+1
--Sean
On 2/19/24 5:38 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java
4.0.2 and 3.0.4. They contain a new feature to support Key Agreement
using ECDH-ES.
4.0.2:
Release notes:
+1.
—Sean
> On Nov 24, 2023, at 9:50 AM, Colm O hEigeartaigh wrote:
>
> This is a vote to release Apache Santuario XML Security for Java
> 4.0.1. It contains a bug fix
> https://issues.apache.org/jira/browse/SANTUARIO-609 "Remove call to
> Signature.getProvider() in debug log"
>
> Artifacts:
+1
—Sean
> On Oct 13, 2023, at 10:05 AM, Colm O hEigeartaigh wrote:
>
> This is a vote to release Apache Santuario - XML Security for Java
> 3.0.3, 2.3.4 and 2.2.6. These are all bug fix releases.
>
> All artifacts are in the same maven repo for release:
>
Thanks for working on this!
Thanks,
Brent
On 9/13/23 1:31 PM, Brent Putman wrote:
Hi Sean,
Thanks for working on this. I'll see about doing some local build testing in
the next few days.
Thanks,
Brent
On 9/12/23 8:45 AM, Sean Mullan wrote:
Hi Brent,
I have fixed this is
.
Thanks,
Sean
[1] https://issues.apache.org/jira/browse/SANTUARIO-604
On 8/10/23 4:26 PM, Brent Putman wrote:
On 8/10/23 1:15 PM, Sean Mullan wrote:
Yes, sorry I guess I wasn't clear enough. This is a Santuario issue. I
can probably post a PR in the next few days that addresses this.To me
+1
--Sean
On 8/28/23 9:12 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java
4.0.0-M1. It is a milestone release and not meant for production.
The main new features of the release come from this PR
+1
--Sean
On 8/16/23 2:50 AM, Colm O hEigeartaigh wrote:
Hi Scott,
You can review all changes between 2.2.5 and 2.2.4 here:
https://github.com/apache/santuario-xml-security-java/compare/xmlsec-2.2.4...xmlsec-2.2.5
Essentially it's just Xalan, BouncyCastle, Woodstox and Jetty upgrades.
Colm.
Hi Brent,
On 8/8/23 7:39 PM, Brent Putman wrote:
Hi Sean,
On 8/8/23 4:05 PM, Sean Mullan wrote:
As mentioned before, you can implement this in the Santuario layer by
instantiating the algorithms as "RSASSA-PSS" and passing in an
appropriate PSSParameterSpec with the defa
On 8/4/23 3:26 PM, Brent Putman wrote:
Ok, great, thanks for looking into it!
--Brent
On 8/4/23 3:12 PM, Sean Mullan wrote:
Yeah, I get it, I need to chat with some folks here first that worked
on this before I can give you a better response.
--Sean
On 8/4/23 2:55 PM, Brent Putman wrote:
Hi
those algorithm IDs are in fact documented in Java 17 for SunRsaSign,
but yet do not actually work.
The code in Santuario's JCEMapper and SignatureBaseRSA agrees with this
understanding. Running with BC loaded works fine also, so they have the
same understanding.
Thanks
Brent
On 8/4/23 2:13 P
Hi Brent,
You need to pass the MGF and other parameters in a PSSParameterSpec to
the Signature algorithm, like so:
Signature sig = Signature.getInstance("RSASSA-PSS", "SunRsaSign")
sig.setParameter(new PSSParameterSpec("SHA-256", "MGF1",
MGF1ParameterSpec.SHA256, 32,
+1.
--Sean
On 3/27/23 7:02 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java
3.0.2 and 2.3.3.
3.0.2:
- Issues fixed:
https://issues.apache.org/jira/projects/SANTUARIO/versions/12352305
- Artifacts:
Colm,
Should SANTUARIO-583 [1] also be closed or marked as a duplicate of
SANTUARIO-593 [2]?
--Sean
[1] https://issues.apache.org/jira/browse/SANTUARIO-583
[2] https://issues.apache.org/jira/browse/SANTUARIO-593
On 8/30/22 8:03 AM, Sean Mullan wrote:
I support this proposal. I think
I support this proposal. I think the "here" function was never specified
correctly anyway as I have been told a while ago by an XPath expert that
it should have been defined in a namespace in order to be properly
processed as an XPath extension.
--Sean
On 8/30/22 4:04 AM, Colm O hEigeartaigh
+1
--Sean
On 4/29/22 2:25 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Sanutario - XML Security for Java 2.2.4.
+1
--Sean
On 4/29/22 2:46 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java
2.1.8. This is the last planned release on this branch.
On 4/28/22 3:17 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java
3.0.0. This is a new major release which has switched to use the
Jakarta namespace.
+1.
--Sean
On 4/28/22 4:18 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java 2.3.1.
+1.
--Sean
+1.
--Sean
On 11/1/21 8:25 AM, Cantor, Scott wrote:
I have posted a release candidate for 2.0.4 [1] to correct a regression on
OpenSSL 1.0.0 and older from the DSA bug fix included in the release last week.
The only change apart from the versioning bits is [2], inlining a small
function
+1
--Sean
On 10/25/21 6:52 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java
2.3.0. This is a major new release of the library. Some of the
significant changes include:
On 9/10/21 9:38 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java 2.1.7
+1.
--Sean
On 9/10/21 9:37 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java 2.2.3.
+1
--Sean
+1.
--Sean
On 4/30/21 5:18 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java 2.2.2.
Artifacts:
+1
--Sean
On 5/26/20 2:45 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java
2.2.0. This is a new major release with the following features:
* Added support for RSASSA-PSS with Parameters
* Extensive refactoring and code simplification
*
On 10/17/19 11:49 AM, Cantor, Scott wrote:
To be honest, it *is* possible that the Java 8 change we observed could have
been that they suddenly moved it from shadowing xmlsec 2.0.x to 2.1.x, but I
think it's more plausible that just the Base64 class changed (or they revved a
2.0.x release)
+1
--Sean
On 10/30/18 4:30 PM, Cantor, Scott wrote:
I have a couple of small patches to release to address another bug [1] and I've
had a colleague beating on the code to try and find any other similar problems
and we haven't found anything else to this point, so I'd like to get this patch
+1
--Sean
On 8/2/18 9:32 AM, Cantor, Scott wrote:
I'd like to get a couple of votes by end of week if possible, today preferably.
The changes are these two commits, just adding null string and node checks.
http://svn.apache.org/viewvc?view=revision=1837236
+1.
--Sean
On 6/8/18 12:05 PM, Colm O hEigeartaigh wrote:
This is a vote (take III) to release Apache Santuario - XML Security for
Java 2.1.2.
Issues fixed:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311231=12342674
SVN tag:
+1
--Sean
On 1/22/18 12:45 PM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java 2.0.10.
Issues fixed:
https://issues.apache.org/jira/projects/SANTUARIO/versions/12341414
SVN tag:
+1
--Sean
On 8/14/17 6:23 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java
2.1.0. The main features of this new major release are as follows:
a) JDK-9 support. All tests pass with the latest JDK 9 candidate.
b) JDK 8 is the minimum supported
+1
--Sean
On 8/14/17 7:10 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java
2.0.9. This is a minor bug fix release - perhaps the most significant
fix is to allow setting default algorithms without invoking the
SecurityManager, and so to allow
+1
--Sean
On 12/1/16 8:39 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java 2.0.8.
Issues fixed:
https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12336742
Maven artifacts:
+1.
--Sean
On 06/13/2016 12:59 PM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java 2.0.7.
Issues fixed:
https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12334297
Artifacts:
This is not going to work. You are mixing 2 different APIs together. To
understand this better, I need to explain a bit more.
The original Apache Java XML Signature library consisted of APIs in the
org.apache.xml.security namespace.
Later, JSR 105 based the implementation of the standard
+1
--Sean
On 12/04/2015 07:37 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java 2.0.6.
Issues fixed:
https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12333015
Maven artifacts:
On 12/02/2015 03:43 PM, Simon Josefsson wrote:
On 12/2/15, 9:29 AM, "Simon Josefsson" wrote:
Hi. I have prepared a writeup on how to add the EdDSA Ed25519/Ed448
public-key digital signature algorithm to XMLDSIG.
On 11/30/2015 08:16 AM, Colm O hEigeartaigh wrote:
We have a few issues fixed now for 2.0.6:
https://issues.apache.org/jira/browse/SANTUARIO-430?jql=project%20%3D%20SANTUARIO%20AND%20fixVersion%20%3D%20%22Java%202.0.6%22%20AND%20status%20%3D%20Resolved%20ORDER%20BY%20priority%20DESC
Is there
+1.
--Sean
On 07/10/2015 11:25 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java 2.0.5.
Artifacts:
https://repository.apache.org/content/repositories/orgapachesantuario-1009/
SVN tag:
+1
--Sean
On 04/15/2015 11:06 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java 2.0.4.
Issues fixed:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311231version=12329273
Maven artifacts:
+1 from me.
--Sean
On 03/13/2015 11:31 AM, Cantor, Scott wrote:
On 3/10/15, 2:12 PM, Cantor, Scott canto...@osu.edu wrote:
I've uploaded a release candidate of the 1.7.3 patch release [1] for the vote.
There have been no changes since the beta last week and I've encountered no
issues
+1
--Sean
On 01/09/2015 10:32 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java 2.0.3.
The issues fixed are here:
https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12328679
Maven artifacts:
+1
--Sean
On 06/27/2014 11:08 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache Santuario - XML Security for Java
1.5.7. The issues fixed are here:
https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12325592
The maven artifacts are here:
On 06/03/2014 05:21 AM, Colm O hEigeartaigh wrote:
Hi Frank,
Would you be interested in contributing a patch to make this more
flexible? So long as it's compatible with the existing API that is...
Yes, a patch would be useful. Regarding API changes to JSR 105
(javax.xml.crypto and
On 03/20/2014 11:00 AM, M. D. wrote:
Okay, thanks a lot for your responses! (:
So to sum things up:
1] It is not a very common usecase to have multiple certificates embedded in a
document
I don't think that's true, since that would require the relying party to
be able to discover a chain
On 03/30/2013 09:57 AM, Alex O'Ree wrote:
I was looking at the sample signature validation code from the
distribution
xml-security-1_5_3\samples\javax\xml\crypto\dsig\samples\Validate.java
I've seen other signature validation code that looks nearly identical,
except for the following snippet:
+1.
On 03/15/2013 06:39 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache XML Security for Java 1.5.4. Here are
the issues fixed:
https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12323381
Here are the Maven artifacts:
On 8/9/12 4:41 AM, Hariprasath wrote:
Hi,
Im trying to implement detached signature using the Java. Im not
able
to find the option for changing the type of the signature (enveloped,
detached
etc.) Can you guys point me to the right option for building detached
signatures?
On 06/01/2012 01:28 PM, David Wall wrote:
Not sure who to ask, but is there a list of supported canonicalization
methods?
I'm not sure if it is documented anywhere, but the config.xml file in
the source code lists all of the supported CanonicalizationMethod
algorithms. See:
I don't have time to debug your code, but the exception indicates that the XSLT
Transform cannot find the stylesheet element.
My guess is that the XSLT stylesheet is located in an external document than the
document that will contain the XML Signature. This is a problem. You will need
to import
Did you check with the StAX developers? We don't support StAX here, so I'm not
sure.
--Sean
On 5/24/12 9:48 AM, Eric Johnson wrote:
I apologize in advance if this seems somewhat off topic, but this
problem came up in the context of porting 1.5.0 of Santuario to use
GenXDM (a project I've
+1
--Sean
On 05/09/2012 06:25 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache XML Security for Java 1.5.2.
Svn tag:
https://svn.apache.org/repos/asf/santuario/xml-security-java/tags/1.5.2/
Distribution:
http://people.apache.org/~coheigea/stage/xmlsec/1.5.2/dist/
Maven
Looks good to me.
--Sean
On 4/23/12 5:06 AM, Colm O hEigeartaigh wrote:
Is there anything else anyone would like to see go into 1.4.7 and
1.5.2? Currently there are 5 issues fixed for 1.4.7:
https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12318844
and 8 for 1.5.2:
.
--
-Original Message-
From: Sean Mullan [mailto:sean.mul...@oracle.com]
Sent: Wednesday, April 11, 2012 3:10 PM
To: dev@santuario.apache.org
Cc: George Stanchev
Subject: Re: Checkout bug
On 4/10/12 9:37 PM, George Stanchev wrote:
I hit the same error. Can someone please fix it?
Hmm, that should
On 02/13/2012 09:42 AM, Eric Johnson wrote:
To whom it may concern,
I just downloaded the source zip for the latest Java Santuario release
(1.5.0), and noticed duplicated files in the source zip release, as well
as in the Subversion tags for the project.
Specifically:
This download:
Are you still thinking we should also scan the document for duplicate IDs?
--Sean
On 12/21/11 7:14 AM, Chad La Joie wrote:
So, last night I spent some time digging in to the new code and
discussing with some things with Scott. Here's where we ended up.
The IdResolver is not designed in a
On 12/20/2011 10:19 AM, Chad La Joie wrote:
On Tue, Dec 20, 2011 at 04:58, Colm O hEigeartaighcohei...@apache.org wrote:
This is already available via the JSR-105 API by setting the
javax.xml.crypto.dsig.cacheReference property to true. Apache WSS4J
uses this to build a set of protected
On 12/20/2011 10:37 AM, Chad La Joie wrote:
That code would be part of the solution. But does the entire tree get
walked or does the IdResolver just stop once it finds a match (which I
thought was what happened).
It no longer searches. All IDs have to be pre-registered. It knows about
IDs in
On 12/20/2011 10:59 AM, Cantor, Scott wrote:
On 12/20/11 10:55 AM, Sean Mullansean.mul...@oracle.com wrote:
It no longer searches. All IDs have to be pre-registered. It knows about
IDs in the XML signature namespace so pre-registers those itself.
Does that imply you no longer rely on
On 12/20/2011 11:06 AM, Chad La Joie wrote:
On Tue, Dec 20, 2011 at 10:55, Sean Mullansean.mul...@oracle.com wrote:
It no longer searches. All IDs have to be pre-registered. It knows about IDs
in the XML signature namespace so pre-registers those itself.
I guess I'm missing something. How
On 12/20/2011 11:21 AM, Cantor, Scott wrote:
On 12/20/11 11:12 AM, Sean Mullansean.mul...@oracle.com wrote:
The code does still call DOM Document.getElementById, but how does that
make it possible to do an attack?
If you mark known ID attributes as IDs by calling setIdAtribute, Xerces
will
On 12/20/2011 02:29 PM, Cantor, Scott wrote:
On 12/20/11 2:11 PM, Sean Mullansean.mul...@oracle.com wrote:
I did a grep of the source tree, and our code never calls
Element.setIdAttribute.
Yes, but apps do. My code does. That's currently the way for schema
validation *and* manual ID setting
On 11/2/11 7:19 PM, Chad La Joie wrote:
On Wed, Nov 2, 2011 at 18:13, Sean Mullan sean.mul...@oracle.com wrote:
The JDK and Santuario implementations use different logging APIs.
Right, that is the reason you have to put the commons logging library
in the endorsed directory and the cause
On 11/3/11 11:28 AM, Chad La Joie wrote:
Okay, so, I think the question is still the same. Do we, or not, want
to have to requirement the logging library on the classpath.
As an aside, given the choice between endorsing the library and editing
the java.security file and adding the lib to
On 11/2/11 12:40 PM, Chad La Joie wrote:
I've been planning to move our Shib code over to use the JSR105 APIs
for signature work. One of our testers today was trying to use SHA256
within their signatures and received the error that this wasn't
supported by the JVM-shipped implementation of
of classes) within the
endorsed directory are visible on the classpath and obviously logging
frameworks are one of those things where there is a lot of
variability.
On Wed, Nov 2, 2011 at 12:50, Sean Mullan sean.mul...@oracle.com wrote:
On 11/2/11 12:40 PM, Chad La Joie wrote:
I've been planning
change to preserve namespaces doesn't preserve those
attributes, but perhaps it should?
Yes, if you are using C14N 1.1 : http://www.w3.org/TR/xml-c14n11/
--Sean
-Eric.
On 10/26/11 5:40 PM, Sean Mullan wrote:
On 10/26/11 8:30 AM, Eric Johnson wrote:
In the 1.4.6 release of Santuario
On 10/26/11 8:30 AM, Eric Johnson wrote:
In the 1.4.6 release of Santuario Java, the DOMXMLObject class underwent
a small set of changes.
Specifically, it appears that the class now holds on to the objElem
passed to the constructor:
public DOMXMLObject(Element objElem, XMLCryptoContext
+1
--Sean
On 10/17/11 6:14 AM, Colm O hEigeartaigh wrote:
It's been a while since the 1.4.5 release of the Java library, so we
might as well release 1.4.6 to get the bug fixes out.
Svn tag:
https://svn.apache.org/repos/asf/santuario/xml-security-java/tags/1.4.6/
Issues fixed:
Hi Colm,
Did we want to also try to address SANTUARIO-273 before releasing?
--Sean
On 05/19/2011 11:46 AM, Colm O hEigeartaigh wrote:
This is a vote to release Apache XML Security for Java 1.4.5. This
distribution was built from the following svn tag:
On 4/20/11 1:43 PM, Eric Johnson wrote:
A quick email to note an interesting milestone that we just achieved.
For those who missed my previous emails, over at Apache Extras [1], we've been
working on the santuario-genxdm [2] project, which is a port of the Santuario
project to work using GenXDM
On 03/16/2011 12:56 PM, David Wall wrote:
I am using Java 6 with its bundled XML Digital Signature library, and
while I noted that there's a DigestMethod.SHA512, there is not
SignatureMethod.RSA_SHA512, and I'm limited to the older
SignatureMethod.RSA_SHA1.
Is this supported somehow that I
71 matches
Mail list logo