You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by co...@apache.org on 2021/08/11 07:57:58 UTC
[santuario-xml-security-java] 01/01: SANTUARIO-572 - Disallow a
KeyInfoReference to refer to a RetrievalMethod
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch SANTUARIO-572
in repository https://gitbox.apache.org/repos/asf/santuario-xml-security-java.git
commit b512bd927c6132c80a0df397edd8aee14e3baebc
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Aug 11 08:57:14 2021 +0100
SANTUARIO-572 - Disallow a KeyInfoReference to refer to a RetrievalMethod
---
.../exceptions/XMLSecurityRuntimeException.java | 177 ---------------------
.../implementations/KeyInfoReferenceResolver.java | 3 +-
.../xml/security/signature/XMLSignatureInput.java | 11 +-
.../TransformEnvelopedSignature.java | 8 +-
.../transforms/implementations/TransformXPath.java | 15 +-
.../keyresolver/KeyInfoReferenceResolverTest.java | 21 +++
.../KeyInfoReference-RSA-RetrievalMethod.xml | 22 +++
7 files changed, 62 insertions(+), 195 deletions(-)
diff --git a/src/main/java/org/apache/xml/security/exceptions/XMLSecurityRuntimeException.java b/src/main/java/org/apache/xml/security/exceptions/XMLSecurityRuntimeException.java
deleted file mode 100644
index b889f77..0000000
--- a/src/main/java/org/apache/xml/security/exceptions/XMLSecurityRuntimeException.java
+++ /dev/null
@@ -1,177 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.xml.security.exceptions;
-
-import java.text.MessageFormat;
-
-import org.apache.xml.security.utils.Constants;
-import org.apache.xml.security.utils.I18n;
-
-/**
- * The mother of all runtime Exceptions in this bundle. It allows exceptions to have
- * their messages translated to the different locales.
- *
- * The <code>xmlsecurity_en.properties</code> file contains this line:
- * <pre>
- * xml.WrongElement = Can't create a {0} from a {1} element
- * </pre>
- *
- * Usage in the Java source is:
- * <pre>
- * {
- * Object[] exArgs = { Constants._TAG_TRANSFORMS, "BadElement" };
- *
- * throw new XMLSecurityException("xml.WrongElement", exArgs);
- * }
- * </pre>
- *
- * Additionally, if another Exception has been caught, we can supply it, too
- * <pre>
- * try {
- * ...
- * } catch (Exception oldEx) {
- * Object[] exArgs = { Constants._TAG_TRANSFORMS, "BadElement" };
- *
- * throw new XMLSecurityException("xml.WrongElement", exArgs, oldEx);
- * }
- * </pre>
- *
- *
- */
-public class XMLSecurityRuntimeException extends RuntimeException {
-
- private static final long serialVersionUID = 1L;
-
- /** Field msgID */
- protected String msgID;
-
- /**
- * Constructor XMLSecurityRuntimeException
- *
- */
- public XMLSecurityRuntimeException() {
- super("Missing message string");
-
- this.msgID = null;
- }
-
- /**
- * Constructor XMLSecurityRuntimeException
- *
- * @param msgID
- */
- public XMLSecurityRuntimeException(String msgID) {
- super(I18n.getExceptionMessage(msgID));
-
- this.msgID = msgID;
- }
-
- /**
- * Constructor XMLSecurityRuntimeException
- *
- * @param msgID
- * @param exArgs
- */
- public XMLSecurityRuntimeException(String msgID, Object[] exArgs) {
- super(MessageFormat.format(I18n.getExceptionMessage(msgID), exArgs));
-
- this.msgID = msgID;
- }
-
- /**
- * Constructor XMLSecurityRuntimeException
- *
- * @param originalException
- */
- public XMLSecurityRuntimeException(Exception originalException) {
- super("Missing message ID to locate message string in resource bundle \""
- + Constants.exceptionMessagesResourceBundleBase
- + "\". Original Exception was a "
- + originalException.getClass().getName() + " and message "
- + originalException.getMessage(), originalException);
- }
-
- /**
- * Constructor XMLSecurityRuntimeException
- *
- * @param msgID
- * @param originalException
- */
- public XMLSecurityRuntimeException(String msgID, Exception originalException) {
- super(I18n.getExceptionMessage(msgID, originalException), originalException);
-
- this.msgID = msgID;
- }
-
- /**
- * Constructor XMLSecurityRuntimeException
- *
- * @param msgID
- * @param exArgs
- * @param originalException
- */
- public XMLSecurityRuntimeException(String msgID, Object[] exArgs, Exception originalException) {
- super(MessageFormat.format(I18n.getExceptionMessage(msgID), exArgs), originalException);
-
- this.msgID = msgID;
- }
-
- /**
- * Method getMsgID
- *
- * @return the messageId
- */
- public String getMsgID() {
- if (msgID == null) {
- return "Missing message ID";
- }
- return msgID;
- }
-
- /** {@inheritDoc} */
- public String toString() {
- String s = this.getClass().getName();
- String message = super.getLocalizedMessage();
-
- if (message != null) {
- message = s + ": " + message;
- } else {
- message = s;
- }
-
- if (this.getCause() != null) {
- message = message + "\nOriginal Exception was " + this.getCause().toString();
- }
-
- return message;
- }
-
- /**
- * Method getOriginalException
- *
- * @return the original exception
- */
- public Exception getOriginalException() {
- if (this.getCause() instanceof Exception) {
- return (Exception)this.getCause();
- }
- return null;
- }
-
-}
diff --git a/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java b/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
index 9d2a8df..9641632 100644
--- a/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
+++ b/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
@@ -158,6 +158,7 @@ public class KeyInfoReferenceResolver extends KeyResolverSpi {
validateReference(referentElement, secureValidation);
KeyInfo referent = new KeyInfo(referentElement, baseURI);
+ referent.setSecureValidation(secureValidation);
referent.addStorageResolver(storage);
return referent;
}
@@ -177,7 +178,7 @@ public class KeyInfoReferenceResolver extends KeyResolverSpi {
}
KeyInfo referent = new KeyInfo(referentElement, "");
- if (referent.containsKeyInfoReference()) {
+ if (referent.containsKeyInfoReference() || referent.containsRetrievalMethod()) {
if (secureValidation) {
throw new XMLSecurityException("KeyInfoReferenceResolver.InvalidReferentElement.ReferenceWithSecure");
} else {
diff --git a/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java b/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
index 491d3f7..9d6ad5c 100644
--- a/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
+++ b/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
@@ -32,7 +32,6 @@ import org.apache.xml.security.c14n.CanonicalizationException;
import org.apache.xml.security.c14n.implementations.Canonicalizer11_OmitComments;
import org.apache.xml.security.c14n.implementations.Canonicalizer20010315OmitComments;
import org.apache.xml.security.c14n.implementations.CanonicalizerBase;
-import org.apache.xml.security.exceptions.XMLSecurityRuntimeException;
import org.apache.xml.security.parser.XMLParserException;
import org.apache.xml.security.utils.JavaUtils;
import org.apache.xml.security.utils.XMLUtils;
@@ -535,15 +534,9 @@ public class XMLSignatureInput {
/**
* @param filter
*/
- public void addNodeFilter(NodeFilter filter) {
+ public void addNodeFilter(NodeFilter filter) throws XMLParserException, IOException {
if (isOctetStream()) {
- try {
- convertToNodes();
- } catch (Exception e) {
- throw new XMLSecurityRuntimeException(
- "signature.XMLSignatureInput.nodesetReference", e
- );
- }
+ convertToNodes();
}
nodeFilters.add(filter);
}
diff --git a/src/main/java/org/apache/xml/security/transforms/implementations/TransformEnvelopedSignature.java b/src/main/java/org/apache/xml/security/transforms/implementations/TransformEnvelopedSignature.java
index c8987c9..5dab049 100644
--- a/src/main/java/org/apache/xml/security/transforms/implementations/TransformEnvelopedSignature.java
+++ b/src/main/java/org/apache/xml/security/transforms/implementations/TransformEnvelopedSignature.java
@@ -18,8 +18,10 @@
*/
package org.apache.xml.security.transforms.implementations;
+import java.io.IOException;
import java.io.OutputStream;
+import org.apache.xml.security.parser.XMLParserException;
import org.apache.xml.security.signature.NodeFilter;
import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.transforms.TransformSpi;
@@ -67,7 +69,11 @@ public class TransformEnvelopedSignature extends TransformSpi {
Node signatureElement = searchSignatureElement(transformElement);
input.setExcludeNode(signatureElement);
- input.addNodeFilter(new EnvelopedNodeFilter(signatureElement));
+ try {
+ input.addNodeFilter(new EnvelopedNodeFilter(signatureElement));
+ } catch (XMLParserException | IOException ex) {
+ throw new TransformationException(ex);
+ }
return input;
}
diff --git a/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java b/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java
index e1a10b6..c70a4a5 100644
--- a/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java
+++ b/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java
@@ -18,11 +18,12 @@
*/
package org.apache.xml.security.transforms.implementations;
+import java.io.IOException;
import java.io.OutputStream;
import javax.xml.transform.TransformerException;
-import org.apache.xml.security.exceptions.XMLSecurityRuntimeException;
+import org.apache.xml.security.parser.XMLParserException;
import org.apache.xml.security.signature.NodeFilter;
import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.transforms.TransformSpi;
@@ -47,6 +48,9 @@ import org.w3c.dom.Node;
*/
public class TransformXPath extends TransformSpi {
+ private static final org.slf4j.Logger LOG =
+ org.slf4j.LoggerFactory.getLogger(TransformXPath.class);
+
/**
* {@inheritDoc}
*/
@@ -98,7 +102,7 @@ public class TransformXPath extends TransformSpi {
input.addNodeFilter(new XPathNodeFilter(xpathElement, xpathnode, str, xpathAPIInstance));
input.setNodeSet(true);
return input;
- } catch (DOMException ex) {
+ } catch (XMLParserException | IOException | DOMException ex) {
throw new TransformationException(ex);
}
}
@@ -140,11 +144,8 @@ public class TransformXPath extends TransformSpi {
}
return 0;
} catch (TransformerException e) {
- Object[] eArgs = {currentNode};
- throw new XMLSecurityRuntimeException("signature.Transform.node", eArgs, e);
- } catch (Exception e) {
- Object[] eArgs = {currentNode, currentNode.getNodeType()};
- throw new XMLSecurityRuntimeException("signature.Transform.nodeAndType",eArgs, e);
+ LOG.debug("Error evaluating XPath expression", e);
+ return 0;
}
}
diff --git a/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java b/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java
index d4f5608..2f81cfd 100644
--- a/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java
+++ b/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java
@@ -125,6 +125,19 @@ public class KeyInfoReferenceResolverTest {
assertNull(keyInfo.getPublicKey());
}
+ @org.junit.jupiter.api.Test
+ public void testKeyInfoReferenceToRetrievalMethodNotAllowed() throws Exception {
+ Document doc = loadXML("KeyInfoReference-RSA-RetrievalMethod.xml");
+ markKeyInfoIdAttrs(doc);
+ markEncodedKeyValueIdAttrs(doc);
+
+ Element referenceElement = doc.getElementById("theReference");
+ assertNotNull(referenceElement);
+
+ KeyInfo keyInfo = new KeyInfo(referenceElement, "");
+ assertNull(keyInfo.getPublicKey());
+ }
+
// Utility methods
private String getControlFilePath(String fileName) {
@@ -160,4 +173,12 @@ public class KeyInfoReferenceResolverTest {
}
}
+ private void markEncodedKeyValueIdAttrs(Document doc) {
+ NodeList nl = doc.getElementsByTagNameNS(Constants.SignatureSpec11NS, Constants._TAG_DERENCODEDKEYVALUE);
+ for (int i = 0; i < nl.getLength(); i++) {
+ Element keyInfoElement = (Element) nl.item(i);
+ keyInfoElement.setIdAttributeNS(null, Constants._ATT_ID, true);
+ }
+ }
+
}
\ No newline at end of file
diff --git a/src/test/resources/org/apache/xml/security/keyresolver/KeyInfoReference-RSA-RetrievalMethod.xml b/src/test/resources/org/apache/xml/security/keyresolver/KeyInfoReference-RSA-RetrievalMethod.xml
new file mode 100644
index 0000000..f34e3d5
--- /dev/null
+++ b/src/test/resources/org/apache/xml/security/keyresolver/KeyInfoReference-RSA-RetrievalMethod.xml
@@ -0,0 +1,22 @@
+<test:root xmlns:test="http://www.example.org/test">
+
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="theRealKey">
+ <dsig11:DEREncodedKeyValue Id="theRealKey2" xmlns:dsig11="http://www.w3.org/2009/xmldsig11#">
+ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmDnHagSzfia3N7jOaMSp4VIZjK2lxZgN
+ X/2z98YLp1XE3cvpP+mOvX3gENWQuX3uoix+2qroZ0BFHzhzf4E7is5Q9+42ZFi5naFk3c/B0Q8A
+ jtHtWUEZ8VPPBZggz6uJ1ttJS7YDP6XVjaw6SN1bJSD4/lWNIVsh95kuhunbOef6x/kyIbBz9wF4
+ S0//G6zPD4GG7/jJ+sDXe+bAgPB1qwhLhrK3N1jGuDZkGGcY/c4b7aba0B0rognwKlygv16GoA/n
+ zWehxih7clhmMTzP2VWa3Q2GcN8ETe00dz68KtS7GF6W15qftjUvRXEKSoPz86ZsP30jIH1tvIrs
+ qSh/kwIDAQAB
+ </dsig11:DEREncodedKeyValue>
+ </ds:KeyInfo>
+
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="retrievalMethod">
+ <ds:RetrievalMethod URI="#theRealKey2"/>
+ </ds:KeyInfo>
+
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="theReference">
+ <dsig11:KeyInfoReference xmlns:dsig11="http://www.w3.org/2009/xmldsig11#" URI="#retrievalMethod" />
+ </ds:KeyInfo>
+
+</test:root>