diff --git a/rules/S6377/description.adoc b/rules/S6377/description.adoc index e4a808facc..f07f0b8ef9 100644 --- a/rules/S6377/description.adoc +++ b/rules/S6377/description.adoc @@ -1,7 +1,10 @@ XML signature validations work by parsing third-party data that cannot be trusted until it is actually validated. -As with any other parsing process, unrestricted validation of third-party XML signatures can lead to security vulnerabilities. In this case, threats range from denial of service to confidentiality breaches. + -To protect the application from these vulnerabilities, the ``org.jcp.xml.dsig.secureValidation`` attribute enforces the following restrictions: +As with any other parsing process, unrestricted validation of third-party XML signatures can lead to security vulnerabilities. In this case, threats range from denial of service to confidentiality breaches. + +By default, the Java XML Digital Signature API does not apply restrictions on XML signature validation, unless the application runs with a security manager. + +To protect the application from these vulnerabilities, set the ``org.jcp.xml.dsig.secureValidation`` attribute to ``true`` with the ``javax.xml.crypto.dsig.dom.DOMValidateContext.setProperty`` method. + +This attribute ensures that the code enforces the following restrictions: * Forbids the use of XSLT transforms * Restricts the number of ``SignedInfo`` or ``Manifest Reference`` elements to 30 or less @@ -11,5 +14,3 @@ To protect the application from these vulnerabilities, the ``org.jcp.xml.dsig.se * Forbids Reference URIs of type ``http``, ``https``, or ``file`` * Does not allow a ``RetrievalMethod`` element to reference another ``RetrievalMethod`` element * Forbids RSA or DSA keys less than 1024 bits - -In addition, the ``jdk.xml.dsig.secureValidationPolicy`` Security Property can be used to control and fine-tune the restrictions listed previously or add additional restrictions. 
diff --git a/rules/S6377/java/rule.adoc b/rules/S6377/java/rule.adoc index faf2aa4a3e..e31ee0fec9 100644 --- a/rules/S6377/java/rule.adoc +++ b/rules/S6377/java/rule.adoc 
@@ -2,21 +2,30 @@ include::../description.adoc[] == Noncompliant Code Example -The Java XML Digital Signature API doesn't use a strong signature validation mode by default (except when the application runs with a security manager): - [source,java] ---- -DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0)); // Noncompliant +NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature"); + +XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM"); +DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0)); // Noncompliant +XMLSignature signature = fac.unmarshalXMLSignature(valContext); + +boolean signatureValidity = signature.validate(valContext); ---- == Compliant Solution -The Java XML Digital Signature API offers a secure validation mode to protect against various https://docs.oracle.com/en/java/javase/14/security/java-xml-digital-signature-api-overview-and-tutorial.html#GUID-8618C294-3BFE-45C3-9A1E-C4629E337E68[security issues]. + -Change or set the ``org.jcp.xml.dsig.secureValidation`` property to ``TRUE``. +In order to benefit from this secure validation mode, set the DOMValidateContext's ``org.jcp.xml.dsig.secureValidation`` property to ``TRUE``. [source,java] ---- -DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0)); +NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature"); + +XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM"); +DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0)); valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); +XMLSignature signature = fac.unmarshalXMLSignature(valContext); + +boolean signatureValidity = signature.validate(valContext); ---- diff --git a/rules/S6377/message.adoc b/rules/S6377/message.adoc index f2166b41d2..cb8e37bffa 100644 
--- a/rules/S6377/message.adoc +++ b/rules/S6377/message.adoc @@ -1,5 +1,5 @@ === Message -Use the secure validation mode when validating this XML signature. +Set the 'org.jcp.xml.dsig.secureValidation' property to true on the 'DOMValidateContext' to validate this XML signature securely.
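Review bot: In the description.adoc hunk, the new sentence "By default, the Java XML Digital Signature API does not apply restrictions on XML signature validation, unless the application runs with a security manager" is stated without a JDK version, but the default is a property of the runtime, so the claim should be tied to the JDK releases it was verified against, otherwise the rule text will silently go stale. The same hunk also deletes the closing paragraph "In addition, the ``jdk.xml.dsig.secureValidationPolicy`` Security Property can be used to control and fine-tune the restrictions listed previously or add additional restrictions." That line was the only pointer to where the listed limits (30 references, 1024-bit minimum, forbidden URI schemes) are actually configured; I would keep it, since a reader who hits one of those limits on legitimate input needs to know the policy can be tuned rather than turning secure validation off. Minor: the text calls ``org.jcp.xml.dsig.secureValidation`` an "attribute" in two places and a "property" in the rule.adoc and message.adoc changes; pick one term, and "property" matches the ``setProperty`` call.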
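Review bot: In the java/rule.adoc hunk, ``NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");`` names a ``NodeList`` as if it were a single element, so ``signatureElement.item(0)`` reads as a bug at first glance; rename it (e.g. ``signatureNodes``) in both snippets. ``doc`` and ``KeyValueKeySelector`` are used but never introduced, which is acceptable for a rule example but worth a one-line comment so the reader knows they are assumed. The ordering in the compliant snippet, ``valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);`` before ``fac.unmarshalXMLSignature(valContext)``, is the important part and is only shown, not said: the prose "set the DOMValidateContext's ``org.jcp.xml.dsig.secureValidation`` property to ``TRUE``" should add that this must happen before the signature is unmarshalled and validated, otherwise readers may set it after ``unmarshalXMLSignature`` and assume they are covered. Finally, the hunk drops the link to the Oracle "security issues" page from the Compliant Solution; the description no longer carries a reference either, so consider keeping that URL somewhere in the rule.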