org.apache.juddi.v3.client.cryptor

Class DigSigUtil

java.lang.Object

org.apache.juddi.v3.client.cryptor.DigSigUtil

public class DigSigUtil
extends Object

A utility class for signing and verifying JAXB Objects, such as UDDI entities. Notes: This class only supports elements that are signed once. Multiple signature are not currently supported.

Author:

Alex O'Ree

Field Summary

Fields

Modifier and Type	Field and Description
static String	CANONICALIZATIONMETHOD default is CanonicalizationMethod.EXCLUSIVE http://www.w3.org/2001/10/xml-exc-c14n#
static String	CHECK_REVOCATION_STATUS_CRL
static String	CHECK_REVOCATION_STATUS_OCSP
static String	CHECK_TIMESTAMPS When validating a signature, include this field will validate that the signature is still valid with regards to timestamps NotBefore and OnOrAfter Example
static String	CHECK_TRUST_CHAIN
static String	SIGNATURE_KEYSTORE_FILE This is the location of the keystore If referencing a Windows certificate store, use WINDOWS-MY as a value with a null password
static String	SIGNATURE_KEYSTORE_FILE_PASSWORD
static String	SIGNATURE_KEYSTORE_FILE_PASSWORD_CIPHER
static String	SIGNATURE_KEYSTORE_FILE_PASSWORD_PROVIDER
static String	SIGNATURE_KEYSTORE_FILE_PASSWORD_WASENC
static String	SIGNATURE_KEYSTORE_FILETYPE The type of file, such as JKS for most Java applications, or WINDOWS-MY to use the Windows certificate store of the current user or KeychainStore for MacOS
static String	SIGNATURE_KEYSTORE_KEY_ALIAS
static String	SIGNATURE_KEYSTORE_KEY_PASSWORD
static String	SIGNATURE_KEYSTORE_KEY_PASSWORD_CIPHER
static String	SIGNATURE_KEYSTORE_KEY_PASSWORD_PROVIDER
static String	SIGNATURE_KEYSTORE_KEY_PASSWORD_WAS_ENC
static String	SIGNATURE_METHOD default is http://www.w3.org/2000/09/xmldsig#rsa-sha1
static String	SIGNATURE_OPTION_CERT_INCLUSION_BASE64 Defines whether or not a certificate is included with the signature Values - Include whole X509 Public Key in the signature (recommended) (default) * Example
static String	SIGNATURE_OPTION_CERT_INCLUSION_SERIAL Include the signer's serial of the public key and the issuer's subject name Clients will not be able to validate the signature unless they have a copy of the signer's public key in a trust store or the full certificate is included out of band Example
static String	SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN Include the signer's Subject DN of the public key.
static String	SIGNATURE_OPTION_DIGEST_METHOD Default value DigestMethod.SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
static String	TRUSTSTORE_FILE trust loaded as follows system property via file programmatically specified map via file programmatically specified map thread classloader lookup programmatically specified map this class's classloader lookup windows trust store JDK provided trust store
static String	TRUSTSTORE_FILE_PASSWORD trust loaded as follows system property via file programmatically specified map via file programmatically specified map thread classloader lookup programmatically specified map this class's classloader lookup windows trust store JDK provided trust store
static String	TRUSTSTORE_FILE_PASSWORD_CIPHER
static String	TRUSTSTORE_FILE_PASSWORD_PROVIDER
static String	TRUSTSTORE_FILE_PASSWORD_WASENC
static String	TRUSTSTORE_FILETYPE trust loaded as follows system property via file programmatically specified map via file programmatically specified map thread classloader lookup programmatically specified map this class's classloader lookup windows trust store JDK provided trust store
static String	XML_DIGSIG_NS This is the namespace of the digital signature.

Constructor Summary

Constructors

Constructor and Description
DigSigUtil() Creates a new instance of the digital signature utility with no configuration options set.
DigSigUtil(Properties config) Expects a properties object containing the desired configuration

Method Summary

Modifier and Type	Method and Description
static sun.security.provider.certpath.OCSP.RevocationStatus	check(X509Certificate cert, X509Certificate issuerCert) wrapper to overcome JDK differences between oracle vs openjdk
void	clear() clears the configuration for reuse
X509Certificate	getSigningCertificatePublicKey(Object obj) returns the public key of the signing certificate used for a signed JAXB object.
static void	JAXB_ToStdOut(Object obj) Serializes a JAXB object and prints to stdout
static String	JAXB_ToString(Object obj) Serializes a JAXB object and prints to stdout
void	put(String key, String value)
<T> T	signUddiEntity(T jaxbObj) Digital signs a UDDI entity, such as a business, service, tmodel or binding template using the map to provide certificate key stores and credentials The UDDI entity MUST support XML Digital Signatures (tModel, Business, Service, Binding Template)
<T> T	signUddiEntity(T jaxbObj, Certificate publicKey, PrivateKey privateKey) Digitally signs a UDDI entity, such as a business, service, tmodel or binding template, provided you've already done the legwork to provide the signing keys The UDDI entity MUST support XML Digital Signatures (tModel, Business, Service, Binding Template)
boolean	verifySignedUddiEntity(Object obj, AtomicReference<String> OutErrorMessage) Verifies the signature on an enveloped digital signature on a UDDI entity, such as a business, service, tmodel or binding template.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SIGNATURE_KEYSTORE_KEY_PASSWORD_PROVIDER

public static final String SIGNATURE_KEYSTORE_KEY_PASSWORD_PROVIDER

See Also:

Constant Field Values

SIGNATURE_KEYSTORE_KEY_PASSWORD_WAS_ENC

public static final String SIGNATURE_KEYSTORE_KEY_PASSWORD_WAS_ENC

See Also:

Constant Field Values

SIGNATURE_KEYSTORE_KEY_PASSWORD_CIPHER

public static final String SIGNATURE_KEYSTORE_KEY_PASSWORD_CIPHER

See Also:

Constant Field Values

SIGNATURE_KEYSTORE_FILE_PASSWORD_WASENC

public static final String SIGNATURE_KEYSTORE_FILE_PASSWORD_WASENC

See Also:

Constant Field Values

SIGNATURE_KEYSTORE_FILE_PASSWORD_PROVIDER

public static final String SIGNATURE_KEYSTORE_FILE_PASSWORD_PROVIDER

See Also:

Constant Field Values

TRUSTSTORE_FILE_PASSWORD_WASENC

public static final String TRUSTSTORE_FILE_PASSWORD_WASENC

See Also:

Constant Field Values

TRUSTSTORE_FILE_PASSWORD_PROVIDER

public static final String TRUSTSTORE_FILE_PASSWORD_PROVIDER

See Also:

Constant Field Values

SIGNATURE_KEYSTORE_FILE_PASSWORD_CIPHER

public static final String SIGNATURE_KEYSTORE_FILE_PASSWORD_CIPHER

See Also:

Constant Field Values

TRUSTSTORE_FILE_PASSWORD_CIPHER

public static final String TRUSTSTORE_FILE_PASSWORD_CIPHER

See Also:

Constant Field Values

SIGNATURE_KEYSTORE_FILE

public static final String SIGNATURE_KEYSTORE_FILE

This is the location of the keystore If referencing a Windows certificate store, use WINDOWS-MY as a value with a null password

See Also:

Constant Field Values

SIGNATURE_KEYSTORE_FILETYPE

public static final String SIGNATURE_KEYSTORE_FILETYPE

The type of file, such as JKS for most Java applications, or WINDOWS-MY to use the Windows certificate store of the current user or KeychainStore for MacOS

See Also:

Constant Field Values

SIGNATURE_KEYSTORE_FILE_PASSWORD

public static final String SIGNATURE_KEYSTORE_FILE_PASSWORD

See Also:

Constant Field Values

SIGNATURE_KEYSTORE_KEY_PASSWORD

public static final String SIGNATURE_KEYSTORE_KEY_PASSWORD

See Also:

Constant Field Values

SIGNATURE_KEYSTORE_KEY_ALIAS

public static final String SIGNATURE_KEYSTORE_KEY_ALIAS

See Also:

Constant Field Values

TRUSTSTORE_FILE

public static final String TRUSTSTORE_FILE

trust loaded as follows system property via file programmatically specified map via file programmatically specified map thread classloader lookup programmatically specified map this class's classloader lookup windows trust store JDK provided trust store

See Also:

Constant Field Values

TRUSTSTORE_FILETYPE

public static final String TRUSTSTORE_FILETYPE

trust loaded as follows system property via file programmatically specified map via file programmatically specified map thread classloader lookup programmatically specified map this class's classloader lookup windows trust store JDK provided trust store

See Also:

Constant Field Values

TRUSTSTORE_FILE_PASSWORD

public static final String TRUSTSTORE_FILE_PASSWORD

trust loaded as follows system property via file programmatically specified map via file programmatically specified map thread classloader lookup programmatically specified map this class's classloader lookup windows trust store JDK provided trust store

See Also:

Constant Field Values

CANONICALIZATIONMETHOD

public static final String CANONICALIZATIONMETHOD

default is CanonicalizationMethod.EXCLUSIVE http://www.w3.org/2001/10/xml-exc-c14n#

See Also:

CanonicalizationMethod, Constant Field Values

SIGNATURE_METHOD

public static final String SIGNATURE_METHOD

default is http://www.w3.org/2000/09/xmldsig#rsa-sha1

See Also:

SignatureMethod, Constant Field Values

SIGNATURE_OPTION_CERT_INCLUSION_BASE64

public static final String SIGNATURE_OPTION_CERT_INCLUSION_BASE64

Defines whether or not a certificate is included with the signature
Values - Include whole X509 Public Key in the signature (recommended) (default) * Example

 Map map = new HashMap();
 map.put(DigSigUtil.SIGNATURE_OPTION_CERT_INCLUSION_BASE64, "true");

any value can be used.

See Also:

Constant Field Values

SIGNATURE_OPTION_CERT_INCLUSION_SERIAL

public static final String SIGNATURE_OPTION_CERT_INCLUSION_SERIAL

Include the signer's serial of the public key and the issuer's subject name Clients will not be able to validate the signature unless they have a copy of the signer's public key in a trust store or the full certificate is included out of band Example

 Map map = new HashMap();
 map.put(DigSigUtil.SIGNATURE_OPTION_CERT_INCLUSION_SERIAL, "true");

any value can be used. see SIGNATURE_OPTION_CERT_INCLUSION_BASE64

See Also:

Constant Field Values

SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN

public static final String SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN

Include the signer's Subject DN of the public key. Clients will not be able to validate the signature unless they have a copy of the signer's public key in a trust store or the full certificate is included out of band Example

 Map map = new HashMap();
 map.put(DigSigUtil.SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN, "true");

any value can be used. see SIGNATURE_OPTION_CERT_INCLUSION_BASE64

See Also:

Constant Field Values

XML_DIGSIG_NS

public static final String XML_DIGSIG_NS

This is the namespace of the digital signature.

See Also:

Constant Field Values

SIGNATURE_OPTION_DIGEST_METHOD

public static final String SIGNATURE_OPTION_DIGEST_METHOD

Default value DigestMethod.SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

See Also:

DigestMethod, Constant Field Values

CHECK_TIMESTAMPS

public static final String CHECK_TIMESTAMPS

When validating a signature, include this field will validate that the signature is still valid with regards to timestamps NotBefore and OnOrAfter Example

 Map map = new HashMap();
 map.put(DigSigUtil.CHECK_TIMESTAMPS, true);

any value can be used.

See Also:

Constant Field Values

CHECK_REVOCATION_STATUS_OCSP

public static final String CHECK_REVOCATION_STATUS_OCSP

See Also:

Constant Field Values

CHECK_REVOCATION_STATUS_CRL

public static final String CHECK_REVOCATION_STATUS_CRL

See Also:

Constant Field Values

CHECK_TRUST_CHAIN

public static final String CHECK_TRUST_CHAIN

See Also:

Constant Field Values

Constructor Detail

DigSigUtil

public DigSigUtil(Properties config)
           throws CertificateException

Expects a properties object containing the desired configuration

Parameters:

config -

Throws:

CertificateException

DigSigUtil

public DigSigUtil()
           throws CertificateException

Creates a new instance of the digital signature utility with no configuration options set.

Throws:

CertificateException

Method Detail

put

public void put(String key,
                String value)

clear

public void clear()

clears the configuration for reuse

signUddiEntity

public <T> T signUddiEntity(T jaxbObj)

Digital signs a UDDI entity, such as a business, service, tmodel or binding template using the map to provide certificate key stores and credentials

The UDDI entity MUST support XML Digital Signatures (tModel, Business, Service, Binding Template)

Type Parameters:

T - Any UDDI entity that supports digital signatures

Parameters:

jaxbObj -

Returns:

an enveloped signed UDDI element, do not modify this object after signing

signUddiEntity

public <T> T signUddiEntity(T jaxbObj,
                            Certificate publicKey,
                            PrivateKey privateKey)

Digitally signs a UDDI entity, such as a business, service, tmodel or binding template, provided you've already done the legwork to provide the signing keys

The UDDI entity MUST support XML Digital Signatures (tModel, Business, Service, Binding Template)

Type Parameters:

T -

Parameters:

jaxbObj -

publicKey -

privateKey -

Returns:

a signed entity

JAXB_ToStdOut

public static void JAXB_ToStdOut(Object obj)

Serializes a JAXB object and prints to stdout

Parameters:

obj -

JAXB_ToString

public static String JAXB_ToString(Object obj)

Serializes a JAXB object and prints to stdout

Parameters:

obj -

Returns:

serialized text

getSigningCertificatePublicKey

public X509Certificate getSigningCertificatePublicKey(Object obj)
                                               throws IllegalArgumentException,
                                                      CertificateException

returns the public key of the signing certificate used for a signed JAXB object.

Parameters:

obj -

Returns:

null if the item is not signed or if it references a certificate that is not present in the current keystore

Throws:

IllegalArgumentException - for null input

CertificateException

check

public static sun.security.provider.certpath.OCSP.RevocationStatus check(X509Certificate cert,
                                                                         X509Certificate issuerCert)
                                                                  throws IOException,
                                                                         CertPathValidatorException,
                                                                         CertificateException

wrapper to overcome JDK differences between oracle vs openjdk

Throws:

IOException

CertPathValidatorException

CertificateException

verifySignedUddiEntity

public boolean verifySignedUddiEntity(Object obj,
                                      AtomicReference<String> OutErrorMessage)
                               throws IllegalArgumentException

Verifies the signature on an enveloped digital signature on a UDDI entity, such as a business, service, tmodel or binding template.

It is expected that either the public key of the signing certificate is included within the signature keyinfo section OR that sufficient information is provided in the signature to reference a public key located within the Trust Store provided

Optionally, this function also validate the signing certificate using the options provided to the configuration map.

Parameters:

obj - an enveloped signed JAXB object

OutErrorMessage - a human readable error message explaining the reason for failure

Returns:

true if the validation passes the signature validation test, and optionally any certificate validation or trust chain validation

Throws:

IllegalArgumentException - for null input