8275082: Update XML Security for Java to 2.3.0

Reviewed-by: mullan
Weijun Wang 2021-12-06 18:00:54 +00:00
parent 70bad89b01
commit 2c31a1735d
32 changed files with 138 additions and 350 deletions


@ -84,7 +84,7 @@ public class Init {
}
@SuppressWarnings("removal")
InputStream is =
InputStream is = //NOPMD
AccessController.doPrivileged(
(PrivilegedAction<InputStream>)
() -> {
@ -351,6 +351,9 @@ public class Init {
* @param callingClass The Class object of the calling object
*/
public static URL getResource(String resourceName, Class<?> callingClass) {
if (resourceName == null) {
throw new NullPointerException();
}
URL url = Thread.currentThread().getContextClassLoader().getResource(resourceName);
if (url == null && resourceName.charAt(0) == '/') {
//certain classloaders need it without the leading /
@ -404,6 +407,9 @@ public class Init {
* @param callingClass The Class object of the calling object
*/
private static List<URL> getResources(String resourceName, Class<?> callingClass) {
if (resourceName == null) {
throw new NullPointerException();
}
List<URL> ret = new ArrayList<>();
Enumeration<URL> urls = new Enumeration<URL>() {
public boolean hasMoreElements() {
@ -479,7 +485,7 @@ public class Init {
}
if (ret.isEmpty() && resourceName != null && resourceName.charAt(0) != '/') {
if (ret.isEmpty() && resourceName.charAt(0) != '/') {
return getResources('/' + resourceName, callingClass);
}
return ret;
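Review bot: The new null guards in getResource and getResources throw a bare `NullPointerException` with no message, so a caller learns nothing about which argument was rejected; `Objects.requireNonNull(resourceName, "resourceName");` says the same thing in one line and matches JDK style (add `import java.util.Objects;` if the file lacks it). Relying on that guard is what justifies dropping the `resourceName != null` test in the last hunk, which is fine, but the contract should then be written down: add `@throws NullPointerException if {@code resourceName} is null` to both method javadocs. Separately, `Thread.currentThread().getContextClassLoader()` on the first line of getResource may return null (the context loader can be unset), in which case the lookup itself throws before `callingClass` is ever consulted — presumably the code after the hunk falls back to `callingClass`, so a null check on the loader there would be consistent. Both methods continue past the visible lines.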


@ -309,7 +309,7 @@ public abstract class IntegrityHmac extends SignatureAlgorithmSpi {
Node n = XMLUtils.selectDsNode(element.getFirstChild(), Constants._TAG_HMACOUTPUTLENGTH, 0);
if (n != null) {
String hmacLength = XMLUtils.getFullTextChildrenFromNode(n);
if (hmacLength != null && !"".equals(hmacLength)) {
if (hmacLength != null && hmacLength.length() != 0) {
this.hmacOutputLength = new HMACOutputLength(Integer.parseInt(hmacLength));
}
}
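Review bot: `Integer.parseInt(hmacLength)` on the line after the changed condition parses text taken straight from the signature document, so a non-numeric or whitespace-padded `HMACOutputLength` surfaces as an unchecked `NumberFormatException` rather than the checked exception callers of signature processing expect; a malformed value should be rejected explicitly, especially under secure validation. Consider `this.hmacOutputLength = new HMACOutputLength(Integer.parseInt(hmacLength.trim()));` inside a `try`/`catch (NumberFormatException e)` that rethrows as the exception type this method already declares (its signature is outside the hunk, so I cannot name it). The `length() != 0` rewrite itself is equivalent to the old `"".equals` because the value is null-checked on the same line.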


@ -125,7 +125,7 @@ public abstract class Canonicalizer20010315 extends CanonicalizerBase {
* Output the Attr[]s for the given element.
* <br>
* The code of this method is a copy of
* {@link #outputAttributes(Element, NameSpaceSymbTable, Map)},
* {@link #outputAttributes(Element, NameSpaceSymbTable, Map, OutputStream)},
* whereas it takes into account that subtree-c14n is -- well -- subtree-based.
* So if the element in question isRoot of c14n, it's parent is not in the
* node set, as well as all other ancestors.


@ -211,7 +211,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
Node sibling = null;
Node parentNode = null;
Map<String, byte[]> cache = new HashMap<>();
do {
do { //NOPMD
switch (currentNode.getNodeType()) {
case Node.ENTITY_NODE :
@ -338,7 +338,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
Node parentNode = null;
int documentLevel = NODE_BEFORE_DOCUMENT_ELEMENT;
Map<String, byte[]> cache = new HashMap<>();
do {
do { //NOPMD
switch (currentNode.getNodeType()) {
case Node.ENTITY_NODE :
@ -560,7 +560,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
}
parents.clear();
Attr nsprefix = ns.getMappingWithoutRendered(XMLNS);
if (nsprefix != null && "".equals(nsprefix.getValue())) {
if (nsprefix != null && nsprefix.getValue().length() == 0) {
ns.addMappingAndRender(
XMLNS, "", getNullNode(nsprefix.getOwnerDocument()));
}
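Review bot: The bare `//NOPMD` markers on the two `do {` lines suppress every PMD rule at that statement without saying which one was intended, so the next reader cannot tell whether the suppression is still needed; PMD accepts free text after the marker, e.g. `do { //NOPMD - explicit DOM walk, no recursion`, adjusted to the rule actually being silenced. In the third hunk, `nsprefix.getValue().length() == 0` matches the old `"".equals(...)` only if `Attr.getValue()` never returns null (DOM specifies an empty string for an attribute without a value, so this looks safe), and `isEmpty()` would read more plainly than the length comparison. The enclosing methods start and end outside the hunks.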


@ -110,7 +110,7 @@ public class CanonicalizerPhysical extends CanonicalizerBase {
* Output the Attr[]s for the given element.
* <br>
* The code of this method is a copy of
* {@link #outputAttributes(Element, NameSpaceSymbTable, Map)},
* {@link #outputAttributes(Element, NameSpaceSymbTable, Map, OutputStream)},
* whereas it takes into account that subtree-c14n is -- well -- subtree-based.
* So if the element in question isRoot of c14n, it's parent is not in the
* node set, as well as all other ancestors.


@ -348,7 +348,7 @@ class SymbMap implements Cloneable {
List<NameSpaceSymbEntry> entrySet() {
List<NameSpaceSymbEntry> a = new ArrayList<>();
for (int i = 0;i < entries.length;i++) {
if (entries[i] != null && !"".equals(entries[i].uri)) {
if (entries[i] != null && entries[i].uri.length() != 0) {
a.add(entries[i]);
}
}
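Review bot: `entries[i].uri.length() != 0` drops the null-safety the old `"".equals(entries[i].uri)` had, so if any NameSpaceSymbEntry is ever built with a null `uri`, entrySet() now throws instead of skipping that entry; nothing in this hunk shows how `uri` is assigned, so either confirm it is always non-null at construction or keep the guard as `entries[i] != null && entries[i].uri != null && !entries[i].uri.isEmpty()`. `isEmpty()` is also the clearer spelling of the length test. entrySet is fully visible here; the rest of SymbMap is not.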


@ -1,181 +0,0 @@
/*
* reserved comment block
* DO NOT REMOVE OR ALTER!
*/
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package com.sun.org.apache.xml.internal.security.exceptions;
import java.text.MessageFormat;
import com.sun.org.apache.xml.internal.security.utils.Constants;
import com.sun.org.apache.xml.internal.security.utils.I18n;
/**
* The mother of all runtime Exceptions in this bundle. It allows exceptions to have
* their messages translated to the different locales.
*
* The {@code xmlsecurity_en.properties} file contains this line:
* <pre>
* xml.WrongElement = Can't create a {0} from a {1} element
* </pre>
*
* Usage in the Java source is:
* <pre>
* {
* Object[] exArgs = { Constants._TAG_TRANSFORMS, "BadElement" };
*
* throw new XMLSecurityException("xml.WrongElement", exArgs);
* }
* </pre>
*
* Additionally, if another Exception has been caught, we can supply it, too
* <pre>
* try {
* ...
* } catch (Exception oldEx) {
* Object[] exArgs = { Constants._TAG_TRANSFORMS, "BadElement" };
*
* throw new XMLSecurityException("xml.WrongElement", exArgs, oldEx);
* }
* </pre>
*
*
*/
public class XMLSecurityRuntimeException extends RuntimeException {
private static final long serialVersionUID = 1L;
/** Field msgID */
protected String msgID;
/**
* Constructor XMLSecurityRuntimeException
*
*/
public XMLSecurityRuntimeException() {
super("Missing message string");
this.msgID = null;
}
/**
* Constructor XMLSecurityRuntimeException
*
* @param msgID
*/
public XMLSecurityRuntimeException(String msgID) {
super(I18n.getExceptionMessage(msgID));
this.msgID = msgID;
}
/**
* Constructor XMLSecurityRuntimeException
*
* @param msgID
* @param exArgs
*/
public XMLSecurityRuntimeException(String msgID, Object[] exArgs) {
super(MessageFormat.format(I18n.getExceptionMessage(msgID), exArgs));
this.msgID = msgID;
}
/**
* Constructor XMLSecurityRuntimeException
*
* @param originalException
*/
public XMLSecurityRuntimeException(Exception originalException) {
super("Missing message ID to locate message string in resource bundle \""
+ Constants.exceptionMessagesResourceBundleBase
+ "\". Original Exception was a "
+ originalException.getClass().getName() + " and message "
+ originalException.getMessage(), originalException);
}
/**
* Constructor XMLSecurityRuntimeException
*
* @param msgID
* @param originalException
*/
public XMLSecurityRuntimeException(String msgID, Exception originalException) {
super(I18n.getExceptionMessage(msgID, originalException), originalException);
this.msgID = msgID;
}
/**
* Constructor XMLSecurityRuntimeException
*
* @param msgID
* @param exArgs
* @param originalException
*/
public XMLSecurityRuntimeException(String msgID, Object[] exArgs, Exception originalException) {
super(MessageFormat.format(I18n.getExceptionMessage(msgID), exArgs), originalException);
this.msgID = msgID;
}
/**
* Method getMsgID
*
* @return the messageId
*/
public String getMsgID() {
if (msgID == null) {
return "Missing message ID";
}
return msgID;
}
/** {@inheritDoc} */
public String toString() {
String s = this.getClass().getName();
String message = super.getLocalizedMessage();
if (message != null) {
message = s + ": " + message;
} else {
message = s;
}
if (this.getCause() != null) {
message = message + "\nOriginal Exception was " + this.getCause().toString();
}
return message;
}
/**
* Method getOriginalException
*
* @return the original exception
*/
public Exception getOriginalException() {
if (this.getCause() instanceof Exception) {
return (Exception)this.getCause();
}
return null;
}
}


@ -170,8 +170,8 @@ public class KeyResolver {
ClassNotFoundException, IllegalAccessException,
InstantiationException, InvocationTargetException {
JavaUtils.checkRegisterPermission();
KeyResolverSpi keyResolverSpi =
(KeyResolverSpi) JavaUtils.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, KeyResolver.class));
KeyResolverSpi keyResolverSpi = (KeyResolverSpi)
JavaUtils.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, KeyResolver.class));
register(keyResolverSpi, false);
}
@ -193,8 +193,8 @@ public class KeyResolver {
KeyResolverSpi keyResolverSpi = null;
Exception ex = null;
try {
keyResolverSpi = (KeyResolverSpi) JavaUtils.newInstanceWithEmptyConstructor(
ClassLoaderUtils.loadClass(className, KeyResolver.class));
keyResolverSpi = (KeyResolverSpi)
JavaUtils.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, KeyResolver.class));
register(keyResolverSpi, true);
} catch (ClassNotFoundException | IllegalAccessException | InstantiationException | InvocationTargetException e) {
ex = e;
@ -253,8 +253,8 @@ public class KeyResolver {
JavaUtils.checkRegisterPermission();
List<KeyResolverSpi> keyResolverList = new ArrayList<>(classNames.size());
for (String className : classNames) {
KeyResolverSpi keyResolverSpi = (KeyResolverSpi)JavaUtils
.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, KeyResolver.class));
KeyResolverSpi keyResolverSpi = (KeyResolverSpi)
JavaUtils.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, KeyResolver.class));
keyResolverList.add(keyResolverSpi);
}
resolverList.addAll(keyResolverList);


@ -162,6 +162,7 @@ public class KeyInfoReferenceResolver extends KeyResolverSpi {
validateReference(referentElement, secureValidation);
KeyInfo referent = new KeyInfo(referentElement, baseURI);
referent.setSecureValidation(secureValidation);
referent.addStorageResolver(storage);
return referent;
}
@ -181,7 +182,7 @@ public class KeyInfoReferenceResolver extends KeyResolverSpi {
}
KeyInfo referent = new KeyInfo(referentElement, "");
if (referent.containsKeyInfoReference()) {
if (referent.containsKeyInfoReference() || referent.containsRetrievalMethod()) {
if (secureValidation) {
throw new XMLSecurityException("KeyInfoReferenceResolver.InvalidReferentElement.ReferenceWithSecure");
} else {
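Review bot: The widened test `referent.containsKeyInfoReference() || referent.containsRetrievalMethod()` carries no comment explaining why a referent that itself points elsewhere is refused under secure validation, and the message key name alone (`...ReferenceWithSecure`) does not say it; a one-line comment such as `// a referent that forwards again (KeyInfoReference or RetrievalMethod) is rejected in secure mode, presumably to bound indirection chains` would keep the intent from being lost — replace "presumably" with the actual reason, since the rest of validateReference is outside the hunk. The first hunk's `referent.addStorageResolver(storage);` uses a `storage` declared outside the visible lines, so its origin is worth a word in the method javadoc too. The non-secure `else` branch that follows is cut off, so I cannot say what happens to such referents there.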


@ -96,8 +96,6 @@
<SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
JAVACLASS="com.sun.org.apache.xml.internal.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA512" />
<SignatureAlgorithm URI="http://www.w3.org/2007/05/xmldsig-more#ripemd160-rsa-MGF1"
JAVACLASS="com.sun.org.apache.xml.internal.security.algorithms.implementations.SignatureBaseRSA$SignatureRSARIPEMD160MGF1" />
<SignatureAlgorithm URI="http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1"
JAVACLASS="com.sun.org.apache.xml.internal.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1MGF1" />
<SignatureAlgorithm URI="http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1"


@ -126,6 +126,7 @@ signature.Transform.ForbiddenTransform = Transform {0} is forbidden when secure
signature.Transform.NotYetImplemented = Transform {0} not yet implemented
signature.Transform.NullPointerTransform = Null pointer as URI. Programming bug?
signature.Transform.UnknownTransform = Unknown transformation. No handler installed for URI {0}
signature.Transform.XPathError = Error evaluating XPath expression
signature.Transform.node = Current Node: {0}
signature.Transform.nodeAndType = Current Node: {0}, type: {1}
signature.Util.BignumNonPositive = bigInteger.signum() must be positive
@ -196,4 +197,4 @@ stax.signature.keyNameMissing = KeyName not configured.
stax.keyNotFoundForName = No key configured for KeyName: {0}
stax.keyTypeNotSupported = Key of type {0} not supported for a KeyName lookup
stax.idsetbutnotgenerated = An Id attribute is specified, but Id generation is disabled
stax.idgenerationdisablewithmultipleparts = Id generation must not be disabled when multiple parts need signing
stax.idgenerationdisablewithmultipleparts = Id generation must not be disabled when multiple parts need signing


@ -36,7 +36,6 @@ import com.sun.org.apache.xml.internal.security.c14n.CanonicalizationException;
import com.sun.org.apache.xml.internal.security.c14n.implementations.Canonicalizer11_OmitComments;
import com.sun.org.apache.xml.internal.security.c14n.implementations.Canonicalizer20010315OmitComments;
import com.sun.org.apache.xml.internal.security.c14n.implementations.CanonicalizerBase;
import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityRuntimeException;
import com.sun.org.apache.xml.internal.security.parser.XMLParserException;
import com.sun.org.apache.xml.internal.security.utils.JavaUtils;
import com.sun.org.apache.xml.internal.security.utils.XMLUtils;
@ -141,7 +140,7 @@ public class XMLSignatureInput {
/**
* Construct a XMLSignatureInput from a subtree rooted by rootNode. This
* method included the node and <I>all</I> his descendants in the output.
* method included the node and <I>all</I> its descendants in the output.
*
* @param rootNode
*/
@ -528,7 +527,7 @@ public class XMLSignatureInput {
if (inputOctetStreamProxy == null) {
return null;
}
try {
try { //NOPMD
bytes = JavaUtils.getBytesFromStream(inputOctetStreamProxy);
} finally {
inputOctetStreamProxy.close();
@ -539,15 +538,9 @@ public class XMLSignatureInput {
/**
* @param filter
*/
public void addNodeFilter(NodeFilter filter) {
public void addNodeFilter(NodeFilter filter) throws XMLParserException, IOException {
if (isOctetStream()) {
try {
convertToNodes();
} catch (Exception e) {
throw new XMLSecurityRuntimeException(
"signature.XMLSignatureInput.nodesetReference", e
);
}
convertToNodes();
}
nodeFilters.add(filter);
}
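Review bot: `addNodeFilter` now declares the checked `XMLParserException` and `IOException`, but its javadoc still reads only `@param filter`, so callers get no documented reason for either exception; add `@throws XMLParserException if the octet stream cannot be parsed into a node set` and `@throws IOException if reading the octet stream fails` (both appear to come from `convertToNodes()` on the `isOctetStream()` path) plus a sentence on what the filter is applied to. Adding checked exceptions to a public method is source-incompatible for any external caller; the two in-tree callers are updated in this commit, but the javadoc should say the signature changed in this version. The `try { //NOPMD` in the earlier hunk suppresses PMD without a reason — something like `//NOPMD - stream is a field, closed in finally` would explain why try-with-resources was not used.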


@ -60,7 +60,7 @@ public class TransformC14N extends TransformSpi {
Canonicalizer20010315 c14n = getCanonicalizer();
if (os == null) {
if (os == null && (input.isOctetStream() || input.isElement() || input.isNodeSet())) {
try (ByteArrayOutputStream writer = new ByteArrayOutputStream()) {
c14n.engineCanonicalize(input, writer, secureValidation);
writer.flush();
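Review bot: The new guard `os == null && (input.isOctetStream() || input.isElement() || input.isNodeSet())` means that when `os` is null and the input is none of those three kinds, control now falls into the branch that previously ran only for a non-null `os`; that branch is outside the hunk, so please confirm it does not hand a null `os` to `engineCanonicalize` or silently return the input unchanged. If the intent is to skip canonicalization for other input kinds, an explicit `else if (os == null) { return input; }` (or an exception) would make that decision visible. The same three-way test appears verbatim in TransformC14NExclusive in this commit; a helper on XMLSignatureInput such as `boolean isCanonicalizable() { return isOctetStream() || isElement() || isNodeSet(); }` would keep the two in step. The method's remainder is beyond the hunk.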


@ -82,7 +82,7 @@ public class TransformC14NExclusive extends TransformSpi {
Canonicalizer20010315Excl c14n = getCanonicalizer();
if (os == null) {
if (os == null && (input.isOctetStream() || input.isElement() || input.isNodeSet())) {
try (ByteArrayOutputStream writer = new ByteArrayOutputStream()) {
c14n.engineCanonicalize(input, inclusiveNamespaces, writer, secureValidation);
writer.flush();


@ -22,8 +22,10 @@
*/
package com.sun.org.apache.xml.internal.security.transforms.implementations;
import java.io.IOException;
import java.io.OutputStream;
import com.sun.org.apache.xml.internal.security.parser.XMLParserException;
import com.sun.org.apache.xml.internal.security.signature.NodeFilter;
import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput;
import com.sun.org.apache.xml.internal.security.transforms.TransformSpi;
@ -71,7 +73,11 @@ public class TransformEnvelopedSignature extends TransformSpi {
Node signatureElement = searchSignatureElement(transformElement);
input.setExcludeNode(signatureElement);
input.addNodeFilter(new EnvelopedNodeFilter(signatureElement));
try {
input.addNodeFilter(new EnvelopedNodeFilter(signatureElement));
} catch (XMLParserException | IOException ex) {
throw new TransformationException(ex);
}
return input;
}


@ -22,11 +22,12 @@
*/
package com.sun.org.apache.xml.internal.security.transforms.implementations;
import java.io.IOException;
import java.io.OutputStream;
import javax.xml.transform.TransformerException;
import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityRuntimeException;
import com.sun.org.apache.xml.internal.security.parser.XMLParserException;
import com.sun.org.apache.xml.internal.security.signature.NodeFilter;
import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput;
import com.sun.org.apache.xml.internal.security.transforms.TransformSpi;
@ -51,6 +52,9 @@ import org.w3c.dom.Node;
*/
public class TransformXPath extends TransformSpi {
private static final com.sun.org.slf4j.internal.Logger LOG =
com.sun.org.slf4j.internal.LoggerFactory.getLogger(TransformXPath.class);
/**
* {@inheritDoc}
*/
@ -102,7 +106,7 @@ public class TransformXPath extends TransformSpi {
input.addNodeFilter(new XPathNodeFilter(xpathElement, xpathnode, str, xpathAPIInstance));
input.setNodeSet(true);
return input;
} catch (DOMException ex) {
} catch (XMLParserException | IOException | DOMException ex) {
throw new TransformationException(ex);
}
}
@ -144,11 +148,8 @@ public class TransformXPath extends TransformSpi {
}
return 0;
} catch (TransformerException e) {
Object[] eArgs = {currentNode};
throw new XMLSecurityRuntimeException("signature.Transform.node", eArgs, e);
} catch (Exception e) {
Object[] eArgs = {currentNode, currentNode.getNodeType()};
throw new XMLSecurityRuntimeException("signature.Transform.nodeAndType",eArgs, e);
LOG.debug("Error evaluating XPath expression", e);
return 0;
}
}
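Review bot: The new `catch (TransformerException e)` logs at debug and returns 0, so an XPath that fails to evaluate is now silently treated like a node the filter excludes instead of aborting the transform; on the signing side the signed node set then quietly differs from what the XPath element asked for, and on verification it yields a digest mismatch with no diagnostic above debug level. The old code surfaced this with `signature.Transform.node` and the offending node; if XMLSecurityRuntimeException had to go, the error should still propagate — e.g. `throw new IllegalStateException("Error evaluating XPath expression on " + currentNode, e);` — or at least be logged at warn with `currentNode` in the message. The removed blanket `catch (Exception e)` also means any other runtime failure now escapes this method unwrapped, which may be intended but changes what callers see. The method begins before the hunk, so its return contract is not visible; the reading above assumes 0 means "exclude". The new resource key `signature.Transform.XPathError` added elsewhere in this commit is not referenced in these lines.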


@ -43,6 +43,7 @@ import org.w3c.dom.Text;
* @see com.sun.org.apache.xml.internal.security.transforms.implementations.TransformBase64Decode
*/
@Deprecated
@SuppressWarnings("PMD")
public final class Base64 {
/** Field BASE64DEFAULTLENGTH */


@ -127,11 +127,11 @@ public class DOMNamespaceContext implements NamespaceContext {
return DEFAULT_NS_PREFIX;
}
}
if (namespaceURI == null) {
if (namespaceURI == null && context != null) {
return context.lookupNamespaceURI(null) != null ? null : DEFAULT_NS_PREFIX;
} else if (namespaceURI.equals(XML_NS_URI)) {
} else if (XML_NS_URI.equals(namespaceURI)) {
return XML_NS_PREFIX;
} else if (namespaceURI.equals(XMLNS_ATTRIBUTE_NS_URI)) {
} else if (XMLNS_ATTRIBUTE_NS_URI.equals(namespaceURI)) {
return XMLNS_ATTRIBUTE;
}
return null;
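Review bot: With `namespaceURI == null && context != null`, a null `namespaceURI` paired with a null `context` no longer throws but falls through the two `equals` tests and returns null; this looks like `getPrefix`, and the `javax.xml.namespace.NamespaceContext` contract says a null namespace URI raises `IllegalArgumentException`, so the guard trades one contract violation (NPE) for another (a null return). Consider `if (namespaceURI == null) { throw new IllegalArgumentException("namespaceURI"); }` ahead of the context lookup, or a comment documenting why the null return is acceptable here. The method's head is outside the hunk.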


@ -190,20 +190,21 @@ public class RFC2253Parser {
if (value.startsWith("\"")) {
StringBuilder sb = new StringBuilder();
StringReader sr = new StringReader(value.substring(1, value.length() - 1));
int i = 0;
char c;
try (StringReader sr = new StringReader(value.substring(1, value.length() - 1))) {
int i = 0;
char c;
while ((i = sr.read()) > -1) {
c = (char) i;
while ((i = sr.read()) > -1) {
c = (char) i;
//the following char is defined at 4.Relationship with RFC1779 and LDAPv2 inrfc2253
if (c == ',' || c == '=' || c == '+' || c == '<'
|| c == '>' || c == '#' || c == ';') {
sb.append('\\');
//the following char is defined at 4.Relationship with RFC1779 and LDAPv2 inrfc2253
if (c == ',' || c == '=' || c == '+' || c == '<'
|| c == '>' || c == '#' || c == ';') {
sb.append('\\');
}
sb.append(c);
}
sb.append(c);
}
value = trim(sb.toString());
@ -263,37 +264,38 @@ public class RFC2253Parser {
*/
static String changeLess32toRFC(String string) throws IOException {
StringBuilder sb = new StringBuilder();
StringReader sr = new StringReader(string);
int i = 0;
char c;
while ((i = sr.read()) > -1) {
c = (char) i;
try (StringReader sr = new StringReader(string)) {
while ((i = sr.read()) > -1) {
c = (char) i;
if (c == '\\') {
sb.append(c);
if (c == '\\') {
sb.append(c);
char c1 = (char) sr.read();
char c2 = (char) sr.read();
char c1 = (char) sr.read();
char c2 = (char) sr.read();
//65 (A) 97 (a)
if ((c1 >= 48 && c1 <= 57 || c1 >= 65 && c1 <= 70 || c1 >= 97 && c1 <= 102)
&& (c2 >= 48 && c2 <= 57
|| c2 >= 65 && c2 <= 70
|| c2 >= 97 && c2 <= 102)) {
try {
char ch = (char) Byte.parseByte("" + c1 + c2, 16);
//65 (A) 97 (a)
if ((c1 >= 48 && c1 <= 57 || c1 >= 65 && c1 <= 70 || c1 >= 97 && c1 <= 102)
&& (c2 >= 48 && c2 <= 57
|| c2 >= 65 && c2 <= 70
|| c2 >= 97 && c2 <= 102)) {
try {
char ch = (char) Byte.parseByte("" + c1 + c2, 16);
sb.append(ch);
} catch (NumberFormatException ex) {
throw new IOException(ex);
sb.append(ch);
} catch (NumberFormatException ex) {
throw new IOException(ex);
}
} else {
sb.append(c1);
sb.append(c2);
}
} else {
sb.append(c1);
sb.append(c2);
sb.append(c);
}
} else {
sb.append(c);
}
}
@ -309,15 +311,16 @@ public class RFC2253Parser {
*/
static String changeLess32toXML(String string) throws IOException {
StringBuilder sb = new StringBuilder();
StringReader sr = new StringReader(string);
int i = 0;
while ((i = sr.read()) > -1) {
if (i < 32) {
sb.append('\\');
sb.append(Integer.toHexString(i));
} else {
sb.append((char) i);
try (StringReader sr = new StringReader(string)) {
while ((i = sr.read()) > -1) {
if (i < 32) {
sb.append('\\');
sb.append(Integer.toHexString(i));
} else {
sb.append((char) i);
}
}
}
@ -333,28 +336,29 @@ public class RFC2253Parser {
*/
static String changeWStoXML(String string) throws IOException {
StringBuilder sb = new StringBuilder();
StringReader sr = new StringReader(string);
int i = 0;
char c;
while ((i = sr.read()) > -1) {
c = (char) i;
try (StringReader sr = new StringReader(string)) {
while ((i = sr.read()) > -1) {
c = (char) i;
if (c == '\\') {
char c1 = (char) sr.read();
if (c == '\\') {
char c1 = (char) sr.read();
if (c1 == ' ') {
sb.append('\\');
if (c1 == ' ') {
sb.append('\\');
String s = "20";
String s = "20";
sb.append(s);
sb.append(s);
} else {
sb.append('\\');
sb.append(c1);
}
} else {
sb.append('\\');
sb.append(c1);
sb.append(c);
}
} else {
sb.append(c);
}
}
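Review bot: In changeLess32toRFC, `char c1 = (char) sr.read(); char c2 = (char) sr.read();` still read past end-of-input without checking for -1, so a value ending in a lone backslash appends `'\uFFFF'` characters instead of failing, and the try-with-resources conversion kept that behaviour. Read into ints first: `int r1 = sr.read(), r2 = sr.read(); if (r1 < 0 || r2 < 0) { throw new IOException("truncated escape sequence"); }` and cast afterwards. changeWStoXML has the same unchecked `(char) sr.read()` after a backslash. `Byte.parseByte("" + c1 + c2, 16)` also accepts only 00–7F, so `\80`–`\FF` escapes end up as the IOException in the catch — worth a comment if that is intended. The methods are fully visible within the section, the surrounding class is not.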


@ -583,7 +583,7 @@ public final class XMLUtils {
Node parent = null;
Node sibling = null;
final String namespaceNs = Constants.NamespaceSpecNS;
do {
do { //NOPMD
switch (node.getNodeType()) {
case Node.ELEMENT_NODE :
Element element = (Element) node;


@ -122,8 +122,8 @@ public class ResourceResolver {
List<ResourceResolverSpi> resourceResolversToAdd = new ArrayList<>(classNames.size());
for (String className : classNames) {
ResourceResolverSpi resourceResolverSpi = (ResourceResolverSpi)JavaUtils
.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, ResourceResolver.class));
ResourceResolverSpi resourceResolverSpi = (ResourceResolverSpi)
JavaUtils.newInstanceWithEmptyConstructor(ClassLoaderUtils.loadClass(className, ResourceResolver.class));
resourceResolversToAdd.add(resourceResolverSpi);
}
resolverList.addAll(resourceResolversToAdd);
@ -159,15 +159,6 @@ public class ResourceResolver {
LOG.debug("check resolvability by class {}", resolver.getClass().getName());
if (resolver.engineCanResolveURI(context)) {
// Check to see whether the Resolver is allowed
if (context.secureValidation
&& (resolver instanceof ResolverLocalFilesystem
|| resolver instanceof ResolverDirectHTTP)) {
Object[] exArgs = { resolver.getClass().getName() };
throw new ResourceResolverException(
"signature.Reference.ForbiddenResolver", exArgs, context.uriToResolve, context.baseUri
);
}
return resolver.engineResolveURI(context);
}
}
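Review bot: Removing the `context.secureValidation` check in `resolve` means this method no longer refuses ResolverLocalFilesystem and ResolverDirectHTTP when secure validation is on, and nothing in the hunk says where that refusal now lives; the companion DOMURIDereferencer change, which now passes `secVal` into the ResourceResolverContext, suggests the resolvers are expected to consult `context.secureValidation` themselves, yet the ResolverLocalFilesystem and ResolverDirectHTTP hunks in this commit show no such check. Before merging, confirm that a `file:` or `http(s):` Reference URI is still rejected under secure validation somewhere on the path (the JDK's Policy with its `disallowedRefUriSchemes`, also touched in this commit, appears to be the candidate) and leave a comment at the removal site naming it, e.g. `// secureValidation restrictions on file/http dereferencing are enforced by the caller (DOMURIDereferencer / Policy), not here`. Otherwise external-resource dereferencing silently becomes reachable in secure mode. The loop continues past the hunk.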


@ -54,5 +54,4 @@ public class ResourceResolverContext {
public Map<String, String> getProperties() {
return properties;
}
}


@ -219,7 +219,8 @@ public class ResolverDirectHTTP extends ResourceResolverSpi {
LOG.debug("I was asked whether I can resolve {}", context.uriToResolve);
if (context.uriToResolve.startsWith("http:") ||
context.baseUri != null && context.baseUri.startsWith("http:")) {
context.uriToResolve.startsWith("https:") ||
context.baseUri != null && (context.baseUri.startsWith("http:") || context.baseUri.startsWith("https:"))) {
LOG.debug("I state that I can resolve {}", context.uriToResolve);
return true;
}
@ -231,7 +232,7 @@ public class ResolverDirectHTTP extends ResourceResolverSpi {
private static URI getNewURI(String uri, String baseURI) throws URISyntaxException {
URI newUri = null;
if (baseURI == null || "".equals(baseURI)) {
if (baseURI == null || baseURI.length() == 0) {
newUri = new URI(uri);
} else {
newUri = new URI(baseURI).resolve(uri);
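Review bot: The scheme tests on `context.uriToResolve` and `context.baseUri` compare `startsWith("http:")`/`"https:"` case-sensitively, while URI schemes are case-insensitive, so `HTTP://…` is not claimed by this resolver and falls through to whatever resolver is next in the list; parsing once with `java.net.URI` and comparing `getScheme()` via `equalsIgnoreCase` would be robust and would reuse the `getNewURI` logic in the second hunk. Failing that, a helper such as `private static boolean isHttp(String s) { return s != null && (s.regionMatches(true, 0, "http:", 0, 5) || s.regionMatches(true, 0, "https:", 0, 6)); }` keeps the `uriToResolve` and `baseUri` checks on one definition. The remaining lines of engineCanResolveURI are outside the hunk.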


@ -38,8 +38,6 @@ import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverS
*/
public class ResolverLocalFilesystem extends ResourceResolverSpi {
private static final int FILE_URI_LENGTH = "file:/".length();
private static final com.sun.org.slf4j.internal.Logger LOG =
com.sun.org.slf4j.internal.LoggerFactory.getLogger(ResolverLocalFilesystem.class);
@ -53,9 +51,7 @@ public class ResolverLocalFilesystem extends ResourceResolverSpi {
// calculate new URI
URI uriNew = getNewURI(context.uriToResolve, context.baseUri);
String fileName =
ResolverLocalFilesystem.translateUriToFilename(uriNew.toString());
InputStream inputStream = Files.newInputStream(Paths.get(fileName));
InputStream inputStream = Files.newInputStream(Paths.get(uriNew)); //NOPMD
XMLSignatureInput result = new XMLSignatureInput(inputStream);
result.setSecureValidation(context.secureValidation);
@ -67,41 +63,6 @@ public class ResolverLocalFilesystem extends ResourceResolverSpi {
}
}
/**
* Method translateUriToFilename
*
* @param uri
* @return the string of the filename
*/
private static String translateUriToFilename(String uri) {
String subStr = uri.substring(FILE_URI_LENGTH);
if (subStr.indexOf("%20") > -1) {
int offset = 0;
int index = 0;
StringBuilder temp = new StringBuilder(subStr.length());
do {
index = subStr.indexOf("%20",offset);
if (index == -1) {
temp.append(subStr.substring(offset));
} else {
temp.append(subStr.substring(offset, index));
temp.append(' ');
offset = index + 3;
}
} while(index != -1);
subStr = temp.toString();
}
if (subStr.charAt(1) == ':') {
// we're running M$ Windows, so this works fine
return subStr;
}
// we're running some UNIX, so we have to prepend a slash
return "/" + subStr;
}
/**
* {@inheritDoc}
*/
@ -111,7 +72,7 @@ public class ResolverLocalFilesystem extends ResourceResolverSpi {
}
if (context.uriToResolve.isEmpty() || context.uriToResolve.charAt(0) == '#' ||
context.uriToResolve.startsWith("http:")) {
context.uriToResolve.startsWith("http:") || context.uriToResolve.startsWith("https:")) {
return false;
}
@ -133,7 +94,7 @@ public class ResolverLocalFilesystem extends ResourceResolverSpi {
private static URI getNewURI(String uri, String baseURI) throws URISyntaxException {
URI newUri = null;
if (baseURI == null || "".equals(baseURI)) {
if (baseURI == null || baseURI.length() == 0) {
newUri = new URI(uri);
} else {
newUri = new URI(baseURI).resolve(uri);
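Review bot: `Paths.get(uriNew)` throws `IllegalArgumentException` when the URI has no scheme or a scheme other than `file`, and `FileSystemNotFoundException` when no provider is installed for the scheme, while engineCanResolveURI only filters out empty, `#`, `http:` and `https:` URIs — so a Reference such as `ftp:` or `jar:` now reaches this line and fails with an unchecked exception rather than a ResourceResolverException (the catch that follows is outside the hunk, so I cannot confirm it covers these). Guard explicitly before `Files.newInputStream`: `if (!"file".equalsIgnoreCase(uriNew.getScheme())) { throw new ResourceResolverException(/* msgID */, context.uriToResolve, context.baseUri); }` using whatever message key fits, or widen the catch to `IllegalArgumentException | FileSystemNotFoundException`. Dropping the hand-rolled `translateUriToFilename` is otherwise a clear improvement, since `Paths.get(URI)` decodes percent-escapes and Windows drive letters correctly. The `//NOPMD` on the newInputStream line presumably silences the unclosed-resource rule because the stream is handed to XMLSignatureInput — say so in the comment.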


@ -239,9 +239,6 @@ public abstract class ApacheCanonicalizer extends TransformService {
try {
in = apacheTransform.performTransform(in, os, secVal);
if (!in.isNodeSet() && !in.isElement()) {
return null;
}
if (in.isOctetStream()) {
return new ApacheOctetStreamData(in);
} else {


@ -447,7 +447,7 @@ public final class DOMReference extends DOMStructure
}
Data data = dereferencedData;
XMLSignatureInput xi = null;
try (OutputStream os = new UnsyncBufferedOutputStream(dos)) {
try (OutputStream os = new UnsyncBufferedOutputStream(dos)) { //NOPMD
for (int i = 0, size = transforms.size(); i < size; i++) {
DOMTransform transform = (DOMTransform)transforms.get(i);
if (i < size - 1) {


@ -116,7 +116,7 @@ public class DOMTransform extends DOMStructure implements Transform {
Document ownerDoc = DOMUtils.getOwnerDocument(parent);
Element transformElem = null;
if (parent.getLocalName().equals("Transforms")) {
if ("Transforms".equals(parent.getLocalName())) {
transformElem = DOMUtils.createElement(ownerDoc, "Transform",
XMLSignature.XMLNS,
dsPrefix);


@ -138,7 +138,7 @@ public final class DOMURIDereferencer implements URIDereferencer {
}
try {
ResourceResolverContext resContext = new ResourceResolverContext(uriAttr, baseURI, false);
ResourceResolverContext resContext = new ResourceResolverContext(uriAttr, baseURI, secVal);
XMLSignatureInput in = ResourceResolver.resolve(resContext);
if (in.isOctetStream()) {
return new ApacheOctetStreamData(in);


@ -43,14 +43,13 @@ import java.util.Set;
*/
public final class Policy {
// all restrictions are initialized to be unconstrained
private static Set<URI> disallowedAlgs = new HashSet<>();
private static int maxTrans = Integer.MAX_VALUE;
private static int maxRefs = Integer.MAX_VALUE;
private static Set<String> disallowedRefUriSchemes = new HashSet<>();
private static Map<String, Integer> minKeyMap = new HashMap<>();
private static boolean noDuplicateIds = false;
private static boolean noRMLoops = false;
private static Set<URI> disallowedAlgs;
private static int maxTrans;
private static int maxRefs;
private static Set<String> disallowedRefUriSchemes;
private static Map<String, Integer> minKeyMap;
private static boolean noDuplicateIds;
private static boolean noRMLoops;
static {
try {
@ -64,6 +63,16 @@ public final class Policy {
private Policy() {}
private static void initialize() {
// First initialized to be unconstrained and then parse the
// security property "jdk.xml.dsig.secureValidationPolicy"
disallowedAlgs = new HashSet<>();
maxTrans = Integer.MAX_VALUE;
maxRefs = Integer.MAX_VALUE;
disallowedRefUriSchemes = new HashSet<>();
minKeyMap = new HashMap<>();
noDuplicateIds = false;
noRMLoops = false;
@SuppressWarnings("removal")
String prop =
AccessController.doPrivileged((PrivilegedAction<String>) () ->


@ -114,7 +114,7 @@ public final class Utils {
}
private static boolean getBoolean(XMLCryptoContext xc, String name) {
Boolean value = (Boolean)xc.getProperty(name);
Boolean value = (Boolean) xc.getProperty(name);
return value != null && value;
}
}


@ -134,7 +134,7 @@ public final class XMLDSigRI extends Provider {
@SuppressWarnings("removal")
public XMLDSigRI() {
// This is the JDK XMLDSig provider, synced from
// Apache Santuario XML Security for Java, version 2.2.1
// Apache Santuario XML Security for Java, version 2.3.0
super("XMLDSig", VER, INFO);
final Provider p = this;


@ -1,4 +1,4 @@
## Apache Santuario v2.2.1
## Apache Santuario v2.3.0
### Apache Santuario Notice
<pre>