8259709: Disable SHA-1 XML Signatures
Reviewed-by: rhalade, weijun
seanjmullan committed Mar 4, 2021
1 parent ef5e13d commit a6427c85eeb06fe080864bcad1d44447150d10a6
Showing 5 changed files with 54 additions and 5 deletions.
@@ -964,6 +964,11 @@ jdk.xml.dsig.secureValidationPolicy=\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\
disallowAlg http://www.w3.org/2000/09/xmldsig#dsa-sha1,\
disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\
disallowAlg http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,\
maxTransforms 5,\
maxReferences 30,\
disallowReferenceUriSchemes file http https,\
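Review bot: No `http://www.w3.org/2000/09/xmldsig#hmac-sha1` entry is added alongside the five SHA-1 URIs that follow the md5 entries, so HMAC-SHA1 signatures presumably remain accepted after this change. If that is deliberate (HMAC does not depend on collision resistance the way the digest and the DSA/RSA/ECDSA signature methods do), the property's comment block, which lies outside this hunk, should say so, for example `# hmac-sha1 is intentionally not disallowed; only the SHA-1 digest and public-key signature methods are.` As far as I can tell this policy is enforced only in secure validation mode, so the same comment block is the place to remind readers that validation with that mode off would still accept SHA-1.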
@@ -30,6 +30,7 @@
* java.base/sun.security.x509
* java.xml.crypto/org.jcp.xml.dsig.internal.dom
* jdk.httpserver/com.sun.net.httpserver
* @library /test/lib
* @compile -XDignore.symbol.file KeySelectors.java SignatureValidator.java
* X509KeySelector.java GenerationTests.java
* @run main/othervm/timeout=300 -Dsun.net.httpserver.nodelay=true GenerationTests
@@ -91,6 +92,8 @@
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

import jdk.test.lib.security.SecurityUtils;

/**
* Test that recreates merlin-xmldsig-twenty-three test vectors (and more)
* but with different keys and X.509 data.
@@ -284,6 +287,9 @@ private static enum KeyInfoType {
private static boolean result = true;

public static void main(String args[]) throws Exception {
// Re-enable sha1 algs
SecurityUtils.removeAlgsFromDSigPolicy("sha1");

setup();
test_create_signature_enveloped_dsa(1024);
test_create_signature_enveloped_dsa(2048);
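Review bot: The comment `// Re-enable sha1 algs` in main does not say why the call must stay ahead of `setup()` or that it rewrites a JVM-wide security property. The policy is presumably read when the XML DSig implementation initialises, so a later edit that moves the call could silently leave SHA-1 disallowed. I would expand it to `// SHA-1 is disallowed by default (8259709) but these vectors still use it; relax the policy before any XML DSig code runs. Only safe because this test runs in othervm.` The same applies to the identical call added at the top of main in ValidationTests further down. With both tests relaxing the policy up front, nothing visible in either one checks that a SHA-1 signature is rejected under the default policy; confirm that is covered elsewhere. main's body continues outside the hunk.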
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@

/**
* @test
* @bug 8151893
* @bug 8151893 8259709
* @summary Tests for the jdk.xml.dsig.secureValidationPolicy security property
* @modules java.xml.crypto/org.jcp.xml.dsig.internal.dom
*/
@@ -42,7 +42,12 @@ public static void main(String[] args) throws Exception {
"http://www.w3.org/TR/1999/REC-xslt-19991116",
"http://www.w3.org/2001/04/xmldsig-more#rsa-md5",
"http://www.w3.org/2001/04/xmldsig-more#hmac-md5",
"http://www.w3.org/2001/04/xmldsig-more#md5");
"http://www.w3.org/2001/04/xmldsig-more#md5",
"http://www.w3.org/2000/09/xmldsig#sha1",
"http://www.w3.org/2000/09/xmldsig#dsa-sha1",
"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
"http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1",
"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1");

// Test expected defaults
System.out.println("Testing defaults");
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -28,6 +28,7 @@
* @modules java.base/sun.security.util
* java.base/sun.security.x509
* java.xml.crypto/org.jcp.xml.dsig.internal.dom
* @library /test/lib
* @compile -XDignore.symbol.file KeySelectors.java SignatureValidator.java
* X509KeySelector.java ValidationTests.java
* @run main/othervm ValidationTests
@@ -47,6 +48,8 @@
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;

import jdk.test.lib.security.SecurityUtils;

public class ValidationTests {

private static SignatureValidator validator;
@@ -138,6 +141,9 @@ static class Test {
};

public static void main(String args[]) throws Exception {
// Re-enable sha1 algs
SecurityUtils.removeAlgsFromDSigPolicy("sha1");

httpUd = new HttpURIDereferencer();

validator = new SignatureValidator(new File(DATA_DIR));
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -70,5 +70,32 @@ private static void removeFromDisabledAlgs(String prop, List<String> algs) {
Security.setProperty(prop, value);
}

/**
* Removes the specified algorithms from the
* jdk.xml.dsig.secureValidationPolicy security property. Matches any
* part of the algorithm URI.
*/
public static void removeAlgsFromDSigPolicy(String... algs) {
removeFromDSigPolicy("disallowAlg", List.<String>of(algs));
}

private static void removeFromDSigPolicy(String rule, List<String> algs) {
String value = Security.getProperty("jdk.xml.dsig.secureValidationPolicy");
value = Arrays.stream(value.split(","))
.filter(v -> !v.contains(rule) ||
!anyMatch(v, algs))
.collect(Collectors.joining(","));
Security.setProperty("jdk.xml.dsig.secureValidationPolicy", value);
}

private static boolean anyMatch(String value, List<String> algs) {
for (String alg : algs) {
if (value.contains(alg)) {
return true;
}
}
return false;
}

private SecurityUtils() {}
}
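Review bot: `removeFromDSigPolicy` calls `value.split(",")` on the result of `Security.getProperty(...)` without a null check, so it throws a NullPointerException when the property is not set; adding `if (value == null) { return; }` before the stream would make that case a no-op. The filter also applies `v.contains(rule)` and `anyMatch(v, algs)` to the whole policy entry rather than to the URI token, so an argument such as `"Alg"` would match the rule name itself and strip every disallowAlg entry. That is broader than the Javadoc on `removeAlgsFromDSigPolicy`, which promises a match on "any part of the algorithm URI". The Javadoc should also state that the method weakens a JVM-wide security property through `Security.setProperty` and is intended only for tests that run in their own VM.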
