Details
-
Bug
-
Resolution: Fixed
-
P2
-
11, 12, 13
-
b11
-
generic
-
generic
-
Verified
Backports
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8220455 | 12.0.2 | Sean Mullan | P2 | Closed | Fixed | b01 |
| JDK-8220629 | 11.0.4-oracle | Sean Coffey | P2 | Closed | Fixed | b01 |
| JDK-8220759 | 11.0.4 | Sean Mullan | P2 | Resolved | Fixed | b01 |
| JDK-8251915 | openjdk8u272 | Sean Mullan | P2 | Resolved | Fixed | b04 |
| JDK-8227281 | 8u241 | Sean Coffey | P2 | Resolved | Fixed | b01 |
| JDK-8227728 | 8u231 | Sean Coffey | P2 | Closed | Fixed | b03 |
| JDK-8235017 | emb-8u241 | Sean Coffey | P2 | Resolved | Fixed | team |
| JDK-8229670 | emb-8u231 | Sean Coffey | P2 | Resolved | Fixed | b03 |
Description
ADDITIONAL SYSTEM INFORMATION :
I verified this in Ubuntu 18.04 64bits and in MacOS Mojave 10.14.2
A DESCRIPTION OF THE PROBLEM :
The following code contains a test case to do XML signing using the ENVELOPING type: https://github.com/marianogonzalez/jdk11-xml-crypto-enveloping-issue/blob/master/src/test/java/com/mg/sign/enveloping/EnvelopingTestCase.java
That code works perfectly well when run in JDK 1.8 and produces the following output:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#data">
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>ihf/785BQpY0+MUQeP0IXrqcdENEap5sHpFw2NvBMv8=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>gE5lSOnbxukfAiTG+YvPevBLnz5QjYycRSRVA9CCaHXJYQmLxJ2uBFBsOqdL89/vnPgg4g4mgsd1
F32KBi3AMvs169RDBs4gjNAxX5dq5DleqVmFvX6TzsiCLW3kAGF+g52GPFpcwz44zU+MDbQ7AmyO
CzjR6GMKr7mAT+9LEzQ=
</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509SubjectName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</dsig:X509SubjectName>
<dsig:X509Certificate>MIICTzCCAbigAwIBAgIEUBXCNzANBgkqhkiG9w0BAQUFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw
DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD
VQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTEyMDcyOTIzMDczNVoXDTEyMTAyNzIz
MDczNVowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5r
bm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93
bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAkXqhit5u2/nt4330RFAXfnxwj3ULk8v7WJzo
a1+qyByijq9Btviiq2C594seo/ay4Sj7DyRecMRH+qS3q83Da54fOVCf/6uqAo82T4uVGZbMp6Vk
KlQLtqyUGo5ZR4QzevnMgaVygg6dxa0HNJw+gHYaRuHrlFpXv3oaq73usjECAwEAATANBgkqhkiG
9w0BAQUFAAOBgQBZmTNtqeZrD0noIizIBytXbiqiXXKgO9Y5JRNiEC2ZoAEzey9l5Oht+DCL6X2T
W1q5aHLfk14IALY3RYDyCSkz5Jg+Sv7fj4hC3Fs3kdjBWY27a9d+W1kzo6h3adcwimW51/mFlDU0
hXmRsLPZ/lGiPaUH5n4HEAwcJwQuO+uzMA==
</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
<dsig:Object Encoding="UTF-8" Id="data">
<PurchaseOrder>
<Item number="130046593231">
<Description>Video Game</Description>
<Price>10.29</Price>
</Item>
<Buyer id="8492340">
<Name>My Name</Name>
<Address>
<Street>One Network Drive</Street>
<Town>Burlington</Town>
<State>MA</State>
<Country>United States</Country>
<PostalCode>01803</PostalCode>
</Address>
</Buyer>
</PurchaseOrder>
</dsig:Object>
</dsig:Signature>
When the exact same code is run with JDK11, it produces this invalid output instead:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PurchaseOrder>
<Item number="130046593231">
<Description>Video Game</Description>
<Price>10.29</Price>
</Item>
<Buyer id="8492340">
<Name>My Name</Name>
<Address>
<Street>One Network Drive</Street>
<Town>Burlington</Town>
<State>MA</State>
<Country>United States</Country>
<PostalCode>01803</PostalCode>
</Address>
</Buyer>
</PurchaseOrder><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#data">
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>ihf/785BQpY0+MUQeP0IXrqcdENEap5sHpFw2NvBMv8=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>gE5lSOnbxukfAiTG+YvPevBLnz5QjYycRSRVA9CCaHXJYQmLxJ2uBFBsOqdL89/vnPgg4g4mgsd1
F32KBi3AMvs169RDBs4gjNAxX5dq5DleqVmFvX6TzsiCLW3kAGF+g52GPFpcwz44zU+MDbQ7AmyO
CzjR6GMKr7mAT+9LEzQ=
</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509SubjectName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</dsig:X509SubjectName>
<dsig:X509Certificate>MIICTzCCAbigAwIBAgIEUBXCNzANBgkqhkiG9w0BAQUFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw
DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD
VQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTEyMDcyOTIzMDczNVoXDTEyMTAyNzIz
MDczNVowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5r
bm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93
bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAkXqhit5u2/nt4330RFAXfnxwj3ULk8v7WJzo
a1+qyByijq9Btviiq2C594seo/ay4Sj7DyRecMRH+qS3q83Da54fOVCf/6uqAo82T4uVGZbMp6Vk
KlQLtqyUGo5ZR4QzevnMgaVygg6dxa0HNJw+gHYaRuHrlFpXv3oaq73usjECAwEAATANBgkqhkiG
9w0BAQUFAAOBgQBZmTNtqeZrD0noIizIBytXbiqiXXKgO9Y5JRNiEC2ZoAEzey9l5Oht+DCL6X2T
W1q5aHLfk14IALY3RYDyCSkz5Jg+Sv7fj4hC3Fs3kdjBWY27a9d+W1kzo6h3adcwimW51/mFlDU0
hXmRsLPZ/lGiPaUH5n4HEAwcJwQuO+uzMA==
</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
<dsig:Object Encoding="UTF-8" Id="data">
<PurchaseOrder>
<Item number="130046593231">
<Description>Video Game</Description>
<Price>10.29</Price>
</Item>
<Buyer id="8492340">
<Name>My Name</Name>
<Address>
<Street>One Network Drive</Street>
<Town>Burlington</Town>
<State>MA</State>
<Country>United States</Country>
<PostalCode>01803</PostalCode>
</Address>
</Buyer>
</PurchaseOrder>
</dsig:Object>
</dsig:Signature>
As you can see, JDK8 replaces the document's root element with a Signature element that wraps the original content. That signature element becomes the document's only root element.
With JDK11, the Signature element is added to the document as a second root element, appended AFTER the original content.
REGRESSION : Last worked in version 8u192
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run this test case using JDK 11.02: https://github.com/marianogonzalez/jdk11-xml-crypto-enveloping-issue/blob/master/src/test/java/com/mg/sign/enveloping/EnvelopingTestCase.java
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The same XML obtained using JDK 1.8
ACTUAL -
The broken XML attached in the description
---------- BEGIN SOURCE ----------
https://github.com/marianogonzalez/jdk11-xml-crypto-enveloping-issue/blob/master/src/test/java/com/mg/sign/enveloping/EnvelopingTestCase.java
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
To take the output Document an manually remove the original root element
FREQUENCY : always
I verified this in Ubuntu 18.04 64bits and in MacOS Mojave 10.14.2
A DESCRIPTION OF THE PROBLEM :
The following code contains a test case to do XML signing using the ENVELOPING type: https://github.com/marianogonzalez/jdk11-xml-crypto-enveloping-issue/blob/master/src/test/java/com/mg/sign/enveloping/EnvelopingTestCase.java
That code works perfectly well when run in JDK 1.8 and produces the following output:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#data">
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>ihf/785BQpY0+MUQeP0IXrqcdENEap5sHpFw2NvBMv8=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>gE5lSOnbxukfAiTG+YvPevBLnz5QjYycRSRVA9CCaHXJYQmLxJ2uBFBsOqdL89/vnPgg4g4mgsd1
F32KBi3AMvs169RDBs4gjNAxX5dq5DleqVmFvX6TzsiCLW3kAGF+g52GPFpcwz44zU+MDbQ7AmyO
CzjR6GMKr7mAT+9LEzQ=
</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509SubjectName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</dsig:X509SubjectName>
<dsig:X509Certificate>MIICTzCCAbigAwIBAgIEUBXCNzANBgkqhkiG9w0BAQUFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw
DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD
VQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTEyMDcyOTIzMDczNVoXDTEyMTAyNzIz
MDczNVowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5r
bm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93
bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAkXqhit5u2/nt4330RFAXfnxwj3ULk8v7WJzo
a1+qyByijq9Btviiq2C594seo/ay4Sj7DyRecMRH+qS3q83Da54fOVCf/6uqAo82T4uVGZbMp6Vk
KlQLtqyUGo5ZR4QzevnMgaVygg6dxa0HNJw+gHYaRuHrlFpXv3oaq73usjECAwEAATANBgkqhkiG
9w0BAQUFAAOBgQBZmTNtqeZrD0noIizIBytXbiqiXXKgO9Y5JRNiEC2ZoAEzey9l5Oht+DCL6X2T
W1q5aHLfk14IALY3RYDyCSkz5Jg+Sv7fj4hC3Fs3kdjBWY27a9d+W1kzo6h3adcwimW51/mFlDU0
hXmRsLPZ/lGiPaUH5n4HEAwcJwQuO+uzMA==
</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
<dsig:Object Encoding="UTF-8" Id="data">
<PurchaseOrder>
<Item number="130046593231">
<Description>Video Game</Description>
<Price>10.29</Price>
</Item>
<Buyer id="8492340">
<Name>My Name</Name>
<Address>
<Street>One Network Drive</Street>
<Town>Burlington</Town>
<State>MA</State>
<Country>United States</Country>
<PostalCode>01803</PostalCode>
</Address>
</Buyer>
</PurchaseOrder>
</dsig:Object>
</dsig:Signature>
When the exact same code is run with JDK11, it produces this invalid output instead:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PurchaseOrder>
<Item number="130046593231">
<Description>Video Game</Description>
<Price>10.29</Price>
</Item>
<Buyer id="8492340">
<Name>My Name</Name>
<Address>
<Street>One Network Drive</Street>
<Town>Burlington</Town>
<State>MA</State>
<Country>United States</Country>
<PostalCode>01803</PostalCode>
</Address>
</Buyer>
</PurchaseOrder><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#data">
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>ihf/785BQpY0+MUQeP0IXrqcdENEap5sHpFw2NvBMv8=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>gE5lSOnbxukfAiTG+YvPevBLnz5QjYycRSRVA9CCaHXJYQmLxJ2uBFBsOqdL89/vnPgg4g4mgsd1
F32KBi3AMvs169RDBs4gjNAxX5dq5DleqVmFvX6TzsiCLW3kAGF+g52GPFpcwz44zU+MDbQ7AmyO
CzjR6GMKr7mAT+9LEzQ=
</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509SubjectName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</dsig:X509SubjectName>
<dsig:X509Certificate>MIICTzCCAbigAwIBAgIEUBXCNzANBgkqhkiG9w0BAQUFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw
DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD
VQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTEyMDcyOTIzMDczNVoXDTEyMTAyNzIz
MDczNVowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5r
bm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93
bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAkXqhit5u2/nt4330RFAXfnxwj3ULk8v7WJzo
a1+qyByijq9Btviiq2C594seo/ay4Sj7DyRecMRH+qS3q83Da54fOVCf/6uqAo82T4uVGZbMp6Vk
KlQLtqyUGo5ZR4QzevnMgaVygg6dxa0HNJw+gHYaRuHrlFpXv3oaq73usjECAwEAATANBgkqhkiG
9w0BAQUFAAOBgQBZmTNtqeZrD0noIizIBytXbiqiXXKgO9Y5JRNiEC2ZoAEzey9l5Oht+DCL6X2T
W1q5aHLfk14IALY3RYDyCSkz5Jg+Sv7fj4hC3Fs3kdjBWY27a9d+W1kzo6h3adcwimW51/mFlDU0
hXmRsLPZ/lGiPaUH5n4HEAwcJwQuO+uzMA==
</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
<dsig:Object Encoding="UTF-8" Id="data">
<PurchaseOrder>
<Item number="130046593231">
<Description>Video Game</Description>
<Price>10.29</Price>
</Item>
<Buyer id="8492340">
<Name>My Name</Name>
<Address>
<Street>One Network Drive</Street>
<Town>Burlington</Town>
<State>MA</State>
<Country>United States</Country>
<PostalCode>01803</PostalCode>
</Address>
</Buyer>
</PurchaseOrder>
</dsig:Object>
</dsig:Signature>
As you can see, JDK8 replaces the document's root element with a Signature element that wraps the original content. That signature element becomes the document's only root element.
With JDK11, the Signature element is added to the document as a second root element, appended AFTER the original content.
REGRESSION : Last worked in version 8u192
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run this test case using JDK 11.02: https://github.com/marianogonzalez/jdk11-xml-crypto-enveloping-issue/blob/master/src/test/java/com/mg/sign/enveloping/EnvelopingTestCase.java
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The same XML obtained using JDK 1.8
ACTUAL -
The broken XML attached in the description
---------- BEGIN SOURCE ----------
https://github.com/marianogonzalez/jdk11-xml-crypto-enveloping-issue/blob/master/src/test/java/com/mg/sign/enveloping/EnvelopingTestCase.java
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
To take the output Document an manually remove the original root element
FREQUENCY : always
Attachments
Issue Links
- backported by
-
JDK-8220759 ENVELOPING XML signature no longer works
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
- relates to
-
-
- Resolved
-
-
JDK-8177334 Update xmldsig implementation to Apache Santuario 2.1.1
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
(3 backported by, 4 relates to)