You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by mu...@apache.org on 2008/10/16 17:42:57 UTC
svn commit: r705261 - in /xml/security/trunk/src/org/apache/xml/security:
resource/xmlsecurity_en.properties signature/SignedInfo.java
transforms/implementations/TransformEnvelopedSignature.java
Author: mullan
Date: Thu Oct 16 08:42:56 2008
New Revision: 705261
URL: http://svn.apache.org/viewvc?rev=705261&view=rev
Log:
Fixed bug 45961: verify with own canonicalization method
Modified:
xml/security/trunk/src/org/apache/xml/security/resource/xmlsecurity_en.properties
xml/security/trunk/src/org/apache/xml/security/signature/SignedInfo.java
xml/security/trunk/src/org/apache/xml/security/transforms/implementations/TransformEnvelopedSignature.java
Modified: xml/security/trunk/src/org/apache/xml/security/resource/xmlsecurity_en.properties
URL: http://svn.apache.org/viewvc/xml/security/trunk/src/org/apache/xml/security/resource/xmlsecurity_en.properties?rev=705261&r1=705260&r2=705261&view=diff
==============================================================================
Binary files - no diff available.
Modified: xml/security/trunk/src/org/apache/xml/security/signature/SignedInfo.java
URL: http://svn.apache.org/viewvc/xml/security/trunk/src/org/apache/xml/security/signature/SignedInfo.java?rev=705261&r1=705260&r2=705261&view=diff
==============================================================================
--- xml/security/trunk/src/org/apache/xml/security/signature/SignedInfo.java (original)
+++ xml/security/trunk/src/org/apache/xml/security/signature/SignedInfo.java Thu Oct 16 08:42:56 2008
@@ -79,8 +79,7 @@
* @throws XMLSecurityException
*/
public SignedInfo(Document doc, String signatureMethodURI,
- String canonicalizationMethodURI)
- throws XMLSecurityException {
+ String canonicalizationMethodURI) throws XMLSecurityException {
this(doc, signatureMethodURI, 0, canonicalizationMethodURI);
}
@@ -159,41 +158,51 @@
throws XMLSecurityException {
// Parse the Reference children and Id attribute in the Manifest
- super(element, baseURI);
+ super(reparseSignedInfoElem(element), baseURI);
+
+ c14nMethod = XMLUtils.getNextElement(element.getFirstChild());
+ signatureMethod = XMLUtils.getNextElement(c14nMethod.getNextSibling());
+ this._signatureAlgorithm =
+ new SignatureAlgorithm(signatureMethod, this.getBaseURI());
+ }
+
+ private static Element reparseSignedInfoElem(Element element)
+ throws XMLSecurityException {
- /* canonicalize ds:SignedInfo, reparse it into a new document
+ /*
+ * If a custom canonicalizationMethod is used, canonicalize
+ * ds:SignedInfo, reparse it into a new document
* and replace the original not-canonicalized ds:SignedInfo by
* the re-parsed canonicalized one.
*/
- c14nMethod = XMLUtils.getNextElement(element.getFirstChild());
- String c14nMethodURI = this.getCanonicalizationMethodURI();
+ Element c14nMethod = XMLUtils.getNextElement(element.getFirstChild());
+ String c14nMethodURI =
+ c14nMethod.getAttributeNS(null, Constants._ATT_ALGORITHM);
if (!(c14nMethodURI.equals(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS) ||
- c14nMethodURI.equals(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS) ||
- c14nMethodURI.equals(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS) ||
- c14nMethodURI.equals(Canonicalizer.ALGO_ID_C14N_EXCL_WITH_COMMENTS) ||
- c14nMethodURI.equals(Canonicalizer.ALGO_ID_C14N11_OMIT_COMMENTS) ||
- c14nMethodURI.equals(Canonicalizer.ALGO_ID_C14N11_WITH_COMMENTS))) {
+ c14nMethodURI.equals(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS) ||
+ c14nMethodURI.equals(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS) ||
+ c14nMethodURI.equals(Canonicalizer.ALGO_ID_C14N_EXCL_WITH_COMMENTS) ||
+ c14nMethodURI.equals(Canonicalizer.ALGO_ID_C14N11_OMIT_COMMENTS) ||
+ c14nMethodURI.equals(Canonicalizer.ALGO_ID_C14N11_WITH_COMMENTS))) {
// the c14n is not a secure one and can rewrite the URIs or like
- // that reparse the SignedInfo to be sure
+ // so reparse the SignedInfo to be sure
try {
Canonicalizer c14nizer =
- Canonicalizer.getInstance(this.getCanonicalizationMethodURI());
+ Canonicalizer.getInstance(c14nMethodURI);
- this._c14nizedBytes =
- c14nizer.canonicalizeSubtree(this._constructionElement);
+ byte[] c14nizedBytes = c14nizer.canonicalizeSubtree(element);
javax.xml.parsers.DocumentBuilderFactory dbf =
javax.xml.parsers.DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
- org.w3c.dom.Document newdoc =
- db.parse(new ByteArrayInputStream(this._c14nizedBytes));
- Node imported =
- this._doc.importNode(newdoc.getDocumentElement(), true);
+ Document newdoc =
+ db.parse(new ByteArrayInputStream(c14nizedBytes));
+ Node imported = element.getOwnerDocument().importNode
+ (newdoc.getDocumentElement(), true);
- this._constructionElement.getParentNode().replaceChild(imported,
- this._constructionElement);
+ element.getParentNode().replaceChild(imported, element);
- this._constructionElement = (Element) imported;
+ return (Element) imported;
} catch (ParserConfigurationException ex) {
throw new XMLSecurityException("empty", ex);
} catch (IOException ex) {
@@ -202,184 +211,172 @@
throw new XMLSecurityException("empty", ex);
}
}
- signatureMethod = XMLUtils.getNextElement(c14nMethod.getNextSibling());
- this._signatureAlgorithm =
- new SignatureAlgorithm(signatureMethod, this.getBaseURI());
+ return element;
}
- /**
- * Tests core validation process
- *
- * @return true if verification was successful
- * @throws MissingResourceFailureException
- * @throws XMLSecurityException
- */
- public boolean verify()
+ /**
+ * Tests core validation process
+ *
+ * @return true if verification was successful
+ * @throws MissingResourceFailureException
+ * @throws XMLSecurityException
+ */
+ public boolean verify()
throws MissingResourceFailureException, XMLSecurityException {
- return super.verifyReferences(false);
- }
+ return super.verifyReferences(false);
+ }
- /**
- * Tests core validation process
- *
- * @param followManifests defines whether the verification process has to verify referenced <CODE>ds:Manifest</CODE>s, too
- * @return true if verification was successful
- * @throws MissingResourceFailureException
- * @throws XMLSecurityException
- */
- public boolean verify(boolean followManifests)
+ /**
+ * Tests core validation process
+ *
+ * @param followManifests defines whether the verification process has to verify referenced <CODE>ds:Manifest</CODE>s, too
+ * @return true if verification was successful
+ * @throws MissingResourceFailureException
+ * @throws XMLSecurityException
+ */
+ public boolean verify(boolean followManifests)
throws MissingResourceFailureException, XMLSecurityException {
- return super.verifyReferences(followManifests);
- }
+ return super.verifyReferences(followManifests);
+ }
- /**
- * Returns getCanonicalizedOctetStream
- *
- * @return the canonicalization result octedt stream of <code>SignedInfo</code> element
- * @throws CanonicalizationException
- * @throws InvalidCanonicalizerException
- * @throws XMLSecurityException
- */
- public byte[] getCanonicalizedOctetStream()
+ /**
+ * Returns getCanonicalizedOctetStream
+ *
+ * @return the canonicalization result octet stream of <code>SignedInfo</code> element
+ * @throws CanonicalizationException
+ * @throws InvalidCanonicalizerException
+ * @throws XMLSecurityException
+ */
+ public byte[] getCanonicalizedOctetStream()
throws CanonicalizationException, InvalidCanonicalizerException,
XMLSecurityException {
- if ((this._c14nizedBytes == null)
- /*&& (this._state == ElementProxy.MODE_SIGN)*/) {
- Canonicalizer c14nizer =
- Canonicalizer.getInstance(this.getCanonicalizationMethodURI());
-
- this._c14nizedBytes =
- c14nizer.canonicalizeSubtree(this._constructionElement);
- }
-
- // make defensive copy
- byte[] output = new byte[this._c14nizedBytes.length];
+ if (this._c14nizedBytes == null) {
+ Canonicalizer c14nizer =
+ Canonicalizer.getInstance(this.getCanonicalizationMethodURI());
- System.arraycopy(this._c14nizedBytes, 0, output, 0, output.length);
+ this._c14nizedBytes =
+ c14nizer.canonicalizeSubtree(this._constructionElement);
+ }
- return output;
- }
+ // make defensive copy
+ return (byte[]) this._c14nizedBytes.clone();
+ }
- /**
- * Output the C14n stream to the give outputstream.
- * @param os
- * @throws CanonicalizationException
- * @throws InvalidCanonicalizerException
- * @throws XMLSecurityException
- */
- public void signInOctectStream(OutputStream os)
- throws CanonicalizationException, InvalidCanonicalizerException,
- XMLSecurityException {
-
- if ((this._c14nizedBytes == null)) {
- Canonicalizer c14nizer =
- Canonicalizer.getInstance(this.getCanonicalizationMethodURI());
- c14nizer.setWriter(os);
- String inclusiveNamespaces = this.getInclusiveNamespaces();
-
- if(inclusiveNamespaces == null)
- c14nizer.canonicalizeSubtree(this._constructionElement);
- else
- c14nizer.canonicalizeSubtree(this._constructionElement, inclusiveNamespaces);
- } else {
- try {
- os.write(this._c14nizedBytes);
- } catch (IOException e) {
- throw new RuntimeException(""+e);
- }
- }
- }
-
- /**
- * Returns the Canonicalization method URI
- *
- * @return the Canonicalization method URI
- */
- public String getCanonicalizationMethodURI() {
-
-
- return c14nMethod.getAttributeNS(null, Constants._ATT_ALGORITHM);
- }
-
- /**
- * Returns the Signature method URI
- *
- * @return the Signature method URI
- */
- public String getSignatureMethodURI() {
-
- Element signatureElement = this.getSignatureMethodElement();
-
- if (signatureElement != null) {
- return signatureElement.getAttributeNS(null, Constants._ATT_ALGORITHM);
- }
-
- return null;
- }
-
- /**
- * Method getSignatureMethodElement
- * @return gets The SignatureMethod Node.
- *
- */
- public Element getSignatureMethodElement() {
- return signatureMethod;
- }
-
- /**
- * Creates a SecretKey for the appropriate Mac algorithm based on a
- * byte[] array password.
- *
- * @param secretKeyBytes
- * @return the secret key for the SignedInfo element.
- */
- public SecretKey createSecretKey(byte[] secretKeyBytes)
- {
+ /**
+ * Output the C14n stream to the given OutputStream.
+ * @param os
+ * @throws CanonicalizationException
+ * @throws InvalidCanonicalizerException
+ * @throws XMLSecurityException
+ */
+ public void signInOctectStream(OutputStream os)
+ throws CanonicalizationException, InvalidCanonicalizerException,
+ XMLSecurityException {
- return new SecretKeySpec(secretKeyBytes,
- this._signatureAlgorithm
- .getJCEAlgorithmString());
- }
+ if (this._c14nizedBytes == null) {
+ Canonicalizer c14nizer =
+ Canonicalizer.getInstance(this.getCanonicalizationMethodURI());
+ c14nizer.setWriter(os);
+ String inclusiveNamespaces = this.getInclusiveNamespaces();
- protected SignatureAlgorithm getSignatureAlgorithm() {
- return _signatureAlgorithm;
- }
- /**
- * Method getBaseLocalName
- * @inheritDoc
- *
- */
- public String getBaseLocalName() {
- return Constants._TAG_SIGNEDINFO;
- }
-
- public String getInclusiveNamespaces() {
-
-
-
- String c14nMethodURI = c14nMethod.getAttributeNS(null, Constants._ATT_ALGORITHM);
- if(!(c14nMethodURI.equals("http://www.w3.org/2001/10/xml-exc-c14n#") ||
- c14nMethodURI.equals("http://www.w3.org/2001/10/xml-exc-c14n#WithComments"))) {
- return null;
+ if (inclusiveNamespaces == null) {
+ c14nizer.canonicalizeSubtree(this._constructionElement);
+ } else {
+ c14nizer.canonicalizeSubtree
+ (this._constructionElement, inclusiveNamespaces);
}
+ } else {
+ try {
+ os.write(this._c14nizedBytes);
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
+ }
- Element inclusiveElement = XMLUtils.getNextElement(
- c14nMethod.getFirstChild());
+ /**
+ * Returns the Canonicalization method URI
+ *
+ * @return the Canonicalization method URI
+ */
+ public String getCanonicalizationMethodURI() {
+ return c14nMethod.getAttributeNS(null, Constants._ATT_ALGORITHM);
+ }
+
+ /**
+ * Returns the Signature method URI
+ *
+ * @return the Signature method URI
+ */
+ public String getSignatureMethodURI() {
+
+ Element signatureElement = this.getSignatureMethodElement();
+
+ if (signatureElement != null) {
+ return signatureElement.getAttributeNS(null, Constants._ATT_ALGORITHM);
+ }
+
+ return null;
+ }
+
+ /**
+ * Method getSignatureMethodElement
+ * @return returns the SignatureMethod Element
+ *
+ */
+ public Element getSignatureMethodElement() {
+ return signatureMethod;
+ }
+
+ /**
+ * Creates a SecretKey for the appropriate Mac algorithm based on a
+ * byte[] array password.
+ *
+ * @param secretKeyBytes
+ * @return the secret key for the SignedInfo element.
+ */
+ public SecretKey createSecretKey(byte[] secretKeyBytes) {
+
+ return new SecretKeySpec(secretKeyBytes,
+ this._signatureAlgorithm
+ .getJCEAlgorithmString());
+ }
+
+ protected SignatureAlgorithm getSignatureAlgorithm() {
+ return _signatureAlgorithm;
+ }
+
+ /**
+ * Method getBaseLocalName
+ * @inheritDoc
+ *
+ */
+ public String getBaseLocalName() {
+ return Constants._TAG_SIGNEDINFO;
+ }
+
+ public String getInclusiveNamespaces() {
+
+ String c14nMethodURI = c14nMethod.getAttributeNS(null, Constants._ATT_ALGORITHM);
+ if (!(c14nMethodURI.equals("http://www.w3.org/2001/10/xml-exc-c14n#") ||
+ c14nMethodURI.equals("http://www.w3.org/2001/10/xml-exc-c14n#WithComments"))) {
+ return null;
+ }
- if(inclusiveElement != null)
- {
- try
- {
- String inclusiveNamespaces = new InclusiveNamespaces(inclusiveElement,
- InclusiveNamespaces.ExclusiveCanonicalizationNamespace).getInclusiveNamespaces();
- return inclusiveNamespaces;
- }
- catch (XMLSecurityException e)
- {
- return null;
- }
- }
- return null;
+ Element inclusiveElement = XMLUtils.getNextElement(
+ c14nMethod.getFirstChild());
+
+ if (inclusiveElement != null) {
+ try {
+ String inclusiveNamespaces = new InclusiveNamespaces
+ (inclusiveElement,
+ InclusiveNamespaces.ExclusiveCanonicalizationNamespace).getInclusiveNamespaces();
+ return inclusiveNamespaces;
+ } catch (XMLSecurityException e) {
+ return null;
+ }
+ }
+ return null;
}
}
Modified: xml/security/trunk/src/org/apache/xml/security/transforms/implementations/TransformEnvelopedSignature.java
URL: http://svn.apache.org/viewvc/xml/security/trunk/src/org/apache/xml/security/transforms/implementations/TransformEnvelopedSignature.java?rev=705261&r1=705260&r2=705261&view=diff
==============================================================================
--- xml/security/trunk/src/org/apache/xml/security/transforms/implementations/TransformEnvelopedSignature.java (original)
+++ xml/security/trunk/src/org/apache/xml/security/transforms/implementations/TransformEnvelopedSignature.java Thu Oct 16 08:42:56 2008
@@ -48,69 +48,63 @@
return implementedTransformURI;
}
- /**
- * @inheritDoc
- */
- protected XMLSignatureInput enginePerformTransform(XMLSignatureInput input, Transform _transformObject)
- throws TransformationException {
-
-
-
- /**
- * If the actual input is an octet stream, then the application MUST
- * convert the octet stream to an XPath node-set suitable for use by
- * Canonical XML with Comments. (A subsequent application of the
- * REQUIRED Canonical XML algorithm would strip away these comments.)
- *
- * ...
- *
- * The evaluation of this expression includes all of the document's nodes
- * (including comments) in the node-set representing the octet stream.
- */
+ /**
+ * @inheritDoc
+ */
+ protected XMLSignatureInput enginePerformTransform(XMLSignatureInput input,
+ Transform _transformObject) throws TransformationException {
+
+ /**
+ * If the actual input is an octet stream, then the application MUST
+ * convert the octet stream to an XPath node-set suitable for use by
+ * Canonical XML with Comments. (A subsequent application of the
+ * REQUIRED Canonical XML algorithm would strip away these comments.)
+ *
+ * ...
+ *
+ * The evaluation of this expression includes all of the document's nodes
+ * (including comments) in the node-set representing the octet stream.
+ */
- Node signatureElement = _transformObject.getElement();
-
+ Node signatureElement = _transformObject.getElement();
- signatureElement = searchSignatureElement(signatureElement);
- input.setExcludeNode(signatureElement);
- input.addNodeFilter(new EnvelopedNodeFilter(signatureElement));
- return input;
-
- //
-
-
- }
+ signatureElement = searchSignatureElement(signatureElement);
+ input.setExcludeNode(signatureElement);
+ input.addNodeFilter(new EnvelopedNodeFilter(signatureElement));
+ return input;
+ }
- /**
- * @param signatureElement
- * @return the node that is the signature
- * @throws TransformationException
- */
- private static Node searchSignatureElement(Node signatureElement) throws TransformationException {
- boolean found=false;
+ /**
+ * @param signatureElement
+ * @return the node that is the signature
+ * @throws TransformationException
+ */
+ private static Node searchSignatureElement(Node signatureElement)
+ throws TransformationException {
+ boolean found = false;
- while (true) {
- if ((signatureElement == null)
- || (signatureElement.getNodeType() == Node.DOCUMENT_NODE)) {
- break;
- }
- Element el=(Element)signatureElement;
- if (el.getNamespaceURI().equals(Constants.SignatureSpecNS)
- &&
- el.getLocalName().equals(Constants._TAG_SIGNATURE)) {
- found = true;
- break;
- }
-
- signatureElement = signatureElement.getParentNode();
- }
-
- if (!found) {
- throw new TransformationException(
- "envelopedSignatureTransformNotInSignatureElement");
- }
- return signatureElement;
+ while (true) {
+ if (signatureElement == null
+ || signatureElement.getNodeType() == Node.DOCUMENT_NODE) {
+ break;
+ }
+ Element el = (Element) signatureElement;
+ if (el.getNamespaceURI().equals(Constants.SignatureSpecNS)
+ && el.getLocalName().equals(Constants._TAG_SIGNATURE)) {
+ found = true;
+ break;
+ }
+
+ signatureElement = signatureElement.getParentNode();
+ }
+
+ if (!found) {
+ throw new TransformationException(
+ "transform.envelopedSignatureTransformNotInSignatureElement");
+ }
+ return signatureElement;
}
+
static class EnvelopedNodeFilter implements NodeFilter {
Node exclude;
EnvelopedNodeFilter(Node n) {