JDK-8354666

Disable XPath in XML Signatures


    • Type: CSR
    • Resolution: Unresolved
    • Priority: P4
    • Component: security-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: low
    • Compatibility Risk Description:
      Use of the XPath Transform should be rare. It is not allowed in SAML, which is one of the most common use cases of XML Signature. Also, the XPath Filter 2.0 Transform (https://www.w3.org/TR/xmldsig-filter2/) is an alternative that was designed to address the complexity and performance issues of the XPath Transform - it is still enabled by default and can be used instead.

      Users can, at their own risk, re-enable the XPath Transform by removing it from the jdk.xml.dsig.secureValidationPolicy security property.
    • Interface Kind: System or security property
    • Scope: JDK

      Summary

      Disable the XPath Transform in XML Signatures.

      Problem

      The XPath Transform is rarely used, introduces complexity, and is not recommended by the XML Signature Best Practices document. Applications should use the XPath Filter 2.0 Transform instead, which was designed as an alternative to the XPath Transform. We should disable the XPath Transform by default.

      Solution

      Disable the XPath Transform in XML Signatures by adding it to the jdk.xml.dsig.secureValidationPolicy security property in the java.security configuration file.
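      An audit helper, added here as an example and not part of the CSR or the JDK, that reads the jdk.xml.dsig.secureValidationPolicy value as loaded from java.security (a comma-separated list of "keyword argument..." entries) and reports whether the XPath Transform URI from this change is among the disallowAlg entries. The class and method names are the example's own; on a JDK without this change, or where a deployment has edited the property, it reports the transform as allowed.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

// Added example (not JDK code): audits the secure validation policy for
// the XPath Transform entry that this CSR adds to java.security.
public class XPathTransformPolicyCheck {
    // Algorithm URI of the XPath Transform, as added by the CSR.
    static final String XPATH_TRANSFORM =
        "http://www.w3.org/TR/1999/REC-xpath-19991116";

    // Returns the URIs of all "disallowAlg <uri>" entries in a policy string.
    // Other entries (maxTransforms, minKeySize, noDuplicateIds, ...) are skipped.
    static List<String> disallowedAlgs(String policy) {
        List<String> uris = new ArrayList<>();
        for (String entry : policy.split(",")) {
            String[] tokens = entry.trim().split("\\s+");
            if (tokens.length == 2 && tokens[0].equals("disallowAlg")) {
                uris.add(tokens[1]);
            }
        }
        return uris;
    }

    static boolean xpathTransformDisallowed(String policy) {
        return disallowedAlgs(policy).contains(XPATH_TRANSFORM);
    }

    public static void main(String[] args) {
        // Security.getProperty returns the value after java.security is loaded
        // and after any Security.setProperty override made by the application.
        String policy = Security.getProperty("jdk.xml.dsig.secureValidationPolicy");
        if (policy == null || policy.isEmpty()) {
            System.out.println("secure validation policy is not set");
            return;
        }
        System.out.println("disallowed algorithms: " + disallowedAlgs(policy));
        if (xpathTransformDisallowed(policy)) {
            System.out.println("XPath Transform is disallowed (default after JDK-8354666)");
        } else {
            System.out.println("WARNING: XPath Transform is allowed; check java.security"
                + " and any Security.setProperty override in this deployment");
        }
    }
}
```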

      Specification

      diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
      index b115d479838..98c752c4aa3 100644
      --- a/src/java.base/share/conf/security/java.security
      +++ b/src/java.base/share/conf/security/java.security
      @@ -1005,20 +1005,21 @@ crypto.policy=crypto.policydir-tbd
       jdk.xml.dsig.secureValidationPolicy=\
           disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
           disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
           disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
           disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
           disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\
           disallowAlg http://www.w3.org/2000/09/xmldsig#dsa-sha1,\
           disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\
           disallowAlg http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1,\
           disallowAlg http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,\
      +    disallowAlg http://www.w3.org/TR/1999/REC-xpath-19991116,\
           maxTransforms 5,\
           maxReferences 30,\
           disallowReferenceUriSchemes file http https,\
           minKeySize RSA 1024,\
           minKeySize DSA 1024,\
           minKeySize EC 224,\
           noDuplicateIds,\
           noRetrievalMethodLoops
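      Review bot: the hunk changes only the property value, so the explanatory comment that precedes `jdk.xml.dsig.secureValidationPolicy` in java.security (outside this hunk) should be updated in the same change to say that the XPath Transform is now disallowed by default while the XPath Filter 2.0 Transform remains enabled, since the CSR's compatibility-risk text tells users they may re-enable the transform by editing this property and that is where they will look. The added `disallowAlg http://www.w3.org/TR/1999/REC-xpath-19991116,\` line is correctly placed with the other disallowAlg entries ahead of `maxTransforms 5,\`, and the `@@ -1005,20 +1005,21 @@` header accounts for the single added line.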

      People: Sean Mullan (mullan), Liam Miller-Cushon (cushon)