RFR: 8231507: Update Apache Santuario (XML Signature) to version 2.1.4

Weijun Wang weijun.wang at oracle.com
Mon Nov 25 01:55:59 UTC 2019 

Pushed to https://hg.openjdk.java.net/jdk/jdk/rev/b3116877866f.

Thanks,
Max

> On Nov 20, 2019, at 8:27 AM, Weijun Wang <weijun.wang at oracle.com> wrote:
> 
> Hi Fedor,
> 
> Sorry for the delay. Everything looks fine except that the version info in santuario.md should be updated. I've also updated XMLDSigRI.java to match the recent code change for JDK-8232357. A new webrev is now available at
> 
>   http://cr.openjdk.java.net/~weijun/8231507/webrev.00/
> 
> If no one else has any more comment, I'll push this change myself.
> 
> Thanks,
> Max
> 
>> On Oct 10, 2019, at 10:48 PM, Fedor Burdun <fedor.burdun at azul.com> wrote:
>> 
>> Hi Weijun,
>> 
>> I am glad to be helpful for community.
>> Thanks a lot for your notes.
>> 
>> In addition to all mentioned above and due to (8151893: Add security property to configure XML Signature secure validation mode)
>> it seems the checking of Policy.restrictRetrievalMethodLoops also should be reverted?
>> Please correct me if I'm wrong and it should not.
>> 
>> Andrew Brygin volunteered to be sponsor for this code change.
>> 
>> New webrev: http://cr.openjdk.java.net/~fijiol/8231507/webrev.01/
>> Tests: test/jdk/javax/xml/crypto/dsig/
>> 
>> Best regards,
>> Fedor
>> 
>> 
>> 
>> 
>> От: Weijun Wang <weijun.wang at oracle.com>
>> Отправлено: 10 октября 2019 г. 13:08
>> Кому: Fedor Burdun
>> Копия: security-dev at openjdk.java.net
>> Тема: Re: RFR: 8231507: Update Apache Santuario (XML Signature) to version 2.1.4
>> 
>> Hi Fedor,
>> 
>> First, thanks a lot for the contribution. Overall the code change looks fine, but I have several comments:
>> 
>> 1. The change in EncryptionConstants.java is not necessary. In this module we only do the signature part, but not encryption.
>> 
>> 2. For the same reason, 5 new methods in XMLUtils.java about encryption.
>> 
>> 3. In DOMRetrievalMethod.java, please revert to the use of "Policy.restrictNumTransforms(newTransforms.size())". The java.xml.crypto module inside OpenJDK is a little different from Santuario here and it uses a java.security property named "jdk.xml.dsig.secureValidationPolicy".
>> 
>> 4. XMLDSigRI.java contains no actual change and can be kept unchanged.
>> 
>> Have you found a committer to sponsor your code change? If not, I'll be happy to do it.
>> 
>> Thanks,
>> Max
>> 
>> 
>>> On Oct 8, 2019, at 12:35 AM, Fedor Burdun <fedor.burdun at azul.com> wrote:
>>> 
>>> Dear all,
>>> 
>>> Would you please review the following change?
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8231507
>>> Webrev: http://cr.openjdk.java.net/~fijiol/8231507/webrev.00/
>>> 
>>> This change upgrades Apache Santuario library to version 2.1.4
>>> 
>>> Best regards,
>>> Fedor
>

More information about the security-dev mailing list