[8u] RFR Backport 8177334: Update xmldsig implementation to Apache Santuario 2.1.1
Elliott Baron
ebaron at redhat.com
Thu Apr 16 23:54:05 UTC 2020
Hi,
I'd like to request a review to backport 8177334 to 8u.
Original fix:
https://bugs.openjdk.java.net/browse/JDK-8177334
http://hg.openjdk.java.net/jdk/jdk/rev/3810c9a2efa1
The JDK 11 fix did not apply cleanly. Below, I have detailed the
modifications I made in order to backport this fix to 8u. There are some
major changes that I believe may require some discussion, and many minor
changes outlined after those. The changes within each section are listed
roughly in order of the patch.
Thank you to Martin Balao for his assistance in tracking down the
dependencies for this fix.
I should point out that there are some known bugfixes that fix problems
introduced by this update. These should probably go into the same 8u
update as this fix. They are:
- 8217878: ENVELOPING XML signature no longer works
- 8218629: XML Digital Signature throws NAMESPACE_ERR exception on
OpenJDK 11, works 8/9/10 (I believe this is the same fix as above)
- 8236645: JDK 8u231 introduces a regression with incompatible handling
of XML messages
8u webrev:
https://cr.openjdk.java.net/~ebaron/jdk8u/JDK-8177334/webrev.00/
Testing: x86_64 build, jdk_tier1, jdk_security tests
Major changes
---------------
javax/xml/crypto/dsig/DigestMethod:
- New string constants referencing new algorithms have been removed, in
order to not introduce new public API. I'm not sure if this would
technically be a breakage.
javax/xml/crypto/dsig/SignatureMethod:
- New string constants have been removed, as in DigestMethod mentioned
above.
org/jcp/xml/dsig/internal/dom/DOMSignatureMethod:
- There is no "8042967: Add variant of DSA Signature algorithms that do
not ASN.1 encode the signature bytes" in 8u. This was a messy backport
and it appears to add a new feature. To limit the amount of
modifications done to this class, I opted to backport the "getSignature"
method only from 8042967.
- The class hierarchies of various nested DOMSignatureMethods have been
changed to exclude abstract classes that were introduced by 8042967.
- I'm a bit on the fence about these modifications; perhaps it would be
better to backport 8042967 after all.
test/javax/xml/crypto/dsig/GenerationTests:
- jtreg tag differs because of newer tests already in 8u, lack of
modules, and argument added by "8210736:
jdk/javax/xml/crypto/dsig/GenerationTests.java slow on linux".
- Test cases using missing SHA-3 algorithm have been removed, since
there is no support for it in 8u. This would require a backport of
"8000415: Add support for SHA-3" and possibly others.
- Constants in javax/xml/crypto/dsig/{Digest,Signature}Method that were
not backported are substituted with their String values.
- List.of, which doesn't exist in JDK 8, has been replaced with a static
initializer.
- For code added by "8206911: javax/xml/crypto/dsig/GenerationTests.java
fails in 8u-dev", rename call from "test_create_detached_signature" to
"test_create_detached_signature0". This reflects the method name change
introduced by this fix.
- Some context also required changes due to 8206911.
Minor changes
---------------
THIRD_PARTY_README: Bump version of Apache Santuario corresponding to
changes in share/legal/santuario.md from original fix.
com/sun/org/apache/xml/internal/security/algorithms/SignatureAlgorithm:
- Context slightly different due to "6850612: Deprecate
Class.newInstance since it violates the checked exception language
contract" not backported to 8u.
com/sun/org/apache/xml/internal/security/encryption/AbstractSerializer:
- Context differs due to lack of "8055723: Replace concat String to
append in StringBuilder parameters" in 8u. I chose not to backport this
since it relies on "8041679: Replace uses of StringBuffer with
StringBuilder within core library classes", which is another fairly
large patch.
- End result is unaffected since this file is deleted.
com/sun/org/apache/xml/internal/security/encryption/EncryptionMethod:
- Context differs due to lack of "8067377: My hobby: caning, then then
canning, the the can-can" in 8u. I didn't backport this since it's a
large doc fix and is easily worked around.
- End result is unaffected since this file is deleted.
com/sun/org/apache/xml/internal/security/encryption/EncryptionProperty:
- Context differs due to existing backport of "8133802: replace some
<tt> tags (obsolete in html5) in security-libs docs" being slightly
different.
- End result is unaffected since this file is deleted.
com/sun/org/apache/xml/internal/security/encryption/ReferenceList:
- Same differences/reasoning as EncryptionProperty above.
com/sun/org/apache/xml/internal/security/keys/KeyUtils:
- Comment to be patched differs slightly due to absent "8067377: My
hobby: caning, then then canning, the the can-can". End result matches
original fix.
com/sun/org/apache/xml/internal/security/keys/keyresolver/KeyResolver:
- A few differences in context due to "6850612: Deprecate Class.newInstance
since it violates the checked exception language contract" not present
in 8u.
com/sun/org/apache/xml/internal/security/keys/keyresolver/KeyResolverSpi:
- Same difference/reasoning as in KeyResolver above.
com/sun/org/apache/xml/internal/security/transforms/implementations/FuncHere:
- One hunk removed that rearranges imports, because the import was added
by "8181150: Fix lint warnings in JAXP repo: rawtypes and unchecked". I
did not backport this to 8u since it's a large patch and is trivial to
work around in this backport.
com/sun/org/apache/xml/internal/security/transforms/params/InclusiveNamespaces:
- One line of context differs due to missing "8055723: Replace concat
String to append in StringBuilder parameters". See AbstractSerializer above.
com/sun/org/apache/xml/internal/security/utils/JavaUtils:
- Hunk moving "checkRegisterPermission" not required since it's already
located where it would be moved to in 8u.
com/sun/org/apache/xml/internal/security/utils/XalanXPathAPI:
- One change editing a log message has been removed, since the code that
introduced the log message is not in 8u. That changeset is "8087283: Add
support for the XML Signature here() function to the JDK XPath
implementation". It didn't seem worthwhile to backport for the sake of
this fix.
com/sun/org/apache/xml/internal/security/utils/resolver/ResourceResolver:
- Context differs in one hunk due to "6850612: Deprecate
Class.newInstance since it violates the checked exception language
contract" not being backported to 8u.
- Resulting code is the same, minus a @SuppressWarnings annotation.
org/jcp/xml/dsig/internal/dom/ApacheCanonicalizer:
- Context differs due to "8046949: Generify the javax.xml.crypto API"
not backported to 8u. Some minor changes unneeded since they revert
changes from 8046949.
org/jcp/xml/dsig/internal/dom/ApacheTransform:
- Removed change that reverts the removal of a "@SuppressWarnings"
annotation by "8046949: Generify the javax.xml.crypto API", since this
change was never backported in the first place.
org/jcp/xml/dsig/internal/dom/DOMExcC14NMethod:
- Two lines of context changed due to no 8u backport of "8041679:
Replace uses of StringBuffer with StringBuilder within core library
classes" and "8046949: Generify the javax.xml.crypto API".
org/jcp/xml/dsig/internal/dom/DOMKeyInfo:
- Changes that revert changes made by "8046949: Generify the
javax.xml.crypto API" have been removed since 8046949 is not in 8u.
org/jcp/xml/dsig/internal/dom/DOMKeyInfoFactory:
- The majority of changes here revert "8046949: Generify the
javax.xml.crypto API". Since this wasn't backported they aren't
applicable. Most of what remains is adding "@Override" annotations.
org/jcp/xml/dsig/internal/dom/DOMManifest:
- This required similar modifications to DOMKeyInfoFactory above.
org/jcp/xml/dsig/internal/dom/DOMPGPData:
- Changes reverting those introduced by "8046949: Generify the
javax.xml.crypto API" have been removed, similar to DOMKeyInfoFactory above.
- Different context for getKeyId and getKeyPacket methods due to
"8032733: Fix cast lint warnings in client libraries" not being
backported to 8u. This is a fairly large patch and was previously ruled
out for a backport to 8u.
org/jcp/xml/dsig/internal/dom/DOMReference:
- Modifications required here were done for the same reasons as
DOMPGPData above.
org/jcp/xml/dsig/internal/dom/DOMRetrievalMethod,
org/jcp/xml/dsig/internal/dom/DOMSignatureProperties,
org/jcp/xml/dsig/internal/dom/DOMSignatureProperty,
org/jcp/xml/dsig/internal/dom/DOMSignedInfo,
org/jcp/xml/dsig/internal/dom/DOMUtils,
org/jcp/xml/dsig/internal/dom/DOMX509Data,
org/jcp/xml/dsig/internal/dom/DOMXMLObject,
org/jcp/xml/dsig/internal/dom/DOMXMLSignatureFactory,
org/jcp/xml/dsig/internal/dom/DOMXPathFilter2Transform,
org/jcp/xml/dsig/internal/dom/DOMXPathTransform:
- These also remove inapplicable reversions for changes that would have
been done by "8046949: Generify the javax.xml.crypto API".
org/jcp/xml/dsig/internal/dom/DOMXMLSignature:
- Removed portions that don't apply due to lack of "8046949: Generify
the javax.xml.crypto API".
- A line of context needed to be changed because of "8032733: Fix cast
lint warnings in client libraries" not backported.
org/jcp/xml/dsig/internal/dom/Utils:
- Context surrounding changes is slightly different due to lack of
"8046949: Generify the javax.xml.crypto API" in 8u.
com/sun/org/apache/xml/internal/security/algorithms/package.html
com/sun/org/apache/xml/internal/security/keys/content/keyvalues/package.html
com/sun/org/apache/xml/internal/security/keys/content/package.html
com/sun/org/apache/xml/internal/security/keys/content/x509/package.html
com/sun/org/apache/xml/internal/security/keys/keyresolver/implementations/package.html
com/sun/org/apache/xml/internal/security/keys/keyresolver/package.html
com/sun/org/apache/xml/internal/security/keys/storage/implementations/package.html
com/sun/org/apache/xml/internal/security/keys/storage/package.html:
- Missing newline at end of file introduced by "8134984: Text files
should end in exactly one newline". Did not backport since these files
are all deleted.
Thanks,
Elliott