Class SAMLSignatureProfileValidator

java.lang.Object
org.opensaml.saml.security.impl.SAMLSignatureProfileValidator
All Implemented Interfaces:
SignaturePrevalidator

public class SAMLSignatureProfileValidator
extends Object
implements SignaturePrevalidator
A validator for instances of Signature, which validates that the signature meets security-related requirements indicated by the SAML profile of XML Signature.
  • Field Details

    • log

      private final org.slf4j.Logger log
      Class logger.
  • Constructor Details

    • SAMLSignatureProfileValidator

      public SAMLSignatureProfileValidator()
  • Method Details

    • validate

      public void validate​(@Nonnull Signature signature) throws SignatureException
      Validate the signature according to the requirements represented by the validator.
      Specified by:
      validate in interface SignaturePrevalidator
      Parameters:
      signature - the signature to evaluate
      Throws:
      SignatureException - if the signature does not meet the validator's requirements
    • validateSignatureImpl

      protected void validateSignatureImpl​(SignatureImpl sigImpl) throws SignatureException
      Validate an instance of SignatureImpl, which is in turn based on underlying Apache XML Security XMLSignature instance.
      Parameters:
      sigImpl - the signature implementation object to validate
      Throws:
      SignatureException - thrown if the signature is not valid with respect to the profile
    • validateReference

      protected org.apache.xml.security.signature.Reference validateReference​(org.apache.xml.security.signature.XMLSignature apacheSig) throws SignatureException
      Validate the Signature's SignedInfo Reference. The SignedInfo must contain exactly 1 Reference.
      Parameters:
      apacheSig - the Apache XML Signature instance
      Returns:
      the valid Reference contained within the SignedInfo
      Throws:
      SignatureException - thrown if the Signature does not contain exactly 1 Reference, or if there is an error obtaining the Reference instance
    • validateReferenceURI

      protected void validateReferenceURI​(String uri, SignableSAMLObject signableObject) throws SignatureException
      Validate the Signature's Reference URI. First validate the Reference URI against the parent's ID itself. Then validate that the URI (if non-empty) resolves to the same Element node as is cached by the SignableSAMLObject.
      Parameters:
      uri - the Signature Reference URI attribute value
      signableObject - the SignableSAMLObject whose signature is being validated
      Throws:
      SignatureException - if the URI is invalid or doesn't resolve to the expected DOM node
    • validateReferenceURI

      protected void validateReferenceURI​(String uri, String id) throws SignatureException
      Validate the Reference URI and parent ID attribute values. The URI must either be null or empty (indicating that the entire enclosing document was signed), or else it must be a local document fragment reference and point to the SAMLObject parent via the latter's ID attribute value.
      Parameters:
      uri - the Signature Reference URI attribute value
      id - the Signature parents ID attribute value
      Throws:
      SignatureException - thrown if the URI or ID attribute values are invalid
    • validateTransforms

      protected void validateTransforms​(org.apache.xml.security.signature.Reference reference) throws SignatureException
      Validate the transforms included in the Signature Reference. The Reference may contain at most 2 transforms. One of them must be the Enveloped signature transform. An Exclusive Canonicalization transform (with or without comments) may also be present. No other transforms are allowed.
      Parameters:
      reference - the Signature reference containing the transforms to evaluate
      Throws:
      SignatureException - thrown if the set of transforms is invalid
    • validateObjectChildren

      protected void validateObjectChildren​(org.apache.xml.security.signature.XMLSignature apacheSig) throws SignatureException
      Validate that the Signature instance does not contain any ds:Object children.
      Parameters:
      apacheSig - the Apache XML Signature instance
      Throws:
      SignatureException - if the signature contains ds:Object children