JDK-8012288

XML DSig API allows wrong tag names and extra elements in SignedInfo

    Details

    • Subcomponent:
    • Resolved In Build:
      b102
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Verified


        Description

        The XML DSig implementation ignores tag names and extra elements in SignedInfo. For example, the following XML passes validation:

        ...
        <aSignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <aCanonicalizationMethod
        Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></aCanonicalizationMethod>

        <aSignatureMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></aSignatureMethod>

        <aReference URI="">
        <Transforms>
              <aTransform
        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></aTransform>

        </Transforms>
        <aDigestMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></aDigestMethod>
        <aDigestValue>1Bq8FsjajUBYPD7stQeJSc66GlM=</aDigestValue>
            <test>some extra text</test>
        </aReference>
        </aSignedInfo>
        <aSignatureValue>cbNpPGavhM0...</aSignatureValue>
        ...

        Only the Transforms tag is not affected.
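
A strict structural check of the kind this report shows was missing, as an added example (not JDK code and not part of the original report): it compares the children of SignedInfo, Reference and Transforms against the content models in the XML Signature schema. The class name and the inline sample document are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class StrictSignedInfoCheck {  // hypothetical class name
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";

    // Content models from the XML Signature schema, as regexes over the space-joined
    // child names. Algorithm elements may carry parameters, so they are not modelled.
    static final Map<String, String> MODEL = Map.of(
        "SignedInfo", "CanonicalizationMethod SignatureMethod( Reference)+",
        "Reference", "(Transforms )?DigestMethod DigestValue",
        "Transforms", "Transform( Transform)*");

    // Records each modelled element whose element children deviate from its model.
    static void check(Element e, List<String> errors) {
        List<String> names = new ArrayList<>();
        for (Node n = e.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (!(n instanceof Element)) continue;
            boolean dsig = DSIG.equals(n.getNamespaceURI());
            // Foreign-namespace names get a "{uri}" prefix so they can never match.
            names.add(dsig ? n.getLocalName() : "{" + n.getNamespaceURI() + "}" + n.getLocalName());
            if (dsig && MODEL.containsKey(n.getLocalName())) check((Element) n, errors);
        }
        String seq = String.join(" ", names);
        if (!seq.matches(MODEL.get(e.getLocalName())))
            errors.add(e.getLocalName() + " has children [" + seq + "]");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample modelled on the report: renamed tags plus an extra element.
        String xml = "<SignedInfo xmlns='" + DSIG + "'><aCanonicalizationMethod/>"
            + "<SignatureMethod/><Reference URI=''><DigestMethod/><aDigestValue/>"
            + "<test>some extra text</test></Reference></SignedInfo>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);  // required for getLocalName()/getNamespaceURI()
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        List<String> errors = new ArrayList<>();
        if (!DSIG.equals(root.getNamespaceURI()) || !"SignedInfo".equals(root.getLocalName()))
            errors.add("root is not SignedInfo in the XML Signature namespace");
        else check(root, errors);
        errors.forEach(System.out::println);
    }
}
```

Running a check like this on the SignedInfo element before calling `XMLSignature.validate` rejects documents shaped like the one in this report, independent of how the underlying implementation treats tag names.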


                People

                • Assignee:
                  mullan Sean Mullan
                  Reporter:
                  asmotrak Artem Smotrakov