RFR [13] 8217878: ENVELOPING XML signature no longer works in JDK 11

Sean Mullan sean.mullan at oracle.com
Mon Mar 4 20:11:13 UTC 2019


Updated webrev: 
http://cr.openjdk.java.net/~mullan/webrevs/8217878/webrev.01/

Changes:

   - Added DOMCryptoBinary.java
   - Changed Base64 calls to XMLUtils in DOMKeyValue, DOMPGPData, 
DOMReference, DOMSignedInfo, DOMX509Data, and DOMXMLSignature

Thanks,
Sean

On 3/4/19 8:33 AM, Sean Mullan wrote:
> On 3/3/19 10:32 PM, Weijun Wang wrote:
>> Two questions:
>>
>> 1. There is no DOMCryptoBinary.java. Maybe you forgot "hg add"?
> 
> Yes, I did. I will add it.
> 
>> 2. The Base64 class is called directly in several places. Aren't the 
>> helper methods in XMLUtils enough?
> 
> Good catch. Since that code is not using XMLUtils, it is not checking 
> the linebreaks property to see if linebreaks should be inserted 
> (com.sun.org.apache.xml.internal.security.ignoreLineBreaks). Let me fix 
> that to use XMLUtils and I'll follow up with another webrev.
> 
> Thanks,
> Sean
> 
>>
>> Thanks,
>> Max
>>
>>> On Feb 26, 2019, at 4:46 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>>
>>> In JDK 11, we included an updated version of Apache Santuario (which 
>>> the JDK XML Signature implementation is based on) [1]. This contained 
>>> a newer XML marshalling implementation, which has caused a couple of 
>>> serious regressions (this one and JDK-8218629 [2]).
>>>
>>> After unsuccessfully trying to patch the current implementation, we 
>>> decided to back it out and restore the previous code, which had been 
>>> very stable for many years. The newer implementation is different in 
>>> subtle ways and doesn't really offer any advantages other than a bit 
>>> of reduction in lines of code. The Apache Santuario Project also has 
>>> backed out the implementation.
>>>
>>> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8217878/webrev.00/
>>> bug: https://bugs.openjdk.java.net/browse/JDK-8217878
>>>
>>> New test cases have also been added for the regressions.
>>>
>>> Note that this also fixes JDK-8218629 [2]. Since technically they are 
>>> different issues, I will probably include both bug-ids in this 
>>> changeset.
>>>
>>> --Sean
>>>
>>> [1] https://bugs.openjdk.java.net/browse/JDK-8177334
>>> [2] https://bugs.openjdk.java.net/browse/JDK-8218629
>>
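
A round-trip check for the ENVELOPING case discussed in this thread, as an added example that is not part of the original messages or the webrev: it signs a `ds:Object` payload, validates it, and reports whether the Base64 `SignatureValue` contains line breaks with the `ignoreLineBreaks` property set. The class name, key, and payload are constructed for illustration; only public `javax.xml.crypto.dsig` API is used.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class EnvelopingRoundTrip {   // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Property named in the thread; set before any XML Signature class is loaded.
        System.setProperty(
            "com.sun.org.apache.xml.internal.security.ignoreLineBreaks", "true");

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();            // throwaway key (constructed)

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Enveloping form: the signed data sits in a ds:Object inside ds:Signature.
        Node payload = doc.createTextNode("constructed sample payload");
        XMLObject obj = fac.newXMLObject(
            Collections.singletonList(new DOMStructure(payload)), "obj", null, null);
        Reference ref = fac.newReference("#obj",
            fac.newDigestMethod(DigestMethod.SHA256, null));
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(
            Collections.singletonList(kif.newKeyValue(kp.getPublic())));

        // Marshal and sign; the Signature element becomes the document root.
        fac.newXMLSignature(si, ki, Collections.singletonList(obj), null, null)
           .sign(new DOMSignContext(kp.getPrivate(), doc));

        // Unmarshal from the DOM and validate with the known public key.
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sigNode);
        boolean valid = fac.unmarshalXMLSignature(vc).validate(vc);
        String sv = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "SignatureValue")
                       .item(0).getTextContent();
        System.out.println("valid=" + valid + " lineBreaks=" + sv.contains("\n"));
    }
}
```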

