author | mullan |
Mon, 13 May 2013 17:50:14 -0400 | |
changeset 18266 | 26e69da689b9 |
parent 18240 | cda839ac048f |
child 18780 | f47b920867e7 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
1337 | 2 |
* reserved comment block |
3 |
* DO NOT REMOVE OR ALTER! |
|
4 |
*/ |
|
5 |
/* |
|
6 |
* Copyright 2005 The Apache Software Foundation. |
|
2 | 7 |
* |
1337 | 8 |
* Licensed under the Apache License, Version 2.0 (the "License"); |
9 |
* you may not use this file except in compliance with the License. |
|
10 |
* You may obtain a copy of the License at |
|
2 | 11 |
* |
1337 | 12 |
* http://www.apache.org/licenses/LICENSE-2.0 |
2 | 13 |
* |
1337 | 14 |
* Unless required by applicable law or agreed to in writing, software |
15 |
* distributed under the License is distributed on an "AS IS" BASIS, |
|
16 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
17 |
* See the License for the specific language governing permissions and |
|
18 |
* limitations under the License. |
|
2 | 19 |
* |
20 |
*/ |
|
1337 | 21 |
/* |
5506 | 22 |
* Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. |
1337 | 23 |
*/ |
2 | 24 |
/* |
25 |
* =========================================================================== |
|
26 |
* |
|
27 |
* (C) Copyright IBM Corp. 2003 All Rights Reserved. |
|
28 |
* |
|
29 |
* =========================================================================== |
|
30 |
*/ |
|
31 |
/* |
|
1337 | 32 |
* $Id: DOMRetrievalMethod.java,v 1.2 2008/07/24 15:20:32 mullan Exp $ |
2 | 33 |
*/ |
34 |
package org.jcp.xml.dsig.internal.dom; |
|
35 |
||
36 |
import java.io.ByteArrayInputStream; |
|
37 |
import java.net.URI; |
|
38 |
import java.net.URISyntaxException; |
|
1337 | 39 |
import java.security.Provider; |
2 | 40 |
import java.util.*; |
18240 | 41 |
import javax.xml.XMLConstants; |
2 | 42 |
import javax.xml.crypto.*; |
43 |
import javax.xml.crypto.dsig.*; |
|
44 |
import javax.xml.crypto.dom.DOMCryptoContext; |
|
45 |
import javax.xml.crypto.dom.DOMURIReference; |
|
46 |
import javax.xml.crypto.dsig.keyinfo.RetrievalMethod; |
|
47 |
import javax.xml.parsers.*; |
|
48 |
import org.w3c.dom.Attr; |
|
49 |
import org.w3c.dom.Document; |
|
50 |
import org.w3c.dom.Element; |
|
51 |
import org.w3c.dom.Node; |
|
52 |
||
53 |
import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput; |
|
54 |
||
55 |
/** |
|
56 |
* DOM-based implementation of RetrievalMethod. |
|
57 |
* |
|
58 |
* @author Sean Mullan |
|
59 |
* @author Joyce Leung |
|
60 |
*/ |
|
61 |
public final class DOMRetrievalMethod extends DOMStructure |
|
62 |
implements RetrievalMethod, DOMURIReference { |
|
63 |
||
64 |
private final List transforms; |
|
65 |
private String uri; |
|
66 |
private String type; |
|
67 |
private Attr here; |
|
68 |
||
69 |
/** |
|
70 |
* Creates a <code>DOMRetrievalMethod</code> containing the specified |
|
71 |
* URIReference and List of Transforms. |
|
72 |
* |
|
73 |
* @param uri the URI |
|
74 |
* @param type the type |
|
75 |
* @param transforms a list of {@link Transform}s. The list is defensively |
|
76 |
* copied to prevent subsequent modification. May be <code>null</code> |
|
77 |
* or empty. |
|
78 |
* @throws IllegalArgumentException if the format of <code>uri</code> is |
|
79 |
* invalid, as specified by Reference's URI attribute in the W3C |
|
80 |
* specification for XML-Signature Syntax and Processing |
|
81 |
* @throws NullPointerException if <code>uriReference</code> |
|
82 |
* is <code>null</code> |
|
83 |
* @throws ClassCastException if <code>transforms</code> contains any |
|
84 |
* entries that are not of type {@link Transform} |
|
85 |
*/ |
|
86 |
public DOMRetrievalMethod(String uri, String type, List transforms) { |
|
87 |
if (uri == null) { |
|
88 |
throw new NullPointerException("uri cannot be null"); |
|
89 |
} |
|
90 |
if (transforms == null || transforms.isEmpty()) { |
|
91 |
this.transforms = Collections.EMPTY_LIST; |
|
92 |
} else { |
|
93 |
List transformsCopy = new ArrayList(transforms); |
|
94 |
for (int i = 0, size = transformsCopy.size(); i < size; i++) { |
|
95 |
if (!(transformsCopy.get(i) instanceof Transform)) { |
|
96 |
throw new ClassCastException |
|
97 |
("transforms["+i+"] is not a valid type"); |
|
98 |
} |
|
99 |
} |
|
100 |
this.transforms = Collections.unmodifiableList(transformsCopy); |
|
101 |
} |
|
102 |
this.uri = uri; |
|
103 |
if ((uri != null) && (!uri.equals(""))) { |
|
104 |
try { |
|
105 |
new URI(uri); |
|
106 |
} catch (URISyntaxException e) { |
|
107 |
throw new IllegalArgumentException(e.getMessage()); |
|
108 |
} |
|
109 |
} |
|
110 |
||
111 |
this.type = type; |
|
112 |
} |
|
113 |
||
114 |
/** |
|
115 |
* Creates a <code>DOMRetrievalMethod</code> from an element. |
|
116 |
* |
|
117 |
* @param rmElem a RetrievalMethod element |
|
118 |
*/ |
|
1337 | 119 |
public DOMRetrievalMethod(Element rmElem, XMLCryptoContext context, |
120 |
Provider provider) throws MarshalException { |
|
2 | 121 |
// get URI and Type attributes |
122 |
uri = DOMUtils.getAttributeValue(rmElem, "URI"); |
|
123 |
type = DOMUtils.getAttributeValue(rmElem, "Type"); |
|
124 |
||
125 |
// get here node |
|
126 |
here = rmElem.getAttributeNodeNS(null, "URI"); |
|
127 |
||
18240 | 128 |
boolean secVal = Utils.secureValidation(context); |
129 |
||
2 | 130 |
// get Transforms, if specified |
131 |
List transforms = new ArrayList(); |
|
132 |
Element transformsElem = DOMUtils.getFirstChildElement(rmElem); |
|
18240 | 133 |
|
134 |
int transformCount = 0; |
|
2 | 135 |
if (transformsElem != null) { |
136 |
Element transformElem = |
|
137 |
DOMUtils.getFirstChildElement(transformsElem); |
|
138 |
while (transformElem != null) { |
|
1337 | 139 |
transforms.add |
140 |
(new DOMTransform(transformElem, context, provider)); |
|
2 | 141 |
transformElem = DOMUtils.getNextSiblingElement(transformElem); |
18240 | 142 |
|
143 |
transformCount++; |
|
144 |
if (secVal && |
|
145 |
(transformCount > DOMReference.MAXIMUM_TRANSFORM_COUNT)) |
|
146 |
{ |
|
147 |
String error = "A maxiumum of " + |
|
148 |
DOMReference.MAXIMUM_TRANSFORM_COUNT + |
|
149 |
" transforms per Reference are allowed" + |
|
150 |
" with secure validation"; |
|
151 |
throw new MarshalException(error); |
|
152 |
} |
|
2 | 153 |
} |
154 |
} |
|
155 |
if (transforms.isEmpty()) { |
|
156 |
this.transforms = Collections.EMPTY_LIST; |
|
157 |
} else { |
|
158 |
this.transforms = Collections.unmodifiableList(transforms); |
|
159 |
} |
|
160 |
} |
|
161 |
||
162 |
public String getURI() { |
|
163 |
return uri; |
|
164 |
} |
|
165 |
||
166 |
public String getType() { |
|
167 |
return type; |
|
168 |
} |
|
169 |
||
170 |
public List getTransforms() { |
|
171 |
return transforms; |
|
172 |
} |
|
173 |
||
174 |
public void marshal(Node parent, String dsPrefix, DOMCryptoContext context) |
|
175 |
throws MarshalException { |
|
176 |
Document ownerDoc = DOMUtils.getOwnerDocument(parent); |
|
177 |
||
178 |
Element rmElem = DOMUtils.createElement |
|
179 |
(ownerDoc, "RetrievalMethod", XMLSignature.XMLNS, dsPrefix); |
|
180 |
||
181 |
// add URI and Type attributes |
|
182 |
DOMUtils.setAttribute(rmElem, "URI", uri); |
|
183 |
DOMUtils.setAttribute(rmElem, "Type", type); |
|
184 |
||
185 |
// add Transforms elements |
|
186 |
if (!transforms.isEmpty()) { |
|
187 |
Element transformsElem = DOMUtils.createElement |
|
188 |
(ownerDoc, "Transforms", XMLSignature.XMLNS, dsPrefix); |
|
189 |
rmElem.appendChild(transformsElem); |
|
190 |
for (int i = 0, size = transforms.size(); i < size; i++) { |
|
191 |
((DOMTransform) transforms.get(i)).marshal |
|
192 |
(transformsElem, dsPrefix, context); |
|
193 |
} |
|
194 |
} |
|
195 |
||
196 |
parent.appendChild(rmElem); |
|
197 |
||
198 |
// save here node |
|
199 |
here = rmElem.getAttributeNodeNS(null, "URI"); |
|
200 |
} |
|
201 |
||
202 |
public Node getHere() { |
|
203 |
return here; |
|
204 |
} |
|
205 |
||
206 |
public Data dereference(XMLCryptoContext context) |
|
207 |
throws URIReferenceException { |
|
208 |
||
209 |
if (context == null) { |
|
210 |
throw new NullPointerException("context cannot be null"); |
|
211 |
} |
|
212 |
||
213 |
/* |
|
214 |
* If URIDereferencer is specified in context; use it, otherwise use |
|
215 |
* built-in. |
|
216 |
*/ |
|
217 |
URIDereferencer deref = context.getURIDereferencer(); |
|
218 |
if (deref == null) { |
|
219 |
deref = DOMURIDereferencer.INSTANCE; |
|
220 |
} |
|
221 |
||
222 |
Data data = deref.dereference(this, context); |
|
223 |
||
224 |
// pass dereferenced data through Transforms |
|
225 |
try { |
|
226 |
for (int i = 0, size = transforms.size(); i < size; i++) { |
|
227 |
Transform transform = (Transform) transforms.get(i); |
|
228 |
data = ((DOMTransform) transform).transform(data, context); |
|
229 |
} |
|
230 |
} catch (Exception e) { |
|
231 |
throw new URIReferenceException(e); |
|
232 |
} |
|
18266
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
233 |
|
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
234 |
// guard against RetrievalMethod loops |
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
235 |
if ((data instanceof NodeSetData) && Utils.secureValidation(context)) { |
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
236 |
NodeSetData nsd = (NodeSetData)data; |
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
237 |
Iterator i = nsd.iterator(); |
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
238 |
if (i.hasNext()) { |
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
239 |
Node root = (Node)i.next(); |
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
240 |
if ("RetrievalMethod".equals(root.getLocalName())) { |
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
241 |
throw new URIReferenceException( |
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
242 |
"It is forbidden to have one RetrievalMethod point " + |
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
243 |
"to another when secure validation is enabled"); |
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
244 |
} |
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
245 |
} |
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
246 |
} |
26e69da689b9
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
mullan
parents:
18240
diff
changeset
|
247 |
|
2 | 248 |
return data; |
249 |
} |
|
250 |
||
251 |
public XMLStructure dereferenceAsXMLStructure(XMLCryptoContext context) |
|
252 |
throws URIReferenceException { |
|
253 |
||
254 |
try { |
|
255 |
ApacheData data = (ApacheData) dereference(context); |
|
256 |
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); |
|
257 |
dbf.setNamespaceAware(true); |
|
18240 | 258 |
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, |
259 |
Boolean.TRUE); |
|
2 | 260 |
DocumentBuilder db = dbf.newDocumentBuilder(); |
261 |
Document doc = db.parse(new ByteArrayInputStream |
|
262 |
(data.getXMLSignatureInput().getBytes())); |
|
263 |
Element kiElem = doc.getDocumentElement(); |
|
264 |
if (kiElem.getLocalName().equals("X509Data")) { |
|
265 |
return new DOMX509Data(kiElem); |
|
266 |
} else { |
|
267 |
return null; // unsupported |
|
268 |
} |
|
269 |
} catch (Exception e) { |
|
270 |
throw new URIReferenceException(e); |
|
271 |
} |
|
272 |
} |
|
273 |
||
274 |
public boolean equals(Object obj) { |
|
275 |
if (this == obj) { |
|
276 |
return true; |
|
277 |
} |
|
278 |
if (!(obj instanceof RetrievalMethod)) { |
|
279 |
return false; |
|
280 |
} |
|
281 |
RetrievalMethod orm = (RetrievalMethod) obj; |
|
282 |
||
283 |
boolean typesEqual = (type == null ? orm.getType() == null : |
|
284 |
type.equals(orm.getType())); |
|
285 |
||
286 |
return (uri.equals(orm.getURI()) && |
|
287 |
transforms.equals(orm.getTransforms()) && typesEqual); |
|
288 |
} |
|
289 |
} |