Examples of javax.xml.crypto.dsig.XMLSignatureFactory

• javax.xml.crypto.dsig.XMLSignatureFactory
  A factory for creating {@link XMLSignature} objects from scratch or for unmarshalling an XMLSignature object from a corresponding XML representation.

  XMLSignatureFactory Type

  Each instance of XMLSignatureFactory supports a specific XML mechanism type. To create an XMLSignatureFactory, call one of the static {@link #getInstance getInstance} methods, passing in the XML mechanism type desired, for example:

  XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");

  The objects that this factory produces will be based on DOM and abide by the DOM interoperability requirements as defined in the DOM Mechanism Requirements section of the API overview. See the Service Providers section of the API overview for a list of standard mechanism types.

  XMLSignatureFactory implementations are registered and loaded using the {@link java.security.Provider} mechanism. For example, a service provider that supports the DOM mechanism would be specified in the Provider subclass as:

   put("XMLSignatureFactory.DOM", "org.example.DOMXMLSignatureFactory"); 

  An implementation MUST minimally support the default mechanism type: DOM.

  Note that a caller must use the same XMLSignatureFactory instance to create the XMLStructures of a particular XMLSignature that is to be generated. The behavior is undefined if XMLStructures from different providers or different mechanism types are used together.

  Also, the XMLStructures that are created by this factory may contain state specific to the XMLSignature and are not intended to be reusable.

  Creating XMLSignatures from scratch

  Once the XMLSignatureFactory has been created, objects can be instantiated by calling the appropriate method. For example, a {@link Reference} instance may be created by invoking one of the{@link #newReference newReference} methods.

  Unmarshalling XMLSignatures from XML

  Alternatively, an XMLSignature may be created from an existing XML representation by invoking the {@link #unmarshalXMLSignature unmarshalXMLSignature} method and passing it a mechanism-specific {@link XMLValidateContext} instance containing the XML content:

   DOMValidateContext context = new DOMValidateContext(key, signatureElement); XMLSignature signature = factory.unmarshalXMLSignature(context); 

  Each XMLSignatureFactory must support the required XMLValidateContext types for that factory type, but may support others. A DOM XMLSignatureFactory must support {@link DOMValidateContext} objects.

  Signing and marshalling XMLSignatures to XML

  Each XMLSignature created by the factory can also be marshalled to an XML representation and signed, by invoking the {@link XMLSignature#sign sign} method of the {@link XMLSignature} object and passing it a mechanism-specific {@link XMLSignContext} object containing the signing key and marshalling parameters (see {@link DOMSignContext}). For example:

   DOMSignContext context = new DOMSignContext(privateKey, document); signature.sign(context); 

  Concurrent Access

  The static methods of this class are guaranteed to be thread-safe. Multiple threads may concurrently invoke the static methods defined in this class with no ill effects.

  However, this is not true for the non-static methods defined by this class. Unless otherwise documented by a specific provider, threads that need to access a single XMLSignatureFactory instance concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating a different XMLSignatureFactory instance need not synchronize. @author Sean Mullan @author JSR 105 Expert Group

        // Create a DOMValidateContext and specify a KeySelector
        // and document context.
        DOMValidateContext valContext = new DOMValidateContext(new CloudsealKeySelector(idpPublicKey), nl.item(0));

        XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
        boolean valid = false;
        try {
            XMLSignature signature = factory.unmarshalXMLSignature(valContext);
            valid = signature.validate(valContext);
        } catch (MarshalException ex) {
            throw new VerificationException("Response verification failed");
        } catch (XMLSignatureException ex) {
            throw new VerificationException("Response verification failed");

        LOG.debug("Verification of XML signature document started");
        final Document doc = parseInput(input);

        Node signatureNode = getSignatureNode(doc);

        XMLSignatureFactory fac;
        // Try to install the Santuario Provider - fall back to the JDK provider if this does
        // not work
        try {
            fac = XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
        } catch (NoSuchProviderException ex) {
            fac = XMLSignatureFactory.getInstance("DOM");
        }

        KeySelector selector = getConfiguration().getKeySelector();
        if (selector == null) {
            throw new IllegalStateException("Wrong configuration. Key selector is missing.");
        }

        DOMValidateContext valContext = new DOMValidateContext(selector, signatureNode);
        valContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
        valContext.setProperty("org.jcp.xml.dsig.validateManifests", Boolean.TRUE);

        if (getConfiguration().getSecureValidation() == Boolean.TRUE) {
            valContext.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
            valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        }
        setUriDereferencerAndBaseUri(valContext);

        setCryptoContextProperties(valContext);

        final XMLSignature signature = fac.unmarshalXMLSignature(valContext);

        executeApplicationCheck(out, doc, signature);

        boolean coreValidity;
        try {

     * By default, we include the keyinfo in the signature
     */
    private static boolean includeKeyInfoInSignature = true;

    private static XMLSignatureFactory getXMLSignatureFactory() {
        XMLSignatureFactory xsf = null;

        try {
            xsf = XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
        } catch (NoSuchProviderException ex) {
            try {

    private SignedInfo generateSignedInfo(FilterProcessingContext fpContext)
    throws PolicyGenerationException,NoSuchAlgorithmException,InvalidAlgorithmParameterException ,XWSSecurityException{
        SignaturePolicy signaturePolicy = (SignaturePolicy) fpContext.getSecurityPolicy();
        SignaturePolicy.FeatureBinding featureBinding = (SignaturePolicy.FeatureBinding)signaturePolicy.getFeatureBinding();
        MLSPolicy keyBinding = signaturePolicy.getKeyBinding();
        XMLSignatureFactory signatureFactory = getSignatureFactory();
        SecurableSoapMessage secureMessage = fpContext.getSecurableSoapMessage();
        String canonicalAlgo = featureBinding.getCanonicalizationAlgorithm();
        boolean disableInclusivePrefix = featureBinding.getDisableInclusivePrefix();
        //String digestAlgo = featureBinding.getDigestAlgorithm();
        ArrayList targetList = featureBinding.getTargetBindings();
        String keyAlgo = null;
        String algo = MessageConstants.RSA_SHA1;
        if (fpContext.getAlgorithmSuite() != null) {
            algo = fpContext.getAlgorithmSuite().getSignatureAlgorithm();
        }

        keyAlgo = SecurityUtil.getKeyAlgo(algo);

        if(PolicyTypeUtil.x509CertificateBinding(keyBinding)) {
            AuthenticationTokenPolicy.X509CertificateBinding certificateBinding =
                    (AuthenticationTokenPolicy.X509CertificateBinding)keyBinding;
            if (!"".equals(certificateBinding.getKeyAlgorithm())) {
                keyAlgo = certificateBinding.getKeyAlgorithm();
            }
        } else if (PolicyTypeUtil.samlTokenPolicy(keyBinding)) {
            AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding =
                    (AuthenticationTokenPolicy.SAMLAssertionBinding)keyBinding;
            if (!"".equals(samlBinding.getKeyAlgorithm())) {
                keyAlgo = samlBinding.getKeyAlgorithm();
            }
        }else if(PolicyTypeUtil.symmetricKeyBinding(keyBinding)){
            SymmetricKeyBinding symmetricKeybinding = (SymmetricKeyBinding)keyBinding;
            if (!"".equals(symmetricKeybinding.getKeyAlgorithm())) {
                keyAlgo = symmetricKeybinding.getKeyAlgorithm();
            } else {
                keyAlgo = MessageConstants.HMAC_SHA1_SIGMETHOD;
            }
        } else if (PolicyTypeUtil.secureConversationTokenKeyBinding(keyBinding)) {
            keyAlgo = MessageConstants.HMAC_SHA1_SIGMETHOD;
        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding)) {
           keyAlgo = MessageConstants.HMAC_SHA1_SIGMETHOD;
           if(PolicyTypeUtil.issuedTokenKeyBinding(((DerivedTokenKeyBinding)keyBinding).getOriginalKeyBinding())){
               if(fpContext.getTrustContext().getProofKey() == null){
                   keyAlgo = MessageConstants.RSA_SHA1_SIGMETHOD;
               }
           }
       } else if (PolicyTypeUtil.issuedTokenKeyBinding(keyBinding)) {
           //TODO: verify if this is always correct
           keyAlgo = MessageConstants.HMAC_SHA1_SIGMETHOD;
           if(fpContext.getTrustContext().getProofKey() == null){
               keyAlgo = MessageConstants.RSA_SHA1_SIGMETHOD;
           }
       } else {
            logger.log(Level.SEVERE, LogStringsMessages.WSS_1335_UNSUPPORTED_KEYBINDING_SIGNATUREPOLICY());
            throw new XWSSecurityException("Unsupported KeyBinding for SignaturePolicy");
       }

        C14NMethodParameterSpec spec = null;
        if (MessageConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS.equalsIgnoreCase(canonicalAlgo)) {
            //List inc = getInclusiveNamespacePrefixes(secureMessage.findSecurityHeader(), false);
            //spec = new ExcC14NParameterSpec(inc);
            //NOTE: looking at BSP flag on sending side just for
            //ExC14N parameterList. Because XWSS11(xmlsec.jar) cannot
            //process the PrefixList, thereby breaking BC
            if (featureBinding.isBSP() || !disableInclusivePrefix) {
                List inc = getInclusiveNamespacePrefixes(secureMessage.findSecurityHeader(), false);
                spec = new ExcC14NParameterSpec(inc);
            } else {
                spec = null;
            }

        }
        CanonicalizationMethod canonicalMethod=
                signatureFactory.newCanonicalizationMethod(canonicalAlgo,spec);

        SignatureMethod signatureMethod = signatureFactory.newSignatureMethod(keyAlgo, null);
        //Note : Signature algorithm parameters null for now , fix me.
        SignedInfo signedInfo = signatureFactory.newSignedInfo(canonicalMethod,signatureMethod,
                generateReferenceList(targetList,signatureFactory,secureMessage,fpContext,false, featureBinding.isEndorsingSignature()),null);
        //Note : Id is now null , check ?,
        return signedInfo;
    }

    }

    public List generateReferenceList(List targetList,SecurableSoapMessage secureMessage,FilterProcessingContext fpContext,
            boolean verify, boolean isEndorsing)
    throws PolicyGenerationException,NoSuchAlgorithmException,InvalidAlgorithmParameterException,XWSSecurityException {
        XMLSignatureFactory factory = getSignatureFactory();
        return generateReferenceList(targetList,factory,secureMessage,fpContext,verify, isEndorsing);
    }

    throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, XWSSecurityException{
        SignaturePolicy signaturePolicy = (SignaturePolicy) fpContext.getSecurityPolicy();
        SignaturePolicy.FeatureBinding featureBinding = (SignaturePolicy.FeatureBinding)signaturePolicy.getFeatureBinding();
        MLSPolicy keyBinding = signaturePolicy.getKeyBinding();

        XMLSignatureFactory signatureFactory = getSignatureFactory();
        String canonicalAlgo = featureBinding.getCanonicalizationAlgorithm();
        ArrayList targetList = featureBinding.getTargetBindings();
        ArrayList cloneList = targetList;
        if (signaturePolicy.getKeyBinding() instanceof LazyKeyBinding) {
            LazyKeyBinding lkb = (LazyKeyBinding) signaturePolicy.getKeyBinding();
            if (lkb.getRealId() != null) {
                cloneList = (ArrayList) targetList.clone();
                Iterator it = cloneList.iterator();
                while (it.hasNext()) {
                    SignatureTarget o = (SignatureTarget) it.next();
                    if (o.getValue().equals("#" + lkb.getSTRID())) {
                        o.setValue("#" + lkb.getRealId());
                    }
                }
            }
        }
        String keyAlgo = null;
        String algo = fpContext.getAlgorithmSuite().getSignatureAlgorithm();

         keyAlgo = SecurityUtil.getKeyAlgo(algo);

        if(PolicyTypeUtil.usernameTokenBinding(keyBinding)){
            AuthenticationTokenPolicy.UsernameTokenBinding untBinding =
                    (AuthenticationTokenPolicy.UsernameTokenBinding)keyBinding;
            if (!"".equals(untBinding.getKeyAlgorithm())) {
                keyAlgo = untBinding.getKeyAlgorithm();
            } else {
                keyAlgo = MessageConstants.HMAC_SHA1_SIGMETHOD;
            }
        }else if(PolicyTypeUtil.x509CertificateBinding(keyBinding)) {
            AuthenticationTokenPolicy.X509CertificateBinding certificateBinding =
                    (AuthenticationTokenPolicy.X509CertificateBinding)keyBinding;
            if (!"".equals(certificateBinding.getKeyAlgorithm())) {
                keyAlgo = certificateBinding.getKeyAlgorithm();
            }
        } else if (PolicyTypeUtil.samlTokenPolicy(keyBinding)) {
            AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding =
                    (AuthenticationTokenPolicy.SAMLAssertionBinding)keyBinding;
            if (!"".equals(samlBinding.getKeyAlgorithm())) {
                keyAlgo = samlBinding.getKeyAlgorithm();
            }
        }else if(PolicyTypeUtil.symmetricKeyBinding(keyBinding)){
            SymmetricKeyBinding symmetricKeybinding = (SymmetricKeyBinding)keyBinding;
            if (!"".equals(symmetricKeybinding.getKeyAlgorithm())) {
                keyAlgo = symmetricKeybinding.getKeyAlgorithm();
            } else {
                keyAlgo = MessageConstants.HMAC_SHA1_SIGMETHOD;
            }
        } else if (PolicyTypeUtil.secureConversationTokenKeyBinding(keyBinding)) {
            keyAlgo = MessageConstants.HMAC_SHA1_SIGMETHOD;
        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding)) {
            keyAlgo = MessageConstants.HMAC_SHA1_SIGMETHOD;
            DerivedTokenKeyBinding dtkBinding = (DerivedTokenKeyBinding)keyBinding;
            //This check is done because DerivedKeys is ignored for Assymetric case
            if(fpContext.getTrustContext() != null && fpContext.getTrustContext().getProofKey() == null &&
                   PolicyTypeUtil.issuedTokenKeyBinding( dtkBinding.getOriginalKeyBinding())){
                keyAlgo = MessageConstants.RSA_SHA1_SIGMETHOD;
                //keyAlgo = fpContext.getAlgorithmSuite().getAsymmetricKeySignatureAlgorithm();
            }
        } else if (PolicyTypeUtil.issuedTokenKeyBinding(keyBinding)) {
            //TODO: verify if this is always correct
            if(fpContext.getTrustContext() != null){
                keyAlgo = fpContext.getTrustContext().getSignWith();
            }
            if(keyAlgo == null){
                keyAlgo = MessageConstants.HMAC_SHA1_SIGMETHOD;
            }
            //keyAlgo = fpContext.getAlgorithmSuite().getSymmetricKeySignatureAlgorithm();
            if(fpContext.getTrustContext() != null  && fpContext.getTrustContext().getProofKey() == null){
                //keyAlgo = fpContext.getAlgorithmSuite().getAsymmetricKeySignatureAlgorithm();
                if(fpContext.getTrustContext().getSignWith() == null){
                    keyAlgo = MessageConstants.RSA_SHA1_SIGMETHOD;
                }
            }
        }else if (PolicyTypeUtil.keyValueTokenBinding(keyBinding)) {
            keyAlgo = MessageConstants.RSA_SHA1_SIGMETHOD;
        }else{
            logger.log(Level.SEVERE, LogStringsMessages.WSS_1703_UNSUPPORTED_KEYBINDING_SIGNATUREPOLICY(keyBinding));
            throw new XWSSecurityException("Unsupported KeyBinding for SignaturePolicy");
        }
        C14NMethodParameterSpec spec = null;
        if (MessageConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS.equalsIgnoreCase(canonicalAlgo)) {
            if(!fpContext.getDisableIncPrefix()){
                List inc = new ArrayList();
                inc.add("wsse"); inc.add("S");
                spec = new ExcC14NParameterSpec(inc);
            }
            ((NamespaceContextEx)fpContext.getNamespaceContext()).addExc14NS();
        }
        CanonicalizationMethod canonicalMethod =
                signatureFactory.newCanonicalizationMethod(canonicalAlgo,spec);
        if(!fpContext.getDisableIncPrefix()){
            List contentList = setInclusiveNamespaces((ExcC14NParameterSpec)spec);
            ((com.sun.xml.ws.security.opt.crypto.dsig.CanonicalizationMethod)canonicalMethod).setContent(contentList);
        }

        SignatureMethod signatureMethod = signatureFactory.newSignatureMethod(keyAlgo, null);
        //Note : Signature algorithm parameters null for now , fix me.
        SignedInfo signedInfo = signatureFactory.newSignedInfo(canonicalMethod,signatureMethod,
                generateReferenceList(cloneList, signatureFactory, fpContext, false), null);
        //Note : Id is now null
        return signedInfo;
    }

//      tagIdAttributes(xmlDoc);
//    }

    X509Certificate cert = certificate.getX509Cert();
    DOMValidateContext ctx = new DOMValidateContext(cert.getPublicKey(), nodes.item(0));
    XMLSignatureFactory sigF = XMLSignatureFactory.getInstance("DOM");
    XMLSignature xmlSignature = sigF.unmarshalXMLSignature(ctx);

    return xmlSignature.validate(ctx);
  }

            if (nl.getLength() == 0) {
                throw new XWSSecurityException("Unsigned SAML Assertion encountered while verifying the SAML signature");
            }
            Element signElement = (Element) nl.item(0);
            DOMValidateContext validationContext = new DOMValidateContext(pubKey, signElement);
            XMLSignatureFactory signatureFactory = WSSPolicyConsumerImpl.getInstance().getSignatureFactory();

            // unmarshal the XMLSignature
            XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(validationContext);
            validationContext.setURIDereferencer(new DSigResolver(map, samlAssertion));
            boolean coreValidity = xmlSignature.validate(validationContext);
            return coreValidity;
        } catch (Exception ex) {
            throw new XWSSecurityException(ex);

                        localName));
                context.isPrimaryPolicyViolation(true);
                return 0;
            }
            DOMValidateContext validationContext = new DOMValidateContext(KeySelectorImpl.getInstance(), signElement);
            XMLSignatureFactory signatureFactory = WSSPolicyConsumerImpl.getInstance().getSignatureFactory();
            // unmarshal the XMLSignature
            XMLSignature signature = signatureFactory.unmarshalXMLSignature(validationContext);
            verifySignatureAlgorithm(signature);

            //For SignatureConfirmation
            List scList = (ArrayList)context.getExtraneousProperty("receivedSignValues");
            if(scList != null){

        try {


            DOMValidateContext validationContext =
                    new DOMValidateContext(KeySelectorImpl.getInstance(), signElement);
            XMLSignatureFactory signatureFactory = WSSPolicyConsumerImpl.getInstance().getSignatureFactory();
            // unmarshal the XMLSignature
            XMLSignature signature = signatureFactory.unmarshalXMLSignature(validationContext);
            validationContext.setURIDereferencer(DSigResolver.getInstance());
            // Validate the XMLSignature (generated above)
            validationContext.put(MessageConstants.WSS_PROCESSING_CONTEXT, context);
            boolean coreValidity = signature.validate(validationContext);
            if (coreValidity == false){