8275082: Update XML Security for Java to 2.3.0
Reviewed-by: mullan
parent
70bad89b01
commit
2c31a1735d
@ -84,7 +84,7 @@ public class Init {
|
||||
}
|
||||
|
||||
@SuppressWarnings("removal")
|
||||
InputStream is =
|
||||
InputStream is = //NOPMD
|
||||
AccessController.doPrivileged(
|
||||
(PrivilegedAction<InputStream>)
|
||||
() -> {
|
||||
@ -351,6 +351,9 @@ public class Init {
|
||||
* @param callingClass The Class object of the calling object
|
||||
*/
|
||||
public static URL getResource(String resourceName, Class<?> callingClass) {
|
||||
if (resourceName == null) {
|
||||
throw new NullPointerException();
|
||||
}
|
||||
URL url = Thread.currentThread().getContextClassLoader().getResource(resourceName);
|
||||
if (url == null && resourceName.charAt(0) == '/') {
|
||||
//certain classloaders need it without the leading /
|
||||
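Review bot: The null guard added at the top of getResource does not cover the empty string, and `resourceName.charAt(0)` a few lines further down throws StringIndexOutOfBoundsException for `""`; the guard added to getResources (hunk at 407) and the rewritten `ret.isEmpty() && resourceName.charAt(0) != '/'` test (hunk at 485) have the same gap. A guard such as `if (resourceName == null || resourceName.isEmpty()) { throw new IllegalArgumentException("resourceName must be non-empty"); }` closes it in one place, or, if the bare NullPointerException is deliberate, at least `Objects.requireNonNull(resourceName, "resourceName");` so the failure names the argument. getResource's body continues outside the hunk.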
@ -404,6 +407,9 @@ public class Init {
|
||||
* @param callingClass The Class object of the calling object
|
||||
*/
|
||||
private static List<URL> getResources(String resourceName, Class<?> callingClass) {
|
||||
if (resourceName == null) {
|
||||
throw new NullPointerException();
|
||||
}
|
||||
List<URL> ret = new ArrayList<>();
|
||||
Enumeration<URL> urls = new Enumeration<URL>() {
|
||||
public boolean hasMoreElements() {
|
||||
@ -479,7 +485,7 @@ public class Init {
|
||||
}
|
||||
|
||||
|
||||
if (ret.isEmpty() && resourceName != null && resourceName.charAt(0) != '/') {
|
||||
if (ret.isEmpty() && resourceName.charAt(0) != '/') {
|
||||
return getResources('/' + resourceName, callingClass);
|
||||
}
|
||||
return ret;
|
||||
|
@ -309,7 +309,7 @@ public abstract class IntegrityHmac extends SignatureAlgorithmSpi {
|
||||
Node n = XMLUtils.selectDsNode(element.getFirstChild(), Constants._TAG_HMACOUTPUTLENGTH, 0);
|
||||
if (n != null) {
|
||||
String hmacLength = XMLUtils.getFullTextChildrenFromNode(n);
|
||||
if (hmacLength != null && !"".equals(hmacLength)) {
|
||||
if (hmacLength != null && hmacLength.length() != 0) {
|
||||
this.hmacOutputLength = new HMACOutputLength(Integer.parseInt(hmacLength));
|
||||
}
|
||||
}
|
||||
|
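Review bot: `Integer.parseInt(hmacLength)` on the line after the rewritten length check still lets a non-numeric `<HMACOutputLength>` escape as an unchecked NumberFormatException, and that element comes from the signature document being verified rather than from trusted configuration. A malformed value should surface as the same kind of error the rest of the verification path reports, e.g. `catch (NumberFormatException e) { throw new XMLSignatureException(e); }` wrapped in whatever checked exception the enclosing method declares; its signature is outside the hunk. The rewrite from `"".equals(hmacLength)` to `hmacLength.length() != 0` itself is equivalent because the null check precedes it.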
@ -125,7 +125,7 @@ public abstract class Canonicalizer20010315 extends CanonicalizerBase {
|
||||
* Output the Attr[]s for the given element.
|
||||
* <br>
|
||||
* The code of this method is a copy of
|
||||
* {@link #outputAttributes(Element, NameSpaceSymbTable, Map)},
|
||||
* {@link #outputAttributes(Element, NameSpaceSymbTable, Map, OutputStream)},
|
||||
* whereas it takes into account that subtree-c14n is -- well -- subtree-based.
|
||||
* So if the element in question isRoot of c14n, it's parent is not in the
|
||||
* node set, as well as all other ancestors.
|
||||
|
@ -211,7 +211,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
|
||||
Node sibling = null;
|
||||
Node parentNode = null;
|
||||
Map<String, byte[]> cache = new HashMap<>();
|
||||
do {
|
||||
do { //NOPMD
|
||||
switch (currentNode.getNodeType()) {
|
||||
|
||||
case Node.ENTITY_NODE :
|
||||
@ -338,7 +338,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
|
||||
Node parentNode = null;
|
||||
int documentLevel = NODE_BEFORE_DOCUMENT_ELEMENT;
|
||||
Map<String, byte[]> cache = new HashMap<>();
|
||||
do {
|
||||
do { //NOPMD
|
||||
switch (currentNode.getNodeType()) {
|
||||
|
||||
case Node.ENTITY_NODE :
|
||||
@ -560,7 +560,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
|
||||
}
|
||||
parents.clear();
|
||||
Attr nsprefix = ns.getMappingWithoutRendered(XMLNS);
|
||||
if (nsprefix != null && "".equals(nsprefix.getValue())) {
|
||||
if (nsprefix != null && nsprefix.getValue().length() == 0) {
|
||||
ns.addMappingAndRender(
|
||||
XMLNS, "", getNullNode(nsprefix.getOwnerDocument()));
|
||||
}
|
||||
|
@ -110,7 +110,7 @@ public class CanonicalizerPhysical extends CanonicalizerBase {
|
||||
* Output the Attr[]s for the given element.
|
||||
* <br>
|
||||
* The code of this method is a copy of
|
||||
* {@link #outputAttributes(Element, NameSpaceSymbTable, Map)},
|
||||
* {@link #outputAttributes(Element, NameSpaceSymbTable, Map, OutputStream)},
|
||||
* whereas it takes into account that subtree-c14n is -- well -- subtree-based.
|
||||
* So if the element in question isRoot of c14n, it's parent is not in the
|
||||
* node set, as well as all other ancestors.
|
||||
|
@ -348,7 +348,7 @@ class SymbMap implements Cloneable {
|
||||
List<NameSpaceSymbEntry> entrySet() {
|
||||
List<NameSpaceSymbEntry> a = new ArrayList<>();
|
||||
for (int i = 0;i < entries.length;i++) {
|
||||
if (entries[i] != null && !"".equals(entries[i].uri)) {
|
||||
if (entries[i] != null && entries[i].uri.length() != 0) {
|
||||
a.add(entries[i]);
|
||||
}
|
||||
}
|
||||
|
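Review bot: `entries[i].uri.length() != 0` is not a drop-in for the old `!"".equals(entries[i].uri)`: the old test tolerated a null uri (the entry was included), the new one throws NullPointerException on it. If `uri` is never null at this point, a short comment such as `// uri is always non-null for populated entries` would document the invariant the rewrite now relies on; otherwise restore the null-safe form `if (entries[i] != null && !"".equals(entries[i].uri)) {`. The same `length()` rewrite elsewhere in this commit (IntegrityHmac, CanonicalizerBase, the two getNewURI methods) sits behind an explicit null check, so this is the only site whose behaviour changes.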
@ -1,181 +0,0 @@
|
||||
/*
|
||||
* reserved comment block
|
||||
* DO NOT REMOVE OR ALTER!
|
||||
*/
|
||||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package com.sun.org.apache.xml.internal.security.exceptions;
|
||||
|
||||
import java.text.MessageFormat;
|
||||
|
||||
import com.sun.org.apache.xml.internal.security.utils.Constants;
|
||||
import com.sun.org.apache.xml.internal.security.utils.I18n;
|
||||
|
||||
/**
|
||||
* The mother of all runtime Exceptions in this bundle. It allows exceptions to have
|
||||
* their messages translated to the different locales.
|
||||
*
|
||||
* The {@code xmlsecurity_en.properties} file contains this line:
|
||||
* <pre>
|
||||
* xml.WrongElement = Can't create a {0} from a {1} element
|
||||
* </pre>
|
||||
*
|
||||
* Usage in the Java source is:
|
||||
* <pre>
|
||||
* {
|
||||
* Object[] exArgs = { Constants._TAG_TRANSFORMS, "BadElement" };
|
||||
*
|
||||
* throw new XMLSecurityException("xml.WrongElement", exArgs);
|
||||
* }
|
||||
* </pre>
|
||||
*
|
||||
* Additionally, if another Exception has been caught, we can supply it, too
|
||||
* <pre>
|
||||
* try {
|
||||
* ...
|
||||
* } catch (Exception oldEx) {
|
||||
* Object[] exArgs = { Constants._TAG_TRANSFORMS, "BadElement" };
|
||||
*
|
||||
* throw new XMLSecurityException("xml.WrongElement", exArgs, oldEx);
|
||||
* }
|
||||
* </pre>
|
||||
*
|
||||
*
|
||||
*/
|
||||
public class XMLSecurityRuntimeException extends RuntimeException {
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
||||
/** Field msgID */
|
||||
protected String msgID;
|
||||
|
||||
/**
|
||||
* Constructor XMLSecurityRuntimeException
|
||||
*
|
||||
*/
|
||||
public XMLSecurityRuntimeException() {
|
||||
super("Missing message string");
|
||||
|
||||
this.msgID = null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructor XMLSecurityRuntimeException
|
||||
*
|
||||
* @param msgID
|
||||
*/
|
||||
public XMLSecurityRuntimeException(String msgID) {
|
||||
super(I18n.getExceptionMessage(msgID));
|
||||
|
||||
this.msgID = msgID;
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructor XMLSecurityRuntimeException
|
||||
*
|
||||
* @param msgID
|
||||
* @param exArgs
|
||||
*/
|
||||
public XMLSecurityRuntimeException(String msgID, Object[] exArgs) {
|
||||
super(MessageFormat.format(I18n.getExceptionMessage(msgID), exArgs));
|
||||
|
||||
this.msgID = msgID;
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructor XMLSecurityRuntimeException
|
||||
*
|
||||
* @param originalException
|
||||
*/
|
||||
public XMLSecurityRuntimeException(Exception originalException) {
|
||||
super("Missing message ID to locate message string in resource bundle \""
|
||||
+ Constants.exceptionMessagesResourceBundleBase
|
||||
+ "\". Original Exception was a "
|
||||
+ originalException.getClass().getName() + " and message "
|
||||
+ originalException.getMessage(), originalException);
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructor XMLSecurityRuntimeException
|
||||
*
|
||||
* @param msgID
|
||||
* @param originalException
|
||||
*/
|
||||
public XMLSecurityRuntimeException(String msgID, Exception originalException) {
|
||||
super(I18n.getExceptionMessage(msgID, originalException), originalException);
|
||||
|
||||
this.msgID = msgID;
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructor XMLSecurityRuntimeException
|
||||
*
|
||||
* @param msgID
|
||||
* @param exArgs
|
||||
* @param originalException
|
||||
*/
|
||||
public XMLSecurityRuntimeException(String msgID, Object[] exArgs, Exception originalException) {
|
||||
super(MessageFormat.format(I18n.getExceptionMessage(msgID), exArgs), originalException);
|
||||
|
||||
this.msgID = msgID;
|
||||
}
|
||||
|
||||
/**
|
||||
* Method getMsgID
|
||||
*
|
||||
* @return the messageId
|
||||
*/
|
||||
public String getMsgID() {
|
||||
if (msgID == null) {
|
||||
return "Missing message ID";
|
||||
}
|
||||
return msgID;
|
||||
}
|
||||
|
||||
/** {@inheritDoc} */
|
||||
public String toString() {
|
||||
String s = this.getClass().getName();
|
||||
String message = super.getLocalizedMessage();
|
||||
|
||||
if (message != null) {
|
||||
message = s + ": " + message;
|
||||
} else {
|
||||
message = s;
|
||||
}
|
||||
|
||||
if (this.getCause() != null) {
|
||||
message = message + "\nOriginal Exception was " + this.getCause().toString();
|
||||
}
|
||||
|
||||
return message;
|
||||
}
|
||||
|
||||
/**
|
||||
* Method getOriginalException
|
||||
*
|
||||
* @return the original exception
|
||||
*/
|
||||
public Exception getOriginalException() {
|
||||
if (this.getCause() instanceof Exception) {
|
||||
return (Exception)this.getCause();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
}
|
@ -170,8 +170,8 @@ public class KeyResolver {
|
||||
ClassNotFoundException, IllegalAccessException,
|
||||
InstantiationException, InvocationTargetException {
|
||||
JavaUtils.checkRegisterPermission();
|
||||
KeyResolverSpi keyResolverSpi =
|
||||
(KeyResolverSpi) JavaUtils.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, KeyResolver.class));
|
||||
KeyResolverSpi keyResolverSpi = (KeyResolverSpi)
|
||||
JavaUtils.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, KeyResolver.class));
|
||||
register(keyResolverSpi, false);
|
||||
}
|
||||
|
||||
@ -193,8 +193,8 @@ public class KeyResolver {
|
||||
KeyResolverSpi keyResolverSpi = null;
|
||||
Exception ex = null;
|
||||
try {
|
||||
keyResolverSpi = (KeyResolverSpi) JavaUtils.newInstanceWithEmptyConstructor(
|
||||
ClassLoaderUtils.loadClass(className, KeyResolver.class));
|
||||
keyResolverSpi = (KeyResolverSpi)
|
||||
JavaUtils.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, KeyResolver.class));
|
||||
register(keyResolverSpi, true);
|
||||
} catch (ClassNotFoundException | IllegalAccessException | InstantiationException | InvocationTargetException e) {
|
||||
ex = e;
|
||||
@ -253,8 +253,8 @@ public class KeyResolver {
|
||||
JavaUtils.checkRegisterPermission();
|
||||
List<KeyResolverSpi> keyResolverList = new ArrayList<>(classNames.size());
|
||||
for (String className : classNames) {
|
||||
KeyResolverSpi keyResolverSpi = (KeyResolverSpi)JavaUtils
|
||||
.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, KeyResolver.class));
|
||||
KeyResolverSpi keyResolverSpi = (KeyResolverSpi)
|
||||
JavaUtils.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, KeyResolver.class));
|
||||
keyResolverList.add(keyResolverSpi);
|
||||
}
|
||||
resolverList.addAll(keyResolverList);
|
||||
|
@ -162,6 +162,7 @@ public class KeyInfoReferenceResolver extends KeyResolverSpi {
|
||||
validateReference(referentElement, secureValidation);
|
||||
|
||||
KeyInfo referent = new KeyInfo(referentElement, baseURI);
|
||||
referent.setSecureValidation(secureValidation);
|
||||
referent.addStorageResolver(storage);
|
||||
return referent;
|
||||
}
|
||||
@ -181,7 +182,7 @@ public class KeyInfoReferenceResolver extends KeyResolverSpi {
|
||||
}
|
||||
|
||||
KeyInfo referent = new KeyInfo(referentElement, "");
|
||||
if (referent.containsKeyInfoReference()) {
|
||||
if (referent.containsKeyInfoReference() || referent.containsRetrievalMethod()) {
|
||||
if (secureValidation) {
|
||||
throw new XMLSecurityException("KeyInfoReferenceResolver.InvalidReferentElement.ReferenceWithSecure");
|
||||
} else {
|
||||
|
@ -96,8 +96,6 @@
|
||||
<SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
|
||||
JAVACLASS="com.sun.org.apache.xml.internal.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA512" />
|
||||
|
||||
<SignatureAlgorithm URI="http://www.w3.org/2007/05/xmldsig-more#ripemd160-rsa-MGF1"
|
||||
JAVACLASS="com.sun.org.apache.xml.internal.security.algorithms.implementations.SignatureBaseRSA$SignatureRSARIPEMD160MGF1" />
|
||||
<SignatureAlgorithm URI="http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1"
|
||||
JAVACLASS="com.sun.org.apache.xml.internal.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1MGF1" />
|
||||
<SignatureAlgorithm URI="http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1"
|
||||
|
@ -126,6 +126,7 @@ signature.Transform.ForbiddenTransform = Transform {0} is forbidden when secure
|
||||
signature.Transform.NotYetImplemented = Transform {0} not yet implemented
|
||||
signature.Transform.NullPointerTransform = Null pointer as URI. Programming bug?
|
||||
signature.Transform.UnknownTransform = Unknown transformation. No handler installed for URI {0}
|
||||
signature.Transform.XPathError = Error evaluating XPath expression
|
||||
signature.Transform.node = Current Node: {0}
|
||||
signature.Transform.nodeAndType = Current Node: {0}, type: {1}
|
||||
signature.Util.BignumNonPositive = bigInteger.signum() must be positive
|
||||
@ -196,4 +197,4 @@ stax.signature.keyNameMissing = KeyName not configured.
|
||||
stax.keyNotFoundForName = No key configured for KeyName: {0}
|
||||
stax.keyTypeNotSupported = Key of type {0} not supported for a KeyName lookup
|
||||
stax.idsetbutnotgenerated = An Id attribute is specified, but Id generation is disabled
|
||||
stax.idgenerationdisablewithmultipleparts = Id generation must not be disabled when multiple parts need signing
|
||||
stax.idgenerationdisablewithmultipleparts = Id generation must not be disabled when multiple parts need signing
|
||||
|
@ -36,7 +36,6 @@ import com.sun.org.apache.xml.internal.security.c14n.CanonicalizationException;
|
||||
import com.sun.org.apache.xml.internal.security.c14n.implementations.Canonicalizer11_OmitComments;
|
||||
import com.sun.org.apache.xml.internal.security.c14n.implementations.Canonicalizer20010315OmitComments;
|
||||
import com.sun.org.apache.xml.internal.security.c14n.implementations.CanonicalizerBase;
|
||||
import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityRuntimeException;
|
||||
import com.sun.org.apache.xml.internal.security.parser.XMLParserException;
|
||||
import com.sun.org.apache.xml.internal.security.utils.JavaUtils;
|
||||
import com.sun.org.apache.xml.internal.security.utils.XMLUtils;
|
||||
@ -141,7 +140,7 @@ public class XMLSignatureInput {
|
||||
|
||||
/**
|
||||
* Construct a XMLSignatureInput from a subtree rooted by rootNode. This
|
||||
* method included the node and <I>all</I> his descendants in the output.
|
||||
* method included the node and <I>all</I> its descendants in the output.
|
||||
*
|
||||
* @param rootNode
|
||||
*/
|
||||
@ -528,7 +527,7 @@ public class XMLSignatureInput {
|
||||
if (inputOctetStreamProxy == null) {
|
||||
return null;
|
||||
}
|
||||
try {
|
||||
try { //NOPMD
|
||||
bytes = JavaUtils.getBytesFromStream(inputOctetStreamProxy);
|
||||
} finally {
|
||||
inputOctetStreamProxy.close();
|
||||
@ -539,15 +538,9 @@ public class XMLSignatureInput {
|
||||
/**
|
||||
* @param filter
|
||||
*/
|
||||
public void addNodeFilter(NodeFilter filter) {
|
||||
public void addNodeFilter(NodeFilter filter) throws XMLParserException, IOException {
|
||||
if (isOctetStream()) {
|
||||
try {
|
||||
convertToNodes();
|
||||
} catch (Exception e) {
|
||||
throw new XMLSecurityRuntimeException(
|
||||
"signature.XMLSignatureInput.nodesetReference", e
|
||||
);
|
||||
}
|
||||
convertToNodes();
|
||||
}
|
||||
nodeFilters.add(filter);
|
||||
}
|
||||
|
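Review bot: addNodeFilter now declares XMLParserException and IOException but its Javadoc still lists only `@param filter`, and since this is a public method whose callers (TransformEnvelopedSignature and TransformXPath in this same commit) must now handle those checked exceptions, the contract belongs in the doc. Add `@throws XMLParserException if the octet stream cannot be parsed into a node set` and `@throws IOException if reading the octet stream fails`, adjusted to what convertToNodes actually throws, which is outside the hunk. The removed wrapper reported failures under the `signature.XMLSignatureInput.nodesetReference` message key; that key appears to be unreferenced by this path now and may be orphaned in the properties files.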
@ -60,7 +60,7 @@ public class TransformC14N extends TransformSpi {
|
||||
|
||||
Canonicalizer20010315 c14n = getCanonicalizer();
|
||||
|
||||
if (os == null) {
|
||||
if (os == null && (input.isOctetStream() || input.isElement() || input.isNodeSet())) {
|
||||
try (ByteArrayOutputStream writer = new ByteArrayOutputStream()) {
|
||||
c14n.engineCanonicalize(input, writer, secureValidation);
|
||||
writer.flush();
|
||||
|
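Review bot: With the narrowed condition `os == null && (input.isOctetStream() || input.isElement() || input.isNodeSet())`, an input that is none of those three kinds now falls through to the branch below even though `os` is null, whereas before every null-`os` call took the in-memory path. That branch is outside the hunk, so if it hands `os` to the canonicalizer unconditionally this is a new NullPointerException path; either keep `os == null` as the outer decision and pick the input kind inside it, or guard the fall-through explicitly. The same condition is introduced in TransformC14NExclusive (hunk at 82).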
@ -82,7 +82,7 @@ public class TransformC14NExclusive extends TransformSpi {
|
||||
|
||||
Canonicalizer20010315Excl c14n = getCanonicalizer();
|
||||
|
||||
if (os == null) {
|
||||
if (os == null && (input.isOctetStream() || input.isElement() || input.isNodeSet())) {
|
||||
try (ByteArrayOutputStream writer = new ByteArrayOutputStream()) {
|
||||
c14n.engineCanonicalize(input, inclusiveNamespaces, writer, secureValidation);
|
||||
writer.flush();
|
||||
|
@ -22,8 +22,10 @@
|
||||
*/
|
||||
package com.sun.org.apache.xml.internal.security.transforms.implementations;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.OutputStream;
|
||||
|
||||
import com.sun.org.apache.xml.internal.security.parser.XMLParserException;
|
||||
import com.sun.org.apache.xml.internal.security.signature.NodeFilter;
|
||||
import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput;
|
||||
import com.sun.org.apache.xml.internal.security.transforms.TransformSpi;
|
||||
@ -71,7 +73,11 @@ public class TransformEnvelopedSignature extends TransformSpi {
|
||||
|
||||
Node signatureElement = searchSignatureElement(transformElement);
|
||||
input.setExcludeNode(signatureElement);
|
||||
input.addNodeFilter(new EnvelopedNodeFilter(signatureElement));
|
||||
try {
|
||||
input.addNodeFilter(new EnvelopedNodeFilter(signatureElement));
|
||||
} catch (XMLParserException | IOException ex) {
|
||||
throw new TransformationException(ex);
|
||||
}
|
||||
return input;
|
||||
}
|
||||
|
||||
|
@ -22,11 +22,12 @@
|
||||
*/
|
||||
package com.sun.org.apache.xml.internal.security.transforms.implementations;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.OutputStream;
|
||||
|
||||
import javax.xml.transform.TransformerException;
|
||||
|
||||
import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityRuntimeException;
|
||||
import com.sun.org.apache.xml.internal.security.parser.XMLParserException;
|
||||
import com.sun.org.apache.xml.internal.security.signature.NodeFilter;
|
||||
import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput;
|
||||
import com.sun.org.apache.xml.internal.security.transforms.TransformSpi;
|
||||
@ -51,6 +52,9 @@ import org.w3c.dom.Node;
|
||||
*/
|
||||
public class TransformXPath extends TransformSpi {
|
||||
|
||||
private static final com.sun.org.slf4j.internal.Logger LOG =
|
||||
com.sun.org.slf4j.internal.LoggerFactory.getLogger(TransformXPath.class);
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@ -102,7 +106,7 @@ public class TransformXPath extends TransformSpi {
|
||||
input.addNodeFilter(new XPathNodeFilter(xpathElement, xpathnode, str, xpathAPIInstance));
|
||||
input.setNodeSet(true);
|
||||
return input;
|
||||
} catch (DOMException ex) {
|
||||
} catch (XMLParserException | IOException | DOMException ex) {
|
||||
throw new TransformationException(ex);
|
||||
}
|
||||
}
|
||||
@ -144,11 +148,8 @@ public class TransformXPath extends TransformSpi {
|
||||
}
|
||||
return 0;
|
||||
} catch (TransformerException e) {
|
||||
Object[] eArgs = {currentNode};
|
||||
throw new XMLSecurityRuntimeException("signature.Transform.node", eArgs, e);
|
||||
} catch (Exception e) {
|
||||
Object[] eArgs = {currentNode, currentNode.getNodeType()};
|
||||
throw new XMLSecurityRuntimeException("signature.Transform.nodeAndType",eArgs, e);
|
||||
LOG.debug("Error evaluating XPath expression", e);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
|
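Review bot: The rewritten `catch (Exception e)` turns any XPath evaluation failure into a debug-level log and `return 0`, where the old code surfaced it as an XMLSecurityRuntimeException carrying the node and its type. Treating an evaluation error as an ordinary filter verdict hides a malformed or misconfigured XPath filter from operators, and if 0 means "exclude" for this filter it quietly changes which nodes take part in signing or verification. At minimum raise the level so the condition is visible in production logs, `LOG.warn("Error evaluating XPath expression", e);`, and consider catching something narrower than Exception. The enclosing method starts outside the hunk.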
@ -43,6 +43,7 @@ import org.w3c.dom.Text;
|
||||
* @see com.sun.org.apache.xml.internal.security.transforms.implementations.TransformBase64Decode
|
||||
*/
|
||||
@Deprecated
|
||||
@SuppressWarnings("PMD")
|
||||
public final class Base64 {
|
||||
|
||||
/** Field BASE64DEFAULTLENGTH */
|
||||
|
@ -127,11 +127,11 @@ public class DOMNamespaceContext implements NamespaceContext {
|
||||
return DEFAULT_NS_PREFIX;
|
||||
}
|
||||
}
|
||||
if (namespaceURI == null) {
|
||||
if (namespaceURI == null && context != null) {
|
||||
return context.lookupNamespaceURI(null) != null ? null : DEFAULT_NS_PREFIX;
|
||||
} else if (namespaceURI.equals(XML_NS_URI)) {
|
||||
} else if (XML_NS_URI.equals(namespaceURI)) {
|
||||
return XML_NS_PREFIX;
|
||||
} else if (namespaceURI.equals(XMLNS_ATTRIBUTE_NS_URI)) {
|
||||
} else if (XMLNS_ATTRIBUTE_NS_URI.equals(namespaceURI)) {
|
||||
return XMLNS_ATTRIBUTE;
|
||||
}
|
||||
return null;
|
||||
|
@ -190,20 +190,21 @@ public class RFC2253Parser {
|
||||
|
||||
if (value.startsWith("\"")) {
|
||||
StringBuilder sb = new StringBuilder();
|
||||
StringReader sr = new StringReader(value.substring(1, value.length() - 1));
|
||||
int i = 0;
|
||||
char c;
|
||||
try (StringReader sr = new StringReader(value.substring(1, value.length() - 1))) {
|
||||
int i = 0;
|
||||
char c;
|
||||
|
||||
while ((i = sr.read()) > -1) {
|
||||
c = (char) i;
|
||||
while ((i = sr.read()) > -1) {
|
||||
c = (char) i;
|
||||
|
||||
//the following char is defined at 4.Relationship with RFC1779 and LDAPv2 inrfc2253
|
||||
if (c == ',' || c == '=' || c == '+' || c == '<'
|
||||
|| c == '>' || c == '#' || c == ';') {
|
||||
sb.append('\\');
|
||||
//the following char is defined at 4.Relationship with RFC1779 and LDAPv2 inrfc2253
|
||||
if (c == ',' || c == '=' || c == '+' || c == '<'
|
||||
|| c == '>' || c == '#' || c == ';') {
|
||||
sb.append('\\');
|
||||
}
|
||||
|
||||
sb.append(c);
|
||||
}
|
||||
|
||||
sb.append(c);
|
||||
}
|
||||
|
||||
value = trim(sb.toString());
|
||||
@ -263,37 +264,38 @@ public class RFC2253Parser {
|
||||
*/
|
||||
static String changeLess32toRFC(String string) throws IOException {
|
||||
StringBuilder sb = new StringBuilder();
|
||||
StringReader sr = new StringReader(string);
|
||||
int i = 0;
|
||||
char c;
|
||||
|
||||
while ((i = sr.read()) > -1) {
|
||||
c = (char) i;
|
||||
try (StringReader sr = new StringReader(string)) {
|
||||
while ((i = sr.read()) > -1) {
|
||||
c = (char) i;
|
||||
|
||||
if (c == '\\') {
|
||||
sb.append(c);
|
||||
if (c == '\\') {
|
||||
sb.append(c);
|
||||
|
||||
char c1 = (char) sr.read();
|
||||
char c2 = (char) sr.read();
|
||||
char c1 = (char) sr.read();
|
||||
char c2 = (char) sr.read();
|
||||
|
||||
//65 (A) 97 (a)
|
||||
if ((c1 >= 48 && c1 <= 57 || c1 >= 65 && c1 <= 70 || c1 >= 97 && c1 <= 102)
|
||||
&& (c2 >= 48 && c2 <= 57
|
||||
|| c2 >= 65 && c2 <= 70
|
||||
|| c2 >= 97 && c2 <= 102)) {
|
||||
try {
|
||||
char ch = (char) Byte.parseByte("" + c1 + c2, 16);
|
||||
//65 (A) 97 (a)
|
||||
if ((c1 >= 48 && c1 <= 57 || c1 >= 65 && c1 <= 70 || c1 >= 97 && c1 <= 102)
|
||||
&& (c2 >= 48 && c2 <= 57
|
||||
|| c2 >= 65 && c2 <= 70
|
||||
|| c2 >= 97 && c2 <= 102)) {
|
||||
try {
|
||||
char ch = (char) Byte.parseByte("" + c1 + c2, 16);
|
||||
|
||||
sb.append(ch);
|
||||
} catch (NumberFormatException ex) {
|
||||
throw new IOException(ex);
|
||||
sb.append(ch);
|
||||
} catch (NumberFormatException ex) {
|
||||
throw new IOException(ex);
|
||||
}
|
||||
} else {
|
||||
sb.append(c1);
|
||||
sb.append(c2);
|
||||
}
|
||||
} else {
|
||||
sb.append(c1);
|
||||
sb.append(c2);
|
||||
sb.append(c);
|
||||
}
|
||||
} else {
|
||||
sb.append(c);
|
||||
}
|
||||
}
|
||||
|
||||
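Review bot: `Byte.parseByte("" + c1 + c2, 16)` inside the re-indented block rejects every escaped byte from `80` through `ff`, because Byte.parseByte only accepts -128..127 regardless of radix, so an RFC 2253 escape such as `\C3\A9` ends in the NumberFormatException-to-IOException path instead of being decoded. `char ch = (char) Integer.parseInt("" + c1 + c2, 16);` accepts the full byte range with no other change. Separately, `char c1 = (char) sr.read();` and the following line do not check for end of input, so a trailing backslash yields `'\uffff'` characters rather than an error; the try-with-resources wrapping itself is behaviour-neutral for a StringReader.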
@ -309,15 +311,16 @@ public class RFC2253Parser {
|
||||
*/
|
||||
static String changeLess32toXML(String string) throws IOException {
|
||||
StringBuilder sb = new StringBuilder();
|
||||
StringReader sr = new StringReader(string);
|
||||
int i = 0;
|
||||
|
||||
while ((i = sr.read()) > -1) {
|
||||
if (i < 32) {
|
||||
sb.append('\\');
|
||||
sb.append(Integer.toHexString(i));
|
||||
} else {
|
||||
sb.append((char) i);
|
||||
try (StringReader sr = new StringReader(string)) {
|
||||
while ((i = sr.read()) > -1) {
|
||||
if (i < 32) {
|
||||
sb.append('\\');
|
||||
sb.append(Integer.toHexString(i));
|
||||
} else {
|
||||
sb.append((char) i);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -333,28 +336,29 @@ public class RFC2253Parser {
|
||||
*/
|
||||
static String changeWStoXML(String string) throws IOException {
|
||||
StringBuilder sb = new StringBuilder();
|
||||
StringReader sr = new StringReader(string);
|
||||
int i = 0;
|
||||
char c;
|
||||
|
||||
while ((i = sr.read()) > -1) {
|
||||
c = (char) i;
|
||||
try (StringReader sr = new StringReader(string)) {
|
||||
while ((i = sr.read()) > -1) {
|
||||
c = (char) i;
|
||||
|
||||
if (c == '\\') {
|
||||
char c1 = (char) sr.read();
|
||||
if (c == '\\') {
|
||||
char c1 = (char) sr.read();
|
||||
|
||||
if (c1 == ' ') {
|
||||
sb.append('\\');
|
||||
if (c1 == ' ') {
|
||||
sb.append('\\');
|
||||
|
||||
String s = "20";
|
||||
String s = "20";
|
||||
|
||||
sb.append(s);
|
||||
sb.append(s);
|
||||
} else {
|
||||
sb.append('\\');
|
||||
sb.append(c1);
|
||||
}
|
||||
} else {
|
||||
sb.append('\\');
|
||||
sb.append(c1);
|
||||
sb.append(c);
|
||||
}
|
||||
} else {
|
||||
sb.append(c);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -583,7 +583,7 @@ public final class XMLUtils {
|
||||
Node parent = null;
|
||||
Node sibling = null;
|
||||
final String namespaceNs = Constants.NamespaceSpecNS;
|
||||
do {
|
||||
do { //NOPMD
|
||||
switch (node.getNodeType()) {
|
||||
case Node.ELEMENT_NODE :
|
||||
Element element = (Element) node;
|
||||
|
@ -122,8 +122,8 @@ public class ResourceResolver {
|
||||
|
||||
List<ResourceResolverSpi> resourceResolversToAdd = new ArrayList<>(classNames.size());
|
||||
for (String className : classNames) {
|
||||
ResourceResolverSpi resourceResolverSpi = (ResourceResolverSpi)JavaUtils
|
||||
.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, ResourceResolver.class));
|
||||
ResourceResolverSpi resourceResolverSpi = (ResourceResolverSpi)
|
||||
JavaUtils.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, ResourceResolver.class));
|
||||
resourceResolversToAdd.add(resourceResolverSpi);
|
||||
}
|
||||
resolverList.addAll(resourceResolversToAdd);
|
||||
@ -159,15 +159,6 @@ public class ResourceResolver {
|
||||
LOG.debug("check resolvability by class {}", resolver.getClass().getName());
|
||||
|
||||
if (resolver.engineCanResolveURI(context)) {
|
||||
// Check to see whether the Resolver is allowed
|
||||
if (context.secureValidation
|
||||
&& (resolver instanceof ResolverLocalFilesystem
|
||||
|| resolver instanceof ResolverDirectHTTP)) {
|
||||
Object[] exArgs = { resolver.getClass().getName() };
|
||||
throw new ResourceResolverException(
|
||||
"signature.Reference.ForbiddenResolver", exArgs, context.uriToResolve, context.baseUri
|
||||
);
|
||||
}
|
||||
return resolver.engineResolveURI(context);
|
||||
}
|
||||
}
|
||||
|
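Review bot: Removing the `context.secureValidation` check in resolve() deletes the only place visible in this diff that refused ResolverLocalFilesystem and ResolverDirectHTTP under secure validation, and nothing in the hunk takes its place. The DOMURIDereferencer hunk now passes `secVal` into ResourceResolverContext, which suggests the restriction moved into the resolvers or that those two are no longer registered by default, but neither is shown here; please confirm that a `file:` or `http(s):` Reference URI still fails to resolve under secure validation and note where that is enforced, e.g. `// secure-validation restrictions are enforced by each ResourceResolverSpi` adjusted to the actual location. The `signature.Reference.ForbiddenResolver` message key may now be orphaned in the properties files.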
@ -54,5 +54,4 @@ public class ResourceResolverContext {
|
||||
public Map<String, String> getProperties() {
|
||||
return properties;
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -219,7 +219,8 @@ public class ResolverDirectHTTP extends ResourceResolverSpi {
|
||||
LOG.debug("I was asked whether I can resolve {}", context.uriToResolve);
|
||||
|
||||
if (context.uriToResolve.startsWith("http:") ||
|
||||
context.baseUri != null && context.baseUri.startsWith("http:")) {
|
||||
context.uriToResolve.startsWith("https:") ||
|
||||
context.baseUri != null && (context.baseUri.startsWith("http:") || context.baseUri.startsWith("https:"))) {
|
||||
LOG.debug("I state that I can resolve {}", context.uriToResolve);
|
||||
return true;
|
||||
}
|
||||
@ -231,7 +232,7 @@ public class ResolverDirectHTTP extends ResourceResolverSpi {
|
||||
|
||||
private static URI getNewURI(String uri, String baseURI) throws URISyntaxException {
|
||||
URI newUri = null;
|
||||
if (baseURI == null || "".equals(baseURI)) {
|
||||
if (baseURI == null || baseURI.length() == 0) {
|
||||
newUri = new URI(uri);
|
||||
} else {
|
||||
newUri = new URI(baseURI).resolve(uri);
|
||||
|
@ -38,8 +38,6 @@ import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverS
|
||||
*/
|
||||
public class ResolverLocalFilesystem extends ResourceResolverSpi {
|
||||
|
||||
private static final int FILE_URI_LENGTH = "file:/".length();
|
||||
|
||||
private static final com.sun.org.slf4j.internal.Logger LOG =
|
||||
com.sun.org.slf4j.internal.LoggerFactory.getLogger(ResolverLocalFilesystem.class);
|
||||
|
||||
@ -53,9 +51,7 @@ public class ResolverLocalFilesystem extends ResourceResolverSpi {
|
||||
// calculate new URI
|
||||
URI uriNew = getNewURI(context.uriToResolve, context.baseUri);
|
||||
|
||||
String fileName =
|
||||
ResolverLocalFilesystem.translateUriToFilename(uriNew.toString());
|
||||
InputStream inputStream = Files.newInputStream(Paths.get(fileName));
|
||||
InputStream inputStream = Files.newInputStream(Paths.get(uriNew)); //NOPMD
|
||||
XMLSignatureInput result = new XMLSignatureInput(inputStream);
|
||||
result.setSecureValidation(context.secureValidation);
|
||||
|
||||
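Review bot: `Paths.get(uriNew)` on the rewritten line throws unchecked IllegalArgumentException or FileSystemNotFoundException for URIs it cannot map (a non-`file:` scheme, or a `file:` URI carrying a query or fragment), whereas the deleted translateUriToFilename only ever produced a string. engineCanResolveURI below rejects just empty, `#`, `http:` and `https:` URIs, so other schemes can still reach this line from a Reference URI; the catch clause that follows is outside the hunk, so please check it covers these types and otherwise wrap them in the ResourceResolverException form this class already uses so the caller sees a resolver error rather than a runtime exception.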
@ -67,41 +63,6 @@ public class ResolverLocalFilesystem extends ResourceResolverSpi {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Method translateUriToFilename
|
||||
*
|
||||
* @param uri
|
||||
* @return the string of the filename
|
||||
*/
|
||||
private static String translateUriToFilename(String uri) {
|
||||
|
||||
String subStr = uri.substring(FILE_URI_LENGTH);
|
||||
|
||||
if (subStr.indexOf("%20") > -1) {
|
||||
int offset = 0;
|
||||
int index = 0;
|
||||
StringBuilder temp = new StringBuilder(subStr.length());
|
||||
do {
|
||||
index = subStr.indexOf("%20",offset);
|
||||
if (index == -1) {
|
||||
temp.append(subStr.substring(offset));
|
||||
} else {
|
||||
temp.append(subStr.substring(offset, index));
|
||||
temp.append(' ');
|
||||
offset = index + 3;
|
||||
}
|
||||
} while(index != -1);
|
||||
subStr = temp.toString();
|
||||
}
|
||||
|
||||
if (subStr.charAt(1) == ':') {
|
||||
// we're running M$ Windows, so this works fine
|
||||
return subStr;
|
||||
}
|
||||
// we're running some UNIX, so we have to prepend a slash
|
||||
return "/" + subStr;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@ -111,7 +72,7 @@ public class ResolverLocalFilesystem extends ResourceResolverSpi {
|
||||
}
|
||||
|
||||
if (context.uriToResolve.isEmpty() || context.uriToResolve.charAt(0) == '#' ||
|
||||
context.uriToResolve.startsWith("http:")) {
|
||||
context.uriToResolve.startsWith("http:") || context.uriToResolve.startsWith("https:")) {
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -133,7 +94,7 @@ public class ResolverLocalFilesystem extends ResourceResolverSpi {
|
||||
|
||||
private static URI getNewURI(String uri, String baseURI) throws URISyntaxException {
|
||||
URI newUri = null;
|
||||
if (baseURI == null || "".equals(baseURI)) {
|
||||
if (baseURI == null || baseURI.length() == 0) {
|
||||
newUri = new URI(uri);
|
||||
} else {
|
||||
newUri = new URI(baseURI).resolve(uri);
|
||||
|
@ -239,9 +239,6 @@ public abstract class ApacheCanonicalizer extends TransformService {
|
||||
|
||||
try {
|
||||
in = apacheTransform.performTransform(in, os, secVal);
|
||||
if (!in.isNodeSet() && !in.isElement()) {
|
||||
return null;
|
||||
}
|
||||
if (in.isOctetStream()) {
|
||||
return new ApacheOctetStreamData(in);
|
||||
} else {
|
||||
|
@ -447,7 +447,7 @@ public final class DOMReference extends DOMStructure
|
||||
}
|
||||
Data data = dereferencedData;
|
||||
XMLSignatureInput xi = null;
|
||||
try (OutputStream os = new UnsyncBufferedOutputStream(dos)) {
|
||||
try (OutputStream os = new UnsyncBufferedOutputStream(dos)) { //NOPMD
|
||||
for (int i = 0, size = transforms.size(); i < size; i++) {
|
||||
DOMTransform transform = (DOMTransform)transforms.get(i);
|
||||
if (i < size - 1) {
|
||||
|
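Review bot: The bare `//NOPMD` on the try-with-resources line suppresses every PMD rule for that line without recording which one fires or why, which makes the suppression hard to audit later; PMD accepts a trailing reason, so something like `//NOPMD - <rule>: os only wraps dos, whose lifetime belongs to the caller` (with the actual rule name, which I cannot tell from the hunk) keeps it reviewable. The same bare marker is added elsewhere in this commit. The transform loop and the rest of the method continue outside the hunk.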
@ -116,7 +116,7 @@ public class DOMTransform extends DOMStructure implements Transform {
|
||||
Document ownerDoc = DOMUtils.getOwnerDocument(parent);
|
||||
|
||||
Element transformElem = null;
|
||||
if (parent.getLocalName().equals("Transforms")) {
|
||||
if ("Transforms".equals(parent.getLocalName())) {
|
||||
transformElem = DOMUtils.createElement(ownerDoc, "Transform",
|
||||
XMLSignature.XMLNS,
|
||||
dsPrefix);
|
||||
|
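Review bot: Flipping the comparison to `"Transforms".equals(parent.getLocalName())` means a parent whose local name is null (a node created by a non-namespace-aware DOM) now falls through to the else branch, which lies outside the hunk, instead of failing at this line with an NPE; if that branch marshals a different structure, the silent wrong result is harder to diagnose than the exception was, so a short comment such as `// getLocalName() is null for non-namespace-aware nodes; treated as "not Transforms"` (or an explicit guard) would make the choice deliberate. Only the local name is compared, not the namespace; if foreign-namespace parents can reach this code, `XMLSignature.XMLNS.equals(parent.getNamespaceURI())` would be the fuller check.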
@ -138,7 +138,7 @@ public final class DOMURIDereferencer implements URIDereferencer {
|
||||
}
|
||||
|
||||
try {
|
||||
ResourceResolverContext resContext = new ResourceResolverContext(uriAttr, baseURI, false);
|
||||
ResourceResolverContext resContext = new ResourceResolverContext(uriAttr, baseURI, secVal);
|
||||
XMLSignatureInput in = ResourceResolver.resolve(resContext);
|
||||
if (in.isOctetStream()) {
|
||||
return new ApacheOctetStreamData(in);
|
||||
|
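Review bot: Replacing the hard-coded `false` with `secVal` is the security-relevant part of this hunk, yet nothing at the call site says why the flag used to be forced off or what the resource resolvers do with it, so a future reader could plausibly "restore" the old value. A one-line comment on the construction, `// propagate the caller's secure-validation setting so the resolvers can apply their own restrictions`, would pin the intent. `secVal` is computed before the hunk, and the dereference method continues past it.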
@ -43,14 +43,13 @@ import java.util.Set;
|
||||
*/
|
||||
public final class Policy {
|
||||
|
||||
// all restrictions are initialized to be unconstrained
|
||||
private static Set<URI> disallowedAlgs = new HashSet<>();
|
||||
private static int maxTrans = Integer.MAX_VALUE;
|
||||
private static int maxRefs = Integer.MAX_VALUE;
|
||||
private static Set<String> disallowedRefUriSchemes = new HashSet<>();
|
||||
private static Map<String, Integer> minKeyMap = new HashMap<>();
|
||||
private static boolean noDuplicateIds = false;
|
||||
private static boolean noRMLoops = false;
|
||||
private static Set<URI> disallowedAlgs;
|
||||
private static int maxTrans;
|
||||
private static int maxRefs;
|
||||
private static Set<String> disallowedRefUriSchemes;
|
||||
private static Map<String, Integer> minKeyMap;
|
||||
private static boolean noDuplicateIds;
|
||||
private static boolean noRMLoops;
|
||||
|
||||
static {
|
||||
try {
|
||||
@ -64,6 +63,16 @@ public final class Policy {
|
||||
private Policy() {}
|
||||
|
||||
private static void initialize() {
|
||||
// First initialized to be unconstrained and then parse the
|
||||
// security property "jdk.xml.dsig.secureValidationPolicy"
|
||||
disallowedAlgs = new HashSet<>();
|
||||
maxTrans = Integer.MAX_VALUE;
|
||||
maxRefs = Integer.MAX_VALUE;
|
||||
disallowedRefUriSchemes = new HashSet<>();
|
||||
minKeyMap = new HashMap<>();
|
||||
noDuplicateIds = false;
|
||||
noRMLoops = false;
|
||||
|
||||
@SuppressWarnings("removal")
|
||||
String prop =
|
||||
AccessController.doPrivileged((PrivilegedAction<String>) () ->
|
||||
|
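Review bot: `initialize()` now resets seven non-volatile static fields one by one, which is safe when the only caller is the static initializer (outside this hunk) because class initialization is serialized, but becomes a non-atomic update if the method is ever invoked again — for instance to reload `jdk.xml.dsig.secureValidationPolicy` in a test — since a concurrent reader could observe a freshly emptied `disallowedAlgs` next to a stale `maxTrans`. If re-invocation is not intended, a comment on the method, `// Called only from the static initializer; not safe to re-run concurrently`, records that; if it is, compute the new values into locals and publish them together. The property parsing that follows the defaults continues outside the hunk.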
@ -114,7 +114,7 @@ public final class Utils {
|
||||
}
|
||||
|
||||
private static boolean getBoolean(XMLCryptoContext xc, String name) {
|
||||
Boolean value = (Boolean)xc.getProperty(name);
|
||||
Boolean value = (Boolean) xc.getProperty(name);
|
||||
return value != null && value;
|
||||
}
|
||||
}
|
||||
|
@ -134,7 +134,7 @@ public final class XMLDSigRI extends Provider {
|
||||
@SuppressWarnings("removal")
|
||||
public XMLDSigRI() {
|
||||
// This is the JDK XMLDSig provider, synced from
|
||||
// Apache Santuario XML Security for Java, version 2.2.1
|
||||
// Apache Santuario XML Security for Java, version 2.3.0
|
||||
super("XMLDSig", VER, INFO);
|
||||
|
||||
final Provider p = this;
|
||||
|
@ -1,4 +1,4 @@
|
||||
## Apache Santuario v2.2.1
|
||||
## Apache Santuario v2.3.0
|
||||
|
||||
### Apache Santuario Notice
|
||||
<pre>
|
||||
|