Posted to commits@santuario.apache.org by co...@apache.org on 2021/09/09 08:48:27 UTC

[santuario-xml-security-java] branch 2.1.x-fixes updated (7eb5b06 -> 56ec216)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch 2.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/santuario-xml-security-java.git.


    from 7eb5b06  Updating version after release
     new 442c6f6  Updating BouncyCastle to 1.68
     new d059c72  Updating BouncyCastle to 1.69
     new 56ec216  SANTUARIO-572 - Disallow a KeyInfoReference to refer to a RetrievalMethod

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 pom.xml                                            |  2 +-
 .../implementations/KeyInfoReferenceResolver.java  |  3 ++-
 .../security/resource/xmlsecurity_en.properties    |  3 ++-
 .../xml/security/signature/XMLSignatureInput.java  |  2 +-
 .../transforms/implementations/TransformXPath.java |  6 +-----
 .../keyresolver/KeyInfoReferenceResolverTest.java  | 22 ++++++++++++++++++++++
 ...ml => KeyInfoReference-RSA-RetrievalMethod.xml} | 12 ++++++------
 7 files changed, 35 insertions(+), 15 deletions(-)
 copy src/test/resources/org/apache/xml/security/keyresolver/{KeyInfoReference-ReferenceChain.xml => KeyInfoReference-RSA-RetrievalMethod.xml} (78%)

[santuario-xml-security-java] 02/03: Updating BouncyCastle to 1.69

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 2.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/santuario-xml-security-java.git

commit d059c72d3d376a0da74d54a823f125c42718de15
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Jun 22 12:26:16 2021 +0100

    Updating BouncyCastle to 1.69
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 703e55b..a3b0ed3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -527,7 +527,7 @@
         <xerces.version>2.12.0</xerces.version>
         <junit.version>4.13.1</junit.version>
         <log4j.version>1.2.17</log4j.version>
-        <bcprov.version>1.68</bcprov.version>
+        <bcprov.version>1.69</bcprov.version>
         <hamcrest.version>2.2</hamcrest.version>
         <xmlunit.version>1.6</xmlunit.version>
         <commons.codec.version>1.15</commons.codec.version>

[santuario-xml-security-java] 03/03: SANTUARIO-572 - Disallow a KeyInfoReference to refer to a RetrievalMethod

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 2.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/santuario-xml-security-java.git

commit 56ec2160c161c6bc41e5c297eed077e8ecece312
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Aug 11 08:57:14 2021 +0100

    SANTUARIO-572 - Disallow a KeyInfoReference to refer to a RetrievalMethod
---
 .../implementations/KeyInfoReferenceResolver.java  |  3 ++-
 .../security/resource/xmlsecurity_en.properties    |  3 ++-
 .../xml/security/signature/XMLSignatureInput.java  |  2 +-
 .../transforms/implementations/TransformXPath.java |  6 +-----
 .../keyresolver/KeyInfoReferenceResolverTest.java  | 22 ++++++++++++++++++++++
 .../KeyInfoReference-RSA-RetrievalMethod.xml       | 22 ++++++++++++++++++++++
 6 files changed, 50 insertions(+), 8 deletions(-)

diff --git a/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java b/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
index 4571cc3..97b2fcf 100644
--- a/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
+++ b/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
@@ -176,6 +176,7 @@ public class KeyInfoReferenceResolver extends KeyResolverSpi {
         validateReference(referentElement);
 
         KeyInfo referent = new KeyInfo(referentElement, baseURI);
+        referent.setSecureValidation(secureValidation);
         referent.addStorageResolver(storage);
         return referent;
     }
@@ -194,7 +195,7 @@ public class KeyInfoReferenceResolver extends KeyResolverSpi {
         }
 
         KeyInfo referent = new KeyInfo(referentElement, "");
-        if (referent.containsKeyInfoReference()) {
+        if (referent.containsKeyInfoReference() || referent.containsRetrievalMethod()) {
             if (secureValidation) {
                 throw new XMLSecurityException("KeyInfoReferenceResolver.InvalidReferentElement.ReferenceWithSecure");
             } else {
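Review bot: The widened condition on the changed `if` rejects a referent that holds a RetrievalMethod, but nothing in the hunk records why, and the `else` branch that begins on the last visible line (the non-secure-validation path, continuing outside the hunk) appears to proceed with such a referent anyway. A one-line comment above the check would spare the next maintainer re-deriving the rationale, e.g. `// SANTUARIO-572: the referent must carry key material directly; a nested KeyInfoReference or RetrievalMethod would reopen the indirection chain`. The first hunk's `referent.setSecureValidation(secureValidation)` applies to the KeyInfo returned by resolveReferentElement, whereas the KeyInfo built here with an empty base URI is only inspected, so the two are presumably consistent — worth confirming that containsRetrievalMethod() does not itself resolve anything. validateReference's signature and remainder lie outside the hunk.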
diff --git a/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties b/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties
index ede945c..b999f9a 100644
--- a/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties
+++ b/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties
@@ -124,6 +124,7 @@ signature.Transform.ForbiddenTransform = Transform {0} is forbidden when secure
 signature.Transform.NotYetImplemented = Transform {0} not yet implemented
 signature.Transform.NullPointerTransform = Null pointer as URI. Programming bug?
 signature.Transform.UnknownTransform = Unknown transformation. No handler installed for URI {0}
+signature.Transform.XPathError = Error evaluating XPath expression
 signature.Transform.node = Current Node: {0}
 signature.Transform.nodeAndType = Current Node: {0}, type: {1} 
 signature.Util.BignumNonPositive = bigInteger.signum() must be positive
@@ -194,4 +195,4 @@ stax.signature.keyNameMissing = KeyName not configured.
 stax.keyNotFoundForName = No key configured for KeyName: {0}
 stax.keyTypeNotSupported = Key of type {0} not supported for a KeyName lookup
 stax.idsetbutnotgenerated = An Id attribute is specified, but Id generation is disabled
-stax.idgenerationdisablewithmultipleparts = Id generation must not be disabled when multiple parts need signing
\ No newline at end of file
+stax.idgenerationdisablewithmultipleparts = Id generation must not be disabled when multiple parts need signing
diff --git a/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java b/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
index 474c211..f717c33 100644
--- a/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
+++ b/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
@@ -544,7 +544,7 @@ public class XMLSignatureInput {
                 convertToNodes();
             } catch (Exception e) {
                 throw new XMLSecurityRuntimeException(
-                    "signature.XMLSignatureInput.nodesetReference", e
+                    "signature.XMLSignatureInput.nodesetReference"
                 );
             }
         }
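Review bot: Dropping `e` from the XMLSecurityRuntimeException on the changed line discards the only record of what convertToNodes() failed on, so whoever debugs a failed verification is left with the bare message key; the TransformXPath hunk below does the same for its TransformerException. The change reads as deliberate (keeping parser detail out of the exception that reaches callers), so I am not suggesting reattaching the cause, but the detail should survive somewhere an operator can reach it — e.g. `LOG.debug(e.getMessage(), e);` inside the catch before the throw, assuming the class's logger is in scope, which the hunk does not show. The enclosing method starts and ends outside the hunk.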
diff --git a/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java b/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java
index d6cd2a8..b93172c 100644
--- a/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java
+++ b/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java
@@ -143,11 +143,7 @@ public class TransformXPath extends TransformSpi {
                 }
                 return 0;
             } catch (TransformerException e) {
-                Object[] eArgs = {currentNode};
-                throw new XMLSecurityRuntimeException("signature.Transform.node", eArgs, e);
-            } catch (Exception e) {
-                Object[] eArgs = {currentNode, currentNode.getNodeType()};
-                throw new XMLSecurityRuntimeException("signature.Transform.nodeAndType",eArgs, e);
+                throw new XMLSecurityRuntimeException("signature.Transform.XPathError");
             }
         }
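Review bot: Removing the `catch (Exception e)` arm means any non-TransformerException failure raised inside the try (a RuntimeException from the XPath API, for instance) now escapes unwrapped instead of surfacing as XMLSecurityRuntimeException, a change callers that catch the library's exception type would notice; the hunk gives no sign this was intended. If only the node details were meant to go, keep a second arm with the same generic key: `} catch (RuntimeException e) { throw new XMLSecurityRuntimeException("signature.Transform.XPathError"); }`. If the reason for the generic message is to stop echoing the current node into the error, a comment saying so, e.g. `// deliberately generic: do not report the current node in the error`, would keep a later cleanup from restoring the old arguments. The try block and the enclosing method begin before the hunk, so what else can throw there is not visible.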
 
diff --git a/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java b/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java
index 3dbf8fb..a81fbcd 100644
--- a/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java
+++ b/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java
@@ -121,6 +121,19 @@ public class KeyInfoReferenceResolverTest extends Assert {
         assertNull(keyInfo.getPublicKey());
     }
 
+    @org.junit.Test
+    public void testKeyInfoReferenceToRetrievalMethodNotAllowed() throws Exception {
+        Document doc = loadXML("KeyInfoReference-RSA-RetrievalMethod.xml");
+        markKeyInfoIdAttrs(doc);
+        markEncodedKeyValueIdAttrs(doc);
+
+        Element referenceElement = doc.getElementById("theReference");
+        assertNotNull(referenceElement);
+
+        KeyInfo keyInfo = new KeyInfo(referenceElement, "");
+        assertNull(keyInfo.getPublicKey());
+    }
+
     // Utility methods
 
     private String getControlFilePath(String fileName) {
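Review bot: testKeyInfoReferenceToRetrievalMethodNotAllowed only asserts `assertNull(keyInfo.getPublicKey())`, which also passes if the reference fails to resolve for an unrelated reason (an unmarked Id, a mistyped URI), so it does not distinguish the new RetrievalMethod rejection from an ordinary miss, and the secure-validation branch that throws is not exercised at all. With the project's JUnit 4.13.1 (pom.xml), a second assertion in the same test would pin that path: `keyInfo.setSecureValidation(true);` followed by `assertThrows(XMLSecurityException.class, keyInfo::getPublicKey);` — assuming KeyInfo.getPublicKey() lets that exception surface rather than logging it, which is not visible here. A positive control that resolves the same fixture's "retrievalMethod" KeyInfo directly would also confirm the fixture is wired correctly rather than failing for a fixture bug.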
@@ -156,4 +169,13 @@ public class KeyInfoReferenceResolverTest extends Assert {
         }
     }
 
+    private void markEncodedKeyValueIdAttrs(Document doc) {
+        NodeList nl = doc.getElementsByTagNameNS(Constants.SignatureSpec11NS, Constants._TAG_DERENCODEDKEYVALUE);
+        for (int i = 0; i < nl.getLength(); i++) {
+            Element keyInfoElement = (Element) nl.item(i);
+            keyInfoElement.setIdAttributeNS(null, Constants._ATT_ID, true);
+        }
+    }
+
 }
+
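Review bot: In markEncodedKeyValueIdAttrs the loop variable `keyInfoElement` holds a dsig11:DEREncodedKeyValue element, not a KeyInfo, so the name misleads; `Element keyValueElement = (Element) nl.item(i);` reads correctly. The hunk also appends a blank line after the class's closing `}`, presumably by accident, since the file previously ended at the brace. The helper appears to mirror markKeyInfoIdAttrs (outside the hunk); if it does, a shared helper taking the namespace and tag name would remove the duplication, but that is optional.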
diff --git a/src/test/resources/org/apache/xml/security/keyresolver/KeyInfoReference-RSA-RetrievalMethod.xml b/src/test/resources/org/apache/xml/security/keyresolver/KeyInfoReference-RSA-RetrievalMethod.xml
new file mode 100644
index 0000000..f34e3d5
--- /dev/null
+++ b/src/test/resources/org/apache/xml/security/keyresolver/KeyInfoReference-RSA-RetrievalMethod.xml
@@ -0,0 +1,22 @@
+<test:root xmlns:test="http://www.example.org/test">
+
+  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="theRealKey">
+    <dsig11:DEREncodedKeyValue Id="theRealKey2" xmlns:dsig11="http://www.w3.org/2009/xmldsig11#">
+      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmDnHagSzfia3N7jOaMSp4VIZjK2lxZgN
+      X/2z98YLp1XE3cvpP+mOvX3gENWQuX3uoix+2qroZ0BFHzhzf4E7is5Q9+42ZFi5naFk3c/B0Q8A
+      jtHtWUEZ8VPPBZggz6uJ1ttJS7YDP6XVjaw6SN1bJSD4/lWNIVsh95kuhunbOef6x/kyIbBz9wF4
+      S0//G6zPD4GG7/jJ+sDXe+bAgPB1qwhLhrK3N1jGuDZkGGcY/c4b7aba0B0rognwKlygv16GoA/n
+      zWehxih7clhmMTzP2VWa3Q2GcN8ETe00dz68KtS7GF6W15qftjUvRXEKSoPz86ZsP30jIH1tvIrs
+      qSh/kwIDAQAB
+    </dsig11:DEREncodedKeyValue>
+  </ds:KeyInfo>
+
+  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="retrievalMethod">
+    <ds:RetrievalMethod URI="#theRealKey2"/>
+  </ds:KeyInfo>
+  
+  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="theReference">
+    <dsig11:KeyInfoReference xmlns:dsig11="http://www.w3.org/2009/xmldsig11#" URI="#retrievalMethod" />
+  </ds:KeyInfo>
+
+</test:root>

[santuario-xml-security-java] 01/03: Updating BouncyCastle to 1.68

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 2.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/santuario-xml-security-java.git

commit 442c6f6be2d0b546998a00345c8acc914e63aa38
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Mon Jan 4 07:12:38 2021 +0000

    Updating BouncyCastle to 1.68
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 5097be4..703e55b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -527,7 +527,7 @@
         <xerces.version>2.12.0</xerces.version>
         <junit.version>4.13.1</junit.version>
         <log4j.version>1.2.17</log4j.version>
-        <bcprov.version>1.67</bcprov.version>
+        <bcprov.version>1.68</bcprov.version>
         <hamcrest.version>2.2</hamcrest.version>
         <xmlunit.version>1.6</xmlunit.version>
         <commons.codec.version>1.15</commons.codec.version>