Modify rule S6377: Enhance the Noncompliant / Compliant examples (#946)

rules/S6377/description.adoc

@@ -1,7 +1,10 @@
 XML signature validations work by parsing third-party data that cannot be trusted until it is actually validated.
 
-As with any other parsing process, unrestricted validation of third-party XML signatures can lead to security vulnerabilities. In this case, threats range from denial of service to confidentiality breaches. +
-To protect the application from these vulnerabilities, the ``org.jcp.xml.dsig.secureValidation`` attribute enforces the following restrictions:
+As with any other parsing process, unrestricted validation of third-party XML signatures can lead to security vulnerabilities. In this case, threats range from denial of service to confidentiality breaches.
+
+By default, the Java XML Digital Signature API does not apply restrictions on XML signature validation, unless the application runs with a security manager. +
+To protect the application from these vulnerabilities, set the ``org.jcp.xml.dsig.secureValidation`` attribute to ``true`` with the ``javax.xml.crypto.dsig.dom.DOMValidateContext.setProperty`` method. +
+This attribute ensures that the code enforces the following restrictions:
 
 * Forbids the use of XSLT transforms
 * Restricts the number of ``SignedInfo`` or ``Manifest Reference`` elements to 30 or less
@@ -11,5 +14,3 @@ To protect the application from these vulnerabilities, the ``org.jcp.xml.dsig.se
 * Forbids Reference URIs of type ``http``, ``https``, or ``file``
 * Does not allow a ``RetrievalMethod`` element to reference another ``RetrievalMethod`` element
 * Forbids RSA or DSA keys less than 1024 bits
-
-In addition, the ``jdk.xml.dsig.secureValidationPolicy`` Security Property can be used to control and fine-tune the restrictions listed previously or add additional restrictions.

rules/S6377/java/rule.adoc

@@ -2,21 +2,30 @@ include::../description.adoc[]
 
 == Noncompliant Code Example
 
-The Java XML Digital Signature API doesn't use a strong signature validation mode by default (except when the application runs with a security manager):
-
 [source,java]
 ----
-DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0)); // Noncompliant
+NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
+
+XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
+DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0)); // Noncompliant
+XMLSignature signature = fac.unmarshalXMLSignature(valContext);
+
+boolean signatureValidity = signature.validate(valContext);
 ----
 
 == Compliant Solution
-The Java XML Digital Signature API offers a secure validation mode to protect against various https://docs.oracle.com/en/java/javase/14/security/java-xml-digital-signature-api-overview-and-tutorial.html#GUID-8618C294-3BFE-45C3-9A1E-C4629E337E68[security issues]. +
-Change or set the ``org.jcp.xml.dsig.secureValidation`` property to ``TRUE``.
+In order to benefit from this secure validation mode, set the DOMValidateContext's ``org.jcp.xml.dsig.secureValidation`` property to ``TRUE``.
 
 [source,java]
 ----
-DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0));
+NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
+
+XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
+DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0));
 valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
+XMLSignature signature = fac.unmarshalXMLSignature(valContext);
+
+boolean signatureValidity = signature.validate(valContext);
 ----
 
 

rules/S6377/message.adoc

@@ -1,5 +1,5 @@
 === Message
 
-Use the secure validation mode when validating this XML signature.
+Set the 'org.jcp.xml.dsig.secureValidation' property to true on the 'DOMValidateContext' to validate this XML signature securely.