[wss4j] 11/15: Refreshed the patches
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Tue Jun 27 21:05:11 UTC 2017
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch master
in repository wss4j.
commit c1edbdff831f1c585bac11e8e44c55d01b72bea6
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Tue Jun 27 22:36:43 2017 +0200
Refreshed the patches
---
debian/changelog | 4 +-
debian/patches/01-no-saml.patch | 40 ++++++----
debian/patches/02-CVE-2015-0227.patch | 137 ----------------------------------
debian/patches/03-CVE-2015-0226.patch | 41 ----------
debian/patches/series | 2 -
5 files changed, 29 insertions(+), 195 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 61fd74e..adc193d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,7 @@
-wss4j (1.6.15-3) UNRELEASED; urgency=medium
+wss4j (1.6.19-1) UNRELEASED; urgency=medium
+ * New upstream release (Closes: #822192)
+ - Refreshed the patches
* Added the missing build dependency on junit4
* Let maven-debian-helper populate the package dependencies
* Build with the DH sequencer instead of CDBS
diff --git a/debian/patches/01-no-saml.patch b/debian/patches/01-no-saml.patch
index 3d820a2..9471c2a 100644
--- a/debian/patches/01-no-saml.patch
+++ b/debian/patches/01-no-saml.patch
@@ -4,7 +4,7 @@ Author: Emmanuel Bourg <ebourg at apache.org>
Forwarded: not-needed
--- a/pom.xml
+++ b/pom.xml
-@@ -250,6 +250,11 @@
+@@ -298,6 +298,11 @@
<configuration>
<source>1.5</source>
<target>1.5</target>
@@ -16,6 +16,18 @@ Forwarded: not-needed
</configuration>
</plugin>
<plugin>
+@@ -540,6 +545,11 @@
+ </exclusions>
+ </dependency>
+ <dependency>
++ <groupId>org.slf4j</groupId>
++ <artifactId>slf4j-api</artifactId>
++ <version>${slf4j.version}</version>
++ </dependency>
++ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>${junit.version}</version>
--- a/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
+++ b/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
@@ -20,7 +20,6 @@
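Review bot: The new `org.slf4j:slf4j-api` dependency this hunk adds to the pom has no `<scope>` and no explanation in the patch, so a later refresh cannot tell whether it is a compile-time need or an artifact of the removed SAML bits. Presumably it was previously pulled in transitively by the opensaml dependency that this patch drops; if so, a DEP-3 `Description:` line in the patch header (outside this hunk) such as `slf4j-api is declared directly because it was only reachable through the excluded opensaml dependency` would make the refresh reproducible. If it is only needed by tests, add `<scope>test</scope>` so the binary package does not gain a runtime dependency it does not use.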
@@ -227,7 +239,7 @@ Forwarded: not-needed
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSConfig;
-@@ -92,6 +91,7 @@
+@@ -94,6 +93,7 @@
result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE);
result.put(WSSecurityEngineResult.TAG_SECRET, returnedCredential.getSecretKey());
@@ -235,7 +247,7 @@ Forwarded: not-needed
if (returnedCredential.getTransformedToken() != null) {
result.put(
WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN,
-@@ -104,7 +104,7 @@
+@@ -106,7 +106,7 @@
new SAMLTokenPrincipal(credential.getTransformedToken());
result.put(WSSecurityEngineResult.TAG_PRINCIPAL, samlPrincipal);
}
@@ -263,7 +275,7 @@ Forwarded: not-needed
private SecurityContextToken securityContextToken;
private Principal principal;
private byte[] secretKey;
-@@ -166,33 +163,41 @@
+@@ -167,33 +164,41 @@
* Set an AssertionWrapper to be validated
* @param assertion an AssertionWrapper to be validated
*/
@@ -315,7 +327,7 @@ Forwarded: not-needed
/**
* This class enforces processing rules for SecurityTokenReferences to various token elements,
-@@ -125,6 +124,7 @@
+@@ -126,6 +125,7 @@
* @param assertion The SAML Token AssertionWrapper object
* @throws WSSecurityException
*/
@@ -323,7 +335,7 @@ Forwarded: not-needed
public static void checkSamlTokenBSPCompliance(
SecurityTokenReference secRef,
AssertionWrapper assertion
-@@ -187,6 +187,7 @@
+@@ -188,6 +188,7 @@
}
}
}
@@ -341,7 +353,7 @@ Forwarded: not-needed
import java.security.Principal;
import java.security.cert.X509Certificate;
-@@ -233,6 +232,7 @@
+@@ -240,6 +239,7 @@
put(TAG_ACTION, Integer.valueOf(act));
}
@@ -349,7 +361,7 @@ Forwarded: not-needed
public WSSecurityEngineResult(
int act,
AssertionWrapper ass
-@@ -242,6 +242,7 @@
+@@ -249,6 +249,7 @@
put(TAG_VALIDATED_TOKEN, Boolean.FALSE);
put(TAG_TOKEN_ELEMENT, ass.getElement());
}
@@ -367,7 +379,7 @@ Forwarded: not-needed
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSConfig;
-@@ -82,6 +81,7 @@
+@@ -85,6 +84,7 @@
if (validator != null) {
result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE);
@@ -375,7 +387,7 @@ Forwarded: not-needed
if (credential.getTransformedToken() != null) {
result.put(
WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN, credential.getTransformedToken()
-@@ -93,7 +93,7 @@
+@@ -96,7 +96,7 @@
new SAMLTokenPrincipal(credential.getTransformedToken());
result.put(WSSecurityEngineResult.TAG_PRINCIPAL, samlPrincipal);
}
@@ -416,9 +428,9 @@ Forwarded: not-needed
);
+*/
tmp.put(
- WSSecurityEngine.ENCRYPTED_KEY,
- org.apache.ws.security.processor.EncryptedKeyProcessor.class
-@@ -181,6 +185,7 @@
+ WSSecurityEngine.ENCRYPTED_ASSERTION,
+ org.apache.ws.security.processor.EncryptedAssertionProcessor.class
+@@ -185,6 +189,7 @@
static {
final Map<QName, Class<?>> tmp = new HashMap<QName, Class<?>>();
try {
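Review bot: The `WSSecurityEngine.ENCRYPTED_ASSERTION` → `EncryptedAssertionProcessor` mapping is left active by this hunk, because the refreshed patch closes the commented-out block with `+*/` immediately before that `tmp.put(...)`, while the SAML token processors and the `SamlAssertionValidator` entries this patch strips are commented out. If that processor decrypts the assertion and then dispatches it to the SAML assertion processor that is no longer registered, an `EncryptedAssertion` in the Security header would presumably be decrypted and then dropped without any validated-token result rather than rejected outright; this should be confirmed against the 1.6.19 source before shipping. Unless the processor is useful without SAML support, move the closing `*/` below the `ENCRYPTED_ASSERTION` registration so it is disabled together with the other SAML entries, leaving an unknown element for the engine to handle. The static initializer this hunk edits starts and ends outside the hunk.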
@@ -426,7 +438,7 @@ Forwarded: not-needed
tmp.put(
WSSecurityEngine.SAML_TOKEN,
org.apache.ws.security.validate.SamlAssertionValidator.class
-@@ -189,6 +194,7 @@
+@@ -193,6 +198,7 @@
WSSecurityEngine.SAML2_TOKEN,
org.apache.ws.security.validate.SamlAssertionValidator.class
);
diff --git a/debian/patches/02-CVE-2015-0227.patch b/debian/patches/02-CVE-2015-0227.patch
deleted file mode 100644
index 464a1a7..0000000
--- a/debian/patches/02-CVE-2015-0227.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-Description: Fix CVE-2015-0227: WSS4J is still vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)
-Origin: backport, http://svn.apache.org/r1619359
-Bug-Debian: http://bugs.debian.org/777741
---- a/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java
-+++ b/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java
-@@ -91,7 +91,7 @@
- );
-
- if (elem != null && request.isRequireSignedEncryptedDataElements()) {
-- WSSecurityUtil.verifySignedElement(elem, elem.getOwnerDocument(), wsDocInfo.getSecurityHeader());
-+ WSSecurityUtil.verifySignedElement(elem, wsDocInfo);
- }
-
- SecretKey key = null;
---- a/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
-+++ b/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
-@@ -403,7 +403,7 @@
- Element encryptedDataElement =
- ReferenceListProcessor.findEncryptedDataElement(doc, docInfo, dataRefURI);
- if (encryptedDataElement != null && data.isRequireSignedEncryptedDataElements()) {
-- WSSecurityUtil.verifySignedElement(encryptedDataElement, doc, docInfo.getSecurityHeader());
-+ WSSecurityUtil.verifySignedElement(encryptedDataElement, docInfo);
- }
- //
- // Prepare the SecretKey object to decrypt EncryptedData
---- a/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
-+++ b/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
-@@ -132,7 +132,7 @@
- Element encryptedDataElement = findEncryptedDataElement(doc, wsDocInfo, dataRefURI);
-
- if (encryptedDataElement != null && asymBinding && data.isRequireSignedEncryptedDataElements()) {
-- WSSecurityUtil.verifySignedElement(encryptedDataElement, doc, wsDocInfo.getSecurityHeader());
-+ WSSecurityUtil.verifySignedElement(encryptedDataElement, wsDocInfo);
- }
- //
- // Prepare the SecretKey object to decrypt EncryptedData
---- a/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
-+++ b/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
-@@ -24,6 +24,7 @@
- import org.apache.ws.security.SOAPConstants;
- import org.apache.ws.security.WSConstants;
- import org.apache.ws.security.WSDataRef;
-+import org.apache.ws.security.WSDocInfo;
- import org.apache.ws.security.WSEncryptionPart;
- import org.apache.ws.security.WSSecurityEngineResult;
- import org.apache.ws.security.WSSecurityException;
-@@ -50,10 +51,8 @@
- import java.security.SecureRandom;
- import java.util.ArrayList;
- import java.util.Collections;
--import java.util.HashSet;
- import java.util.Iterator;
- import java.util.List;
--import java.util.Set;
-
- /**
- * WS-Security Utility methods. <p/>
-@@ -1350,56 +1349,39 @@
- }
- }
-
-- public static void verifySignedElement(Element elem, Document doc, Element securityHeader)
-- throws WSSecurityException {
-- final Element envelope = doc.getDocumentElement();
-- final Set<String> signatureRefIDs = getSignatureReferenceIDs(securityHeader);
-- if (!signatureRefIDs.isEmpty()) {
-- Node cur = elem;
-- while (!cur.isSameNode(envelope)) {
-- if (cur.getNodeType() == Node.ELEMENT_NODE) {
-- if (WSConstants.SIG_LN.equals(cur.getLocalName())
-- && WSConstants.SIG_NS.equals(cur.getNamespaceURI())) {
-- throw new WSSecurityException(WSSecurityException.FAILED_CHECK,
-- "requiredElementNotSigned", new Object[] {elem});
-- } else if (isLinkedBySignatureRefs((Element)cur, signatureRefIDs)) {
-- return;
-+ public static void verifySignedElement(Element elem, WSDocInfo wsDocInfo) throws WSSecurityException {
-+ List<WSSecurityEngineResult> signedResults = wsDocInfo.getResultsByTag(WSConstants.SIGN);
-+ if (signedResults != null) {
-+ for (WSSecurityEngineResult signedResult : signedResults) {
-+ @SuppressWarnings("unchecked")
-+ List<WSDataRef> dataRefs = (List<WSDataRef>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
-+ if (dataRefs != null) {
-+ for (WSDataRef dataRef : dataRefs) {
-+ if (isElementOrAncestorSigned(elem, dataRef.getProtectedElement())) {
-+ return;
-+ }
- }
- }
-- cur = cur.getParentNode();
- }
- }
- throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK, "requiredElementNotSigned", new Object[] {elem});
- }
-
-- private static boolean isLinkedBySignatureRefs(Element elem, Set<String> allIDs) {
-- // Try the wsu:Id first
-- String attributeNS = elem.getAttributeNS(WSConstants.WSU_NS, "Id");
-- if (!"".equals(attributeNS) && allIDs.contains(attributeNS)) {
-- return true;
-- }
-- attributeNS = elem.getAttributeNS(null, "Id");
-- return (!"".equals(attributeNS) && allIDs.contains(attributeNS));
-- }
--
-- private static Set<String> getSignatureReferenceIDs(Element wsseHeader) throws WSSecurityException {
-- final Set<String> refs = new HashSet<String>();
-- final List<Element> signatures = WSSecurityUtil.getDirectChildElements(wsseHeader, WSConstants.SIG_LN, WSConstants.SIG_NS);
-- for (Element signature : signatures) {
-- Element sigInfo = WSSecurityUtil.getDirectChildElement(signature, WSConstants.SIG_INFO_LN, WSConstants.SIG_NS);
-- List<Element> references = WSSecurityUtil.getDirectChildElements(sigInfo, WSConstants.REF_LN, WSConstants.SIG_NS);
-- for (Element reference : references) {
-- String uri = reference.getAttributeNS(null, "URI");
-- if (!"".equals(uri)) {
-- boolean added = refs.add(WSSecurityUtil.getIDFromReference(uri));
-- if (!added) {
-- log.warn("Duplicated reference uri: " + uri);
-- }
-- }
-+ /**
-+ * Does the current element or some ancestor of it correspond to the known "signedElement"?
-+ */
-+ private static boolean isElementOrAncestorSigned(Element elem, Element signedElement) throws WSSecurityException {
-+ final Element envelope = elem.getOwnerDocument().getDocumentElement();
-+ Node cur = elem;
-+ while (!cur.isSameNode(envelope)) {
-+ if (cur.getNodeType() == Node.ELEMENT_NODE && cur.equals(signedElement)) {
-+ return true;
- }
-+ cur = cur.getParentNode();
- }
-- return refs;
-+
-+ return false;
- }
-
- }
diff --git a/debian/patches/03-CVE-2015-0226.patch b/debian/patches/03-CVE-2015-0226.patch
deleted file mode 100644
index 395eaa6..0000000
--- a/debian/patches/03-CVE-2015-0226.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Description: Fix CVE-2015-0226: WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
-Origin: backport, http://svn.apache.org/r1621329
-Bug-Debian: http://bugs.debian.org/777741
---- a/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
-+++ b/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
-@@ -19,6 +19,7 @@
-
- package org.apache.ws.security.processor;
-
-+import java.security.NoSuchAlgorithmException;
- import java.security.PrivateKey;
- import java.security.cert.X509Certificate;
- import java.security.spec.MGF1ParameterSpec;
-@@ -209,7 +210,7 @@
- private static byte[] getRandomKey(List<String> dataRefURIs, Document doc, WSDocInfo wsDocInfo) throws WSSecurityException {
- try {
- String alg = "AES";
-- int size = 128;
-+ int size = 16;
- if (!dataRefURIs.isEmpty()) {
- String uri = dataRefURIs.iterator().next();
- Element ee = ReferenceListProcessor.findEncryptedDataElement(doc, wsDocInfo, uri);
-@@ -221,8 +222,16 @@
- kgen.init(size * 8);
- SecretKey k = kgen.generateKey();
- return k.getEncoded();
-- } catch (Exception ex) {
-- throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, ex);
-+ } catch (Throwable ex) {
-+ // Fallback to just using AES to avoid attacks on EncryptedData algorithms
-+ try {
-+ KeyGenerator kgen = KeyGenerator.getInstance("AES");
-+ kgen.init(128);
-+ SecretKey k = kgen.generateKey();
-+ return k.getEncoded();
-+ } catch (NoSuchAlgorithmException e) {
-+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e);
-+ }
- }
- }
-
diff --git a/debian/patches/series b/debian/patches/series
index 14e908c..1591d9b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1 @@
01-no-saml.patch
-02-CVE-2015-0227.patch
-03-CVE-2015-0226.patch