Package org.opensaml.xmlsec.signature.support.impl

Class SignatureAlgorithmValidator

  • public class SignatureAlgorithmValidator
extends Object
    Component which validates a Signature's signature and digest algorithm URI's against a supplied algorithm whitelist and blacklist.

    The evaluation is based on the Signature's underlying DOM structure, therefore the Signature must have a cached DOM before this validator is used.

    • Field Detail

      • ELEMENT_NAME_SIGNED_INFO

        private static final QName ELEMENT_NAME_SIGNED_INFO
        QName of 'ds:SignedInfo' element.

      • ELEMENT_NAME_SIGNATURE_METHOD

        private static final QName ELEMENT_NAME_SIGNATURE_METHOD
        QName of 'ds:SignatureMethod' element.

      • ELEMENT_NAME_REFERENCE

        private static final QName ELEMENT_NAME_REFERENCE
        QName of 'ds:Reference' element.

      • ELEMENT_NAME_DIGEST_METHOD

        private static final QName ELEMENT_NAME_DIGEST_METHOD
        QName of 'ds:DigestMethod' element.

      • ATTR_NAME_ALGORTHM

        private static final String ATTR_NAME_ALGORTHM
        Local name of 'Algorithm' attribute.
        See Also:
        Constant Field Values

      • log

        private org.slf4j.Logger log
        Logger.

      • whitelistedAlgorithmURIs

        private Collection<String> whitelistedAlgorithmURIs
        The collection of algorithm URI's which are whitelisted.

      • blacklistedAlgorithmURIs

        private Collection<String> blacklistedAlgorithmURIs
        The collection of algorithm URI's which are blacklisted.

    • Constructor Detail

      • SignatureAlgorithmValidator

        public SignatureAlgorithmValidator​(@Nonnull @ParameterName(name="params")
                                   org.opensaml.xmlsec.SignatureValidationParameters params)
        Constructor.
        Parameters:
        params - signature validation parameters containing the whitelist and blacklist

      • SignatureAlgorithmValidator

        public SignatureAlgorithmValidator​(@Nullable @ParameterName(name="whitelistAlgos")
                                   Collection<String> whitelistAlgos,
                                   @Nullable @ParameterName(name="blacklistAlgos")
                                   Collection<String> blacklistAlgos)
        Constructor.
        Parameters:
        whitelistAlgos - the algorithm whitelist
        blacklistAlgos - the algorithm blacklist

    • Method Detail

      • validate

        public void validate​(@Nonnull
                     org.opensaml.xmlsec.signature.Signature signature)
              throws org.opensaml.xmlsec.signature.support.SignatureException
        Validate the algorithms in the signature.
        Parameters:
        signature - signature to validate
        Throws:
        org.opensaml.xmlsec.signature.support.SignatureException - if validation fails

      • checkDOM

        protected void checkDOM​(@Nonnull
                        org.opensaml.xmlsec.signature.Signature signature)
                 throws org.opensaml.xmlsec.signature.support.SignatureException
        Check that Signature XMLObject has a cached DOM Element.
        Parameters:
        signature - the signature to evaluate
        Throws:
        org.opensaml.xmlsec.signature.support.SignatureException - if signature does not have a cached DOM Element

      • getSignatureAlgorithm

        @Nonnull
protected String getSignatureAlgorithm​(@Nonnull
                                       org.opensaml.xmlsec.signature.Signature signatureXMLObject)
                                throws org.opensaml.xmlsec.signature.support.SignatureException
        Get the signature algorithm.
        Parameters:
        signatureXMLObject - the signature to evaluate
        Returns:
        the signature algorithm
        Throws:
        org.opensaml.xmlsec.signature.support.SignatureException - if signature algorithm can not be resolved

      • getDigestMethods

        @Nonnull
protected List<String> getDigestMethods​(@Nonnull
                                        org.opensaml.xmlsec.signature.Signature signatureXMLObject)
                                 throws org.opensaml.xmlsec.signature.support.SignatureException
        Get the list of Signature Reference DigestMethod algorithm URIs.
        Parameters:
        signatureXMLObject - the signature to evaluate
        Returns:
        list of algorithm URIs
        Throws:
        org.opensaml.xmlsec.signature.support.SignatureException - if a DigestMethod is found to have a null or empty Algorithm attribute

      • validateAlgorithmURI

        protected void validateAlgorithmURI​(@Nonnull
                                    String algorithmURI)
                             throws org.opensaml.xmlsec.signature.support.SignatureException
        Validate the supplied algorithm URI against the configured whitelist and blacklist.
        Parameters:
        algorithmURI - the algorithm URI to evaluate
        Throws:
        org.opensaml.xmlsec.signature.support.SignatureException - if the algorithm URI does not satisfy the whitelist/blacklist policy