Details
- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Java 2.1.4
- None
Description
In org.apache.xml.security.signature.XMLSignature's parsing constructor, it looks like ds:KeyInfo elements are processed twice: first as KeyInfo as expected, but then a second time as if it were a ds:Object.
Around line 533 in the current trunk:
    Element keyInfoElem = XMLUtils.getNextElement(signatureValueElement.getNextSibling());

    // If it exists use it, but it's not mandatory
    if (keyInfoElem != null ....
    }

    // <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/>
    Element objectElem = XMLUtils.getNextElement(signatureValueElement.getNextSibling());
Note that objectElem is derived in exactly the same way as keyInfoElem, as the next sibling of the signatureValueElement.
Again, it looks to me as if this means that any KeyInfo element will be additionally processed as if it were a ds:Object. The subsequent code doesn't bother to check the element's name (which is perhaps a separate concern) and instead examines every child element to see if their names are one of a couple of different specific strings without regard to namespace (only the local part of the name is compared).
This seems unintended, and in principle undesirable. I can't think of a way offhand to build an exploit around this behaviour, but perhaps someone with more imagination could...
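The following is an added, self-contained illustration of the sibling-walk problem described in this report; it is not code from Apache Santuario and not the project's actual fix. It builds a constructed ds:Signature skeleton, reproduces the reported pattern (both lookups start from the node after SignatureValue, so a present KeyInfo is picked up again as the "Object"), and contrasts it with a walk that consumes KeyInfo first, continues from the node after it, and checks both namespace and local name before treating an element as ds:Object. The nextElement helper is a hypothetical stand-in for XMLUtils.getNextElement.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class SiblingWalkDemo {
    static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample input: minimal Signature skeleton with one KeyInfo followed by one Object.
    static final String SAMPLE =
          "<ds:Signature xmlns:ds=\"" + DS_NS + "\">"
        + "<ds:SignedInfo/>"
        + "<ds:SignatureValue>AAAA</ds:SignatureValue>"
        + "<ds:KeyInfo><ds:KeyName>k1</ds:KeyName></ds:KeyInfo>"
        + "<ds:Object Id=\"o1\"/>"
        + "</ds:Signature>";

    // Hypothetical stand-in for XMLUtils.getNextElement: skip non-element siblings starting at n.
    static Element nextElement(Node n) {
        while (n != null && n.getNodeType() != Node.ELEMENT_NODE) {
            n = n.getNextSibling();
        }
        return (Element) n;
    }

    // Namespace-aware name check: both the XML-DSig namespace and the local name must match.
    static boolean isDs(Element e, String local) {
        return e != null && DS_NS.equals(e.getNamespaceURI()) && local.equals(e.getLocalName());
    }

    static String localName(Element e) {
        return e == null ? "null" : e.getLocalName();
    }

    // Mirrors the reported pattern: both lookups start from SignatureValue's next sibling,
    // so when KeyInfo is present it is returned a second time as the "Object" element.
    static String buggyWalk(Element sigValue) {
        Element keyInfo = nextElement(sigValue.getNextSibling());
        Element objectElem = nextElement(sigValue.getNextSibling());
        return "keyInfo=" + localName(keyInfo) + " objectElem=" + localName(objectElem);
    }

    // Corrected walk (illustration only, not the project's patch): consume KeyInfo if present,
    // resume from the element after it, and accept only real ds:Object elements afterwards.
    static String fixedWalk(Element sigValue) {
        Element cursor = nextElement(sigValue.getNextSibling());
        Element keyInfo = null;
        if (isDs(cursor, "KeyInfo")) {
            keyInfo = cursor;
            cursor = nextElement(cursor.getNextSibling());
        }
        StringBuilder objects = new StringBuilder();
        while (cursor != null) {
            if (!isDs(cursor, "Object")) {
                throw new IllegalArgumentException(
                    "unexpected element after SignatureValue: " + cursor.getLocalName());
            }
            objects.append(cursor.getAttribute("Id")).append(' ');
            cursor = nextElement(cursor.getNextSibling());
        }
        return "keyInfo=" + localName(keyInfo) + " objects=" + objects.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Parsing hardening for the demo: no DOCTYPE, so no entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        Element sigValue = (Element) doc.getElementsByTagNameNS(DS_NS, "SignatureValue").item(0);
        System.out.println("buggy: " + buggyWalk(sigValue));
        System.out.println("fixed: " + fixedWalk(sigValue));
    }
}
```

Running the demo prints the KeyInfo element as both results of the buggy walk, while the corrected walk reports KeyInfo once and then only the genuine ds:Object. The point of the namespace check in isDs is the second concern raised above: comparing only the local name would let an element from an unrelated namespace satisfy the match.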