JDK-8261246

Disable SHA-1 XML Signatures


    • Type: CSR
    • Resolution: Approved
    • Priority: P3
    • Fix Version: 17
    • Component: security-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: medium
    • Compatibility Risk Description: If necessary, and at their own risk, applications can work around this by disabling the secure validation mode or by adjusting the validation policy and re-enabling the SHA-1 algorithms.
    • Interface Kind: System or security property
    • Scope: JDK

      Summary

      Disable by default XML Signatures that use SHA-1 based digest or signature algorithms. SHA-1 is no longer a recommended algorithm for digital signatures.

      Problem

      SHA-1 is no longer a recommended algorithm for digital signatures. Disabling it by default will improve out-of-the-box security by restricting XML signatures that use SHA-1 based algorithms.

      Solution

      Disable SHA-1 by adding the signature and digest algorithm URIs that use SHA-1 to the jdk.xml.dsig.secureValidationPolicy security property. The hmac-sha1 algorithm will not be disabled, however, as it does not have the same security weaknesses.

      Specification

      Make the following changes to the java.security configuration file:

        jdk.xml.dsig.secureValidationPolicy=\
            disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
            disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
            disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
            disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
      +     disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\
      +     disallowAlg http://www.w3.org/2000/09/xmldsig#dsa-sha1,\
      +     disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\
      +     disallowAlg http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1,\
      +     disallowAlg http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,\
            maxTransforms 5,\
            maxReferences 30,\
            disallowReferenceUriSchemes file http https,\
            minKeySize RSA 1024,\
            minKeySize DSA 1024,\
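As an added example (not part of the CSR or the JDK code base), the following Java program creates an enveloped signature using exactly two of the URIs the policy above disallows, xmldsig#sha1 as the digest method and xmldsig#rsa-sha1 as the signature method, and then validates it twice: once with secure validation mode on, where a JDK 17 or later runtime with the java.security change above rejects it with a MarshalException or XMLSignatureException, and once with the mode switched off on the validation context, which is the at-your-own-risk workaround the CSR describes. It assumes a JDK 17+ runtime; the class name and the single-element payload document are constructed for the example.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

public class Sha1XmlSigCheck {
    public static void main(String[] args) throws Exception {
        // Constructed sample document: a single <payload> element to sign.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        doc.appendChild(doc.createElement("payload"));
        // 2048-bit RSA stays above the "minKeySize RSA 1024" floor, so the
        // only policy violation exercised here is the SHA-1 algorithm pair.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // DigestMethod.SHA1 is http://www.w3.org/2000/09/xmldsig#sha1 and
        // SignatureMethod.RSA_SHA1 is http://www.w3.org/2000/09/xmldsig#rsa-sha1.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA1, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
            Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        System.out.println("secure validation on : " + validates(fac, kp, sigNode, true));
        System.out.println("secure validation off: " + validates(fac, kp, sigNode, false));
    }

    // With secure validation on, the disallowed SHA-1 URIs are rejected while the
    // signature is unmarshalled; with it off, the signature validates as before.
    static boolean validates(XMLSignatureFactory fac, KeyPair kp, Node sigNode, boolean secure) throws Exception {
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sigNode);
        vc.setProperty("org.jcp.xml.dsig.secureValidation", secure);
        try {
            return fac.unmarshalXMLSignature(vc).validate(vc);
        } catch (MarshalException | XMLSignatureException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }
}
```

Setting the context property to false is the per-validation form of the workaround; the security-property form is to remove the five SHA-1 disallowAlg entries from jdk.xml.dsig.secureValidationPolicy in java.security.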

            Sean Mullan (mullan)
            Weijun Wang