RFR: 8231507: Update Apache Santuario (XML Signature) to version 2.1.4
Weijun Wang
weijun.wang at oracle.com
Mon Nov 25 01:55:59 UTC 2019
Pushed to https://hg.openjdk.java.net/jdk/jdk/rev/b3116877866f.
Thanks,
Max
> On Nov 20, 2019, at 8:27 AM, Weijun Wang <weijun.wang at oracle.com> wrote:
>
> Hi Fedor,
>
> Sorry for the delay. Everything looks fine except that the version info in santuario.md should be updated. I've also updated XMLDSigRI.java to match the recent code change for JDK-8232357. A new webrev is now available at
>
> http://cr.openjdk.java.net/~weijun/8231507/webrev.00/
>
> If no one else has any more comments, I'll push this change myself.
>
> Thanks,
> Max
>
>> On Oct 10, 2019, at 10:48 PM, Fedor Burdun <fedor.burdun at azul.com> wrote:
>>
>> Hi Weijun,
>>
>> I am glad to be helpful to the community.
>> Thanks a lot for your notes.
>>
>> In addition to all mentioned above and due to (8151893: Add security property to configure XML Signature secure validation mode)
>> it seems the checking of Policy.restrictRetrievalMethodLoops also should be reverted?
>> Please correct me if I'm wrong and it should not.
>>
>> Andrew Brygin volunteered to be the sponsor for this code change.
>>
>> New webrev: http://cr.openjdk.java.net/~fijiol/8231507/webrev.01/
>> Tests: test/jdk/javax/xml/crypto/dsig/
>>
>> Best regards,
>> Fedor
>>
>>
>>
>>
>> From: Weijun Wang <weijun.wang at oracle.com>
>> Sent: October 10, 2019, 13:08
>> To: Fedor Burdun
>> Cc: security-dev at openjdk.java.net
>> Subject: Re: RFR: 8231507: Update Apache Santuario (XML Signature) to version 2.1.4
>>
>> Hi Fedor,
>>
>> First, thanks a lot for the contribution. Overall the code change looks fine, but I have several comments:
>>
>> 1. The change in EncryptionConstants.java is not necessary. In this module we only do the signature part, but not encryption.
>>
>> 2. For the same reason, 5 new methods in XMLUtils.java about encryption.
>>
>> 3. In DOMRetrievalMethod.java, please revert to the use of "Policy.restrictNumTransforms(newTransforms.size())". The java.xml.crypto module inside OpenJDK is a little different from Santuario here and it uses a java.security property named "jdk.xml.dsig.secureValidationPolicy".
>>
>> 4. XMLDSigRI.java contains no actual change and can be kept unchanged.
>>
>> Have you found a committer to sponsor your code change? If not, I'll be happy to do it.
>>
>> Thanks,
>> Max
>>
>>
>>> On Oct 8, 2019, at 12:35 AM, Fedor Burdun <fedor.burdun at azul.com> wrote:
>>>
>>> Dear all,
>>>
>>> Would you please review the following change?
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8231507
>>> Webrev: http://cr.openjdk.java.net/~fijiol/8231507/webrev.00/
>>>
>>> This change upgrades Apache Santuario library to version 2.1.4
>>>
>>> Best regards,
>>> Fedor
>
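
Added example, not part of the thread or of the OpenJDK change: a small audit that reads the `jdk.xml.dsig.secureValidationPolicy` security property named above and reports whether the two restrictions the review discusses are configured. The restriction names `maxTransforms` and `noRetrievalMethodLoops` are taken from the JDK's `java.security` file, not from this page, and the class name is hypothetical.

```java
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper class, written for this example.
public class SecureValidationPolicyAudit {
    // Property name as given in the review thread.
    static final String PROP = "jdk.xml.dsig.secureValidationPolicy";

    // Split "name args, name args, ..." into restriction name -> arguments.
    static Map<String, String> parse(String value) {
        Map<String, String> policy = new LinkedHashMap<>();
        if (value == null) {
            return policy;
        }
        for (String entry : value.split(",")) {
            String[] parts = entry.trim().split("\\s+", 2);
            if (parts[0].isEmpty()) {
                continue;
            }
            // Some restrictions (e.g. disallowAlg) repeat; keep every occurrence.
            policy.merge(parts[0], parts.length > 1 ? parts[1] : "",
                         (a, b) -> a + " | " + b);
        }
        return policy;
    }

    public static void main(String[] args) {
        Map<String, String> policy = parse(Security.getProperty(PROP));
        if (policy.isEmpty()) {
            System.out.println(PROP + " is unset or empty: no restrictions configured");
            return;
        }
        policy.forEach((name, arg) -> System.out.printf("%-28s %s%n", name, arg));

        // Assumed restriction names (from the JDK java.security file) behind
        // Policy.restrictNumTransforms and Policy.restrictRetrievalMethodLoops.
        if (!policy.containsKey("maxTransforms")) {
            System.out.println("WARN: maxTransforms missing, transform count is not capped");
        }
        if (!policy.containsKey("noRetrievalMethodLoops")) {
            System.out.println("WARN: noRetrievalMethodLoops missing, "
                    + "RetrievalMethod loops are not rejected");
        }
    }
}
```

These restrictions are enforced only when secure validation is enabled for the validation context, so a clean report here does not by itself show that a given application validates signatures under the policy.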