Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (Closed) (JIRA)" <ji...@apache.org> on 2012/01/23 11:26:41 UTC

[jira] [Closed] (SANTUARIO-290) Add a secure validation switch for signature processing

     [ https://issues.apache.org/jira/browse/SANTUARIO-290?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed SANTUARIO-290.
-----------------------------------------

    
> Add a secure validation switch for signature processing
> -------------------------------------------------------
>
>                 Key: SANTUARIO-290
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-290
>             Project: Santuario
>          Issue Type: Improvement
>            Reporter: Colm O hEigeartaigh
>            Assignee: Colm O hEigeartaigh
>             Fix For: Java 1.5
>
>
> This task describes new functionality available in the 1.5 library. It involves supporting a boolean switch, which defaults to false, which allows more secure validation of signatures. When enabled, this functionality implements the following constraints:
>  - Limits the number of Transforms per Reference to a maximum of 5.
>  - Does not allow XSLT transforms.
>  - Does not allow a RetrievalMethod to reference another RetrievalMethod.
>  - Does not allow a Reference to call the ResolverLocalFilesystem or the ResolverDirectHTTP (references to local files and HTTP resources are forbidden).
>  - Limits the number of references per Manifest (SignedInfo) to a maximum of 30.
>  - MD5 is not allowed as a SignatureAlgorithm or DigestAlgorithm.
>  - Guarantees that the Dereferenced Element returned via Document.getElementById is unique by performing a tree-search.
> This functionality is supported in the core library through additional method signatures which take a boolean, and in the JSR-105 API via the property "org.apache.jcp.xml.dsig.secureValidation".
