Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8259709: Disable SHA-1 XML Signatures #2463

Closed
wants to merge 5 commits into from

Conversation

seanjmullan
Copy link
Member

@seanjmullan seanjmullan commented Feb 8, 2021

Please review this change to disable XML signatures that use SHA-1 based digest or signature algorithms. SHA-1 is weak and is not a recommended algorithm for digital signatures. This will improve out of the box security by restricting XML signatures that use SHA-1 algorithms.

CSR: https://bugs.openjdk.java.net/browse/JDK-8261246
Release Note: https://bugs.openjdk.java.net/browse/JDK-8261364


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Issue

Reviewers

Download

$ git fetch https://git.openjdk.java.net/jdk pull/2463/head:pull/2463
$ git checkout pull/2463

@bridgekeeper
Copy link

bridgekeeper bot commented Feb 8, 2021

👋 Welcome back mullan! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk
Copy link

openjdk bot commented Feb 8, 2021

@seanjmullan The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the security security-dev@openjdk.org label Feb 8, 2021
@seanjmullan
Copy link
Member Author

seanjmullan commented Feb 8, 2021

/csr

@openjdk openjdk bot added the csr Pull request needs approved CSR before integration label Feb 8, 2021
@openjdk
Copy link

openjdk bot commented Feb 8, 2021

@seanjmullan this pull request will not be integrated until the CSR request JDK-8261246 for issue JDK-8259709 has been approved.

@openjdk openjdk bot added the rfr Pull request is ready for review label Feb 8, 2021
@mlbridge
Copy link

mlbridge bot commented Feb 8, 2021

Webrevs

rhalade
rhalade approved these changes Feb 9, 2021
Copy link
Contributor

@wangweij wangweij left a comment

Change looks good.

@openjdk openjdk bot removed the csr Pull request needs approved CSR before integration label Feb 9, 2021
@openjdk
Copy link

openjdk bot commented Feb 9, 2021

@seanjmullan This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8259709: Disable SHA-1 XML Signatures

Reviewed-by: rhalade, weijun

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 283 new commits pushed to the master branch:

  • d2c4ed0: 8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space"
  • 94f26e4: 8261450: JShell crashes with SIOOBE in tab completion
  • b817855: 8262935: Add missing logging to sun.net.httpserver.ServerImpl
  • 2251319: 8262828: Format of OS information is different on macOS
  • 4cfecce: 8261730: C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge
  • 7915a1f: 8262950: Restructure compiler/intrinsics/TestRotate.java for easier compilation
  • 84c93d5: 8257137: Revise smov and umov in aarch64 assembler
  • d93fa0d: 8253940: com/sun/jdi/JdwpAttachTest.java failed with "RuntimeException: ERROR: LingeredApp.startApp was able to attach"
  • 104a262: 8224775: test/jdk/com/sun/jdi/JdwpListenTest.java failed to attach
  • 2848938: 8262927: Explicitly state fields examined for BigDecimal.hashCode
  • ... and 273 more: https://git.openjdk.java.net/jdk/compare/52fc01b3ee4ddefd3be3e541a2c53c818d9292c7...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Feb 9, 2021
@wangweij
Copy link
Contributor

wangweij commented Feb 19, 2021

All test changes are about re-enabling disabled algorithms. Do we have a test on ensuring disabled algorithms are indeed disabled? How about we set "org.jcp.xml.dsig.secureValidation" to false everywhere in the existing tests and add a new dedicated test to check for disabled algorithms/key sizes etc.

* jdk.xml.dsig.secureValidationPolicy security property. Matches any
* part of the algorithm URI.
*/
public static void removeAlgsFromDSigPolicy(List<String> algs) {
Copy link
Contributor

@wangweij wangweij Feb 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about using String... algs as arguments?

Copy link
Member Author

@seanjmullan seanjmullan Feb 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that is nicer.

@seanjmullan
Copy link
Member Author

seanjmullan commented Feb 24, 2021

All test changes are about re-enabling disabled algorithms. Do we have a test on ensuring disabled algorithms are indeed disabled? How about we set "org.jcp.xml.dsig.secureValidation" to false everywhere in the existing tests and add a new dedicated test to check for disabled algorithms/key sizes etc.

That is what test/jdk/javax/xml/crypto/dsig/SecureValidationPolicy.java does, see this code block on lines 65-69:

        for (String alg : restrictedAlgs) {
            if (!Policy.restrictAlg(alg)) {
                throw new Exception(alg + " alg not restricted");
            }
        }

@wangweij
Copy link
Contributor

wangweij commented Feb 24, 2021

All test changes are about re-enabling disabled algorithms. Do we have a test on ensuring disabled algorithms are indeed disabled? How about we set "org.jcp.xml.dsig.secureValidation" to false everywhere in the existing tests and add a new dedicated test to check for disabled algorithms/key sizes etc.

That is what test/jdk/javax/xml/crypto/dsig/SecureValidationPolicy.java does, see this code block on lines 65-69:

        for (String alg : restrictedAlgs) {
            if (!Policy.restrictAlg(alg)) {
                throw new Exception(alg + " alg not restricted");
            }
        }

This is only about checking the parsing function of the Policy class. I would be more confident if an actual validation call is made.

I have a test on PSS at https://github.com/openjdk/jdk/blob/a79df58e0ad0b19aa8e0611cc55f5628383c2950/test/jdk/javax/xml/crypto/dsig/SecureValidation.java. Maybe I can enhance it to contain more algorithms.

@seanjmullan
Copy link
Member Author

seanjmullan commented Mar 4, 2021

/integrate

@openjdk openjdk bot closed this Mar 4, 2021
@openjdk openjdk bot added integrated Pull request has been integrated and removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Mar 4, 2021
@openjdk
Copy link

openjdk bot commented Mar 4, 2021

@seanjmullan Since your change was applied there have been 286 commits pushed to the master branch:

  • ef5e13d: 8263030: Remove Shenandoah leftovers from ReferenceProcessor
  • 222a17e: 8262122: [TESTBUG] Shenandoah-specific variant of TestReferenceRefersTo
  • a777e82: 8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards
  • d2c4ed0: 8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space"
  • 94f26e4: 8261450: JShell crashes with SIOOBE in tab completion
  • b817855: 8262935: Add missing logging to sun.net.httpserver.ServerImpl
  • 2251319: 8262828: Format of OS information is different on macOS
  • 4cfecce: 8261730: C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge
  • 7915a1f: 8262950: Restructure compiler/intrinsics/TestRotate.java for easier compilation
  • 84c93d5: 8257137: Revise smov and umov in aarch64 assembler
  • ... and 276 more: https://git.openjdk.java.net/jdk/compare/52fc01b3ee4ddefd3be3e541a2c53c818d9292c7...master

Your commit was automatically rebased without conflicts.

Pushed as commit a6427c8.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
integrated Pull request has been integrated security security-dev@openjdk.org
3 participants