Refactor of DOM parsing

plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java

@@ -30,7 +30,6 @@
 import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.stream.XMLOutputFactory;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamWriter;
@@ -61,11 +60,6 @@ public class MetadataWriter {
     private static final Logger LOG = LoggerFactory.getLogger(MetadataWriter.class);
 
     private static final XMLOutputFactory XML_OUTPUT_FACTORY = XMLOutputFactory.newInstance();
-    private static final DocumentBuilderFactory DOC_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
-
-    static {
-        DOC_BUILDER_FACTORY.setNamespaceAware(true);
-    }
 
     //CHECKSTYLE:OFF
     public Document getMetaData(
@@ -128,8 +122,10 @@ public Document getMetaData(
             }
             try (InputStream is = new ByteArrayInputStream(bout.toByteArray())) {
                 if (hasSigningKey) {
+                    Document doc = DOMUtils.readXml(is);
                     Document result = SignatureUtils.signMetaInfo(
-                        config.getSigningKey().getCrypto(), config.getSigningKey().getKeyAlias(), config.getSigningKey().getKeyPassword(), is, referenceID);
+                        config.getSigningKey().getCrypto(), config.getSigningKey().getKeyAlias(), config.getSigningKey().getKeyPassword(), 
+                        doc, referenceID);
                     if (result != null) {
                         return result;
                     } else {

plugins/core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java

@@ -75,11 +75,13 @@ private static DocumentBuilder getBuilder() throws ParserConfigurationException
             loader = DOMUtils.class.getClassLoader();
         }
         if (loader == null) {
-            return XMLUtils.getParser();
+            DocumentBuilderFactory dbf = createDocumentBuilderFactory();
+            return dbf.newDocumentBuilder();
         }
         DocumentBuilder builder = DOCUMENT_BUILDERS.get(loader);
         if (builder == null) {
-            builder = XMLUtils.getParser();
+            DocumentBuilderFactory dbf = createDocumentBuilderFactory();
+            builder = dbf.newDocumentBuilder();
             DOCUMENT_BUILDERS.put(loader, builder);
         }
         return builder;
@@ -421,76 +423,50 @@ public InputSource resolveEntity(String publicId, String systemId) throws SAXExc
             return new InputSource(new StringReader(""));
         }
     }
-
-    /**
-     * Read XML as DOM.
-     */
-    public static Document readXml(InputStream is) throws SAXException, IOException,
-        ParserConfigurationException {
+
+    private static DocumentBuilderFactory createDocumentBuilderFactory() throws ParserConfigurationException {
         DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING , true);
 
         dbf.setValidating(false);
         dbf.setIgnoringComments(false);
         dbf.setIgnoringElementContentWhitespace(true);
         dbf.setNamespaceAware(true);
         // dbf.setCoalescing(true);
         // dbf.setExpandEntityReferences(true);
+
+        return dbf;
+    }
 
-        DocumentBuilder db = null;
-        db = dbf.newDocumentBuilder();
-        db.setEntityResolver(new NullResolver());
-
-        // db.setErrorHandler( new MyErrorHandler());
-
+    /**
+     * Read XML as DOM.
+     */
+    public static Document readXml(InputStream is) throws SAXException, IOException,
+        ParserConfigurationException {
+        DocumentBuilder db = getBuilder();
         return db.parse(is);
     }
 
     public static Document readXml(Reader is) throws SAXException, IOException, ParserConfigurationException {
-        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-
-        dbf.setValidating(false);
-        dbf.setIgnoringComments(false);
-        dbf.setIgnoringElementContentWhitespace(true);
-        dbf.setNamespaceAware(true);
-        // dbf.setCoalescing(true);
-        // dbf.setExpandEntityReferences(true);
-
-        DocumentBuilder db = null;
-        db = dbf.newDocumentBuilder();
-        db.setEntityResolver(new NullResolver());
-
-        // db.setErrorHandler( new MyErrorHandler());
         InputSource ips = new InputSource(is);
+        DocumentBuilder db = getBuilder();
         return db.parse(ips);
     }
 
     public static Document readXml(StreamSource is) throws SAXException, IOException,
         ParserConfigurationException {
-
-        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-
-        dbf.setValidating(false);
-        dbf.setIgnoringComments(false);
-        dbf.setIgnoringElementContentWhitespace(true);
-        dbf.setNamespaceAware(true);
-        // dbf.setCoalescing(true);
-        // dbf.setExpandEntityReferences(true);
-
-        DocumentBuilder db = null;
-        db = dbf.newDocumentBuilder();
-        db.setEntityResolver(new NullResolver());
-
-        // db.setErrorHandler( new MyErrorHandler());
         InputSource is2 = new InputSource();
         is2.setSystemId(is.getSystemId());
         is2.setByteStream(is.getInputStream());
         is2.setCharacterStream(is.getReader());
 
+        DocumentBuilder db = getBuilder();
         return db.parse(is2);
     }
 
     public static void writeXml(Node n, OutputStream os) throws TransformerException {
         TransformerFactory tf = TransformerFactory.newInstance();
+        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING , true);
         // identity
         Transformer t = tf.newTransformer();
         t.setOutputProperty(OutputKeys.INDENT, "yes");

plugins/core/src/main/java/org/apache/cxf/fediz/core/util/SignatureUtils.java

@@ -19,7 +19,6 @@
 
 package org.apache.cxf.fediz.core.util;
 
-import java.io.InputStream;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -40,7 +39,6 @@
 import javax.xml.crypto.dsig.keyinfo.X509Data;
 import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
 import javax.xml.crypto.dsig.spec.TransformParameterSpec;
-import javax.xml.parsers.DocumentBuilderFactory;
 
 import org.w3c.dom.Document;
 
@@ -53,18 +51,12 @@ public final class SignatureUtils {
     private static final Logger LOG = LoggerFactory.getLogger(SignatureUtils.class);
 
     private static final XMLSignatureFactory XML_SIGNATURE_FACTORY = XMLSignatureFactory.getInstance("DOM");
-    private static final DocumentBuilderFactory DOC_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
-
-    static {
-        DOC_BUILDER_FACTORY.setNamespaceAware(true);
-    }
 
     private SignatureUtils() {
     }
 
-
     public static Document signMetaInfo(Crypto crypto, String keyAlias, String keyPassword,
-                                              InputStream metaInfo, String referenceID) throws Exception {
+                                              Document doc, String referenceID) throws Exception {
         if (keyAlias == null || "".equals(keyAlias)) {
             keyAlias = crypto.getDefaultX509Identifier();
         }
@@ -143,8 +135,6 @@ public static Document signMetaInfo(Crypto crypto, String keyAlias, String keyPa
         KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
 
         // step3
-        // Instantiate the document to be signed.
-        Document doc = DOC_BUILDER_FACTORY.newDocumentBuilder().parse(metaInfo);
 
         // Create a DOMSignContext and specify the RSA PrivateKey and
         // location of the resulting XMLSignature's parent element.