RFR [13] 8217878: ENVELOPING XML signature no longer works in JDK 11
Sean Mullan
sean.mullan at oracle.com
Mon Mar 4 20:11:13 UTC 2019
Updated webrev:
http://cr.openjdk.java.net/~mullan/webrevs/8217878/webrev.01/
Changes:
- Added DOMCryptoBinary.java
- Changed Base64 calls to XMLUtils in DOMKeyValue, DOMPGPData,
DOMReference, DOMSignedInfo, DOMX509Data, and DOMXMLSignature
Thanks,
Sean
On 3/4/19 8:33 AM, Sean Mullan wrote:
> On 3/3/19 10:32 PM, Weijun Wang wrote:
>> Two questions:
>>
>> 1. There is no DOMCryptoBinary.java. Maybe you forgot "hg add"?
>
> Yes, I did. I will add it.
>
>> 2. The Base64 class is called directly in several places. Aren't the
>> helper methods in XMLUtils enough?
>
> Good catch, since that code is not using XMLUtils, it is not checking
> the linebreaks property to see if linebreaks should be inserted
> (com.sun.org.apache.xml.internal.security.ignoreLineBreaks). Let me fix
> that to use XMLUtils and I'll follow up with another webrev.
>
> Thanks,
> Sean
>
>>
>> Thanks,
>> Max
>>
>>> On Feb 26, 2019, at 4:46 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>>
>>> In JDK 11, we included an updated version of Apache Santuario (which
>>> the JDK XML Signature implementation is based on) [1]. This contained
>>> a newer XML marshalling implementation, which has caused a couple of
>>> serious regressions (this one and JDK-8218629 [2]).
>>>
>>> After unsuccessfully trying to patch the current implementation, we
>>> decided to back it out and restore the previous code, which had been
>>> very stable for many years. The newer implementation is different in
>>> subtle ways and doesn't really offer any advantages other than a bit
>>> of reduction in lines of code. The Apache Santuario Project also has
>>> backed out the implementation.
>>>
>>> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8217878/webrev.00/
>>> bug: https://bugs.openjdk.java.net/browse/JDK-8217878
>>>
>>> New test cases have also been added for the regressions.
>>>
>>> Note that this also fixes JDK-8218629 [2]. Since technically they are
>>> different issues, I will probably include both bug-ids in this
>>> changeset.
>>>
>>> --Sean
>>>
>>> [1] https://bugs.openjdk.java.net/browse/JDK-8177334
>>> [2] https://bugs.openjdk.java.net/browse/JDK-8218629
>>