JDK-8203460

Update xmldsig implementation to Apache Santuario 2.1.1


    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 11
    • Component/s: security-libs
    • Labels: None
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Compatibility Risk Description: None.
    • Interface Kind: Java API
    • Scope: SE

      Description

      Summary

      The current XMLDSig implementation in OpenJDK was integrated in 2013 and is based on Apache Santuario 1.5.4. We will update it to version 2.1.1, which was released in January 2018.

      Problem

      Apache Santuario has introduced new algorithms since 1.5.4, based on SHA-224, RSASSA-PSS, and SHA-3. The OpenJDK implementation should be updated to match the current release.

      Solution

      Update the java.xml.crypto module to use code from Apache Santuario release 2.1.1 and re-apply the necessary OpenJDK patches. Most of those patches were not integrated into the upstream Apache Santuario repository because they are JDK 9-only (Apache Santuario still supports JDK 8).

      Specification

      Add the following constants to DigestMethod.java and SignatureMethod.java. All of these algorithm URIs are defined in RFC 6931.

      In src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/DigestMethod.java, add

      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#sha224">
       * SHA224</a> digest method algorithm URI.
       */
      String SHA224 = "http://www.w3.org/2001/04/xmldsig-more#sha224";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#sha384">
       * SHA384</a> digest method algorithm URI.
       */
      String SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384";
      
      /**
       * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha3-224">
       * SHA3-224</a> digest method algorithm URI.
       */
      String SHA3_224 = "http://www.w3.org/2007/05/xmldsig-more#sha3-224";
      
      /**
       * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha3-256">
       * SHA3-256</a> digest method algorithm URI.
       */
      String SHA3_256 = "http://www.w3.org/2007/05/xmldsig-more#sha3-256";
      
      /**
       * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha3-384">
       * SHA3-384</a> digest method algorithm URI.
       */
      String SHA3_384 = "http://www.w3.org/2007/05/xmldsig-more#sha3-384";
      
      /**
       * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha3-512">
       * SHA3-512</a> digest method algorithm URI.
       */
      String SHA3_512 = "http://www.w3.org/2007/05/xmldsig-more#sha3-512";

      In src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/SignatureMethod.java, add

      /**
       * The <a href="http://www.w3.org/2009/xmldsig11#dsa-sha256">DSA-SHA256</a>
       * (DSS) signature method algorithm URI.
       */
      String DSA_SHA256 = "http://www.w3.org/2009/xmldsig11#dsa-sha256";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224">
       * RSA-SHA224</a> (PKCS #1) signature method algorithm URI.
       */
      String RSA_SHA224 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">
       * RSA-SHA256</a> (PKCS #1) signature method algorithm URI.
       */
      String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384">
       * RSA-SHA384</a> (PKCS #1) signature method algorithm URI.
       */
      String RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512">
       * RSA-SHA512</a> (PKCS #1) signature method algorithm URI.
       */
      String RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
      
      /**
       * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1">
       * SHA1-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
       */
      String SHA1_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1";
      
      /**
       * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1">
       * SHA224-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
       */
      String SHA224_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1";
      
      /**
       * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1">
       * SHA256-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
       */
      String SHA256_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";
      
      /**
       * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1">
       * SHA384-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
       */
      String SHA384_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1";
      
      /**
       * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1">
       * SHA512-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
       */
      String SHA512_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1">
       * ECDSA-SHA1</a> (FIPS 180-4) signature method algorithm URI.
       */
      String ECDSA_SHA1 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224">
       * ECDSA-SHA224</a> (FIPS 180-4) signature method algorithm URI.
       */
      String ECDSA_SHA224 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256">
       * ECDSA-SHA256</a> (FIPS 180-4) signature method algorithm URI.
       */
      String ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384">
       * ECDSA-SHA384</a> (FIPS 180-4) signature method algorithm URI.
       */
      String ECDSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512">
       * ECDSA-SHA512</a> (FIPS 180-4) signature method algorithm URI.
       */
      String ECDSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#hmac-sha224">
       * HMAC-SHA224</a> MAC signature method algorithm URI.
       */
      String HMAC_SHA224 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha224";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256">
       * HMAC-SHA256</a> MAC signature method algorithm URI.
       */
      String HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384">
       * HMAC-SHA384</a> MAC signature method algorithm URI.
       */
      String HMAC_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha384";
      
      /**
       * The <a href="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512">
       * HMAC-SHA512</a> MAC signature method algorithm URI.
       */
      String HMAC_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512";
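
      A worked example, added here and not part of the CSR or of the JDK or Santuario code, showing the new constants in use on JDK 11 or later: it signs a constructed sample document with an enveloped ECDSA-SHA256 signature over a SHA-256 digest, then validates it against an allow-list of the new algorithm URIs, and finally shows validation failing after the signed content is modified. The class name, the sample XML, and the allow-list contents are this example's own choices. The same code signs with RSASSA-PSS by swapping SignatureMethod.SHA256_RSA_MGF1 for SignatureMethod.ECDSA_SHA256 and an RSA key pair for the EC one, and uses a SHA-3 digest by swapping DigestMethod.SHA3_256 for DigestMethod.SHA256.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Collections;
import java.util.Set;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Example class (not from the JDK); requires JDK 11+ for the new URI constants.
public class XmlDsigAlgorithmExample {
    // Constructed sample input, not taken from the CSR.
    private static final String SAMPLE_XML =
        "<order id=\"42\"><item>widget</item><qty>1</qty></order>";

    // Allow-lists chosen for this example: only these URIs are accepted on validation.
    private static final Set<String> ALLOWED_SIGNATURE_METHODS =
        Set.of(SignatureMethod.ECDSA_SHA256, SignatureMethod.SHA256_RSA_MGF1);
    private static final Set<String> ALLOWED_DIGEST_METHODS =
        Set.of(DigestMethod.SHA256, DigestMethod.SHA3_256);

    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // No DTD means no external entities and no entity expansion attacks.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Appends an enveloped ds:Signature over the whole document to the root element.
    public static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.ECDSA_SHA256, null),
            Collections.singletonList(ref));
        // No KeyInfo on purpose: the verifier must supply the trusted key itself.
        XMLSignature sig = fac.newXMLSignature(si, null);
        sig.sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    // Validates against a key the application trusts, never one carried in the document.
    public static boolean verify(Document doc, PublicKey trustedKey) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) {
            return false; // exactly one Signature element is expected
        }
        DOMValidateContext ctx = new DOMValidateContext(
            KeySelector.singletonKeySelector(trustedKey), nl.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        // SignedInfo is attacker-controlled input: check the algorithm URIs before any crypto.
        SignedInfo si = sig.getSignedInfo();
        if (!ALLOWED_SIGNATURE_METHODS.contains(si.getSignatureMethod().getAlgorithm())) {
            return false;
        }
        for (Reference r : si.getReferences()) {
            if (!ALLOWED_DIGEST_METHODS.contains(r.getDigestMethod().getAlgorithm())) {
                return false;
            }
            // An enveloped signature must cover the whole document, not an Id-selected subtree.
            if (!"".equals(r.getURI())) {
                return false;
            }
        }
        return sig.validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();

        Document doc = parse(SAMPLE_XML);
        sign(doc, kp);
        System.out.println("valid: " + verify(doc, kp.getPublic()));

        // Modify signed content: the SHA-256 reference digest no longer matches.
        ((Element) doc.getElementsByTagName("qty").item(0)).setTextContent("1000");
        System.out.println("after tampering: " + verify(doc, kp.getPublic()));
    }
}
```

      The algorithm check runs before any cryptography because whoever controls the document also controls its SignedInfo, so an unrestricted verifier can be steered to a weaker algorithm than the application intended; the HMAC_* constants in particular should only be accepted where the verifier genuinely expects a shared secret. The trusted key comes from the application rather than from KeyInfo, and org.jcp.xml.dsig.secureValidation turns on the implementation's own restrictions, whose contents are controlled by the jdk.xml.dsig.secureValidationPolicy security property in java.security.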

              People

              Assignee: Weijun Wang (weijun)
              Reporter: Sean Mullan (mullan)
              Reviewed By: Sean Mullan