An XML document can be signed to ensure data integrity and authentication. The signature should be verified and validated to make sure it's secure.
For instance, signatures based on weak algorithms like MD5 should be rejected, and an XML document should not contain hostile constructs that can lead to Denial of Service attacks, like a large number of SignedInfo elements.
Noncompliant Code Example
The Java XML Digital Signature API doesn’t use a strong signature validation mode by default:
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0)); // Noncompliant
Compliant Solution
The Java XML Digital Signature API offers a secure validation mode to protect against various security issues:
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0));
valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
See