JDK6 and xmlsec-1.4.2 issue (unsupported signature algorithm)

>
> Hi,
>
> I migrated my application from JDK5 (with external xmlsec-1.4.2.jar) to
> JDK6 (where xmlsec is included now).
>
> After that I got
> javax.xml.crypto.MarshalException: unsupported signature algorithm:
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
>                 at
> org.jcp.xml.dsig.internal.dom.DOMSignatureMethod.unmarshal(DOMSignatureMethod.java:86)
>                 at
> org.jcp.xml.dsig.internal.dom.DOMSignedInfo.<init>(DOMSignedInfo.java:122)
>                 at
> org.jcp.xml.dsig.internal.dom.DOMXMLSignature.<init>(DOMXMLSignature.java:119)
>                 at
> org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:152)
>                 at
> org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:116)
>
> so I tried the lib\endorsed workaround, and put xmlsec-1.4.2 and
> commons-logging into that folder.
> That worked fine for me - but not for my collegues.
>
> They than run into "NoClassDefFoundError" from different points - one
> were missing the Log4J Logger class implementation (could be resolved by
> putting log4j.jar to lib\endorsed), the others had trouble with WSS4J
> and so on.
>
> I wouldn´t like to put all our libraries in the lib\endorsed folder - is
> there another way to use xmlsec-1.4.2 in JDK6.0 ?

>
> Hi Sean and all others,
>
> JDK6u16 is out now since a while, but I still get
>
> _java.lang.RuntimeException_: _javax.xml.crypto.MarshalException_:
> unsupported signature algorithm:
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
>
> => Are the stronger algorithms SHA256-RSA re-targeted to another Update
> of JDK6 ?
>
> Please let me know, if there is any solution in sight, or any other
> workaround,
> since I can´t use the endorsed mechanism due to a lot of side-effects
> for others.....
>
> thanx, Torsten
>
>
>
> *Sean Mullan <Sean.Mullan@...>*
> Gesendet von: Sean.Mullan@...
>
> 27.05.2009 20:37
> Bitte antworten an
> security-dev@...
>
>
>
> An
> security-dev@...
> Kopie
>
> Thema
> Re: JDK6 and xmlsec-1.4.2 issue (unsupported signature algorithm)
>
>
>
>
>
>
>
>
> torsten.reinhard@... wrote:
>  >
>  > Hi,
>  >
>  > I migrated my application from JDK5 (with external xmlsec-1.4.2.jar) to
>  > JDK6 (where xmlsec is included now).
>  >
>  > After that I got
>  > javax.xml.crypto.MarshalException: unsupported signature algorithm:
>  > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
>  >                 at
>  >
> org.jcp.xml.dsig.internal.dom.DOMSignatureMethod.unmarshal(DOMSignatureMethod.java:86)
>  >                 at
>  >
> org.jcp.xml.dsig.internal.dom.DOMSignedInfo.<init>(DOMSignedInfo.java:122)
>  >                 at
>  >
> org.jcp.xml.dsig.internal.dom.DOMXMLSignature.<init>(DOMXMLSignature.java:119)
>  >                 at
>  >
> org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:152)
>  >                 at
>  >
> org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:116)
>  >
>  > so I tried the lib\endorsed workaround, and put xmlsec-1.4.2 and
>  > commons-logging into that folder.
>  > That worked fine for me - but not for my collegues.
>  >
>  > They than run into "NoClassDefFoundError" from different points - one
>  > were missing the Log4J Logger class implementation (could be resolved by
>  > putting log4j.jar to lib\endorsed), the others had trouble with WSS4J
>  > and so on.
>  >
>  > I wouldn´t like to put all our libraries in the lib\endorsed folder - is
>  > there another way to use xmlsec-1.4.2 in JDK6.0 ?
>
>  > Is there a plan to include xmlsec-1.4.2 in one of the next JDK patches
>  > (>=1.6.0_14) ?
>
> We don't have plans to integrate the entire xmlsec-1.4.2 in Sun's JDK 6.
> XMLSec 1.4.2 is already in JDK 7 (via OpenJDK:
> https://jdk7.dev.java.net/). However, I have just opened an RFE to add
> support for the stronger SHA256-RSA and SHA512-RSA algorithms and
> targeted it to JDK 6u16. In the meantime the only workaround I know is
> to use the endorsed libraries mechanism.
>
> --Sean
>

> Hello Torsten,
>
>
> Besides Sean reply before (which is good!), maybe the issue is also
> related to the application server your app is using. I'm still on Java5,
> but I use the Metro WS Stack, and it includes XmlSec as well, so I faced
> a similar problem (although related to classpath library order).
>
> In Tomcat, there is also a endorsed folder, and I had to include the
> xmlsec and CL libraries there as well. Maybe there is
> a similar mechanism in your app server.
>
> Sean, what is the right way to have these enhancement in Metro as well?
> post an issue there?

>
> Gerardo
>
> On Tue, Sep 8, 2009 at 9:28 AM, <torsten.reinhard@...
> <mailto:torsten.reinhard@...>> wrote:
>
>
>     Hi Sean and all others,
>
>     JDK6u16 is out now since a while, but I still get
>
>     _java.lang.RuntimeException_: _javax.xml.crypto.MarshalException_:
>     unsupported signature algorithm:
>     http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
>
>     => Are the stronger algorithms SHA256-RSA re-targeted to another
>     Update of JDK6 ?
>
>     Please let me know, if there is any solution in sight, or any other
>     workaround,
>     since I can´t use the endorsed mechanism due to a lot of
>     side-effects for others.....
>
>     thanx, Torsten
>
>
>
>     *Sean Mullan <Sean.Mullan@...>*
>     Gesendet von: Sean.Mullan@...
>
>     27.05.2009 20:37
>
>     Bitte antworten an
>     security-dev@... <mailto:security-dev@...>
>
>
>    
>     An
>     security-dev@... <mailto:security-dev@...>
>     Kopie
>    
>     Thema
>     Re: JDK6 and xmlsec-1.4.2 issue (unsupported signature algorithm)
>
>
>    
>
>
>
>
>
>     torsten.reinhard@... <mailto:torsten.reinhard@...> wrote:
>      >
>      > Hi,
>      >
>      > I migrated my application from JDK5 (with external
>     xmlsec-1.4.2.jar) to
>      > JDK6 (where xmlsec is included now).
>      >
>      > After that I got
>      > javax.xml.crypto.MarshalException: unsupported signature algorithm:
>      > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
>      >                 at
>      >
>     org.jcp.xml.dsig.internal.dom.DOMSignatureMethod.unmarshal(DOMSignatureMethod.java:86)
>      >                 at
>      >
>     org.jcp.xml.dsig.internal.dom.DOMSignedInfo.<init>(DOMSignedInfo.java:122)
>      >                 at
>      >
>     org.jcp.xml.dsig.internal.dom.DOMXMLSignature.<init>(DOMXMLSignature.java:119)
>      >                 at
>      >
>     org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:152)
>      >                 at
>      >
>     org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:116)
>      >
>      > so I tried the lib\endorsed workaround, and put xmlsec-1.4.2 and
>      > commons-logging into that folder.
>      > That worked fine for me - but not for my collegues.
>      >
>      > They than run into "NoClassDefFoundError" from different points -
>     one
>      > were missing the Log4J Logger class implementation (could be
>     resolved by
>      > putting log4j.jar to lib\endorsed), the others had trouble with
>     WSS4J
>      > and so on.
>      >
>      > I wouldn´t like to put all our libraries in the lib\endorsed
>     folder - is
>      > there another way to use xmlsec-1.4.2 in JDK6.0 ?
>
>      > Is there a plan to include xmlsec-1.4.2 in one of the next JDK
>     patches
>      > (>=1.6.0_14) ?
>
>     We don't have plans to integrate the entire xmlsec-1.4.2 in Sun's
>     JDK 6.
>     XMLSec 1.4.2 is already in JDK 7 (via OpenJDK:
>     https://jdk7.dev.java.net/). However, I have just opened an RFE to add
>     support for the stronger SHA256-RSA and SHA512-RSA algorithms and
>     targeted it to JDK 6u16. In the meantime the only workaround I know is
>     to use the endorsed libraries mechanism.
>
>     --Sean
>
>