1 /*
   2  * Copyright (c) 2010, 2013 Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 import java.io.File;
  25 import java.io.IOException;
  26 import java.io.OutputStream;
  27 import javax.xml.crypto.dsig.XMLSignatureException;
  28 import javax.xml.parsers.ParserConfigurationException;
  29 import org.xml.sax.SAXException;
  30 
  31 import com.sun.org.apache.xml.internal.security.c14n.CanonicalizationException;
  32 import com.sun.org.apache.xml.internal.security.c14n.InvalidCanonicalizerException;
  33 import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput;
  34 import com.sun.org.apache.xml.internal.security.transforms.Transform;
  35 import com.sun.org.apache.xml.internal.security.transforms.TransformationException;
  36 import com.sun.org.apache.xml.internal.security.transforms.TransformSpi;
  37 
  38 /**
  39  * @test
  40  * @bug 6994263
  41  * @key closed-security
  42  * @summary Check that standard transform algorithms can't be replaced
  43  * @library ../../../../../../javax/xml/crypto/dsig
  44  * @build KeySelectors SignatureValidator
  45  * @compile -XDignore.symbol.file ReplaceTransform.java
  46  * @run main ReplaceTransform
  47  */
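public class ReplaceTransform {

    /**
     * Marker message thrown by every {@link MyBogusC14NTransform} entry point.
     * Finding it in the cause chain of a validation failure means the bogus
     * class ran in place of the standard inclusive C14N transform.
     */
    private static final String BOGUS_TRANSFORM_MESSAGE =
        "You have been attacked!";

    /** Signed document (resolved against {@code test.src}) that is validated. */
    private static final String SIGNATURE_FILE = "signature-enveloping-dsa.xml";

    /**
     * Runs the replacement check twice, so that a repeated registration
     * attempt is also shown to leave the standard transform in place.
     *
     * @param args unused
     * @throws Exception if the signature does not validate, or if the bogus
     *         transform turns out to have been installed
     */
    public static void main(String[] args) throws Exception {
        replaceTransform();
        replaceTransform();
    }

    /**
     * Tries to register {@link MyBogusC14NTransform} under the URI of the
     * standard inclusive canonicalization algorithm, then validates a signed
     * document to prove that the standard implementation is still the one
     * being used.
     *
     * @throws Exception if validation returns false, if validation throws an
     *         {@link XMLSignatureException}, or if the bogus transform's
     *         marker exception is found in that exception's cause chain
     */
    private static void replaceTransform() throws Exception {
        try {
            Transform.register
                (javax.xml.crypto.dsig.CanonicalizationMethod.INCLUSIVE,
                 "ReplaceTransform$MyBogusC14NTransform");
            // Not a failure on its own: the signature validation below is the
            // authoritative check. Record it so the log shows which path ran.
            System.out.println("Transform.register returned without an "
                + "exception; validating to confirm nothing was replaced");
        } catch (Exception e) {
            // Exception expected, but continue and validate signature to be
            // positive that transform has not been replaced
            e.printStackTrace();
        }

        File dir = new File(System.getProperty("test.src", "."));
        SignatureValidator validator = new SignatureValidator(dir);
        System.out.println("Validating " + SIGNATURE_FILE);
        try {
            boolean valid = validator.validate
                (SIGNATURE_FILE, new KeySelectors.KeyValueKeySelector(), false);
            if (!valid) {
                System.err.println("FAILED: signature failed to validate");
                throw new Exception("Signature failed to validate");
            }
            System.out.println("PASSED");
        } catch (XMLSignatureException xse) {
            System.err.println("FAILED: caught XMLSignatureException");
            if (bogusTransformRan(xse.getCause())) {
                System.err.println
                    ("Standard C14N Transform has been replaced");
                throw new Exception
                    ("Standard C14N Transform has been replaced", xse);
            }
            throw new Exception("Caught XMLSignatureException", xse);
        }
    }

    /**
     * Walks a cause chain looking for the marker {@link IOException} thrown by
     * {@link MyBogusC14NTransform}.
     *
     * @param cause first throwable to inspect; may be {@code null}
     * @return {@code true} if an {@code IOException} carrying
     *         {@link #BOGUS_TRANSFORM_MESSAGE} is found in the chain
     */
    private static boolean bogusTransformRan(Throwable cause) {
        for (Throwable t = cause; t != null; t = t.getCause()) {
            // Constant-first equals: an unrelated IOException with a null
            // message must not turn into a NullPointerException that hides
            // the real reason validation failed.
            if (t instanceof IOException
                    && BOGUS_TRANSFORM_MESSAGE.equals(t.getMessage())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Stand-in transform that claims the standard inclusive C14N URI. All
     * three {@code enginePerformTransform} overloads throw the same marker
     * exception, so the test detects the replacement regardless of which
     * overload the library invokes.
     */
    public static class MyBogusC14NTransform extends TransformSpi {
        /** Reports the URI of the standard algorithm this class impersonates. */
        protected String engineGetURI() {
            return javax.xml.crypto.dsig.CanonicalizationMethod.INCLUSIVE;
        }

        /** Always fails with the marker exception. */
        protected XMLSignatureInput enginePerformTransform
            (XMLSignatureInput input) throws IOException,
                CanonicalizationException, InvalidCanonicalizerException,
                TransformationException, ParserConfigurationException,
                SAXException {
            throw new IOException(BOGUS_TRANSFORM_MESSAGE);
        }

        /** Always fails with the marker exception. */
        protected XMLSignatureInput enginePerformTransform
            (XMLSignatureInput input, Transform transform) throws IOException,
                CanonicalizationException, InvalidCanonicalizerException,
                TransformationException, ParserConfigurationException,
                SAXException {
            throw new IOException(BOGUS_TRANSFORM_MESSAGE);
        }

        /** Always fails with the marker exception. */
        protected XMLSignatureInput enginePerformTransform
            (XMLSignatureInput input, OutputStream os, Transform transform)
                throws IOException, CanonicalizationException,
                InvalidCanonicalizerException, TransformationException,
                ParserConfigurationException, SAXException {
            throw new IOException(BOGUS_TRANSFORM_MESSAGE);
        }
    }
}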