rspec/rules/S6377/java/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

The Java XML Digital Signature API doesn't use a strong signature validation mode by default (except when the application runs with a security manager):

[source,java]
----
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0)); // Noncompliant
----

== Compliant Solution
The Java XML Digital Signature API offers a secure validation mode to protect against various https://docs.oracle.com/en/java/javase/14/security/java-xml-digital-signature-api-overview-and-tutorial.html#GUID-8618C294-3BFE-45C3-9A1E-C4629E337E68[security issues]. +
Change or set the ``org.jcp.xml.dsig.secureValidation`` property to ``TRUE``.

[source,java]
----
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0));
valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
----


== See

* https://docs.oracle.com/en/java/javase/14/security/java-xml-digital-signature-api-overview-and-tutorial.html#GUID-DB46A001-6DBD-4571-BDBC-1BBC394BF61E[Oracle Java Documentation] - XML Digital Signature API Overview and Tutorial
* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* http://cwe.mitre.org/data/definitions/347.html[MITRE, CWE-347] - Improper Verification of Cryptographic Signature

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Rule S6377[Java]: XML signatures must be validated securely (#567) 2022-01-25 10:52:20 +01:00			`include::../description.adoc[]`

			`== Noncompliant Code Example`

Modify rule S6377: better description (#929) 2022-04-06 14:39:18 +02:00			`The Java XML Digital Signature API doesn't use a strong signature validation mode by default (except when the application runs with a security manager):`
Rule S6377[Java]: XML signatures must be validated securely (#567) 2022-01-25 10:52:20 +01:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Rule S6377[Java]: XML signatures must be validated securely (#567) 2022-01-25 10:52:20 +01:00			`----`
			`DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0)); // Noncompliant`
			`----`

			`== Compliant Solution`
Modify rule S6377: better description (#929) 2022-04-06 14:39:18 +02:00			`The Java XML Digital Signature API offers a secure validation mode to protect against various https://docs.oracle.com/en/java/javase/14/security/java-xml-digital-signature-api-overview-and-tutorial.html#GUID-8618C294-3BFE-45C3-9A1E-C4629E337E68[security issues]. +`
			Change or set the ``org.jcp.xml.dsig.secureValidation`` property to ``TRUE``.
Rule S6377[Java]: XML signatures must be validated securely (#567) 2022-01-25 10:52:20 +01:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Rule S6377[Java]: XML signatures must be validated securely (#567) 2022-01-25 10:52:20 +01:00			`----`
			`DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0));`
			`valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);`
			`----`


			`== See`

			`* https://docs.oracle.com/en/java/javase/14/security/java-xml-digital-signature-api-overview-and-tutorial.html#GUID-DB46A001-6DBD-4571-BDBC-1BBC394BF61E[Oracle Java Documentation] - XML Digital Signature API Overview and Tutorial`
			`* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure`
			`* http://cwe.mitre.org/data/definitions/347.html[MITRE, CWE-347] - Improper Verification of Cryptographic Signature`

			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`'''`
Document quick fixes for S2755, S6373, S6374, S6376 and S6377 (#745) 2022-01-25 13:38:33 +01:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Rule S6377[Java]: XML signatures must be validated securely (#567) 2022-01-25 10:52:20 +01:00			`endif::env-github,rspecator-view[]`