8263314: Enhance XML Dsig modes

Reviewed-by: coffeys, pkoppula Backport-of: fe318432e184c2df95d802212b4eb510d3729459
2025-12-06 09:29:38 +01:00 · 2021-08-05 10:00:55 +00:00
parent 55c8adf6c6
commit c3bbf5bd28
2 changed files with 28 additions and 4 deletions
--- a/src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMURIDereferencer.java
+++ b/src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMURIDereferencer.java
@@ -37,6 +37,7 @@ import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput;

 import javax.xml.crypto.*;
 import javax.xml.crypto.dom.*;
+import java.net.URI;

 /**
 * DOM-based implementation of URIDereferencer.
@@ -70,9 +71,27 @@ public final class DOMURIDereferencer implements URIDereferencer {

        boolean secVal = Utils.secureValidation(context);

-        if (secVal && Policy.restrictReferenceUriScheme(uri)) {
-            throw new URIReferenceException(
-                "Uri " + uri + " is forbidden when secure validation is enabled");
+        if (secVal) {
+            try {
+                if (Policy.restrictReferenceUriScheme(uri)) {
+                    throw new URIReferenceException(
+                            "URI " + uri + " is forbidden when secure validation is enabled");
+                }
+
+                if (uri != null && !uri.isEmpty() && uri.charAt(0) != '#' && URI.create(uri).getScheme() == null) {
+                    // beseURI will be used to dereference a relative uri
+                    try {
+                        if (Policy.restrictReferenceUriScheme(baseURI)) {
+                            throw new URIReferenceException(
+                                    "Base URI " + baseURI + " is forbidden when secure validation is enabled");
+                        }
+                    } catch (IllegalArgumentException e) { // thrown by Policy.restrictReferenceUriScheme
+                        throw new URIReferenceException("Invalid base URI " + baseURI);
+                    }
+                }
+            } catch (IllegalArgumentException e) { // thrown by Policy.restrictReferenceUriScheme or URI.create
+                throw new URIReferenceException("Invalid URI " + uri);
+            }
        }

        // Check if same-document URI and already registered on the context
--- a/test/jdk/javax/xml/crypto/dsig/GenerationTests.java
+++ b/test/jdk/javax/xml/crypto/dsig/GenerationTests.java
@@ -1454,7 +1454,6 @@ public class GenerationTests {
        DOMValidateContext dvc = new DOMValidateContext
            (ks, doc.getDocumentElement());
        File f = new File(DATA_DIR);
-        dvc.setBaseURI(f.toURI().toString());
        dvc.setURIDereferencer(httpUd);

        XMLSignature sig2 = fac.unmarshalXMLSignature(dvc);
@@ -2195,6 +2194,12 @@ public class GenerationTests {
                        (DATA_DIR, uri.substring(uri.lastIndexOf('/'))));
                    return new OctetStreamData(fis,ref.getURI(),ref.getType());
                } catch (Exception e) { throw new URIReferenceException(e); }
+            } else if (uri.startsWith("certs/")) {
+                try {
+                    FileInputStream fis = new FileInputStream(new File
+                            (DATA_DIR, uri));
+                    return new OctetStreamData(fis,ref.getURI(),ref.getType());
+                } catch (Exception e) { throw new URIReferenceException(e); }
            }

            // fallback on builtin deref