You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by co...@apache.org on 2018/06/25 12:20:44 UTC
svn commit: r1834311 - in /santuario/xml-security-java/trunk/src:
main/java/org/apache/xml/security/signature/
test/java/org/apache/xml/security/test/dom/signature/
Author: coheigea
Date: Mon Jun 25 12:20:44 2018
New Revision: 1834311
URL: http://svn.apache.org/viewvc?rev=1834311&view=rev
Log:
SANTUARIO-489 - Unable to know why verification failed when signature contains a Manifest which has an invalid reference
Added:
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/signature/VerifiedReference.java
Modified:
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/signature/Manifest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/dom/signature/SignatureReferenceTest.java
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/signature/Manifest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/signature/Manifest.java?rev=1834311&r1=1834310&r2=1834311&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/signature/Manifest.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/signature/Manifest.java Mon Jun 25 12:20:44 2018
@@ -22,6 +22,7 @@ import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
@@ -71,7 +72,7 @@ public class Manifest extends SignatureE
private Element[] referencesEl;
/** Field verificationResults[] */
- private boolean[] verificationResults;
+ private List<VerifiedReference> verificationResults;
/** Field resolverProperties */
private Map<String, String> resolverProperties;
@@ -326,7 +327,7 @@ public class Manifest extends SignatureE
throw new XMLSecurityException("signature.tooManyReferences", exArgs);
}
- this.verificationResults = new boolean[referencesEl.length];
+ this.verificationResults = new ArrayList<>(referencesEl.length);
boolean verify = true;
for (int i = 0; i < this.referencesEl.length; i++) {
Reference currentRef =
@@ -338,13 +339,13 @@ public class Manifest extends SignatureE
try {
boolean currentRefVerified = currentRef.verify();
- this.setVerificationResult(i, currentRefVerified);
-
if (!currentRefVerified) {
verify = false;
}
LOG.debug("The Reference has Type {}", currentRef.getType());
+ List<VerifiedReference> manifestReferences = Collections.emptyList();
+
// was verification successful till now and do we want to verify the Manifest?
if (verify && followManifests && currentRef.typeIsReferenceToManifest()) {
LOG.debug("We have to follow a nested Manifest");
@@ -396,6 +397,8 @@ public class Manifest extends SignatureE
} else {
LOG.debug("The nested Manifest was valid (good)");
}
+
+ manifestReferences = referencedManifest.getVerificationResults();
} catch (IOException ex) {
throw new ReferenceNotInitializedException(ex);
} catch (ParserConfigurationException ex) {
@@ -404,6 +407,8 @@ public class Manifest extends SignatureE
throw new ReferenceNotInitializedException(ex);
}
}
+
+ verificationResults.add(new VerifiedReference(currentRefVerified, currentRef.getURI(), manifestReferences));
} catch (ReferenceNotInitializedException ex) {
Object exArgs[] = { currentRef.getURI() };
@@ -417,20 +422,6 @@ public class Manifest extends SignatureE
}
/**
- * Method setVerificationResult
- *
- * @param index
- * @param verify
- */
- private void setVerificationResult(int index, boolean verify) {
- if (this.verificationResults == null) {
- this.verificationResults = new boolean[this.getLength()];
- }
-
- this.verificationResults[index] = verify;
- }
-
- /**
* After verifying a {@link Manifest} or a {@link SignedInfo} using the
* {@link Manifest#verifyReferences()} or {@link SignedInfo#verify()} methods,
* the individual results can be retrieved with this method.
@@ -458,14 +449,24 @@ public class Manifest extends SignatureE
}
}
- return this.verificationResults[index];
+ return ((ArrayList<VerifiedReference>)verificationResults).get(index).isValid();
+ }
+
+ /**
+ * Get the list of verification result objects
+ */
+ public List<VerifiedReference> getVerificationResults() {
+ if (verificationResults == null) {
+ return Collections.emptyList();
+ }
+ return Collections.unmodifiableList(verificationResults);
}
/**
* Adds Resource Resolver for retrieving resources at specified <code>URI</code> attribute
* in <code>reference</code> element
*
- * @param resolver {@link ResourceResolver} can provide the implemenatin subclass of
+ * @param resolver {@link ResourceResolver} can provide the implementation subclass of
* {@link ResourceResolverSpi} for retrieving resource.
*/
public void addResourceResolver(ResourceResolver resolver) {
Added: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/signature/VerifiedReference.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/signature/VerifiedReference.java?rev=1834311&view=auto
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/signature/VerifiedReference.java (added)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/signature/VerifiedReference.java Mon Jun 25 12:20:44 2018
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.xml.security.signature;
+
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Holds the result of a Reference validation.
+ */
+public class VerifiedReference {
+
+ private final boolean valid;
+ private final String uri;
+ private final List<VerifiedReference> manifestReferences;
+
+ /**
+ * @param valid Whether this Reference was successfully validated or not
+ * @param uri The URI of this Reference
+ * @param manifestReferences If this reference is a reference to a Manifest, this holds the list
+ * of verified referenes associated with this Manifest
+ */
+ public VerifiedReference(boolean valid, String uri, List<VerifiedReference> manifestReferences) {
+ this.valid = valid;
+ this.uri = uri;
+ if (manifestReferences != null) {
+ this.manifestReferences = manifestReferences;
+ } else {
+ this.manifestReferences = Collections.emptyList();
+ }
+ }
+
+ public boolean isValid() {
+ return valid;
+ }
+
+ public String getUri() {
+ return uri;
+ }
+
+ public List<VerifiedReference> getManifestReferences() {
+ return Collections.unmodifiableList(manifestReferences);
+ }
+}
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/dom/signature/SignatureReferenceTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/dom/signature/SignatureReferenceTest.java?rev=1834311&r1=1834310&r2=1834311&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/dom/signature/SignatureReferenceTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/dom/signature/SignatureReferenceTest.java Mon Jun 25 12:20:44 2018
@@ -26,25 +26,36 @@ import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Enumeration;
+import java.util.List;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.apache.xml.security.Init;
import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.Manifest;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
+import org.apache.xml.security.signature.VerifiedReference;
import org.apache.xml.security.signature.XMLSignature;
+import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.signature.reference.ReferenceData;
import org.apache.xml.security.signature.reference.ReferenceNodeSetData;
+import org.apache.xml.security.test.dom.DSNamespaceContext;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.ElementProxy;
import org.apache.xml.security.utils.XMLUtils;
+import org.apache.xml.security.utils.resolver.ResourceResolverContext;
+import org.apache.xml.security.utils.resolver.ResourceResolverException;
+import org.apache.xml.security.utils.resolver.ResourceResolverSpi;
import org.apache.xml.security.utils.resolver.implementations.ResolverXPointer;
/**
@@ -131,6 +142,56 @@ public class SignatureReferenceTest {
XMLUtils.repoolDocumentBuilder(db);
}
+ @org.junit.Test
+ public void testManifestReferences() throws Throwable {
+
+ XPathFactory xpf = XPathFactory.newInstance();
+ XPath xPath = xpf.newXPath();
+ xPath.setNamespaceContext(new DSNamespaceContext());
+
+ InputStream sourceDocument =
+ this.getClass().getClassLoader().getResourceAsStream(
+ "at/iaik/ixsil/coreFeatures/signatures/manifestSignature.xml");
+ DocumentBuilder builder = XMLUtils.createDocumentBuilder(false, false);
+ Document document = builder.parse(sourceDocument);
+
+ String expression = "//dsig:Signature[1]";
+ Element sigElement =
+ (Element) xPath.evaluate(expression, document, XPathConstants.NODE);
+
+ XMLSignature signatureToVerify = new XMLSignature(sigElement, "");
+
+ KeyInfo ki = signatureToVerify.getKeyInfo();
+ PublicKey publicKey = ki.getPublicKey();
+
+ boolean signResult = signatureToVerify.checkSignatureValue(publicKey);
+ assertTrue(signResult);
+
+ List<VerifiedReference> verifiedReferences = signatureToVerify.getSignedInfo().getVerificationResults();
+ assertEquals(verifiedReferences.size(), 1);
+ assertEquals("#manifest", verifiedReferences.get(0).getUri());
+ assertTrue(verifiedReferences.get(0).isValid());
+ assertTrue(verifiedReferences.get(0).getManifestReferences().isEmpty());
+
+ signatureToVerify = new XMLSignature(sigElement, "");
+ signatureToVerify.addResourceResolver(new DummyResourceResolver());
+ signatureToVerify.setFollowNestedManifests(true);
+
+ signResult = signatureToVerify.checkSignatureValue(publicKey);
+ assertFalse(signResult);
+
+ verifiedReferences = signatureToVerify.getSignedInfo().getVerificationResults();
+ assertEquals(verifiedReferences.size(), 1);
+ assertEquals("#manifest", verifiedReferences.get(0).getUri());
+ assertTrue(verifiedReferences.get(0).isValid());
+
+ assertEquals(1, verifiedReferences.get(0).getManifestReferences().size());
+ assertEquals("../samples/sampleXMLData.xml", verifiedReferences.get(0).getManifestReferences().get(0).getUri());
+ assertFalse(verifiedReferences.get(0).getManifestReferences().get(0).isValid());
+
+ XMLUtils.repoolDocumentBuilder(builder);
+ }
+
/**
* Loads the 'localhost' keystore from the test keystore.
*
@@ -203,4 +264,23 @@ public class SignatureReferenceTest {
super(element, baseURI, manifest);
}
}
+
+ private static class DummyResourceResolver extends ResourceResolverSpi {
+
+ @Override
+ public XMLSignatureInput engineResolveURI(ResourceResolverContext context)
+ throws ResourceResolverException {
+ XMLSignatureInput result = new XMLSignatureInput("xyz");
+
+ result.setSourceURI(context.uriToResolve);
+
+ return result;
+ }
+
+ @Override
+ public boolean engineCanResolveURI(ResourceResolverContext context) {
+ return context.uriToResolve.endsWith("sampleXMLData.xml");
+ }
+
+ }
}