Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8149029

Secure validation of XML based digital signature always enabled when checking wrapping attacks

          Details

          • Subcomponent:
          • Introduced In Build:
            b100
          • Introduced In Version:
            8
          • Resolved In Build:
            b01

            Backports

              Description

              One should be able to enable or disable the XML secure validation of digital signature using the DOMValidateContext property "org.jcp.xml.dsig.secureValidation" . In 8u, even when property value is Boolean.FALSE or unset the validation is triggered.

              Below code sets the org.jcp.xml.dsig.secureValidation to false

              DOMValidateContext vc = new DOMValidateContext(keyValueKS, element);
              vc.setBaseURI(base.toURI().toString());
              vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);

              Immediate call to vc.getProperty() gives correct value but the value is not being considered while XML processing.

                Attachments

                  Issue Links

                  backported by

                  Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8156312 Secure validation of XML based digital signature always enabled when checking wrapping attacks

                  • P3 - Major loss of function.
                  • Resolved

                  Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8162150 Secure validation of XML based digital signature always enabled when checking wrapping attacks

                  • P3 - Major loss of function.
                  • Resolved

                  Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8175441 Secure validation of XML based digital signature always enabled when checking wrapping attacks

                  • P3 - Major loss of function.
                  • Resolved
                  relates to

                  Sub-task - The sub-task of the issue JDK-8046044 Fix raw and unchecked lint warnings in XML Signature Impl

                  • P4 - Minor loss of function, or other problem where easy workaround is present.
                  • Resolved

                  Enhancement - null JDK-8011547 Update XML Signature implementation to Apache Santuario 1.5.4

                  • P3 - Major loss of function.
                  • Closed

                    Activity

                      People

                      • Assignee:
                        bgopularam Bhanu Prakash Gopularam
                        Reporter:
                        bgopularam Bhanu Prakash Gopularam
                      • Votes:
                        0 Vote for this issue
                        Watchers:
                        4 Start watching this issue

                        Dates

                        • Created:
                          Updated:
                          Resolved: