Class SignatureAlgorithmValidator
- java.lang.Object
- org.opensaml.xmlsec.signature.support.impl.SignatureAlgorithmValidator

public class SignatureAlgorithmValidator extends Object
Component which validates a Signature's signature and digest algorithm URIs against a supplied algorithm whitelist and blacklist. The evaluation is based on the Signature's underlying DOM structure, therefore the Signature must have a cached DOM before this validator is used.

Field Summary
- private static String ATTR_NAME_ALGORTHM: Local name of 'Algorithm' attribute.
- private Collection<String> blacklistedAlgorithmURIs: The collection of algorithm URIs which are blacklisted.
- private static QName ELEMENT_NAME_DIGEST_METHOD: QName of 'ds:DigestMethod' element.
- private static QName ELEMENT_NAME_REFERENCE: QName of 'ds:Reference' element.
- private static QName ELEMENT_NAME_SIGNATURE_METHOD: QName of 'ds:SignatureMethod' element.
- private static QName ELEMENT_NAME_SIGNED_INFO: QName of 'ds:SignedInfo' element.
- private org.slf4j.Logger log: Logger.
- private Collection<String> whitelistedAlgorithmURIs: The collection of algorithm URIs which are whitelisted.

Constructor Summary
- SignatureAlgorithmValidator(Collection<String> whitelistAlgos, Collection<String> blacklistAlgos): Constructor.
- SignatureAlgorithmValidator(SignatureValidationParameters params): Constructor.

Method Summary (all methods are instance methods; all are concrete)
- protected void checkDOM(Signature signature): Check that the Signature XMLObject has a cached DOM Element.
- protected List<String> getDigestMethods(Signature signatureXMLObject): Get the list of Signature Reference DigestMethod algorithm URIs.
- protected String getSignatureAlgorithm(Signature signatureXMLObject): Get the signature algorithm.
- void validate(Signature signature): Validate the algorithms in the signature.
- protected void validateAlgorithmURI(String algorithmURI): Validate the supplied algorithm URI against the configured whitelist and blacklist.

Field Detail

ELEMENT_NAME_SIGNED_INFO
private static final QName ELEMENT_NAME_SIGNED_INFO
QName of 'ds:SignedInfo' element.

ELEMENT_NAME_SIGNATURE_METHOD
private static final QName ELEMENT_NAME_SIGNATURE_METHOD
QName of 'ds:SignatureMethod' element.

ELEMENT_NAME_REFERENCE
private static final QName ELEMENT_NAME_REFERENCE
QName of 'ds:Reference' element.

ELEMENT_NAME_DIGEST_METHOD
private static final QName ELEMENT_NAME_DIGEST_METHOD
QName of 'ds:DigestMethod' element.

ATTR_NAME_ALGORTHM
private static final String ATTR_NAME_ALGORTHM
Local name of 'Algorithm' attribute.
- See Also: Constant Field Values

log
private org.slf4j.Logger log
Logger.

whitelistedAlgorithmURIs
private Collection<String> whitelistedAlgorithmURIs
The collection of algorithm URIs which are whitelisted.

blacklistedAlgorithmURIs
private Collection<String> blacklistedAlgorithmURIs
The collection of algorithm URIs which are blacklisted.

Constructor Detail

SignatureAlgorithmValidator
public SignatureAlgorithmValidator(@Nonnull @ParameterName(name="params") SignatureValidationParameters params)
Constructor.
- Parameters:
  - params - signature validation parameters containing the whitelist and blacklist

SignatureAlgorithmValidator
public SignatureAlgorithmValidator(@Nullable @ParameterName(name="whitelistAlgos") Collection<String> whitelistAlgos, @Nullable @ParameterName(name="blacklistAlgos") Collection<String> blacklistAlgos)
Constructor.
- Parameters:
  - whitelistAlgos - the algorithm whitelist
  - blacklistAlgos - the algorithm blacklist

Method Detail

validate
public void validate(@Nonnull Signature signature) throws SignatureException
Validate the algorithms in the signature.
- Parameters:
  - signature - signature to validate
- Throws:
  - SignatureException - if validation fails

checkDOM
protected void checkDOM(@Nonnull Signature signature) throws SignatureException
Check that the Signature XMLObject has a cached DOM Element.
- Parameters:
  - signature - the signature to evaluate
- Throws:
  - SignatureException - if the signature does not have a cached DOM Element

getSignatureAlgorithm
@Nonnull protected String getSignatureAlgorithm(@Nonnull Signature signatureXMLObject) throws SignatureException
Get the signature algorithm.
- Parameters:
  - signatureXMLObject - the signature to evaluate
- Returns:
  - the signature algorithm
- Throws:
  - SignatureException - if the signature algorithm can not be resolved

getDigestMethods
@Nonnull protected List<String> getDigestMethods(@Nonnull Signature signatureXMLObject) throws SignatureException
Get the list of Signature Reference DigestMethod algorithm URIs.
- Parameters:
  - signatureXMLObject - the signature to evaluate
- Returns:
  - list of algorithm URIs
- Throws:
  - SignatureException - if a DigestMethod is found to have a null or empty Algorithm attribute

validateAlgorithmURI
protected void validateAlgorithmURI(@Nonnull String algorithmURI) throws SignatureException
Validate the supplied algorithm URI against the configured whitelist and blacklist.
- Parameters:
  - algorithmURI - the algorithm URI to evaluate
- Throws:
  - SignatureException - if the algorithm URI does not satisfy the whitelist/blacklist policy
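The following is an added example, written for this page and not part of OpenSAML, that re-implements the validator's policy in Python over the raw XML so that the DOM walk described above (the class description and the validate, getSignatureAlgorithm, getDigestMethods and validateAlgorithmURI entries) can be run and inspected. It reads the same elements the Java class names (ds:SignedInfo, ds:SignatureMethod, ds:Reference, ds:DigestMethod) and their 'Algorithm' attribute, then applies the whitelist and blacklist to every URI found. The function names, the SignatureException class, the sample signature and its base64 placeholders are constructed here; the algorithm URIs are the standard XMLDSig identifiers. The whitelist/blacklist semantics assumed (a non-empty whitelist must contain the URI, and the blacklist must not) are this example's reading of the page, not a quotation of OpenSAML's source.

```python
"""Python re-implementation of SignatureAlgorithmValidator's policy (added example, not OpenSAML code)."""
import xml.etree.ElementTree as ET
from typing import Iterable, List, Tuple

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Element tags in Clark notation; these correspond to the QName constants on the page.
SIGNED_INFO = f"{{{DS_NS}}}SignedInfo"
SIGNATURE_METHOD = f"{{{DS_NS}}}SignatureMethod"
REFERENCE = f"{{{DS_NS}}}Reference"
DIGEST_METHOD = f"{{{DS_NS}}}DigestMethod"
ATTR_ALGORITHM = "Algorithm"  # local name of the attribute (ATTR_NAME_ALGORTHM on the page)

# Standard XMLDSig algorithm identifiers used in the sample policies below.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample: a ds:Signature signed with RSA-SHA1 over one SHA-256 digest.
# DigestValue / SignatureValue are placeholder base64, not real cryptographic output.
SAMPLE_SIGNATURE = f"""<ds:Signature xmlns:ds="{DS_NS}">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="{RSA_SHA1}"/>
    <ds:Reference URI="#assertion-1">
      <ds:DigestMethod Algorithm="{SHA256}"/>
      <ds:DigestValue>cGxhY2Vob2xkZXItZGlnZXN0</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>cGxhY2Vob2xkZXItc2lnbmF0dXJl</ds:SignatureValue>
</ds:Signature>"""


class SignatureException(Exception):
    """Stands in for the checked SignatureException the Java validator throws."""


def _signed_info(signature: ET.Element) -> ET.Element:
    signed_info = signature.find(SIGNED_INFO)
    if signed_info is None:
        raise SignatureException("ds:SignedInfo element not found")
    return signed_info


def get_signature_algorithm(signature: ET.Element) -> str:
    """Counterpart of getSignatureAlgorithm(): ds:SignedInfo/ds:SignatureMethod/@Algorithm."""
    method = _signed_info(signature).find(SIGNATURE_METHOD)
    if method is None:
        raise SignatureException("ds:SignatureMethod element not found")
    algo = (method.get(ATTR_ALGORITHM) or "").strip()
    if not algo:
        raise SignatureException("ds:SignatureMethod has a null or empty Algorithm attribute")
    return algo


def get_digest_methods(signature: ET.Element) -> List[str]:
    """Counterpart of getDigestMethods(): every ds:Reference/ds:DigestMethod/@Algorithm."""
    algos = []
    for ref in _signed_info(signature).findall(REFERENCE):
        digest = ref.find(DIGEST_METHOD)
        if digest is None:  # this example's choice; XMLDSig requires DigestMethod in a Reference
            raise SignatureException("ds:Reference without ds:DigestMethod")
        algo = (digest.get(ATTR_ALGORITHM) or "").strip()
        if not algo:
            raise SignatureException("ds:DigestMethod has a null or empty Algorithm attribute")
        algos.append(algo)
    return algos


def validate_algorithm_uri(algorithm_uri: str, whitelist: Iterable[str], blacklist: Iterable[str]) -> None:
    """Counterpart of validateAlgorithmURI(): a non-empty whitelist must contain the URI,
    and the blacklist must not (assumed semantics, see the lead-in)."""
    whitelist, blacklist = set(whitelist), set(blacklist)
    if whitelist and algorithm_uri not in whitelist:
        raise SignatureException(f"algorithm not in whitelist: {algorithm_uri}")
    if algorithm_uri in blacklist:
        raise SignatureException(f"algorithm is blacklisted: {algorithm_uri}")


def validate(signature_xml: str, whitelist: Iterable[str] = (), blacklist: Iterable[str] = ()) -> List[str]:
    """Counterpart of validate(): checks the signature algorithm and every digest algorithm.
    Returns the URIs that were checked, in the order they were evaluated."""
    root = ET.fromstring(signature_xml)
    checked = [get_signature_algorithm(root)] + get_digest_methods(root)
    for uri in checked:
        validate_algorithm_uri(uri, whitelist, blacklist)
    return checked


def is_acceptable(signature_xml: str, whitelist: Iterable[str] = (), blacklist: Iterable[str] = ()) -> Tuple[bool, str]:
    """Convenience wrapper that turns the exception into a (passed, reason) pair."""
    try:
        validate(signature_xml, whitelist, blacklist)
    except (SignatureException, ET.ParseError) as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    print("no policy:      ", is_acceptable(SAMPLE_SIGNATURE))
    print("blacklist sha1: ", is_acceptable(SAMPLE_SIGNATURE, blacklist=[RSA_SHA1, SHA1]))
    print("whitelist sha256:", is_acceptable(SAMPLE_SIGNATURE, whitelist=[RSA_SHA256, SHA256]))
```

Two points worth noting when mapping this back to the Java class. First, only ds:SignatureMethod and ds:DigestMethod are inspected; the page's field list contains no QName for ds:CanonicalizationMethod, so a policy on canonicalization algorithms has to be enforced elsewhere. Second, a whitelist is the safer configuration: the blacklist run above rejects the sample only because RSA-SHA1 was listed explicitly, whereas the whitelist run rejects it without anyone having to anticipate that algorithm.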