XmlSignature.java

  1. /*
  2.  * GovWay - A customizable API Gateway 
  3.  * https://govway.org
  4.  * 
  5.  * Copyright (c) 2005-2025 Link.it srl (https://link.it). 
  6.  * 
  7.  * This program is free software: you can redistribute it and/or modify
  8.  * it under the terms of the GNU General Public License version 3, as published by
  9.  * the Free Software Foundation.
  10.  *
  11.  * This program is distributed in the hope that it will be useful,
  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14.  * GNU General Public License for more details.
  15.  *
  16.  * You should have received a copy of the GNU General Public License
  17.  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18.  *
  19.  */


  22. package org.openspcoop2.utils.security;

  24. import java.security.PrivateKey;
  25. import java.security.Security;
  26. import java.security.cert.Certificate;
  27. import java.security.cert.X509Certificate;
  28. import java.util.ArrayList;
  29. import java.util.Collections;
  30. import java.util.List;

  32. import javax.xml.crypto.dsig.CanonicalizationMethod;
  33. import javax.xml.crypto.dsig.DigestMethod;
  34. import javax.xml.crypto.dsig.Reference;
  35. import javax.xml.crypto.dsig.SignatureMethod;
  36. import javax.xml.crypto.dsig.SignedInfo;
  37. import javax.xml.crypto.dsig.Transform;
  38. import javax.xml.crypto.dsig.XMLSignature;
  39. import javax.xml.crypto.dsig.XMLSignatureFactory;
  40. import javax.xml.crypto.dsig.dom.DOMSignContext;
  41. import javax.xml.crypto.dsig.keyinfo.KeyInfo;
  42. import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
  43. import javax.xml.crypto.dsig.spec.TransformParameterSpec;

  45. import org.bouncycastle.jce.provider.BouncyCastleProvider;
  46. import org.openspcoop2.utils.UtilsException;
  47. import org.openspcoop2.utils.certificate.KeyStore;
  48. import org.w3c.dom.Document;
  49. import org.w3c.dom.Element;

  51. /** 
  52.  * Signature
  53.  *
  54.  * @author Poli Andrea (apoli@link.it)
  55.  * @author $Author$
  56.  * @version $Rev$, $Date$
  57.  */
  58. public class XmlSignature {

  60.     public static final String DEFAULT_SIGNATURE_METHOD = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"; // SignatureMethod.RSA_SHA1
  61.     public static final String DEFAULT_DIGEST_METHOD = DigestMethod.SHA256;
  62.     public static final String DEFAULT_CANONICALIZATION_METHOD = CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS;
  63.     
  64.     private KeyStore keystore;
  65.     private PrivateKey privateKey;
  66.     private String alias;
  67.     
  68.     private String referenceUri;
  69.     
  70.     private java.util.List<Transform> transforms = new ArrayList<Transform>();
  71.     
  72.     private XMLSignatureFactory xmlSignatureFactory;
  73.     
  74.     private javax.xml.crypto.dsig.keyinfo.KeyInfoFactory keyInfoFactory;
  75.     
  76.     private KeyInfo keyInfo;
  77.     
  78.     public XmlSignature(java.security.KeyStore keystore, String alias, String passwordPrivateKey) throws UtilsException{
  79.         this(new KeyStore(keystore), alias, passwordPrivateKey, false);
  80.     }
  81.     public XmlSignature(java.security.KeyStore keystore, String alias, String passwordPrivateKey, boolean addBouncyCastleProvider) throws UtilsException{
  82.         this(new KeyStore(keystore), alias, passwordPrivateKey, addBouncyCastleProvider);
  83.     }
  84.     public XmlSignature(KeyStore keystore, String alias, String passwordPrivateKey) throws UtilsException{
  85.         this(keystore, alias, passwordPrivateKey, false);
  86.     }
  87.     public XmlSignature(KeyStore keystore, String alias, String passwordPrivateKey, boolean addBouncyCastleProvider) throws UtilsException{
  88.         this.keystore = keystore;
  89.         this.privateKey = this.keystore.getPrivateKey(alias, passwordPrivateKey);
  90.         this.alias = alias;
  91.         
  92.         try{
  93.         
  94.             // Providers
  95.             if(addBouncyCastleProvider){
  96.                 BouncyCastleProvider bouncyCastleProvider = new BouncyCastleProvider();
  97.                 Security.addProvider(bouncyCastleProvider);
  98.             }
  99.             
  100.             // We assemble the different parts of the Signature element into an XMLSignature object. 
  101.             // These objects are all created and assembled using an XMLSignatureFactory object.
  102.             // An application obtains a DOM implementation of XMLSignatureFactory by calling the following line of code:
  103.             this.xmlSignatureFactory = XMLSignatureFactory.getInstance("DOM");
  104.             
  105.             // *** default init ***
  106.             //The URI of the object to be signed (We specify a URI of "", which implies the root of the document.)
  107.             this.referenceUri = ""; 
  108.             // A single Transform, the enveloped Transform, which is required for enveloped signatures so that the signature itself is removed before calculating the signature value
  109.             this.addTransform(this.xmlSignatureFactory.newTransform(Transform.ENVELOPED,(TransformParameterSpec) null));
  110.             
  111.         }catch(Exception e){
  112.             throw new UtilsException(e.getMessage(),e);
  113.         }
  114.     }
  115.     
  116.     public String getReferenceUri() {
  117.         return this.referenceUri;
  118.     }
  119.     public void setReferenceUri(String referenceUri) {
  120.         this.referenceUri = referenceUri;
  121.     }
  122.     
  123.     public java.util.List<Transform> getTransforms() {
  124.         return this.transforms;
  125.     }
  126.     public void setTransforms(java.util.List<Transform> transforms) {
  127.         this.transforms = transforms;
  128.     }
  129.     public void addTransform(Transform transform){
  130.         this.transforms.add(transform);
  131.     }
  132.     
  133.     public javax.xml.crypto.dsig.keyinfo.KeyInfoFactory getKeyInfoFactory(){
  134.         if(this.keyInfoFactory==null){
  135.             this.initKeyInfoFactory();
  136.         }
  137.         return this.keyInfoFactory;
  138.     }
  139.     private synchronized void initKeyInfoFactory(){
  140.         if(this.keyInfoFactory==null){
  141.             // Next, we create the optional KeyInfo object, which contains information that enables the recipient to find the key needed to validate the signature. 
  142.             // In this example, we add a KeyValue object containing the public key. 
  143.             // To create KeyInfo and its various subtypes, we use a KeyInfoFactory object, which can be obtained by invoking the getKeyInfoFactory method of the XMLSignatureFactory, as follows:
  144.             this.keyInfoFactory=this.xmlSignatureFactory.getKeyInfoFactory(); 
  145.         }
  146.     }
  147.     
  148.     public KeyInfo getKeyInfo() {
  149.         return this.keyInfo;
  150.     }
  151.     public void setKeyInfo(KeyInfo keyInfo) {
  152.         this.keyInfo = keyInfo;
  153.     }
  154.     public void addRSAKeyInfo() throws UtilsException {
  155.         this.addRSAKeyInfo(this.alias);
  156.     }
  157.     public void addRSAKeyInfo(String alias) throws UtilsException {
  158.         try{
  159.             // We then use the KeyInfoFactory to create the KeyValue object and add it to a KeyInfo object:
  160.             javax.xml.crypto.dsig.keyinfo.KeyValue keyValue = this.getKeyInfoFactory().newKeyValue(this.keystore.getCertificate(alias).getPublicKey());
  161.             this.keyInfo = this.getKeyInfoFactory().newKeyInfo(Collections.singletonList(keyValue)); 
  162.         }catch(Exception e){
  163.             throw new UtilsException(e.getMessage(),e);
  164.         }
  165.         
  166.     }
  167.     
  168.     public void addX509KeyInfo() throws UtilsException {
  169.         this.addX509KeyInfo(this.alias);
  170.     }
  171.     public void addX509KeyInfo(String alias) throws UtilsException {
  172.         try{
  173.             List<Object> x509Content = new ArrayList<>();
  174.             Certificate cert = this.keystore.getCertificate(alias);
  175.             if(cert instanceof X509Certificate){
  176.                 x509Content.add(((X509Certificate)cert).getSubjectX500Principal().getName());
  177.             }
  178.             x509Content.add(cert);
  179.             javax.xml.crypto.dsig.keyinfo.X509Data x509Data = this.getKeyInfoFactory().newX509Data(x509Content);
  180.             this.keyInfo = this.getKeyInfoFactory().newKeyInfo(Collections.singletonList(x509Data));
  181.         }catch(Exception e){
  182.             throw new UtilsException(e.getMessage(),e);
  183.         }
  184.     }
  185.     
  186.     
  187.     public void sign(Document element) throws UtilsException{
  188.         this._sign(element.getDocumentElement(), DEFAULT_SIGNATURE_METHOD, DEFAULT_DIGEST_METHOD, DEFAULT_CANONICALIZATION_METHOD);
  189.     }
  190.     public void sign(Element element) throws UtilsException{
  191.         this._sign(element, DEFAULT_SIGNATURE_METHOD, DEFAULT_DIGEST_METHOD, DEFAULT_CANONICALIZATION_METHOD);
  192.     }
  193.     
  194.     public void sign(Document element, String signatureMethod, String digestMethod, String canonicalizationMethod) throws UtilsException{
  195.         this._sign(element.getDocumentElement(), signatureMethod, digestMethod, canonicalizationMethod);
  196.     }
  197.     public void sign(Element element, String signatureMethod, String digestMethod, String canonicalizationMethod) throws UtilsException{
  198.         this._sign(element, signatureMethod, digestMethod, canonicalizationMethod);
  199.     }
  200.     
  201.     public void sign(Document element, SignatureMethod signatureMethod, DigestMethod digestMethod, CanonicalizationMethod canonicalizationMethod) throws UtilsException{
  202.         this._sign(element.getDocumentElement(), signatureMethod, digestMethod, canonicalizationMethod);
  203.     }
  204.     public void sign(Element element, SignatureMethod signatureMethod, DigestMethod digestMethod, CanonicalizationMethod canonicalizationMethod) throws UtilsException{
  205.         this._sign(element, signatureMethod, digestMethod, canonicalizationMethod);
  206.     }
  207.     
  208.     private void _sign(Element element, String signatureMethod, String digestMethod, String canonicalizationMethod) throws UtilsException{
  209.         try{
  210.             this._sign(element, 
  211.                     this.xmlSignatureFactory.newSignatureMethod(signatureMethod, null), 
  212.                     this.xmlSignatureFactory.newDigestMethod(digestMethod, null), 
  213.                     this.xmlSignatureFactory.newCanonicalizationMethod(canonicalizationMethod,(C14NMethodParameterSpec) null));
  214.         }catch(Exception e){
  215.             throw new UtilsException(e.getMessage(),e);
  216.         }
  217.     }
  218.     private void _sign(Element element, SignatureMethod signatureMethod, DigestMethod digestMethod, CanonicalizationMethod canonicalizationMethod) throws UtilsException{
  219.         try{
  220.             
  221.             // We create an XML Digital Signature XMLSignContext containing input parameters for generating the signature. 
  222.             // Since we are using DOM, we instantiate a DOMSignContext (a subclass of XMLSignContext), and pass it two parameters, 
  223.             // the private key that will be used to sign the document and the root of the document to be signed:
  224.             DOMSignContext domSignContext = new DOMSignContext(this.privateKey, element); 
  225.                     
  226.             // We create a Reference object che indica l'elemento da firmare
  227.             Reference signedReference = this.xmlSignatureFactory.newReference(
  228.                     this.referenceUri, 
  229.                     digestMethod,
  230.                     this.transforms, null, null); 

  232.             // Next, we create the SignedInfo object, which is the object that is actually signed
  233.             SignedInfo signedInfo = this.xmlSignatureFactory.newSignedInfo(
  234.                         canonicalizationMethod,
  235.                         signatureMethod,
  236.                         Collections.singletonList(signedReference)); // A list of References da firmare
  237.             
  238.             // Finally, we create the XMLSignature object, passing as parameters the SignedInfo and KeyInfo objects that we created earlier:
  239.             XMLSignature xmlSignatureEngine = this.xmlSignatureFactory.newXMLSignature(signedInfo,this.keyInfo);
  240.             
  241.             // Notice that we haven't actually generated the signature yet; we'll do that in the next step.
  242.             // Now we are ready to generate the signature, which we do by invoking the sign method on the XMLSignature object, and pass it the signing context as follows:
  243.             xmlSignatureEngine.sign(domSignContext);
  244.             
  245.         }catch(Exception e){
  246.             throw new UtilsException(e.getMessage(),e);
  247.         }
  248.     }


  251. }
Created with JaCoCo 0.8.8.202204050719