author | mullan |
Fri, 21 Nov 2014 15:23:36 -0500 | |
changeset 27747 | 3a271dc8b758 |
parent 24251 | da7dc40edb67 |
child 28308 | 5fdc6e6c0b97 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
24251
da7dc40edb67
8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits
mullan
parents:
11674
diff
changeset
|
2 |
* Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. |
|
8 |
* |
|
9 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
10 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
11 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
12 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
13 |
* accompanied this code). |
|
14 |
* |
|
15 |
* You should have received a copy of the GNU General Public License version |
|
16 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
17 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
18 |
* |
|
5506 | 19 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
20 |
* or visit www.oracle.com if you need additional information or have any |
|
21 |
* questions. |
|
2 | 22 |
*/ |
23 |
||
24 |
import java.io.*; |
|
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
25 |
import java.security.Key; |
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
26 |
import java.security.KeyException; |
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
27 |
import java.security.PublicKey; |
2 | 28 |
import java.security.cert.*; |
29 |
import java.util.*; |
|
30 |
import javax.crypto.SecretKey; |
|
31 |
import javax.xml.crypto.*; |
|
32 |
import javax.xml.crypto.dsig.*; |
|
33 |
import javax.xml.crypto.dom.*; |
|
34 |
import javax.xml.crypto.dsig.keyinfo.*; |
|
35 |
import javax.xml.parsers.DocumentBuilderFactory; |
|
36 |
import javax.xml.parsers.DocumentBuilder; |
|
37 |
import org.w3c.dom.Document; |
|
38 |
import org.w3c.dom.Node; |
|
39 |
import org.w3c.dom.Element; |
|
40 |
import org.w3c.dom.traversal.*; |
|
41 |
import sun.security.util.DerValue; |
|
42 |
import sun.security.x509.X500Name; |
|
43 |
||
44 |
/** |
|
45 |
* This is a class which supplies several KeySelector implementations |
|
46 |
*/ |
|
47 |
class KeySelectors { |
|
48 |
||
49 |
/** |
|
50 |
* KeySelector which would always return the secret key specified in its |
|
51 |
* constructor. |
|
52 |
*/ |
|
53 |
static class SecretKeySelector extends KeySelector { |
|
54 |
private SecretKey key; |
|
55 |
SecretKeySelector(byte[] bytes) { |
|
56 |
key = wrapBytes(bytes); |
|
57 |
} |
|
58 |
SecretKeySelector(SecretKey key) { |
|
59 |
this.key = key; |
|
60 |
} |
|
61 |
||
62 |
public KeySelectorResult select(KeyInfo ki, |
|
63 |
KeySelector.Purpose purpose, |
|
64 |
AlgorithmMethod method, |
|
65 |
XMLCryptoContext context) |
|
66 |
throws KeySelectorException { |
|
67 |
return new SimpleKSResult(key); |
|
68 |
} |
|
69 |
||
70 |
private SecretKey wrapBytes(final byte[] bytes) { |
|
71 |
return new SecretKey() { |
|
72 |
public String getFormat() { |
|
73 |
return "RAW"; |
|
74 |
} |
|
75 |
||
76 |
public String getAlgorithm() { |
|
77 |
return "Secret key"; |
|
78 |
} |
|
79 |
||
80 |
public byte[] getEncoded() { |
|
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
81 |
return bytes.clone(); |
2 | 82 |
} |
83 |
}; |
|
84 |
} |
|
85 |
} |
|
86 |
||
87 |
/** |
|
88 |
* KeySelector which would retrieve the X509Certificate out of the |
|
89 |
* KeyInfo element and return the public key. |
|
90 |
* NOTE: If there is an X509CRL in the KeyInfo element, then revoked |
|
91 |
* certificate will be ignored. |
|
92 |
*/ |
|
93 |
static class RawX509KeySelector extends KeySelector { |
|
94 |
||
95 |
public KeySelectorResult select(KeyInfo keyInfo, |
|
96 |
KeySelector.Purpose purpose, |
|
97 |
AlgorithmMethod method, |
|
98 |
XMLCryptoContext context) |
|
99 |
throws KeySelectorException { |
|
100 |
if (keyInfo == null) { |
|
101 |
throw new KeySelectorException("Null KeyInfo object!"); |
|
102 |
} |
|
103 |
// search for X509Data in keyinfo |
|
27747 | 104 |
for (XMLStructure kiType : keyInfo.getContent()) { |
2 | 105 |
if (kiType instanceof X509Data) { |
106 |
X509Data xd = (X509Data) kiType; |
|
107 |
Object[] entries = xd.getContent().toArray(); |
|
108 |
X509CRL crl = null; |
|
109 |
// Looking for CRL before finding certificates |
|
110 |
for (int i = 0; (i<entries.length&&crl != null); i++) { |
|
111 |
if (entries[i] instanceof X509CRL) { |
|
112 |
crl = (X509CRL) entries[i]; |
|
113 |
} |
|
114 |
} |
|
115 |
boolean hasCRL = false; |
|
27747 | 116 |
for (Object o : xd.getContent()) { |
2 | 117 |
// skip non-X509Certificate entries |
118 |
if (o instanceof X509Certificate) { |
|
119 |
if ((purpose != KeySelector.Purpose.VERIFY) && |
|
120 |
(crl != null) && |
|
121 |
crl.isRevoked((X509Certificate)o)) { |
|
122 |
continue; |
|
123 |
} else { |
|
124 |
return new SimpleKSResult |
|
125 |
(((X509Certificate)o).getPublicKey()); |
|
126 |
} |
|
127 |
} |
|
128 |
} |
|
129 |
} |
|
130 |
} |
|
131 |
throw new KeySelectorException("No X509Certificate found!"); |
|
132 |
} |
|
133 |
} |
|
134 |
||
135 |
/** |
|
136 |
* KeySelector which would retrieve the public key out of the |
|
137 |
* KeyValue element and return it. |
|
138 |
* NOTE: If the key algorithm doesn't match signature algorithm, |
|
139 |
* then the public key will be ignored. |
|
140 |
*/ |
|
141 |
static class KeyValueKeySelector extends KeySelector { |
|
142 |
public KeySelectorResult select(KeyInfo keyInfo, |
|
143 |
KeySelector.Purpose purpose, |
|
144 |
AlgorithmMethod method, |
|
145 |
XMLCryptoContext context) |
|
146 |
throws KeySelectorException { |
|
147 |
if (keyInfo == null) { |
|
148 |
throw new KeySelectorException("Null KeyInfo object!"); |
|
149 |
} |
|
150 |
SignatureMethod sm = (SignatureMethod) method; |
|
151 |
||
27747 | 152 |
for (XMLStructure xmlStructure : keyInfo.getContent()) { |
2 | 153 |
if (xmlStructure instanceof KeyValue) { |
154 |
PublicKey pk = null; |
|
155 |
try { |
|
156 |
pk = ((KeyValue)xmlStructure).getPublicKey(); |
|
157 |
} catch (KeyException ke) { |
|
158 |
throw new KeySelectorException(ke); |
|
159 |
} |
|
160 |
// make sure algorithm is compatible with method |
|
161 |
if (algEquals(sm.getAlgorithm(), pk.getAlgorithm())) { |
|
162 |
return new SimpleKSResult(pk); |
|
163 |
} |
|
164 |
} |
|
165 |
} |
|
166 |
throw new KeySelectorException("No KeyValue element found!"); |
|
167 |
} |
|
168 |
||
169 |
//@@@FIXME: this should also work for key types other than DSA/RSA |
|
170 |
static boolean algEquals(String algURI, String algName) { |
|
171 |
if (algName.equalsIgnoreCase("DSA") && |
|
24251
da7dc40edb67
8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits
mullan
parents:
11674
diff
changeset
|
172 |
algURI.equals(SignatureMethod.DSA_SHA1) || |
da7dc40edb67
8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits
mullan
parents:
11674
diff
changeset
|
173 |
algURI.equals("http://www.w3.org/2009/xmldsig11#dsa-sha256")) { |
2 | 174 |
return true; |
175 |
} else if (algName.equalsIgnoreCase("RSA") && |
|
176 |
(algURI.equals(SignatureMethod.RSA_SHA1) || |
|
177 |
algURI.equals |
|
178 |
("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256") || |
|
179 |
algURI.equals |
|
180 |
("http://www.w3.org/2001/04/xmldsig-more#rsa-sha384") || |
|
181 |
algURI.equals |
|
182 |
("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"))) { |
|
183 |
return true; |
|
184 |
} else { |
|
185 |
return false; |
|
186 |
} |
|
187 |
} |
|
188 |
} |
|
189 |
||
190 |
/** |
|
191 |
* KeySelector which would perform special lookup as documented |
|
192 |
* by the ie/baltimore/merlin-examples testcases and return the |
|
193 |
* matching public key. |
|
194 |
*/ |
|
195 |
static class CollectionKeySelector extends KeySelector { |
|
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
196 |
private CertificateFactory cf; |
2 | 197 |
private File certDir; |
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
198 |
private Vector<X509Certificate> certs; |
2 | 199 |
private static final int MATCH_SUBJECT = 0; |
200 |
private static final int MATCH_ISSUER = 1; |
|
201 |
private static final int MATCH_SERIAL = 2; |
|
202 |
private static final int MATCH_SUBJECT_KEY_ID = 3; |
|
203 |
private static final int MATCH_CERTIFICATE = 4; |
|
204 |
||
205 |
CollectionKeySelector(File dir) { |
|
206 |
certDir = dir; |
|
207 |
try { |
|
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
208 |
cf = CertificateFactory.getInstance("X509"); |
2 | 209 |
} catch (CertificateException ex) { |
210 |
// not going to happen |
|
211 |
} |
|
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
212 |
certs = new Vector<X509Certificate>(); |
2 | 213 |
File[] files = new File(certDir, "certs").listFiles(); |
214 |
for (int i = 0; i < files.length; i++) { |
|
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
215 |
try (FileInputStream fis = new FileInputStream(files[i])) { |
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
216 |
certs.add((X509Certificate)cf.generateCertificate(fis)); |
2 | 217 |
} catch (Exception ex) { } |
218 |
} |
|
219 |
} |
|
220 |
||
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
221 |
Vector<X509Certificate> match(int matchType, Object value, |
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
222 |
Vector<X509Certificate> pool) { |
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
223 |
Vector<X509Certificate> matchResult = new Vector<>(); |
2 | 224 |
for (int j=0; j < pool.size(); j++) { |
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
225 |
X509Certificate c = pool.get(j); |
2 | 226 |
switch (matchType) { |
227 |
case MATCH_SUBJECT: |
|
228 |
try { |
|
229 |
if (c.getSubjectDN().equals(new X500Name((String)value))) { |
|
230 |
matchResult.add(c); |
|
231 |
} |
|
232 |
} catch (IOException ioe) { } |
|
233 |
break; |
|
234 |
case MATCH_ISSUER: |
|
235 |
try { |
|
236 |
if (c.getIssuerDN().equals(new X500Name((String)value))) { |
|
237 |
matchResult.add(c); |
|
238 |
} |
|
239 |
} catch (IOException ioe) { } |
|
240 |
break; |
|
241 |
case MATCH_SERIAL: |
|
242 |
if (c.getSerialNumber().equals(value)) { |
|
243 |
matchResult.add(c); |
|
244 |
} |
|
245 |
||
246 |
break; |
|
247 |
case MATCH_SUBJECT_KEY_ID: |
|
248 |
byte[] extension = c.getExtensionValue("2.5.29.14"); |
|
249 |
if (extension != null) { |
|
250 |
try { |
|
251 |
DerValue derValue = new DerValue(extension); |
|
252 |
DerValue derValue2 = new DerValue(derValue.getOctetString()); |
|
253 |
byte[] extVal = derValue2.getOctetString(); |
|
254 |
||
255 |
if (Arrays.equals(extVal, (byte[]) value)) { |
|
256 |
matchResult.add(c); |
|
257 |
} |
|
258 |
} catch (IOException ex) { } |
|
259 |
} |
|
260 |
break; |
|
261 |
case MATCH_CERTIFICATE: |
|
262 |
if (c.equals(value)) { |
|
263 |
matchResult.add(c); |
|
264 |
} |
|
265 |
break; |
|
266 |
} |
|
267 |
} |
|
268 |
return matchResult; |
|
269 |
} |
|
270 |
||
271 |
public KeySelectorResult select(KeyInfo keyInfo, |
|
272 |
KeySelector.Purpose purpose, |
|
273 |
AlgorithmMethod method, |
|
274 |
XMLCryptoContext context) |
|
275 |
throws KeySelectorException { |
|
276 |
if (keyInfo == null) { |
|
277 |
throw new KeySelectorException("Null KeyInfo object!"); |
|
278 |
} |
|
27747 | 279 |
for (XMLStructure xmlStructure : keyInfo.getContent()) { |
2 | 280 |
try { |
281 |
if (xmlStructure instanceof KeyName) { |
|
282 |
String name = ((KeyName)xmlStructure).getName(); |
|
283 |
PublicKey pk = null; |
|
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
284 |
File certFile = new File(new File(certDir, "certs"), |
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
285 |
name.toLowerCase() + ".crt"); |
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
286 |
try (FileInputStream fis = new FileInputStream(certFile)) { |
2 | 287 |
// Lookup the public key using the key name 'Xxx', |
288 |
// i.e. the public key is in "certs/xxx.crt". |
|
289 |
X509Certificate cert = (X509Certificate) |
|
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
290 |
cf.generateCertificate(fis); |
2 | 291 |
pk = cert.getPublicKey(); |
292 |
} catch (FileNotFoundException e) { |
|
293 |
// assume KeyName contains subject DN and search |
|
294 |
// collection of certs for match |
|
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
295 |
Vector<X509Certificate> result = |
2 | 296 |
match(MATCH_SUBJECT, name, certs); |
297 |
int numOfMatches = (result==null? 0:result.size()); |
|
298 |
if (numOfMatches != 1) { |
|
299 |
throw new KeySelectorException |
|
300 |
((numOfMatches==0?"No":"More than one") + |
|
301 |
" match found"); |
|
302 |
} |
|
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
303 |
pk = result.get(0).getPublicKey(); |
2 | 304 |
} |
305 |
return new SimpleKSResult(pk); |
|
306 |
} else if (xmlStructure instanceof RetrievalMethod) { |
|
307 |
// Lookup the public key using the retrievel method. |
|
308 |
// NOTE: only X509Certificate type is supported. |
|
309 |
RetrievalMethod rm = (RetrievalMethod) xmlStructure; |
|
310 |
String type = rm.getType(); |
|
311 |
if (type.equals(X509Data.RAW_X509_CERTIFICATE_TYPE)) { |
|
312 |
String uri = rm.getURI(); |
|
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
313 |
try (FileInputStream fis = |
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
314 |
new FileInputStream(new File(certDir, uri))) { |
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
315 |
X509Certificate cert = (X509Certificate) |
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
316 |
cf.generateCertificate(fis); |
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
317 |
return new SimpleKSResult(cert.getPublicKey()); |
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
318 |
} |
2 | 319 |
} else { |
320 |
throw new KeySelectorException |
|
321 |
("Unsupported RetrievalMethod type"); |
|
322 |
} |
|
323 |
} else if (xmlStructure instanceof X509Data) { |
|
324 |
List content = ((X509Data)xmlStructure).getContent(); |
|
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
325 |
Vector<X509Certificate> result = null; |
2 | 326 |
// Lookup the public key using the information |
327 |
// specified in X509Data element, i.e. searching |
|
328 |
// over the collection of certificate files under |
|
329 |
// "certs" subdirectory and return those match. |
|
27747 | 330 |
for (Object obj : content) { |
2 | 331 |
if (obj instanceof String) { |
332 |
result = match(MATCH_SUBJECT, obj, certs); |
|
333 |
} else if (obj instanceof byte[]) { |
|
334 |
result = match(MATCH_SUBJECT_KEY_ID, obj, |
|
335 |
certs); |
|
336 |
} else if (obj instanceof X509Certificate) { |
|
337 |
result = match(MATCH_CERTIFICATE, obj, certs); |
|
338 |
} else if (obj instanceof X509IssuerSerial) { |
|
339 |
X509IssuerSerial is = (X509IssuerSerial) obj; |
|
340 |
result = match(MATCH_SERIAL, |
|
341 |
is.getSerialNumber(), certs); |
|
342 |
result = match(MATCH_ISSUER, |
|
343 |
is.getIssuerName(), result); |
|
344 |
} else { |
|
345 |
throw new KeySelectorException("Unsupported X509Data: " + obj); |
|
346 |
} |
|
347 |
} |
|
348 |
int numOfMatches = (result==null? 0:result.size()); |
|
349 |
if (numOfMatches != 1) { |
|
350 |
throw new KeySelectorException |
|
351 |
((numOfMatches==0?"No":"More than one") + |
|
352 |
" match found"); |
|
353 |
} |
|
11674
a657f8ba55fc
7131084: XMLDSig XPathFilter2Transform regression involving intersect filter
mullan
parents:
5506
diff
changeset
|
354 |
return new SimpleKSResult(result.get(0).getPublicKey()); |
2 | 355 |
} |
356 |
} catch (Exception ex) { |
|
357 |
throw new KeySelectorException(ex); |
|
358 |
} |
|
359 |
} |
|
360 |
throw new KeySelectorException("No matching key found!"); |
|
361 |
} |
|
362 |
} |
|
363 |
||
364 |
static class ByteUtil { |
|
365 |
||
366 |
private static String mapping = "0123456789ABCDEF"; |
|
367 |
private static int numBytesPerRow = 6; |
|
368 |
||
369 |
private static String getHex(byte value) { |
|
370 |
int low = value & 0x0f; |
|
371 |
int high = ((value >> 4) & 0x0f); |
|
372 |
char[] res = new char[2]; |
|
373 |
res[0] = mapping.charAt(high); |
|
374 |
res[1] = mapping.charAt(low); |
|
375 |
return new String(res); |
|
376 |
} |
|
377 |
||
378 |
static String dumpArray(byte[] in) { |
|
379 |
int numDumped = 0; |
|
380 |
StringBuffer buf = new StringBuffer(512); |
|
381 |
buf.append("{"); |
|
382 |
for (int i=0;i<(in.length/numBytesPerRow); i++) { |
|
383 |
for (int j=0; j<(numBytesPerRow); j++) { |
|
384 |
buf.append("(byte)0x" + getHex(in[i*numBytesPerRow+j]) + |
|
385 |
", "); |
|
386 |
} |
|
387 |
numDumped += numBytesPerRow; |
|
388 |
} |
|
389 |
while (numDumped < in.length) { |
|
390 |
buf.append("(byte)0x" + getHex(in[numDumped]) + " "); |
|
391 |
numDumped += 1; |
|
392 |
} |
|
393 |
buf.append("}"); |
|
394 |
return buf.toString(); |
|
395 |
} |
|
396 |
} |
|
397 |
} |
|
398 |
||
399 |
class SimpleKSResult implements KeySelectorResult { |
|
400 |
private final Key key; |
|
401 |
||
402 |
SimpleKSResult(Key key) { this.key = key; } |
|
403 |
||
404 |
public Key getKey() { return key; } |
|
405 |
} |