Posted to commits@ws.apache.org by co...@apache.org on 2021/05/13 09:16:03 UTC
[ws-wss4j] branch 2_3_x-fixes updated: Catching some
NumberFormatExceptions
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 2_3_x-fixes
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git
The following commit(s) were added to refs/heads/2_3_x-fixes by this push:
new b98317d Catching some NumberFormatExceptions
b98317d is described below
commit b98317d892cb33167ec6162c8af91ea78722847d
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu May 13 10:03:01 2021 +0100
Catching some NumberFormatExceptions
---
.../wss4j/dom/message/token/DerivedKeyToken.java | 70 +++++++++++++++-------
.../wss4j/dom/message/token/UsernameToken.java | 51 +++++++++-------
2 files changed, 76 insertions(+), 45 deletions(-)
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/DerivedKeyToken.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/DerivedKeyToken.java
index 17e70d6..adb92f8 100755
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/DerivedKeyToken.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/DerivedKeyToken.java
@@ -67,6 +67,9 @@ public class DerivedKeyToken {
private Element elementLength;
private Element elementLabel;
private Element elementNonce;
+ private int length = 32;
+ private int offset = 0;
+ private int generation = -1;
private String ns;
@@ -149,6 +152,45 @@ public class DerivedKeyToken {
XMLUtils.getDirectChildElement(
element, ConversationConstants.NONCE_LN, ns
);
+
+ if (elementLength != null) {
+ Text text = getFirstNode(elementLength);
+ if (text != null) {
+ try {
+ length = Integer.parseInt(text.getData());
+ } catch (NumberFormatException ex) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, ex, "decoding.general"
+ );
+ }
+ }
+ }
+
+ if (elementOffset != null) {
+ Text text = getFirstNode(elementOffset);
+ if (text != null) {
+ try {
+ offset = Integer.parseInt(text.getData());
+ } catch (NumberFormatException ex) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, ex, "decoding.general"
+ );
+ }
+ }
+ }
+
+ if (elementGeneration != null) {
+ Text text = getFirstNode(elementGeneration);
+ if (text != null) {
+ try {
+ generation = Integer.parseInt(text.getData());
+ } catch (NumberFormatException ex) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, ex, "decoding.general"
+ );
+ }
+ }
+ }
}
/**
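Review bot: The three parses added after the NONCE lookup reject non-numeric text but accept any int, so an inbound token whose Length, Offset or Generation element carries a negative or absurdly large number still populates the new fields and is later reported by the getters unchallenged; the setters in the following hunks reject bad values with `offsetError`, and the inbound path should apply the same precondition (from what is visible presumably `offset >= 0` and `generation >= 0`, plus `length > 0`, to be confirmed against the setters' guards). The three blocks are also identical apart from the element and target field, which invites a private helper that parses one element and returns the caller's default when the element or its text is absent. The enclosing constructor begins before this hunk.
```java
// … unchanged: element lookups for Length/Offset/Generation/Nonce …
length = parseIntElement(elementLength, length);
offset = parseIntElement(elementOffset, offset);
generation = parseIntElement(elementGeneration, generation);

/**
 * Parses the text content of {@code e} as an int.
 * @return the parsed value, or {@code dflt} when {@code e} or its text node is absent
 * @throws WSSecurityException if the text is not a valid int
 */
private int parseIntElement(Element e, int dflt) throws WSSecurityException {
    if (e == null) {
        return dflt;
    }
    Text text = getFirstNode(e);
    if (text == null) {
        return dflt;
    }
    try {
        return Integer.parseInt(text.getData());
    } catch (NumberFormatException ex) {
        throw new WSSecurityException(
            WSSecurityException.ErrorCode.FAILURE, ex, "decoding.general"
        );
    }
}
```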
@@ -297,16 +339,11 @@ public class DerivedKeyToken {
element.getOwnerDocument().createTextNode(Long.toString(length))
);
element.appendChild(elementLength);
+ this.length = length;
}
public int getLength() {
- if (elementLength != null) {
- Text text = getFirstNode(elementLength);
- if (text != null) {
- return Integer.parseInt(text.getData());
- }
- }
- return 32;
+ return length;
}
/**
@@ -328,17 +365,11 @@ public class DerivedKeyToken {
} else {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "offsetError");
}
-
+ this.offset = offset;
}
public int getOffset() {
- if (elementOffset != null) {
- Text text = getFirstNode(elementOffset);
- if (text != null) {
- return Integer.parseInt(text.getData());
- }
- }
- return 0;
+ return offset;
}
/**
@@ -360,16 +391,11 @@ public class DerivedKeyToken {
} else {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "offsetError");
}
+ this.generation = generation;
}
public int getGeneration() {
- if (elementGeneration != null) {
- Text text = getFirstNode(elementGeneration);
- if (text != null) {
- return Integer.parseInt(text.getData());
- }
- }
- return -1;
+ return generation;
}
/**
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java
index 1ecd68b..5ce2ec1 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java
@@ -70,6 +70,7 @@ public class UsernameToken {
private Element elementCreated;
private Element elementSalt;
private Element elementIteration;
+ private int iteration = DEFAULT_ITERATION;
private String passwordType;
private boolean hashed = true;
private boolean passwordsAreEncoded;
@@ -131,36 +132,37 @@ public class UsernameToken {
new Object[] {"Username is missing"}
);
}
-
checkBSPCompliance(bspEnforcer);
-
hashed = false;
- if (elementSalt != null) {
+ if (elementSalt != null && (elementPassword != null || elementIteration == null)) {
//
// If the UsernameToken is to be used for key derivation, the (1.1)
// spec says that it cannot contain a password, and it must contain
// an Iteration element
//
- if (elementPassword != null || elementIteration == null) {
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
- "badUsernameToken",
- new Object[] {"Password is missing"}
- );
- }
- return;
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
+ "badUsernameToken",
+ new Object[] {"Password is missing"}
+ );
}
// Guard against a malicious user sending a bogus iteration value
if (elementIteration != null) {
String iter = XMLUtils.getElementText(elementIteration);
if (iter != null) {
- int iterInt = Integer.parseInt(iter);
- if (iterInt < 0 || iterInt > 10000) {
+ try {
+ iteration = Integer.parseInt(iter);
+ if (iteration < 0 || iteration > 10000) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
+ "badUsernameToken",
+ new Object[] {"Iteration is missing"}
+ );
+ }
+ } catch (NumberFormatException ex) {
throw new WSSecurityException(
- WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
- "badUsernameToken",
- new Object[] {"Iteration is missing"}
+ WSSecurityException.ErrorCode.FAILURE, ex, "decoding.general"
);
}
}
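Review bot: The range check that now runs inside the try block reports `"Iteration is missing"` for an iteration that is present but outside 0..10000, which misdescribes the failure to anyone reading the fault or the log; `new Object[] {"Iteration value out of range"}` would be accurate, and the limit 10000 deserves a named constant alongside `DEFAULT_ITERATION` (e.g. `MAX_ITERATION`) so the bound in the Javadoc of `getIteration()` and here cannot drift apart. The merged condition at the top of the hunk also silently drops the old early `return`, so a salted key-derivation token is now subject to this same iteration range check; a one-line comment stating that this is intended, such as `// Key-derivation tokens fall through to the iteration check below as well`, would save the next reader from reconstructing it from the diff. The enclosing constructor starts before this hunk.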
@@ -352,6 +354,7 @@ public class UsernameToken {
XMLUtils.setNamespace(element, WSConstants.WSSE11_NS, WSConstants.WSSE11_PREFIX);
elementIteration.appendChild(doc.createTextNode(text));
element.appendChild(elementIteration);
+ this.iteration = iteration;
}
/**
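Review bot: `this.iteration = iteration;` caches whatever the caller passed without the 0..10000 bound the constructor enforces on parsed tokens, so a token built locally with a negative or huge count serialises successfully and `getIteration()` reports a value the inbound parser would refuse. A guard at the top of the setter, `if (iteration < 0 || iteration > 10000) { throw new IllegalArgumentException("iteration out of range: " + iteration); }`, or at minimum a Javadoc note that no validation is applied on the outbound side, would keep the two paths consistent. The setter's signature and the derivation of `text` are outside the hunk.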
@@ -446,11 +449,7 @@ public class UsernameToken {
* is returned.
*/
public int getIteration() {
- String iter = XMLUtils.getElementText(elementIteration);
- if (iter != null) {
- return Integer.parseInt(iter);
- }
- return DEFAULT_ITERATION;
+ return iteration;
}
/**
@@ -596,8 +595,14 @@ public class UsernameToken {
bspEnforcer.handleBSPRule(BSPRule.R4218);
} else {
String iter = XMLUtils.getElementText(elementIteration);
- if (iter == null || Integer.parseInt(iter) < 1000) {
- bspEnforcer.handleBSPRule(BSPRule.R4218);
+ try {
+ if (iter == null || Integer.parseInt(iter) < 1000) {
+ bspEnforcer.handleBSPRule(BSPRule.R4218);
+ }
+ } catch (NumberFormatException ex) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, ex, "decoding.general"
+ );
}
}