Posted to commits@santuario.apache.org by co...@apache.org on 2011/11/25 13:00:06 UTC
svn commit: r1206130 - in /santuario/xml-security-java/trunk/src:
main/java/org/apache/jcp/xml/dsig/internal/dom/
main/java/org/apache/xml/security/keys/keyresolver/implementations/
test/java/org/apache/xml/security/test/keys/keyresolver/ test/java/org...
Author: coheigea
Date: Fri Nov 25 12:00:05 2011
New Revision: 1206130
URL: http://svn.apache.org/viewvc?rev=1206130&view=rev
Log:
Some fixes to prevent attacks on RetrievalMethods
Added:
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/keys/keyresolver/RetrievalMethodResolverTest.java
santuario/xml-security-java/trunk/src/test/resources/org/apache/xml/security/keyresolver/
santuario/xml-security-java/trunk/src/test/resources/org/apache/xml/security/keyresolver/retrievalmethod1.xml
santuario/xml-security-java/trunk/src/test/resources/org/apache/xml/security/keyresolver/retrievalmethod2.xml
Modified:
santuario/xml-security-java/trunk/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/signature/ECDSASignatureTest.java
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java?rev=1206130&r1=1206129&r2=1206130&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java Fri Nov 25 12:00:05 2011
@@ -36,6 +36,8 @@ import java.net.URI;
import java.net.URISyntaxException;
import java.security.Provider;
import java.util.*;
+
+import javax.xml.XMLConstants;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dom.DOMCryptoContext;
@@ -225,6 +227,7 @@ public final class DOMRetrievalMethod ex
ApacheData data = (ApacheData)dereference(context);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(new ByteArrayInputStream
(data.getXMLSignatureInput().getBytes()));
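Review bot: The added `FEATURE_SECURE_PROCESSING` line is the only hardening on a parser that is fed bytes obtained from `dereference(context)`, and that feature mainly bounds resource use such as entity expansion; whether it also blocks DOCTYPE declarations and external entity resolution depends on the JAXP implementation in use. If the dereferenced content is never expected to carry a DTD, an explicit `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` next to it would make that guarantee independent of parser defaults, provided the parser in use recognises the feature. Passing the primitive `true` instead of `Boolean.TRUE` would also avoid a needless unboxing. The enclosing method starts and ends outside this hunk.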
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.java?rev=1206130&r1=1206129&r2=1206130&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.java Fri Nov 25 12:00:05 2011
@@ -89,7 +89,7 @@ public class RetrievalMethodResolver ext
// Create a retrieval method over the given element
RetrievalMethod rm = new RetrievalMethod(element, BaseURI);
String type = rm.getType();
- XMLSignatureInput resource = resolveInput(rm,BaseURI);
+ XMLSignatureInput resource = resolveInput(rm, BaseURI);
if (RetrievalMethod.TYPE_RAWX509.equals(type)) {
// a raw certificate, direct parsing is done!
X509Certificate cert = getRawCertificate(resource);
@@ -98,7 +98,22 @@ public class RetrievalMethodResolver ext
}
return null;
}
- Element e = obtainReferenceElement(resource);
+ Element e = obtainReferenceElement(resource);
+
+ // Check to make sure that the reference is not to another RetrievalMethod
+ // which points to this element
+ if (XMLUtils.elementIsInSignatureSpace(e, Constants._TAG_RETRIEVALMETHOD)) {
+ RetrievalMethod rm2 = new RetrievalMethod(e, BaseURI);
+ XMLSignatureInput resource2 = resolveInput(rm2, BaseURI);
+ Element e2 = obtainReferenceElement(resource2);
+ if (e2 == element) {
+ if (log.isDebugEnabled()) {
+ log.debug("Error: Can't have RetrievalMethods pointing to each other");
+ }
+ return null;
+ }
+ }
+
return resolveKey(e, BaseURI, storage);
} catch (XMLSecurityException ex) {
if (log.isDebugEnabled()) {
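Review bot: The new check after `obtainReferenceElement(resource)` looks only one hop ahead, so it stops a RetrievalMethod that points to itself or a pair that point to each other, but a cycle of three or more elements (or a chain that loops back to a later element rather than to `element`) never satisfies `e2 == element` and would presumably still recurse through `resolveKey` until the stack overflows. The same block is repeated in the certificate path in the next hunk (`@@ -144,8 +159,24 @@`) and has the same gap. Walking the chain with a hop limit closes both cases, and moving it into one private helper would remove the duplication; `MAX_RETRIEVAL_HOPS` below is a proposed constant, not an existing one. The enclosing method starts and ends outside this hunk.

```java
Element e = obtainReferenceElement(resource);

// Follow the RetrievalMethod chain instead of a single hop, so that
// cycles of any length are rejected before resolveKey() recurses.
Element next = e;
int hops = 0;
while (XMLUtils.elementIsInSignatureSpace(next, Constants._TAG_RETRIEVALMETHOD)) {
    // MAX_RETRIEVAL_HOPS: proposed new constant bounding the chain length
    if (next == element || ++hops > MAX_RETRIEVAL_HOPS) {
        if (log.isDebugEnabled()) {
            log.debug("Error: RetrievalMethod chain is cyclic or too long");
        }
        return null;
    }
    RetrievalMethod rmNext = new RetrievalMethod(next, BaseURI);
    next = obtainReferenceElement(resolveInput(rmNext, BaseURI));
}

return resolveKey(e, BaseURI, storage);
```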
@@ -144,8 +159,24 @@ public class RetrievalMethodResolver ext
if (RetrievalMethod.TYPE_RAWX509.equals(type)) {
X509Certificate cert = getRawCertificate(resource);
return cert;
- }
+ }
+
Element e = obtainReferenceElement(resource);
+
+ // Check to make sure that the reference is not to another RetrievalMethod
+ // which points to this element
+ if (XMLUtils.elementIsInSignatureSpace(e, Constants._TAG_RETRIEVALMETHOD)) {
+ RetrievalMethod rm2 = new RetrievalMethod(e, BaseURI);
+ XMLSignatureInput resource2 = resolveInput(rm2, BaseURI);
+ Element e2 = obtainReferenceElement(resource2);
+ if (e2 == element) {
+ if (log.isDebugEnabled()) {
+ log.debug("Error: Can't have RetrievalMethods pointing to each other");
+ }
+ return null;
+ }
+ }
+
return resolveCertificate(e, BaseURI, storage);
} catch (XMLSecurityException ex) {
if (log.isDebugEnabled()) {
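Review bot: The rejection branch added here (and the identical one in the previous hunk) reports a cyclic RetrievalMethod only through `log.debug` and then returns `null`, which a caller cannot tell apart from an ordinary "no certificate found". A document built to loop the resolver is worth surfacing at default log levels; something like `log.warn("Rejected KeyInfo: RetrievalMethods point to each other");` without the `isDebugEnabled` guard would do that, assuming the logger used in this class offers `warn`. The enclosing method starts and ends outside this hunk.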
Added: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/keys/keyresolver/RetrievalMethodResolverTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/keys/keyresolver/RetrievalMethodResolverTest.java?rev=1206130&view=auto
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/keys/keyresolver/RetrievalMethodResolverTest.java (added)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/keys/keyresolver/RetrievalMethodResolverTest.java Fri Nov 25 12:00:05 2011
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.xml.security.test.keys.keyresolver;
+
+import java.io.FileInputStream;
+import java.security.Security;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI;
+import org.apache.xml.security.keys.KeyInfo;
+import org.w3c.dom.Document;
+
+
+/**
+ * Some tests on attacks against the RetrievalMethodResolver.
+ */
+public class RetrievalMethodResolverTest extends org.junit.Assert {
+
+ private static final String BASEDIR = System.getProperty("basedir");
+ private static final String SEP = System.getProperty("file.separator");
+
+ public RetrievalMethodResolverTest() {
+ org.apache.xml.security.Init.init();
+ Security.insertProviderAt(new XMLDSigRI(), 1);
+ }
+
+ @org.junit.Test
+ public void testReferenceToSameRetrievalMethod() throws Exception {
+ FileInputStream fis = null;
+ String filename = "src/test/resources/org/apache/xml/security/keyresolver/retrievalmethod1.xml";
+ if (BASEDIR != null && !"".equals(BASEDIR)) {
+ fis = new FileInputStream(BASEDIR + SEP + filename);
+ } else {
+ fis = new FileInputStream(filename);
+ }
+
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setNamespaceAware(true);
+ DocumentBuilder db = dbf.newDocumentBuilder();
+ Document doc = db.parse(fis);
+
+ KeyInfo keyInfo = new KeyInfo(doc.getDocumentElement(), null);
+
+ // Check neither of these give a StackOverflowError.
+ keyInfo.getPublicKey();
+ keyInfo.getX509Certificate();
+ }
+
+ @org.junit.Test
+ public void testLoopBetweenRetrievalMethods() throws Exception {
+ FileInputStream fis = null;
+ String filename = "src/test/resources/org/apache/xml/security/keyresolver/retrievalmethod2.xml";
+ if (BASEDIR != null && !"".equals(BASEDIR)) {
+ fis = new FileInputStream(BASEDIR + SEP + filename);
+ } else {
+ fis = new FileInputStream(filename);
+ }
+
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setNamespaceAware(true);
+ DocumentBuilder db = dbf.newDocumentBuilder();
+ Document doc = db.parse(fis);
+
+ KeyInfo keyInfo = new KeyInfo(doc.getDocumentElement(), null);
+
+ // Check neither of these give a StackOverflowError.
+ keyInfo.getPublicKey();
+ keyInfo.getX509Certificate();
+ }
+
+}
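Review bot: Neither test method asserts anything: both call `keyInfo.getPublicKey()` and `keyInfo.getX509Certificate()` and pass as long as no error is thrown, so a regression that returned a key from a cyclic KeyInfo would go unnoticed. If the resolver is meant to yield nothing for these inputs, pin that with `assertNull(keyInfo.getPublicKey());` and `assertNull(keyInfo.getX509Certificate());`. The `FileInputStream` opened in each test is never closed; wrapping the parse in `try { ... } finally { fis.close(); }` would fix that. A third fixture with a three-element cycle would also show whether the resolver handles loops longer than two.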
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/signature/ECDSASignatureTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/signature/ECDSASignatureTest.java?rev=1206130&r1=1206129&r2=1206130&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/signature/ECDSASignatureTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/signature/ECDSASignatureTest.java Fri Nov 25 12:00:05 2011
@@ -125,7 +125,7 @@ public class ECDSASignatureTest extends
}
File file =
- makeDataFile("data/org/apache/xml/security/samples/input/ecdsaSignature.xml");
+ makeDataFile("src/test/resources/org/apache/xml/security/samples/input/ecdsaSignature.xml");
InputStream is = new FileInputStream(file);
doVerify(is);
@@ -137,7 +137,7 @@ public class ECDSASignatureTest extends
return;
}
- File file = makeDataFile("data/at/buergerkarte/testresp.xml");
+ File file = makeDataFile("src/test/resources/at/buergerkarte/testresp.xml");
InputStream is = new FileInputStream(file);
doVerify(is);
Added: santuario/xml-security-java/trunk/src/test/resources/org/apache/xml/security/keyresolver/retrievalmethod1.xml
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/resources/org/apache/xml/security/keyresolver/retrievalmethod1.xml?rev=1206130&view=auto
==============================================================================
--- santuario/xml-security-java/trunk/src/test/resources/org/apache/xml/security/keyresolver/retrievalmethod1.xml (added)
+++ santuario/xml-security-java/trunk/src/test/resources/org/apache/xml/security/keyresolver/retrievalmethod1.xml Fri Nov 25 12:00:05 2011
@@ -0,0 +1,3 @@
+<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+ <dsig:RetrievalMethod xml:id="r1" URI="#r1"/>
+</dsig:KeyInfo>
Added: santuario/xml-security-java/trunk/src/test/resources/org/apache/xml/security/keyresolver/retrievalmethod2.xml
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/resources/org/apache/xml/security/keyresolver/retrievalmethod2.xml?rev=1206130&view=auto
==============================================================================
--- santuario/xml-security-java/trunk/src/test/resources/org/apache/xml/security/keyresolver/retrievalmethod2.xml (added)
+++ santuario/xml-security-java/trunk/src/test/resources/org/apache/xml/security/keyresolver/retrievalmethod2.xml Fri Nov 25 12:00:05 2011
@@ -0,0 +1,4 @@
+<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+ <dsig:RetrievalMethod xml:id="r1" URI="#r2"/>
+ <dsig:RetrievalMethod xml:id="r2" URI="#r1"/>
+</dsig:KeyInfo>
\ No newline at end of file