SANTUARIO-572 - Disallow a KeyInfoReference to refer to a RetrievalMethod
diff --git a/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java b/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
index 4571cc3..97b2fcf 100644
--- a/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
+++ b/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
@@ -176,6 +176,7 @@
validateReference(referentElement);
KeyInfo referent = new KeyInfo(referentElement, baseURI);
+ referent.setSecureValidation(secureValidation);
referent.addStorageResolver(storage);
return referent;
}
@@ -194,7 +195,7 @@
}
KeyInfo referent = new KeyInfo(referentElement, "");
- if (referent.containsKeyInfoReference()) {
+ if (referent.containsKeyInfoReference() || referent.containsRetrievalMethod()) {
if (secureValidation) {
throw new XMLSecurityException("KeyInfoReferenceResolver.InvalidReferentElement.ReferenceWithSecure");
} else {
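Review bot: The widened condition on the `if` line now also rejects a referent holding a RetrievalMethod, but in secure-validation mode it still throws with the key `KeyInfoReferenceResolver.InvalidReferentElement.ReferenceWithSecure`, whose text (not visible here) presumably only names a nested KeyInfoReference; a dedicated key for the RetrievalMethod case (constructed example: `KeyInfoReferenceResolver.InvalidReferentElement.RetrievalMethodWithSecure`) would make the logged reason accurate. A short why-comment above the condition would also help the next reader, e.g. `// A referent that itself dereferences (KeyInfoReference or RetrievalMethod) would allow reference chains, so it is rejected under secure validation`. The non-secure `else` branch and the rest of the enclosing method lie outside the hunk.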
diff --git a/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties b/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties
index ede945c..b999f9a 100644
--- a/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties
+++ b/src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties
@@ -124,6 +124,7 @@
signature.Transform.NotYetImplemented = Transform {0} not yet implemented
signature.Transform.NullPointerTransform = Null pointer as URI. Programming bug?
signature.Transform.UnknownTransform = Unknown transformation. No handler installed for URI {0}
+signature.Transform.XPathError = Error evaluating XPath expression
signature.Transform.node = Current Node: {0}
signature.Transform.nodeAndType = Current Node: {0}, type: {1}
signature.Util.BignumNonPositive = bigInteger.signum() must be positive
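Review bot: The new `signature.Transform.XPathError` key is added only to the English bundle in this hunk; if other locale bundles ship alongside `xmlsecurity_en.properties`, they need the same key or lookups there fall through to the missing-resource path. The keys `signature.Transform.node` and `signature.Transform.nodeAndType` on the following lines are no longer referenced by TransformXPath after this commit; keep them only if some other caller still uses them.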
@@ -194,4 +195,4 @@
stax.keyNotFoundForName = No key configured for KeyName: {0}
stax.keyTypeNotSupported = Key of type {0} not supported for a KeyName lookup
stax.idsetbutnotgenerated = An Id attribute is specified, but Id generation is disabled
-stax.idgenerationdisablewithmultipleparts = Id generation must not be disabled when multiple parts need signing
\ No newline at end of file
+stax.idgenerationdisablewithmultipleparts = Id generation must not be disabled when multiple parts need signing
diff --git a/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java b/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
index 474c211..f717c33 100644
--- a/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
+++ b/src/main/java/org/apache/xml/security/signature/XMLSignatureInput.java
@@ -544,7 +544,7 @@
convertToNodes();
} catch (Exception e) {
throw new XMLSecurityRuntimeException(
- "signature.XMLSignatureInput.nodesetReference", e
+ "signature.XMLSignatureInput.nodesetReference"
);
}
}
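Review bot: Dropping `e` from the `XMLSecurityRuntimeException` constructor leaves the catch with an unused `e` and no record of why `convertToNodes()` failed, which makes a bad nodeset reference hard to diagnose in the field; the same cause-dropping appears in the TransformXPath hunk below. If the intent is to keep caller-visible messages free of document-derived detail (this is a broad `catch (Exception e)`), state it in a comment above the throw, e.g. `// Deliberately not chained: the cause may carry document content that must not surface in the message`, and keep the cause at debug level instead, e.g. `LOG.debug(e.getMessage(), e);` if this class has a logger (not visible in the hunk). The enclosing method starts outside the hunk.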
diff --git a/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java b/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java
index d6cd2a8..b93172c 100644
--- a/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java
+++ b/src/main/java/org/apache/xml/security/transforms/implementations/TransformXPath.java
@@ -143,11 +143,7 @@
}
return 0;
} catch (TransformerException e) {
- Object[] eArgs = {currentNode};
- throw new XMLSecurityRuntimeException("signature.Transform.node", eArgs, e);
- } catch (Exception e) {
- Object[] eArgs = {currentNode, currentNode.getNodeType()};
- throw new XMLSecurityRuntimeException("signature.Transform.nodeAndType",eArgs, e);
+ throw new XMLSecurityRuntimeException("signature.Transform.XPathError");
}
}
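Review bot: Removing the second `catch (Exception e)` block changes what escapes this method: a non-`TransformerException` failure during evaluation (the old branch that reported `currentNode.getNodeType()`) now propagates unwrapped rather than as an `XMLSecurityRuntimeException`, so callers that only catch the latter may behave differently; if that is intended, a comment saying so would spare the next reader a surprise. The cause is also dropped here, as in the XMLSignatureInput hunk above, leaving `e` unused; `LOG.debug(e.getMessage(), e);` before the throw (if a logger exists in this class) preserves the diagnostic without putting node content into the message. The enclosing method starts outside the hunk.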
diff --git a/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java b/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java
index 3dbf8fb..a81fbcd 100644
--- a/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java
+++ b/src/test/java/org/apache/xml/security/test/dom/keys/keyresolver/KeyInfoReferenceResolverTest.java
@@ -121,6 +121,19 @@
assertNull(keyInfo.getPublicKey());
}
+ @org.junit.Test
+ public void testKeyInfoReferenceToRetrievalMethodNotAllowed() throws Exception {
+ Document doc = loadXML("KeyInfoReference-RSA-RetrievalMethod.xml");
+ markKeyInfoIdAttrs(doc);
+ markEncodedKeyValueIdAttrs(doc);
+
+ Element referenceElement = doc.getElementById("theReference");
+ assertNotNull(referenceElement);
+
+ KeyInfo keyInfo = new KeyInfo(referenceElement, "");
+ assertNull(keyInfo.getPublicKey());
+ }
+
// Utility methods
private String getControlFilePath(String fileName) {
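Review bot: `testKeyInfoReferenceToRetrievalMethodNotAllowed` asserts only that `getPublicKey()` returns null, which would also pass if the fixture failed to load or the Id marking missed the element, so it cannot distinguish "rejected by the new check" from "never resolved". Consider a second case on the same fixture with `keyInfo.setSecureValidation(true);` before the lookup, expecting the exception the resolver raises on the `ReferenceWithSecure` path (its exact surfaced type is not visible here), plus a control assertion that a `KeyInfo` built from the element with Id `retrievalMethod` does yield the key on its own, so the fixture is known-good. The test class continues outside the hunk.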
@@ -156,4 +169,13 @@
}
}
+ private void markEncodedKeyValueIdAttrs(Document doc) {
+ NodeList nl = doc.getElementsByTagNameNS(Constants.SignatureSpec11NS, Constants._TAG_DERENCODEDKEYVALUE);
+ for (int i = 0; i < nl.getLength(); i++) {
+ Element keyInfoElement = (Element) nl.item(i);
+ keyInfoElement.setIdAttributeNS(null, Constants._ATT_ID, true);
+ }
+ }
+
}
+
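Review bot: `markEncodedKeyValueIdAttrs` names its loop variable `keyInfoElement` although it iterates `DEREncodedKeyValue` elements; `Element element = (Element) nl.item(i);` reads correctly. The body looks like a copy of `markKeyInfoIdAttrs` (called by the new test but defined outside this hunk) with a different namespace and tag; if so, a shared `markIdAttrs(Document doc, String ns, String tag)` helper would keep the two in step. The added trailing blank line after the class brace is stray whitespace.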
diff --git a/src/test/resources/org/apache/xml/security/keyresolver/KeyInfoReference-RSA-RetrievalMethod.xml b/src/test/resources/org/apache/xml/security/keyresolver/KeyInfoReference-RSA-RetrievalMethod.xml
new file mode 100644
index 0000000..f34e3d5
--- /dev/null
+++ b/src/test/resources/org/apache/xml/security/keyresolver/KeyInfoReference-RSA-RetrievalMethod.xml
@@ -0,0 +1,22 @@
+<test:root xmlns:test="http://www.example.org/test">
+
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="theRealKey">
+ <dsig11:DEREncodedKeyValue Id="theRealKey2" xmlns:dsig11="http://www.w3.org/2009/xmldsig11#">
+ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmDnHagSzfia3N7jOaMSp4VIZjK2lxZgN
+ X/2z98YLp1XE3cvpP+mOvX3gENWQuX3uoix+2qroZ0BFHzhzf4E7is5Q9+42ZFi5naFk3c/B0Q8A
+ jtHtWUEZ8VPPBZggz6uJ1ttJS7YDP6XVjaw6SN1bJSD4/lWNIVsh95kuhunbOef6x/kyIbBz9wF4
+ S0//G6zPD4GG7/jJ+sDXe+bAgPB1qwhLhrK3N1jGuDZkGGcY/c4b7aba0B0rognwKlygv16GoA/n
+ zWehxih7clhmMTzP2VWa3Q2GcN8ETe00dz68KtS7GF6W15qftjUvRXEKSoPz86ZsP30jIH1tvIrs
+ qSh/kwIDAQAB
+ </dsig11:DEREncodedKeyValue>
+ </ds:KeyInfo>
+
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="retrievalMethod">
+ <ds:RetrievalMethod URI="#theRealKey2"/>
+ </ds:KeyInfo>
+
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="theReference">
+ <dsig11:KeyInfoReference xmlns:dsig11="http://www.w3.org/2009/xmldsig11#" URI="#retrievalMethod" />
+ </ds:KeyInfo>
+
+</test:root>