Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8149029

Secure validation of XML based digital signature always enabled when checking wrapping attacks

    XMLWordPrintable

    Details

    • Subcomponent:
    • Introduced In Build:
      b100
    • Introduced In Version:
      8
    • Resolved In Build:
      b01

      Backports

        Description

        One should be able to enable or disable the XML secure validation of digital signature using the DOMValidateContext property "org.jcp.xml.dsig.secureValidation" . In 8u, even when property value is Boolean.FALSE or unset the validation is triggered.

        Below code sets the org.jcp.xml.dsig.secureValidation to false

        DOMValidateContext vc = new DOMValidateContext(keyValueKS, element);
        vc.setBaseURI(base.toURI().toString());
        vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);

        Immediate call to vc.getProperty() gives correct value but the value is not being considered while XML processing.

          Attachments

            Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8156312 Secure validation of XML based digital signature always enabled when checking wrapping attacks

            • P3 - Major loss of function.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8162150 Secure validation of XML based digital signature always enabled when checking wrapping attacks

            • P3 - Major loss of function.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8175441 Secure validation of XML based digital signature always enabled when checking wrapping attacks

            • P3 - Major loss of function.
            • Resolved
            relates to

            Sub-task - The sub-task of the issue JDK-8046044 Fix raw and unchecked lint warnings in XML Signature Impl

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Enhancement - null JDK-8011547 Update XML Signature implementation to Apache Santuario 1.5.4

            • P3 - Major loss of function.
            • Closed

              Activity

                People

                Assignee:
                bgopularam Bhanu Prakash Gopularam (Inactive)
                Reporter:
                bgopularam Bhanu Prakash Gopularam (Inactive)
                Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: