JDK-8307507

Update XML Security for Java to 3.0.2


    • CSR
    • Resolution: Approved
    • P3
    • 21
    • security-libs
    • None
    • behavioral
    • minimal
    • By default, the here() function is still supported.
    • Java API
    • SE

      Summary

      Update the XML Signature implementation (in the java.xml.crypto module) in the JDK to version 3.0.2 of Apache Santuario.

      Problem

      The latest Apache Santuario release, 3.0.2, contains the following changes:

      1. Adds support for EdDSA. Two new standard SignatureMethod URIs are added for specifying EdDSA algorithms in XML signatures.

      2. Removes direct dependencies on Xalan. This dependency was necessary to support the here() XPath function defined at https://www.w3.org/TR/xmldsig-core1/#function-here.

      Solution

      Import Apache Santuario 3.0.2 with the new algorithm URIs defined.

      Santuario has discontinued support for the here() function because it required a dependency on Xalan internal APIs and cannot be supported using the standard Java XPath API. For backward compatibility, this update introduces a security property that lets users decide whether to keep support for the function. If the property is set to "true" (the default value), the function is supported, continuing the behavior of previous JDK releases. If it is set to "false", the function is not supported, mirroring the latest approach of Santuario. A future JDK release is likely to change the default value to "false" when the compatibility risk is determined to be very low.

      Note: this CSR is for JDK 21 only. If a backport is required, the new algorithm URIs cannot be backported. The new security property can be backported.

      Specification

      New signature algorithms support

      Add two algorithm URIs for the EdDSA signature algorithm using the Ed25519 and Ed448 curves. The URIs are defined in Section 2.3.12 of RFC 9231. We also use this opportunity to add a new paragraph to the class description referencing the standards that define these URIs.

      A similar paragraph is added to the DigestMethod class although there are no new method URIs defined in it.

      package javax.xml.crypto.dsig;
      
      /*
       * ....
       * <p>
       * The signature method algorithm URIs defined in this class are specified
       * in the <a href="https://www.w3.org/TR/xmldsig-core/">
       * W3C Recommendation for XML-Signature Syntax and Processing</a>
       * and <a href="https://www.rfc-editor.org/info/rfc9231">
       * RFC 9231: Additional XML Security Uniform Resource Identifiers (URIs)</a>
       * ....
       */
      public interface SignatureMethod extends XMLStructure, AlgorithmMethod {
          ....
          /**
           * The <a href="http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519">
           * ED25519</a> signature method algorithm URI.
           *
           * @since 21
           */
          String ED25519 = "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519";
      
          /**
           * The <a href="http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448">
           * ED448</a> signature method algorithm URI.
           *
           * @since 21
           */
          String ED448 = "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448";
      }
      
      /*
       * ....
       * <p>
       * The digest method algorithm URIs defined in this class are specified
       * in the <a href="https://www.w3.org/TR/xmldsig-core/">
       * W3C Recommendation for XML-Signature Syntax and Processing</a>
       * and <a href="https://www.rfc-editor.org/info/rfc9231">
       * RFC 9231: Additional XML Security Uniform Resource Identifiers (URIs)</a>
       * ....
       */
      public interface DigestMethod extends XMLStructure, AlgorithmMethod

      here() function support

      A security property "jdk.xml.dsig.hereFunctionSupported" is introduced. The following paragraph is added to conf/security/java.security:

      #
      # Support for the here() function
      #
      # This security property determines whether the here() XPath function is
      # supported in XML Signature generation and verification.
      #
      # If this property is set to false, the here() function is not supported.
      # Generating an XML Signature that uses the here() function will throw an
      # XMLSignatureException. Validating an existing XML Signature that uses the
      # here() function will also throw an XMLSignatureException.
      #
      # The default value for this property is true.
      #
      # Note: This property is currently used by the JDK Reference implementation.
      # It is not guaranteed to be examined and used by other implementations.
      #
      #jdk.xml.dsig.hereFunctionSupported=true
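
Before setting jdk.xml.dsig.hereFunctionSupported to false, it helps to know whether any signatures you generate or validate actually call here(). The following added example (not part of the CSR or the JDK) scans the XPath elements of signature transforms for such calls; the class and method names and the sample document are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class HereFunctionAudit {   // hypothetical class name
    // XPath elements occur in XPath Filtering (dsig) and XPath Filter 2.0 transforms.
    static final List<String> XPATH_NAMESPACES = List.of(
            "http://www.w3.org/2000/09/xmldsig#",
            "http://www.w3.org/2002/06/xmldsig-filter2");
    // A call to here(): the bare name, optional whitespace, then "(".
    static final Pattern HERE_CALL = Pattern.compile("(?<![\\w.-])here\\s*\\(");

    // Returns every transform XPath expression in the document that calls here().
    static List<String> findHereUsage(Document doc) {
        List<String> hits = new ArrayList<>();
        for (String ns : XPATH_NAMESPACES) {
            NodeList xpaths = doc.getElementsByTagNameNS(ns, "XPath");
            for (int i = 0; i < xpaths.getLength(); i++) {
                String expr = xpaths.item(i).getTextContent().trim();
                if (HERE_CALL.matcher(expr).find()) hits.add(expr);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a signature fragment whose XPath transform calls here().
        String xml = """
            <doc><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo><ds:Reference URI=""><ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                  <ds:XPath>count(ancestor-or-self::ds:Signature |
                    here()/ancestor::ds:Signature[1]) >
                    count(ancestor-or-self::ds:Signature)</ds:XPath>
                </ds:Transform></ds:Transforms></ds:Reference></ds:SignedInfo>
            </ds:Signature></doc>
            """;
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        findHereUsage(doc).forEach(e -> System.out.println("uses here(): " + e));
    }
}
```

Documents reported by this scan would fail with an XMLSignatureException once the property is set to false, as the java.security text above describes.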

            weijun Weijun Wang
            weijun Weijun Wang
            Sean Mullan