Posted to commits@santuario.apache.org by gi...@apache.org on 2012/09/13 20:46:14 UTC
svn commit: r1384467 [1/2] - in /santuario/xml-security-java/trunk/src:
main/java/org/apache/xml/security/stax/ext/
main/java/org/apache/xml/security/stax/impl/
main/java/org/apache/xml/security/stax/impl/processor/input/
main/java/org/apache/xml/secur...
Author: giger
Date: Thu Sep 13 18:46:13 2012
New Revision: 1384467
URL: http://svn.apache.org/viewvc?rev=1384467&view=rev
Log:
SANTUARIO-327 - secure validation
Added:
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/utils/TestUtils.java (with props)
Modified:
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/ext/XMLSecurityConstants.java
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/SecurityContextImpl.java
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/AbstractDecryptInputProcessor.java
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/AbstractSignatureReferenceVerifyInputProcessor.java
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/XMLEventReaderInputProcessor.java
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/securityToken/AbstractInboundSecurityToken.java
santuario/xml-security-java/trunk/src/main/resources/messages/errors.properties
santuario/xml-security-java/trunk/src/main/resources/security-config.xml
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/InputProcessorChainTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/OutputProcessorChainTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/XMLSecurityStreamReaderTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/XMLSecurityStreamWriterTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/encryption/DecryptionTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/AbstractSignatureVerificationTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/BaltimoreTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/IAIKTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/PhaosTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationReferenceURIResolverTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/transformer/TransformBase64DecodeTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/transformer/TransformCanonicalizerTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/transformer/TransformEnvelopedSignatureTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/transformer/TransformIdentityTest.java
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/ext/XMLSecurityConstants.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/ext/XMLSecurityConstants.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/ext/XMLSecurityConstants.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/ext/XMLSecurityConstants.java Thu Sep 13 18:46:13 2012
@@ -223,6 +223,7 @@ public class XMLSecurityConstants {
public static final String NS_XMLDSIG_SHA1 = NS_DSIG + "sha1";
public static final String NS_XMLDSIG_HMACSHA1 = NS_DSIG + "hmac-sha1";
public static final String NS_XMLDSIG_RSASHA1 = NS_DSIG + "rsa-sha1";
+ public static final String NS_XMLDSIG_MANIFEST = NS_DSIG + "Manifest";
public static final String NS_XENC_TRIPLE_DES = NS_XMLENC + "tripledes-cbc";
public static final String NS_XENC_AES128 = NS_XMLENC + "aes128-cbc";
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/SecurityContextImpl.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/SecurityContextImpl.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/SecurityContextImpl.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/SecurityContextImpl.java Thu Sep 13 18:46:13 2012
@@ -18,10 +18,13 @@
*/
package org.apache.xml.security.stax.impl;
+import org.apache.xml.security.stax.config.ConfigurationProperties;
import org.apache.xml.security.stax.ext.SecurityContext;
import org.apache.xml.security.stax.ext.SecurityTokenProvider;
import org.apache.xml.security.stax.ext.XMLSecurityException;
+import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
import java.util.*;
@@ -34,11 +37,11 @@ import java.util.*;
*/
public class SecurityContextImpl implements SecurityContext {
+ private static final Boolean allowMD5Algorithm = Boolean.valueOf(ConfigurationProperties.getProperty("AllowMD5Algorithm"));
private final Map<String, SecurityTokenProvider> securityTokenProviders = new HashMap<String, SecurityTokenProvider>();
@SuppressWarnings("unchecked")
private final Map content = Collections.synchronizedMap(new HashMap());
-
private final List<SecurityEventListener> securityEventListeners = new ArrayList<SecurityEventListener>(2);
public void addSecurityEventListener(SecurityEventListener securityEventListener) {
@@ -52,6 +55,16 @@ public class SecurityContextImpl impleme
}
protected void forwardSecurityEvent(SecurityEvent securityEvent) throws XMLSecurityException {
+ if (!allowMD5Algorithm && SecurityEventConstants.AlgorithmSuite.equals(securityEvent.getSecurityEventType())) {
+ AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = (AlgorithmSuiteSecurityEvent)securityEvent;
+ if (algorithmSuiteSecurityEvent.getAlgorithmURI().contains("md5") ||
+ algorithmSuiteSecurityEvent.getAlgorithmURI().contains("MD5")) {
+ throw new XMLSecurityException(
+ XMLSecurityException.ErrorCode.INVALID_SECURITY,
+ "secureProcessing.AllowMD5Algorithm"
+ );
+ }
+ }
for (int i = 0; i < securityEventListeners.size(); i++) {
SecurityEventListener securityEventListener = securityEventListeners.get(i);
securityEventListener.registerSecurityEvent(securityEvent);
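Review bot: The MD5 gate in forwardSecurityEvent is a two-variant substring test on the algorithm URI (`contains("md5") || contains("MD5")`) rather than a comparison against the known MD5 algorithm URIs, and it only fires for events that reach this method; any algorithm use that does not emit an AlgorithmSuiteSecurityEvent is not covered by it (inferred — the emitters are outside this hunk). Enforcing the policy where the URI is mapped to a JCE algorithm would be harder to miss; if the substring approach is kept, `algorithmSuiteSecurityEvent.getAlgorithmURI().toLowerCase(Locale.ROOT).contains("md5")` collapses the two calls, and `getAlgorithmURI()` needs a null guard if it can be unset for some event sources. The listener loop that follows runs past the end of the hunk.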
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/AbstractDecryptInputProcessor.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/AbstractDecryptInputProcessor.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/AbstractDecryptInputProcessor.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/AbstractDecryptInputProcessor.java Thu Sep 13 18:46:13 2012
@@ -28,6 +28,7 @@ import org.apache.xml.security.binding.x
import org.apache.xml.security.binding.xmlenc.EncryptedKeyType;
import org.apache.xml.security.binding.xmlenc.ReferenceList;
import org.apache.xml.security.binding.xmlenc.ReferenceType;
+import org.apache.xml.security.stax.config.ConfigurationProperties;
import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
import org.apache.xml.security.stax.config.TransformerAlgorithmMapper;
import org.apache.xml.security.stax.ext.*;
@@ -73,6 +74,9 @@ public abstract class AbstractDecryptInp
private static final transient Log logger = LogFactory.getLog(AbstractDecryptInputProcessor.class);
+ protected static final Integer maximumAllowedXMLStructureDepth =
+ Integer.valueOf(ConfigurationProperties.getProperty("MaximumAllowedXMLStructureDepth"));
+
private final KeyInfoType keyInfoType;
private final Map<String, ReferenceType> references;
private final List<ReferenceType> processedReferences;
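Review bot: `Integer.valueOf(ConfigurationProperties.getProperty("MaximumAllowedXMLStructureDepth"))` throws NumberFormatException when the property is absent or non-numeric, and because it sits in a static initializer the failure surfaces as an ExceptionInInitializerError the first time the class is touched, with the property name buried in the cause; the same pattern is repeated for the four fields added to AbstractSignatureReferenceVerifyInputProcessor and the one in XMLEventReaderInputProcessor. Reading the property into a local, checking it for null and wrapping the parse in an exception whose message names the property would make a mis-deployed security-config.xml diagnosable. The Boolean.valueOf fields do not have this problem since a missing value yields false, i.e. the restrictive setting. Note also that all of these limits are fixed at class-load time, so a later Init.init with a different configuration would not be reflected — worth a comment if that is intended.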
@@ -256,6 +260,7 @@ public abstract class AbstractDecryptInp
XMLSecurityUtils.getQNameType(referenceType.getAny(), XMLSecurityConstants.TAG_dsig_Transforms);
if (transformsType != null) {
List<TransformType> transformTypes = transformsType.getTransform();
+ //to do don't forget to limit the count of transformations if more transformations will be supported!
if (transformTypes.size() > 1) {
throw new XMLSecurityException(XMLSecurityException.ErrorCode.INVALID_SECURITY);
}
@@ -552,6 +557,7 @@ public abstract class AbstractDecryptInp
public abstract class AbstractDecryptedEventReaderInputProcessor
extends AbstractInputProcessor implements Thread.UncaughtExceptionHandler {
+ private int currentXMLStructureDepth = 0;
private XMLStreamReader xmlStreamReader;
private XMLSecStartElement parentXmlSecStartElement;
private boolean encryptedHeader = false;
@@ -573,6 +579,10 @@ public abstract class AbstractDecryptInp
this.securityToken = securityToken;
this.parentXmlSecStartElement = xmlSecStartElement;
this.encryptedDataType = encryptedDataType;
+ //xmlSecStartElement can be null when the root element is the EncryptedData element:
+ if (xmlSecStartElement != null) {
+ this.currentXMLStructureDepth = xmlSecStartElement.getDocumentLevel();
+ }
}
public void setXmlStreamReader(XMLStreamReader xmlStreamReader) {
@@ -601,14 +611,24 @@ public abstract class AbstractDecryptInp
//instead from the processor-chain as we normally would do
switch (xmlSecEvent.getEventType()) {
case XMLStreamConstants.START_ELEMENT:
- parentXmlSecStartElement = xmlSecEvent.asStartElement();
+ currentXMLStructureDepth++;
+ if (currentXMLStructureDepth > maximumAllowedXMLStructureDepth) {
+ throw new XMLSecurityException(
+ XMLSecurityException.ErrorCode.INVALID_SECURITY,
+ "secureProcessing.MaximumAllowedXMLStructureDepth",
+ maximumAllowedXMLStructureDepth
+ );
+ }
+ parentXmlSecStartElement = xmlSecEvent.asStartElement();
if (!rootElementProcessed) {
handleEncryptedElement(inputProcessorChain, parentXmlSecStartElement, this.securityToken, encryptedDataType);
rootElementProcessed = true;
}
break;
case XMLStreamConstants.END_ELEMENT:
+ currentXMLStructureDepth--;
+
if (parentXmlSecStartElement != null) {
parentXmlSecStartElement = parentXmlSecStartElement.getParentXMLSecStartElement();
}
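Review bot: The depth check after `currentXMLStructureDepth++` reads as if the counter measures nesting inside the decrypted fragment, but the constructor seeds it with the enclosing element's `getDocumentLevel()` (earlier hunk in this file), so the limit is on absolute document depth and decrypted content only gets the remaining budget. A comment at the increment would spare the next reader that inference: `// seeded from the parent element's document level in the constructor, so this bounds absolute document depth, not fragment depth`. The unconditional decrement under END_ELEMENT is fine as long as the wrapped reader guarantees balanced start/end events, which StAX does for well-formed input. The switch and the enclosing method continue outside the hunk.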
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/AbstractSignatureReferenceVerifyInputProcessor.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/AbstractSignatureReferenceVerifyInputProcessor.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/AbstractSignatureReferenceVerifyInputProcessor.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/AbstractSignatureReferenceVerifyInputProcessor.java Thu Sep 13 18:46:13 2012
@@ -26,6 +26,7 @@ import org.apache.xml.security.binding.e
import org.apache.xml.security.binding.xmldsig.ReferenceType;
import org.apache.xml.security.binding.xmldsig.SignatureType;
import org.apache.xml.security.binding.xmldsig.TransformType;
+import org.apache.xml.security.stax.config.ConfigurationProperties;
import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
import org.apache.xml.security.stax.config.ResourceResolverMapper;
import org.apache.xml.security.stax.ext.*;
@@ -56,6 +57,15 @@ public abstract class AbstractSignatureR
private static final transient Log logger = LogFactory.getLog(AbstractSignatureReferenceVerifyInputProcessor.class);
+ protected static final Integer maximumAllowedReferencesPerManifest =
+ Integer.valueOf(ConfigurationProperties.getProperty("MaximumAllowedReferencesPerManifest"));
+ protected static final Integer maximumAllowedTransformsPerReference =
+ Integer.valueOf(ConfigurationProperties.getProperty("MaximumAllowedTransformsPerReference"));
+ protected static final Boolean doNotThrowExceptionForManifests =
+ Boolean.valueOf(ConfigurationProperties.getProperty("DoNotThrowExceptionForManifests"));
+ protected static final Boolean allowNotSameDocumentReferences =
+ Boolean.valueOf(ConfigurationProperties.getProperty("AllowNotSameDocumentReferences"));
+
private final SignatureType signatureType;
private final SecurityToken securityToken;
private final Map<ResourceResolver, ReferenceType> sameDocumentReferences;
@@ -71,6 +81,13 @@ public abstract class AbstractSignatureR
this.securityToken = securityToken;
List<ReferenceType> referencesTypeList = signatureType.getSignedInfo().getReference();
+ if (referencesTypeList.size() > maximumAllowedReferencesPerManifest) {
+ throw new XMLSecurityException(
+ XMLSecurityException.ErrorCode.INVALID_SECURITY,
+ "secureProcessing.MaximumAllowedReferencesPerManifest",
+ referencesTypeList.size(),
+ maximumAllowedReferencesPerManifest);
+ }
sameDocumentReferences = new HashMap<ResourceResolver, ReferenceType>(referencesTypeList.size() + 1);
externalReferences = new HashMap<ResourceResolver, ReferenceType>(referencesTypeList.size() + 1);
processedReferences = new ArrayList<ReferenceType>(referencesTypeList.size());
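Review bot: The new size check counts the References of `signatureType.getSignedInfo()`, yet both the property and the message key are named ...PerManifest, and the text added to errors.properties says "{0} references are contained in the Manifest" — a user hitting the limit on an ordinary signature is told about a Manifest that does not exist. Either name the limit after what it bounds (for example MaximumAllowedReferencesPerSignedInfo, keeping security-config.xml in step) or at least reword the message to `{0} references are contained in the SignedInfo, maximum {1} are allowed.` The constructor continues beyond this hunk.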
@@ -78,6 +95,12 @@ public abstract class AbstractSignatureR
Iterator<ReferenceType> referenceTypeIterator = referencesTypeList.iterator();
while (referenceTypeIterator.hasNext()) {
ReferenceType referenceType = referenceTypeIterator.next();
+ if (!doNotThrowExceptionForManifests && XMLSecurityConstants.NS_XMLDSIG_MANIFEST.equals(referenceType.getType())) {
+ throw new XMLSecurityException(
+ XMLSecurityException.ErrorCode.INVALID_SECURITY,
+ "secureProcessing.DoNotThrowExceptionForManifests"
+ );
+ }
if (referenceType.getURI() == null) {
throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_CHECK);
}
@@ -91,6 +114,12 @@ public abstract class AbstractSignatureR
if (resourceResolver.isSameDocumentReference()) {
sameDocumentReferences.put(resourceResolver, referenceType);
} else {
+ if (!allowNotSameDocumentReferences) {
+ throw new XMLSecurityException(
+ XMLSecurityException.ErrorCode.INVALID_SECURITY,
+ "secureProcessing.AllowNotSameDocumentReferences"
+ );
+ }
externalReferences.put(resourceResolver, referenceType);
}
}
@@ -298,6 +327,14 @@ public abstract class AbstractSignatureR
transformTypeList.add(transformType);
}
+ if (transformTypeList.size() > maximumAllowedTransformsPerReference) {
+ throw new XMLSecurityException(
+ XMLSecurityException.ErrorCode.INVALID_SECURITY,
+ "secureProcessing.MaximumAllowedTransformsPerReference",
+ transformTypeList.size(),
+ maximumAllowedTransformsPerReference);
+ }
+
Transformer parentTransformer = null;
for (int i = transformTypeList.size() - 1; i >= 0; i--) {
TransformType transformType = transformTypeList.get(i);
@@ -359,7 +396,19 @@ public abstract class AbstractSignatureR
this.digestOutputStream = createMessageDigestOutputStream(referenceType, inputProcessorChain.getSecurityContext());
this.bufferedDigestOutputStream = new BufferedOutputStream(this.getDigestOutputStream());
this.transformer = buildTransformerChain(referenceType, bufferedDigestOutputStream, inputProcessorChain);
- } catch (Exception e) {
+ } catch (NoSuchMethodException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_CHECK, e);
+ } catch (IllegalAccessException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_CHECK, e);
+ } catch (NoSuchAlgorithmException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_CHECK, e);
+ } catch (InstantiationException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_CHECK, e);
+ } catch (XMLStreamException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_CHECK, e);
+ } catch (NoSuchProviderException e) {
+ throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_CHECK, e);
+ } catch (InvocationTargetException e) {
throw new XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_CHECK, e);
}
}
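Review bot: The seven catch clauses replacing `catch (Exception e)` all build the identical `XMLSecurityException(FAILED_CHECK, e)`, so the narrowing is right in intent but verbose; if the build targets Java 7 a single multi-catch `catch (NoSuchMethodException | IllegalAccessException | NoSuchAlgorithmException | InstantiationException | XMLStreamException | NoSuchProviderException | InvocationTargetException e)` says the same thing in one clause. Narrowing also means a RuntimeException from buildTransformerChain now escapes unwrapped instead of being reported as FAILED_CHECK — correct for programming errors, but a visible change for callers that deserves a line in the log message or a comment. The enclosing method begins outside this hunk.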
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/XMLEventReaderInputProcessor.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/XMLEventReaderInputProcessor.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/XMLEventReaderInputProcessor.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/XMLEventReaderInputProcessor.java Thu Sep 13 18:46:13 2012
@@ -18,6 +18,7 @@
*/
package org.apache.xml.security.stax.impl.processor.input;
+import org.apache.xml.security.stax.config.ConfigurationProperties;
import org.apache.xml.security.stax.ext.*;
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
import org.apache.xml.security.stax.ext.stax.XMLSecEventFactory;
@@ -37,6 +38,9 @@ import java.util.NoSuchElementException;
*/
public class XMLEventReaderInputProcessor extends AbstractInputProcessor {
+ private static final Integer maximumAllowedXMLStructureDepth =
+ Integer.valueOf(ConfigurationProperties.getProperty("MaximumAllowedXMLStructureDepth"));
+ private int currentXMLStructureDepth = 0;
private final XMLStreamReader xmlStreamReader;
private XMLSecStartElement parentXmlSecStartElement;
private boolean EOF = false;
@@ -63,9 +67,21 @@ public class XMLEventReaderInputProcesso
XMLSecEvent xmlSecEvent = XMLSecEventFactory.allocate(xmlStreamReader, parentXmlSecStartElement);
switch (xmlSecEvent.getEventType()) {
case XMLStreamConstants.START_ELEMENT:
+ currentXMLStructureDepth++;
+ if (currentXMLStructureDepth > maximumAllowedXMLStructureDepth) {
+ XMLSecurityException xmlSecurityException = new XMLSecurityException(
+ XMLSecurityException.ErrorCode.INVALID_SECURITY,
+ "secureProcessing.MaximumAllowedXMLStructureDepth",
+ maximumAllowedXMLStructureDepth
+ );
+ throw new XMLStreamException(xmlSecurityException);
+ }
+
parentXmlSecStartElement = (XMLSecStartElement) xmlSecEvent;
break;
case XMLStreamConstants.END_ELEMENT:
+ currentXMLStructureDepth--;
+
if (parentXmlSecStartElement != null) {
parentXmlSecStartElement = parentXmlSecStartElement.getParentXMLSecStartElement();
}
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/securityToken/AbstractInboundSecurityToken.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/securityToken/AbstractInboundSecurityToken.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/securityToken/AbstractInboundSecurityToken.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/securityToken/AbstractInboundSecurityToken.java Thu Sep 13 18:46:13 2012
@@ -44,7 +44,7 @@ import java.util.*;
public abstract class AbstractInboundSecurityToken implements SecurityToken {
//prevent recursive key references
- private boolean invocated = false;
+ private boolean invoked = false;
private SecurityContext securityContext;
private CallbackHandler callbackHandler;
@@ -68,14 +68,14 @@ public abstract class AbstractInboundSec
}
private void testAndSetInvocation() throws XMLSecurityException {
- if (invocated) {
+ if (invoked) {
throw new XMLSecurityException(XMLSecurityException.ErrorCode.INVALID_SECURITY_TOKEN);
}
- invocated = true;
+ invoked = true;
}
private void unsetInvocation() {
- invocated = false;
+ invoked = false;
}
public XMLSecurityConstants.KeyIdentifierType getKeyIdentifierType() {
Modified: santuario/xml-security-java/trunk/src/main/resources/messages/errors.properties
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/resources/messages/errors.properties?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/resources/messages/errors.properties (original)
+++ santuario/xml-security-java/trunk/src/main/resources/messages/errors.properties Thu Sep 13 18:46:13 2012
@@ -76,3 +76,9 @@ unsupportedSecurityToken = Unsupported S
resolver.noClass = Could not find a resolver for URI {0}
signatureVerificationKeyStoreNotSet = Signature verification KeyStore is not set
+secureProcessing.MaximumAllowedTransformsPerReference = {0} transforms are contained in the Reference, maximum {1} are allowed. You can raise the maximum via the \"MaximumAllowedTransformsPerReference\" property in the configuration.
+secureProcessing.MaximumAllowedReferencesPerManifest = {0} references are contained in the Manifest, maximum {1} are allowed. You can raise the maximum via the \"MaximumAllowedReferencesPerManifest\" property in the configuration.
+secureProcessing.DoNotThrowExceptionForManifests = Signature Manifests are not supported. You can disable throwing of an exception via the \"DoNotThrowExceptionForManifests\" property in the configuration.
+secureProcessing.AllowMD5Algorithm = The use of MD5 algorithm is strongly discouraged. Nonetheless can it be enabled via the \"AllowMD5Algorithm\" property in the configuration.
+secureProcessing.AllowNotSameDocumentReferences = External references found. Processing of external references is disabled by default. You can enable it via the \"AllowNotSameDocumentReferences\" property in the configuration.
+secureProcessing.MaximumAllowedXMLStructureDepth = Maximum depth ({0}) of the XML structure reached. You can raise the maximum via the \"MaximumAllowedXMLStructureDepth\" property in the configuration.
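Review bot: The AllowMD5Algorithm message reads awkwardly ("Nonetheless can it be enabled") and, unlike its siblings, does not say what was rejected; `secureProcessing.AllowMD5Algorithm = The MD5 algorithm was rejected because it is cryptographically weak. It can nonetheless be enabled via the \"AllowMD5Algorithm\" property in the configuration.` keeps the same key and placeholders. The other new messages follow a consistent "what happened / which property changes it" shape that this one should match.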
Modified: santuario/xml-security-java/trunk/src/main/resources/security-config.xml
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/resources/security-config.xml?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/resources/security-config.xml (original)
+++ santuario/xml-security-java/trunk/src/main/resources/security-config.xml Thu Sep 13 18:46:13 2012
@@ -4,8 +4,12 @@
<Properties>
<Property NAME="securityTokenFactory" VAL="org.apache.xml.security.stax.impl.securityToken.SecurityTokenFactoryImpl"/>
<Property NAME="CACertKeyStorePassword" VAL="changeit"/>
- <!--<Property NAME="CertProvider" VAL="BC"/>-->
- <!--<Property NAME="DefaultX509Alias" VAL="sigEnc"/>-->
+ <Property NAME="MaximumAllowedTransformsPerReference" VAL="5"/>
+ <Property NAME="MaximumAllowedReferencesPerManifest" VAL="30"/>
+ <Property NAME="DoNotThrowExceptionForManifests" VAL="false"/>
+ <Property NAME="AllowMD5Algorithm" VAL="false"/>
+ <Property NAME="AllowNotSameDocumentReferences" VAL="false"/>
+ <Property NAME="MaximumAllowedXMLStructureDepth" VAL="100"/>
</Properties>
<SecurityHeaderHandlers>
</SecurityHeaderHandlers>
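Review bot: The six new Property entries carry no description, and nothing in the file says that the three booleans default to the restrictive setting or that raising a maximum loosens a hardening control against hostile documents. A short comment above them, e.g. `<!-- secure-processing limits: booleans default to the restrictive value; raising a maximum or enabling an Allow*/DoNot* property weakens protection against crafted documents -->`, would make the intent clear to whoever edits a deployed copy.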
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/InputProcessorChainTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/InputProcessorChainTest.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/InputProcessorChainTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/InputProcessorChainTest.java Thu Sep 13 18:46:13 2012
@@ -18,7 +18,9 @@
*/
package org.apache.xml.security.test.stax;
+import org.apache.xml.security.stax.config.Init;
import org.junit.Assert;
+import org.junit.Before;
import org.junit.Test;
import org.apache.xml.security.stax.ext.InputProcessor;
@@ -39,6 +41,11 @@ import java.util.Set;
*/
public class InputProcessorChainTest extends org.junit.Assert {
+ @Before
+ public void setUp() throws Exception {
+ Init.init(this.getClass().getClassLoader().getResource("security-config.xml").toURI());
+ }
+
abstract class AbstractInputProcessor implements InputProcessor {
private XMLSecurityConstants.Phase phase = XMLSecurityConstants.Phase.PROCESSING;
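Review bot: The setUp added here is repeated verbatim in OutputProcessorChainTest, XMLSecurityStreamReaderTest and XMLSecurityStreamWriterTest; a shared base class or a helper in the test utils package (the commit adds TestUtils.java) would keep the lookup of security-config.xml in one place. `getResource("security-config.xml")` returns null when the resource is missing and the call then dies with a bare NullPointerException on `.toURI()`; assigning it to a local and `assertNotNull("security-config.xml not on test classpath", url)` first gives a readable failure. @Before also re-runs Init.init for every test method — if Init.init is idempotent, @BeforeClass would do.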
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/OutputProcessorChainTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/OutputProcessorChainTest.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/OutputProcessorChainTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/OutputProcessorChainTest.java Thu Sep 13 18:46:13 2012
@@ -18,7 +18,9 @@
*/
package org.apache.xml.security.test.stax;
+import org.apache.xml.security.stax.config.Init;
import org.junit.Assert;
+import org.junit.Before;
import org.junit.Test;
import org.apache.xml.security.stax.ext.*;
@@ -36,6 +38,11 @@ import java.util.Set;
*/
public class OutputProcessorChainTest extends org.junit.Assert {
+ @Before
+ public void setUp() throws Exception {
+ Init.init(this.getClass().getClassLoader().getResource("security-config.xml").toURI());
+ }
+
abstract class AbstractOutputProcessor implements OutputProcessor {
private XMLSecurityConstants.Phase phase = XMLSecurityConstants.Phase.PROCESSING;
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/XMLSecurityStreamReaderTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/XMLSecurityStreamReaderTest.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/XMLSecurityStreamReaderTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/XMLSecurityStreamReaderTest.java Thu Sep 13 18:46:13 2012
@@ -18,7 +18,9 @@
*/
package org.apache.xml.security.test.stax;
+import org.apache.xml.security.stax.config.Init;
import org.junit.Assert;
+import org.junit.Before;
import org.junit.Test;
import org.custommonkey.xmlunit.XMLAssert;
@@ -50,6 +52,11 @@ import java.util.Set;
*/
public class XMLSecurityStreamReaderTest extends org.junit.Assert {
+ @Before
+ public void setUp() throws Exception {
+ Init.init(this.getClass().getClassLoader().getResource("security-config.xml").toURI());
+ }
+
@Test
public void testPassThroughDocumentEvents() throws Exception {
XMLSecurityProperties securityProperties = new XMLSecurityProperties();
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/XMLSecurityStreamWriterTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/XMLSecurityStreamWriterTest.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/XMLSecurityStreamWriterTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/XMLSecurityStreamWriterTest.java Thu Sep 13 18:46:13 2012
@@ -18,7 +18,9 @@
*/
package org.apache.xml.security.test.stax;
+import org.apache.xml.security.stax.config.Init;
import org.junit.Assert;
+import org.junit.Before;
import org.junit.Test;
import org.custommonkey.xmlunit.XMLAssert;
@@ -43,6 +45,11 @@ import java.util.*;
*/
public class XMLSecurityStreamWriterTest extends org.junit.Assert {
+ @Before
+ public void setUp() throws Exception {
+ Init.init(this.getClass().getClassLoader().getResource("security-config.xml").toURI());
+ }
+
@Test
public void testIdentityTransformResult() throws Exception {
StringWriter securityStringWriter = new StringWriter();
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/encryption/DecryptionTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/encryption/DecryptionTest.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/encryption/DecryptionTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/encryption/DecryptionTest.java Thu Sep 13 18:46:13 2012
@@ -38,6 +38,7 @@ import javax.crypto.spec.SecretKeySpec;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
@@ -66,14 +67,10 @@ import org.apache.xml.security.test.dom.
import org.apache.xml.security.test.stax.signature.TestSecurityEventListener;
import org.apache.xml.security.test.stax.utils.StAX2DOM;
import org.apache.xml.security.test.stax.utils.XMLSecEventAllocator;
-// import org.apache.xml.security.utils.XMLUtils;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
-import org.w3c.dom.Attr;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.NodeList;
+import org.w3c.dom.*;
/**
* A set of test-cases for Decryption.
@@ -1122,5 +1119,56 @@ public class DecryptionTest extends org.
assertTrue(matchedKeywrapAlgorithm);
}
}
-
+
+ @Test
+ public void testMaximumAllowedXMLStructureDepth() throws Exception {
+ // Read in plaintext document
+ InputStream sourceDocument =
+ this.getClass().getClassLoader().getResourceAsStream(
+ "ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
+ DocumentBuilder builder = documentBuilderFactory.newDocumentBuilder();
+ Document document = builder.parse(sourceDocument);
+
+ for (int i = 0; i < 7; i++) {
+ NodeList nodeList = document.getElementsByTagNameNS("urn:example:po", "CreditCard");
+ Element creditCardElement = (Element)nodeList.item(nodeList.getLength() - 1);
+ creditCardElement.appendChild(document.getDocumentElement().cloneNode(true));
+ }
+
+ // Set up the Key
+ SecretKey secretKey = generateSecretKey();
+
+ // Encrypt using DOM
+ List<String> localNames = new ArrayList<String>();
+ localNames.add("PaymentInfo");
+ encryptUsingDOM(
+ "http://www.w3.org/2001/04/xmlenc#tripledes-cbc", secretKey, null, null, document,
+ localNames, false
+ );
+
+ // Convert Document to a Stream Reader
+ javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ transformer.transform(new DOMSource(document), new StreamResult(baos));
+ final XMLStreamReader xmlStreamReader =
+ xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray()));
+
+ // Decrypt
+ XMLSecurityProperties properties = new XMLSecurityProperties();
+ properties.setDecryptionKey(secretKey);
+ InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
+ TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
+ XMLStreamReader securityStreamReader =
+ inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
+
+ try {
+ document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ fail("Exception expected");
+ } catch (XMLStreamException e) {
+ assertTrue(e.getCause() instanceof XMLSecurityException);
+ assertEquals("An error was discovered processing the <wsse:Security> header " +
+ "(Maximum depth (100) of the XML structure reached. You can raise the maximum via the " +
+ "\"MaximumAllowedXMLStructureDepth\" property in the configuration.)", e.getCause().getMessage());
+ }
+ }
}
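Review bot: The assertion at the end of testMaximumAllowedXMLStructureDepth pins the full localized message, including the `<wsse:Security>` wording and the literal `100`, so any edit to errors.properties or to the configured default depth breaks this test even though the depth check itself is unchanged; if XMLSecurityException exposes a stable error key, assert on that and limit the message check to something like `e.getCause().getMessage().contains("Maximum depth")`. The `for (int i = 0; i < 7; i++)` loop also needs a why-comment, because 7 is only meaningful relative to the nesting depth of plaintext.xml and the configured limit, e.g. `// each round nests a full copy of the document under the deepest CreditCard; 7 rounds are enough to push the depth past the configured maximum (100)`. Minor: `sourceDocument` is never closed, and the value assigned to `document` from StAX2DOM.readDoc is never used since `fail` follows it.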
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/AbstractSignatureVerificationTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/AbstractSignatureVerificationTest.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/AbstractSignatureVerificationTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/AbstractSignatureVerificationTest.java Thu Sep 13 18:46:13 2012
@@ -35,6 +35,7 @@ import org.junit.Assert;
import org.junit.Before;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
@@ -227,16 +228,19 @@ public class AbstractSignatureVerificati
for (String localName : localNames) {
String expression = "//*[local-name()='" + localName + "']";
- Element elementToSign =
- (Element) xpath.evaluate(expression, document, XPathConstants.NODE);
- Assert.assertNotNull(elementToSign);
- String id = UUID.randomUUID().toString();
- elementToSign.setAttributeNS(null, "Id", id);
- elementToSign.setIdAttributeNS(null, "Id", true);
-
- Transforms transforms = new Transforms(document);
- transforms.addTransform(referenceC14NMethod);
- sig.addDocument("#" + id, transforms, digestMethod);
+ NodeList elementsToSign =
+ (NodeList) xpath.evaluate(expression, document, XPathConstants.NODESET);
+ for (int i = 0; i < elementsToSign.getLength(); i++) {
+ Element elementToSign = (Element)elementsToSign.item(i);
+ Assert.assertNotNull(elementToSign);
+ String id = UUID.randomUUID().toString();
+ elementToSign.setAttributeNS(null, "Id", id);
+ elementToSign.setIdAttributeNS(null, "Id", true);
+
+ Transforms transforms = new Transforms(document);
+ transforms.addTransform(referenceC14NMethod);
+ sig.addDocument("#" + id, transforms, digestMethod);
+ }
}
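Review bot: Switching from NODE to NODESET silently drops the original guard: `Assert.assertNotNull(elementToSign)` inside the new loop can no longer fail, because `item(i)` with `i < getLength()` is never null, so a localName that matches nothing now yields a signature with no reference for it instead of a test failure. Add `Assert.assertTrue("no element found for " + localName, elementsToSign.getLength() > 0);` before the `for` loop to keep the previous behaviour. The enclosing method starts and ends outside the hunk.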
if (additionalReferences != null) {
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/BaltimoreTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/BaltimoreTest.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/BaltimoreTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/BaltimoreTest.java Thu Sep 13 18:46:13 2012
@@ -63,6 +63,7 @@ import org.apache.xml.security.stax.secu
import org.apache.xml.security.stax.securityEvent.X509TokenSecurityEvent;
import org.apache.xml.security.test.stax.utils.HttpRequestRedirectorProxy;
import org.apache.xml.security.test.stax.utils.StAX2DOM;
+import org.apache.xml.security.test.stax.utils.TestUtils;
import org.apache.xml.security.test.stax.utils.XMLSecEventAllocator;
import org.apache.xml.security.utils.resolver.implementations.ResolverDirectHTTP;
import org.junit.Assert;
@@ -338,6 +339,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
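Review bot: `TestUtils.switchAllowNotSameDocumentReferences(true)` is called before the `try` whose `finally` resets it, so if loading or parsing the document between the two throws, the flag — presumably a static, process-wide switch — stays on for every test that runs afterwards in the same JVM, and since it appears to relax the reference-resolution restriction this commit introduces, later verification tests could then pass for the wrong reason. Make it the first statement inside the `try` instead, as IAIKTest does in this same commit, so the `finally` is guaranteed to pair with it. The same ordering appears in every other `(true)` hunk of this file and in the corresponding hunks of PhaosTest and SignatureVerificationReferenceURIResolverTest. The enclosing test methods start outside the hunk, so the `try` itself is not visible here.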
@@ -371,6 +374,7 @@ public class BaltimoreTest extends org.j
checkSignatureToken(securityEventListener, getPublicKey("DSA", 15),
XMLSecurityConstants.XMLKeyIdentifierType.KEY_VALUE);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -387,6 +391,9 @@ public class BaltimoreTest extends org.j
ResolverDirectHTTP resolverDirectHTTP = new ResolverDirectHTTP();
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -420,6 +427,7 @@ public class BaltimoreTest extends org.j
checkSignatureToken(securityEventListener, getPublicKey("DSA", 15),
XMLSecurityConstants.XMLKeyIdentifierType.KEY_VALUE);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -648,6 +656,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -681,6 +691,7 @@ public class BaltimoreTest extends org.j
checkSignatureToken(securityEventListener, getPublicKey("RSA", 23),
XMLSecurityConstants.XMLKeyIdentifierType.KEY_VALUE);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -698,6 +709,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -731,6 +744,7 @@ public class BaltimoreTest extends org.j
checkSignatureToken(securityEventListener, getPublicKey("RSA", 23),
XMLSecurityConstants.XMLKeyIdentifierType.KEY_VALUE);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -748,6 +762,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -786,6 +802,7 @@ public class BaltimoreTest extends org.j
checkSignatureToken(securityEventListener, cert.getPublicKey(),
XMLSecurityConstants.XMLKeyIdentifierType.KEY_NAME);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -803,6 +820,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -835,6 +854,7 @@ public class BaltimoreTest extends org.j
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -852,6 +872,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -875,6 +897,7 @@ public class BaltimoreTest extends org.j
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -892,6 +915,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -915,6 +940,7 @@ public class BaltimoreTest extends org.j
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -932,6 +958,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -970,6 +998,7 @@ public class BaltimoreTest extends org.j
checkSignatureToken(securityEventListener, cert.getPublicKey(),
XMLSecurityConstants.XMLKeyIdentifierType.X509_ISSUER_SERIAL);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -987,6 +1016,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -1019,6 +1050,7 @@ public class BaltimoreTest extends org.j
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -1036,6 +1068,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -1074,6 +1108,7 @@ public class BaltimoreTest extends org.j
checkSignatureToken(securityEventListener, cert.getPublicKey(),
XMLSecurityConstants.XMLKeyIdentifierType.X509_SUBJECT_NAME);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -1116,6 +1151,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -1154,6 +1191,7 @@ public class BaltimoreTest extends org.j
checkSignatureToken(securityEventListener, cert.getPublicKey(),
XMLSecurityConstants.XMLKeyIdentifierType.KEY_NAME);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -1171,6 +1209,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -1203,6 +1243,7 @@ public class BaltimoreTest extends org.j
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -1220,6 +1261,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -1243,6 +1286,7 @@ public class BaltimoreTest extends org.j
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -1260,6 +1304,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -1283,6 +1329,7 @@ public class BaltimoreTest extends org.j
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -1300,6 +1347,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -1338,6 +1387,7 @@ public class BaltimoreTest extends org.j
checkSignatureToken(securityEventListener, cert.getPublicKey(),
XMLSecurityConstants.XMLKeyIdentifierType.X509_ISSUER_SERIAL);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -1355,6 +1405,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -1387,6 +1439,7 @@ public class BaltimoreTest extends org.j
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -1404,6 +1457,8 @@ public class BaltimoreTest extends org.j
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -1442,6 +1497,7 @@ public class BaltimoreTest extends org.j
checkSignatureToken(securityEventListener, cert.getPublicKey(),
XMLSecurityConstants.XMLKeyIdentifierType.X509_SUBJECT_NAME);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/IAIKTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/IAIKTest.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/IAIKTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/IAIKTest.java Thu Sep 13 18:46:13 2012
@@ -58,6 +58,7 @@ import org.apache.xml.security.stax.secu
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.X509TokenSecurityEvent;
import org.apache.xml.security.test.stax.utils.StAX2DOM;
+import org.apache.xml.security.test.stax.utils.TestUtils;
import org.apache.xml.security.test.stax.utils.XMLSecEventAllocator;
import org.junit.Assert;
import org.junit.Before;
@@ -266,7 +267,12 @@ public class IAIKTest extends org.junit.
XMLStreamReader securityStreamReader =
inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
- StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ try {
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+ StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ } finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
+ }
// Check the SecurityEvents
checkSignatureToken(securityEventListener, getPublicKey("RSA"),
@@ -295,7 +301,12 @@ public class IAIKTest extends org.junit.
XMLStreamReader securityStreamReader =
inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
- StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ try {
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+ StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ } finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
+ }
// Check the SecurityEvents
checkSignatureToken(securityEventListener, getPublicKey("RSA"),
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/PhaosTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/PhaosTest.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/PhaosTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/PhaosTest.java Thu Sep 13 18:46:13 2012
@@ -26,6 +26,7 @@ import org.apache.xml.security.stax.ext.
import org.apache.xml.security.stax.impl.resourceResolvers.ResolverHttp;
import org.apache.xml.security.test.stax.utils.HttpRequestRedirectorProxy;
import org.apache.xml.security.test.stax.utils.StAX2DOM;
+import org.apache.xml.security.test.stax.utils.TestUtils;
import org.apache.xml.security.test.stax.utils.XMLSecEventAllocator;
import org.apache.xml.security.utils.resolver.implementations.ResolverDirectHTTP;
import org.junit.Assert;
@@ -88,6 +89,8 @@ public class PhaosTest extends org.junit
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -113,6 +116,7 @@ public class PhaosTest extends org.junit
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -187,6 +191,8 @@ public class PhaosTest extends org.junit
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -217,6 +223,7 @@ public class PhaosTest extends org.junit
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
@@ -285,7 +292,12 @@ public class PhaosTest extends org.junit
XMLStreamReader securityStreamReader =
inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
- StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ try {
+ TestUtils.switchDoNotThrowExceptionForManifests(true);
+ StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ } finally {
+ TestUtils.switchDoNotThrowExceptionForManifests(false);
+ }
}
// See SANTUARIO-319
@@ -301,6 +313,8 @@ public class PhaosTest extends org.junit
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress) proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress) proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -326,6 +340,7 @@ public class PhaosTest extends org.junit
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationReferenceURIResolverTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationReferenceURIResolverTest.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationReferenceURIResolverTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationReferenceURIResolverTest.java Thu Sep 13 18:46:13 2012
@@ -46,6 +46,7 @@ import org.apache.xml.security.stax.impl
import org.apache.xml.security.test.dom.DSNamespaceContext;
import org.apache.xml.security.test.stax.utils.HttpRequestRedirectorProxy;
import org.apache.xml.security.test.stax.utils.StAX2DOM;
+import org.apache.xml.security.test.stax.utils.TestUtils;
import org.apache.xml.security.utils.resolver.implementations.ResolverDirectHTTP;
import org.junit.Assert;
import org.junit.Test;
@@ -114,7 +115,12 @@ public class SignatureVerificationRefere
InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader);
- StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ try {
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+ StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ } finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
+ }
}
@Test
@@ -173,7 +179,12 @@ public class SignatureVerificationRefere
InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
XMLStreamReader securityStreamReader = inboundXMLSec.processInMessage(xmlStreamReader);
- StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ try {
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+ StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ } finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
+ }
}
@Test
@@ -188,6 +199,8 @@ public class SignatureVerificationRefere
resolverDirectHTTP.engineSetProperty("http.proxy.host", ((InetSocketAddress)proxy.address()).getAddress().getHostAddress());
resolverDirectHTTP.engineSetProperty("http.proxy.port", "" + ((InetSocketAddress)proxy.address()).getPort());
+ TestUtils.switchAllowNotSameDocumentReferences(true);
+
// Read in plaintext document
InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream(
@@ -245,6 +258,7 @@ public class SignatureVerificationRefere
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
} finally {
+ TestUtils.switchAllowNotSameDocumentReferences(false);
HttpRequestRedirectorProxy.stopHttpEngine();
}
}
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationTest.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationTest.java Thu Sep 13 18:46:13 2012
@@ -46,9 +46,9 @@ import org.apache.xml.security.keys.cont
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.stax.config.Init;
import org.apache.xml.security.stax.ext.*;
-import org.apache.xml.security.stax.impl.securityToken.KeyNameSecurityToken;
import org.apache.xml.security.stax.securityEvent.*;
import org.apache.xml.security.test.stax.utils.StAX2DOM;
+import org.apache.xml.security.test.stax.utils.TestUtils;
import org.apache.xml.security.test.stax.utils.XMLSecEventAllocator;
import org.junit.Assert;
import org.junit.Before;
@@ -152,7 +152,8 @@ public class SignatureVerificationTest e
Assert.assertEquals(4, signatureSecurityEvents.size());
Assert.assertEquals(3, signedElementSecurityEvents.size());
- Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
+ Assert.assertEquals(securityEventListener.getSecurityEvents().size(),
+ signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
@Test
@@ -311,7 +312,8 @@ public class SignatureVerificationTest e
Assert.assertEquals(4, signatureSecurityEvents.size());
Assert.assertEquals(3, signedElementSecurityEvents.size());
- Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
+ Assert.assertEquals(securityEventListener.getSecurityEvents().size(),
+ signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
@Test
@@ -447,7 +449,8 @@ public class SignatureVerificationTest e
Assert.assertEquals(4, signatureSecurityEvents.size());
Assert.assertEquals(3, signedElementSecurityEvents.size());
- Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
+ Assert.assertEquals(securityEventListener.getSecurityEvents().size(),
+ signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
@Test
@@ -526,7 +529,8 @@ public class SignatureVerificationTest e
Assert.assertEquals(4, signatureSecurityEvents.size());
Assert.assertEquals(3, signedElementSecurityEvents.size());
- Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
+ Assert.assertEquals(securityEventListener.getSecurityEvents().size(),
+ signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
@Test
@@ -605,7 +609,8 @@ public class SignatureVerificationTest e
Assert.assertEquals(4, signatureSecurityEvents.size());
Assert.assertEquals(3, signedElementSecurityEvents.size());
- Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
+ Assert.assertEquals(securityEventListener.getSecurityEvents().size(),
+ signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
@Test
@@ -684,7 +689,8 @@ public class SignatureVerificationTest e
Assert.assertEquals(4, signatureSecurityEvents.size());
Assert.assertEquals(3, signedElementSecurityEvents.size());
- Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
+ Assert.assertEquals(securityEventListener.getSecurityEvents().size(),
+ signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
@Test
@@ -765,7 +771,8 @@ public class SignatureVerificationTest e
Assert.assertEquals(4, signatureSecurityEvents.size());
Assert.assertEquals(3, signedElementSecurityEvents.size());
- Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
+ Assert.assertEquals(securityEventListener.getSecurityEvents().size(),
+ signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
@Test
@@ -844,7 +851,8 @@ public class SignatureVerificationTest e
Assert.assertEquals(4, signatureSecurityEvents.size());
Assert.assertEquals(3, signedElementSecurityEvents.size());
- Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
+ Assert.assertEquals(securityEventListener.getSecurityEvents().size(),
+ signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
@Test
@@ -923,7 +931,8 @@ public class SignatureVerificationTest e
Assert.assertEquals(4, signatureSecurityEvents.size());
Assert.assertEquals(3, signedElementSecurityEvents.size());
- Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
+ Assert.assertEquals(securityEventListener.getSecurityEvents().size(),
+ signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
@Test
@@ -999,7 +1008,8 @@ public class SignatureVerificationTest e
Assert.assertEquals(4, signatureSecurityEvents.size());
Assert.assertEquals(3, signedElementSecurityEvents.size());
- Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
+ Assert.assertEquals(securityEventListener.getSecurityEvents().size(),
+ signatureSecurityEvents.size() + signedElementSecurityEvents.size());
}
@Test
@@ -1069,6 +1079,284 @@ public class SignatureVerificationTest e
Assert.assertEquals(4, signatureSecurityEvents.size());
Assert.assertEquals(3, signedElementSecurityEvents.size());
- Assert.assertEquals(securityEventListener.getSecurityEvents().size(), signatureSecurityEvents.size() + signedElementSecurityEvents.size());
+ Assert.assertEquals(securityEventListener.getSecurityEvents().size(),
+ signatureSecurityEvents.size() + signedElementSecurityEvents.size());
+ }
+
+ @Test
+ public void testMaximumAllowedReferencesPerManifest() throws Exception {
+ // Read in plaintext document
+ InputStream sourceDocument =
+ this.getClass().getClassLoader().getResourceAsStream(
+ "ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
+ DocumentBuilder builder = documentBuilderFactory.newDocumentBuilder();
+ Document document = builder.parse(sourceDocument);
+
+ // Set up the Key
+ KeyStore keyStore = KeyStore.getInstance("jks");
+ keyStore.load(
+ this.getClass().getClassLoader().getResource("transmitter.jks").openStream(),
+ "default".toCharArray()
+ );
+ Key key = keyStore.getKey("transmitter", "default".toCharArray());
+ X509Certificate cert = (X509Certificate)keyStore.getCertificate("transmitter");
+
+ // Sign using DOM
+ List<String> localNames = new ArrayList<String>();
+ localNames.add("Item");
+ localNames.add("PaymentInfo");
+ localNames.add("ShippingAddress");
+ XMLSignature sig = signUsingDOM(
+ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", document, localNames, key
+ );
+
+ // Add KeyInfo
+ sig.addKeyInfo(cert);
+
+ // Convert Document to a Stream Reader
+ javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ transformer.transform(new DOMSource(document), new StreamResult(baos));
+ final XMLStreamReader xmlStreamReader =
+ xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray()));
+
+ // Verify signature
+ XMLSecurityProperties properties = new XMLSecurityProperties();
+ InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
+ TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
+ XMLStreamReader securityStreamReader =
+ inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
+
+ int oldval = 0;
+ try {
+ oldval = TestUtils.changeValueOfMaximumAllowedReferencesPerManifest(2);
+ document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ fail("Exception expected");
+ } catch (XMLStreamException e) {
+ assertTrue(e.getCause() instanceof XMLSecurityException);
+ assertEquals("An error was discovered processing the <wsse:Security> header (4 references are contained in " +
+ "the Manifest, maximum 2 are allowed. You can raise the maximum via the " +
+ "\"MaximumAllowedReferencesPerManifest\" property in the configuration.)", e.getCause().getMessage());
+ } finally {
+ TestUtils.changeValueOfMaximumAllowedReferencesPerManifest(oldval);
+ }
+ }
+
+ @Test
+ public void testMaximumAllowedTransformsPerReference() throws Exception {
+ // Read in plaintext document
+ InputStream sourceDocument =
+ this.getClass().getClassLoader().getResourceAsStream(
+ "ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
+ DocumentBuilder builder = documentBuilderFactory.newDocumentBuilder();
+ Document document = builder.parse(sourceDocument);
+
+ // Set up the Key
+ KeyStore keyStore = KeyStore.getInstance("jks");
+ keyStore.load(
+ this.getClass().getClassLoader().getResource("transmitter.jks").openStream(),
+ "default".toCharArray()
+ );
+ Key key = keyStore.getKey("transmitter", "default".toCharArray());
+ X509Certificate cert = (X509Certificate)keyStore.getCertificate("transmitter");
+
+ // Sign using DOM
+ List<String> localNames = new ArrayList<String>();
+ localNames.add("PaymentInfo");
+ XMLSignature sig = signUsingDOM(
+ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", document, localNames, key
+ );
+
+ // Add KeyInfo
+ sig.addKeyInfo(cert);
+
+ // Convert Document to a Stream Reader
+ javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ transformer.transform(new DOMSource(document), new StreamResult(baos));
+ final XMLStreamReader xmlStreamReader =
+ xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray()));
+
+ // Verify signature
+ XMLSecurityProperties properties = new XMLSecurityProperties();
+ InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
+ TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
+ XMLStreamReader securityStreamReader =
+ inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
+
+ int oldval = 0;
+ try {
+ oldval = TestUtils.changeValueOfMaximumAllowedTransformsPerReference(0);
+ document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ fail("Exception expected");
+ } catch (XMLStreamException e) {
+ assertTrue(e.getCause() instanceof XMLSecurityException);
+ assertEquals("An error was discovered processing the <wsse:Security> header " +
+ "(1 transforms are contained in the Reference, maximum 0 are allowed. You can raise the maximum " +
+ "via the \"MaximumAllowedTransformsPerReference\" property in the configuration.)",
+ e.getCause().getMessage());
+ } finally {
+ TestUtils.changeValueOfMaximumAllowedTransformsPerReference(oldval);
+ }
+ }
+
+ @Test
+ public void testDisallowMD5Algorithm() throws Exception {
+ // Read in plaintext document
+ InputStream sourceDocument =
+ this.getClass().getClassLoader().getResourceAsStream(
+ "ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
+ DocumentBuilder builder = documentBuilderFactory.newDocumentBuilder();
+ Document document = builder.parse(sourceDocument);
+
+ // Set up the Key
+ KeyStore keyStore = KeyStore.getInstance("jks");
+ keyStore.load(
+ this.getClass().getClassLoader().getResource("transmitter.jks").openStream(),
+ "default".toCharArray()
+ );
+ Key key = keyStore.getKey("transmitter", "default".toCharArray());
+ X509Certificate cert = (X509Certificate)keyStore.getCertificate("transmitter");
+
+ // Sign using DOM
+ List<String> localNames = new ArrayList<String>();
+ localNames.add("PaymentInfo");
+ XMLSignature sig = signUsingDOM(
+ "http://www.w3.org/2001/04/xmldsig-more#rsa-md5", document, localNames, key
+ );
+
+ // Add KeyInfo
+ sig.addKeyInfo(cert);
+
+ // Convert Document to a Stream Reader
+ javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ transformer.transform(new DOMSource(document), new StreamResult(baos));
+ final XMLStreamReader xmlStreamReader =
+ xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray()));
+
+ // Verify signature
+ XMLSecurityProperties properties = new XMLSecurityProperties();
+ InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
+ TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
+ XMLStreamReader securityStreamReader =
+ inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
+
+ try {
+ document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ fail("Exception expected");
+ } catch (XMLStreamException e) {
+ assertTrue(e.getCause() instanceof XMLSecurityException);
+ assertEquals("An error was discovered processing the <wsse:Security> header " +
+ "(The use of MD5 algorithm is strongly discouraged. Nonetheless can it be enabled via the " +
+ "\"AllowMD5Algorithm\" property in the configuration.)", e.getCause().getMessage());
+ }
+ }
+
+ @Test
+ public void testAllowMD5Algorithm() throws Exception {
+ // Read in plaintext document
+ InputStream sourceDocument =
+ this.getClass().getClassLoader().getResourceAsStream(
+ "ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
+ DocumentBuilder builder = documentBuilderFactory.newDocumentBuilder();
+ Document document = builder.parse(sourceDocument);
+
+ // Set up the Key
+ KeyStore keyStore = KeyStore.getInstance("jks");
+ keyStore.load(
+ this.getClass().getClassLoader().getResource("transmitter.jks").openStream(),
+ "default".toCharArray()
+ );
+ Key key = keyStore.getKey("transmitter", "default".toCharArray());
+ X509Certificate cert = (X509Certificate)keyStore.getCertificate("transmitter");
+
+ // Sign using DOM
+ List<String> localNames = new ArrayList<String>();
+ localNames.add("PaymentInfo");
+ XMLSignature sig = signUsingDOM(
+ "http://www.w3.org/2001/04/xmldsig-more#rsa-md5", document, localNames, key
+ );
+
+ // Add KeyInfo
+ sig.addKeyInfo(cert);
+
+ // Convert Document to a Stream Reader
+ javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ transformer.transform(new DOMSource(document), new StreamResult(baos));
+ final XMLStreamReader xmlStreamReader =
+ xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray()));
+
+ // Verify signature
+ XMLSecurityProperties properties = new XMLSecurityProperties();
+ InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
+ TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
+ XMLStreamReader securityStreamReader =
+ inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
+
+ try {
+ TestUtils.switchAllowMD5Algorithm(true);
+ document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ } finally {
+ TestUtils.switchAllowMD5Algorithm(false);
+ }
+ }
+
+ @Test
+ public void testMaximumAllowedXMLStructureDepth() throws Exception {
+ // Read in plaintext document
+ InputStream sourceDocument =
+ this.getClass().getClassLoader().getResourceAsStream(
+ "ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
+ DocumentBuilder builder = documentBuilderFactory.newDocumentBuilder();
+ Document document = builder.parse(sourceDocument);
+
+ // Set up the Key
+ KeyStore keyStore = KeyStore.getInstance("jks");
+ keyStore.load(
+ this.getClass().getClassLoader().getResource("transmitter.jks").openStream(),
+ "default".toCharArray()
+ );
+ Key key = keyStore.getKey("transmitter", "default".toCharArray());
+ X509Certificate cert = (X509Certificate)keyStore.getCertificate("transmitter");
+
+ // Sign using DOM
+ List<String> localNames = new ArrayList<String>();
+ localNames.add("PaymentInfo");
+ XMLSignature sig = signUsingDOM(
+ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", document, localNames, key
+ );
+
+ // Add KeyInfo
+ sig.addKeyInfo(cert);
+
+ // Convert Document to a Stream Reader
+ javax.xml.transform.Transformer transformer = transformerFactory.newTransformer();
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ transformer.transform(new DOMSource(document), new StreamResult(baos));
+ final XMLStreamReader xmlStreamReader =
+ xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray()));
+
+ // Verify signature
+ XMLSecurityProperties properties = new XMLSecurityProperties();
+ InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
+ TestSecurityEventListener securityEventListener = new TestSecurityEventListener();
+ XMLStreamReader securityStreamReader =
+ inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
+
+ int oldval = 0;
+ try {
+ oldval = TestUtils.changeValueOfMaximumAllowedXMLStructureDepth(5);
+ document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), securityStreamReader);
+ fail("Exception expected");
+ } catch (XMLStreamException e) {
+ assertTrue(e.getCause() instanceof XMLSecurityException);
+ assertEquals("An error was discovered processing the <wsse:Security> header " +
+ "(Maximum depth (5) of the XML structure reached. You can raise the maximum via the " +
+ "\"MaximumAllowedXMLStructureDepth\" property in the configuration.)", e.getCause().getMessage());
+ } finally {
+ TestUtils.changeValueOfMaximumAllowedXMLStructureDepth(oldval);
+ }
}
}
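Review bot: In testMaximumAllowedReferencesPerManifest (and likewise in testMaximumAllowedTransformsPerReference and testMaximumAllowedXMLStructureDepth) `oldval` is initialised to 0 and only assigned inside the try, so if the `changeValueOf…` helper itself throws, the finally block writes 0 back as the configured maximum and every later test in the same JVM inherits a limit that rejects all references; capture the previous value before entering the try, `int oldval = TestUtils.changeValueOfMaximumAllowedReferencesPerManifest(2);`, and keep only the `readDoc`/`fail` pair inside it. testAllowMD5Algorithm's finally hard-codes `TestUtils.switchAllowMD5Algorithm(false)` rather than restoring the prior setting as the sibling tests do, which couples it to the shipped default; if the helper returns the previous value like the `changeValueOf…` helpers appear to, restore that instead. That test also asserts nothing once `readDoc` returns, so an `assertNotNull(document)` or a check on `securityEventListener.getSecurityEvents()` would pin that the MD5-signed document was actually verified rather than passed through. The asserted message text `processing the <wsse:Security> header` comes from errors.properties elsewhere in this commit; for a core XML-Security failure with no WS-Security header that wording looks misleading, and these four assertions will need updating if it is corrected.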
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/transformer/TransformBase64DecodeTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/transformer/TransformBase64DecodeTest.java?rev=1384467&r1=1384466&r2=1384467&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/transformer/TransformBase64DecodeTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/transformer/TransformBase64DecodeTest.java Thu Sep 13 18:46:13 2012
@@ -20,6 +20,7 @@ package org.apache.xml.security.test.sta
import junit.framework.Assert;
import org.apache.commons.compress.utils.IOUtils;
+import org.apache.xml.security.stax.config.Init;
import org.apache.xml.security.stax.ext.Transformer;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.XMLSecurityException;
@@ -50,6 +51,7 @@ public class TransformBase64DecodeTest e
@Before
public void setUp() throws Exception {
+ Init.init(this.getClass().getClassLoader().getResource("security-config.xml").toURI());
this.xmlInputFactory = XMLInputFactory.newInstance();
this.xmlInputFactory.setEventAllocator(new XMLSecEventAllocator());
}
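Review bot: The added `Init.init(...)` call in setUp dereferences `getResource("security-config.xml")` without a null check, so a missing resource surfaces as a NullPointerException from `toURI()` instead of a failure naming the file; an `Assert.assertNotNull("security-config.xml not on classpath", url)` on the looked-up URL before the call makes the failure self-describing. Re-initialising the global configuration before every test method also seems to belong in a `@BeforeClass` unless Init.init is known to be cheap and idempotent, which is not visible from this hunk.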