archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-09-19 02:24:40 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8259709: Disable SHA-1 XML Signatures

Browse source 
Reviewed-by: rhalade, weijun
This commit is contained in:
Sean Mullan 2021-03-04 17:21:37 +00:00
parent ef5e13d263
commit a6427c85ee
5 changed files with 54 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/java.base/share/conf/security/java.security
View file

@ -964,6 +964,11 @@ jdk.xml.dsig.secureValidationPolicy=\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\
disallowAlg http://www.w3.org/2000/09/xmldsig#dsa-sha1,\
disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\
disallowAlg http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,\
maxTransforms 5,\
maxReferences 30,\
disallowReferenceUriSchemes file http https,\

6
test/jdk/javax/xml/crypto/dsig/GenerationTests.java
View file

@ -30,6 +30,7 @@
* java.base/sun.security.x509
* java.xml.crypto/org.jcp.xml.dsig.internal.dom
* jdk.httpserver/com.sun.net.httpserver
* @library /test/lib
* @compile -XDignore.symbol.file KeySelectors.java SignatureValidator.java
* X509KeySelector.java GenerationTests.java
* @run main/othervm/timeout=300 -Dsun.net.httpserver.nodelay=true GenerationTests
@ -91,6 +92,8 @@ import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
import jdk.test.lib.security.SecurityUtils;
/**
* Test that recreates merlin-xmldsig-twenty-three test vectors (and more)
* but with different keys and X.509 data.
@ -284,6 +287,9 @@ public class GenerationTests {
private static boolean result = true;
public static void main(String args[]) throws Exception {
// Re-enable sha1 algs
SecurityUtils.removeAlgsFromDSigPolicy("sha1");
setup();
test_create_signature_enveloped_dsa(1024);
test_create_signature_enveloped_dsa(2048);

11
test/jdk/javax/xml/crypto/dsig/SecureValidationPolicy.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -23,7 +23,7 @@
/**
* @test
* @bug 8151893
* @bug 8151893 8259709
* @summary Tests for the jdk.xml.dsig.secureValidationPolicy security property
* @modules java.xml.crypto/org.jcp.xml.dsig.internal.dom
*/
@ -42,7 +42,12 @@ public class SecureValidationPolicy {
"http://www.w3.org/TR/1999/REC-xslt-19991116",
"http://www.w3.org/2001/04/xmldsig-more#rsa-md5",
"http://www.w3.org/2001/04/xmldsig-more#hmac-md5",
"http://www.w3.org/2001/04/xmldsig-more#md5");
"http://www.w3.org/2001/04/xmldsig-more#md5",
"http://www.w3.org/2000/09/xmldsig#sha1",
"http://www.w3.org/2000/09/xmldsig#dsa-sha1",
"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
"http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1",
"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1");
// Test expected defaults
System.out.println("Testing defaults");

8
test/jdk/javax/xml/crypto/dsig/ValidationTests.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -28,6 +28,7 @@
* @modules java.base/sun.security.util
* java.base/sun.security.x509
* java.xml.crypto/org.jcp.xml.dsig.internal.dom
* @library /test/lib
* @compile -XDignore.symbol.file KeySelectors.java SignatureValidator.java
* X509KeySelector.java ValidationTests.java
* @run main/othervm ValidationTests
@ -47,6 +48,8 @@ import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import jdk.test.lib.security.SecurityUtils;
public class ValidationTests {
private static SignatureValidator validator;
@ -138,6 +141,9 @@ public class ValidationTests {
};
public static void main(String args[]) throws Exception {
// Re-enable sha1 algs
SecurityUtils.removeAlgsFromDSigPolicy("sha1");
httpUd = new HttpURIDereferencer();
validator = new SignatureValidator(new File(DATA_DIR));

29
test/lib/jdk/test/lib/security/SecurityUtils.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -70,5 +70,32 @@ public final class SecurityUtils {
Security.setProperty(prop, value);
}
/**
* Removes the specified algorithms from the
* jdk.xml.dsig.secureValidationPolicy security property. Matches any
* part of the algorithm URI.
*/
public static void removeAlgsFromDSigPolicy(String... algs) {
removeFromDSigPolicy("disallowAlg", List.<String>of(algs));
}
private static void removeFromDSigPolicy(String rule, List<String> algs) {
String value = Security.getProperty("jdk.xml.dsig.secureValidationPolicy");
value = Arrays.stream(value.split(","))
.filter(v -> !v.contains(rule) ||
!anyMatch(v, algs))
.collect(Collectors.joining(","));
Security.setProperty("jdk.xml.dsig.secureValidationPolicy", value);
}
private static boolean anyMatch(String value, List<String> algs) {
for (String alg : algs) {
if (value.contains(alg)) {
return true;
}
}
return false;
}
private SecurityUtils() {}
}