Posted to commits@santuario.apache.org by "Peter De Maeyer (Jira)" <ji...@apache.org> on 2020/02/09 13:13:00 UTC

[jira] [Commented] (SANTUARIO-525) Base64 encoded elements contain "&#xd;" entity references

    [ https://issues.apache.org/jira/browse/SANTUARIO-525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17033192#comment-17033192 ] 

Peter De Maeyer commented on SANTUARIO-525:
-------------------------------------------

Pull request created:
* Made Base64 line length and separator configurable on {{XMLSecurityProperties}}.
* Used a thread-local on {{XMLUtils}} to hold the Base64 parameters per thread. The alternative is to pass them as parameters to {{XMLUtils.encode}}, which is what I started doing at first, but it led to a lot more code changes since the parameters have to be passed everywhere through the whole call stack. The approach with the thread-local seemed like a good alternative, certainly no worse than the configuration with the system property.
* Removed some ad-hoc usages of the static calls to {{XMLUtils.ignoreLineBreaks}} and {{isIgnoreLineBreaks}}.
* Deprecated both static methods {{ignoreLineBreaks}} and {{isIgnoreLineBreaks}}, because the new mechanism for configuring Base64 parameters is far more flexible. I considered removing those methods, but I decided not to because they're part of the public API of Santuario and it's probably not a good idea to remove them just yet.
* Kept the default CRLF and system property for backward compatibility. I considered removing the system property, but decided not to because I didn't want to affect existing behavior too much. It would be best to remove it at some point though.
* Added unit tests, including a test for concurrent usage.

> Base64 encoded elements contain "&#xd;" entity references
> ---------------------------------------------------------
>
>                 Key: SANTUARIO-525
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-525
>             Project: Santuario
>          Issue Type: Improvement
>          Components: Java
>    Affects Versions: Java 2.1.4
>            Reporter: Peter De Maeyer
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> Base64 elements resulting from signing or encryption contain ugly entity reference "&#xd;", which is the encoded carriage return. The reason is that the RFC 4648 Base64 encoder uses CRLF as line separator, but XML encodes it as "&#xd;".
> This has a couple of drawbacks:
> * It prevents textual copy-pasting of content in the XML document as Base64, since the "&#xd;" itself is not part of the Base64 encoding and causes the copied text to be invalid as Base64.
> {code:xml}
>   <PaymentInfo><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="G1b451a56-51d2-4c77-ba0b-38e520f930cb" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="EK1699d223-498c-4f78-876c-8f40bf1fde08"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>sO0Jq5RHTq1FLCrp0tHvEbnD098pdRedo8n3fW1hwO9iRIZgmTsebCFtUahszR8EjAQeF0/kaukT&#xd;
> zrZVlhI7USL11T8/GKjCOgzoLgqXFq2bwMgqdpuInvMTWu26kujLpwz3FuqVT7+dPj3L7H37z6iT&#xd;
> PS9vuM5jBBdrR+4v9Sw=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo><xenc:CipherData><xenc:CipherValue>VHzeKRWn0OReM+8PnXZ05oum2WYfmr8UM+cr9xFmPZ2gkT9vt8oth3NcqTyXReLdzqQTrKdZE/Le&#xd;
> K8PnhehDsZQ2qRc7RLp1UxJcJOrEseefwjUT6HVCicjbgleL9k60GZCnw6vigLCB6Q5/GXKXIL9K&#xd;
> 1vYaYtZNoYtR+zSRSQikoNPK4U9RgVOeg2/OxtdNo0ZOhbLCFO8frjC9+krPxlJ708NAZ1wn5/b6&#xd;
> sB+WLNicPeg+ldNNH2dzHKIZe0DlgdVsiQHWFCOelAmFdbg4YaUaga8IrnKcIg8lUWEFmlCN2nqy&#xd;
> IJLnnnhRuAo7Gh9r4imXhXJ9GiqkayRmNP02j9MxHVckZwWHcRAqf5ujiqU=&#xd;
> </xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></PaymentInfo>
> {code}
> As an improvement, I suggest to make this configurable.
> To some extent, that is already the case: using the system property "org.apache.xml.security.ignoreLineBreaks" it is already possible to disable Base64 line breaks altogether.
> I'm suggesting to make it more configurable per encryption, on the {{XMLSecurityProperties}} themselves.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
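The mechanism behind the issue above (CRLF-wrapped Base64 becomes "&#xd;" once it is serialized as XML text, and the copied text then no longer decodes) and the three settings the comment makes configurable (line length, separator, no line breaks at all), shown as an added illustration in Python. This is not Santuario code and claims nothing about Santuario's serializer or the names of the new XMLSecurityProperties setters; the 76-character line length and CRLF default mirror the MIME-style encoder defaults the issue refers to, the sample payload is constructed, and the strict/lenient decoders are ordinary Python base64 behaviour used as stand-ins for what an XML consumer or a copy-pasting user might run.

```python
"""CRLF line breaks in Base64 vs. XML text content: an added illustration,
not Santuario code. The payload, element and decoders are constructed here."""
import base64
import binascii
import xml.etree.ElementTree as ET
from typing import Optional

XENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Constructed payload standing in for an encrypted key: 120 bytes -> 160 Base64
# characters, i.e. three lines at the MIME-style line length of 76.
SAMPLE = bytes(range(120))


def encode_wrapped(data: bytes, line_length: int = 76, separator: str = "\r\n") -> str:
    """RFC 4648 Base64, wrapped every `line_length` chars with `separator`
    (76 / CRLF are the MIME-encoder defaults the issue describes).
    line_length <= 0 means one unbroken line, like ignoreLineBreaks."""
    raw = base64.b64encode(data).decode("ascii")
    if line_length <= 0:
        return raw
    return separator.join(raw[i:i + line_length] for i in range(0, len(raw), line_length))


def escape_text_node(text: str) -> str:
    """Serialize a string as XML text content. '&', '<' and '>' are escaped, and a
    literal CR must become a character reference: XML 1.0 section 2.11 has parsers
    normalise a bare CR (or CRLF) to LF, so a raw CR could not round-trip.
    Lowercase &#xd; is used to match the output quoted in the issue."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\r", "&#xd;"))


def cipher_value(data: bytes, line_length: int = 76, separator: str = "\r\n") -> str:
    """A serialized <xenc:CipherValue> element carrying `data`."""
    return ('<xenc:CipherValue xmlns:xenc="%s">%s</xenc:CipherValue>'
            % (XENC_NS, escape_text_node(encode_wrapped(data, line_length, separator))))


def copied_text(element_xml: str) -> str:
    """What a user gets by selecting the element content in a text editor:
    the raw serialized characters, entity references included."""
    return element_xml[element_xml.index(">") + 1:element_xml.rindex("<")]


def parsed_text(element_xml: str) -> str:
    """What an XML parser hands back instead: &#xd; is resolved to a real CR."""
    return ET.fromstring(element_xml).text


def decode_base64_strict(text: str) -> Optional[bytes]:
    """Decoder a careful consumer would use: whitespace (space, tab, CR, LF) is
    allowed inside base64Binary content, anything else outside the alphabet is an
    error. Returns None instead of raising so callers can assert on the outcome."""
    stripped = "".join(text.split())
    try:
        return base64.b64decode(stripped, validate=True)
    except binascii.Error:
        return None


def decode_base64_lenient(text: str) -> Optional[bytes]:
    """Python's default (MIME-decoder-style) behaviour: characters outside the
    alphabet are silently dropped. In "&#xd;" only '&', '#' and ';' are dropped;
    'x' and 'd' are alphabet characters and get spliced into the data stream,
    so the result is corrupted rather than rejected."""
    try:
        return base64.b64decode(text)
    except binascii.Error:
        return None


def demo() -> dict:
    crlf = cipher_value(SAMPLE)                        # default: 76 / CRLF
    lf = cipher_value(SAMPLE, separator="\n")          # configurable separator
    one_line = cipher_value(SAMPLE, line_length=0)     # no line breaks at all
    return {
        "crlf_has_entity": "&#xd;" in crlf,
        "crlf_copied_strict": decode_base64_strict(copied_text(crlf)),    # None
        "crlf_copied_lenient": decode_base64_lenient(copied_text(crlf)),  # 123 wrong bytes
        "crlf_parsed": decode_base64_strict(parsed_text(crlf)),           # == SAMPLE
        "lf_has_entity": "&#xd;" in lf,
        "lf_copied_strict": decode_base64_strict(copied_text(lf)),        # == SAMPLE
        "one_line_copied_strict": decode_base64_strict(copied_text(one_line)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        ok = value if isinstance(value, bool) else (value == SAMPLE)
        print("%-24s %s" % (key, ok))
```

Two things worth noting from the run. First, the "&#xd;" is only a problem for text copied out of the serialized document; a real XML parser resolves the reference back to CR, which every Base64 decoder that tolerates whitespace then skips, so signature and decryption code that parses the document is unaffected either way. Second, a lenient decoder fed the copied text does not fail: it keeps the "x" and "d" of each "&#xd;" as Base64 digits and returns plausible-looking but wrong bytes, which is a worse failure mode than the strict decoder's outright rejection. Switching the separator to LF, or dropping line breaks, removes the entity reference from the serialized form and makes the copied text decode cleanly.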