8259801: Enable XML Signature secure validation mode by default

Reviewed-by: weijun, rhalade
Sean Mullan 2021-01-28 14:28:27 +00:00
parent 20e7df506f
commit baf46bac41
3 changed files with 52 additions and 43 deletions


@ -925,10 +925,11 @@ jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37
crypto.policy=crypto.policydir-tbd
#
# The policy for the XML Signature secure validation mode. The mode is
# enabled by setting the property "org.jcp.xml.dsig.secureValidation" to
# true with the javax.xml.crypto.XMLCryptoContext.setProperty() method,
# or by running the code with a SecurityManager.
# The policy for the XML Signature secure validation mode. Validation of
# XML Signatures that violate any of these constraints will fail. The
# mode is enforced by default. The mode can be disabled by setting the
# property "org.jcp.xml.dsig.secureValidation" to Boolean.FALSE with the
# javax.xml.crypto.XMLCryptoContext.setProperty() method.
#
# Policy:
# Constraint {"," Constraint }
@ -955,8 +956,8 @@ crypto.policy=crypto.policydir-tbd
# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is
# specified more than once, only the last entry is enforced.
#
# Note: This property is currently used by the JDK Reference implementation. It
# is not guaranteed to be examined and used by other implementations.
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
jdk.xml.dsig.secureValidationPolicy=\
disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\


@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -51,6 +51,14 @@ import org.w3c.dom.Node;
* (for example, you should not use the same <code>DOMValidateContext</code>
* instance to validate two different {@link XMLSignature} objects).
*
* @implNote
* By default, the JDK implementation enables a secure validation mode by
* setting the <code>org.jcp.xml.dsig.secureValidation</code> property to
* <code>Boolean.TRUE</code> (see the {@link #setProperty setProperty}
* method). When enabled, validation of XML signatures are subject to
* stricter checking of algorithms and other constraints as specified by the
* <code>jdk.xml.dsig.secureValidationPolicy</code> security property.
*
* @author Sean Mullan
* @author JSR 105 Expert Group
* @since 1.6
@ -103,10 +111,7 @@ public class DOMValidateContext extends DOMCryptoContext
this.node = node;
super.setKeySelector(ks);
if (System.getSecurityManager() != null) {
super.setProperty("org.jcp.xml.dsig.secureValidation",
Boolean.TRUE);
}
super.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
}
/**
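Review bot: The new `@implNote` reads "validation of XML signatures are subject to"; the verb has to agree with "validation", so it should be `validation of XML signatures is subject to stricter checking`. The note says the mode is on by default but not how a caller turns it off or what that gives up; I would add a sentence such as `Setting the property to Boolean.FALSE disables these checks and should be reserved for signatures from trusted sources.` The method that now calls `super.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE)` unconditionally starts outside the hunk, so it is worth confirming that every constructor goes through it.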


@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -603,21 +603,21 @@ public class GenerationTests {
static void test_create_signature_enveloping_b64_dsa() throws Exception {
System.out.println("* Generating signature-enveloping-b64-dsa.xml");
test_create_signature_enveloping
(sha1, dsaSha1, dsa1024, signingKey, kvks, true);
(sha1, dsaSha1, dsa1024, signingKey, kvks, true, true);
System.out.println();
}
static void test_create_signature_enveloping_dsa() throws Exception {
System.out.println("* Generating signature-enveloping-dsa.xml");
test_create_signature_enveloping
(sha1, dsaSha1, dsa1024, signingKey, kvks, false);
(sha1, dsaSha1, dsa1024, signingKey, kvks, false, true);
System.out.println();
}
static void test_create_signature_enveloping_sha256_dsa() throws Exception {
System.out.println("* Generating signature-enveloping-sha256-dsa.xml");
test_create_signature_enveloping
(sha256, dsaSha1, dsa1024, signingKey, kvks, false);
(sha256, dsaSha1, dsa1024, signingKey, kvks, false, true);
System.out.println();
}
@ -626,7 +626,7 @@ public class GenerationTests {
System.out.println("* Generating signature-enveloping-hmac-sha1-40.xml");
try {
test_create_signature_enveloping(sha1, hmacSha1, null,
getSecretKey("secret".getBytes("ASCII")), sks, false);
getSecretKey("secret".getBytes("ASCII")), sks, false, true);
} catch (Exception e) {
if (!(e instanceof XMLSignatureException)) {
throw e;
@ -639,7 +639,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-hmac-sha256.xml");
test_create_signature_enveloping(sha1, hmacSha256, null,
getSecretKey("secret".getBytes("ASCII")), sks, false);
getSecretKey("secret".getBytes("ASCII")), sks, false, true);
System.out.println();
}
@ -647,7 +647,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-hmac-sha224.xml");
test_create_signature_enveloping(sha1, hmacSha224, null,
getSecretKey("secret".getBytes("ASCII")), sks, false);
getSecretKey("secret".getBytes("ASCII")), sks, false, true);
System.out.println();
}
@ -655,7 +655,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-hmac-sha384.xml");
test_create_signature_enveloping(sha1, hmacSha384, null,
getSecretKey("secret".getBytes("ASCII")), sks, false);
getSecretKey("secret".getBytes("ASCII")), sks, false, true);
System.out.println();
}
@ -663,14 +663,14 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-hmac-sha512.xml");
test_create_signature_enveloping(sha1, hmacSha512, null,
getSecretKey("secret".getBytes("ASCII")), sks, false);
getSecretKey("secret".getBytes("ASCII")), sks, false, true);
System.out.println();
}
static void test_create_signature_enveloping_rsa() throws Exception {
System.out.println("* Generating signature-enveloping-rsa.xml");
test_create_signature_enveloping(sha1, rsaSha1, rsa,
getPrivateKey("RSA", 512), kvks, false);
getPrivateKey("RSA", 512), kvks, false, false);
System.out.println();
}
@ -678,7 +678,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha384-rsa_sha256.xml");
test_create_signature_enveloping(sha384, rsaSha256, rsa,
getPrivateKey("RSA", 512), kvks, false);
getPrivateKey("RSA", 512), kvks, false, false);
System.out.println();
}
@ -686,7 +686,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha224-rsa_sha256.xml");
test_create_signature_enveloping(sha224, rsaSha256, rsa,
getPrivateKey("RSA", 512), kvks, false);
getPrivateKey("RSA", 512), kvks, false, false);
System.out.println();
}
@ -694,7 +694,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha3_224-rsa_sha256.xml");
test_create_signature_enveloping(sha3_224, rsaSha256, rsa,
getPrivateKey("RSA", 512), kvks, false);
getPrivateKey("RSA", 512), kvks, false, false);
System.out.println();
}
@ -702,7 +702,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha3_256-rsa_sha256.xml");
test_create_signature_enveloping(sha3_256, rsaSha256, rsa,
getPrivateKey("RSA", 512), kvks, false);
getPrivateKey("RSA", 512), kvks, false, false);
System.out.println();
}
@ -710,7 +710,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha3_384-rsa_sha256.xml");
test_create_signature_enveloping(sha3_384, rsaSha256, rsa,
getPrivateKey("RSA", 512), kvks, false);
getPrivateKey("RSA", 512), kvks, false, false);
System.out.println();
}
@ -718,7 +718,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha3_512-rsa_sha256.xml");
test_create_signature_enveloping(sha3_512, rsaSha256, rsa,
getPrivateKey("RSA", 512), kvks, false);
getPrivateKey("RSA", 512), kvks, false, false);
System.out.println();
}
@ -726,7 +726,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha512-rsa_sha384.xml");
test_create_signature_enveloping(sha512, rsaSha384, rsa1024,
getPrivateKey("RSA", 1024), kvks, false);
getPrivateKey("RSA", 1024), kvks, false, true);
System.out.println();
}
@ -734,7 +734,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha512-rsa_sha224.xml");
test_create_signature_enveloping(sha512, rsaSha224, rsa1024,
getPrivateKey("RSA", 1024), kvks, false);
getPrivateKey("RSA", 1024), kvks, false, true);
System.out.println();
}
@ -742,7 +742,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha512-rsa_sha512.xml");
test_create_signature_enveloping(sha512, rsaSha512, rsa1024,
getPrivateKey("RSA", 1024), kvks, false);
getPrivateKey("RSA", 1024), kvks, false, true);
System.out.println();
}
@ -750,7 +750,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha512-rsa_sha1_mgf1.xml");
test_create_signature_enveloping(sha512, rsaSha1mgf1, rsa1024,
getPrivateKey("RSA", 1024), kvks, false);
getPrivateKey("RSA", 1024), kvks, false, true);
System.out.println();
}
@ -758,7 +758,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha512-rsa_sha224_mgf1.xml");
test_create_signature_enveloping(sha512, rsaSha224mgf1, rsa1024,
getPrivateKey("RSA", 1024), kvks, false);
getPrivateKey("RSA", 1024), kvks, false, true);
System.out.println();
}
@ -766,7 +766,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha512-rsa_sha256_mgf1.xml");
test_create_signature_enveloping(sha512, rsaSha256mgf1, rsa1024,
getPrivateKey("RSA", 1024), kvks, false);
getPrivateKey("RSA", 1024), kvks, false, true);
System.out.println();
}
@ -774,7 +774,7 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha512-rsa_sha384_mgf1.xml");
test_create_signature_enveloping(sha512, rsaSha384mgf1, rsa1024,
getPrivateKey("RSA", 1024), kvks, false);
getPrivateKey("RSA", 1024), kvks, false, true);
System.out.println();
}
@ -782,56 +782,56 @@ public class GenerationTests {
throws Exception {
System.out.println("* Generating signature-enveloping-sha512-rsa_sha512_mgf1.xml");
test_create_signature_enveloping(sha512, rsaSha512mgf1, rsa2048,
getPrivateKey("RSA", 2048), kvks, false);
getPrivateKey("RSA", 2048), kvks, false, true);
System.out.println();
}
static void test_create_signature_enveloping_p256_sha1() throws Exception {
System.out.println("* Generating signature-enveloping-p256-sha1.xml");
test_create_signature_enveloping(sha1, ecdsaSha1, p256ki,
getECPrivateKey("P256"), kvks, false);
getECPrivateKey("P256"), kvks, false, true);
System.out.println();
}
static void test_create_signature_enveloping_p256_sha224() throws Exception {
System.out.println("* Generating signature-enveloping-p256-sha224.xml");
test_create_signature_enveloping(sha1, ecdsaSha224, p256ki,
getECPrivateKey("P256"), kvks, false);
getECPrivateKey("P256"), kvks, false, true);
System.out.println();
}
static void test_create_signature_enveloping_p256_sha256() throws Exception {
System.out.println("* Generating signature-enveloping-p256-sha256.xml");
test_create_signature_enveloping(sha1, ecdsaSha256, p256ki,
getECPrivateKey("P256"), kvks, false);
getECPrivateKey("P256"), kvks, false, true);
System.out.println();
}
static void test_create_signature_enveloping_p256_sha384() throws Exception {
System.out.println("* Generating signature-enveloping-p256-sha384.xml");
test_create_signature_enveloping(sha1, ecdsaSha384, p256ki,
getECPrivateKey("P256"), kvks, false);
getECPrivateKey("P256"), kvks, false, true);
System.out.println();
}
static void test_create_signature_enveloping_p256_sha512() throws Exception {
System.out.println("* Generating signature-enveloping-p256-sha512.xml");
test_create_signature_enveloping(sha1, ecdsaSha512, p256ki,
getECPrivateKey("P256"), kvks, false);
getECPrivateKey("P256"), kvks, false, true);
System.out.println();
}
static void test_create_signature_enveloping_p384_sha1() throws Exception {
System.out.println("* Generating signature-enveloping-p384-sha1.xml");
test_create_signature_enveloping(sha1, ecdsaSha1, p384ki,
getECPrivateKey("P384"), kvks, false);
getECPrivateKey("P384"), kvks, false, true);
System.out.println();
}
static void test_create_signature_enveloping_p521_sha1() throws Exception {
System.out.println("* Generating signature-enveloping-p521-sha1.xml");
test_create_signature_enveloping(sha1, ecdsaSha1, p521ki,
getECPrivateKey("P521"), kvks, false);
getECPrivateKey("P521"), kvks, false, true);
System.out.println();
}
@ -963,6 +963,7 @@ public class GenerationTests {
DOMValidateContext dvc = new DOMValidateContext
(kvks, doc.getDocumentElement());
dvc.setProperty("org.jcp.xml.dsig.secureValidation", false);
XMLSignature sig2 = fac.unmarshalXMLSignature(dvc);
if (sig.equals(sig2) == false) {
@ -1010,6 +1011,7 @@ public class GenerationTests {
DOMValidateContext dvc = new DOMValidateContext
(kvks, doc.getDocumentElement());
dvc.setProperty("org.jcp.xml.dsig.secureValidation", false);
dvc.setIdAttributeNS(nc, null, "Id");
XMLSignature sig2 = fac.unmarshalXMLSignature(dvc);
@ -1451,7 +1453,7 @@ public class GenerationTests {
private static void test_create_signature_enveloping
(DigestMethod dm, SignatureMethod sm, KeyInfo ki, Key signingKey,
KeySelector ks, boolean b64) throws Exception {
KeySelector ks, boolean b64, boolean secVal) throws Exception {
// create reference
Reference ref;
@ -1486,6 +1488,7 @@ public class GenerationTests {
DOMValidateContext dvc = new DOMValidateContext
(ks, doc.getDocumentElement());
dvc.setProperty("org.jcp.xml.dsig.secureValidation", secVal);
XMLSignature sig2 = fac.unmarshalXMLSignature(dvc);
if (sig.equals(sig2) == false) {
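Review bot: Nothing in the visible hunks asserts that validation fails when the mode is left at its new default: the calls that sign with `getPrivateKey("RSA", 512)` now pass `secVal = false`, and two other validation paths set `org.jcp.xml.dsig.secureValidation` to `false` outright. As written, the tests would still pass if the default were silently reverted. In `test_create_signature_enveloping` I would add a negative check for the `secVal == false` cases, validating the same document with the property untouched and failing the test if it is accepted (presumably the 512-bit keys trip the KeySizeConstraint in `jdk.xml.dsig.secureValidationPolicy`); a sketch follows. Each opt-out also deserves a one-line comment saying which constraint the input violates; the method bodies around these lines start and end outside the hunks.

```java
// … unchanged: create reference, sign, marshal into doc …
if (!secVal) {
    // Same document, property left at its default: it must not validate.
    DOMValidateContext strict = new DOMValidateContext
        (ks, doc.getDocumentElement());
    boolean accepted;
    try {
        accepted = fac.unmarshalXMLSignature(strict).validate(strict);
    } catch (XMLSignatureException | MarshalException e) {
        accepted = false;
    }
    if (accepted) {
        throw new Exception
            ("secure validation did not reject this signature");
    }
}
// … unchanged: existing dvc validation with secVal …
```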