SANTUARIO-525 Made Base64 line length and line separator configurable, such that "
" in Base64 encoded elements can be avoided

Author: peterdemaeyer

.gitignore

@@ -1,3 +1,5 @@
+/.idea
+/*.iml
 /.classpath
 /.project
 /target/

src/main/java/org/apache/xml/security/signature/XMLSignature.java

@@ -645,11 +645,6 @@ private void setSignatureValueElement(byte[] bytes) {
         }
 
         String base64codedValue = XMLUtils.encodeToString(bytes);
-
-        if (base64codedValue.length() > 76 && !XMLUtils.ignoreLineBreaks()) {
-            base64codedValue = "\n" + base64codedValue + "\n";
-        }
-
         Text t = createText(base64codedValue);
         signatureValueElement.appendChild(t);
     }

src/main/java/org/apache/xml/security/stax/ext/AbstractOutputProcessor.java

@@ -37,6 +37,7 @@
 import org.apache.xml.security.stax.ext.stax.XMLSecEventFactory;
 import org.apache.xml.security.stax.ext.stax.XMLSecNamespace;
 import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
+import org.apache.xml.security.utils.XMLUtils;
 import org.w3c.dom.Attr;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
@@ -72,6 +73,7 @@ public void setAction(XMLSecurityConstants.Action action) {
 
     @Override
     public void init(OutputProcessorChain outputProcessorChain) throws XMLSecurityException {
+        XMLUtils.setThreadLocalBase64Parameters(securityProperties.getBase64LineLength(), securityProperties.getBase64LineSeparator());
         outputProcessorChain.addProcessor(this);
     }
 

src/main/java/org/apache/xml/security/stax/ext/XMLSecurityProperties.java

@@ -19,6 +19,7 @@
 package org.apache.xml.security.stax.ext;
 
 import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;
+import org.apache.xml.security.utils.XMLUtils;
 
 import java.security.Key;
 import java.security.cert.X509Certificate;
@@ -78,6 +79,8 @@ public class XMLSecurityProperties {
 
     private QName signaturePositionQName;
     private boolean signaturePositionStart = false;
+    private int base64LineLength = XMLUtils.DEFAULT_BASE64_LINE_LENGTH;
+    private byte[] base64LineSeparator = XMLUtils.DEFAULT_BASE64_LINE_SEPARATOR;
 
     public XMLSecurityProperties() {
     }
@@ -117,6 +120,8 @@ protected XMLSecurityProperties(XMLSecurityProperties xmlSecurityProperties) {
         this.signatureIncludeDigestTransform = xmlSecurityProperties.signatureIncludeDigestTransform;
         this.signaturePositionQName = xmlSecurityProperties.signaturePositionQName;
         this.signaturePositionStart = xmlSecurityProperties.signaturePositionStart;
+        this.base64LineSeparator = xmlSecurityProperties.base64LineSeparator;
+        this.base64LineLength = xmlSecurityProperties.base64LineLength;
     }
 
     public boolean isSignaturePositionStart() {
@@ -528,4 +533,44 @@ public QName getSignaturePositionQName() {
     public void setSignaturePositionQName(QName signaturePositionQName) {
         this.signaturePositionQName = signaturePositionQName;
     }
+
+    /**
+     * @return the Base64 line separator, or {@code null} for no line separator.
+     */
+    public byte[] getBase64LineSeparator() {
+        return base64LineSeparator;
+    }
+
+    /**
+     * Sets the Base64 line separator to the given US-ASCII bytes.
+     * The default is CRLF.
+     * For no line separator, use the combination of {@code base64LineLength = 4} and
+     * {@code base64LineSeparator = null}.
+     *
+     * @param base64LineSeparator a Base64 line separator, or {@code null} for no line separator.
+     * @see #setBase64LineLength(int)
+     */
+    public void setBase64LineSeparator(byte[] base64LineSeparator) {
+        this.base64LineSeparator = base64LineSeparator;
+    }
+
+    /**
+     * @return the Base64 line length, possibly ≤ {@code 0} for no line separator.
+     */
+    public int getBase64LineLength() {
+        return base64LineLength;
+    }
+
+    /**
+     * Sets the Base64 line length, which must be a multiple of 4.
+     * The default is 76.
+     * For no line separator, use the combination of {@code base64LineLength = 4} and
+     * {@code base64LineSeparator = null}.
+     *
+     * @param base64LineLength a Base64 line length, or {@code 0} for no line separator.
+     * @see #setBase64LineSeparator(byte[])
+     */
+    public void setBase64LineLength(int base64LineLength) {
+        this.base64LineLength = base64LineLength;
+    }
 }

src/main/java/org/apache/xml/security/stax/impl/processor/output/AbstractEncryptOutputProcessor.java

@@ -174,12 +174,7 @@ public void init(OutputProcessorChain outputProcessorChain) throws XMLSecurityEx
                 symmetricCipher.init(Cipher.ENCRYPT_MODE, encryptionPartDef.getSymmetricKey(), parameterSpec);
 
                 characterEventGeneratorOutputStream = new CharacterEventGeneratorOutputStream();
-                Base64OutputStream base64EncoderStream = null;
-                if (XMLUtils.isIgnoreLineBreaks()) {
-                    base64EncoderStream = new Base64OutputStream(characterEventGeneratorOutputStream, true, 0, null);
-                } else {
-                    base64EncoderStream = new Base64OutputStream(characterEventGeneratorOutputStream, true);
-                }
+                Base64OutputStream base64EncoderStream = XMLUtils.createBase64OutputStream(characterEventGeneratorOutputStream, true);
                 base64EncoderStream.write(iv);
 
                 OutputStream outputStream = new CipherOutputStream(base64EncoderStream, symmetricCipher);

src/main/java/org/apache/xml/security/utils/ElementProxy.java

@@ -292,9 +292,6 @@ public void addBase64Element(byte[] bytes, String localname) {
             el.appendChild(text);
 
             appendSelf(el);
-            if (!XMLUtils.ignoreLineBreaks()) {
-                appendSelf(createText("\n"));
-            }
         }
     }
 
@@ -320,9 +317,7 @@ public void addTextElement(String text, String localname) {
      */
     public void addBase64Text(byte[] bytes) {
         if (bytes != null) {
-            Text t = XMLUtils.ignoreLineBreaks()
-                ? createText(XMLUtils.encodeToString(bytes))
-                : createText("\n" + XMLUtils.encodeToString(bytes) + "\n");
+            Text t = createText(XMLUtils.encodeToString(bytes));
             appendSelf(t);
         }
     }

src/main/java/org/apache/xml/security/utils/XMLUtils.java

@@ -40,9 +40,11 @@
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
+import org.apache.commons.codec.binary.Base64OutputStream;
 import org.apache.xml.security.c14n.CanonicalizationException;
 import org.apache.xml.security.c14n.Canonicalizer;
 import org.apache.xml.security.c14n.InvalidCanonicalizerException;
+import org.apache.xml.security.stax.impl.util.KeyValue;
 import org.w3c.dom.Attr;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -80,6 +82,12 @@ public final class XMLUtils {
     private static final Map<ClassLoader, Queue<DocumentBuilder>> DOCUMENT_BUILDERS_DISALLOW_DOCTYPE =
         Collections.synchronizedMap(new WeakHashMap<ClassLoader, Queue<DocumentBuilder>>());
 
+    public static final int DEFAULT_BASE64_LINE_LENGTH = 76;
+    public static final byte[] DEFAULT_BASE64_LINE_SEPARATOR = {13, 10};
+    private static final KeyValue<Integer, byte[]> DEFAULT_BASE64_PARAMETERS = new KeyValue<>(DEFAULT_BASE64_LINE_LENGTH, DEFAULT_BASE64_LINE_SEPARATOR);
+    private static final KeyValue<Integer, byte[]> IGNORE_LINE_BREAKS_BASE64_PARAMETERS = new KeyValue<>(0, null);
+    private static final ThreadLocal<KeyValue<Integer, byte[]>> BASE64_PARAMETERS = ThreadLocal.withInitial(() -> DEFAULT_BASE64_PARAMETERS);
+
     /**
      * Constructor XMLUtils
      *
@@ -528,10 +536,20 @@ public static void addReturnBeforeChild(Element e, Node child) {
     }
 
     public static String encodeToString(byte[] bytes) {
-        if (ignoreLineBreaks) {
+        KeyValue<Integer, byte[]> base64Parameters = getEffectiveBase64Parameters();
+        int lineLength = base64Parameters.getKey();
+        byte[] lineSeparator = base64Parameters.getValue();
+        if (lineSeparator == null) {
             return Base64.getEncoder().encodeToString(bytes);
         }
-        return Base64.getMimeEncoder().encodeToString(bytes);
+        return Base64.getMimeEncoder(lineLength, lineSeparator).encodeToString(bytes);
+    }
+
+    private static KeyValue<Integer, byte[]> getEffectiveBase64Parameters() {
+        if (ignoreLineBreaks) {
+            return IGNORE_LINE_BREAKS_BASE64_PARAMETERS;
+        }
+        return BASE64_PARAMETERS.get();
     }
 
     public static byte[] decode(String encodedString) {
@@ -542,10 +560,24 @@ public static byte[] decode(byte[] encodedBytes) {
         return Base64.getMimeDecoder().decode(encodedBytes);
     }
 
+    @Deprecated
     public static boolean isIgnoreLineBreaks() {
         return ignoreLineBreaks;
     }
 
+    /**
+     * Creates a new Base64 output stream around a given output stream, using the thread-local Base64 parameters
+     * which were configured on this thread using {@link #setThreadLocalBase64Parameters(int, byte[])}.
+     *
+     * @param out The delegate output stream, which must not be {@code null}.
+     * @param doEncode {@code true} to encode, {@code false} to decode Base64.
+     * @return A new Base64 output stream, never {@code null}.
+     */
+    public static Base64OutputStream createBase64OutputStream(OutputStream out, boolean doEncode) {
+        KeyValue<Integer, byte[]> base64Parameters = getEffectiveBase64Parameters();
+        return new Base64OutputStream(out, true, base64Parameters.getKey(), base64Parameters.getValue());
+    }
+
     /**
      * Method convertNodelistToSet
      *
@@ -857,6 +889,7 @@ public static boolean isDescendantOrSelf(Node ctx, Node descendantOrSelf) {
         }
     }
 
+    @Deprecated
     public static boolean ignoreLineBreaks() {
         return ignoreLineBreaks;
     }
@@ -1125,4 +1158,16 @@ public ClassLoader run() {
         return clazz.getClassLoader();
     }
 
+    /**
+     * Sets the thread-local Base64 parameters that will be used by this thread in further calls to
+     * {@link #encodeToString(byte[])} and {@link #createBase64OutputStream(OutputStream, boolean)}.
+     * Any thread-local parameters set here will be overruled (have no effect) when the system property
+     * {@code "org.apache.xml.security.ignoreLineBreaks"} is set.
+     *
+     * @param lineLength a line length, 76 by default. Use 0 for no line separator.
+     * @param lineSeparator a line separator, CRLF {@code {13, 10}} by default. Use {@code null} for no line separator.
+     */
+    public static void setThreadLocalBase64Parameters(int lineLength, byte[] lineSeparator) {
+        BASE64_PARAMETERS.set(new KeyValue<>(lineLength, lineSeparator));
+    }
 }