8263314: Enhance XML Dsig modes

wangweij · slowhog · commit a26f9db704a0 · 2021-10-19T18:25:58.000Z
Reviewed-by: rhalade, mschoene, valeriep, mullan
diff --git a/src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMURIDereferencer.java b/src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMURIDereferencer.java
@@ -37,6 +37,7 @@
 
 import javax.xml.crypto.*;
 import javax.xml.crypto.dom.*;
+import java.net.URI;
 
 /**
  * DOM-based implementation of URIDereferencer.
@@ -70,9 +71,27 @@ public Data dereference(URIReference uriRef, XMLCryptoContext context)
 
         boolean secVal = Utils.secureValidation(context);
 
-        if (secVal && Policy.restrictReferenceUriScheme(uri)) {
-            throw new URIReferenceException(
-                "Uri " + uri + " is forbidden when secure validation is enabled");
+        if (secVal) {
+            try {
+                if (Policy.restrictReferenceUriScheme(uri)) {
+                    throw new URIReferenceException(
+                            "URI " + uri + " is forbidden when secure validation is enabled");
+                }
+
+                if (uri != null && !uri.isEmpty() && uri.charAt(0) != '#' && URI.create(uri).getScheme() == null) {
+                    // beseURI will be used to dereference a relative uri
+                    try {
+                        if (Policy.restrictReferenceUriScheme(baseURI)) {
+                            throw new URIReferenceException(
+                                    "Base URI " + baseURI + " is forbidden when secure validation is enabled");
+                        }
+                    } catch (IllegalArgumentException e) { // thrown by Policy.restrictReferenceUriScheme
+                        throw new URIReferenceException("Invalid base URI " + baseURI);
+                    }
+                }
+            } catch (IllegalArgumentException e) { // thrown by Policy.restrictReferenceUriScheme or URI.create
+                throw new URIReferenceException("Invalid URI " + uri);
+            }
         }
 
         // Check if same-document URI and already registered on the context
diff --git a/test/jdk/javax/xml/crypto/dsig/GenerationTests.java b/test/jdk/javax/xml/crypto/dsig/GenerationTests.java
@@ -1454,7 +1454,6 @@ private static void dumpDocument(Document doc, Writer w) throws Exception {
         DOMValidateContext dvc = new DOMValidateContext
             (ks, doc.getDocumentElement());
         File f = new File(DATA_DIR);
-        dvc.setBaseURI(f.toURI().toString());
         dvc.setURIDereferencer(httpUd);
 
         XMLSignature sig2 = fac.unmarshalXMLSignature(dvc);
@@ -2195,6 +2194,12 @@ public Data dereference(final URIReference ref, XMLCryptoContext ctx)
                         (DATA_DIR, uri.substring(uri.lastIndexOf('/'))));
                     return new OctetStreamData(fis,ref.getURI(),ref.getType());
                 } catch (Exception e) { throw new URIReferenceException(e); }
+            } else if (uri.startsWith("certs/")) {
+                try {
+                    FileInputStream fis = new FileInputStream(new File
+                            (DATA_DIR, uri));
+                    return new OctetStreamData(fis,ref.getURI(),ref.getType());
+                } catch (Exception e) { throw new URIReferenceException(e); }
             }
 
             // fallback on builtin deref
