- Bug
- Resolution: Fixed
- P3
- 7, 8
- b102
- generic
- generic
- Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8175436 | openjdk7u | Sean Mullan | P3 | Resolved | Fixed | master |
The XML DSig implementation ignores tag names and extra elements in SignedInfo. For example, the following XML passes validation:

```xml
...
<aSignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<aCanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></aCanonicalizationMethod>
<aSignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></aSignatureMethod>
<aReference URI="">
<Transforms>
<aTransform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></aTransform>
</Transforms>
<aDigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></aDigestMethod>
<aDigestValue>1Bq8FsjajUBYPD7stQeJSc66GlM=</aDigestValue>
<test>some extra text</test>
</aReference>
</aSignedInfo>
<aSignatureValue>cbNpPGavhM0...</aSignatureValue>
...
```

Only the Transforms tag is not affected.
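For code that must run on an unpatched runtime, a structural pre-check can reject a SignedInfo whose element names or children deviate from the XML DSig schema before the signature is validated. This is an added example, not the JDK's fix; the class and method names are hypothetical, the sample documents are constructed, and it checks only the children of SignedInfo and Reference.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class SignedInfoShapeCheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    // Local names of the element children, space-terminated; "?" marks a child outside the DSig namespace.
    static String shape(Element parent) {
        StringBuilder sb = new StringBuilder();
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE) continue;
            sb.append(DS.equals(n.getNamespaceURI()) ? n.getLocalName() : "?").append(' ');
        }
        return sb.toString();
    }

    // True only if SignedInfo and each Reference have exactly the schema's children, in order.
    static boolean hasExpectedShape(Element si) {
        if (!DS.equals(si.getNamespaceURI()) || !"SignedInfo".equals(si.getLocalName())) return false;
        if (!shape(si).matches("CanonicalizationMethod SignatureMethod (Reference )+")) return false;
        for (Node n = si.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && "Reference".equals(n.getLocalName())
                    && !shape((Element) n).matches("(Transforms )?DigestMethod DigestValue ")) return false;
        }
        return true;
    }

    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required for getLocalName()/getNamespaceURI()
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples; the Algorithm values are placeholders, not real algorithm URIs.
        String good = "<SignedInfo xmlns='" + DS + "'><CanonicalizationMethod Algorithm='c'/>"
            + "<SignatureMethod Algorithm='s'/><Reference URI=''><Transforms><Transform Algorithm='t'/>"
            + "</Transforms><DigestMethod Algorithm='d'/><DigestValue>AA==</DigestValue></Reference></SignedInfo>";
        String renamed = good.replace("SignedInfo", "aSignedInfo");   // wrong tag name, as in the report
        String extra = good.replace("</Reference>", "<test>some extra text</test></Reference>");
        System.out.println(hasExpectedShape(parse(good)) + " " + hasExpectedShape(parse(renamed))
            + " " + hasExpectedShape(parse(extra)));
    }
}
```

Only the well-formed sample passes; the renamed root and the Reference carrying an extra `<test>` child are both rejected.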
- backported by: JDK-8175436 XML DSig API allows wrong tag names and extra elements in SignedInfo (Resolved)