JDK-8235603 : 8u231 Transform of DOM to byte array adds ASCII carriage return to signed XML
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.xml.crypto
  • Affected Version: 8u231,15
  • Priority: P3
  • Status: Resolved
  • Resolution: Duplicate
  • Submitted: 2019-12-09
  • Updated: 2020-09-04
  • Resolved: 2020-02-10
Related Reports
Duplicate :  
JDK-8236645 - JDK 8u231 introduces a regression with incompatible handling of XML messages
Relates :  
JDK-8177334 - Update xmldsig implementation to Apache Santuario 2.1.1
Relates :  
JDK-8219013 - Update Apache Santuario (XML Signature) to version 2.1.3
Relates :  
JDK-8205507 - jdk/javax/xml/crypto/dsig/GenerationTests.java timed out
Relates :  
JDK-8217878 - ENVELOPING XML signature no longer works
Relates :  
JDK-8218629 - XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10
Relates :  
JDK-8210736 - jdk/javax/xml/crypto/dsig/GenerationTests.java slow on linux
Relates :  
JDK-8236645 - JDK 8u231 introduces a regression with incompatible handling of XML messages
Description
After updating from 8u221 to 8u231, serializing the DOM to a byte array using
transforms causes all lines in signed XML document to end with the  ASCII
character for carriage return.

This is the code that no longer works:
ByteArrayOutputStream writer = new ByteArrayOutputStream();
Transformer trans = TransformerFactory.newInstance().newTransformer();
trans.transform(new DOMSource(ownerDoc), new StreamResult(writer));
xmlSigned = writer.toByteArray();
Comments
Resolving as a duplicate of JDK-8236645. Please refer for more information.
10-02-2020
This change was made in the Apache Santuario codebase to be compliant with RFC 2045. Please refer : https://issues.apache.org/jira/browse/SANTUARIO-494 https://issues.apache.org/jira/browse/SANTUARIO-482 The recommended workaround is to set the "com.sun.org.apache.xml.internal.security.ignoreLineBreaks" system property to true. When set to true, the base64 encoded output will not contain linefeed/carriage return characters.
10-02-2020
This is due to a bug fix and is expected behavior. This change was made in the Apache Santuario codebase to be compliant with RFC 2045. There is more information about it in this discussion on the Santuario mailing list: "https://mail-archives.apache.org/mod_mbox/cxf-users/201802.mbox/%3cCAB8XdGCKPwsnc_1BaU95YRvnfnL1OGhLBd-r4VB+6RVo63cyzA@mail.gmail.com%3e" However, you can workaround this issue by setting the com.sun.org.apache.xml.internal.security.ignoreLineBreaks system property to true. When set to true, the base64 encoded output will not contain newline characters. Regarding whether the CRLF is part of the 76 character limit, it is not according to RFC 2045: "The 76 character limit does not count the trailing CRLF, but counts all other characters, including any equal signs."
16-01-2020
Tested on recent jdk-jdk build and seeing the same issue, the byte array ends with 
11-12-2019