Package org.opensaml.xmlsec.signature.support.impl

Class SignatureAlgorithmValidator

java.lang.Object

org.opensaml.xmlsec.signature.support.impl.SignatureAlgorithmValidator

public class SignatureAlgorithmValidator
extends Object

Component which validates a Signature's signature and digest algorithm URI's against a supplied algorithm whitelist and blacklist.

The evaluation is based on the Signature's underlying DOM structure, therefore the Signature must have a cached DOM before this validator is used.

Field Summary

Fields

Modifier and Type	Field	Description
private static String	ATTR_NAME_ALGORTHM	Local name of 'Algorithm' attribute.
private Collection<String>	blacklistedAlgorithmURIs	The collection of algorithm URI's which are blacklisted.
private static QName	ELEMENT_NAME_DIGEST_METHOD	QName of 'ds:DigestMethod' element.
private static QName	ELEMENT_NAME_REFERENCE	QName of 'ds:Reference' element.
private static QName	ELEMENT_NAME_SIGNATURE_METHOD	QName of 'ds:SignatureMethod' element.
private static QName	ELEMENT_NAME_SIGNED_INFO	QName of 'ds:SignedInfo' element.
private org.slf4j.Logger	log	Logger.
private Collection<String>	whitelistedAlgorithmURIs	The collection of algorithm URI's which are whitelisted.

Constructor Summary

Constructors

Constructor	Description
SignatureAlgorithmValidator(Collection<String> whitelistAlgos, Collection<String> blacklistAlgos)	Constructor.
SignatureAlgorithmValidator(SignatureValidationParameters params)	Constructor.

Method Summary

Modifier and Type	Method	Description
protected void	checkDOM(Signature signature)	Check that Signature XMLObject has a cached DOM Element.
protected List<String>	getDigestMethods(Signature signatureXMLObject)	Get the list of Signature Reference DigestMethod algorithm URIs.
protected String	getSignatureAlgorithm(Signature signatureXMLObject)	Get the signature algorithm.
void	validate(Signature signature)	Validate the algorithms in the signature.
protected void	validateAlgorithmURI(String algorithmURI)	Validate the supplied algorithm URI against the configured whitelist and blacklist.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ELEMENT_NAME_SIGNED_INFO

private static final QName ELEMENT_NAME_SIGNED_INFO

QName of 'ds:SignedInfo' element.

ELEMENT_NAME_SIGNATURE_METHOD

private static final QName ELEMENT_NAME_SIGNATURE_METHOD

QName of 'ds:SignatureMethod' element.

ELEMENT_NAME_REFERENCE

private static final QName ELEMENT_NAME_REFERENCE

QName of 'ds:Reference' element.

ELEMENT_NAME_DIGEST_METHOD

private static final QName ELEMENT_NAME_DIGEST_METHOD

QName of 'ds:DigestMethod' element.

ATTR_NAME_ALGORTHM

private static final String ATTR_NAME_ALGORTHM

Local name of 'Algorithm' attribute.

See Also:

Constant Field Values

log

private org.slf4j.Logger log

Logger.

whitelistedAlgorithmURIs

private Collection<String> whitelistedAlgorithmURIs

The collection of algorithm URI's which are whitelisted.

blacklistedAlgorithmURIs

private Collection<String> blacklistedAlgorithmURIs

The collection of algorithm URI's which are blacklisted.

Constructor Detail

SignatureAlgorithmValidator

public SignatureAlgorithmValidator(@Nonnull @ParameterName(name="params")
                                   SignatureValidationParameters params)

Constructor.

Parameters:

params - signature validation parameters containing the whitelist and blacklist

SignatureAlgorithmValidator

public SignatureAlgorithmValidator(@Nullable @ParameterName(name="whitelistAlgos")
                                   Collection<String> whitelistAlgos,
                                   @Nullable @ParameterName(name="blacklistAlgos")
                                   Collection<String> blacklistAlgos)

Constructor.

Parameters:

whitelistAlgos - the algorithm whitelist

blacklistAlgos - the algorithm blacklist

Method Detail

validate

public void validate(@Nonnull
                     Signature signature)
              throws SignatureException

Validate the algorithms in the signature.

Parameters:

signature - signature to validate

Throws:

SignatureException - if validation fails

checkDOM

protected void checkDOM(@Nonnull
                        Signature signature)
                 throws SignatureException

Check that Signature XMLObject has a cached DOM Element.

Parameters:

signature - the signature to evaluate

Throws:

SignatureException - if signature does not have a cached DOM Element

getSignatureAlgorithm

@Nonnull
protected String getSignatureAlgorithm(@Nonnull
                                       Signature signatureXMLObject)
                                throws SignatureException

Get the signature algorithm.

Parameters:

signatureXMLObject - the signature to evaluate

Returns:

the signature algorithm

Throws:

SignatureException - if signature algorithm can not be resolved

getDigestMethods

@Nonnull
protected List<String> getDigestMethods(@Nonnull
                                        Signature signatureXMLObject)
                                 throws SignatureException

Get the list of Signature Reference DigestMethod algorithm URIs.

Parameters:

signatureXMLObject - the signature to evaluate

Returns:

list of algorithm URIs

Throws:

SignatureException - if a DigestMethod is found to have a null or empty Algorithm attribute

validateAlgorithmURI

protected void validateAlgorithmURI(@Nonnull
                                    String algorithmURI)
                             throws SignatureException

Validate the supplied algorithm URI against the configured whitelist and blacklist.

Parameters:

algorithmURI - the algorithm URI to evaluate

Throws:

SignatureException - if the algorithm URI does not satisfy the whitelist/blacklist policy