RFR 8177334: Update xmldsig implementation to Apache Santuario 2.1.1

Weijun Wang weijun.wang at oracle.com
Fri Jun 15 00:18:40 UTC 2018 


> On Jun 15, 2018, at 2:19 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
> 
> Here are some comments so far. I should be able to finish reviewing this by tomorrow.
> 
> - src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/EncryptionConstants.java

The MessageDigest algorithms are registered under "http://www.w3.org/2001/04/xmlenc#", so this single constant is retained. I didn't move the constant to somewhere else or just inline it, because I want to modify the Santuario code as little as possible.

> - src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/EncryptionElementProxy.java

Good catch. This should have been removed, but my script got the added comment block wrong.

> 
> Can we remove these 2 files since it looks like they are for XML Encryption?
> 
> - src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/DigestMethod.java
> - src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/SignatureMethod.java
> 
> Add @since 11 to the new constants.

Added.

> 
> - src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/stax/ext/XMLSecurityConstants.java
> 
> Can we remove this since it is for the stax impl?

Yes. I remember the generateBytes() method there was used by something not in stax, but I cannot find it now.

No new webrev posted.

Thanks
Max

> 
> --Sean
> 
> 
> On 6/13/18 8:32 AM, Weijun Wang wrote:
>> I've created my own Logger.java and LoggerFactory.java in com.sun.org.slf4j.internal. They has a slf4j-style interface but use java.util.logging.Logger inside.
>> --Max
>> [1] http://cr.openjdk.java.net/~weijun/8177334/webrev.01/src/java.xml.crypto/share/classes/com/sun/org/slf4j/internal/LoggerFactory.java.html
>> [2] http://cr.openjdk.java.net/~weijun/8177334/webrev.01/src/java.xml.crypto/share/classes/com/sun/org/slf4j/internal/Logger.java.html
>>> On Jun 13, 2018, at 8:17 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>> 
>>> In StorageResolver.java:
>>> 
>>>  41     private static final com.sun.org.slf4j.internal.Logger LOG =
>>>  42 com.sun.org.slf4j.internal.LoggerFactory.getLogger(StorageResolver.class);
>>> 
>>> Shouldn't the previous code using java.util.logging.Logger be retained? There is no com.sun.org.slf4j package in the JDK.
>>> 
>>> --Sean
>>> 
>>> On 5/24/18 1:50 AM, Weijun Wang wrote:
>>>> Please review the change at
>>>>   webrev: http://cr.openjdk.java.net/~weijun/8177334/webrev.00/
>>>>      CSR: https://bugs.openjdk.java.net/browse/JDK-8203460
>>>> New features include the support of SHA-224 and SHA-3 MessageMethod, and RSASSA-PSS SignatureMethods.
>>>> The change is done in 2 steps:
>>>> 1. Copying files from Apache Santuario Release 2.1.1 [1]. Making cosmetic changes like changing package names.
>>>> 2. More changes, including
>>>>    a. Applying patches in OpenJDK that were not pushed to Apache Santuario (yet)
>>>>    b. Using the RSASSA-PSS Signature algorithm in OpenJDK, because we don't have names like SHA256withRSAandMGF1
>>>>    c. Copying standard digest method and signature method names into public API (see the CSR)
>>>> For your convenience, there is a separate webrev for step 2 above at
>>>>    http://cr.openjdk.java.net/~weijun/8177334/changes/
>>>> Thanks
>>>> Max
>>>> [1] http://www.apache.org/dyn/closer.lua/santuario/java-library/2_1_1/xmlsec-2.1.1-source-release.zip

More information about the security-dev mailing list