Class SweEID2DSSExtensionsMessageParser


  • public class SweEID2DSSExtensionsMessageParser
    extends DSS1CoreMessageParser
    MessageParser for generating DSS 1.0 messages with the Swedish eID 2.0 DSS Extensions defined by http://www.elegnamnden.se.

    This message parser extends the DSS1 Core Message Parser.

    Created by philip on 02/01/17.
    • Constructor Detail

      • SweEID2DSSExtensionsMessageParser

        public SweEID2DSSExtensionsMessageParser()
    • Method Detail

      • getDefaultSchemaLocations

        public java.lang.String[] getDefaultSchemaLocations()
                                                     throws org.xml.sax.SAXException
        Overrides:
        getDefaultSchemaLocations in class DSS1CoreMessageParser
        Returns:
        an array of schema locations used by the parser. The string value should point to resources available using getResourceAsStream()
        Throws:
        org.xml.sax.SAXException
      • lookupSchemaForElement

        protected java.lang.String lookupSchemaForElement​(java.lang.String type,
                                                          java.lang.String namespaceURI,
                                                          java.lang.String publicId,
                                                          java.lang.String systemId,
                                                          java.lang.String baseURI)
        Description copied from class: BaseSAMLMessageParser
        Method to find the Schema for a specific element among the custom schema locations. The implementation only needs to find its related XSD; the basic datatypes and XML itself are not needed.
        Overrides:
        lookupSchemaForElement in class DSS1CoreMessageParser
        Parameters:
        type - The type of the resource being resolved. For XML [XML 1.0] resources (i.e. entities), applications must use the value "http://www.w3.org/TR/REC-xml". For XML Schema [XML Schema Part 1], applications must use the value "http://www.w3.org/2001/XMLSchema". Other types of resources are outside the scope of this specification and therefore should recommend an absolute URI in order to use this method.
        namespaceURI - The namespace of the resource being resolved, e.g. the target namespace of the XML Schema [XML Schema Part 1] when resolving XML Schema resources.
        publicId - The public identifier of the external entity being referenced, or null if no public identifier was supplied or if the resource is not an entity.
        systemId - The system identifier, a URI reference [IETF RFC 2396], of the external resource being referenced, or null if no system identifier was supplied.
        baseURI - The absolute base URI of the resource being parsed, or null if there is no base URI.
        Returns:
        the resource as stream path to related schema XSD, or null if no matching found.
      • genSignRequest

        public byte[] genSignRequest​(ContextMessageSecurityProvider.Context context,
                                     java.lang.String requestID,
                                     java.lang.String profile,
                                     javax.xml.bind.JAXBElement<SignRequestExtensionType> signRequestExtension,
                                     javax.xml.bind.JAXBElement<SignTasksType> signTasks,
                                     boolean sign)
                              throws MessageProcessingException,
                                     MessageContentException
        Special method for generating a DSS 1.0 SignRequest with correct saml: prefix namespacing. This is needed because the DSS 1.0 specification uses SAML 1 while the Swedish eID Extensions use SAML 2.
        Parameters:
        context - message security related context. Use null if no signature should be used.
        requestID - This attribute is used to correlate requests with responses. When present in a request, the server MUST return it in the response. (Optional, use null to not set).
        profile - This attribute indicates a particular DSS profile. It may be used to select a profile if a server supports multiple profiles, or as a sanity-check to m
        signRequestExtension - the SignRequestExtension that will be added to OptionalInputs element.
        signTasks - the SignTasks element that will be added to the InputDocuments element.
        sign - if the message should be signed.
        Returns:
        a marshalled sign request.
        Throws:
        MessageProcessingException - if internal error occurred generating the message.
        MessageContentException - if bad message format was detected.
      • genSignResponse

        public byte[] genSignResponse​(ContextMessageSecurityProvider.Context context,
                                      java.lang.String requestID,
                                      java.lang.String profile,
                                      Result result,
                                      javax.xml.bind.JAXBElement<SignResponseExtensionType> signResponseExtension,
                                      javax.xml.bind.JAXBElement<SignTasksType> signTasks,
                                      boolean sign)
                               throws MessageProcessingException,
                                      MessageContentException
        Special method for generating a DSS 1.0 SignResponse with correct saml: prefix namespacing. This is needed because the DSS 1.0 specification uses SAML 1 while the Swedish eID Extensions use SAML 2.
        Parameters:
        context - message security related context. Use null if no signature should be used.
        requestID - This attribute is used to correlate requests with responses. When present in a request, the server MUST return it in the response. (Optional, use null to not set).
        profile - This attribute indicates a particular DSS profile. It may be used to select a profile if a server supports multiple profiles, or as a sanity-check to.
        result - the result to insert in the response
        signResponseExtension - the SignResponseExtension that will be added to the OptionalOutputs element of the response.
        signTasks - the SignTasks element that will be added to the SignatureObject (dss:Other) element of the response.
        sign - if the message should be signed.
        Returns:
        a marshalled sign response.
        Throws:
        MessageProcessingException - if internal error occurred generating the message.
        MessageContentException - if bad message format was detected.
      • genSignRequestExtension

        public javax.xml.bind.JAXBElement<SignRequestExtensionType> genSignRequestExtension​(java.lang.String version,
                                                                                            java.util.Date requestTime,
                                                                                            ConditionsType conditionsType,
                                                                                            AttributeStatementType signer,
                                                                                            java.lang.String identityProvider,
                                                                                            java.lang.String signRequester,
                                                                                            java.lang.String signService,
                                                                                            java.lang.String requestedSignatureAlgorithm,
                                                                                            SignMessageType signMessage,
                                                                                            CertRequestPropertiesType certRequestProperties,
                                                                                            java.util.List<java.lang.Object> otherRequestInfo)
                                                                                     throws MessageProcessingException
        The SignRequestExtension element allows a requesting service to add essential sign request information to a DSS Sign request. When present, this element MUST be included in the dss:OptionalInputs element in a DSS Sign Request.
        Parameters:
        version - The version of this specification. If absent, the version value defaults to "1.1". This attribute provides means for the receiving service to determine the expected syntax of the request based on the protocol version. (Optional, use null not to set. Default: 1.1)
        requestTime - The time when this request was created. (Required)
        conditionsType - Conditions that MUST be evaluated when assessing the validity of and/or when using the Sign Request. See Section 2.5 of [SAML2.0] for additional information on how to evaluate conditions. This element MUST include the attributes NotBefore and NotOnOrAfter and MUST include the element saml:AudienceRestriction which in turn MUST contain one saml:Audience element, specifying the return URL for any resulting Sign Response message. (Required)
        signer - The identity of the signer expressed as a sequence of SAML attributes using the saml:AttributeStatementType complex type. If this element is present, then the Signing Service MUST verify that the authenticated identity of the signer is consistent with the attributes in this element. (Optional, use null not to set.)
        identityProvider - The SAML EntityID of the Identity Provider that MUST be used to authenticate the signer before signing. (Required)
        signRequester - The SAML EntityID of the service that sends this request to the Signing Service. (Required)
        signService - The SAML EntityID of the service to which this Sign Request is sent. (Required)
        requestedSignatureAlgorithm - An identifier of the signature algorithm the requesting service prefers when generating the requested signature. (Optional, use null not to set.)
        signMessage - Optional sign message with information to the signer about the requested signature. (Optional, use null not to set.)
        certRequestProperties - An optional set of requested properties of the signature certificate that is generated as part of the signature process. (Optional, use null not to set.)
        otherRequestInfo - Any additional inputs to the request extension. (Optional, use null not to set.)
        Returns:
        a newly created SignRequestExtension
        Throws:
        MessageProcessingException - if internal problems occurred generating message.
      • genSignRequestExtension

        public javax.xml.bind.JAXBElement<SignRequestExtensionType> genSignRequestExtension​(java.lang.String version,
                                                                                            java.util.Date requestTime,
                                                                                            ConditionsType conditionsType,
                                                                                            AttributeStatementType signer,
                                                                                            java.lang.String identityProvider,
                                                                                            java.lang.String authnProfile,
                                                                                            java.lang.String signRequester,
                                                                                            java.lang.String signService,
                                                                                            java.lang.String requestedSignatureAlgorithm,
                                                                                            SignMessageType signMessage,
                                                                                            CertRequestPropertiesType certRequestProperties,
                                                                                            java.util.List<java.lang.Object> otherRequestInfo)
                                                                                     throws MessageProcessingException
        The SignRequestExtension element allows a requesting service to add essential sign request information to a DSS Sign request. When present, this element MUST be included in the dss:OptionalInputs element in a DSS Sign Request.
        Parameters:
        version - The version of this specification. If absent, the version value defaults to "1.1". This attribute provides means for the receiving service to determine the expected syntax of the request based on the protocol version. (Optional, use null not to set. Default: 1.1)
        requestTime - The time when this request was created. (Required)
        conditionsType - Conditions that MUST be evaluated when assessing the validity of and/or when using the Sign Request. See Section 2.5 of [SAML2.0] for additional information on how to evaluate conditions. This element MUST include the attributes NotBefore and NotOnOrAfter and MUST include the element saml:AudienceRestriction which in turn MUST contain one saml:Audience element, specifying the return URL for any resulting Sign Response message. (Required)
        signer - The identity of the signer expressed as a sequence of SAML attributes using the saml:AttributeStatementType complex type. If this element is present, then the Signing Service MUST verify that the authenticated identity of the signer is consistent with the attributes in this element. (Optional, use null not to set.)
        identityProvider - The SAML EntityID of the Identity Provider that MUST be used to authenticate the signer before signing. (Required)
        authnProfile - An opaque string that can be used to inform the Signing Service about specific requirements regarding the user authentication at the given Identity Provider. (Optional)
        signRequester - The SAML EntityID of the service that sends this request to the Signing Service. (Required)
        signService - The SAML EntityID of the service to which this Sign Request is sent. (Required)
        requestedSignatureAlgorithm - An identifier of the signature algorithm the requesting service prefers when generating the requested signature. (Optional, use null not to set.)
        signMessage - Optional sign message with information to the signer about the requested signature. (Optional, use null not to set.)
        certRequestProperties - An optional set of requested properties of the signature certificate that is generated as part of the signature process. (Optional, use null not to set.)
        otherRequestInfo - Any additional inputs to the request extension. (Optional, use null not to set.)
        Returns:
        a newly created SignRequestExtension
        Throws:
        MessageProcessingException - if internal problems occurred generating message.
      • genSignRequestExtension

        public javax.xml.bind.JAXBElement<SignRequestExtensionType> genSignRequestExtension​(java.lang.String version,
                                                                                            java.util.Date requestTime,
                                                                                            ConditionsType conditionsType,
                                                                                            AttributeStatementType signer,
                                                                                            NameIDType identityProvider,
                                                                                            NameIDType signRequester,
                                                                                            NameIDType signService,
                                                                                            java.lang.String requestedSignatureAlgorithm,
                                                                                            SignMessageType signMessage,
                                                                                            CertRequestPropertiesType certRequestProperties,
                                                                                            java.util.List<java.lang.Object> otherRequestInfo)
                                                                                     throws MessageProcessingException
        The SignRequestExtension element allows a requesting service to add essential sign request information to a DSS Sign request. When present, this element MUST be included in the dss:OptionalInputs element in a DSS Sign Request.
        Parameters:
        version - The version of this specification. If absent, the version value defaults to "1.1". This attribute provides means for the receiving service to determine the expected syntax of the request based on the protocol version. (Optional, use null not to set. Default: 1.1)
        requestTime - The time when this request was created. (Required)
        conditionsType - Conditions that MUST be evaluated when assessing the validity of and/or when using the Sign Request. See Section 2.5 of [SAML2.0] for additional information on how to evaluate conditions. This element MUST include the attributes NotBefore and NotOnOrAfter and MUST include the element saml:AudienceRestriction which in turn MUST contain one saml:Audience element, specifying the return URL for any resulting Sign Response message. (Required)
        signer - The identity of the signer expressed as a sequence of SAML attributes using the saml:AttributeStatementType complex type. If this element is present, then the Signing Service MUST verify that the authenticated identity of the signer is consistent with the attributes in this element. (Optional, use null not to set.)
        identityProvider - The SAML EntityID of the Identity Provider that MUST be used to authenticate the signer before signing. The EntityID value is specified using the saml:NameIDType complex type and MUST include a Format attribute with the value urn:oasis:names:tc:SAML:2.0:nameid-format:entity. (Required)
        signRequester - The SAML EntityID of the service that sends this request to the Signing Service. The EntityID value is specified using the saml:NameIDType complex type and MUST include a Format attribute with the value urn:oasis:names:tc:SAML:2.0:nameid-format:entity. (Required)
        signService - The SAML EntityID of the service to which this Sign Request is sent. The EntityID value is specified using the saml:NameIDType complex type and MUST include a Format attribute with the value urn:oasis:names:tc:SAML:2.0:nameid-format:entity. (Required)
        requestedSignatureAlgorithm - An identifier of the signature algorithm the requesting service prefers when generating the requested signature. (Optional, use null not to set.)
        signMessage - Optional sign message with information to the signer about the requested signature. (Optional, use null not to set.)
        certRequestProperties - An optional set of requested properties of the signature certificate that is generated as part of the signature process. (Optional, use null not to set.)
        otherRequestInfo - Any additional inputs to the request extension. (Optional, use null not to set.)
        Returns:
        a newly created SignRequestExtension
        Throws:
        MessageProcessingException - if internal problems occurred generating message.
      • genSignRequestExtension

        public javax.xml.bind.JAXBElement<SignRequestExtensionType> genSignRequestExtension​(java.lang.String version,
                                                                                            java.util.Date requestTime,
                                                                                            ConditionsType conditionsType,
                                                                                            AttributeStatementType signer,
                                                                                            NameIDType identityProvider,
                                                                                            java.lang.String authnProfile,
                                                                                            NameIDType signRequester,
                                                                                            NameIDType signService,
                                                                                            java.lang.String requestedSignatureAlgorithm,
                                                                                            SignMessageType signMessage,
                                                                                            CertRequestPropertiesType certRequestProperties,
                                                                                            java.util.List<java.lang.Object> otherRequestInfo)
                                                                                     throws MessageProcessingException
        The SignRequestExtension element allows a requesting service to add essential sign request information to a DSS Sign request. When present, this element MUST be included in the dss:OptionalInputs element in a DSS Sign Request.
        Parameters:
        version - The version of this specification. If absent, the version value defaults to "1.1". This attribute provides means for the receiving service to determine the expected syntax of the request based on the protocol version. (Optional, use null not to set. Default: 1.1)
        requestTime - The time when this request was created. (Required)
        conditionsType - Conditions that MUST be evaluated when assessing the validity of and/or when using the Sign Request. See Section 2.5 of [SAML2.0] for additional information on how to evaluate conditions. This element MUST include the attributes NotBefore and NotOnOrAfter and MUST include the element saml:AudienceRestriction which in turn MUST contain one saml:Audience element, specifying the return URL for any resulting Sign Response message. (Required)
        signer - The identity of the signer expressed as a sequence of SAML attributes using the saml:AttributeStatementType complex type. If this element is present, then the Signing Service MUST verify that the authenticated identity of the signer is consistent with the attributes in this element. (Optional, use null not to set.)
        identityProvider - The SAML EntityID of the Identity Provider that MUST be used to authenticate the signer before signing. The EntityID value is specified using the saml:NameIDType complex type and MUST include a Format attribute with the value urn:oasis:names:tc:SAML:2.0:nameid-format:entity. (Required)
        authnProfile - An opaque string that can be used to inform the Signing Service about specific requirements regarding the user authentication at the given Identity Provider. (Optional)
        signRequester - The SAML EntityID of the service that sends this request to the Signing Service. The EntityID value is specified using the saml:NameIDType complex type and MUST include a Format attribute with the value urn:oasis:names:tc:SAML:2.0:nameid-format:entity. (Required)
        signService - The SAML EntityID of the service to which this Sign Request is sent. The EntityID value is specified using the saml:NameIDType complex type and MUST include a Format attribute with the value urn:oasis:names:tc:SAML:2.0:nameid-format:entity. (Required)
        requestedSignatureAlgorithm - An identifier of the signature algorithm the requesting service prefers when generating the requested signature. (Optional, use null not to set.)
        signMessage - Optional sign message with information to the signer about the requested signature. (Optional, use null not to set.)
        certRequestProperties - An optional set of requested properties of the signature certificate that is generated as part of the signature process. (Optional, use null not to set.)
        otherRequestInfo - Any additional inputs to the request extension. (Optional, use null not to set.)
        Returns:
        a newly created SignRequestExtension
        Throws:
        MessageProcessingException - if internal problems occurred generating message.
      • genBasicConditions

        public ConditionsType genBasicConditions​(java.util.Date notBefore,
                                                 java.util.Date notOnOrAfter,
                                                 java.lang.String audience)
                                          throws MessageProcessingException
        Method to generate basic conditions type to be used in SignRequestExtension
        Parameters:
        notBefore - not used before this date. (Required)
        notOnOrAfter - not used on or after this date. (Required)
        audience - the return URL for any resulting Sign Response message. (Required)
        Returns:
        a newly created ConditionsType
        Throws:
        MessageProcessingException - if internal problems occurred generating message.
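        The following is an added example, not code from the library or this page: it builds the Conditions with genBasicConditions on the requester side, and shows the check a receiving service should run before acting on a SignRequestExtension (time window with a small clock-skew allowance, and an exact match of the single Audience against its own return URL). Package names, and the JAXB accessor names getNotBefore, getNotOnOrAfter, getConditionOrAudienceRestrictionOrOneTimeUse and getAudience, are assumptions based on a standard JAXB binding of the SAML 2.0 assertion schema; adjust them to the generated classes you actually have.

```java
import java.util.Date;
import java.util.List;
import javax.xml.datatype.XMLGregorianCalendar;
import org.certificateservices.messages.MessageProcessingException;
import org.certificateservices.messages.saml2.assertion.jaxb.AudienceRestrictionType;
import org.certificateservices.messages.saml2.assertion.jaxb.ConditionAbstractType;
import org.certificateservices.messages.saml2.assertion.jaxb.ConditionsType;
import org.certificateservices.messages.sweeid2.dssextenstions_1_1.SweEID2DSSExtensionsMessageParser;

/**
 * Added example, not part of the library. Package names and the JAXB accessor names
 * are assumed from the SAML 2.0 assertion schema binding.
 */
public class SignRequestConditions {

    /** Keep the window short: a captured SignRequest is replayable until NotOnOrAfter. */
    static final long VALIDITY_MS = 5 * 60 * 1000L;
    /** Tolerated clock difference between requester and signing service. */
    static final long CLOCK_SKEW_MS = 30 * 1000L;

    /** Requester side: NotBefore slightly in the past, NotOnOrAfter a few minutes ahead. */
    public static ConditionsType build(SweEID2DSSExtensionsMessageParser parser, String returnUrl)
            throws MessageProcessingException {
        long now = System.currentTimeMillis();
        return parser.genBasicConditions(new Date(now - CLOCK_SKEW_MS),
                                         new Date(now + VALIDITY_MS),
                                         returnUrl);
    }

    /**
     * Receiver side: returns null when the conditions are acceptable, otherwise the
     * reason for rejection. All of NotBefore, NotOnOrAfter and a single Audience are
     * mandatory for a SignRequestExtension, so their absence is a rejection, not a pass.
     */
    public static String check(ConditionsType conditions, String expectedAudience, Date now) {
        if (conditions == null) {
            return "Conditions element missing";
        }
        XMLGregorianCalendar notBefore = conditions.getNotBefore();
        XMLGregorianCalendar notOnOrAfter = conditions.getNotOnOrAfter();
        if (notBefore == null || notOnOrAfter == null) {
            return "NotBefore and NotOnOrAfter are both required";
        }
        long t = now.getTime();
        if (t + CLOCK_SKEW_MS < notBefore.toGregorianCalendar().getTimeInMillis()) {
            return "request not yet valid";
        }
        if (t - CLOCK_SKEW_MS >= notOnOrAfter.toGregorianCalendar().getTimeInMillis()) {
            return "request expired";
        }
        // Exactly one AudienceRestriction carrying exactly one Audience, compared as an
        // exact string; no prefix or host-only matching, which would let a sibling
        // endpoint on the same host consume the response.
        int restrictions = 0;
        boolean audienceMatches = false;
        for (ConditionAbstractType c : conditions.getConditionOrAudienceRestrictionOrOneTimeUse()) {
            if (c instanceof AudienceRestrictionType) {
                restrictions++;
                List<String> audiences = ((AudienceRestrictionType) c).getAudience();
                if (audiences.size() == 1 && expectedAudience.equals(audiences.get(0))) {
                    audienceMatches = true;
                }
            }
        }
        if (restrictions != 1 || !audienceMatches) {
            return "AudienceRestriction missing, ambiguous or not our return URL";
        }
        return null;
    }
}
```

        Run check() against the system clock of the receiving service, not against a timestamp taken from the message itself, and treat any non-null return as a hard rejection of the whole request.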
      • genCertRequestProperties

        public CertRequestPropertiesType genCertRequestProperties​(CertType certType,
                                                                  java.lang.String authnContextClassRef,
                                                                  java.util.List<MappedAttributeType> requestedCertAttributes,
                                                                  java.util.List<java.lang.Object> otherProperties)
        The CertRequestPropertiesType complex type is used to specify requested properties of the signature certificate that is associated with the generated signature.
        Parameters:
        certType - An enumeration of certificate types, default "PKC". The supported values are "PKC", "QC" and "QC/SSCD". "QC" means that the certificate is requested to be a Qualified Certificate according to legal definitions in national law governing the issuer. "QC/SSCD" means a Qualified Certificate where the private key is declared to be residing within a Secure Signature Creation Device according to national law. "PKC" (Public Key Certificate) means a certificate that is not a Qualified Certificate. (Optional, use null not to set, Default "PKC")
        authnContextClassRef - A URI identifying the requested level of assurance that authentication of the signature certificate subject MUST comply with in order to complete signing and certificate issuance. A Signing Service MUST NOT issue signature certificates and generate the requested signature unless the authentication process used to authenticate the requested signer meets the requested level of assurance expressed in this element. If this element is absent, the locally configured policy of the Signing Service is assumed. (Optional, use null not to set)
        requestedCertAttributes - A list of MappedAttributeType elements, each specifying a requested subject attribute of the signature certificate and the SAML attribute(s) that may supply its value (see genMappedAttribute). (Optional, use null not to set)
        otherProperties - Other requested properties of the signature certificates. (Optional, use null not to set)
        Returns:
        a newly created CertRequestPropertiesType
      • genCertRequestProperties

        public CertRequestPropertiesType genCertRequestProperties​(CertType certType,
                                                                  java.util.List<java.lang.String> authnContextClassRefs,
                                                                  java.util.List<MappedAttributeType> requestedCertAttributes,
                                                                  java.util.List<java.lang.Object> otherProperties)
        The CertRequestPropertiesType complex type is used to specify requested properties of the signature certificate that is associated with the generated signature.
        Parameters:
        certType - An enumeration of certificate types, default "PKC". The supported values are "PKC", "QC" and "QC/SSCD". "QC" means that the certificate is requested to be a Qualified Certificate according to legal definitions in national law governing the issuer. "QC/SSCD" means a Qualified Certificate where the private key is declared to be residing within a Secure Signature Creation Device according to national law. "PKC" (Public Key Certificate) means a certificate that is not a Qualified Certificate. (Optional, use null not to set, Default "PKC")
        authnContextClassRefs - A list of URI identifying the requested level of assurance that authentication of the signature certificate subject MUST comply with in order to complete signing and certificate issuance. A Signing Service MUST NOT issue signature certificates and generate the requested signature unless the authentication process used to authenticate the requested signer meets the requested level of assurance expressed in this element. If this element is absent, the locally configured policy of the Signing Service is assumed. (Optional, use null not to set)
        requestedCertAttributes - A list of MappedAttributeType elements, each specifying a requested subject attribute of the signature certificate and the SAML attribute(s) that may supply its value (see genMappedAttribute). (Optional, use null not to set)
        otherProperties - Other requested properties of the signature certificates. (Optional, use null not to set)
        Returns:
        a newly created CertRequestPropertiesType
      • genMappedAttribute

        public MappedAttributeType genMappedAttribute​(java.lang.String certAttributeRef,
                                                      CertNameType certNameType,
                                                      java.lang.String friendlyName,
                                                      java.lang.String defaultValue,
                                                      java.lang.Boolean required,
                                                      java.util.List<NameIDType> attributeAuthorities,
                                                      java.util.List<PreferredSAMLAttributeNameType> samlAttributeNames)
        Generates a new populated MappedAttributeType
        Parameters:
        certAttributeRef - A reference to the certificate attribute or name type where the requester wants to store this attribute value. The information in this attribute depends on the selected CertNameType attribute value. If the CertNameType is "rdn" or "sda", then this attribute MUST contain a string representation of an object identifier (OID). If the CertNameType is "san" (Subject Alternative Name) and the target name is a GeneralName, then this attribute MUST hold a string representation of the tag value of the target GeneralName type, e.g. "1" for rfc822Name (E-mail) or "2" for dNSName. If the CertNameType is "san" and the target name form is an OtherName, then this attribute value MUST include a string representation of the object identifier of the target OtherName form. Representation of an OID as a string in this attribute MUST consist of a sequence of integers delimited by a dot. This string MUST not contain white space or line breaks. Example: "2.5.4.32". (Optional, use null to not set)
        certNameType - An enumeration of the target name form for storing the associated SAML attribute value in the certificate. The available values are "rdn" for storing the attribute value as an attribute in a Relative Distinguished Name in the subject field of the certificate, "san" for storing the attribute value in a subject alternative name extension and "sda" for storing the attribute value in a subject directory attribute extension. The default value for this attribute is "rdn". (Optional, use null to not set)
        friendlyName - An optional friendly name of the subject attribute, e.g. "givenName". Note that this name does not need to map to any particular naming convention and its value MUST NOT be used by the Signing Service for attribute type mapping. This name is present for display purposes only. (Optional, use null to not set)
        defaultValue - An optional default value for the requested attribute. This value MAY be used by the Signing Service if no authoritative value for the attribute can be obtained when the Signing Service authenticates the user. This value MUST NOT be used by the Signing Service unless this value is consistent with a defined policy at the Signing Service. A typical valid use of this attribute is to hold a default countryName attribute value that matches a set of allowed countryName values. By accepting the default attribute value provided in this attribute, the Signing Service accepts the requesting service as an authoritative source for this particular requested attribute. (Optional, use null to not set)
        required - If this attribute is set to true, the Signing Service MUST ensure that the signing certificate contains a subject attribute of the requested type, or else the Signing Service MUST NOT generate the requested signature. (Optional, use null to not set, default: false)
        attributeAuthorities - Element holding an Entity ID of an Attribute Authority that MAY be used to obtain an attribute value for the requested attribute. The EntityID value is specified using the saml:NameIDType complex type and MUST include a Format attribute with the value urn:oasis:names:tc:SAML:2.0:nameid-format:entity. (Optional, use null to not set)
        samlAttributeNames - Element of type PreferredSAMLAttributeNameType complex type holding a name of a SAML subject attribute that is allowed to provide the content value for the requested certificate attribute. (Optional, use null to not set)
        Returns:
        a new populated MappedAttributeType
      • genPreferredSAMLAttributeName

        public PreferredSAMLAttributeNameType genPreferredSAMLAttributeName​(java.lang.Integer order,
                                                                            java.lang.String value)
        The PreferredSAMLAttributeNameType complex type holds a string value of a SAML attribute name. This attribute name SHALL be mapped against attribute names in saml:Attribute elements representing the subject in a SAML assertion that is used to authenticate the signer.
        Parameters:
        order - An integer specifying the order of preference of this SAML attribute. If more than one SAML attribute is listed, the SAML attribute with the lowest order integer value that is present as a subject attribute in the SAML assertion SHALL be used. SAML attributes with an absent order attribute SHALL be treated as having an order value of 0. Multiple SAML attributes with identical order attribute values SHALL be treated as having equal priority. (Optional, use null to not set.)
        value - the value of the attribute name
        Returns:
        a populated PreferredSAMLAttributeNameType
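        The selection rules above (lowest Order wins, absent Order counts as 0, equal Order means equal priority) together with the DefaultValue and Required rules of genMappedAttribute, written out as an added Python illustration; this is not the parser's code, and the attribute names, the allow-list policy and the assertion data are constructed samples.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class PreferredSAMLAttributeName:
    value: str                   # SAML attribute name, e.g. "urn:oid:2.5.4.6"
    order: Optional[int] = None  # absent Order is treated as 0


@dataclass
class MappedAttribute:
    cert_attribute_ref: str      # OID of the target certificate attribute
    saml_attribute_names: List[PreferredSAMLAttributeName]
    default_value: Optional[str] = None
    required: bool = False


class MissingRequiredAttribute(Exception):
    """A Required attribute could not be resolved: the signature MUST NOT be generated."""


def effective_order(pref: PreferredSAMLAttributeName) -> int:
    # Absent Order SHALL be treated as 0.
    return 0 if pref.order is None else pref.order


def resolve_attribute(mapped: MappedAttribute,
                      assertion_attributes: Dict[str, List[str]],
                      default_allowed_by_policy: Callable[[str, str], bool]) -> Optional[str]:
    """Return the value for the certificate attribute, or None if nothing applies.

    assertion_attributes maps SAML attribute names from the signer's assertion to
    their values; default_allowed_by_policy models the Signing Service policy that
    must approve a DefaultValue before it is used.
    """
    # Only preferred names actually present in the assertion are candidates.
    # sort() is stable, so names with identical Order keep the order in which the
    # request listed them (the spec gives such names equal priority).
    present = [p for p in mapped.saml_attribute_names if assertion_attributes.get(p.value)]
    present.sort(key=effective_order)
    if present:
        return assertion_attributes[present[0].value][0]

    # No authoritative value: DefaultValue MAY be used, but only if consistent
    # with a policy defined at the Signing Service.
    if mapped.default_value is not None and default_allowed_by_policy(
            mapped.cert_attribute_ref, mapped.default_value):
        return mapped.default_value

    if mapped.required:
        raise MissingRequiredAttribute(mapped.cert_attribute_ref)
    return None


# Constructed sample: countryName (OID 2.5.4.6) may come from two SAML names,
# with a default that is only acceptable for an allow-list of countries.
COUNTRY = MappedAttribute(
    cert_attribute_ref="2.5.4.6",
    saml_attribute_names=[
        PreferredSAMLAttributeName("urn:oid:2.5.4.6", order=1),
        PreferredSAMLAttributeName("urn:example:country"),  # hypothetical name, Order absent -> 0
    ],
    default_value="SE",
)


def allow_default_country(cert_attribute_ref: str, value: str) -> bool:
    """Constructed policy: default countryName values only from an allow-list."""
    return cert_attribute_ref == "2.5.4.6" and value in {"SE", "NO", "DK", "FI"}
```

        Note that the name with no Order outranks the one with Order 1, which is why a request should set Order explicitly on every listed name when a preference is intended.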
      • genSignMessage

        public SignMessageType genSignMessage​(java.lang.Boolean mustShow,
                                              java.lang.String displayEntity,
                                              SignMessageMimeType mimeType,
                                              byte[] message,
                                              java.util.Map<javax.xml.namespace.QName,​java.lang.String> otherAttributes)
        Method to generate a SignMessageType with unencrypted message.
        Parameters:
        mustShow - When this attribute is set to true then the requested signature MUST NOT be created unless this message has been displayed and accepted by the signer. The default is false. (Optional, use null if not set.)
        displayEntity - The EntityID of the entity responsible for displaying the sign message to the signer. When the sign message is encrypted, then this entity is also the holder of the private decryption key necessary to decrypt the sign message. (Optional, use null if not set.)
        mimeType - The mime type defining the message format. This is an enumeration of the valid attribute values text (plain text), text/html (html) or text/markdown (markdown). This specification does not specify any particular restrictions on the provided message but it is RECOMMENDED that sign message content is restricted to a limited set of valid tags and attributes, and that the display entity performs filtering to enforce these restrictions before displaying the message. The means through which parties agree on such restrictions are outside the scope of this specification, but one valid option to communicate such restrictions could be through federation metadata. (Optional, use null if not set.)
        message - The base64 encoded sign message in unencrypted form. The message MUST be encoded using UTF-8. (Required).
        otherAttributes - Arbitrary namespace-qualified attributes (Optional, use null to not set).
        Returns:
        a populated SignMessage
      • genSignEncryptedMessage

        public SignMessageType genSignEncryptedMessage​(ContextMessageSecurityProvider.Context context,
                                                       java.lang.Boolean mustShow,
                                                       java.lang.String displayEntity,
                                                       SignMessageMimeType mimeType,
                                                       byte[] messageToEncrypt,
                                                       java.util.Map<javax.xml.namespace.QName,​java.lang.String> otherAttributes,
                                                       java.util.List<java.security.cert.X509Certificate> recipients)
                                                throws MessageProcessingException
        Method to generate a SignMessageType with encrypted message.
        Parameters:
        mustShow - When this attribute is set to true then the requested signature MUST NOT be created unless this message has been displayed and accepted by the signer. The default is false. (Optional, use null if not set.)
        displayEntity - The EntityID of the entity responsible for displaying the sign message to the signer. When the sign message is encrypted, then this entity is also the holder of the private decryption key necessary to decrypt the sign message. (Optional, use null if not set.)
        mimeType - The mime type defining the message format. This is an enumeration of the valid attribute values text (plain text), text/html (html) or text/markdown (markdown). This specification does not specify any particular restrictions on the provided message but it is RECOMMENDED that sign message content is restricted to a limited set of valid tags and attributes, and that the display entity performs filtering to enforce these restrictions before displaying the message. The means through which parties agree on such restrictions are outside the scope of this specification, but one valid option to communicate such restrictions could be through federation metadata. (Optional, use null if not set.)
        messageToEncrypt - A message element to encrypt. The message MUST be encoded using UTF-8. (Required).
        otherAttributes - Arbitrary namespace-qualified attributes (Optional, use null to not set).
        recipients - a list of recipients (certificates) of the message.
        Returns:
        a populated SignMessage with an encrypted SignMessage.
        Throws:
        MessageProcessingException
      • genSignResponseExtension

        public javax.xml.bind.JAXBElement<SignResponseExtensionType> genSignResponseExtension​(java.lang.String version,
                                                                                              java.util.Date responseTime,
                                                                                              SignRequest request,
                                                                                              SignerAssertionInfoType signerAssertionInfo,
                                                                                              java.util.List<java.security.cert.X509Certificate> signatureCertificateChain,
                                                                                              java.util.List<java.lang.Object> otherResponseInfo)
                                                                                       throws MessageProcessingException
        Method to generate a SignResponseExtensionType.
        Parameters:
        version - The version of this specification. If absent, the version value defaults to "1.0". This attribute provides means for the receiving service to determine the expected syntax of the response based on the protocol version. (Optional, use null if not set.)
        responseTime - The time when the sign response was created. (Required)
        request - A dss:SignRequest element that contains the request related to this sign response. This element MUST be present if signing was successful. (Optional, use null if not set.)
        signerAssertionInfo - An element of type SignerAssertionInfoType holding information about how the signer was authenticated by the sign service as well as information about subject attribute values present in the SAML assertion authenticating the signer, which was incorporated into the signer certificate. This element MUST be present if signing was successful. (Optional, use null if not set.)
        signatureCertificateChain - An element of type CertificateChainType holding the signer certificate as well as other certificates that may be used to validate the signature. This element MUST be present if signing was successful and MUST contain all certificates that are necessary to compile a complete and functional signed document. Certificates in SignatureCertificateChain MUST be provided in sequence with the signature certificate first followed by any CA certificates that can be used to verify the previous certificate in the sequence, ending with a self-signed root certificate. (Optional, use null if not set.)
        otherResponseInfo - Optional sign response elements that will be included in the AnyType. (Optional, use null if not set.)
        Returns:
        a newly generated SignResponseExtensionType
        Throws:
        MessageProcessingException - if internal problems occurred generating message.
      • genSignResponseExtension

        public javax.xml.bind.JAXBElement<SignResponseExtensionType> genSignResponseExtension​(java.lang.String version,
                                                                                              java.util.Date responseTime,
                                                                                              byte[] requestData,
                                                                                              SignerAssertionInfoType signerAssertionInfo,
                                                                                              java.util.List<java.security.cert.X509Certificate> signatureCertificateChain,
                                                                                              java.util.List<java.lang.Object> otherResponseInfo)
                                                                                       throws MessageProcessingException
        Method to generate a SignResponseExtensionType.
        Parameters:
        version - The version of this specification. If absent, the version value defaults to "1.0". This attribute provides means for the receiving service to determine the expected syntax of the response based on the protocol version. (Optional, use null if not set.)
        responseTime - The time when the sign response was created. (Required)
        requestData - A marshalled dss:SignRequest element that contains the request related to this sign response. This element MUST be present if signing was successful. (Optional, use null if not set.)
        signerAssertionInfo - An element of type SignerAssertionInfoType holding information about how the signer was authenticated by the sign service as well as information about subject attribute values present in the SAML assertion authenticating the signer, which was incorporated into the signer certificate. This element MUST be present if signing was successful. (Optional, use null if not set.)
        signatureCertificateChain - An element of type CertificateChainType holding the signer certificate as well as other certificates that may be used to validate the signature. This element MUST be present if signing was successful and MUST contain all certificates that are necessary to compile a complete and functional signed document. Certificates in SignatureCertificateChain MUST be provided in sequence with the signature certificate first followed by any CA certificates that can be used to verify the previous certificate in the sequence, ending with a self-signed root certificate. (Optional, use null if not set.)
        otherResponseInfo - Optional sign response elements that will be included in the AnyType. (Optional, use null if not set.)
        Returns:
        a newly generated SignResponseExtensionType
        Throws:
        MessageProcessingException - if internal problems occurred generating message.
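        How a receiving service might enforce the MUST rules stated for a successful SignResponseExtension, in particular the SignatureCertificateChain ordering (signature certificate first, each CA certificate issuing the one before it, self-signed root last). This is an added Python illustration, not parser code: certificates are reduced to their subject and issuer names, so it checks ordering and completeness only; signature and validity-period verification belong to a separate step, and the names are constructed samples.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

SUPPORTED_VERSIONS = {"1.0"}   # absent Version means "1.0"


@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass
class SignResponseExtension:
    response_time: Optional[datetime]
    signer_assertion_info: Optional[object]   # stands in for SignerAssertionInfoType
    chain: Optional[List[CertInfo]]           # SignatureCertificateChain, signer first
    version: Optional[str] = None


def chain_problems(chain: List[CertInfo], expected_signer: str) -> List[str]:
    """Return the ordering rules a SignatureCertificateChain violates (empty if none)."""
    if not chain:
        return ["SignatureCertificateChain is empty"]
    problems = []
    if chain[0].subject != expected_signer:
        problems.append("first certificate is not the signature certificate")
    for i in range(len(chain) - 1):
        # Each following CA certificate must be the one that can verify the
        # previous certificate, i.e. its subject is the previous issuer.
        if chain[i + 1].subject != chain[i].issuer:
            problems.append(f"certificate {i + 1} does not issue certificate {i}")
    if not chain[-1].self_signed:
        problems.append("chain does not end with a self-signed root certificate")
    return problems


def check_successful_response(resp: SignResponseExtension, expected_signer: str) -> List[str]:
    """Apply the MUST rules that hold when the response reports successful signing."""
    problems = []
    if (resp.version or "1.0") not in SUPPORTED_VERSIONS:
        problems.append(f"unsupported protocol version {resp.version!r}")
    if resp.response_time is None:
        problems.append("ResponseTime is required")
    if resp.signer_assertion_info is None:
        problems.append("SignerAssertionInfo MUST be present on success")
    if resp.chain is None:
        problems.append("SignatureCertificateChain MUST be present on success")
    else:
        problems.extend(chain_problems(resp.chain, expected_signer))
    return problems


# Constructed sample names for a three-certificate chain and a well-formed response.
ROOT = CertInfo("CN=Example Root CA", "CN=Example Root CA")
ISSUING = CertInfo("CN=Example Issuing CA", "CN=Example Root CA")
SIGNER = CertInfo("CN=Anna Andersson", "CN=Example Issuing CA")
GOOD_CHAIN = [SIGNER, ISSUING, ROOT]
SAMPLE_RESPONSE = SignResponseExtension(datetime(2017, 1, 2), object(), GOOD_CHAIN)
```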
      • genSignerAssertionInfo

        public SignerAssertionInfoType genSignerAssertionInfo​(ContextInfoType contextInfo,
                                                              AttributeStatementType attributeStatement,
                                                              java.util.List<javax.xml.bind.JAXBElement<AssertionType>> assertions)
                                                       throws MessageProcessingException
        Generates a new SignerAssertionInfoType
        Parameters:
        contextInfo - This element of type ContextInfoType holds information about SAML authentication context related to signer authentication through a SAML assertion. (Required)
        attributeStatement - This element of type saml:AttributeStatementType (see [SAML2.0]) holds subject attributes obtained from the SAML assertion used to authenticate the signer at the Signing Service. For integrity reasons, this element SHOULD only provide information about SAML attribute values that map to subject identity information in the signer's certificate. (Required)
        assertions - Any number of SAML assertions that were relevant for authenticating the signer and the signer's identity attributes at the Signing Service. (Optional, use null not to set.)
        Returns:
        a newly created SignerAssertionInfoType
        Throws:
        MessageProcessingException - if internal problems occurred generating message.
      • genSignerAssertionInfoFromAssertionData

        public SignerAssertionInfoType genSignerAssertionInfoFromAssertionData​(ContextInfoType contextInfo,
                                                                               AttributeStatementType attributeStatement,
                                                                               java.util.List<byte[]> assertionDatas)
        Generates a new SignerAssertionInfoType
        Parameters:
        contextInfo - This element of type ContextInfoType holds information about SAML authentication context related to signer authentication through a SAML assertion. (Required)
        attributeStatement - This element of type saml:AttributeStatementType (see [SAML2.0]) holds subject attributes obtained from the SAML assertion used to authenticate the signer at the Signing Service. For integrity reasons, this element SHOULD only provide information about SAML attribute values that map to subject identity information in the signer's certificate. (Required)
        assertionDatas - Any number of marshalled SAML assertions that were relevant for authenticating the signer and the signer's identity attributes at the Signing Service. (Optional, use null not to set.)
        Returns:
        a newly created SignerAssertionInfoType
      • genContextInfo

        public ContextInfoType genContextInfo​(NameIDType identityProvider,
                                              java.util.Date authenticationInstant,
                                              java.lang.String authnContextClassRef,
                                              java.lang.String serviceID,
                                              java.lang.String authType,
                                              java.lang.String assertionRef)
                                       throws MessageProcessingException
        Generates a new ContextInfoType
        Parameters:
        identityProvider - The EntityID of the Identity Provider that authenticated the signer to the Signing Service. (Required)
        authenticationInstant - The time when the Signing Service authenticated the signer. (Required)
        authnContextClassRef - A URI reference to the authentication context class (see [SAML2.0]). (Required)
        serviceID - An arbitrary identifier of the instance of the Signing Service that authenticated the signer. (Optional, use null not to set)
        authType - An arbitrary identifier of the service used by the Signing Service to authenticate the signer (e.g. "shibboleth".) (Optional, use null not to set)
        assertionRef - A reference to the assertion used to identify the signer. This MAY be the ID attribute of a saml:Assertion element but MAY also be any other reference that can be used to locate and identify the assertion. (Optional, use null not to set)
        Returns:
        a newly created ContextInfoType
        Throws:
        MessageProcessingException - if internal problems occurred generating message.
      • genSignTaskData

        public SignTaskDataType genSignTaskData​(java.lang.String signTaskId,
                                                SigType sigType,
                                                AdESType adESType,
                                                java.lang.String processingRules,
                                                byte[] toBeSignedBytes,
                                                AdESObjectType adESObject,
                                                byte[] base64Signature,
                                                java.lang.String base64SignatureType,
                                                java.util.List<java.lang.Object> otherSignTaskData)
                                         throws MessageContentException
        Generates a populated SignTaskData
        Parameters:
        signTaskId - An identifier of the signature task that is represented by this element. If the request contains multiple instances of SignTaskData representing separate sign tasks, then each instance of the element MUST have a SignatureId attribute value that is unique among all sign tasks in the sign request. When this attribute is present, the same attribute value MUST be returned in the corresponding SignTaskData element in the response that holds corresponding signature result data. (Optional, use null not to set)
        sigType - Enumerated identifier of the type of signature format the canonicalized signed information octets in the ToBeSignedBytes element are associated with. This MUST be one of the enumerated values "XML", "PDF", "CMS" or "ASiC". (Required)
        adESType - Specifies the type of AdES signature. BES means that the signing certificate hash must be covered by the signature. EPES means that the signing certificate hash and a signature policy identifier must be covered by the signature. (Optional, use null not to set)
        processingRules - A URI identifying one or more processing rules that the Signing Service MUST apply when processing and using the provided signed information octets. The Signing Service MUST NOT process and complete the signature request if this attribute contains a URI that is not recognized by the Signing Service. When this attribute is present in the sign response, it represents a statement by the Signing Service that the identified processing rule was successfully executed. (Optional, use null not to set)
        toBeSignedBytes - The bytes to be hashed and signed when generating the requested signature. For an XML signature this MUST be the canonicalized octets of a dss:SignedInfo element. For a PDF signature this MUST be the octets of the DER encoded SignedAttrs value (signed attributes). If this data was altered by the signature process, for example as a result of changing a signing time attribute in PDF SignedAttrs, or as a result of adding a reference to a hash of the signature certificate in an XAdES signature, the altered data MUST be returned in the sign response using this element. (Required)
        adESObject - An element of type AdESObjectType complex type holding data to support generation of a signature according to any of the ETSI Advanced Electronic Signature (AdES) standard formats. (Optional, use null not to set)
        base64Signature - The output signature value of the signature creation process associated with this sign task. This element's optional Type attribute, if present, SHALL contain a URI indicating the signature algorithm that was used to generate the signature value. (Optional, use null not to set)
        base64SignatureType - The value to set as the Type attribute of the Base64Signature element.
        otherSignTaskData - Other input or output data elements associated with the sign task. (Optional)
        Returns:
        a populated SignTaskDataType
        Throws:
        MessageContentException - if bad message format was detected.
      • genSignTasks

        public javax.xml.bind.JAXBElement<SignTasksType> genSignTasks​(java.util.List<SignTaskDataType> signTasks)
        This element holds information about sign tasks that are requested in a sign request and returned in a sign response. If information about a sign task is provided using this element in a sign request, then the corresponding signature result data MUST also be provided using this element in the sign response.
        Parameters:
        signTasks - Input and output data associated with a sign task. A request MAY contain several instances of this element. When multiple instances of this element are present in the request, this means that the Signing Service is requested to generate multiple signatures (one for each SignTaskData element) using the same signing key and signature certificate. This allows batch signing of several different documents in the same signing instance or creation of multiple signatures on the same document such as signing XML content of a PDF document with an XML signature, while signing the rest of the document with a PDF signature. (One is required.)
        Returns:
        a generated SignTasks
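        The batch rules stated for SignTaskData and SignTasks (an enumerated SigType, a SignTaskId that is unique across a multi-task request and echoed in the response, a ProcessingRules URI that must be recognized or the request is refused), as an added Python validation example that is not the parser's code; the rule URI and the task contents are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SIG_TYPES = {"XML", "PDF", "CMS", "ASiC"}


@dataclass
class SignTaskData:
    sig_type: str
    to_be_signed_bytes: bytes
    sign_task_id: Optional[str] = None
    processing_rules: Optional[str] = None
    base64_signature: Optional[bytes] = None   # filled in by the response


def validate_request_tasks(tasks: List[SignTaskData], known_rules: Set[str]) -> List[str]:
    """Return the rule violations in the SignTasks of a request (empty if valid)."""
    problems = []
    if not tasks:
        problems.append("at least one SignTaskData is required")
    ids_seen: Set[str] = set()
    multiple = len(tasks) > 1
    for n, t in enumerate(tasks):
        where = f"task {n}"
        if t.sig_type not in SIG_TYPES:
            problems.append(f"{where}: SigType {t.sig_type!r} not in {sorted(SIG_TYPES)}")
        if not t.to_be_signed_bytes:
            problems.append(f"{where}: ToBeSignedBytes is required")
        # With several tasks, every task MUST carry an id that is unique in the request.
        if multiple and t.sign_task_id is None:
            problems.append(f"{where}: SignTaskId required when several tasks are present")
        if t.sign_task_id is not None:
            if t.sign_task_id in ids_seen:
                problems.append(f"{where}: duplicate SignTaskId {t.sign_task_id!r}")
            ids_seen.add(t.sign_task_id)
        # A rule URI the Signing Service does not recognize means the request MUST NOT be completed.
        if t.processing_rules is not None and t.processing_rules not in known_rules:
            problems.append(f"{where}: unrecognized ProcessingRules {t.processing_rules!r}")
    return problems


def match_response_tasks(request: List[SignTaskData], response: List[SignTaskData]) -> List[str]:
    """Check that every request task has a result under the same SignTaskId."""
    problems = []
    by_id: Dict[Optional[str], SignTaskData] = {t.sign_task_id: t for t in response}
    for t in request:
        r = by_id.get(t.sign_task_id)
        if r is None:
            problems.append(f"no response task for SignTaskId {t.sign_task_id!r}")
            continue
        if r.sig_type != t.sig_type:
            problems.append(f"SignTaskId {t.sign_task_id!r}: SigType changed in response")
        if not r.base64_signature:
            problems.append(f"SignTaskId {t.sign_task_id!r}: Base64Signature missing")
        # ToBeSignedBytes may legitimately differ (e.g. a signing time was added) and the
        # altered value MUST then be returned, so it is deliberately not compared here.
    return problems


# Constructed sample batch: one XML and one PDF signature with the same signing key.
KNOWN_RULES = {"http://example.org/rules/hypothetical-pdf-rule"}   # hypothetical URI
REQUEST = [
    SignTaskData("XML", b"<SignedInfo/>", sign_task_id="task-1"),
    SignTaskData("PDF", b"\x31\x00", sign_task_id="task-2",
                 processing_rules="http://example.org/rules/hypothetical-pdf-rule"),
]
```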
      • genNameIdWithEntityFormat

        protected NameIDType genNameIdWithEntityFormat​(java.lang.String value)
        Help method to create a NameID with format "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        Parameters:
        value - the value to set to the NameId
        Returns:
        created NameID or null if value is null.
      • getDSSMarshaller

        protected javax.xml.bind.Marshaller getDSSMarshaller()
                                                      throws javax.xml.bind.JAXBException
        Throws:
        javax.xml.bind.JAXBException
      • getDSSJAXBContext

        protected javax.xml.bind.JAXBContext getDSSJAXBContext()
                                                        throws javax.xml.bind.JAXBException
        Help method maintaining the Extension specific JAXB Context to handle multiple SAML namespaces.
        Throws:
        javax.xml.bind.JAXBException
      • getSweEID2ExtensionMarshaller

        protected javax.xml.bind.Marshaller getSweEID2ExtensionMarshaller()
                                                                   throws javax.xml.bind.JAXBException
        Throws:
        javax.xml.bind.JAXBException
      • getSweEID2ExtensionJAXBContext

        protected javax.xml.bind.JAXBContext getSweEID2ExtensionJAXBContext()
                                                                     throws javax.xml.bind.JAXBException
        Help method maintaining the Extension specific JAXB Context to handle multiple SAML namespaces.
        Throws:
        javax.xml.bind.JAXBException