Posted to commits@santuario.apache.org by mu...@apache.org on 2014/04/16 23:31:53 UTC
svn commit: r1588077 - in /santuario/xml-security-java/trunk/src:
main/java/org/apache/xml/security/utils/XMLUtils.java
test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java
Author: mullan
Date: Wed Apr 16 21:31:53 2014
New Revision: 1588077
URL: http://svn.apache.org/r1588077
Log:
XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String
Modified:
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/utils/XMLUtils.java
santuario/xml-security-java/trunk/src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/utils/XMLUtils.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/utils/XMLUtils.java?rev=1588077&r1=1588076&r2=1588077&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/utils/XMLUtils.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/utils/XMLUtils.java Wed Apr 16 21:31:53 2014
@@ -917,7 +917,7 @@ public final class XMLUtils {
*/
public static boolean protectAgainstWrappingAttack(Node startNode, String value) {
String id = value.trim();
- if (id.charAt(0) == '#') {
+ if (!id.isEmpty() && id.charAt(0) == '#') {
id = id.substring(1);
}
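Review bot: `value.trim()` on the line above the changed condition still throws a NullPointerException when `value` is null, and after this fix an empty value or a bare `#` continues into the rest of the method with `id` equal to `""`. For a check whose job is to reject signature-wrapping input, the result for such a degenerate ID should be decided explicitly rather than left to whatever the ID scan does with an empty string. That scan lies outside this hunk, so its behaviour for `""` needs confirming. I would add an explicit null check ahead of the trim and state the contract in the Javadoc, for example `@param value the ID or same-document URI; must not be null; an empty value or a bare "#" names no element`. The same applies to the three-argument overload in the next hunk.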
@@ -981,7 +981,7 @@ public final class XMLUtils {
Node startNode, Element knownElement, String value
) {
String id = value.trim();
- if (id.charAt(0) == '#') {
+ if (!id.isEmpty() && id.charAt(0) == '#') {
id = id.substring(1);
}
Modified: santuario/xml-security-java/trunk/src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java?rev=1588077&r1=1588076&r2=1588077&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java Wed Apr 16 21:31:53 2014
@@ -337,6 +337,35 @@ public class XMLSignatureTest extends or
throw new Exception("Object namespace definition not retained");
}
+ @org.junit.Test
+ public void testCreateSignatureWithEmptyId() throws Exception {
+ // create references
+ DigestMethod dm = fac.newDigestMethod(DigestMethod.SHA1, null);
+ List<Reference> refs = Collections.singletonList
+ (fac.newReference("#", dm));
+
+ // create SignedInfo
+ CanonicalizationMethod cm = fac.newCanonicalizationMethod
+ (CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null);
+ SignedInfo si = fac.newSignedInfo(cm, SIG_METHODS[1], refs);
+
+ // create object with empty id
+ Document doc = TestUtils.newDocument();
+ XMLObject obj = fac.newXMLObject(Collections.singletonList
+ (new DOMStructure(doc.createTextNode("I am the text."))),
+ "", "text/plain", null);
+
+ KeyInfo ki = kifac.newKeyInfo(Collections.singletonList
+ (kifac.newKeyValue((PublicKey) VALIDATE_KEYS[1])));
+
+ // create XMLSignature
+ XMLSignature sig = fac.newXMLSignature(si, ki,
+ Collections.singletonList(obj),
+ "signature", null);
+ DOMSignContext dsc = new DOMSignContext(SIGN_KEYS[1], doc);
+ sig.sign(dsc);
+ }
+
private SignedInfo createSignedInfo(SignatureMethod sm) throws Exception {
// set up the building blocks
CanonicalizationMethod cm = fac.newCanonicalizationMethod
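Review bot: The new test passes only because `sig.sign(dsc)` does not throw; it asserts nothing about the produced signature and never runs validation, so the hunk does not show that both patched `protectAgainstWrappingAttack` overloads are reached. The two-argument method is public and static, so a direct test could pin its return value for `""`, `"#"` and a whitespace-only value, which would document the intended result for degenerate IDs in the wrapping-attack check. A comment above the test such as `// Regression: an empty Id or a bare "#" URI used to throw StringIndexOutOfBoundsException` would also explain why there is no assertion. The trailing context lines belong to createSignedInfo, whose body continues outside the hunk.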