Bug 38655 - Canonicalizer gets exception in many namespaces.
Summary: Canonicalizer gets exception in many namespaces.
Status: RESOLVED FIXED
Alias: None
Product: Security - Now in JIRA
Classification: Unclassified
Component: Canonicalization
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: XML Security Developers Mailing List
Reported: 2006-02-15 13:51 UTC by katoy
Modified: 2007-10-23 08:41 UTC

Description katoy 2006-02-15 13:51:01 UTC
Version: java xml-security 1.3.0.
OS:      all (actually, I am using Windows-XP)

- Problem
 when xml data has many namespaces, Canonicalizer#canonicalizeSubtree() throws
exception.

- Reproduce:
[java code]
  public static String toString(final Node n) throws Exception {
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    Canonicalizer c14n =
        Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
    byte[] serBytes = c14n.canonicalizeSubtree(n);
    ...
  }

[using XML data]
  <?xml version="1.0"?>
  <wiki
      xmlns:generated-command="http://foo.com/command"
    xmlns:generated-event="http://foo.com/event"
    xmlns:command="http://foo.com/command"
    xmlns:ui="http://foo.com/ui"
    xmlns:event="http://foo.com/event"
    xmlns:instruction="http://foo/instruction"
    xmlns:directory="http://foo.com/io/directory"
    xmlns:function="http://foo.com/function"
    xmlns="http://www.w3.org/1999/xhtml"
    xmlns:ctrl="http://foo.com/controls"
    xmlns:wiki="http://foo.com/samples/wiki">
  <wiki:content>
    <wiki:paragraph />
  </wiki:content>
</wiki>

- Result
 java.lang.ArrayIndexOutOfBoundsException: 23
    at org.apache.xml.security.c14n.implementations.SymbMap.index(Unknown Source)
    at org.apache.xml.security.c14n.implementations.SymbMap.get(Unknown Source)
    at org.apache.xml.security.c14n.implementations.NameSpaceSymbTable.addMappingAndRender(Unknown Source)
    at org.apache.xml.security.c14n.implementations.Canonicalizer20010315.handleAttributesSubtree(Unknown Source)
    at org.apache.xml.security.c14n.implementations.CanonicalizerBase.canonicalizeSubTree(Unknown Source)
    at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(Unknown Source)
    at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(Unknown Source)
    at org.apache.xml.security.c14n.Canonicalizer.canonicalizeSubtree(Unknown Source)
    ...

- My Solution
xml-security-1_3_0\src\org\apache\xml\security\c14n\implementations\NameSpaceSymbTable.java
line 359,

protected int index(Object obj) {
  Object[] set = keys;
  int length = set.length;
  //abs of index
  int index = (obj.hashCode() & 0x7fffffff) % length;
  Object cur = set[index];
  
  if (cur == null || (cur.equals( obj))) {
    return index;
  }
  do {
    index=index==length? 0:++index;  // <--- Why ?
    cur = set[index];
  } while (cur != null && (!cur.equals(obj)));
  return index;
}

When "index == length-1", "index==length? 0:++index" evaluates to length;
it is OutOfBounds!
I edited the code to "(index+1) % length", and it works well.
Comment 1 Raul Benito 2006-04-07 16:31:08 UTC
Thanks for pointing out the problem. Your solution was good, but it will be slow
in a loop (division is a slow operation on several architectures).

It is now fixed in SVN.

Comment 2 Raul Benito 2006-08-06 18:04:10 UTC
Closing old bugs.
Comment 3 Francesca Merighi 2007-10-16 02:47:48 UTC
Same bug appears in jre 1.6.0_03 and previous. Any suggestion?
Comment 4 Raul Benito 2007-10-16 03:05:13 UTC
Can you post an example of the problem? The tests are working for this case.

Regards,
Comment 5 Francesca Merighi 2007-10-18 08:22:27 UTC
- Environment: Java version: 1.6.0_03 (suspected on all OS, but currently
tested on Windows XP)

- Problem: when signing an XML document with more than one namespace, XML
Signature throws an exception caused by the Canonicalizer

- Reproduce:

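import java.io.FileInputStream;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class CanonicalizerTest {
	public static void main(String args[]) throws Exception {
		// Parse the input file (args[0]) with namespace support enabled.
		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
		dbf.setNamespaceAware(true);
		Document doc = dbf.newDocumentBuilder().parse(
				new FileInputStream(args[0]));
		XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
		DigestMethod digestMethod = fac.newDigestMethod(
				"http://www.w3.org/2000/09/xmldsig#sha1", null);

		// Canonical XML 1.0 (without comments), RSA-SHA1, one reference to the whole document.
		SignedInfo signedInfo = fac.newSignedInfo(
				fac.newCanonicalizationMethod(
						"http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
						(C14NMethodParameterSpec) null),
				fac.newSignatureMethod(
						"http://www.w3.org/2000/09/xmldsig#rsa-sha1", null),
				Collections.singletonList(fac.newReference("", digestMethod, null,
						"http://www.w3.org/2000/09/xmldsig#object", null)));

		// Sign with a freshly generated RSA key; the exception is thrown during sign().
		DOMSignContext signContext = new DOMSignContext(
				KeyPairGenerator.getInstance("RSA").generateKeyPair().getPrivate(),
				doc.getDocumentElement());
		fac.newXMLSignature(signedInfo, null).sign(signContext);
	}
}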

With XML input:

<?xml version="1.0"?>
  <wiki
      xmlns:generated-command="http://foo.com/command"
    xmlns:generated-event="http://foo.com/event"
    xmlns:command="http://foo.com/command"
    xmlns:ui="http://foo.com/ui"
    xmlns:event="http://foo.com/event"
    xmlns:instruction="http://foo/instruction"
    xmlns:directory="http://foo.com/io/directory"
    xmlns:function="http://foo.com/function"
    xmlns="http://www.w3.org/1999/xhtml"
    xmlns:ctrl="http://foo.com/controls"
    xmlns:wiki="http://foo.com/samples/wiki">
  <wiki:content>
    <wiki:paragraph />
  </wiki:content>
</wiki>

- Result:

Exception in thread "main" javax.xml.crypto.dsig.XMLSignatureException: java.lang.ArrayIndexOutOfBoundsException: 23
	at org.jcp.xml.dsig.internal.dom.DOMReference.transform(Unknown Source)
	at org.jcp.xml.dsig.internal.dom.DOMReference.digest(Unknown Source)
	at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(Unknown Source)
	at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(Unknown Source)
	at CanonicalizerTest.main(CanonicalizerTest.java:32)
Caused by: java.lang.ArrayIndexOutOfBoundsException: 23
	at com.sun.org.apache.xml.internal.security.c14n.implementations.SymbMap.index(Unknown Source)
	at com.sun.org.apache.xml.internal.security.c14n.implementations.SymbMap.get(Unknown Source)
	at com.sun.org.apache.xml.internal.security.c14n.implementations.NameSpaceSymbTable.addMappingAndRender(Unknown Source)
	at com.sun.org.apache.xml.internal.security.c14n.implementations.Canonicalizer20010315.handleAttributesSubtree(Unknown Source)
	at com.sun.org.apache.xml.internal.security.c14n.implementations.CanonicalizerBase.canonicalizeSubTree(Unknown Source)
	at com.sun.org.apache.xml.internal.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(Unknown Source)
	at com.sun.org.apache.xml.internal.security.c14n.implementations.CanonicalizerBase.engineCanonicalize(Unknown Source)
	at com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput.updateOutputStream(Unknown Source)
	... 5 more


This bug is critical for XML Signature: I've submitted it to Java Developer
Bug Report too.
Comment 6 sean.mullan 2007-10-22 11:40:59 UTC
(In reply to comment #5)
> - Environment: Java version: 1.6.0_03 (suspected on all OS, but currently 
> tested on Windows XP)
> 
> This bug is critical for XML Signature: I've submitted it to Java Developer
> Bug Report too.

This bug has been fixed in the Apache 1.4 release of XMLSec. It has not been
fixed in Sun's implementation that is bundled with JDK 6 (which is based on
Apache XMLSec 1.3). So you are correct to report it via Sun's JDC, however I am
changing this back to closed as it is fixed in the Apache 1.4 release.

Comment 7 Francesca Merighi 2007-10-23 08:41:14 UTC
Thank you very much, 
Best Regards