Loading...

XML

Word

Printable

Subcomponent:
java.security
Resolved In Build:
b02
CPU:

generic
OS:

generic
Verification:
Verified

Issue	Fix Version	Assignee	Priority	Status	Resolution	Resolved In Build
JDK-8321568	22	Weijun Wang	P3	Resolved	Fixed	b28
JDK-8324002	21.0.3	Weijun Wang	P3	Resolved	Fixed	b01
JDK-8322086	21.0.2	Weijun Wang	P3	Closed	Fixed	b11
JDK-8322325	17.0.11-oracle	Jamil Nimeh	P3	Resolved	Fixed	b01
JDK-8322210	17.0.11	Alexey Bakhtin	P3	Resolved	Fixed	b01
JDK-8322850	17.0.10.0.1-oracle	Joakim Nordström	P3	Resolved	Fixed	b01
JDK-8322371	17.0.10-oracle	Prajwal Kumaraswamy	P3	Closed	Fixed	b11
JDK-8323842	17.0.10	Alexey Bakhtin	P3	Resolved	Fixed	b07
JDK-8322348	11.0.23-oracle	Prajwal Kumaraswamy	P3	Resolved	Fixed	b01
JDK-8322238	11.0.23	Alexey Bakhtin	P3	Resolved	Fixed	b01
JDK-8322843	11.0.22.0.1-oracle	Joakim Nordström	P3	Resolved	Fixed	b01
JDK-8322372	11.0.22-oracle	Prajwal Kumaraswamy	P3	Closed	Fixed	b09
JDK-8323850	11.0.22	Alexey Bakhtin	P3	Resolved	Fixed	b07
JDK-8322249	openjdk8u412	Alexey Bakhtin	P3	Resolved	Fixed	b01
JDK-8323871	openjdk8u402	Alexey Bakhtin	P3	Resolved	Fixed	b06
JDK-8322349	8u411	Prajwal Kumaraswamy	P3	Resolved	Fixed	b01
JDK-8322374	8u401	Prajwal Kumaraswamy	P3	Closed	Fixed	b10
JDK-8322351	7u421	Prajwal Kumaraswamy	P3	Resolved	Fixed	b01
JDK-8322414	7u411	Prajwal Kumaraswamy	P3	Closed	Fixed	b09

Updating Summary and Description to better reflect the cause:

The fix for ~~JDK-8302017~~ changed the way RSA signatures are verified, such that previously signed data that (incorrectly, according to RFC 8017) omitted the AlgorithmID params field instead of encoding it as an ASN.1 NULL can no longer be verified.

Original Summary and Description:

JDK 21.0.1 fails to validate signed XML (JDK < 21 and JDK 21+35 worked):

CI for Apache POI discovered a regression between JDK 21 and 21.0.1 when signing/validating XML documents.

See the reproducer project at https://github.com/centic9/poi-reproduce-signature

It basically performs javax.xml.crypto.dsig.XMLSignature.validate(), which returns "true" for most JDK versions, but started to report "false" for JDK 21.0.1

When executing the reproducer for various JDKs, we get the following results:
Successfully validated document with 1.8.0_382
Successfully validated document with 11.0.20
Successfully validated document with 17.0.3
Successfully validated document with 17.0.9
Successfully validated document with 21

However when runing with the recent JDK 21 patchlevel, I get the following:
Exception in thread "main" java.lang.IllegalStateException: Not valid for 21.0.1
Validate returned: false
HasNext: true, validate: false
at org.dstadler.poi.reproduce.Reproduce.main(Reproduce.java:105)

So it seems there was a change in JDK 21.0.1 which introduced this, but none of the changes listed in https://www.oracle.com/java/technologies/javase/21all-relnotes.html for 21.0.1 seems to be the culprit.

JDK used for compilation seems to not matter, changing the JDK used for execution seems to be enough to trigger the issue.

It is possible to try to reduce the test more and take out Apache POI dependency, but would be some more work, so please let me know if you would like to get a more refined test-case.

backported by

JDK-8321568 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8322210 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8322238 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8322249 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8322325 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8322348 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8322349 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8322351 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8322843 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8322850 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8323842 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8323850 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8323871 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8324002 RSA signature verification fails on signed data that does not encode params correctly

Resolved

JDK-8322086 RSA signature verification fails on signed data that does not encode params correctly

Closed

JDK-8322371 RSA signature verification fails on signed data that does not encode params correctly

Closed

JDK-8322372 RSA signature verification fails on signed data that does not encode params correctly

Closed

JDK-8322374 RSA signature verification fails on signed data that does not encode params correctly

Closed

JDK-8322414 RSA signature verification fails on signed data that does not encode params correctly

Closed

relates to

JDK-8302017 Allocate BadPaddingException only if it will be thrown

Resolved

links to

Commit openjdk/jdk8u-dev/a645ef48

Commit openjdk/jdk11u-dev/4470c0a7

Commit openjdk/jdk17u-dev/5653d2d1

Commit openjdk/jdk21u/60b6a669

Commit openjdk/jdk22/7de0fb36

Commit openjdk/jdk/11e4a925

Review openjdk/jdk8u-dev/404

Review openjdk/jdk11u-dev/2384

Review openjdk/jdk17u-dev/2052

Review openjdk/jdk21u/426

Review openjdk/jdk22/1

Review openjdk/jdk/17002

(14 backported by, 1 relates to, 12 links to)

Assignee:: Weijun Wang

Reporter:: Dominik Stadler

Votes:: 0 Vote for this issue

Watchers:: 14 Start watching this issue

Created:: 2023-11-22 05:15

Updated:: 2024-07-08 10:25

Resolved:: 2023-12-07 15:28

Details

Backports

Description

Attachments

Issue Links

Activity

People

Dates