org.opensaml.xmlsec.signature.support.impl

Class SignatureAlgorithmValidator

java.lang.Object

org.opensaml.xmlsec.signature.support.impl.SignatureAlgorithmValidator

public class SignatureAlgorithmValidator
extends java.lang.Object

Component which validates a Signature's signature and digest algorithm URI's against a supplied algorithm whitelist and blacklist.

The evaluation is based on the Signature's underlying DOM structure, therefore the Signature must have a cached DOM before this validator is used.

Field Summary

Fields

Modifier and Type	Field and Description
private static java.lang.String	ATTR_NAME_ALGORTHM Local name of 'Algorithm' attribute.
private java.util.Collection<java.lang.String>	blacklistedAlgorithmURIs The collection of algorithm URI's which are blacklisted.
private static javax.xml.namespace.QName	ELEMENT_NAME_DIGEST_METHOD QName of 'ds:DigestMethod' element.
private static javax.xml.namespace.QName	ELEMENT_NAME_REFERENCE QName of 'ds:Reference' element.
private static javax.xml.namespace.QName	ELEMENT_NAME_SIGNATURE_METHOD QName of 'ds:SignatureMethod' element.
private static javax.xml.namespace.QName	ELEMENT_NAME_SIGNED_INFO QName of 'ds:SignedInfo' element.
private org.slf4j.Logger	log Logger.
private java.util.Collection<java.lang.String>	whitelistedAlgorithmURIs The collection of algorithm URI's which are whitelisted.

Constructor Summary

Constructors

Constructor and Description
SignatureAlgorithmValidator(java.util.Collection<java.lang.String> whitelistAlgos, java.util.Collection<java.lang.String> blacklistAlgos) Constructor.
SignatureAlgorithmValidator(SignatureValidationParameters params) Constructor.

Method Summary

Modifier and Type	Method and Description
protected void	checkDOM(Signature signature) Check that Signature XMLObject has a cached DOM Element.
protected java.util.List<java.lang.String>	getDigestMethods(Signature signatureXMLObject) Get the list of Signature Reference DigestMethod algorithm URIs.
protected java.lang.String	getSignatureAlgorithm(Signature signatureXMLObject) Get the signature algorithm.
void	validate(Signature signature) Validate the algorithms in the signature.
protected void	validateAlgorithmURI(java.lang.String algorithmURI) Validate the supplied algorithm URI against the configured whitelist and blacklist.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ELEMENT_NAME_SIGNED_INFO

private static final javax.xml.namespace.QName ELEMENT_NAME_SIGNED_INFO

QName of 'ds:SignedInfo' element.

ELEMENT_NAME_SIGNATURE_METHOD

private static final javax.xml.namespace.QName ELEMENT_NAME_SIGNATURE_METHOD

QName of 'ds:SignatureMethod' element.

ELEMENT_NAME_REFERENCE

private static final javax.xml.namespace.QName ELEMENT_NAME_REFERENCE

QName of 'ds:Reference' element.

ELEMENT_NAME_DIGEST_METHOD

private static final javax.xml.namespace.QName ELEMENT_NAME_DIGEST_METHOD

QName of 'ds:DigestMethod' element.

ATTR_NAME_ALGORTHM

private static final java.lang.String ATTR_NAME_ALGORTHM

Local name of 'Algorithm' attribute.

See Also:

Constant Field Values

log

private org.slf4j.Logger log

Logger.

whitelistedAlgorithmURIs

private java.util.Collection<java.lang.String> whitelistedAlgorithmURIs

The collection of algorithm URI's which are whitelisted.

blacklistedAlgorithmURIs

private java.util.Collection<java.lang.String> blacklistedAlgorithmURIs

The collection of algorithm URI's which are blacklisted.

Constructor Detail

SignatureAlgorithmValidator

public SignatureAlgorithmValidator(@Nonnull
                                   SignatureValidationParameters params)

Constructor.

Parameters:

params - signature validation parameters containing the whitelist and blacklist

SignatureAlgorithmValidator

public SignatureAlgorithmValidator(@Nullable
                                   java.util.Collection<java.lang.String> whitelistAlgos,
                                   @Nullable
                                   java.util.Collection<java.lang.String> blacklistAlgos)

Constructor.

Parameters:

whitelistAlgos - the algorithm whitelist

blacklistAlgos - the algorithm blacklist

Method Detail

validate

public void validate(@Nonnull
                     Signature signature)
              throws SignatureException

Validate the algorithms in the signature.

Parameters:

signature - signature to validate

Throws:

SignatureException - if validation fails

checkDOM

protected void checkDOM(@Nonnull
                        Signature signature)
                 throws SignatureException

Check that Signature XMLObject has a cached DOM Element.

Parameters:

signature - the signature to evaluate

Throws:

SignatureException - if signature does not have a cached DOM Element

getSignatureAlgorithm

@Nonnull
protected java.lang.String getSignatureAlgorithm(@Nonnull
                                                          Signature signatureXMLObject)
                                                   throws SignatureException

Get the signature algorithm.

Parameters:

signatureXMLObject - the signature to evaluate

Returns:

the signature algorithm

Throws:

SignatureException - if signature algorithm can not be resolved

getDigestMethods

@Nonnull
protected java.util.List<java.lang.String> getDigestMethods(@Nonnull
                                                                     Signature signatureXMLObject)
                                                              throws SignatureException

Get the list of Signature Reference DigestMethod algorithm URIs.

Parameters:

signatureXMLObject - the signature to evaluate

Returns:

list of algorithm URIs

Throws:

SignatureException - if a DigestMethod is found to have a null or empty Algorithm attribute

validateAlgorithmURI

protected void validateAlgorithmURI(@Nonnull
                                    java.lang.String algorithmURI)
                             throws SignatureException

Validate the supplied algorithm URI against the configured whitelist and blacklist.

Parameters:

algorithmURI - the algorithm URI to evaluate

Throws:

SignatureException - if the algorithm URI does not satisfy the whitelist/blacklist policy