RFR: 8231507: Update Apache Santuario (XML Signature) to version 2.1.4
Fedor Burdun
fedor.burdun at azul.com
Thu Oct 10 14:48:16 UTC 2019
Hi Weijun,
I am glad to be helpful to the community.
Thanks a lot for your notes.
In addition to all mentioned above and due to (8151893: Add security property to configure XML Signature secure validation mode)
it seems the checking of Policy.restrictRetrievalMethodLoops also should be reverted?
Please correct me if I'm wrong and it should not.
Andrew Brygin volunteered to be the sponsor for this code change.
New webrev: http://cr.openjdk.java.net/~fijiol/8231507/webrev.01/
Tests: test/jdk/javax/xml/crypto/dsig/
Best regards,
Fedor
________________________________
From: Weijun Wang <weijun.wang at oracle.com>
Sent: October 10, 2019 13:08
To: Fedor Burdun
Cc: security-dev at openjdk.java.net
Subject: Re: RFR: 8231507: Update Apache Santuario (XML Signature) to version 2.1.4
Hi Fedor,
First, thanks a lot for the contribution. Overall the code change looks fine, but I have several comments:
1. The change in EncryptionConstants.java is not necessary. In this module we only do the signature part, but not encryption.
2. For the same reason, 5 new methods in XMLUtils.java about encryption.
3. In DOMRetrievalMethod.java, please revert to the use of "Policy.restrictNumTransforms(newTransforms.size())". The java.xml.crypto module inside OpenJDK is a little different from Santuario here and it uses a java.security property named "jdk.xml.dsig.secureValidationPolicy".
4. XMLDSigRI.java contains no actual change and can be kept unchanged.
Have you found a committer to sponsor your code change? If not, I'll be happy to do it.
Thanks,
Max
> On Oct 8, 2019, at 12:35 AM, Fedor Burdun <fedor.burdun at azul.com> wrote:
>
> Dear all,
>
> Would you please review the following change?
> Bug: https://bugs.openjdk.java.net/browse/JDK-8231507
> Webrev: http://cr.openjdk.java.net/~fijiol/8231507/webrev.00/
>
> This change upgrades Apache Santuario library to version 2.1.4
>
> Best regards,
> Fedor
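
Added example (not code from the webrev or from OpenJDK): a small Java program that reads the "jdk.xml.dsig.secureValidationPolicy" security property named in comment 3 and reports the two restrictions discussed in this thread. The class name ShowDsigPolicy and the fallback sample policy string are constructed for illustration; that the maxTransforms and noRetrievalMethodLoops entries are what Policy.restrictNumTransforms and Policy.restrictRetrievalMethodLoops consult is an assumption based on their names.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

// Added example: inspects the java.security property that configures the
// JDK's XML Signature secure validation policy, using only public API.
public class ShowDsigPolicy {
    // Constructed sample in the property's format, used only when the
    // running JDK does not define the property.
    static final String SAMPLE =
        "disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,"
      + "maxTransforms 5,maxReferences 30,"
      + "disallowReferenceUriSchemes file http https,"
      + "minKeySize RSA 1024,noDuplicateIds,noRetrievalMethodLoops";

    // Split the comma-separated policy into restrictions; each restriction
    // is a whitespace-separated list: its name followed by its arguments.
    static List<String[]> parse(String policy) {
        List<String[]> out = new ArrayList<>();
        for (String entry : policy.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty()) out.add(e.split("\\s+"));
        }
        return out;
    }

    public static void main(String[] args) {
        String policy = Security.getProperty("jdk.xml.dsig.secureValidationPolicy");
        boolean fromJdk = policy != null;
        if (!fromJdk) policy = SAMPLE;
        System.out.println("source: " + (fromJdk ? "java.security" : "constructed sample"));
        Integer maxTransforms = null;   // null means the entry is absent
        boolean noLoops = false;
        for (String[] r : parse(policy)) {
            switch (r[0]) {
                case "maxTransforms":
                    maxTransforms = r.length > 1 ? Integer.valueOf(r[1]) : null;
                    break;
                case "noRetrievalMethodLoops":
                    noLoops = true;
                    break;
                default:
                    System.out.println("other restriction: " + String.join(" ", r));
            }
        }
        System.out.println("maxTransforms: " + (maxTransforms == null ? "not set" : maxTransforms));
        System.out.println("noRetrievalMethodLoops: " + noLoops);
    }
}
```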