[#730] Bump xml-sec 2.1.7 -> 3.0.4 (#732)

* [#730] Bump xml-sec 2.1.7 -> 2.2.6

Direct vulnerabilities:
CVE-2023-44483

Vulnerabilities from dependencies:
CVE-2023-36479
CVE-2023-33202
CVE-2023-33201
CVE-2023-26049
CVE-2023-26048
CVE-2022-40156
CVE-2022-40155
CVE-2022-40154
CVE-2022-40153
CVE-2022-40152
CVE-2022-34169
CVE-2022-23437
CVE-2021-34428
CVE-2021-28169
CVE-2021-28165
CVE-2020-27223
CVE-2020-27218
CVE-2020-14338

* <artifactId>xmlsec</artifactId><version>3.0.4</version>

* error: package javax.xml.bind.annotation does not exist

Author: vharseko

openam-federation/OpenFM/src/main/java/com/sun/identity/wss/security/KeyIdentifier.java

@@ -32,6 +32,8 @@
 import java.security.cert.X509Certificate;
 import javax.xml.transform.TransformerException;
 import java.util.ResourceBundle;
+
+import com.sun.identity.saml.xmlsig.AMSignatureProvider;
 import org.w3c.dom.Element;
 import org.w3c.dom.Document;
 import org.w3c.dom.Text;
@@ -186,8 +188,7 @@ public Element getTokenElement(Document doc) throws SecurityException {
                       doc,  "//*[@ID=\"" + value + "\"]");
             } else {
                Element nscontext =
-                   org.apache.xml.security.utils.
-                   XMLUtils.createDSctx(doc, WSSConstants.WSU_TAG,
+                       AMSignatureProvider.createDSctx(doc, WSSConstants.WSU_TAG,
                                         WSSConstants.WSU_NS);
                tokenElement =  (Element) XPathAPI.selectSingleNode(
                      doc,  "//*[@" + "wsu:Id" + "=\"" + value + "\"]");

openam-federation/OpenFM/src/main/java/com/sun/identity/wss/security/STRTransform.java

@@ -29,7 +29,9 @@
 
 package com.sun.identity.wss.security;
 
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.OutputStream;
 import java.security.cert.X509Certificate;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -44,6 +46,9 @@
 import org.apache.xml.security.transforms.TransformationException;
 import org.apache.xml.security.keys.content.X509Data;
 import com.sun.identity.shared.xml.XMLUtils;
+import org.xml.sax.SAXException;
+
+import javax.xml.parsers.ParserConfigurationException;
 
 /**
  * This class <code>STRTransform</code> extends from <code>TransformSpi</code>
@@ -67,13 +72,64 @@ public class STRTransform extends TransformSpi {
        }
     }
 
+
+
     /**
      * Returns the transformation engine URI.
      */
     protected String engineGetURI() {
         return STR_TRANSFORM_URI;
     }
 
+    @Override
+    protected XMLSignatureInput enginePerformTransform(XMLSignatureInput input, OutputStream outputStream, Element element, String s, boolean b) throws IOException, CanonicalizationException, InvalidCanonicalizerException, TransformationException, ParserConfigurationException, SAXException {
+        WSSUtils.debug.message("STRTransform.enginePerformTransform:: Start");
+        //Document doc = transformObject.getDocument();
+        Element str = null;
+        if(input.isElement()) {
+        } else {
+            WSSUtils.debug.error("STRTransform.enginePerformTransform:: Input" +
+                    " is not an element");
+            throw new  CanonicalizationException(
+                    WSSUtils.bundle.getString("invalidElement"));
+        }
+        //Element element = (Element)input.getSubNode();
+        if(!WSSConstants.TAG_SECURITYTOKEN_REFERENCE.equals(
+                element.getLocalName())) {
+            WSSUtils.debug.error("STRTransform.enginePerformTransform:: input" +
+                    " must be security token reference");
+            throw new IOException(
+                    WSSUtils.bundle.getString("invalidElement"));
+        }
+        Element dereferencedToken = null;
+        SecurityTokenReference ref = null;
+        try {
+            ref = new SecurityTokenReference(element);
+            //dereferencedToken = dereferenceSTR(doc, ref);
+            dereferencedToken=element;
+        } catch (SecurityException se) {
+            WSSUtils.debug.error("STRTransform.enginePerformTransform:: error",
+                    se);
+            throw new TransformationException(
+                    WSSUtils.bundle.getString("transformfailed"));
+        }
+        String canonAlgo = s;//getCanonicalizationAlgo(transformObject);
+        Canonicalizer canon = Canonicalizer.getInstance(canonAlgo);
+        ByteArrayOutputStream os=new ByteArrayOutputStream();
+        canon.canonicalizeSubtree(dereferencedToken, "#default",os);
+        StringBuffer bf = new StringBuffer(new String(os.toByteArray()));
+        String bf1 = bf.toString();
+
+        int lt = bf1.indexOf("<");
+        int gt = bf1.indexOf(">");
+        int idx = bf1.indexOf(XMLNS);
+        if (idx < 0 || idx > gt) {
+            idx = bf1.indexOf(" ");
+            bf.insert(idx + 1, "xmlns=\"\" ");
+            bf1 = bf.toString();
+        }
+        return new XMLSignatureInput(bf1.getBytes());
+    }
     /**
      * Perform the XMLSignature transformation for the given input.
      */
@@ -112,8 +168,9 @@ protected XMLSignatureInput enginePerformTransform(XMLSignatureInput input, Tran
         }
         String canonAlgo = getCanonicalizationAlgo(transformObject);
         Canonicalizer canon = Canonicalizer.getInstance(canonAlgo);
-        byte[] buf = canon.canonicalizeSubtree(dereferencedToken, "#default");
-        StringBuffer bf = new StringBuffer(new String(buf));
+        ByteArrayOutputStream os=new ByteArrayOutputStream();
+        canon.canonicalizeSubtree(dereferencedToken, "#default",os);
+        StringBuffer bf = new StringBuffer(new String(os.toByteArray()));
         String bf1 = bf.toString();
 
         int lt = bf1.indexOf("<");

openam-federation/OpenFM/src/main/java/com/sun/identity/wss/security/SecurityTokenReference.java

@@ -31,6 +31,8 @@
 
 import java.util.ResourceBundle;
 import javax.xml.transform.TransformerException;
+
+import com.sun.identity.saml.xmlsig.AMSignatureProvider;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
@@ -238,9 +240,8 @@ public Element getTokenElement(Document doc) throws SecurityException {
                tokenElement = (Element) XPathAPI.selectSingleNode(
                       doc,  "//*[@ID=\"" + uri + "\"]");
             } else {
-               Element nscontext =  
-                   org.apache.xml.security.utils.
-                   XMLUtils.createDSctx(doc, WSSConstants.WSU_TAG, 
+               Element nscontext =
+                       AMSignatureProvider.createDSctx(doc, WSSConstants.WSU_TAG,
                                         WSSConstants.WSU_NS);
                tokenElement =  (Element) XPathAPI.selectSingleNode(
                      doc,  "//*[@" + "wsu:Id" + "=\"" + uri + "\"]");

openam-federation/OpenFM/src/main/java/com/sun/identity/wss/security/WSSUtils.java

@@ -30,6 +30,7 @@
 package com.sun.identity.wss.security;
 
 import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
 import java.util.Set;
 import java.util.Collection;
 import java.util.ResourceBundle;
@@ -1108,10 +1109,11 @@ public static Element getCanonicalElement(Node node) {
         try {
             Canonicalizer c14n = Canonicalizer.getInstance(
                 "http://www.w3.org/2001/10/xml-exc-c14n#");
-            byte outputBytes[] = c14n.canonicalizeSubtree(node);
+            ByteArrayOutputStream os=new ByteArrayOutputStream();
+            c14n.canonicalizeSubtree(node,os);
             DocumentBuilder documentBuilder = XMLUtils.getSafeDocumentBuilder(false);
             Document doc = documentBuilder.parse(
-                new ByteArrayInputStream(outputBytes));
+                new ByteArrayInputStream(os.toByteArray()));
             Element result = doc.getDocumentElement();
             return result;
         } catch (Exception e) {

openam-federation/OpenFM/src/main/java/com/sun/identity/wss/xmlsig/WSSSignatureProvider.java

@@ -196,8 +196,7 @@ public org.w3c.dom.Element signWithSAMLToken(
                            WSSUtils.bundle.getString("invalidalgorithm"));
               }
             }
-            Element wsucontext = org.apache.xml.security.utils.
-                    XMLUtils.createDSctx(doc, "wsu", WSSConstants.WSU_NS);
+            Element wsucontext = AMSignatureProvider.createDSctx(doc, "wsu", WSSConstants.WSU_NS);
 
             NodeList wsuNodes = (NodeList)XPathAPI.selectNodeList(doc,
                     "//*[@wsu:Id]", wsucontext);
@@ -429,8 +428,7 @@ private org.w3c.dom.Element signWithBinarySecurityToken(
                            SAMLUtils.bundle.getString("invalidalgorithm"));
             }
 
-            Element wsucontext = org.apache.xml.security.utils.
-                XMLUtils.createDSctx(doc, "wsu", WSSConstants.WSU_NS);
+            Element wsucontext = AMSignatureProvider.createDSctx(doc, "wsu", WSSConstants.WSU_NS);
 
             NodeList wsuNodes = (NodeList)XPathAPI.selectNodeList(doc,
                     "//*[@wsu:Id]", wsucontext);
@@ -575,8 +573,7 @@ public boolean verifyWSSSignature(org.w3c.dom.Document doc,
         }
 
         try {
-            Element wsucontext = org.apache.xml.security.utils.
-                    XMLUtils.createDSctx(doc, "wsu", WSSConstants.WSU_NS);
+            Element wsucontext = AMSignatureProvider.createDSctx(doc, "wsu", WSSConstants.WSU_NS);
 
             NodeList wsuNodes = (NodeList)XPathAPI.selectNodeList(doc,
                     "//*[@wsu:Id]", wsucontext);
@@ -603,8 +600,7 @@ public boolean verifyWSSSignature(org.w3c.dom.Document doc,
                 }
             }
 
-            Element nscontext = org.apache.xml.security.utils.
-                  XMLUtils.createDSctx (doc,"ds",Constants.SignatureSpecNS);
+            Element nscontext = AMSignatureProvider.createDSctx (doc,"ds",Constants.SignatureSpecNS);
             NodeList sigElements = XPathAPI.selectNodeList (doc,
                 "//ds:Signature", nscontext);
             int sigElementsLength = sigElements.getLength();
@@ -733,8 +729,7 @@ private PublicKey getPublicKeyFromWSSToken(Document doc) {
                return null;
             }
 
-            Element nscontext = org.apache.xml.security.utils.
-                XMLUtils.createDSctx(doc,"ds",Constants.SignatureSpecNS);
+            Element nscontext = AMSignatureProvider.createDSctx(doc,"ds",Constants.SignatureSpecNS);
             Element sigElement = (Element) XPathAPI.selectSingleNode(
                           securityElement, "ds:Signature[1]", nscontext);
 
@@ -750,8 +745,7 @@ private PublicKey getPublicKeyFromWSSToken(Document doc) {
             if (reference != null) {
                 String id = reference.getAttribute(SAMLConstants.TAG_URI);
                 id = id.substring(1);
-                nscontext = org.apache.xml.security.utils.
-                    XMLUtils.createDSctx(doc,SAMLConstants.PREFIX_WSU,
+                nscontext = AMSignatureProvider.createDSctx(doc,SAMLConstants.PREFIX_WSU,
                                          WSSConstants.WSU_NS);
                 Node n = XPathAPI.selectSingleNode(
                     doc, "//*[@"+ SAMLConstants.PREFIX_WSU + ":" +
@@ -853,8 +847,7 @@ public org.w3c.dom.Element signWithKerberosToken(
                            SAMLUtils.bundle.getString("invalidalgorithm"));
             }
 
-            Element wsucontext = org.apache.xml.security.utils.
-                XMLUtils.createDSctx(doc, "wsu", WSSConstants.WSU_NS);
+            Element wsucontext = AMSignatureProvider.createDSctx(doc, "wsu", WSSConstants.WSU_NS);
 
             NodeList wsuNodes = (NodeList)XPathAPI.selectNodeList(doc,
                     "//*[@wsu:Id]", wsucontext);

openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml/common/SAMLUtils.java

@@ -31,6 +31,7 @@
 
 import static org.forgerock.openam.utils.Time.*;
 
+import java.io.*;
 import java.util.Collections;
 import java.util.Date;
 import java.util.Map;
@@ -45,10 +46,6 @@
 
 import java.text.StringCharacterIterator;
 import java.text.CharacterIterator;
-import java.io.UnsupportedEncodingException;
-import java.io.PrintWriter;
-import java.io.IOException;
-import java.io.ByteArrayInputStream;
 
 import java.security.MessageDigest;
 
@@ -1716,11 +1713,12 @@ public static Element getCanonicalElement(Node node) {
           try {
               Canonicalizer c14n = Canonicalizer.getInstance(
                   "http://www.w3.org/TR/2001/REC-xml-c14n-20010315");
-              byte outputBytes[] = c14n.canonicalizeSubtree(node);
-              DocumentBuilder documentBuilder = 
+              ByteArrayOutputStream os=new ByteArrayOutputStream();
+              c14n.canonicalizeSubtree(node,os);
+              DocumentBuilder documentBuilder =
                  XMLUtils.getSafeDocumentBuilder(false);
               Document doc = documentBuilder.parse(
-                  new ByteArrayInputStream(outputBytes));
+                  new ByteArrayInputStream(os.toByteArray()));
               Element result = doc.getDocumentElement();
               return result;
           } catch (Exception e) {

openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml/xmlsig/AMSignatureProvider.java

@@ -755,6 +755,17 @@ public Element signWithWSSSAMLTokenProfile(Document doc,
             ids, SOAPBindingConstants.WSF_10_VERSION);
     }
 
+    public static Element createDSctx(Document doc, String prefix, String namespace) {
+        if ((prefix == null) || (prefix.trim().length() == 0)) {
+            throw new IllegalArgumentException("You must supply a prefix");
+        }
+
+        Element ctx = doc.createElementNS(null, "namespaceContext");
+
+        ctx.setAttributeNS(Constants.NamespaceSpecNS, "xmlns:" + prefix.trim(), namespace);
+
+        return ctx;
+    }
     /**
      * Sign part of the xml document referered by the supplied a list
      * of id attributes of nodes
@@ -805,8 +816,7 @@ public Element signWithWSSSAMLTokenProfile(Document doc,
         XMLSignature signature = null;
         try {
             ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
-            Element wsucontext = org.apache.xml.security.utils.
-                      XMLUtils.createDSctx(doc, "wsu", wsuNS);
+            Element wsucontext = createDSctx(doc, "wsu", wsuNS);
             NodeList wsuNodes = (NodeList)XPathAPI.selectNodeList(doc,
                                 "//*[@wsu:Id]", wsucontext);
             if(wsuNodes != null && wsuNodes.getLength() != 0) {
@@ -945,8 +955,7 @@ public Element signWithWSSX509TokenProfile(Document doc,
         XMLSignature signature = null;
         try {
             ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
-            Element wsucontext = org.apache.xml.security.utils.
-                XMLUtils.createDSctx(doc, "wsu", wsuNS);
+            Element wsucontext = createDSctx(doc, "wsu", wsuNS);
             NodeList wsuNodes = (NodeList)XPathAPI.selectNodeList(doc,
                 "//*[@wsu:Id]", wsucontext);
             if ((wsuNodes != null) && (wsuNodes.getLength() != 0)) {
@@ -1073,7 +1082,7 @@ public boolean verifyXMLSignature(String wsfVersion, String certAlias,
                wsseNS = WSSEConstants.NS_WSSE_WSF11;
             }
 
-            Element wsucontext = org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "wsu", wsuNS);
+            Element wsucontext = createDSctx(doc, "wsu", wsuNS);
 
             NodeList wsuNodes = (NodeList) XPathAPI.selectNodeList(doc, "//*[@wsu:Id]", wsucontext);
 
@@ -1087,8 +1096,7 @@ public boolean verifyXMLSignature(String wsfVersion, String certAlias,
                 }
             }
 
-            Element nscontext = org.apache.xml.security.utils.
-                  XMLUtils.createDSctx (doc,"ds",Constants.SignatureSpecNS); 
+            Element nscontext = createDSctx (doc,"ds",Constants.SignatureSpecNS);
             NodeList sigElements = XPathAPI.selectNodeList (doc,  
                 "//ds:Signature", nscontext);    
 	    if (SAMLUtilsCommon.debug.messageEnabled()) {
@@ -1388,8 +1396,7 @@ public boolean verifyXMLSignature(Document doc,
                                       java.lang.String certAlias)
         throws XMLSignatureException {
         try {
-            Element nscontext = org.apache.xml.security.utils.
-                 XMLUtils.createDSctx(doc,"ds",Constants.SignatureSpecNS);
+            Element nscontext = createDSctx(doc,"ds",Constants.SignatureSpecNS);
             Element sigElement = (Element) XPathAPI.selectSingleNode(doc,
                                  "//ds:Signature[1]", nscontext);
             Element refElement;
@@ -1564,8 +1571,7 @@ private PublicKey getWSSTokenProfilePublicKey(Document doc) {
                 return null;
             }
 
-            Element nscontext = org.apache.xml.security.utils.
-                XMLUtils.createDSctx(doc,"ds",Constants.SignatureSpecNS);
+            Element nscontext = createDSctx(doc,"ds",Constants.SignatureSpecNS);
             Element sigElement = (Element) XPathAPI.selectSingleNode(
 					securityElement, "ds:Signature[1]",
 					nscontext);
@@ -1580,8 +1586,7 @@ private PublicKey getWSSTokenProfilePublicKey(Document doc) {
             if (reference != null) {
 	        String id = reference.getAttribute(SAMLConstants.TAG_URI);
 	        id = id.substring(1);
-	        nscontext = org.apache.xml.security.utils.
-                    XMLUtils.createDSctx(doc, SAMLConstants.PREFIX_WSU, wsuNS);
+	        nscontext = createDSctx(doc, SAMLConstants.PREFIX_WSU, wsuNS);
 	        Node n = XPathAPI.selectSingleNode(
 		    doc, "//*[@"+ SAMLConstants.PREFIX_WSU + ":" +
                     SAMLConstants.TAG_ID +"=\"" + id + "\"]", nscontext);

openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml2/meta/SAML2MetaSecurityUtils.java

@@ -40,6 +40,7 @@
 
 import javax.xml.bind.JAXBException;
 
+import com.sun.identity.saml.xmlsig.AMSignatureProvider;
 import com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType;
 import com.sun.identity.saml2.jaxb.metadata.SSODescriptorType;
 import org.forgerock.openam.utils.CollectionUtils;
@@ -241,7 +242,7 @@ public static void verifySignature(Document doc)
         NodeList sigElements = null;
         try {
             Element nscontext =
-                    org.apache.xml.security.utils.XMLUtils
+                    AMSignatureProvider
                             .createDSctx (doc,"ds", Constants.SignatureSpecNS);
             sigElements =
                     XPathAPI.selectNodeList(doc, "//ds:Signature", nscontext);

openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml2/xmlsig/FMSigProvider.java

@@ -36,6 +36,7 @@
 
 import javax.xml.xpath.XPathException;
 
+import com.sun.identity.saml.xmlsig.AMSignatureProvider;
 import org.forgerock.openam.utils.StringUtils;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
@@ -256,7 +257,7 @@ public boolean verify(
             );
         }
         Element nscontext =
-                org.apache.xml.security.utils.XMLUtils.
+                AMSignatureProvider.
                         createDSctx(doc, "ds", Constants.SignatureSpecNS);
         Element sigElement = null;
         try {