org.apache.xml.security.keys.KeyInfo Java Examples
The following examples show how to use
org.apache.xml.security.keys.KeyInfo.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
| Source File: XmlSignatureBuilder.java From freehealth-connector with GNU Affero General Public License v3.0 | 6 votes |
|
private void verifyXmlDsigSignature(SignatureVerificationResult result, Element sigElement, Document signedContent, Map<String, Object> options) {
try {
String uri = IdGeneratorFactory.getIdGenerator("uuid").generateId();
XMLSignature xmlSignature = new XMLSignature(sigElement, uri);
Boolean followNestedManifest = (Boolean)SignatureUtils.getOption("followNestedManifest", options, Boolean.FALSE);
xmlSignature.setFollowNestedManifests(followNestedManifest);
xmlSignature.addResourceResolver(new DocumentResolver(signedContent));
KeyInfo keyInfo = xmlSignature.getKeyInfo();
keyInfo.setSecureValidation(false);
Extractor extractor = new X509DataExctractor();
result.getCertChain().addAll(extractor.extract(keyInfo));
X509Certificate signingCert = this.extractEndCertificate(result.getCertChain());
result.setSigningCert(signingCert);
if (!xmlSignature.checkSignatureValue(signingCert)) {
result.getErrors().add(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
}
} catch (Exception var11) {
LOG.error("Unable to verify XmlDsig Signature", var11);
result.getErrors().add(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
}
}
Example #2
| Source File: XmlSignatureBuilder.java From freehealth-connector with GNU Affero General Public License v3.0 | 6 votes |
|
private void verifyXmlDsigSignature(SignatureVerificationResult result, Element sigElement, Document signedContent, Map<String, Object> options) {
try {
String uri = IdGeneratorFactory.getIdGenerator("uuid").generateId();
XMLSignature xmlSignature = new XMLSignature(sigElement, uri);
Boolean followNestedManifest = (Boolean)SignatureUtils.getOption("followNestedManifest", options, Boolean.FALSE);
xmlSignature.setFollowNestedManifests(followNestedManifest);
xmlSignature.addResourceResolver(new DocumentResolver(signedContent));
KeyInfo keyInfo = xmlSignature.getKeyInfo();
keyInfo.setSecureValidation(false);
Extractor extractor = new X509DataExctractor();
result.getCertChain().addAll(extractor.extract(keyInfo));
X509Certificate signingCert = this.extractEndCertificate(result.getCertChain());
result.setSigningCert(signingCert);
if (!xmlSignature.checkSignatureValue(signingCert)) {
result.getErrors().add(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
}
} catch (Exception var11) {
LOG.error("Unable to verify XmlDsig Signature", var11);
result.getErrors().add(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
}
}
Example #3
| Source File: XmlSignatureBuilder.java From freehealth-connector with GNU Affero General Public License v3.0 | 6 votes |
|
private void verifyXmlDsigSignature(SignatureVerificationResult result, Element sigElement, Document signedContent, Map<String, Object> options) {
try {
String uri = IdGeneratorFactory.getIdGenerator("uuid").generateId();
XMLSignature xmlSignature = new XMLSignature(sigElement, uri);
Boolean followNestedManifest = (Boolean)SignatureUtils.getOption("followNestedManifest", options, Boolean.FALSE);
xmlSignature.setFollowNestedManifests(followNestedManifest.booleanValue());
xmlSignature.addResourceResolver(new DocumentResolver(signedContent));
KeyInfo keyInfo = xmlSignature.getKeyInfo();
keyInfo.setSecureValidation(false);
Extractor extractor = new X509DataExctractor();
result.getCertChain().addAll(extractor.extract(keyInfo));
X509Certificate signingCert = this.extractEndCertificate(result.getCertChain());
result.setSigningCert(signingCert);
if (!xmlSignature.checkSignatureValue(signingCert)) {
result.getErrors().add(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
}
} catch (Exception var11) {
LOG.error("Unable to verify XmlDsig Signature", var11);
result.getErrors().add(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
}
}
Example #4
| Source File: XmlSignatureBuilder.java From freehealth-connector with GNU Affero General Public License v3.0 | 6 votes |
|
private void verifyXmlDsigSignature(SignatureVerificationResult result, Element sigElement, Document signedContent, Map<String, Object> options) {
try {
String uri = IdGeneratorFactory.getIdGenerator("uuid").generateId();
XMLSignature xmlSignature = new XMLSignature(sigElement, uri);
Boolean followNestedManifest = (Boolean)SignatureUtils.getOption("followNestedManifest", options, Boolean.FALSE);
xmlSignature.setFollowNestedManifests(followNestedManifest);
xmlSignature.addResourceResolver(new DocumentResolver(signedContent));
KeyInfo keyInfo = xmlSignature.getKeyInfo();
keyInfo.setSecureValidation(false);
Extractor extractor = new X509DataExctractor();
result.getCertChain().addAll(extractor.extract(keyInfo));
X509Certificate signingCert = this.extractEndCertificate(result.getCertChain());
result.setSigningCert(signingCert);
if (!xmlSignature.checkSignatureValue(signingCert)) {
result.getErrors().add(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
}
} catch (Exception var11) {
LOG.error("Unable to verify XmlDsig Signature", var11);
result.getErrors().add(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
}
}
Example #5
| Source File: XmlSignatureBuilder.java From freehealth-connector with GNU Affero General Public License v3.0 | 6 votes |
|
private void verifyXmlDsigSignature(SignatureVerificationResult result, Element sigElement, Document signedContent, Map<String, Object> options) {
try {
String uri = IdGeneratorFactory.getIdGenerator("uuid").generateId();
XMLSignature xmlSignature = new XMLSignature(sigElement, uri);
Boolean followNestedManifest = (Boolean)SignatureUtils.getOption("followNestedManifest", options, Boolean.FALSE);
xmlSignature.setFollowNestedManifests(followNestedManifest);
xmlSignature.addResourceResolver(new DocumentResolver(signedContent));
KeyInfo keyInfo = xmlSignature.getKeyInfo();
keyInfo.setSecureValidation(false);
Extractor extractor = new X509DataExctractor();
result.getCertChain().addAll(extractor.extract(keyInfo));
X509Certificate signingCert = this.extractEndCertificate(result.getCertChain());
result.setSigningCert(signingCert);
if (!xmlSignature.checkSignatureValue(signingCert)) {
result.getErrors().add(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
}
} catch (Exception var11) {
LOG.error("Unable to verify XmlDsig Signature", var11);
result.getErrors().add(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
}
}
Example #6
| Source File: IdpTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
@Test
public void testIdPMetadataDefault() throws Exception {
String url = "https://localhost:" + getIdpHttpsPort()
+ "/fediz-idp/metadata";
final WebClient webClient = new WebClient();
webClient.getOptions().setUseInsecureSSL(true);
webClient.getOptions().setSSLClientCertificate(
this.getClass().getClassLoader().getResource("client.jks"), "storepass", "jks");
final XmlPage rpPage = webClient.getPage(url);
final String xmlContent = rpPage.asXml();
Assert.assertTrue(xmlContent.startsWith("<md:EntityDescriptor"));
// Now validate the Signature
Document doc = rpPage.getXmlDocument();
doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
Node signatureNode =
DOMUtils.getChild(doc.getDocumentElement(), "Signature");
Assert.assertNotNull(signatureNode);
XMLSignature signature = new XMLSignature((Element)signatureNode, "");
KeyInfo ki = signature.getKeyInfo();
Assert.assertNotNull(ki);
Assert.assertNotNull(ki.getX509Certificate());
Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
webClient.close();
}
Example #7
| Source File: IdpTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
@Test
public void testIdPServiceMetadata() throws Exception {
String url = "https://localhost:" + getIdpHttpsPort()
+ "/fediz-idp/metadata/urn:org:apache:cxf:fediz:idp:realm-B";
final WebClient webClient = new WebClient();
webClient.getOptions().setUseInsecureSSL(true);
webClient.getOptions().setSSLClientCertificate(
this.getClass().getClassLoader().getResource("client.jks"), "storepass", "jks");
final XmlPage rpPage = webClient.getPage(url);
final String xmlContent = rpPage.asXml();
Assert.assertTrue(xmlContent.startsWith("<md:EntityDescriptor"));
// Now validate the Signature
Document doc = rpPage.getXmlDocument();
doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
Node signatureNode =
DOMUtils.getChild(doc.getDocumentElement(), "Signature");
Assert.assertNotNull(signatureNode);
XMLSignature signature = new XMLSignature((Element)signatureNode, "");
KeyInfo ki = signature.getKeyInfo();
Assert.assertNotNull(ki);
Assert.assertNotNull(ki.getX509Certificate());
Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
webClient.close();
}
Example #8
| Source File: IdpTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
@Test
public void testIdPMetadata() throws Exception {
String url = "https://localhost:" + getIdpHttpsPort()
+ "/fediz-idp/FederationMetadata/2007-06/FederationMetadata.xml";
final WebClient webClient = new WebClient();
webClient.getOptions().setUseInsecureSSL(true);
webClient.getOptions().setSSLClientCertificate(
this.getClass().getClassLoader().getResource("client.jks"), "storepass", "jks");
final XmlPage rpPage = webClient.getPage(url);
final String xmlContent = rpPage.asXml();
Assert.assertTrue(xmlContent.startsWith("<md:EntityDescriptor"));
// Now validate the Signature
Document doc = rpPage.getXmlDocument();
doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
Node signatureNode =
DOMUtils.getChild(doc.getDocumentElement(), "Signature");
Assert.assertNotNull(signatureNode);
XMLSignature signature = new XMLSignature((Element)signatureNode, "");
KeyInfo ki = signature.getKeyInfo();
Assert.assertNotNull(ki);
Assert.assertNotNull(ki.getX509Certificate());
Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
webClient.close();
}
Example #9
| Source File: DSSXMLUtils.java From dss with GNU Lesser General Public License v2.1 | 5 votes |
|
/**
* Extracts signing certificate's public key from KeyInfo element of a given signature if present
* NOTE: can return null (the value is optional)
*
* @param signatureElement {@link Element} representing a signature to get KeyInfo signing certificate for
* @return {@link PublicKey} of the signature extracted from KeyInfo element if present
*/
public static PublicKey getKeyInfoSigningCertificatePublicKey(final Element signatureElement) {
Element keyInfoElement = DomUtils.getElement(signatureElement, XMLDSigPaths.KEY_INFO_PATH);
if (keyInfoElement != null) {
try {
KeyInfo keyInfo = new KeyInfo(keyInfoElement, "");
return keyInfo.getPublicKey();
} catch (XMLSecurityException e) {
LOG.warn("Unable to extract signing certificate's public key. Reason : {}", e.getMessage(), e);
}
}
LOG.warn("Unable to extract the public key. Reason : KeyInfo element is null");
return null;
}
Example #10
| Source File: ForkedExtractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public List<X509Certificate> extract(KeyInfo keyinfo) throws XMLSecurityException {
Extractor[] arr$ = this.extractors;
int len$ = arr$.length;
for(int i$ = 0; i$ < len$; ++i$) {
Extractor extractor = arr$[i$];
if (extractor.canExtract(keyinfo)) {
return extractor.extract(keyinfo);
}
}
return new ArrayList();
}
Example #11
| Source File: X509DataExctractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public List<X509Certificate> extract(KeyInfo keyInfo) throws XMLSecurityException {
List<X509Certificate> result = new ArrayList();
for(int i = 0; i < keyInfo.lengthX509Data(); ++i) {
X509Data data = keyInfo.itemX509Data(i);
for(int j = 0; j < data.lengthCertificate(); ++j) {
result.add(data.itemCertificate(j).getX509Certificate());
}
}
return result;
}
Example #12
| Source File: ForkedExtractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public List<X509Certificate> extract(KeyInfo keyinfo) throws XMLSecurityException {
Extractor[] arr$ = this.extractors;
int len$ = arr$.length;
for(int i$ = 0; i$ < len$; ++i$) {
Extractor extractor = arr$[i$];
if (extractor.canExtract(keyinfo)) {
return extractor.extract(keyinfo);
}
}
return new ArrayList();
}
Example #13
| Source File: ForkedExtractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public boolean canExtract(KeyInfo keyinfo) {
Extractor[] arr$ = this.extractors;
int len$ = arr$.length;
for(int i$ = 0; i$ < len$; ++i$) {
Extractor extractor = arr$[i$];
if (extractor.canExtract(keyinfo)) {
return true;
}
}
return false;
}
Example #14
| Source File: AbstractTests.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
@Test
public void testRPMetadata() throws Exception {
if (!isWSFederation()) {
return;
}
String url = "https://localhost:" + getRpHttpsPort()
+ "/" + getServletContextName() + "/FederationMetadata/2007-06/FederationMetadata.xml";
final WebClient webClient = new WebClient();
webClient.getOptions().setUseInsecureSSL(true);
webClient.getOptions().setSSLClientCertificate(
this.getClass().getClassLoader().getResource("client.jks"), "storepass", "jks");
final XmlPage rpPage = webClient.getPage(url);
final String xmlContent = rpPage.asXml();
Assert.assertTrue(xmlContent.startsWith("<md:EntityDescriptor"));
// Now validate the Signature
Document doc = rpPage.getXmlDocument();
doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
Node signatureNode =
DOMUtils.getChild(doc.getDocumentElement(), "Signature");
Assert.assertNotNull(signatureNode);
XMLSignature signature = new XMLSignature((Element)signatureNode, "");
KeyInfo ki = signature.getKeyInfo();
Assert.assertNotNull(ki);
Assert.assertNotNull(ki.getX509Certificate());
Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
webClient.close();
}
Example #15
| Source File: FederationMetaDataTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
@org.junit.Test
public void validateMetaDataWithAlias() throws ProcessingException, XMLSignatureException, XMLSecurityException {
FedizContext config = loadConfig("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
Document doc = wfProc.getMetaData(null, config);
Assert.assertNotNull(doc);
Node signatureNode = doc.getElementsByTagName("Signature").item(0);
Assert.assertNotNull(signatureNode);
doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
try {
DOMUtils.writeXml(doc, System.out);
} catch (TransformerException e) {
fail("Exception not expected: " + e.getMessage());
}
// Validate the signature
XMLSignature signature = new XMLSignature((Element)signatureNode, "");
KeyInfo ki = signature.getKeyInfo();
Assert.assertNotNull(ki);
Assert.assertNotNull(ki.getX509Certificate());
Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
}
Example #16
| Source File: X509DataExctractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public List<X509Certificate> extract(KeyInfo keyInfo) throws XMLSecurityException {
List<X509Certificate> result = new ArrayList();
for(int i = 0; i < keyInfo.lengthX509Data(); ++i) {
X509Data data = keyInfo.itemX509Data(i);
for(int j = 0; j < data.lengthCertificate(); ++j) {
result.add(data.itemCertificate(j).getX509Certificate());
}
}
return result;
}
Example #17
| Source File: ForkedExtractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public boolean canExtract(KeyInfo keyinfo) {
Extractor[] arr$ = this.extractors;
int len$ = arr$.length;
for(int i$ = 0; i$ < len$; ++i$) {
Extractor extractor = arr$[i$];
if (extractor.canExtract(keyinfo)) {
return true;
}
}
return false;
}
Example #18
| Source File: ForkedExtractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public boolean canExtract(KeyInfo keyinfo) {
Extractor[] arr$ = this.extractors;
int len$ = arr$.length;
for(int i$ = 0; i$ < len$; ++i$) {
Extractor extractor = arr$[i$];
if (extractor.canExtract(keyinfo)) {
return true;
}
}
return false;
}
Example #19
| Source File: SAMLMetaDataTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
@org.junit.Test
public void validateMetaDataWithAlias() throws ProcessingException, XMLSignatureException, XMLSecurityException {
FedizContext config = loadConfig("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL)).times(2);
EasyMock.expect(req.getContextPath()).andReturn(CONTEXT_PATH).times(2);
EasyMock.replay(req);
Document doc = wfProc.getMetaData(req, config);
Assert.assertNotNull(doc);
Node signatureNode = doc.getElementsByTagName("Signature").item(0);
Assert.assertNotNull(signatureNode);
doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
try {
DOMUtils.writeXml(doc, System.out);
} catch (TransformerException e) {
fail("Exception not expected: " + e.getMessage());
}
// Validate the signature
XMLSignature signature = new XMLSignature((Element)signatureNode, "");
KeyInfo ki = signature.getKeyInfo();
Assert.assertNotNull(ki);
Assert.assertNotNull(ki.getX509Certificate());
Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
}
Example #20
| Source File: X509DataExctractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public List<X509Certificate> extract(KeyInfo keyInfo) throws XMLSecurityException {
List<X509Certificate> result = new ArrayList();
for(int i = 0; i < keyInfo.lengthX509Data(); ++i) {
X509Data data = keyInfo.itemX509Data(i);
for(int j = 0; j < data.lengthCertificate(); ++j) {
result.add(data.itemCertificate(j).getX509Certificate());
}
}
return result;
}
Example #21
| Source File: ForkedExtractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public List<X509Certificate> extract(KeyInfo keyinfo) throws XMLSecurityException {
Extractor[] arr$ = this.extractors;
int len$ = arr$.length;
for(int i$ = 0; i$ < len$; ++i$) {
Extractor extractor = arr$[i$];
if (extractor.canExtract(keyinfo)) {
return extractor.extract(keyinfo);
}
}
return new ArrayList();
}
Example #22
| Source File: X509DataExctractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public List<X509Certificate> extract(KeyInfo keyInfo) throws XMLSecurityException {
List<X509Certificate> result = new ArrayList();
for(int i = 0; i < keyInfo.lengthX509Data(); ++i) {
X509Data data = keyInfo.itemX509Data(i);
for(int j = 0; j < data.lengthCertificate(); ++j) {
result.add(data.itemCertificate(j).getX509Certificate());
}
}
return result;
}
Example #23
| Source File: ForkedExtractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public boolean canExtract(KeyInfo keyinfo) {
Extractor[] arr$ = this.extractors;
int len$ = arr$.length;
for(int i$ = 0; i$ < len$; ++i$) {
Extractor extractor = arr$[i$];
if (extractor.canExtract(keyinfo)) {
return true;
}
}
return false;
}
Example #24
| Source File: ForkedExtractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public List<X509Certificate> extract(KeyInfo keyinfo) throws XMLSecurityException {
Extractor[] arr$ = this.extractors;
int len$ = arr$.length;
for(int i$ = 0; i$ < len$; ++i$) {
Extractor extractor = arr$[i$];
if (extractor.canExtract(keyinfo)) {
return extractor.extract(keyinfo);
}
}
return new ArrayList();
}
Example #25
| Source File: ForkedExtractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public List<X509Certificate> extract(KeyInfo keyinfo) throws XMLSecurityException {
Extractor[] arr$ = this.extractors;
int len$ = arr$.length;
for(int i$ = 0; i$ < len$; ++i$) {
Extractor extractor = arr$[i$];
if (extractor.canExtract(keyinfo)) {
return extractor.extract(keyinfo);
}
}
return new ArrayList();
}
Example #26
| Source File: ForkedExtractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public boolean canExtract(KeyInfo keyinfo) {
Extractor[] arr$ = this.extractors;
int len$ = arr$.length;
for(int i$ = 0; i$ < len$; ++i$) {
Extractor extractor = arr$[i$];
if (extractor.canExtract(keyinfo)) {
return true;
}
}
return false;
}
Example #27
| Source File: X509DataExctractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
|
public List<X509Certificate> extract(KeyInfo keyInfo) throws XMLSecurityException {
List<X509Certificate> result = new ArrayList();
for(int i = 0; i < keyInfo.lengthX509Data(); ++i) {
X509Data data = keyInfo.itemX509Data(i);
for(int j = 0; j < data.lengthCertificate(); ++j) {
result.add(data.itemCertificate(j).getX509Certificate());
}
}
return result;
}
Example #28
| Source File: X509DataExctractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 4 votes |
|
public boolean canExtract(KeyInfo keyinfo) {
return keyinfo.containsX509Data();
}
Example #29
| Source File: X509DataExctractor.java From freehealth-connector with GNU Affero General Public License v3.0 | 4 votes |
|
public boolean canExtract(KeyInfo keyinfo) {
return keyinfo.containsX509Data();
}
Example #30
| Source File: KeyInfoProcessor.java From xades4j with GNU Lesser General Public License v3.0 | 4 votes |
|
static KeyInfoRes process(
KeyInfo keyInfo, CertRef signingCertRef, X500NameStyleProvider x500NameStyleProvider) throws CertificateValidationException
{
if (null == keyInfo || !keyInfo.containsX509Data())
{
return tryUseSigningCertificateReference(signingCertRef, x500NameStyleProvider);
}
List<X509Certificate> keyInfoCerts = new ArrayList<X509Certificate>(1);
XMLX509IssuerSerial issuerSerial = null;
X509CertSelector certSelector = new X509CertSelector();
// XML-DSIG 4.4.4: "Any X509IssuerSerial, X509SKI, and X509SubjectName elements
// that appear MUST refer to the certificate or certificates containing the
// validation key."
// "All certificates appearing in an X509Data element MUST relate to the
// validation key by either containing it or being part of a certification
// chain that terminates in a certificate containing the validation key".
// Scan ds:X509Data to find ds:IssuerSerial or ds:SubjectName elements. The
// first to be found is used to select the leaf certificate. If none of those
// elements is present, the first ds:X509Certificate is assumed as the signing
// certificate.
boolean hasSelectionCriteria = false;
try
{
for (int i = 0; i < keyInfo.lengthX509Data(); ++i)
{
X509Data x509Data = keyInfo.itemX509Data(i);
if (!hasSelectionCriteria)
{
if (x509Data.containsIssuerSerial())
{
issuerSerial = x509Data.itemIssuerSerial(0);
certSelector.setIssuer(x500NameStyleProvider.fromString(issuerSerial.getIssuerName()));
certSelector.setSerialNumber(issuerSerial.getSerialNumber());
hasSelectionCriteria = true;
}
else if (x509Data.containsSubjectName())
{
certSelector.setSubject(x500NameStyleProvider.fromString(x509Data.itemSubjectName(0).getSubjectName()));
hasSelectionCriteria = true;
}
}
// Collect all certificates as they may be needed to build the cert path.
if (x509Data.containsCertificate())
{
for (int j = 0; j < x509Data.lengthCertificate(); ++j)
{
keyInfoCerts.add(x509Data.itemCertificate(j).getX509Certificate());
}
}
}
if (!hasSelectionCriteria)
{
if (keyInfoCerts.isEmpty())
{
return tryUseSigningCertificateReference(signingCertRef, x500NameStyleProvider);
}
certSelector.setCertificate(keyInfoCerts.get(0));
}
}
catch (XMLSecurityException ex)
{
throw new InvalidKeyInfoDataException("Cannot process X509Data", ex);
}
return new KeyInfoRes(certSelector, keyInfoCerts, issuerSerial);
}
