JDK-8149029 : Secure validation of XML based digital signature always enabled when checking wrapping attacks
- Type: Bug
- Component: security-libs
- Sub-Component: javax.xml.crypto
- Affected Version: 8
- Priority: P3
- Status: Resolved
- Resolution: Fixed
- Submitted: 2016-02-04
- Updated: 2017-02-22
- Resolved: 2016-02-11
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 8 | Other |
|---|---|
8u102 b01Fixed  |
openjdk7uFixed |
Related Reports
|
Relates :
|
|
|
Relates :
|
Description
One should be able to enable or disable the XML secure validation of digital signature using the DOMValidateContext property "org.jcp.xml.dsig.secureValidation" . In 8u, even when property value is Boolean.FALSE or unset the validation is triggered.
Below code sets the org.jcp.xml.dsig.secureValidation to false
DOMValidateContext vc = new DOMValidateContext(keyValueKS, element);
vc.setBaseURI(base.toURI().toString());
vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);
Immediate call to vc.getProperty() gives correct value but the value is not being considered while XML processing.
Comments
|