/**
 * Check that a Signature Reference URI is consistent with the ID attribute of the
 * SAMLObject that carries the Signature.
 *
 * An absent or empty URI is accepted as-is: it denotes a reference to the whole
 * enclosing document. Any other URI must be a same-document fragment reference,
 * i.e. "#" followed by exactly the parent's ID value.
 *
 * @param uri the Signature Reference URI attribute value (may be null or empty)
 * @param id the ID attribute value of the Signature's parent (may be null or empty)
 * @throws SignatureException if the URI is not a fragment reference, the parent
 *             has no ID, or the fragment does not match the parent's ID
 */
protected void validateReferenceURI(String uri, String id) throws SignatureException {
    // Null/empty URI => the entire document is signed; nothing further to check.
    if (Strings.isNullOrEmpty(uri)) {
        return;
    }

    if (!uri.startsWith("#")) {
        log.error("Signature Reference URI was not a document fragment reference: " + uri);
        throw new SignatureException("Signature Reference URI was not a document fragment reference");
    }

    if (Strings.isNullOrEmpty(id)) {
        log.error("SignableSAMLObject did not contain an ID attribute");
        throw new SignatureException("SignableSAMLObject did not contain an ID attribute");
    }

    // Strip the leading '#' and require an exact match; a bare "#" (length 1)
    // has no fragment and therefore never matches.
    final String fragment = uri.length() < 2 ? null : uri.substring(1);
    if (fragment == null || !id.equals(fragment)) {
        log.error("Reference URI '{}' did not point to SignableSAMLObject with ID '{}'", uri, id);
        throw new SignatureException("Reference URI did not point to parent ID");
    }
}
signaturePrevalidator.validate(signature); } catch (SignatureException e) { String msg = String.format("Assertion Signature failed pre-validation: %s", e.getMessage()); log.warn(msg); context.setValidationFailureMessage(msg);
validator.validate(signature); } catch (SignatureException ex) { LOG.debug("Error in validating the SAML Signature: {}", ex.getMessage(), ex); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); SignatureValidator.validate(signature, credential); } catch (SignatureException ex) { LOG.debug("Error in validating the SAML Signature: {}", ex.getMessage(), ex); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
validator.validate(signature); } catch (SignatureException ex) { LOG.log(Level.FINE, "Error in validating the SAML Signature: " + ex.getMessage(), ex); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); responseSignatureValidator.validate(signature, credential); } catch (SignatureException ex) { LOG.log(Level.FINE, "Error in validating the SAML Signature: " + ex.getMessage(), ex); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
/**
 * Reject a Signature that carries any ds:Object child elements.
 *
 * NOTE(review): this profile forbids ds:Object outright; the rationale is not
 * stated in this file — presumably to keep extra signed-over content out of the
 * SAML object. Confirm against the profile documentation before relaxing it.
 *
 * @param apacheSig the Apache XML Signature instance
 * @throws SignatureException if one or more ds:Object children are present
 */
protected void validateObjectChildren(XMLSignature apacheSig) throws SignatureException {
    final int objectCount = apacheSig.getObjectLength();
    if (objectCount <= 0) {
        return;
    }
    log.error("Signature contained {} ds:Object child element(s)", objectCount);
    throw new SignatureException("Signature contained illegal ds:Object children");
}
}
} catch (XMLSecurityException e) { log.error("Apache XML Security error obtaining Transforms instance", e); throw new SignatureException("Apache XML Security error obtaining Transforms instance", e); throw new SignatureException("Transforms instance was null"); if (numTransforms > 2) { log.error("Invalid number of Transforms was present: " + numTransforms); throw new SignatureException("Invalid number of transforms"); } catch (TransformationException e) { log.error("Error obtaining transform instance", e); throw new SignatureException("Error obtaining transform instance", e); } else { log.error("Saw invalid signature transform: " + uri); throw new SignatureException("Signature contained an invalid transform"); throw new SignatureException("Transforms did not contain the required enveloped transform");
/**
 * Extract the single Reference from the Signature's SignedInfo.
 *
 * The profile requires exactly one Reference; any other count is rejected
 * before the Reference is even looked up.
 *
 * @param apacheSig the Apache XML Signature instance
 * @return the sole Reference held in SignedInfo (never null)
 * @throws SignatureException if the Reference count is not exactly 1, if the
 *             Reference cannot be obtained from the Apache library, or if the
 *             library hands back null
 */
protected Reference validateReference(XMLSignature apacheSig) throws SignatureException {
    final int referenceCount = apacheSig.getSignedInfo().getLength();
    if (referenceCount != 1) {
        log.error("Signature SignedInfo had invalid number of References: " + referenceCount);
        throw new SignatureException("Signature SignedInfo must have exactly 1 Reference element");
    }

    final Reference reference;
    try {
        reference = apacheSig.getSignedInfo().item(0);
    } catch (XMLSecurityException e) {
        // Preserve the underlying cause for diagnostics.
        log.error("Apache XML Security exception obtaining Reference", e);
        throw new SignatureException("Could not obtain Reference from Signature/SignedInfo", e);
    }

    if (reference == null) {
        log.error("Signature Reference was null");
        throw new SignatureException("Signature Reference was null");
    }
    return reference;
}
if (expected == null) { log.error("SignableSAMLObject does not have a cached DOM Element."); throw new SignatureException("SignableSAMLObject does not have a cached DOM Element."); if (resolved == null) { log.error("Apache xmlsec IdResolver could not resolve the Element for id reference: {}", uriID); throw new SignatureException("Apache xmlsec IdResolver could not resolve the Element for id reference: " + uriID); throw new SignatureException("Signature Reference URI did not resolve to the expected parent Element");
/**
 * Apply the profile checks to a {@link SignatureImpl}, working on its backing
 * Apache XML Security <code>XMLSignature</code>.
 *
 * Checks run in this order: the Apache signature must be present; the Signature
 * must sit directly under a {@link SignableSAMLObject}; then the Reference, its
 * URI, its Transforms, and finally the absence of ds:Object children are
 * validated by the dedicated helpers.
 *
 * @param sigImpl the signature implementation object to validate
 * @throws SignatureException if any profile check fails
 */
protected void validateSignatureImpl(SignatureImpl sigImpl) throws SignatureException {
    final XMLSignature apacheSig = sigImpl.getXMLSignature();
    if (apacheSig == null) {
        log.error("SignatureImpl did not contain the an Apache XMLSignature child");
        throw new SignatureException("Apache XMLSignature does not exist on SignatureImpl");
    }

    final Object parent = sigImpl.getParent();
    if (!(parent instanceof SignableSAMLObject)) {
        // Log text (including its spelling) is emitted at runtime and kept verbatim.
        log.error("Signature is not an immedidate child of a SignableSAMLObject");
        throw new SignatureException("Signature is not an immediate child of a SignableSAMLObject.");
    }
    final SignableSAMLObject signableObject = (SignableSAMLObject) parent;

    // Reference first: the URI and Transforms checks both operate on it.
    final Reference ref = validateReference(apacheSig);
    validateReferenceURI(ref.getURI(), signableObject);
    validateTransforms(ref);
    validateObjectChildren(apacheSig);
}