
Secure validation of XML based digital signature always enabled when checking wrapping attacks

    Details

    • Subcomponent:
    • Introduced In Build: b100
    • Introduced In Version: 8
    • Resolved In Build: b01

        Description

        One should be able to enable or disable the XML secure validation of a digital signature using the DOMValidateContext property "org.jcp.xml.dsig.secureValidation". In 8u, even when the property value is Boolean.FALSE or unset, the validation is triggered.

        The code below sets org.jcp.xml.dsig.secureValidation to false:

        import javax.xml.crypto.dsig.dom.DOMValidateContext;
        // keyValueKS is the KeySelector, element the ds:Signature node, base a File
        DOMValidateContext vc = new DOMValidateContext(keyValueKS, element);
        vc.setBaseURI(base.toURI().toString());
        vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);

        An immediate call to vc.getProperty() gives the correct value, but the value is not considered during XML processing.
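        For comparison, the following is an added example (not code from this report or from OpenJDK) of how a validating application would use the same property: it sets secure validation explicitly to TRUE, confirms the context retained the value, and validates the first ds:Signature in a file. The signedXml File and signerKey PublicKey are assumed inputs.

```java
import java.io.File;
import java.security.PublicKey;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class SecureValidateExample {
    private static final String SECURE_VALIDATION = "org.jcp.xml.dsig.secureValidation";

    // Validates the first ds:Signature in signedXml against signerKey with secure
    // validation switched on explicitly. Returns true only if the SignatureValue
    // and every Reference digest verify. (signedXml and signerKey are assumed inputs.)
    public static boolean validate(File signedXml, PublicKey signerKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // required: ds:Signature is namespace-qualified
        Document doc = dbf.newDocumentBuilder().parse(signedXml);
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) {
            throw new IllegalArgumentException("no ds:Signature element found");
        }
        DOMValidateContext vc = new DOMValidateContext(
                KeySelector.singletonKeySelector(signerKey), nl.item(0));
        vc.setBaseURI(signedXml.getParentFile().toURI().toString());
        vc.setProperty(SECURE_VALIDATION, Boolean.TRUE);
        // The context must report the value just set; the report above shows that
        // getProperty() does return it, the defect is that processing ignored it.
        if (!Boolean.TRUE.equals(vc.getProperty(SECURE_VALIDATION))) {
            throw new IllegalStateException("secure validation flag not retained");
        }
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vc);
        boolean coreValid = sig.validate(vc);
        if (!coreValid) {
            // Narrow down the failure: a bad SignatureValue or a Reference whose
            // digest no longer matches the content it points to.
            System.err.println("SignatureValue valid: " + sig.getSignatureValue().validate(vc));
            for (Object o : sig.getSignedInfo().getReferences()) {   // raw List on JDK 8
                Reference ref = (Reference) o;
                System.err.println("Reference " + ref.getURI() + " valid: " + ref.validate(vc));
            }
        }
        return coreValid;
    }
}
```

        A true result means core validation passed; an application should still confirm that the Reference URIs cover the elements it is about to act on.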

        1. signature-wrapping.xml (2 kB, Bhanu Prakash Gopularam)
        2. TestSecure.java (4 kB, Bhanu Prakash Gopularam)

    Activity

    akosarev Artem Kosarev (Inactive) added a comment - edited
    The changes you refer to were fixed in JDK 9 in JDK-8046044.
    But in JDK 9 generification of the javax.xml.crypto API took place: JDK-8046949.
    We need to check if the mentioned changes are applicable to JDK 8.

    mullan Sean Mullan added a comment -
    Only the patch to DOMURIDereferencer from JDK-8046949 should be backported: http://hg.openjdk.java.net/jdk9/jdk9/jdk/diff/7d6154df328c/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMURIDereferencer.java

    hgupdate HG Updates added a comment -
    URL: http://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/rev/84ed5919d06f
    User: coffeys
    Date: 2016-02-11 12:53:22 +0000

    hgupdate HG Updates added a comment -
    URL: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/84ed5919d06f
    User: robm
    Date: 2016-02-12 22:41:47 +0000

    People

    • Assignee: bgopularam Bhanu Prakash Gopularam
    • Reporter: bgopularam Bhanu Prakash Gopularam
    • Votes: 0
    • Watchers: 4