This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git
The following commit(s) were added to refs/heads/master by this push: new 412bc7b74 PMD updates for ws-security-stax - part I 412bc7b74 is described below commit 412bc7b745bffd1398b7083f87f1f22cbc60f300 Author: Colm O hEigeartaigh <cohei...@apache.org> AuthorDate: Fri Jun 10 08:15:19 2022 +0100 PMD updates for ws-security-stax - part I --- .../wss4j/stax/ext/WSSSecurityProperties.java | 8 ++-- .../processor/input/DecryptInputProcessor.java | 4 +- .../processor/input/SAMLTokenInputHandler.java | 44 ++++++++++---------- .../input/SecurityHeaderInputProcessor.java | 2 +- .../input/SecurityTokenReferenceInputHandler.java | 2 +- .../processor/input/UsernameTokenInputHandler.java | 2 +- .../WSSSignatureReferenceVerifyInputProcessor.java | 47 ++++++++++------------ .../processor/output/SAMLTokenOutputProcessor.java | 13 +++--- 8 files changed, 57 insertions(+), 65 deletions(-) diff --git a/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java b/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java index 4250587fe..7d765ef3d 100644 --- a/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java +++ b/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java @@ -334,7 +334,7 @@ public class WSSSecurityProperties extends XMLSecurityProperties { if (signatureWSSCrypto != null) { return signatureWSSCrypto.getCryptoProperties(); } - return null; + return null; //NOPMD } public void setSignatureCryptoProperties(Properties cryptoProperties) { @@ -409,7 +409,7 @@ public class WSSSecurityProperties extends XMLSecurityProperties { if (signatureVerificationWSSCrypto != null) { return signatureVerificationWSSCrypto.getCryptoProperties(); } - return null; + return null; //NOPMD } public void setSignatureVerificationCryptoProperties(Properties cryptoProperties) { 
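Review bot: The `//NOPMD` appended to `return null;` in getSignatureCryptoProperties suppresses the warning without recording which rule is being silenced or why, which is exactly what the next reader of a suppressed line needs. PMD treats the text after the marker as a reason, so `return null; //NOPMD - null means no signature Crypto has been configured` keeps the suppression self-explaining; the same applies to the sibling getter in the second hunk and to the two others in this file. The getter's signature is outside the hunk.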
@@ -488,7 +488,7 @@ public class WSSSecurityProperties extends XMLSecurityProperties { if (decryptionWSSCrypto != null) { return decryptionWSSCrypto.getCryptoProperties(); } - return null; + return null; //NOPMD } public void setDecryptionCryptoProperties(Properties cryptoProperties) { @@ -582,7 +582,7 @@ public class WSSSecurityProperties extends XMLSecurityProperties { if (encryptionWSSCrypto != null) { return encryptionWSSCrypto.getCryptoProperties(); } - return null; + return null; //NOPMD } public void setEncryptionCryptoProperties(Properties cryptoProperties) { diff --git a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/DecryptInputProcessor.java b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/DecryptInputProcessor.java index 40079a37f..709d8ca5a 100644 --- a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/DecryptInputProcessor.java +++ b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/DecryptInputProcessor.java @@ -200,7 +200,7 @@ public class DecryptInputProcessor extends AbstractDecryptInputProcessor { //1.) if an attachment is encrypted and signed the order is preserved //2.) the attachments are processed after the SOAP-Document which allows us to stream everything attachmentReferences.add( - new DeferredAttachment(encryptedDataType, cipher, inboundSecurityToken) + new DeferredAttachment(encryptedDataType, cipher, inboundSecurityToken) //NOPMD ); } } @@ -354,7 +354,7 @@ public class DecryptInputProcessor extends AbstractDecryptInputProcessor { final Key symmetricKey = inboundSecurityToken.getSecretKey(encAlgo, XMLSecurityConstants.Enc, encryptedDataType.getId()); - InputStream attachmentInputStream = + InputStream attachmentInputStream = //NOPMD AttachmentUtils.setupAttachmentDecryptionStream(encAlgo, cipher, symmetricKey, attachment.getSourceStream()); Attachment resultAttachment = new Attachment(); 
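Review bot: The `//NOPMD` on `InputStream attachmentInputStream =` in the second DecryptInputProcessor hunk hides that the decryption stream built over `attachment.getSourceStream()` is never closed in this hunk, and the suppression says nothing about who owns it. If, as the surrounding `resultAttachment` construction suggests, the stream is handed on and closed by whoever consumes the attachment, say so on the line: `InputStream attachmentInputStream = //NOPMD - closed by the consumer of resultAttachment`. If that is not the case the marker is masking a leak of the cipher stream and it should be closed instead. The enclosing method starts and ends outside the hunk.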
diff --git a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java index d392a6679..c47c247f3 100644 --- a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java +++ b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java @@ -232,23 +232,22 @@ public class SAMLTokenInputHandler extends AbstractInputSecurityHeaderHandler { while (xmlSecEventIterator.hasNext()) { XMLSecEvent xmlSecEvent = xmlSecEventIterator.next(); idx++; - switch (xmlSecEvent.getEventType()) { - case XMLStreamConstants.START_ELEMENT: - QName elementName = xmlSecEvent.asStartElement().getName(); - if (WSSConstants.TAG_dsig_KeyInfo.equals(elementName)) { - List<QName> elementPath = xmlSecEvent.asStartElement().getElementPath(); - if (elementPath.size() >= 4) { - int lastIndex = elementPath.size() - 2; - if ("SubjectConfirmationData".equals(elementPath.get(lastIndex).getLocalPart()) + if (XMLStreamConstants.START_ELEMENT == xmlSecEvent.getEventType()) { + QName elementName = xmlSecEvent.asStartElement().getName(); + if (WSSConstants.TAG_dsig_KeyInfo.equals(elementName)) { + List<QName> elementPath = xmlSecEvent.asStartElement().getElementPath(); + if (elementPath.size() >= 4) { + int lastIndex = elementPath.size() - 2; + if ("SubjectConfirmationData".equals(elementPath.get(lastIndex).getLocalPart()) && "SubjectConfirmation".equals(elementPath.get(lastIndex - 1).getLocalPart()) && "Subject".equals(elementPath.get(lastIndex - 2).getLocalPart())) { - return idx; - } else if ("SubjectConfirmation".equals(elementPath.get(lastIndex).getLocalPart()) + return idx; + } else if ("SubjectConfirmation".equals(elementPath.get(lastIndex).getLocalPart()) && "Subject".equals(elementPath.get(lastIndex - 1).getLocalPart())) { - return idx; - } + return idx; } } + } } } return idx; 
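Review bot: The rewritten scan loop returns `idx` both when it finds a `ds:KeyInfo` directly under `Subject/SubjectConfirmation` or `Subject/SubjectConfirmation/SubjectConfirmationData` and when it runs off the end of the events without a match, and nothing in the new if-nesting makes that ambiguity visible; presumably the caller distinguishes the two cases by other means, but the code should say so. A comment above the loop such as `// Returns the index of the first KeyInfo event under a SubjectConfirmation; if none is found the last event index is returned` would document what the caller has to check. The `elementPath.get(lastIndex - 2)` access is safe because the `elementPath.size() >= 4` guard makes `lastIndex` at least 2. The method's signature and the line that initialises `idx` are outside the hunk.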
@@ -260,19 +259,18 @@ public class SAMLTokenInputHandler extends AbstractInputSecurityHeaderHandler { while (xmlSecEventIterator.hasNext()) { XMLSecEvent xmlSecEvent = xmlSecEventIterator.next(); idx++; - switch (xmlSecEvent.getEventType()) { - case XMLStreamConstants.START_ELEMENT: - QName elementName = xmlSecEvent.asStartElement().getName(); - if (WSSConstants.TAG_dsig_KeyInfo.equals(elementName)) { - List<QName> elementPath = xmlSecEvent.asStartElement().getElementPath(); - if (elementPath.size() >= 4) { - int lastIndex = elementPath.size() - 2; - if ("Signature".equals(elementPath.get(lastIndex).getLocalPart()) + if (XMLStreamConstants.START_ELEMENT == xmlSecEvent.getEventType()) { + QName elementName = xmlSecEvent.asStartElement().getName(); + if (WSSConstants.TAG_dsig_KeyInfo.equals(elementName)) { + List<QName> elementPath = xmlSecEvent.asStartElement().getElementPath(); + if (elementPath.size() >= 4) { + int lastIndex = elementPath.size() - 2; + if ("Signature".equals(elementPath.get(lastIndex).getLocalPart()) && "Assertion".equals(elementPath.get(lastIndex - 1).getLocalPart())) { - return idx; - } + return idx; } } + } } } return idx; @@ -308,7 +306,7 @@ public class SAMLTokenInputHandler extends AbstractInputSecurityHeaderHandler { loop: while (xmlSecEventIterator.hasNext()) { xmlSecEvent = xmlSecEventIterator.next(); - switch (xmlSecEvent.getEventType()) { + switch (xmlSecEvent.getEventType()) { //NOPMD case XMLStreamConstants.END_ELEMENT: if (xmlSecEvent.asEndElement().getName().equals(elementName)) { break loop; diff --git a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SecurityHeaderInputProcessor.java b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SecurityHeaderInputProcessor.java index b9cb72406..8a9932c82 100644 --- a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SecurityHeaderInputProcessor.java 
+++ b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SecurityHeaderInputProcessor.java @@ -85,7 +85,7 @@ public class SecurityHeaderInputProcessor extends AbstractInputProcessor { subInputProcessorChain.reset(); xmlSecEvent = subInputProcessorChain.processHeaderEvent(); - switch (xmlSecEvent.getEventType()) { + switch (xmlSecEvent.getEventType()) { //NOPMD case XMLStreamConstants.START_ELEMENT: XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement(); int documentLevel = xmlSecStartElement.getDocumentLevel(); diff --git a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SecurityTokenReferenceInputHandler.java b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SecurityTokenReferenceInputHandler.java index 94708cbee..241900c9e 100644 --- a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SecurityTokenReferenceInputHandler.java +++ b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SecurityTokenReferenceInputHandler.java @@ -128,7 +128,7 @@ public class SecurityTokenReferenceInputHandler extends AbstractInputSecurityHea public XMLSecEvent processEvent(final InputProcessorChain inputProcessorChain) throws XMLStreamException, XMLSecurityException { XMLSecEvent xmlSecEvent = inputProcessorChain.processEvent(); - switch (xmlSecEvent.getEventType()) { + switch (xmlSecEvent.getEventType()) { //NOPMD case XMLStreamConstants.START_ELEMENT: XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement(); Attribute attribute = xmlSecStartElement.getAttributeByName(this.attribute); diff --git a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java index 5046ea675..6ba7e9e56 100644 
--- a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java +++ b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java @@ -76,7 +76,7 @@ public class UsernameTokenInputHandler extends AbstractInputSecurityHeaderHandle final WSSSecurityProperties wssSecurityProperties = (WSSSecurityProperties) securityProperties; Instant created = verifyCreated(wssSecurityProperties, usernameTokenType); - ReplayCache replayCache = wssSecurityProperties.getNonceReplayCache(); + ReplayCache replayCache = wssSecurityProperties.getNonceReplayCache(); //NOPMD final EncodedString encodedNonce = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSSE_NONCE); if (encodedNonce != null && replayCache != null) { diff --git a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java index 881d1bff7..8dd4f85ca 100644 --- a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java +++ b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java @@ -124,7 +124,7 @@ public class WSSSignatureReferenceVerifyInputProcessor extends AbstractSignature final Attachment attachment = attachments.get(0); - InputStream attachmentInputStream = attachment.getSourceStream(); + InputStream attachmentInputStream = attachment.getSourceStream(); //NOPMD if (!attachmentInputStream.markSupported()) { attachmentInputStream = new BufferedInputStream(attachmentInputStream); } 
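Review bot: The `//NOPMD` on `ReplayCache replayCache = wssSecurityProperties.getNonceReplayCache();` suppresses what is presumably a resource-closing warning, and a reader cannot tell whether leaving the cache open here is intended. Since the cache comes from the shared security properties and is used for nonce replay detection, record that on the line: `ReplayCache replayCache = wssSecurityProperties.getNonceReplayCache(); //NOPMD - shared cache owned by the properties, must not be closed here`. The following `encodedNonce != null && replayCache != null` guard also means a missing cache silently disables nonce replay detection for this token; that is pre-existing, but a debug log in that case would make the configuration state visible. The handler method starts and ends outside the hunk.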
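Review bot: `InputStream attachmentInputStream = attachment.getSourceStream(); //NOPMD` suppresses a resource warning on a stream that, when `markSupported()` is false, is immediately re-wrapped in a `BufferedInputStream` which is likewise never closed in this hunk. If the source stream is deliberately left open because the Attachment owns and closes it, give the reason after the marker, `//NOPMD - source stream is owned and closed by the Attachment`; otherwise the buffered wrapper should be closed once the digest has been computed. The enclosing method continues past the hunk.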
@@ -134,30 +134,27 @@ public class WSSSignatureReferenceVerifyInputProcessor extends AbstractSignature try { DigestOutputStream digestOutputStream = createMessageDigestOutputStream(referenceType, inputProcessorChain.getSecurityContext()); - UnsyncBufferedOutputStream bufferedDigestOutputStream = - new UnsyncBufferedOutputStream(digestOutputStream); - - if (referenceType.getTransforms() != null) { - Transformer transformer = - buildTransformerChain(referenceType, bufferedDigestOutputStream, inputProcessorChain, null); - if (!(transformer instanceof AttachmentContentSignatureTransform)) { - throw new WSSecurityException( - WSSecurityException.ErrorCode.INVALID_SECURITY, - "empty", - new Object[] {"First transform must be Attachment[Content|Complete]SignatureTransform"} - ); - } - Map<String, Object> transformerProperties = new HashMap<>(2); - transformerProperties.put( - AttachmentContentSignatureTransform.ATTACHMENT, attachment); - transformer.setProperties(transformerProperties); - - transformer.transform(attachmentInputStream); + try (UnsyncBufferedOutputStream bufferedDigestOutputStream = + new UnsyncBufferedOutputStream(digestOutputStream)) { + if (referenceType.getTransforms() != null) { + Transformer transformer = + buildTransformerChain(referenceType, bufferedDigestOutputStream, inputProcessorChain, null); + if (!(transformer instanceof AttachmentContentSignatureTransform)) { + throw new WSSecurityException( + WSSecurityException.ErrorCode.INVALID_SECURITY, + "empty", + new Object[]{"First transform must be Attachment[Content|Complete]SignatureTransform"} + ); + } + Map<String, Object> transformerProperties = new HashMap<>(2); + transformerProperties.put( + AttachmentContentSignatureTransform.ATTACHMENT, attachment); + transformer.setProperties(transformerProperties); - bufferedDigestOutputStream.close(); - } else { - XMLSecurityUtils.copy(attachmentInputStream, bufferedDigestOutputStream); - bufferedDigestOutputStream.close(); + 
transformer.transform(attachmentInputStream); + } else { + XMLSecurityUtils.copy(attachmentInputStream, bufferedDigestOutputStream); + } } compareDigest(digestOutputStream.getDigestValue(), referenceType); @@ -310,7 +307,7 @@ public class WSSSignatureReferenceVerifyInputProcessor extends AbstractSignature private void detectReplayAttack(InputProcessorChain inputProcessorChain) throws WSSecurityException { TimestampSecurityEvent timestampSecurityEvent = inputProcessorChain.getSecurityContext().get(WSSConstants.PROP_TIMESTAMP_SECURITYEVENT); - ReplayCache replayCache = + ReplayCache replayCache = //NOPMD ((WSSSecurityProperties)getSecurityProperties()).getTimestampReplayCache(); if (timestampSecurityEvent != null && replayCache != null) { final String cacheKey = diff --git a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java index 6eab257a0..3a4cd5aa2 100644 --- a/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java +++ b/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java @@ -335,7 +335,7 @@ public class SAMLTokenOutputProcessor extends AbstractOutputProcessor { return key; } byte[] secretKey = getSecretKeyUsingCallback(); - if (secretKey != null) { + if (secretKey != null && secretKey.length > 0) { String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI); key = new SecretKeySpec(secretKey, algoFamily); setSecretKey(algorithmURI, key); @@ -398,7 +398,7 @@ public class SAMLTokenOutputProcessor extends AbstractOutputProcessor { } } - return null; + return new X509Certificate[0]; } @@ -413,7 +413,7 @@ public class SAMLTokenOutputProcessor extends AbstractOutputProcessor { } } - return null; + return new byte[0]; } @Override 
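Review bot: The new try-with-resources is correct only because `compareDigest(digestOutputStream.getDigestValue(), referenceType)` stays after the try block, since it is the `close()` of `bufferedDigestOutputStream` that flushes the last buffered bytes into the digest; the old explicit `close()` calls made that ordering visible and the try block now makes it implicit. A comment on the try line, `// close() flushes the buffered bytes into the digest, so compareDigest must run after this block`, would keep a later refactor from moving the comparison inside the block and verifying a truncated digest. Note that `digestOutputStream` itself is not a resource of the try and is left to the surrounding code. The enclosing try/catch starts and ends outside the hunk.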
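Review bot: The `//NOPMD` on `ReplayCache replayCache =` in detectReplayAttack suppresses a warning without stating why the timestamp replay cache is not closed here, just as in the UsernameTokenInputHandler hunk. Recording the ownership on the line, `ReplayCache replayCache = //NOPMD - shared cache from the security properties, not closed here`, keeps the suppression reviewable. The following `timestampSecurityEvent != null && replayCache != null` guard means a missing cache skips timestamp replay detection entirely; that is pre-existing, but worth a debug log so the configuration is visible. The rest of detectReplayAttack is outside the hunk.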
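Review bot: Changing the fallback from `return null;` to `return new X509Certificate[0];` changes what callers observe: a caller that tests `certs != null` before reading `certs[0]` now passes that check and throws `ArrayIndexOutOfBoundsException`, or worse treats "no certificate" as "certificate present" when deciding how to sign the token. The method's signature and its callers are outside the hunk, so please confirm every use checks `certs.length > 0` (the way the @@ -335 hunk checks `secretKey.length > 0` for the byte[] case), or keep the null return with a reasoned `//NOPMD` if null is the contract. A one-line Javadoc stating that an empty array means no certificate was obtained would document the new contract either way.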
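Review bot: `return new byte[0];` replaces the null fallback for the secret key, and only the caller visible at @@ -335 has been updated to check `secretKey.length > 0`; any other caller that checks only `secretKey != null` will now hand a zero-length key to `new SecretKeySpec(...)`, which rejects empty keys with an `IllegalArgumentException`. The method's signature and its other callers are outside the hunk, so this is worth grepping for before merging. A short Javadoc on the method, e.g. `/** @return the secret key bytes, or an empty array if none could be obtained */`, would make the new contract explicit.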
@@ -488,15 +488,12 @@ public class SAMLTokenOutputProcessor extends AbstractOutputProcessor { } private boolean includeBST() { - if (senderVouches + return senderVouches && getSecurityProperties().getSignatureKeyIdentifiers().contains( WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE) && securityToken != null && !(WSSConstants.SAML_TOKEN_SIGNED.equals(action) - && ((WSSSecurityProperties)getSecurityProperties()).isIncludeSignatureToken())) { - return true; - } - return false; + && ((WSSSecurityProperties)getSecurityProperties()).isIncludeSignatureToken()); } }