public class SignatureAlgorithmValidator extends Object

Component which validates a Signature's signature and digest algorithm URIs against a supplied algorithm whitelist and blacklist.

The evaluation is based on the Signature's underlying DOM structure, therefore the Signature must have a cached DOM before this validator is used.
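The checks this class performs, as an added example written for this page rather than taken from OpenSAML: a stand-alone Python re-implementation over a parsed ds:Signature, using only the standard library. The element and attribute names are those in the field summary (ds:SignedInfo, ds:SignatureMethod, ds:Reference, ds:DigestMethod, Algorithm). Two points are my assumptions rather than something this page states: the whitelist/blacklist precedence (a blacklisted URI is rejected first, a non-empty whitelist must then contain the URI, and an empty or absent whitelist permits everything not blacklisted), and the decision to reject a Reference that has no DigestMethod at all. The ds:Signature inputs are constructed skeletons with dummy digest and signature values.

```python
# Added example written for this page, not OpenSAML code: a stand-alone Python
# re-implementation of the checks SignatureAlgorithmValidator performs over a
# parsed ds:Signature (SignedInfo/SignatureMethod and each Reference/DigestMethod).
import xml.etree.ElementTree as ET
from typing import Collection, List, Optional

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Standard XML-DSig / RFC 6931 algorithm identifiers used by the constructed samples.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

class SignatureException(Exception):
    """Stands in for org.opensaml.xmlsec.signature.support.SignatureException."""

def _ds(local: str) -> str:
    """Clark-notation name of an element in the ds: namespace."""
    return "{%s}%s" % (DS_NS, local)

def _algorithm_attr(element: ET.Element, what: str) -> str:
    """Trimmed Algorithm attribute; a null or empty value is a failure, as in the class."""
    value = (element.get("Algorithm") or "").strip()
    if not value:
        raise SignatureException("%s element has a null or empty Algorithm attribute" % what)
    return value

def _signed_info(signature: ET.Element) -> ET.Element:
    signed_info = signature.find(_ds("SignedInfo"))
    if signed_info is None:
        raise SignatureException("Signature has no ds:SignedInfo child")
    return signed_info

def get_signature_algorithm(signature: ET.Element) -> str:
    """Counterpart of getSignatureAlgorithm(): SignedInfo/SignatureMethod/@Algorithm."""
    method = _signed_info(signature).find(_ds("SignatureMethod"))
    if method is None:
        raise SignatureException("SignedInfo has no ds:SignatureMethod child")
    return _algorithm_attr(method, "SignatureMethod")

def get_digest_methods(signature: ET.Element) -> List[str]:
    """Counterpart of getDigestMethods(): one URI per SignedInfo/Reference/DigestMethod."""
    uris = []
    for reference in _signed_info(signature).findall(_ds("Reference")):
        digest_method = reference.find(_ds("DigestMethod"))
        if digest_method is None:  # assumption: a Reference without DigestMethod is rejected too
            raise SignatureException("Reference has no ds:DigestMethod child")
        uris.append(_algorithm_attr(digest_method, "DigestMethod"))
    return uris

def validate_algorithm_uri(uri: str, whitelist: Optional[Collection[str]],
                           blacklist: Optional[Collection[str]]) -> None:
    """Counterpart of validateAlgorithmURI(). Assumed precedence: the blacklist always
    wins; a non-empty whitelist must contain the URI; an empty/absent whitelist
    permits anything that is not blacklisted."""
    if blacklist and uri in blacklist:
        raise SignatureException("Algorithm is blacklisted: %s" % uri)
    if whitelist and uri not in whitelist:
        raise SignatureException("Algorithm is not whitelisted: %s" % uri)

def validate(signature: ET.Element, whitelist=None, blacklist=None) -> None:
    """Counterpart of validate(): the signature algorithm first, then every digest algorithm."""
    validate_algorithm_uri(get_signature_algorithm(signature), whitelist, blacklist)
    for digest_uri in get_digest_methods(signature):
        validate_algorithm_uri(digest_uri, whitelist, blacklist)

def check(signature_xml: str, whitelist=None, blacklist=None) -> Optional[str]:
    """Parse a ds:Signature and return None if it passes, otherwise the failure reason."""
    try:
        validate(ET.fromstring(signature_xml), whitelist, blacklist)
        return None
    except SignatureException as exc:
        return str(exc)

def sample_signature(signature_algorithm: str, digest_algorithm: str) -> str:
    """Constructed ds:Signature skeleton with dummy digest/signature values; only the
    algorithm URIs matter to this check."""
    return (
        '<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="%s"/>'
        '<ds:Reference URI="#assertion"><ds:DigestMethod Algorithm="%s"/>'
        '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
    ) % (DS_NS, signature_algorithm, digest_algorithm)

if __name__ == "__main__":
    policy = dict(whitelist={RSA_SHA256, SHA256}, blacklist={RSA_SHA1, SHA1})
    print(check(sample_signature(RSA_SHA256, SHA256), **policy))  # None: accepted
    print(check(sample_signature(RSA_SHA1, SHA256), **policy))    # rsa-sha1 is blacklisted
    print(check(sample_signature(RSA_SHA256, ""), **policy))      # empty DigestMethod Algorithm
```

Note what is and is not covered: the fields on this page name only SignedInfo, SignatureMethod, Reference and DigestMethod, so the CanonicalizationMethod URI is not part of this validator's check and is not checked here either. Because the class reads the cached DOM rather than the XMLObject model, the URIs it evaluates are the ones actually covered by the signature bytes, which is the property you want from an algorithm policy check.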
Field Summary

Modifier and Type | Field | Description
---|---|---
private static String | ATTR_NAME_ALGORTHM | Local name of 'Algorithm' attribute.
private Collection<String> | blacklistedAlgorithmURIs | The collection of algorithm URIs which are blacklisted.
private static QName | ELEMENT_NAME_DIGEST_METHOD | QName of 'ds:DigestMethod' element.
private static QName | ELEMENT_NAME_REFERENCE | QName of 'ds:Reference' element.
private static QName | ELEMENT_NAME_SIGNATURE_METHOD | QName of 'ds:SignatureMethod' element.
private static QName | ELEMENT_NAME_SIGNED_INFO | QName of 'ds:SignedInfo' element.
private org.slf4j.Logger | log | Logger.
private Collection<String> | whitelistedAlgorithmURIs | The collection of algorithm URIs which are whitelisted.
Constructor Summary

Constructor | Description
---|---
SignatureAlgorithmValidator(Collection<String> whitelistAlgos, Collection<String> blacklistAlgos) | Constructor.
SignatureAlgorithmValidator(SignatureValidationParameters params) | Constructor.
Method Summary

Modifier and Type | Method | Description
---|---|---
protected void | checkDOM(Signature signature) | Check that the Signature XMLObject has a cached DOM Element.
protected List<String> | getDigestMethods(Signature signatureXMLObject) | Get the list of Signature Reference DigestMethod algorithm URIs.
protected String | getSignatureAlgorithm(Signature signatureXMLObject) | Get the signature algorithm.
void | validate(Signature signature) | Validate the algorithms in the signature.
protected void | validateAlgorithmURI(String algorithmURI) | Validate the supplied algorithm URI against the configured whitelist and blacklist.
Field Detail

private static final QName ELEMENT_NAME_SIGNED_INFO
private static final QName ELEMENT_NAME_SIGNATURE_METHOD
private static final QName ELEMENT_NAME_REFERENCE
private static final QName ELEMENT_NAME_DIGEST_METHOD
private static final String ATTR_NAME_ALGORTHM
private org.slf4j.Logger log
private Collection<String> whitelistedAlgorithmURIs
private Collection<String> blacklistedAlgorithmURIs
Constructor Detail

public SignatureAlgorithmValidator(@Nonnull @ParameterName(name="params") SignatureValidationParameters params)
Parameters:
params - signature validation parameters containing the whitelist and blacklist

public SignatureAlgorithmValidator(@Nullable @ParameterName(name="whitelistAlgos") Collection<String> whitelistAlgos, @Nullable @ParameterName(name="blacklistAlgos") Collection<String> blacklistAlgos)
Parameters:
whitelistAlgos - the algorithm whitelist
blacklistAlgos - the algorithm blacklist

Method Detail

public void validate(@Nonnull Signature signature) throws SignatureException
Parameters:
signature - signature to validate
Throws:
SignatureException - if validation fails

protected void checkDOM(@Nonnull Signature signature) throws SignatureException
Parameters:
signature - the signature to evaluate
Throws:
SignatureException - if signature does not have a cached DOM Element

@Nonnull protected String getSignatureAlgorithm(@Nonnull Signature signatureXMLObject) throws SignatureException
Parameters:
signatureXMLObject - the signature to evaluate
Throws:
SignatureException - if signature algorithm can not be resolved

@Nonnull protected List<String> getDigestMethods(@Nonnull Signature signatureXMLObject) throws SignatureException
Parameters:
signatureXMLObject - the signature to evaluate
Throws:
SignatureException - if a DigestMethod is found to have a null or empty Algorithm attribute

protected void validateAlgorithmURI(@Nonnull String algorithmURI) throws SignatureException
Parameters:
algorithmURI - the algorithm URI to evaluate
Throws:
SignatureException - if the algorithm URI does not satisfy the whitelist/blacklist policy

Copyright © 1999–2020 Shibboleth Consortium. All rights reserved.