Posted to commits@santuario.apache.org by gi...@apache.org on 2015/11/22 12:11:06 UTC
svn commit: r1715624 - in /santuario/xml-security-java/trunk/src:
main/java/org/apache/xml/security/resource/
main/java/org/apache/xml/security/stax/impl/processor/input/
test/java/org/apache/xml/security/test/stax/signature/
Author: giger
Date: Sun Nov 22 11:11:06 2015
New Revision: 1715624
URL: http://svn.apache.org/viewvc?rev=1715624&view=rev
Log:
SANTUARIO-424: Throw an exception if a further signature is found because it is not supported by the stax impl.
Modified:
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/resource/xmlsecurity_de.properties
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/XMLSecurityInputProcessor.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureEncryptionTest.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationTest.java
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/resource/xmlsecurity_de.properties
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/resource/xmlsecurity_de.properties?rev=1715624&r1=1715623&r2=1715624&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/resource/xmlsecurity_de.properties [iso-8859-1] (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/resource/xmlsecurity_de.properties [iso-8859-1] Sun Nov 22 11:11:06 2015
@@ -157,6 +157,7 @@ secureProcessing.AllowMD5Algorithm = Vom
secureProcessing.AllowNotSameDocumentReferences = Externe Referenzen gefunden. Die Verarbeitung von externen Referenzen ist standardm\u00e4ssig ausgeschaltet. Es kann \u00fcber das Konfigurations-Property "AllowNotSameDocumentReferences" aktiviert werden.
secureProcessing.MaximumAllowedXMLStructureDepth = Die Maximum erlaubte Dokumenten-Tiefe von ({0}) wurde erreicht. Die Limite kann \u00fcber das Konfigurations-Property "MaximumAllowedXMLStructureDepth" erh\u00f6ht werden.
secureProcessing.inputStreamLimitReached = Maximal erlaubte Anzahl bytes ({0}) erreicht.
+stax.duplicateActions=Doppelte Actions sind nicht erlaubt.
stax.missingSecurityProperties = SecurityProperties darf nicht null sein\!
stax.noOutputAction = Keine ausgehenden "Actions" definiert.
stax.noKey = Kein Schl\u00fcssel geladen und es konnte kein Schl\u00fcssel gefunden werden f\u00fcr {0}
@@ -183,3 +184,4 @@ stax.ecParametersNotSupported = ECParame
stax.namedCurveMissing = NamedCurve fehlt.
stax.encryption.securePartNotFound = Part zum Verschl\u00fcsseln nicht gefunden: {0}
stax.signature.securePartNotFound = Part zum Signieren nicht gefunden: {0}
+stax.multipleSignaturesNotSupported = Mehrere Signaturen werden nicht unterstützt.
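Review bot: The added German message on the last line carries a raw `ü` while every other non-ASCII character in this file is written as a `\uXXXX` escape (`Schl\u00fcssel`, `Verschl\u00fcsseln` two lines above), so it should read `stax.multipleSignaturesNotSupported = Mehrere Signaturen werden nicht unterst\u00fctzt.`. The header marks the file as iso-8859-1, so the raw byte happens to load today, but it breaks the moment the file is re-saved as UTF-8 or read through a loader that expects escapes, and the user would then see a mangled security error. Keeping the file ASCII-clean like the rest avoids that.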
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties?rev=1715624&r1=1715623&r2=1715624&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties [iso-8859-1] (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties [iso-8859-1] Sun Nov 22 11:11:06 2015
@@ -157,7 +157,7 @@ secureProcessing.AllowMD5Algorithm = The
secureProcessing.AllowNotSameDocumentReferences = External references found. Processing of external references is disabled by default. You can enable it via the \"AllowNotSameDocumentReferences\" property in the configuration.
secureProcessing.MaximumAllowedXMLStructureDepth = Maximum depth ({0}) of the XML structure reached. You can raise the maximum via the \"MaximumAllowedXMLStructureDepth\" property in the configuration.
secureProcessing.inputStreamLimitReached = Maximum byte count ({0}) reached.
-stax.duplicateActions = Duplicate Actions are not allowed
+stax.duplicateActions = Duplicate Actions are not allowed.
stax.missingSecurityProperties = SecurityProperties must not be null!
stax.noOutputAction = No outgoing actions specified.
stax.noKey = Key could not be resolved and no key was loaded for {0}
@@ -184,3 +184,4 @@ stax.ecParametersNotSupported = ECParame
stax.namedCurveMissing = NamedCurve is missing.
stax.encryption.securePartNotFound = Part to encrypt not found: {0}
stax.signature.securePartNotFound = Part to sign not found: {0}
+stax.multipleSignaturesNotSupported = Multiple signatures are not supported.
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/XMLSecurityInputProcessor.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/XMLSecurityInputProcessor.java?rev=1715624&r1=1715623&r2=1715624&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/XMLSecurityInputProcessor.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/impl/processor/input/XMLSecurityInputProcessor.java Sun Nov 22 11:11:06 2015
@@ -81,6 +81,9 @@ public class XMLSecurityInputProcessor e
final XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement();
if (!decryptOnly && xmlSecStartElement.getName().equals(XMLSecurityConstants.TAG_dsig_Signature)) {
+ if (signatureElementFound) {
+ throw new XMLSecurityException("stax.multipleSignaturesNotSupported");
+ }
signatureElementFound = true;
startIndexForProcessor = internalBufferProcessor.getXmlSecEventList().size() - 1;
} else if (xmlSecStartElement.getName().equals(XMLSecurityConstants.TAG_xenc_EncryptedData)) {
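Review bot: The new guard has no comment saying why a second `ds:Signature` is fatal rather than skipped, and that is the security-relevant point of this change: per the log message the StAX implementation only verifies the first Signature it registers (the `signatureElementFound` / `startIndexForProcessor` assignment below the guard), so a further one would otherwise pass through the chain unverified while a consumer counting SignedElement events might assume it was covered. I would add above `if (signatureElementFound) {`: `// SANTUARIO-424: only the first ds:Signature is verified by the StAX impl; fail closed on any further one so an unverified signature cannot flow through silently.` Note the check is keyed on element name alone, so if events inside the first Signature still reach this branch, a ds:Signature nested in ds:Object (a counter-signature) would presumably be rejected as well — worth confirming that is intended and stating it in the comment. The enclosing switch starts before this hunk.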
@@ -122,11 +125,15 @@ public class XMLSecurityInputProcessor e
inputProcessorChain.reset();
xmlSecEvent = inputProcessorChain.processEvent();
+ // no need to catch a possible signature element here because the decrypt processor
+ // is installed before this processor and therefore the decrypted signature element will
+ // flow as normal through this processor.
+ // for safety we do a check if this really true
//check if the decrypted element is a Signature element
if (!decryptOnly && xmlSecEvent.isStartElement() &&
- xmlSecEvent.asStartElement().getName().equals(XMLSecurityConstants.TAG_dsig_Signature)) {
- signatureElementFound = true;
- startIndexForProcessor = internalBufferProcessor.getXmlSecEventList().size() - 1;
+ xmlSecEvent.asStartElement().getName().equals(XMLSecurityConstants.TAG_dsig_Signature) &&
+ !signatureElementFound) {
+ throw new XMLSecurityException("Internal error");
}
}
break;
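Review bot: `throw new XMLSecurityException("Internal error")` on the new throw line passes a literal where the same single-String constructor receives a resource-bundle key everywhere else in this commit (`"stax.multipleSignaturesNotSupported"` in the hunk above), so the text is presumably resolved through the bundle and will surface as a missing-key lookup instead of "Internal error". Add a key to both properties files, e.g. `stax.internalError = Internal error: a decrypted Signature element reached the input processor before it was registered.`, and throw `new XMLSecurityException("stax.internalError")`. The added comment also has a grammar slip: `// for safety we do a check if this really true` should read `// for safety, check that this is really the case`. The enclosing method continues beyond this hunk.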
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureEncryptionTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureEncryptionTest.java?rev=1715624&r1=1715623&r2=1715624&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureEncryptionTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureEncryptionTest.java Sun Nov 22 11:11:06 2015
@@ -120,7 +120,149 @@ public class SignatureEncryptionTest ext
}
@Test
- public void testEnvelopedSignatureEncryption() throws Exception {
+ public void testSignatureEncryptionSameElement() throws Exception {
+ // Set up the Configuration
+ XMLSecurityProperties properties = new XMLSecurityProperties();
+ List<XMLSecurityConstants.Action> actions = new ArrayList<XMLSecurityConstants.Action>();
+ actions.add(XMLSecurityConstants.SIGNATURE);
+ actions.add(XMLSecurityConstants.ENCRYPT);
+ properties.setActions(actions);
+
+ // Set the key up
+ KeyStore keyStore = KeyStore.getInstance("jks");
+ keyStore.load(
+ this.getClass().getClassLoader().getResource("transmitter.jks").openStream(),
+ "default".toCharArray()
+ );
+ Key key = keyStore.getKey("transmitter", "default".toCharArray());
+ properties.setSignatureKey(key);
+ X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
+ properties.setSignatureCerts(new X509Certificate[]{cert});
+
+ // Set the key up
+ SecretKey encryptionKey = generateDESSecretKey();
+ properties.setEncryptionKey(encryptionKey);
+ properties.setEncryptionSymAlgorithm("http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
+
+ SecurePart signatureSecurePart =
+ new SecurePart(new QName("urn:example:po", "PaymentInfo"), SecurePart.Modifier.Element);
+ properties.addSignaturePart(signatureSecurePart);
+
+ SecurePart encryptionSecurePart =
+ new SecurePart(new QName("urn:example:po", "PaymentInfo"), SecurePart.Modifier.Element);
+ properties.addEncryptionPart(encryptionSecurePart);
+
+ OutboundXMLSec outboundXMLSec = XMLSec.getOutboundXMLSec(properties);
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ XMLStreamWriter xmlStreamWriter = outboundXMLSec.processOutMessage(baos, "UTF-8");
+
+ InputStream sourceDocument =
+ this.getClass().getClassLoader().getResourceAsStream(
+ "ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
+ XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(sourceDocument);
+
+ XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
+ xmlStreamWriter.close();
+
+ // System.out.println("Got:\n" + new String(baos.toByteArray(), "UTF-8"));
+ Document document =
+ XMLUtils.createDocumentBuilder(false).parse(new ByteArrayInputStream(baos.toByteArray()));
+
+ // Decrypt using DOM API
+ Document doc =
+ decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", encryptionKey, null, document);
+
+ // Check the CreditCard decrypted ok
+ NodeList nodeList = doc.getElementsByTagNameNS("urn:example:po", "CreditCard");
+ Assert.assertEquals(nodeList.getLength(), 1);
+
+ // Verify using DOM
+ verifyUsingDOM(document, cert, properties.getSignatureSecureParts());
+
+ TestSecurityEventListener testSecurityEventListener =
+ verifyUsingStAX(baos.toByteArray(), encryptionKey, cert.getPublicKey());
+
+ Assert.assertEquals(1, testSecurityEventListener.getSecurityEvents(SecurityEventConstants.SignedElement).size());
+ Assert.assertEquals(1, testSecurityEventListener.getSecurityEvents(SecurityEventConstants.EncryptedElement).size());
+ }
+
+ @Test
+ public void testEnvelopedSignatureEncryptionElement() throws Exception {
+ // Set up the Configuration
+ XMLSecurityProperties properties = new XMLSecurityProperties();
+ List<XMLSecurityConstants.Action> actions = new ArrayList<XMLSecurityConstants.Action>();
+ actions.add(XMLSecurityConstants.SIGNATURE);
+ actions.add(XMLSecurityConstants.ENCRYPT);
+ properties.setActions(actions);
+
+ // Set the key up
+ KeyStore keyStore = KeyStore.getInstance("jks");
+ keyStore.load(
+ this.getClass().getClassLoader().getResource("transmitter.jks").openStream(),
+ "default".toCharArray()
+ );
+ Key key = keyStore.getKey("transmitter", "default".toCharArray());
+ properties.setSignatureKey(key);
+ X509Certificate cert = (X509Certificate) keyStore.getCertificate("transmitter");
+ properties.setSignatureCerts(new X509Certificate[]{cert});
+
+ // Set the key up
+ SecretKey encryptionKey = generateDESSecretKey();
+ properties.setEncryptionKey(encryptionKey);
+ properties.setEncryptionSymAlgorithm("http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
+
+ SecurePart signatureSecurePart =
+ new SecurePart(
+ new QName("urn:example:po", "PurchaseOrder"),
+ SecurePart.Modifier.Content,
+ new String[]{
+ "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
+ "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
+ },
+ "http://www.w3.org/2000/09/xmldsig#sha1"
+ );
+ properties.addSignaturePart(signatureSecurePart);
+
+ SecurePart encryptionSecurePart =
+ new SecurePart(new QName("urn:example:po", "PurchaseOrder"), SecurePart.Modifier.Element);
+ properties.addEncryptionPart(encryptionSecurePart);
+
+ OutboundXMLSec outboundXMLSec = XMLSec.getOutboundXMLSec(properties);
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ XMLStreamWriter xmlStreamWriter = outboundXMLSec.processOutMessage(baos, "UTF-8");
+
+ InputStream sourceDocument =
+ this.getClass().getClassLoader().getResourceAsStream(
+ "ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml");
+ XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(sourceDocument);
+
+ XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
+ xmlStreamWriter.close();
+
+ // System.out.println("Got:\n" + new String(baos.toByteArray(), "UTF-8"));
+ Document document =
+ XMLUtils.createDocumentBuilder(false).parse(new ByteArrayInputStream(baos.toByteArray()));
+
+ // Decrypt using DOM API
+ Document doc =
+ decryptUsingDOM("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", encryptionKey, null, document);
+
+ // Check the CreditCard decrypted ok
+ NodeList nodeList = doc.getElementsByTagNameNS("urn:example:po", "CreditCard");
+ Assert.assertEquals(nodeList.getLength(), 1);
+
+ // Verify using DOM
+ verifyUsingDOM(document, cert, properties.getSignatureSecureParts());
+
+ TestSecurityEventListener testSecurityEventListener =
+ verifyUsingStAX(baos.toByteArray(), encryptionKey, cert.getPublicKey());
+
+ Assert.assertEquals(1, testSecurityEventListener.getSecurityEvents(SecurityEventConstants.SignedElement).size());
+ Assert.assertEquals(1, testSecurityEventListener.getSecurityEvents(SecurityEventConstants.EncryptedElement).size());
+ }
+
+ @Test
+ public void testEnvelopedSignatureEncryptionContent() throws Exception {
// Set up the Configuration
XMLSecurityProperties properties = new XMLSecurityProperties();
List<XMLSecurityConstants.Action> actions = new ArrayList<XMLSecurityConstants.Action>();
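Review bot: `Assert.assertEquals(nodeList.getLength(), 1)` in both new tests puts the actual value in the expected slot, so a failure prints the message backwards; the other assertions in the same methods already use `Assert.assertEquals(1, ...)`, so these should become `Assert.assertEquals(1, nodeList.getLength());`. The two new tests also repeat roughly sixty lines of keystore, key and writer setup verbatim; a private helper returning the configured `XMLSecurityProperties` would leave the SecurePart modifiers and transforms as the only thing a reader has to compare. `testEnvelopedSignatureEncryptionElement` appears to be the case where the enveloped Signature ends up inside the encrypted PurchaseOrder and so exercises the decrypted-Signature path of the processor change; a one-line comment above it saying so would make that intent explicit. `testEnvelopedSignatureEncryptionContent` continues beyond this hunk.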
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationTest.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationTest.java?rev=1715624&r1=1715623&r2=1715624&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationTest.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureVerificationTest.java Sun Nov 22 11:11:06 2015
@@ -244,7 +244,6 @@ public class SignatureVerificationTest e
}
@Test
- @org.junit.Ignore
public void testMultipleSignatures() throws Exception {
// Read in plaintext document
InputStream sourceDocument =
@@ -297,7 +296,11 @@ public class SignatureVerificationTest e
XMLStreamReader securityStreamReader =
inboundXMLSec.processInMessage(xmlStreamReader, null, securityEventListener);
- StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
+ try {
+ StAX2DOM.readDoc(XMLUtils.createDocumentBuilder(false), securityStreamReader);
+ } catch (XMLStreamException ex) {
+ Assert.assertEquals("Multiple signatures are not supported.", ex.getCause().getMessage());
+ }
}
@Test
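Review bot: The new try/catch passes silently when `StAX2DOM.readDoc` returns without throwing, so the test no longer proves that a second signature is rejected — which is exactly the behaviour this commit introduces and the reason the `@Ignore` was removed. Add `Assert.fail("Expected XMLStreamException for multiple signatures");` directly after the `readDoc` call inside the try block. Matching on the English message text also ties the test to the default locale; asserting on the cause's exception type, or on the message key if the exception exposes one, would be more robust. The enclosing test method begins before this hunk.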