Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XML Signing with ENVELOPING type no longer works in JDK 11 #864

Closed
marianogonzalez opened this issue Jan 25, 2019 · 3 comments
Closed

XML Signing with ENVELOPING type no longer works in JDK 11 #864

marianogonzalez opened this issue Jan 25, 2019 · 3 comments
Labels
bug Issues that are problems in the code as reported by the community Reported to OpenJDK / JBS Issues that have been reported upstream to the OpenJDK community
Milestone
January 2019

Comments

@marianogonzalez
Copy link

Platform: Open JDK 11.02, running on Ubuntu 18.04 or MacOS Mojave 10.14.2

Architecture: 64 bit

Please consider this test case: https://github.com/marianogonzalez/jdk11-xml-crypto-enveloping-issue/blob/master/src/test/java/com/mg/sign/enveloping/EnvelopingTestCase.java.

When run with JDK 1.8, that code works perfectly and outputs the following XML:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <dsig:Reference URI="#data">
            <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <dsig:DigestValue>ihf/785BQpY0+MUQeP0IXrqcdENEap5sHpFw2NvBMv8=</dsig:DigestValue>
        </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>gE5lSOnbxukfAiTG+YvPevBLnz5QjYycRSRVA9CCaHXJYQmLxJ2uBFBsOqdL89/vnPgg4g4mgsd1
        F32KBi3AMvs169RDBs4gjNAxX5dq5DleqVmFvX6TzsiCLW3kAGF+g52GPFpcwz44zU+MDbQ7AmyO
        CzjR6GMKr7mAT+9LEzQ=
    </dsig:SignatureValue>
    <dsig:KeyInfo>
        <dsig:X509Data>
            <dsig:X509SubjectName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</dsig:X509SubjectName>
            <dsig:X509Certificate>MIICTzCCAbigAwIBAgIEUBXCNzANBgkqhkiG9w0BAQUFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw
                DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD
                VQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTEyMDcyOTIzMDczNVoXDTEyMTAyNzIz
                MDczNVowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5r
                bm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93
                bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAkXqhit5u2/nt4330RFAXfnxwj3ULk8v7WJzo
                a1+qyByijq9Btviiq2C594seo/ay4Sj7DyRecMRH+qS3q83Da54fOVCf/6uqAo82T4uVGZbMp6Vk
                KlQLtqyUGo5ZR4QzevnMgaVygg6dxa0HNJw+gHYaRuHrlFpXv3oaq73usjECAwEAATANBgkqhkiG
                9w0BAQUFAAOBgQBZmTNtqeZrD0noIizIBytXbiqiXXKgO9Y5JRNiEC2ZoAEzey9l5Oht+DCL6X2T
                W1q5aHLfk14IALY3RYDyCSkz5Jg+Sv7fj4hC3Fs3kdjBWY27a9d+W1kzo6h3adcwimW51/mFlDU0
                hXmRsLPZ/lGiPaUH5n4HEAwcJwQuO+uzMA==
            </dsig:X509Certificate>
        </dsig:X509Data>
    </dsig:KeyInfo>
    <dsig:Object Encoding="UTF-8" Id="data">
        <PurchaseOrder>
            <Item number="130046593231">
                <Description>Video Game</Description>
                <Price>10.29</Price>
            </Item>
            <Buyer id="8492340">
                <Name>My Name</Name>
                <Address>
                    <Street>One Network Drive</Street>
                    <Town>Burlington</Town>
                    <State>MA</State>
                    <Country>United States</Country>
                    <PostalCode>01803</PostalCode>
                </Address>
            </Buyer>
        </PurchaseOrder>
    </dsig:Object>
</dsig:Signature>

When the same code is run with with Open JDK 11.02, the following error is obtained:

org.w3c.dom.DOMException: HIERARCHY_REQUEST_ERR: An attempt was made to insert a node where it is not permitted.

	at java.xml/com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl.insertBefore(CoreDocumentImpl.java:439)
	at java.xml/com.sun.org.apache.xerces.internal.dom.NodeImpl.appendChild(NodeImpl.java:237)
	at java.xml.crypto/org.jcp.xml.dsig.internal.dom.XmlWriterToTree.writeStartElement(XmlWriterToTree.java:104)
	at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignature.marshal(DOMXMLSignature.java:213)
	at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:325)
	at com.mg.sign.enveloping.EnvelopingTestCase.enveloping(EnvelopingTestCase.java:96)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
	at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
	at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)
	at com.intellij.rt.execution.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:47)
	at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:242)
	at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:70)

By disabling the document's strict checking option, you can see that the problem is that the signed XML looks like this:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PurchaseOrder>
    <Item number="130046593231">
        <Description>Video Game</Description>
        <Price>10.29</Price>
    </Item>
    <Buyer id="8492340">
        <Name>My Name</Name>
        <Address>
            <Street>One Network Drive</Street>
            <Town>Burlington</Town>
            <State>MA</State>
            <Country>United States</Country>
            <PostalCode>01803</PostalCode>
        </Address>
    </Buyer>
</PurchaseOrder><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <dsig:Reference URI="#data">
        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <dsig:DigestValue>ihf/785BQpY0+MUQeP0IXrqcdENEap5sHpFw2NvBMv8=</dsig:DigestValue>
    </dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>gE5lSOnbxukfAiTG+YvPevBLnz5QjYycRSRVA9CCaHXJYQmLxJ2uBFBsOqdL89/vnPgg4g4mgsd1&#13;
    F32KBi3AMvs169RDBs4gjNAxX5dq5DleqVmFvX6TzsiCLW3kAGF+g52GPFpcwz44zU+MDbQ7AmyO&#13;
    CzjR6GMKr7mAT+9LEzQ=
</dsig:SignatureValue>
<dsig:KeyInfo>
    <dsig:X509Data>
        <dsig:X509SubjectName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</dsig:X509SubjectName>
        <dsig:X509Certificate>MIICTzCCAbigAwIBAgIEUBXCNzANBgkqhkiG9w0BAQUFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw&#13;
            DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD&#13;
            VQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTEyMDcyOTIzMDczNVoXDTEyMTAyNzIz&#13;
            MDczNVowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5r&#13;
            bm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93&#13;
            bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAkXqhit5u2/nt4330RFAXfnxwj3ULk8v7WJzo&#13;
            a1+qyByijq9Btviiq2C594seo/ay4Sj7DyRecMRH+qS3q83Da54fOVCf/6uqAo82T4uVGZbMp6Vk&#13;
            KlQLtqyUGo5ZR4QzevnMgaVygg6dxa0HNJw+gHYaRuHrlFpXv3oaq73usjECAwEAATANBgkqhkiG&#13;
            9w0BAQUFAAOBgQBZmTNtqeZrD0noIizIBytXbiqiXXKgO9Y5JRNiEC2ZoAEzey9l5Oht+DCL6X2T&#13;
            W1q5aHLfk14IALY3RYDyCSkz5Jg+Sv7fj4hC3Fs3kdjBWY27a9d+W1kzo6h3adcwimW51/mFlDU0&#13;
            hXmRsLPZ/lGiPaUH5n4HEAwcJwQuO+uzMA==
        </dsig:X509Certificate>
    </dsig:X509Data>
</dsig:KeyInfo>
<dsig:Object Encoding="UTF-8" Id="data">
    <PurchaseOrder>
        <Item number="130046593231">
            <Description>Video Game</Description>
            <Price>10.29</Price>
        </Item>
        <Buyer id="8492340">
            <Name>My Name</Name>
            <Address>
                <Street>One Network Drive</Street>
                <Town>Burlington</Town>
                <State>MA</State>
                <Country>United States</Country>
                <PostalCode>01803</PostalCode>
            </Address>
        </Buyer>
    </PurchaseOrder>
</dsig:Object>
</dsig:Signature>

The problem is that the generated <dsig:Signature> element no longer replaces the original root element, but instead is appended as a sibling of it.

This is a behavior change with respect to 1.8 that produces an invalid document.

Workaround: to disable the document's strict checking and manually removing the original root element.
@karianna karianna added the bug Issues that are problems in the code as reported by the community label Jan 27, 2019
@karianna
Copy link
Contributor

@marianogonzalez Does this occur with both an AdoptOpenJDK 11.0.2 binaries and an Oracle Java 11.0.2 binary? Trying to narrow down whether this should be reported upstream.

@karianna karianna added the Waiting on OP Issues that are awaiting a response from the original author of the ticket label Jan 27, 2019
@karianna karianna added this to the January 2019 milestone Jan 27, 2019
@wangweij
Copy link

This also fails with Oracle's JDK and it has been reported to https://bugs.openjdk.java.net/browse/JDK-8217878.

@karianna karianna added reported to Eclipse OpenJ9 Issues that have been reported upstream to the OpenJ9 group and removed Waiting on OP Issues that are awaiting a response from the original author of the ticket labels Jan 31, 2019
@karianna
Copy link
Contributor

OK thanks, we'll close that here then

@karianna karianna added Reported to OpenJDK / JBS Issues that have been reported upstream to the OpenJDK community and removed reported to Eclipse OpenJ9 Issues that have been reported upstream to the OpenJ9 group labels Aug 15, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Issues that are problems in the code as reported by the community Reported to OpenJDK / JBS Issues that have been reported upstream to the OpenJDK community
Projects
None yet
Milestone
January 2019
Development

No branches or pull requests
3 participants
@karianna @wangweij @marianogonzalez