<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=koi8-r">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p></p>
<div>Hi Weijun,<br>
<br>
I am glad to be helpful to the community.<br>
Thanks a lot for your notes.<br>
<br>
In addition to all mentioned above and due to (8151893: Add security property to configure XML Signature secure validation mode)<br>
it seems the checking of Policy.restrictRetrievalMethodLoops also should be reverted?<br>
Please correct me if I'm wrong and it should not.<br>
<br>
Andrew Brygin volunteered to be the sponsor for this code change.<br>
<br>
New webrev: http://cr.openjdk.java.net/~fijiol/8231507/webrev.01/<br>
Tests: test/jdk/javax/xml/crypto/dsig/<br>
<br>
Best regards,<br>
Fedor<br>
<br>
</div>
<br>
<p></p>
<br>
<br>
<div style="color: rgb(0, 0, 0);">
<div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Weijun Wang &lt;weijun.wang@oracle.com&gt;<br>
<b>Sent:</b> October 10, 2019 13:08<br>
<b>To:</b> Fedor Burdun<br>
<b>Cc:</b> security-dev@openjdk.java.net<br>
<b>Subject:</b> Re: RFR: 8231507: Update Apache Santuario (XML Signature) to version 2.1.4</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">Hi Fedor,<br>
<br>
First, thanks a lot for the contribution. Overall the code change looks fine, but I have several comments:<br>
<br>
1. The change in EncryptionConstants.java is not necessary. In this module we only do the signature part, but not encryption.<br>
<br>
2. For the same reason, 5 new methods in XMLUtils.java about encryption.<br>
<br>
3. In DOMRetrievalMethod.java, please revert to the use of "Policy.restrictNumTransforms(newTransforms.size())". The java.xml.crypto module inside OpenJDK is a little different from Santuario here and it uses a java.security property named "jdk.xml.dsig.secureValidationPolicy".<br>
<br>
4. XMLDSigRI.java contains no actual change and can be kept unchanged.<br>
<br>
Have you found a committer to sponsor your code change? If not, I'll be happy to do it.<br>
<br>
Thanks,<br>
Max<br>
<br>
<br>
> On Oct 8, 2019, at 12:35 AM, Fedor Burdun &lt;fedor.burdun@azul.com&gt; wrote:<br>
> <br>
> Dear all,<br>
> <br>
> Would you please review the following change?<br>
> Bug: <a href="https://bugs.openjdk.java.net/browse/JDK-8231507" id="LPlnk328220" previewremoved="true">
https://bugs.openjdk.java.net/browse/JDK-8231507</a><br>
> Webrev: <a href="http://cr.openjdk.java.net/~fijiol/8231507/webrev.00/" id="LPlnk34221" previewremoved="true">
http://cr.openjdk.java.net/~fijiol/8231507/webrev.00/</a><br>
> <br>
> This change upgrades Apache Santuario library to version 2.1.4<br>
> <br>
> Best regards,<br>
> Fedor<br>
</div>
</span></font></div>
</div>
</body>
</html>