RFR 8177334: Update xmldsig implementation to Apache Santuario 2.1.1
Weijun Wang
weijun.wang at oracle.com
Fri Jun 15 00:18:40 UTC 2018
> On Jun 15, 2018, at 2:19 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>
> Here are some comments so far. I should be able to finish reviewing this by tomorrow.
>
> - src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/EncryptionConstants.java
The MessageDigest algorithms are registered under "http://www.w3.org/2001/04/xmlenc#", so this single constant is retained. I didn't move the constant to somewhere else or just inline it, because I want to modify the Santuario code as little as possible.
> - src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/EncryptionElementProxy.java
Good catch. This should have been removed, but my script got the added comment block wrong.
>
> Can we remove these 2 files since it looks like they are for XML Encryption?
>
> - src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/DigestMethod.java
> - src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/SignatureMethod.java
>
> Add @since 11 to the new constants.
Added.
>
> - src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/stax/ext/XMLSecurityConstants.java
>
> Can we remove this since it is for the stax impl?
Yes. I remember the generateBytes() method there was used by something not in stax, but I cannot find it now.
No new webrev posted.
Thanks
Max
>
> --Sean
>
>
> On 6/13/18 8:32 AM, Weijun Wang wrote:
>> I've created my own Logger.java and LoggerFactory.java in com.sun.org.slf4j.internal. They has a slf4j-style interface but use java.util.logging.Logger inside.
>> --Max
>> [1] http://cr.openjdk.java.net/~weijun/8177334/webrev.01/src/java.xml.crypto/share/classes/com/sun/org/slf4j/internal/LoggerFactory.java.html
>> [2] http://cr.openjdk.java.net/~weijun/8177334/webrev.01/src/java.xml.crypto/share/classes/com/sun/org/slf4j/internal/Logger.java.html
>>> On Jun 13, 2018, at 8:17 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>>
>>> In StorageResolver.java:
>>>
>>> 41 private static final com.sun.org.slf4j.internal.Logger LOG =
>>> 42 com.sun.org.slf4j.internal.LoggerFactory.getLogger(StorageResolver.class);
>>>
>>> Shouldn't the previous code using java.util.logging.Logger be retained? There is no com.sun.org.slf4j package in the JDK.
>>>
>>> --Sean
>>>
>>> On 5/24/18 1:50 AM, Weijun Wang wrote:
>>>> Please review the change at
>>>> webrev: http://cr.openjdk.java.net/~weijun/8177334/webrev.00/
>>>> CSR: https://bugs.openjdk.java.net/browse/JDK-8203460
>>>> New features include the support of SHA-224 and SHA-3 MessageMethod, and RSASSA-PSS SignatureMethods.
>>>> The change is done in 2 steps:
>>>> 1. Copying files from Apache Santuario Release 2.1.1 [1]. Making cosmetic changes like changing package names.
>>>> 2. More changes, including
>>>> a. Applying patches in OpenJDK that were not pushed to Apache Santuario (yet)
>>>> b. Using the RSASSA-PSS Signature algorithm in OpenJDK, because we don't have names like SHA256withRSAandMGF1
>>>> c. Copying standard digest method and signature method names into public API (see the CSR)
>>>> For your convenience, there is a separate webrev for step 2 above at
>>>> http://cr.openjdk.java.net/~weijun/8177334/changes/
>>>> Thanks
>>>> Max
>>>> [1] http://www.apache.org/dyn/closer.lua/santuario/java-library/2_1_1/xmlsec-2.1.1-source-release.zip
More information about the security-dev
mailing list