Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/04/14 07:37:00 UTC

[jira] [Commented] (SANTUARIO-538) SignatureCreateReferenceURIResolverTest gives false positives

    [ https://issues.apache.org/jira/browse/SANTUARIO-538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17082947#comment-17082947 ] 

Colm O hEigeartaigh commented on SANTUARIO-538:
-----------------------------------------------

[~peterdm] Good catch. I've added the functionality in OutboundXMLSec to properly set the SignedParts when they have external references, and the tests now correctly add the external references. Please check if the OutboundXMLSec changes require an update to some of your other patches, and I'll get to them later in the week.

> SignatureCreateReferenceURIResolverTest gives false positives
> -------------------------------------------------------------
>
>                 Key: SANTUARIO-538
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-538
>             Project: Santuario
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: Java 2.1.5
>            Reporter: Peter De Maeyer
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: Java 2.2.0
>
>
> {{SignatureCreationReferenceURIResolverTest.testSignatureCreationWithExternal*}} gives false positives.
> The essence of these tests seems to be a {{SecurePart}} that has an external reference.
> These secure parts never match anything, in spite of the fact that they are required (by default).
> The reason they don't fail is because {{OutboundXMLSec.processOutMessage}} ignores them: because they have no {{getIdToSign()}}, no {{getName()}} and no {{isSecureEntireRequest()}}, they are never put ({{putAsMap}}) in the security context.
> You can just as well remove them from the tests, and the tests are still green.
> An example of a code snippet from {{SignatureCreationReferenceURIResolverTest}}:
> {code}
> File file = new File(BASEDIR + 
>                      "/src/test/resources/ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml").getCanonicalFile();
> // Below securePart is ignored, nothing is verified, test is falsely green.
> securePart = new SecurePart(file.toURI().toString(),
>         new String[]{"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"},
>         XMLSecurityConstants.NS_XMLDSIG_SHA1);
> properties.addSignaturePart(securePart);
> {code}
> If someone could explain to me what the intent of this feature is, I would be happy to fix them.
> I have the vague impression that they're tests for a feature that has not been implemented.
> I bumped into this in the context of SANTUARIO-532, where {{SignatureCreationReferenceURIResolverTest}} started failing on the requiredness once I no longer ignore the secure parts in {{OutboundXMLSec.processOutMessage}}.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
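
The false green described in the issue can be caught by asserting on the signed output itself: the test should fail unless `ds:SignedInfo` contains a `ds:Reference` whose URI is the external resource the `SecurePart` named. The following is an added example, not code from the original message or from the Santuario code base; it uses only JDK DOM APIs, and the class name `ReferenceUriCheck`, its method names, the sample signature and the file URI are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ReferenceUriCheck {  // hypothetical helper, not a Santuario class
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Collect the URI attribute of every ds:Reference inside ds:SignedInfo.
    static List<String> signedReferenceUris(byte[] signedXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so parsing test output cannot trigger XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(signedXml));
        List<String> uris = new ArrayList<>();
        NodeList infos = doc.getElementsByTagNameNS(DSIG_NS, "SignedInfo");
        for (int i = 0; i < infos.getLength(); i++) {
            NodeList refs = ((Element) infos.item(i)).getElementsByTagNameNS(DSIG_NS, "Reference");
            for (int j = 0; j < refs.getLength(); j++) {
                uris.add(((Element) refs.item(j)).getAttribute("URI"));
            }
        }
        return uris;
    }

    // Fails loudly when a part the test asked to sign produced no Reference.
    static void assertReferenced(byte[] signedXml, String expectedUri) throws Exception {
        List<String> uris = signedReferenceUris(signedXml);
        if (!uris.contains(expectedUri)) {
            throw new AssertionError("no ds:Reference for " + expectedUri + ", found " + uris);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a signature that only references the enclosing document.
        String xml = "<doc><ds:Signature xmlns:ds='" + DSIG_NS + "'><ds:SignedInfo>"
                + "<ds:Reference URI=''/></ds:SignedInfo></ds:Signature></doc>";
        byte[] signed = xml.getBytes(StandardCharsets.UTF_8);
        assertReferenced(signed, "");  // passes: the same-document reference is present
        try {
            assertReferenced(signed, "file:/constructed/plaintext.xml");  // constructed URI
            throw new IllegalStateException("expected the check to fail");
        } catch (AssertionError expected) {
            System.out.println("caught: " + expected.getMessage());
        }
    }
}
```

A test built this way turns red when the secure part is silently dropped, and also when the secure part is deleted from the test while the assertion stays.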