8305972: Update XML Security for Java to 3.0.2 #2006
👋 Welcome back goetz! A progress list of the required criteria for merging this PR into
This backport pull request has now been updated with issue from the original commit.
Looking at the files of your change, I find a few 'EDDSA' related ones.
...ava.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/resource/config.xml
that looks strange, is that really intended?
Unless required by applicable law or agreed to in writing,ons.SignatureBaseRSA$SignatureRSASHA3_512MGF1" />
12d0261 to a41cd16
@GoeLin Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.
a41cd16 to 5b27137
@GoeLin Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.
The deleted line in src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
might be restored but otherwise looks okay to me.
src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/AbstractDOMSignatureMethod.java
src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/resource/config.xml
@@ -1020,5 +1020,4 @@ Type getAlgorithmType() { | |||
return Type.ECDSA; | |||
} | |||
} | |||
|
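Review bot: the header (-1020,5 +1020,4) drops one line after the closing braces that follow getAlgorithmType(), and the only line shown here beyond those braces is blank, so this looks like a whitespace-only removal. In a backport that should track the original commit, restore the blank line unless the upstream change removes it as well, so later updates to this file apply cleanly.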
Don't think we need to delete this line, maybe it is a leftover from the removed EDDSA?
Fixed, thanks
@GoeLin This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!
Hi Goetz,
Thanks for proposing this backport.
One minor comment:
- test/jdk/javax/xml/crypto/dsig/GenerationTests.java
- The import of X509Certificate and the definition of x5ks are dead code.
Otherwise, looks good to me. I'll give my approval anyways, as this is a minor comment.
On a final note, I agree with your changes of removing EdDSA code and aligning to the approved CSR. However, I have to say that doing this for 17u does not only prevent users from the enhancement but also increases the maintenance cost as there will be more chances of updates not applying cleanly for the years to come. I would have treated 17u differently than previous releases.
Martin.-
Hi @GoeLin, I assume that in 21u you kept all the (implementation) code except for the public members. If so, I understand the motivations but personally prefer what you proposed for 17u in this PR. It makes the code more clear in terms of what is supported. For example, it would be misleading for someone who looks for "EdDSA" references in the code, finds many —even beyond defines— and assumes that it is supported. This is, of course, at the expense of higher chances of non-clean updates. We have taken this approach in other libraries before such as when we removed the implementation of DTLS in the 8u backport of the TLS engine. Martin.-
Hi @martinuy, I prepared a minimal PR: #2116 that only removes the strings and replaces their usage by the plain strings. The tests pass, our nightly testing passed for this PR, too.
Hi @GoeLin, I personally prefer the approach taken in PR #2006 (here), for the reasons in my previous comment. With that said, I see your motivation. I would be interested in hearing @jerboaa's view on this issue.
From the 17, 11 and 8u CSR:
This suggests that EdDSA support was kept as this bug is about updating a bundled in-tree library from a third party (Apache Santuario). So changes to that third party code should be kept to a minimum, IMO. For JDK 11 and JDK 8 even a third party provider would be needed in order to be able to use EdDSA there. TLDR; Since this is a third-party library code upgrade, I'd suggest to go with #2116 HTH.
Thanks for your help! Closing this PR.
I backport this for parity with 17.0.11-oracle.
The backport was almost clean, except for two trivial resolves due to differences in whitespace in the context.
The change comes with a CSR, which is already approved for 17.
But the CSR requires changes wrt. the original change.
In 17, no EDDSA support is added.
The PR comes with two commits:
Tests pass, SAP nightly testing passed.
Reviewing
Using git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk17u-dev.git pull/2006/head:pull/2006
$ git checkout pull/2006
Update a local copy of the PR:
$ git checkout pull/2006
$ git pull https://git.openjdk.org/jdk17u-dev.git pull/2006/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 2006
View PR using the GUI difftool:
$ git pr show -t 2006
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk17u-dev/pull/2006.diff