1818 */
1919package org .apache .xml .security .extension .xades ;
2020
21- import org .apache .xml .security .algorithms .JCEMapper ;
21+ import org .apache .xml .security .algorithms .MessageDigestAlgorithm ;
2222import org .apache .xml .security .encryption .XMLCipher ;
23+ import org .apache .xml .security .exceptions .XMLSecurityException ;
2324import org .apache .xml .security .extension .SignatureExtensionException ;
2425import org .apache .xml .security .extension .SignatureProcessor ;
2526import org .apache .xml .security .signature .ObjectContainer ;
3031import org .apache .xml .security .transforms .Transforms ;
3132import org .w3c .dom .Document ;
3233
33- import java .security .MessageDigest ;
34- import java .security .NoSuchAlgorithmException ;
3534import java .security .cert .CertificateEncodingException ;
3635import java .security .cert .X509Certificate ;
3736import java .time .OffsetDateTime ;
@@ -143,12 +142,6 @@ private SignedSignatureProperties buildSignedSignatureProperties(Document doc)
143142 }
144143
145144 private SigningCertificate buildSigningCertificate (Document doc ) throws XMLSignatureException {
146- String jceAlgorithm = JCEMapper .translateURItoJCEID (certificateDigestAlgorithmURI );
147- if (jceAlgorithm == null ) {
148- throw new SignatureExtensionException (
149- "Unknown digest algorithm URI: " + certificateDigestAlgorithmURI );
150- }
151-
152145 byte [] certDer ;
153146 try {
154147 certDer = certificate .getEncoded ();
@@ -158,8 +151,8 @@ private SigningCertificate buildSigningCertificate(Document doc) throws XMLSigna
158151
159152 byte [] digest ;
160153 try {
161- digest = MessageDigest . getInstance ( jceAlgorithm ).digest (certDer );
162- } catch (NoSuchAlgorithmException e ) {
154+ digest = MessageDigestAlgorithm . getDigestInstance ( certificateDigestAlgorithmURI ).digest (certDer );
155+ } catch (XMLSecurityException e ) {
163156 throw new SignatureExtensionException (
164157 "Digest algorithm not available: " + certificateDigestAlgorithmURI , e );
165158 }
@@ -175,13 +168,13 @@ private SigningCertificate buildSigningCertificate(Document doc) throws XMLSigna
175168 return sc ;
176169 }
177170
178- private void ensureSignatureId (XMLSignature signature ) throws XMLSignatureException {
171+ private void ensureSignatureId (XMLSignature signature ) {
179172 if (isBlank (signature .getId ())) {
180173 signature .setId (IDGenerator .generateID (ID_PREFIX_SIG ));
181174 }
182175 }
183176
184- private void ensureSignatureValueId (XMLSignature signature ) throws XMLSignatureException {
177+ private void ensureSignatureValueId (XMLSignature signature ){
185178 if (isBlank (signature .getSignatureValueId ())) {
186179 signature .setSignatureValueId (IDGenerator .generateID (ID_PREFIX_SIG_VAL ));
187180 }
@@ -220,6 +213,7 @@ private static boolean isBlank(String value) {
220213 */
221214 public static final class Builder {
222215
216+ private boolean allowWeakAlgorithms = false ;
223217 private final X509Certificate certificate ;
224218 private String certificateDigestAlgorithmURI = XMLCipher .SHA256 ;
225219 private boolean signaturePolicyImplied = false ;
@@ -261,6 +255,12 @@ public Builder withSignatureCountryName(String countryName) {
261255 return this ;
262256 }
263257
258+ /** When {@code true}, allows weak digest algorithms (e.g. SHA-1) to be used for certificate digest. */
259+ public Builder withAllowWeakAlgorithms (boolean allowWeakAlgorithms ) {
260+ this .allowWeakAlgorithms = allowWeakAlgorithms ;
261+ return this ;
262+ }
263+
264264 /**
265265 * Adds a canonicalization or transform algorithm URI to apply to the
266266 * {@code SignedProperties} reference before digesting. Algorithms are applied in
@@ -273,6 +273,11 @@ public Builder addReferenceTransformAlgorithm(String algorithm) {
273273
274274 public XAdESSignatureProcessor build () {
275275 Objects .requireNonNull (certificateDigestAlgorithmURI , "certificateDigestAlgorithmURI" );
276+ if (!this .allowWeakAlgorithms && !XAdESConstants .APPROVED_CERT_DIGEST_ALGORITHM_URIS .contains (certificateDigestAlgorithmURI )) {
277+ throw new IllegalArgumentException (
278+ "certificateDigestAlgorithmURI uses a weak or disallowed digest algorithm: "
279+ + certificateDigestAlgorithmURI );
280+ }
276281 return new XAdESSignatureProcessor (this );
277282 }
278283 }
0 commit comments