org.opensaml.saml.security.impl

Class SAMLSignatureProfileValidator

java.lang.Object

org.opensaml.saml.security.impl.SAMLSignatureProfileValidator

All Implemented Interfaces:

org.opensaml.xmlsec.signature.support.SignaturePrevalidator

public class SAMLSignatureProfileValidator
extends Object
implements org.opensaml.xmlsec.signature.support.SignaturePrevalidator

A validator for instances of Signature, which validates that the signature meets security-related requirements indicated by the SAML profile of XML Signature.

Field Summary

Fields

Modifier and Type	Field and Description
private Logger	log Class logger.

Constructor Summary

Constructors

Constructor and Description
SAMLSignatureProfileValidator()

Method Summary

Methods

Modifier and Type	Method and Description
void	validate(org.opensaml.xmlsec.signature.Signature signature)
protected void	validateObjectChildren(XMLSignature apacheSig) Validate that the Signature instance does not contain any ds:Object children.
protected Reference	validateReference(XMLSignature apacheSig) Validate the Signature's SignedInfo Reference.
protected void	validateReferenceURI(String uri, SignableSAMLObject signableObject) Validate the Signature's Reference URI.
protected void	validateReferenceURI(String uri, String id) Validate the Reference URI and parent ID attribute values.
protected void	validateSignatureImpl(SignatureImpl sigImpl) Validate an instance of SignatureImpl, which is in turn based on underlying Apache XML Security XMLSignature instance.
protected void	validateTransforms(Reference reference) Validate the transforms included in the Signature Reference.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

private final Logger log

Class logger.

Constructor Detail

SAMLSignatureProfileValidator

public SAMLSignatureProfileValidator()

Method Detail

validate

public void validate(@Nonnull
            org.opensaml.xmlsec.signature.Signature signature)
              throws org.opensaml.xmlsec.signature.support.SignatureException

Specified by:

validate in interface org.opensaml.xmlsec.signature.support.SignaturePrevalidator

Throws:

org.opensaml.xmlsec.signature.support.SignatureException

validateSignatureImpl

protected void validateSignatureImpl(SignatureImpl sigImpl)
                              throws org.opensaml.xmlsec.signature.support.SignatureException

Validate an instance of SignatureImpl, which is in turn based on underlying Apache XML Security XMLSignature instance.

Parameters:

sigImpl - the signature implementation object to validate

Throws:

org.opensaml.xmlsec.signature.support.SignatureException - thrown if the signature is not valid with respect to the profile

validateReference

protected Reference validateReference(XMLSignature apacheSig)
                               throws org.opensaml.xmlsec.signature.support.SignatureException

Validate the Signature's SignedInfo Reference. The SignedInfo must contain exactly 1 Reference.

Parameters:

apacheSig - the Apache XML Signature instance

Returns:

the valid Reference contained within the SignedInfo

Throws:

org.opensaml.xmlsec.signature.support.SignatureException - thrown if the Signature does not contain exactly 1 Reference, or if there is an error obtaining the Reference instance

validateReferenceURI

protected void validateReferenceURI(String uri,
                        SignableSAMLObject signableObject)
                             throws org.opensaml.xmlsec.signature.support.SignatureException

Validate the Signature's Reference URI. First validate the Reference URI against the parent's ID itself. Then validate that the URI (if non-empty) resolves to the same Element node as is cached by the SignableSAMLObject.

Parameters:

uri - the Signature Reference URI attribute value

signableObject - the SignableSAMLObject whose signature is being validated

Throws:

org.opensaml.xmlsec.signature.support.SignatureException - if the URI is invalid or doesn't resolve to the expected DOM node

validateReferenceURI

protected void validateReferenceURI(String uri,
                        String id)
                             throws org.opensaml.xmlsec.signature.support.SignatureException

Validate the Reference URI and parent ID attribute values. The URI must either be null or empty (indicating that the entire enclosing document was signed), or else it must be a local document fragment reference and point to the SAMLObject parent via the latter's ID attribute value.

Parameters:

uri - the Signature Reference URI attribute value

id - the Signature parents ID attribute value

Throws:

org.opensaml.xmlsec.signature.support.SignatureException - thrown if the URI or ID attribute values are invalid

validateTransforms

protected void validateTransforms(Reference reference)
                           throws org.opensaml.xmlsec.signature.support.SignatureException

Validate the transforms included in the Signature Reference. The Reference may contain at most 2 transforms. One of them must be the Enveloped signature transform. An Exclusive Canonicalization transform (with or without comments) may also be present. No other transforms are allowed.

Parameters:

reference - the Signature reference containing the transforms to evaluate

Throws:

org.opensaml.xmlsec.signature.support.SignatureException - thrown if the set of transforms is invalid

validateObjectChildren

protected void validateObjectChildren(XMLSignature apacheSig)
                               throws org.opensaml.xmlsec.signature.support.SignatureException

Validate that the Signature instance does not contain any ds:Object children.

Parameters:

apacheSig - the Apache XML Signature instance

Throws:

org.opensaml.xmlsec.signature.support.SignatureException - if the signature contains ds:Object children