Re: [PR] Bump org.gaul:modernizer-maven-plugin from 2.6.0 to 2.8.0 [santuario-xml-security-java]
dependabot[bot] commented on PR #282: URL: https://github.com/apache/santuario-xml-security-java/pull/282#issuecomment-2128394435 Superseded by #324. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@santuario.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Bump org.gaul:modernizer-maven-plugin from 2.6.0 to 2.8.0 [santuario-xml-security-java]
dependabot[bot] closed pull request #282: Bump org.gaul:modernizer-maven-plugin from 2.6.0 to 2.8.0 URL: https://github.com/apache/santuario-xml-security-java/pull/282
[PR] Bump org.gaul:modernizer-maven-plugin from 2.6.0 to 2.9.0 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #324: URL: https://github.com/apache/santuario-xml-security-java/pull/324

Bumps [org.gaul:modernizer-maven-plugin](https://github.com/gaul/modernizer-maven-plugin) from 2.6.0 to 2.9.0.

Release notes

Sourced from [org.gaul:modernizer-maven-plugin's releases](https://github.com/gaul/modernizer-maven-plugin/releases).

Modernizer Maven Plugin 2.9.0

- Upgrade to ASM 9.7
- Revert unneeded Maven core dependency from 3.9.5 to 3.2.5, [#241](https://redirect.github.com/gaul/modernizer-maven-plugin/issues/241)

Thanks [@cstamas](https://github.com/cstamas) for sending pull requests to improve Modernizer!

Modernizer Maven Plugin 2.8.0

- Add m2e hint, [#213](https://redirect.github.com/gaul/modernizer-maven-plugin/issues/213)
- Add support for different output formats and add codeclimate as an output format, [#235](https://redirect.github.com/gaul/modernizer-maven-plugin/issues/235)
- Upgrade to ASM 9.6, [#222](https://redirect.github.com/gaul/modernizer-maven-plugin/issues/222)

Thanks [@hazendaz](https://github.com/hazendaz) and [@themadprofessor](https://github.com/themadprofessor) for sending pull requests to improve Modernizer!

Modernizer Maven Plugin 2.7.0

- Add Enumeration and Stack violations, [#183](https://redirect.github.com/gaul/modernizer-maven-plugin/issues/183), [#185](https://redirect.github.com/gaul/modernizer-maven-plugin/issues/185)
- Upgrade to ASM 9.5 for Java 21 compatibility, [#198](https://redirect.github.com/gaul/modernizer-maven-plugin/issues/198)

Thanks [@delanym](https://github.com/delanym) for sending pull requests to improve Modernizer!

Commits

- 8ddb06e modernizer-maven-plugin 2.9.0 release
- 6da2dee Bump Java requirement to 8
- a1a7687 Bump org.apache.maven.plugins:maven-invoker-plugin from 3.6.0 to 3.6.1
- f1b89c8 Bump commons-codec:commons-codec from 1.16.1 to 1.17.0
- c4e8969 Bump org.apache.maven.plugins:maven-source-plugin from 3.3.0 to 3.3.1
- 95cf270 Bump org.apache.maven.plugin-tools:maven-plugin-annotations
- 195962d Bump org.apache.maven.plugins:maven-gpg-plugin from 3.2.1 to 3.2.2
- 8bf2690 Bump asm.version from 9.6 to 9.7
- 58492bd Bump org.apache.commons:commons-lang3 from 3.13.0 to 3.14.0
- a3ca091 [renormalize] Correct line endings on mvnw.cmd
- Additional commits viewable in [compare view](https://github.com/gaul/modernizer-maven-plugin/compare/modernizer-maven-plugin-2.6.0...modernizer-maven-plugin-2.9.0)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[PR] Bump github/codeql-action from 2.13.4 to 3.25.5 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #323: URL: https://github.com/apache/santuario-xml-security-java/pull/323

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.13.4 to 3.25.5.

Release notes

Sourced from [github/codeql-action's releases](https://github.com/github/codeql-action/releases).

CodeQL Bundle v2.17.3

Bundles CodeQL CLI v2.17.3 ([changelog](https://github.com/github/codeql-cli-binaries/blob/HEAD/CHANGELOG.md), [release](https://github.com/github/codeql-cli-binaries/releases/tag/v2.17.3))

Includes the following CodeQL language packs from [github/codeql@codeql-cli/v2.17.3](https://github.com/github/codeql/tree/codeql-cli/v2.17.3):

- codeql/cpp-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/cpp/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/cpp/ql/src))
- codeql/cpp-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/cpp/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/cpp/ql/lib))
- codeql/csharp-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/csharp/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/csharp/ql/src))
- codeql/csharp-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/csharp/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/csharp/ql/lib))
- codeql/go-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/go/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/go/ql/src))
- codeql/go-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/go/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/go/ql/lib))
- codeql/java-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/java/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/java/ql/src))
- codeql/java-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/java/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/java/ql/lib))
- codeql/javascript-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/javascript/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/javascript/ql/src))
- codeql/javascript-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/javascript/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/javascript/ql/lib))
- codeql/python-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/python/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/python/ql/src))
- codeql/python-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/python/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/python/ql/lib))
- codeql/ruby-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/ruby/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/ruby/ql/src))
- codeql/ruby-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/ruby/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/ruby/ql/lib))
- codeql/swift-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/swift/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/swift/ql/src))
- codeql/swift-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/swift/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/swift/ql/lib))

CodeQL Bundle v2.17.2

Bundles CodeQL CLI v2.17.2 ([changelog](https://github.com/github/codeql-cli-binaries/blob/HEAD/CHANGELOG.md), [release](https://github.com/github/codeql-cli-binaries/releases/tag/v2.17.2))

Includes the following CodeQL language packs from [github/codeql@codeql-cli/v2.17.2](https://github.com/github/codeql/tree/codeql-cli/v2.17.2):

- codeql/cpp-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.2/cpp/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.2/cpp/ql/src))
- codeql/cpp-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.2/cpp/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.2/cpp/ql/lib))
- codeql/csharp-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.2/csharp/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.2/csharp/ql/src))
- codeql/csharp-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.2/csharp/ql/lib/CHANGELOG.md),
[PR] Bump actions/checkout from 4.1.5 to 4.1.6 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #322: URL: https://github.com/apache/santuario-xml-security-java/pull/322

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.5 to 4.1.6.

Release notes

Sourced from [actions/checkout's releases](https://github.com/actions/checkout/releases).

v4.1.6

What's Changed

- Check platform to set archive extension appropriately by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1732](https://redirect.github.com/actions/checkout/pull/1732)
- Update for 4.1.6 release by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1733](https://redirect.github.com/actions/checkout/pull/1733)

Full Changelog: https://github.com/actions/checkout/compare/v4.1.5...v4.1.6

Changelog

Sourced from [actions/checkout's changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md).

Changelog

v4.1.6

- Check platform to set archive extension appropriately by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1732](https://redirect.github.com/actions/checkout/pull/1732)

v4.1.5

- Update NPM dependencies by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1703](https://redirect.github.com/actions/checkout/pull/1703)
- Bump github/codeql-action from 2 to 3 by [@dependabot](https://github.com/dependabot) in [actions/checkout#1694](https://redirect.github.com/actions/checkout/pull/1694)
- Bump actions/setup-node from 1 to 4 by [@dependabot](https://github.com/dependabot) in [actions/checkout#1696](https://redirect.github.com/actions/checkout/pull/1696)
- Bump actions/upload-artifact from 2 to 4 by [@dependabot](https://github.com/dependabot) in [actions/checkout#1695](https://redirect.github.com/actions/checkout/pull/1695)
- README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1707](https://redirect.github.com/actions/checkout/pull/1707)

v4.1.4

- Disable extensions.worktreeConfig when disabling sparse-checkout by [@jww3](https://github.com/jww3) in [actions/checkout#1692](https://redirect.github.com/actions/checkout/pull/1692)
- Add dependabot config by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1688](https://redirect.github.com/actions/checkout/pull/1688)
- Bump the minor-actions-dependencies group with 2 updates by [@dependabot](https://github.com/dependabot) in [actions/checkout#1693](https://redirect.github.com/actions/checkout/pull/1693)
- Bump word-wrap from 1.2.3 to 1.2.5 by [@dependabot](https://github.com/dependabot) in [actions/checkout#1643](https://redirect.github.com/actions/checkout/pull/1643)

v4.1.3

- Check git version before attempting to disable sparse-checkout by [@jww3](https://github.com/jww3) in [actions/checkout#1656](https://redirect.github.com/actions/checkout/pull/1656)
- Add SSH user parameter by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1685](https://redirect.github.com/actions/checkout/pull/1685)
- Update actions/checkout version in update-main-version.yml by [@jww3](https://github.com/jww3) in [actions/checkout#1650](https://redirect.github.com/actions/checkout/pull/1650)

v4.1.2

- Fix: Disable sparse checkout whenever sparse-checkout option is not present [@dscho](https://github.com/dscho) in [actions/checkout#1598](https://redirect.github.com/actions/checkout/pull/1598)

v4.1.1

- Correct link to GitHub Docs by [@peterbe](https://github.com/peterbe) in [actions/checkout#1511](https://redirect.github.com/actions/checkout/pull/1511)
- Link to release page from what's new section by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1514](https://redirect.github.com/actions/checkout/pull/1514)

v4.1.0

- [Add support for partial checkout filters](https://redirect.github.com/actions/checkout/pull/1396)

v4.0.0

- [Support fetching without the --progress option](https://redirect.github.com/actions/checkout/pull/1067)
- [Update to node20](https://redirect.github.com/actions/checkout/pull/1436)

v3.6.0

- [Fix: Mark test scripts with Bash'isms to be run via Bash](https://redirect.github.com/actions/checkout/pull/1377)
- [Add option to fetch tags even if fetch-depth 0](https://redirect.github.com/actions/checkout/pull/579)

v3.5.3

- [Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in](https://redirect.github.com/actions/checkout/pull/1196)
- [Fix typos found by codespell](https://redirect.github.com/actions/checkout/pull/1287)
- [Add support for sparse checkouts](https://redirect.github.com/actions/checkout/pull/1369)

v3.5.2

- [Fix api endpoint for GHES](https://redirect.github.com/actions/checkout/pull/1289)

v3.5.1

... (truncated)

Commits
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#issuecomment-2115123240

> @jrihtarsic Do you need this merged to 3.0.x as well?

@coheigea, yes indeed we would need it in 3.0.x so that we can use the latest feature with current apache/cxf
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
coheigea commented on PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#issuecomment-2115108545 @jrihtarsic Do you need this merged to 3.0.x as well?
Re: [PR] Bump ossf/scorecard-action from 2.3.1 to 2.3.3 [santuario-xml-security-java]
coheigea merged PR #320: URL: https://github.com/apache/santuario-xml-security-java/pull/320
Re: [PR] Bump actions/checkout from 4.1.4 to 4.1.5 [santuario-xml-security-java]
coheigea merged PR #321: URL: https://github.com/apache/santuario-xml-security-java/pull/321
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#issuecomment-2112478786

> > @seanjmullan Is it ready to be merged from your PoV?
>
> Yes, although I think we should try to add the secureValidation mode support before we post the next release.

@seanjmullan I can make the PR for this by the end of the next week. The scope is shortly described here: SANTUARIO-620, please let me know if I should implement anything else.
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
seanjmullan commented on PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#issuecomment-2112457974

> @seanjmullan Is it ready to be merged from your PoV?

Yes, although I think we should try to add the secureValidation mode support before we post the next release.
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1600182025 ## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDF.java: ## 
@@ -0,0 +1,182 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + +import org.apache.xml.security.encryption.XMLCipherUtil; +import org.apache.xml.security.encryption.params.HKDFParams; +import org.apache.xml.security.exceptions.XMLSecurityException; +import org.apache.xml.security.utils.I18n; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import java.nio.ByteBuffer; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; + +import static java.lang.System.Logger.Level.DEBUG; + +/** + * The implementation of the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) + * as defined in https://datatracker.ietf.org/doc/html/rfc5869;>RFC 5869. + * + * The HKDF algorithm is defined as follows: + * + * N = ceil(L/HashLen) + * T = T(1) | T(2) | T(3) | ... | T(N) + * OKM = first L bytes of T + * where: + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) + * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) + * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) + * ... 
+ * + */ +public class HKDF implements DerivationAlgorithm { + + +private static final System.Logger LOG = System.getLogger(HKDF.class.getName()); + +/** + * Derive a key using the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) + * as defined in https://datatracker.ietf.org/doc/html/rfc5869;>RFC 5869. + * + * @param secret The "shared" secret to use for key derivation + * @param params The key derivation parameters (salt, info, key length, ...) + * @return The derived key of the specified length in bytes defined in the params + * @throws IllegalArgumentException if the parameters are missing + * @throws XMLSecurityException if the hmac hash algorithm is not supported + */ +@Override +public byte[] deriveKey(byte[] secret, HKDFParams params) throws XMLSecurityException { +// check if the parameters are set +if (params == null) { +throw new IllegalArgumentException(I18n.translate("KeyDerivation.MissingParameters")); +} + +String jceAlgorithmName; +try { +jceAlgorithmName = XMLCipherUtil.getJCEMacHashForUri(params.getHmacHashAlgorithm()); +} catch (NoSuchAlgorithmException e) { +throw new XMLSecurityException(e, "KeyDerivation.NotSupportedParameter", new Object[]{params.getHmacHashAlgorithm()}); +} + +byte[] prk = extractKey(jceAlgorithmName, params.getSalt(), secret); +return expandKey(jceAlgorithmName, prk, params.getInfo(), params.getKeyLength()); +} + +/** + * The method "extracts" the pseudo-random key (PRK) based on HMAC-Hash function + * (optional) salt value (a non-secret random value) and the shared secret/input + * keying material (IKM). + * Calculation of the extracted key: + * PRK = HMAC-Hash(salt, IKM) + * + * @param jceAlgorithmName the java JCE HMAC algorithm name to use for key derivation + * (e.g. 
HmacSHA256, HmacSHA384, HmacSHA512) + * @param salt the optional salt value (a non-secret random value); + * @param secret the shared secret/input keying material (IKM) to use for + * key derivation + * @return the pseudo-random key bytes + * @throws XMLSecurityException if the jceAlgorithmName is not supported + */ +public byte[] extractKey(String jceAlgorithmName, byte[] salt, byte[] secret) throws XMLSecurityException { +Mac hMac = initHMac(jceAlgorithmName, salt, true); +hMac.reset(); +return hMac.doFinal(secret); +} + +/** + * The method inits Hash-MAC with given PRK (as salt) and output OKM is calculated as follows: + * + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) +
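Review bot: deriveKey() rejects a null params but passes secret unchecked to extractKey(), where it goes straight into hMac.doFinal(secret). Reject a null or zero-length secret at the top of deriveKey(), next to the params check, so that a missing shared secret fails with a clear error instead of reaching the MAC. The Javadoc line `@throws IllegalArgumentException if the parameters are missing` could then cover both cases.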
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
seanjmullan commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1599989548 ## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDF.java: ## 
@@ -0,0 +1,182 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + +import org.apache.xml.security.encryption.XMLCipherUtil; +import org.apache.xml.security.encryption.params.HKDFParams; +import org.apache.xml.security.exceptions.XMLSecurityException; +import org.apache.xml.security.utils.I18n; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import java.nio.ByteBuffer; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; + +import static java.lang.System.Logger.Level.DEBUG; + +/** + * The implementation of the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) + * as defined in https://datatracker.ietf.org/doc/html/rfc5869;>RFC 5869. + * + * The HKDF algorithm is defined as follows: + * + * N = ceil(L/HashLen) + * T = T(1) | T(2) | T(3) | ... | T(N) + * OKM = first L bytes of T + * where: + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) + * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) + * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) + * ... 
+ * + */ +public class HKDF implements DerivationAlgorithm { + + +private static final System.Logger LOG = System.getLogger(HKDF.class.getName()); + +/** + * Derive a key using the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) + * as defined in https://datatracker.ietf.org/doc/html/rfc5869;>RFC 5869. + * + * @param secret The "shared" secret to use for key derivation + * @param params The key derivation parameters (salt, info, key length, ...) + * @return The derived key of the specified length in bytes defined in the params + * @throws IllegalArgumentException if the parameters are missing + * @throws XMLSecurityException if the hmac hash algorithm is not supported + */ +@Override +public byte[] deriveKey(byte[] secret, HKDFParams params) throws XMLSecurityException { +// check if the parameters are set +if (params == null) { +throw new IllegalArgumentException(I18n.translate("KeyDerivation.MissingParameters")); +} + +String jceAlgorithmName; +try { +jceAlgorithmName = XMLCipherUtil.getJCEMacHashForUri(params.getHmacHashAlgorithm()); +} catch (NoSuchAlgorithmException e) { +throw new XMLSecurityException(e, "KeyDerivation.NotSupportedParameter", new Object[]{params.getHmacHashAlgorithm()}); +} + +byte[] prk = extractKey(jceAlgorithmName, params.getSalt(), secret); +return expandKey(jceAlgorithmName, prk, params.getInfo(), params.getKeyLength()); +} + +/** + * The method "extracts" the pseudo-random key (PRK) based on HMAC-Hash function + * (optional) salt value (a non-secret random value) and the shared secret/input + * keying material (IKM). + * Calculation of the extracted key: + * PRK = HMAC-Hash(salt, IKM) + * + * @param jceAlgorithmName the java JCE HMAC algorithm name to use for key derivation + * (e.g. 
HmacSHA256, HmacSHA384, HmacSHA512) + * @param salt the optional salt value (a non-secret random value); + * @param secret the shared secret/input keying material (IKM) to use for + * key derivation + * @return the pseudo-random key bytes + * @throws XMLSecurityException if the jceAlgorithmName is not supported + */ +public byte[] extractKey(String jceAlgorithmName, byte[] salt, byte[] secret) throws XMLSecurityException { +Mac hMac = initHMac(jceAlgorithmName, salt, true); +hMac.reset(); +return hMac.doFinal(secret); +} + +/** + * The method inits Hash-MAC with given PRK (as salt) and output OKM is calculated as follows: + * + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) +
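Review bot: In extractKey(), the hMac.reset() call directly after initHMac(jceAlgorithmName, salt, true) is redundant, since nothing has been fed to the Mac at that point; dropping it leaves `return hMac.doFinal(secret);`. The Javadoc calls salt optional, so the @param should also say what a null or empty salt means here (RFC 5869 defines the default as HashLen zero bytes), because that handling sits in initHMac(), outside the lines shown.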
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1598354663 ## src/main/java/org/apache/xml/security/utils/KeyUtils.java: ## 
@@ -247,34 +245,76 @@ } } - /** - * Derive a key encryption key from a shared secret and keyDerivationParameter. Currently only the ConcatKDF is supported. + * Derive a key encryption key from a shared secret and keyDerivationParameter. + * Currently only the ConcatKDF and HMAC-base Extract-and-Expand Key Derivation + * Function (HKDF) are supported. + * * @param sharedSecret the shared secret * @param keyDerivationParameter the key derivation parameters * @return the derived key encryption key + * @throws IllegalArgumentException if the keyDerivationParameter is null * @throws XMLSecurityException if the key derivation algorithm is not supported */ public static byte[] deriveKeyEncryptionKey(byte[] sharedSecret, KeyDerivationParameters keyDerivationParameter) throws XMLSecurityException { -int iKeySize = keyDerivationParameter.getKeyBitLength()/8; + +if (keyDerivationParameter == null) { +throw new IllegalArgumentException(I18n.translate("KeyDerivation.MissingParameters")); +} + String keyDerivationAlgorithm = keyDerivationParameter.getAlgorithm(); -if (!EncryptionConstants.ALGO_ID_KEYDERIVATION_CONCATKDF.equals(keyDerivationAlgorithm)) { -throw new XMLEncryptionException( "unknownAlgorithm", -keyDerivationAlgorithm); +if (keyDerivationParameter instanceof HKDFParams) { +return deriveKeyEncryptionKey(sharedSecret, (HKDFParams) keyDerivationParameter); +} else if (keyDerivationParameter instanceof ConcatKDFParams) { +return deriveKeyEncryptionKey(sharedSecret, (ConcatKDFParams) keyDerivationParameter); +} + +throw new XMLEncryptionException("KeyDerivation.UnsupportedAlgorithm", keyDerivationAlgorithm, +keyDerivationParameter.getClass().getName()); +} + +/** + * Derive a key using the HMAC-based Extract-and-Expand Key Derivation + * Function (HKDF) with implementation instance {@link HKDFParams}. + * + * @param sharedSecret the shared secret + * @param hkdfParameter the HKDF parameters + * @return the derived key encryption key. 
+ * @throws XMLSecurityException if the key derivation parameters are invalid or + * the hmac algorithm is not supported. + */ +public static byte[] deriveKeyEncryptionKey(byte[] sharedSecret, HKDFParams hkdfParameter) Review Comment: Method renamed ## src/main/java/org/apache/xml/security/utils/KeyUtils.java: ## 
@@ -247,34 +245,76 @@ } } - /** - * Derive a key encryption key from a shared secret and keyDerivationParameter. Currently only the ConcatKDF is supported. + * Derive a key encryption key from a shared secret and keyDerivationParameter. + * Currently only the ConcatKDF and HMAC-base Extract-and-Expand Key Derivation + * Function (HKDF) are supported. + * * @param sharedSecret the shared secret * @param keyDerivationParameter the key derivation parameters * @return the derived key encryption key + * @throws IllegalArgumentException if the keyDerivationParameter is null * @throws XMLSecurityException if the key derivation algorithm is not supported */ public static byte[] deriveKeyEncryptionKey(byte[] sharedSecret, KeyDerivationParameters keyDerivationParameter) throws XMLSecurityException { -int iKeySize = keyDerivationParameter.getKeyBitLength()/8; + +if (keyDerivationParameter == null) { +throw new IllegalArgumentException(I18n.translate("KeyDerivation.MissingParameters")); +} + String keyDerivationAlgorithm = keyDerivationParameter.getAlgorithm(); -if (!EncryptionConstants.ALGO_ID_KEYDERIVATION_CONCATKDF.equals(keyDerivationAlgorithm)) { -throw new XMLEncryptionException( "unknownAlgorithm", -keyDerivationAlgorithm); +if (keyDerivationParameter instanceof HKDFParams) { +return deriveKeyEncryptionKey(sharedSecret, (HKDFParams) keyDerivationParameter); +} else if (keyDerivationParameter instanceof ConcatKDFParams) { +return deriveKeyEncryptionKey(sharedSecret, (ConcatKDFParams) keyDerivationParameter); +} + +throw new XMLEncryptionException("KeyDerivation.UnsupportedAlgorithm", keyDerivationAlgorithm, +keyDerivationParameter.getClass().getName()); +} + +/** + * Derive a key using the HMAC-based Extract-and-Expand Key Derivation + * Function (HKDF) with implementation instance {@link HKDFParams}. + * + * @param sharedSecret the shared secret +
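Review bot: The instanceof dispatch in deriveKeyEncryptionKey(byte[], KeyDerivationParameters) selects the KDF from the Java type alone; keyDerivationAlgorithm is read but used only in the exception message, whereas the removed code compared it with EncryptionConstants.ALGO_ID_KEYDERIVATION_CONCATKDF. Consider checking in each branch that getAlgorithm() matches the URI expected for that parameter class, so a parameter object whose algorithm URI disagrees with its type is rejected instead of being processed with the KDF its class implies. Minor: "HMAC-base" in the Javadoc should read "HMAC-based".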
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#issuecomment-2107386673 The branch is now updated with latest changes from the main, the build after the merge should pass now.
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1598253284 ## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDF.java: ## 
@@ -0,0 +1,182 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + +import org.apache.xml.security.encryption.XMLCipherUtil; +import org.apache.xml.security.encryption.params.HKDFParams; +import org.apache.xml.security.exceptions.XMLSecurityException; +import org.apache.xml.security.utils.I18n; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import java.nio.ByteBuffer; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; + +import static java.lang.System.Logger.Level.DEBUG; + +/** + * The implementation of the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) + * as defined in https://datatracker.ietf.org/doc/html/rfc5869;>RFC 5869. + * + * The HKDF algorithm is defined as follows: + * + * N = ceil(L/HashLen) + * T = T(1) | T(2) | T(3) | ... | T(N) + * OKM = first L bytes of T + * where: + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) + * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) + * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) + * ... 
+ * + */ +public class HKDF implements DerivationAlgorithm { + + +private static final System.Logger LOG = System.getLogger(HKDF.class.getName()); + +/** + * Derive a key using the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) + * as defined in https://datatracker.ietf.org/doc/html/rfc5869;>RFC 5869. + * + * @param secret The "shared" secret to use for key derivation + * @param params The key derivation parameters (salt, info, key length, ...) + * @return The derived key of the specified length in bytes defined in the params + * @throws IllegalArgumentException if the parameters are missing + * @throws XMLSecurityException if the hmac hash algorithm is not supported + */ +@Override +public byte[] deriveKey(byte[] secret, HKDFParams params) throws XMLSecurityException { +// check if the parameters are set +if (params == null) { +throw new IllegalArgumentException(I18n.translate("KeyDerivation.MissingParameters")); +} + +String jceAlgorithmName; +try { +jceAlgorithmName = XMLCipherUtil.getJCEMacHashForUri(params.getHmacHashAlgorithm()); +} catch (NoSuchAlgorithmException e) { +throw new XMLSecurityException(e, "KeyDerivation.NotSupportedParameter", new Object[]{params.getHmacHashAlgorithm()}); +} + +byte[] prk = extractKey(jceAlgorithmName, params.getSalt(), secret); +return expandKey(jceAlgorithmName, prk, params.getInfo(), params.getKeyLength()); +} + +/** + * The method "extracts" the pseudo-random key (PRK) based on HMAC-Hash function + * (optional) salt value (a non-secret random value) and the shared secret/input + * keying material (IKM). + * Calculation of the extracted key: + * PRK = HMAC-Hash(salt, IKM) + * + * @param jceAlgorithmName the java JCE HMAC algorithm name to use for key derivation + * (e.g. 
HmacSHA256, HmacSHA384, HmacSHA512) + * @param salt the optional salt value (a non-secret random value); + * @param secret the shared secret/input keying material (IKM) to use for + * key derivation + * @return the pseudo-random key bytes + * @throws XMLSecurityException if the jceAlgorithmName is not supported + */ +public byte[] extractKey(String jceAlgorithmName, byte[] salt, byte[] secret) throws XMLSecurityException { +Mac hMac = initHMac(jceAlgorithmName, salt, true); +hMac.reset(); +return hMac.doFinal(secret); +} + +/** + * The method inits Hash-MAC with given PRK (as salt) and output OKM is calculated as follows: + * + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) +
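Review bot: in `extractKey`, the `hMac.reset()` call directly after `initHMac(jceAlgorithmName, salt, true)` acts on a Mac that has not yet been fed any input, so it can be dropped, or needs a comment saying why it is there. On the same hunk, `deriveKey` rejects a null `params` with `KeyDerivation.MissingParameters` but passes `secret` to `extractKey` without any check, so a missing shared secret is not reported the same way. The class Javadoc also lists only the expand step (`T(1)` to `T(N)`, `OKM`), while `PRK = HMAC-Hash(salt, IKM)` appears only on `extractKey`; the class comment should describe both steps.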
[PR] Bump actions/checkout from 4.1.4 to 4.1.5 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #321: URL: https://github.com/apache/santuario-xml-security-java/pull/321 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.4 to 4.1.5.

Release notes

Sourced from [actions/checkout's releases](https://github.com/actions/checkout/releases).

v4.1.5

What's Changed

- Update NPM dependencies by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1703](https://redirect.github.com/actions/checkout/pull/1703)
- Bump github/codeql-action from 2 to 3 by [@dependabot](https://github.com/dependabot) in [actions/checkout#1694](https://redirect.github.com/actions/checkout/pull/1694)
- Bump actions/setup-node from 1 to 4 by [@dependabot](https://github.com/dependabot) in [actions/checkout#1696](https://redirect.github.com/actions/checkout/pull/1696)
- Bump actions/upload-artifact from 2 to 4 by [@dependabot](https://github.com/dependabot) in [actions/checkout#1695](https://redirect.github.com/actions/checkout/pull/1695)
- README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1707](https://redirect.github.com/actions/checkout/pull/1707)

Full Changelog: https://github.com/actions/checkout/compare/v4.1.4...v4.1.5

Commits

- [44c2b7a](https://github.com/actions/checkout/commit/44c2b7a8a4ea60a981eaca3cf939b5f4305c123b) README: Suggest user.email to be `41898282+github-actions[bot]@users.norepl...
- [8459bc0](https://github.com/actions/checkout/commit/8459bc0c7e3759cdf591f513d9f141a95fef0a8f) Bump actions/upload-artifact from 2 to 4 ([#1695](https://redirect.github.com/actions/checkout/issues/1695))
- [3f603f6](https://github.com/actions/checkout/commit/3f603f6d5e9f40714f97b2f017aa0df2a443192a) Bump actions/setup-node from 1 to 4 ([#1696](https://redirect.github.com/actions/checkout/issues/1696))
- [fd084cd](https://github.com/actions/checkout/commit/fd084cde189b7b76ec305d52e27be545a0172823) Bump github/codeql-action from 2 to 3 ([#1694](https://redirect.github.com/actions/checkout/issues/1694))
- [9c1e94e](https://github.com/actions/checkout/commit/9c1e94e0ad997d618b6113a2171b055037589028) Update NPM dependencies ([#1703](https://redirect.github.com/actions/checkout/issues/1703))
- See full diff in [compare view](https://github.com/actions/checkout/compare/0ad4b8fadaa221de15dcec353f45205ec38ea70b...44c2b7a8a4ea60a981eaca3cf939b5f4305c123b)
[PR] Bump ossf/scorecard-action from 2.3.1 to 2.3.3 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #320: URL: https://github.com/apache/santuario-xml-security-java/pull/320 Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.1 to 2.3.3.

Release notes

Sourced from [ossf/scorecard-action's releases](https://github.com/ossf/scorecard-action/releases).

v2.3.3

[!NOTE] There is no v2.3.2 release as a step was skipped in the release process. This was fixed and re-released under the v2.3.3 tag

What's Changed

- :seedling: Bump github.com/ossf/scorecard/v4 (v4.13.1) to github.com/ossf/scorecard/v5 (v5.0.0-rc1) by [@spencerschrock](https://github.com/spencerschrock) in [ossf/scorecard-action#1366](https://redirect.github.com/ossf/scorecard-action/pull/1366)
- :seedling: Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 by [@spencerschrock](https://github.com/spencerschrock) in [ossf/scorecard-action#1374](https://redirect.github.com/ossf/scorecard-action/pull/1374)
- :seedling: Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0.20240509182734-7ce860946928 by [@spencerschrock](https://github.com/spencerschrock) in [ossf/scorecard-action#1377](https://redirect.github.com/ossf/scorecard-action/pull/1377)

For a full changelist of what these include, see the [v5.0.0-rc1](https://github.com/ossf/scorecard/releases/tag/v5.0.0-rc1) and [v5.0.0-rc2](https://github.com/ossf/scorecard/releases/tag/v5.0.0-rc2) release notes.

Documentation

- :book: Move token discussion out of main README. by [@spencerschrock](https://github.com/spencerschrock) in [ossf/scorecard-action#1279](https://redirect.github.com/ossf/scorecard-action/pull/1279)
- :book: link to ossf/scorecard workflow instead of maintaining an example by [@spencerschrock](https://github.com/spencerschrock) in [ossf/scorecard-action#1352](https://redirect.github.com/ossf/scorecard-action/pull/1352)
- :book: update api links to new scorecard.dev site by [@spencerschrock](https://github.com/spencerschrock) in [ossf/scorecard-action#1376](https://redirect.github.com/ossf/scorecard-action/pull/1376)

Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.3.1...v2.3.3

Commits

- [dc50aa9](https://github.com/ossf/scorecard-action/commit/dc50aa9510b46c811795eb24b2f1ba02a914e534) :seedling: Bump docker tag for v2.3.3 release ([#1368](https://redirect.github.com/ossf/scorecard-action/issues/1368))
- [8ff5700](https://github.com/ossf/scorecard-action/commit/8ff570017382a0ef795f21f71e519b27a9b5f29e) :seedling: Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0
- [8ba5e73](https://github.com/ossf/scorecard-action/commit/8ba5e73d11a5fd0917494d02ab01dfd7866d2191) update api links to new scorecard.dev site ([#1376](https://redirect.github.com/ossf/scorecard-action/issues/1376))
- [92ddde3](https://github.com/ossf/scorecard-action/commit/92ddde3eaffd7e147638317c023642a6adc8a874) Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 ([#1374](https://redirect.github.com/ossf/scorecard-action/issues/1374))
- [6c55905](https://github.com/ossf/scorecard-action/commit/6c55905542a1ce814c7ec177a96904f5bc74aab5) :seedling: Bump golang.org/x/net from 0.24.0 to 0.25.0 ([#1373](https://redirect.github.com/ossf/scorecard-action/issues/1373))
- [09bb953](https://github.com/ossf/scorecard-action/commit/09bb953b6a0e34c84fb453985435a07cc2baa3a3) :seedling: Bump distroless/base in the docker-images group ([#1372](https://redirect.github.com/ossf/scorecard-action/issues/1372))
- [1511e13](https://github.com/ossf/scorecard-action/commit/1511e1305b9d7e51245388421563264573c77bc7) :seedling: Bump the github-actions group across 1 directory with 6 updates (#...
- [df66cd8](https://github.com/ossf/scorecard-action/commit/df66cd8fd834fab4483ac0031b8d8ff819b62422) :seedling: Bump the docker-images group with 2 updates ([#1370](https://redirect.github.com/ossf/scorecard-action/issues/1370))
- [fad9a3c](https://github.com/ossf/scorecard-action/commit/fad9a3cc533bb069b1f01f272f1f630895cd690a) :seedling: Bump distroless/base in the docker-images group ([#1364](https://redirect.github.com/ossf/scorecard-action/issues/1364))
- [1e01a30](https://github.com/ossf/scorecard-action/commit/1e01a309c1de65b6221c25768bcfc322bac8ccee) :seedling: Bump the github-actions group with 3 updates ([#1365](https://redirect.github.com/ossf/scorecard-action/issues/1365))
- Additional commits viewable in [compare view](https://github.com/ossf/scorecard-action/compare/0864cf19026789058feabb7e87baa5f140aac736...dc50aa9510b46c811795eb24b2f1ba02a914e534)
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
github-advanced-security[bot] commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r159388 ## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDF.java: ## 
@@ -0,0 +1,182 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + +import org.apache.xml.security.encryption.XMLCipherUtil; +import org.apache.xml.security.encryption.params.HKDFParams; +import org.apache.xml.security.exceptions.XMLSecurityException; +import org.apache.xml.security.utils.I18n; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import java.nio.ByteBuffer; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; + +import static java.lang.System.Logger.Level.DEBUG; + +/** + * The implementation of the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) + * as defined in https://datatracker.ietf.org/doc/html/rfc5869;>RFC 5869. + * + * The HKDF algorithm is defined as follows: + * + * N = ceil(L/HashLen) + * T = T(1) | T(2) | T(3) | ... | T(N) + * OKM = first L bytes of T + * where: + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) + * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) + * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) + * ... 
+ * + */ +public class HKDF implements DerivationAlgorithm { + + +private static final System.Logger LOG = System.getLogger(HKDF.class.getName()); + +/** + * Derive a key using the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) + * as defined in https://datatracker.ietf.org/doc/html/rfc5869;>RFC 5869. + * + * @param secret The "shared" secret to use for key derivation + * @param params The key derivation parameters (salt, info, key length, ...) + * @return The derived key of the specified length in bytes defined in the params + * @throws IllegalArgumentException if the parameters are missing + * @throws XMLSecurityException if the hmac hash algorithm is not supported + */ +@Override +public byte[] deriveKey(byte[] secret, HKDFParams params) throws XMLSecurityException { +// check if the parameters are set +if (params == null) { +throw new IllegalArgumentException(I18n.translate("KeyDerivation.MissingParameters")); +} + +String jceAlgorithmName; +try { +jceAlgorithmName = XMLCipherUtil.getJCEMacHashForUri(params.getHmacHashAlgorithm()); +} catch (NoSuchAlgorithmException e) { +throw new XMLSecurityException(e, "KeyDerivation.NotSupportedParameter", new Object[]{params.getHmacHashAlgorithm()}); +} + +byte[] prk = extractKey(jceAlgorithmName, params.getSalt(), secret); +return expandKey(jceAlgorithmName, prk, params.getInfo(), params.getKeyLength()); +} + +/** + * The method "extracts" the pseudo-random key (PRK) based on HMAC-Hash function + * (optional) salt value (a non-secret random value) and the shared secret/input + * keying material (IKM). + * Calculation of the extracted key: + * PRK = HMAC-Hash(salt, IKM) + * + * @param jceAlgorithmName the java JCE HMAC algorithm name to use for key derivation + * (e.g. 
HmacSHA256, HmacSHA384, HmacSHA512) + * @param salt the optional salt value (a non-secret random value); + * @param secret the shared secret/input keying material (IKM) to use for + * key derivation + * @return the pseudo-random key bytes + * @throws XMLSecurityException if the jceAlgorithmName is not supported + */ +public byte[] extractKey(String jceAlgorithmName, byte[] salt, byte[] secret) throws XMLSecurityException { +Mac hMac = initHMac(jceAlgorithmName, salt, true); +hMac.reset(); +return hMac.doFinal(secret); +} + +/** + * The method inits Hash-MAC with given PRK (as salt) and output OKM is calculated as follows: + * + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) |
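Review bot: `deriveKey` hands `params.getKeyLength()` to `expandKey` with no range check in the lines shown; RFC 5869 limits the output length L to 255*HashLen, so an oversized or non-positive length should be rejected with a `KeyDerivation` error, either in `expandKey` or when `HKDFParams` is built. The file also imports `java.lang.System.Logger.Level.DEBUG` and declares `LOG`; any DEBUG statement further down must not print the shared secret, the PRK or the OKM bytes, and a short comment at the logging call saying so would help later reviewers.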
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
coheigea commented on PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#issuecomment-2100372554 @jrihtarsic There is a build error:
```
[INFO] -
Error: COMPILATION ERROR :
[INFO] -
Error: /home/runner/work/santuario-xml-security-java/santuario-xml-security-java/src/test/java/org/apache/xml/security/test/dom/encryption/XMLCipherTest.java:[581,58] ConcatKDFParams(int,java.lang.String) has protected access in org.apache.xml.security.encryption.params.ConcatKDFParams
Error: /home/runner/work/santuario-xml-security-java/santuario-xml-security-java/src/test/java/org/apache/xml/security/test/dom/encryption/XMLEncryption11BrainpoolTest.java:[123,58] ConcatKDFParams(int,java.lang.String) has protected access in org.apache.xml.security.encryption.params.ConcatKDFParams
```
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
coheigea commented on PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#issuecomment-2100369954 @seanjmullan Is it ready to be merged from your PoV?
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1593378838 ## src/main/java/org/apache/xml/security/encryption/XMLCipherUtil.java: ## @@ -274,13 +274,18 @@ public static KeyAgreementParameters constructAgreementParameters(String agreeme * @param keyDerivationMethod element with the key derivation method data * @param keyBitLengthexpected derived key length in bits * @return KeyDerivationParameters data - * @throws XMLSecurityException if the invalid key derivation parameters are provide - * @throws XMLEncryptionException if the invalid key derivation is not supported + * @throws XMLEncryptionException throwen in case if KDFParams cannot be created or the Review Comment: Thanks for the warning about the typo, I fixed the description now.
Re: [PR] [SANTUARIO-614] Tests for the EC Brainpool key types [santuario-xml-security-java]
coheigea merged PR #298: URL: https://github.com/apache/santuario-xml-security-java/pull/298
Re: [PR] Bump advanced-security/maven-dependency-submission-action from 4.0.2 to 4.0.3 [santuario-xml-security-java]
coheigea merged PR #319: URL: https://github.com/apache/santuario-xml-security-java/pull/319
Re: [PR] Bump com.google.errorprone:error_prone_core from 2.27.0 to 2.27.1 [santuario-xml-security-java]
coheigea merged PR #318: URL: https://github.com/apache/santuario-xml-security-java/pull/318
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
seanjmullan commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1592394464 ## src/main/java/org/apache/xml/security/encryption/XMLCipherUtil.java: ## @@ -274,13 +274,18 @@ public static KeyAgreementParameters constructAgreementParameters(String agreeme * @param keyDerivationMethod element with the key derivation method data * @param keyBitLengthexpected derived key length in bits * @return KeyDerivationParameters data - * @throws XMLSecurityException if the invalid key derivation parameters are provide - * @throws XMLEncryptionException if the invalid key derivation is not supported + * @throws XMLEncryptionException throwen in case if KDFParams cannot be created or the Review Comment: typo: "throwen", but I would just remove "thrown in case" as that is implied. Also, a nit but you don't need to end with a period.
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1592359981 ## src/main/java/org/apache/xml/security/encryption/XMLCipherUtil.java: ## @@ -271,93 +272,42 @@ public static KeyAgreementParameters constructAgreementParameters(String agreeme * Construct a KeyDerivationParameter object from the given keyDerivationMethod and keyBitLength * * @param keyDerivationMethod element with the key derivation method data - * @param keyBitLength expected derived key length + * @param keyBitLengthexpected derived key length in bits * @return KeyDerivationParameters data - * @throws XMLSecurityException if the keyDerivationMethod is not supported or invalid parameters are provided + * @throws XMLSecurityException if the invalid key derivation parameters are provide Review Comment: I updated the code now to ensure that only the XMLEncryptionException can be thrown. I made changes to the XMLCipherUtil.constructKeyDerivationParameter method only and retained the XMLSecurityException in the interface KeyDerivationMethod.getKDFParams; because the interface implementation may be used for key derivation functions used for other purposes than just the encryption in the future.
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
seanjmullan commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1583144930 ## src/main/java/org/apache/xml/security/encryption/XMLCipherUtil.java: ## @@ -271,93 +272,42 @@ public static KeyAgreementParameters constructAgreementParameters(String agreeme * Construct a KeyDerivationParameter object from the given keyDerivationMethod and keyBitLength * * @param keyDerivationMethod element with the key derivation method data - * @param keyBitLength expected derived key length + * @param keyBitLengthexpected derived key length in bits * @return KeyDerivationParameters data - * @throws XMLSecurityException if the keyDerivationMethod is not supported or invalid parameters are provided + * @throws XMLSecurityException if the invalid key derivation parameters are provide Review Comment: Can this method still throw XMLSecurityException? Can it throw XMLEncryptionException instead?
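Review bot: the added `@throws XMLSecurityException` line reads "if the invalid key derivation parameters are provide", which is ungrammatical; "if invalid key derivation parameters are provided" says the same thing. The line it replaces also covered the case where the keyDerivationMethod is not supported, so that condition needs to stay documented somewhere in the method's `@throws` clauses.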
[PR] Bump advanced-security/maven-dependency-submission-action from 4.0.2 to 4.0.3 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #319: URL: https://github.com/apache/santuario-xml-security-java/pull/319 Bumps [advanced-security/maven-dependency-submission-action](https://github.com/advanced-security/maven-dependency-submission-action) from 4.0.2 to 4.0.3.

Release notes

Sourced from [advanced-security/maven-dependency-submission-action's releases](https://github.com/advanced-security/maven-dependency-submission-action/releases).

v4.0.3

Updating the build process and tooling for Node 20 support in the CLI executables which were introduced when the dependency-submission-toolkit transitioned in to an ESM module

Fixes [#69](https://redirect.github.com/advanced-security/maven-dependency-submission-action/issues/69) [#61](https://redirect.github.com/advanced-security/maven-dependency-submission-action/issues/61)

Commits

- [5d0f901](https://github.com/advanced-security/maven-dependency-submission-action/commit/5d0f9011b55d6268922128af45275986303459c3) chore: Updating release files
- [b2d3972](https://github.com/advanced-security/maven-dependency-submission-action/commit/b2d39725028b73541b5033a7458f2e72ab7b9b09) 4.0.3
- [fbe856a](https://github.com/advanced-security/maven-dependency-submission-action/commit/fbe856a96b62d446f5054aa24af716829509bdc6) Merge pull request [#74](https://redirect.github.com/advanced-security/maven-dependency-submission-action/issues/74) from advanced-security/cli-fixes
- [720e325](https://github.com/advanced-security/maven-dependency-submission-action/commit/720e32508972ef69fcdd28a24ddab51986d9f9ff) Updating devcontainer base image for Node.js 20 support
- [b014938](https://github.com/advanced-security/maven-dependency-submission-action/commit/b014938af99abb9776541ef309b6dac661233a45) Updating actions workflows
- [c4c9c2a](https://github.com/advanced-security/maven-dependency-submission-action/commit/c4c9c2ae33d8b9b614f8fca02ba0c9f547e1b922) CLI generation fixes to support ESM backed libraries
- See full diff in [compare view](https://github.com/advanced-security/maven-dependency-submission-action/compare/bfd2106013da0957cdede0b6c39fb5ca25ae375e...5d0f9011b55d6268922128af45275986303459c3)
Re: [PR] [SANTUIARIO-614] Tests for the EC Brainpool key types [santuario-xml-security-java]
seanjmullan commented on code in PR #298: URL: https://github.com/apache/santuario-xml-security-java/pull/298#discussion_r1589580667 ## src/test/resources/org/apache/xml/security/samples/input/README.txt: ## Review Comment: I think we should work towards a guideline where we don't accept any more binary files into the source tree, unless there is a very good reason. Binary files are difficult to review, don't fit well with source code repositories and for other reasons, should be discouraged. I have looked at the contents of the `ecbrainpool.p12` file and so I am ok with approving it this time. But for future tests, `keytool` can be used to create certificates and keystores, and supports most common extensions and you can use `ProcessBuilder` to execute it.
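The approach suggested in the review comment above, as an added example (not code from the PR or from Santuario): a test helper that runs the JDK's `keytool` through `ProcessBuilder` to build a throwaway PKCS12 keystore at test time instead of committing a binary `.p12`. The class name, alias, password and DN are constructed, and `-keyalg EC -keysize 256` is an assumption standing in for whatever key type a test needs; Brainpool curves depend on what the installed JDK or provider supports.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;

/** Hypothetical test helper: builds the keystore at test time, so no binary file is committed. */
public class GeneratedTestKeyStore {

    // Constructed fixture values; the password protects nothing but a throwaway test key.
    private static final String ALIAS = "test-ec";
    private static final char[] PASSWORD = "changeit".toCharArray();

    /** Runs the keytool of the JDK executing the test and returns the new PKCS12 file. */
    static Path generate(Path dir) throws IOException, InterruptedException {
        Path keytool = Paths.get(System.getProperty("java.home"), "bin", "keytool");
        Path store = dir.resolve("generated.p12");
        List<String> cmd = Arrays.asList(
            keytool.toString(), "-genkeypair",
            "-alias", ALIAS,
            "-keyalg", "EC", "-keysize", "256",
            "-dname", "CN=Generated Test Key, O=Example",
            "-validity", "1",
            "-storetype", "PKCS12",
            "-keystore", store.toString(),
            "-storepass", new String(PASSWORD),
            "-keypass", new String(PASSWORD));

        // Merge stderr into stdout so a failure message ends up in the exception.
        Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
        p.getOutputStream().close(); // no stdin: keytool must fail rather than prompt
        String output;
        try (InputStream in = p.getInputStream()) {
            output = new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
        if (!p.waitFor(60, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("keytool did not finish: " + output);
        }
        if (p.exitValue() != 0) {
            throw new IOException("keytool exited with " + p.exitValue() + ": " + output);
        }
        return store;
    }

    /** Loads the generated file the same way a test would load a committed .p12. */
    static KeyStore load(Path store) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("generated-keystore");
        Path store = null;
        try {
            store = generate(dir);
            KeyStore ks = load(store);
            PrivateKey key = (PrivateKey) ks.getKey(ALIAS, PASSWORD);
            X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
            cert.verify(cert.getPublicKey()); // self-signed: must verify under its own key
            System.out.println(key.getAlgorithm() + " key, subject "
                + cert.getSubjectX500Principal().getName());
        } finally {
            // Nothing generated here outlives the test run.
            if (store != null) {
                Files.deleteIfExists(store);
            }
            Files.deleteIfExists(dir);
        }
    }
}
```

Because the command line is in the test source, a reviewer can read exactly what goes into the keystore, which is the property the comment asks for.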
Re: [PR] [SANTUARIO-616] enable manual decryption of the EncryptedKey with KeyAgreement [santuario-xml-security-java]
coheigea merged PR #305: URL: https://github.com/apache/santuario-xml-security-java/pull/305
Re: [PR] [SANTUARIO-616] enable manual decryption of the EncryptedKey with KeyAgreement [santuario-xml-security-java]
seanjmullan commented on PR #305: URL: https://github.com/apache/santuario-xml-security-java/pull/305#issuecomment-2091198896 LGTM.
[PR] Bump com.google.errorprone:error_prone_core from 2.27.0 to 2.27.1 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #318: URL: https://github.com/apache/santuario-xml-security-java/pull/318
Bumps [com.google.errorprone:error_prone_core](https://github.com/google/error-prone) from 2.27.0 to 2.27.1.
Release notes, sourced from [com.google.errorprone:error_prone_core's releases](https://github.com/google/error-prone/releases).
Error Prone 2.27.1: This release contains all of the changes in [2.27.0](https://github.com/google/error-prone/releases/tag/v2.27.0), plus a bug fix to [ClassInitializationDeadlock](https://errorprone.info/bugpattern/ClassInitializationDeadlock) ([google/error-prone#4378](https://redirect.github.com/google/error-prone/issues/4378))
Full Changelog: https://github.com/google/error-prone/compare/v2.27.0...v2.27.1
Commits
- [464bb93](https://github.com/google/error-prone/commit/464bb93d292123c750fe107984dcefc6f0905f00) Release Error Prone 2.27.1
- [bc3309a](https://github.com/google/error-prone/commit/bc3309a7dbe95d006ee190fb36f2d654779858d4) Flag comparisons of SomeEnum.valueOf(...) to null.
- [6a8f493](https://github.com/google/error-prone/commit/6a8f4936b20e0a432d73930dac5f78517103af2f) Don't scan into nested enums in ClassInitializationDeadlock
- [c8df502](https://github.com/google/error-prone/commit/c8df502ab7cc8ce16b1a2e53533e7c247eba4a85) Make the logic of detecting at least one allowed usage more explicit.
- See full diff in [compare view](https://github.com/google/error-prone/compare/v2.27.0...v2.27.1)
Re: [PR] Bump actions/upload-artifact from 4.3.2 to 4.3.3 [santuario-xml-security-java]
coheigea merged PR #314: URL: https://github.com/apache/santuario-xml-security-java/pull/314
Re: [PR] Bump com.google.errorprone:error_prone_core from 2.26.1 to 2.27.0 [santuario-xml-security-java]
coheigea merged PR #315: URL: https://github.com/apache/santuario-xml-security-java/pull/315
Re: [PR] Bump actions/checkout from 4.1.3 to 4.1.4 [santuario-xml-security-java]
coheigea merged PR #313: URL: https://github.com/apache/santuario-xml-security-java/pull/313
Re: [PR] Bump commons-codec:commons-codec from 1.16.1 to 1.17.0 [santuario-xml-security-java]
coheigea merged PR #316: URL: https://github.com/apache/santuario-xml-security-java/pull/316
Re: [PR] Bump xmlunit.version from 2.9.1 to 2.10.0 [santuario-xml-security-java]
coheigea merged PR #317: URL: https://github.com/apache/santuario-xml-security-java/pull/317
[PR] Bump xmlunit.version from 2.9.1 to 2.10.0 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #317: URL: https://github.com/apache/santuario-xml-security-java/pull/317
Bumps `xmlunit.version` from 2.9.1 to 2.10.0.
Updates `org.xmlunit:xmlunit-core` from 2.9.1 to 2.10.0
Release notes, sourced from [org.xmlunit:xmlunit-core's releases](https://github.com/xmlunit/xmlunit/releases).
XMLUnit for Java 2.10.0
- add a new ElementSelectors.byNameAndAllAttributes variant that filters attributes before deciding whether elements can be compared. Inspired by Issue [#259](https://redirect.github.com/xmlunit/xmlunit/issues/259)
- By default the TransformerFactorys created will now try to disable extension functions. If you need extension functions for your transformations you may want to pass in your own instance of TransformerFactory and TransformerFactoryConfigurer may help with that. Inspired by Issue [#264](https://redirect.github.com/xmlunit/xmlunit/issues/264)
- JAXPXPathEngine will now try to disable the execution of extension functions by default but uses XPathFactory#setProperty which is not available prior to Java 18. You may want to enable secure processing on an XPathFactory instance you pass to JAXPXPathEngine instead - and XPathFactoryConfigurer may help with that.
Changelog, sourced from [org.xmlunit:xmlunit-core's changelog](https://github.com/xmlunit/xmlunit/blob/main/RELEASE_NOTES.md).
XMLUnit for Java 2.10.0 - /Released 2024-04-28/: same three entries as the release notes above.
Commits
- [33a5d6a](https://github.com/xmlunit/xmlunit/commit/33a5d6a28712878fc1355802571aab074d2145c1) fix release number
- [eceec4a](https://github.com/xmlunit/xmlunit/commit/eceec4ab6f1edce3138e32a12bf3d2e1755ba73b) javadocs
- [75828fd](https://github.com/xmlunit/xmlunit/commit/75828fdc6952da5d8e4ae3ef509d15cfb8f2b728) Create SECURITY.md
- [dcaafe9](https://github.com/xmlunit/xmlunit/commit/dcaafe9174e69d18c9bcf27b9a40862f3bab360a) record extension function changes
- [611f6be](https://github.com/xmlunit/xmlunit/commit/611f6beb4dbce136d4ef608239695b07d7bd7006) try to disable extension functions for XPaths
- [b81d48b](https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b) disable XSLT extension functions by default, add more configurers
- [ba14909](https://github.com/xmlunit/xmlunit/commit/ba149098c97c9c845a0877c905d6b9d84e6568d0) XMLUnit 1.x is no longer maintained
- [cd6731e](https://github.com/xmlunit/xmlunit/commit/cd6731e34ab7f6dbe0c7cf6b22c85af16ac3ff8e) this is going to be a feature release, not a bugfix release
- [c47d390](https://github.com/xmlunit/xmlunit/commit/c47d390d36d81708b9f3ebb196a6c7391198d6c1) record last changes
- [5141915](https://github.com/xmlunit/xmlunit/commit/514191511f2ade5078a4fea02e37d0d281368e78) add byNameAndAllAttributes that uses an attrbute filter
- Additional commits viewable in [compare view](https://github.com/xmlunit/xmlunit/compare/v2.9.1...v2.10.0)
Updates `org.xmlunit:xmlunit-matchers` from 2.9.1 to 2.10.0
Release notes, sourced from [org.xmlunit:xmlunit-matchers's releases](https://github.com/xmlunit/xmlunit/releases).
XMLUnit for Java 2.10.0: the text repeats the `org.xmlunit:xmlunit-core` release notes above.
[PR] Bump commons-codec:commons-codec from 1.16.1 to 1.17.0 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #316: URL: https://github.com/apache/santuario-xml-security-java/pull/316
Bumps [commons-codec:commons-codec](https://github.com/apache/commons-codec) from 1.16.1 to 1.17.0.
Changelog, sourced from [commons-codec:commons-codec's changelog](https://github.com/apache/commons-codec/blob/master/RELEASE-NOTES.txt).
Apache Commons Codec 1.17.0 RELEASE NOTES
The Apache Commons Codec component contains encoders and decoders for various formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities. Feature and fix release. Requires a minimum of Java 8.
New features
- Add override org.apache.commons.codec.language.bm.Rule.PhonemeExpr.size(). Thanks to Gary Gregory.
- Add support for Base64 custom alphabets [#266](https://github.com/apache/commons-codec/issues/266). Thanks to Chris Kocel, Gary Gregory.
- Add Base64.Builder (allows custom alphabets). Thanks to Gary Gregory.
- Add Base32.Builder (allows custom alphabets). Thanks to Gary Gregory.
- Add Base64 support for a custom padding byte (like Base32). Thanks to Gary Gregory.
Fixed Bugs
- CODEC-320: Wrong output of DoubleMetaphone in 1.16.1. Thanks to Martin Frydl, Gary Gregory.
- Optimize memory allocation in PhoneticEngine. Thanks to Gary Gregory.
- BCodec and QCodec encode() methods throw UnsupportedCharsetException instead of EncoderException. Thanks to Gary Gregory.
- Set Javadoc link to latest Java API LTS version. Thanks to Gary Gregory.
- Base32 constructor fails-fast with a NullPointerException if the custom alphabet array is null. Thanks to Gary Gregory.
- Base32 constructor makes a defensive copy of the line separator array. Thanks to Gary Gregory.
- Base64 constructor makes a defensive copy of the line separator array. Thanks to Gary Gregory.
- Base64 constructor makes a defensive copy of a custom alphabet array. Thanks to Gary Gregory.
Changes
- Bump org.apache.commons:commons-parent from 66 to 69 [#250](https://github.com/apache/commons-codec/issues/250), [#261](https://github.com/apache/commons-codec/issues/261). Thanks to Dependabot, Gary Gregory.
- Bump commons-io:commons-io from 2.15.1 to 2.16.1 [#258](https://github.com/apache/commons-codec/issues/258), [#265](https://github.com/apache/commons-codec/issues/265). Thanks to Dependabot, Gary Gregory.
For complete information on Apache Commons Codec, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Codec website: https://commons.apache.org/proper/commons-codec/
Download page: https://commons.apache.org/proper/commons-codec/download_codec.cgi
Commits
- [5d809fe](https://github.com/apache/commons-codec/commit/5d809fe3d729bde9b507a51d2b2ed659da053692) Prepare for the next release candidate
- [9a59c1c](https://github.com/apache/commons-codec/commit/9a59c1c47b02ca795270b758c8d0591f5925b10f) Prepare for the next release candidate
- [5f0cfd4](https://github.com/apache/commons-codec/commit/5f0cfd46c89df69b579f37562ff1eded7ffd4b5c) Longer lines
- [8714b5f](https://github.com/apache/commons-codec/commit/8714b5f62bb5fa5950aa5e8908bd0d8d3334dba5) Remove dead comment
- [c56b956](https://github.com/apache/commons-codec/commit/c56b95664913aab406f768c66f9264481b28c1bb) Bullet-proof internals
- [d2215d5](https://github.com/apache/commons-codec/commit/d2215d5dec3031f819c3bb514587d92a6aec8eff) Base32 constructor fails-fast with a NullPointerException if the custom
- [fcc70e6](https://github.com/apache/commons-codec/commit/fcc70e6fa1271158dd8f3a90350fa2589713f257) Base32 constructor makes a defensive copy of the line separator
- [ebe805a](https://github.com/apache/commons-codec/commit/ebe805a2730ad38886f9f04bd4d242e0a8c9caaa) Base64 constructor makes a defensive copy of a custom alphabet array
- [5504333](https://github.com/apache/commons-codec/commit/55043334240eb2a1838e37ea1c8a6e434d328fdf) Better exception message
- [c6c5f11](https://github.com/apache/commons-codec/commit/c6c5f11eae145d8e8c655e622f0fc5dd74e6db2a) Base64 constructor makes a better defensive copy of the line separator
- Additional commits viewable in [compare view](https://github.com/apache/commons-codec/compare/rel/commons-codec-1.16.1...rel/commons-codec-1.17.0)
[PR] Bump com.google.errorprone:error_prone_core from 2.26.1 to 2.27.0 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #315: URL: https://github.com/apache/santuario-xml-security-java/pull/315
Bumps [com.google.errorprone:error_prone_core](https://github.com/google/error-prone) from 2.26.1 to 2.27.0.
Release notes, sourced from [com.google.errorprone:error_prone_core's releases](https://github.com/google/error-prone/releases).
Error Prone 2.27.0
New checks:
- [ClassInitializationDeadlock](https://errorprone.info/bugpattern/ClassInitializationDeadlock) detects class initializers that reference subtypes of the current class, which can result in deadlocks.
- [MockitoDoSetup](https://errorprone.info/bugpattern/MockitoDoSetup) suggests using when/thenReturn over doReturn/when for additional type safety.
- [VoidUsed](https://errorprone.info/bugpattern/VoidUsed) suggests using a literal null instead of referring to a Void-typed variable.
Modified checks:
- TruthSelfEquals has been renamed and generalized as [SelfAssertion](https://errorprone.info/bugpattern/SelfAssertion)
- [RedundantSetterCall](https://errorprone.info/bugpattern/RedundantSetterCall) has been improved, and enabled as an error by default
Closed issues: [#4291](https://redirect.github.com/google/error-prone/issues/4291), [#4308](https://redirect.github.com/google/error-prone/issues/4308), [#4343](https://redirect.github.com/google/error-prone/issues/4343), [#4320](https://redirect.github.com/google/error-prone/issues/4320)
Full Changelog: https://github.com/google/error-prone/compare/v2.26.1...v2.27.0
Commits
- [ebe0a01](https://github.com/google/error-prone/commit/ebe0a014edf7a50345c3b9e958e876e8a9177f60) Release Error Prone 2.27.0
- [fd9b826](https://github.com/google/error-prone/commit/fd9b826d595cabe56a66c060ce52504cd24630af) Remove a very literal change-detector test, and move the comment to the produ...
- [f289d9e](https://github.com/google/error-prone/commit/f289d9ef8f523ba76b433c5273a539b4e526134f) VoidUsed: flag Void variables being used, where they can simply be repl...
- [3ee6f41](https://github.com/google/error-prone/commit/3ee6f41416ba8007eb7366c7dc644bcf1655f97f) Fix for a crash in RedundantSetterCall.
- [92c106d](https://github.com/google/error-prone/commit/92c106da53f08cf876f2e37c5946e5a8d3c12d29) Encourage when/thenReturn over doReturn/when.
- [07c1a7c](https://github.com/google/error-prone/commit/07c1a7c80b9e3cc0b8c38a3a46b464fda373f5b7) Stop mentioning @Var in[]
- [9d66272](https://github.com/google/error-prone/commit/9d662726ccffcc9e9ec8746f0c2469f825a55ba2) Correction to UseCorrectAssertInTests.
- [a6ab21a](https://github.com/google/error-prone/commit/a6ab21a1ad985820462d3b631ac369415c9630b3) Fix a crash in JUnitIncompatibleType
- [5a7b8d9](https://github.com/google/error-prone/commit/5a7b8d9b41a19aaf6cc917bc295ab5201cc2f328) NearbyCallers: scan the body of expression lambdas.
- [53d787c](https://github.com/google/error-prone/commit/53d787c7803dbb505b83df47c2a535ac9084e97e) Don't suggest ImmutableSet if ImmutableList is unused.
- Additional commits viewable in [compare view](https://github.com/google/error-prone/compare/v2.26.1...v2.27.0)
[PR] Bump actions/upload-artifact from 4.3.2 to 4.3.3 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #314: URL: https://github.com/apache/santuario-xml-security-java/pull/314
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.2 to 4.3.3.
Release notes, sourced from [actions/upload-artifact's releases](https://github.com/actions/upload-artifact/releases).
v4.3.3
What's Changed
- updating @actions/artifact dependency to v2.1.6 by [@eggyhead](https://github.com/eggyhead) in [actions/upload-artifact#565](https://redirect.github.com/actions/upload-artifact/pull/565)
Full Changelog: https://github.com/actions/upload-artifact/compare/v4.3.2...v4.3.3
Commits
- [6546280](https://github.com/actions/upload-artifact/commit/65462800fd760344b1a7b4382951275a0abb4808) updating package version
- [c004fb4](https://github.com/actions/upload-artifact/commit/c004fb4bf6b1e87680ce1b219a3ad0b8e5dfb7ec) Merge branch 'main' into eggyhead/use-artifact-v2.1.6
- [90aba49](https://github.com/actions/upload-artifact/commit/90aba496fcaa311fd7e784d55e568deabe0fa288) updating toolkit artifact dependency to 2.1.6
- [b06cde3](https://github.com/actions/upload-artifact/commit/b06cde36fc32a3ee94080e87258567f73f921537) Merge pull request [#563](https://redirect.github.com/actions/upload-artifact/issues/563) from actions/eggyhead/release-4.3.2
- See full diff in [compare view](https://github.com/actions/upload-artifact/compare/1746f4ab65b179e0ea60a494b83293b640dd5bba...65462800fd760344b1a7b4382951275a0abb4808)
[PR] Bump actions/checkout from 4.1.3 to 4.1.4 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #313: URL: https://github.com/apache/santuario-xml-security-java/pull/313
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.3 to 4.1.4.
Release notes, sourced from [actions/checkout's releases](https://github.com/actions/checkout/releases).
v4.1.4
What's Changed
- Disable extensions.worktreeConfig when disabling sparse-checkout by [@jww3](https://github.com/jww3) in [actions/checkout#1692](https://redirect.github.com/actions/checkout/pull/1692)
- Add dependabot config by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1688](https://redirect.github.com/actions/checkout/pull/1688)
- Bump word-wrap from 1.2.3 to 1.2.5 by [@dependabot](https://github.com/dependabot) in [actions/checkout#1643](https://redirect.github.com/actions/checkout/pull/1643)
- Bump the minor-actions-dependencies group with 2 updates by [@dependabot](https://github.com/dependabot) in [actions/checkout#1693](https://redirect.github.com/actions/checkout/pull/1693)
Full Changelog: https://github.com/actions/checkout/compare/v4.1.3...v4.1.4
Changelog, sourced from [actions/checkout's changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md).
Changelog
v4.1.4
- Disable extensions.worktreeConfig when disabling sparse-checkout by [@jww3](https://github.com/jww3) in [actions/checkout#1692](https://redirect.github.com/actions/checkout/pull/1692)
- Add dependabot config by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1688](https://redirect.github.com/actions/checkout/pull/1688)
- Bump the minor-actions-dependencies group with 2 updates by [@dependabot](https://github.com/dependabot) in [actions/checkout#1693](https://redirect.github.com/actions/checkout/pull/1693)
- Bump word-wrap from 1.2.3 to 1.2.5 by [@dependabot](https://github.com/dependabot) in [actions/checkout#1643](https://redirect.github.com/actions/checkout/pull/1643)
v4.1.3
- Check git version before attempting to disable sparse-checkout by [@jww3](https://github.com/jww3) in [actions/checkout#1656](https://redirect.github.com/actions/checkout/pull/1656)
- Add SSH user parameter by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1685](https://redirect.github.com/actions/checkout/pull/1685)
- Update actions/checkout version in update-main-version.yml by [@jww3](https://github.com/jww3) in [actions/checkout#1650](https://redirect.github.com/actions/checkout/pull/1650)
v4.1.2
- Fix: Disable sparse checkout whenever sparse-checkout option is not present [@dscho](https://github.com/dscho) in [actions/checkout#1598](https://redirect.github.com/actions/checkout/pull/1598)
v4.1.1
- Correct link to GitHub Docs by [@peterbe](https://github.com/peterbe) in [actions/checkout#1511](https://redirect.github.com/actions/checkout/pull/1511)
- Link to release page from what's new section by [@cory-miller](https://github.com/cory-miller) in [actions/checkout#1514](https://redirect.github.com/actions/checkout/pull/1514)
v4.1.0
- [Add support for partial checkout filters](https://redirect.github.com/actions/checkout/pull/1396)
v4.0.0
- [Support fetching without the --progress option](https://redirect.github.com/actions/checkout/pull/1067)
- [Update to node20](https://redirect.github.com/actions/checkout/pull/1436)
v3.6.0
- [Fix: Mark test scripts with Bash'isms to be run via Bash](https://redirect.github.com/actions/checkout/pull/1377)
- [Add option to fetch tags even if fetch-depth 0](https://redirect.github.com/actions/checkout/pull/579)
v3.5.3
- [Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in](https://redirect.github.com/actions/checkout/pull/1196)
- [Fix typos found by codespell](https://redirect.github.com/actions/checkout/pull/1287)
- [Add support for sparse checkouts](https://redirect.github.com/actions/checkout/pull/1369)
v3.5.2
- [Fix api endpoint for GHES](https://redirect.github.com/actions/checkout/pull/1289)
v3.5.1
- [Fix slow checkout on Windows](https://redirect.github.com/actions/checkout/pull/1246)
v3.5.0
- [Add new public key for known_hosts](https://redirect.github.com/actions/checkout/pull/1237)
v3.4.0
- [Upgrade codeql actions to v2](https://redirect.github.com/actions/checkout/pull/1209)
- [Upgrade dependencies](https://redirect.github.com/actions/checkout/pull/1210)
- [Upgrade @actions/io](https://redirect.github.com/actions/checkout/pull/1225)
... (truncated)
Commits
- [0ad4b8f](https://github.com/actions/checkout/commit/0ad4b8fadaa221de15dcec353f45205ec38ea70b) Prep Release v4.1.4 ([#1704](https://redirect.github.com/actions/checkout/issues/1704))
- [43045ae](https://github.com/actions/checkout/commit/43045ae669be728bd34ed56fcd1a230c0dc4d8e2) Disable
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1581874128 ## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/KeyDerivationMethodImpl.java: ## 
@@ -71,29 +73,43 @@ public String getAlgorithm() { return getLocalAttribute(EncryptionConstants._ATT_ALGORITHM); } -public ConcatKDFParamsImpl getConcatKDFParams() throws XMLSecurityException { -if (concatKDFParams != null) { -return concatKDFParams; -} +@Override +public KDFParams getKDFParams() throws XMLSecurityException { -Element concatKDFParamsElement = -XMLUtils.selectXenc11Node(getElement().getFirstChild(), EncryptionConstants._TAG_CONCATKDFPARAMS, 0); +if (kdfParams != null) { +LOG.log(DEBUG, "Returning cached KDFParams"); +return kdfParams; +} -if (concatKDFParamsElement == null) { -return null; +String kdfAlgorithm = getAlgorithm(); +if (EncryptionConstants.ALGO_ID_KEYDERIVATION_CONCATKDF.equals(kdfAlgorithm)) { +Element concatKDFParamsElement = +XMLUtils.selectXenc11Node(getElement().getFirstChild(), +EncryptionConstants._TAG_CONCATKDFPARAMS, 0); +kdfParams = new ConcatKDFParamsImpl(concatKDFParamsElement, getBaseURI()); +} else if (EncryptionConstants.ALGO_ID_KEYDERIVATION_HKDF.equals(kdfAlgorithm)) { +Element hkdfParamsElement = +XMLUtils.selectNode(getElement().getFirstChild(), +Constants.XML_DSIG_NS_MORE_21_04, +EncryptionConstants._TAG_HKDFPARAMS, 0); +kdfParams = new HKDFParamsImpl(hkdfParamsElement, Constants.XML_DSIG_NS_MORE_07_05); } -concatKDFParams = new ConcatKDFParamsImpl(concatKDFParamsElement, getBaseURI()); -return concatKDFParams; +return kdfParams; } -public void setConcatKDFParams(ConcatKDFParamsImpl concatKDFParams) { -this.concatKDFParams = concatKDFParams; -appendSelf(concatKDFParams); -addReturnToSelf(); +public void setKDFParams(KDFParams kdfParams) { Review Comment: Added the validation and if KDF Params are not supported an error is thrown.
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1581874128 ## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/KeyDerivationMethodImpl.java: ## 
@@ -71,29 +73,43 @@ public String getAlgorithm() { return getLocalAttribute(EncryptionConstants._ATT_ALGORITHM); } -public ConcatKDFParamsImpl getConcatKDFParams() throws XMLSecurityException { -if (concatKDFParams != null) { -return concatKDFParams; -} +@Override +public KDFParams getKDFParams() throws XMLSecurityException { -Element concatKDFParamsElement = -XMLUtils.selectXenc11Node(getElement().getFirstChild(), EncryptionConstants._TAG_CONCATKDFPARAMS, 0); +if (kdfParams != null) { +LOG.log(DEBUG, "Returning cached KDFParams"); +return kdfParams; +} -if (concatKDFParamsElement == null) { -return null; +String kdfAlgorithm = getAlgorithm(); +if (EncryptionConstants.ALGO_ID_KEYDERIVATION_CONCATKDF.equals(kdfAlgorithm)) { +Element concatKDFParamsElement = +XMLUtils.selectXenc11Node(getElement().getFirstChild(), +EncryptionConstants._TAG_CONCATKDFPARAMS, 0); +kdfParams = new ConcatKDFParamsImpl(concatKDFParamsElement, getBaseURI()); +} else if (EncryptionConstants.ALGO_ID_KEYDERIVATION_HKDF.equals(kdfAlgorithm)) { +Element hkdfParamsElement = +XMLUtils.selectNode(getElement().getFirstChild(), +Constants.XML_DSIG_NS_MORE_21_04, +EncryptionConstants._TAG_HKDFPARAMS, 0); +kdfParams = new HKDFParamsImpl(hkdfParamsElement, Constants.XML_DSIG_NS_MORE_07_05); } -concatKDFParams = new ConcatKDFParamsImpl(concatKDFParamsElement, getBaseURI()); -return concatKDFParams; +return kdfParams; } -public void setConcatKDFParams(ConcatKDFParamsImpl concatKDFParams) { -this.concatKDFParams = concatKDFParams; -appendSelf(concatKDFParams); -addReturnToSelf(); +public void setKDFParams(KDFParams kdfParams) { Review Comment: Done
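Review bot: in getKDFParams() the removed `if (concatKDFParamsElement == null) { return null; }` guard has no replacement, so the ConcatKDF branch now hands the lookup result straight to `new ConcatKDFParamsImpl(...)` even though the old code shows that result can be null, and the HKDF branch does the same with hkdfParamsElement. Add an explicit check in each branch (return null as before, or throw an XMLSecurityException naming the missing element), and decide what an Algorithm value matching neither branch should do, since it currently falls through and returns null without any log line.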
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1581872323 ## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDF.java: ## 
@@ -0,0 +1,177 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + +import org.apache.xml.security.encryption.XMLCipherUtil; +import org.apache.xml.security.exceptions.XMLSecurityException; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import java.nio.ByteBuffer; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; + +import static java.lang.System.Logger.Level.DEBUG; + +/** + * The implementation of the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as defined in RFC 5869. + * + * The HKDF algorithm is defined as follows: + * + * N = ceil(L/HashLen) + * T = T(1) | T(2) | T(3) | ... | T(N) + * OKM = first L bytes of T + * where: + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) + * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) + * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) + * ... 
+ * + */ +public class HKDF implements DerivationAlgorithm { + +private static final System.Logger LOG = System.getLogger(HKDF.class.getName()); +private final String hmacHashAlgorithmURI; +private final Mac hmac; + +/** + * Constructor HKDF initializes the Mac object with the given algorithmURI and salt. + * + * @param hmacHashAlgorithmURI the Hash algorithm + * @param salt the salt value to initialize the MAC algorithm. + * @throws XMLSecurityException if the key derivation initialization fails for any reason + */ +public HKDF(String hmacHashAlgorithmURI, byte[] salt) throws XMLSecurityException { Review Comment: Done
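Review bot: the constructor Javadoc's @param salt does not say whether a null or zero-length salt is accepted. RFC 5869 makes the salt optional and defines the missing case as HashLen zero bytes, so the comment should state which of those inputs the constructor handles that way and which raise XMLSecurityException. The @param hmacHashAlgorithmURI text could also say that it expects an HMAC algorithm URI rather than "the Hash algorithm".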
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1581872304 ## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDF.java: ## 
@@ -0,0 +1,177 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + +import org.apache.xml.security.encryption.XMLCipherUtil; +import org.apache.xml.security.exceptions.XMLSecurityException; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import java.nio.ByteBuffer; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; + +import static java.lang.System.Logger.Level.DEBUG; + +/** + * The implementation of the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as defined in RFC 5869. + * + * The HKDF algorithm is defined as follows: + * + * N = ceil(L/HashLen) + * T = T(1) | T(2) | T(3) | ... | T(N) + * OKM = first L bytes of T + * where: + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) + * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) + * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) + * ... 
+ * + */ +public class HKDF implements DerivationAlgorithm { + +private static final System.Logger LOG = System.getLogger(HKDF.class.getName()); +private final String hmacHashAlgorithmURI; +private final Mac hmac; + +/** + * Constructor HKDF initializes the Mac object with the given algorithmURI and salt. + * + * @param hmacHashAlgorithmURI the Hash algorithm + * @param salt the salt value to initialize the MAC algorithm. + * @throws XMLSecurityException if the key derivation initialization fails for any reason + */ +public HKDF(String hmacHashAlgorithmURI, byte[] salt) throws XMLSecurityException { +this.hmacHashAlgorithmURI = hmacHashAlgorithmURI; +LOG.log(DEBUG, "Init HmacHash AlgorithmURI: [{}]", hmacHashAlgorithmURI); +hmac = initHMac(salt, true); +} + +/** + * Derives a key from the given secret and info. Method extracts the key and then expands it to the keyLength. + * + * @param secretThe "shared" secret to use for key derivation + * @param info The "info" parameter for key derivation describing purpose or derivation key context + * @param offsetthe starting position in derived keying material of size: offset + keyLength + * @param keyLength The length of the key to derive + * @return the derived key using HKDF for the given parameters. + * @throws XMLSecurityException if the key derivation fails for any reason + */ +@Override +public byte[] deriveKey(byte[] secret, byte[] info, int offset, long keyLength) throws XMLSecurityException { Review Comment: The interface is changed to have a more generic method as suggested in another comment. I will update the WSS4J to use this interface as it can be more easily extended with new key derivation parameters.
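Review bot: the constructor's `LOG.log(DEBUG, "Init HmacHash AlgorithmURI: [{}]", hmacHashAlgorithmURI)` uses an SLF4J-style `{}` placeholder, but System.Logger formats its parameters with java.text.MessageFormat, so the URI is never substituted into the message. Use `[{0}]`, as the existing `"Creating MGF1ParameterSpec for [{0}]"` call in XMLCipherUtil does.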
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1581872000 ## src/main/java/org/apache/xml/security/encryption/params/HKDFParams.java: ## @@ -0,0 +1,76 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.params; + +import org.apache.xml.security.signature.XMLSignature; +import org.apache.xml.security.utils.EncryptionConstants; + +/** + * Class HMacKeyDerivationParameter (HKDF parameter) is used to specify Review Comment: done
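Review bot: the class Javadoc opens with "Class HMacKeyDerivationParameter" although the file is HKDFParams.java. Use the actual class name in the comment so the generated documentation and a text search for HKDFParams land on the same description.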
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1581871542 ## src/main/java/org/apache/xml/security/utils/KeyUtils.java: ## @@ -248,7 +246,6 @@ public static int getAESKeyBitSizeForWrapAlgorithm(String keyWrapAlg) throws XML } } - /** * Derive a key encryption key from a shared secret and keyDerivationParameter. Currently only the ConcatKDF is supported. Review Comment: Good catch, I updated the description
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1581871338 ## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/KeyDerivationMethodImpl.java: ## 
@@ -71,29 +73,43 @@ public String getAlgorithm() { return getLocalAttribute(EncryptionConstants._ATT_ALGORITHM); } -public ConcatKDFParamsImpl getConcatKDFParams() throws XMLSecurityException { -if (concatKDFParams != null) { -return concatKDFParams; -} +@Override +public KDFParams getKDFParams() throws XMLSecurityException { -Element concatKDFParamsElement = -XMLUtils.selectXenc11Node(getElement().getFirstChild(), EncryptionConstants._TAG_CONCATKDFPARAMS, 0); +if (kdfParams != null) { +LOG.log(DEBUG, "Returning cached KDFParams"); +return kdfParams; +} -if (concatKDFParamsElement == null) { -return null; +String kdfAlgorithm = getAlgorithm(); +if (EncryptionConstants.ALGO_ID_KEYDERIVATION_CONCATKDF.equals(kdfAlgorithm)) { +Element concatKDFParamsElement = +XMLUtils.selectXenc11Node(getElement().getFirstChild(), +EncryptionConstants._TAG_CONCATKDFPARAMS, 0); +kdfParams = new ConcatKDFParamsImpl(concatKDFParamsElement, getBaseURI()); +} else if (EncryptionConstants.ALGO_ID_KEYDERIVATION_HKDF.equals(kdfAlgorithm)) { +Element hkdfParamsElement = +XMLUtils.selectNode(getElement().getFirstChild(), +Constants.XML_DSIG_NS_MORE_21_04, +EncryptionConstants._TAG_HKDFPARAMS, 0); +kdfParams = new HKDFParamsImpl(hkdfParamsElement, Constants.XML_DSIG_NS_MORE_07_05); } -concatKDFParams = new ConcatKDFParamsImpl(concatKDFParamsElement, getBaseURI()); -return concatKDFParams; +return kdfParams; Review Comment: Fixed the behavior of the method - to match the description.
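Review bot: the HKDF branch looks up the HKDFParams element in Constants.XML_DSIG_NS_MORE_21_04 but passes Constants.XML_DSIG_NS_MORE_07_05 as the second argument of `new HKDFParamsImpl(...)`, where the ConcatKDF branch passes getBaseURI() in the same position. If that argument is a base URI, pass getBaseURI() here too; if it is meant to be a namespace, it should match the 21_04 constant used for the lookup, otherwise the element is found under one namespace and then interpreted under another.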
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1581870899 ## src/main/java/org/apache/xml/security/encryption/KeyDerivationMethod.java: ## @@ -19,10 +19,15 @@ package org.apache.xml.security.encryption; +import org.apache.xml.security.encryption.keys.content.derivedKey.KDFParams; +import org.apache.xml.security.exceptions.XMLSecurityException; + /** - * The key derivation is to generate new cryptographic key material from existing key material such as the shared - * secret and any other (private or public) information. The purpose of the key derivation is an extension of a given - * but limited set of original key materials and to limit the use (exposure) of such key material. + * The key derivation is to generate new cryptographic key material from existing + * key material such as the shared secret and any other (private or public) + * information. The purpose of the key derivation is an extension of a given + * but limited set of original key materials and to limit the use (exposure) + * of such key material. Review Comment: Indeed it was a bit philosophical :) I updated the class description. Hope it's more readable now.
Re: [PR] Add brainpool curves for EC key generation/cypher (main branch) [santuario-xml-security-java]
seanjmullan commented on code in PR #293: URL: https://github.com/apache/santuario-xml-security-java/pull/293#discussion_r1579643152 ## src/test/java/org/apache/xml/security/test/dom/encryption/XMLCipherBrainpoolTest.java: ## 
@@ -0,0 +1,247 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.test.dom.encryption; + + +import static org.junit.jupiter.api.Assertions.assertEquals; + +import java.io.ByteArrayOutputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.lang.reflect.Constructor; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Paths; +import java.security.Key; +import java.security.KeyPair; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.Provider; +import java.security.PublicKey; +import java.security.Security; +import java.security.spec.AlgorithmParameterSpec; +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; +import javax.crypto.NoSuchPaddingException; +import org.apache.xml.security.algorithms.JCEMapper; +import org.apache.xml.security.algorithms.MessageDigestAlgorithm; +import org.apache.xml.security.c14n.Canonicalizer; +import org.apache.xml.security.encryption.EncryptedData; +import org.apache.xml.security.encryption.EncryptedKey; +import org.apache.xml.security.encryption.XMLCipher; +import 
org.apache.xml.security.encryption.keys.KeyInfoEnc; +import org.apache.xml.security.encryption.params.ConcatKDFParams; +import org.apache.xml.security.encryption.params.KeyAgreementParameters; +import org.apache.xml.security.encryption.params.KeyDerivationParameters; +import org.apache.xml.security.keys.KeyInfo; +import org.apache.xml.security.parser.XMLParserException; +import org.apache.xml.security.testutils.JDKTestUtils; +import org.apache.xml.security.testutils.KeyTestUtils; +import org.apache.xml.security.utils.EncryptionConstants; +import org.apache.xml.security.utils.KeyUtils; +import org.apache.xml.security.utils.XMLUtils; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.Assumptions; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.EnumSource; +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.w3c.dom.Node; + + +/** + * + */ +class XMLCipherBrainpoolTest { + +static { +org.apache.xml.security.Init.init(); +} +private final String documentName; +private final String elementName; +private final String elementIndex; +private final String basedir; +private boolean haveISOPadding; + +private static boolean bcInstalled; + +public XMLCipherBrainpoolTest() throws Exception { +basedir = System.getProperty("basedir","."); +documentName = System.getProperty("org.apache.xml.enc.test.doc", + basedir + "/pom.xml"); +elementName = System.getProperty("org.apache.xml.enc.test.elem", "project"); +elementIndex = System.getProperty("org.apache.xml.enc.test.idx", "0"); + +// Determine if we have ISO 10126 Padding - needed for Bulk AES or +// 3DES encryption + +haveISOPadding = false; +String algorithmId = + JCEMapper.translateURItoJCEID(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128); + +if (algorithmId != null) { +try { +if (Cipher.getInstance(algorithmId) != null) { +haveISOPadding = true; +} +} catch (NoSuchAlgorithmException nsae) { +// +} catch (NoSuchPaddingException nspe) { +// +} +} + 
+// +// If the BouncyCastle provider is not installed, then try to load it +// via reflection. +// +if (Security.getProvider("BC") == null) { +Constructor cons = null; +try { +Class c = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider"); +cons = c.getConstructor(new Class[] {}); +} catch (Exception e) { +//ignore +
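Review bot: in the constructor's padding probe, `Cipher.getInstance(algorithmId) != null` can never be false, because getInstance either returns a Cipher or throws, so the if only hides that haveISOPadding is really set by the absence of an exception. Drop the null comparison and fold the two empty catch blocks into one multi-catch with a comment saying the padding is treated as unavailable. The class Javadoc is also empty (`/** * */`), and `Constructor cons` and `Class c` are raw types that should be `Constructor<?>` and `Class<?>`.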
Re: [PR] Add brainpool curves for EC key generation/cypher (main branch) [santuario-xml-security-java]
seanjmullan commented on PR #293: URL: https://github.com/apache/santuario-xml-security-java/pull/293#issuecomment-2077122293 It would be nice to define the curves in one place. Right now they are duplicated in both DOMKeyValue and ECDSAUtils. If you have time, please consider it.
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1576280611 ## src/main/java/org/apache/xml/security/encryption/XMLCipherUtil.java: ## @@ -140,7 +140,7 @@ public static OAEPParameterSpec constructOAEPParameters( public static MGF1ParameterSpec constructMGF1Parameter(String mgh1AlgorithmURI) { LOG.log(Level.DEBUG, "Creating MGF1ParameterSpec for [{0}]", mgh1AlgorithmURI); if (mgh1AlgorithmURI == null || mgh1AlgorithmURI.isEmpty()) { -LOG.log(Level.WARNING,"MGF1 algorithm URI is null or empty. Using SHA-1 as default."); +LOG.log(Level.WARNING, "MGF1 algorithm URI is null or empty. Using SHA-1 as default."); Review Comment: Created a ticket [SANTUARIO-618](https://issues.apache.org/jira/browse/SANTUARIO-618)
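Review bot: the parameter of constructMGF1Parameter is spelled mgh1AlgorithmURI in the signature and in every use in the context lines, which looks like a typo for mgf1AlgorithmURI. Since this hunk already touches the method for a whitespace fix, rename the parameter in the same change so the name matches the MGF1 algorithm it carries.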
Re: [PR] Bump org.bouncycastle:bcprov-jdk18on from 1.78 to 1.78.1 [santuario-xml-security-java]
coheigea merged PR #310: URL: https://github.com/apache/santuario-xml-security-java/pull/310
Re: [PR] Bump actions/checkout from 4.1.2 to 4.1.3 [santuario-xml-security-java]
coheigea merged PR #311: URL: https://github.com/apache/santuario-xml-security-java/pull/311
Re: [PR] Bump actions/upload-artifact from 4.3.1 to 4.3.2 [santuario-xml-security-java]
coheigea merged PR #312: URL: https://github.com/apache/santuario-xml-security-java/pull/312
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1576234627 ## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDF.java: ## 
@@ -0,0 +1,177 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + +import org.apache.xml.security.encryption.XMLCipherUtil; +import org.apache.xml.security.exceptions.XMLSecurityException; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import java.nio.ByteBuffer; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; + +import static java.lang.System.Logger.Level.DEBUG; + +/** + * The implementation of the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as defined in RFC 5869. + * + * The HKDF algorithm is defined as follows: + * + * N = ceil(L/HashLen) + * T = T(1) | T(2) | T(3) | ... | T(N) + * OKM = first L bytes of T + * where: + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) + * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) + * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) + * ... 
+ * + */ +public class HKDF implements DerivationAlgorithm { + +private static final System.Logger LOG = System.getLogger(HKDF.class.getName()); +private final String hmacHashAlgorithmURI; +private final Mac hmac; + +/** + * Constructor HKDF initializes the Mac object with the given algorithmURI and salt. + * + * @param hmacHashAlgorithmURI the Hash algorithm + * @param salt the salt value to initialize the MAC algorithm. + * @throws XMLSecurityException if the key derivation initialization fails for any reason + */ +public HKDF(String hmacHashAlgorithmURI, byte[] salt) throws XMLSecurityException { +this.hmacHashAlgorithmURI = hmacHashAlgorithmURI; +LOG.log(DEBUG, "Init HmacHash AlgorithmURI: [{}]", hmacHashAlgorithmURI); +hmac = initHMac(salt, true); +} + +/** + * Derives a key from the given secret and info. Method extracts the key and then expands it to the keyLength. + * + * @param secretThe "shared" secret to use for key derivation + * @param info The "info" parameter for key derivation describing purpose or derivation key context + * @param offsetthe starting position in derived keying material of size: offset + keyLength + * @param keyLength The length of the key to derive + * @return the derived key using HKDF for the given parameters. + * @throws XMLSecurityException if the key derivation fails for any reason + */ +@Override +public byte[] deriveKey(byte[] secret, byte[] info, int offset, long keyLength) throws XMLSecurityException { Review Comment: Indeed it is hard to imagine key size to need long type. But the interface for DerivationAlgorithm was taken from ws-wss4 project https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/main/java/org/apache/wss4j/common/derivedKey/DerivationAlgorithm.java The idea behind was to reduce duplication of the code there (wss4j) and use methods from xmlsec .. to make wss4j slimmer/cleaner. Anyhow, will change to int.
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
seanjmullan commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1576208433 ## src/main/java/org/apache/xml/security/encryption/XMLCipherUtil.java: ## @@ -140,7 +140,7 @@ public static OAEPParameterSpec constructOAEPParameters( public static MGF1ParameterSpec constructMGF1Parameter(String mgh1AlgorithmURI) { LOG.log(Level.DEBUG, "Creating MGF1ParameterSpec for [{0}]", mgh1AlgorithmURI); if (mgh1AlgorithmURI == null || mgh1AlgorithmURI.isEmpty()) { -LOG.log(Level.WARNING,"MGF1 algorithm URI is null or empty. Using SHA-1 as default."); +LOG.log(Level.WARNING, "MGF1 algorithm URI is null or empty. Using SHA-1 as default."); Review Comment: I think the XML Encryption recommendation made a mistake to allow defaults for algorithms, but I don't think we need to necessarily adhere to that. That said, this could introduce interop issues if we treat a missing DigestMethod as SHA-256 instead of SHA-1. Instead, we could require the application to always specify the MGF digest method and no longer allow null to be passed in as the parameter. This may be best handled as a separate issue so that all APIs which have defaults are checked - for example, RSA-OAEP also defaults to SHA-1 for the digest algorithm.
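The two options weighed in the comment above, as an added Java example that is not part of the thread or of Santuario's code: a strict lookup that rejects a missing MGF1 URI instead of defaulting, and an RSA-OAEP unwrap that fails when the receiver assumes a different MGF1 digest than the sender used. The class and method names (StrictMgf1Demo, requireMgf1, oaep, unwrap) are hypothetical, the key bytes are constructed, and the URIs are the MGF1 identifiers from XML Encryption 1.1.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

/** Added illustration; names are hypothetical and not Santuario API. */
public class StrictMgf1Demo {

    private static final String NS = "http://www.w3.org/2009/xmlenc11#";

    // MGF1 identifiers defined by XML Encryption 1.1.
    private static final Map<String, MGF1ParameterSpec> MGF1_BY_URI = Map.of(
            NS + "mgf1sha1", MGF1ParameterSpec.SHA1,
            NS + "mgf1sha224", MGF1ParameterSpec.SHA224,
            NS + "mgf1sha256", MGF1ParameterSpec.SHA256,
            NS + "mgf1sha384", MGF1ParameterSpec.SHA384,
            NS + "mgf1sha512", MGF1ParameterSpec.SHA512);

    /** Strict variant: no default, a missing or unknown URI is an error. */
    static MGF1ParameterSpec requireMgf1(String mgf1AlgorithmUri) {
        if (mgf1AlgorithmUri == null || mgf1AlgorithmUri.isEmpty()) {
            throw new IllegalArgumentException("MGF1 algorithm URI must be specified explicitly");
        }
        MGF1ParameterSpec spec = MGF1_BY_URI.get(mgf1AlgorithmUri);
        if (spec == null) {
            throw new IllegalArgumentException("Unsupported MGF1 algorithm URI: " + mgf1AlgorithmUri);
        }
        return spec;
    }

    static OAEPParameterSpec oaep(String digest, String mgf1Uri) {
        return new OAEPParameterSpec(digest, "MGF1", requireMgf1(mgf1Uri), PSource.PSpecified.DEFAULT);
    }

    static byte[] unwrap(PrivateKey key, OAEPParameterSpec spec, byte[] wrapped)
            throws GeneralSecurityException {
        Cipher dec = Cipher.getInstance("RSA/ECB/OAEPPadding");
        dec.init(Cipher.DECRYPT_MODE, key, spec);
        return dec.doFinal(wrapped);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        byte[] cek = new byte[32];
        Arrays.fill(cek, (byte) 0x42); // constructed sample content-encryption key

        // Sender: OAEP digest SHA-256, MGF1 digest SHA-1 (the value the spec default implies).
        Cipher enc = Cipher.getInstance("RSA/ECB/OAEPPadding");
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic(), oaep("SHA-256", NS + "mgf1sha1"));
        byte[] wrapped = enc.doFinal(cek);

        // Receiver using the same MGF1 digest recovers the key.
        byte[] ok = unwrap(kp.getPrivate(), oaep("SHA-256", NS + "mgf1sha1"), wrapped);
        System.out.println("matching MGF1 digest recovers key: " + Arrays.equals(cek, ok));

        // Receiver that silently assumes SHA-256 for a missing MGF element cannot unwrap.
        try {
            unwrap(kp.getPrivate(), oaep("SHA-256", NS + "mgf1sha256"), wrapped);
            System.out.println("unexpected: mismatched MGF1 digest decrypted");
        } catch (BadPaddingException e) {
            System.out.println("mismatched MGF1 digest rejected: " + e.getClass().getSimpleName());
        }

        // Strict API: a missing URI is refused before any cryptographic operation.
        try {
            oaep("SHA-256", null);
        } catch (IllegalArgumentException e) {
            System.out.println("missing MGF1 URI rejected: " + e.getMessage());
        }
    }
}
```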
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
seanjmullan commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1576158626 ## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDF.java: ## 
@@ -0,0 +1,177 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + +import org.apache.xml.security.encryption.XMLCipherUtil; +import org.apache.xml.security.exceptions.XMLSecurityException; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import java.nio.ByteBuffer; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; + +import static java.lang.System.Logger.Level.DEBUG; + +/** + * The implementation of the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as defined in RFC 5869. + * + * The HKDF algorithm is defined as follows: + * + * N = ceil(L/HashLen) + * T = T(1) | T(2) | T(3) | ... | T(N) + * OKM = first L bytes of T + * where: + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) + * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) + * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) + * ... 
+ * + */ +public class HKDF implements DerivationAlgorithm { + +private static final System.Logger LOG = System.getLogger(HKDF.class.getName()); +private final String hmacHashAlgorithmURI; +private final Mac hmac; + +/** + * Constructor HKDF initializes the Mac object with the given algorithmURI and salt. + * + * @param hmacHashAlgorithmURI the Hash algorithm + * @param salt the salt value to initialize the MAC algorithm. + * @throws XMLSecurityException if the key derivation initialization fails for any reason + */ +public HKDF(String hmacHashAlgorithmURI, byte[] salt) throws XMLSecurityException { +this.hmacHashAlgorithmURI = hmacHashAlgorithmURI; +LOG.log(DEBUG, "Init HmacHash AlgorithmURI: [{}]", hmacHashAlgorithmURI); +hmac = initHMac(salt, true); +} + +/** + * Derives a key from the given secret and info. Method extracts the key and then expands it to the keyLength. + * + * @param secretThe "shared" secret to use for key derivation + * @param info The "info" parameter for key derivation describing purpose or derivation key context + * @param offsetthe starting position in derived keying material of size: offset + keyLength + * @param keyLength The length of the key to derive + * @return the derived key using HKDF for the given parameters. + * @throws XMLSecurityException if the key derivation fails for any reason + */ +@Override +public byte[] deriveKey(byte[] secret, byte[] info, int offset, long keyLength) throws XMLSecurityException { Review Comment: Why is `keyLength` a long instead of an int? Do we really think derived keys will be that large? ## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDF.java: ## 
@@ -0,0 +1,177 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + +import org.apache.xml.security.encryption.XMLCipherUtil; +import org.apache.xml.security.exceptions.XMLSecurityException; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import java.nio.ByteBuffer; +import
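Review bot: In the `HKDF` constructor (HKDF.java), `LOG.log(DEBUG, "Init HmacHash AlgorithmURI: [{}]", hmacHashAlgorithmURI)` uses an SLF4J-style `{}` placeholder, but `LOG` is a `System.Logger`, whose parameterized messages follow `java.text.MessageFormat` and need an indexed placeholder, so the URI is not substituted into the message. Use `[{0}]`, as the `"Creating MGF1ParameterSpec for [{0}]"` call in XMLCipherUtil.java does. The `deriveKey` Javadoc should also state the RFC 5869 limit of 255*HashLen on the output length, which here applies to `offset + keyLength`, and say that exceeding it raises `XMLSecurityException`; that bound is also relevant to the question of whether `keyLength` needs to be a `long`.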
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1575668885 ## src/main/java/org/apache/xml/security/encryption/XMLCipherUtil.java: ## @@ -140,7 +140,7 @@ public static OAEPParameterSpec constructOAEPParameters( public static MGF1ParameterSpec constructMGF1Parameter(String mgh1AlgorithmURI) { LOG.log(Level.DEBUG, "Creating MGF1ParameterSpec for [{0}]", mgh1AlgorithmURI); if (mgh1AlgorithmURI == null || mgh1AlgorithmURI.isEmpty()) { -LOG.log(Level.WARNING,"MGF1 algorithm URI is null or empty. Using SHA-1 as default."); +LOG.log(Level.WARNING, "MGF1 algorithm URI is null or empty. Using SHA-1 as default."); Review Comment: Totally agree with the comment. But this would change the existing behavior and may break some "usages" which are following the https://www.w3.org/TR/xmlenc-core1/#sec-RSA-OAEP `The message digest function SHOULD be specified using the Algorithm attribute of the ds:DigestMethod child element of the xenc:EncryptionMethod element. If it is not specified, the default value of SHA1 is to be used. ` @coheigea if you agree I will change this to SHA-256, and I suggest that this is duly noted in the release notes.
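Review bot: In `constructMGF1Parameter` (XMLCipherUtil.java) the parameter is spelled `mgh1AlgorithmURI`, which looks like a typo for `mgf1AlgorithmURI`. Since this hunk already touches the method for a whitespace fix in the WARNING call, rename the parameter in the same change so the signature, the DEBUG message and the null/empty check all read as MGF1.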
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
seanjmullan commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1575198060 ## src/main/java/org/apache/xml/security/encryption/KeyDerivationMethod.java: ## @@ -38,9 +43,21 @@ public interface KeyDerivationMethod { /** - * Returns the algorithm URI of this KeyDerivationMethod. + * Returns the algorithm URI of this KeyDerivationMethod * * @return the algorithm URI of this KeyDerivationMethod */ String getAlgorithm(); + +/** + * Returns the KDF parameters used by the key derivation algorithm. + * Currently supported types are: + * {@link org.apache.xml.security.encryption.params.ConcatKDFParams} and + * {@link org.apache.xml.security.encryption.params.HKDFParams} Review Comment: There should be a period at the end of the sentence here. ## src/main/java/org/apache/xml/security/encryption/KeyDerivationMethod.java: ## @@ -38,9 +43,21 @@ public interface KeyDerivationMethod { /** - * Returns the algorithm URI of this KeyDerivationMethod. + * Returns the algorithm URI of this KeyDerivationMethod Review Comment: There should be a period at the end of the sentence here. ## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/KeyDerivationMethodImpl.java: ## 
@@ -71,29 +73,43 @@ public String getAlgorithm() { return getLocalAttribute(EncryptionConstants._ATT_ALGORITHM); } -public ConcatKDFParamsImpl getConcatKDFParams() throws XMLSecurityException { -if (concatKDFParams != null) { -return concatKDFParams; -} +@Override +public KDFParams getKDFParams() throws XMLSecurityException { -Element concatKDFParamsElement = -XMLUtils.selectXenc11Node(getElement().getFirstChild(), EncryptionConstants._TAG_CONCATKDFPARAMS, 0); +if (kdfParams != null) { +LOG.log(DEBUG, "Returning cached KDFParams"); +return kdfParams; +} -if (concatKDFParamsElement == null) { -return null; +String kdfAlgorithm = getAlgorithm(); +if (EncryptionConstants.ALGO_ID_KEYDERIVATION_CONCATKDF.equals(kdfAlgorithm)) { +Element concatKDFParamsElement = +XMLUtils.selectXenc11Node(getElement().getFirstChild(), +EncryptionConstants._TAG_CONCATKDFPARAMS, 0); +kdfParams = new ConcatKDFParamsImpl(concatKDFParamsElement, getBaseURI()); +} else if (EncryptionConstants.ALGO_ID_KEYDERIVATION_HKDF.equals(kdfAlgorithm)) { +Element hkdfParamsElement = +XMLUtils.selectNode(getElement().getFirstChild(), +Constants.XML_DSIG_NS_MORE_21_04, +EncryptionConstants._TAG_HKDFPARAMS, 0); +kdfParams = new HKDFParamsImpl(hkdfParamsElement, Constants.XML_DSIG_NS_MORE_07_05); } -concatKDFParams = new ConcatKDFParamsImpl(concatKDFParamsElement, getBaseURI()); -return concatKDFParams; +return kdfParams; } -public void setConcatKDFParams(ConcatKDFParamsImpl concatKDFParams) { -this.concatKDFParams = concatKDFParams; -appendSelf(concatKDFParams); -addReturnToSelf(); +public void setKDFParams(KDFParams kdfParams) { Review Comment: Should you check if the KDFParams are of a supported type and throw an Exception if not? ## src/main/java/org/apache/xml/security/utils/KeyUtils.java: ## 
@@ -248,7 +246,6 @@ public static int getAESKeyBitSizeForWrapAlgorithm(String keyWrapAlg) throws XML } } - /** * Derive a key encryption key from a shared secret and keyDerivationParameter. Currently only the ConcatKDF is supported. Review Comment: The second sentence should be updated now that HKDF is also supported. ## src/main/java/org/apache/xml/security/encryption/XMLCipherUtil.java: ## @@ -243,48 +270,55 @@ public static KeyAgreementParameters constructAgreementParameters(String agreeme /** * Construct a KeyDerivationParameter object from the given keyDerivationMethod and keyBitLength * - * @param keyDerivationMethod element to parse - * @param keyBitLengthexpected derived key length - * @return KeyDerivationParameter object - * @throws XMLSecurityException if the keyDerivationMethod is not supported + * @param keyDerivationMethod element with the key derivation method data + * @param keyBitLength expected derived key length + * @return KeyDerivationParameters data + * @throws XMLSecurityException if the keyDerivationMethod is not supported or invalid parameters are provided */ public static KeyDerivationParameters constructKeyDerivationParameter(KeyDerivationMethod keyDerivationMethod, int keyBitLength) throws
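Review bot: In `getKDFParams()` (KeyDerivationMethodImpl.java) the removed `if (concatKDFParamsElement == null) { return null; }` guard has no replacement, so both branches now pass a possibly null element straight into `new ConcatKDFParamsImpl(...)` and `new HKDFParamsImpl(...)` when the KeyDerivationMethod element has no params child. Restore the null check, or throw an `XMLSecurityException` with a clear message, before constructing. In the HKDF branch the element is selected with `Constants.XML_DSIG_NS_MORE_21_04` but the object is built with `Constants.XML_DSIG_NS_MORE_07_05`, whereas the ConcatKDF branch passes `getBaseURI()` in that position; please confirm which value is intended. An algorithm URI that matches neither branch also falls through and returns null without any log line, which is worth either documenting in the Javadoc or turning into an exception.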
[PR] Bump actions/upload-artifact from 4.3.1 to 4.3.2 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #312: URL: https://github.com/apache/santuario-xml-security-java/pull/312
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.1 to 4.3.2.
Release notes, sourced from [actions/upload-artifact's releases](https://github.com/actions/upload-artifact/releases).
v4.3.2, What's Changed:
- Update release-new-action-version.yml by @konradpabjan in actions/upload-artifact#516
- Minor fix to the migration readme by @andrewakim in actions/upload-artifact#523
- Update readme with v3/v2/v1 deprecation notice by @robherley in actions/upload-artifact#561
- updating @actions/artifact dependency to v2.1.5 and @actions/core to v1.0.1 by @eggyhead in actions/upload-artifact#562
New Contributors:
- @andrewakim made their first contribution in actions/upload-artifact#523
Full Changelog: https://github.com/actions/upload-artifact/compare/v4.3.1...v4.3.2
Commits:
- 1746f4a Revert updating to release 4.3.2
- 31685d0 updating to release 4.3.2
- 18bf333 Merge pull request #562 from actions/eggyhead/update-artifact-v215
- dac413b update package lock version
- bb3b4a3 updating package version
- 3e3da83 updating artifact and core dependencies
- e35774f Merge pull request #561 from actions/robherley/deprecation-notice
- e63ea67 Update readme with v3/v2/v1 deprecation notice
- ef09cda Merge pull request #523 from andrewakim/andrewakim/migration-readme-fix
- 00e36f9 Minor fix to the migration readme
Additional commits viewable in [compare view](https://github.com/actions/upload-artifact/compare/5d5d22a31266ced268874388b861e4b58bb5c2f3...1746f4ab65b179e0ea60a494b83293b640dd5bba).
[PR] Bump actions/checkout from 4.1.2 to 4.1.3 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #311: URL: https://github.com/apache/santuario-xml-security-java/pull/311
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.2 to 4.1.3.
Release notes, sourced from [actions/checkout's releases](https://github.com/actions/checkout/releases).
v4.1.3, What's Changed:
- Update actions/checkout version in update-main-version.yml by @jww3 in actions/checkout#1650
- Check git version before attempting to disable sparse-checkout by @jww3 in actions/checkout#1656
- Add SSH user parameter by @cory-miller in actions/checkout#1685
Full Changelog: https://github.com/actions/checkout/compare/v4.1.2...v4.1.3
Commits:
- 1d96c77 Add SSH user parameter (#1685)
- cd7d8d6 Check git version before attempting to disable sparse-checkout (#1656)
- 8410ad0 Update actions/checkout version in update-main-version.yml (#1650)
See full diff in [compare view](https://github.com/actions/checkout/compare/9bb56186c3b09b4f86b1c65136769dd318469633...1d96c772d19495a3b5c517cd2bc0cb401ea0529f).
[PR] Bump org.bouncycastle:bcprov-jdk18on from 1.78 to 1.78.1 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #310: URL: https://github.com/apache/santuario-xml-security-java/pull/310
Bumps [org.bouncycastle:bcprov-jdk18on](https://github.com/bcgit/bc-java) from 1.78 to 1.78.1.
Commits: see full diff in [compare view](https://github.com/bcgit/bc-java/commits).
Re: [PR] Bump org.apache:apache from 31 to 32 [santuario-xml-security-java]
coheigea merged PR #309: URL: https://github.com/apache/santuario-xml-security-java/pull/309
Re: [PR] [SANTUIARIO-614] Tests for the EC Brainpool key types [santuario-xml-security-java]
jrihtarsic commented on PR #298: URL: https://github.com/apache/santuario-xml-security-java/pull/298#issuecomment-2060774819 @coheigea, I am not sure if this helps, but I updated the instructions for generating certificates, now "the instruction" is using openssl because java/keytool doesn't support these EC key types anymore.
[PR] Bump org.apache:apache from 31 to 32 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #309: URL: https://github.com/apache/santuario-xml-security-java/pull/309
Bumps [org.apache:apache](https://github.com/apache/maven-apache-parent) from 31 to 32.
Release notes, sourced from [org.apache:apache's releases](https://github.com/apache/maven-apache-parent/releases).
Apache Parent POM version 32
Improvement:
- [MPOM-264](https://issues.apache.org/jira/browse/MPOM-264) - Parameterize maven-compiler-plugin with parameter release when running on JDK 9+
- [MPOM-452](https://issues.apache.org/jira/browse/MPOM-452) - Apache Parent POM - Use property for Apache Repository IDs
- [MPOM-478](https://issues.apache.org/jira/browse/MPOM-478) - Remove manually maintained history from site
- [MPOM-480](https://issues.apache.org/jira/browse/MPOM-480) - Remove maven-site-plugin:attach-descriptor from ASF parent
- [MPOM-481](https://issues.apache.org/jira/browse/MPOM-481) - Improve description of maven-gpg-plugin settings
- [MPOM-483](https://issues.apache.org/jira/browse/MPOM-483) - Make a separate module for documentation
- [MPOM-486](https://issues.apache.org/jira/browse/MPOM-486) - Enable autoVersionSubmodules for maven-release-plugin
Task:
- [MPOM-467](https://issues.apache.org/jira/browse/MPOM-467) - Remove old property maven.plugin.tools.version
Dependency upgrade:
- [MPOM-456](https://issues.apache.org/jira/browse/MPOM-456) - Bump surefire/failsafe from 3.2.2 to 3.2.5
- [MPOM-457](https://issues.apache.org/jira/browse/MPOM-457) - Bump org.apache.maven.plugins:maven-compiler-plugin from 3.11.0 to 3.13.0
- [MPOM-458](https://issues.apache.org/jira/browse/MPOM-458) - Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.6.2 to 3.6.3
- [MPOM-465](https://issues.apache.org/jira/browse/MPOM-465) - Bump org.apache.maven.plugins:maven-project-info-reports-plugin from 3.4.5 to 3.5.0
- [MPOM-466](https://issues.apache.org/jira/browse/MPOM-466) - Bump org.apache.rat:apache-rat-plugin from 0.15 to 0.16.1
- [MPOM-469](https://issues.apache.org/jira/browse/MPOM-469) - Bump org.apache.maven.plugins:maven-shade-plugin from 3.5.1 to 3.5.2
- [MPOM-470](https://issues.apache.org/jira/browse/MPOM-470) - Bump org.apache.maven.plugins:maven-remote-resources-plugin from 3.1.0 to 3.2.0
- [MPOM-471](https://issues.apache.org/jira/browse/MPOM-471) - Bump org.apache.maven.plugins:maven-assembly-plugin from 3.6.0 to 3.7.1
- [MPOM-472](https://issues.apache.org/jira/browse/MPOM-472) - Bump org.apache.maven.plugins:maven-gpg-plugin from 3.1.0 to 3.2.3
- [MPOM-475](https://issues.apache.org/jira/browse/MPOM-475) - Bump org.apache.maven.plugins:maven-invoker-plugin from 3.6.0 to 3.6.1
- [MPOM-476](https://issues.apache.org/jira/browse/MPOM-476) - Bump version.maven-plugin-tools from 3.10.2 to 3.12.0
- [MPOM-479](https://issues.apache.org/jira/browse/MPOM-479) - Bump org.apache.maven.plugins:maven-source-plugin from 3.3.0 to 3.3.1
- [MPOM-484](https://issues.apache.org/jira/browse/MPOM-484) - Bump org.apache.maven.plugins:maven-jar-plugin from 3.3.0 to 3.4.0
Commits: see full diff in [compare view](https://github.com/apache/maven-apache-parent/commits).
Re: [PR] Bump org.slf4j:slf4j-jdk14 from 2.0.12 to 2.0.13 [santuario-xml-security-java]
coheigea merged PR #308: URL: https://github.com/apache/santuario-xml-security-java/pull/308
[PR] Bump org.slf4j:slf4j-jdk14 from 2.0.12 to 2.0.13 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #308: URL: https://github.com/apache/santuario-xml-security-java/pull/308 Bumps org.slf4j:slf4j-jdk14 from 2.0.12 to 2.0.13.
Re: [PR] [SANTUARIO-616] enable manual decryption of the EncryptedKey with KeyAgreement [santuario-xml-security-java]
seanjmullan commented on PR #305: URL: https://github.com/apache/santuario-xml-security-java/pull/305#issuecomment-2052516342
> LGTM. @seanjmullan please take a look
Sorry been busy with work, etc so the *earliest* I can get to this and other reviews that are pending my review is end of next week sometime.
Re: [PR] [SANTUARIO-616] enable manual decryption of the EncryptedKey with KeyAgreement [santuario-xml-security-java]
jrihtarsic commented on PR #305: URL: https://github.com/apache/santuario-xml-security-java/pull/305#issuecomment-2051938393 The conflicts are resolved now.
Re: [PR] [SANTUIARIO-614] Tests for the EC Brainpool key types [santuario-xml-security-java]
jrihtarsic commented on PR #298: URL: https://github.com/apache/santuario-xml-security-java/pull/298#issuecomment-2051892186 @coheigea The new tests are carried out using the identical "test pattern" employed for other key types. And these tests use the certificates, not just the keys. Is there a particular reason why the keystore approach is not suitable for certificates using this type of key?
Re: [PR] [SANTUARIO-617] remove mgf element in case of rsa-oaep-mgf1p [santuario-xml-security-java]
coheigea merged PR #306: URL: https://github.com/apache/santuario-xml-security-java/pull/306
Re: [PR] Bump org.bouncycastle:bcprov-jdk18on from 1.77 to 1.78 [santuario-xml-security-java]
coheigea merged PR #307: URL: https://github.com/apache/santuario-xml-security-java/pull/307
Re: [PR] [SANTUARIO-611] Add support of ECDSA with SHA3 algorithms [santuario-xml-security-java]
coheigea merged PR #302: URL: https://github.com/apache/santuario-xml-security-java/pull/302
[PR] Bump org.bouncycastle:bcprov-jdk18on from 1.77 to 1.78 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #307: URL: https://github.com/apache/santuario-xml-security-java/pull/307
Bumps [org.bouncycastle:bcprov-jdk18on](https://github.com/bcgit/bc-java) from 1.77 to 1.78.
Changelog, sourced from [org.bouncycastle:bcprov-jdk18on's changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html): 2.1.1 Version Release: 1.78 Date: 2024, 7th April. ... (truncated)
Commits: see full diff in [compare view](https://github.com/bcgit/bc-java/commits).
[PR] [SANTUARIO-617] remove mgf element in case of rsa-oaep-mgf1p [santuario-xml-security-java]
jrihtarsic opened a new pull request, #306: URL: https://github.com/apache/santuario-xml-security-java/pull/306
The santuario/xml library has several options to create a DOM structure or to serialize EncryptionMethod, for example:
XMLCipher.newEncryptionMethod(Element element) {
XMLCipher.EncryptionMethodImpl.getEncryptionMethod()).toElement()
AbstractInternalEncryptionOutputProcessor.createKeyInfoStructure
...
And some of them do not omit the MGF element in case of "rsa-oaep-mgf1p".
The purpose of the PR is to add the missing checks and provide regression tests to verify that the MGF element is omitted in the case of "rsa-oaep-mgf1p".
For details see [SANTUARIO-617](https://issues.apache.org/jira/browse/SANTUARIO-617)
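A check for the condition PR #306 describes, as an added example that is not code from the PR or from Santuario: it scans a document for `EncryptionMethod` elements that use `rsa-oaep-mgf1p` yet still carry an `xenc11:MGF` child. It uses only the JDK DOM API; the class name, method names and sample XML are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example (hypothetical class, not Santuario code). */
public class MgfOmissionCheck {

    static final String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    static final String XENC11_NS = "http://www.w3.org/2009/xmlenc11#";
    // rsa-oaep-mgf1p fixes the mask generation function to MGF1 with SHA-1,
    // so an xenc11:MGF child only belongs under the XML Encryption 1.1
    // rsa-oaep algorithm URI.
    static final String RSA_OAEP_MGF1P = XENC_NS + "rsa-oaep-mgf1p";

    /** Returns one finding per MGF element found under an rsa-oaep-mgf1p EncryptionMethod. */
    static List<String> findUnexpectedMgf(Document doc) {
        List<String> findings = new ArrayList<>();
        NodeList methods = doc.getElementsByTagNameNS(XENC_NS, "EncryptionMethod");
        for (int i = 0; i < methods.getLength(); i++) {
            Element method = (Element) methods.item(i);
            if (!RSA_OAEP_MGF1P.equals(method.getAttribute("Algorithm"))) {
                continue; // other key transport algorithms may legitimately carry MGF
            }
            NodeList mgfs = method.getElementsByTagNameNS(XENC11_NS, "MGF");
            for (int j = 0; j < mgfs.getLength(); j++) {
                Element mgf = (Element) mgfs.item(j);
                findings.add("EncryptionMethod #" + i + " uses rsa-oaep-mgf1p but carries MGF "
                        + mgf.getAttribute("Algorithm"));
            }
        }
        return findings;
    }

    /** Namespace-aware parse with DOCTYPE declarations refused. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Constructed sample input: a minimal EncryptedKey, with or without the MGF child. */
    static String encryptedKey(String algorithm, boolean withMgf) {
        return "<xenc:EncryptedKey xmlns:xenc=\"" + XENC_NS + "\""
                + " xmlns:xenc11=\"" + XENC11_NS + "\""
                + " xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">"
                + "<xenc:EncryptionMethod Algorithm=\"" + algorithm + "\">"
                + "<ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>"
                + (withMgf ? "<xenc11:MGF Algorithm=\"" + XENC11_NS + "mgf1sha256\"/>" : "")
                + "</xenc:EncryptionMethod>"
                + "<xenc:CipherData><xenc:CipherValue>AA==</xenc:CipherValue></xenc:CipherData>"
                + "</xenc:EncryptedKey>";
    }

    public static void main(String[] args) throws Exception {
        String[][] cases = {
            {"rsa-oaep-mgf1p with MGF", encryptedKey(RSA_OAEP_MGF1P, true)},
            {"rsa-oaep-mgf1p without MGF", encryptedKey(RSA_OAEP_MGF1P, false)},
            {"xenc11 rsa-oaep with MGF", encryptedKey(XENC11_NS + "rsa-oaep", true)},
        };
        for (String[] c : cases) {
            List<String> findings = findUnexpectedMgf(parse(c[1]));
            System.out.println(c[0] + ": " + (findings.isEmpty() ? "ok" : findings));
        }
    }
}
```

Only the first constructed case is reported; the same scan can be pointed at the output of each serialization path the PR lists.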
Re: [PR] Bump com.fasterxml.woodstox:woodstox-core from 6.6.1 to 6.6.2 [santuario-xml-security-java]
coheigea merged PR #303: URL: https://github.com/apache/santuario-xml-security-java/pull/303
Re: [PR] Bump org.jacoco:jacoco-maven-plugin from 0.8.11 to 0.8.12 [santuario-xml-security-java]
coheigea merged PR #304: URL: https://github.com/apache/santuario-xml-security-java/pull/304
[PR] Bump org.jacoco:jacoco-maven-plugin from 0.8.11 to 0.8.12 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #304: URL: https://github.com/apache/santuario-xml-security-java/pull/304
Bumps [org.jacoco:jacoco-maven-plugin](https://github.com/jacoco/jacoco) from 0.8.11 to 0.8.12.
Release notes, sourced from [org.jacoco:jacoco-maven-plugin's releases](https://github.com/jacoco/jacoco/releases).
0.8.12
New Features
- JaCoCo now officially supports Java 22 (GitHub [#1596](https://redirect.github.com/jacoco/jacoco/issues/1596)).
- Experimental support for Java 23 class files (GitHub [#1553](https://redirect.github.com/jacoco/jacoco/issues/1553)).
Fixed bugs
- Branches added by the Kotlin compiler for functions with default arguments and having more than 32 parameters are filtered out during generation of report (GitHub [#1556](https://redirect.github.com/jacoco/jacoco/issues/1556)).
- Branch added by the Kotlin compiler version 1.5.0 and above for reading from lateinit property is filtered out during generation of report (GitHub [#1568](https://redirect.github.com/jacoco/jacoco/issues/1568)).
Non-functional Changes
- JaCoCo now depends on ASM 9.7 (GitHub [#1600](https://redirect.github.com/jacoco/jacoco/issues/1600)).
Commits
- dbfb6f2 Prepare release 0.8.12
- a50585b Upgrade maven-plugin-plugin to 3.6.4 ([#1604](https://redirect.github.com/jacoco/jacoco/issues/1604))
- fd63cc5 Configure labels that Dependabot assigns to PRs ([#1603](https://redirect.github.com/jacoco/jacoco/issues/1603))
- 03a5333 Add configuration for Dependabot to simplify updates of ASM ([#1601](https://redirect.github.com/jacoco/jacoco/issues/1601))
- 40ff9fb Upgrade ASM to 9.7 ([#1600](https://redirect.github.com/jacoco/jacoco/issues/1600))
- 9077178 Happy birthday Java 22! ([#1596](https://redirect.github.com/jacoco/jacoco/issues/1596))
- 7edd1b5 Bump actions/setup-java from 4.1.0 to 4.2.1 ([#1594](https://redirect.github.com/jacoco/jacoco/issues/1594))
- e50b547 Upgrade ECJ to 3.37.0 ([#1590](https://redirect.github.com/jacoco/jacoco/issues/1590))
- a1144d0 Upgrade maven-site-plugin to 3.12.1 ([#1586](https://redirect.github.com/jacoco/jacoco/issues/1586))
- 04b0141 Bump actions/setup-java from 4.0.0 to 4.1.0 ([#1587](https://redirect.github.com/jacoco/jacoco/issues/1587))
Additional commits viewable in [compare view](https://github.com/jacoco/jacoco/compare/v0.8.11...v0.8.12)
Re: [PR] [SANTUARIO-611] Add support of ECDSA with SHA3 algorithms [santuario-xml-security-java]
jrihtarsic commented on PR #302: URL: https://github.com/apache/santuario-xml-security-java/pull/302#issuecomment-2024985746
Sure, I added them now (I should already know this by now :) )
For the future tests I created an abstract class `XMLSignatureAbstract` with methods
```
doSignWithJcpApi
assertValidSignatureWithJcpApi
```
I updated the test class `XMLSignatureEdDSATest` with the new method.
And when this PR is merged I can update the test `XMLSignatureBrainpoolTest` in the PR #298
[PR] Bump com.fasterxml.woodstox:woodstox-core from 6.6.1 to 6.6.2 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #303: URL: https://github.com/apache/santuario-xml-security-java/pull/303
Bumps [com.fasterxml.woodstox:woodstox-core](https://github.com/FasterXML/woodstox) from 6.6.1 to 6.6.2.
Commits
- 3bed262 [maven-release-plugin] prepare release woodstox-core-6.6.2
- 06dfc28 Update release notes wrt [#200](https://redirect.github.com/FasterXML/woodstox/issues/200)
- d443171 Fix shading of isorelax ([#200](https://redirect.github.com/FasterXML/woodstox/issues/200)). ([#202](https://redirect.github.com/FasterXML/woodstox/issues/202))
- ef10fdc Fix indentation of test class (remove tabs)
- 4a25647 Update oss-parent ref
- 85551aa [maven-release-plugin] prepare for next development iteration
See full diff in [compare view](https://github.com/FasterXML/woodstox/compare/woodstox-core-6.6.1...woodstox-core-6.6.2)
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1537411909 ## src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties: ## @@ -111,7 +111,9 @@ KeyStore.registerStore.register = Registration error for type {0} KeyValue.IllegalArgument = Cannot create a {0} from {1} KeyDerivation.TooShortParameter = Key derivation parameter {0} is too short KeyDerivation.InvalidParameter = Key derivation parameter {0} is illegal +KeyDerivation.InvalidParametersType = Algorithm {0} requires key derivation parameters of type {1} to be provided. Review Comment: Done
[PR] [SANTUARIO-611] Add support of ECDSA with SHA3 algorithms [santuario-xml-security-java]
jrihtarsic opened a new pull request, #302: URL: https://github.com/apache/santuario-xml-security-java/pull/302 Added support for ECDSA SHA3 signatures: For details see the ticket: [SANTUARIO-611](https://issues.apache.org/jira/browse/SANTUARIO-611)
Re: [PR] Bump org.cyclonedx:cyclonedx-maven-plugin from 2.7.11 to 2.8.0 [santuario-xml-security-java]
coheigea merged PR #301: URL: https://github.com/apache/santuario-xml-security-java/pull/301
Re: [PR] Bump actions/cache from 4.0.1 to 4.0.2 [santuario-xml-security-java]
coheigea merged PR #300: URL: https://github.com/apache/santuario-xml-security-java/pull/300
[PR] Bump org.cyclonedx:cyclonedx-maven-plugin from 2.7.11 to 2.8.0 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #301: URL: https://github.com/apache/santuario-xml-security-java/pull/301
Bumps [org.cyclonedx:cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin) from 2.7.11 to 2.8.0.
Release notes, sourced from [org.cyclonedx:cyclonedx-maven-plugin's releases](https://github.com/CycloneDX/cyclonedx-maven-plugin/releases).
2.8.0
- Update CycloneDX Description Text ([#461](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/461)) [@msymons](https://github.com/msymons)
New features and improvements
- convert external reference type by value instead of CONSTANT_NAME ([#480](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/480)) [@hboutemy](https://github.com/hboutemy)
- distribution-intake external reference is more accurate ([#477](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/477)) [@hboutemy](https://github.com/hboutemy)
- add 'build' lifecycle when CDX 1.5 ([#462](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/462)) [@hboutemy](https://github.com/hboutemy)
- document SBOM external references ([#459](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/459)) [@hboutemy](https://github.com/hboutemy)
- improve site generation ([#458](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/458)) [@hboutemy](https://github.com/hboutemy)
- upgrade to CycloneDX 1.5 ([#457](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/457)) [@hboutemy](https://github.com/hboutemy)
Bug Fixes
- check if configured schemaVersion is supported ([#479](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/479)) [@hboutemy](https://github.com/hboutemy)
Dependency updates
- Bump org.apache.maven.plugins:maven-compiler-plugin from 3.12.1 to 3.13.0 ([#478](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/478)) [@dependabot](https://github.com/dependabot)
- Bump actions/checkout from 4.1.1 to 4.1.2 ([#474](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/474)) [@dependabot](https://github.com/dependabot)
- Bump org.apache.commons:commons-compress from 1.24.0 to 1.26.0 in /src/it/makeAggregateBom/util ([#468](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/468)) [@dependabot](https://github.com/dependabot)
- Bump org.junit:junit-bom from 5.10.1 to 5.10.2 ([#465](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/465)) [@dependabot](https://github.com/dependabot)
- Bump release-drafter/release-drafter from 5 to 6 ([#464](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/464)) [@dependabot](https://github.com/dependabot)
- Bump commons-codec:commons-codec from 1.16.0 to 1.16.1 ([#466](https://redirect.github.com/CycloneDX/cyclonedx-maven-plugin/pull/466)) [@dependabot](https://github.com/dependabot)
Commits
- 90e3817 [maven-release-plugin] prepare release cyclonedx-maven-plugin-2.8.0
- eed838e convert external reference type by value instead of default CONSTANT_NAME
- 3fd83bf Bump org.apache.maven.plugins:maven-compiler-plugin
- 343c62d check if configured schemaVersion is supported
- d001542 distribution-intake external reference is more accurate
- fa5541d Bump actions/checkout from 4.1.1 to 4.1.2
- a43cd05 Bump org.apache.commons:commons-compress
- 31ff1f4 Bump org.junit:junit-bom from 5.10.1 to 5.10.2
- ce8a6e7 Bump release-drafter/release-drafter from 5 to 6
- 16dcb5b Bump commons-codec:commons-codec from 1.16.0 to 1.16.1
Additional commits viewable in [compare view](https://github.com/CycloneDX/cyclonedx-maven-plugin/compare/cyclonedx-maven-plugin-2.7.11...cyclonedx-maven-plugin-2.8.0)
[PR] Bump actions/cache from 4.0.1 to 4.0.2 [santuario-xml-security-java]
dependabot[bot] opened a new pull request, #300: URL: https://github.com/apache/santuario-xml-security-java/pull/300
Bumps [actions/cache](https://github.com/actions/cache) from 4.0.1 to 4.0.2.
Release notes, sourced from [actions/cache's releases](https://github.com/actions/cache/releases).
v4.0.2
What's Changed
- Fix fail-on-cache-miss not working by [@cdce8p](https://github.com/cdce8p) in [actions/cache#1327](https://redirect.github.com/actions/cache/pull/1327)
Full Changelog: https://github.com/actions/cache/compare/v4.0.1...v4.0.2
Changelog, sourced from [actions/cache's changelog](https://github.com/actions/cache/blob/main/RELEASES.md).
Releases
- 4.0.2: Fixed restore fail-on-cache-miss not working.
- 4.0.1: Updated isGhes check
- 4.0.0: Updated minimum runner version support from node 12 - node 20
- 3.3.3: Updates @actions/cache to v3.2.3 to fix accidental mutated path arguments to getCacheVersion [actions/toolkit#1378](https://redirect.github.com/actions/toolkit/pull/1378). Additional audit fixes of npm package(s)
- 3.3.2: Fixes bug with Azure SDK causing blob downloads to get stuck.
- 3.3.1: Reduced segment size to 128MB and segment timeout to 10 minutes to fail fast in case the cache download is stuck.
- 3.3.0: Added option to lookup cache without downloading it.
- 3.2.6: Fix zstd not being used after zstd version upgrade to 1.5.4 on hosted runners.
- 3.2.5: Added fix to prevent from setting MYSYS environment variable globally.
- 3.2.4: Added option to fail job on cache miss.
- 3.2.3: Support cross os caching on Windows as an opt-in feature. Fix issue with symlink restoration on Windows for cross-os caches.
- 3.2.2: ... (truncated)
Commits
- 0c45773 Merge pull request [#1327](https://redirect.github.com/actions/cache/issues/1327) from cdce8p/fix-fail-on-cache-miss
- 8a55f83 Add test case for process exit
- 3884cac Bump version
- e29dad3 Fix fail-on-cache-miss not working
See full diff in [compare view](https://github.com/actions/cache/compare/ab5e6d0c87105b4c9c2047343972218f562e4319...0c45773b623bea8c8e75f6c82b208c3cf94ea4f9)
[PR] [SANTUARIO-615] Implementation pre-post processing extension with xades (basic) example. [santuario-xml-security-java]
jrihtarsic opened a new pull request, #299: URL: https://github.com/apache/santuario-xml-security-java/pull/299 The purpose of this PR is to present the proposals [SANTUARIO-615] for the pre/post processor for the signatures. The use case is the request for XAdES support as requested in SANTUARIO-402 and SANTUARIO-416. The use-case already supports (Basic Signatures profile) and (with the right certificate) it passes the validation by EC DSS tool: https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation Please note that for "composing" the "XAdES" data, the generated jaxb objects are used from the xades scheme v1.4.1 and v1.3.2. This is an experimental PR.
[PR] [SANTUIARIO-614] Tests for the EC Brainpool key types [santuario-xml-security-java]
jrihtarsic opened a new pull request, #298: URL: https://github.com/apache/santuario-xml-security-java/pull/298 The purpose of the contributions is to verify (and implement unit tests) for signing and encryption with the EC Brainpool key types. For details see the PR #293 and [SANTUARIO-614](https://issues.apache.org/jira/browse/SANTUARIO-614) The code is contributed on behalf of the European Commission’s edelivery project to support [eDelivery AS4 2.0 profile](https://ec.europa.eu/digital-building-blocks/sites/pages/viewpage.action?pageId=708412318).
Re: [PR] Add brainpool curves for EC key generation/cypher (main branch) [santuario-xml-security-java]
jrihtarsic commented on PR #293: URL: https://github.com/apache/santuario-xml-security-java/pull/293#issuecomment-2014462177 @yklymenko @seanjmullan I can do that. I already have an internal task to verify it for the eDelivery AS4 profile and I can also implement the required tests for santuario. I created a task: https://issues.apache.org/jira/browse/SANTUARIO-614 And I will provide the PR today for it.
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#issuecomment-2014385650 @seanjmullan Thank you for checking it. And no worries about time. I'd rather see my code thoroughly vetted by a security expert than to skip/miss some security issues or bugs. So take as much time as you need.
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
seanjmullan commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1534523455 ## src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties: ## @@ -111,7 +111,9 @@ KeyStore.registerStore.register = Registration error for type {0} KeyValue.IllegalArgument = Cannot create a {0} from {1} KeyDerivation.TooShortParameter = Key derivation parameter {0} is too short KeyDerivation.InvalidParameter = Key derivation parameter {0} is illegal +KeyDerivation.InvalidParametersType = Algorithm {0} requires key derivation parameters of type {1} to be provided. Review Comment: Nit: most of the other error messages don't end in a period, so suggest removing it.
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
seanjmullan commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1534523455 ## src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties: ## @@ -111,7 +111,9 @@ KeyStore.registerStore.register = Registration error for type {0} KeyValue.IllegalArgument = Cannot create a {0} from {1} KeyDerivation.TooShortParameter = Key derivation parameter {0} is too short KeyDerivation.InvalidParameter = Key derivation parameter {0} is illegal +KeyDerivation.InvalidParametersType = Algorithm {0} requires key derivation parameters of type {1} to be provided. Review Comment: Nit: most of the other error messages end in a period, so suggest removing it. ## src/main/java/org/apache/xml/security/resource/xmlsecurity_en.properties: ## @@ -111,7 +111,9 @@ KeyStore.registerStore.register = Registration error for type {0} KeyValue.IllegalArgument = Cannot create a {0} from {1} KeyDerivation.TooShortParameter = Key derivation parameter {0} is too short KeyDerivation.InvalidParameter = Key derivation parameter {0} is illegal +KeyDerivation.InvalidParametersType = Algorithm {0} requires key derivation parameters of type {1} to be provided. KeyDerivation.NotSupportedParameter = Key derivation parameter {0} is not supported +KeyDerivation.UnsupportedAlgorithm = Unsupported Key derivation Algorithm: {0} for class {1} Review Comment: s/Key/key s/Algorithm:/algorithm (no need for colon) ## src/main/java/org/apache/xml/security/encryption/params/HKDFParams.java: ## 
@@ -0,0 +1,76 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.params; + +import org.apache.xml.security.algorithms.MessageDigestAlgorithm; +import org.apache.xml.security.signature.XMLSignature; +import org.apache.xml.security.utils.EncryptionConstants; + +/** + * Class HMacKeyDerivationParameter (HKDF parameter) is used to specify parameters for the HMAC-based Extract-and-Expand Review Comment: s/HMacKeyDerivationParameter/HKDFParams/ Try to break lines at around 80 chars. ## src/main/java/org/apache/xml/security/encryption/KeyDerivationMethod.java: ## 
@@ -43,4 +46,15 @@ public interface KeyDerivationMethod { * @return the algorithm URI of this KeyDerivationMethod */ String getAlgorithm(); + +/** + * Returns the KDF parameters used by the key derivation algorithm. Currently supported types are + * {@link org.apache.xml.security.encryption.params.ConcatKDFParams} and + * {@link org.apache.xml.security.encryption.params.HKDFParams}. + * + * @return the KDFParams used by the key derivation algorithm + * @throws XMLSecurityException if the KDFParams cannot be created. Review Comment: Nit: no need for period.
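Review bot: In xmlsecurity_en.properties, the added KeyDerivation.InvalidParametersType message ends with a period while the neighbouring KeyDerivation.TooShortParameter, KeyDerivation.InvalidParameter and KeyDerivation.NotSupportedParameter messages do not; drop the trailing period so the block stays uniform. The new key KeyDerivation.UnsupportedAlgorithm also sits directly below KeyDerivation.NotSupportedParameter, so the same idea is spelled two ways ("NotSupported" and "Unsupported"); pick one form for both keys, and lower-case "Key" and "Algorithm" in the message text to match "Key derivation parameter {0} is not supported".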
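Review bot: The class Javadoc in the new HKDFParams.java opens with "Class HMacKeyDerivationParameter", which does not match the file name, so the generated documentation will name a class that does not exist under that name; change it to HKDFParams. The file also imports org.apache.xml.security.signature.XMLSignature into the encryption.params package, and the visible part of the file does not show what it is used for; if it is only needed for an algorithm URI constant, a short comment at the point of use would explain why an encryption parameter class depends on the signature package.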
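Review bot: The Javadoc added after getAlgorithm() in KeyDerivationMethod.java writes the implementing types (ConcatKDFParams and HKDFParams) into the interface contract, which goes stale as soon as another KDF is added; describe the return value in terms of the parameter type and leave the list of implementations to that type's own documentation. The @throws XMLSecurityException line says only that the KDFParams "cannot be created"; state the conditions that trigger it so callers know what they are expected to handle.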
Re: [PR] Add brainpool curves for EC key generation/cypher (main branch) [santuario-xml-security-java]
seanjmullan commented on PR #293: URL: https://github.com/apache/santuario-xml-security-java/pull/293#issuecomment-2013323175
> > > > Looks fine. It would be nice if there was also a test using the `javax.xml.crypto.dsig` API.
> > >
> > > @seanjmullan you mean, something like org.apache.xml.security.test.dom.signature.EDDSASignatureTest? I could try in the next days to create such a test
> >
> > Yes, something like that would be great.
>
> @seanjmullan I've added the test. I have some problems running org.apache.xml.security.utils.KeyUtilsTest under jdk17 with profile bouncecastle. The "DH" case for generateEphemeralDHKeyPair seems to be broken. The org.apache.xml.security.utils.KeyUtils.KeyType#DH declaration uses the 1.2.840.113549.1.3.1 OID, but 1.2.840.10046.2.1 seems to be the correct one (http://oid-info.com/get/1.2.840.10046.2.1). Or maybe I'm wrong?

This is still using the Santuario API (org.apache.xml.security). Sorry, I missed the package name of the test you said above when I said that would be great. What I meant is something like test/java/org/apache/xml/security/test/javax/xml/crypto/dsig/XMLSignatureEdDSATest.java
Re: [PR] Add brainpool curves for EC key generation/cypher (main branch) [santuario-xml-security-java]
coheigea merged PR #293: URL: https://github.com/apache/santuario-xml-security-java/pull/293
Re: [PR] [SANTUARIO-613] Remove DH KeyType from the KeyUtils.KeyType enumeration [santuario-xml-security-java]
coheigea merged PR #297: URL: https://github.com/apache/santuario-xml-security-java/pull/297
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
jrihtarsic commented on PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#issuecomment-2011501924 I reverted the "cleaning of the code" (empty lines) from commit [PR updates (docs and clean empty lines)](https://github.com/apache/santuario-xml-security-java/pull/271/commits/491a7d36b69837b8db2b8192be5af117984ebb68)
Re: [PR] Implementation of the HKDF derivation function [santuario-xml-security-java]
coheigea commented on PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#issuecomment-2011343108 @jrihtarsic Can you remove the whitespace changes in this PR? It makes it difficult to get to the actual changes