--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/share/classes/com/sun/org/apache/xml/internal/security/signature/XMLSignature.java Sat Dec 01 00:00:00 2007 +0000
@@ -0,0 +1,758 @@
+/*
+ * reserved comment block
+ * DO NOT REMOVE OR ALTER!
+ */
+/*
+ * Copyright 1999-2004 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package com.sun.org.apache.xml.internal.security.signature;
+
+
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.security.Key;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+
+import javax.crypto.SecretKey;
+
+import com.sun.org.apache.xml.internal.security.algorithms.SignatureAlgorithm;
+import com.sun.org.apache.xml.internal.security.c14n.CanonicalizationException;
+import com.sun.org.apache.xml.internal.security.c14n.Canonicalizer;
+import com.sun.org.apache.xml.internal.security.c14n.InvalidCanonicalizerException;
+import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException;
+import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityException;
+import com.sun.org.apache.xml.internal.security.keys.KeyInfo;
+import com.sun.org.apache.xml.internal.security.keys.content.X509Data;
+import com.sun.org.apache.xml.internal.security.transforms.Transforms;
+import com.sun.org.apache.xml.internal.security.utils.Base64;
+import com.sun.org.apache.xml.internal.security.utils.Constants;
+import com.sun.org.apache.xml.internal.security.utils.I18n;
+import com.sun.org.apache.xml.internal.security.utils.IdResolver;
+import com.sun.org.apache.xml.internal.security.utils.SignatureElementProxy;
+import com.sun.org.apache.xml.internal.security.utils.SignerOutputStream;
+import com.sun.org.apache.xml.internal.security.utils.UnsyncBufferedOutputStream;
+import com.sun.org.apache.xml.internal.security.utils.XMLUtils;
+import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver;
+import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverSpi;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.Text;
+
+
+/**
+ * Handles <code><ds:Signature></code> elements.
+ * This is the main class that deals with creating and verifying signatures.
+ *
+ * <p>There are 2 types of constructors for this class. The ones that take a
+ * document, baseURI and 1 or more Java Objects. This is mostly used for
+ * signing purposes.
+ * The other constructor is the one that takes a DOM Element and a BaseURI.
+ * This is used mostly with for verifying, when you have a SignatureElement.
+ *
+ * There are a few different types of methods:
+ * <ul><li>The addDocument* methods are used to add References with optional
+ * transforms during signing. </li>
+ * <li>addKeyInfo* methods are to add Certificates and Keys to the
+ * KeyInfo tags during signing. </li>
+ * <li>appendObject allows a user to add any XML Structure as an
+ * ObjectContainer during signing.</li>
+ * <li>sign and checkSignatureValue methods are used to sign and validate the
+ * signature. </li></ul>
+ *
+ * @author $Author: raul $
+ */
+public final class XMLSignature extends SignatureElementProxy {
+
+ /** {@link java.util.logging} logging facility */
+ static java.util.logging.Logger log =
+ java.util.logging.Logger.getLogger(XMLSignature.class.getName());
+
+ //J-
+ /** MAC - Required HMAC-SHA1 */
+ public static final String ALGO_ID_MAC_HMAC_SHA1 = Constants.SignatureSpecNS + "hmac-sha1";
+
+ /** Signature - Required DSAwithSHA1 (DSS) */
+ public static final String ALGO_ID_SIGNATURE_DSA = Constants.SignatureSpecNS + "dsa-sha1";
+
+ /** Signature - Recommended RSAwithSHA1 */
+ public static final String ALGO_ID_SIGNATURE_RSA = Constants.SignatureSpecNS + "rsa-sha1";
+ /** Signature - Recommended RSAwithSHA1 */
+ public static final String ALGO_ID_SIGNATURE_RSA_SHA1 = Constants.SignatureSpecNS + "rsa-sha1";
+ /** Signature - NOT Recommended RSAwithMD5 */
+ public static final String ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5 = Constants.MoreAlgorithmsSpecNS + "rsa-md5";
+ /** Signature - Optional RSAwithRIPEMD160 */
+ public static final String ALGO_ID_SIGNATURE_RSA_RIPEMD160 = Constants.MoreAlgorithmsSpecNS + "rsa-ripemd160";
+ /** Signature - Optional RSAwithSHA256 */
+ public static final String ALGO_ID_SIGNATURE_RSA_SHA256 = Constants.MoreAlgorithmsSpecNS + "rsa-sha256";
+ /** Signature - Optional RSAwithSHA384 */
+ public static final String ALGO_ID_SIGNATURE_RSA_SHA384 = Constants.MoreAlgorithmsSpecNS + "rsa-sha384";
+ /** Signature - Optional RSAwithSHA512 */
+ public static final String ALGO_ID_SIGNATURE_RSA_SHA512 = Constants.MoreAlgorithmsSpecNS + "rsa-sha512";
+
+ /** HMAC - NOT Recommended HMAC-MD5 */
+ public static final String ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5 = Constants.MoreAlgorithmsSpecNS + "hmac-md5";
+ /** HMAC - Optional HMAC-RIPEMD160 */
+ public static final String ALGO_ID_MAC_HMAC_RIPEMD160 = Constants.MoreAlgorithmsSpecNS + "hmac-ripemd160";
+ /** HMAC - Optional HMAC-SHA256 */
+ public static final String ALGO_ID_MAC_HMAC_SHA256 = Constants.MoreAlgorithmsSpecNS + "hmac-sha256";
+ /** HMAC - Optional HMAC-SHA284 */
+ public static final String ALGO_ID_MAC_HMAC_SHA384 = Constants.MoreAlgorithmsSpecNS + "hmac-sha384";
+ /** HMAC - Optional HMAC-SHA512 */
+ public static final String ALGO_ID_MAC_HMAC_SHA512 = Constants.MoreAlgorithmsSpecNS + "hmac-sha512";
+ //J+
+
+ /** ds:Signature.ds:SignedInfo element */
+ private SignedInfo _signedInfo = null;
+
+ /** ds:Signature.ds:KeyInfo */
+ private KeyInfo _keyInfo = null;
+
+ /**
+ * Checking the digests in References in a Signature are mandatory, but for
+ * References inside a Manifest it is application specific. This boolean is
+ * to indicate that the References inside Manifests should be validated.
+ */
+ private boolean _followManifestsDuringValidation = false;
+
+ /**
+ * This creates a new <CODE>ds:Signature</CODE> Element and adds an empty
+ * <CODE>ds:SignedInfo</CODE>.
+ * The <code>ds:SignedInfo</code> is initialized with the specified Signature
+ * algorithm and Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS which is REQUIRED
+ * by the spec. This method's main use is for creating a new signature.
+ *
+ * @param doc Document in which the signature will be appended after creation.
+ * @param BaseURI URI to be used as context for all relative URIs.
+ * @param SignatureMethodURI signature algorithm to use.
+ * @throws XMLSecurityException
+ */
+ public XMLSignature(Document doc, String BaseURI, String SignatureMethodURI)
+ throws XMLSecurityException {
+ this(doc, BaseURI, SignatureMethodURI, 0,
+ Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
+ }
+
+ /**
+ * Constructor XMLSignature
+ *
+ * @param doc
+ * @param BaseURI
+ * @param SignatureMethodURI the Signature method to be used.
+ * @param HMACOutputLength
+ * @throws XMLSecurityException
+ */
+ public XMLSignature(
+ Document doc, String BaseURI, String SignatureMethodURI, int HMACOutputLength)
+ throws XMLSecurityException {
+ this(doc, BaseURI, SignatureMethodURI, HMACOutputLength,
+ Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
+ }
+
+ /**
+ * Constructor XMLSignature
+ *
+ * @param doc
+ * @param BaseURI
+ * @param SignatureMethodURI the Signature method to be used.
+ * @param CanonicalizationMethodURI the canonicalization algorithm to be used to c14nize the SignedInfo element.
+ * @throws XMLSecurityException
+ */
+ public XMLSignature(
+ Document doc, String BaseURI, String SignatureMethodURI, String CanonicalizationMethodURI)
+ throws XMLSecurityException {
+ this(doc, BaseURI, SignatureMethodURI, 0, CanonicalizationMethodURI);
+ }
+
+ /**
+ * Constructor XMLSignature
+ *
+ * @param doc
+ * @param BaseURI
+ * @param SignatureMethodURI
+ * @param HMACOutputLength
+ * @param CanonicalizationMethodURI
+ * @throws XMLSecurityException
+ */
+ public XMLSignature(
+ Document doc, String BaseURI, String SignatureMethodURI, int HMACOutputLength, String CanonicalizationMethodURI)
+ throws XMLSecurityException {
+
+ super(doc);
+
+ XMLUtils.addReturnToElement(this._constructionElement);
+
+ this._baseURI = BaseURI;
+ this._signedInfo = new SignedInfo(this._doc, SignatureMethodURI,
+ HMACOutputLength,
+ CanonicalizationMethodURI);
+
+ this._constructionElement.appendChild(this._signedInfo.getElement());
+ XMLUtils.addReturnToElement(this._constructionElement);
+
+ // create an empty SignatureValue; this is filled by setSignatureValueElement
+ Element signatureValueElement =
+ XMLUtils.createElementInSignatureSpace(this._doc,
+ Constants._TAG_SIGNATUREVALUE);
+
+ this._constructionElement.appendChild(signatureValueElement);
+ XMLUtils.addReturnToElement(this._constructionElement);
+ }
+ /**
+ * Creates a XMLSignature in a Document
+ * @param doc
+ * @param BaseURI
+ * @param SignatureMethodElem
+ * @param CanonicalizationMethodElem
+ * @throws XMLSecurityException
+ */
+ public XMLSignature(
+ Document doc, String BaseURI, Element SignatureMethodElem, Element CanonicalizationMethodElem)
+ throws XMLSecurityException {
+
+ super(doc);
+
+ XMLUtils.addReturnToElement(this._constructionElement);
+
+ this._baseURI = BaseURI;
+ this._signedInfo = new SignedInfo(this._doc, SignatureMethodElem, CanonicalizationMethodElem);
+
+ this._constructionElement.appendChild(this._signedInfo.getElement());
+ XMLUtils.addReturnToElement(this._constructionElement);
+
+ // create an empty SignatureValue; this is filled by setSignatureValueElement
+ Element signatureValueElement =
+ XMLUtils.createElementInSignatureSpace(this._doc,
+ Constants._TAG_SIGNATUREVALUE);
+
+ this._constructionElement.appendChild(signatureValueElement);
+ XMLUtils.addReturnToElement(this._constructionElement);
+ }
+
+ /**
+ * This will parse the element and construct the Java Objects.
+ * That will allow a user to validate the signature.
+ *
+ * @param element ds:Signature element that contains the whole signature
+ * @param BaseURI URI to be prepended to all relative URIs
+ * @throws XMLSecurityException
+ * @throws XMLSignatureException if the signature is badly formatted
+ */
+ public XMLSignature(Element element, String BaseURI)
+ throws XMLSignatureException, XMLSecurityException {
+
+ super(element, BaseURI);
+
+ // check out SignedInfo child
+ Element signedInfoElem = XMLUtils.selectDsNode(this._constructionElement.getFirstChild(),
+ Constants._TAG_SIGNEDINFO,0);
+
+ // check to see if it is there
+ if (signedInfoElem == null) {
+ Object exArgs[] = { Constants._TAG_SIGNEDINFO,
+ Constants._TAG_SIGNATURE };
+
+ throw new XMLSignatureException("xml.WrongContent", exArgs);
+ }
+
+ // create a SignedInfo object from that element
+ this._signedInfo = new SignedInfo(signedInfoElem, BaseURI);
+
+ // check out SignatureValue child
+ Element signatureValueElement = XMLUtils.selectDsNode(this._constructionElement.getFirstChild(),
+ Constants._TAG_SIGNATUREVALUE,0);
+
+ // check to see if it exists
+ if (signatureValueElement == null) {
+ Object exArgs[] = { Constants._TAG_SIGNATUREVALUE,
+ Constants._TAG_SIGNATURE };
+
+ throw new XMLSignatureException("xml.WrongContent", exArgs);
+ }
+
+ // <element ref="ds:KeyInfo" minOccurs="0"/>
+ Element keyInfoElem =XMLUtils.selectDsNode(this._constructionElement.getFirstChild(),
+ Constants._TAG_KEYINFO,0);
+
+ // If it exists use it, but it's not mandatory
+ if (keyInfoElem != null) {
+ this._keyInfo = new KeyInfo(keyInfoElem, BaseURI);
+ }
+ }
+
+ /**
+ * Sets the <code>Id</code> attribute
+ *
+ * @param Id Id value to be used by the id attribute on the Signature Element
+ */
+ public void setId(String Id) {
+
+ if ((this._state == MODE_SIGN) && (Id != null)) {
+ this._constructionElement.setAttributeNS(null, Constants._ATT_ID, Id);
+ IdResolver.registerElementById(this._constructionElement, Id);
+ }
+ }
+
+ /**
+ * Returns the <code>Id</code> attribute
+ *
+ * @return the <code>Id</code> attribute
+ */
+ public String getId() {
+ return this._constructionElement.getAttributeNS(null, Constants._ATT_ID);
+ }
+
+ /**
+ * Returns the completely parsed <code>SignedInfo</code> object.
+ *
+ * @return the completely parsed <code>SignedInfo</code> object.
+ */
+ public SignedInfo getSignedInfo() {
+ return this._signedInfo;
+ }
+
+ /**
+ * Returns the octet value of the SignatureValue element.
+ * Throws an XMLSignatureException if it has no or wrong content.
+ *
+ * @return the value of the SignatureValue element.
+ * @throws XMLSignatureException If there is no content
+ */
+ public byte[] getSignatureValue() throws XMLSignatureException {
+
+ try {
+ Element signatureValueElem = XMLUtils.selectDsNode(this._constructionElement.getFirstChild(),
+ Constants._TAG_SIGNATUREVALUE,0);
+ byte[] signatureValue = Base64.decode(signatureValueElem);
+
+ return signatureValue;
+ } catch (Base64DecodingException ex) {
+ throw new XMLSignatureException("empty", ex);
+ }
+ }
+
+ /**
+ * Base64 encodes and sets the bytes as the content of the SignatureValue
+ * Node.
+ *
+ * @param bytes bytes to be used by SignatureValue before Base64 encoding
+ */
+ private void setSignatureValueElement(byte[] bytes)
+ {
+
+ if (this._state == MODE_SIGN) {
+ Element signatureValueElem = XMLUtils.selectDsNode(this._constructionElement.getFirstChild(),
+ Constants._TAG_SIGNATUREVALUE,0);
+ while (signatureValueElem.hasChildNodes()) {
+ signatureValueElem.removeChild(signatureValueElem.getFirstChild());
+ }
+
+ String base64codedValue = Base64.encode(bytes);
+
+ if (base64codedValue.length() > 76) {
+ base64codedValue = "\n" + base64codedValue + "\n";
+ }
+
+ Text t = this._doc.createTextNode(base64codedValue);
+
+ signatureValueElem.appendChild(t);
+ }
+ }
+
+ /**
+ * Returns the KeyInfo child. If we are in signing mode and the KeyInfo
+ * does not exist yet, it is created on demand and added to the Signature.
+ * <br>
+ * This allows to add arbitrary content to the KeyInfo during signing.
+ *
+ * @return the KeyInfo object
+ */
+ public KeyInfo getKeyInfo() {
+
+ // check to see if we are signing and if we have to create a keyinfo
+ if ((this._state == MODE_SIGN) && (this._keyInfo == null)) {
+
+ // create the KeyInfo
+ this._keyInfo = new KeyInfo(this._doc);
+
+ // get the Element from KeyInfo
+ Element keyInfoElement = this._keyInfo.getElement();
+ Element firstObject=null;
+ Node sibling= this._constructionElement.getFirstChild();
+ firstObject = XMLUtils.selectDsNode(sibling,Constants._TAG_OBJECT,0);
+
+ if (firstObject != null) {
+
+ // add it before the object
+ this._constructionElement.insertBefore(keyInfoElement,
+ firstObject);
+ this._constructionElement
+ .insertBefore(this._doc.createTextNode("\n"), firstObject);
+ } else {
+
+ // add it as the last element to the signature
+ this._constructionElement.appendChild(keyInfoElement);
+ XMLUtils.addReturnToElement(this._constructionElement);
+ }
+ }
+
+ return this._keyInfo;
+ }
+
+ /**
+ * Appends an Object (not a <code>java.lang.Object</code> but an Object
+ * element) to the Signature. Please note that this is only possible
+ * when signing.
+ *
+ * @param object ds:Object to be appended.
+ * @throws XMLSignatureException When this object is used to verify.
+ */
+ public void appendObject(ObjectContainer object)
+ throws XMLSignatureException {
+
+ try {
+ if (this._state != MODE_SIGN) {
+ throw new XMLSignatureException(
+ "signature.operationOnlyBeforeSign");
+ }
+
+ this._constructionElement.appendChild(object.getElement());
+ XMLUtils.addReturnToElement(this._constructionElement);
+ } catch (XMLSecurityException ex) {
+ throw new XMLSignatureException("empty", ex);
+ }
+ }
+
+ /**
+ * Returns the <code>i<code>th <code>ds:Object</code> child of the signature
+ * or null if no such <code>ds:Object</code> element exists.
+ *
+ * @param i
+ * @return the <code>i<code>th <code>ds:Object</code> child of the signature or null if no such <code>ds:Object</code> element exists.
+ */
+ public ObjectContainer getObjectItem(int i) {
+
+ Element objElem = XMLUtils.selectDsNode(this._constructionElement.getFirstChild(),
+ Constants._TAG_OBJECT,i);
+
+ try {
+ return new ObjectContainer(objElem, this._baseURI);
+ } catch (XMLSecurityException ex) {
+ return null;
+ }
+ }
+
+ /**
+ * Returns the number of all <code>ds:Object</code> elements.
+ *
+ * @return the number of all <code>ds:Object</code> elements.
+ */
+ public int getObjectLength() {
+ return this.length(Constants.SignatureSpecNS, Constants._TAG_OBJECT);
+ }
+
+ /**
+ * Digests all References in the SignedInfo, calculates the signature value and
+ * sets it in the SignatureValue Element.
+ *
+ * @param signingKey the {@link java.security.PrivateKey} or {@link javax.crypto.SecretKey} that is used to sign.
+ * @throws XMLSignatureException
+ */
+ public void sign(Key signingKey) throws XMLSignatureException {
+
+ if (signingKey instanceof PublicKey) {
+ throw new IllegalArgumentException(I18n
+ .translate("algorithms.operationOnlyVerification"));
+ }
+
+ try {
+ if (this._state == MODE_SIGN) {
+
+ // XMLUtils.indentSignature(this._constructionElement, " ", 0);
+ // get the SignatureMethodElement
+ Element signatureMethodElement =
+ this._signedInfo.getSignatureMethodElement();
+
+ //Create a SignatureAlgorithm object
+ SignatureAlgorithm sa =
+ new SignatureAlgorithm(signatureMethodElement,
+ this.getBaseURI());
+
+ // initialize SignatureAlgorithm for signing
+ sa.initSign(signingKey);
+
+ SignedInfo si = this.getSignedInfo();
+
+ // generate digest values for all References in this SignedInfo
+ si.generateDigestValues();
+ OutputStream so=new UnsyncBufferedOutputStream(new SignerOutputStream(sa));
+ try {
+ so.close();
+ } catch (IOException e) {
+ //Imposible
+ }
+ // get the canonicalized bytes from SignedInfo
+ si.signInOctectStream(so);
+
+ byte jcebytes[] = sa.sign();
+
+ // set them on the SignateValue element
+ this.setSignatureValueElement(jcebytes);
+ }
+ } catch (CanonicalizationException ex) {
+ throw new XMLSignatureException("empty", ex);
+ } catch (InvalidCanonicalizerException ex) {
+ throw new XMLSignatureException("empty", ex);
+ } catch (XMLSecurityException ex) {
+ throw new XMLSignatureException("empty", ex);
+ }
+ }
+
+ /**
+ * Adds a {@link ResourceResolver} to enable the retrieval of resources.
+ *
+ * @param resolver
+ */
+ public void addResourceResolver(ResourceResolver resolver) {
+ this.getSignedInfo().addResourceResolver(resolver);
+ }
+
+ /**
+ * Adds a {@link ResourceResolverSpi} to enable the retrieval of resources.
+ *
+ * @param resolver
+ */
+ public void addResourceResolver(ResourceResolverSpi resolver) {
+ this.getSignedInfo().addResourceResolver(resolver);
+ }
+
+ /**
+ * Extracts the public key from the certificate and verifies if the signature
+ * is valid by re-digesting all References, comparing those against the
+ * stored DigestValues and then checking to see if the Signatures match on
+ * the SignedInfo.
+ *
+ * @param cert Certificate that contains the public key part of the keypair that was used to sign.
+ * @return true if the signature is valid, false otherwise
+ * @throws XMLSignatureException
+ */
+ public boolean checkSignatureValue(X509Certificate cert)
+ throws XMLSignatureException {
+
+ // see if cert is null
+ if (cert != null) {
+
+ //check the values with the public key from the cert
+ return this.checkSignatureValue(cert.getPublicKey());
+ }
+
+ Object exArgs[] = { "Didn't get a certificate" };
+ throw new XMLSignatureException("empty", exArgs);
+
+ }
+
+ /**
+ * Verifies if the signature is valid by redigesting all References,
+ * comparing those against the stored DigestValues and then checking to see
+ * if the Signatures match on the SignedInfo.
+ *
+ * @param pk {@link java.security.PublicKey} part of the keypair or {@link javax.crypto.SecretKey} that was used to sign
+ * @return true if the signature is valid, false otherwise
+ * @throws XMLSignatureException
+ */
+ public boolean checkSignatureValue(Key pk) throws XMLSignatureException {
+
+ //COMMENT: pk suggests it can only be a public key?
+ //check to see if the key is not null
+ if (pk == null) {
+ Object exArgs[] = { "Didn't get a key" };
+
+ throw new XMLSignatureException("empty", exArgs);
+ }
+
+ // all references inside the signedinfo need to be dereferenced and
+ // digested again to see if the outcome matches the stored value in the
+ // SignedInfo.
+ // If _followManifestsDuringValidation is true it will do the same for
+ // References inside a Manifest.
+ try {
+ if (!this.getSignedInfo()
+ .verify(this._followManifestsDuringValidation)) {
+ return false;
+ }
+
+ //create a SignatureAlgorithms from the SignatureMethod inside
+ //SignedInfo. This is used to validate the signature.
+ SignatureAlgorithm sa =
+ new SignatureAlgorithm(this.getSignedInfo()
+ .getSignatureMethodElement(), this.getBaseURI());
+ if (true) {
+ if (log.isLoggable(java.util.logging.Level.FINE)) log.log(java.util.logging.Level.FINE, "SignatureMethodURI = " + sa.getAlgorithmURI());
+ if (log.isLoggable(java.util.logging.Level.FINE)) log.log(java.util.logging.Level.FINE, "jceSigAlgorithm = " + sa.getJCEAlgorithmString());
+ if (log.isLoggable(java.util.logging.Level.FINE)) log.log(java.util.logging.Level.FINE, "jceSigProvider = " + sa.getJCEProviderName());
+ if (log.isLoggable(java.util.logging.Level.FINE)) log.log(java.util.logging.Level.FINE, "PublicKey = " + pk);
+ }
+ sa.initVerify(pk);
+
+ // Get the canonicalized (normalized) SignedInfo
+ SignerOutputStream so=new SignerOutputStream(sa);
+ OutputStream bos=new UnsyncBufferedOutputStream(so);
+ this._signedInfo.signInOctectStream(bos);
+ try {
+ bos.close();
+ } catch (IOException e) {
+ //Imposible
+ }
+
+ //retrieve the byte[] from the stored signature
+ byte sigBytes[] = this.getSignatureValue();
+
+
+ //Have SignatureAlgorithm sign the input bytes and compare them to the
+ //bytes that were stored in the signature.
+ boolean verify = sa.verify(sigBytes);
+
+ return verify;
+ } catch (XMLSecurityException ex) {
+ throw new XMLSignatureException("empty", ex);
+ }
+ }
+
+ /**
+ * Add a Reference with full parameters to this Signature
+ *
+ * @param referenceURI URI of the resource to be signed. Can be null in which
+ * case the dereferencing is application specific. Can be "" in which it's
+ * the parent node (or parent document?). There can only be one "" in each
+ * signature.
+ * @param trans Optional list of transformations to be done before digesting
+ * @param digestURI Mandatory URI of the digesting algorithm to use.
+ * @param ReferenceId Optional id attribute for this Reference
+ * @param ReferenceType Optional mimetype for the URI
+ * @throws XMLSignatureException
+ */
+ public void addDocument(
+ String referenceURI, Transforms trans, String digestURI, String ReferenceId, String ReferenceType)
+ throws XMLSignatureException {
+ this._signedInfo.addDocument(this._baseURI, referenceURI, trans,
+ digestURI, ReferenceId, ReferenceType);
+ }
+
+ /**
+ * This method is a proxy method for the {@link Manifest#addDocument} method.
+ *
+ * @param referenceURI URI according to the XML Signature specification.
+ * @param trans List of transformations to be applied.
+ * @param digestURI URI of the digest algorithm to be used.
+ * @see Manifest#addDocument
+ * @throws XMLSignatureException
+ */
+ public void addDocument(
+ String referenceURI, Transforms trans, String digestURI)
+ throws XMLSignatureException {
+ this._signedInfo.addDocument(this._baseURI, referenceURI, trans,
+ digestURI, null, null);
+ }
+
+ /**
+ * Adds a Reference with just the URI and the transforms. This used the
+ * SHA1 algorithm as a default digest algorithm.
+ *
+ * @param referenceURI URI according to the XML Signature specification.
+ * @param trans List of transformations to be applied.
+ * @throws XMLSignatureException
+ */
+ public void addDocument(String referenceURI, Transforms trans)
+ throws XMLSignatureException {
+ this._signedInfo.addDocument(this._baseURI, referenceURI, trans,
+ Constants.ALGO_ID_DIGEST_SHA1, null, null);
+ }
+
+ /**
+ * Add a Reference with just this URI. It uses SHA1 by default as the digest
+ * algorithm
+ *
+ * @param referenceURI URI according to the XML Signature specification.
+ * @throws XMLSignatureException
+ */
+ public void addDocument(String referenceURI) throws XMLSignatureException {
+ this._signedInfo.addDocument(this._baseURI, referenceURI, null,
+ Constants.ALGO_ID_DIGEST_SHA1, null, null);
+ }
+
+ /**
+ * Add an X509 Certificate to the KeyInfo. This will include the whole cert
+ * inside X509Data/X509Certificate tags.
+ *
+ * @param cert Certificate to be included. This should be the certificate of the key that was used to sign.
+ * @throws XMLSecurityException
+ */
+ public void addKeyInfo(X509Certificate cert) throws XMLSecurityException {
+
+ X509Data x509data = new X509Data(this._doc);
+
+ x509data.addCertificate(cert);
+ this.getKeyInfo().add(x509data);
+ }
+
+ /**
+ * Add this public key to the KeyInfo. This will include the complete key in
+ * the KeyInfo structure.
+ *
+ * @param pk
+ */
+ public void addKeyInfo(PublicKey pk) {
+ this.getKeyInfo().add(pk);
+ }
+
+ /**
+ * Proxy method for {@link SignedInfo#createSecretKey(byte[])}. If you want to
+ * create a MAC, this method helps you to obtain the {@link javax.crypto.SecretKey}
+ * from octets.
+ *
+ * @param secretKeyBytes
+ * @return the secret key created.
+ * @see SignedInfo#createSecretKey(byte[])
+ */
+ public SecretKey createSecretKey(byte[] secretKeyBytes)
+ {
+ return this.getSignedInfo().createSecretKey(secretKeyBytes);
+ }
+
+ /**
+ * Signal wether Manifest should be automatically validated.
+ * Checking the digests in References in a Signature are mandatory, but for
+ * References inside a Manifest it is application specific. This boolean is
+ * to indicate that the References inside Manifests should be validated.
+ *
+ * @param followManifests
+ * @see <a href="http://www.w3.org/TR/xmldsig-core/#sec-CoreValidation">Core validation section in the XML Signature Rec.</a>
+ */
+ public void setFollowNestedManifests(boolean followManifests) {
+ this._followManifestsDuringValidation = followManifests;
+ }
+
+ /**
+ * Get the local name of this element
+ *
+ * @return Constant._TAG_SIGNATURE
+ */
+ public String getBaseLocalName() {
+ return Constants._TAG_SIGNATURE;
+ }
+}