You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by co...@apache.org on 2020/10/19 06:48:09 UTC
[santuario-xml-security-java] branch master updated (a4eb455 ->
2ea6154)
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/santuario-xml-security-java.git.
from a4eb455 Call custom query suite directly from workflow
new 2c706ae Removing custom codeql config
new 2ea6154 Catching a few NumberFormatExceptions
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.github/codeql/codeql-santuario-config.yml | 13 -------------
.../xml/dsig/internal/dom/DOMHMACSignatureMethod.java | 6 +++++-
.../dsig/internal/dom/DOMRSAPSSSignatureMethod.java | 17 ++++++++++++++---
.../algorithms/implementations/SignatureBaseRSA.java | 18 ++++++++++++++++--
.../org/apache/xml/security/utils/RFC2253Parser.java | 8 ++++++--
5 files changed, 41 insertions(+), 21 deletions(-)
delete mode 100644 .github/codeql/codeql-santuario-config.yml
[santuario-xml-security-java] 02/02: Catching a few
NumberFormatExceptions
Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/santuario-xml-security-java.git
commit 2ea6154b6bcb84af0d0074a05bd177e09124aaae
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Mon Oct 19 07:47:52 2020 +0100
Catching a few NumberFormatExceptions
---
.../xml/dsig/internal/dom/DOMHMACSignatureMethod.java | 6 +++++-
.../dsig/internal/dom/DOMRSAPSSSignatureMethod.java | 17 ++++++++++++++---
.../algorithms/implementations/SignatureBaseRSA.java | 18 ++++++++++++++++--
.../org/apache/xml/security/utils/RFC2253Parser.java | 8 ++++++--
4 files changed, 41 insertions(+), 8 deletions(-)
diff --git a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMHMACSignatureMethod.java b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMHMACSignatureMethod.java
index 33ee578..601e35b 100644
--- a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMHMACSignatureMethod.java
+++ b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMHMACSignatureMethod.java
@@ -121,7 +121,11 @@ public abstract class DOMHMACSignatureMethod extends AbstractDOMSignatureMethod
SignatureMethodParameterSpec unmarshalParams(Element paramsElem)
throws MarshalException
{
- outputLength = Integer.parseInt(paramsElem.getFirstChild().getNodeValue());
+ try {
+ outputLength = Integer.parseInt(paramsElem.getFirstChild().getNodeValue());
+ } catch (NumberFormatException ex) {
+ throw new MarshalException("Invalid output length supplied: " + paramsElem.getFirstChild().getNodeValue());
+ }
outputLengthSet = true;
LOG.debug("unmarshalled outputLength: {}", outputLength);
return new HMACParameterSpec(outputLength);
diff --git a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRSAPSSSignatureMethod.java b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRSAPSSSignatureMethod.java
index ba98427..6d464a1 100644
--- a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRSAPSSSignatureMethod.java
+++ b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRSAPSSSignatureMethod.java
@@ -172,7 +172,14 @@ public abstract class DOMRSAPSSSignatureMethod extends AbstractDOMSignatureMetho
if (paramsElem != null) {
Element saltLengthNode = XMLUtils.selectNode(paramsElem.getFirstChild(), Constants.XML_DSIG_NS_MORE_07_05, Constants._TAG_SALTLENGTH, 0);
Element trailerFieldNode = XMLUtils.selectNode(paramsElem.getFirstChild(), Constants.XML_DSIG_NS_MORE_07_05, Constants._TAG_TRAILERFIELD, 0);
- int trailerField = trailerFieldNode == null ? 1: Integer.parseInt(trailerFieldNode.getTextContent());
+ int trailerField = 1;
+ if (trailerFieldNode != null) {
+ try {
+ trailerField = Integer.parseInt(trailerFieldNode.getTextContent());
+ } catch (NumberFormatException ex) {
+ throw new MarshalException("Invalid trailer field supplied: " + trailerFieldNode.getTextContent());
+ }
+ }
String xmlAlgorithm = XMLUtils.selectDsNode(paramsElem.getFirstChild(), Constants._TAG_DIGESTMETHOD, 0).getAttribute(Constants._ATT_ALGORITHM);
DigestAlgorithm digestAlgorithm;
try {
@@ -181,11 +188,15 @@ public abstract class DOMRSAPSSSignatureMethod extends AbstractDOMSignatureMetho
throw new MarshalException("Invalid digest algorithm supplied: " + xmlAlgorithm);
}
String digestName = digestAlgorithm.getDigestAlgorithm();
- int saltLength = saltLengthNode == null ? digestAlgorithm.getSaltLength() : Integer.parseInt(saltLengthNode.getTextContent());
RSAPSSParameterSpec params = new RSAPSSParameterSpec();
params.setTrailerField(trailerField);
- params.setSaltLength(saltLength);
+ try {
+ int saltLength = saltLengthNode == null ? digestAlgorithm.getSaltLength() : Integer.parseInt(saltLengthNode.getTextContent());
+ params.setSaltLength(saltLength);
+ } catch (NumberFormatException ex) {
+ throw new MarshalException("Invalid salt length supplied: " + saltLengthNode.getTextContent());
+ }
params.setDigestName(digestName);
return params;
}
diff --git a/src/main/java/org/apache/xml/security/algorithms/implementations/SignatureBaseRSA.java b/src/main/java/org/apache/xml/security/algorithms/implementations/SignatureBaseRSA.java
index 72d6e3c..964d9c5 100644
--- a/src/main/java/org/apache/xml/security/algorithms/implementations/SignatureBaseRSA.java
+++ b/src/main/java/org/apache/xml/security/algorithms/implementations/SignatureBaseRSA.java
@@ -686,11 +686,25 @@ public abstract class SignatureBaseRSA extends SignatureAlgorithmSpi {
Element saltLengthNode = XMLUtils.selectNode(rsaPssParams.getFirstChild(), Constants.XML_DSIG_NS_MORE_07_05, Constants._TAG_SALTLENGTH, 0);
Element trailerFieldNode = XMLUtils.selectNode(rsaPssParams.getFirstChild(), Constants.XML_DSIG_NS_MORE_07_05, Constants._TAG_TRAILERFIELD, 0);
- int trailerField = trailerFieldNode == null ? 1: Integer.parseInt(trailerFieldNode.getTextContent());
+ int trailerField = 1;
+ if (trailerFieldNode != null) {
+ try {
+ trailerField = Integer.parseInt(trailerFieldNode.getTextContent());
+ } catch (NumberFormatException ex) {
+ throw new XMLSignatureException("empty", new Object[] {"Invalid trailer field value supplied"});
+ }
+ }
String xmlAlgorithm = XMLUtils.selectDsNode(rsaPssParams.getFirstChild(), Constants._TAG_DIGESTMETHOD, 0).getAttribute(Constants._ATT_ALGORITHM);
DigestAlgorithm digestAlgorithm = DigestAlgorithm.fromXmlDigestAlgorithm(xmlAlgorithm);
String digestAlgorithmName = digestAlgorithm.getDigestAlgorithm();
- int saltLength = saltLengthNode == null ? digestAlgorithm.getSaltLength() : Integer.parseInt(saltLengthNode.getTextContent());
+ int saltLength = digestAlgorithm.getSaltLength();
+ if (saltLengthNode != null) {
+ try {
+ saltLength = Integer.parseInt(saltLengthNode.getTextContent());
+ } catch (NumberFormatException ex) {
+ throw new XMLSignatureException("empty", new Object[] {"Invalid salt length value supplied"});
+ }
+ }
engineSetParameter(new PSSParameterSpec(digestAlgorithmName, "MGF1", new MGF1ParameterSpec(digestAlgorithmName), saltLength, trailerField));
}
}
diff --git a/src/main/java/org/apache/xml/security/utils/RFC2253Parser.java b/src/main/java/org/apache/xml/security/utils/RFC2253Parser.java
index 83e9692..918183e 100644
--- a/src/main/java/org/apache/xml/security/utils/RFC2253Parser.java
+++ b/src/main/java/org/apache/xml/security/utils/RFC2253Parser.java
@@ -277,9 +277,13 @@ public class RFC2253Parser {
&& (c2 >= 48 && c2 <= 57
|| c2 >= 65 && c2 <= 70
|| c2 >= 97 && c2 <= 102)) {
- char ch = (char) Byte.parseByte("" + c1 + c2, 16);
+ try {
+ char ch = (char) Byte.parseByte("" + c1 + c2, 16);
- sb.append(ch);
+ sb.append(ch);
+ } catch (NumberFormatException ex) {
+ throw new IOException(ex);
+ }
} else {
sb.append(c1);
sb.append(c2);
[santuario-xml-security-java] 01/02: Removing custom codeql config
Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/santuario-xml-security-java.git
commit 2c706aeba6ae9435b1c8a8e7e77464356afab817
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Mon Oct 19 06:50:05 2020 +0100
Removing custom codeql config
---
.github/codeql/codeql-santuario-config.yml | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/.github/codeql/codeql-santuario-config.yml b/.github/codeql/codeql-santuario-config.yml
deleted file mode 100644
index 65c52c9..0000000
--- a/.github/codeql/codeql-santuario-config.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-
-name: "Apache Santuario CodeQL config"
-
-disable-default-queries: true
-queries:
- - name: Custom Security and Quality
- uses: ./.github/codeql/santuario.qls
-
-
-#queries:
-# - uses: security-and-quality
-
-