org.opensaml.xml.signature.X509Data Java Examples
The following examples show how to use
org.opensaml.xml.signature.X509Data.
Example #1
Source File: SSOAgentUtils.java From carbon-identity with Apache License 2.0 | 6 votes |
/**
 * Build an unsigned {@code Signature} object for the given algorithm and credential.
 *
 * The returned signature uses exclusive C14N (without comments) and carries a
 * {@code KeyInfo} whose single {@code X509Data} holds the credential's end-entity
 * certificate as a Base64-encoded {@code X509Certificate} element. The embedded
 * certificate is a hint for relying parties; it is only as trustworthy as the
 * trust anchors they validate it against.
 *
 * @param signatureAlgorithm the XML signature algorithm URI to record on the signature
 * @param cred the credential whose key signs and whose entity certificate is embedded
 * @return the populated, not-yet-computed signature object
 * @throws SSOAgentException if the entity certificate cannot be DER-encoded
 */
private static Signature setSignatureRaw(String signatureAlgorithm, X509Credential cred) throws SSOAgentException {
    Signature sig = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    sig.setSigningCredential(cred);
    sig.setSignatureAlgorithm(signatureAlgorithm);
    sig.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
    X509Data x509Data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
    org.opensaml.xml.signature.X509Certificate xmlCert =
            (org.opensaml.xml.signature.X509Certificate) buildXMLObject(
                    org.opensaml.xml.signature.X509Certificate.DEFAULT_ELEMENT_NAME);

    // Only getEncoded() can raise the checked CertificateEncodingException.
    final String encodedCert;
    try {
        encodedCert = org.apache.xml.security.utils.Base64.encode(cred.getEntityCertificate().getEncoded());
    } catch (CertificateEncodingException e) {
        throw new SSOAgentException("Error getting certificate", e);
    }

    xmlCert.setValue(encodedCert);
    x509Data.getX509Certificates().add(xmlCert);
    keyInfo.getX509Datas().add(x509Data);
    sig.setKeyInfo(keyInfo);
    return sig;
}
Example #2
Source File: X509KeyInfoGeneratorFactory.java From lams with GNU General Public License v2.0 | 6 votes |
/**
 * Process the value of {@link X509Credential#getEntityCertificate()}.
 *
 * The certificate-derived X509Data options (subject name, issuer/serial, SKI, digest)
 * and the KeyName options are always applied to the entity certificate. The
 * certificate element itself is only added here when the chain is not being emitted,
 * because the emitted chain already contains the entity certificate.
 *
 * @param keyInfo the KeyInfo that is being built
 * @param x509Data the X509Data that is being built
 * @param credential the Credential that is being processed
 * @throws SecurityException thrown if the certificate data can not be encoded from the Java certificate object
 */
protected void processEntityCertificate(KeyInfo keyInfo, X509Data x509Data, X509Credential credential) throws SecurityException {
    java.security.cert.X509Certificate entityCert = credential.getEntityCertificate();
    if (entityCert == null) {
        return;
    }

    processCertX509DataOptions(x509Data, entityCert);
    processCertKeyNameOptions(keyInfo, entityCert);

    boolean emitCertificateHere = options.emitEntityCertificate && !options.emitEntityCertificateChain;
    if (!emitCertificateHere) {
        return;
    }

    try {
        x509Data.getX509Certificates().add(KeyInfoHelper.buildX509Certificate(entityCert));
    } catch (CertificateEncodingException e) {
        throw new SecurityException("Error generating X509Certificate element "
                + "from credential's end-entity certificate", e);
    }
}
Example #3
Source File: SAML1TokenBuilder.java From carbon-identity with Apache License 2.0 | 6 votes |
/**
 * Attach a {@code Signature} to the SAML 1 assertion being built and record it in
 * {@code signatureList} for later computation.
 *
 * The signature uses exclusive C14N (without comments) and embeds the credential's
 * end-entity certificate, Base64-encoded, in a {@code KeyInfo}/{@code X509Data}.
 * Relying parties must still validate that certificate against their own trust
 * configuration; its presence in the message proves nothing by itself.
 *
 * @param signatureAlgorithm the XML signature algorithm URI
 * @param cred the signing credential whose entity certificate is embedded
 * @throws IdentityProviderException if the entity certificate cannot be DER-encoded;
 *         the underlying cause is logged rather than chained onto the thrown exception
 */
@Override
public void setSignature(String signatureAlgorithm, X509Credential cred) throws IdentityProviderException {
    Signature sig = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    sig.setSigningCredential(cred);
    sig.setSignatureAlgorithm(signatureAlgorithm);
    sig.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data x509Data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        X509Certificate xmlCert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);

        // getEncoded() is the only call here that throws CertificateEncodingException.
        xmlCert.setValue(Base64.encode(cred.getEntityCertificate().getEncoded()));

        x509Data.getX509Certificates().add(xmlCert);
        keyInfo.getX509Datas().add(x509Data);
        sig.setKeyInfo(keyInfo);
    } catch (CertificateEncodingException e) {
        log.error("Error while getting the encoded certificate", e);
        throw new IdentityProviderException("Error while getting the encoded certificate");
    }

    assertion.setSignature(sig);
    signatureList.add(sig);
}
Example #4
Source File: SAML2TokenBuilder.java From carbon-identity with Apache License 2.0 | 6 votes |
/**
 * Attach a {@code Signature} to the SAML 2 assertion being built and record it in
 * {@code signatureList} for later computation.
 *
 * The signature uses exclusive C14N (without comments) and embeds the credential's
 * end-entity certificate, Base64-encoded, in a {@code KeyInfo}/{@code X509Data}.
 * Relying parties must still validate that certificate against their own trust
 * configuration; its presence in the message proves nothing by itself.
 *
 * @param signatureAlgorithm the XML signature algorithm URI
 * @param cred the signing credential whose entity certificate is embedded
 * @throws IdentityProviderException if the entity certificate cannot be DER-encoded;
 *         the underlying cause is logged rather than chained onto the thrown exception
 */
@Override
public void setSignature(String signatureAlgorithm, X509Credential cred) throws IdentityProviderException {
    Signature sig = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    sig.setSigningCredential(cred);
    sig.setSignatureAlgorithm(signatureAlgorithm);
    sig.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data x509Data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        X509Certificate xmlCert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);

        // getEncoded() is the only call here that throws CertificateEncodingException.
        xmlCert.setValue(Base64.encode(cred.getEntityCertificate().getEncoded()));

        x509Data.getX509Certificates().add(xmlCert);
        keyInfo.getX509Datas().add(x509Data);
        sig.setKeyInfo(keyInfo);
    } catch (CertificateEncodingException e) {
        log.error("Failed to get encoded certificate", e);
        throw new IdentityProviderException("Error while getting encoded certificate");
    }

    assertion.setSignature(sig);
    signatureList.add(sig);
}
Example #5
Source File: X509KeyInfoGeneratorFactory.java From lams with GNU General Public License v2.0 | 6 votes |
/**
 * Process the value of {@link X509Credential#getEntityCertificateChain()}.
 *
 * When chain emission is enabled, every certificate in the credential's chain
 * (which includes the entity certificate) is added to the X509Data as an
 * {@code X509Certificate} element, in the order the credential returns them.
 *
 * @param keyInfo the KeyInfo that is being built
 * @param x509Data the X509Data that is being built
 * @param credential the Credential that is being processed
 * @throws SecurityException thrown if the certificate data can not be encoded from the Java certificate object
 */
protected void processEntityCertificateChain(KeyInfo keyInfo, X509Data x509Data, X509Credential credential) throws SecurityException {
    if (!options.emitEntityCertificateChain) {
        return;
    }
    if (credential.getEntityCertificateChain() == null) {
        return;
    }

    for (java.security.cert.X509Certificate chainCert : credential.getEntityCertificateChain()) {
        try {
            x509Data.getX509Certificates().add(KeyInfoHelper.buildX509Certificate(chainCert));
        } catch (CertificateEncodingException e) {
            throw new SecurityException("Error generating X509Certificate element "
                    + "from a certificate in credential's certificate chain", e);
        }
    }
}
Example #6
Source File: X509KeyInfoGeneratorFactory.java From lams with GNU General Public License v2.0 | 6 votes |
/**
 * Process the value of {@link X509Credential#getCRLs()}.
 *
 * When CRL emission is enabled, every CRL held by the credential is added to the
 * X509Data as an {@code X509CRL} element.
 *
 * @param keyInfo the KeyInfo that is being built
 * @param x509Data the X509Data that is being built
 * @param credential the Credential that is being processed
 * @throws SecurityException thrown if the CRL data can not be encoded from the Java certificate object
 */
protected void processCRLs(KeyInfo keyInfo, X509Data x509Data, X509Credential credential) throws SecurityException {
    if (!options.emitCRLs) {
        return;
    }
    if (credential.getCRLs() == null) {
        return;
    }

    for (java.security.cert.X509CRL crl : credential.getCRLs()) {
        try {
            x509Data.getX509CRLs().add(KeyInfoHelper.buildX509CRL(crl));
        } catch (CRLException e) {
            throw new SecurityException("Error generating X509CRL element "
                    + "from a CRL in credential's CRL list", e);
        }
    }
}
Example #7
Source File: KeyInfoHelper.java From lams with GNU General Public License v2.0 | 6 votes |
/**
 * Get a list of the Java {@link java.security.cert.X509Certificate} within the given KeyInfo.
 *
 * Certificates from every non-null X509Data child are collected in order; a null
 * KeyInfo yields an empty list rather than null.
 *
 * @param keyInfo key info to extract the certificates from
 *
 * @return a list of Java {@link java.security.cert.X509Certificate}s, never null
 *
 * @throws CertificateException thrown if there is a problem converting the
 *             X509 data into {@link java.security.cert.X509Certificate}s.
 */
public static List<X509Certificate> getCertificates(KeyInfo keyInfo) throws CertificateException {
    List<X509Certificate> result = new LinkedList<X509Certificate>();
    if (keyInfo != null) {
        for (X509Data data : keyInfo.getX509Datas()) {
            if (data == null) {
                continue;
            }
            result.addAll(getCertificates(data));
        }
    }
    return result;
}
Example #8
Source File: KeyInfoHelper.java From lams with GNU General Public License v2.0 | 6 votes |
/**
 * Get a list of the Java {@link java.security.cert.X509Certificate} within the given {@link X509Data}.
 *
 * Only {@code X509Certificate} children that carry a value are converted; null
 * children and children without a value are skipped silently.
 *
 * @param x509Data {@link X509Data} from which to extract the certificate
 *
 * @return a list of Java {@link java.security.cert.X509Certificate}s, never null
 *
 * @throws CertificateException thrown if there is a problem converting the
 *             X509 data into {@link java.security.cert.X509Certificate}s.
 */
public static List<X509Certificate> getCertificates(X509Data x509Data) throws CertificateException {
    List<X509Certificate> result = new LinkedList<X509Certificate>();
    if (x509Data == null) {
        return result;
    }
    for (org.opensaml.xml.signature.X509Certificate xmlCert : x509Data.getX509Certificates()) {
        boolean hasValue = xmlCert != null && xmlCert.getValue() != null;
        if (hasValue) {
            result.add(getCertificate(xmlCert));
        }
    }
    return result;
}
Example #9
Source File: KeyInfoHelper.java From lams with GNU General Public License v2.0 | 6 votes |
/**
 * Get a list of the Java {@link java.security.cert.X509CRL}s within the given {@link KeyInfo}.
 *
 * CRLs from every non-null X509Data child are collected in order; a null KeyInfo
 * yields an empty list rather than null.
 *
 * @param keyInfo the {@link KeyInfo} to extract the CRL's from
 *
 * @return a list of Java {@link java.security.cert.X509CRL}s, never null
 *
 * @throws CRLException thrown if there is a problem converting the
 *             CRL data into {@link java.security.cert.X509CRL}s
 */
public static List<X509CRL> getCRLs(KeyInfo keyInfo) throws CRLException {
    List<X509CRL> result = new LinkedList<X509CRL>();
    if (keyInfo != null) {
        for (X509Data data : keyInfo.getX509Datas()) {
            if (data == null) {
                continue;
            }
            result.addAll(getCRLs(data));
        }
    }
    return result;
}
Example #10
Source File: KeyInfoHelper.java From lams with GNU General Public License v2.0 | 6 votes |
/**
 * Get a list of the Java {@link java.security.cert.X509CRL}s within the given {@link X509Data}.
 *
 * Only {@code X509CRL} children that carry a value are converted; null children and
 * children without a value are skipped silently.
 *
 * @param x509Data {@link X509Data} to extract the CRLs from
 *
 * @return a list of Java {@link java.security.cert.X509CRL}s, never null
 *
 * @throws CRLException thrown if there is a problem converting the
 *             CRL data into {@link java.security.cert.X509CRL}s
 */
public static List<X509CRL> getCRLs(X509Data x509Data) throws CRLException {
    List<X509CRL> result = new LinkedList<X509CRL>();
    if (x509Data == null) {
        return result;
    }
    for (org.opensaml.xml.signature.X509CRL xmlCRL : x509Data.getX509CRLs()) {
        boolean hasValue = xmlCRL != null && xmlCRL.getValue() != null;
        if (hasValue) {
            result.add(getCRL(xmlCRL));
        }
    }
    return result;
}
Example #11
Source File: X509KeyInfoGeneratorFactory.java From lams with GNU General Public License v2.0 | 5 votes |
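/**
 * {@inheritDoc}
 *
 * Builds the basic KeyInfo via the superclass, then adds an X509Data populated from
 * the credential's entity certificate, certificate chain and CRLs according to the
 * configured options. The X509Data is only attached when it has at least one child,
 * and the whole KeyInfo is only returned when it has at least one child; otherwise
 * null is returned. A credential that is not an {@code X509Credential} (including a
 * null credential) is logged at WARN level and yields null instead of an exception.
 */
public KeyInfo generate(Credential credential) throws SecurityException {
    if (!(credential instanceof X509Credential)) {
        // instanceof is false for null, so describe the type without dereferencing it.
        String actualType = (credential == null) ? "null" : credential.getClass().getName();
        log.warn("X509KeyInfoGenerator was passed a credential that was not an instance of X509Credential: {}",
                actualType);
        return null;
    }
    X509Credential x509Credential = (X509Credential) credential;

    KeyInfo keyInfo = super.generate(credential);
    if (keyInfo == null) {
        keyInfo = keyInfoBuilder.buildObject();
    }

    X509Data x509Data = x509DataBuilder.buildObject();
    processEntityCertificate(keyInfo, x509Data, x509Credential);
    processEntityCertificateChain(keyInfo, x509Data, x509Credential);
    processCRLs(keyInfo, x509Data, x509Credential);

    // Do not emit an empty <X509Data/> element.
    List<XMLObject> x509DataChildren = x509Data.getOrderedChildren();
    if (x509DataChildren != null && !x509DataChildren.isEmpty()) {
        keyInfo.getX509Datas().add(x509Data);
    }

    // Likewise, an empty <KeyInfo/> is reported as "nothing generated".
    List<XMLObject> keyInfoChildren = keyInfo.getOrderedChildren();
    if (keyInfoChildren == null || keyInfoChildren.isEmpty()) {
        return null;
    }
    return keyInfo;
}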
Example #12
Source File: X509DataUnmarshaller.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * {@inheritDoc}
 *
 * Every child is appended to the parent's generic child list, regardless of type.
 * X509Data is an unbounded choice over its specific dsig children plus {@code <any>},
 * so no per-type dispatch is required at unmarshalling time; schema validation of the
 * children happens separately.
 */
protected void processChildElement(XMLObject parentXMLObject, XMLObject childXMLObject) throws UnmarshallingException {
    X509Data parent = (X509Data) parentXMLObject;
    parent.getXMLObjects().add(childXMLObject);
}
Example #13
Source File: X509DataSchemaValidator.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * Validate that all children are either ones defined within the XML Signature schema,
 * or are from another namespace.
 *
 * A child is rejected only when it is in the XML Signature namespace but is not one
 * of the known dsig X509Data children. Children from any other namespace are accepted
 * without further inspection, matching the schema's {@code <any>} particle.
 *
 * @param xmlObject the object to validate
 * @throws ValidationException thrown if the object is invalid
 */
protected void validateChildrenNamespaces(X509Data xmlObject) throws ValidationException {
    for (XMLObject child : xmlObject.getXMLObjects()) {
        QName childName = child.getElementQName();
        boolean inSignatureNamespace = XMLConstants.XMLSIG_NS.equals(childName.getNamespaceURI());
        boolean knownDsigChild = getValidDSChildNames().contains(childName);
        if (inSignatureNamespace && !knownDsigChild) {
            throw new ValidationException("X509Data contains an illegal child extension element: " + childName);
        }
    }
}
Example #14
Source File: InlineX509DataProvider.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * Extract certificates from the X509Data.
 *
 * Conversion failures are logged and rethrown as {@code SecurityException} with the
 * original cause attached.
 *
 * @param x509Data the X509Data element
 * @return a list of X509Certificates (never null; may be empty)
 * @throws SecurityException thrown if there is an error extracting certificates
 */
private List<X509Certificate> extractCertificates(X509Data x509Data) throws SecurityException {
    final List<X509Certificate> certs;
    try {
        certs = KeyInfoHelper.getCertificates(x509Data);
    } catch (CertificateException e) {
        log.error("Error extracting certificates from X509Data", e);
        throw new SecurityException("Error extracting certificates from X509Data", e);
    }
    log.debug("Found {} X509Certificates", certs.size());
    return certs;
}
Example #15
Source File: InlineX509DataProvider.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * Extract CRL's from the X509Data.
 *
 * Conversion failures are logged and rethrown as {@code SecurityException} with the
 * original cause attached.
 *
 * @param x509Data the X509Data element
 * @return a list of X509CRLs (never null; may be empty)
 * @throws SecurityException thrown if there is an error extracting CRL's
 */
private List<X509CRL> extractCRLs(X509Data x509Data) throws SecurityException {
    final List<X509CRL> crls;
    try {
        crls = KeyInfoHelper.getCRLs(x509Data);
    } catch (CRLException e) {
        log.error("Error extracting CRL's from X509Data", e);
        throw new SecurityException("Error extracting CRL's from X509Data", e);
    }
    log.debug("Found {} X509CRLs", crls.size());
    return crls;
}
Example #16
Source File: X509KeyInfoGeneratorFactory.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * Process the options related to generation of the X509SKI child element of X509Data
 * based on certificate data.
 *
 * Nothing is added when the option is off, or when the helper returns null (which it
 * may do when the certificate carries no subject key identifier to build from).
 *
 * @param x509Data the X509Data element being processed.
 * @param cert the certificate being processed
 */
protected void processCertX509SKI(X509Data x509Data, java.security.cert.X509Certificate cert) {
    if (!options.emitX509SKI) {
        return;
    }
    X509SKI ski = KeyInfoHelper.buildX509SKI(cert);
    if (ski == null) {
        return;
    }
    x509Data.getX509SKIs().add(ski);
}
Example #17
Source File: X509KeyInfoGeneratorFactory.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * Process the options related to generation of the X509IssuerSerial child element of X509Data
 * based on certificate data.
 *
 * The element is built from the issuer name as rendered by {@code getIssuerName} and
 * the certificate's serial number; it is skipped when the issuer name is empty.
 *
 * @param x509Data the X509Data element being processed.
 * @param cert the certificate being processed
 */
protected void processCertX509IssuerSerial(X509Data x509Data, java.security.cert.X509Certificate cert) {
    if (!options.emitX509IssuerSerial) {
        return;
    }
    String issuer = getIssuerName(cert);
    if (DatatypeHelper.isEmpty(issuer)) {
        return;
    }
    x509Data.getX509IssuerSerials().add(
            KeyInfoHelper.buildX509IssuerSerial(issuer, cert.getSerialNumber()));
}
Example #18
Source File: X509KeyInfoGeneratorFactory.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * Process the options related to generation of the X509SubjectName child element of X509Data
 * based on certificate data.
 *
 * The element is built from the subject name as rendered by {@code getSubjectName};
 * it is skipped when that name is empty.
 *
 * @param x509Data the X509Data element being processed.
 * @param cert the certificate being processed
 */
protected void processCertX509SubjectName(X509Data x509Data, java.security.cert.X509Certificate cert) {
    if (!options.emitX509SubjectName) {
        return;
    }
    String subject = getSubjectName(cert);
    if (DatatypeHelper.isEmpty(subject)) {
        return;
    }
    x509Data.getX509SubjectNames().add(KeyInfoHelper.buildX509SubjectName(subject));
}
Example #19
Source File: X509KeyInfoGeneratorFactory.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * Process the options related to generation of child elements of X509Data based on certificate data.
 *
 * Delegates to the per-element handlers in a fixed order: subject name, issuer/serial,
 * subject key identifier, then digest. Each handler checks its own option flag.
 *
 * @param x509Data the X509Data element being processed.
 * @param cert the certificate being processed
 */
protected void processCertX509DataOptions(X509Data x509Data, java.security.cert.X509Certificate cert) {
    // Order is preserved deliberately; it determines the order of the generated children.
    processCertX509SubjectName(x509Data, cert);
    processCertX509IssuerSerial(x509Data, cert);
    processCertX509SKI(x509Data, cert);
    processCertX509Digest(x509Data, cert);
}
Example #20
Source File: X509KeyInfoGeneratorFactory.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * Constructor.
 *
 * Resolves the KeyInfo and X509Data builders from the global builder factory once,
 * so that {@code generate} does not have to look them up per call.
 *
 * @param newOptions the options to be used by the generator
 */
protected X509KeyInfoGenerator(X509Options newOptions) {
    super(newOptions);
    options = newOptions;

    keyInfoBuilder = (KeyInfoBuilder) Configuration.getBuilderFactory()
            .getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME);
    x509DataBuilder = (X509DataBuilder) Configuration.getBuilderFactory()
            .getBuilder(X509Data.DEFAULT_ELEMENT_NAME);
}
Example #21
Source File: InlineX509DataProvider.java From lams with GNU General Public License v2.0 | 4 votes |
/**
 * {@inheritDoc}
 *
 * This provider handles exactly the {@code X509Data} children of a KeyInfo; a null
 * child is not handled.
 */
public boolean handles(XMLObject keyInfoChild) {
    return X509Data.class.isInstance(keyInfoChild);
}
Example #22
Source File: InlineX509DataProvider.java From lams with GNU General Public License v2.0 | 4 votes |
/**
 * Find the end-entity cert in the list of certs contained in the X509Data.
 *
 * Selection strategy, in order: a single certificate is taken as-is; otherwise the
 * certificate matching a previously resolved public key, then one matching an
 * X509SubjectName, X509IssuerSerial, X509SKI or X509Digest hint in the X509Data.
 * If nothing matches, the first certificate in the list is returned as a fallback.
 * This is a selection heuristic driven by data in the message itself; callers must
 * still validate the chosen certificate against their trust configuration.
 *
 * @param certs list of {@link java.security.cert.X509Certificate}
 * @param x509Data X509Data element which might contain other info helping to finding the end-entity cert
 * @param resolvedKey a key which might have previously been resolved from a KeyValue
 * @return the end-entity certificate, if found; null only when {@code certs} is null or empty
 */
protected X509Certificate findEntityCert(List<X509Certificate> certs, X509Data x509Data, PublicKey resolvedKey) {
    if (certs == null || certs.isEmpty()) {
        return null;
    }

    // A lone certificate needs no disambiguation.
    if (certs.size() == 1) {
        log.debug("Single certificate was present, treating as end-entity certificate");
        return certs.get(0);
    }

    X509Certificate match;

    match = findCertFromKey(certs, resolvedKey);
    if (match != null) {
        log.debug("End-entity certificate resolved by matching previously resolved public key");
        return match;
    }

    match = findCertFromSubjectNames(certs, x509Data.getX509SubjectNames());
    if (match != null) {
        log.debug("End-entity certificate resolved by matching X509SubjectName");
        return match;
    }

    match = findCertFromIssuerSerials(certs, x509Data.getX509IssuerSerials());
    if (match != null) {
        log.debug("End-entity certificate resolved by matching X509IssuerSerial");
        return match;
    }

    match = findCertFromSubjectKeyIdentifier(certs, x509Data.getX509SKIs());
    if (match != null) {
        log.debug("End-entity certificate resolved by matching X509SKI");
        return match;
    }

    match = findCertFromDigest(certs, x509Data.getXMLObjects(X509Digest.DEFAULT_ELEMENT_NAME));
    if (match != null) {
        log.debug("End-entity certificate resolved by matching X509Digest");
        return match;
    }

    // TODO use some heuristic algorithm to try and figure it out based on the cert list alone.
    // This would be in X509Utils or somewhere else external to this class.

    // Final fallback: the first certificate in the X509Data is assumed to be the entity cert.
    log.debug("Treating the first certificate in the X509Data as the end-entity certificate");
    return certs.get(0);
}
Example #23
Source File: X509DataSchemaValidator.java From lams with GNU General Public License v2.0 | 4 votes |
/**
 * {@inheritDoc}
 *
 * Checks that the X509Data has at least one child, then that every child in the XML
 * Signature namespace is one of the known dsig X509Data children.
 */
public void validate(X509Data xmlObject) throws ValidationException {
    // Presence first: the namespace check iterates the children and is meaningless on an empty element.
    validateChildrenPresence(xmlObject);
    validateChildrenNamespaces(xmlObject);
}
Example #24
Source File: X509DataBuilder.java From lams with GNU General Public License v2.0 | 4 votes |
/**
 * {@inheritDoc}
 *
 * Creates a fresh, empty {@code X509DataImpl} with the supplied qualified name parts.
 */
public X509Data buildObject(String namespaceURI, String localName, String namespacePrefix) {
    X509DataImpl created = new X509DataImpl(namespaceURI, localName, namespacePrefix);
    return created;
}
Example #25
Source File: X509DataBuilder.java From lams with GNU General Public License v2.0 | 4 votes |
/**
 * {@inheritDoc}
 *
 * Builds an X509Data with the default XML Signature namespace, local name and prefix.
 */
public X509Data buildObject() {
    String ns = XMLConstants.XMLSIG_NS;
    String prefix = XMLConstants.XMLSIG_PREFIX;
    return buildObject(ns, X509Data.DEFAULT_ELEMENT_LOCAL_NAME, prefix);
}
Example #26
Source File: KeyInfoTypeImpl.java From lams with GNU General Public License v2.0 | 4 votes |
/**
 * {@inheritDoc}
 *
 * Returns the live sublist view of {@code indexedChildren} keyed by the X509Data
 * element name; additions through the returned list are reflected in this KeyInfo.
 */
@SuppressWarnings("unchecked") // indexedChildren is an untyped indexed list; the sublist is keyed by X509Data's QName
public List<X509Data> getX509Datas() {
    List<X509Data> x509Datas = (List<X509Data>) indexedChildren.subList(X509Data.DEFAULT_ELEMENT_NAME);
    return x509Datas;
}
Example #27
Source File: X509DataSchemaValidator.java From lams with GNU General Public License v2.0 | 2 votes |
/**
 * Validate that at least one child is present.
 *
 * @param xmlObject the object to validate
 * @throws ValidationException thrown if the object is invalid
 */
protected void validateChildrenPresence(X509Data xmlObject) throws ValidationException {
    boolean hasChildren = !xmlObject.getXMLObjects().isEmpty();
    if (hasChildren) {
        return;
    }
    throw new ValidationException("No children were present in the X509Data object");
}