RFR: 8259709: Disable SHA-1 XML Signatures
Weijun Wang
weijun at openjdk.java.net
Wed Feb 24 22:33:38 UTC 2021
On Wed, 24 Feb 2021 22:02:45 GMT, Sean Mullan <mullan at openjdk.org> wrote:
> > All test changes are about re-enabling disabled algorithms. Do we have a test on ensuring disabled algorithms are indeed disabled? How about we set "org.jcp.xml.dsig.secureValidation" to false everywhere in the existing tests and add a new dedicated test to check for disabled algorithms/key sizes etc.
>
> That is what test/jdk/javax/xml/crypto/dsig/SecureValidationPolicy.java does, see this code block on lines 65-69:
>
> ```
> for (String alg : restrictedAlgs) {
> if (!Policy.restrictAlg(alg)) {
> throw new Exception(alg + " alg not restricted");
> }
> }
> ```
This is only about checking the parsing function of the Policy class. I would be more confident if an actual validation call is made.
I have a test on PSS at https://github.com/openjdk/jdk/blob/a79df58e0ad0b19aa8e0611cc55f5628383c2950/test/jdk/javax/xml/crypto/dsig/SecureValidation.java. Maybe I can enhance it to contain more algorithms.
-------------
PR: https://git.openjdk.java.net/jdk/pull/2463
More information about the security-dev
mailing list