RFR 8149029: Secure validation of XML based digital signature always enabled when checking wrapping attacks
Bhanu Gopularam
bhanu.prakash.gopularam at oracle.com
Wed Feb 10 12:21:00 UTC 2016
Hi All,
Please review the fix for the following bug:
Bug - https://bugs.openjdk.java.net/browse/JDK-8149029
Issue - Secure validation is always enabled for XML based signatures while checking for wrapping attacks. The value of the DOMValidateContext property org.jcp.xml.dsig.secureValidation is ignored during processing of an XML based signature.
Solution - DOMURIDereferencer has the value of the org.jcp.xml.dsig.secureValidation property locally; we need to pass this boolean flag value to the apacheResolver.resolve method during the call in org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(URIReference, XMLCryptoContext).
Webrev - http://cr.openjdk.java.net/~csahu/8149029/webrev.00/
Thanks,
Bhanu