From e8064300cbba0e0109656f0d0e101fd8f6346c5e Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <asmotrak@openjdk.org>
Date: Mon, 18 May 2015 17:34:48 +0300
Subject: [PATCH] 8079138: Additional negative tests for XML signature
 processing

Reviewed-by: mullan
---
 .../xml/crypto/dsig/ValidationTests.java      | 34 ++++++++++++++++---
 .../signature-extra-text-in-signed-info.xml   |  3 ++
 .../dsig/data/signature-no-reference-uri.xml  |  3 ++
 ...rong-canonicalization-method-algorithm.xml |  3 ++
 ...ature-wrong-signature-method-algorithm.xml |  3 ++
 .../dsig/data/signature-wrong-tag-names.xml   |  3 ++
 .../signature-wrong-transform-algorithm.xml   |  4 +++
 7 files changed, 48 insertions(+), 5 deletions(-)
 create mode 100644 jdk/test/javax/xml/crypto/dsig/data/signature-extra-text-in-signed-info.xml
 create mode 100644 jdk/test/javax/xml/crypto/dsig/data/signature-no-reference-uri.xml
 create mode 100644 jdk/test/javax/xml/crypto/dsig/data/signature-wrong-canonicalization-method-algorithm.xml
 create mode 100644 jdk/test/javax/xml/crypto/dsig/data/signature-wrong-signature-method-algorithm.xml
 create mode 100644 jdk/test/javax/xml/crypto/dsig/data/signature-wrong-tag-names.xml
 create mode 100644 jdk/test/javax/xml/crypto/dsig/data/signature-wrong-transform-algorithm.xml

diff --git a/jdk/test/javax/xml/crypto/dsig/ValidationTests.java b/jdk/test/javax/xml/crypto/dsig/ValidationTests.java
index 3480f23b2be..d7384815f44 100644
--- a/jdk/test/javax/xml/crypto/dsig/ValidationTests.java
+++ b/jdk/test/javax/xml/crypto/dsig/ValidationTests.java
@@ -35,6 +35,7 @@ import java.io.FileInputStream;
 import java.security.*;
 import javax.xml.crypto.Data;
 import javax.xml.crypto.KeySelector;
+import javax.xml.crypto.MarshalException;
 import javax.xml.crypto.OctetStreamData;
 import javax.xml.crypto.URIDereferencer;
 import javax.xml.crypto.URIReference;
@@ -60,9 +61,17 @@ public class ValidationTests {
     static class Test {
         String file;
         KeySelector ks;
-        Test(String file, KeySelector ks) {
+        Class exception;
+
+        Test(String file, KeySelector ks, Class exception) {
             this.file = file;
             this.ks = ks;
+            this.exception = exception;
+        }
+
+        // XMLSignatureException is expected by default
+        Test(String file, KeySelector ks) {
+            this(file, ks, XMLSignatureException.class);
         }
     }
 
@@ -110,7 +119,17 @@ public class ValidationTests {
     private final static Test[] INVALID_TESTS = {
         new Test("signature-enveloping-hmac-sha1-40.xml", SKKS),
         new Test("signature-enveloping-hmac-sha1-trunclen-0-attack.xml", SKKS),
-        new Test("signature-enveloping-hmac-sha1-trunclen-8-attack.xml", SKKS)
+        new Test("signature-enveloping-hmac-sha1-trunclen-8-attack.xml", SKKS),
+        new Test("signature-extra-text-in-signed-info.xml", SKKS,
+                MarshalException.class),
+        new Test("signature-wrong-canonicalization-method-algorithm.xml", SKKS,
+                MarshalException.class),
+        new Test("signature-wrong-transform-algorithm.xml", SKKS,
+                MarshalException.class),
+        new Test("signature-no-reference-uri.xml", SKKS),
+        new Test("signature-wrong-signature-method-algorithm.xml", SKKS,
+                MarshalException.class),
+        new Test("signature-wrong-tag-names.xml", SKKS, MarshalException.class)
     };
 
     public static void main(String args[]) throws Exception {
@@ -143,9 +162,14 @@ public class ValidationTests {
                 test_signature(test);
                 System.out.println("FAILED");
                 atLeastOneFailed = true;
-            } catch (XMLSignatureException xse) {
-                System.out.println(xse.getMessage());
-                System.out.println("PASSED");
+            } catch (Exception e) {
+                System.out.println("Exception: " + e);
+                if (e.getClass() != test.exception) {
+                    System.out.println("FAILED: unexpected exception");
+                    atLeastOneFailed = true;
+                } else {
+                    System.out.println("PASSED");
+                }
             }
         }
 
diff --git a/jdk/test/javax/xml/crypto/dsig/data/signature-extra-text-in-signed-info.xml b/jdk/test/javax/xml/crypto/dsig/data/signature-extra-text-in-signed-info.xml
new file mode 100644
index 00000000000..578e7bb16e9
--- /dev/null
+++ b/jdk/test/javax/xml/crypto/dsig/data/signature-extra-text-in-signed-info.xml
@@ -0,0 +1,3 @@
+<test xmlns="http://example.org/envelope">test<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>1Bq8FsjajUBYPD7stQeJSc66GlM=</DigestValue><test>extra text</test></Reference></SignedInfo><SignatureValue>iTrgJERmYeD5hFwY8/MwJpkF+nd++AAOgf/Kxt9SwdE6BIYq2Vyxq4CQPhD+t2971BGTgvF6ejZd
++/Ko4Zs5Dqf4Lt65Vck0q43rM0PdP1e8gJov0IPYnZ1zeqFpah+N/OjmqTbshaZWRIjf3eqS6en5
+ZKjn+TkCQ1kOX/YUNDc=</SignatureValue></Signature></test>
\ No newline at end of file
diff --git a/jdk/test/javax/xml/crypto/dsig/data/signature-no-reference-uri.xml b/jdk/test/javax/xml/crypto/dsig/data/signature-no-reference-uri.xml
new file mode 100644
index 00000000000..eb199f79df2
--- /dev/null
+++ b/jdk/test/javax/xml/crypto/dsig/data/signature-no-reference-uri.xml
@@ -0,0 +1,3 @@
+<test xmlns="http://example.org/envelope">test<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>1Bq8FsjajUBYPD7stQeJSc66GlM=</DigestValue></Reference></SignedInfo><SignatureValue>BNPSYlNcyXcO/Tc1tr9mQ/KAZ40eFybLTDyB/HH1EHHMpc972A+nOX2EWBaLsVgG8apl0Isp1ZqV
+gmoDHNF6xrcJJQVydVJzU08GVV4GiXHMqRYQbted7STQLhlhssvNNdMEoVApsX5ByL66wxKZQXrT
+z1kZtOHAi88DOrmIJu0=</SignatureValue></Signature></test>
\ No newline at end of file
diff --git a/jdk/test/javax/xml/crypto/dsig/data/signature-wrong-canonicalization-method-algorithm.xml b/jdk/test/javax/xml/crypto/dsig/data/signature-wrong-canonicalization-method-algorithm.xml
new file mode 100644
index 00000000000..2ce430e1de9
--- /dev/null
+++ b/jdk/test/javax/xml/crypto/dsig/data/signature-wrong-canonicalization-method-algorithm.xml
@@ -0,0 +1,3 @@
+<test xmlns="http://example.org/envelope">test<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><CanonicalizationMethod Algorithm="http://oracle.com"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>1Bq8FsjajUBYPD7stQeJSc66GlM=</DigestValue></Reference></SignedInfo><SignatureValue>EBbyEV7e+1CTUsyCTyxiN8p+U3/za1oTjK7q+kF8Q87r8e/7C1z4ndGWbk6zyI3w6leT+I2suW9U
+KkdvkrDXX2OyLw0GfgJfLkNn+1pGK6kyWpL95NoWJZhHkUAKKBZ0ikfZ4j33gYxrYK+IYCLeZYzr
+hlZjdXXXCiSH0Sq+weQ=</SignatureValue></Signature></test>
\ No newline at end of file
diff --git a/jdk/test/javax/xml/crypto/dsig/data/signature-wrong-signature-method-algorithm.xml b/jdk/test/javax/xml/crypto/dsig/data/signature-wrong-signature-method-algorithm.xml
new file mode 100644
index 00000000000..a2709caec76
--- /dev/null
+++ b/jdk/test/javax/xml/crypto/dsig/data/signature-wrong-signature-method-algorithm.xml
@@ -0,0 +1,3 @@
+<test xmlns="http://example.org/envelope">test<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod><SignatureMethod Algorithm="bogus://bogus"></SignatureMethod><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>1Bq8FsjajUBYPD7stQeJSc66GlM=</DigestValue></Reference></SignedInfo><SignatureValue>RjL9nfQg9u6+KEFfAlBBH7E7ilFgB7YEQ5MxOIJN/fOdQmc5iDD+YuhiHzNGXGi/UOyo6t8LxTxl
+X4oFE1RNlPVkSAZK4LcTWhVa757WwgW1/EZo8PQYWp5NScLq6PumYaujoovSYBKW2N6+jQpnD/L6
+4cuEVNnwEFqvOLrjogY=</SignatureValue></Signature></test>
\ No newline at end of file
diff --git a/jdk/test/javax/xml/crypto/dsig/data/signature-wrong-tag-names.xml b/jdk/test/javax/xml/crypto/dsig/data/signature-wrong-tag-names.xml
new file mode 100644
index 00000000000..152eb791985
--- /dev/null
+++ b/jdk/test/javax/xml/crypto/dsig/data/signature-wrong-tag-names.xml
@@ -0,0 +1,3 @@
+<test xmlns="http://example.org/envelope">test<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><aSignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><aCanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></aCanonicalizationMethod><aSignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></aSignatureMethod><aReference URI=""><Transforms><aTransform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></aTransform></Transforms><aDigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></aDigestMethod><aDigestValue>1Bq8FsjajUBYPD7stQeJSc66GlM=</aDigestValue></aReference></aSignedInfo><aSignatureValue>cbNpPGavhM0BGUtrvLxvy2SCIt+I27BPpVEt0Q9mXrdPYurMqWF/67AdY9m5RqS7+ZZlwUtem083
+MczRYbKoOIq7sMbCqKKdzbSE/U6rfmky/ACQ5wgemZl8jtipwu5LhAUzjhzT8hhTjVqOYpHdkVJz
+l9dnd9eWbLmEr3BI0VA=</aSignatureValue></Signature></test>
\ No newline at end of file
diff --git a/jdk/test/javax/xml/crypto/dsig/data/signature-wrong-transform-algorithm.xml b/jdk/test/javax/xml/crypto/dsig/data/signature-wrong-transform-algorithm.xml
new file mode 100644
index 00000000000..a64abc75c46
--- /dev/null
+++ b/jdk/test/javax/xml/crypto/dsig/data/signature-wrong-transform-algorithm.xml
@@ -0,0 +1,4 @@
+<!-- This XML signature contains a Transform with wrong algorithm -->
+<test xmlns="http://example.org/envelope">test<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI=""><Transforms><Transform Algorithm="bogus://bogus"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>1Bq8FsjajUBYPD7stQeJSc66GlM=</DigestValue></Reference></SignedInfo><SignatureValue>Wzyx3jgEKGwY+pBXBmqWLWhASHQYCCGZVii5sKKKeZUBKxNBthjiSVfzKANuLgX6zAt16XRycrSL
+zFKTPuvGeWVPDvd+KTNKCJxN9ccrG7v23EM7RY2eMJGu2r5DLfKwV7H6YuJPsOuWifVkKAhvq7gd
+6akJshxyAj9Ud+mjo48=</SignatureValue></Signature></test>
\ No newline at end of file