You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by co...@apache.org on 2021/08/23 11:31:28 UTC
[santuario-xml-security-java] branch 2.2.x-fixes updated:
SANTUARIO-572 - Disallow a KeyInfoReference to refer to a RetrievalMethod
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 2.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/santuario-xml-security-java.git
The following commit(s) were added to refs/heads/2.2.x-fixes by this push:
new faae16e SANTUARIO-572 - Disallow a KeyInfoReference to refer to a RetrievalMethod
faae16e is described below
commit faae16ed620df0f66acefd1fea35ea47c39ef160
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Aug 11 08:57:14 2021 +0100
SANTUARIO-572 - Disallow a KeyInfoReference to refer to a RetrievalMethod
---
.../implementations/KeyInfoReferenceResolver.java | 3 ++-
.../security/resource/xmlsecurity_en.properties | 3 ++-
.../xml/security/signature/XMLSignatureInput.java | 2 +-
.../transforms/implementations/TransformXPath.java | 6 +-----
.../keyresolver/KeyInfoReferenceResolverTest.java | 21 +++++++++++++++++++++
.../KeyInfoReference-RSA-RetrievalMethod.xml | 22 ++++++++++++++++++++++
6 files changed, 49 insertions(+), 8 deletions(-)
diff --git a/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java b/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
index 9d2a8df..9641632 100644
--- a/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
+++ b/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
@@ -158,6 +158,7 @@ public class KeyInfoReferenceResolver extends KeyResolverSpi {
validateReference(referentElement, secureValidation);
KeyInfo referent = new KeyInfo(referentElement, baseURI);
+ referent.setSecureValidation(secureValidation);
referent.addStorageResolver(storage);
return referent;
}
@@ -177,7 +178,7 @@ public class KeyInfoReferenceResolver extends KeyResolverSpi {
}
KeyInfo referent = new KeyInfo(referentElement, "");
- if (referent.containsKeyInfoReference()) {
+ if (referent.containsKeyInfoReference() || referent.containsRetrievalMethod()) {
if (secureValidation) {
throw new XMLSecurityException("KeyInfoReferenceResolver.InvalidReferentElement.ReferenceWithSecure");
} else {
diff --git a/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties b/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties
index adb3146..0543720 100644
--- a/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties
+++ b/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties
@@ -126,6 +126,7 @@ signature.Transform.ForbiddenTransform = Transform {0} is forbidden when secure
signature.Transform.NotYetImplemented = Transform {0} not yet implemented
signature.Transform.NullPointerTransform = Null pointer as URI. Programming bug?
signature.Transform.UnknownTransform = Unknown transformation. No handler installed for URI {0}
+signature.Transform.XPathError = Error evaluating XPath expression
signature.Transform.node = Current Node: {0}
signature.Transform.nodeAndType = Current Node: {0}, type: {1}
signature.Util.BignumNonPositive = bigInteger.signum() must be positive
@@ -196,4 +197,4 @@ stax.signature.keyNameMissing = KeyName not configured.
stax.keyNotFoundForName = No key configured for KeyName: {0}
stax.keyTypeNotSupported = Key of type {0} not supported for a KeyName lookup
stax.idsetbutnotgenerated = An Id attribute is specified, but Id generation is disabled
-stax.idgenerationdisablewithmultipleparts = Id generation must not be disabled when multiple parts need signing
\ No newline at end of file
+stax.idgenerationdisablewithmultipleparts = Id generation must not be disabled when multiple parts need signing
diff --git a/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java b/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
index 43882cc..7a5f8bc 100644
--- a/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
+++ b/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
@@ -541,7 +541,7 @@ public class XMLSignatureInput {
convertToNodes();
} catch (Exception e) {
throw new XMLSecurityRuntimeException(
- "signature.XMLSignatureInput.nodesetReference", e
+ "signature.XMLSignatureInput.nodesetReference"
);
}
}
diff --git a/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java b/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java
index e1a10b6..c8c019e 100644
--- a/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java
+++ b/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java
@@ -140,11 +140,7 @@ public class TransformXPath extends TransformSpi {
}
return 0;
} catch (TransformerException e) {
- Object[] eArgs = {currentNode};
- throw new XMLSecurityRuntimeException("signature.Transform.node", eArgs, e);
- } catch (Exception e) {
- Object[] eArgs = {currentNode, currentNode.getNodeType()};
- throw new XMLSecurityRuntimeException("signature.Transform.nodeAndType",eArgs, e);
+ throw new XMLSecurityRuntimeException("signature.Transform.XPathError");
}
}
diff --git a/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java b/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java
index d4f5608..2f81cfd 100644
--- a/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java
+++ b/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java
@@ -125,6 +125,19 @@ public class KeyInfoReferenceResolverTest {
assertNull(keyInfo.getPublicKey());
}
+ @org.junit.jupiter.api.Test
+ public void testKeyInfoReferenceToRetrievalMethodNotAllowed() throws Exception {
+ Document doc = loadXML("KeyInfoReference-RSA-RetrievalMethod.xml");
+ markKeyInfoIdAttrs(doc);
+ markEncodedKeyValueIdAttrs(doc);
+
+ Element referenceElement = doc.getElementById("theReference");
+ assertNotNull(referenceElement);
+
+ KeyInfo keyInfo = new KeyInfo(referenceElement, "");
+ assertNull(keyInfo.getPublicKey());
+ }
+
// Utility methods
private String getControlFilePath(String fileName) {
@@ -160,4 +173,12 @@ public class KeyInfoReferenceResolverTest {
}
}
+ private void markEncodedKeyValueIdAttrs(Document doc) {
+ NodeList nl = doc.getElementsByTagNameNS(Constants.SignatureSpec11NS, Constants._TAG_DERENCODEDKEYVALUE);
+ for (int i = 0; i < nl.getLength(); i++) {
+ Element keyInfoElement = (Element) nl.item(i);
+ keyInfoElement.setIdAttributeNS(null, Constants._ATT_ID, true);
+ }
+ }
+
}
\ No newline at end of file
diff --git a/src/test/resources/org/apache/xml/security/keyresolver/KeyInfoReference-RSA-RetrievalMethod.xml b/src/test/resources/org/apache/xml/security/keyresolver/KeyInfoReference-RSA-RetrievalMethod.xml
new file mode 100644
index 0000000..f34e3d5
--- /dev/null
+++ b/src/test/resources/org/apache/xml/security/keyresolver/KeyInfoReference-RSA-RetrievalMethod.xml
@@ -0,0 +1,22 @@
+<test:root xmlns:test="http://www.example.org/test">
+
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="theRealKey">
+ <dsig11:DEREncodedKeyValue Id="theRealKey2" xmlns:dsig11="http://www.w3.org/2009/xmldsig11#">
+ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmDnHagSzfia3N7jOaMSp4VIZjK2lxZgN
+ X/2z98YLp1XE3cvpP+mOvX3gENWQuX3uoix+2qroZ0BFHzhzf4E7is5Q9+42ZFi5naFk3c/B0Q8A
+ jtHtWUEZ8VPPBZggz6uJ1ttJS7YDP6XVjaw6SN1bJSD4/lWNIVsh95kuhunbOef6x/kyIbBz9wF4
+ S0//G6zPD4GG7/jJ+sDXe+bAgPB1qwhLhrK3N1jGuDZkGGcY/c4b7aba0B0rognwKlygv16GoA/n
+ zWehxih7clhmMTzP2VWa3Q2GcN8ETe00dz68KtS7GF6W15qftjUvRXEKSoPz86ZsP30jIH1tvIrs
+ qSh/kwIDAQAB
+ </dsig11:DEREncodedKeyValue>
+ </ds:KeyInfo>
+
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="retrievalMethod">
+ <ds:RetrievalMethod URI="#theRealKey2"/>
+ </ds:KeyInfo>
+
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="theReference">
+ <dsig11:KeyInfoReference xmlns:dsig11="http://www.w3.org/2009/xmldsig11#" URI="#retrievalMethod" />
+ </ds:KeyInfo>
+
+</test:root>