JDK-8218629 : XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.xml.crypto
  • Affected Version: 8,11.0.2
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: linux
  • CPU: x86_64
  • Submitted: 2019-01-30
  • Updated: 2020-08-17
  • Resolved: 2019-03-05
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13 JDK 8 Other
11.0.4-oracleFixed 13 b11Fixed 8u231Fixed openjdk8u272Fixed
Related Reports
Relates :  
JDK-8235603 - 8u231 Transform of DOM to byte array adds ASCII carriage return to signed XML
Relates :  
JDK-8177334 - Update xmldsig implementation to Apache Santuario 2.1.1
Relates :  
JDK-8217878 - ENVELOPING XML signature no longer works
Description
ADDITIONAL SYSTEM INFORMATION :
Works Java 8:
java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)

Works Java 10:
java version "10.0.2" 2018-07-17
Java(TM) SE Runtime Environment 18.3 (build 10.0.2+13)
Java HotSpot(TM) 64-Bit Server VM 18.3 (build 10.0.2+13, mixed mode)

Broken on Java 11:
openjdk version "11.0.2" 2019-01-15
OpenJDK Runtime Environment 18.9 (build 11.0.2+9)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+9, mixed mode)

A DESCRIPTION OF THE PROBLEM :
My XML Digital Signature code runs fine under Java 8 (1.8.0_161), but on upgrading to OpenJDK 11 (11.0.2, ), it now traps with an NAMESPACE_ERR exception:

org.w3c.dom.DOMException: NAMESPACE_ERR: An attempt is made to create or change an object in a way which is incorrect with regard to namespaces.

at java.xml/com.sun.org.apache.xerces.internal.dom.ElementNSImpl.setName(ElementNSImpl.java:109)
at java.xml/com.sun.org.apache.xerces.internal.dom.ElementNSImpl.<init>(ElementNSImpl.java:84)
at java.xml/com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl.createElementNS(CoreDocumentImpl.java:2089)
at java.xml.crypto/org.jcp.xml.dsig.internal.dom.XmlWriterToTree.writeStartElement(XmlWriterToTree.java:99)
at java.xml.crypto/org.jcp.xml.dsig.internal.dom.Marshaller.marshalGenericNode(Marshaller.java:303)
at java.xml.crypto/org.jcp.xml.dsig.internal.dom.Marshaller.marshalGenericNode(Marshaller.java:286)
at java.xml.crypto/org.jcp.xml.dsig.internal.dom.Marshaller$14.marshalObject(Marshaller.java:251)
at java.xml.crypto/org.jcp.xml.dsig.internal.dom.Marshaller$14.marshalObject(Marshaller.java:247)
at java.xml.crypto/org.jcp.xml.dsig.internal.dom.XmlWriterToTree.marshalStructure(XmlWriterToTree.java:200)
at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLObject.marshal(DOMXMLObject.java:180)
at java.xml.crypto/org.jcp.xml.dsig.internl.dom.DOMXMLSignature.marshal(DOMXMLSignature.java:233)
at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:325)
at com.esignforms.open.crypto.XmlDigitalSignature.sign(XmlDigitalSignature.java:208)

If I revert back to Java 8 or even Java 10, it works again.  

REGRESSION : Last worked in version 8u181


CUSTOMER SUBMITTED WORKAROUND :
Currently, we have to revert from JDK 11 to Java 8 or 10.

FREQUENCY : always
Comments
openjdk mail thread : http://mail.openjdk.java.net/pipermail/security-dev/2019-January/019270.html
31-01-2019