Package javax.xml.crypto.dsig

Examples of javax.xml.crypto.dsig.XMLSignatureFactory


                return ks;
        }

        /**
         * Obtains the {@link XMLSignatureFactory} used to build and unmarshal XML signatures.
         *
         * <p>The no-argument {@code getInstance()} selects the default "DOM" mechanism and names
         * no provider, so the implementation is whichever installed JCA provider is found first
         * for that mechanism. The factory carries no validation policy of its own; properties
         * such as secure validation are set on the sign/validate context by the caller.
         *
         * @return a factory for the default (DOM) XML signature mechanism
         */
        private XMLSignatureFactory initXMLSigFactory() {
                // No provider is pinned here; resolution follows the JCA provider order.
                return XMLSignatureFactory.getInstance();
        }


        private boolean verifySignature(Element element, PublicKey validatingKey, AtomicReference<String> OutReadableErrorMessage) {
                if (OutReadableErrorMessage == null) {
                        OutReadableErrorMessage = new AtomicReference<String>();
                }
                XMLSignatureFactory fac = initXMLSigFactory();
                NodeList nl = element.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
                if (nl.getLength() == 0) {
                        throw new RuntimeException("Cannot find Signature element");
                }
                DOMValidateContext valContext = new DOMValidateContext(validatingKey, nl.item(0));
                try {
                        valContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
                        XMLSignature signature = fac.unmarshalXMLSignature(valContext);
                        boolean coreValidity = signature.validate(valContext);
                        // Check core validation status.
                        if (coreValidity == false) {
                                logger.warn("Signature failed core validation");
                                boolean sv = signature.getSignatureValue().validate(valContext);

                }
                return sb.toString();
        }

        private void signDOM(Node node, PrivateKey privateKey, Certificate origCert) {
                XMLSignatureFactory fac = initXMLSigFactory();
                X509Certificate cert = (X509Certificate) origCert;
                // Create the KeyInfo containing the X509Data.

                KeyInfoFactory kif = fac.getKeyInfoFactory();

                List<Object> x509Content = null;//new ArrayList<Object>();
                List<X509Data> data = new ArrayList<X509Data>();
                if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN)) {
                        x509Content = new ArrayList<Object>();

                        x509Content.add(cert.getSubjectDN().getName());
            //  x509Content.add(cert);
                        //x509Content.add(cert.getSubjectDN().getName());
                        X509Data xd = kif.newX509Data(x509Content);
                        data.add(xd);
                }

        //  if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_X500_PRINICPAL)) {
                // }
                if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_BASE64)) {
                        x509Content = new ArrayList<Object>();
                        x509Content.add(cert);
                        //x509Content.add(cert.getSubjectX500Principal().getName());
                        X509Data xd = kif.newX509Data(x509Content);
                        data.add(xd);
                }
                if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_SERIAL)) {
                        x509Content = new ArrayList<Object>();

                        X509IssuerSerial issuer = kif.newX509IssuerSerial(cert.getIssuerX500Principal().getName(), cert.getSerialNumber());

                        x509Content.add(issuer);
                        X509Data xd = kif.newX509Data(x509Content);
                        data.add(xd);
                }

        // 
                //x509Content.add(cert);
                KeyInfo ki = kif.newKeyInfo(data);

        // Create a DOMSignContext and specify the RSA PrivateKey and
                // location of the resulting XMLSignature's parent element.
                DOMSignContext dsc = new DOMSignContext(privateKey, node);
                dsc.putNamespacePrefix(XML_DIGSIG_NS, "ns2");

                // Create the XMLSignature, but don't sign it yet.
                try {
                        SignedInfo si = initSignedInfo(fac);
                        XMLSignature signature = fac.newXMLSignature(si, ki);

                        // Marshal, generate, and sign the enveloped signature.
                        signature.sign(dsc);
                } catch (Exception e) {
                        throw new RuntimeException(e);

    }

    protected Document sign(final Message out) throws Exception { //NOPMD

        try {
            XMLSignatureFactory fac;
            // Try to install the Santuario Provider - fall back to the JDK provider if this does
            // not work
            try {
                fac = XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
            } catch (NoSuchProviderException ex) {
                fac = XMLSignatureFactory.getInstance("DOM");
            }

            final Node node = getMessageBodyNode(out);

            Node parent = getParentOfSignature(out, node);

            final KeySelector keySelector = getConfiguration().getKeyAccessor().getKeySelector(out);
            if (keySelector == null) {
                throw new XmlSignatureNoKeyException(
                        "Key selector is missing for XML signature generation. Specify a key selector in the configuration.");
            }

            // the method KeyAccessor.getKeyInfo must be called after the method KeyAccessor.getKeySelector, this is part of the interface contract!
            final KeyInfo keyInfo = getConfiguration().getKeyAccessor().getKeyInfo(out, node, fac.getKeyInfoFactory());

            final String signatureId = "_" + UUID.randomUUID().toString();
            LOG.debug("Signature Id {}", signatureId);

            XmlSignatureProperties.Input input = new InputBuilder().contentDigestAlgorithm(getDigestAlgorithmUri()).keyInfo(keyInfo)
                    .message(out).messageBodyNode(node).parent(parent).signatureAlgorithm(getConfiguration().getSignatureAlgorithm())
                    .signatureFactory(fac).signatureId(signatureId).build();

            XmlSignatureProperties.Output properties = getSignatureProperties(input);

            List<? extends XMLObject> objects = getObjects(input, properties);
            List<? extends Reference> refs = getReferences(input, properties, getKeyInfoId(keyInfo));

            SignedInfo si = createSignedInfo(fac, refs);

            if (parent == null) {
                // for enveloping signature, create new document
                parent = XmlSignatureHelper.newDocumentBuilder(Boolean.TRUE).newDocument();
            }

            DOMSignContext dsc = createAndConfigureSignContext(parent, keySelector);

            XMLSignature signature = fac.newXMLSignature(si, keyInfo, objects, signatureId, null);
            // generate the signature
            signature.sign(dsc);

            return XmlSignatureHelper.getDocument(parent);

        LOG.debug("Verification of XML signature document started");
        final Document doc = parseInput(input);

        Node signatureNode = getSignatureNode(doc);

        XMLSignatureFactory fac;
        // Try to install the Santuario Provider - fall back to the JDK provider if this does
        // not work
        try {
            fac = XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
        } catch (NoSuchProviderException ex) {
            fac = XMLSignatureFactory.getInstance("DOM");
        }

        KeySelector selector = getConfiguration().getKeySelector();
        if (selector == null) {
            throw new IllegalStateException("Wrong configuration. Key selector is missing.");
        }

        DOMValidateContext valContext = new DOMValidateContext(selector, signatureNode);
        valContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
        valContext.setProperty("org.jcp.xml.dsig.validateManifests", Boolean.TRUE);
       
        if (getConfiguration().getSecureValidation() == Boolean.TRUE) {
            valContext.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
            valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        }
        setUriDereferencerAndBaseUri(valContext);

        setCryptoContextProperties(valContext);

        final XMLSignature signature = fac.unmarshalXMLSignature(valContext);

        executeApplicationCheck(out, doc, signature);

        boolean coreValidity;
        try {

    }

    protected Document sign(final Message out) throws Exception { //NOPMD

        try {
            XMLSignatureFactory fac;
            // Try to install the Santuario Provider - fall back to the JDK provider if this does
            // not work
            try {
                fac = XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
            } catch (NoSuchProviderException ex) {
                fac = XMLSignatureFactory.getInstance("DOM");
            }

            final Node node = getMessageBodyNode(out);

            final KeySelector keySelector = getConfiguration().getKeyAccessor().getKeySelector(out);
            if (keySelector == null) {
                throw new XmlSignatureNoKeyException(
                        "Key selector is missing for XML signature generation. Specify a key selector in the configuration.");
            }

            SignatureType signatureType = determineSignatureType(out);

            final List<String> contentReferenceUris = getContentReferenceUris(out, signatureType, node);

            Node lastParent = null;
            // per content reference URI a signature is built; for enveloped and enveloping there is only one content reference URI;
            // only in the detached case there can be several
            for (final String contentReferenceUri : contentReferenceUris) {

                // the method KeyAccessor.getKeyInfo must be called after the method KeyAccessor.getKeySelector, this is part of the interface contract!
                // and this method must be called within the loop over the content reference URIs, because for each signature the key info ID must be different
                final KeyInfo keyInfo = getConfiguration().getKeyAccessor().getKeyInfo(out, node, fac.getKeyInfoFactory());

                String signatureId = getConfiguration().getSignatureId();
                if (signatureId == null) {
                    signatureId = "_" + UUID.randomUUID().toString();
                } else if (signatureId.isEmpty()) {
                    // indicator that no signature Id attribute shall be generated
                    signatureId = null;
                }

                // parent only relevant for enveloping or detached signature
                Node parent = getParentOfSignature(out, node, contentReferenceUri, signatureType);

                XmlSignatureProperties.Input input = new InputBuilder().contentDigestAlgorithm(getDigestAlgorithmUri()).keyInfo(keyInfo)
                        .message(out).messageBodyNode(node).parent(parent).signatureAlgorithm(getConfiguration().getSignatureAlgorithm())
                        .signatureFactory(fac).signatureId(signatureId).contentReferenceUri(contentReferenceUri)
                        .signatureType(signatureType).build();

                XmlSignatureProperties.Output properties = getSignatureProperties(input);

                List<? extends XMLObject> objects = getObjects(input, properties);
                List<? extends Reference> refs = getReferences(input, properties, getKeyInfoId(keyInfo));

                SignedInfo si = createSignedInfo(fac, refs);

                if (parent == null) {
                    // for enveloping signature, create new document
                    parent = XmlSignatureHelper.newDocumentBuilder(Boolean.TRUE).newDocument();
                }
                lastParent = parent;

                DOMSignContext dsc = createAndConfigureSignContext(parent, keySelector);

                XMLSignature signature = fac.newXMLSignature(si, keyInfo, objects, signatureId, null);
                // generate the signature
                signature.sign(dsc);
            }

            return XmlSignatureHelper.getDocument(lastParent);

            throw new URIReferenceException("Cannot resolve a URI of value 'null'.");
        }

        if (uriString != null && ((uriString.length() != 0 && uriString.charAt(0) == '#') || uriString.isEmpty())) {
            // same document uri
            XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
            return fac.getURIDereferencer().dereference(uriReference, context);
        }

        throw new URIReferenceException(String.format("URI reference %s not supported", uriString));
    }

    @SuppressWarnings("unchecked")
    protected void verify(InputStream input, final Message out) throws Exception { //NOPMD
        LOG.debug("Verification of XML signature document started");
        final Document doc = parseInput(input, out);

        XMLSignatureFactory fac;
        // Try to install the Santuario Provider - fall back to the JDK provider if this does
        // not work
        try {
            fac = XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
        } catch (NoSuchProviderException ex) {
            fac = XMLSignatureFactory.getInstance("DOM");
        }

        KeySelector selector = getConfiguration().getKeySelector();
        if (selector == null) {
            throw new IllegalStateException("Wrong configuration. Key selector is missing.");
        }

        DOMValidateContext valContext = new DOMValidateContext(selector, doc);
        valContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
        valContext.setProperty("org.jcp.xml.dsig.validateManifests", Boolean.TRUE);

        if (getConfiguration().getSecureValidation() == Boolean.TRUE) {
            valContext.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
            valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        }
        setUriDereferencerAndBaseUri(valContext);

        setCryptoContextProperties(valContext);

        NodeList signatureNodes = getSignatureNodes(doc);

        List<XMLObject> collectedObjects = new ArrayList<XMLObject>(3);
        List<Reference> collectedReferences = new ArrayList<Reference>(3);
        int totalCount = signatureNodes.getLength();
        for (int i = 0; i < totalCount; i++) {

            Element signatureNode = (Element) signatureNodes.item(i);

            valContext.setNode(signatureNode);
            final XMLSignature signature = fac.unmarshalXMLSignature(valContext);

            if (getConfiguration().getXmlSignatureChecker() != null) {
                XmlSignatureChecker.Input checkerInput = new CheckerInputBuilder().message(out).messageBodyDocument(doc)
                        .keyInfo(signature.getKeyInfo()).currentCountOfSignatures(i + 1).currentSignatureElement(signatureNode)
                        .objects(signature.getObjects()).signatureValue(signature.getSignatureValue())

            if (nl.getLength() == 0) {
                throw new XWSSecurityException("Unsigned SAML Assertion encountered while verifying the SAML signature");
            }
            Element signElement = (Element) nl.item(0);
            DOMValidateContext validationContext = new DOMValidateContext(pubKey, signElement);
            XMLSignatureFactory signatureFactory = WSSPolicyConsumerImpl.getInstance().getSignatureFactory();

            // unmarshal the XMLSignature
            XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(validationContext);
            validationContext.setURIDereferencer(new DSigResolver(map, samlAssertion));
            boolean coreValidity = xmlSignature.validate(validationContext);
            return coreValidity;
        } catch (Exception ex) {
            throw new XWSSecurityException(ex);

            tagIdAttributes(xmlDoc);
        }

        X509Certificate cert = certificate.getX509Cert();
        DOMValidateContext ctx = new DOMValidateContext(cert.getPublicKey(), nodes.item(0));
        XMLSignatureFactory sigF = XMLSignatureFactory.getInstance("DOM");
        XMLSignature xmlSignature = sigF.unmarshalXMLSignature(ctx);

        return xmlSignature.validate(ctx);
    }
