19 * KIND, either express or implied. See the License for the |
19 * KIND, either express or implied. See the License for the |
20 * specific language governing permissions and limitations |
20 * specific language governing permissions and limitations |
21 * under the License. |
21 * under the License. |
22 */ |
22 */ |
23 /* |
23 /* |
24 * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. |
24 * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. |
25 */ |
25 */ |
26 /* |
26 /* |
27 * $Id: DOMURIDereferencer.java 1231033 2012-01-13 12:12:12Z coheigea $ |
27 * $Id: DOMURIDereferencer.java 1231033 2012-01-13 12:12:12Z coheigea $ |
28 */ |
28 */ |
29 package org.jcp.xml.dsig.internal.dom; |
29 package org.jcp.xml.dsig.internal.dom; |
71 DOMCryptoContext dcc = (DOMCryptoContext) context; |
71 DOMCryptoContext dcc = (DOMCryptoContext) context; |
72 String baseURI = context.getBaseURI(); |
72 String baseURI = context.getBaseURI(); |
73 |
73 |
74 boolean secVal = Utils.secureValidation(context); |
74 boolean secVal = Utils.secureValidation(context); |
75 |
75 |
|
76 if (secVal && Policy.restrictReferenceUriScheme(uri)) { |
|
77 throw new URIReferenceException( |
|
78 "Uri " + uri + " is forbidden when secure validation is enabled"); |
|
79 } |
|
80 |
76 // Check if same-document URI and already registered on the context |
81 // Check if same-document URI and already registered on the context |
77 if (uri != null && uri.length() != 0 && uri.charAt(0) == '#') { |
82 if (uri != null && uri.length() != 0 && uri.charAt(0) == '#') { |
78 String id = uri.substring(1); |
83 String id = uri.substring(1); |
79 |
84 |
80 if (id.startsWith("xpointer(id(")) { |
85 if (id.startsWith("xpointer(id(")) { |
81 int i1 = id.indexOf('\''); |
86 int i1 = id.indexOf('\''); |
82 int i2 = id.indexOf('\'', i1+1); |
87 int i2 = id.indexOf('\'', i1+1); |
83 id = id.substring(i1+1, i2); |
88 id = id.substring(i1+1, i2); |
84 } |
89 } |
85 |
90 |
86 Node referencedElem = dcc.getElementById(id); |
91 // check if element is registered by Id |
|
92 Node referencedElem = uriAttr.getOwnerDocument().getElementById(id); |
|
93 if (referencedElem == null) { |
|
94 // see if element is registered in DOMCryptoContext |
|
95 referencedElem = dcc.getElementById(id); |
|
96 } |
87 if (referencedElem != null) { |
97 if (referencedElem != null) { |
88 if (secVal) { |
98 if (secVal && Policy.restrictDuplicateIds()) { |
89 Element start = referencedElem.getOwnerDocument().getDocumentElement(); |
99 Element start = referencedElem.getOwnerDocument().getDocumentElement(); |
90 if (!XMLUtils.protectAgainstWrappingAttack(start, (Element)referencedElem, id)) { |
100 if (!XMLUtils.protectAgainstWrappingAttack(start, (Element)referencedElem, id)) { |
91 String error = "Multiple Elements with the same ID " + id + " were detected"; |
101 String error = "Multiple Elements with the same ID " |
|
102 + id + " detected when secure validation" |
|
103 + " is enabled"; |
92 throw new URIReferenceException(error); |
104 throw new URIReferenceException(error); |
93 } |
105 } |
94 } |
106 } |
95 |
107 |
96 XMLSignatureInput result = new XMLSignatureInput(referencedElem); |
108 XMLSignatureInput result = new XMLSignatureInput(referencedElem); |
108 } |
120 } |
109 } |
121 } |
110 |
122 |
111 try { |
123 try { |
112 ResourceResolver apacheResolver = |
124 ResourceResolver apacheResolver = |
113 ResourceResolver.getInstance(uriAttr, baseURI, secVal); |
125 ResourceResolver.getInstance(uriAttr, baseURI, false); |
114 XMLSignatureInput in = apacheResolver.resolve(uriAttr, |
126 XMLSignatureInput in = apacheResolver.resolve(uriAttr, |
115 baseURI, secVal); |
127 baseURI, false); |
116 if (in.isOctetStream()) { |
128 if (in.isOctetStream()) { |
117 return new ApacheOctetStreamData(in); |
129 return new ApacheOctetStreamData(in); |
118 } else { |
130 } else { |
119 return new ApacheNodeSetData(in); |
131 return new ApacheNodeSetData(in); |
120 } |
132 } |
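Review bot: The two resolver calls at new lines 125-127 now pass a literal `false` where `secVal` was passed before, so with secure validation enabled the only remaining gate on external references is the `Policy.restrictReferenceUriScheme(uri)` check at new line 76. That check receives the raw `uri` and not `baseURI`; if it decides on the scheme of `uri` alone (the Policy class is not shown here), a relative reference with no scheme would pass it and then be resolved against whatever `baseURI` the context carries. I would either run the policy check on the reference after it has been resolved against `baseURI`, or state the assumption at the call site, e.g. `// secure validation is enforced above via Policy; the resolver's own restrictions are deliberately off`. The enclosing method starts and ends outside the visible hunks, so a null check on `uriAttr` before `uriAttr.getOwnerDocument()` at new line 92 may exist but cannot be confirmed from here.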