packages/pki-core
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:b678c311fff3101aa05bb37c15c06605b6e70d8a
Branches Tags
packages:main
..
compare: packages:1f7cd1a2c4c70efbbffd6369181460c348f844aa
Branches Tags
packages:main

No commits in common. "b678c311fff3101aa05bb37c15c06605b6e70d8a" and "1f7cd1a2c4c70efbbffd6369181460c348f844aa" have entirely different histories.
b678c311ff ... 1f7cd1a2c4

3 changed files with 13 additions and 1041 deletions
Show Stats Expand all files Collapse all files

928
0001-Disable-access-to-external-entities-when-parsing-XML.patch
View File

@ -1,928 +0,0 @@
From b176837c317216185930a09e6eae916a39bbbe5e Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Fri, 15 Jul 2022 09:36:00 +0800
Subject: [PATCH] Disable access to external entities when parsing XML
This reduces the vulnerability of XML parsers to XXE (XML external
entity) injection.
The best way to prevent XXE is to stop using XML altogether, which we do
plan to do. Until that happens I consider it worthwhile to tighten the
security here though.
---
.../main/java/com/netscape/certsrv/account/Account.java | 4 ++++
.../java/com/netscape/certsrv/base/PKIException.java | 4 ++++
.../main/java/com/netscape/certsrv/base/RESTMessage.java | 4 ++++
.../main/java/com/netscape/certsrv/cert/CertData.java | 4 ++++
.../java/com/netscape/certsrv/cert/CertDataInfo.java | 4 ++++
.../java/com/netscape/certsrv/cert/CertDataInfos.java | 4 ++++
.../com/netscape/certsrv/cert/CertEnrollmentRequest.java | 4 ++++
.../java/com/netscape/certsrv/cert/CertRequestInfo.java | 4 ++++
.../java/com/netscape/certsrv/cert/CertRequestInfos.java | 4 ++++
.../com/netscape/certsrv/cert/CertRetrievalRequest.java | 4 ++++
.../com/netscape/certsrv/cert/CertRevokeRequest.java | 4 ++++
.../com/netscape/certsrv/cert/CertSearchRequest.java | 4 ++++
.../netscape/certsrv/key/AsymKeyGenerationRequest.java | 1 +
.../com/netscape/certsrv/key/KeyArchivalRequest.java | 1 +
.../java/com/netscape/certsrv/key/KeyRequestInfo.java | 4 ++++
.../netscape/certsrv/key/KeyRequestInfoCollection.java | 4 ++++
.../netscape/certsrv/key/SymKeyGenerationRequest.java | 1 +
.../com/netscape/certsrv/profile/PolicyConstraint.java | 4 ++++
.../netscape/certsrv/profile/PolicyConstraintValue.java | 4 ++++
.../java/com/netscape/certsrv/profile/PolicyDefault.java | 4 ++++
.../com/netscape/certsrv/profile/ProfileAttribute.java | 4 ++++
.../java/com/netscape/certsrv/profile/ProfileData.java | 4 ++++
.../com/netscape/certsrv/profile/ProfileDataInfo.java | 4 ++++
.../com/netscape/certsrv/profile/ProfileDataInfos.java | 4 ++++
.../java/com/netscape/certsrv/profile/ProfileInput.java | 4 ++++
.../java/com/netscape/certsrv/profile/ProfileOutput.java | 4 ++++
.../com/netscape/certsrv/profile/ProfileParameter.java | 4 ++++
.../com/netscape/certsrv/request/CMSRequestInfo.java | 4 ++++
base/common/src/main/java/org/dogtagpki/common/Info.java | 4 ++++
.../cms/servlet/csadmin/SecurityDomainProcessor.java | 6 +++++-
.../main/java/com/netscape/cmscore/apps/ServerXml.java | 1 +
.../main/java/com/netscape/cmsutil/xml/XMLObject.java | 9 +++++++++
32 files changed, 122 insertions(+), 1 deletion(-)
diff --git a/base/common/src/main/java/com/netscape/certsrv/account/Account.java b/base/common/src/main/java/com/netscape/certsrv/account/Account.java
index 7447bfa..6aaca9c 100644
--- a/base/common/src/main/java/com/netscape/certsrv/account/Account.java
+++ b/base/common/src/main/java/com/netscape/certsrv/account/Account.java
@@ -23,6 +23,7 @@ import java.io.StringWriter;
import java.util.Collection;
import java.util.TreeSet;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -209,6 +210,8 @@ public class Account extends RESTMessage {
document.appendChild(accountElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET,"");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -224,6 +227,7 @@ public class Account extends RESTMessage {
public static Account fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java b/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java
index f4876f8..6ea5c3d 100644
--- a/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java
+++ b/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java
@@ -21,6 +21,7 @@ import java.io.StringReader;
import java.io.StringWriter;
import javax.ws.rs.core.Response;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -158,6 +159,8 @@ public class PKIException extends RuntimeException {
document.appendChild(element);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -173,6 +176,7 @@ public class PKIException extends RuntimeException {
public static Data fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java b/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
index a62a1ae..e8bc5eb 100644
--- a/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
+++ b/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
@@ -10,6 +10,7 @@ import java.util.List;
import java.util.Map;
import javax.ws.rs.core.MultivaluedMap;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -317,11 +318,14 @@ public class RESTMessage implements JSONSerializer {
document.appendChild(element);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
DOMSource domSource = new DOMSource(document);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
StringWriter sw = new StringWriter();
StreamResult streamResult = new StreamResult(sw);
transformer.transform(domSource, streamResult);
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java
index 2a47c3c..a3a19e7 100644
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java
@@ -23,6 +23,7 @@ import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Date;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -475,6 +476,8 @@ public class CertData implements JSONSerializer {
document.appendChild(infoElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -490,6 +493,7 @@ public class CertData implements JSONSerializer {
public static CertData fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java
index 847e32b..516fac9 100644
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java
@@ -24,6 +24,7 @@ import java.io.StringReader;
import java.io.StringWriter;
import java.util.Date;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -513,6 +514,8 @@ public class CertDataInfo implements JSONSerializer {
document.appendChild(infoElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -528,6 +531,7 @@ public class CertDataInfo implements JSONSerializer {
public static CertDataInfo fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java
index 8554da4..2262739 100644
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java
@@ -20,6 +20,7 @@ package com.netscape.certsrv.cert;
import java.io.StringReader;
import java.io.StringWriter;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -74,6 +75,8 @@ public class CertDataInfos extends DataCollection<CertDataInfo> {
toDOM(document);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -118,6 +121,7 @@ public class CertDataInfos extends DataCollection<CertDataInfo> {
public static CertDataInfos fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java
index 88de02e..f48fa56 100644
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java
@@ -28,6 +28,7 @@ import java.util.Collection;
import java.util.HashMap;
import javax.ws.rs.core.MultivaluedMap;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -514,6 +515,8 @@ public class CertEnrollmentRequest extends RESTMessage {
document.appendChild(element);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -527,6 +530,7 @@ public class CertEnrollmentRequest extends RESTMessage {
public static CertEnrollmentRequest fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
index 79bff39..b7aa718 100644
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
@@ -21,6 +21,7 @@ package com.netscape.certsrv.cert;
import java.io.StringReader;
import java.io.StringWriter;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -246,6 +247,8 @@ public class CertRequestInfo extends CMSRequestInfo {
document.appendChild(element);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -261,6 +264,7 @@ public class CertRequestInfo extends CMSRequestInfo {
public static CertRequestInfo fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java
index 8365e33..4720bc4 100644
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java
@@ -21,6 +21,7 @@ import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collection;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -108,6 +109,8 @@ public class CertRequestInfos extends DataCollection<CertRequestInfo> implements
document.appendChild(element);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -152,6 +155,7 @@ public class CertRequestInfos extends DataCollection<CertRequestInfo> implements
public static CertRequestInfos fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java
index db16917..bde7e99 100644
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java
@@ -25,6 +25,7 @@ import java.io.StringReader;
import java.io.StringWriter;
import java.util.Objects;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -126,6 +127,8 @@ public class CertRetrievalRequest implements JSONSerializer {
document.appendChild(requestElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -141,6 +144,7 @@ public class CertRetrievalRequest implements JSONSerializer {
public static CertRetrievalRequest fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java
index 5f0a9f4..709db38 100644
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java
@@ -22,6 +22,7 @@ import java.io.StringReader;
import java.io.StringWriter;
import java.util.Date;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -226,6 +227,8 @@ public class CertRevokeRequest implements JSONSerializer {
document.appendChild(requestElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -241,6 +244,7 @@ public class CertRevokeRequest implements JSONSerializer {
public static CertRevokeRequest fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java
index 1d178b6..67da3c1 100644
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java
@@ -25,6 +25,7 @@ import java.io.StringWriter;
import java.util.Objects;
import javax.ws.rs.core.MultivaluedMap;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -1079,6 +1080,8 @@ public class CertSearchRequest implements JSONSerializer {
document.appendChild(rootElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -1094,6 +1097,7 @@ public class CertSearchRequest implements JSONSerializer {
public static CertSearchRequest fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
index 05303b2..fc1fe0f 100644
--- a/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
+++ b/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
@@ -114,6 +114,7 @@ public class AsymKeyGenerationRequest extends KeyGenerationRequest {
public static AsymKeyGenerationRequest fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java
index 3152e88..462f228 100644
--- a/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java
+++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java
@@ -256,6 +256,7 @@ public class KeyArchivalRequest extends RESTMessage {
public static KeyArchivalRequest fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
index 8970a70..dca3f01 100644
--- a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
+++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
@@ -21,6 +21,7 @@ package com.netscape.certsrv.key;
import java.io.StringReader;
import java.io.StringWriter;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -139,6 +140,8 @@ public class KeyRequestInfo extends CMSRequestInfo {
document.appendChild(element);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -154,6 +157,7 @@ public class KeyRequestInfo extends CMSRequestInfo {
public static KeyRequestInfo fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java
index c471f69..6cc9840 100644
--- a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java
+++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java
@@ -21,6 +21,7 @@ import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collection;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -99,6 +100,8 @@ public class KeyRequestInfoCollection extends DataCollection<KeyRequestInfo> imp
document.appendChild(element);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -143,6 +146,7 @@ public class KeyRequestInfoCollection extends DataCollection<KeyRequestInfo> imp
public static KeyRequestInfoCollection fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java
index f86bba2..e7542f6 100644
--- a/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java
+++ b/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java
@@ -103,6 +103,7 @@ public class SymKeyGenerationRequest extends KeyGenerationRequest {
public static SymKeyGenerationRequest fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java
index 763eaae..5d43bf1 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java
@@ -22,6 +22,7 @@ import java.io.StringWriter;
import java.util.ArrayList;
import java.util.List;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -228,6 +229,8 @@ public class PolicyConstraint implements JSONSerializer {
document.appendChild(accountElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -242,6 +245,7 @@ public class PolicyConstraint implements JSONSerializer {
public static PolicyConstraint fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java
index be84f08..9986837 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java
@@ -20,6 +20,7 @@ package com.netscape.certsrv.profile;
import java.io.StringReader;
import java.io.StringWriter;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -169,6 +170,8 @@ public class PolicyConstraintValue implements JSONSerializer {
document.appendChild(pcvElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -183,6 +186,7 @@ public class PolicyConstraintValue implements JSONSerializer {
public static PolicyConstraintValue fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java
index 49e2598..b4602c6 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java
@@ -22,6 +22,7 @@ import java.io.StringWriter;
import java.util.ArrayList;
import java.util.List;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -231,6 +232,8 @@ public class PolicyDefault implements JSONSerializer {
document.appendChild(pdElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -245,6 +248,7 @@ public class PolicyDefault implements JSONSerializer {
public static PolicyDefault fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java
index 0e43db8..7abd149 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java
@@ -20,6 +20,7 @@ package com.netscape.certsrv.profile;
import java.io.StringReader;
import java.io.StringWriter;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -180,6 +181,8 @@ public class ProfileAttribute implements JSONSerializer {
document.appendChild(accountElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -193,6 +196,7 @@ public class ProfileAttribute implements JSONSerializer {
public static ProfileAttribute fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java
index f80c0d5..450b832 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java
@@ -31,6 +31,7 @@ import java.util.Map.Entry;
import java.util.Objects;
import java.util.Vector;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -554,6 +555,8 @@ public class ProfileData implements JSONSerializer {
document.appendChild(pdElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -568,6 +571,7 @@ public class ProfileData implements JSONSerializer {
public static ProfileData fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java
index 8f1744e..a67d697 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java
@@ -21,6 +21,7 @@ import java.io.StringReader;
import java.io.StringWriter;
import java.util.Objects;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -177,6 +178,8 @@ public class ProfileDataInfo implements JSONSerializer {
document.appendChild(profileParameterElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -191,6 +194,7 @@ public class ProfileDataInfo implements JSONSerializer {
public static ProfileDataInfo fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java
index 7225c83..8975bc6 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java
@@ -20,6 +20,7 @@ package com.netscape.certsrv.profile;
import java.io.StringReader;
import java.io.StringWriter;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -74,6 +75,8 @@ public class ProfileDataInfos extends DataCollection<ProfileDataInfo> {
document.appendChild(element);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -118,6 +121,7 @@ public class ProfileDataInfos extends DataCollection<ProfileDataInfo> {
public static ProfileDataInfos fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java
index 303785d..aac8f0d 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java
@@ -23,6 +23,7 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -354,6 +355,8 @@ public class ProfileInput implements JSONSerializer {
document.appendChild(element);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -367,6 +370,7 @@ public class ProfileInput implements JSONSerializer {
public static ProfileInput fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java
index b2442c7..c85bfed 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java
@@ -22,6 +22,7 @@ import java.io.StringWriter;
import java.util.ArrayList;
import java.util.List;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -234,6 +235,8 @@ public class ProfileOutput implements JSONSerializer {
document.appendChild(pdElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -248,6 +251,7 @@ public class ProfileOutput implements JSONSerializer {
public static ProfileOutput fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java
index 55e07b4..b6a007f 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java
@@ -21,6 +21,7 @@ import java.io.StringReader;
import java.io.StringWriter;
import java.util.Objects;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -128,6 +129,8 @@ public class ProfileParameter implements JSONSerializer {
document.appendChild(profileParameterElement);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -142,6 +145,7 @@ public class ProfileParameter implements JSONSerializer {
public static ProfileParameter fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java b/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java
index b6c2fa4..661355a 100644
--- a/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java
+++ b/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java
@@ -20,6 +20,7 @@ package com.netscape.certsrv.request;
import java.io.StringReader;
import java.io.StringWriter;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -229,6 +230,8 @@ public class CMSRequestInfo implements JSONSerializer {
document.appendChild(element);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -244,6 +247,7 @@ public class CMSRequestInfo implements JSONSerializer {
public static CMSRequestInfo fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/org/dogtagpki/common/Info.java b/base/common/src/main/java/org/dogtagpki/common/Info.java
index 0929ada..3d1b693 100644
--- a/base/common/src/main/java/org/dogtagpki/common/Info.java
+++ b/base/common/src/main/java/org/dogtagpki/common/Info.java
@@ -21,6 +21,7 @@ package org.dogtagpki.common;
import java.io.StringReader;
import java.io.StringWriter;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -183,6 +184,8 @@ public class Info extends RESTMessage {
document.appendChild(element);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -198,6 +201,7 @@ public class Info extends RESTMessage {
public static Info fromXML(String xml) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
index bdd485e..07fae1a 100644
--- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
@@ -24,6 +24,7 @@ import java.util.Enumeration;
import java.util.Locale;
import java.util.Vector;
+import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
@@ -697,7 +698,10 @@ public class SecurityDomainProcessor extends Processor {
XMLObject xmlObject = convertDomainInfoToXMLObject(before);
Document document = xmlObject.getDocument();
- Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
index 2a02d72..d9ac572 100644
--- a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
+++ b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
@@ -41,6 +41,7 @@ public class ServerXml {
ServerXml serverXml = new ServerXml();
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(filename);
diff --git a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
index 81fdbf4..1043bcb 100644
--- a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
+++ b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
@@ -25,6 +25,7 @@ import java.io.OutputStream;
import java.io.StringWriter;
import java.util.Vector;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -56,6 +57,7 @@ public class XMLObject {
public XMLObject(InputStream s)
throws SAXException, IOException, ParserConfigurationException {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
mDoc = docBuilder.parse(s);
}
@@ -63,6 +65,7 @@ public class XMLObject {
public XMLObject(File f)
throws SAXException, IOException, ParserConfigurationException {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
mDoc = docBuilder.parse(f);
}
@@ -159,6 +162,8 @@ public class XMLObject {
public byte[] toByteArray() throws TransformerConfigurationException, TransformerException {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
TransformerFactory tranFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer aTransformer = tranFactory.newTransformer();
Source src = new DOMSource(mDoc);
Result dest = new StreamResult(bos);
@@ -169,6 +174,8 @@ public class XMLObject {
public void output(OutputStream os)
throws TransformerConfigurationException, TransformerException {
TransformerFactory tranFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer aTransformer = tranFactory.newTransformer();
Source src = new DOMSource(mDoc);
Result dest = new StreamResult(os);
@@ -177,6 +184,8 @@ public class XMLObject {
public String toXMLString() throws TransformerConfigurationException, TransformerException {
TransformerFactory tranFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = tranFactory.newTransformer();
Source src = new DOMSource(mDoc);
StreamResult dest = new StreamResult(new StringWriter());
--
2.33.0

60
backport-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
View File

@ -1,60 +0,0 @@
From aa7161ba378caf5cf0471aafb679a842679c8388 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 11 Sep 2023 15:40:32 -0500
Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
Previously the LDAPSecurityDomainSessionTable.sessionExists()
and getStringValue() were using user-provided session ID as
is in an LDAP filter which could be exploited to bypass token
authentication.
To fix the problem the code has been modified to escape all
special characters in the session ID before using it in the
LDAP filter.
Resolves: CVE-2023-4727
---
.../session/LDAPSecurityDomainSessionTable.java | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
index 1783823..fa03c99 100644
--- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
@@ -31,6 +31,7 @@ import com.netscape.cmscore.apps.EngineConfig;
import com.netscape.cmscore.ldapconn.LDAPConfig;
import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
import com.netscape.cmscore.ldapconn.PKISocketConfig;
+import com.netscape.cmsutil.ldap.LDAPUtil;
import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPAttributeSet;
@@ -179,7 +180,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = ldapConfig.getBaseDN();
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { "cn" };
conn = mLdapConnFactory.getConn();
@@ -262,7 +267,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = ldapConfig.getBaseDN();
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { attr };
conn = mLdapConnFactory.getConn();
--
2.33.0

66
pki-core.spec
View File

@ -1,19 +1,20 @@
%define package_option() %bcond_with %1
%define debug_package %{nil}
%define _unpackaged_files_terminate_build 0
%define java_devel java-18-openjdk-devel
%define java_headless java-18-openjdk-headless
%define java_home /usr/lib/jvm/jre-18-openjdk
Name: pki-core
Version: 11.0.0
Release: 8
Release: 1
Summary: The PKI Core Package
License: GPLv2 and LGPLv2
URL: http://www.dogtagpki.org/
Source0: https://github.com/dogtagpki/pki/archive/v%{version}/pki-v%{version}.tar.gz
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
Patch0001: 0001-Disable-access-to-external-entities-when-parsing-XML.patch
Patch3000: backport-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
BuildRequires: make cmake >= 2.8.9-1 gcc-c++ zip java-latest-openjdk-devel java-latest-openjdk-headless
BuildRequires: git make cmake >= 2.8.9-1 gcc-c++ zip java-latest-openjdk-devel java-latest-openjdk-headless
BuildRequires: ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io
BuildRequires: apache-commons-lang jakarta-commons-httpclient glassfish-jaxb-api slf4j
BuildRequires: slf4j-jdk14 nspr-devel nss-devel >= 3.36.1 python3-lxml python3-sphinx
@ -28,7 +29,7 @@ BuildRequires: python3 python3-devel python3-cryptography python3-lxml pyt
BuildRequires: python3-nss python3-requests >= 2.6.0 systemd-units tomcat >= 1:9.0.7
BuildRequires: junit jpackage-utils >= 0:1.7.5-10 jss >= 4.6.0 tomcatjss >= 7.4.1
BuildRequires: apr-devel apr-util-devel cyrus-sasl-devel httpd-devel >= 2.4.2 pcre-devel
BuildRequires: systemd zlib zlib-devel nss-tools openssl golang chrpath
BuildRequires: systemd zlib zlib-devel nss-tools openssl golang
%description
Dogtag PKI is a designed enterprise software system
manage enterprise Public Key Infrastructure deployments.
@ -61,8 +62,7 @@ Summary: The PKI Python 3 Package
BuildArch: noarch
Obsoletes: pki-base-python3 < %{version}
Provides: pki-base-python3 = %{version}
Provides: python3-pki = %{version}
Provides: python-pki = %{version}
%{?python_provide:%python_provide python3-pki}
Requires: pki-base = %{version} python3-cryptography python3-lxml
Requires: python3-requests >= 2.6.0 python3-six python3-nss
%description -n python3-pki
@ -208,9 +208,6 @@ The PKI console is a Java application used to manage the PKI server.
tar -xf %{SOURCE1}
%build
openjdk_latest_version=`rpm -qi java-latest-openjdk-headless | grep Version | cut -b 15-16`
java_home=/usr/lib/jvm/jre-${openjdk_latest_version}-openjdk
tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'`
if [ $tomcat_version == "9.0" ]; then
app_server=tomcat-9.0
@ -218,16 +215,16 @@ else
app_server=tomcat-$tomcat_version
fi
# generate go-md2man
mkdir -p ${HOME}/rpmbuild/bin/
mkdir -p /home/abuild/rpmbuild/bin/
cd go-md2man-*
go build -mod=vendor -o ${HOME}/rpmbuild/bin/
go build -mod=vendor -o /home/abuild/rpmbuild/bin/
cd -
mkdir -p build
cd build
%cmake \
--no-warn-unused-cli -DVERSION=%{version}-%{release} \
-DVAR_INSTALL_DIR:PATH=/var -DJAVA_HOME=${java_home} \
-DVAR_INSTALL_DIR:PATH=/var -DJAVA_HOME=%{java_home} \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
-DAPP_SERVER=$app_server \
-DJAXRS_API_JAR=/usr/share/java/jboss-jaxrs-2.0-api.jar \
@ -240,7 +237,7 @@ cd build
..
%install
export PATH=$PATH:${HOME}/rpmbuild/bin/
export PATH=$PATH:/home/abuild/rpmbuild/bin/
cd build
%make_build \
VERBOSE=%{?_verbose} CMAKE_NO_VERBOSE=1 \
@ -257,12 +254,6 @@ cd build
ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar\
%{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar
chrpath -d %{buildroot}/%{_bindir}/tpsclient
chrpath -d %{buildroot}/%{_libdir}/tps/libtokendb.so
chrpath -d %{buildroot}/%{_libdir}/tps/libtps.so
mkdir -p %{buildroot}/etc/ld.so.conf.d
echo "%{_libdir}/tps" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
%pretrans -n pki-base -p <lua>
function test(a)
if posix.stat(a) then
@ -323,12 +314,6 @@ then
systemctl daemon-reload
fi
%post -n pki-tps
/sbin/ldconfig
%postun -n pki-tps
/sbin/ldconfig
%files -n pki-symkey
%doc base/symkey/LICENSE
%{_jnidir}/symkey.jar
@ -441,7 +426,6 @@ fi
%{_datadir}/pki/tps/{applets/,conf/,setup/,webapps/}
%{_bindir}/tpsclient
%{_libdir}/tps/{libtps.so,libtokendb.so}
%config(noreplace) /etc/ld.so.conf.d/*
%files -n pki-help
%{_javadocdir}/pki/
@ -457,30 +441,6 @@ fi
%endif
%changelog
* Sun Oct 13 2024 liningjie <liningjie@xfusion.com> - 11.0.0-8
- Fix CVE-2023-4727
* Thu Apr 11 2024 liyanan <liyanan61@h-partners.com> - 11.0.0-7
- Replace unrecognized macros
* Tue Sep 19 2023 Jia Chao <jiac13@chinaunicom.cn> - 11.0.0-6
- Fix: use ${HOME} replace hard code '/home/abuild'.
* Thu Dec 01 2022 xu_ping <xuping33@h-partners.com> - 11.0.0-5
- remove unuse buildrequires git packages
* Wed Nov 23 2022 wulei <wulei80@h-partners.com> - 11.0.0-4
- Rectify the pki-core compilation failure caused by the openjdk-latest upgrade
* Wed Aug 24 2022 wangkai <wangkai385@h-partners.com> - 11.0.0-3
- Remove rpath and enable debuginfo
* Fri Jul 15 2022 yinyongkang <yinyongkang@kylinos.cn> - 11.0.0-2
- Type:CVE
- ID:CVE-2022-2414
- SUG:NA
- DESC:Fix CVE-2022-2414
* Thu Jun 16 2022 liyanan <liyanan32@h-partners.com> - 11.0.0-1
- Update to 11.0.0