Posted to commits@santuario.apache.org by "Peter De Maeyer (Jira)" <ji...@apache.org> on 2020/02/09 13:20:00 UTC

[jira] [Updated] (SANTUARIO-525) Base64 encoded elements contain "&#xd;" entity references

     [ https://issues.apache.org/jira/browse/SANTUARIO-525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter De Maeyer updated SANTUARIO-525:
--------------------------------------
    Attachment: SANTUARIO-525.patch

> Base64 encoded elements contain "&#xd;" entity references
> ---------------------------------------------------------
>
>                 Key: SANTUARIO-525
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-525
>             Project: Santuario
>          Issue Type: Improvement
>          Components: Java
>    Affects Versions: Java 2.1.4
>            Reporter: Peter De Maeyer
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>         Attachments: SANTUARIO-525.patch
>
>
> Base64 elements resulting from signing or encryption contain the ugly entity reference "&#xd;", which is the encoded carriage return. The reason is that the RFC 4648 Base64 encoder uses CRLF as line separator, but XML encodes it as "&#xd;".
> This has a couple of drawbacks:
> * It prevents textual copy-pasting of content in the XML document as Base64, since the "&#xd;" itself is not part of the Base64 encoding and causes the copied text to be invalid as Base64.
> {code:xml}
>   <PaymentInfo><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="G1b451a56-51d2-4c77-ba0b-38e520f930cb" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="EK1699d223-498c-4f78-876c-8f40bf1fde08"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>sO0Jq5RHTq1FLCrp0tHvEbnD098pdRedo8n3fW1hwO9iRIZgmTsebCFtUahszR8EjAQeF0/kaukT&#xd;
> zrZVlhI7USL11T8/GKjCOgzoLgqXFq2bwMgqdpuInvMTWu26kujLpwz3FuqVT7+dPj3L7H37z6iT&#xd;
> PS9vuM5jBBdrR+4v9Sw=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo><xenc:CipherData><xenc:CipherValue>VHzeKRWn0OReM+8PnXZ05oum2WYfmr8UM+cr9xFmPZ2gkT9vt8oth3NcqTyXReLdzqQTrKdZE/Le&#xd;
> K8PnhehDsZQ2qRc7RLp1UxJcJOrEseefwjUT6HVCicjbgleL9k60GZCnw6vigLCB6Q5/GXKXIL9K&#xd;
> 1vYaYtZNoYtR+zSRSQikoNPK4U9RgVOeg2/OxtdNo0ZOhbLCFO8frjC9+krPxlJ708NAZ1wn5/b6&#xd;
> sB+WLNicPeg+ldNNH2dzHKIZe0DlgdVsiQHWFCOelAmFdbg4YaUaga8IrnKcIg8lUWEFmlCN2nqy&#xd;
> IJLnnnhRuAo7Gh9r4imXhXJ9GiqkayRmNP02j9MxHVckZwWHcRAqf5ujiqU=&#xd;
> </xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></PaymentInfo>
> {code}
> As an improvement, I suggest making this configurable.
> To some extent, that is already the case: using the system property "org.apache.xml.security.ignoreLineBreaks" it is already possible to disable Base64 line breaks altogether.
> I'm suggesting to make it more configurable per encryption, on the {{XMLSecurityProperties}} themselves.
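
The behaviour described in the issue, reproduced as an added example that is not part of the original report or of Santuario's code. It uses only JDK classes; the class name, the sample bytes and the string replacement standing in for the XML serializer are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class CipherValueLineBreaks {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Constructed sample: 100 bytes standing in for ciphertext.
        byte[] cipher = new byte[100];
        for (int i = 0; i < cipher.length; i++) cipher[i] = (byte) (i * 7);

        // MIME-style Base64: 76-character lines separated by CRLF.
        String wrapped = Base64.getMimeEncoder().encodeToString(cipher);

        // Assumption: this replace stands in for the serializer, which writes CR
        // in element content as a character reference so it survives a re-parse.
        String xml = "<CipherValue>" + wrapped.replace("\r", "&#xd;") + "</CipherValue>";

        // 1. Text copied straight out of the document is not valid Base64.
        String copied = xml.substring(xml.indexOf('>') + 1, xml.lastIndexOf('<'));
        try {
            Base64.getDecoder().decode(copied);
            throw new AssertionError("expected the raw copy to be rejected");
        } catch (IllegalArgumentException e) {
            System.out.println("raw copy rejected: " + e.getMessage());
        }

        // 2. An XML parser resolves the reference back to a CR character, so the
        //    element text holds CRLF and a strict decoder would still reject it.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        String text = doc.getDocumentElement().getTextContent();
        System.out.println("parsed text contains CRLF: " + text.contains("\r\n"));

        // 3. The MIME decoder skips line separators; a copied value decodes
        //    once the references and whitespace are stripped.
        byte[] viaMime = Base64.getMimeDecoder().decode(text);
        byte[] viaStrip = Base64.getDecoder()
                .decode(copied.replace("&#xd;", "").replaceAll("\\s", ""));
        System.out.println("round trip ok: "
                + (Arrays.equals(cipher, viaMime) && Arrays.equals(cipher, viaStrip)));
    }
}
```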
