Posted to commits@santuario.apache.org by co...@apache.org on 2017/06/08 09:48:32 UTC
svn commit: r1798037 - in
/santuario/xml-security-java/branches/2.0.x-fixes/src:
main/java/org/apache/xml/security/resource/
main/java/org/apache/xml/security/signature/
test/java/org/apache/xml/security/test/dom/signature/
Author: coheigea
Date: Thu Jun 8 09:48:32 2017
New Revision: 1798037
URL: http://svn.apache.org/viewvc?rev=1798037&view=rev
Log:
SANTUARIO-465 - SignedInfo Reference constructor does not check for case of zero child elements
Modified:
santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/resource/xmlsecurity_de.properties
santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties
santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/signature/Reference.java
santuario/xml-security-java/branches/2.0.x-fixes/src/test/java/org/apache/xml/security/test/dom/signature/SignatureReferenceTest.java
Modified: santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/resource/xmlsecurity_de.properties
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/resource/xmlsecurity_de.properties?rev=1798037&r1=1798036&r2=1798037&view=diff
==============================================================================
--- santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/resource/xmlsecurity_de.properties [iso-8859-1] (original)
+++ santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/resource/xmlsecurity_de.properties [iso-8859-1] Thu Jun 8 09:48:32 2017
@@ -112,6 +112,8 @@ signature.Canonicalizer.UnknownCanonical
signature.DSA.invalidFormat = Ung\u00fcltige ASN.1 Kodierung der DSA Signatur
signature.Generation.signBeforeGetValue = Es muss zuerst XMLSignature.sign(java.security.PrivateKey) aufgerufen werden
signature.Reference.ForbiddenResolver = Der "Resolver" {0} ist bei aktivierter "secure validation" nicht erlaubt
+signature.Reference.NoDigestMethod = A Signature Reference Element must contain a DigestMethod child
+signature.Reference.NoDigestValue = A Signature Reference Element must contain a DigestValue child
signature.signatureAlgorithm = Der Algorithmus {0} ist bei aktivierter "secure validation" nicht erlaubt
signature.signaturePropertyHasNoTarget = Das Target Attribut der SignatureProperty muss gesetzt sein
signature.tooManyReferences = Das Manifest enth\u00e4lt {0} Referenzen, bei aktivierter "secure validation" sind aber maximal {1} erlaubt
Modified: santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties?rev=1798037&r1=1798036&r2=1798037&view=diff
==============================================================================
--- santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties [iso-8859-1] (original)
+++ santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties [iso-8859-1] Thu Jun 8 09:48:32 2017
@@ -112,6 +112,8 @@ signature.Canonicalizer.UnknownCanonical
signature.DSA.invalidFormat = Invalid ASN.1 encoding of the DSA signature
signature.Generation.signBeforeGetValue = You have to XMLSignature.sign(java.security.PrivateKey) first
signature.Reference.ForbiddenResolver = It is forbidden to access resolver {0} when secure validation is enabled
+signature.Reference.NoDigestMethod = A Signature Reference Element must contain a DigestMethod child
+signature.Reference.NoDigestValue = A Signature Reference Element must contain a DigestValue child
signature.signatureAlgorithm = It is forbidden to use algorithm {0} when secure validation is enabled
signature.signaturePropertyHasNoTarget = The Target attribute of the SignatureProperty must be set
signature.tooManyReferences = {0} references are contained in the Manifest, maximum {1} are allowed with secure validation
Modified: santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/signature/Reference.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/signature/Reference.java?rev=1798037&r1=1798036&r2=1798037&view=diff
==============================================================================
--- santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/signature/Reference.java (original)
+++ santuario/xml-security-java/branches/2.0.x-fixes/src/main/java/org/apache/xml/security/signature/Reference.java Thu Jun 8 09:48:32 2017
@@ -234,7 +234,8 @@ public class Reference extends Signature
this.secureValidation = secureValidation;
this.baseURI = baseURI;
Element el = XMLUtils.getNextElement(element.getFirstChild());
- if (Constants._TAG_TRANSFORMS.equals(el.getLocalName())
+
+ if (el != null && Constants._TAG_TRANSFORMS.equals(el.getLocalName())
&& Constants.SignatureSpecNS.equals(el.getNamespaceURI())) {
transforms = new Transforms(el, this.baseURI);
transforms.setSecureValidation(secureValidation);
@@ -245,8 +246,16 @@ public class Reference extends Signature
}
el = XMLUtils.getNextElement(el.getNextSibling());
}
+
digestMethodElem = el;
+ if (digestMethodElem == null) {
+ throw new XMLSecurityException("signature.Reference.NoDigestMethod");
+ }
+
digestValueElement = XMLUtils.getNextElement(digestMethodElem.getNextSibling());
+ if (digestValueElement == null) {
+ throw new XMLSecurityException("signature.Reference.NoDigestValue");
+ }
this.manifest = manifest;
}
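Review bot: The two new null checks only prove that some element follows; `digestMethodElem = el` still accepts whatever element comes next, so a Reference whose first non-Transforms child is not a ds:DigestMethod passes the constructor, and the same holds for the DigestValue slot. Reference is built from the document being verified, so it would be safer to reject a structural mismatch here, e.g. `if (digestMethodElem == null || !Constants._TAG_DIGESTMETHOD.equals(digestMethodElem.getLocalName()) || !Constants.SignatureSpecNS.equals(digestMethodElem.getNamespaceURI()))`, with the matching test against `Constants._TAG_DIGESTVALUE` for the second child. Later code may validate the element names when the digest is read, but that is not visible in this hunk. The constructor begins outside the hunk.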
Modified: santuario/xml-security-java/branches/2.0.x-fixes/src/test/java/org/apache/xml/security/test/dom/signature/SignatureReferenceTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/branches/2.0.x-fixes/src/test/java/org/apache/xml/security/test/dom/signature/SignatureReferenceTest.java?rev=1798037&r1=1798036&r2=1798037&view=diff
==============================================================================
--- santuario/xml-security-java/branches/2.0.x-fixes/src/test/java/org/apache/xml/security/test/dom/signature/SignatureReferenceTest.java (original)
+++ santuario/xml-security-java/branches/2.0.x-fixes/src/test/java/org/apache/xml/security/test/dom/signature/SignatureReferenceTest.java Thu Jun 8 09:48:32 2017
@@ -25,11 +25,15 @@ import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Enumeration;
+import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.apache.xml.security.Init;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.signature.Manifest;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
@@ -87,6 +91,44 @@ public class SignatureReferenceTest exte
assertEquals(referenceElement, originalElement);
}
+ // See SANTUARIO-465
+ @org.junit.Test
+ public void testNoReferenceChildren() throws ParserConfigurationException, XMLSecurityException {
+ DocumentBuilder db = XMLUtils.createDocumentBuilder(true);
+ Document doc = db.newDocument();
+ Element referenceElement = doc.createElementNS(Constants.SignatureSpecNS, "Reference");
+ referenceElement.setAttributeNS(null, "URI", "#_12345");
+
+ // No DigestMethod child
+ try {
+ new WrappedReference(referenceElement, "_54321", null);
+ fail("Failure expected on no Reference DigestMethod child element");
+ } catch (XMLSecurityException ex) {
+ // ex.printStackTrace();
+ // expected
+ }
+
+ // No DigestValue child
+ try {
+ Element digestMethod = doc.createElementNS(Constants.SignatureSpecNS, "DigestMethod");
+ digestMethod.setAttributeNS(null, "Algorithm", DigestMethod.SHA1);
+ referenceElement.appendChild(digestMethod);
+
+ new WrappedReference(referenceElement, "_54321", null);
+ fail("Failure expected on no Reference DigestValue child element");
+ } catch (XMLSecurityException ex) {
+ // expected
+ }
+
+ Element digestValue = doc.createElementNS(Constants.SignatureSpecNS, "DigestValue");
+ digestValue.setTextContent("abcabc");
+ referenceElement.appendChild(digestValue);
+
+ new WrappedReference(referenceElement, "_54321", null);
+
+ XMLUtils.repoolDocumentBuilder(db);
+ }
+
/**
* Loads the 'localhost' keystore from the test keystore.
*
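Review bot: Both `catch (XMLSecurityException ex)` blocks accept any XMLSecurityException, so the test cannot tell the NoDigestMethod failure from the NoDigestValue one, or from an unrelated error raised earlier in the constructor. Assert the message key in each catch, e.g. `assertEquals("signature.Reference.NoDigestMethod", ex.getMsgID());` and the NoDigestValue key in the second. A Reference whose only child is ds:Transforms is not covered either, and that is the path where `el` becomes null after the Transforms branch. `XMLUtils.repoolDocumentBuilder(db)` is skipped whenever a `fail(...)` fires; moving it into a `finally` would always return the builder to the pool.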
@@ -153,4 +195,10 @@ public class SignatureReferenceTest exte
return sig;
}
+
+ private static class WrappedReference extends Reference {
+ public WrappedReference(Element element, String baseURI, Manifest manifest) throws XMLSecurityException {
+ super(element, baseURI, manifest);
+ }
+ }
}