[JDK-8149029] Secure validation of XML based digital signature always enabled when checking wrapping attacks - Java Bug System

Details

Type: Bug
Status: Resolved
Priority: P3
Resolution: Fixed
Affects Version/s: 8
Fix Version/s: 8u102
Component/s: security-libs
Labels:

Subcomponent:
javax.xml.crypto
Introduced In Build:
b100
Introduced In Version:

8
Resolved In Build:
b01

Backports

Issue	Fix Version	Assignee	Priority	Status	Resolution	Resolved In Build
JDK-8156312	8u111	Bhanu Prakash Gopularam	P3	Resolved	Fixed	b01
JDK-8162150	emb-8u111	Bhanu Prakash Gopularam	P3	Resolved	Fixed	b01
JDK-8175441	openjdk7u	Bhanu Prakash Gopularam	P3	Resolved	Fixed	master

Description

One should be able to enable or disable the XML secure validation of digital signature using the DOMValidateContext property "org.jcp.xml.dsig.secureValidation" . In 8u, even when property value is Boolean.FALSE or unset the validation is triggered.

Below code sets the org.jcp.xml.dsig.secureValidation to false

DOMValidateContext vc = new DOMValidateContext(keyValueKS, element);
vc.setBaseURI(base.toURI().toString());
vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);

Immediate call to vc.getProperty() gives correct value but the value is not being considered while XML processing.

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

signature-wrapping.xml

2016-02-04 05:47

2 kB

Bhanu Prakash Gopularam
TestSecure.java

2016-02-04 05:47

4 kB

Bhanu Prakash Gopularam

Issue Links

relates to

JDK-8046044 Fix raw and unchecked lint warnings in XML Signature Impl

JDK-8011547 Update XML Signature implementation to Apache Santuario 1.5.4

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Artem Kosarev (Inactive) added a comment - 2016-02-04 09:28 - edited

The changes you refer to were fixed in JDK 9 in ~~JDK-8046044~~.
But in JDK 9 Generification of the javax.xml.crypto API took place: ~~JDK-8046949~~.
We need to check if mentioned changes are applicable for JDK 8.

Show

Artem Kosarev (Inactive) added a comment - 2016-02-04 09:28 - edited The changes you refer to were fixed in JDK 9 in JDK-8046044 . But in JDK 9 Generification of the javax.xml.crypto API took place: JDK-8046949 . We need to check if mentioned changes are applicable for JDK 8.

Hide

Permalink

Sean Mullan added a comment - 2016-02-04 10:24

Only the patch to DOMURIDereferencer from ~~JDK-8046949~~ should be backported:

http://hg.openjdk.java.net/jdk9/jdk9/jdk/diff/7d6154df328c/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMURIDereferencer.java

Show

Sean Mullan added a comment - 2016-02-04 10:24 Only the patch to DOMURIDereferencer from JDK-8046949 should be backported: http://hg.openjdk.java.net/jdk9/jdk9/jdk/diff/7d6154df328c/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMURIDereferencer.java

Hide

Permalink

HG Updates added a comment - 2016-02-11 04:54

URL: http://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/rev/84ed5919d06f
User: coffeys
Date: 2016-02-11 12:53:22 +0000

Show

HG Updates added a comment - 2016-02-11 04:54 URL: http://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/rev/84ed5919d06f User: coffeys Date: 2016-02-11 12:53:22 +0000

Hide

Permalink

HG Updates added a comment - 2016-02-12 14:45

URL: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/84ed5919d06f
User: robm
Date: 2016-02-12 22:41:47 +0000

Show

HG Updates added a comment - 2016-02-12 14:45 URL: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/84ed5919d06f User: robm Date: 2016-02-12 22:41:47 +0000

People

Assignee:

Bhanu Prakash Gopularam

Reporter:

Bhanu Prakash Gopularam

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Created:

2016-02-04 05:38

Updated:

2017-02-22 10:50

Resolved:

2016-02-11 04:54

Agile

View on Board