Author: scottbw
Date: Tue Mar  5 15:49:41 2013
New Revision: 1452862

URL: http://svn.apache.org/r1452862
Log:
Perform additional digital signature validation checks as required by the W3C spec

Modified:
    
wookie/trunk/src/org/apache/wookie/util/digitalsignature/DigitalSignatureProcessor.java

Modified: 
wookie/trunk/src/org/apache/wookie/util/digitalsignature/DigitalSignatureProcessor.java
URL: 
http://svn.apache.org/viewvc/wookie/trunk/src/org/apache/wookie/util/digitalsignature/DigitalSignatureProcessor.java?rev=1452862&r1=1452861&r2=1452862&view=diff
==============================================================================
--- 
wookie/trunk/src/org/apache/wookie/util/digitalsignature/DigitalSignatureProcessor.java
 (original)
+++ 
wookie/trunk/src/org/apache/wookie/util/digitalsignature/DigitalSignatureProcessor.java
 Tue Mar  5 15:49:41 2013
@@ -40,6 +40,7 @@ import org.apache.xml.security.keys.KeyI
 import org.apache.xml.security.signature.XMLSignature;
 import org.apache.xml.security.utils.Constants;
 import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
 
 /**
  * verify widgets using digital signatures
@@ -237,6 +238,54 @@ public class DigitalSignatureProcessor i
     XPath xpath = xpf.newXPath();
     xpath.setNamespaceContext(new DSNamespaceContext());
 
+    //
+    // Verify signature properties
+    //
+    String pattern = 
"//ds:Signature[1]/ds:Object[1]/ds:SignatureProperties[1]/ds:SignatureProperty/dsp:Profile";
+    Element profileElement = (Element) xpath.evaluate(pattern, doc, 
XPathConstants.NODE);
+    pattern = 
"//ds:Signature[1]/ds:Object[1]/ds:SignatureProperties[1]/ds:SignatureProperty/dsp:Role";
+    Element roleElement = (Element) xpath.evaluate(pattern, doc, 
XPathConstants.NODE);
+    pattern = 
"//ds:Signature[1]/ds:Object[1]/ds:SignatureProperties[1]/ds:SignatureProperty/dsp:Identifier";
+    Element identifierElement = (Element) xpath.evaluate(pattern, doc, 
XPathConstants.NODE);
+    
+    //
+    // Reject if there are more than one set of signature properties
+    //
+    pattern = "//ds:SignatureProperties";
+    NodeList nodes = (NodeList)xpath.evaluate(pattern, doc, 
XPathConstants.NODESET);
+    if (nodes.getLength() != 1){
+       _logger.debug("Incorrect number of signature properties elements");
+       return false;           
+    }
+    
+    //
+    // Reject if required properties are missing
+    //
+    if (profileElement == null || roleElement == null || identifierElement == 
null){
+       _logger.debug("Signature is missing a required property element");
+       return false;
+    }
+    
+    //
+    // Reject if incorrect URI for Role 
+    //
+    String uri = roleElement.getAttribute("URI");
+    if (role.equals("") && 
!uri.equals("http://www.w3.org/ns/widgets-digsig#role-distributor";)){
+       _logger.debug("Role does not match Role URI");
+       return false;
+    }
+    if (role.equals("author") && 
!uri.equals("http://www.w3.org/ns/widgets-digsig#role-author";)){
+       _logger.debug("Role does not match Role URI");
+       return false;
+    }
+    
+    //
+    // Reject if incorrect URI for Profile
+    //
+    if 
(!profileElement.getAttribute("URI").equals("http://www.w3.org/ns/widgets-digsig#profile";)){
+       _logger.debug("Profile URI is incorrect");
+       return false;
+    }
     String expression = "//ds:Signature[1]";
     Element sigElement = (Element) xpath.evaluate(expression, doc,
         XPathConstants.NODE);
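Review bot: The Profile, Role and Identifier values checked at the top of this hunk are read from `ds:Signature[1]/ds:Object[1]`, but nothing in the hunk confirms that this Object is covered by a `ds:Reference` of the signature (the widgets-digsig profile expects a reference to the properties object), so unless that coverage is verified in the part of the method that continues after `sigElement`, the properties are validated without being bound to the signature and could be altered without invalidating it. The Role URI check only fires when `role` is `""` or `"author"`; if `role` can take any other value the URI is accepted unchecked, so either a final `else { _logger.debug("Unknown signature role: " + role); return false; }` or a single expected-URI lookup keyed on `role` would make the intent explicit (this depends on the callers, which are outside the hunk). Each rejection is logged at `debug` only, while a rejected widget signature is an operator-relevant event; logging the failed check at `warn` would make rejections diagnosable without enabling debug output. The enclosing method starts and ends outside the hunk.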

