JDK-8151897 : Document the XML Signature secure validation mode
  • Type: Enhancement
  • Component: docs
  • Sub-Component: guides
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2016-03-15
  • Updated: 2018-03-27
  • Resolved: 2016-12-02
  • Fix Version: JDK 9 (Fixed)
Description
The XML Signature secure validation mode was introduced in JDK 7u25 but is only documented in release notes and my blog: https://blogs.oracle.com/mullan/entry/how_to_use_the_xml

We should add a section to the XML Signature Programming Guide (http://docs.oracle.com/javase/8/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html) as to how to enable this mode.

You can use the content of my blog as the basis.

Additionally, we should document the new security property that will be introduced to allow users to configure these restrictions: see JDK-8151893 for more information.
Comments
The following fixes verified by Sean Mullan:

New section: XML Signature Secure Validation Mode

Secure validation mode for XML Signatures is a feature designed to protect you from XML Signatures that contain potentially hostile constructs that could cause denial-of-service or other types of security issues.

Secure validation mode is enabled by default when you run your application with the Security Manager. To run the application with the default security manager, use the -Djava.security.manager option in the command line:

    java -Djava.security.manager <application>

Secure validation mode can also be enabled by setting the org.jcp.xml.dsig.secureValidation property to TRUE. The property must be enabled before you validate the XML Signature. To set the property in an application, call the setProperty method of the javax.xml.crypto.dsig.dom.DOMValidateContext class:

    DOMValidateContext context = new DOMValidateContext(key, element);
    context.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

When secure validation mode is enabled, the XML signatures are processed more securely. It sets limits on various XML signature constructs to avoid conditions such as denial-of-service attacks. Specifically, it enforces the following restrictions:
  • Forbids use of the XSLT Transform
  • Restricts the number of SignedInfo or Manifest References to 30 or less
  • Restricts the number of Reference Transforms to 5 or less
  • Forbids the use of MD5 related signature or mac algorithms
  • Ensures that Reference Ids are unique to help prevent signature wrapping attacks
  • Forbids Reference URIs of type http or file
  • Does not allow a RetrievalMethod to reference another RetrievalMethod
  • Forbids RSA or DSA keys less than 1024 bits

Links added to Validate.java, GenEnveloped.java, enveloped.xml and signature.xml in the XML Digital Signature API Examples section.
02-12-2016
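The two calls quoted in the comment above, put into a complete validator as an added example (not code from the bug report, the programming guide or the JDK samples): it parses a signed document, turns on secure validation on the DOMValidateContext, and reports whether the signature passed, listing which Reference failed when it did not. The KeyValueKeySelector is a hypothetical helper that reads the verification key from the signature's own ds:KeyValue; the comments describe how the JDK provider rejects a forbidden construct once the property is set.

```java
import java.io.File;
import java.security.Key;
import java.security.KeyException;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SecureValidate {
    // Hypothetical selector: takes the public key from the ds:KeyValue in the signature's own
    // KeyInfo. Trust in that key must be established elsewhere (e.g. a pinned key); this is API demo.
    static final class KeyValueKeySelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                AlgorithmMethod method, XMLCryptoContext ctx) throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("signature has no KeyInfo");
            for (Object content : keyInfo.getContent()) {
                if (content instanceof KeyValue) {
                    try { final Key key = ((KeyValue) content).getPublicKey(); return () -> key; }
                    catch (KeyException e) { throw new KeySelectorException(e); }
                }
            }
            throw new KeySelectorException("KeyInfo carries no KeyValue");
        }
    }

    // Validates the first ds:Signature in the file with secure validation mode on. A forbidden construct
    // (XSLT Transform, MD5, more than 30 References, ...) is rejected with a MarshalException from
    // unmarshalXMLSignature or an XMLSignatureException from validate, instead of being processed.
    public static boolean validate(File signedXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // required: the API locates elements by namespace
        Document doc = dbf.newDocumentBuilder().parse(signedXml);
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) throw new IllegalArgumentException("no ds:Signature element");
        DOMValidateContext ctx = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // must precede unmarshalling
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean coreValid = sig.validate(ctx);
        if (!coreValid) {   // pinpoint the failure: the SignatureValue or an individual Reference
            System.err.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
            for (Object o : sig.getSignedInfo().getReferences())
                System.err.println("Reference " + ((Reference) o).getURI() + " valid: " + ((Reference) o).validate(ctx));
        }
        return coreValid;
    }

    public static void main(String[] args) throws Exception { System.out.println(validate(new File(args[0]))); }
}
```

Run it as `java SecureValidate signed.xml`; a document that trips one of the listed restrictions ends with the exception message rather than a true/false result.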

Upgrading to P3 and targeting to 9. The TCK team has requested that this be done for 9 so they have a normative reference for TCK test specs.
18-05-2016