This is an automated email from the ASF dual-hosted git repository. billblough pushed a commit to branch RAMPART-252 in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
commit 609035130e561170310bbfedafa526ba044c430a Merge: f20bf07 465a881 Author: Andreas Veithen <veit...@apache.org> AuthorDate: Sun Jan 29 15:06:54 2017 +0000 Merge r1052172 from trunk. .../rampart/PolicyBasedResultsValidator.java | 46 ++++++++++++++++------ .../java/org/apache/rampart/util/Axis2Util.java | 4 +- 2 files changed, 36 insertions(+), 14 deletions(-) diff --cc modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java index 5f4ddff,24db745..f362f26 --- a/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java +++ b/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java @@@ -556,44 -554,36 +557,62 @@@ public class PolicyBasedResultsValidato // Find elements that are signed Vector actuallySigned = new Vector(); - if (actionResults != null) { + if (actionResults != null) { + + AlgorithmSuite suite = rpd.getAlgorithmSuite(); + for (int j = 0; j < actionResults.length; j++) { + WSSecurityEngineResult actionResult = actionResults[j]; + + // Validate signature algorithms + String sigMethod = null; + String canonMethod = null; + sigMethod = (String) actionResult.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD); + canonMethod = (String) actionResult + .get(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD); + + if (sigMethod == null || canonMethod == null) { + throw new RampartException("algorithmNotFound"); + } + // Check whether signature algorithm is correct + if (!(sigMethod.equals(suite.getAsymmetricSignature()) || sigMethod.equals(suite + .getSymmetricSignature()))) { + throw new RampartException("invalidAlgorithm", new String[] { + suite.getAsymmetricSignature(), sigMethod }); + } + // Check whether the canonicalization algorithm is correct + if (!canonMethod.equals(suite.getInclusiveC14n())) { + throw new RampartException("invalidAlgorithm", new String[] { + suite.getInclusiveC14n(), canonMethod }); + } + - Set signedIDs = (Set) actionResult - 
.get(WSSecurityEngineResult.TAG_SIGNED_ELEMENT_IDS); - for (Iterator i = signedIDs.iterator(); i.hasNext();) { - String e = (String) i.next(); - - Element element = WSSecurityUtil.findElementById(envelope, e, - WSConstants.WSU_NS); - actuallySigned.add(element); + List wsDataRefs = (List)actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS); + + // if header was encrypted before it was signed, protected + // element is 'EncryptedHeader.' the actual element is + // first child element + + for (Iterator k = wsDataRefs.iterator(); k.hasNext();) { + WSDataRef wsDataRef = (WSDataRef)k.next(); + Element protectedElement = wsDataRef.getProtectedElement(); + if (protectedElement.getLocalName().equals("EncryptedHeader")) { + NodeList nodeList = protectedElement.getChildNodes(); + for (int x = 0; x < nodeList.getLength(); x++) { + if (nodeList.item(x).getNodeType() == Node.ELEMENT_NODE) { + String ns = ((Element)nodeList.item(x)).getNamespaceURI(); + String ln = ((Element)nodeList.item(x)).getLocalName(); + actuallySigned.add(new QName(ns,ln)); + break; + } + } + } else { + String ns = protectedElement.getNamespaceURI(); + String ln = protectedElement.getLocalName(); + actuallySigned.add(new QName(ns,ln)); + } } + } }
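Review bot: The unwrapping of EncryptedHeader in the new loop over `wsDataRefs` keys on `protectedElement.getLocalName().equals("EncryptedHeader")` alone, so any signed element with that local name in an arbitrary namespace is treated as a wrapper and its first child element is recorded as "actually signed"; the check should also require the WS-Security 1.1 namespace, e.g. `if (WSConstants.WSSE11_NS.equals(protectedElement.getNamespaceURI()) && "EncryptedHeader".equals(protectedElement.getLocalName()))`. The same loop dereferences `wsDataRefs` and `protectedElement` without null checks, and if WSS4J omits `TAG_DATA_REF_URIS` for some result types this throws an NPE instead of a `RampartException`, which callers presumably handle differently. The asymmetric/symmetric signature check accepts either algorithm but the `invalidAlgorithm` message reports only `suite.getAsymmetricSignature()`, which is misleading when the symmetric one was expected. The enclosing method starts outside this hunk and `suite` is only used when `rpd.getAlgorithmSuite()` is non-null, which the hunk does not verify.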