Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8149029

Secure validation of XML based digital signature always enabled when checking wrapping attacks

    XMLWordPrintable

Details

    • b100
    • 8
    • b01

    Backports

      Description

        One should be able to enable or disable the XML secure validation of digital signature using the DOMValidateContext property "org.jcp.xml.dsig.secureValidation" . In 8u, even when property value is Boolean.FALSE or unset the validation is triggered.

        Below code sets the org.jcp.xml.dsig.secureValidation to false

        DOMValidateContext vc = new DOMValidateContext(keyValueKS, element);
        vc.setBaseURI(base.toURI().toString());
        vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);

        Immediate call to vc.getProperty() gives correct value but the value is not being considered while XML processing.

        Attachments

          Issue Links

            Activity

              People

                bgopularam Bhanu Prakash Gopularam (Inactive)
                bgopularam Bhanu Prakash Gopularam (Inactive)
                Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: