Mercurial > hg > release > icedtea7-forest-2.1 > jdk
changeset 4883:edc4404c1938
6741606: Integrate Apache Santuario
Reviewed-by: vinnie, hawtin
line wrap: on
line diff
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/Init.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/Init.java Wed Jun 12 14:56:51 2013 +0100 @@ -2,38 +2,43 @@ * reserved comment block * DO NOT REMOVE OR ALTER! */ -/* - * Copyright 1999-2004 The Apache Software Foundation. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. */ package com.sun.org.apache.xml.internal.security; import java.io.InputStream; import java.security.AccessController; import java.security.PrivilegedAction; +import java.util.ArrayList; +import java.util.List; + +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import com.sun.org.apache.xml.internal.security.algorithms.JCEMapper; import com.sun.org.apache.xml.internal.security.algorithms.SignatureAlgorithm; import com.sun.org.apache.xml.internal.security.c14n.Canonicalizer; -import com.sun.org.apache.xml.internal.security.keys.KeyInfo; import com.sun.org.apache.xml.internal.security.keys.keyresolver.KeyResolver; import com.sun.org.apache.xml.internal.security.transforms.Transform; +import com.sun.org.apache.xml.internal.security.utils.ElementProxy; import com.sun.org.apache.xml.internal.security.utils.I18n; -//import com.sun.org.apache.xml.internal.security.utils.PRNG; import com.sun.org.apache.xml.internal.security.utils.XMLUtils; import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver; import org.w3c.dom.Attr; @@ -47,367 +52,317 @@ * the mapping of Canonicalization and Transform algorithms. Initialization is * done by calling {@link Init#init} which should be done in any static block * of the files of this library. We ensure that this call is only executed once. - * - * @author $Author: mullan $ */ -public final class Init { +public class Init { - /** {@link java.util.logging} logging facility */ - static java.util.logging.Logger log = + /** The namespace for CONF file **/ + public static final String CONF_NS = "http://www.xmlsecurity.org/NS/#configuration"; + + /** {@link org.apache.commons.logging} logging facility */ + private static java.util.logging.Logger log = java.util.logging.Logger.getLogger(Init.class.getName()); - /** Field _initialized */ - private static boolean _alreadyInitialized = false; + /** Field alreadyInitialized */ + private static boolean alreadyInitialized = false; - /** The namespace for CONF file **/ - public static final String CONF_NS="http://www.xmlsecurity.org/NS/#configuration"; + /** + * Method isInitialized + * @return true if the library is already initialized. + */ + public static synchronized final boolean isInitialized() { + return Init.alreadyInitialized; + } + + /** + * Method init + * + */ + public static synchronized void init() { + if (alreadyInitialized) { + return; + } - /** - * Method isInitialized - * @return true if the librairy is already initialized. - * - */ - public static final boolean isInitialized() { - return Init._alreadyInitialized; - } + InputStream is = + AccessController.doPrivileged( + new PrivilegedAction<InputStream>() { + public InputStream run() { + String cfile = + System.getProperty("com.sun.org.apache.xml.internal.security.resource.config"); + if (cfile == null) { + return null; + } + return getClass().getResourceAsStream(cfile); + } + }); + if (is == null) { + dynamicInit(); + } else { + fileInit(is); + } - /** - * Method init - * - */ - public synchronized static void init() { + alreadyInitialized = true; + } + + /** + * Dynamically initialise the library by registering the default algorithms/implementations + */ + private static void dynamicInit() { + // + // Load the Resource Bundle - the default is the English resource bundle. + // To load another resource bundle, call I18n.init(...) before calling this + // method. + // + I18n.init("en", "US"); - if (_alreadyInitialized) { - return; - } - long XX_configure_i18n_end=0; - long XX_configure_reg_c14n_start=0; - long XX_configure_reg_c14n_end=0; - long XX_configure_reg_jcemapper_end=0; - long XX_configure_reg_keyInfo_start=0; - long XX_configure_reg_keyResolver_end=0; - long XX_configure_reg_prefixes_start=0; - long XX_configure_reg_resourceresolver_start=0; - long XX_configure_reg_sigalgos_end=0; - long XX_configure_reg_transforms_end=0; - long XX_configure_reg_keyInfo_end=0; - long XX_configure_reg_keyResolver_start=0; - _alreadyInitialized = true; + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Registering default algorithms"); + } + try { + // + // Bind the default prefixes + // + ElementProxy.registerDefaultPrefixes(); + + // + // Set the default Transforms + // + Transform.registerDefaultAlgorithms(); + + // + // Set the default signature algorithms + // + SignatureAlgorithm.registerDefaultAlgorithms(); + + // + // Set the default JCE algorithms + // + JCEMapper.registerDefaultAlgorithms(); - try { - long XX_init_start = System.currentTimeMillis(); - long XX_prng_start = System.currentTimeMillis(); + // + // Set the default c14n algorithms + // + Canonicalizer.registerDefaultAlgorithms(); - //PRNG.init(new java.security.SecureRandom()); + // + // Register the default resolvers + // + ResourceResolver.registerDefaultResolvers(); - long XX_prng_end = System.currentTimeMillis(); + // + // Register the default key resolvers + // + KeyResolver.registerDefaultResolvers(); + } catch (Exception ex) { + log.log(java.util.logging.Level.SEVERE, ex.getMessage(), ex); + ex.printStackTrace(); + } + } + /** + * Initialise the library from a configuration file + */ + private static void fileInit(InputStream is) { + try { /* read library configuration file */ - long XX_parsing_start = System.currentTimeMillis(); DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE); dbf.setNamespaceAware(true); dbf.setValidating(false); DocumentBuilder db = dbf.newDocumentBuilder(); - // We don't allow users to override the Apache XML Security - // configuration in the JRE. Users should use the standard security - // provider mechanism instead if implementing their own - // transform or canonicalization algorithms. - // InputStream is = Class.forName("com.sun.org.apache.xml.internal.security.Init").getResourceAsStream("resource/config.xml"); - InputStream is = (InputStream) AccessController.doPrivileged( - new PrivilegedAction() { - public Object run() { -// String cfile = System.getProperty -// ("com.sun.org.apache.xml.internal.security.resource.config"); - return getClass().getResourceAsStream -// (cfile != null ? cfile : "resource/config.xml"); - ("resource/config.xml"); - } - }); - Document doc = db.parse(is); - long XX_parsing_end = System.currentTimeMillis(); - long XX_configure_i18n_start = 0; - - { - XX_configure_reg_keyInfo_start = System.currentTimeMillis(); - try { - KeyInfo.init(); - } catch (Exception e) { - e.printStackTrace(); - - throw e; - } - XX_configure_reg_keyInfo_end = System.currentTimeMillis(); - } - - long XX_configure_reg_transforms_start=0; - long XX_configure_reg_jcemapper_start=0; - long XX_configure_reg_sigalgos_start=0; - long XX_configure_reg_resourceresolver_end=0; - long XX_configure_reg_prefixes_end=0; - Node config=doc.getFirstChild(); - for (;config!=null;config=config.getNextSibling()) { + Node config = doc.getFirstChild(); + for (; config != null; config = config.getNextSibling()) { if ("Configuration".equals(config.getLocalName())) { - break; + break; } } - for (Node el=config.getFirstChild();el!=null;el=el.getNextSibling()) { - if (el.getNodeType() != Node.ELEMENT_NODE) { - continue; + if (config == null) { + log.log(java.util.logging.Level.SEVERE, "Error in reading configuration file - Configuration element not found"); + return; + } + for (Node el = config.getFirstChild(); el != null; el = el.getNextSibling()) { + if (Node.ELEMENT_NODE != el.getNodeType()) { + continue; + } + String tag = el.getLocalName(); + if (tag.equals("ResourceBundles")) { + Element resource = (Element)el; + /* configure internationalization */ + Attr langAttr = resource.getAttributeNode("defaultLanguageCode"); + Attr countryAttr = resource.getAttributeNode("defaultCountryCode"); + String languageCode = + (langAttr == null) ? null : langAttr.getNodeValue(); + String countryCode = + (countryAttr == null) ? null : countryAttr.getNodeValue(); + I18n.init(languageCode, countryCode); } - String tag=el.getLocalName(); -// -// Commented out: not supported in the JDK. We use the default locale. -// -// if (tag.equals("ResourceBundles")){ -// XX_configure_i18n_start = System.currentTimeMillis(); -// Element resource=(Element)el; -// /* configure internationalization */ -// Attr langAttr = resource.getAttributeNode("defaultLanguageCode"); -// Attr countryAttr = resource.getAttributeNode("defaultCountryCode"); -// String languageCode = (langAttr == null) -// ? null -// : langAttr.getNodeValue(); -// String countryCode = (countryAttr == null) -// ? null -// : countryAttr.getNodeValue(); -// -// I18n.init(languageCode, countryCode); -// XX_configure_i18n_end = System.currentTimeMillis(); -// } + + if (tag.equals("CanonicalizationMethods")) { + Element[] list = + XMLUtils.selectNodes(el.getFirstChild(), CONF_NS, "CanonicalizationMethod"); + + for (int i = 0; i < list.length; i++) { + String uri = list[i].getAttributeNS(null, "URI"); + String javaClass = + list[i].getAttributeNS(null, "JAVACLASS"); + try { + Canonicalizer.register(uri, javaClass); + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Canonicalizer.register(" + uri + ", " + javaClass + ")"); + } + } catch (ClassNotFoundException e) { + Object exArgs[] = { uri, javaClass }; + log.log(java.util.logging.Level.SEVERE, I18n.translate("algorithm.classDoesNotExist", exArgs)); + } + } + } + + if (tag.equals("TransformAlgorithms")) { + Element[] tranElem = + XMLUtils.selectNodes(el.getFirstChild(), CONF_NS, "TransformAlgorithm"); - if (tag.equals("CanonicalizationMethods")){ - XX_configure_reg_c14n_start = System.currentTimeMillis(); - Canonicalizer.init(); - Element[] list=XMLUtils.selectNodes(el.getFirstChild(),CONF_NS,"CanonicalizationMethod"); + for (int i = 0; i < tranElem.length; i++) { + String uri = tranElem[i].getAttributeNS(null, "URI"); + String javaClass = + tranElem[i].getAttributeNS(null, "JAVACLASS"); + try { + Transform.register(uri, javaClass); + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Transform.register(" + uri + ", " + javaClass + ")"); + } + } catch (ClassNotFoundException e) { + Object exArgs[] = { uri, javaClass }; - for (int i = 0; i < list.length; i++) { - String URI = list[i].getAttributeNS(null, - "URI"); - String JAVACLASS = - list[i].getAttributeNS(null, - "JAVACLASS"); - try { - Class.forName(JAVACLASS); -/* Method methods[] = c.getMethods(); + log.log(java.util.logging.Level.SEVERE, I18n.translate("algorithm.classDoesNotExist", exArgs)); + } catch (NoClassDefFoundError ex) { + log.log(java.util.logging.Level.WARNING, "Not able to found dependencies for algorithm, I'll keep working."); + } + } + } - for (int j = 0; j < methods.length; j++) { - Method currMeth = methods[j]; - - if (currMeth.getDeclaringClass().getName() - .equals(JAVACLASS)) { - log.log(java.util.logging.Level.FINE, currMeth.getDe claringClass().toString()); + if ("JCEAlgorithmMappings".equals(tag)) { + Node algorithmsNode = ((Element)el).getElementsByTagName("Algorithms").item(0); + if (algorithmsNode != null) { + Element[] algorithms = + XMLUtils.selectNodes(algorithmsNode.getFirstChild(), CONF_NS, "Algorithm"); + for (int i = 0; i < algorithms.length; i++) { + Element element = algorithms[i]; + String id = element.getAttribute("URI"); + JCEMapper.register(id, new JCEMapper.Algorithm(element)); } - }*/ - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "Canonicalizer.register(" + URI + ", " - + JAVACLASS + ")"); - Canonicalizer.register(URI, JAVACLASS); - } catch (ClassNotFoundException e) { - Object exArgs[] = { URI, JAVACLASS }; + } + } + + if (tag.equals("SignatureAlgorithms")) { + Element[] sigElems = + XMLUtils.selectNodes(el.getFirstChild(), CONF_NS, "SignatureAlgorithm"); + + for (int i = 0; i < sigElems.length; i++) { + String uri = sigElems[i].getAttributeNS(null, "URI"); + String javaClass = + sigElems[i].getAttributeNS(null, "JAVACLASS"); + + /** $todo$ handle registering */ - log.log(java.util.logging.Level.SEVERE, I18n.translate("algorithm.classDoesNotExist", - exArgs)); - } - } - XX_configure_reg_c14n_end = System.currentTimeMillis(); - } + try { + SignatureAlgorithm.register(uri, javaClass); + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "SignatureAlgorithm.register(" + uri + ", " + + javaClass + ")"); + } + } catch (ClassNotFoundException e) { + Object exArgs[] = { uri, javaClass }; - if (tag.equals("TransformAlgorithms")){ - XX_configure_reg_transforms_start = System.currentTimeMillis(); - Transform.init(); + log.log(java.util.logging.Level.SEVERE, I18n.translate("algorithm.classDoesNotExist", exArgs)); + } + } + } - Element[] tranElem = XMLUtils.selectNodes(el.getFirstChild(),CONF_NS,"TransformAlgorithm"); + if (tag.equals("ResourceResolvers")) { + Element[]resolverElem = + XMLUtils.selectNodes(el.getFirstChild(), CONF_NS, "Resolver"); + + for (int i = 0; i < resolverElem.length; i++) { + String javaClass = + resolverElem[i].getAttributeNS(null, "JAVACLASS"); + String description = + resolverElem[i].getAttributeNS(null, "DESCRIPTION"); - for (int i = 0; i < tranElem.length; i++) { - String URI = tranElem[i].getAttributeNS(null, - "URI"); - String JAVACLASS = - tranElem[i].getAttributeNS(null, - "JAVACLASS"); - try { - Class.forName(JAVACLASS); - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "Transform.register(" + URI + ", " + JAVACLASS + ")"); - Transform.register(URI, JAVACLASS); - } catch (ClassNotFoundException e) { - Object exArgs[] = { URI, JAVACLASS }; + if ((description != null) && (description.length() > 0)) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Register Resolver: " + javaClass + ": " + + description); + } + } else { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Register Resolver: " + javaClass + + ": For unknown purposes"); + } + } + try { + ResourceResolver.register(javaClass); + } catch (Throwable e) { + log.log(java.util.logging.Level.WARNING, + "Cannot register:" + javaClass + + " perhaps some needed jars are not installed", + e + ); + } + } + } - log.log(java.util.logging.Level.SEVERE, I18n.translate("algorithm.classDoesNotExist", - exArgs)); + if (tag.equals("KeyResolver")){ + Element[] resolverElem = + XMLUtils.selectNodes(el.getFirstChild(), CONF_NS, "Resolver"); + List<String> classNames = new ArrayList<String>(resolverElem.length); + for (int i = 0; i < resolverElem.length; i++) { + String javaClass = + resolverElem[i].getAttributeNS(null, "JAVACLASS"); + String description = + resolverElem[i].getAttributeNS(null, "DESCRIPTION"); - } catch (NoClassDefFoundError ex) { - log.log(java.util.logging.Level.WARNING, "Not able to found dependecies for algorithm, I'm keep working."); - } - } - XX_configure_reg_transforms_end = System.currentTimeMillis(); - } - - - if ("JCEAlgorithmMappings".equals(tag)){ - XX_configure_reg_jcemapper_start = System.currentTimeMillis(); - JCEMapper.init((Element)el); - XX_configure_reg_jcemapper_end = System.currentTimeMillis(); - } - + if ((description != null) && (description.length() > 0)) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Register Resolver: " + javaClass + ": " + + description); + } + } else { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Register Resolver: " + javaClass + + ": For unknown purposes"); + } + } + classNames.add(javaClass); + } + KeyResolver.registerClassNames(classNames); + } - if (tag.equals("SignatureAlgorithms")){ - XX_configure_reg_sigalgos_start = System.currentTimeMillis(); - SignatureAlgorithm.providerInit(); - - Element[] sigElems = XMLUtils.selectNodes(el.getFirstChild(), CONF_NS, - "SignatureAlgorithm"); - - for (int i = 0; i < sigElems.length; i++) { - String URI = sigElems[i].getAttributeNS(null, - "URI"); - String JAVACLASS = - sigElems[i].getAttributeNS(null, - "JAVACLASS"); - - /** $todo$ handle registering */ - - try { - Class.forName(JAVACLASS); - // Method methods[] = c.getMethods(); - -// for (int j = 0; j < methods.length; j++) { -// Method currMeth = methods[j]; -// -// if (currMeth.getDeclaringClass().getName() -// .equals(JAVACLASS)) { -// log.log(java.util.logging.Level.FINE, currMeth.getDe claringClass().toString()); -// } -// } - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "SignatureAlgorithm.register(" + URI + ", " + JAVACLASS + ")"); - SignatureAlgorithm.register(URI, JAVACLASS); - } catch (ClassNotFoundException e) { - Object exArgs[] = { URI, JAVACLASS }; - - log.log(java.util.logging.Level.SEVERE, I18n.translate("algorithm.classDoesNotExist", - exArgs)); + if (tag.equals("PrefixMappings")){ + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Now I try to bind prefixes:"); + } - } - } - XX_configure_reg_sigalgos_end = System.currentTimeMillis(); - } - - - - if (tag.equals("ResourceResolvers")){ - XX_configure_reg_resourceresolver_start = System.currentTimeMillis(); - ResourceResolver.init(); - - Element[]resolverElem = XMLUtils.selectNodes(el.getFirstChild(),CONF_NS, - "Resolver"); - - for (int i = 0; i < resolverElem.length; i++) { - String JAVACLASS = - resolverElem[i].getAttributeNS(null, - "JAVACLASS"); - String Description = - resolverElem[i].getAttributeNS(null, - "DESCRIPTION"); - - if ((Description != null) && (Description.length() > 0)) { - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "Register Resolver: " + JAVACLASS + ": " + Description); - } else { - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "Register Resolver: " + JAVACLASS + ": For unknown purposes"); - } - try { - ResourceResolver.register(JAVACLASS); - } catch (Throwable e) { - log.log(java.util.logging.Level.WARNING, "Cannot register:"+JAVACLASS+" perhaps some needed jars are not installed",e); - } - XX_configure_reg_resourceresolver_end = - System.currentTimeMillis(); - } + Element[] nl = + XMLUtils.selectNodes(el.getFirstChild(), CONF_NS, "PrefixMapping"); - } - - - - - - - if (tag.equals("KeyResolver")){ - XX_configure_reg_keyResolver_start =System.currentTimeMillis(); - KeyResolver.init(); - - Element[] resolverElem = XMLUtils.selectNodes(el.getFirstChild(), CONF_NS,"Resolver"); - - for (int i = 0; i < resolverElem.length; i++) { - String JAVACLASS = - resolverElem[i].getAttributeNS(null, - "JAVACLASS"); - String Description = - resolverElem[i].getAttributeNS(null, - "DESCRIPTION"); - - if ((Description != null) && (Description.length() > 0)) { - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "Register Resolver: " + JAVACLASS + ": " + Description); - } else { - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "Register Resolver: " + JAVACLASS + ": For unknown purposes"); - } - - KeyResolver.register(JAVACLASS); - } - XX_configure_reg_keyResolver_end = System.currentTimeMillis(); + for (int i = 0; i < nl.length; i++) { + String namespace = nl[i].getAttributeNS(null, "namespace"); + String prefix = nl[i].getAttributeNS(null, "prefix"); + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Now I try to bind " + prefix + " to " + namespace); + } + ElementProxy.setDefaultPrefix(namespace, prefix); + } + } } - - - if (tag.equals("PrefixMappings")){ - XX_configure_reg_prefixes_start = System.currentTimeMillis(); - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "Now I try to bind prefixes:"); - - Element[] nl = XMLUtils.selectNodes(el.getFirstChild(), CONF_NS,"PrefixMapping"); - - for (int i = 0; i < nl.length; i++) { - String namespace = nl[i].getAttributeNS(null, - "namespace"); - String prefix = nl[i].getAttributeNS(null, - "prefix"); - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "Now I try to bind " + prefix + " to " + namespace); - com.sun.org.apache.xml.internal.security.utils.ElementProxy - .setDefaultPrefix(namespace, prefix); - } - XX_configure_reg_prefixes_end = System.currentTimeMillis(); - } - } - - long XX_init_end = System.currentTimeMillis(); - - //J- - if (log.isLoggable(java.util.logging.Level.FINE)) { - log.log(java.util.logging.Level.FINE, "XX_init " + ((int)(XX_init_end - XX_init_start)) + " ms"); - log.log(java.util.logging.Level.FINE, " XX_prng " + ((int)(XX_prng_end - XX_prng_start)) + " ms"); - log.log(java.util.logging.Level.FINE, " XX_parsing " + ((int)(XX_parsing_end - XX_parsing_start)) + " ms"); - log.log(java.util.logging.Level.FINE, " XX_configure_i18n " + ((int)(XX_configure_i18n_end- XX_configure_i18n_start)) + " ms"); - log.log(java.util.logging.Level.FINE, " XX_configure_reg_c14n " + ((int)(XX_configure_reg_c14n_end- XX_configure_reg_c14n_start)) + " ms"); - log.log(java.util.logging.Level.FINE, " XX_configure_reg_jcemapper " + ((int)(XX_configure_reg_jcemapper_end- XX_configure_reg_jcemapper_start)) + " ms"); - log.log(java.util.logging.Level.FINE, " XX_configure_reg_keyInfo " + ((int)(XX_configure_reg_keyInfo_end- XX_configure_reg_keyInfo_start)) + " ms"); - log.log(java.util.logging.Level.FINE, " XX_configure_reg_keyResolver " + ((int)(XX_configure_reg_keyResolver_end- XX_configure_reg_keyResolver_start)) + " ms"); - log.log(java.util.logging.Level.FINE, " XX_configure_reg_prefixes " + ((int)(XX_configure_reg_prefixes_end- XX_configure_reg_prefixes_start)) + " ms"); - log.log(java.util.logging.Level.FINE, " XX_configure_reg_resourceresolver " + ((int)(XX_configure_reg_resourceresolver_end- XX_configure_reg_resourceresolver_start)) + " ms"); - log.log(java.util.logging.Level.FINE, " XX_configure_reg_sigalgos " + ((int)(XX_configure_reg_sigalgos_end- XX_configure_reg_sigalgos_start)) + " ms"); - log.log(java.util.logging.Level.FINE, " XX_configure_reg_transforms " + ((int)(XX_configure_reg_transforms_end- XX_configure_reg_transforms_start)) + " ms"); - } - } catch (Exception e) { + } catch (Exception e) { log.log(java.util.logging.Level.SEVERE, "Bad: ", e); e.printStackTrace(); - } - - } - + } + } } +
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/algorithms/JCEMapper.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/algorithms/JCEMapper.java Wed Jun 12 14:56:51 2013 +0100 @@ -2,167 +2,316 @@ * reserved comment block * DO NOT REMOVE OR ALTER! */ -/* - * Copyright 1999-2004 The Apache Software Foundation. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. */ package com.sun.org.apache.xml.internal.security.algorithms; - - -import java.util.HashMap; import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; - -import com.sun.org.apache.xml.internal.security.Init; -import com.sun.org.apache.xml.internal.security.utils.XMLUtils; +import com.sun.org.apache.xml.internal.security.encryption.XMLCipher; +import com.sun.org.apache.xml.internal.security.signature.XMLSignature; import org.w3c.dom.Element; - /** * This class maps algorithm identifier URIs to JAVA JCE class names. - * - * @author $Author: mullan $ */ public class JCEMapper { - /** {@link java.util.logging} logging facility */ - static java.util.logging.Logger log = + /** {@link org.apache.commons.logging} logging facility */ + private static java.util.logging.Logger log = java.util.logging.Logger.getLogger(JCEMapper.class.getName()); - - - private static Map uriToJCEName; - - private static Map algorithmsMap; + private static Map<String, Algorithm> algorithmsMap = + new ConcurrentHashMap<String, Algorithm>(); - private static String providerName = null; - /** - * Method init - * - * @param mappingElement - * @throws Exception - */ - public static void init(Element mappingElement) throws Exception { - - loadAlgorithms((Element)mappingElement.getElementsByTagName("Algorithms").item(0)); - } + private static String providerName = null; - static void loadAlgorithms( Element algorithmsEl) { - Element[] algorithms = XMLUtils.selectNodes(algorithmsEl.getFirstChild(),Init.CONF_NS,"Algorithm"); - uriToJCEName = new HashMap( algorithms.length * 2); - algorithmsMap = new HashMap( algorithms.length * 2); - for (int i = 0 ;i < algorithms.length ;i ++) { - Element el = algorithms[i]; - String id = el.getAttribute("URI"); - String jceName = el.getAttribute("JCEName"); - uriToJCEName.put(id, jceName); - algorithmsMap.put(id, new Algorithm(el)); - } - - } - - static Algorithm getAlgorithmMapping(String algoURI) { - return ((Algorithm)algorithmsMap.get(algoURI)); - } - - /** - * Method translateURItoJCEID - * - * @param AlgorithmURI - * @return the JCE standard name corresponding to the given URI - * - */ - public static String translateURItoJCEID(String AlgorithmURI) { - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "Request for URI " + AlgorithmURI); - - String jceName = (String) uriToJCEName.get(AlgorithmURI); - return jceName; - } + /** + * Method register + * + * @param id + * @param algorithm + */ + public static void register(String id, Algorithm algorithm) { + algorithmsMap.put(id, algorithm); + } - /** - * Method getAlgorithmClassFromURI - * NOTE(Raul Benito) It seems a buggy function the loop doesn't do - * anything?? - * @param AlgorithmURI - * @return the class name that implements this algorithm - * - */ - public static String getAlgorithmClassFromURI(String AlgorithmURI) { - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "Request for URI " + AlgorithmURI); - - return ((Algorithm) algorithmsMap.get(AlgorithmURI)).algorithmClass; - } - - /** - * Returns the keylength in bit for a particular algorithm. - * - * @param AlgorithmURI - * @return The length of the key used in the alogrithm - */ - public static int getKeyLengthFromURI(String AlgorithmURI) { - return Integer.parseInt(((Algorithm) algorithmsMap.get(AlgorithmURI)).keyLength); - } + /** + * This method registers the default algorithms. + */ + public static void registerDefaultAlgorithms() { + algorithmsMap.put( + MessageDigestAlgorithm.ALGO_ID_DIGEST_NOT_RECOMMENDED_MD5, + new Algorithm("", "MD5", "MessageDigest") + ); + algorithmsMap.put( + MessageDigestAlgorithm.ALGO_ID_DIGEST_RIPEMD160, + new Algorithm("", "RIPEMD160", "MessageDigest") + ); + algorithmsMap.put( + MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA1, + new Algorithm("", "SHA-1", "MessageDigest") + ); + algorithmsMap.put( + MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256, + new Algorithm("", "SHA-256", "MessageDigest") + ); + algorithmsMap.put( + MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA384, + new Algorithm("", "SHA-384", "MessageDigest") + ); + algorithmsMap.put( + MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA512, + new Algorithm("", "SHA-512", "MessageDigest") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_SIGNATURE_DSA, + new Algorithm("", "SHA1withDSA", "Signature") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5, + new Algorithm("", "MD5withRSA", "Signature") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_SIGNATURE_RSA_RIPEMD160, + new Algorithm("", "RIPEMD160withRSA", "Signature") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1, + new Algorithm("", "SHA1withRSA", "Signature") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256, + new Algorithm("", "SHA256withRSA", "Signature") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA384, + new Algorithm("", "SHA384withRSA", "Signature") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA512, + new Algorithm("", "SHA512withRSA", "Signature") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA1, + new Algorithm("", "SHA1withECDSA", "Signature") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5, + new Algorithm("", "HmacMD5", "Mac") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_MAC_HMAC_RIPEMD160, + new Algorithm("", "HMACRIPEMD160", "Mac") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_MAC_HMAC_SHA1, + new Algorithm("", "HmacSHA1", "Mac") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_MAC_HMAC_SHA256, + new Algorithm("", "HmacSHA256", "Mac") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_MAC_HMAC_SHA384, + new Algorithm("", "HmacSHA384", "Mac") + ); + algorithmsMap.put( + XMLSignature.ALGO_ID_MAC_HMAC_SHA512, + new Algorithm("", "HmacSHA512", "Mac") + ); + algorithmsMap.put( + XMLCipher.TRIPLEDES, + new Algorithm("DESede", "DESede/CBC/ISO10126Padding", "BlockEncryption", 192) + ); + algorithmsMap.put( + XMLCipher.AES_128, + new Algorithm("AES", "AES/CBC/ISO10126Padding", "BlockEncryption", 128) + ); + algorithmsMap.put( + XMLCipher.AES_192, + new Algorithm("AES", "AES/CBC/ISO10126Padding", "BlockEncryption", 192) + ); + algorithmsMap.put( + XMLCipher.AES_256, + new Algorithm("AES", "AES/CBC/ISO10126Padding", "BlockEncryption", 256) + ); + algorithmsMap.put( + XMLCipher.RSA_v1dot5, + new Algorithm("RSA", "RSA/ECB/PKCS1Padding", "KeyTransport") + ); + algorithmsMap.put( + XMLCipher.RSA_OAEP, + new Algorithm("RSA", "RSA/ECB/OAEPPadding", "KeyTransport") + ); + algorithmsMap.put( + XMLCipher.DIFFIE_HELLMAN, + new Algorithm("", "", "KeyAgreement") + ); + algorithmsMap.put( + XMLCipher.TRIPLEDES_KeyWrap, + new Algorithm("DESede", "DESedeWrap", "SymmetricKeyWrap", 192) + ); + algorithmsMap.put( + XMLCipher.AES_128_KeyWrap, + new Algorithm("AES", "AESWrap", "SymmetricKeyWrap", 128) + ); + algorithmsMap.put( + XMLCipher.AES_192_KeyWrap, + new Algorithm("AES", "AESWrap", "SymmetricKeyWrap", 192) + ); + algorithmsMap.put( + XMLCipher.AES_256_KeyWrap, + new Algorithm("AES", "AESWrap", "SymmetricKeyWrap", 256) + ); + } - /** - * Method getJCEKeyAlgorithmFromURI - * - * @param AlgorithmURI - * @return The KeyAlgorithm for the given URI. - * - */ - public static String getJCEKeyAlgorithmFromURI(String AlgorithmURI) { + /** + * Method translateURItoJCEID + * + * @param algorithmURI + * @return the JCE standard name corresponding to the given URI + */ + public static String translateURItoJCEID(String algorithmURI) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Request for URI " + algorithmURI); + } - return ((Algorithm) algorithmsMap.get(AlgorithmURI)).requiredKey; + Algorithm algorithm = algorithmsMap.get(algorithmURI); + if (algorithm != null) { + return algorithm.jceName; + } + return null; + } - } + /** + * Method getAlgorithmClassFromURI + * @param algorithmURI + * @return the class name that implements this algorithm + */ + public static String getAlgorithmClassFromURI(String algorithmURI) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Request for URI " + algorithmURI); + } + + Algorithm algorithm = algorithmsMap.get(algorithmURI); + if (algorithm != null) { + return algorithm.algorithmClass; + } + return null; + } - /** - * Gets the default Provider for obtaining the security algorithms - * @return the default providerId. - */ - public static String getProviderId() { - return providerName; - } + /** + * Returns the keylength in bits for a particular algorithm. + * + * @param algorithmURI + * @return The length of the key used in the algorithm + */ + public static int getKeyLengthFromURI(String algorithmURI) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Request for URI " + algorithmURI); + } + Algorithm algorithm = algorithmsMap.get(algorithmURI); + if (algorithm != null) { + return algorithm.keyLength; + } + return 0; + } - /** - * Sets the default Provider for obtaining the security algorithms - * @param provider the default providerId. - */ - public static void setProviderId(String provider) { - providerName=provider; - } + /** + * Method getJCEKeyAlgorithmFromURI + * + * @param algorithmURI + * @return The KeyAlgorithm for the given URI. + */ + public static String getJCEKeyAlgorithmFromURI(String algorithmURI) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Request for URI " + algorithmURI); + } + Algorithm algorithm = algorithmsMap.get(algorithmURI); + if (algorithm != null) { + return algorithm.requiredKey; + } + return null; + } - /** - * Represents the Algorithm xml element - */ - public static class Algorithm { - String algorithmClass; - String keyLength; - String requiredKey; + /** + * Gets the default Provider for obtaining the security algorithms + * @return the default providerId. + */ + public static String getProviderId() { + return providerName; + } + + /** + * Sets the default Provider for obtaining the security algorithms + * @param provider the default providerId. + */ + public static void setProviderId(String provider) { + providerName = provider; + } + + /** + * Represents the Algorithm xml element + */ + public static class Algorithm { + + final String requiredKey; + final String jceName; + final String algorithmClass; + final int keyLength; + /** * Gets data from element * @param el */ public Algorithm(Element el) { - algorithmClass=el.getAttribute("AlgorithmClass"); - keyLength=el.getAttribute("KeyLength"); - requiredKey=el.getAttribute("RequiredKey"); + requiredKey = el.getAttribute("RequiredKey"); + jceName = el.getAttribute("JCEName"); + algorithmClass = el.getAttribute("AlgorithmClass"); + if (el.hasAttribute("KeyLength")) { + keyLength = Integer.parseInt(el.getAttribute("KeyLength")); + } else { + keyLength = 0; + } + } + + public Algorithm(String requiredKey, String jceName) { + this(requiredKey, jceName, null, 0); } - } + + public Algorithm(String requiredKey, String jceName, String algorithmClass) { + this(requiredKey, jceName, algorithmClass, 0); + } + + public Algorithm(String requiredKey, String jceName, int keyLength) { + this(requiredKey, jceName, null, keyLength); + } + + public Algorithm(String requiredKey, String jceName, String algorithmClass, int keyLength) { + this.requiredKey = requiredKey; + this.jceName = jceName; + this.algorithmClass = algorithmClass; + this.keyLength = keyLength; + } + } + }
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/algorithms/SignatureAlgorithm.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/algorithms/SignatureAlgorithm.java Wed Jun 12 14:56:51 2013 +0100 @@ -2,459 +2,446 @@ * reserved comment block * DO NOT REMOVE OR ALTER! */ -/* - * Copyright 1999-2004 The Apache Software Foundation. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. */ package com.sun.org.apache.xml.internal.security.algorithms; - import java.security.Key; import java.security.SecureRandom; import java.security.spec.AlgorithmParameterSpec; -import java.util.HashMap; import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; import com.sun.org.apache.xml.internal.security.algorithms.implementations.IntegrityHmac; +import com.sun.org.apache.xml.internal.security.algorithms.implementations.SignatureBaseRSA; +import com.sun.org.apache.xml.internal.security.algorithms.implementations.SignatureDSA; +import com.sun.org.apache.xml.internal.security.algorithms.implementations.SignatureECDSA; import com.sun.org.apache.xml.internal.security.exceptions.AlgorithmAlreadyRegisteredException; import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityException; +import com.sun.org.apache.xml.internal.security.signature.XMLSignature; import com.sun.org.apache.xml.internal.security.signature.XMLSignatureException; +import com.sun.org.apache.xml.internal.security.utils.ClassLoaderUtils; import com.sun.org.apache.xml.internal.security.utils.Constants; +import org.w3c.dom.Attr; import org.w3c.dom.Document; import org.w3c.dom.Element; - /** - * Allows selection of digital signature's algorithm, private keys, other security parameters, and algorithm's ID. + * Allows selection of digital signature's algorithm, private keys, other + * security parameters, and algorithm's ID. * * @author Christian Geuer-Pollmann */ public class SignatureAlgorithm extends Algorithm { - /** {@link java.util.logging} logging facility */ - static java.util.logging.Logger log = + /** {@link org.apache.commons.logging} logging facility */ + private static java.util.logging.Logger log = java.util.logging.Logger.getLogger(SignatureAlgorithm.class.getName()); - /** Field _alreadyInitialized */ - static boolean _alreadyInitialized = false; + /** All available algorithm classes are registered here */ + private static Map<String, Class<? extends SignatureAlgorithmSpi>> algorithmHash = + new ConcurrentHashMap<String, Class<? extends SignatureAlgorithmSpi>>(); - /** All available algorithm classes are registered here */ - static HashMap _algorithmHash = null; + /** Field signatureAlgorithm */ + private final SignatureAlgorithmSpi signatureAlgorithm; + + private final String algorithmURI; - static ThreadLocal instancesSigning=new ThreadLocal() { - protected Object initialValue() { - return new HashMap(); - }; - }; + /** + * Constructor SignatureAlgorithm + * + * @param doc + * @param algorithmURI + * @throws XMLSecurityException + */ + public SignatureAlgorithm(Document doc, String algorithmURI) throws XMLSecurityException { + super(doc, algorithmURI); + this.algorithmURI = algorithmURI; - static ThreadLocal instancesVerify=new ThreadLocal() { - protected Object initialValue() { - return new HashMap(); - }; - }; + signatureAlgorithm = getSignatureAlgorithmSpi(algorithmURI); + signatureAlgorithm.engineGetContextFromElement(this._constructionElement); + } - static ThreadLocal keysSigning=new ThreadLocal() { - protected Object initialValue() { - return new HashMap(); - }; - }; - static ThreadLocal keysVerify=new ThreadLocal() { - protected Object initialValue() { - return new HashMap(); - }; - }; -// boolean isForSigning=false; + /** + * Constructor SignatureAlgorithm + * + * @param doc + * @param algorithmURI + * @param hmacOutputLength + * @throws XMLSecurityException + */ + public SignatureAlgorithm( + Document doc, String algorithmURI, int hmacOutputLength + ) throws XMLSecurityException { + super(doc, algorithmURI); + this.algorithmURI = algorithmURI; - /** Field _signatureAlgorithm */ - protected SignatureAlgorithmSpi _signatureAlgorithm = null; + signatureAlgorithm = getSignatureAlgorithmSpi(algorithmURI); + signatureAlgorithm.engineGetContextFromElement(this._constructionElement); - private String algorithmURI; + signatureAlgorithm.engineSetHMACOutputLength(hmacOutputLength); + ((IntegrityHmac)signatureAlgorithm).engineAddContextToElement(_constructionElement); + } - /** - * Constructor SignatureAlgorithm - * - * @param doc - * @param algorithmURI - * @throws XMLSecurityException - */ - public SignatureAlgorithm(Document doc, String algorithmURI) - throws XMLSecurityException { - super(doc, algorithmURI); - this.algorithmURI = algorithmURI; - } + /** + * Constructor SignatureAlgorithm + * + * @param element + * @param baseURI + * @throws XMLSecurityException + */ + public SignatureAlgorithm(Element element, String baseURI) throws XMLSecurityException { + this(element, baseURI, false); + } + /** + * Constructor SignatureAlgorithm + * + * @param element + * @param baseURI + * @param secureValidation + * @throws XMLSecurityException + */ + public SignatureAlgorithm( + Element element, String baseURI, boolean secureValidation + ) throws XMLSecurityException { + super(element, baseURI); + algorithmURI = this.getURI(); - private void initializeAlgorithm(boolean isForSigning) throws XMLSignatureException { - if (_signatureAlgorithm!=null) { - return; - } - _signatureAlgorithm=isForSigning ? getInstanceForSigning(algorithmURI) : getInstanceForVerify(algorithmURI); - this._signatureAlgorithm - .engineGetContextFromElement(this._constructionElement); - } - private static SignatureAlgorithmSpi getInstanceForSigning(String algorithmURI) throws XMLSignatureException { - SignatureAlgorithmSpi result=(SignatureAlgorithmSpi) ((Map)instancesSigning.get()).get(algorithmURI); - if (result!=null) { - result.reset(); - return result; - } - result=buildSigner(algorithmURI, result); - ((Map)instancesSigning.get()).put(algorithmURI,result); - return result; - } - private static SignatureAlgorithmSpi getInstanceForVerify(String algorithmURI) throws XMLSignatureException { - SignatureAlgorithmSpi result=(SignatureAlgorithmSpi) ((Map)instancesVerify.get()).get(algorithmURI); - if (result!=null) { - result.reset(); - return result; - } - result=buildSigner(algorithmURI, result); - ((Map)instancesVerify.get()).put(algorithmURI,result); - return result; - } + Attr attr = element.getAttributeNodeNS(null, "Id"); + if (attr != null) { + element.setIdAttributeNode(attr, true); + } + + if (secureValidation && (XMLSignature.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5.equals(algorithmURI) + || XMLSignature.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5.equals(algorithmURI))) { + Object exArgs[] = { algorithmURI }; + + throw new XMLSecurityException("signature.signatureAlgorithm", exArgs); + } - private static SignatureAlgorithmSpi buildSigner(String algorithmURI, SignatureAlgorithmSpi result) throws XMLSignatureException { + signatureAlgorithm = getSignatureAlgorithmSpi(algorithmURI); + signatureAlgorithm.engineGetContextFromElement(this._constructionElement); + } + + /** + * Get a SignatureAlgorithmSpi object corresponding to the algorithmURI argument + */ + private static SignatureAlgorithmSpi getSignatureAlgorithmSpi(String algorithmURI) + throws XMLSignatureException { try { - Class implementingClass = - SignatureAlgorithm.getImplementingClass(algorithmURI); - if (log.isLoggable(java.util.logging.Level.FINE)) + Class<? extends SignatureAlgorithmSpi> implementingClass = + algorithmHash.get(algorithmURI); + if (log.isLoggable(java.util.logging.Level.FINE)) { log.log(java.util.logging.Level.FINE, "Create URI \"" + algorithmURI + "\" class \"" + implementingClass + "\""); - result=(SignatureAlgorithmSpi) implementingClass.newInstance(); - return result; - } catch (IllegalAccessException ex) { - Object exArgs[] = { algorithmURI, ex.getMessage() }; - - throw new XMLSignatureException("algorithms.NoSuchAlgorithm", exArgs, - ex); - } catch (InstantiationException ex) { - Object exArgs[] = { algorithmURI, ex.getMessage() }; - - throw new XMLSignatureException("algorithms.NoSuchAlgorithm", exArgs, - ex); - } catch (NullPointerException ex) { - Object exArgs[] = { algorithmURI, ex.getMessage() }; - - throw new XMLSignatureException("algorithms.NoSuchAlgorithm", exArgs, - ex); - } -} + } + return implementingClass.newInstance(); + } catch (IllegalAccessException ex) { + Object exArgs[] = { algorithmURI, ex.getMessage() }; + throw new XMLSignatureException("algorithms.NoSuchAlgorithm", exArgs, ex); + } catch (InstantiationException ex) { + Object exArgs[] = { algorithmURI, ex.getMessage() }; + throw new XMLSignatureException("algorithms.NoSuchAlgorithm", exArgs, ex); + } catch (NullPointerException ex) { + Object exArgs[] = { algorithmURI, ex.getMessage() }; + throw new XMLSignatureException("algorithms.NoSuchAlgorithm", exArgs, ex); + } + } - /** - * Constructor SignatureAlgorithm - * - * @param doc - * @param algorithmURI - * @param HMACOutputLength - * @throws XMLSecurityException - */ - public SignatureAlgorithm( - Document doc, String algorithmURI, int HMACOutputLength) - throws XMLSecurityException { - this(doc, algorithmURI); - this.algorithmURI=algorithmURI; - initializeAlgorithm(true); - this._signatureAlgorithm.engineSetHMACOutputLength(HMACOutputLength); - ((IntegrityHmac)this._signatureAlgorithm) - .engineAddContextToElement(this._constructionElement); - } + /** + * Proxy method for {@link java.security.Signature#sign()} + * which is executed on the internal {@link java.security.Signature} object. + * + * @return the result of the {@link java.security.Signature#sign()} method + * @throws XMLSignatureException + */ + public byte[] sign() throws XMLSignatureException { + return signatureAlgorithm.engineSign(); + } - /** - * Constructor SignatureAlgorithm - * - * @param element - * @param BaseURI - * @throws XMLSecurityException - */ - public SignatureAlgorithm(Element element, String BaseURI) - throws XMLSecurityException { + /** + * Proxy method for {@link java.security.Signature#getAlgorithm} + * which is executed on the internal {@link java.security.Signature} object. + * + * @return the result of the {@link java.security.Signature#getAlgorithm} method + */ + public String getJCEAlgorithmString() { + return signatureAlgorithm.engineGetJCEAlgorithmString(); + } - super(element, BaseURI); - algorithmURI = this.getURI(); - } + /** + * Method getJCEProviderName + * + * @return The Provider of this Signature Algorithm + */ + public String getJCEProviderName() { + return signatureAlgorithm.engineGetJCEProviderName(); + } - /** - * Proxy method for {@link java.security.Signature#sign()} - * which is executed on the internal {@link java.security.Signature} object. - * - * @return the result of the {@link java.security.Signature#sign()} method - * @throws XMLSignatureException - */ - public byte[] sign() throws XMLSignatureException { - return this._signatureAlgorithm.engineSign(); - } + /** + * Proxy method for {@link java.security.Signature#update(byte[])} + * which is executed on the internal {@link java.security.Signature} object. + * + * @param input + * @throws XMLSignatureException + */ + public void update(byte[] input) throws XMLSignatureException { + signatureAlgorithm.engineUpdate(input); + } - /** - * Proxy method for {@link java.security.Signature#getAlgorithm} - * which is executed on the internal {@link java.security.Signature} object. - * - * @return the result of the {@link java.security.Signature#getAlgorithm} method - */ - public String getJCEAlgorithmString() { - try { - return getInstanceForVerify(algorithmURI).engineGetJCEAlgorithmString(); - } catch (XMLSignatureException e) { - //Ignore. - return null; - } - } + /** + * Proxy method for {@link java.security.Signature#update(byte)} + * which is executed on the internal {@link java.security.Signature} object. + * + * @param input + * @throws XMLSignatureException + */ + public void update(byte input) throws XMLSignatureException { + signatureAlgorithm.engineUpdate(input); + } - /** - * Method getJCEProviderName - * - * @return The Provider of this Signature Alogrithm - */ - public String getJCEProviderName() { - try { - return getInstanceForVerify(algorithmURI).engineGetJCEProviderName(); - } catch (XMLSignatureException e) { - return null; - } - } + /** + * Proxy method for {@link java.security.Signature#update(byte[], int, int)} + * which is executed on the internal {@link java.security.Signature} object. + * + * @param buf + * @param offset + * @param len + * @throws XMLSignatureException + */ + public void update(byte buf[], int offset, int len) throws XMLSignatureException { + signatureAlgorithm.engineUpdate(buf, offset, len); + } - /** - * Proxy method for {@link java.security.Signature#update(byte[])} - * which is executed on the internal {@link java.security.Signature} object. - * - * @param input - * @throws XMLSignatureException - */ - public void update(byte[] input) throws XMLSignatureException { - this._signatureAlgorithm.engineUpdate(input); - } + /** + * Proxy method for {@link java.security.Signature#initSign(java.security.PrivateKey)} + * which is executed on the internal {@link java.security.Signature} object. + * + * @param signingKey + * @throws XMLSignatureException + */ + public void initSign(Key signingKey) throws XMLSignatureException { + signatureAlgorithm.engineInitSign(signingKey); + } - /** - * Proxy method for {@link java.security.Signature#update(byte)} - * which is executed on the internal {@link java.security.Signature} object. - * - * @param input - * @throws XMLSignatureException - */ - public void update(byte input) throws XMLSignatureException { - this._signatureAlgorithm.engineUpdate(input); - } + /** + * Proxy method for {@link java.security.Signature#initSign(java.security.PrivateKey, + * java.security.SecureRandom)} + * which is executed on the internal {@link java.security.Signature} object. + * + * @param signingKey + * @param secureRandom + * @throws XMLSignatureException + */ + public void initSign(Key signingKey, SecureRandom secureRandom) throws XMLSignatureException { + signatureAlgorithm.engineInitSign(signingKey, secureRandom); + } - /** - * Proxy method for {@link java.security.Signature#update(byte[], int, int)} - * which is executed on the internal {@link java.security.Signature} object. - * - * @param buf - * @param offset - * @param len - * @throws XMLSignatureException - */ - public void update(byte buf[], int offset, int len) - throws XMLSignatureException { - this._signatureAlgorithm.engineUpdate(buf, offset, len); - } + /** + * Proxy method for {@link java.security.Signature#initSign(java.security.PrivateKey)} + * which is executed on the internal {@link java.security.Signature} object. + * + * @param signingKey + * @param algorithmParameterSpec + * @throws XMLSignatureException + */ + public void initSign( + Key signingKey, AlgorithmParameterSpec algorithmParameterSpec + ) throws XMLSignatureException { + signatureAlgorithm.engineInitSign(signingKey, algorithmParameterSpec); + } - /** - * Proxy method for {@link java.security.Signature#initSign(java.security.PrivateKey)} - * which is executed on the internal {@link java.security.Signature} object. - * - * @param signingKey - * @throws XMLSignatureException - */ - public void initSign(Key signingKey) throws XMLSignatureException { - initializeAlgorithm(true); - Map map=(Map)keysSigning.get(); - if (map.get(this.algorithmURI)==signingKey) { - return; - } - map.put(this.algorithmURI,signingKey); - this._signatureAlgorithm.engineInitSign(signingKey); - } + /** + * Proxy method for {@link java.security.Signature#setParameter( + * java.security.spec.AlgorithmParameterSpec)} + * which is executed on the internal {@link java.security.Signature} object. + * + * @param params + * @throws XMLSignatureException + */ + public void setParameter(AlgorithmParameterSpec params) throws XMLSignatureException { + signatureAlgorithm.engineSetParameter(params); + } - /** - * Proxy method for {@link java.security.Signature#initSign(java.security.PrivateKey, java.security.SecureRandom)} - * which is executed on the internal {@link java.security.Signature} object. - * - * @param signingKey - * @param secureRandom - * @throws XMLSignatureException - */ - public void initSign(Key signingKey, SecureRandom secureRandom) - throws XMLSignatureException { - initializeAlgorithm(true); - this._signatureAlgorithm.engineInitSign(signingKey, secureRandom); - } + /** + * Proxy method for {@link java.security.Signature#initVerify(java.security.PublicKey)} + * which is executed on the internal {@link java.security.Signature} object. + * + * @param verificationKey + * @throws XMLSignatureException + */ + public void initVerify(Key verificationKey) throws XMLSignatureException { + signatureAlgorithm.engineInitVerify(verificationKey); + } - /** - * Proxy method for {@link java.security.Signature#initSign(java.security.PrivateKey)} - * which is executed on the internal {@link java.security.Signature} object. - * - * @param signingKey - * @param algorithmParameterSpec - * @throws XMLSignatureException - */ - public void initSign( - Key signingKey, AlgorithmParameterSpec algorithmParameterSpec) - throws XMLSignatureException { - initializeAlgorithm(true); - this._signatureAlgorithm.engineInitSign(signingKey, - algorithmParameterSpec); - } + /** + * Proxy method for {@link java.security.Signature#verify(byte[])} + * which is executed on the internal {@link java.security.Signature} object. + * + * @param signature + * @return true if if the signature is valid. + * + * @throws XMLSignatureException + */ + public boolean verify(byte[] signature) throws XMLSignatureException { + return signatureAlgorithm.engineVerify(signature); + } - /** - * Proxy method for {@link java.security.Signature#setParameter(java.security.spec.AlgorithmParameterSpec)} - * which is executed on the internal {@link java.security.Signature} object. - * - * @param params - * @throws XMLSignatureException - */ - public void setParameter(AlgorithmParameterSpec params) - throws XMLSignatureException { - this._signatureAlgorithm.engineSetParameter(params); - } + /** + * Returns the URI representation of Transformation algorithm + * + * @return the URI representation of Transformation algorithm + */ + public final String getURI() { + return _constructionElement.getAttributeNS(null, Constants._ATT_ALGORITHM); + } - /** - * Proxy method for {@link java.security.Signature#initVerify(java.security.PublicKey)} - * which is executed on the internal {@link java.security.Signature} object. - * - * @param verificationKey - * @throws XMLSignatureException - */ - public void initVerify(Key verificationKey) throws XMLSignatureException { - initializeAlgorithm(false); - Map map=(Map)keysVerify.get(); - if (map.get(this.algorithmURI)==verificationKey) { - return; - } - map.put(this.algorithmURI,verificationKey); - this._signatureAlgorithm.engineInitVerify(verificationKey); - } + /** + * Registers implementing class of the Transform algorithm with algorithmURI + * + * @param algorithmURI algorithmURI URI representation of <code>Transform algorithm</code>. + * @param implementingClass <code>implementingClass</code> the implementing class of + * {@link SignatureAlgorithmSpi} + * @throws AlgorithmAlreadyRegisteredException if specified algorithmURI is already registered + * @throws XMLSignatureException + */ + @SuppressWarnings("unchecked") + public static void register(String algorithmURI, String implementingClass) + throws AlgorithmAlreadyRegisteredException, ClassNotFoundException, + XMLSignatureException { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Try to register " + algorithmURI + " " + implementingClass); + } - /** - * Proxy method for {@link java.security.Signature#verify(byte[])} - * which is executed on the internal {@link java.security.Signature} object. - * - * @param signature - * @return true if if the signature is valid. - * - * @throws XMLSignatureException - */ - public boolean verify(byte[] signature) throws XMLSignatureException { - return this._signatureAlgorithm.engineVerify(signature); - } + // are we already registered? + Class<? extends SignatureAlgorithmSpi> registeredClass = algorithmHash.get(algorithmURI); + if (registeredClass != null) { + Object exArgs[] = { algorithmURI, registeredClass }; + throw new AlgorithmAlreadyRegisteredException( + "algorithm.alreadyRegistered", exArgs + ); + } + try { + Class<? extends SignatureAlgorithmSpi> clazz = + (Class<? extends SignatureAlgorithmSpi>) + ClassLoaderUtils.loadClass(implementingClass, SignatureAlgorithm.class); + algorithmHash.put(algorithmURI, clazz); + } catch (NullPointerException ex) { + Object exArgs[] = { algorithmURI, ex.getMessage() }; + throw new XMLSignatureException("algorithms.NoSuchAlgorithm", exArgs, ex); + } + } - /** - * Returns the URI representation of Transformation algorithm - * - * @return the URI representation of Transformation algorithm - */ - public final String getURI() { - return this._constructionElement.getAttributeNS(null, - Constants._ATT_ALGORITHM); - } - - /** - * Initalizes for this {@link com.sun.org.apache.xml.internal.security.transforms.Transform} - * - */ - public static void providerInit() { - - if (SignatureAlgorithm.log == null) { - SignatureAlgorithm.log = - java.util.logging.Logger - .getLogger(SignatureAlgorithm.class.getName()); - } - - log.log(java.util.logging.Level.FINE, "Init() called"); + /** + * Registers implementing class of the Transform algorithm with algorithmURI + * + * @param algorithmURI algorithmURI URI representation of <code>Transform algorithm</code>. + * @param implementingClass <code>implementingClass</code> the implementing class of + * {@link SignatureAlgorithmSpi} + * @throws AlgorithmAlreadyRegisteredException if specified algorithmURI is already registered + * @throws XMLSignatureException + */ + public static void register(String algorithmURI, Class<? extends SignatureAlgorithmSpi> implementingClass) + throws AlgorithmAlreadyRegisteredException, ClassNotFoundException, + XMLSignatureException { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Try to register " + algorithmURI + " " + implementingClass); + } - if (!SignatureAlgorithm._alreadyInitialized) { - SignatureAlgorithm._algorithmHash = new HashMap(10); - SignatureAlgorithm._alreadyInitialized = true; - } - } - - /** - * Registers implementing class of the Transform algorithm with algorithmURI - * - * @param algorithmURI algorithmURI URI representation of <code>Transform algorithm</code>. - * @param implementingClass <code>implementingClass</code> the implementing class of {@link SignatureAlgorithmSpi} - * @throws AlgorithmAlreadyRegisteredException if specified algorithmURI is already registered - * @throws XMLSignatureException - */ - public static void register(String algorithmURI, String implementingClass) - throws AlgorithmAlreadyRegisteredException,XMLSignatureException { - - { - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "Try to register " + algorithmURI + " " + implementingClass); - - // are we already registered? - Class registeredClassClass = - SignatureAlgorithm.getImplementingClass(algorithmURI); - if (registeredClassClass!=null) { - String registeredClass = registeredClassClass.getName(); - - if ((registeredClass != null) && (registeredClass.length() != 0)) { - Object exArgs[] = { algorithmURI, registeredClass }; - - throw new AlgorithmAlreadyRegisteredException( - "algorithm.alreadyRegistered", exArgs); - } - } - try { - SignatureAlgorithm._algorithmHash.put(algorithmURI, Class.forName(implementingClass)); - } catch (ClassNotFoundException ex) { - Object exArgs[] = { algorithmURI, ex.getMessage() }; + // are we already registered? + Class<? extends SignatureAlgorithmSpi> registeredClass = algorithmHash.get(algorithmURI); + if (registeredClass != null) { + Object exArgs[] = { algorithmURI, registeredClass }; + throw new AlgorithmAlreadyRegisteredException( + "algorithm.alreadyRegistered", exArgs + ); + } + algorithmHash.put(algorithmURI, implementingClass); + } - throw new XMLSignatureException("algorithms.NoSuchAlgorithm", exArgs, - ex); - } catch (NullPointerException ex) { - Object exArgs[] = { algorithmURI, ex.getMessage() }; - - throw new XMLSignatureException("algorithms.NoSuchAlgorithm", exArgs, - ex); - } - - } - } - - /** - * Method getImplementingClass - * - * @param URI - * @return the class that implements the URI - */ - private static Class getImplementingClass(String URI) { + /** + * This method registers the default algorithms. + */ + public static void registerDefaultAlgorithms() { + algorithmHash.put( + XMLSignature.ALGO_ID_SIGNATURE_DSA, SignatureDSA.class + ); + algorithmHash.put( + XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1, SignatureBaseRSA.SignatureRSASHA1.class + ); + algorithmHash.put( + XMLSignature.ALGO_ID_MAC_HMAC_SHA1, IntegrityHmac.IntegrityHmacSHA1.class + ); + algorithmHash.put( + XMLSignature.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5, + SignatureBaseRSA.SignatureRSAMD5.class + ); + algorithmHash.put( + XMLSignature.ALGO_ID_SIGNATURE_RSA_RIPEMD160, + SignatureBaseRSA.SignatureRSARIPEMD160.class + ); + algorithmHash.put( + XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256, SignatureBaseRSA.SignatureRSASHA256.class + ); + algorithmHash.put( + XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA384, SignatureBaseRSA.SignatureRSASHA384.class + ); + algorithmHash.put( + XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA512, SignatureBaseRSA.SignatureRSASHA512.class + ); + algorithmHash.put( + XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA1, SignatureECDSA.SignatureECDSASHA1.class + ); + algorithmHash.put( + XMLSignature.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5, IntegrityHmac.IntegrityHmacMD5.class + ); + algorithmHash.put( + XMLSignature.ALGO_ID_MAC_HMAC_RIPEMD160, IntegrityHmac.IntegrityHmacRIPEMD160.class + ); + algorithmHash.put( + XMLSignature.ALGO_ID_MAC_HMAC_SHA256, IntegrityHmac.IntegrityHmacSHA256.class + ); + algorithmHash.put( + XMLSignature.ALGO_ID_MAC_HMAC_SHA384, IntegrityHmac.IntegrityHmacSHA384.class + ); + algorithmHash.put( + XMLSignature.ALGO_ID_MAC_HMAC_SHA512, IntegrityHmac.IntegrityHmacSHA512.class + ); + } - if (SignatureAlgorithm._algorithmHash == null) { - return null; - } - - return (Class) SignatureAlgorithm._algorithmHash.get(URI); - } + /** + * Method getBaseNamespace + * + * @return URI of this element + */ + public String getBaseNamespace() { + return Constants.SignatureSpecNS; + } - /** - * Method getBaseNamespace - * - * @return URI of this element - */ - public String getBaseNamespace() { - return Constants.SignatureSpecNS; - } - - /** - * Method getBaseLocalName - * - * @return Local name - */ - public String getBaseLocalName() { - return Constants._TAG_SIGNATUREMETHOD; - } + /** + * Method getBaseLocalName + * + * @return Local name + */ + public String getBaseLocalName() { + return Constants._TAG_SIGNATUREMETHOD; + } }
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/Canonicalizer.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/Canonicalizer.java Wed Jun 12 14:56:51 2013 +0100 @@ -2,33 +2,43 @@ * reserved comment block * DO NOT REMOVE OR ALTER! */ -/* - * Copyright 1999-2008 The Apache Software Foundation. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. */ package com.sun.org.apache.xml.internal.security.c14n; import java.io.ByteArrayInputStream; +import java.io.InputStream; import java.io.OutputStream; -import java.util.HashMap; import java.util.Map; import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; +import com.sun.org.apache.xml.internal.security.c14n.implementations.Canonicalizer11_OmitComments; +import com.sun.org.apache.xml.internal.security.c14n.implementations.Canonicalizer11_WithComments; +import com.sun.org.apache.xml.internal.security.c14n.implementations.Canonicalizer20010315ExclOmitComments; +import com.sun.org.apache.xml.internal.security.c14n.implementations.Canonicalizer20010315ExclWithComments; +import com.sun.org.apache.xml.internal.security.c14n.implementations.Canonicalizer20010315OmitComments; +import com.sun.org.apache.xml.internal.security.c14n.implementations.Canonicalizer20010315WithComments; import com.sun.org.apache.xml.internal.security.exceptions.AlgorithmAlreadyRegisteredException; import org.w3c.dom.Document; import org.w3c.dom.Node; @@ -45,7 +55,7 @@ public static final String ENCODING = "UTF8"; /** - * XPath Expresion for selecting every node and continuous comments joined + * XPath Expression for selecting every node and continuous comments joined * in only one node */ public static final String XPATH_C14N_WITH_COMMENTS_SINGLE_NODE = @@ -82,22 +92,10 @@ public static final String ALGO_ID_C14N11_WITH_COMMENTS = ALGO_ID_C14N11_OMIT_COMMENTS + "#WithComments"; - static boolean _alreadyInitialized = false; - static Map _canonicalizerHash = null; - - protected CanonicalizerSpi canonicalizerSpi = null; + private static Map<String, Class<? extends CanonicalizerSpi>> canonicalizerHash = + new ConcurrentHashMap<String, Class<? extends CanonicalizerSpi>>(); - /** - * Method init - * - */ - public static void init() { - - if (!Canonicalizer._alreadyInitialized) { - Canonicalizer._canonicalizerHash = new HashMap(10); - Canonicalizer._alreadyInitialized = true; - } - } + private final CanonicalizerSpi canonicalizerSpi; /** * Constructor Canonicalizer @@ -105,20 +103,18 @@ * @param algorithmURI * @throws InvalidCanonicalizerException */ - private Canonicalizer(String algorithmURI) - throws InvalidCanonicalizerException { - + private Canonicalizer(String algorithmURI) throws InvalidCanonicalizerException { try { - Class implementingClass = getImplementingClass(algorithmURI); + Class<? extends CanonicalizerSpi> implementingClass = + canonicalizerHash.get(algorithmURI); - this.canonicalizerSpi = - (CanonicalizerSpi) implementingClass.newInstance(); - this.canonicalizerSpi.reset=true; + canonicalizerSpi = implementingClass.newInstance(); + canonicalizerSpi.reset = true; } catch (Exception e) { Object exArgs[] = { algorithmURI }; - throw new InvalidCanonicalizerException( - "signature.Canonicalizer.UnknownCanonicalizer", exArgs); + "signature.Canonicalizer.UnknownCanonicalizer", exArgs, e + ); } } @@ -126,15 +122,36 @@ * Method getInstance * * @param algorithmURI - * @return a Conicicalizer instance ready for the job + * @return a Canonicalizer instance ready for the job * @throws InvalidCanonicalizerException */ public static final Canonicalizer getInstance(String algorithmURI) - throws InvalidCanonicalizerException { + throws InvalidCanonicalizerException { + return new Canonicalizer(algorithmURI); + } - Canonicalizer c14nizer = new Canonicalizer(algorithmURI); + /** + * Method register + * + * @param algorithmURI + * @param implementingClass + * @throws AlgorithmAlreadyRegisteredException + */ + @SuppressWarnings("unchecked") + public static void register(String algorithmURI, String implementingClass) + throws AlgorithmAlreadyRegisteredException, ClassNotFoundException { + // check whether URI is already registered + Class<? extends CanonicalizerSpi> registeredClass = + canonicalizerHash.get(algorithmURI); - return c14nizer; + if (registeredClass != null) { + Object exArgs[] = { algorithmURI, registeredClass }; + throw new AlgorithmAlreadyRegisteredException("algorithm.alreadyRegistered", exArgs); + } + + canonicalizerHash.put( + algorithmURI, (Class<? extends CanonicalizerSpi>)Class.forName(implementingClass) + ); } /** @@ -144,24 +161,47 @@ * @param implementingClass * @throws AlgorithmAlreadyRegisteredException */ - public static void register(String algorithmURI, String implementingClass) - throws AlgorithmAlreadyRegisteredException { - + public static void register(String algorithmURI, Class<CanonicalizerSpi> implementingClass) + throws AlgorithmAlreadyRegisteredException, ClassNotFoundException { // check whether URI is already registered - Class registeredClass = getImplementingClass(algorithmURI); + Class<? extends CanonicalizerSpi> registeredClass = canonicalizerHash.get(algorithmURI); if (registeredClass != null) { Object exArgs[] = { algorithmURI, registeredClass }; - - throw new AlgorithmAlreadyRegisteredException( - "algorithm.alreadyRegistered", exArgs); + throw new AlgorithmAlreadyRegisteredException("algorithm.alreadyRegistered", exArgs); } - try { - _canonicalizerHash.put(algorithmURI, Class.forName(implementingClass)); - } catch (ClassNotFoundException e) { - throw new RuntimeException("c14n class not found"); - } + canonicalizerHash.put(algorithmURI, implementingClass); + } + + /** + * This method registers the default algorithms. + */ + public static void registerDefaultAlgorithms() { + canonicalizerHash.put( + Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS, + Canonicalizer20010315OmitComments.class + ); + canonicalizerHash.put( + Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS, + Canonicalizer20010315WithComments.class + ); + canonicalizerHash.put( + Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS, + Canonicalizer20010315ExclOmitComments.class + ); + canonicalizerHash.put( + Canonicalizer.ALGO_ID_C14N_EXCL_WITH_COMMENTS, + Canonicalizer20010315ExclWithComments.class + ); + canonicalizerHash.put( + Canonicalizer.ALGO_ID_C14N11_OMIT_COMMENTS, + Canonicalizer11_OmitComments.class + ); + canonicalizerHash.put( + Canonicalizer.ALGO_ID_C14N11_WITH_COMMENTS, + Canonicalizer11_WithComments.class + ); } /** @@ -170,7 +210,7 @@ * @return the URI defined for this c14n instance. */ public final String getURI() { - return this.canonicalizerSpi.engineGetURI(); + return canonicalizerSpi.engineGetURI(); } /** @@ -179,7 +219,7 @@ * @return true if the c14n respect the comments. */ public boolean getIncludeComments() { - return this.canonicalizerSpi.engineGetIncludeComments(); + return canonicalizerSpi.engineGetIncludeComments(); } /** @@ -188,33 +228,32 @@ * wrapped with a <CODE>>a<...>/a<</CODE>. * * @param inputBytes - * @return the result of the conicalization. + * @return the result of the canonicalization. * @throws CanonicalizationException * @throws java.io.IOException * @throws javax.xml.parsers.ParserConfigurationException * @throws org.xml.sax.SAXException */ public byte[] canonicalize(byte[] inputBytes) - throws javax.xml.parsers.ParserConfigurationException, - java.io.IOException, org.xml.sax.SAXException, - CanonicalizationException { - - ByteArrayInputStream bais = new ByteArrayInputStream(inputBytes); + throws javax.xml.parsers.ParserConfigurationException, + java.io.IOException, org.xml.sax.SAXException, CanonicalizationException { + InputStream bais = new ByteArrayInputStream(inputBytes); InputSource in = new InputSource(bais); DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance(); + dfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE); dfactory.setNamespaceAware(true); - // needs to validate for ID attribute nomalization + // needs to validate for ID attribute normalization dfactory.setValidating(true); DocumentBuilder db = dfactory.newDocumentBuilder(); /* * for some of the test vectors from the specification, - * there has to be a validatin parser for ID attributes, default + * there has to be a validating parser for ID attributes, default * attribute values, NMTOKENS, etc. - * Unfortunaltely, the test vectors do use different DTDs or + * Unfortunately, the test vectors do use different DTDs or * even no DTD. So Xerces 1.3.1 fires many warnings about using * ErrorHandlers. * @@ -230,28 +269,23 @@ * declaration are used to help create the canonical form, even * though the document type declaration is not retained in the * canonical form. - * */ - db.setErrorHandler(new com.sun.org.apache.xml.internal.security.utils - .IgnoreAllErrorHandler()); + db.setErrorHandler(new com.sun.org.apache.xml.internal.security.utils.IgnoreAllErrorHandler()); Document document = db.parse(in); - byte result[] = this.canonicalizeSubtree(document); - - return result; + return this.canonicalizeSubtree(document); } /** * Canonicalizes the subtree rooted by <CODE>node</CODE>. * - * @param node The node to canicalize + * @param node The node to canonicalize * @return the result of the c14n. * * @throws CanonicalizationException */ - public byte[] canonicalizeSubtree(Node node) - throws CanonicalizationException { - return this.canonicalizerSpi.engineCanonicalizeSubTree(node); + public byte[] canonicalizeSubtree(Node node) throws CanonicalizationException { + return canonicalizerSpi.engineCanonicalizeSubTree(node); } /** @@ -263,9 +297,8 @@ * @throws CanonicalizationException */ public byte[] canonicalizeSubtree(Node node, String inclusiveNamespaces) - throws CanonicalizationException { - return this.canonicalizerSpi.engineCanonicalizeSubTree(node, - inclusiveNamespaces); + throws CanonicalizationException { + return canonicalizerSpi.engineCanonicalizeSubTree(node, inclusiveNamespaces); } /** @@ -277,8 +310,8 @@ * @throws CanonicalizationException */ public byte[] canonicalizeXPathNodeSet(NodeList xpathNodeSet) - throws CanonicalizationException { - return this.canonicalizerSpi.engineCanonicalizeXPathNodeSet(xpathNodeSet); + throws CanonicalizationException { + return canonicalizerSpi.engineCanonicalizeXPathNodeSet(xpathNodeSet); } /** @@ -291,10 +324,10 @@ * @throws CanonicalizationException */ public byte[] canonicalizeXPathNodeSet( - NodeList xpathNodeSet, String inclusiveNamespaces) - throws CanonicalizationException { - return this.canonicalizerSpi.engineCanonicalizeXPathNodeSet(xpathNodeSet, - inclusiveNamespaces); + NodeList xpathNodeSet, String inclusiveNamespaces + ) throws CanonicalizationException { + return + canonicalizerSpi.engineCanonicalizeXPathNodeSet(xpathNodeSet, inclusiveNamespaces); } /** @@ -304,9 +337,9 @@ * @return the result of the c14n. * @throws CanonicalizationException */ - public byte[] canonicalizeXPathNodeSet(Set xpathNodeSet) - throws CanonicalizationException { - return this.canonicalizerSpi.engineCanonicalizeXPathNodeSet(xpathNodeSet); + public byte[] canonicalizeXPathNodeSet(Set<Node> xpathNodeSet) + throws CanonicalizationException { + return canonicalizerSpi.engineCanonicalizeXPathNodeSet(xpathNodeSet); } /** @@ -317,10 +350,11 @@ * @return the result of the c14n. * @throws CanonicalizationException */ - public byte[] canonicalizeXPathNodeSet(Set xpathNodeSet, - String inclusiveNamespaces) throws CanonicalizationException { - return this.canonicalizerSpi.engineCanonicalizeXPathNodeSet(xpathNodeSet, - inclusiveNamespaces); + public byte[] canonicalizeXPathNodeSet( + Set<Node> xpathNodeSet, String inclusiveNamespaces + ) throws CanonicalizationException { + return + canonicalizerSpi.engineCanonicalizeXPathNodeSet(xpathNodeSet, inclusiveNamespaces); } /** @@ -329,7 +363,7 @@ * @param os */ public void setWriter(OutputStream os) { - this.canonicalizerSpi.setWriter(os); + canonicalizerSpi.setWriter(os); } /** @@ -338,23 +372,14 @@ * @return the name of the implementing {@link CanonicalizerSpi} class */ public String getImplementingCanonicalizerClass() { - return this.canonicalizerSpi.getClass().getName(); - } - - /** - * Method getImplementingClass - * - * @param URI - * @return the name of the class that implements the given URI - */ - private static Class getImplementingClass(String URI) { - return (Class) _canonicalizerHash.get(URI); + return canonicalizerSpi.getClass().getName(); } /** * Set the canonicalizer behaviour to not reset. */ public void notReset() { - this.canonicalizerSpi.reset = false; + canonicalizerSpi.reset = false; } + }
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/CanonicalizerSpi.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/CanonicalizerSpi.java Wed Jun 12 14:56:51 2013 +0100 @@ -26,8 +26,10 @@ import java.io.OutputStream; import java.util.Set; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.xpath.XPath; import com.sun.org.apache.xml.internal.security.utils.XMLUtils; import org.w3c.dom.Document; @@ -66,6 +68,7 @@ java.io.ByteArrayInputStream bais = new ByteArrayInputStream(inputBytes); InputSource in = new InputSource(bais); DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance(); + dfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE); // needs to validate for ID attribute nomalization dfactory.setNamespaceAware(true); @@ -151,7 +154,7 @@ * @return the c14n bytes * @throws CanonicalizationException */ - public abstract byte[] engineCanonicalizeXPathNodeSet(Set xpathNodeSet) + public abstract byte[] engineCanonicalizeXPathNodeSet(Set<Node> xpathNodeSet) throws CanonicalizationException; /** @@ -162,7 +165,7 @@ * @return the c14n bytes * @throws CanonicalizationException */ - public abstract byte[] engineCanonicalizeXPathNodeSet(Set xpathNodeSet, String inclusiveNamespaces) + public abstract byte[] engineCanonicalizeXPathNodeSet(Set<Node> xpathNodeSet, String inclusiveNamespaces) throws CanonicalizationException; /**
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/encryption/XMLCipher.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/encryption/XMLCipher.java Wed Jun 12 14:56:51 2013 +0100 @@ -41,6 +41,7 @@ import javax.crypto.IllegalBlockSizeException; import javax.crypto.NoSuchPaddingException; import javax.crypto.spec.IvParameterSpec; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; @@ -1981,22 +1982,23 @@ try { DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - dbf.setNamespaceAware(true); - dbf.setAttribute("http://xml.org/sax/features/namespaces", Boolean.TRUE); - DocumentBuilder db = dbf.newDocumentBuilder(); - Document d = db.parse( - new InputSource(new StringReader(fragment))); - - Element fragElt = (Element) _contextDocument.importNode( + dbf.setNamespaceAware(true); + dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE); + dbf.setAttribute("http://xml.org/sax/features/namespaces", Boolean.TRUE); + DocumentBuilder db = dbf.newDocumentBuilder(); + Document d = db.parse( + new InputSource(new StringReader(fragment))); + + Element fragElt = (Element) _contextDocument.importNode( d.getDocumentElement(), true); - result = _contextDocument.createDocumentFragment(); - Node child = fragElt.getFirstChild(); - while (child != null) { - fragElt.removeChild(child); - result.appendChild(child); - child = fragElt.getFirstChild(); - } - // String outp = serialize(d); + result = _contextDocument.createDocumentFragment(); + Node child = fragElt.getFirstChild(); + while (child != null) { + fragElt.removeChild(child); + result.appendChild(child); + child = fragElt.getFirstChild(); + } + // String outp = serialize(d); } catch (SAXException se) { throw new XMLEncryptionException("empty", se);
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/keys/KeyInfo.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/keys/KeyInfo.java Wed Jun 12 14:56:51 2013 +0100 @@ -97,12 +97,12 @@ /** {@link java.util.logging} logging facility */ static java.util.logging.Logger log = java.util.logging.Logger.getLogger(KeyInfo.class.getName()); - List x509Datas=null; - List encryptedKeys=null; + List<X509Data> x509Datas=null; + List<EncryptedKey> encryptedKeys=null; - static final List nullList; + static final List<StorageResolver> nullList; static { - List list = new ArrayList(); + List<StorageResolver> list = new ArrayList<StorageResolver>(1); list.add(null); nullList = Collections.unmodifiableList(list); } @@ -297,7 +297,7 @@ */ public void add(X509Data x509data) { if (x509Datas==null) - x509Datas=new ArrayList(); + x509Datas=new ArrayList<X509Data>(); x509Datas.add(x509data); this._constructionElement.appendChild(x509data.getElement()); XMLUtils.addReturnToElement(this._constructionElement); @@ -313,7 +313,7 @@ public void add(EncryptedKey encryptedKey) throws XMLEncryptionException { if (encryptedKeys==null) - encryptedKeys=new ArrayList(); + encryptedKeys=new ArrayList<EncryptedKey>(); encryptedKeys.add(encryptedKey); XMLCipher cipher = XMLCipher.getInstance(); this._constructionElement.appendChild(cipher.martial(encryptedKey)); @@ -541,7 +541,7 @@ */ public X509Data itemX509Data(int i) throws XMLSecurityException { if (x509Datas!=null) { - return (X509Data) x509Datas.get(i); + return x509Datas.get(i); } Element e = XMLUtils.selectDsNode(this._constructionElement.getFirstChild(), Constants._TAG_X509DATA,i); @@ -562,7 +562,7 @@ public EncryptedKey itemEncryptedKey(int i) throws XMLSecurityException { if (encryptedKeys!=null) { - return (EncryptedKey) encryptedKeys.get(i); + return encryptedKeys.get(i); } Element e = XMLUtils.selectXencNode(this._constructionElement.getFirstChild(), @@ -719,42 +719,36 @@ return null; } - /** - * Searches the library wide keyresolvers for public keys - * - * @return The publick contained in this Node. - * @throws KeyResolverException - */ - PublicKey getPublicKeyFromStaticResolvers() throws KeyResolverException { - int length=KeyResolver.length(); - int storageLength=this._storageResolvers.size(); - Iterator it= KeyResolver.iterator(); - for (int i = 0; i < length; i++) { - KeyResolverSpi keyResolver = (KeyResolverSpi) it.next(); - Node currentChild=this._constructionElement.getFirstChild(); - String uri= this.getBaseURI(); - while (currentChild!=null) { - if (currentChild.getNodeType() == Node.ELEMENT_NODE) { - for (int k = 0; k < storageLength; k++) { - StorageResolver storage = - (StorageResolver) this._storageResolvers.get(k); + /** + * Searches the library wide keyresolvers for public keys + * + * @return The public key contained in this Node. + * @throws KeyResolverException + */ + PublicKey getPublicKeyFromStaticResolvers() throws KeyResolverException { + Iterator<KeyResolverSpi> it = KeyResolver.iterator(); + while (it.hasNext()) { + KeyResolverSpi keyResolver = it.next(); + Node currentChild = this._constructionElement.getFirstChild(); + String uri = this.getBaseURI(); + while (currentChild != null) { + if (currentChild.getNodeType() == Node.ELEMENT_NODE) { + for (StorageResolver storage : _storageResolvers) { + PublicKey pk = + keyResolver.engineLookupAndResolvePublicKey( + (Element) currentChild, uri, storage + ); - PublicKey pk = - keyResolver.engineLookupAndResolvePublicKey((Element) currentChild, - uri, - storage); - - if (pk != null) { - KeyResolver.hit(it); - return pk; - } - } + if (pk != null) { + return pk; + } + } + } + currentChild = currentChild.getNextSibling(); } - currentChild=currentChild.getNextSibling(); - } - } - return null; - } + } + return null; + } /** * Searches the per-KeyInfo keyresolvers for public keys @@ -776,7 +770,7 @@ if (currentChild.getNodeType() == Node.ELEMENT_NODE) { for (int k = 0; k < storageLength; k++) { StorageResolver storage = - (StorageResolver) this._storageResolvers.get(k); + this._storageResolvers.get(k); PublicKey pk = keyResolver .engineLookupAndResolvePublicKey((Element) currentChild, uri, storage); @@ -829,81 +823,83 @@ return null; } - /** - * This method uses each System-wide {@link KeyResolver} to search the - * child elements. Each combination of {@link KeyResolver} and child element - * is checked against all {@link StorageResolver}s. - * - * @return The certificate contined in this KeyInfo - * @throws KeyResolverException - */ - X509Certificate getX509CertificateFromStaticResolvers() - throws KeyResolverException { - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "Start getX509CertificateFromStaticResolvers() with " - + KeyResolver.length() + " resolvers"); - String uri=this.getBaseURI(); - int length= KeyResolver.length(); - int storageLength=this._storageResolvers.size(); - Iterator it = KeyResolver.iterator(); - for (int i = 0; i <length; i++) { - KeyResolverSpi keyResolver = (KeyResolverSpi) it.next(); - X509Certificate cert= applyCurrentResolver(uri, storageLength, keyResolver); - if (cert!=null) { - KeyResolver.hit(it); - return cert; - } - } - return null; - } - - private X509Certificate applyCurrentResolver(String uri, int storageLength, KeyResolverSpi keyResolver) throws KeyResolverException { - Node currentChild=this._constructionElement.getFirstChild(); - while (currentChild!=null) { - if (currentChild.getNodeType() == Node.ELEMENT_NODE) { - for (int k = 0; k < storageLength; k++) { - StorageResolver storage = - (StorageResolver) this._storageResolvers.get(k); + /** + * This method uses each System-wide {@link KeyResolver} to search the + * child elements. Each combination of {@link KeyResolver} and child element + * is checked against all {@link StorageResolver}s. + * + * @return The certificate contained in this KeyInfo + * @throws KeyResolverException + */ + X509Certificate getX509CertificateFromStaticResolvers() + throws KeyResolverException { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, + "Start getX509CertificateFromStaticResolvers() with " + KeyResolver.length() + + " resolvers" + ); + } + String uri = this.getBaseURI(); + Iterator<KeyResolverSpi> it = KeyResolver.iterator(); + while (it.hasNext()) { + KeyResolverSpi keyResolver = it.next(); + X509Certificate cert = applyCurrentResolver(uri, keyResolver); + if (cert != null) { + return cert; + } + } + return null; + } - X509Certificate cert = keyResolver - .engineLookupResolveX509Certificate((Element) currentChild, uri, - storage); + private X509Certificate applyCurrentResolver( + String uri, KeyResolverSpi keyResolver + ) throws KeyResolverException { + Node currentChild = this._constructionElement.getFirstChild(); + while (currentChild != null) { + if (currentChild.getNodeType() == Node.ELEMENT_NODE) { + for (StorageResolver storage : _storageResolvers) { + X509Certificate cert = + keyResolver.engineLookupResolveX509Certificate( + (Element) currentChild, uri, storage + ); - if (cert != null) { - return cert; - } - } + if (cert != null) { + return cert; + } + } } - currentChild=currentChild.getNextSibling(); - } - return null; - } + currentChild = currentChild.getNextSibling(); + } + return null; + } - /** - * Method getX509CertificateFromInternalResolvers - * - * @return The certificate contined in this KeyInfo - * @throws KeyResolverException - */ - X509Certificate getX509CertificateFromInternalResolvers() - throws KeyResolverException { - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "Start getX509CertificateFromInternalResolvers() with " - + this.lengthInternalKeyResolver() + " resolvers"); - String uri=this.getBaseURI(); - int storageLength=this._storageResolvers.size(); - for (int i = 0; i < this.lengthInternalKeyResolver(); i++) { - KeyResolverSpi keyResolver = this.itemInternalKeyResolver(i); - if (log.isLoggable(java.util.logging.Level.FINE)) + /** + * Method getX509CertificateFromInternalResolvers + * + * @return The certificate contined in this KeyInfo + * @throws KeyResolverException + */ + X509Certificate getX509CertificateFromInternalResolvers() + throws KeyResolverException { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, + "Start getX509CertificateFromInternalResolvers() with " + + this.lengthInternalKeyResolver() + " resolvers" + ); + } + String uri = this.getBaseURI(); + for (KeyResolverSpi keyResolver : _internalKeyResolvers) { + if (log.isLoggable(java.util.logging.Level.FINE)) { log.log(java.util.logging.Level.FINE, "Try " + keyResolver.getClass().getName()); - X509Certificate cert= applyCurrentResolver(uri, storageLength, keyResolver); - if (cert!=null) { - return cert; - } - } + } + X509Certificate cert = applyCurrentResolver(uri, keyResolver); + if (cert != null) { + return cert; + } + } - return null; - } + return null; + } /** * This method returns a secret (symmetric) key. This is for XML Encryption. @@ -944,9 +940,9 @@ SecretKey getSecretKeyFromStaticResolvers() throws KeyResolverException { final int length=KeyResolver.length(); int storageLength=this._storageResolvers.size(); - Iterator it = KeyResolver.iterator(); + Iterator<KeyResolverSpi> it = KeyResolver.iterator(); for (int i = 0; i < length; i++) { - KeyResolverSpi keyResolver = (KeyResolverSpi) it.next(); + KeyResolverSpi keyResolver = it.next(); Node currentChild=this._constructionElement.getFirstChild(); String uri=this.getBaseURI(); @@ -954,7 +950,7 @@ if (currentChild.getNodeType() == Node.ELEMENT_NODE) { for (int k = 0; k < storageLength; k++) { StorageResolver storage = - (StorageResolver) this._storageResolvers.get(k); + this._storageResolvers.get(k); SecretKey sk = keyResolver.engineLookupAndResolveSecretKey((Element) currentChild, @@ -992,7 +988,7 @@ if (currentChild.getNodeType() == Node.ELEMENT_NODE) { for (int k = 0; k < storageLength; k++) { StorageResolver storage = - (StorageResolver) this._storageResolvers.get(k); + this._storageResolvers.get(k); SecretKey sk = keyResolver .engineLookupAndResolveSecretKey((Element) currentChild, uri, storage); @@ -1012,7 +1008,7 @@ /** * Stores the individual (per-KeyInfo) {@link KeyResolver}s */ - List _internalKeyResolvers = null; + List<KeyResolverSpi> _internalKeyResolvers = null; /** * This method is used to add a custom {@link KeyResolverSpi} to a KeyInfo @@ -1022,7 +1018,7 @@ */ public void registerInternalKeyResolver(KeyResolverSpi realKeyResolver) { if (_internalKeyResolvers==null) { - _internalKeyResolvers=new ArrayList(); + _internalKeyResolvers=new ArrayList<KeyResolverSpi>(); } this._internalKeyResolvers.add(realKeyResolver); } @@ -1044,11 +1040,11 @@ * @return the KeyResolverSpi for the index. */ KeyResolverSpi itemInternalKeyResolver(int i) { - return (KeyResolverSpi) this._internalKeyResolvers.get(i); + return this._internalKeyResolvers.get(i); } /** Field _storageResolvers */ - List _storageResolvers = nullList; + private List<StorageResolver> _storageResolvers = nullList; /** * Method addStorageResolver @@ -1057,7 +1053,7 @@ */ public void addStorageResolver(StorageResolver storageResolver) { if (_storageResolvers == nullList ){ - _storageResolvers=new ArrayList(); + _storageResolvers=new ArrayList<StorageResolver>(); } this._storageResolvers.add(storageResolver);
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/keys/keyresolver/KeyResolver.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/keys/keyresolver/KeyResolver.java Wed Jun 12 14:56:51 2013 +0100 @@ -2,356 +2,402 @@ * reserved comment block * DO NOT REMOVE OR ALTER! */ -/* - * Copyright 1999-2004 The Apache Software Foundation. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. */ package com.sun.org.apache.xml.internal.security.keys.keyresolver; - - import java.security.PublicKey; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Iterator; import java.util.List; +import java.util.concurrent.CopyOnWriteArrayList; import javax.crypto.SecretKey; +import com.sun.org.apache.xml.internal.security.keys.keyresolver.implementations.DSAKeyValueResolver; +import com.sun.org.apache.xml.internal.security.keys.keyresolver.implementations.RSAKeyValueResolver; +import com.sun.org.apache.xml.internal.security.keys.keyresolver.implementations.RetrievalMethodResolver; +import com.sun.org.apache.xml.internal.security.keys.keyresolver.implementations.X509CertificateResolver; +import com.sun.org.apache.xml.internal.security.keys.keyresolver.implementations.X509IssuerSerialResolver; +import com.sun.org.apache.xml.internal.security.keys.keyresolver.implementations.X509SKIResolver; +import com.sun.org.apache.xml.internal.security.keys.keyresolver.implementations.X509SubjectNameResolver; import com.sun.org.apache.xml.internal.security.keys.storage.StorageResolver; import org.w3c.dom.Element; import org.w3c.dom.Node; - /** * KeyResolver is factory class for subclass of KeyResolverSpi that * represent child element of KeyInfo. - * - * @author $Author: mullan $ - * @version %I%, %G% */ public class KeyResolver { - /** {@link java.util.logging} logging facility */ - static java.util.logging.Logger log = + /** {@link org.apache.commons.logging} logging facility */ + private static java.util.logging.Logger log = java.util.logging.Logger.getLogger(KeyResolver.class.getName()); - /** Field _alreadyInitialized */ - static boolean _alreadyInitialized = false; + /** Field resolverVector */ + private static List<KeyResolver> resolverVector = new CopyOnWriteArrayList<KeyResolver>(); - /** Field _resolverVector */ - static List _resolverVector = null; + /** Field resolverSpi */ + private final KeyResolverSpi resolverSpi; - /** Field _resolverSpi */ - protected KeyResolverSpi _resolverSpi = null; + /** + * Constructor. + * + * @param keyResolverSpi a KeyResolverSpi instance + */ + private KeyResolver(KeyResolverSpi keyResolverSpi) { + resolverSpi = keyResolverSpi; + } - /** Field _storage */ - protected StorageResolver _storage = null; + /** + * Method length + * + * @return the length of resolvers registered + */ + public static int length() { + return resolverVector.size(); + } - /** - * Constructor ResourceResolver - * - * @param className - * @throws ClassNotFoundException - * @throws IllegalAccessException - * @throws InstantiationException - */ - private KeyResolver(String className) - throws ClassNotFoundException, IllegalAccessException, - InstantiationException { - this._resolverSpi = - (KeyResolverSpi) Class.forName(className).newInstance(); - this._resolverSpi.setGlobalResolver(true); - } + /** + * Method getX509Certificate + * + * @param element + * @param baseURI + * @param storage + * @return The certificate represented by the element. + * + * @throws KeyResolverException + */ + public static final X509Certificate getX509Certificate( + Element element, String baseURI, StorageResolver storage + ) throws KeyResolverException { + for (KeyResolver resolver : resolverVector) { + if (resolver == null) { + Object exArgs[] = { + (((element != null) + && (element.getNodeType() == Node.ELEMENT_NODE)) + ? element.getTagName() : "null") + }; - /** - * Method length - * - * @return the length of resolvers registed - */ - public static int length() { - return KeyResolver._resolverVector.size(); - } + throw new KeyResolverException("utils.resolver.noClass", exArgs); + } + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "check resolvability by class " + resolver.getClass()); + } - public static void hit(Iterator hintI) { - ResolverIterator hint = (ResolverIterator) hintI; - int i = hint.i; - if (i!=1 && hint.res ==_resolverVector) { - List resolverVector=(List)((ArrayList)_resolverVector).clone(); - Object ob=resolverVector.remove(i-1); - resolverVector.add(0,ob); - _resolverVector=resolverVector; - } else { - //System.out.println("KeyResolver hitting"); - } - } + X509Certificate cert = resolver.resolveX509Certificate(element, baseURI, storage); + if (cert != null) { + return cert; + } + } + + Object exArgs[] = { + (((element != null) && (element.getNodeType() == Node.ELEMENT_NODE)) + ? element.getTagName() : "null") + }; - /** - * Method getInstance - * - * @param element - * @param BaseURI - * @param storage - * @return The certificate represented by the element. - * - * @throws KeyResolverException - */ - public static final X509Certificate getX509Certificate( - Element element, String BaseURI, StorageResolver storage) - throws KeyResolverException { + throw new KeyResolverException("utils.resolver.noClass", exArgs); + } - // use the old vector to not be hit by updates - List resolverVector = KeyResolver._resolverVector; - for (int i = 0; i < resolverVector.size(); i++) { - KeyResolver resolver= - (KeyResolver) resolverVector.get(i); + /** + * Method getPublicKey + * + * @param element + * @param baseURI + * @param storage + * @return the public key contained in the element + * + * @throws KeyResolverException + */ + public static final PublicKey getPublicKey( + Element element, String baseURI, StorageResolver storage + ) throws KeyResolverException { + for (KeyResolver resolver : resolverVector) { + if (resolver == null) { + Object exArgs[] = { + (((element != null) + && (element.getNodeType() == Node.ELEMENT_NODE)) + ? element.getTagName() : "null") + }; - if (resolver==null) { - Object exArgs[] = { - (((element != null) - && (element.getNodeType() == Node.ELEMENT_NODE)) - ? element.getTagName() - : "null") }; - - throw new KeyResolverException("utils.resolver.noClass", exArgs); - } - if (log.isLoggable(java.util.logging.Level.FINE)) + throw new KeyResolverException("utils.resolver.noClass", exArgs); + } + if (log.isLoggable(java.util.logging.Level.FINE)) { log.log(java.util.logging.Level.FINE, "check resolvability by class " + resolver.getClass()); - - X509Certificate cert=resolver.resolveX509Certificate(element, BaseURI, storage); - if (cert!=null) { - return cert; - } - } + } - Object exArgs[] = { - (((element != null) && (element.getNodeType() == Node.ELEMENT_NODE)) - ? element.getTagName() - : "null") }; + PublicKey cert = resolver.resolvePublicKey(element, baseURI, storage); + if (cert != null) { + return cert; + } + } + + Object exArgs[] = { + (((element != null) && (element.getNodeType() == Node.ELEMENT_NODE)) + ? element.getTagName() : "null") + }; + + throw new KeyResolverException("utils.resolver.noClass", exArgs); + } - throw new KeyResolverException("utils.resolver.noClass", exArgs); - } - /** - * Method getInstance - * - * @param element - * @param BaseURI - * @param storage - * @return the public key contained in the element - * - * @throws KeyResolverException - */ - public static final PublicKey getPublicKey( - Element element, String BaseURI, StorageResolver storage) - throws KeyResolverException { - - List resolverVector = KeyResolver._resolverVector; - for (int i = 0; i < resolverVector.size(); i++) { - KeyResolver resolver= - (KeyResolver) resolverVector.get(i); - - if (resolver==null) { - Object exArgs[] = { - (((element != null) - && (element.getNodeType() == Node.ELEMENT_NODE)) - ? element.getTagName() - : "null") }; - - throw new KeyResolverException("utils.resolver.noClass", exArgs); - } - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "check resolvability by class " + resolver.getClass()); + /** + * This method is used for registering {@link KeyResolverSpi}s which are + * available to <I>all</I> {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo} objects. This means that + * personalized {@link KeyResolverSpi}s should only be registered directly + * to the {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo} using + * {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo#registerInternalKeyResolver}. + * Please note that this method will create a new copy of the underlying array, as the + * underlying collection is a CopyOnWriteArrayList. + * + * @param className + * @param globalResolver Whether the KeyResolverSpi is a global resolver or not + * @throws InstantiationException + * @throws IllegalAccessException + * @throws ClassNotFoundException + */ + public static void register(String className, boolean globalResolver) + throws ClassNotFoundException, IllegalAccessException, InstantiationException { + KeyResolverSpi keyResolverSpi = + (KeyResolverSpi) Class.forName(className).newInstance(); + keyResolverSpi.setGlobalResolver(globalResolver); + register(keyResolverSpi, false); + } - PublicKey cert=resolver.resolvePublicKey(element, BaseURI, storage); - if (cert!=null) { - if (i!=0 && resolverVector==_resolverVector) { - //update resolver. - resolverVector=(List)((ArrayList)_resolverVector).clone(); - Object ob=resolverVector.remove(i); - resolverVector.add(0,ob); - _resolverVector=resolverVector; - } - return cert; - } - } - - Object exArgs[] = { - (((element != null) && (element.getNodeType() == Node.ELEMENT_NODE)) - ? element.getTagName() - : "null") }; - - throw new KeyResolverException("utils.resolver.noClass", exArgs); - } - - /** - * The init() function is called by com.sun.org.apache.xml.internal.security.Init.init() - */ - public static void init() { + /** + * This method is used for registering {@link KeyResolverSpi}s which are + * available to <I>all</I> {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo} objects. This means that + * personalized {@link KeyResolverSpi}s should only be registered directly + * to the {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo} using + * {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo#registerInternalKeyResolver}. + * Please note that this method will create a new copy of the underlying array, as the + * underlying collection is a CopyOnWriteArrayList. + * + * @param className + * @param globalResolver Whether the KeyResolverSpi is a global resolver or not + */ + public static void registerAtStart(String className, boolean globalResolver) { + KeyResolverSpi keyResolverSpi = null; + Exception ex = null; + try { + keyResolverSpi = (KeyResolverSpi) Class.forName(className).newInstance(); + } catch (ClassNotFoundException e) { + ex = e; + } catch (IllegalAccessException e) { + ex = e; + } catch (InstantiationException e) { + ex = e; + } - if (!KeyResolver._alreadyInitialized) { - KeyResolver._resolverVector = new ArrayList(10); - _alreadyInitialized = true; - } - } + if (ex != null) { + throw (IllegalArgumentException) new + IllegalArgumentException("Invalid KeyResolver class name").initCause(ex); + } + keyResolverSpi.setGlobalResolver(globalResolver); + register(keyResolverSpi, true); + } - /** - * This method is used for registering {@link KeyResolverSpi}s which are - * available to <I>all</I> {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo} objects. This means that - * personalized {@link KeyResolverSpi}s should only be registered directly - * to the {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo} using - * {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo#registerInternalKeyResolver}. - * - * @param className - * @throws InstantiationException - * @throws IllegalAccessException - * @throws ClassNotFoundException - */ - public static void register(String className) throws ClassNotFoundException, IllegalAccessException, InstantiationException { - KeyResolver._resolverVector.add(new KeyResolver(className)); - } - - /** - * This method is used for registering {@link KeyResolverSpi}s which are - * available to <I>all</I> {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo} objects. This means that - * personalized {@link KeyResolverSpi}s should only be registered directly - * to the {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo} using {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo#registerInternalKeyResolver}. - * - * @param className - */ - public static void registerAtStart(String className) { - KeyResolver._resolverVector.add(0, className); - } + /** + * This method is used for registering {@link KeyResolverSpi}s which are + * available to <I>all</I> {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo} objects. This means that + * personalized {@link KeyResolverSpi}s should only be registered directly + * to the {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo} using + * {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo#registerInternalKeyResolver}. + * Please note that this method will create a new copy of the underlying array, as the + * underlying collection is a CopyOnWriteArrayList. + * + * @param keyResolverSpi a KeyResolverSpi instance to register + * @param start whether to register the KeyResolverSpi at the start of the list or not + */ + public static void register( + KeyResolverSpi keyResolverSpi, + boolean start + ) { + KeyResolver resolver = new KeyResolver(keyResolverSpi); + if (start) { + resolverVector.add(0, resolver); + } else { + resolverVector.add(resolver); + } + } - /** - * Method resolve - * - * @param element - * @param BaseURI - * @param storage - * @return resolved public key from the registered from the elements - * - * @throws KeyResolverException - */ - public PublicKey resolvePublicKey( - Element element, String BaseURI, StorageResolver storage) - throws KeyResolverException { - return this._resolverSpi.engineLookupAndResolvePublicKey(element, BaseURI, storage); - } + /** + * This method is used for registering {@link KeyResolverSpi}s which are + * available to <I>all</I> {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo} objects. This means that + * personalized {@link KeyResolverSpi}s should only be registered directly + * to the {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo} using + * {@link com.sun.org.apache.xml.internal.security.keys.KeyInfo#registerInternalKeyResolver}. + * The KeyResolverSpi instances are not registered as a global resolver. + * + * + * @param classNames + * @throws InstantiationException + * @throws IllegalAccessException + * @throws ClassNotFoundException + */ + public static void registerClassNames(List<String> classNames) + throws ClassNotFoundException, IllegalAccessException, InstantiationException { + List<KeyResolver> keyResolverList = new ArrayList<KeyResolver>(classNames.size()); + for (String className : classNames) { + KeyResolverSpi keyResolverSpi = + (KeyResolverSpi) Class.forName(className).newInstance(); + keyResolverSpi.setGlobalResolver(false); + keyResolverList.add(new KeyResolver(keyResolverSpi)); + } + resolverVector.addAll(keyResolverList); + } - /** - * Method resolveX509Certificate - * - * @param element - * @param BaseURI - * @param storage - * @return resolved X509certificate key from the registered from the elements - * - * @throws KeyResolverException - */ - public X509Certificate resolveX509Certificate( - Element element, String BaseURI, StorageResolver storage) - throws KeyResolverException { - return this._resolverSpi.engineLookupResolveX509Certificate(element, BaseURI, - storage); - } + /** + * This method registers the default resolvers. + */ + public static void registerDefaultResolvers() { + + List<KeyResolver> keyResolverList = new ArrayList<KeyResolver>(); + keyResolverList.add(new KeyResolver(new RSAKeyValueResolver())); + keyResolverList.add(new KeyResolver(new DSAKeyValueResolver())); + keyResolverList.add(new KeyResolver(new X509CertificateResolver())); + keyResolverList.add(new KeyResolver(new X509SKIResolver())); + keyResolverList.add(new KeyResolver(new RetrievalMethodResolver())); + keyResolverList.add(new KeyResolver(new X509SubjectNameResolver())); + keyResolverList.add(new KeyResolver(new X509IssuerSerialResolver())); + + resolverVector.addAll(keyResolverList); + } - /** - * @param element - * @param BaseURI - * @param storage - * @return resolved SecretKey key from the registered from the elements - * @throws KeyResolverException - */ - public SecretKey resolveSecretKey( - Element element, String BaseURI, StorageResolver storage) - throws KeyResolverException { - return this._resolverSpi.engineLookupAndResolveSecretKey(element, BaseURI, - storage); - } + /** + * Method resolvePublicKey + * + * @param element + * @param baseURI + * @param storage + * @return resolved public key from the registered from the elements + * + * @throws KeyResolverException + */ + public PublicKey resolvePublicKey( + Element element, String baseURI, StorageResolver storage + ) throws KeyResolverException { + return resolverSpi.engineLookupAndResolvePublicKey(element, baseURI, storage); + } + + /** + * Method resolveX509Certificate + * + * @param element + * @param baseURI + * @param storage + * @return resolved X509certificate key from the registered from the elements + * + * @throws KeyResolverException + */ + public X509Certificate resolveX509Certificate( + Element element, String baseURI, StorageResolver storage + ) throws KeyResolverException { + return resolverSpi.engineLookupResolveX509Certificate(element, baseURI, storage); + } - /** - * Method setProperty - * - * @param key - * @param value - */ - public void setProperty(String key, String value) { - this._resolverSpi.engineSetProperty(key, value); - } + /** + * @param element + * @param baseURI + * @param storage + * @return resolved SecretKey key from the registered from the elements + * @throws KeyResolverException + */ + public SecretKey resolveSecretKey( + Element element, String baseURI, StorageResolver storage + ) throws KeyResolverException { + return resolverSpi.engineLookupAndResolveSecretKey(element, baseURI, storage); + } - /** - * Method getProperty - * - * @param key - * @return the property setted for this resolver - */ - public String getProperty(String key) { - return this._resolverSpi.engineGetProperty(key); - } + /** + * Method setProperty + * + * @param key + * @param value + */ + public void setProperty(String key, String value) { + resolverSpi.engineSetProperty(key, value); + } + + /** + * Method getProperty + * + * @param key + * @return the property set for this resolver + */ + public String getProperty(String key) { + return resolverSpi.engineGetProperty(key); + } - /** - * Method understandsProperty - * - * @param propertyToTest - * @return true if the resolver understands property propertyToTest - */ - public boolean understandsProperty(String propertyToTest) { - return this._resolverSpi.understandsProperty(propertyToTest); - } + /** + * Method understandsProperty + * + * @param propertyToTest + * @return true if the resolver understands property propertyToTest + */ + public boolean understandsProperty(String propertyToTest) { + return resolverSpi.understandsProperty(propertyToTest); + } - /** - * Method resolverClassName - * - * @return the name of the resolver. - */ - public String resolverClassName() { - return this._resolverSpi.getClass().getName(); - } + /** + * Method resolverClassName + * + * @return the name of the resolver. + */ + public String resolverClassName() { + return resolverSpi.getClass().getName(); + } - static class ResolverIterator implements Iterator { - List res; - Iterator it; - int i; - public ResolverIterator(List list) { - res = list; - it = res.iterator(); + /** + * Iterate over the KeyResolverSpi instances + */ + static class ResolverIterator implements Iterator<KeyResolverSpi> { + List<KeyResolver> res; + Iterator<KeyResolver> it; + + public ResolverIterator(List<KeyResolver> list) { + res = list; + it = res.iterator(); } - public boolean hasNext() { - // TODO Auto-generated method stub - return it.hasNext(); - } + + public boolean hasNext() { + return it.hasNext(); + } - public Object next() { - i++; - KeyResolver resolver = (KeyResolver) it.next(); - if (resolver==null) { - throw new RuntimeException("utils.resolver.noClass"); - } + public KeyResolverSpi next() { + KeyResolver resolver = it.next(); + if (resolver == null) { + throw new RuntimeException("utils.resolver.noClass"); + } - return resolver._resolverSpi; - } - - public void remove() { - // TODO Auto-generated method stub + return resolver.resolverSpi; + } - } + public void remove() { + throw new UnsupportedOperationException("Can't remove resolvers using the iterator"); + } + }; - }; - public static Iterator iterator() { - return new ResolverIterator(_resolverVector); - } + public static Iterator<KeyResolverSpi> iterator() { + return new ResolverIterator(resolverVector); + } }
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/keys/keyresolver/implementations/RetrievalMethodResolver.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/keys/keyresolver/implementations/RetrievalMethodResolver.java Wed Jun 12 14:56:51 2013 +0100 @@ -34,6 +34,7 @@ import java.util.ListIterator; import java.util.Set; +import javax.xml.XMLConstants; import javax.xml.parsers.ParserConfigurationException; import com.sun.org.apache.xml.internal.security.c14n.CanonicalizationException; @@ -251,6 +252,7 @@ try { javax.xml.parsers.DocumentBuilderFactory dbf =javax.xml.parsers.DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); + dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE); javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder(); org.w3c.dom.Document doc = db.parse(new java.io.ByteArrayInputStream(bytes));
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/resource/xmlsecurity_en.properties Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/resource/xmlsecurity_en.properties Wed Jun 12 14:56:51 2013 +0100 @@ -1,123 +1,126 @@ -algorithm.alreadyRegistered = URI {0} already assigned to class {1} -algorithm.classDoesNotExist = Cannot register URI {0} to class {1} because this class does not exist in CLASSPATH -algorithm.ClassDoesNotExist = Class {0} does not exist -algorithm.extendsWrongClass = Cannot register URI {0} to class {1} because it does not extend {2} -algorithms.CannotUseAlgorithmParameterSpecOnDSA = Sorry, but you cannot use a AlgorithmParameterSpec object for creating DSA signatures. -algorithms.CannotUseAlgorithmParameterSpecOnRSA = Sorry, but you cannot use a AlgorithmParameterSpec object for creating RSA signatures. -algorithms.CannotUseSecureRandomOnMAC = Sorry, but you cannot use a SecureRandom object for creating MACs. -algorithms.HMACOutputLengthOnlyForHMAC = A HMACOutputLength can only be specified for HMAC integrity algorithms -algorithms.NoSuchAlgorithm = The requested algorithm {0} does not exist. Original Message was: {1} -algorithms.NoSuchMap = The algorithm URI "{0}" could not be mapped to a JCE algorithm -algorithms.NoSuchProvider = The specified Provider {0} does not exist. Original Message was: {1} -algorithms.operationOnlyVerification = A public key can only used for verification of a signature. -algorithms.WrongKeyForThisOperation = Sorry, you supplied the wrong key type for this operation! You supplied a {0} but a {1} is needed. -attributeValueIllegal = The attribute {0} has value {1} but must be {2} -c14n.Canonicalizer.Exception = Exception during Canonicalization: Original Message was {0} -c14n.Canonicalizer.IllegalNode = Illegal node type {0}, node name was {1} -c14n.Canonicalizer.NoSuchCanonicalizer = No canonicalizer found with URI {0} -c14n.Canonicalizer.ParserConfigurationException = ParserConfigurationException during Canonicalization: Original Message was {0} -c14n.Canonicalizer.RelativeNamespace = Element {0} has a relative namespace: {1}="{2}" -c14n.Canonicalizer.SAXException = SAXException during Canonicalization: Original Message was {0} -c14n.Canonicalizer.TraversalNotSupported = This DOM document does not support Traversal {0} -c14n.Canonicalizer.UnsupportedEncoding = Unsupported encoding {0} -c14n.Canonicalizer.UnsupportedOperation = This canonicalizer does not support this operation -c14n.XMLUtils.circumventBug2650forgotten = The tree has not been prepared for canonicalization using XMLUtils#circumventBug2650(Document) -certificate.noSki.lowVersion = Certificate cannot contain a SubjectKeyIdentifier because it is only X509v{0} -certificate.noSki.notOctetString = Certificates SubjectKeyIdentifier is not a OctetString -certificate.noSki.null = Certificate does not contain a SubjectKeyIdentifier -defaultNamespaceCannotBeSetHere = Default namespace cannot be set here -ElementProxy.nullElement = Cannot create an ElementProxy from a null argument -empty = {0} -encryption.algorithmCannotBeUsedForEncryptedData = encryption.algorithmCannotBeUsedForEncryptedData {0} -encryption.algorithmCannotEatInitParams = encryption.algorithmCannotEatInitParams -encryption.algorithmCannotEncryptDecrypt = encryption.algorithmCannotEncryptDecrypt -encryption.algorithmCannotWrapUnWrap = encryption.algorithmCannotWrapUnWrap -encryption.ExplicitKeySizeMismatch = The xenc:KeySize element requests a key size of {0} bit but the algorithm implements {1} bit -encryption.nonceLongerThanDecryptedPlaintext = The given nonce is longer than the available plaintext. I Cannot strip away this. -encryption.RSAOAEP.dataHashWrong = data hash wrong -encryption.RSAOAEP.dataStartWrong = data wrong start {0} -encryption.RSAOAEP.dataTooShort = data too short -encryption.RSAPKCS15.blockTruncated = block truncated -encryption.RSAPKCS15.noDataInBlock = no data in block -encryption.RSAPKCS15.unknownBlockType = unknown block type -encryption.nokey = No Key Encryption Key loaded and cannot determine using key resolvers -endorsed.jdk1.4.0 = Since it seems that nobody reads our installation notes, we must do it in the exception messages. Hope you read them. You did NOT use the endorsed mechanism from JDK 1.4 properly; look at <http://xml.apache.org/security/Java/installation.html> how to solve this problem. -errorMessages.InvalidDigestValueException = INVALID signature -- check reference resolution. -errorMessages.InvalidSignatureValueException = INVALID signature -- core validation failed. -errorMessages.IOException = Other file I/O and similar exceptions. -errorMessages.MissingKeyFailureException = Cannot verify because of missing public key. Provide it via addResource and try again. -errorMessages.MissingResourceFailureException = Cannot verify because of unresolved references. Provide it via addResource and try again. -errorMessages.NoSuchAlgorithmException = Unknown Algorithm {0} -errorMessages.NotYetImplementedException = Functionality not yet there. -errorMessages.XMLSignatureException = Verification failed for some other reason. -decoding.divisible.four = It should be divisible by four -decoding.general = Error while decoding -FileKeyStorageImpl.addToDefaultFromRemoteNotImplemented = Method addToDefaultFromRemote() not yet implemented. -FileKeyStorageImpl.NoCert.Context = Not found such a X509Certificate including context {0} -FileKeyStorageImpl.NoCert.IssNameSerNo = Not found such a X509Certificate with IssuerName {0} and serial number {1} -FileKeyStorageImpl.NoCert.SubjName = Not found such a X509Certificate including SubjectName {0} -generic.dontHaveConstructionElement = I do not have a construction Element -generic.EmptyMessage = {0} -generic.NotYetImplemented = {0} Not YET implemented ;-(( -java.security.InvalidKeyException = Invalid key -java.security.NoSuchProviderException = Unknown or unsupported provider -java.security.UnknownKeyType = Unknown or unsupported key type {0} -KeyInfo.needKeyResolver = More than one keyResovler have to be registered -KeyInfo.nokey = Cannot get key from {0} -KeyInfo.noKey = Cannot get the public key -KeyInfo.wrongNumberOfObject = Need {0} keyObjects -KeyInfo.wrongUse = This object was made for getting {0} -keyResolver.alreadyRegistered = {1} class has already been registered for {0} -KeyResolver.needStorageResolver = Need a StorageResolver to retrieve a Certificate from a {0} -KeyResoverSpiImpl.cannotGetCert = Cannot get the Certificate that include or in {1} in implement class {0} -KeyResoverSpiImpl.elementGeneration = Cannot make {1} element in implement class {0} -KeyResoverSpiImpl.getPoublicKey = Cannot get the public key from implement class {0} -KeyResoverSpiImpl.InvalidElement = Cannot set (2) Element in implement class {0} -KeyResoverSpiImpl.keyStore = KeyStorage error in implement class {0} -KeyResoverSpiImpl.need.Element = {1} type of Element is needed in implement class {0} -KeyResoverSpiImpl.wrongCRLElement = Cannot make CRL from {1} in implement class {0} -KeyResoverSpiImpl.wrongKeyObject = Need {1} type of KeyObject for generation Element in implement class{0} -KeyResoverSpiImpl.wrongNumberOfObject = Need {1} keyObject in implement class {0} -KeyStore.alreadyRegistered = {0} Class has already been registered for {1} -KeyStore.register = {1} type class register error in class {0} -KeyStore.registerStore.register = Registeration error for type {0} -KeyValue.IllegalArgument = Cannot create a {0} from {1} -namespacePrefixAlreadyUsedByOtherURI = Namespace prefix {0} already used by other URI {1} -notYetInitialized = The module {0} is not yet initialized -prefix.AlreadyAssigned = You want to assign {0} as prefix for namespace {1} but it is already assigned for {2} -signature.Canonicalizer.UnknownCanonicalizer = Unknown canonicalizer. No handler installed for URI {0} -signature.DSA.invalidFormat = Invalid ASN.1 encoding of the DSA signature -signature.Generation.signBeforeGetValue = You have to XMLSignature.sign(java.security.PrivateKey) first -signature.signaturePropertyHasNoTarget = The Target attribute of the SignatureProperty must be set -signature.Transform.ErrorDuringTransform = A {1} was thrown during the {0} transform -signature.Transform.NotYetImplemented = Transform {0} not yet implemented -signature.Transform.NullPointerTransform = Null pointer as URI. Programming bug? -signature.Transform.UnknownTransform = Unknown transformation. No handler installed for URI {0} -signature.Transform.node = Current Node: {0} -signature.Transform.nodeAndType = Current Node: {0}, type: {1} -signature.Util.BignumNonPositive = bigInteger.signum() must be positive -signature.Util.NonTextNode = Not a text node -signature.Util.TooManyChilds = Too many childs of Type {0} in {1} -signature.Verification.certificateError = Certificate error -signature.Verification.IndexOutOfBounds = Index {0} illegal. We only have {1} References -signature.Verification.internalError = Internal error -signature.Verification.InvalidDigestOrReference = Invalid digest of reference {0} -signature.Verification.keyStore = KeyStore error -signature.Verification.MissingID = Cannot resolve element with ID {0} -signature.Verification.MissingResources = Cannot resolve external resource {0} -signature.Verification.NoSignatureElement = Input document contains no {0} Element in namespace {1} -signature.Verification.Reference.NoInput = The Reference for URI {0} has no XMLSignatureInput -signature.Verification.SignatureError = Signature error -signature.XMLSignatureInput.MissingConstuctor = Cannot construct a XMLSignatureInput from class {0} -signature.XMLSignatureInput.SerializeDOM = Input initialized with DOM Element. Use Canonicalization to serialize it -signature.XMLSignatureInput.nodesetReference = Unable to convert to nodeset the reference -transform.Init.IllegalContextArgument = Invalid context argument of class {0}. Must be String, org.w3c.dom.NodeList or java.io.InputStream. -transform.init.NotInitialized = -transform.init.wrongURI = Initialized with wrong URI. How could this happen? We implement {0} but {1} was used during initialization -utils.Base64.IllegalBitlength = Illegal byte length; Data to be decoded must be a multiple of 4 -Base64Decoding = Error while decoding -utils.resolver.noClass = Could not find a resolver for URI {0} and Base {1} -xml.WrongContent = Cannot find {0} in {1} -xml.WrongElement = Cannot create a {0} from a {1} element -xpath.funcHere.documentsDiffer = The XPath is not in the same document as the context node -xpath.funcHere.noXPathContext = Try to evaluate an XPath which uses the here() function but XPath is not inside an ds:XPath Element. XPath was : {0} +algorithm.alreadyRegistered = URI {0} already assigned to class {1} +algorithm.classDoesNotExist = Cannot register URI {0} to class {1} because this class does not exist in CLASSPATH +algorithm.ClassDoesNotExist = Class {0} does not exist +algorithm.extendsWrongClass = Cannot register URI {0} to class {1} because it does not extend {2} +algorithms.CannotUseAlgorithmParameterSpecOnDSA = Sorry, but you cannot use a AlgorithmParameterSpec object for creating DSA signatures. +algorithms.CannotUseAlgorithmParameterSpecOnRSA = Sorry, but you cannot use a AlgorithmParameterSpec object for creating RSA signatures. +algorithms.CannotUseSecureRandomOnMAC = Sorry, but you cannot use a SecureRandom object for creating MACs. +algorithms.HMACOutputLengthOnlyForHMAC = A HMACOutputLength can only be specified for HMAC integrity algorithms +algorithms.NoSuchAlgorithm = The requested algorithm {0} does not exist. Original Message was: {1} +algorithms.NoSuchMap = The algorithm URI "{0}" could not be mapped to a JCE algorithm +algorithms.NoSuchProvider = The specified Provider {0} does not exist. Original Message was: {1} +algorithms.operationOnlyVerification = A public key can only used for verification of a signature. +algorithms.WrongKeyForThisOperation = Sorry, you supplied the wrong key type for this operation! You supplied a {0} but a {1} is needed. +attributeValueIllegal = The attribute {0} has value {1} but must be {2} +c14n.Canonicalizer.Exception = Exception during Canonicalization: Original Message was {0} +c14n.Canonicalizer.IllegalNode = Illegal node type {0}, node name was {1} +c14n.Canonicalizer.NoSuchCanonicalizer = No canonicalizer found with URI {0} +c14n.Canonicalizer.ParserConfigurationException = ParserConfigurationException during Canonicalization: Original Message was {0} +c14n.Canonicalizer.RelativeNamespace = Element {0} has a relative namespace: {1}="{2}" +c14n.Canonicalizer.SAXException = SAXException during Canonicalization: Original Message was {0} +c14n.Canonicalizer.TraversalNotSupported = This DOM document does not support Traversal {0} +c14n.Canonicalizer.UnsupportedEncoding = Unsupported encoding {0} +c14n.Canonicalizer.UnsupportedOperation = This canonicalizer does not support this operation +c14n.XMLUtils.circumventBug2650forgotten = The tree has not been prepared for canonicalization using XMLUtils#circumventBug2650(Document) +certificate.noSki.lowVersion = Certificate cannot contain a SubjectKeyIdentifier because it is only X509v{0} +certificate.noSki.notOctetString = Certificates SubjectKeyIdentifier is not a OctetString +certificate.noSki.null = Certificate does not contain a SubjectKeyIdentifier +defaultNamespaceCannotBeSetHere = Default namespace cannot be set here +ElementProxy.nullElement = Cannot create an ElementProxy from a null argument +empty = {0} +encryption.algorithmCannotBeUsedForEncryptedData = encryption.algorithmCannotBeUsedForEncryptedData {0} +encryption.algorithmCannotEatInitParams = encryption.algorithmCannotEatInitParams +encryption.algorithmCannotEncryptDecrypt = encryption.algorithmCannotEncryptDecrypt +encryption.algorithmCannotWrapUnWrap = encryption.algorithmCannotWrapUnWrap +encryption.ExplicitKeySizeMismatch = The xenc:KeySize element requests a key size of {0} bit but the algorithm implements {1} bit +encryption.nonceLongerThanDecryptedPlaintext = The given nonce is longer than the available plaintext. I Cannot strip away this. +encryption.RSAOAEP.dataHashWrong = data hash wrong +encryption.RSAOAEP.dataStartWrong = data wrong start {0} +encryption.RSAOAEP.dataTooShort = data too short +encryption.RSAPKCS15.blockTruncated = block truncated +encryption.RSAPKCS15.noDataInBlock = no data in block +encryption.RSAPKCS15.unknownBlockType = unknown block type +encryption.nokey = No Key Encryption Key loaded and cannot determine using key resolvers +endorsed.jdk1.4.0 = Since it seems that nobody reads our installation notes, we must do it in the exception messages. Hope you read them. You did NOT use the endorsed mechanism from JDK 1.4 properly; look at <http://xml.apache.org/security/Java/installation.html> how to solve this problem. +errorMessages.InvalidDigestValueException = INVALID signature -- check reference resolution. +errorMessages.InvalidSignatureValueException = INVALID signature -- core validation failed. +errorMessages.IOException = Other file I/O and similar exceptions. +errorMessages.MissingKeyFailureException = Cannot verify because of missing public key. Provide it via addResource and try again. +errorMessages.MissingResourceFailureException = Cannot verify because of unresolved references. Provide it via addResource and try again. +errorMessages.NoSuchAlgorithmException = Unknown Algorithm {0} +errorMessages.NotYetImplementedException = Functionality not yet there. +errorMessages.XMLSignatureException = Verification failed for some other reason. +decoding.divisible.four = It should be divisible by four +decoding.general = Error while decoding +FileKeyStorageImpl.addToDefaultFromRemoteNotImplemented = Method addToDefaultFromRemote() not yet implemented. +FileKeyStorageImpl.NoCert.Context = Not found such a X509Certificate including context {0} +FileKeyStorageImpl.NoCert.IssNameSerNo = Not found such a X509Certificate with IssuerName {0} and serial number {1} +FileKeyStorageImpl.NoCert.SubjName = Not found such a X509Certificate including SubjectName {0} +generic.dontHaveConstructionElement = I do not have a construction Element +generic.EmptyMessage = {0} +generic.NotYetImplemented = {0} Not YET implemented ;-(( +java.security.InvalidKeyException = Invalid key +java.security.NoSuchProviderException = Unknown or unsupported provider +java.security.UnknownKeyType = Unknown or unsupported key type {0} +KeyInfo.needKeyResolver = More than one keyResovler have to be registered +KeyInfo.nokey = Cannot get key from {0} +KeyInfo.noKey = Cannot get the public key +KeyInfo.wrongNumberOfObject = Need {0} keyObjects +KeyInfo.wrongUse = This object was made for getting {0} +keyResolver.alreadyRegistered = {1} class has already been registered for {0} +KeyResolver.needStorageResolver = Need a StorageResolver to retrieve a Certificate from a {0} +KeyResoverSpiImpl.cannotGetCert = Cannot get the Certificate that include or in {1} in implement class {0} +KeyResoverSpiImpl.elementGeneration = Cannot make {1} element in implement class {0} +KeyResoverSpiImpl.getPoublicKey = Cannot get the public key from implement class {0} +KeyResoverSpiImpl.InvalidElement = Cannot set (2) Element in implement class {0} +KeyResoverSpiImpl.keyStore = KeyStorage error in implement class {0} +KeyResoverSpiImpl.need.Element = {1} type of Element is needed in implement class {0} +KeyResoverSpiImpl.wrongCRLElement = Cannot make CRL from {1} in implement class {0} +KeyResoverSpiImpl.wrongKeyObject = Need {1} type of KeyObject for generation Element in implement class{0} +KeyResoverSpiImpl.wrongNumberOfObject = Need {1} keyObject in implement class {0} +KeyStore.alreadyRegistered = {0} Class has already been registered for {1} +KeyStore.register = {1} type class register error in class {0} +KeyStore.registerStore.register = Registeration error for type {0} +KeyValue.IllegalArgument = Cannot create a {0} from {1} +namespacePrefixAlreadyUsedByOtherURI = Namespace prefix {0} already used by other URI {1} +notYetInitialized = The module {0} is not yet initialized +prefix.AlreadyAssigned = You want to assign {0} as prefix for namespace {1} but it is already assigned for {2} +signature.Canonicalizer.UnknownCanonicalizer = Unknown canonicalizer. No handler installed for URI {0} +signature.DSA.invalidFormat = Invalid ASN.1 encoding of the DSA signature +signature.Generation.signBeforeGetValue = You have to XMLSignature.sign(java.security.PrivateKey) first +signature.Reference.ForbiddenResolver = It is forbidden to access resolver {0} when secure validation is enabled +signature.signatureAlgorithm = It is forbidden to use algorithm {0} when secure validation is enabled +signature.signaturePropertyHasNoTarget = The Target attribute of the SignatureProperty must be set +signature.Transform.ErrorDuringTransform = A {1} was thrown during the {0} transform +signature.Transform.NotYetImplemented = Transform {0} not yet implemented +signature.Transform.NullPointerTransform = Null pointer as URI. Programming bug? +signature.Transform.UnknownTransform = Unknown transformation. No handler installed for URI {0} +signature.Transform.node = Current Node: {0} +signature.Transform.nodeAndType = Current Node: {0}, type: {1} +signature.Util.BignumNonPositive = bigInteger.signum() must be positive +signature.Util.NonTextNode = Not a text node +signature.Util.TooManyChilds = Too many childs of Type {0} in {1} +signature.Verification.certificateError = Certificate error +signature.Verification.IndexOutOfBounds = Index {0} illegal. We only have {1} References +signature.Verification.internalError = Internal error +signature.Verification.InvalidDigestOrReference = Invalid digest of reference {0} +signature.Verification.keyStore = KeyStore error +signature.Verification.MissingID = Cannot resolve element with ID {0} +signature.Verification.MissingResources = Cannot resolve external resource {0} +signature.Verification.MultipleIDs = Multiple Elements with the same ID {0} were detected +signature.Verification.NoSignatureElement = Input document contains no {0} Element in namespace {1} +signature.Verification.Reference.NoInput = The Reference for URI {0} has no XMLSignatureInput +signature.Verification.SignatureError = Signature error +signature.XMLSignatureInput.MissingConstuctor = Cannot construct a XMLSignatureInput from class {0} +signature.XMLSignatureInput.SerializeDOM = Input initialized with DOM Element. Use Canonicalization to serialize it +signature.XMLSignatureInput.nodesetReference = Unable to convert to nodeset the reference +transform.Init.IllegalContextArgument = Invalid context argument of class {0}. Must be String, org.w3c.dom.NodeList or java.io.InputStream. +transform.init.NotInitialized = +transform.init.wrongURI = Initialized with wrong URI. How could this happen? We implement {0} but {1} was used during initialization +utils.Base64.IllegalBitlength = Illegal byte length; Data to be decoded must be a multiple of 4 +Base64Decoding = Error while decoding +utils.resolver.noClass = Could not find a resolver for URI {0} and Base {1} +xml.WrongContent = Cannot find {0} in {1} +xml.WrongElement = Cannot create a {0} from a {1} element +xpath.funcHere.documentsDiffer = The XPath is not in the same document as the context node +xpath.funcHere.noXPathContext = Try to evaluate an XPath which uses the here() function but XPath is not inside an ds:XPath Element. XPath was : {0}
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/signature/SignedInfo.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/signature/SignedInfo.java Wed Jun 12 14:56:51 2013 +0100 @@ -25,6 +25,7 @@ import java.io.OutputStream; import javax.crypto.SecretKey; import javax.crypto.spec.SecretKeySpec; +import javax.xml.XMLConstants; import javax.xml.parsers.ParserConfigurationException; import com.sun.org.apache.xml.internal.security.algorithms.SignatureAlgorithm; @@ -186,8 +187,10 @@ javax.xml.parsers.DocumentBuilderFactory dbf = javax.xml.parsers.DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); + dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, + Boolean.TRUE); javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder(); - org.w3c.dom.Document newdoc = + Document newdoc = db.parse(new ByteArrayInputStream(this._c14nizedBytes)); Node imported = this._doc.importNode(newdoc.getDocumentElement(), true);
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/signature/XMLSignature.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/signature/XMLSignature.java Wed Jun 12 14:56:51 2013 +0100 @@ -201,14 +201,13 @@ super(doc); - String xmlnsDsPrefix = - getDefaultPrefixBindings(Constants.SignatureSpecNS); + String xmlnsDsPrefix = getDefaultPrefix(Constants.SignatureSpecNS); if (xmlnsDsPrefix == null) { this._constructionElement.setAttributeNS (Constants.NamespaceSpecNS, "xmlns", Constants.SignatureSpecNS); } else { this._constructionElement.setAttributeNS - (Constants.NamespaceSpecNS, xmlnsDsPrefix, Constants.SignatureSpecNS); + (Constants.NamespaceSpecNS, "xmlns:" + xmlnsDsPrefix, Constants.SignatureSpecNS); } XMLUtils.addReturnToElement(this._constructionElement); @@ -242,14 +241,13 @@ super(doc); - String xmlnsDsPrefix = - getDefaultPrefixBindings(Constants.SignatureSpecNS); + String xmlnsDsPrefix = getDefaultPrefix(Constants.SignatureSpecNS); if (xmlnsDsPrefix == null) { this._constructionElement.setAttributeNS (Constants.NamespaceSpecNS, "xmlns", Constants.SignatureSpecNS); } else { this._constructionElement.setAttributeNS - (Constants.NamespaceSpecNS, xmlnsDsPrefix, Constants.SignatureSpecNS); + (Constants.NamespaceSpecNS, "xmlns:" + xmlnsDsPrefix, Constants.SignatureSpecNS); } XMLUtils.addReturnToElement(this._constructionElement);
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/signature/XMLSignatureInput.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/signature/XMLSignatureInput.java Wed Jun 12 14:56:51 2013 +0100 @@ -31,6 +31,7 @@ import java.util.List; import java.util.Set; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; @@ -601,6 +602,8 @@ DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance(); dfactory.setValidating(false); dfactory.setNamespaceAware(true); + dfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, + Boolean.TRUE); DocumentBuilder db = dfactory.newDocumentBuilder(); // select all nodes, also the comments. try {
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/transforms/Transform.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/transforms/Transform.java Wed Jun 12 14:56:51 2013 +0100 @@ -2,29 +2,30 @@ * reserved comment block * DO NOT REMOVE OR ALTER! */ -/* - * Copyright 1999-2004 The Apache Software Foundation. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. */ package com.sun.org.apache.xml.internal.security.transforms; import java.io.IOException; import java.io.OutputStream; -import java.security.AccessController; -import java.security.PrivilegedAction; -import java.util.HashMap; +import java.util.concurrent.ConcurrentHashMap; +import java.util.Map; import javax.xml.parsers.ParserConfigurationException; import com.sun.org.apache.xml.internal.security.c14n.CanonicalizationException; @@ -32,6 +33,18 @@ import com.sun.org.apache.xml.internal.security.exceptions.AlgorithmAlreadyRegisteredException; import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityException; import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput; +import com.sun.org.apache.xml.internal.security.transforms.implementations.TransformBase64Decode; +import com.sun.org.apache.xml.internal.security.transforms.implementations.TransformC14N; +import com.sun.org.apache.xml.internal.security.transforms.implementations.TransformC14N11; +import com.sun.org.apache.xml.internal.security.transforms.implementations.TransformC14N11_WithComments; +import com.sun.org.apache.xml.internal.security.transforms.implementations.TransformC14NExclusive; +import com.sun.org.apache.xml.internal.security.transforms.implementations.TransformC14NExclusiveWithComments; +import com.sun.org.apache.xml.internal.security.transforms.implementations.TransformC14NWithComments; +import com.sun.org.apache.xml.internal.security.transforms.implementations.TransformEnvelopedSignature; +import com.sun.org.apache.xml.internal.security.transforms.implementations.TransformXPath; +import com.sun.org.apache.xml.internal.security.transforms.implementations.TransformXPath2Filter; +import com.sun.org.apache.xml.internal.security.transforms.implementations.TransformXSLT; +import com.sun.org.apache.xml.internal.security.utils.ClassLoaderUtils; import com.sun.org.apache.xml.internal.security.utils.Constants; import com.sun.org.apache.xml.internal.security.utils.HelperNodeList; import com.sun.org.apache.xml.internal.security.utils.SignatureElementProxy; @@ -53,112 +66,31 @@ * @author Christian Geuer-Pollmann * @see Transforms * @see TransformSpi - * */ public final class Transform extends SignatureElementProxy { - /** {@link java.util.logging} logging facility */ - static java.util.logging.Logger log = + /** {@link org.apache.commons.logging} logging facility */ + private static java.util.logging.Logger log = java.util.logging.Logger.getLogger(Transform.class.getName()); - /** Field _alreadyInitialized */ - private static boolean alreadyInitialized = false; - /** All available Transform classes are registered here */ - private static HashMap transformClassHash = null; - - private static HashMap transformSpiHash = new HashMap(); - - private TransformSpi transformSpi = null; - - /** - * Constructs {@link Transform} - * - * @param doc the {@link Document} in which <code>Transform</code> will be - * placed - * @param algorithmURI URI representation of - * <code>Transform algorithm</code> which will be specified as parameter of - * {@link #getInstance(Document, String)}, when generated. </br> - * @param contextNodes the child node list of <code>Transform</code> element - * @throws InvalidTransformException - */ - public Transform(Document doc, String algorithmURI, NodeList contextNodes) - throws InvalidTransformException { - - super(doc); - - this._constructionElement.setAttributeNS - (null, Constants._ATT_ALGORITHM, algorithmURI); - - transformSpi = getTransformSpi(algorithmURI); - if (transformSpi == null) { - Object exArgs[] = { algorithmURI }; - throw new InvalidTransformException( - "signature.Transform.UnknownTransform", exArgs); - } - - if (log.isLoggable(java.util.logging.Level.FINE)) { - log.log(java.util.logging.Level.FINE, "Create URI \"" + algorithmURI + "\" class \"" - + transformSpi.getClass() + "\""); - log.log(java.util.logging.Level.FINE, "The NodeList is " + contextNodes); - } + private static Map<String, Class<? extends TransformSpi>> transformSpiHash = + new ConcurrentHashMap<String, Class<? extends TransformSpi>>(); - // give it to the current document - if (contextNodes != null) { - for (int i = 0; i < contextNodes.getLength(); i++) { - this._constructionElement.appendChild - (contextNodes.item(i).cloneNode(true)); - } - } - } - - /** - * This constructor can only be called from the {@link Transforms} object, - * so it's protected. - * - * @param element <code>ds:Transform</code> element - * @param BaseURI the URI of the resource where the XML instance was stored - * @throws InvalidTransformException - * @throws TransformationException - * @throws XMLSecurityException - */ - public Transform(Element element, String BaseURI) - throws InvalidTransformException, TransformationException, - XMLSecurityException { - - super(element, BaseURI); - - // retrieve Algorithm Attribute from ds:Transform - String algorithmURI = element.getAttributeNS(null, Constants._ATT_ALGORITHM); - - if (algorithmURI == null || algorithmURI.length() == 0) { - Object exArgs[] = { Constants._ATT_ALGORITHM, - Constants._TAG_TRANSFORM }; - throw new TransformationException("xml.WrongContent", exArgs); - } - - transformSpi = getTransformSpi(algorithmURI); - if (transformSpi == null) { - Object exArgs[] = { algorithmURI }; - throw new InvalidTransformException( - "signature.Transform.UnknownTransform", exArgs); - } - } + private final TransformSpi transformSpi; /** * Generates a Transform object that implements the specified * <code>Transform algorithm</code> URI. * + * @param doc the proxy {@link Document} * @param algorithmURI <code>Transform algorithm</code> URI representation, * such as specified in * <a href=http://www.w3.org/TR/xmldsig-core/#sec-TransformAlg>Transform algorithm </a> - * @param doc the proxy {@link Document} - * @return <code>{@link Transform}</code> object * @throws InvalidTransformException */ - public static Transform getInstance( - Document doc, String algorithmURI) throws InvalidTransformException { - return getInstance(doc, algorithmURI, (NodeList) null); + public Transform(Document doc, String algorithmURI) throws InvalidTransformException { + this(doc, algorithmURI, (NodeList)null); } /** @@ -170,82 +102,160 @@ * <a href=http://www.w3.org/TR/xmldsig-core/#sec-TransformAlg>Transform algorithm </a> * @param contextChild the child element of <code>Transform</code> element * @param doc the proxy {@link Document} - * @return <code>{@link Transform}</code> object * @throws InvalidTransformException */ - public static Transform getInstance( - Document doc, String algorithmURI, Element contextChild) + public Transform(Document doc, String algorithmURI, Element contextChild) throws InvalidTransformException { + super(doc); + HelperNodeList contextNodes = null; - HelperNodeList contextNodes = new HelperNodeList(); + if (contextChild != null) { + contextNodes = new HelperNodeList(); + + XMLUtils.addReturnToElement(doc, contextNodes); + contextNodes.appendChild(contextChild); + XMLUtils.addReturnToElement(doc, contextNodes); + } - XMLUtils.addReturnToElement(doc, contextNodes); - contextNodes.appendChild(contextChild); - XMLUtils.addReturnToElement(doc, contextNodes); + transformSpi = initializeTransform(algorithmURI, contextNodes); + } - return getInstance(doc, algorithmURI, contextNodes); + /** + * Constructs {@link Transform} + * + * @param doc the {@link Document} in which <code>Transform</code> will be + * placed + * @param algorithmURI URI representation of <code>Transform algorithm</code> + * @param contextNodes the child node list of <code>Transform</code> element + * @throws InvalidTransformException + */ + public Transform(Document doc, String algorithmURI, NodeList contextNodes) + throws InvalidTransformException { + super(doc); + transformSpi = initializeTransform(algorithmURI, contextNodes); } /** - * Generates a Transform object that implements the specified - * <code>Transform algorithm</code> URI. - * - * @param algorithmURI <code>Transform algorithm</code> URI form, such as - * specified in <a href=http://www.w3.org/TR/xmldsig-core/#sec-TransformAlg> - * Transform algorithm </a> - * @param contextNodes the child node list of <code>Transform</code> element - * @param doc the proxy {@link Document} - * @return <code>{@link Transform}</code> object + * @param element <code>ds:Transform</code> element + * @param BaseURI the URI of the resource where the XML instance was stored * @throws InvalidTransformException + * @throws TransformationException + * @throws XMLSecurityException */ - public static Transform getInstance( - Document doc, String algorithmURI, NodeList contextNodes) - throws InvalidTransformException { - return new Transform(doc, algorithmURI, contextNodes); - } + public Transform(Element element, String BaseURI) + throws InvalidTransformException, TransformationException, XMLSecurityException { + super(element, BaseURI); + + // retrieve Algorithm Attribute from ds:Transform + String algorithmURI = element.getAttributeNS(null, Constants._ATT_ALGORITHM); + + if (algorithmURI == null || algorithmURI.length() == 0) { + Object exArgs[] = { Constants._ATT_ALGORITHM, Constants._TAG_TRANSFORM }; + throw new TransformationException("xml.WrongContent", exArgs); + } - /** - * Initalizes for this {@link Transform}. - */ - public static void init() { - if (!alreadyInitialized) { - transformClassHash = new HashMap(10); - // make sure builtin algorithms are all registered first - com.sun.org.apache.xml.internal.security.Init.init(); - alreadyInitialized = true; + Class<? extends TransformSpi> transformSpiClass = transformSpiHash.get(algorithmURI); + if (transformSpiClass == null) { + Object exArgs[] = { algorithmURI }; + throw new InvalidTransformException("signature.Transform.UnknownTransform", exArgs); + } + try { + transformSpi = transformSpiClass.newInstance(); + } catch (InstantiationException ex) { + Object exArgs[] = { algorithmURI }; + throw new InvalidTransformException( + "signature.Transform.UnknownTransform", exArgs, ex + ); + } catch (IllegalAccessException ex) { + Object exArgs[] = { algorithmURI }; + throw new InvalidTransformException( + "signature.Transform.UnknownTransform", exArgs, ex + ); } } /** * Registers implementing class of the Transform algorithm with algorithmURI * - * @param algorithmURI algorithmURI URI representation of - * <code>Transform algorithm</code> will be specified as parameter of - * {@link #getInstance(Document, String)}, when generate. </br> + * @param algorithmURI algorithmURI URI representation of <code>Transform algorithm</code> + * @param implementingClass <code>implementingClass</code> the implementing + * class of {@link TransformSpi} + * @throws AlgorithmAlreadyRegisteredException if specified algorithmURI + * is already registered + */ + @SuppressWarnings("unchecked") + public static void register(String algorithmURI, String implementingClass) + throws AlgorithmAlreadyRegisteredException, ClassNotFoundException, + InvalidTransformException { + // are we already registered? + Class<? extends TransformSpi> transformSpi = transformSpiHash.get(algorithmURI); + if (transformSpi != null) { + Object exArgs[] = { algorithmURI, transformSpi }; + throw new AlgorithmAlreadyRegisteredException("algorithm.alreadyRegistered", exArgs); + } + Class<? extends TransformSpi> transformSpiClass = + (Class<? extends TransformSpi>) + ClassLoaderUtils.loadClass(implementingClass, Transform.class); + transformSpiHash.put(algorithmURI, transformSpiClass); + } + + /** + * Registers implementing class of the Transform algorithm with algorithmURI + * + * @param algorithmURI algorithmURI URI representation of <code>Transform algorithm</code> * @param implementingClass <code>implementingClass</code> the implementing * class of {@link TransformSpi} * @throws AlgorithmAlreadyRegisteredException if specified algorithmURI * is already registered */ - public static void register(String algorithmURI, String implementingClass) + public static void register(String algorithmURI, Class<? extends TransformSpi> implementingClass) throws AlgorithmAlreadyRegisteredException { - // are we already registered? - Class registeredClass = getImplementingClass(algorithmURI); - if ((registeredClass != null) ) { - Object exArgs[] = { algorithmURI, registeredClass }; - throw new AlgorithmAlreadyRegisteredException( - "algorithm.alreadyRegistered", exArgs); + Class<? extends TransformSpi> transformSpi = transformSpiHash.get(algorithmURI); + if (transformSpi != null) { + Object exArgs[] = { algorithmURI, transformSpi }; + throw new AlgorithmAlreadyRegisteredException("algorithm.alreadyRegistered", exArgs); } - - ClassLoader cl = Thread.currentThread().getContextClassLoader(); + transformSpiHash.put(algorithmURI, implementingClass); + } - try { - transformClassHash.put - (algorithmURI, Class.forName(implementingClass, true, cl)); - } catch (ClassNotFoundException e) { - throw new RuntimeException(e); - } + /** + * This method registers the default algorithms. + */ + public static void registerDefaultAlgorithms() { + transformSpiHash.put( + Transforms.TRANSFORM_BASE64_DECODE, TransformBase64Decode.class + ); + transformSpiHash.put( + Transforms.TRANSFORM_C14N_OMIT_COMMENTS, TransformC14N.class + ); + transformSpiHash.put( + Transforms.TRANSFORM_C14N_WITH_COMMENTS, TransformC14NWithComments.class + ); + transformSpiHash.put( + Transforms.TRANSFORM_C14N11_OMIT_COMMENTS, TransformC14N11.class + ); + transformSpiHash.put( + Transforms.TRANSFORM_C14N11_WITH_COMMENTS, TransformC14N11_WithComments.class + ); + transformSpiHash.put( + Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS, TransformC14NExclusive.class + ); + transformSpiHash.put( + Transforms.TRANSFORM_C14N_EXCL_WITH_COMMENTS, TransformC14NExclusiveWithComments.class + ); + transformSpiHash.put( + Transforms.TRANSFORM_XPATH, TransformXPath.class + ); + transformSpiHash.put( + Transforms.TRANSFORM_ENVELOPED_SIGNATURE, TransformEnvelopedSignature.class + ); + transformSpiHash.put( + Transforms.TRANSFORM_XSLT, TransformXSLT.class + ); + transformSpiHash.put( + Transforms.TRANSFORM_XPATH2FILTER, TransformXPath2Filter.class + ); } /** @@ -254,8 +264,7 @@ * @return the URI representation of Transformation algorithm */ public String getURI() { - return this._constructionElement.getAttributeNS - (null, Constants._ATT_ALGORITHM); + return this._constructionElement.getAttributeNS(null, Constants._ATT_ALGORITHM); } /** @@ -271,30 +280,15 @@ * @throws TransformationException */ public XMLSignatureInput performTransform(XMLSignatureInput input) - throws IOException, CanonicalizationException, - InvalidCanonicalizerException, TransformationException { - - XMLSignatureInput result = null; - - try { - result = transformSpi.enginePerformTransform(input, this); - } catch (ParserConfigurationException ex) { - Object exArgs[] = { this.getURI(), "ParserConfigurationException" }; - throw new CanonicalizationException( - "signature.Transform.ErrorDuringTransform", exArgs, ex); - } catch (SAXException ex) { - Object exArgs[] = { this.getURI(), "SAXException" }; - throw new CanonicalizationException( - "signature.Transform.ErrorDuringTransform", exArgs, ex); - } - - return result; + throws IOException, CanonicalizationException, + InvalidCanonicalizerException, TransformationException { + return performTransform(input, null); } /** * Transforms the input, and generates {@link XMLSignatureInput} as output. * - * @param input input {@link XMLSignatureInput} which can supplied Octet + * @param input input {@link XMLSignatureInput} which can supplied Octect * Stream and NodeSet as Input of Transformation * @param os where to output the result of the last transformation * @return the {@link XMLSignatureInput} class as the result of @@ -304,10 +298,10 @@ * @throws InvalidCanonicalizerException * @throws TransformationException */ - public XMLSignatureInput performTransform(XMLSignatureInput input, - OutputStream os) throws IOException, CanonicalizationException, + public XMLSignatureInput performTransform( + XMLSignatureInput input, OutputStream os + ) throws IOException, CanonicalizationException, InvalidCanonicalizerException, TransformationException { - XMLSignatureInput result = null; try { @@ -325,43 +319,52 @@ return result; } - /** - * Method getImplementingClass - * - * @param URI - * @return The name of the class implementing the URI. - */ - private static Class getImplementingClass(String URI) { - return (Class) transformClassHash.get(URI); - } - - private static TransformSpi getTransformSpi(String URI) - throws InvalidTransformException { - try { - Object value = transformSpiHash.get(URI); - if (value != null) { - return (TransformSpi) value; - } - Class cl = (Class) transformClassHash.get(URI); - if (cl != null) { - TransformSpi tr = (TransformSpi) cl.newInstance(); - transformSpiHash.put(URI, tr); - return tr; - } - } catch (InstantiationException ex) { - Object exArgs[] = { URI }; - throw new InvalidTransformException( - "signature.Transform.UnknownTransform", exArgs, ex); - } catch (IllegalAccessException ex) { - Object exArgs[] = { URI }; - throw new InvalidTransformException( - "signature.Transform.UnknownTransform", exArgs, ex); - } - return null; - } - /** @inheritDoc */ public String getBaseLocalName() { return Constants._TAG_TRANSFORM; } + + /** + * Initialize the transform object. + */ + private TransformSpi initializeTransform(String algorithmURI, NodeList contextNodes) + throws InvalidTransformException { + + this._constructionElement.setAttributeNS(null, Constants._ATT_ALGORITHM, algorithmURI); + + Class<? extends TransformSpi> transformSpiClass = transformSpiHash.get(algorithmURI); + if (transformSpiClass == null) { + Object exArgs[] = { algorithmURI }; + throw new InvalidTransformException("signature.Transform.UnknownTransform", exArgs); + } + TransformSpi newTransformSpi = null; + try { + newTransformSpi = transformSpiClass.newInstance(); + } catch (InstantiationException ex) { + Object exArgs[] = { algorithmURI }; + throw new InvalidTransformException( + "signature.Transform.UnknownTransform", exArgs, ex + ); + } catch (IllegalAccessException ex) { + Object exArgs[] = { algorithmURI }; + throw new InvalidTransformException( + "signature.Transform.UnknownTransform", exArgs, ex + ); + } + + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Create URI \"" + algorithmURI + "\" class \"" + + newTransformSpi.getClass() + "\""); + log.log(java.util.logging.Level.FINE, "The NodeList is " + contextNodes); + } + + // give it to the current document + if (contextNodes != null) { + for (int i = 0; i < contextNodes.getLength(); i++) { + this._constructionElement.appendChild(contextNodes.item(i).cloneNode(true)); + } + } + return newTransformSpi; + } + }
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/transforms/Transforms.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/transforms/Transforms.java Wed Jun 12 14:56:51 2013 +0100 @@ -158,8 +158,7 @@ if (log.isLoggable(java.util.logging.Level.FINE)) log.log(java.util.logging.Level.FINE, "Transforms.addTransform(" + transformURI + ")"); - Transform transform = - Transform.getInstance(this._doc, transformURI); + Transform transform = new Transform(this._doc, transformURI); this.addTransform(transform); } catch (InvalidTransformException ex) { @@ -184,8 +183,7 @@ if (log.isLoggable(java.util.logging.Level.FINE)) log.log(java.util.logging.Level.FINE, "Transforms.addTransform(" + transformURI + ")"); - Transform transform = - Transform.getInstance(this._doc, transformURI, contextElement); + Transform transform = new Transform(this._doc, transformURI, contextElement); this.addTransform(transform); } catch (InvalidTransformException ex) { @@ -207,8 +205,7 @@ throws TransformationException { try { - Transform transform = - Transform.getInstance(this._doc, transformURI, contextNodes); + Transform transform = new Transform(this._doc, transformURI, contextNodes); this.addTransform(transform); } catch (InvalidTransformException ex) { throw new TransformationException("empty", ex);
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/transforms/implementations/TransformBase64Decode.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/transforms/implementations/TransformBase64Decode.java Wed Jun 12 14:56:51 2013 +0100 @@ -26,6 +26,7 @@ import java.io.IOException; import java.io.OutputStream; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; @@ -145,11 +146,13 @@ } try { - //Exceptional case there is current not text case testing this(Before it was a - //a common case). + // Exceptional case there is current not text case testing this + // (before it was a a common case). + DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, + Boolean.TRUE); Document doc = - DocumentBuilderFactory.newInstance().newDocumentBuilder().parse( - input.getOctetStream()); + dbf.newDocumentBuilder().parse(input.getOctetStream()); Element rootNode = doc.getDocumentElement(); StringBuffer sb = new StringBuffer(); @@ -157,13 +160,13 @@ byte[] decodedBytes = Base64.decode(sb.toString()); return new XMLSignatureInput(decodedBytes); - } catch (ParserConfigurationException e) { - throw new TransformationException("c14n.Canonicalizer.Exception",e); - } catch (SAXException e) { - throw new TransformationException("SAX exception", e); - } + } catch (ParserConfigurationException e) { + throw new TransformationException("c14n.Canonicalizer.Exception",e); + } catch (SAXException e) { + throw new TransformationException("SAX exception", e); + } } catch (Base64DecodingException e) { - throw new TransformationException("Base64Decoding", e); + throw new TransformationException("Base64Decoding", e); } }
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/transforms/implementations/TransformXSLT.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/transforms/implementations/TransformXSLT.java Wed Jun 12 14:56:51 2013 +0100 @@ -26,6 +26,7 @@ import java.io.OutputStream; import java.lang.reflect.Method; +import javax.xml.XMLConstants; import javax.xml.transform.Source; import javax.xml.transform.Transformer; import javax.xml.transform.TransformerConfigurationException; @@ -62,14 +63,6 @@ static final String defaultXSLTSpecNSprefix = "xslt"; static final String XSLTSTYLESHEET = "stylesheet"; - // check for secure processing feature - private static Class xClass = null; - static { - try { - xClass = Class.forName("javax.xml.XMLConstants"); - } catch (Exception e) {} - } - static java.util.logging.Logger log = java.util.logging.Logger.getLogger( TransformXSLT.class.getName()); @@ -101,10 +94,6 @@ protected XMLSignatureInput enginePerformTransform(XMLSignatureInput input,OutputStream baos, Transform _transformObject) throws IOException, TransformationException { - if (xClass == null) { - Object exArgs[] = { "SECURE_PROCESSING_FEATURE not supported" }; - throw new TransformationException("generic.EmptyMessage", exArgs); - } try { Element transformElement = _transformObject.getElement(); @@ -119,11 +108,10 @@ } TransformerFactory tFactory = TransformerFactory.newInstance(); - Class c = tFactory.getClass(); - Method m = c.getMethod("setFeature", new Class[] {String.class, boolean.class}); + // Process XSLT stylesheets in a secure manner - m.invoke(tFactory, new Object[] {"http://javax.xml.XMLConstants/feature/secure-processing", Boolean.TRUE}); - + tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, + Boolean.TRUE); /* * This transform requires an octet stream as input. If the actual * input is an XPath node-set, then the signature application should @@ -193,18 +181,6 @@ Object exArgs[] = { ex.getMessage() }; throw new TransformationException("generic.EmptyMessage", exArgs, ex); - } catch (NoSuchMethodException ex) { - Object exArgs[] = { ex.getMessage() }; - - throw new TransformationException("generic.EmptyMessage", exArgs, ex); - } catch (IllegalAccessException ex) { - Object exArgs[] = { ex.getMessage() }; - - throw new TransformationException("generic.EmptyMessage", exArgs, ex); - } catch (java.lang.reflect.InvocationTargetException ex) { - Object exArgs[] = { ex.getMessage() }; - - throw new TransformationException("generic.EmptyMessage", exArgs, ex); } } }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/utils/ClassLoaderUtils.java Wed Jun 12 14:56:51 2013 +0100 @@ -0,0 +1,277 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package com.sun.org.apache.xml.internal.security.utils; + +import java.io.IOException; +import java.io.InputStream; +import java.net.URL; +import java.util.ArrayList; +import java.util.Enumeration; +import java.util.List; + +/** + * This class is extremely useful for loading resources and classes in a fault + * tolerant manner that works across different applications servers. Do not + * touch this unless you're a grizzled classloading guru veteran who is going to + * verify any change on 6 different application servers. + */ +public final class ClassLoaderUtils { + + /** {@link org.apache.commons.logging} logging facility */ + private static final java.util.logging.Logger log = + java.util.logging.Logger.getLogger(ClassLoaderUtils.class.getName()); + + private ClassLoaderUtils() { + } + + /** + * Load a given resource. <p/> This method will try to load the resource + * using the following methods (in order): + * <ul> + * <li>From Thread.currentThread().getContextClassLoader() + * <li>From ClassLoaderUtil.class.getClassLoader() + * <li>callingClass.getClassLoader() + * </ul> + * + * @param resourceName The name of the resource to load + * @param callingClass The Class object of the calling object + */ + public static URL getResource(String resourceName, Class<?> callingClass) { + URL url = Thread.currentThread().getContextClassLoader().getResource(resourceName); + if (url == null && resourceName.startsWith("/")) { + //certain classloaders need it without the leading / + url = + Thread.currentThread().getContextClassLoader().getResource( + resourceName.substring(1) + ); + } + + ClassLoader cluClassloader = ClassLoaderUtils.class.getClassLoader(); + if (cluClassloader == null) { + cluClassloader = ClassLoader.getSystemClassLoader(); + } + if (url == null) { + url = cluClassloader.getResource(resourceName); + } + if (url == null && resourceName.startsWith("/")) { + //certain classloaders need it without the leading / + url = cluClassloader.getResource(resourceName.substring(1)); + } + + if (url == null) { + ClassLoader cl = callingClass.getClassLoader(); + + if (cl != null) { + url = cl.getResource(resourceName); + } + } + + if (url == null) { + url = callingClass.getResource(resourceName); + } + + if ((url == null) && (resourceName != null) && (resourceName.charAt(0) != '/')) { + return getResource('/' + resourceName, callingClass); + } + + return url; + } + + /** + * Load a given resources. <p/> This method will try to load the resources + * using the following methods (in order): + * <ul> + * <li>From Thread.currentThread().getContextClassLoader() + * <li>From ClassLoaderUtil.class.getClassLoader() + * <li>callingClass.getClassLoader() + * </ul> + * + * @param resourceName The name of the resource to load + * @param callingClass The Class object of the calling object + */ + public static List<URL> getResources(String resourceName, Class<?> callingClass) { + List<URL> ret = new ArrayList<URL>(); + Enumeration<URL> urls = new Enumeration<URL>() { + public boolean hasMoreElements() { + return false; + } + public URL nextElement() { + return null; + } + + }; + try { + urls = Thread.currentThread().getContextClassLoader().getResources(resourceName); + } catch (IOException e) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, e.getMessage(), e); + } + //ignore + } + if (!urls.hasMoreElements() && resourceName.startsWith("/")) { + //certain classloaders need it without the leading / + try { + urls = + Thread.currentThread().getContextClassLoader().getResources( + resourceName.substring(1) + ); + } catch (IOException e) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, e.getMessage(), e); + } + // ignore + } + } + + ClassLoader cluClassloader = ClassLoaderUtils.class.getClassLoader(); + if (cluClassloader == null) { + cluClassloader = ClassLoader.getSystemClassLoader(); + } + if (!urls.hasMoreElements()) { + try { + urls = cluClassloader.getResources(resourceName); + } catch (IOException e) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, e.getMessage(), e); + } + // ignore + } + } + if (!urls.hasMoreElements() && resourceName.startsWith("/")) { + //certain classloaders need it without the leading / + try { + urls = cluClassloader.getResources(resourceName.substring(1)); + } catch (IOException e) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, e.getMessage(), e); + } + // ignore + } + } + + if (!urls.hasMoreElements()) { + ClassLoader cl = callingClass.getClassLoader(); + + if (cl != null) { + try { + urls = cl.getResources(resourceName); + } catch (IOException e) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, e.getMessage(), e); + } + // ignore + } + } + } + + if (!urls.hasMoreElements()) { + URL url = callingClass.getResource(resourceName); + if (url != null) { + ret.add(url); + } + } + while (urls.hasMoreElements()) { + ret.add(urls.nextElement()); + } + + + if (ret.isEmpty() && (resourceName != null) && (resourceName.charAt(0) != '/')) { + return getResources('/' + resourceName, callingClass); + } + return ret; + } + + + /** + * This is a convenience method to load a resource as a stream. <p/> The + * algorithm used to find the resource is given in getResource() + * + * @param resourceName The name of the resource to load + * @param callingClass The Class object of the calling object + */ + public static InputStream getResourceAsStream(String resourceName, Class<?> callingClass) { + URL url = getResource(resourceName, callingClass); + + try { + return (url != null) ? url.openStream() : null; + } catch (IOException e) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, e.getMessage(), e); + } + return null; + } + } + + /** + * Load a class with a given name. <p/> It will try to load the class in the + * following order: + * <ul> + * <li>From Thread.currentThread().getContextClassLoader() + * <li>Using the basic Class.forName() + * <li>From ClassLoaderUtil.class.getClassLoader() + * <li>From the callingClass.getClassLoader() + * </ul> + * + * @param className The name of the class to load + * @param callingClass The Class object of the calling object + * @throws ClassNotFoundException If the class cannot be found anywhere. + */ + public static Class<?> loadClass(String className, Class<?> callingClass) + throws ClassNotFoundException { + try { + ClassLoader cl = Thread.currentThread().getContextClassLoader(); + + if (cl != null) { + return cl.loadClass(className); + } + } catch (ClassNotFoundException e) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, e.getMessage(), e); + } + //ignore + } + return loadClass2(className, callingClass); + } + + private static Class<?> loadClass2(String className, Class<?> callingClass) + throws ClassNotFoundException { + try { + return Class.forName(className); + } catch (ClassNotFoundException ex) { + try { + if (ClassLoaderUtils.class.getClassLoader() != null) { + return ClassLoaderUtils.class.getClassLoader().loadClass(className); + } + } catch (ClassNotFoundException exc) { + if (callingClass != null && callingClass.getClassLoader() != null) { + return callingClass.getClassLoader().loadClass(className); + } + } + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, ex.getMessage(), ex); + } + throw ex; + } + } +}
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/utils/ElementProxy.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/utils/ElementProxy.java Wed Jun 12 14:56:51 2013 +0100 @@ -2,28 +2,29 @@ * reserved comment block * DO NOT REMOVE OR ALTER! */ -/* - * Copyright 1999-2008 The Apache Software Foundation. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. */ package com.sun.org.apache.xml.internal.security.utils; - - import java.math.BigInteger; -import java.util.HashMap; +import java.util.concurrent.ConcurrentHashMap; +import java.util.Map; import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException; import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityException; @@ -34,467 +35,432 @@ import org.w3c.dom.NodeList; import org.w3c.dom.Text; - /** * This is the base class to all Objects which have a direct 1:1 mapping to an * Element in a particular namespace. - * - * @author $Author: mullan $ */ public abstract class ElementProxy { - /** {@link java.util.logging} logging facility */ - static java.util.logging.Logger log = + protected static final java.util.logging.Logger log = java.util.logging.Logger.getLogger(ElementProxy.class.getName()); - /** - * Returns the namespace of the Elements of the sub-class. - * - * @return the namespace of the Elements of the sub-class. - */ - public abstract String getBaseNamespace(); + /** Field constructionElement */ + protected Element _constructionElement = null; + + /** Field baseURI */ + protected String _baseURI = null; + + /** Field doc */ + protected Document _doc = null; + + /** Field prefixMappings */ + private static Map<String, String> prefixMappings = new ConcurrentHashMap<String, String>(); - /** - * Returns the localname of the Elements of the sub-class. - * - * @return the localname of the Elements of the sub-class. - */ - public abstract String getBaseLocalName(); + /** + * Constructor ElementProxy + * + */ + public ElementProxy() { + } + + /** + * Constructor ElementProxy + * + * @param doc + */ + public ElementProxy(Document doc) { + if (doc == null) { + throw new RuntimeException("Document is null"); + } + + this._doc = doc; + this._constructionElement = + createElementForFamilyLocal(this._doc, this.getBaseNamespace(), this.getBaseLocalName()); + } - /** Field _constructionElement */ - protected Element _constructionElement = null; + /** + * Constructor ElementProxy + * + * @param element + * @param BaseURI + * @throws XMLSecurityException + */ + public ElementProxy(Element element, String BaseURI) throws XMLSecurityException { + if (element == null) { + throw new XMLSecurityException("ElementProxy.nullElement"); + } - /** Field _baseURI */ - protected String _baseURI = null; + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "setElement(\"" + element.getTagName() + "\", \"" + BaseURI + "\")"); + } - /** Field _doc */ - protected Document _doc = null; + this._doc = element.getOwnerDocument(); + this._constructionElement = element; + this._baseURI = BaseURI; + + this.guaranteeThatElementInCorrectSpace(); + } - /** - * Constructor ElementProxy - * - */ - public ElementProxy() { - } + /** + * Returns the namespace of the Elements of the sub-class. + * + * @return the namespace of the Elements of the sub-class. + */ + public abstract String getBaseNamespace(); + + /** + * Returns the localname of the Elements of the sub-class. + * + * @return the localname of the Elements of the sub-class. + */ + public abstract String getBaseLocalName(); + - /** - * Constructor ElementProxy - * - * @param doc - */ - public ElementProxy(Document doc) { - if (doc == null) { - throw new RuntimeException("Document is null"); - } + protected Element createElementForFamilyLocal( + Document doc, String namespace, String localName + ) { + Element result = null; + if (namespace == null) { + result = doc.createElementNS(null, localName); + } else { + String baseName = this.getBaseNamespace(); + String prefix = ElementProxy.getDefaultPrefix(baseName); + if ((prefix == null) || (prefix.length() == 0)) { + result = doc.createElementNS(namespace, localName); + result.setAttributeNS(Constants.NamespaceSpecNS, "xmlns", namespace); + } else { + result = doc.createElementNS(namespace, prefix + ":" + localName); + result.setAttributeNS(Constants.NamespaceSpecNS, "xmlns:" + prefix, namespace); + } + } + return result; + } + - this._doc = doc; - this._constructionElement = createElementForFamilyLocal(this._doc, - this.getBaseNamespace(), this.getBaseLocalName()); - } - protected Element createElementForFamilyLocal(Document doc, String namespace, - String localName) { - Element result = null; - if (namespace == null) { - result = doc.createElementNS(null, localName); - } else { - String baseName=this.getBaseNamespace(); - String prefix=ElementProxy.getDefaultPrefix(baseName); - if ((prefix == null) || (prefix.length() == 0)) { - result = doc.createElementNS(namespace, localName); + /** + * This method creates an Element in a given namespace with a given localname. + * It uses the {@link ElementProxy#getDefaultPrefix} method to decide whether + * a particular prefix is bound to that namespace. + * <BR /> + * This method was refactored out of the constructor. + * + * @param doc + * @param namespace + * @param localName + * @return The element created. + */ + public static Element createElementForFamily(Document doc, String namespace, String localName) { + Element result = null; + String prefix = ElementProxy.getDefaultPrefix(namespace); - result.setAttributeNS(Constants.NamespaceSpecNS, "xmlns", - namespace); - } else { - String tagName=null; - String defaultPrefixNaming=ElementProxy.getDefaultPrefixBindings(baseName); - StringBuffer sb=new StringBuffer(prefix); - sb.append(':'); - sb.append(localName); - tagName=sb.toString(); - result = doc.createElementNS(namespace, tagName ); + if (namespace == null) { + result = doc.createElementNS(null, localName); + } else { + if ((prefix == null) || (prefix.length() == 0)) { + result = doc.createElementNS(namespace, localName); + result.setAttributeNS(Constants.NamespaceSpecNS, "xmlns", namespace); + } else { + result = doc.createElementNS(namespace, prefix + ":" + localName); + result.setAttributeNS(Constants.NamespaceSpecNS, "xmlns:" + prefix, namespace); + } + } + + return result; + } - result.setAttributeNS(Constants.NamespaceSpecNS, defaultPrefixNaming, - namespace); - } - } - return result; -} + /** + * Method setElement + * + * @param element + * @param BaseURI + * @throws XMLSecurityException + */ + public void setElement(Element element, String BaseURI) throws XMLSecurityException { + if (element == null) { + throw new XMLSecurityException("ElementProxy.nullElement"); + } + + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "setElement(" + element.getTagName() + ", \"" + BaseURI + "\""); + } + + this._doc = element.getOwnerDocument(); + this._constructionElement = element; + this._baseURI = BaseURI; + } - /** - * This method creates an Element in a given namespace with a given localname. - * It uses the {@link ElementProxy#getDefaultPrefix} method to decide whether - * a particular prefix is bound to that namespace. - * <BR /> - * This method was refactored out of the constructor. - * - * @param doc - * @param namespace - * @param localName - * @return The element created. - */ - public static Element createElementForFamily(Document doc, String namespace, - String localName) { - //Element nscontext = XMLUtils.createDSctx(doc, "x", namespace); - Element result = null; - String prefix = ElementProxy.getDefaultPrefix(namespace); + /** + * Returns the Element which was constructed by the Object. + * + * @return the Element which was constructed by the Object. + */ + public final Element getElement() { + return this._constructionElement; + } - if (namespace == null) { - result = doc.createElementNS(null, localName); - } else { - if ((prefix == null) || (prefix.length() == 0)) { - result = doc.createElementNS(namespace, localName); + /** + * Returns the Element plus a leading and a trailing CarriageReturn Text node. + * + * @return the Element which was constructed by the Object. + */ + public final NodeList getElementPlusReturns() { - result.setAttributeNS(Constants.NamespaceSpecNS, "xmlns", - namespace); - } else { - result = doc.createElementNS(namespace, prefix + ":" + localName); + HelperNodeList nl = new HelperNodeList(); - result.setAttributeNS(Constants.NamespaceSpecNS, ElementProxy.getDefaultPrefixBindings(namespace), - namespace); - } - } + nl.appendChild(this._doc.createTextNode("\n")); + nl.appendChild(this.getElement()); + nl.appendChild(this._doc.createTextNode("\n")); - return result; - } + return nl; + } - /** - * Method setElement - * - * @param element - * @param BaseURI - * @throws XMLSecurityException - */ - public void setElement(Element element, String BaseURI) - throws XMLSecurityException { + /** + * Method getDocument + * + * @return the Document where this element is contained. + */ + public Document getDocument() { + return this._doc; + } - if (element == null) { - throw new XMLSecurityException("ElementProxy.nullElement"); - } - - if (log.isLoggable(java.util.logging.Level.FINE)) { - log.log(java.util.logging.Level.FINE, "setElement(" + element.getTagName() + ", \"" + BaseURI + "\""); - } - - this._doc = element.getOwnerDocument(); - this._constructionElement = element; - this._baseURI = BaseURI; - } + /** + * Method getBaseURI + * + * @return the base uri of the namespace of this element + */ + public String getBaseURI() { + return this._baseURI; + } - /** - * Constructor ElementProxy - * - * @param element - * @param BaseURI - * @throws XMLSecurityException - */ - public ElementProxy(Element element, String BaseURI) - throws XMLSecurityException { - if (element == null) { - throw new XMLSecurityException("ElementProxy.nullElement"); - } + /** + * Method guaranteeThatElementInCorrectSpace + * + * @throws XMLSecurityException + */ + void guaranteeThatElementInCorrectSpace() throws XMLSecurityException { + + String expectedLocalName = this.getBaseLocalName(); + String expectedNamespaceUri = this.getBaseNamespace(); - if (log.isLoggable(java.util.logging.Level.FINE)) { - log.log(java.util.logging.Level.FINE, "setElement(\"" + element.getTagName() + "\", \"" + BaseURI - + "\")"); - } + String actualLocalName = this._constructionElement.getLocalName(); + String actualNamespaceUri = this._constructionElement.getNamespaceURI(); - this._doc = element.getOwnerDocument(); - this._constructionElement = element; - this._baseURI = BaseURI; - - this.guaranteeThatElementInCorrectSpace(); - } + if(!expectedNamespaceUri.equals(actualNamespaceUri) + && !expectedLocalName.equals(actualLocalName)) { + Object exArgs[] = { actualNamespaceUri + ":" + actualLocalName, + expectedNamespaceUri + ":" + expectedLocalName}; + throw new XMLSecurityException("xml.WrongElement", exArgs); + } + } - /** - * Returns the Element which was constructed by the Object. - * - * @return the Element which was constructed by the Object. - */ - public final Element getElement() { - return this._constructionElement; - } + /** + * Method addBigIntegerElement + * + * @param bi + * @param localname + */ + public void addBigIntegerElement(BigInteger bi, String localname) { + if (bi != null) { + Element e = XMLUtils.createElementInSignatureSpace(this._doc, localname); - /** - * Returns the Element plus a leading and a trailing CarriageReturn Text node. - * - * @return the Element which was constructed by the Object. - */ - public final NodeList getElementPlusReturns() { - - HelperNodeList nl = new HelperNodeList(); - - nl.appendChild(this._doc.createTextNode("\n")); - nl.appendChild(this.getElement()); - nl.appendChild(this._doc.createTextNode("\n")); + Base64.fillElementWithBigInteger(e, bi); + this._constructionElement.appendChild(e); + XMLUtils.addReturnToElement(this._constructionElement); + } + } - return nl; - } + /** + * Method addBase64Element + * + * @param bytes + * @param localname + */ + public void addBase64Element(byte[] bytes, String localname) { + if (bytes != null) { + Element e = Base64.encodeToElement(this._doc, localname, bytes); - /** - * Method getDocument - * - * @return the Document where this element is contained. - */ - public Document getDocument() { - return this._doc; - } - - /** - * Method getBaseURI - * - * @return the base uri of the namespace of this element - */ - public String getBaseURI() { - return this._baseURI; - } - - static ElementChecker checker = new ElementCheckerImpl.InternedNsChecker(); + this._constructionElement.appendChild(e); + if (!XMLUtils.ignoreLineBreaks()) { + this._constructionElement.appendChild(this._doc.createTextNode("\n")); + } + } + } - /** - * Method guaranteeThatElementInCorrectSpace - * - * @throws XMLSecurityException - */ - void guaranteeThatElementInCorrectSpace() - throws XMLSecurityException { - - checker.guaranteeThatElementInCorrectSpace(this,this._constructionElement); - - } + /** + * Method addTextElement + * + * @param text + * @param localname + */ + public void addTextElement(String text, String localname) { + Element e = XMLUtils.createElementInSignatureSpace(this._doc, localname); + Text t = this._doc.createTextNode(text); - /** - * Method setVal - * - * @param bi - * @param localname - */ - public void addBigIntegerElement(BigInteger bi, String localname) { - - if (bi != null) { - Element e = XMLUtils.createElementInSignatureSpace(this._doc, - localname); + e.appendChild(t); + this._constructionElement.appendChild(e); + XMLUtils.addReturnToElement(this._constructionElement); + } - Base64.fillElementWithBigInteger(e, bi); - this._constructionElement.appendChild(e); - XMLUtils.addReturnToElement(this._constructionElement); - } - } - - /** - * Method addBase64Element - * - * @param bytes - * @param localname - */ - public void addBase64Element(byte[] bytes, String localname) { - - if (bytes != null) { + /** + * Method addBase64Text + * + * @param bytes + */ + public void addBase64Text(byte[] bytes) { + if (bytes != null) { + Text t = XMLUtils.ignoreLineBreaks() + ? this._doc.createTextNode(Base64.encode(bytes)) + : this._doc.createTextNode("\n" + Base64.encode(bytes) + "\n"); + this._constructionElement.appendChild(t); + } + } - Element e = Base64.encodeToElement(this._doc, localname, bytes); - - this._constructionElement.appendChild(e); - if (!XMLUtils.ignoreLineBreaks()) { - this._constructionElement.appendChild(this._doc.createTextNode("\n")); - } - } - } - - /** - * Method addTextElement - * - * @param text - * @param localname - */ - public void addTextElement(String text, String localname) { + /** + * Method addText + * + * @param text + */ + public void addText(String text) { + if (text != null) { + Text t = this._doc.createTextNode(text); - Element e = XMLUtils.createElementInSignatureSpace(this._doc, localname); - Text t = this._doc.createTextNode(text); - - e.appendChild(t); - this._constructionElement.appendChild(e); - XMLUtils.addReturnToElement(this._constructionElement); - } - - /** - * Method addBase64Text - * - * @param bytes - */ - public void addBase64Text(byte[] bytes) { + this._constructionElement.appendChild(t); + } + } - if (bytes != null) { - Text t = XMLUtils.ignoreLineBreaks() - ? this._doc.createTextNode(Base64.encode(bytes)) - : this._doc.createTextNode("\n" + Base64.encode(bytes) + "\n"); - this._constructionElement.appendChild(t); - } - } - - /** - * Method addText - * - * @param text - */ - public void addText(String text) { - - if (text != null) { - Text t = this._doc.createTextNode(text); - - this._constructionElement.appendChild(t); - } - } + /** + * Method getVal + * + * @param localname + * @param namespace + * @return The biginteger contained in the given element + * @throws Base64DecodingException + */ + public BigInteger getBigIntegerFromChildElement( + String localname, String namespace + ) throws Base64DecodingException { + return Base64.decodeBigIntegerFromText( + XMLUtils.selectNodeText( + this._constructionElement.getFirstChild(), namespace, localname, 0 + ) + ); + } - /** - * Method getVal - * - * @param localname - * @param namespace - * @return The biginter contained in the given element - * @throws Base64DecodingException - */ - public BigInteger getBigIntegerFromChildElement( - String localname, String namespace) throws Base64DecodingException { + /** + * Method getBytesFromChildElement + * @deprecated + * @param localname + * @param namespace + * @return the bytes + * @throws XMLSecurityException + */ + @Deprecated + public byte[] getBytesFromChildElement(String localname, String namespace) + throws XMLSecurityException { + Element e = + XMLUtils.selectNode( + this._constructionElement.getFirstChild(), namespace, localname, 0 + ); - return Base64.decodeBigIntegerFromText( - XMLUtils.selectNodeText(this._constructionElement.getFirstChild(), - namespace,localname,0)); - - } - - /** - * Method getBytesFromChildElement - * @deprecated - * @param localname - * @param namespace - * @return the bytes - * @throws XMLSecurityException - */ - public byte[] getBytesFromChildElement(String localname, String namespace) - throws XMLSecurityException { + return Base64.decode(e); + } - Element e = - XMLUtils.selectNode( - this._constructionElement.getFirstChild(), - namespace, - localname, - 0); - - return Base64.decode(e); - } + /** + * Method getTextFromChildElement + * + * @param localname + * @param namespace + * @return the Text of the textNode + */ + public String getTextFromChildElement(String localname, String namespace) { + return XMLUtils.selectNode( + this._constructionElement.getFirstChild(), + namespace, + localname, + 0).getTextContent(); + } - /** - * Method getTextFromChildElement - * - * @param localname - * @param namespace - * @return the Text of the textNode - */ - public String getTextFromChildElement(String localname, String namespace) { - - Text t = - (Text) XMLUtils.selectNode( - this._constructionElement.getFirstChild(), - namespace, - localname, - 0).getFirstChild(); - - return t.getData(); - } + /** + * Method getBytesFromTextChild + * + * @return The base64 bytes from the text children of this element + * @throws XMLSecurityException + */ + public byte[] getBytesFromTextChild() throws XMLSecurityException { + return Base64.decode(XMLUtils.getFullTextChildrenFromElement(this._constructionElement)); + } - /** - * Method getBytesFromTextChild - * - * @return The base64 bytes from the text children of this element - * @throws XMLSecurityException - */ - public byte[] getBytesFromTextChild() throws XMLSecurityException { - return Base64.decode - (XMLUtils.getFullTextChildrenFromElement(this._constructionElement)); - } - - /** - * Method getTextFromTextChild - * - * @return the Text obtained by concatenating all the text nodes of this - * element - */ - public String getTextFromTextChild() { - return XMLUtils.getFullTextChildrenFromElement(this._constructionElement); - } + /** + * Method getTextFromTextChild + * + * @return the Text obtained by concatenating all the text nodes of this + * element + */ + public String getTextFromTextChild() { + return XMLUtils.getFullTextChildrenFromElement(this._constructionElement); + } - /** - * Method length - * - * @param namespace - * @param localname - * @return the number of elements {namespace}:localname under this element - */ - public int length(String namespace, String localname) { - int number=0; - Node sibling=this._constructionElement.getFirstChild(); - while (sibling!=null) { - if (localname.equals(sibling.getLocalName()) - && - namespace==sibling.getNamespaceURI() ) { - number++; - } - sibling=sibling.getNextSibling(); + /** + * Method length + * + * @param namespace + * @param localname + * @return the number of elements {namespace}:localname under this element + */ + public int length(String namespace, String localname) { + int number = 0; + Node sibling = this._constructionElement.getFirstChild(); + while (sibling != null) { + if (localname.equals(sibling.getLocalName()) + && namespace.equals(sibling.getNamespaceURI())) { + number++; } - return number; - } + sibling = sibling.getNextSibling(); + } + return number; + } - /** - * Adds an xmlns: definition to the Element. This can be called as follows: - * - * <PRE> - * // set namespace with ds prefix - * xpathContainer.setXPathNamespaceContext("ds", "http://www.w3.org/2000/09/xmldsig#"); - * xpathContainer.setXPathNamespaceContext("xmlns:ds", "http://www.w3.org/2000/09/xmldsig#"); - * </PRE> - * - * @param prefix - * @param uri - * @throws XMLSecurityException - */ - public void setXPathNamespaceContext(String prefix, String uri) - throws XMLSecurityException { - - String ns; + /** + * Adds an xmlns: definition to the Element. This can be called as follows: + * + * <PRE> + * // set namespace with ds prefix + * xpathContainer.setXPathNamespaceContext("ds", "http://www.w3.org/2000/09/xmldsig#"); + * xpathContainer.setXPathNamespaceContext("xmlns:ds", "http://www.w3.org/2000/09/xmldsig#"); + * </PRE> + * + * @param prefix + * @param uri + * @throws XMLSecurityException + */ + public void setXPathNamespaceContext(String prefix, String uri) + throws XMLSecurityException { + String ns; - if ((prefix == null) || (prefix.length() == 0)) { - throw new XMLSecurityException("defaultNamespaceCannotBeSetHere"); - } else if (prefix.equals("xmlns")) { - throw new XMLSecurityException("defaultNamespaceCannotBeSetHere"); - } else if (prefix.startsWith("xmlns:")) { - ns = prefix;//"xmlns:" + prefix.substring("xmlns:".length()); - } else { - ns = "xmlns:" + prefix; - } + if ((prefix == null) || (prefix.length() == 0)) { + throw new XMLSecurityException("defaultNamespaceCannotBeSetHere"); + } else if (prefix.equals("xmlns")) { + throw new XMLSecurityException("defaultNamespaceCannotBeSetHere"); + } else if (prefix.startsWith("xmlns:")) { + ns = prefix;//"xmlns:" + prefix.substring("xmlns:".length()); + } else { + ns = "xmlns:" + prefix; + } - - - Attr a = this._constructionElement.getAttributeNodeNS(Constants.NamespaceSpecNS, ns); + Attr a = this._constructionElement.getAttributeNodeNS(Constants.NamespaceSpecNS, ns); - if (a != null) { - if (!a.getNodeValue().equals(uri)) { - Object exArgs[] = { ns, - this._constructionElement.getAttributeNS(null, - ns) }; + if (a != null) { + if (!a.getNodeValue().equals(uri)) { + Object exArgs[] = { ns, this._constructionElement.getAttributeNS(null, ns) }; - throw new XMLSecurityException("namespacePrefixAlreadyUsedByOtherURI", - exArgs); - } - return; - } + throw new XMLSecurityException("namespacePrefixAlreadyUsedByOtherURI", exArgs); + } + return; + } - this._constructionElement.setAttributeNS(Constants.NamespaceSpecNS, ns, - uri); - } - - /** Field _prefixMappings */ - static HashMap _prefixMappings = new HashMap(); - static HashMap _prefixMappingsBindings = new HashMap(); + this._constructionElement.setAttributeNS(Constants.NamespaceSpecNS, ns, uri); + } /** * Method setDefaultPrefix @@ -505,26 +471,39 @@ */ public static void setDefaultPrefix(String namespace, String prefix) throws XMLSecurityException { - - if (ElementProxy._prefixMappings.containsValue(prefix)) { - - Object storedNamespace=ElementProxy._prefixMappings.get(namespace); - if (!storedNamespace.equals(prefix)) { - Object exArgs[] = { prefix, namespace, storedNamespace }; + if (prefixMappings.containsValue(prefix)) { + String storedPrefix = prefixMappings.get(namespace); + if (!storedPrefix.equals(prefix)) { + Object exArgs[] = { prefix, namespace, storedPrefix }; throw new XMLSecurityException("prefix.AlreadyAssigned", exArgs); } } + if (Constants.SignatureSpecNS.equals(namespace)) { - XMLUtils.dsPrefix=prefix; + XMLUtils.setDsPrefix(prefix); + } + if (EncryptionConstants.EncryptionSpecNS.equals(namespace)) { + XMLUtils.setXencPrefix(prefix); } - ElementProxy._prefixMappings.put(namespace, prefix.intern()); - if (prefix.length() == 0) { - ElementProxy._prefixMappingsBindings.put(namespace, "xmlns"); - } else { - ElementProxy._prefixMappingsBindings.put(namespace, ("xmlns:"+prefix).intern()); - } - } + prefixMappings.put(namespace, prefix); + } + + /** + * This method registers the default prefixes. + */ + public static void registerDefaultPrefixes() throws XMLSecurityException { + setDefaultPrefix("http://www.w3.org/2000/09/xmldsig#", "ds"); + setDefaultPrefix("http://www.w3.org/2001/04/xmlenc#", "xenc"); + setDefaultPrefix("http://www.w3.org/2009/xmlenc11#", "xenc11"); + setDefaultPrefix("http://www.xmlsecurity.org/experimental#", "experimental"); + setDefaultPrefix("http://www.w3.org/2002/04/xmldsig-filter2", "dsig-xpath-old"); + setDefaultPrefix("http://www.w3.org/2002/06/xmldsig-filter2", "dsig-xpath"); + setDefaultPrefix("http://www.w3.org/2001/10/xml-exc-c14n#", "ec"); + setDefaultPrefix( + "http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/#xpathFilter", "xx" + ); + } /** * Method getDefaultPrefix @@ -533,10 +512,7 @@ * @return the default prefix bind to this element. */ public static String getDefaultPrefix(String namespace) { - return (String) ElementProxy._prefixMappings.get(namespace); + return prefixMappings.get(namespace); } - public static String getDefaultPrefixBindings(String namespace) { - return (String) ElementProxy._prefixMappingsBindings.get(namespace); - } }
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/utils/I18n.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/utils/I18n.java Wed Jun 12 14:56:51 2013 +0100 @@ -2,21 +2,23 @@ * reserved comment block * DO NOT REMOVE OR ALTER! */ -/* - * Copyright 1999-2004 The Apache Software Foundation. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. */ package com.sun.org.apache.xml.internal.security.utils; @@ -31,202 +33,136 @@ */ public class I18n { - /** Field NOT_INITIALIZED_MSG */ - public static final String NOT_INITIALIZED_MSG = - "You must initialize the xml-security library correctly before you use it. " - + "Call the static method \"com.sun.org.apache.xml.internal.security.Init.init();\" to do that " - + "before you use any functionality from that library."; + /** Field NOT_INITIALIZED_MSG */ + public static final String NOT_INITIALIZED_MSG = + "You must initialize the xml-security library correctly before you use it. " + + "Call the static method \"com.sun.org.apache.xml.internal.security.Init.init();\" to do that " + + "before you use any functionality from that library."; - /** Field defaultLanguageCode */ - private static String defaultLanguageCode; // will be set in static{} block - - /** Field defaultCountryCode */ - private static String defaultCountryCode; // will be set in static{} block - - /** Field resourceBundle */ - private static ResourceBundle resourceBundle = - ResourceBundle.getBundle - (Constants.exceptionMessagesResourceBundleBase, Locale.US); + /** Field resourceBundle */ + private static ResourceBundle resourceBundle; - /** Field alreadyInitialized */ - private static boolean alreadyInitialized = false; - - /** Field _languageCode */ - private static String _languageCode = null; - - /** Field _countryCode */ - private static String _countryCode = null; + /** Field alreadyInitialized */ + private static boolean alreadyInitialized = false; - /** - * Constructor I18n - * - */ - private I18n() { - - // we don't allow instantiation - } + /** + * Constructor I18n + * + */ + private I18n() { + // we don't allow instantiation + } - /** - * Method translate - * - * translates a message ID into an internationalized String, see alse - * <CODE>XMLSecurityException.getExceptionMEssage()</CODE>. The strings are - * stored in the <CODE>ResourceBundle</CODE>, which is identified in - * <CODE>exceptionMessagesResourceBundleBase</CODE> - * - * @param message - * @param args is an <CODE>Object[]</CODE> array of strings which are inserted into the String which is retrieved from the <CODE>ResouceBundle</CODE> - * @return message translated - */ - public static String translate(String message, Object[] args) { - return getExceptionMessage(message, args); - } - - /** - * Method translate - * - * translates a message ID into an internationalized String, see alse - * <CODE>XMLSecurityException.getExceptionMEssage()</CODE> - * - * @param message - * @return message translated - */ - public static String translate(String message) { - return getExceptionMessage(message); - } + /** + * Method translate + * + * translates a message ID into an internationalized String, see alse + * <CODE>XMLSecurityException.getExceptionMEssage()</CODE>. The strings are + * stored in the <CODE>ResourceBundle</CODE>, which is identified in + * <CODE>exceptionMessagesResourceBundleBase</CODE> + * + * @param message + * @param args is an <CODE>Object[]</CODE> array of strings which are inserted into + * the String which is retrieved from the <CODE>ResouceBundle</CODE> + * @return message translated + */ + public static String translate(String message, Object[] args) { + return getExceptionMessage(message, args); + } - /** - * Method getExceptionMessage - * - * @param msgID - * @return message translated - * - */ - public static String getExceptionMessage(String msgID) { - - try { - String s = resourceBundle.getString(msgID); - - return s; - } catch (Throwable t) { - if (com.sun.org.apache.xml.internal.security.Init.isInitialized()) { - return "No message with ID \"" + msgID - + "\" found in resource bundle \"" - + Constants.exceptionMessagesResourceBundleBase + "\""; - } - return I18n.NOT_INITIALIZED_MSG; - } - } - - /** - * Method getExceptionMessage - * - * @param msgID - * @param originalException - * @return message translated - */ - public static String getExceptionMessage(String msgID, - Exception originalException) { + /** + * Method translate + * + * translates a message ID into an internationalized String, see also + * <CODE>XMLSecurityException.getExceptionMessage()</CODE> + * + * @param message + * @return message translated + */ + public static String translate(String message) { + return getExceptionMessage(message); + } - try { - Object exArgs[] = { originalException.getMessage() }; - String s = MessageFormat.format(resourceBundle.getString(msgID), - exArgs); - - return s; - } catch (Throwable t) { - if (com.sun.org.apache.xml.internal.security.Init.isInitialized()) { - return "No message with ID \"" + msgID - + "\" found in resource bundle \"" - + Constants.exceptionMessagesResourceBundleBase - + "\". Original Exception was a " - + originalException.getClass().getName() + " and message " - + originalException.getMessage(); - } - return I18n.NOT_INITIALIZED_MSG; - } - } - - /** - * Method getExceptionMessage - * - * @param msgID - * @param exArgs - * @return message translated - */ - public static String getExceptionMessage(String msgID, Object exArgs[]) { - - try { - String s = MessageFormat.format(resourceBundle.getString(msgID), - exArgs); - - return s; - } catch (Throwable t) { - if (com.sun.org.apache.xml.internal.security.Init.isInitialized()) { - return "No message with ID \"" + msgID - + "\" found in resource bundle \"" - + Constants.exceptionMessagesResourceBundleBase + "\""; - } - return I18n.NOT_INITIALIZED_MSG; - } - } + /** + * Method getExceptionMessage + * + * @param msgID + * @return message translated + * + */ + public static String getExceptionMessage(String msgID) { + try { + return resourceBundle.getString(msgID); + } catch (Throwable t) { + if (com.sun.org.apache.xml.internal.security.Init.isInitialized()) { + return "No message with ID \"" + msgID + + "\" found in resource bundle \"" + + Constants.exceptionMessagesResourceBundleBase + "\""; + } + return I18n.NOT_INITIALIZED_MSG; + } + } -// -// Commented out because it modifies shared static -// state which could be maliciously called by untrusted code -// -// /** -// * Method init -// * -// * @param _defaultLanguageCode -// * @param _defaultCountryCode -// */ -// public static void init(String _defaultLanguageCode, -// String _defaultCountryCode) { -// -// I18n.defaultLanguageCode = _defaultLanguageCode; -// -// if (I18n.defaultLanguageCode == null) { -// I18n.defaultLanguageCode = Locale.getDefault().getLanguage(); -// } -// -// I18n.defaultCountryCode = _defaultCountryCode; -// -// if (I18n.defaultCountryCode == null) { -// I18n.defaultCountryCode = Locale.getDefault().getCountry(); -// } -// -// initLocale(I18n.defaultLanguageCode, I18n.defaultCountryCode); -// } + /** + * Method getExceptionMessage + * + * @param msgID + * @param originalException + * @return message translated + */ + public static String getExceptionMessage(String msgID, Exception originalException) { + try { + Object exArgs[] = { originalException.getMessage() }; + return MessageFormat.format(resourceBundle.getString(msgID), exArgs); + } catch (Throwable t) { + if (com.sun.org.apache.xml.internal.security.Init.isInitialized()) { + return "No message with ID \"" + msgID + + "\" found in resource bundle \"" + + Constants.exceptionMessagesResourceBundleBase + + "\". Original Exception was a " + + originalException.getClass().getName() + " and message " + + originalException.getMessage(); + } + return I18n.NOT_INITIALIZED_MSG; + } + } -// -// Commented out because it modifies shared static -// state which could be maliciously called by untrusted code -// -// /** -// * Method initLocale -// * -// * @param languageCode -// * @param countryCode -// */ -// public static void initLocale(String languageCode, String countryCode) { -// -// if (alreadyInitialized && languageCode.equals(_languageCode) -// && countryCode.equals(_countryCode)) { -// return; -// } -// -// if ((languageCode != null) && (countryCode != null) -// && (languageCode.length() > 0) && (countryCode.length() > 0)) { -// _languageCode = languageCode; -// _countryCode = countryCode; -// } else { -// _countryCode = I18n.defaultCountryCode; -// _languageCode = I18n.defaultLanguageCode; -// } -// -// I18n.resourceBundle = -// ResourceBundle.getBundle(Constants.exceptionMessagesResourceBundleBase, -// new Locale(_languageCode, _countryCode)); -// } + /** + * Method getExceptionMessage + * + * @param msgID + * @param exArgs + * @return message translated + */ + public static String getExceptionMessage(String msgID, Object exArgs[]) { + try { + return MessageFormat.format(resourceBundle.getString(msgID), exArgs); + } catch (Throwable t) { + if (com.sun.org.apache.xml.internal.security.Init.isInitialized()) { + return "No message with ID \"" + msgID + + "\" found in resource bundle \"" + + Constants.exceptionMessagesResourceBundleBase + "\""; + } + return I18n.NOT_INITIALIZED_MSG; + } + } + + /** + * Method init + * + * @param languageCode + * @param countryCode + */ + public synchronized static void init(String languageCode, String countryCode) { + if (alreadyInitialized) { + return; + } + + I18n.resourceBundle = + ResourceBundle.getBundle( + Constants.exceptionMessagesResourceBundleBase, + new Locale(languageCode, countryCode) + ); + alreadyInitialized = true; + } }
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/utils/XMLUtils.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/utils/XMLUtils.java Wed Jun 12 14:56:51 2013 +0100 @@ -21,14 +21,15 @@ package com.sun.org.apache.xml.internal.security.utils; - import java.io.IOException; import java.io.OutputStream; import java.security.AccessController; import java.security.PrivilegedAction; +import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; +import java.util.List; import java.util.Map; import java.util.Set; @@ -60,6 +61,12 @@ } }); + private static volatile String dsPrefix = "ds"; + private static volatile String xencPrefix = "xenc"; + + private static final java.util.logging.Logger log = + java.util.logging.Logger.getLogger(XMLUtils.class.getName()); + /** * Constructor XMLUtils * @@ -68,6 +75,23 @@ // we don't allow instantiation } + + /** + * Set the prefix for the digital signature namespace + * @param prefix the new prefix for the digital signature namespace + */ + public static void setDsPrefix(String prefix) { + dsPrefix = prefix; + } + + /** + * Set the prefix for the encryption namespace + * @param prefix the new prefix for the encryption namespace + */ + public static void setXencPrefix(String prefix) { + xencPrefix = prefix; + } + public static Element getNextElement(Node el) { while ((el!=null) && (el.getNodeType()!=Node.ELEMENT_NODE)) { el=el.getNextSibling(); @@ -82,13 +106,15 @@ * @param exclude * @param com wheather comments or not */ - public static void getSet(Node rootNode,Set result,Node exclude ,boolean com) { + public static void getSet(Node rootNode,Set<Node> result,Node exclude ,boolean com) { if ((exclude!=null) && isDescendantOrSelf(exclude,rootNode)){ return; } getSetRec(rootNode,result,exclude,com); } - static final void getSetRec(final Node rootNode,final Set result, + + @SuppressWarnings("fallthrough") + static final void getSetRec(final Node rootNode,final Set<Node> result, final Node exclude ,final boolean com) { //Set result = new HashSet(); if (rootNode==exclude) { @@ -104,7 +130,7 @@ result.add(nl.item(i)); } } - //no return keep working + //no return keep working - ignore fallthrough warning case Node.DOCUMENT_NODE: for (Node r=rootNode.getFirstChild();r!=null;r=r.getNextSibling()){ if (r.getNodeType()==Node.TEXT_NODE) { @@ -228,9 +254,8 @@ return sb.toString(); } + static Map<String, String> namePrefixes=new HashMap<String, String>(); - static String dsPrefix=null; - static Map namePrefixes=new HashMap(); /** * Creates an Element in the XML Signature specification namespace. * @@ -248,7 +273,7 @@ if ((dsPrefix == null) || (dsPrefix.length() == 0)) { return doc.createElementNS(Constants.SignatureSpecNS, elementName); } - String namePrefix=(String) namePrefixes.get(elementName); + String namePrefix= namePrefixes.get(elementName); if (namePrefix==null) { StringBuffer tag=new StringBuffer(dsPrefix); tag.append(':'); @@ -259,31 +284,38 @@ return doc.createElementNS(Constants.SignatureSpecNS, namePrefix); } - /** - * Returns true if the element is in XML Signature namespace and the local - * name equals the supplied one. - * - * @param element - * @param localName - * @return true if the element is in XML Signature namespace and the local name equals the supplied one - */ - public static boolean elementIsInSignatureSpace(Element element, - String localName) { - return ElementProxy.checker.isNamespaceElement(element, localName, Constants.SignatureSpecNS); - } + /** + * Returns true if the element is in XML Signature namespace and the local + * name equals the supplied one. + * + * @param element + * @param localName + * @return true if the element is in XML Signature namespace and the local name equals the supplied one + */ + public static boolean elementIsInSignatureSpace(Element element, String localName) { + if (element == null) { + return false; + } - /** - * Returns true if the element is in XML Encryption namespace and the local - * name equals the supplied one. - * - * @param element - * @param localName - * @return true if the element is in XML Encryption namespace and the local name equals the supplied one - */ - public static boolean elementIsInEncryptionSpace(Element element, - String localName) { - return ElementProxy.checker.isNamespaceElement(element, localName, EncryptionConstants.EncryptionSpecNS); - } + return Constants.SignatureSpecNS.equals(element.getNamespaceURI()) + && element.getLocalName().equals(localName); + } + + /** + * Returns true if the element is in XML Encryption namespace and the local + * name equals the supplied one. + * + * @param element + * @param localName + * @return true if the element is in XML Encryption namespace and the local name equals the supplied one + */ + public static boolean elementIsInEncryptionSpace(Element element, String localName) { + if (element == null) { + return false; + } + return EncryptionConstants.EncryptionSpecNS.equals(element.getNamespaceURI()) + && element.getLocalName().equals(localName); + } /** * This method returns the owner document of a particular node. @@ -318,11 +350,9 @@ * @param xpathNodeSet * @return the owner document */ - public static Document getOwnerDocument(Set xpathNodeSet) { + public static Document getOwnerDocument(Set<Node> xpathNodeSet) { NullPointerException npe = null; - Iterator iterator = xpathNodeSet.iterator(); - while(iterator.hasNext()) { - Node node = (Node) iterator.next(); + for (Node node : xpathNodeSet) { int nodeType =node.getNodeType(); if (nodeType == Node.DOCUMENT_NODE) { return (Document) node; @@ -397,14 +427,14 @@ * @param xpathNodeSet * @return the set with the nodelist */ - public static Set convertNodelistToSet(NodeList xpathNodeSet) { + public static Set<Node> convertNodelistToSet(NodeList xpathNodeSet) { if (xpathNodeSet == null) { - return new HashSet(); + return new HashSet<Node>(); } int length = xpathNodeSet.getLength(); - Set set = new HashSet(length); + Set<Node> set = new HashSet<Node>(length); for (int i = 0; i < length; i++) { set.add(xpathNodeSet.item(i)); @@ -446,6 +476,7 @@ * @param node * @see <A HREF="http://nagoya.apache.org/bugzilla/show_bug.cgi?id=2650">Namespace axis resolution is not XPath compliant </A> */ + @SuppressWarnings("fallthrough") private static void circumventBug2650internal(Node node) { Node parent=null; Node sibling=null; @@ -503,45 +534,45 @@ } while (true); } - /** - * @param sibling - * @param nodeName - * @param number - * @return nodes with the constrain - */ - public static Element selectDsNode(Node sibling, String nodeName, int number) { - while (sibling!=null) { - if (ElementProxy.checker.isNamespaceElement(sibling, nodeName, Constants.SignatureSpecNS )) { - if (number==0){ - return (Element)sibling; - } - number--; + /** + * @param sibling + * @param nodeName + * @param number + * @return nodes with the constrain + */ + public static Element selectDsNode(Node sibling, String nodeName, int number) { + while (sibling != null) { + if (Constants.SignatureSpecNS.equals(sibling.getNamespaceURI()) + && sibling.getLocalName().equals(nodeName)) { + if (number == 0){ + return (Element)sibling; } - sibling=sibling.getNextSibling(); + number--; + } + sibling = sibling.getNextSibling(); } return null; - } - - /** - * @param sibling - * @param nodeName - * @param number - * @return nodes with the constrain - */ + } - public static Element selectXencNode(Node sibling, String nodeName, int number) { - while (sibling!=null) { - if (ElementProxy.checker.isNamespaceElement(sibling, nodeName, EncryptionConstants.EncryptionSpecNS )) { - if (number==0){ - return (Element)sibling; - } - number--; + /** + * @param sibling + * @param nodeName + * @param number + * @return nodes with the constrain + */ + public static Element selectXencNode(Node sibling, String nodeName, int number) { + while (sibling != null) { + if (EncryptionConstants.EncryptionSpecNS.equals(sibling.getNamespaceURI()) + && sibling.getLocalName().equals(nodeName)) { + if (number == 0){ + return (Element)sibling; } - sibling=sibling.getNextSibling(); + number--; + } + sibling = sibling.getNextSibling(); } return null; - } - + } /** * @param sibling @@ -580,74 +611,65 @@ return (Text)n; } - /** - * @param sibling - * @param uri - * @param nodeName - * @param number - * @return nodes with the constrain - */ - public static Element selectNode(Node sibling, String uri,String nodeName, int number) { - while (sibling!=null) { - if (ElementProxy.checker.isNamespaceElement(sibling, nodeName, uri)) { - if (number==0){ - return (Element)sibling; - } - number--; + /** + * @param sibling + * @param uri + * @param nodeName + * @param number + * @return nodes with the constrain + */ + public static Element selectNode(Node sibling, String uri, String nodeName, int number) { + while (sibling != null) { + if (sibling.getNamespaceURI() != null && sibling.getNamespaceURI().equals(uri) + && sibling.getLocalName().equals(nodeName)) { + if (number == 0){ + return (Element)sibling; } - sibling=sibling.getNextSibling(); + number--; + } + sibling = sibling.getNextSibling(); } return null; - } + } + + /** + * @param sibling + * @param nodeName + * @return nodes with the constrain + */ + public static Element[] selectDsNodes(Node sibling, String nodeName) { + return selectNodes(sibling,Constants.SignatureSpecNS, nodeName); + } - /** - * @param sibling - * @param nodeName - * @return nodes with the constrain - */ - public static Element[] selectDsNodes(Node sibling,String nodeName) { - return selectNodes(sibling,Constants.SignatureSpecNS,nodeName); - } - /** - * @param sibling - * @param uri - * @param nodeName - * @return nodes with the constrain - */ - public static Element[] selectNodes(Node sibling,String uri,String nodeName) { - int size=20; - Element[] a= new Element[size]; - int curr=0; - //List list=new ArrayList(); - while (sibling!=null) { - if (ElementProxy.checker.isNamespaceElement(sibling, nodeName, uri)) { - a[curr++]=(Element)sibling; - if (size<=curr) { - int cursize= size<<2; - Element []cp=new Element[cursize]; - System.arraycopy(a,0,cp,0,size); - a=cp; - size=cursize; - } - } - sibling=sibling.getNextSibling(); + /** + * @param sibling + * @param uri + * @param nodeName + * @return nodes with the constrain + */ + public static Element[] selectNodes(Node sibling, String uri, String nodeName) { + List<Element> list = new ArrayList<Element>(); + while (sibling != null) { + if (sibling.getNamespaceURI() != null && sibling.getNamespaceURI().equals(uri) + && sibling.getLocalName().equals(nodeName)) { + list.add((Element)sibling); + } + sibling = sibling.getNextSibling(); } - Element []af=new Element[curr]; - System.arraycopy(a,0,af,0,curr); - return af; - } + return list.toArray(new Element[list.size()]); + } /** * @param signatureElement * @param inputSet * @return nodes with the constrain */ - public static Set excludeNodeFromSet(Node signatureElement, Set inputSet) { - Set resultSet = new HashSet(); - Iterator iterator = inputSet.iterator(); + public static Set<Node> excludeNodeFromSet(Node signatureElement, Set<Node> inputSet) { + Set<Node> resultSet = new HashSet<Node>(); + Iterator<Node> iterator = inputSet.iterator(); while (iterator.hasNext()) { - Node inputNode = (Node) iterator.next(); + Node inputNode = iterator.next(); if (!XMLUtils .isDescendantOrSelf(signatureElement, inputNode)) { @@ -693,4 +715,127 @@ public static boolean ignoreLineBreaks() { return ignoreLineBreaks; } + + /** + * This method is a tree-search to help prevent against wrapping attacks. + * It checks that no two Elements have ID Attributes that match the "value" + * argument, if this is the case then "false" is returned. Note that a + * return value of "true" does not necessarily mean that a matching Element + * has been found, just that no wrapping attack has been detected. + */ + public static boolean protectAgainstWrappingAttack(Node startNode, + String value) + { + Node startParent = startNode.getParentNode(); + Node processedNode = null; + Element foundElement = null; + + String id = value.trim(); + if (id.charAt(0) == '#') { + id = id.substring(1); + } + + while (startNode != null) { + if (startNode.getNodeType() == Node.ELEMENT_NODE) { + Element se = (Element) startNode; + + NamedNodeMap attributes = se.getAttributes(); + if (attributes != null) { + for (int i = 0; i < attributes.getLength(); i++) { + Attr attr = (Attr)attributes.item(i); + if (attr.isId() && id.equals(attr.getValue())) { + if (foundElement == null) { + // Continue searching to find duplicates + foundElement = attr.getOwnerElement(); + } else { + log.log(java.util.logging.Level.FINE, "Multiple elements with the same 'Id' attribute value!"); + return false; + } + } + } + } + } + + processedNode = startNode; + startNode = startNode.getFirstChild(); + + // no child, this node is done. + if (startNode == null) { + // close node processing, get sibling + startNode = processedNode.getNextSibling(); + } + + // no more siblings, get parent, all children + // of parent are processed. + while (startNode == null) { + processedNode = processedNode.getParentNode(); + if (processedNode == startParent) { + return true; + } + // close parent node processing (processed node now) + startNode = processedNode.getNextSibling(); + } + } + return true; + } + + /** + * This method is a tree-search to help prevent against wrapping attacks. + * It checks that no other Element than the given "knownElement" argument + * has an ID attribute that matches the "value" argument, which is the ID + * value of "knownElement". If this is the case then "false" is returned. + */ + public static boolean protectAgainstWrappingAttack(Node startNode, + Element knownElement, + String value) + { + Node startParent = startNode.getParentNode(); + Node processedNode = null; + + String id = value.trim(); + if (id.charAt(0) == '#') { + id = id.substring(1); + } + + while (startNode != null) { + if (startNode.getNodeType() == Node.ELEMENT_NODE) { + Element se = (Element) startNode; + + NamedNodeMap attributes = se.getAttributes(); + if (attributes != null) { + for (int i = 0; i < attributes.getLength(); i++) { + Attr attr = (Attr)attributes.item(i); + if (attr.isId() && id.equals(attr.getValue()) + && se != knownElement) + { + log.log(java.util.logging.Level.FINE, "Multiple elements with the same 'Id' attribute value!"); + return false; + } + } + } + } + + processedNode = startNode; + startNode = startNode.getFirstChild(); + + // no child, this node is done. + if (startNode == null) { + // close node processing, get sibling + startNode = processedNode.getNextSibling(); + } + + // no more siblings, get parent, all children + // of parent are processed. + while (startNode == null) { + processedNode = processedNode.getParentNode(); + if (processedNode == startParent) { + return true; + } + // close parent node processing (processed node now) + startNode = processedNode.getNextSibling(); + } + } + return true; + } + }
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/ResourceResolver.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/ResourceResolver.java Wed Jun 12 14:56:51 2013 +0100 @@ -2,21 +2,23 @@ * reserved comment block * DO NOT REMOVE OR ALTER! */ -/* - * Copyright 1999-2004 The Apache Software Foundation. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. */ package com.sun.org.apache.xml.internal.security.utils.resolver; @@ -25,300 +27,318 @@ import java.util.Map; import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput; +import com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverDirectHTTP; +import com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment; +import com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverLocalFilesystem; +import com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverXPointer; import org.w3c.dom.Attr; /** * During reference validation, we have to retrieve resources from somewhere. * This is done by retrieving a Resolver. The resolver needs two arguments: The - * URI in which the link to the new resource is defined and the BaseURI of the - * file/entity in which the URI occurs (the BaseURI is the same as the SystemId. - * - * <UL xml:lang="DE" LANG="DE"> - * <LI> Verschiedene Implementierungen k??nnen sich als Resolver registrieren. - * <LI> Standardm????ig werden erste Implementierungen auf dem XML config file registrirt. - * <LI> Der Benutzer kann bei Bedarf Implementierungen voranstellen oder anf??gen. - * <LI> Implementierungen k??nnen mittels Features customized werden ?? - * (z.B. um Proxy-Passworter ??bergeben zu k??nnen). - * <LI> Jede Implementierung bekommt das URI Attribut und den Base URI - * ??bergeben und muss antworten, ob sie aufl??sen kann. - * <LI> Die erste Implementierung, die die Aufgabe erf??llt, f??hrt die Aufl??sung durch. - * </UL> - * - * @author $Author: mullan $ + * URI in which the link to the new resource is defined and the baseURI of the + * file/entity in which the URI occurs (the baseURI is the same as the SystemId). */ public class ResourceResolver { - /** {@link java.util.logging} logging facility */ - static java.util.logging.Logger log = + /** {@link org.apache.commons.logging} logging facility */ + private static java.util.logging.Logger log = java.util.logging.Logger.getLogger(ResourceResolver.class.getName()); - /** Field _alreadyInitialized */ - static boolean _alreadyInitialized = false; + /** these are the system-wide resolvers */ + private static List<ResourceResolver> resolverList = new ArrayList<ResourceResolver>(); - /** these are the system-wide resolvers */ - static List _resolverVector = null; - - static boolean allThreadSafeInList=true; - - /** Field transformSpi */ - protected ResourceResolverSpi _resolverSpi = null; + /** Field resolverSpi */ + private final ResourceResolverSpi resolverSpi; - /** - * Constructor ResourceResolver - * - * @param className - * @throws ClassNotFoundException - * @throws IllegalAccessException - * @throws InstantiationException - */ - private ResourceResolver(String className) - throws ClassNotFoundException, IllegalAccessException, - InstantiationException { - this._resolverSpi = - (ResourceResolverSpi) Class.forName(className).newInstance(); - } + /** + * Constructor ResourceResolver + * + * @param resourceResolver + */ + public ResourceResolver(ResourceResolverSpi resourceResolver) { + this.resolverSpi = resourceResolver; + } + + /** + * Method getInstance + * + * @param uri + * @param baseURI + * @return the instance + * + * @throws ResourceResolverException + */ + public static final ResourceResolver getInstance(Attr uri, String baseURI) + throws ResourceResolverException { + return getInstance(uri, baseURI, false); + } - /** - * Constructor ResourceResolver - * - * @param resourceResolver - */ - public ResourceResolver(ResourceResolverSpi resourceResolver) { - this._resolverSpi = resourceResolver; - } - + /** + * Method getInstance + * + * @param uri + * @param baseURI + * @param secureValidation + * @return the instance + * + * @throws ResourceResolverException + */ + public static final ResourceResolver getInstance( + Attr uri, String baseURI, boolean secureValidation + ) throws ResourceResolverException { + synchronized (resolverList) { + for (ResourceResolver resolver : resolverList) { + ResourceResolver resolverTmp = resolver; + if (!resolver.resolverSpi.engineIsThreadSafe()) { + try { + resolverTmp = + new ResourceResolver(resolver.resolverSpi.getClass().newInstance()); + } catch (InstantiationException e) { + throw new ResourceResolverException("", e, uri, baseURI); + } catch (IllegalAccessException e) { + throw new ResourceResolverException("", e, uri, baseURI); + } + } - /** - * Method getInstance - * - * @param uri - * @param BaseURI - * @return the instnace - * - * @throws ResourceResolverException - */ - public static final ResourceResolver getInstance(Attr uri, String BaseURI) - throws ResourceResolverException { - int length=ResourceResolver._resolverVector.size(); - for (int i = 0; i < length; i++) { - ResourceResolver resolver = - (ResourceResolver) ResourceResolver._resolverVector.get(i); - ResourceResolver resolverTmp=null; - try { - resolverTmp = allThreadSafeInList || resolver._resolverSpi.engineIsThreadSafe() ? resolver : - new ResourceResolver((ResourceResolverSpi)resolver._resolverSpi.getClass().newInstance()); - } catch (InstantiationException e) { - throw new ResourceResolverException("",e,uri,BaseURI); - } catch (IllegalAccessException e) { - throw new ResourceResolverException("",e,uri,BaseURI); - } - - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "check resolvability by class " + resolver._resolverSpi.getClass().getName()); + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, + "check resolvability by class " + resolverTmp.getClass().getName() + ); + } - if ((resolver != null) && resolverTmp.canResolve(uri, BaseURI)) { - if (i!=0) { - //update resolver. - //System.out.println("Swaping"); - List resolverVector=(List)((ArrayList)_resolverVector).clone(); - resolverVector.remove(i); - resolverVector.add(0,resolver); - _resolverVector=resolverVector; - } else { - //System.out.println("hitting"); - } + resolverTmp.resolverSpi.secureValidation = secureValidation; + if ((resolverTmp != null) && resolverTmp.canResolve(uri, baseURI)) { + // Check to see whether the Resolver is allowed + if (secureValidation + && (resolverTmp.resolverSpi instanceof ResolverLocalFilesystem + || resolverTmp.resolverSpi instanceof ResolverDirectHTTP)) { + Object exArgs[] = { resolverTmp.resolverSpi.getClass().getName() }; + throw new ResourceResolverException( + "signature.Reference.ForbiddenResolver", exArgs, uri, baseURI + ); + } + return resolverTmp; + } + } + } + + Object exArgs[] = { ((uri != null) ? uri.getNodeValue() : "null"), baseURI }; - return resolverTmp; - } - } + throw new ResourceResolverException("utils.resolver.noClass", exArgs, uri, baseURI); + } - Object exArgs[] = { ((uri != null) - ? uri.getNodeValue() - : "null"), BaseURI }; + /** + * Method getInstance + * + * @param uri + * @param baseURI + * @param individualResolvers + * @return the instance + * + * @throws ResourceResolverException + */ + public static ResourceResolver getInstance( + Attr uri, String baseURI, List<ResourceResolver> individualResolvers + ) throws ResourceResolverException { + return getInstance(uri, baseURI, individualResolvers, false); + } - throw new ResourceResolverException("utils.resolver.noClass", exArgs, - uri, BaseURI); - } - /** - * Method getInstance - * - * @param uri - * @param BaseURI - * @param individualResolvers - * @return the instance - * - * @throws ResourceResolverException - */ - public static final ResourceResolver getInstance( - Attr uri, String BaseURI, List individualResolvers) - throws ResourceResolverException { - if (log.isLoggable(java.util.logging.Level.FINE)) { - - log.log(java.util.logging.Level.FINE, "I was asked to create a ResourceResolver and got " + (individualResolvers==null? 0 : individualResolvers.size()) ); - log.log(java.util.logging.Level.FINE, " extra resolvers to my existing " + ResourceResolver._resolverVector.size() + " system-wide resolvers"); - } + /** + * Method getInstance + * + * @param uri + * @param baseURI + * @param individualResolvers + * @param secureValidation + * @return the instance + * + * @throws ResourceResolverException + */ + public static ResourceResolver getInstance( + Attr uri, String baseURI, List<ResourceResolver> individualResolvers, boolean secureValidation + ) throws ResourceResolverException { + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, + "I was asked to create a ResourceResolver and got " + + (individualResolvers == null ? 0 : individualResolvers.size()) + ); + } - // first check the individual Resolvers - int size=0; - if ((individualResolvers != null) && ((size=individualResolvers.size()) > 0)) { - for (int i = 0; i < size; i++) { - ResourceResolver resolver = - (ResourceResolver) individualResolvers.get(i); + // first check the individual Resolvers + if (individualResolvers != null) { + for (int i = 0; i < individualResolvers.size(); i++) { + ResourceResolver resolver = individualResolvers.get(i); - if (resolver != null) { - String currentClass = resolver._resolverSpi.getClass().getName(); - if (log.isLoggable(java.util.logging.Level.FINE)) - log.log(java.util.logging.Level.FINE, "check resolvability by class " + currentClass); + if (resolver != null) { + if (log.isLoggable(java.util.logging.Level.FINE)) { + String currentClass = resolver.resolverSpi.getClass().getName(); + log.log(java.util.logging.Level.FINE, "check resolvability by class " + currentClass); + } - if (resolver.canResolve(uri, BaseURI)) { - return resolver; - } + resolver.resolverSpi.secureValidation = secureValidation; + if (resolver.canResolve(uri, baseURI)) { + return resolver; + } + } } - } - } - - return getInstance(uri,BaseURI); - } + } - /** - * The init() function is called by com.sun.org.apache.xml.internal.security.Init.init() - */ - public static void init() { - - if (!ResourceResolver._alreadyInitialized) { - ResourceResolver._resolverVector = new ArrayList(10); - _alreadyInitialized = true; - } - } + return getInstance(uri, baseURI, secureValidation); + } /** * Registers a ResourceResolverSpi class. This method logs a warning if * the class cannot be registered. * - * @param className the name of the ResourceResolverSpi class to be - * registered + * @param className the name of the ResourceResolverSpi class to be registered */ + @SuppressWarnings("unchecked") public static void register(String className) { - register(className, false); + try { + Class<ResourceResolverSpi> resourceResolverClass = + (Class<ResourceResolverSpi>) Class.forName(className); + register(resourceResolverClass, false); + } catch (ClassNotFoundException e) { + log.log(java.util.logging.Level.WARNING, "Error loading resolver " + className + " disabling it"); + } } /** * Registers a ResourceResolverSpi class at the beginning of the provider * list. This method logs a warning if the class cannot be registered. * - * @param className the name of the ResourceResolverSpi class to be - * registered + * @param className the name of the ResourceResolverSpi class to be registered */ + @SuppressWarnings("unchecked") public static void registerAtStart(String className) { - register(className, true); + try { + Class<ResourceResolverSpi> resourceResolverClass = + (Class<ResourceResolverSpi>) Class.forName(className); + register(resourceResolverClass, true); + } catch (ClassNotFoundException e) { + log.log(java.util.logging.Level.WARNING, "Error loading resolver " + className + " disabling it"); + } } - private static void register(String className, boolean start) { + /** + * Registers a ResourceResolverSpi class. This method logs a warning if the class + * cannot be registered. + * @param className + * @param start + */ + public static void register(Class<? extends ResourceResolverSpi> className, boolean start) { try { - ResourceResolver resolver = new ResourceResolver(className); + ResourceResolverSpi resourceResolverSpi = className.newInstance(); + register(resourceResolverSpi, start); + } catch (IllegalAccessException e) { + log.log(java.util.logging.Level.WARNING, "Error loading resolver " + className + " disabling it"); + } catch (InstantiationException e) { + log.log(java.util.logging.Level.WARNING, "Error loading resolver " + className + " disabling it"); + } + } + + /** + * Registers a ResourceResolverSpi instance. This method logs a warning if the class + * cannot be registered. + * @param resourceResolverSpi + * @param start + */ + public static void register(ResourceResolverSpi resourceResolverSpi, boolean start) { + synchronized(resolverList) { if (start) { - ResourceResolver._resolverVector.add(0, resolver); - log.log(java.util.logging.Level.FINE, "registered resolver"); + resolverList.add(0, new ResourceResolver(resourceResolverSpi)); } else { - ResourceResolver._resolverVector.add(resolver); + resolverList.add(new ResourceResolver(resourceResolverSpi)); } - if (!resolver._resolverSpi.engineIsThreadSafe()) { - allThreadSafeInList=false; + } + if (log.isLoggable(java.util.logging.Level.FINE)) { + log.log(java.util.logging.Level.FINE, "Registered resolver: " + resourceResolverSpi.toString()); } - } catch (Exception e) { - log.log(java.util.logging.Level.WARNING, "Error loading resolver " + className +" disabling it"); - } catch (NoClassDefFoundError e) { - log.log(java.util.logging.Level.WARNING, "Error loading resolver " + className +" disabling it"); + } + + /** + * This method registers the default resolvers. + */ + public static void registerDefaultResolvers() { + synchronized(resolverList) { + resolverList.add(new ResourceResolver(new ResolverFragment())); + resolverList.add(new ResourceResolver(new ResolverLocalFilesystem())); + resolverList.add(new ResourceResolver(new ResolverXPointer())); + resolverList.add(new ResourceResolver(new ResolverDirectHTTP())); } } - /** - * Method resolve - * - * @param uri - * @param BaseURI - * @return the resource - * - * @throws ResourceResolverException - */ - public static XMLSignatureInput resolveStatic(Attr uri, String BaseURI) - throws ResourceResolverException { - - ResourceResolver myResolver = ResourceResolver.getInstance(uri, BaseURI); - - return myResolver.resolve(uri, BaseURI); - } + /** + * Method resolve + * + * @param uri + * @param baseURI + * @return the resource + * + * @throws ResourceResolverException + */ + public XMLSignatureInput resolve(Attr uri, String baseURI) + throws ResourceResolverException { + return resolverSpi.engineResolve(uri, baseURI); + } - /** - * Method resolve - * - * @param uri - * @param BaseURI - * @return the resource - * - * @throws ResourceResolverException - */ - public XMLSignatureInput resolve(Attr uri, String BaseURI) - throws ResourceResolverException { - return this._resolverSpi.engineResolve(uri, BaseURI); - } + /** + * Method setProperty + * + * @param key + * @param value + */ + public void setProperty(String key, String value) { + resolverSpi.engineSetProperty(key, value); + } - /** - * Method setProperty - * - * @param key - * @param value - */ - public void setProperty(String key, String value) { - this._resolverSpi.engineSetProperty(key, value); - } + /** + * Method getProperty + * + * @param key + * @return the value of the property + */ + public String getProperty(String key) { + return resolverSpi.engineGetProperty(key); + } - /** - * Method getProperty - * - * @param key - * @return the value of the property - */ - public String getProperty(String key) { - return this._resolverSpi.engineGetProperty(key); - } + /** + * Method addProperties + * + * @param properties + */ + public void addProperties(Map<String, String> properties) { + resolverSpi.engineAddProperies(properties); + } - /** - * Method addProperties - * - * @param properties - */ - public void addProperties(Map properties) { - this._resolverSpi.engineAddProperies(properties); - } + /** + * Method getPropertyKeys + * + * @return all property keys. + */ + public String[] getPropertyKeys() { + return resolverSpi.engineGetPropertyKeys(); + } - /** - * Method getPropertyKeys - * - * @return all property keys. - */ - public String[] getPropertyKeys() { - return this._resolverSpi.engineGetPropertyKeys(); - } + /** + * Method understandsProperty + * + * @param propertyToTest + * @return true if the resolver understands the property + */ + public boolean understandsProperty(String propertyToTest) { + return resolverSpi.understandsProperty(propertyToTest); + } - /** - * Method understandsProperty - * - * @param propertyToTest - * @return true if the resolver understands the property - */ - public boolean understandsProperty(String propertyToTest) { - return this._resolverSpi.understandsProperty(propertyToTest); - } - - /** - * Method canResolve - * - * @param uri - * @param BaseURI - * @return true if it can resolve the uri - */ - private boolean canResolve(Attr uri, String BaseURI) { - return this._resolverSpi.engineCanResolve(uri, BaseURI); - } + /** + * Method canResolve + * + * @param uri + * @param baseURI + * @return true if it can resolve the uri + */ + private boolean canResolve(Attr uri, String baseURI) { + return resolverSpi.engineCanResolve(uri, baseURI); + } }
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/ResourceResolverSpi.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/ResourceResolverSpi.java Wed Jun 12 14:56:51 2013 +0100 @@ -41,7 +41,9 @@ ResourceResolverSpi.class.getName()); /** Field _properties */ - protected java.util.Map _properties = null; + protected java.util.Map<String,String> _properties = null; + + protected boolean secureValidation; /** * This is the workhorse method used to resolve resources. @@ -63,7 +65,7 @@ */ public void engineSetProperty(String key, String value) { if (_properties==null) { - _properties=new HashMap(); + _properties=new HashMap<String,String>(); } this._properties.put(key, value); } @@ -78,17 +80,17 @@ if (_properties==null) { return null; } - return (String) this._properties.get(key); + return this._properties.get(key); } /** * * @param properties */ - public void engineAddProperies(Map properties) { + public void engineAddProperies(Map<String,String> properties) { if (properties!=null) { if (_properties==null) { - _properties=new HashMap(); + _properties=new HashMap<String,String>(); } this._properties.putAll(properties); }
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/implementations/ResolverFragment.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/implementations/ResolverFragment.java Wed Jun 12 14:56:51 2013 +0100 @@ -23,11 +23,12 @@ import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput; -import com.sun.org.apache.xml.internal.security.utils.IdResolver; +import com.sun.org.apache.xml.internal.security.utils.XMLUtils; import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException; import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverSpi; import org.w3c.dom.Attr; import org.w3c.dom.Document; +import org.w3c.dom.Element; import org.w3c.dom.Node; @@ -51,63 +52,68 @@ /** * Method engineResolve * - * Wird das gleiche Dokument referenziert? - * Wird ein anderes Dokument referenziert? * @inheritDoc * @param uri - * @param BaseURI - * + * @param baseURI */ - public XMLSignatureInput engineResolve(Attr uri, String BaseURI) + public XMLSignatureInput engineResolve(Attr uri, String baseURI) throws ResourceResolverException { - - String uriNodeValue = uri.getNodeValue(); - Document doc = uri.getOwnerElement().getOwnerDocument(); + String uriNodeValue = uri.getNodeValue(); + Document doc = uri.getOwnerElement().getOwnerDocument(); + Node selectedElem = null; + if (uriNodeValue.equals("")) { - Node selectedElem = null; - if (uriNodeValue.equals("")) { + /* + * Identifies the node-set (minus any comment nodes) of the XML + * resource containing the signature + */ - /* - * Identifies the node-set (minus any comment nodes) of the XML - * resource containing the signature - */ + log.log(java.util.logging.Level.FINE, "ResolverFragment with empty URI (means complete document)"); + selectedElem = doc; + } else { - log.log(java.util.logging.Level.FINE, "ResolverFragment with empty URI (means complete document)"); - selectedElem = doc; - } else { + /* + * URI="#chapter1" + * Identifies a node-set containing the element with ID attribute + * value 'chapter1' of the XML resource containing the signature. + * XML Signature (and its applications) modify this node-set to + * include the element plus all descendents including namespaces and + * attributes -- but not comments. + */ + String id = uriNodeValue.substring(1); - /* - * URI="#chapter1" - * Identifies a node-set containing the element with ID attribute - * value 'chapter1' of the XML resource containing the signature. - * XML Signature (and its applications) modify this node-set to - * include the element plus all descendents including namespaces and - * attributes -- but not comments. - */ - String id = uriNodeValue.substring(1); - - // Element selectedElem = doc.getElementById(id); - selectedElem = IdResolver.getElementById(doc, id); - if (selectedElem==null) { + selectedElem = doc.getElementById(id); + if (selectedElem == null) { Object exArgs[] = { id }; - throw new ResourceResolverException( - "signature.Verification.MissingID", exArgs, uri, BaseURI); - } - if (log.isLoggable(java.util.logging.Level.FINE)) + throw new ResourceResolverException( + "signature.Verification.MissingID", exArgs, uri, baseURI); + } + if (secureValidation) { + Element start = uri.getOwnerDocument().getDocumentElement(); + if (!XMLUtils.protectAgainstWrappingAttack(start, id)) { + Object exArgs[] = { id }; + throw new ResourceResolverException( + "signature.Verification.MultipleIDs", exArgs, + uri, baseURI); + } + } + if (log.isLoggable(java.util.logging.Level.FINE)) log.log(java.util.logging.Level.FINE, "Try to catch an Element with ID " + id + " and Element was " + selectedElem); - } + } - XMLSignatureInput result = new XMLSignatureInput(selectedElem); - result.setExcludeComments(true); + XMLSignatureInput result = new XMLSignatureInput(selectedElem); + result.setExcludeComments(true); - //log.log(java.util.logging.Level.FINE, "We return a nodeset with " + resultSet.size() + " nodes"); - result.setMIMEType("text/xml"); - result.setSourceURI((BaseURI != null) ? BaseURI.concat(uri.getNodeValue()) : - uri.getNodeValue()); - return result; - } + result.setMIMEType("text/xml"); + if (baseURI != null && baseURI.length() > 0) { + result.setSourceURI(baseURI.concat(uri.getNodeValue())); + } else { + result.setSourceURI(uri.getNodeValue()); + } + return result; + } /** * Method engineCanResolve
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/implementations/ResolverXPointer.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/implementations/ResolverXPointer.java Wed Jun 12 14:56:51 2013 +0100 @@ -23,11 +23,12 @@ import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput; -import com.sun.org.apache.xml.internal.security.utils.IdResolver; +import com.sun.org.apache.xml.internal.security.utils.XMLUtils; import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException; import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverSpi; import org.w3c.dom.Attr; import org.w3c.dom.Document; +import org.w3c.dom.Element; import org.w3c.dom.Node; @@ -54,52 +55,55 @@ ResolverXPointer.class.getName()); public boolean engineIsThreadSafe() { - return true; - } - /** - * @inheritDoc - */ - public XMLSignatureInput engineResolve(Attr uri, String BaseURI) + return true; + } + + /** + * @inheritDoc + */ + public XMLSignatureInput engineResolve(Attr uri, String baseURI) throws ResourceResolverException { - Node resultNode = null; - Document doc = uri.getOwnerElement().getOwnerDocument(); + Node resultNode = null; + Document doc = uri.getOwnerElement().getOwnerDocument(); - String uriStr=uri.getNodeValue(); - if (isXPointerSlash(uriStr)) { + String uriStr = uri.getNodeValue(); + if (isXPointerSlash(uriStr)) { resultNode = doc; - } else if (isXPointerId(uriStr)) { + } else if (isXPointerId(uriStr)) { String id = getXPointerId(uriStr); - resultNode =IdResolver.getElementById(doc, id); + resultNode = doc.getElementById(id); - // log.log(java.util.logging.Level.FINE, "Use #xpointer(id('" + id + "')) on element " + selectedElem); + if (secureValidation) { + Element start = uri.getOwnerDocument().getDocumentElement(); + if (!XMLUtils.protectAgainstWrappingAttack(start, id)) { + Object exArgs[] = { id }; + throw new ResourceResolverException( + "signature.Verification.MultipleIDs", exArgs, + uri, baseURI); + } + } if (resultNode == null) { Object exArgs[] = { id }; throw new ResourceResolverException( - "signature.Verification.MissingID", exArgs, uri, BaseURI); + "signature.Verification.MissingID", exArgs, uri, baseURI); } - /* - resultNodes = - cXPathAPI - .selectNodeList(selectedElem, Canonicalizer - .XPATH_C14N_WITH_COMMENTS_SINGLE_NODE);*/ - } + } + XMLSignatureInput result = new XMLSignatureInput(resultNode); - XMLSignatureInput result = new XMLSignatureInput(resultNode); + result.setMIMEType("text/xml"); + if (baseURI != null && baseURI.length() > 0) { + result.setSourceURI(baseURI.concat(uri.getNodeValue())); + } else { + result.setSourceURI(uri.getNodeValue()); + } - result.setMIMEType("text/xml"); - if (BaseURI != null && BaseURI.length() > 0) { - result.setSourceURI(BaseURI.concat(uri.getNodeValue())); - } else { - result.setSourceURI(uri.getNodeValue()); - } - - return result; - } + return result; + } /** * @inheritDoc
--- a/src/share/classes/javax/xml/crypto/dsig/dom/DOMValidateContext.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/javax/xml/crypto/dsig/dom/DOMValidateContext.java Wed Jun 12 14:56:51 2013 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2013 Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -74,11 +74,7 @@ if (ks == null) { throw new NullPointerException("key selector is null"); } - if (node == null) { - throw new NullPointerException("node is null"); - } - setKeySelector(ks); - this.node = node; + init(node, ks); } /** @@ -97,11 +93,20 @@ if (validatingKey == null) { throw new NullPointerException("validatingKey is null"); } + init(node, KeySelector.singletonKeySelector(validatingKey)); + } + + private void init(Node node, KeySelector ks) { if (node == null) { throw new NullPointerException("node is null"); } - setKeySelector(KeySelector.singletonKeySelector(validatingKey)); + this.node = node; + super.setKeySelector(ks); + if (System.getSecurityManager() != null) { + super.setProperty("org.jcp.xml.dsig.secureValidation", + Boolean.TRUE); + } } /**
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/ApacheCanonicalizer.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/ApacheCanonicalizer.java Wed Jun 12 14:56:51 2013 +0100 @@ -193,7 +193,7 @@ if (apacheTransform == null) { try { - apacheTransform = Transform.getInstance + apacheTransform = new Transform (ownerDoc, getAlgorithm(), transformElem.getChildNodes()); apacheTransform.setElement(transformElem, xc.getBaseURI()); if (log.isLoggable(Level.FINE)) {
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/ApacheTransform.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/ApacheTransform.java Wed Jun 12 14:56:51 2013 +0100 @@ -38,6 +38,7 @@ import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput; import com.sun.org.apache.xml.internal.security.transforms.Transform; +import com.sun.org.apache.xml.internal.security.transforms.Transforms; import javax.xml.crypto.*; import javax.xml.crypto.dom.DOMCryptoContext; @@ -117,7 +118,7 @@ if (apacheTransform == null) { try { - apacheTransform = Transform.getInstance + apacheTransform = new Transform (ownerDoc, getAlgorithm(), transformElem.getChildNodes()); apacheTransform.setElement(transformElem, xc.getBaseURI()); if (log.isLoggable(Level.FINE)) { @@ -130,6 +131,15 @@ } } + if (Utils.secureValidation(xc)) { + String algorithm = getAlgorithm(); + if (Transforms.TRANSFORM_XSLT.equals(algorithm)) { + throw new TransformException( + "Transform " + algorithm + + " is forbidden when secure validation is enabled"); + } + } + XMLSignatureInput in; if (data instanceof ApacheData) { if (log.isLoggable(Level.FINE)) {
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMKeyInfo.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMKeyInfo.java Wed Jun 12 14:56:51 2013 +0100 @@ -34,6 +34,7 @@ import java.security.Provider; import java.util.*; +import org.w3c.dom.Attr; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; @@ -87,7 +88,13 @@ public DOMKeyInfo(Element kiElem, XMLCryptoContext context, Provider provider) throws MarshalException { // get Id attribute, if specified - id = DOMUtils.getAttributeValue(kiElem, "Id"); + Attr attr = kiElem.getAttributeNodeNS(null, "Id"); + if (attr != null) { + id = attr.getValue(); + kiElem.setIdAttributeNode(attr, true); + } else { + id = null; + } // get all children nodes NodeList nl = kiElem.getChildNodes();
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMManifest.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMManifest.java Wed Jun 12 14:56:51 2013 +0100 @@ -32,6 +32,7 @@ import java.security.Provider; import java.util.*; +import org.w3c.dom.Attr; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; @@ -85,12 +86,30 @@ */ public DOMManifest(Element manElem, XMLCryptoContext context, Provider provider) throws MarshalException { - this.id = DOMUtils.getAttributeValue(manElem, "Id"); + Attr attr = manElem.getAttributeNodeNS(null, "Id"); + if (attr != null) { + this.id = attr.getValue(); + manElem.setIdAttributeNode(attr, true); + } else { + this.id = null; + } + + boolean secVal = Utils.secureValidation(context); Element refElem = DOMUtils.getFirstChildElement(manElem); List refs = new ArrayList(); + int refCount = 0; while (refElem != null) { refs.add(new DOMReference(refElem, context, provider)); refElem = DOMUtils.getNextSiblingElement(refElem); + + refCount++; + if (secVal && (refCount > DOMSignedInfo.MAXIMUM_REFERENCE_COUNT)) { + String error = "A maxiumum of " + + DOMSignedInfo.MAXIMUM_REFERENCE_COUNT + + " references per Manifest are allowed with" + + " secure validation"; + throw new MarshalException(error); + } } this.references = Collections.unmodifiableList(refs); }
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMReference.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMReference.java Wed Jun 12 14:56:51 2013 +0100 @@ -51,6 +51,7 @@ import org.w3c.dom.Node; import org.jcp.xml.dsig.internal.DigesterOutputStream; +import com.sun.org.apache.xml.internal.security.algorithms.MessageDigestAlgorithm; import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException; import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput; import com.sun.org.apache.xml.internal.security.utils.Base64; @@ -65,6 +66,12 @@ public final class DOMReference extends DOMStructure implements Reference, DOMURIReference { + /** + * The maximum number of transforms per reference, if secure validation + * is enabled. + */ + public static final int MAXIMUM_TRANSFORM_COUNT = 5; + /** * Look up useC14N11 system property. If true, an explicit C14N11 transform * will be added if necessary when generating the signature. See section @@ -184,15 +191,27 @@ */ public DOMReference(Element refElem, XMLCryptoContext context, Provider provider) throws MarshalException { + boolean secVal = Utils.secureValidation(context); + // unmarshal Transforms, if specified Element nextSibling = DOMUtils.getFirstChildElement(refElem); List transforms = new ArrayList(5); if (nextSibling.getLocalName().equals("Transforms")) { Element transformElem = DOMUtils.getFirstChildElement(nextSibling); + + int transformCount = 0; while (transformElem != null) { transforms.add (new DOMTransform(transformElem, context, provider)); transformElem = DOMUtils.getNextSiblingElement(transformElem); + + transformCount++; + if (secVal && (transformCount > MAXIMUM_TRANSFORM_COUNT)) { + String error = "A maxiumum of " + MAXIMUM_TRANSFORM_COUNT + + " transforms per Reference are allowed" + + " with secure validation"; + throw new MarshalException(error); + } } nextSibling = DOMUtils.getNextSiblingElement(nextSibling); } @@ -200,6 +219,14 @@ // unmarshal DigestMethod Element dmElem = nextSibling; this.digestMethod = DOMDigestMethod.unmarshal(dmElem); + String digestMethodAlgorithm = this.digestMethod.getAlgorithm(); + if (secVal + && MessageDigestAlgorithm.ALGO_ID_DIGEST_NOT_RECOMMENDED_MD5.equals(digestMethodAlgorithm)) + { + throw new MarshalException("It is forbidden to use algorithm " + + digestMethod + + " when secure validation is enabled"); + } // unmarshal DigestValue try { @@ -211,7 +238,14 @@ // unmarshal attributes this.uri = DOMUtils.getAttributeValue(refElem, "URI"); - this.id = DOMUtils.getAttributeValue(refElem, "Id"); + + Attr attr = refElem.getAttributeNodeNS(null, "Id"); + if (attr != null) { + this.id = attr.getValue(); + refElem.setIdAttributeNode(attr, true); + } else { + this.id = null; + } this.type = DOMUtils.getAttributeValue(refElem, "Type"); this.here = refElem.getAttributeNodeNS(null, "URI");
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java Wed Jun 12 14:56:51 2013 +0100 @@ -38,6 +38,7 @@ import java.net.URISyntaxException; import java.security.Provider; import java.util.*; +import javax.xml.XMLConstants; import javax.xml.crypto.*; import javax.xml.crypto.dsig.*; import javax.xml.crypto.dom.DOMCryptoContext; @@ -124,9 +125,13 @@ // get here node here = rmElem.getAttributeNodeNS(null, "URI"); + boolean secVal = Utils.secureValidation(context); + // get Transforms, if specified List transforms = new ArrayList(); Element transformsElem = DOMUtils.getFirstChildElement(rmElem); + + int transformCount = 0; if (transformsElem != null) { Element transformElem = DOMUtils.getFirstChildElement(transformsElem); @@ -134,6 +139,17 @@ transforms.add (new DOMTransform(transformElem, context, provider)); transformElem = DOMUtils.getNextSiblingElement(transformElem); + + transformCount++; + if (secVal && + (transformCount > DOMReference.MAXIMUM_TRANSFORM_COUNT)) + { + String error = "A maxiumum of " + + DOMReference.MAXIMUM_TRANSFORM_COUNT + + " transforms per Reference are allowed" + + " with secure validation"; + throw new MarshalException(error); + } } } if (transforms.isEmpty()) { @@ -224,6 +240,8 @@ ApacheData data = (ApacheData) dereference(context); DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); + dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, + Boolean.TRUE); DocumentBuilder db = dbf.newDocumentBuilder(); Document doc = db.parse(new ByteArrayInputStream (data.getXMLSignatureInput().getBytes()));
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMSignatureProperties.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMSignatureProperties.java Wed Jun 12 14:56:51 2013 +0100 @@ -31,6 +31,7 @@ import javax.xml.crypto.dsig.*; import java.util.*; +import org.w3c.dom.Attr; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; @@ -86,7 +87,13 @@ */ public DOMSignatureProperties(Element propsElem) throws MarshalException{ // unmarshal attributes - id = DOMUtils.getAttributeValue(propsElem, "Id"); + Attr attr = propsElem.getAttributeNodeNS(null, "Id"); + if (attr != null) { + id = attr.getValue(); + propsElem.setIdAttributeNode(attr, true); + } else { + id = null; + } NodeList nodes = propsElem.getChildNodes(); int length = nodes.getLength();
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMSignatureProperty.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMSignatureProperty.java Wed Jun 12 14:56:51 2013 +0100 @@ -31,6 +31,7 @@ import javax.xml.crypto.dsig.*; import java.util.*; +import org.w3c.dom.Attr; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; @@ -94,7 +95,13 @@ if (target == null) { throw new MarshalException("target cannot be null"); } - id = DOMUtils.getAttributeValue(propElem, "Id"); + Attr attr = propElem.getAttributeNodeNS(null, "Id"); + if (attr != null) { + id = attr.getValue(); + propElem.setIdAttributeNode(attr, true); + } else { + id = null; + } NodeList nodes = propElem.getChildNodes(); int length = nodes.getLength();
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMSignedInfo.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMSignedInfo.java Wed Jun 12 14:56:51 2013 +0100 @@ -45,6 +45,7 @@ import org.w3c.dom.Node; import com.sun.org.apache.xml.internal.security.utils.Base64; +import com.sun.org.apache.xml.internal.security.utils.Constants; import com.sun.org.apache.xml.internal.security.utils.UnsyncBufferedOutputStream; import com.sun.org.apache.xml.internal.security.utils.XMLUtils; @@ -55,7 +56,22 @@ */ public final class DOMSignedInfo extends DOMStructure implements SignedInfo { + /** + * The maximum number of references per Manifest, if secure validation is + * enabled. + */ + public static final int MAXIMUM_REFERENCE_COUNT = 30; + private static Logger log = Logger.getLogger("org.jcp.xml.dsig.internal.dom"); + + /** Signature - NOT Recommended RSAwithMD5 */ + private static final String ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5 = + Constants.MoreAlgorithmsSpecNS + "rsa-md5"; + + /** HMAC - NOT Recommended HMAC-MD5 */ + private static final String ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5 = + Constants.MoreAlgorithmsSpecNS + "hmac-md5"; + private List references; private CanonicalizationMethod canonicalizationMethod; private SignatureMethod signatureMethod; @@ -143,12 +159,31 @@ Element smElem = DOMUtils.getNextSiblingElement(cmElem); signatureMethod = DOMSignatureMethod.unmarshal(smElem); + boolean secVal = Utils.secureValidation(context); + String sigMethAlg = signatureMethod.getAlgorithm(); + if (secVal && ((ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5.equals(sigMethAlg) + || ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5.equals(sigMethAlg)))) + { + throw new MarshalException("It is forbidden to use algorithm " + + signatureMethod + + " when secure validation is enabled"); + } + // unmarshal References ArrayList refList = new ArrayList(5); Element refElem = DOMUtils.getNextSiblingElement(smElem); + int refCount = 0; while (refElem != null) { refList.add(new DOMReference(refElem, context, provider)); refElem = DOMUtils.getNextSiblingElement(refElem); + + refCount++; + if (secVal && (refCount > MAXIMUM_REFERENCE_COUNT)) { + String error = "A maxiumum of " + MAXIMUM_REFERENCE_COUNT + + " references per SignedInfo are allowed with" + + " secure validation"; + throw new MarshalException(error); + } } references = Collections.unmodifiableList(refList); }
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMURIDereferencer.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMURIDereferencer.java Wed Jun 12 14:56:51 2013 +0100 @@ -31,7 +31,7 @@ import org.w3c.dom.Node; import com.sun.org.apache.xml.internal.security.Init; -import com.sun.org.apache.xml.internal.security.utils.IdResolver; +import com.sun.org.apache.xml.internal.security.utils.XMLUtils; import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver; import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput; @@ -68,8 +68,11 @@ Attr uriAttr = (Attr) domRef.getHere(); String uri = uriRef.getURI(); DOMCryptoContext dcc = (DOMCryptoContext) context; + String baseURI = context.getBaseURI(); - // Check if same-document URI and register ID + boolean secVal = Utils.secureValidation(context); + + // Check if same-document URI and already registered on the context if (uri != null && uri.length() != 0 && uri.charAt(0) == '#') { String id = uri.substring(1); @@ -79,19 +82,38 @@ id = id.substring(i1+1, i2); } - // this is a bit of a hack to check for registered - // IDRefs and manually register them with Apache's IdResolver - // map which includes builtin schema knowledge of DSig/Enc IDs - Node referencedElem = dcc.getElementById(id); - if (referencedElem != null) { - IdResolver.registerElementById((Element) referencedElem, id); + Node refElem = dcc.getElementById(id); + if (refElem != null) { + if (secVal) { + Element start = + refElem.getOwnerDocument().getDocumentElement(); + if (!XMLUtils.protectAgainstWrappingAttack(start, + (Element)refElem, + id)) { + String error = "Multiple Elements with the same ID " + + id + " were detected"; + throw new URIReferenceException(error); + } + } + + XMLSignatureInput result = new XMLSignatureInput(refElem); + if (!uri.substring(1).startsWith("xpointer(id(")) { + result.setExcludeComments(true); + } + + result.setMIMEType("text/xml"); + if (baseURI != null && baseURI.length() > 0) { + result.setSourceURI(baseURI.concat(uriAttr.getNodeValue())); + } else { + result.setSourceURI(uriAttr.getNodeValue()); + } + return new ApacheNodeSetData(result); } } try { - String baseURI = context.getBaseURI(); ResourceResolver apacheResolver = - ResourceResolver.getInstance(uriAttr, baseURI); + ResourceResolver.getInstance(uriAttr, baseURI, secVal); XMLSignatureInput in = apacheResolver.resolve(uriAttr, baseURI); if (in.isOctetStream()) { return new ApacheOctetStreamData(in);
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMUtils.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMUtils.java Wed Jun 12 14:56:51 2013 +0100 @@ -38,8 +38,6 @@ import javax.xml.crypto.dsig.*; import javax.xml.crypto.dsig.spec.*; -import com.sun.org.apache.xml.internal.security.utils.IdResolver; - /** * Useful static DOM utility methods. * @@ -107,7 +105,7 @@ public static void setAttributeID(Element elem, String name, String value) { if (value == null) return; elem.setAttributeNS(null, name, value); - IdResolver.registerElementById(elem, value); + elem.setIdAttributeNS(null, name, true); } /**
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMXMLObject.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMXMLObject.java Wed Jun 12 14:56:51 2013 +0100 @@ -32,6 +32,7 @@ import java.security.Provider; import java.util.*; +import org.w3c.dom.Attr; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; @@ -91,7 +92,14 @@ Provider provider) throws MarshalException { // unmarshal attributes this.encoding = DOMUtils.getAttributeValue(objElem, "Encoding"); - this.id = DOMUtils.getAttributeValue(objElem, "Id"); + + Attr attr = objElem.getAttributeNodeNS(null, "Id"); + if (attr != null) { + this.id = attr.getValue(); + objElem.setIdAttributeNode(attr, true); + } else { + this.id = null; + } this.mimeType = DOMUtils.getAttributeValue(objElem, "MimeType"); NodeList nodes = objElem.getChildNodes();
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMXMLSignature.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMXMLSignature.java Wed Jun 12 14:56:51 2013 +0100 @@ -50,6 +50,7 @@ import java.util.List; import java.util.logging.Level; import java.util.logging.Logger; +import org.w3c.dom.Attr; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; @@ -492,7 +493,13 @@ throw new MarshalException(bde); } - id = DOMUtils.getAttributeValue(sigValueElem, "Id"); + Attr attr = sigValueElem.getAttributeNodeNS(null, "Id"); + if (attr != null) { + id = attr.getValue(); + sigValueElem.setIdAttributeNode(attr, true); + } else { + id = null; + } this.sigValueElem = sigValueElem; }
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/Utils.java Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/Utils.java Wed Jun 12 14:56:51 2013 +0100 @@ -30,6 +30,7 @@ import java.io.InputStream; import java.io.IOException; import java.util.*; +import javax.xml.crypto.XMLCryptoContext; import org.w3c.dom.NamedNodeMap; import org.w3c.dom.Node; @@ -104,4 +105,13 @@ public static boolean sameDocumentURI(String uri) { return (uri != null && (uri.length() == 0 || uri.charAt(0) == '#')); } + + static boolean secureValidation(XMLCryptoContext xc) { + return getBoolean(xc, "org.jcp.xml.dsig.secureValidation"); + } + + private static boolean getBoolean(XMLCryptoContext xc, String name) { + Boolean value = (Boolean)xc.getProperty(name); + return (value != null && value.booleanValue()); + } }
--- a/src/share/lib/security/java.security Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/lib/security/java.security Wed Jun 12 14:56:51 2013 +0100 @@ -146,7 +146,9 @@ com.sun.org.apache.xml.internal.res.,\ com.sun.org.apache.xml.internal.serializer.utils.,\ com.sun.org.apache.xml.internal.utils.,\ - com.sun.org.glassfish. + com.sun.org.apache.xml.internal.security.,\ + com.sun.org.glassfish.,\ + org.jcp.xml.dsig.internal. # # List of comma-separated packages that start with or equal this string @@ -181,7 +183,9 @@ com.sun.org.apache.xml.internal.res.,\ com.sun.org.apache.xml.internal.serializer.utils.,\ com.sun.org.apache.xml.internal.utils.,\ - com.sun.org.glassfish. + com.sun.org.apache.xml.internal.security.,\ + com.sun.org.glassfish.,\ + org.jcp.xml.dsig.internal. # # Determines whether this properties file can be appended to
--- a/src/share/lib/security/java.security-solaris Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/lib/security/java.security-solaris Wed Jun 12 14:56:51 2013 +0100 @@ -147,7 +147,9 @@ com.sun.org.apache.xml.internal.res.,\ com.sun.org.apache.xml.internal.serializer.utils.,\ com.sun.org.apache.xml.internal.utils.,\ - com.sun.org.glassfish. + com.sun.org.apache.xml.internal.security.,\ + com.sun.org.glassfish.,\ + org.jcp.xml.dsig.internal. # # List of comma-separated packages that start with or equal this string @@ -182,7 +184,9 @@ com.sun.org.apache.xml.internal.res.,\ com.sun.org.apache.xml.internal.serializer.utils.,\ com.sun.org.apache.xml.internal.utils.,\ - com.sun.org.glassfish. + com.sun.org.apache.xml.internal.security.,\ + com.sun.org.glassfish.,\ + org.jcp.xml.dsig.internal. # # Determines whether this properties file can be appended to
--- a/src/share/lib/security/java.security-windows Fri Sep 14 09:38:27 2012 -0700 +++ b/src/share/lib/security/java.security-windows Wed Jun 12 14:56:51 2013 +0100 @@ -147,7 +147,9 @@ com.sun.org.apache.xml.internal.res.,\ com.sun.org.apache.xml.internal.serializer.utils.,\ com.sun.org.apache.xml.internal.utils.,\ + com.sun.org.apache.xml.internal.security.,\ com.sun.org.glassfish.,\ + org.jcp.xml.dsig.internal.\ com.sun.java.accessibility. # @@ -183,7 +185,9 @@ com.sun.org.apache.xml.internal.res.,\ com.sun.org.apache.xml.internal.serializer.utils.,\ com.sun.org.apache.xml.internal.utils.,\ + com.sun.org.apache.xml.internal.security.,\ com.sun.org.glassfish.,\ + org.jcp.xml.dsig.internal.\ com.sun.java.accessibility. #
--- a/test/javax/xml/crypto/dsig/GenerationTests.java Fri Sep 14 09:38:27 2012 -0700 +++ b/test/javax/xml/crypto/dsig/GenerationTests.java Wed Jun 12 14:56:51 2013 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Basic unit tests for generating XML Signatures with JSR 105 * @compile -XDignore.symbol.file KeySelectors.java SignatureValidator.java * X509KeySelector.java GenerationTests.java - * @run main GenerationTests + * @run main/othervm GenerationTests * @author Sean Mullan */ @@ -440,6 +440,7 @@ // create XMLSignature XMLSignature sig = fac.newXMLSignature(si, rsa, objs, "signature", null); DOMSignContext dsc = new DOMSignContext(getPrivateKey("RSA"), doc); + dsc.setIdAttributeNS(nc, null, "Id"); sig.sign(dsc); @@ -447,6 +448,7 @@ DOMValidateContext dvc = new DOMValidateContext (kvks, doc.getDocumentElement()); + dvc.setIdAttributeNS(nc, null, "Id"); XMLSignature sig2 = fac.unmarshalXMLSignature(dvc); if (sig.equals(sig2) == false) {
--- a/test/javax/xml/crypto/dsig/SecurityManager/XMLDSigWithSecMgr.java Fri Sep 14 09:38:27 2012 -0700 +++ b/test/javax/xml/crypto/dsig/SecurityManager/XMLDSigWithSecMgr.java Wed Jun 12 14:56:51 2013 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,6 +26,7 @@ * @bug 6436919 6460930 * @summary check that XML Signatures can be generated and validated with * SecurityManager enabled and default policy + * @run main/othervm XMLDSigWithSecMgr * @author Sean Mullan */ import java.io.*; @@ -139,6 +140,10 @@ // validate a signature with SecurityManager enabled DOMValidateContext dvc = new DOMValidateContext (kp.getPublic(), envelope.getFirstChild()); + + // disable secure validation mode so that http reference will work + dvc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE); + sig = fac.unmarshalXMLSignature(dvc); if (!sig.validate(dvc)) { throw new Exception
--- a/test/javax/xml/crypto/dsig/ValidationTests.java Fri Sep 14 09:38:27 2012 -0700 +++ b/test/javax/xml/crypto/dsig/ValidationTests.java Wed Jun 12 14:56:51 2013 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Basic unit tests for validating XML Signatures with JSR 105 * @compile -XDignore.symbol.file KeySelectors.java SignatureValidator.java * X509KeySelector.java ValidationTests.java - * @run main ValidationTests + * @run main/othervm ValidationTests * @author Sean Mullan */ import java.io.File;