RFR: 8231507: Update Apache Santuario (XML Signature) to version 2.1.4

Weijun Wang weijun.wang at oracle.com
Thu Oct 10 10:08:54 UTC 2019


Hi Fedor,

First, thanks a lot for the contribution. Overall the code change looks fine, but I have several comments:

1. The change in EncryptionConstants.java is not necessary. In this module we only do the signature part, but not encryption.

2. For the same reason, 5 new methods in XMLUtils.java about encryption.

3. In DOMRetrievalMethod.java, please revert to the use of "Policy.restrictNumTransforms(newTransforms.size())". The java.xml.crypto module inside OpenJDK is a little different from Santuario here and it uses a java.security property named "jdk.xml.dsig.secureValidationPolicy".

4. XMLDSigRI.java contains no actual change and can be kept unchanged.

Have you found a committer to sponsor your code change? If not, I'll be happy to do it.

Thanks,
Max


> On Oct 8, 2019, at 12:35 AM, Fedor Burdun <fedor.burdun at azul.com> wrote:
> 
> Dear all,
> 
> Would you please review the following change?
> Bug: https://bugs.openjdk.java.net/browse/JDK-8231507
> Webrev: http://cr.openjdk.java.net/~fijiol/8231507/webrev.00/
> 
> This change upgrades Apache Santuario library to version 2.1.4
> 
> Best regards,
> Fedor




More information about the security-dev mailing list