JDK-8320594

Update XML Security for Java to 3.0.2


Details

    • behavioral
    • minimal
    • System or security property
    • JDK

    Description

      Summary

      Update the XML Signature implementation (primarily in the com/sun/org/apache/xml/internal/ classes) in the JDK to version 3.0.2 of Apache Santuario. This is a CSR request for the 17u/11u/8u requests.

      The port is largely the same in terms of implementation as that done for JDK 21.

      The javax.xml.crypto.dsig.SignatureMethod and javax.xml.crypto.dsig.DigestMethod interfaces will not be updated. Instead, end users would define the newly added EdDSA signature methods locally in application code. Unlike JDK 17 and later, JDK 11 and 8 don't have EdDSA support by default. A third-party security provider that supports ed25519 and ed448 would be required.

      Problem

      The latest Apache Santuario release 3.0.2 contains the following changes:

      1. Adds support for EdDSA. (ed25519 and ed448)

      2. Removes direct dependencies on Xalan. This dependency was necessary to support the here() XPath function defined at https://www.w3.org/TR/xmldsig-core1/#function-here.

      Solution

      Import Apache Santuario 3.0.2 with EdDSA support. Unlike JDK 21, URIs for 2 new signature methods won't be defined for the Update releases. These URIs are string literals and applications may use them directly without referencing the 'SignatureMethod' class.

      Santuario has discontinued support for the here() function, as it required a dependency on Xalan internal APIs and cannot be supported using the standard Java XPath API. However, a new security property will be introduced for the sake of backward compatibility, which allows users to decide whether they want to maintain support for the function. Use of this property is identical to the JDK 21 solution. If this property is set to "true" (which is the default value), the function will be supported, continuing the behavior of previous JDK releases. Otherwise, if set to "false", the function will not be supported, mirroring the latest approach of Santuario. A future JDK release is likely to change the default value to "false" when the compatibility risk is determined to be very low.

      Specification

      here() function support

      A security property "jdk.xml.dsig.hereFunctionSupported" is introduced. The following paragraph is added to conf/security/java.security:

      #
      # Support for the here() function
      #
      # This security property determines whether the here() XPath function is
      # supported in XML Signature generation and verification.
      #
      # If this property is set to false, the here() function is not supported.
      # Generating an XML Signature that uses the here() function will throw an
      # XMLSignatureException. Validating an existing XML Signature that uses the
      # here() function will also throw an XMLSignatureException.
      #
      # The default value for this property is true.
      #
      # Note: This property is currently used by the JDK Reference implementation.
      # It is not guaranteed to be examined and used by other implementations.
      #
      #jdk.xml.dsig.hereFunctionSupported=true

            People

              coffeys Sean Coffey
              weijun Weijun Wang
              Weijun Wang