RFR: 8259709: Disable SHA-1 XML Signatures

Weijun Wang weijun at openjdk.java.net
Wed Feb 24 22:33:38 UTC 2021

On Wed, 24 Feb 2021 22:02:45 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> > All test changes are about re-enabling disabled algorithms. Do we have a test on ensuring disabled algorithms are indeed disabled? How about we set "org.jcp.xml.dsig.secureValidation" to false everywhere in the existing tests and add a new dedicated test to check for disabled algorithms/key sizes etc.
> That is what test/jdk/javax/xml/crypto/dsig/SecureValidationPolicy.java does, see this code block on lines 65-69:
> ```
>         for (String alg : restrictedAlgs) {
>             if (!Policy.restrictAlg(alg)) {
>                 throw new Exception(alg + " alg not restricted");
>             }
>         }
> ```

This is only about checking the parsing function of the Policy class. I would be more confident if an actual validation call is made.

I have a test on PSS at https://github.com/openjdk/jdk/blob/a79df58e0ad0b19aa8e0611cc55f5628383c2950/test/jdk/javax/xml/crypto/dsig/SecureValidation.java. Maybe I can enhance it to contain more algorithms.


PR: https://git.openjdk.java.net/jdk/pull/2463

More information about the security-dev mailing list