Type: Bug
Resolution: Not an Issue
Priority: P4
Fix version: None
Affects versions: 11, 15
ADDITIONAL SYSTEM INFORMATION :
Java 9 and higher
A DESCRIPTION OF THE PROBLEM :
The here() function was added in https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8087283 ; however, using it fails silently (the failure is only visible in the logging). This produces XML signatures that appear to be valid but do not protect the content of the XML document from being altered, which can be a security risk.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
* Turn on logging as described in https://www.oracle.com/technical-resources/articles/java/dig-signature-api.html
* Create an XML signature on a document; the signature should contain an XPath transform using "here()":

    import java.util.List;
    import javax.xml.crypto.dsig.*;
    import javax.xml.crypto.dsig.dom.DOMSignContext;
    import javax.xml.crypto.dsig.keyinfo.*;
    import javax.xml.crypto.dsig.spec.*;
    import javax.xml.crypto.dsig.spec.XPathType.Filter;

    // Assumed to be in scope: PrivateKey privateKey, org.w3c.dom.Document document
    // (parsed namespace-aware) and the signer's X509Certificate... certificates.
    DOMSignContext context = new DOMSignContext(privateKey, document.getDocumentElement());
    XMLSignatureFactory xsf = XMLSignatureFactory.getInstance("DOM");
    // Enveloped signature over the whole document (URI ""), filtered with two
    // XPath Filter 2 expressions that rely on here().
    Reference ref = xsf.newReference(
        "",
        xsf.newDigestMethod(DigestMethod.SHA256, null),
        List.of(
            xsf.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
            xsf.newTransform(Transform.XPATH2, new XPathFilter2ParameterSpec(List.of(new XPathType("here()/ancestor::*[4]", Filter.INTERSECT)))),
            xsf.newTransform(Transform.XPATH2, new XPathFilter2ParameterSpec(List.of(new XPathType("here()/ancestor::*[4]/*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#' and local-name()='Signature']", Filter.SUBTRACT)))),
            xsf.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)
        ),
        null,
        null);
    SignedInfo si = xsf.newSignedInfo(
        xsf.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
        xsf.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
        List.of(ref));
    KeyInfoFactory kif = xsf.getKeyInfoFactory();
    X509Data x509Data = kif.newX509Data(List.of(certificates));
    KeyInfo keyInfo = kif.newKeyInfo(List.of(x509Data));
    XMLSignature signature = xsf.newXMLSignature(si, keyInfo);
    signature.sign(context);
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The produced signature protects the XML document.
ACTUAL -
The produced signature does not protect the XML document.
The logging shows:
Caused by: javax.xml.transform.TransformerException: Could not find function: here
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.error(XPathParser.java:621)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.FunctionCall(XPathParser.java:1473)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.PrimaryExpr(XPathParser.java:1412)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.FilterExpr(XPathParser.java:1311)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.PathExpr(XPathParser.java:1244)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.UnionExpr(XPathParser.java:1202)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.UnaryExpr(XPathParser.java:1108)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.MultiplicativeExpr(XPathParser.java:1029)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.AdditiveExpr(XPathParser.java:971)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.RelationalExpr(XPathParser.java:896)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.EqualityExpr(XPathParser.java:836)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.AndExpr(XPathParser.java:800)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.OrExpr(XPathParser.java:773)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.Expr(XPathParser.java:756)
at java.xml/com.sun.org.apache.xpath.internal.compiler.XPathParser.initXPath(XPathParser.java:132)
at java.xml/com.sun.org.apache.xpath.internal.XPath.<init>(XPath.java:229)
... 41 more
Probable cause: the createXPath function in com.sun.org.apache.xml.internal.security.utils passes a null funcTable.
FREQUENCY : always
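Added example (not part of the original report and not JDK code): a self-contained check that tells whether an XML signature actually covers the document content, instead of relying on the logging to notice a failed transform. It signs a constructed sample document with the same transform chain shape as the report (enveloped, XPath Filter 2 intersect, exclusive C14N), validates, tampers with a content element, validates again, and also reads back the bytes that were digested for the Reference via the standard javax.xml.crypto.dsig.cacheReference property. The class name SignatureCoverageCheck, the sample document and the three XPath expressions are assumptions made for this example; the RSA key pair is generated at run time. If the report's observation holds on the JDK you run this on, the third case (here()) is expected to behave like the second one: the signature validates, zero bytes are covered, and the tampering goes undetected.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.crypto.dsig.spec.XPathType.Filter;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

public class SignatureCoverageCheck {

    // Constructed sample input (assumption for this example); any document
    // with a text node we can later alter will do.
    static final String SAMPLE = "<order><item>widget</item><amount>10</amount></order>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML Signature needs a namespace-aware DOM
        return dbf.newDocumentBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Enveloped signature over the root element, same chain shape as the report:
    // enveloped -> XPath Filter 2 (intersect, expression chosen by the caller) -> exc-C14N.
    static void sign(Document doc, KeyPair kp, String intersectXPath) throws Exception {
        XMLSignatureFactory xsf = XMLSignatureFactory.getInstance("DOM");
        Reference ref = xsf.newReference("",
                xsf.newDigestMethod(DigestMethod.SHA256, null),
                List.of(
                        xsf.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                        xsf.newTransform(Transform.XPATH2, new XPathFilter2ParameterSpec(
                                List.of(new XPathType(intersectXPath, Filter.INTERSECT)))),
                        xsf.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = xsf.newSignedInfo(
                xsf.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                xsf.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
                List.of(ref));
        KeyInfoFactory kif = xsf.getKeyInfoFactory();
        XMLSignature sig = xsf.newXMLSignature(si,
                kif.newKeyInfo(List.of(kif.newKeyValue(kp.getPublic()))));
        sig.sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    static final class Result {
        final boolean valid;
        final long coveredBytes; // size of the pre-digest input of the first Reference
        Result(boolean valid, long coveredBytes) { this.valid = valid; this.coveredBytes = coveredBytes; }
    }

    // Validates the first ds:Signature in the document and reports what was digested.
    static Result validate(Document doc, KeyPair kp) throws Exception {
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(kp.getPublic(), sigNode);
        // Ask the API to keep the pre-digest input so we can inspect the signed bytes.
        ctx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean valid = sig.validate(ctx);
        Reference ref = (Reference) sig.getSignedInfo().getReferences().get(0);
        long covered = 0;
        try (InputStream in = ref.getDigestInputStream()) {
            if (in != null) covered = in.transferTo(OutputStream.nullOutputStream());
        }
        return new Result(valid, covered);
    }

    // Sign, tamper, re-validate. A signature that still validates after a content
    // change does not protect that content, whatever its transforms claim.
    static boolean tamperDetected(String intersectXPath, KeyPair kp) throws Exception {
        Document doc = parse(SAMPLE);
        sign(doc, kp, intersectXPath);
        Result before = validate(doc, kp);
        doc.getElementsByTagName("amount").item(0).setTextContent("999999");
        Result after = validate(doc, kp);
        System.out.printf("%-28s valid=%b covered=%d bytes, valid after tamper=%b%n",
                intersectXPath, before.valid, before.coveredBytes, after.valid);
        return before.valid && !after.valid;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        tamperDetected("/*", kp);                    // root subtree: content is covered
        tamperDetected("/nonexistent", kp);          // selects nothing: validates, covers 0 bytes
        // XPath -> Transform -> Transforms -> Reference -> SignedInfo -> Signature -> root,
        // so ancestor::*[6] of here() is the signed root element, if here() resolves at all.
        tamperDetected("here()/ancestor::*[6]", kp);
    }
}
```

Run it with java SignatureCoverageCheck.java on JDK 11 or later. Treat a Reference whose digest input is empty, or a signature that still validates after a content change, as a signing failure in production code; both conditions are visible to the application itself, unlike the TransformerException, which only shows up with logging enabled.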