16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
59 lines
2.3 KiB
Plaintext
59 lines
2.3 KiB
Plaintext
== Why is this an issue?
|
|
|
|
include::../description.adoc[]
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,java]
|
|
----
|
|
NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
|
|
|
|
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
|
|
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0)); // Noncompliant
|
|
XMLSignature signature = fac.unmarshalXMLSignature(valContext);
|
|
|
|
boolean signatureValidity = signature.validate(valContext);
|
|
----
|
|
|
|
=== Compliant solution
|
|
In order to benefit from this secure validation mode, set the DOMValidateContext's ``org.jcp.xml.dsig.secureValidation`` property to ``TRUE``.
|
|
|
|
[source,java]
|
|
----
|
|
NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
|
|
|
|
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
|
|
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0));
|
|
valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
|
|
XMLSignature signature = fac.unmarshalXMLSignature(valContext);
|
|
|
|
boolean signatureValidity = signature.validate(valContext);
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* https://docs.oracle.com/en/java/javase/14/security/java-xml-digital-signature-api-overview-and-tutorial.html#GUID-DB46A001-6DBD-4571-BDBC-1BBC394BF61E[Oracle Java Documentation] - XML Digital Signature API Overview and Tutorial
|
|
* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
|
|
* https://cwe.mitre.org/data/definitions/347[MITRE, CWE-347] - Improper Verification of Cryptographic Signature
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Set the 'org.jcp.xml.dsig.secureValidation' property to true on the 'DOMValidateContext' to validate this XML signature securely.
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 25 Jan 2022, 10:34:00 Quentin Jaquier wrote:
|
|
Quick fixes (for Java): even if it is technically possible to provide a fix that would result in compliant code, it does not sound wise to set properties blindly, as it can have side effects. Fixing the issue requires a careful and good understanding of the overall context of the code.
|
|
|
|
endif::env-github,rspecator-view[]
|