384
Signature - Optional ECDSAwithSHA384- See Also:
-
ALGO_ID_SIGNATURE_ECDSA_SHA512
Signature - Optional ECDSAwithSHA512- See Also:
-
ALGO_ID_SIGNATURE_ECDSA_RIPEMD160
Signature - Optional ECDSAwithRIPEMD160- See Also:
-
-
Constructor Details
-
XMLSignature
public XMLSignature(Document doc, String baseURI, String signatureMethodURI) throws XMLSecurityException This creates a newds:SignatureElement and adds an emptyds:SignedInfo. Theds:SignedInfois initialized with the specified Signature algorithm and Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS which is REQUIRED by the spec. This method's main use is for creating a new signature.- Parameters:
doc- Document in which the signature will be appended after creation.baseURI- URI to be used as context for all relative URIs.signatureMethodURI- signature algorithm to use.- Throws:
XMLSecurityException
-
XMLSignature
public XMLSignature(Document doc, String baseURI, String signatureMethodURI, int hmacOutputLength) throws XMLSecurityException Constructor XMLSignature- Parameters:
doc-baseURI-signatureMethodURI- the Signature method to be used.hmacOutputLength-- Throws:
XMLSecurityException
-
XMLSignature
public XMLSignature(Document doc, String baseURI, String signatureMethodURI, String canonicalizationMethodURI) throws XMLSecurityException Constructor XMLSignature- Parameters:
doc-baseURI-signatureMethodURI- the Signature method to be used.canonicalizationMethodURI- the canonicalization algorithm to be used to c14nize the SignedInfo element.- Throws:
XMLSecurityException
-
XMLSignature
public XMLSignature(Document doc, String baseURI, String signatureMethodURI, int hmacOutputLength, String canonicalizationMethodURI) throws XMLSecurityException Constructor XMLSignature- Parameters:
doc-baseURI-signatureMethodURI-hmacOutputLength-canonicalizationMethodURI-- Throws:
XMLSecurityException
-
XMLSignature
public XMLSignature(Document doc, String baseURI, Element SignatureMethodElem, Element CanonicalizationMethodElem) throws XMLSecurityException Creates a XMLSignature in a Document- Parameters:
doc-baseURI-SignatureMethodElem-CanonicalizationMethodElem-- Throws:
XMLSecurityException
-
XMLSignature
public XMLSignature(Element element, String baseURI) throws XMLSignatureException, XMLSecurityException This will parse the element and construct the Java Objects. That will allow a user to validate the signature.- Parameters:
element- ds:Signature element that contains the whole signaturebaseURI- URI to be prepended to all relative URIs- Throws:
XMLSecurityExceptionXMLSignatureException- if the signature is badly formatted
-
XMLSignature
public XMLSignature(Element element, String baseURI, boolean secureValidation) throws XMLSignatureException, XMLSecurityException This will parse the element and construct the Java Objects. That will allow a user to validate the signature.- Parameters:
element- ds:Signature element that contains the whole signaturebaseURI- URI to be prepended to all relative URIssecureValidation- whether secure secureValidation is enabled or not- Throws:
XMLSecurityExceptionXMLSignatureException- if the signature is badly formatted
-
-
Method Details
-
setId
Sets theIdattribute- Parameters:
id- Id value for the id attribute on the Signature Element
-
getId
Returns theIdattribute- Returns:
- the
Idattribute
-
getSignedInfo
Returns the completely parsedSignedInfoobject.- Returns:
- the completely parsed
SignedInfoobject.
-
getSignatureValue
Returns the octet value of the SignatureValue element. Throws an XMLSignatureException if it has no or wrong content.- Returns:
- the value of the SignatureValue element.
- Throws:
XMLSignatureException- If there is no content
-
getKeyInfo
Returns the KeyInfo child. If we are in signing mode and the KeyInfo does not exist yet, it is created on demand and added to the Signature.
This allows to add arbitrary content to the KeyInfo during signing.- Returns:
- the KeyInfo object
-
appendObject
Appends an Object (not ajava.lang.Objectbut an Object element) to the Signature. Please note that this is only possible when signing.- Parameters:
object- ds:Object to be appended.- Throws:
XMLSignatureException- When this object is used to verify.
-
getObjectItem
Returns theithds:Objectchild of the signature or null if no suchds:Objectelement exists.- Parameters:
i-- Returns:
- the
ithds:Objectchild of the signature or null if no suchds:Objectelement exists.
-
getObjectLength
public int getObjectLength()Returns the number of allds:Objectelements.- Returns:
- the number of all
ds:Objectelements.
-
sign
Digests all References in the SignedInfo, calculates the signature value and sets it in the SignatureValue Element.- Parameters:
signingKey- thePrivateKeyorSecretKeythat is used to sign.- Throws:
XMLSignatureException
-
addResourceResolver
Adds aResourceResolverto enable the retrieval of resources.- Parameters:
resolver-
-
addResourceResolver
Adds aResourceResolverSpito enable the retrieval of resources.- Parameters:
resolver-
-
checkSignatureValue
Extracts the public key from the certificate and verifies if the signature is valid by re-digesting all References, comparing those against the stored DigestValues and then checking to see if the Signatures match on the SignedInfo.- Parameters:
cert- Certificate that contains the public key part of the keypair that was used to sign.- Returns:
- true if the signature is valid, false otherwise
- Throws:
XMLSignatureException
-
checkSignatureValue
Verifies if the signature is valid by redigesting all References, comparing those against the stored DigestValues and then checking to see if the Signatures match on the SignedInfo.- Parameters:
pk-PublicKeypart of the keypair orSecretKeythat was used to sign- Returns:
- true if the signature is valid, false otherwise
- Throws:
XMLSignatureException
-
addDocument
public void addDocument(String referenceURI, Transforms trans, String digestURI, String referenceId, String referenceType) throws XMLSignatureException Add a Reference with full parameters to this Signature- Parameters:
referenceURI- URI of the resource to be signed. Can be null in which case the dereferencing is application specific. Can be "" in which it's the parent node (or parent document?). There can only be one "" in each signature.trans- Optional list of transformations to be done before digestingdigestURI- Mandatory URI of the digesting algorithm to use.referenceId- Optional id attribute for this ReferencereferenceType- Optional mimetype for the URI- Throws:
XMLSignatureException
-
addDocument
public void addDocument(String referenceURI, Transforms trans, String digestURI) throws XMLSignatureException This method is a proxy method for theManifest.addDocument(java.lang.String, java.lang.String, org.apache.xml.security.transforms.Transforms, java.lang.String, java.lang.String, java.lang.String)method.- Parameters:
referenceURI- URI according to the XML Signature specification.trans- List of transformations to be applied.digestURI- URI of the digest algorithm to be used.- Throws:
XMLSignatureException- See Also:
-
addDocument
Adds a Reference with just the URI and the transforms. This used the SHA1 algorithm as a default digest algorithm.- Parameters:
referenceURI- URI according to the XML Signature specification.trans- List of transformations to be applied.- Throws:
XMLSignatureException
-
addDocument
Add a Reference with just this URI. It uses SHA1 by default as the digest algorithm- Parameters:
referenceURI- URI according to the XML Signature specification.- Throws:
XMLSignatureException
-
addKeyInfo
Add an X509 Certificate to the KeyInfo. This will include the whole cert inside X509Data/X509Certificate tags.- Parameters:
cert- Certificate to be included. This should be the certificate of the key that was used to sign.- Throws:
XMLSecurityException
-
addKeyInfo
Add this public key to the KeyInfo. This will include the complete key in the KeyInfo structure.- Parameters:
pk-
-
createSecretKey
Proxy method forSignedInfo.createSecretKey(byte[]). If you want to create a MAC, this method helps you to obtain theSecretKeyfrom octets.- Parameters:
secretKeyBytes-- Returns:
- the secret key created.
- See Also:
-
setFollowNestedManifests
public void setFollowNestedManifests(boolean followManifests) Signal whether Manifest should be automatically validated. Checking the digests in References in a Signature are mandatory, but for References inside a Manifest it is application specific. This boolean is to indicate that the References inside Manifests should be validated.- Parameters:
followManifests-- See Also:
-
getBaseLocalName
Get the local name of this element- Specified by:
getBaseLocalNamein classElementProxy- Returns:
- Constants._TAG_SIGNATURE
-