Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
Java 1.4.4
-
Security Level: Public (Public issues, viewable by everyone)
-
None
Description
Various places call String.getBytes() without any encoding. This allows the JRE to use the "plattform" encoding, which can be any (even ISO-8859-1/UTF-8 totally incompatible) encoding - there are such JVMs out there.
This XML header implicates, that the following bytes stream is in UTF-8, therefore the header must be UTF-8 too:
diff --git a/src/org/apache/xml/security/utils/XMLUtils.java b/src/org/apache/xml/security/utils/XMLUtils.java
— a/src/org/apache/xml/security/utils/XMLUtils.java
+++ b/src/org/apache/xml/security/utils/XMLUtils.java
@@ -153,7 +153,7 @@ public class XMLUtils {
try {
if (addPreamble)
os.write(
RFC 2617 does not specify an encoding for the hashed password, but in practice they are in an ASCII compatible encoding (http://stackoverflow.com/questions/702629/utf-8-characters-mangled-in-http-basic-auth-username):
diff --git a/src/org/apache/xml/security/utils/resolver/implementations/ResolverDirectHTTP.java b/src/org/apache/xml/security/utils/resolver/implementations/ResolverDirectHTTP.java
— a/src/org/apache/xml/security/utils/resolver/implementations/ResolverDirectHTTP.java
+++ b/src/org/apache/xml/security/utils/resolver/implementations/ResolverDirectHTTP.java
@@ -161,7 +161,7 @@ public class ResolverDirectHTTP extends ResourceResolverSpi {
if ((proxyUser != null) && (proxyPass != null)) {
String password = proxyUser + ":" + proxyPass;
- String encodedPassword = Base64.encode(password.getBytes());
+ String encodedPassword = Base64.encode(password.getBytes("ISO-8859-1"));
// or was it Proxy-Authenticate ?
urlConnection.setRequestProperty("Proxy-Authorization",
@@ -190,7 +190,7 @@ public class ResolverDirectHTTP extends ResourceResolverSpi {
String password = user + ":" + pass;
String encodedPassword =
- Base64.encode(password.getBytes());
+ Base64.encode(password.getBytes("ISO-8859-1"));
// set authentication property in the http header
urlConnection.setRequestProperty("Authorization",
KANonce/OAEPparms are set/returned by the API as byte[] - internally they are converted to/from a string without specifing an encoding.
Therefore the result is platform dependant. I suggest specifying UTF-8, as UTF-8 is probably used on most plattforms:
diff --git a/src/org/apache/xml/security/encryption/XMLCipher.java b/src/org/apache/xml/security/encryption/XMLCipher.java
— a/src/org/apache/xml/security/encryption/XMLCipher.java
+++ b/src/org/apache/xml/security/encryption/XMLCipher.java
@@ -976,7 +976,7 @@ public class XMLCipher
logger.debug("Actual cipher.outputSize = " +
Integer.toString(encryptedBytes.length));
@@ -2042,7 +2042,11 @@ public class XMLCipher {
EncryptionConstants.EncryptionSpecNS,
EncryptionConstants._TAG_KA_NONCE).item(0);
if (null != kaNonceElement) {
- result.setKANonce(kaNonceElement.getNodeValue().getBytes());
+ try { + result.setKANonce(kaNonceElement.getNodeValue().getBytes("UTF-8")); + }catch(UnsupportedEncodingException e)
{ + throw new XMLEncryptionException("UTF-8 not supported", e); + }}
// TODO: ///////////////////////////////////////////////////////////
// Figure out how to make this pesky line work..
@@ -2411,8 +2415,12 @@ public class XMLCipher {
EncryptionConstants.EncryptionSpecNS,
EncryptionConstants._TAG_OAEPPARAMS).item(0);
if (null != oaepParamsElement) { - result.setOAEPparams(
- oaepParamsElement.getNodeValue().getBytes());
+ try { + result.setOAEPparams( + oaepParamsElement.getNodeValue().getBytes("UTF-8")); + }catch(UnsupportedEncodingException e)
{ + throw new RuntimeException("UTF-8 not supported", e); + }}
// TODO: Make this mess work
@@ -2743,11 +2751,15 @@ public class XMLCipher {
result.setAttributeNS(
null, EncryptionConstants._ATT_ALGORITHM, algorithmURI);
if (null != kaNonce) {
- result.appendChild(
- XMLUtils.createElementInEncryptionSpace(
- _contextDocument,
- EncryptionConstants._TAG_KA_NONCE)).appendChild(
- _contextDocument.createTextNode(new String(kaNonce)));
+ try { + result.appendChild( + XMLUtils.createElementInEncryptionSpace( + _contextDocument, + EncryptionConstants._TAG_KA_NONCE)).appendChild( + _contextDocument.createTextNode(new String(kaNonce, "UTF-8"))); + }catch(UnsupportedEncodingException e)
{ + throw new RuntimeException("UTF-8 not supported", e); + }
}
if (!agreementMethodInformation.isEmpty()) {
Iterator itr = agreementMethodInformation.iterator();
@@ -3428,11 +3440,15 @@ public class XMLCipher { String.valueOf(keySize)))); }
if (null != oaepParams) {
- result.appendChild(
- XMLUtils.createElementInEncryptionSpace(_contextDocument,
- EncryptionConstants._TAG_OAEPPARAMS).appendChild(
- _contextDocument.createTextNode(
- new String(oaepParams))));
+ try { + result.appendChild( + XMLUtils.createElementInEncryptionSpace(_contextDocument, + EncryptionConstants._TAG_OAEPPARAMS).appendChild( + _contextDocument.createTextNode( + new String(oaepParams, "UTF-8")))); + } catch(UnsupportedEncodingException e) {+ throw new RuntimeException("UTF-8 not supported", e);+ }}
Iterator itr = encryptionMethodInformation.iterator();
while (itr.hasNext()) {
The default encoding for an XML file is UTF-8 - make behaviour consistant for all plattforms:
diff --git a/src/org/apache/xml/security/signature/XMLSignatureInput.java b/src/org/apache/xml/security/signature/XMLSignatureInput.java
— a/src/org/apache/xml/security/signature/XMLSignatureInput.java
+++ b/src/org/apache/xml/security/signature/XMLSignatureInput.java
@@ -147,7 +147,11 @@ public class XMLSignatureInput implements Cloneable {
- @param inputStr the input String which including XML document or node
*/
public XMLSignatureInput(String inputStr) {
- this(inputStr.getBytes());
+ try { + this.bytes = inputStr.getBytes("UTF-8"); + }catch(UnsupportedEncodingException e)
{ + throw new RuntimeException("UTF-8 not supported", e); + }}
/**
@@ -614,9 +618,9 @@ public class XMLSignatureInput implements Cloneable {
// if a not-wellformed nodeset exists, put a container around it...
ByteArrayOutputStream baos = new ByteArrayOutputStream();
- baos.write("<container>".getBytes());
+ baos.write("<container>".getBytes("UTF-8"));
baos.write(this.getBytes()); - baos.write("</container>".getBytes());
+ baos.write("</container>".getBytes("UTF-8"));
byte result[] = baos.toByteArray();
Document document = db.parse(new ByteArrayInputStream(result));