1
/*
2
 * Copyright (c) 2005, 2020, Oracle and/or its affiliates. All rights reserved.
3
 * Copyright (c) 2020 Red Hat, Inc.
4
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
5
 *
6
 * This code is free software; you can redistribute it and/or modify it
7
 * under the terms of the GNU General Public License version 2 only, as
8
 * published by the Free Software Foundation.
9
 *
10
 * This code is distributed in the hope that it will be useful, but WITHOUT
11
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
12
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
13
 * version 2 for more details (a copy is included in the LICENSE file that
14
 * accompanied this code).
15
 *
16
 * You should have received a copy of the GNU General Public License version
17
 * 2 along with this work; if not, write to the Free Software Foundation,
18
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
19
 *
20
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
21
 * or visit www.oracle.com if you need additional information or have any
22
 * questions.
23
 */
24

25
import java.io.File;
26
import java.io.FileInputStream;
27
import java.io.StringWriter;
28
import java.security.Key;
29
import java.security.KeyStore;
30
import java.security.cert.Certificate;
31
import java.util.Base64;
32
import java.util.Collections;
33

34
import javax.xml.crypto.Data;
35
import javax.xml.crypto.OctetStreamData;
36
import javax.xml.crypto.URIDereferencer;
37
import javax.xml.crypto.URIReference;
38
import javax.xml.crypto.URIReferenceException;
39
import javax.xml.crypto.XMLCryptoContext;
40
import javax.xml.crypto.dsig.CanonicalizationMethod;
41
import javax.xml.crypto.dsig.DigestMethod;
42
import javax.xml.crypto.dsig.Reference;
43
import javax.xml.crypto.dsig.SignatureMethod;
44
import javax.xml.crypto.dsig.SignedInfo;
45
import javax.xml.crypto.dsig.XMLSignature;
46
import javax.xml.crypto.dsig.XMLSignatureFactory;
47
import javax.xml.crypto.dsig.dom.DOMSignContext;
48
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
49
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
50
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
51
import javax.xml.parsers.DocumentBuilder;
52
import javax.xml.parsers.DocumentBuilderFactory;
53
import javax.xml.transform.OutputKeys;
54
import javax.xml.transform.Transformer;
55
import javax.xml.transform.TransformerFactory;
56
import javax.xml.transform.dom.DOMSource;
57
import javax.xml.transform.stream.StreamResult;
58

59
import org.w3c.dom.Document;
60
import org.w3c.dom.Node;
61
import org.w3c.dom.NodeList;
62

63
/* @test
64
 * @bug 8236645
65
 * @summary Test "lineFeedOnly" property prevents CR in Base64 encoded output
66
 * @run main/othervm/timeout=300 -Dcom.sun.org.apache.xml.internal.security.lineFeedOnly=false LineFeedOnlyTest
67
 * @run main/othervm/timeout=300 -Dcom.sun.org.apache.xml.internal.security.lineFeedOnly=true LineFeedOnlyTest
68
 * @run main/othervm/timeout=300 -Dcom.sun.org.apache.xml.internal.security.lineFeedOnly=true
69
 *     -Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true LineFeedOnlyTest
70
 * @run main/othervm/timeout=300 LineFeedOnlyTest
71
 */
72
public class LineFeedOnlyTest {
73

74
    private final static String DIR = System.getProperty("test.src", ".");
75
    private final static String DATA_DIR =
76
            DIR + System.getProperty("file.separator") + "data";
77
    private final static String KEYSTORE =
78
            DATA_DIR + System.getProperty("file.separator") + "certs" +
79
            System.getProperty("file.separator") + "test.jks";
80
    private final static String STYLESHEET =
81
            "http://www.w3.org/TR/xml-stylesheet";
82

83
    private static XMLSignatureFactory fac;
84
    private static KeyInfoFactory kifac;
85
    private static DocumentBuilder db;
86
    private static CanonicalizationMethod withoutComments;
87
    private static SignatureMethod dsaSha1;
88
    private static DigestMethod sha1;
89
    private static Key signingKey;
90
    private static Certificate signingCert;
91
    private static KeyStore ks;
92
    private static URIDereferencer httpUd;
93

94
    // Much of this test is derived from GenerationTests. We use a separate file in order to test
95
    // when the system property "com.sun.org.apache.xml.internal.security.lineFeedOnly" is enabled/disabled.
96
    public static void main(String[] args) throws Exception {
97
        boolean lineFeedOnly = Boolean.getBoolean("com.sun.org.apache.xml.internal.security.lineFeedOnly");
98
        boolean ignoreLineBreaks = Boolean.getBoolean("com.sun.org.apache.xml.internal.security.ignoreLineBreaks");
99

100
        setup();
101
        test_create_signature_line_endings(lineFeedOnly, ignoreLineBreaks);
102
    }
103

104
    private static void setup() throws Exception {
105
        fac = XMLSignatureFactory.getInstance();
106
        kifac = fac.getKeyInfoFactory();
107
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
108
        dbf.setNamespaceAware(true);
109
        db = dbf.newDocumentBuilder();
110

111
        // get key & self-signed certificate from keystore
112
        FileInputStream fis = new FileInputStream(KEYSTORE);
113
        ks = KeyStore.getInstance("JKS");
114
        ks.load(fis, "changeit".toCharArray());
115
        signingKey = ks.getKey("user", "changeit".toCharArray());
116
        signingCert = ks.getCertificate("user");
117

118
        // create common objects
119
        withoutComments = fac.newCanonicalizationMethod
120
            (CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec)null);
121
        dsaSha1 = fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null);
122
        sha1 = fac.newDigestMethod(DigestMethod.SHA1, null);
123

124
        httpUd = new HttpURIDereferencer();
125
    }
126

127
    private static void test_create_signature_line_endings(boolean lineFeedOnly,
128
        boolean ignoreLineBreaks) throws Exception {
129
        System.out.println("* Generating signature-line-endings.xml");
130
        System.out.println("* com.sun.org.apache.xml.internal.security.lineFeedOnly is "
131
                + String.valueOf(lineFeedOnly));
132
        System.out.println("* com.sun.org.apache.xml.internal.security.ignoreLineBreaks is "
133
                + String.valueOf(ignoreLineBreaks));
134

135
        // create reference
136
        Reference ref = fac.newReference(STYLESHEET, sha1);
137

138
        // create SignedInfo
139
        SignedInfo si = fac.newSignedInfo(withoutComments, dsaSha1,
140
                Collections.singletonList(ref));
141

142
        Document doc = db.newDocument();
143

144
        // create XMLSignature
145
        KeyInfo crt = kifac.newKeyInfo(Collections.singletonList
146
                (kifac.newX509Data(Collections.singletonList(signingCert))));
147
        XMLSignature sig = fac.newXMLSignature(si, crt);
148

149
        DOMSignContext dsc = new DOMSignContext(signingKey, doc);
150
        dsc.setURIDereferencer(httpUd);
151

152
        sig.sign(dsc);
153

154
        NodeList list = doc.getElementsByTagName("X509Certificate");
155
        if (list.getLength() != 1) {
156
            throw new Exception("Expected exactly one X509Certificate tag");
157
        }
158
        Node item = list.item(0);
159
        StringWriter writer = new StringWriter();
160
        Transformer tr = TransformerFactory.newInstance().newTransformer();
161
        tr.setOutputProperty(OutputKeys.METHOD, "xml");
162
        tr.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
163
        tr.transform(new DOMSource(item.getFirstChild()), new StreamResult(writer));
164
        String actual = writer.toString();
165

166
        String expected;
167
        if (ignoreLineBreaks) {
168
            expected = Base64.getEncoder().encodeToString(signingCert.getEncoded());
169
        } else if (lineFeedOnly) {
170
            expected = Base64.getMimeEncoder(76, new byte[] {'\n'}).encodeToString(signingCert.getEncoded());
171
        } else {
172
            expected = Base64.getMimeEncoder().encodeToString(signingCert.getEncoded());
173
        }
174

175
        if (!expected.equals(actual)) {
176
            if (ignoreLineBreaks && actual.contains("\n")) {
177
                throw new Exception("ignoreLineBreaks did not take precedence over lineFeedOnly");
178
            } else if (lineFeedOnly && actual.contains("\r\n")) {
179
                throw new Exception("Expected LF only, but found CRLF");
180
            } else if (!lineFeedOnly && !actual.contains("\r\n")) {
181
                throw new Exception("Expected CRLF, but found LF only");
182
            }
183
            throw new Exception("Unexpected output in encoded certificate");
184
        }
185
    }
186

187
    /**
188
     * This URIDereferencer returns locally cached copies of http content to
189
     * avoid test failures due to network glitches, etc.
190
     */
191
    private static class HttpURIDereferencer implements URIDereferencer {
192
        private URIDereferencer defaultUd;
193

194
        HttpURIDereferencer() {
195
            defaultUd = XMLSignatureFactory.getInstance().getURIDereferencer();
196
        }
197

198
        public Data dereference(final URIReference ref, XMLCryptoContext ctx)
199
        throws URIReferenceException {
200
            String uri = ref.getURI();
201
            if (uri.equals(STYLESHEET)) {
202
                try {
203
                    FileInputStream fis = new FileInputStream(new File
204
                        (DATA_DIR, uri.substring(uri.lastIndexOf('/'))));
205
                    return new OctetStreamData(fis,ref.getURI(),ref.getType());
206
                } catch (Exception e) { throw new URIReferenceException(e); }
207
            }
208

209
            // fallback on builtin deref
210
            return defaultUd.dereference(ref, ctx);
211
        }
212
    }
213

214
}
215

216