in ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java [198:262]
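/**
 * Checks every {@code ds:Reference} of the signature's {@code SignedInfo} against the
 * Basic Security Profile rules enforced by this processor and hands each detected
 * violation to {@code securityContext.handleBSPRule(...)}.
 *
 * <p>Per reference:
 * <ul>
 *   <li>R5416 – the reference has no {@code ds:Transforms} element;</li>
 *   <li>R5411 – the {@code ds:Transforms} element has no {@code ds:Transform} children;</li>
 *   <li>R5420 – the digest method is none of SHA-1, SHA-256, SHA-512.</li>
 * </ul>
 * Per transform (see {@link #checkTransforms}):
 * <ul>
 *   <li>R5423 – the transform algorithm is not one of the accepted algorithms;</li>
 *   <li>R5412 – the last transform is not exc-c14n, STR-Transform or an SwA attachment transform;</li>
 *   <li>R5407 – exc-c14n carrying an {@code InclusiveNamespaces} element with an empty PrefixList;</li>
 *   <li>R5413 – STR-Transform carrying an {@code InclusiveNamespaces} element with an empty PrefixList;</li>
 *   <li>R3065 – STR-Transform without {@code wsse:TransformationParameters}, or without a
 *       {@code ds:CanonicalizationMethod} inside them.</li>
 * </ul>
 *
 * <p>The R5412/R5407/R5413/R3065 checks are evaluated for every transform, independently of
 * the R5423 outcome: they only concern accepted algorithms, so placing them inside the R5423
 * branch (which fires only for non-accepted algorithms) would make them unreachable and would
 * leave a trailing Filter2 or enveloped-signature transform unflagged by R5412.
 *
 * @param securityContext the inbound security context that receives every detected BSP rule violation
 * @throws WSSecurityException propagated from {@code handleBSPRule} when a violation is not tolerated
 */
private void checkBSPCompliance(WSInboundSecurityContext securityContext) throws WSSecurityException {
    List<ReferenceType> references = getSignatureType().getSignedInfo().getReference();
    for (ReferenceType referenceType : references) {
        if (referenceType.getTransforms() == null) {
            securityContext.handleBSPRule(BSPRule.R5416);
        } else if (referenceType.getTransforms().getTransform().isEmpty()) {
            securityContext.handleBSPRule(BSPRule.R5411);
        } else {
            checkTransforms(securityContext, referenceType.getTransforms().getTransform());
        }
        // Read once instead of three times. NOTE(review): getDigestMethod() is assumed to be
        // non-null here, exactly as before; a missing DigestMethod would surface as an NPE.
        final String digestAlgorithm = referenceType.getDigestMethod().getAlgorithm();
        if (!WSSConstants.NS_XMLDSIG_SHA1.equals(digestAlgorithm)
                && !WSSConstants.NS_XENC_SHA256.equals(digestAlgorithm)
                && !WSSConstants.NS_XENC_SHA512.equals(digestAlgorithm)) {
            // Weakening this a bit to allow SHA > 1
            securityContext.handleBSPRule(BSPRule.R5420);
        }
    }
}

/**
 * Applies the per-transform BSP rules (R5423, R5412, R5407, R5413, R3065) to the
 * non-empty transform list of a single reference.
 *
 * @param securityContext receives every detected rule violation
 * @param transformTypes  the reference's transforms, in document order; must not be empty
 * @throws WSSecurityException propagated from {@code handleBSPRule}
 */
private static void checkTransforms(WSInboundSecurityContext securityContext,
                                    List<TransformType> transformTypes) throws WSSecurityException {
    final int lastIndex = transformTypes.size() - 1;
    for (int j = 0; j <= lastIndex; j++) {
        TransformType transformType = transformTypes.get(j);
        final String algorithm = transformType.getAlgorithm();
        if (!isAcceptedTransform(algorithm)) {
            securityContext.handleBSPRule(BSPRule.R5423);
        }
        // Deliberately NOT nested under the R5423 branch: the remaining rules describe how an
        // accepted algorithm must be used, so they must run whether or not R5423 fired.
        if (j == lastIndex && !isAcceptedLastTransform(algorithm)) {
            securityContext.handleBSPRule(BSPRule.R5412);
        }
        InclusiveNamespaces inclusiveNamespacesType =
                XMLSecurityUtils.getQNameType(transformType.getContent(),
                        XMLSecurityConstants.TAG_c14nExcl_InclusiveNamespaces);
        // An InclusiveNamespaces element is only a problem when its PrefixList is empty.
        final boolean emptyPrefixList = inclusiveNamespacesType != null
                && inclusiveNamespacesType.getPrefixList().isEmpty();
        if (WSSConstants.NS_C14N_EXCL.equals(algorithm) && emptyPrefixList) {
            securityContext.handleBSPRule(BSPRule.R5407);
        }
        if (WSSConstants.SOAPMESSAGE_NS10_STR_TRANSFORM.equals(algorithm)) {
            if (emptyPrefixList) {
                securityContext.handleBSPRule(BSPRule.R5413);
            }
            checkStrTransformParameters(securityContext, transformType);
        }
    }
}

/**
 * Reports R3065 when an STR-Transform lacks {@code wsse:TransformationParameters} or when
 * those parameters contain no {@code ds:CanonicalizationMethod}.
 *
 * @param securityContext receives the R3065 violation, if any
 * @param transformType   a transform whose algorithm is the STR-Transform
 * @throws WSSecurityException propagated from {@code handleBSPRule}
 */
private static void checkStrTransformParameters(WSInboundSecurityContext securityContext,
                                                TransformType transformType) throws WSSecurityException {
    TransformationParametersType transformationParametersType =
            XMLSecurityUtils.getQNameType(transformType.getContent(),
                    WSSConstants.TAG_WSSE_TRANSFORMATION_PARAMETERS);
    if (transformationParametersType == null) {
        securityContext.handleBSPRule(BSPRule.R3065);
        return;
    }
    CanonicalizationMethodType canonicalizationMethodType =
            XMLSecurityUtils.getQNameType(transformationParametersType.getAny(),
                    WSSConstants.TAG_dsig_CanonicalizationMethod);
    if (canonicalizationMethodType == null) {
        securityContext.handleBSPRule(BSPRule.R3065);
    }
}

/**
 * Returns whether {@code algorithm} is one of the transform algorithms accepted anywhere in a
 * reference's transform chain (R5423).
 *
 * @param algorithm the transform's Algorithm attribute; {@code null} is never accepted
 * @return {@code true} for exc-c14n, XPath Filter 2, STR-Transform, enveloped-signature and the
 *         two SwA attachment transforms
 */
private static boolean isAcceptedTransform(String algorithm) {
    return WSSConstants.NS_C14N_EXCL.equals(algorithm)
            || WSSConstants.NS_XMLDSIG_FILTER2.equals(algorithm)
            || WSSConstants.SOAPMESSAGE_NS10_STR_TRANSFORM.equals(algorithm)
            || WSSConstants.NS_XMLDSIG_ENVELOPED_SIGNATURE.equals(algorithm)
            || WSSConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS.equals(algorithm)
            || WSSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS.equals(algorithm);
}

/**
 * Returns whether {@code algorithm} may appear as the last transform of a reference (R5412).
 * This is a strict subset of {@link #isAcceptedTransform}: Filter2 and enveloped-signature are
 * accepted in the chain but not in the final position.
 *
 * @param algorithm the transform's Algorithm attribute; {@code null} is never accepted
 * @return {@code true} for exc-c14n, STR-Transform and the two SwA attachment transforms
 */
private static boolean isAcceptedLastTransform(String algorithm) {
    return WSSConstants.NS_C14N_EXCL.equals(algorithm)
            || WSSConstants.SOAPMESSAGE_NS10_STR_TRANSFORM.equals(algorithm)
            || WSSConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS.equals(algorithm)
            || WSSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS.equals(algorithm);
}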