/*
* eID Applet Project.
* Copyright (C) 2010 FedICT.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License version
* 3.0 as published by the Free Software Foundation.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, see
* http://www.gnu.org/licenses/.
*/
package be.fedict.eid.applet.service.signer.facets;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLObject;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.crypto.dsig.spec.XPathFilter2ParameterSpec;
import javax.xml.crypto.dsig.spec.XPathType;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import be.fedict.eid.applet.service.signer.DigestAlgo;
import be.fedict.eid.applet.service.signer.SignatureFacet;
/**
* Signature facet to create multiple independent signatures, a.k.a
* co-signatures.
*
* @author Frank Cornelis
*
*/
public class CoSignatureFacet implements SignatureFacet {
private final DigestAlgo digestAlgo;
private final String dsReferenceId;
/**
* Default constructor. Digest algorithm will be SHA-1.
*/
public CoSignatureFacet() {
this(DigestAlgo.SHA1);
}
/**
* Main constructor.
*
* @param digestAlgorithm
* the digest algorithm to be used within the ds:Reference
* element. Possible values: "SHA-1", "SHA-256, or "SHA-512".
*/
public CoSignatureFacet(DigestAlgo digestAlgorithm) {
this(digestAlgorithm, "");
}
/**
* Main constructor.
*
* @param digestAlgorithm
* the digest algorithm to be used within the ds:Reference
* element. Possible values: "SHA-1", "SHA-256, or "SHA-512".
* @param dsReferenceId
* the optional Id to be used on the ds:Reference element.
*/
public CoSignatureFacet(DigestAlgo digestAlgorithm, String dsReferenceId) {
this.digestAlgo = digestAlgorithm;
this.dsReferenceId = dsReferenceId;
}
public void preSign(XMLSignatureFactory signatureFactory, Document document, String signatureId,
List<X509Certificate> signingCertificateChain, List<Reference> references, List<XMLObject> objects)
throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
DigestMethod digestMethod = signatureFactory.newDigestMethod(this.digestAlgo.getXmlAlgoId(), null);
List<Transform> transforms = new LinkedList<Transform>();
Map<String, String> xpathNamespaceMap = new HashMap<String, String>();
xpathNamespaceMap.put("ds", "http://www.w3.org/2000/09/xmldsig#");
// XPath v1 - slow...
// Transform envelopedTransform = signatureFactory.newTransform(
// CanonicalizationMethod.XPATH, new XPathFilterParameterSpec(
// "not(ancestor-or-self::ds:Signature)",
// xpathNamespaceMap));
// XPath v2 - fast...
List<XPathType> types = new ArrayList<XPathType>(1);
types.add(new XPathType("/descendant::*[name()='ds:Signature']", XPathType.Filter.SUBTRACT, xpathNamespaceMap));
Transform envelopedTransform = signatureFactory.newTransform(CanonicalizationMethod.XPATH2,
new XPathFilter2ParameterSpec(types));
transforms.add(envelopedTransform);
Transform exclusiveTransform = signatureFactory.newTransform(CanonicalizationMethod.EXCLUSIVE,
(TransformParameterSpec) null);
transforms.add(exclusiveTransform);
Reference reference = signatureFactory.newReference("", digestMethod, transforms, null, this.dsReferenceId);
references.add(reference);
}
public void postSign(Element signatureElement, List<X509Certificate> signingCertificateChain) {
// empty
}
}