Posted to commits@santuario.apache.org by co...@apache.org on 2021/08/18 14:46:09 UTC

[santuario-xml-security-java] branch master updated: SANTUARIO-574 - Enable secure validation by default

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/santuario-xml-security-java.git


The following commit(s) were added to refs/heads/master by this push:
     new bf85dbe  SANTUARIO-574 - Enable secure validation by default
bf85dbe is described below

commit bf85dbe923b156d605033abdf7807c3752e913f4
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Aug 18 15:45:46 2021 +0100

    SANTUARIO-574 - Enable secure validation by default
---
 .../java/org/apache/jcp/xml/dsig/internal/dom/Utils.java   | 14 +++++++-------
 .../java/org/apache/xml/security/encryption/XMLCipher.java |  2 +-
 .../org/apache/xml/security/encryption/XMLCipherInput.java |  2 +-
 src/main/java/org/apache/xml/security/keys/KeyInfo.java    |  2 +-
 .../java/org/apache/xml/security/signature/Manifest.java   |  2 +-
 .../java/org/apache/xml/security/signature/Reference.java  |  2 +-
 .../apache/xml/security/signature/XMLSignatureInput.java   |  2 +-
 .../org/apache/xml/security/transforms/Transforms.java     |  2 +-
 src/test/java/javax/xml/crypto/test/dsig/C14N11Test.java   |  2 +-
 .../javax/xml/crypto/test/dsig/IaikCoreFeaturesTest.java   |  2 +-
 .../xml/crypto/test/dsig/JSRForbiddenRefCountTest.java     |  5 +++--
 .../javax/xml/crypto/test/dsig/SignatureValidator.java     | 14 ++++++++++++--
 12 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/Utils.java b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/Utils.java
index aa62dd2..10817f0 100644
--- a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/Utils.java
+++ b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/Utils.java
@@ -103,14 +103,14 @@ public final class Utils {
     }
 
     static boolean secureValidation(XMLCryptoContext xc) {
-        if (xc == null) {
-            return false;
+        boolean secureValidation = true;
+        if (xc != null) {
+	    Boolean value = (Boolean)xc.getProperty("org.apache.jcp.xml.dsig.secureValidation");
+            if (value != null) {
+                secureValidation = value;
+            }
         }
-        return getBoolean(xc, "org.apache.jcp.xml.dsig.secureValidation");
+        return secureValidation;
     }
 
-    private static boolean getBoolean(XMLCryptoContext xc, String name) {
-        Boolean value = (Boolean)xc.getProperty(name);
-        return value != null && value;
-    }
 }
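Review bot: The rewritten `secureValidation(XMLCryptoContext)` has no comment stating its new fail-secure contract, and the `Boolean value = ...` line is indented with a tab while the surrounding lines use spaces. I would add a Javadoc along the lines of `/** Returns true unless the context explicitly sets org.apache.jcp.xml.dsig.secureValidation to Boolean.FALSE; a null context or an absent property means secure validation is on. */` and re-indent that line with spaces. The unchecked `(Boolean)` cast also throws a ClassCastException if a caller stores a non-Boolean value such as the string "false". That fails closed, but an `instanceof Boolean` check with a clear error message would be easier to diagnose for callers who are trying to opt out.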
diff --git a/src/main/java/org/apache/xml/security/encryption/XMLCipher.java b/src/main/java/org/apache/xml/security/encryption/XMLCipher.java
index ebda4eb..6014b10 100644
--- a/src/main/java/org/apache/xml/security/encryption/XMLCipher.java
+++ b/src/main/java/org/apache/xml/security/encryption/XMLCipher.java
@@ -284,7 +284,7 @@ public class XMLCipher {
     // (part of an UNWRAP operation)
     private EncryptedData ed;
 
-    private boolean secureValidation;
+    private boolean secureValidation = true;
 
     private String digestAlg;
 
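Review bot: The `secureValidation = true` initialiser only sets the starting value, and nothing visible in this hunk shows whether constructors or setters elsewhere in the class still overwrite it with a caller-supplied `false`. The same applies to the identical one-line change in XMLCipherInput, KeyInfo, Manifest, Reference, XMLSignatureInput and Transforms. A short field comment would make the new contract explicit in each class, e.g. `/** Secure validation is on by default; callers must opt out explicitly. */`. Because this flips behaviour for existing users, it is worth confirming that every public entry point taking a secure-validation flag documents the new default.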
diff --git a/src/main/java/org/apache/xml/security/encryption/XMLCipherInput.java b/src/main/java/org/apache/xml/security/encryption/XMLCipherInput.java
index 327dc14..68598f7 100644
--- a/src/main/java/org/apache/xml/security/encryption/XMLCipherInput.java
+++ b/src/main/java/org/apache/xml/security/encryption/XMLCipherInput.java
@@ -50,7 +50,7 @@ public class XMLCipherInput {
     /** The data we are working with */
     private CipherData cipherData;
 
-    private boolean secureValidation;
+    private boolean secureValidation = true;
 
     /**
      * Constructor for processing encrypted octets
diff --git a/src/main/java/org/apache/xml/security/keys/KeyInfo.java b/src/main/java/org/apache/xml/security/keys/KeyInfo.java
index 231d38e..b1c2b99 100644
--- a/src/main/java/org/apache/xml/security/keys/KeyInfo.java
+++ b/src/main/java/org/apache/xml/security/keys/KeyInfo.java
@@ -115,7 +115,7 @@ public class KeyInfo extends SignatureElementProxy {
      */
     private List<KeyResolverSpi> internalKeyResolvers = new ArrayList<>();
 
-    private boolean secureValidation;
+    private boolean secureValidation = true;
 
     /**
      * Constructor KeyInfo
diff --git a/src/main/java/org/apache/xml/security/signature/Manifest.java b/src/main/java/org/apache/xml/security/signature/Manifest.java
index 9e2817a..3a565b1 100644
--- a/src/main/java/org/apache/xml/security/signature/Manifest.java
+++ b/src/main/java/org/apache/xml/security/signature/Manifest.java
@@ -77,7 +77,7 @@ public class Manifest extends SignatureElementProxy {
     /** Field perManifestResolvers */
     private List<ResourceResolverSpi> perManifestResolvers;
 
-    private boolean secureValidation;
+    private boolean secureValidation = true;
 
     /**
      * Constructs {@link Manifest}
diff --git a/src/main/java/org/apache/xml/security/signature/Reference.java b/src/main/java/org/apache/xml/security/signature/Reference.java
index a8a3527..5a6297a 100644
--- a/src/main/java/org/apache/xml/security/signature/Reference.java
+++ b/src/main/java/org/apache/xml/security/signature/Reference.java
@@ -112,7 +112,7 @@ public class Reference extends SignatureElementProxy {
      */
     public static final int MAXIMUM_TRANSFORM_COUNT = 5;
 
-    private boolean secureValidation;
+    private boolean secureValidation = true;
 
     /**
      * Look up useC14N11 system property. If true, an explicit C14N11 transform
diff --git a/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java b/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
index 491d3f7..212270c 100644
--- a/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
+++ b/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
@@ -81,7 +81,7 @@ public class XMLSignatureInput {
      * A cached bytes
      */
     private byte[] bytes;
-    private boolean secureValidation;
+    private boolean secureValidation = true;
 
     /**
      * Some Transforms may require explicit MIME type, charset (IANA registered
diff --git a/src/main/java/org/apache/xml/security/transforms/Transforms.java b/src/main/java/org/apache/xml/security/transforms/Transforms.java
index 34910db..2773255 100644
--- a/src/main/java/org/apache/xml/security/transforms/Transforms.java
+++ b/src/main/java/org/apache/xml/security/transforms/Transforms.java
@@ -103,7 +103,7 @@ public class Transforms extends SignatureElementProxy {
 
     protected Transforms() { }
 
-    private boolean secureValidation;
+    private boolean secureValidation = true;
 
     /**
      * Constructs {@link Transforms}.
diff --git a/src/test/java/javax/xml/crypto/test/dsig/C14N11Test.java b/src/test/java/javax/xml/crypto/test/dsig/C14N11Test.java
index 203d242..773e9d0 100644
--- a/src/test/java/javax/xml/crypto/test/dsig/C14N11Test.java
+++ b/src/test/java/javax/xml/crypto/test/dsig/C14N11Test.java
@@ -174,7 +174,7 @@ public class C14N11Test {
         for (int i = 0; i < vendors.length; i++) {
             String file = test + "-" + vendors[i] + ".xml";
             // System.out.println("Validating " + file);
-            boolean coreValidity = validator.validate(file, sks);
+            boolean coreValidity = validator.validate(file, sks, null, false);
             assertTrue(coreValidity, file + " failed core validation");
         }
     }
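Review bot: The added `false` argument in `validator.validate(file, sks, null, false)` turns secure validation off for these vectors without saying why, and IaikCoreFeaturesTest does the same with `new OfflineDereferencer(), false`. A one-line comment naming the restriction the test files trip would keep the opt-out from being copied into new tests without thought, e.g. `// secure validation off: these interop vectors use <restriction the vectors violate>`. The enclosing test method starts outside the hunk.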
diff --git a/src/test/java/javax/xml/crypto/test/dsig/IaikCoreFeaturesTest.java b/src/test/java/javax/xml/crypto/test/dsig/IaikCoreFeaturesTest.java
index 8c79a44..512c7ea 100644
--- a/src/test/java/javax/xml/crypto/test/dsig/IaikCoreFeaturesTest.java
+++ b/src/test/java/javax/xml/crypto/test/dsig/IaikCoreFeaturesTest.java
@@ -85,7 +85,7 @@ public class IaikCoreFeaturesTest {
 
         boolean coreValidity = validator.validate
             (file, new KeySelectors.KeyValueKeySelector(),
-                    new OfflineDereferencer());
+                    new OfflineDereferencer(), false);
         assertTrue(coreValidity, "Signature failed core validation");
     }
 
diff --git a/src/test/java/javax/xml/crypto/test/dsig/JSRForbiddenRefCountTest.java b/src/test/java/javax/xml/crypto/test/dsig/JSRForbiddenRefCountTest.java
index 2f2dfb7..dd89d28 100644
--- a/src/test/java/javax/xml/crypto/test/dsig/JSRForbiddenRefCountTest.java
+++ b/src/test/java/javax/xml/crypto/test/dsig/JSRForbiddenRefCountTest.java
@@ -48,9 +48,7 @@ public class JSRForbiddenRefCountTest {
             getSignedInfoElement("src/test/resources/interop/c14n/Y4", "signature-manifest.xml");
 
         InternalDOMCryptoContext context = new InternalDOMCryptoContext();
-        new DOMSignedInfo(signedInfoElement, context, null);
 
-        context.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
         try {
             new DOMSignedInfo(signedInfoElement, context, null);
         } catch (MarshalException ex) {
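Review bot: The `try` block around `new DOMSignedInfo(signedInfoElement, context, null)` has no failure path when no exception is thrown, so this test still passes if the secure-validation default silently reverts to off. Since the test now relies on the default rather than setting the property to `Boolean.TRUE`, I would add `fail("Expected MarshalException with secure validation on by default");` right after the constructor call inside the `try`, with the matching static import if the file does not already have it. The catch body continues in the next hunk.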
@@ -58,6 +56,9 @@ public class JSRForbiddenRefCountTest {
                 "A maxiumum of 30 references per Manifest are allowed with secure validation";
             assertTrue(ex.getMessage().contains(error));
         }
+
+        context.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.FALSE);
+        new DOMSignedInfo(signedInfoElement, context, null);
     }
 
     private static class InternalDOMCryptoContext extends DOMCryptoContext {
diff --git a/src/test/java/javax/xml/crypto/test/dsig/SignatureValidator.java b/src/test/java/javax/xml/crypto/test/dsig/SignatureValidator.java
index 205ed11..1d001d4 100644
--- a/src/test/java/javax/xml/crypto/test/dsig/SignatureValidator.java
+++ b/src/test/java/javax/xml/crypto/test/dsig/SignatureValidator.java
@@ -50,7 +50,11 @@ public class SignatureValidator {
         return validate(fn, ks, null);
     }
 
-    public DOMValidateContext getValidateContext(String fn, KeySelector ks)
+    public DOMValidateContext getValidateContext(String fn, KeySelector ks) throws Exception {
+        return getValidateContext(fn, ks, true);
+    }
+
+    public DOMValidateContext getValidateContext(String fn, KeySelector ks, boolean secureValidation)
         throws Exception {
         Document doc = XMLUtils.read(new FileInputStream(new File(dir, fn)), false);
         Element sigElement = getSignatureElement(doc);
@@ -59,13 +63,19 @@ public class SignatureValidator {
         }
         DOMValidateContext vc = new DOMValidateContext(ks, sigElement);
         vc.setBaseURI(dir.toURI().toString());
+        vc.setProperty("org.apache.jcp.xml.dsig.secureValidation", secureValidation);
         return vc;
     }
 
     public boolean validate(String fn, KeySelector ks, URIDereferencer ud)
         throws Exception {
+        return validate(fn, ks, ud, true);
+    }
+
+    public boolean validate(String fn, KeySelector ks, URIDereferencer ud, boolean secureValidation)
+            throws Exception {
 
-        DOMValidateContext vc = getValidateContext(fn, ks);
+        DOMValidateContext vc = getValidateContext(fn, ks, secureValidation);
         if (ud != null) {
             vc.setURIDereferencer(ud);
         }
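Review bot: `vc.setProperty("org.apache.jcp.xml.dsig.secureValidation", secureValidation)` in `getValidateContext` always sets the property, so every test going through this helper takes the explicit-value path and never the new property-absent default in `Utils.secureValidation`. Setting it only for the opt-out, `if (!secureValidation) { vc.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.FALSE); }`, would let the default-on tests cover the behaviour this commit actually changes. `getValidateContext` begins in the previous hunk and `validate` continues past the end of this one.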