8259709: Disable SHA-1 XML Signatures

Reviewed-by: rhalade, weijun

src/java.base/share/conf/security/java.security

@@ -964,6 +964,11 @@ jdk.xml.dsig.secureValidationPolicy=\
     disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
     disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
     disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
+    disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\
+    disallowAlg http://www.w3.org/2000/09/xmldsig#dsa-sha1,\
+    disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\
+    disallowAlg http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1,\
+    disallowAlg http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,\
     maxTransforms 5,\
     maxReferences 30,\
     disallowReferenceUriSchemes file http https,\

test/jdk/javax/xml/crypto/dsig/GenerationTests.java

@@ -30,6 +30,7 @@
  *          java.base/sun.security.x509
  *          java.xml.crypto/org.jcp.xml.dsig.internal.dom
  *          jdk.httpserver/com.sun.net.httpserver
+ * @library /test/lib
  * @compile -XDignore.symbol.file KeySelectors.java SignatureValidator.java
  *     X509KeySelector.java GenerationTests.java
  * @run main/othervm/timeout=300 -Dsun.net.httpserver.nodelay=true GenerationTests
@@ -91,6 +92,8 @@ import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 import org.w3c.dom.*;
 
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test that recreates merlin-xmldsig-twenty-three test vectors (and more)
  * but with different keys and X.509 data.
@@ -284,6 +287,9 @@ public class GenerationTests {
     private static boolean result = true;
 
     public static void main(String args[]) throws Exception {
+        // Re-enable sha1 algs
+        SecurityUtils.removeAlgsFromDSigPolicy("sha1");
+
         setup();
         test_create_signature_enveloped_dsa(1024);
         test_create_signature_enveloped_dsa(2048);

test/jdk/javax/xml/crypto/dsig/SecureValidationPolicy.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /**
  * @test
- * @bug 8151893
+ * @bug 8151893 8259709
  * @summary Tests for the jdk.xml.dsig.secureValidationPolicy security property
  * @modules java.xml.crypto/org.jcp.xml.dsig.internal.dom
  */
@@ -42,7 +42,12 @@ public class SecureValidationPolicy {
             "http://www.w3.org/TR/1999/REC-xslt-19991116",
             "http://www.w3.org/2001/04/xmldsig-more#rsa-md5",
             "http://www.w3.org/2001/04/xmldsig-more#hmac-md5",
-            "http://www.w3.org/2001/04/xmldsig-more#md5");
+            "http://www.w3.org/2001/04/xmldsig-more#md5",
+            "http://www.w3.org/2000/09/xmldsig#sha1",
+            "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
+            "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+            "http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1",
+            "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1");
 
         // Test expected defaults
         System.out.println("Testing defaults");

test/jdk/javax/xml/crypto/dsig/ValidationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,6 +28,7 @@
  * @modules java.base/sun.security.util
  *          java.base/sun.security.x509
  *          java.xml.crypto/org.jcp.xml.dsig.internal.dom
+ * @library /test/lib
  * @compile -XDignore.symbol.file KeySelectors.java SignatureValidator.java
  *     X509KeySelector.java ValidationTests.java
  * @run main/othervm ValidationTests
@@ -47,6 +48,8 @@ import javax.xml.crypto.XMLCryptoContext;
 import javax.xml.crypto.dsig.XMLSignatureException;
 import javax.xml.crypto.dsig.XMLSignatureFactory;
 
+import jdk.test.lib.security.SecurityUtils;
+
 public class ValidationTests {
 
     private static SignatureValidator validator;
@@ -138,6 +141,9 @@ public class ValidationTests {
     };
 
     public static void main(String args[]) throws Exception {
+        // Re-enable sha1 algs
+        SecurityUtils.removeAlgsFromDSigPolicy("sha1");
+
         httpUd = new HttpURIDereferencer();
 
         validator = new SignatureValidator(new File(DATA_DIR));

test/lib/jdk/test/lib/security/SecurityUtils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -70,5 +70,32 @@ public final class SecurityUtils {
         Security.setProperty(prop, value);
     }
 
+    /**
+     * Removes the specified algorithms from the
+     * jdk.xml.dsig.secureValidationPolicy security property. Matches any
+     * part of the algorithm URI.
+     */
+    public static void removeAlgsFromDSigPolicy(String... algs) {
+        removeFromDSigPolicy("disallowAlg", List.<String>of(algs));
+    }
+
+    private static void removeFromDSigPolicy(String rule, List<String> algs) {
+        String value = Security.getProperty("jdk.xml.dsig.secureValidationPolicy");
+        value = Arrays.stream(value.split(","))
+                      .filter(v -> !v.contains(rule) ||
+                              !anyMatch(v, algs))
+                      .collect(Collectors.joining(","));
+        Security.setProperty("jdk.xml.dsig.secureValidationPolicy", value);
+    }
+
+    private static boolean anyMatch(String value, List<String> algs) {
+        for (String alg : algs) {
+           if (value.contains(alg)) {
+               return true;
+           }
+        }
+        return false;
+    }
+
     private SecurityUtils() {}
 }