RFR: 8231507: Update Apache Santuario (XML Signature) to version 2.1.4

Weijun Wang weijun.wang at oracle.com
Wed Nov 20 00:27:01 UTC 2019


Hi Fedor,

Sorry for the delay. Everything looks fine except that the version info in santuario.md should be updated. I've also updated XMLDSigRI.java to match the recent code change for JDK-8232357. A new webrev is now available at

   http://cr.openjdk.java.net/~weijun/8231507/webrev.00/

If no one else has any more comments, I'll push this change myself.

Thanks,
Max

> On Oct 10, 2019, at 10:48 PM, Fedor Burdun <fedor.burdun at azul.com> wrote:
> 
> Hi Weijun,
> 
> I am glad to be helpful to the community.
> Thanks a lot for your notes.
> 
> In addition to all mentioned above and due to (8151893: Add security property to configure XML Signature secure validation mode)
> it seems the checking of Policy.restrictRetrievalMethodLoops also should be reverted?
> Please correct me if I'm wrong and it should not.
> 
> Andrew Brygin volunteered to be sponsor for this code change.
> 
> New webrev: http://cr.openjdk.java.net/~fijiol/8231507/webrev.01/
> Tests: test/jdk/javax/xml/crypto/dsig/
> 
> Best regards,
> Fedor
> 
> 
> 
> 
> From: Weijun Wang <weijun.wang at oracle.com>
> Sent: October 10, 2019, 13:08
> To: Fedor Burdun
> Cc: security-dev at openjdk.java.net
> Subject: Re: RFR: 8231507: Update Apache Santuario (XML Signature) to version 2.1.4
>  
> Hi Fedor,
> 
> First, thanks a lot for the contribution. Overall the code change looks fine, but I have several comments:
> 
> 1. The change in EncryptionConstants.java is not necessary. In this module we only do the signature part, but not encryption.
> 
> 2. For the same reason, 5 new methods in XMLUtils.java about encryption.
> 
> 3. In DOMRetrievalMethod.java, please revert to the use of "Policy.restrictNumTransforms(newTransforms.size())". The java.xml.crypto module inside OpenJDK is a little different from Santuario here and it uses a java.security property named "jdk.xml.dsig.secureValidationPolicy".
> 
> 4. XMLDSigRI.java contains no actual change and can be kept unchanged.
> 
> Have you found a committer to sponsor your code change? If not, I'll be happy to do it.
> 
> Thanks,
> Max
> 
> 
> > On Oct 8, 2019, at 12:35 AM, Fedor Burdun <fedor.burdun at azul.com> wrote:
> > 
> > Dear all,
> > 
> > Would you please review the following change?
> > Bug: https://bugs.openjdk.java.net/browse/JDK-8231507
> > Webrev: http://cr.openjdk.java.net/~fijiol/8231507/webrev.00/
> > 
> > This change upgrades the Apache Santuario library to version 2.1.4.
> > 
> > Best regards,
> > Fedor
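
Added example, not part of the thread or of the OpenJDK change: a small Java audit that reads the `jdk.xml.dsig.secureValidationPolicy` security property named in review comment 3 and reports whether the `maxTransforms` and `noRetrievalMethodLoops` entries are present. Those two entry names come from the JDK's default `java.security` file rather than from this thread; the class name and the fallback sample string are constructed for illustration.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class SecureValidationPolicyAudit {
    // Security property named in the thread.
    static final String PROP = "jdk.xml.dsig.secureValidationPolicy";

    // Parses "name arg..., name arg..., flag" into name -> one argument list per entry.
    static Map<String, List<List<String>>> parse(String value) {
        Map<String, List<List<String>>> policy = new LinkedHashMap<>();
        if (value == null) return policy;
        for (String entry : value.split(",")) {
            String[] tok = entry.trim().split("\\s+");
            if (tok[0].isEmpty()) continue;          // tolerate empty entries
            policy.computeIfAbsent(tok[0], k -> new ArrayList<>())
                  .add(Arrays.asList(tok).subList(1, tok.length));
        }
        return policy;
    }

    public static void main(String[] args) {
        // Constructed sample, used only if the runtime leaves the property unset.
        String sample = "maxTransforms 5, maxReferences 30, noRetrievalMethodLoops";
        String live = Security.getProperty(PROP);
        System.out.println("source: " + (live != null ? "java.security" : "constructed sample"));
        Map<String, List<List<String>>> p = parse(live != null ? live : sample);

        // The two restrictions discussed in the review.
        List<List<String>> max = p.get("maxTransforms");
        if (max == null || max.get(0).isEmpty()) {
            System.out.println("WARN  no usable maxTransforms entry in the policy");
        } else {
            System.out.println("OK    maxTransforms = " + max.get(0).get(0));
        }
        System.out.println(p.containsKey("noRetrievalMethodLoops")
            ? "OK    noRetrievalMethodLoops is set"
            : "WARN  noRetrievalMethodLoops is not set");

        // Every parsed entry, for the record.
        p.forEach((name, argLists) -> System.out.println("      " + name + " " + argLists));
    }
}
```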



