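/*
 * Copyright (c) 2010, 2013 Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

import com.sun.org.apache.xml.internal.security.c14n.CanonicalizationException;
import com.sun.org.apache.xml.internal.security.c14n.InvalidCanonicalizerException;
import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput;
import com.sun.org.apache.xml.internal.security.transforms.Transform;
import com.sun.org.apache.xml.internal.security.transforms.TransformationException;
import com.sun.org.apache.xml.internal.security.transforms.TransformSpi;

/**
 * @test
 * @bug 6994263
 * @key closed-security
 * @summary Check that standard transform algorithms can't be replaced
 * @library ../../../../../../javax/xml/crypto/dsig
 * @build KeySelectors SignatureValidator
 * @compile -XDignore.symbol.file ReplaceTransform.java
 * @run main ReplaceTransform
 */
public class ReplaceTransform {

    // Regression test: tries to register MyBogusC14NTransform under the
    // inclusive-C14N algorithm URI, then validates a known signature file.
    // The bogus transform throws an IOException carrying MARKER_MESSAGE from
    // every entry point, so finding that message in the cause chain of a
    // validation failure means the standard transform was replaced.
    private static final String MARKER_MESSAGE = "You have been attacked!";

    /**
     * Runs the replacement attempt and the validation twice.
     *
     * @param args unused
     * @throws Exception if validation fails or the bogus transform was used
     */
    public static void main(String[] args) throws Exception {
        // try it twice
        // NOTE(review): presumably the second pass covers a registration that
        // only takes effect on a repeated attempt -- confirm against the bug.
        replaceTransform();
        replaceTransform();
    }

    /**
     * Attempts to register the bogus transform for the inclusive-C14N URI and
     * then validates {@code signature-enveloping-dsa.xml} from the directory
     * named by the {@code test.src} system property (default: current dir).
     *
     * @throws Exception if the signature does not validate, or if validation
     *         throws an {@link XMLSignatureException}; the message says
     *         whether the bogus transform's marker was found in the causes
     */
    private static void replaceTransform() throws Exception {
        try {
            Transform.register
                (javax.xml.crypto.dsig.CanonicalizationMethod.INCLUSIVE,
                 "ReplaceTransform$MyBogusC14NTransform");
            // Make the unexpected path visible in the test log; the verdict
            // still comes from the validation below.
            System.out.println
                ("Transform.register did not throw for a standard algorithm URI");
        } catch (Exception e) {
            // Exception expected, but continue and validate signature to be
            // positive that transform has not been replaced
            e.printStackTrace();
        }

        String file = "signature-enveloping-dsa.xml";
        File d = new File(System.getProperty("test.src", "."));

        SignatureValidator validator = new SignatureValidator(d);
        System.out.println("Validating " + file);
        try {
            if (validator.validate
                (file, new KeySelectors.KeyValueKeySelector(), false)) {
                System.out.println("PASSED");
            } else {
                System.err.println("FAILED: signature failed to validate");
                throw new Exception("Signature failed to validate");
            }
        } catch (XMLSignatureException xse) {
            System.err.println("FAILED: caught XMLSignatureException");
            // unwrap causes and look for message
            Throwable cause = xse.getCause();
            while (cause != null) {
                // Constant-first equals: a cause with a null message must not
                // raise a NullPointerException that hides the real failure.
                if (cause instanceof IOException &&
                    MARKER_MESSAGE.equals(cause.getMessage())) {
                    System.err.println
                        ("Standard C14N Transform has been replaced");
                    throw new Exception
                        ("Standard C14N Transform has been replaced", xse);
                }
                cause = cause.getCause();
            }
            throw new Exception("Caught XMLSignatureException", xse);
        }
    }

    /**
     * Stand-in transform that claims the inclusive-C14N URI. Every
     * {@code enginePerformTransform} overload throws an {@link IOException}
     * with the marker message that {@code replaceTransform} searches for.
     */
    public static class MyBogusC14NTransform extends TransformSpi {
        /** Returns the inclusive-C14N algorithm URI. */
        protected String engineGetURI() {
            return javax.xml.crypto.dsig.CanonicalizationMethod.INCLUSIVE;
        }

        /** Always throws the marker exception. */
        protected XMLSignatureInput enginePerformTransform
            (XMLSignatureInput input) throws IOException,
            CanonicalizationException, InvalidCanonicalizerException,
            TransformationException, ParserConfigurationException,
            SAXException {
            throw new IOException(MARKER_MESSAGE);
        }

        /** Always throws the marker exception. */
        protected XMLSignatureInput enginePerformTransform
            (XMLSignatureInput input, Transform transform) throws IOException,
            CanonicalizationException, InvalidCanonicalizerException,
            TransformationException, ParserConfigurationException,
            SAXException {
            throw new IOException(MARKER_MESSAGE);
        }

        /** Always throws the marker exception. */
        protected XMLSignatureInput enginePerformTransform
            (XMLSignatureInput input, OutputStream os, Transform transform)
            throws IOException, CanonicalizationException,
            InvalidCanonicalizerException, TransformationException,
            ParserConfigurationException, SAXException {
            throw new IOException(MARKER_MESSAGE);
        }
    }
}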