Package org.opensaml.saml.security.impl

Class SAMLSignatureProfileValidator

  • All Implemented Interfaces:
    org.opensaml.xmlsec.signature.support.SignaturePrevalidator
    public class SAMLSignatureProfileValidator
extends Object
implements org.opensaml.xmlsec.signature.support.SignaturePrevalidator
    A validator for instances of Signature, which validates that the signature meets security-related requirements indicated by the SAML profile of XML Signature.

    • Field Detail

      • log

        private final Logger log
        Class logger.

    • Constructor Detail

      • SAMLSignatureProfileValidator

        public SAMLSignatureProfileValidator()

    • Method Detail

      • validate

        public void validate​(@Nonnull
                     org.opensaml.xmlsec.signature.Signature signature)
              throws org.opensaml.xmlsec.signature.support.SignatureException
        Specified by:
        validate in interface org.opensaml.xmlsec.signature.support.SignaturePrevalidator
        Throws:
        org.opensaml.xmlsec.signature.support.SignatureException

      • validateSignatureImpl

        protected void validateSignatureImpl​(org.opensaml.xmlsec.signature.impl.SignatureImpl sigImpl)
                              throws org.opensaml.xmlsec.signature.support.SignatureException
        Validate an instance of SignatureImpl, which is in turn based on underlying Apache XML Security XMLSignature instance.
        Parameters:
        sigImpl - the signature implementation object to validate
        Throws:
        org.opensaml.xmlsec.signature.support.SignatureException - thrown if the signature is not valid with respect to the profile

      • validateReference

        protected Reference validateReference​(XMLSignature apacheSig)
                               throws org.opensaml.xmlsec.signature.support.SignatureException
        Validate the Signature's SignedInfo Reference. The SignedInfo must contain exactly 1 Reference.
        Parameters:
        apacheSig - the Apache XML Signature instance
        Returns:
        the valid Reference contained within the SignedInfo
        Throws:
        org.opensaml.xmlsec.signature.support.SignatureException - thrown if the Signature does not contain exactly 1 Reference, or if there is an error obtaining the Reference instance

      • validateReferenceURI

        protected void validateReferenceURI​(String uri,
                                    org.opensaml.saml.common.SignableSAMLObject signableObject)
                             throws org.opensaml.xmlsec.signature.support.SignatureException
        Validate the Signature's Reference URI. First validate the Reference URI against the parent's ID itself. Then validate that the URI (if non-empty) resolves to the same Element node as is cached by the SignableSAMLObject.
        Parameters:
        uri - the Signature Reference URI attribute value
        signableObject - the SignableSAMLObject whose signature is being validated
        Throws:
        org.opensaml.xmlsec.signature.support.SignatureException - if the URI is invalid or doesn't resolve to the expected DOM node

      • validateReferenceURI

        protected void validateReferenceURI​(String uri,
                                    String id)
                             throws org.opensaml.xmlsec.signature.support.SignatureException
        Validate the Reference URI and parent ID attribute values. The URI must either be null or empty (indicating that the entire enclosing document was signed), or else it must be a local document fragment reference and point to the SAMLObject parent via the latter's ID attribute value.
        Parameters:
        uri - the Signature Reference URI attribute value
        id - the Signature parents ID attribute value
        Throws:
        org.opensaml.xmlsec.signature.support.SignatureException - thrown if the URI or ID attribute values are invalid

      • validateTransforms

        protected void validateTransforms​(Reference reference)
                           throws org.opensaml.xmlsec.signature.support.SignatureException
        Validate the transforms included in the Signature Reference. The Reference may contain at most 2 transforms. One of them must be the Enveloped signature transform. An Exclusive Canonicalization transform (with or without comments) may also be present. No other transforms are allowed.
        Parameters:
        reference - the Signature reference containing the transforms to evaluate
        Throws:
        org.opensaml.xmlsec.signature.support.SignatureException - thrown if the set of transforms is invalid

      • validateObjectChildren

        protected void validateObjectChildren​(XMLSignature apacheSig)
                               throws org.opensaml.xmlsec.signature.support.SignatureException
        Validate that the Signature instance does not contain any ds:Object children.
        Parameters:
        apacheSig - the Apache XML Signature instance
        Throws:
        org.opensaml.xmlsec.signature.support.SignatureException - if the signature contains ds:Object children