How to use the XML Signature secure validation mode

In JDK 7u25, we introduced a new secure validation mode for XML Signatures. This mode is designed to protect you from XML Signatures that contain potentially hostile constructs that could cause denial-of-service or other types of security issues. 

The good news is that if you run your application with a SecurityManager, the secure validation mode is enabled by default, and there is no further action required.

Otherwise, a new property with the name org.jcp.xml.dsig.secureValidation has been defined to allow applications to enable the mode.

The property can be set by an application by calling the setProperty method of the javax.xml.crypto.dsig.dom.DOMValidateContext class with the name of the property above and a Boolean value. For example:

    DOMValidateContext context = new DOMValidateContext(key, element);
    context.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

The property should be set before you validate an XML Signature. When set to true, this property instructs the implementation to process XML signatures more securely. This will set limits on various XML signature constructs to avoid conditions such as denial-of-service attacks. Specifically, it enforces the following restrictions:

  1. Forbids use of the XSLT Transform
  2. Restricts the number of SignedInfo or Manifest References to 30 or less
  3. Restricts the number of Reference Transforms to 5 or less
  4. Forbids the use of MD5 related signature or mac algorithms
  5. Ensures that Reference Ids are unique to help prevent signature wrapping attacks
  6. Forbids Reference URIs of type http or file
  7. Does not allow a RetrievalMethod to reference another RetrievalMethod
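As an added example (not code from the original post), here is a complete validation routine that forces the property on so the restrictions above apply even when no SecurityManager is installed. The class name, the byte-array input and the KeyValueKeySelector are constructed for this illustration; a selector that trusts the public key carried inline in ds:KeyInfo is only suitable for a demo, production code should resolve keys from a trust store.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyException;
import java.security.PublicKey;
import javax.xml.XMLConstants;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Hypothetical class for this example; not part of the JDK or the original post.
public final class SecureSignatureValidator {

    /** Validates the first ds:Signature in the document with secure validation forced on. */
    public static boolean validate(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Harden the parser too: secure processing limits plus no DOCTYPE (no external entities).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));

        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) throw new IllegalArgumentException("no ds:Signature element");

        DOMValidateContext ctx = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0));
        // Set before unmarshalling: this enables the restrictions regardless of a SecurityManager.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        // A forbidden construct surfaces as a MarshalException while unmarshalling or as an
        // XMLSignatureException during validate(); a plain bad signature returns false.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature signature = fac.unmarshalXMLSignature(ctx);
        return signature.validate(ctx);
    }

    /** Demo-only selector: uses the public key found in ds:KeyInfo/ds:KeyValue. */
    static final class KeyValueKeySelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                        XMLCryptoContext context) throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("missing ds:KeyInfo");
            for (Object o : keyInfo.getContent()) {
                if (o instanceof KeyValue) {
                    try { PublicKey pk = ((KeyValue) o).getPublicKey(); return () -> pk; }
                    catch (KeyException e) { throw new KeySelectorException(e); }
                }
            }
            throw new KeySelectorException("no ds:KeyValue in ds:KeyInfo");
        }
    }
}
```

Treat an exception from unmarshalXMLSignature or validate as a rejected document, not as a bug to retry without the property.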

The feature is based on a similar validation mode that was included in version 1.5.0 of Apache Santuario XML Security. The JDK implementation is based on Apache Santuario.

This mode is also included in the soon-to-be-released JDK 8.

Comments:

Hello,

Sorry to bother you, but I have a couple of questions and I'd be very grateful if you could help me. I have a college project to create a XAdES Baseline signature and verify it, so I am using javax.xml.crypto.dsig for it. I've added a couple of elements to the XML DSig to create the XAdES signature, but I have some problems.

First, I want to add a namespace prefix to my XAdES elements, e.g. <xades:SignedProperties> etc. But when I do that, verification fails on this reference, so could you tell me what I need to do in the process of generating the signature to make the correct reference digest value? I've found that someone already had a similar problem, https://www.java.net/node/668669; you gave your response on this topic too, but the question in the last post remained unanswered and that question bothers me too. Without the prefix everything works well...

Another thing I want to ask you: in my detached signature I need to create a reference to the detached file with a URI that has a relative path, i.e. the URI would only have the name of the file. How can I do that? And how can I validate that reference?

Thanks in advance,
Ivan Celija

Posted by guest on May 20, 2014 at 04:27 PM EDT

About

Sean Mullan