Type: CSR
Resolution: Approved
Priority: P3
Compatibility Kind: behavioral
Compatibility Risk: minimal
Compatibility Risk Description: None.
Interface Kind: Java API
Scope: SE
Summary
The XMLDSig implementation in OpenJDK was integrated in 2013 and is based on Apache Santuario 1.5.4. We will update it to Apache Santuario 2.1.1, which was released in January 2018.
Problem
Since 1.5.4, Apache Santuario has added support for new algorithms, including digest and signature methods based on SHA-224, RSASSA-PSS, and SHA-3. The OpenJDK implementation should be updated to match the current release so that these algorithms become available to applications.
Solution
Update the java.xml.crypto module to use the code from Apache Santuario release 2.1.1, and re-apply the necessary OpenJDK patches. Most of these patches were not integrated into the upstream Apache Santuario repository because they are JDK 9-only changes (Apache Santuario still supports JDK 8).
Specification
Add the following constants to DigestMethod.java and SignatureMethod.java. All of these algorithm URIs are defined in RFC 6931.
In src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/DigestMethod.java, add:
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#sha224">
* SHA224</a> digest method algorithm URI.
*/
String SHA224 = "http://www.w3.org/2001/04/xmldsig-more#sha224";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#sha384">
* SHA384</a> digest method algorithm URI.
*/
String SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384";
/**
* The <a href="http://www.w3.org/2007/05/xmldsig-more#sha3-224">
* SHA3-224</a> digest method algorithm URI.
*/
String SHA3_224 = "http://www.w3.org/2007/05/xmldsig-more#sha3-224";
/**
* The <a href="http://www.w3.org/2007/05/xmldsig-more#sha3-256">
* SHA3-256</a> digest method algorithm URI.
*/
String SHA3_256 = "http://www.w3.org/2007/05/xmldsig-more#sha3-256";
/**
* The <a href="http://www.w3.org/2007/05/xmldsig-more#sha3-384">
* SHA3-384</a> digest method algorithm URI.
*/
String SHA3_384 = "http://www.w3.org/2007/05/xmldsig-more#sha3-384";
/**
* The <a href="http://www.w3.org/2007/05/xmldsig-more#sha3-512">
* SHA3-512</a> digest method algorithm URI.
*/
String SHA3_512 = "http://www.w3.org/2007/05/xmldsig-more#sha3-512";
In src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/SignatureMethod.java, add:
/**
* The <a href="http://www.w3.org/2009/xmldsig11#dsa-sha256">DSA-SHA256</a>
* (DSS) signature method algorithm URI.
*/
String DSA_SHA256 = "http://www.w3.org/2009/xmldsig11#dsa-sha256";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224">
* RSA-SHA224</a> (PKCS #1) signature method algorithm URI.
*/
String RSA_SHA224 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">
* RSA-SHA256</a> (PKCS #1) signature method algorithm URI.
*/
String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384">
* RSA-SHA384</a> (PKCS #1) signature method algorithm URI.
*/
String RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512">
* RSA-SHA512</a> (PKCS #1) signature method algorithm URI.
*/
String RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
/**
* The <a href="http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1">
* SHA1-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
*/
String SHA1_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1";
/**
* The <a href="http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1">
* SHA224-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
*/
String SHA224_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1";
/**
* The <a href="http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1">
* SHA256-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
*/
String SHA256_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";
/**
* The <a href="http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1">
* SHA384-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
*/
String SHA384_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1";
/**
* The <a href="http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1">
* SHA512-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
*/
String SHA512_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1">
* ECDSA-SHA1</a> (FIPS 180-4) signature method algorithm URI.
*/
String ECDSA_SHA1 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224">
* ECDSA-SHA224</a> (FIPS 180-4) signature method algorithm URI.
*/
String ECDSA_SHA224 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256">
* ECDSA-SHA256</a> (FIPS 180-4) signature method algorithm URI.
*/
String ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384">
* ECDSA-SHA384</a> (FIPS 180-4) signature method algorithm URI.
*/
String ECDSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512">
* ECDSA-SHA512</a> (FIPS 180-4) signature method algorithm URI.
*/
String ECDSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#hmac-sha224">
* HMAC-SHA224</a> MAC signature method algorithm URI.
*/
String HMAC_SHA224 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha224";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256">
* HMAC-SHA256</a> MAC signature method algorithm URI.
*/
String HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384">
* HMAC-SHA384</a> MAC signature method algorithm URI.
*/
String HMAC_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha384";
/**
* The <a href="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512">
* HMAC-SHA512</a> MAC signature method algorithm URI.
*/
String HMAC_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512";
CSR of: JDK-8177334 Update xmldsig implementation to Apache Santuario 2.1.1 (Resolved)