8259709: Disable SHA-1 XML Signatures

Reviewed-by: rhalade, weijun
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 052c187..a6bb9e1 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -964,6 +964,11 @@
     disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
     disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
     disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
+    disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\
+    disallowAlg http://www.w3.org/2000/09/xmldsig#dsa-sha1,\
+    disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\
+    disallowAlg http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1,\
+    disallowAlg http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,\
     maxTransforms 5,\
     maxReferences 30,\
     disallowReferenceUriSchemes file http https,\
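Review bot: The added `disallowAlg` entries cover the SHA-1 digest and the DSA, RSA, RSA-PSS and ECDSA SHA-1 signature URIs but not `http://www.w3.org/2000/09/xmldsig#hmac-sha1`, while the MD5 group just above does list `hmac-md5`. If that is deliberate (HMAC does not depend on collision resistance), it should be documented so the gap is not read as an oversight. Comment lines cannot sit inside the backslash-continued value, so the note belongs in the comment block above the property, which is outside this hunk: `# HMAC-SHA1 (http://www.w3.org/2000/09/xmldsig#hmac-sha1) is intentionally still permitted.`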
diff --git a/test/jdk/javax/xml/crypto/dsig/GenerationTests.java b/test/jdk/javax/xml/crypto/dsig/GenerationTests.java
index 9d53a37..20d883c 100644
--- a/test/jdk/javax/xml/crypto/dsig/GenerationTests.java
+++ b/test/jdk/javax/xml/crypto/dsig/GenerationTests.java
@@ -30,6 +30,7 @@
  *          java.base/sun.security.x509
  *          java.xml.crypto/org.jcp.xml.dsig.internal.dom
  *          jdk.httpserver/com.sun.net.httpserver
+ * @library /test/lib
  * @compile -XDignore.symbol.file KeySelectors.java SignatureValidator.java
  *     X509KeySelector.java GenerationTests.java
  * @run main/othervm/timeout=300 -Dsun.net.httpserver.nodelay=true GenerationTests
@@ -91,6 +92,8 @@
 import javax.xml.transform.stream.StreamResult;
 import org.w3c.dom.*;
 
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test that recreates merlin-xmldsig-twenty-three test vectors (and more)
  * but with different keys and X.509 data.
@@ -284,6 +287,9 @@
     private static boolean result = true;
 
     public static void main(String args[]) throws Exception {
+        // Re-enable sha1 algs
+        SecurityUtils.removeAlgsFromDSigPolicy("sha1");
+
         setup();
         test_create_signature_enveloped_dsa(1024);
         test_create_signature_enveloped_dsa(2048);
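Review bot: The comment `// Re-enable sha1 algs` in `main` does not say why the default is being relaxed, or that the call rewrites the security property for the whole JVM. It is safe only because the test header runs `main/othervm`, and a reader who later drops `othervm` would leak the weakened policy into other tests. Suggested wording: `// Test vectors below use SHA-1; drop the SHA-1 disallowAlg entries for this JVM only (test runs othervm).` The same comment in ValidationTests.java has the same gap. The body of `main` continues outside the hunk.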
diff --git a/test/jdk/javax/xml/crypto/dsig/SecureValidationPolicy.java b/test/jdk/javax/xml/crypto/dsig/SecureValidationPolicy.java
index 53642c0..e55d146 100644
--- a/test/jdk/javax/xml/crypto/dsig/SecureValidationPolicy.java
+++ b/test/jdk/javax/xml/crypto/dsig/SecureValidationPolicy.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /**
  * @test
- * @bug 8151893
+ * @bug 8151893 8259709
  * @summary Tests for the jdk.xml.dsig.secureValidationPolicy security property
  * @modules java.xml.crypto/org.jcp.xml.dsig.internal.dom
  */
@@ -42,7 +42,12 @@
             "http://www.w3.org/TR/1999/REC-xslt-19991116",
             "http://www.w3.org/2001/04/xmldsig-more#rsa-md5",
             "http://www.w3.org/2001/04/xmldsig-more#hmac-md5",
-            "http://www.w3.org/2001/04/xmldsig-more#md5");
+            "http://www.w3.org/2001/04/xmldsig-more#md5",
+            "http://www.w3.org/2000/09/xmldsig#sha1",
+            "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
+            "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+            "http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1",
+            "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1");
 
         // Test expected defaults
         System.out.println("Testing defaults");
diff --git a/test/jdk/javax/xml/crypto/dsig/ValidationTests.java b/test/jdk/javax/xml/crypto/dsig/ValidationTests.java
index 5695ea9..b5e093a 100644
--- a/test/jdk/javax/xml/crypto/dsig/ValidationTests.java
+++ b/test/jdk/javax/xml/crypto/dsig/ValidationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,6 +28,7 @@
  * @modules java.base/sun.security.util
  *          java.base/sun.security.x509
  *          java.xml.crypto/org.jcp.xml.dsig.internal.dom
+ * @library /test/lib
  * @compile -XDignore.symbol.file KeySelectors.java SignatureValidator.java
  *     X509KeySelector.java ValidationTests.java
  * @run main/othervm ValidationTests
@@ -47,6 +48,8 @@
 import javax.xml.crypto.dsig.XMLSignatureException;
 import javax.xml.crypto.dsig.XMLSignatureFactory;
 
+import jdk.test.lib.security.SecurityUtils;
+
 public class ValidationTests {
 
     private static SignatureValidator validator;
@@ -138,6 +141,9 @@
     };
 
     public static void main(String args[]) throws Exception {
+        // Re-enable sha1 algs
+        SecurityUtils.removeAlgsFromDSigPolicy("sha1");
+
         httpUd = new HttpURIDereferencer();
 
         validator = new SignatureValidator(new File(DATA_DIR));
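Review bot: Calling `SecurityUtils.removeAlgsFromDSigPolicy("sha1")` first in `main` means every vector in this file is validated with the new restriction switched off. Nothing visible in this patch validates a SHA-1-signed document under the default policy and expects it to be rejected. As far as its hunk shows, SecureValidationPolicy.java only compares the property's contents, so the enforcement path for the five new URIs appears untested here. Either add one negative case that runs before the policy is relaxed, or point to the existing coverage in the comment: `// Rejection of SHA-1 under the default policy is covered by <NAME_OF_NEGATIVE_TEST>.` The body of `main` continues outside the hunk.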
diff --git a/test/lib/jdk/test/lib/security/SecurityUtils.java b/test/lib/jdk/test/lib/security/SecurityUtils.java
index 6bfcfa7..5dbda4d 100644
--- a/test/lib/jdk/test/lib/security/SecurityUtils.java
+++ b/test/lib/jdk/test/lib/security/SecurityUtils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -70,5 +70,32 @@
         Security.setProperty(prop, value);
     }
 
+    /**
+     * Removes the specified algorithms from the
+     * jdk.xml.dsig.secureValidationPolicy security property. Matches any
+     * part of the algorithm URI.
+     */
+    public static void removeAlgsFromDSigPolicy(String... algs) {
+        removeFromDSigPolicy("disallowAlg", List.<String>of(algs));
+    }
+
+    private static void removeFromDSigPolicy(String rule, List<String> algs) {
+        String value = Security.getProperty("jdk.xml.dsig.secureValidationPolicy");
+        value = Arrays.stream(value.split(","))
+                      .filter(v -> !v.contains(rule) ||
+                              !anyMatch(v, algs))
+                      .collect(Collectors.joining(","));
+        Security.setProperty("jdk.xml.dsig.secureValidationPolicy", value);
+    }
+
+    private static boolean anyMatch(String value, List<String> algs) {
+        for (String alg : algs) {
+           if (value.contains(alg)) {
+               return true;
+           }
+        }
+        return false;
+    }
+
     private SecurityUtils() {}
 }
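Review bot: In `removeFromDSigPolicy` the filter applies `v.contains(rule)` and `value.contains(alg)` to the whole policy entry, so the match is wider than the Javadoc's "any part of the algorithm URI". An argument that also occurs in the rule name (for example `"Alg"`), or an empty string, removes every `disallowAlg` entry and leaves the JVM-wide policy weaker than the caller intended. `Security.getProperty` can also return null, which currently surfaces as a bare NullPointerException on `value.split`. Splitting each entry into rule name and argument, and matching only the argument, keeps the existing callers working and fails with a clear message when the property is unset. The Javadoc should also state that the change affects the whole JVM.

```java
private static void removeFromDSigPolicy(String rule, List<String> algs) {
    String prop = "jdk.xml.dsig.secureValidationPolicy";
    String value = Security.getProperty(prop);
    if (value == null) {
        throw new IllegalStateException(prop + " is not set");
    }
    value = Arrays.stream(value.split(","))
                  .filter(v -> !isRuleFor(v, rule, algs))
                  .collect(Collectors.joining(","));
    Security.setProperty(prop, value);
}

// True when the entry is "<rule> <argument>" and the argument contains one of algs.
private static boolean isRuleFor(String entry, String rule, List<String> algs) {
    String[] parts = entry.trim().split("\\s+", 2);
    return parts.length == 2 && parts[0].equals(rule)
            && anyMatch(parts[1], algs);
}

// … unchanged: anyMatch …
```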