JDK-8320594 : Update XML Security for Java to 3.0.2
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.xml.crypto
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 8-pool,11-pool-oracle,17-pool-oracle
  • Submitted: 2023-11-22
  • Updated: 2024-01-23
  • Resolved: 2023-11-27
Description
Summary
-------

Update the XML Signature implementation (primarily in the com/sun/org/apache/xml/internal/ classes) in the JDK to version 3.0.2 of Apache Santuario.
This is a CSR request for the 17u/11u/8u requests.

The port is largely the same in terms of implementation as that done for JDK 21.

The javax.xml.crypto.dsig.SignatureMethod and javax.xml.crypto.dsig.DigestMethod interfaces will not be updated. Instead, end users would define the newly added EdDSA Signature methods locally in application code. Unlike JDK 17 and later,
JDK 11 and 8 don't have EdDSA support by default. A 3rd party security provider which supports `ed25519` and `ed448` would be required.

Problem
-------

The latest Apache Santuario release 3.0.2 contains the following changes:

1. Adds support for EdDSA. (`ed25519` and `ed448`)

2. Removes direct dependencies on Xalan. This dependency was necessary to support the `here()` XPath function defined at https://www.w3.org/TR/xmldsig-core1/#function-here.

Solution
--------

Import Apache Santuario 3.0.2 with EdDSA support. Unlike JDK 21, URIs for 2 new signature methods won't be defined for the Update releases. These URIs are string literals and applications may use them directly without referencing the 'SignatureMethod' class.

Santuario has discontinued support for the `here()` function, as it required a dependency on Xalan internal APIs and cannot be supported using the standard Java XPath API. However, a new security property will be introduced for the sake of backward compatibility, which allows users to decide if they want to maintain support for the function. Use of this property is identical to the JDK 21 solution. If this property is set to "true" (which is the default value), the function will be supported, continuing the behavior of previous JDK releases. Otherwise, if set to "false", the function will not be supported, mirroring the latest approach of Santuario. A future JDK release is likely to change the default value to "false" when the compatibility risk is determined to be very low.


Specification
-------------

### `here()` function support

A security property "jdk.xml.dsig.hereFunctionSupported" is introduced. The following paragraph is added to `conf/security/java.security`:

    #
    # Support for the here() function
    #
    # This security property determines whether the here() XPath function is
    # supported in XML Signature generation and verification.
    #
    # If this property is set to false, the here() function is not supported.
    # Generating an XML Signature that uses the here() function will throw an
    # XMLSignatureException. Validating an existing XML Signature that uses the
    # here() function will also throw an XMLSignatureException.
    #
    # The default value for this property is true.
    #
    # Note: This property is currently used by the JDK Reference implementation.
    # It is not guaranteed to be examined and used by other implementations.
    #
    #jdk.xml.dsig.hereFunctionSupported=true
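
The following is an added example, not code from this CSR or from the JDK: a startup check for an application on an update release that opts out of `here()` and defines the EdDSA signature method URIs locally. The class name is hypothetical, and the URI values are the RFC 9231 EdDSA identifiers, which this page does not quote; `Ed25519` and `Ed448` are the standard JCA algorithm names used to check whether a provider is present.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.Signature;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.XMLSignatureFactory;

public class EdDsaXmlDsigCheck {  // hypothetical class name
    // Defined locally because SignatureMethod is not updated in 8u/11u/17u.
    // Assumption: values taken from RFC 9231, not from this page.
    static final String ED25519_URI = "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519";
    static final String ED448_URI = "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448";

    // Returns the SignatureMethod, or null when this runtime's XML Signature
    // implementation does not recognise the URI (JDK without the update).
    static SignatureMethod eddsaMethod(XMLSignatureFactory fac, String uri) {
        try {
            return fac.newSignatureMethod(uri, null);
        } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
            return null;
        }
    }

    // True when some installed security provider implements the algorithm.
    // On JDK 8 and 11 this needs a third-party provider, as the CSR notes.
    static boolean providerSupports(String jcaName) {
        try {
            Signature.getInstance(jcaName);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Opt out of here() before any signature is generated or validated.
        // Editing conf/security/java.security is the persistent alternative.
        Security.setProperty("jdk.xml.dsig.hereFunctionSupported", "false");

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        String[][] algs = { {ED25519_URI, "Ed25519"}, {ED448_URI, "Ed448"} };
        for (String[] a : algs) {
            boolean uriKnown = eddsaMethod(fac, a[0]) != null;
            System.out.println(a[1] + ": XML DSig URI recognised=" + uriKnown
                    + ", JCA provider available=" + providerSupports(a[1]));
        }
    }
}
```

Both checks must report `true` before EdDSA signatures can be generated or validated: the first depends on the JDK update, the second on an installed provider.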


Comments
Moving to Approved.
27-11-2023