RFR: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0

classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

RFR: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0

Weijun Wang-2
This is a multi-commits PR that upgrades xmldsig to be equivalent to Santuario 2.2.0.

The first step is an auto-import. The JDK implementation is removed first and Santuario code are imported. Some unrelated files (Ex: encryption) are removed, and package names are renamed to be internal. There are also some bulk changes on company name, comment style, and white spaces.

Next steps are patches applied by JDK. Some are old patches before the last import. Some are new.

Several tests need to be updated because of internal method signature changes.

The "Support RSA-PSS with parameters" commit introduces a new public API and would need a CSR.

The last patch is one we just fixed several days ago.

-------------

Commit messages:
 - Reapply 8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()
 - Support RSA-PSS with parameters
 - Fix test failures
 - Supporting named RSASSA-PSS without parameters
 - Reapply 8008744: Rework part of fix for JDK-6741606
 - Reapply 8151893: Add security property to configure XML Signature secure validation mode
 - Reapply Reapply 8042967: Add variant of DSA Signature algorithms that do not ASN.1 encode the signature bytes
 - Reapply 8038913: Bolster XML support (Init.java part)
 - Various warnings, the version, and abnormal copyright lines
 - Remove lines related to XML encryption
 - ... and 2 more: https://git.openjdk.java.net/jdk/compare/e8b75b13...ccb0caf3

Changes: https://git.openjdk.java.net/jdk/pull/1206/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=1206&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8255255
  Stats: 8044 lines in 188 files changed: 2705 ins; 3934 del; 1405 mod
  Patch: https://git.openjdk.java.net/jdk/pull/1206.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/1206/head:pull/1206

PR: https://git.openjdk.java.net/jdk/pull/1206
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0 [v2]

Weijun Wang-2
> This is a multi-commits PR that upgrades xmldsig to be equivalent to Santuario 2.2.0.
>
> The first step is an auto-import. The JDK implementation is removed first and Santuario code are imported. Some unrelated files (Ex: encryption) are removed, and package names are renamed to be internal. There are also some bulk changes on company name, comment style, and white spaces.
>
> Next steps are patches applied by JDK. Some are old patches before the last import. Some are new.
>
> Several tests need to be updated because of internal method signature changes.
>
> The "Support RSA-PSS with parameters" commit introduces a new public API and would need a CSR.
>
> The last patch is one we just fixed several days ago.

Weijun Wang has refreshed the contents of this pull request, and previous commits have been removed. The incremental views will show differences compared to the previous content of the PR. The pull request contains two new commits since the last revision:

 - Support RSA-PSS with parameters
 - Reapply 8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/1206/files
  - new: https://git.openjdk.java.net/jdk/pull/1206/files/ccb0caf3..73c73381

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=1206&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=1206&range=00-01

  Stats: 141 lines in 3 files changed: 40 ins; 55 del; 46 mod
  Patch: https://git.openjdk.java.net/jdk/pull/1206.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/1206/head:pull/1206

PR: https://git.openjdk.java.net/jdk/pull/1206
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0

Weijun Wang-2
In reply to this post by Weijun Wang-2
On Fri, 13 Nov 2020 17:22:10 GMT, Weijun Wang <[hidden email]> wrote:

> This is a multi-commits PR that upgrades xmldsig to be equivalent to Santuario 2.2.0.
>
> The first step is an auto-import. The JDK implementation is removed first and Santuario code are imported. Some unrelated files (Ex: encryption) are removed, and package names are renamed to be internal. There are also some bulk changes on company name, comment style, and white spaces.
>
> Next steps are patches applied by JDK. Some are old patches before the last import. Some are new.
>
> Several tests need to be updated because of internal method signature changes.
>
> The "Support RSA-PSS with parameters" commit introduces a new public API and would need a CSR.
>
> The last patch is one we just fixed several days ago.

The "Support RSA-PSS with parameters" commit is rewritten. Now a `PSSParameterSpec` object is encapsulated inside a `RSAPSSParameterSpec`.

Note: https://tools.ietf.org/html/rfc6931#section-2.3.9 define the algorithm name as RSASSA-PSS with URI fragment `#rsa-pss` (no SSA). So in comments I always use the long name but the `SignatureMethod` constant is named `RSA_PSS`. Hopefully this is fine.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1206
Reply | Threaded
Open this post in threaded view
|

Withdrawn: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0

Weijun Wang-2
In reply to this post by Weijun Wang-2
On Fri, 13 Nov 2020 17:22:10 GMT, Weijun Wang <[hidden email]> wrote:

> This is a multi-commits PR that upgrades xmldsig to be equivalent to Santuario 2.2.0.
>
> The first step is an auto-import. The JDK implementation is removed first and Santuario code are imported. Some unrelated files (Ex: encryption) are removed, and package names are renamed to be internal. There are also some bulk changes on company name, comment style, and white spaces.
>
> Next steps are patches applied by JDK. Some are old patches before the last import. Some are new.
>
> Several tests need to be updated because of internal method signature changes.
>
> The "Support RSA-PSS with parameters" commit introduces a new public API and would need a CSR.
>
> The last patch is one we just fixed several days ago.

This pull request has been closed without being integrated.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1206
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0

Weijun Wang-2
In reply to this post by Weijun Wang-2
On Fri, 13 Nov 2020 22:00:26 GMT, Weijun Wang <[hidden email]> wrote:

>> This is a multi-commits PR that upgrades xmldsig to be equivalent to Santuario 2.2.0.
>>
>> The first step is an auto-import. The JDK implementation is removed first and Santuario code are imported. Some unrelated files (Ex: encryption) are removed, and package names are renamed to be internal. There are also some bulk changes on company name, comment style, and white spaces.
>>
>> Next steps are patches applied by JDK. Some are old patches before the last import. Some are new.
>>
>> Several tests need to be updated because of internal method signature changes.
>>
>> The "Support RSA-PSS with parameters" commit introduces a new public API and would need a CSR.
>>
>> The last patch is one we just fixed several days ago.
>
> The "Support RSA-PSS with parameters" commit is rewritten. Now a `PSSParameterSpec` object is encapsulated inside a `RSAPSSParameterSpec`.
>
> Note: https://tools.ietf.org/html/rfc6931#section-2.3.9 define the algorithm name as RSASSA-PSS with URI fragment `#rsa-pss` (no SSA). So in comments I always use the long name but the `SignatureMethod` constant is named `RSA_PSS`. Hopefully this is fine.

> @wangweij This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

Sure.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1206
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0

Weijun Wang-2
On Sat, 12 Dec 2020 02:46:45 GMT, Weijun Wang <[hidden email]> wrote:

> @wangweij This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

Sure.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1206
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0 [v2]

Xue-Lei Andrew Fan
In reply to this post by Weijun Wang-2
On Fri, 13 Nov 2020 22:05:31 GMT, Weijun Wang <[hidden email]> wrote:

>> This is a multi-commits PR that upgrades xmldsig to be equivalent to Santuario 2.2.0.
>>
>> The first step is an auto-import. The JDK implementation is removed first and Santuario code are imported. Some unrelated files (Ex: encryption) are removed, and package names are renamed to be internal. There are also some bulk changes on company name, comment style, and white spaces.
>>
>> Next steps are patches applied by JDK. Some are old patches before the last import. Some are new.
>>
>> Several tests need to be updated because of internal method signature changes.
>>
>> The "Support RSA-PSS with parameters" commit introduces a new public API and would need a CSR.
>>
>> The last patch is one we just fixed several days ago.
>
> Weijun Wang has refreshed the contents of this pull request, and previous commits have been removed. The incremental views will show differences compared to the previous content of the PR.

Marked as reviewed by xuelei (Reviewer).

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/algorithms/SignatureAlgorithm.java line 196:

> 194:             @SuppressWarnings("deprecation")
> 195:             SignatureAlgorithmSpi result = implementingClass.newInstance();
> 196:             return result;

A IDE may have a warning for the result value as it is not really necessary, except for the suppress warnings.  Maybe, the @SuppressWarings could be placed in the method level.  Just for your reference, go ahead with your preference.

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/c14n/Canonicalizer.java line 112:

> 110:             @SuppressWarnings("deprecation")
> 111:             CanonicalizerSpi tmp = implementingClass.newInstance();
> 112:             canonicalizerSpi = tmp;

Same comment as the one in SignatureAlgorithm.java.

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/keys/keyresolver/KeyResolver.java line 198:

> 196:             @SuppressWarnings("deprecation")
> 197:             KeyResolverSpi tmp = (KeyResolverSpi) ClassLoaderUtils.loadClass(className, KeyResolver.class).newInstance();
> 198:             keyResolverSpi = tmp;

Same comment as the one in SignatureAlgorithm.java.

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/transforms/Transform.java line 204:

> 202:             @SuppressWarnings("deprecation")
> 203:             TransformSpi tmp = transformSpiClass.newInstance();
> 204:             transformSpiHash.put(algorithmURI, tmp);

Same comment as the one in SignatureAlgorithm.java.

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/transforms/Transform.java line 237:

> 235:             @SuppressWarnings("deprecation")
> 236:             TransformSpi tmp = implementingClass.newInstance();
> 237:             transformSpiHash.put(algorithmURI, tmp);

Same comment as the one in SignatureAlgorithm.java.

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/XMLUtils.java line 73:

> 71:                                 @SuppressWarnings("deprecation")
> 72:                                 XMLParser tmp = (XMLParser) ClassLoaderUtils.loadClass(xmlParserClass, XMLUtils.class).newInstance();
> 73:                                 return tmp;

Same comment as the one in SignatureAlgorithm.java.

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/ResourceResolver.java line 72:

> 70:         @SuppressWarnings("deprecation")
> 71:         ResourceResolverSpi tmp = resourceResolverClass.newInstance();
> 72:         register(tmp, false);

Same comment as the one in SignatureAlgorithm.java.

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/ResourceResolver.java line 93:

> 91:         @SuppressWarnings("deprecation")
> 92:         ResourceResolverSpi tmp = resourceResolverClass.newInstance();
> 93:         register(tmp, true);

Same comment as the one in SignatureAlgorithm.java.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1206
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0 [v2]

Weijun Wang-2
On Sun, 10 Jan 2021 04:55:38 GMT, Xue-Lei Andrew Fan <[hidden email]> wrote:

>> Weijun Wang has refreshed the contents of this pull request, and previous commits have been removed. The incremental views will show differences compared to the previous content of the PR.
>
> src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/algorithms/SignatureAlgorithm.java line 196:
>
>> 194:             @SuppressWarnings("deprecation")
>> 195:             SignatureAlgorithmSpi result = implementingClass.newInstance();
>> 196:             return result;
>
> A IDE may have a warning for the result value as it is not really necessary, except for the suppress warnings.  Maybe, the @SuppressWarings could be placed in the method level.  Just for your reference, go ahead with your preference.

I am using IntelliJ and there is not such a warning. I chose this style because that exactly where the suppressed warning happens and I don't want a reader to search for it.

That said, I'm now thinking of updating the `newInstance()` call with `getDeclaredConstructor().newInstance()`, as suggested by the `@deprecated` section of `newInstance()`. I'll also update to 2021.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1206
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0 [v3]

Weijun Wang-2
In reply to this post by Weijun Wang-2
> This is a multi-commits PR that upgrades xmldsig to be equivalent to Santuario 2.2.0.
>
> The first step is an auto-import. The JDK implementation is removed first and Santuario code are imported. Some unrelated files (Ex: encryption) are removed, and package names are renamed to be internal. There are also some bulk changes on company name, comment style, and white spaces.
>
> Next steps are patches applied by JDK. Some are old patches before the last import. Some are new.
>
> Several tests need to be updated because of internal method signature changes.
>
> The "Support RSA-PSS with parameters" commit introduces a new public API and would need a CSR.
>
> The last patch is one we just fixed several days ago.

Weijun Wang has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 13 additional commits since the last revision:

 - No more newInstance calls
 - Support RSA-PSS with parameters
 - Reapply 8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()
 - Fix test failures
 - Supporting named RSASSA-PSS without parameters
 - Reapply 8008744: Rework part of fix for JDK-6741606
 - Reapply 8151893: Add security property to configure XML Signature secure validation mode
   
   Reapply 8140353: Improve signature checking
 - Reapply Reapply 8042967: Add variant of DSA Signature algorithms that do not ASN.1 encode the signature bytes
 - Reapply 8038913: Bolster XML support (Init.java part)
 - Various warnings, the version, and abnormal copyright lines
 - ... and 3 more: https://git.openjdk.java.net/jdk/compare/3ab6657f...f7ee7648

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/1206/files
  - new: https://git.openjdk.java.net/jdk/pull/1206/files/73c73381..f7ee7648

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=1206&range=02
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=1206&range=01-02

  Stats: 124959 lines in 1924 files changed: 67184 ins; 45132 del; 12643 mod
  Patch: https://git.openjdk.java.net/jdk/pull/1206.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/1206/head:pull/1206

PR: https://git.openjdk.java.net/jdk/pull/1206
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0 [v3]

Weijun Wang-2
In reply to this post by Xue-Lei Andrew Fan
On Sun, 10 Jan 2021 05:17:23 GMT, Xue-Lei Andrew Fan <[hidden email]> wrote:

>> Weijun Wang has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 13 commits:
>>
>>  - No more newInstance calls
>>  - Support RSA-PSS with parameters
>>  - Reapply 8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()
>>  - Fix test failures
>>  - Supporting named RSASSA-PSS without parameters
>>  - Reapply 8008744: Rework part of fix for JDK-6741606
>>  - Reapply 8151893: Add security property to configure XML Signature secure validation mode
>>    
>>    Reapply 8140353: Improve signature checking
>>  - Reapply Reapply 8042967: Add variant of DSA Signature algorithms that do not ASN.1 encode the signature bytes
>>  - Reapply 8038913: Bolster XML support (Init.java part)
>>  - Various warnings, the version, and abnormal copyright lines
>>  - ... and 3 more: https://git.openjdk.java.net/jdk/compare/19bade02...f7ee7648
>
> Marked as reviewed by xuelei (Reviewer).

I've force pushed a new series of commits from scratch. The difference:

1. The `s/Portions copyright/Copyright/` change is inside auto import.
2. Some `s/Sun Microsystems/Oracle/` change in auto import
3. No more deprecated `newInstance()` calls, a new (the last one) commit is created for this

-------------

PR: https://git.openjdk.java.net/jdk/pull/1206
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0 [v3]

Weijun Wang-2
On Mon, 11 Jan 2021 17:31:38 GMT, Weijun Wang <[hidden email]> wrote:

>> Marked as reviewed by xuelei (Reviewer).
>
> I've force pushed a new series of commits from scratch. The difference:
>
> 1. The `s/Portions copyright/Copyright/` change is inside auto import.
> 2. Some `s/Sun Microsystems/Oracle/` change in auto import
> 3. No more deprecated `newInstance()` calls, a new (the last one) commit is created for this

A CSR at https://bugs.openjdk.java.net/browse/JDK-8259575 is created. I'll remember to update the `@since 16` in source to 17 some time.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1206
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0 [v4]

Weijun Wang-2
In reply to this post by Weijun Wang-2
> This is a multi-commits PR that upgrades xmldsig to be equivalent to Santuario 2.2.0.
>
> The first step is an auto-import. The JDK implementation is removed first and Santuario code are imported. Some unrelated files (Ex: encryption) are removed, and package names are renamed to be internal. There are also some bulk changes on company name, comment style, and white spaces.
>
> Next steps are patches applied by JDK. Some are old patches before the last import. Some are new.
>
> Several tests need to be updated because of internal method signature changes.
>
> The "Support RSA-PSS with parameters" commit introduces a new public API and would need a CSR.
>
> The last patch is one we just fixed several days ago.

Weijun Wang has refreshed the contents of this pull request, and previous commits have been removed. The incremental views will show differences compared to the previous content of the PR. The pull request contains two new commits since the last revision:

 - Support RSA-PSS with parameters
   
   Header from folded patch '17':
   
   since 17
   
   Header from folded patch 'pss-policy':
   
   Restrict digest algorithms used inside PSSParameterSpec
 - No more newInstance calls

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/1206/files
  - new: https://git.openjdk.java.net/jdk/pull/1206/files/f7ee7648..a79df58e

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=1206&range=03
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=1206&range=02-03

  Stats: 496 lines in 7 files changed: 462 ins; 25 del; 9 mod
  Patch: https://git.openjdk.java.net/jdk/pull/1206.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/1206/head:pull/1206

PR: https://git.openjdk.java.net/jdk/pull/1206
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8255255: Update Apache Santuario (XML Signature) to version 2.2.0 [v4]

Weijun Wang-2
In reply to this post by Weijun Wang-2
On Mon, 11 Jan 2021 17:58:03 GMT, Weijun Wang <[hidden email]> wrote:

>> I've force pushed a new series of commits from scratch. The difference:
>>
>> 1. The `s/Portions copyright/Copyright/` change is inside auto import.
>> 2. Some `s/Sun Microsystems/Oracle/` change in auto import
>> 3. No more deprecated `newInstance()` calls, a new (the last one) commit is created for this
>
> A CSR at https://bugs.openjdk.java.net/browse/JDK-8259575 is created. I'll remember to update the `@since 16` in source to 17 some time.

I've refreshed the "Support RSA-PSS with parameters" commit on secureValidation check and added a new test.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1206