Re: [VOTE] - Release Apache Santuario - XML Security for Java 4.0.2/3.0.4

+1 --Sean On 2/19/24 5:38 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 4.0.2 and 3.0.4. They contain a new feature to support Key Agreement using ECDH-ES. 4.0.2: Release notes:

Re: [VOTE] - Release Apache Santuario - XML Security for Java 4.0.1

+1. —Sean > On Nov 24, 2023, at 9:50 AM, Colm O hEigeartaigh wrote: > > This is a vote to release Apache Santuario XML Security for Java > 4.0.1. It contains a bug fix > https://issues.apache.org/jira/browse/SANTUARIO-609 "Remove call to > Signature.getProvider() in debug log" > > Artifacts:

Re: [VOTE] - Release Apache Santuario - XML Security for Java 3.0.3, 2.3.4 and 2.2.6

+1 —Sean > On Oct 13, 2023, at 10:05 AM, Colm O hEigeartaigh wrote: > > This is a vote to release Apache Santuario - XML Security for Java > 3.0.3, 2.3.4 and 2.2.6. These are all bug fix releases. > > All artifacts are in the same maven repo for release: >

Re: Issue with support of RSASSA-PSS algorithms with implicit params in Oracle Java 17

Thanks for working on this! Thanks, Brent On 9/13/23 1:31 PM, Brent Putman wrote: Hi Sean, Thanks for working on this. I'll see about doing some local build testing in the next few days. Thanks, Brent On 9/12/23 8:45 AM, Sean Mullan wrote: Hi Brent, I have fixed this is

Re: Issue with support of RSASSA-PSS algorithms with implicit params in Oracle Java 17

. Thanks, Sean [1] https://issues.apache.org/jira/browse/SANTUARIO-604 On 8/10/23 4:26 PM, Brent Putman wrote: On 8/10/23 1:15 PM, Sean Mullan wrote: Yes, sorry I guess I wasn't clear enough. This is a Santuario issue. I can probably post a PR in the next few days that addresses this.To me

Re: [VOTE] - Release Apache Santuario - XML Security for Java 4.0.0-M1

+1 --Sean On 8/28/23 9:12 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 4.0.0-M1. It is a milestone release and not meant for production. The main new features of the release come from this PR

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.2.5

+1 --Sean On 8/16/23 2:50 AM, Colm O hEigeartaigh wrote: Hi Scott, You can review all changes between 2.2.5 and 2.2.4 here: https://github.com/apache/santuario-xml-security-java/compare/xmlsec-2.2.4...xmlsec-2.2.5 Essentially it's just Xalan, BouncyCastle, Woodstox and Jetty upgrades. Colm.

Re: Issue with support of RSASSA-PSS algorithms with implicit params in Oracle Java 17

Hi Brent, On 8/8/23 7:39 PM, Brent Putman wrote: Hi Sean, On 8/8/23 4:05 PM, Sean Mullan wrote: As mentioned before, you can implement this in the Santuario layer by instantiating the algorithms as "RSASSA-PSS" and passing in an appropriate PSSParameterSpec with the defa

Re: Issue with support of RSASSA-PSS algorithms with implicit params in Oracle Java 17

On 8/4/23 3:26 PM, Brent Putman wrote: Ok, great, thanks for looking into it! --Brent On 8/4/23 3:12 PM, Sean Mullan wrote: Yeah, I get it, I need to chat with some folks here first that worked on this before I can give you a better response. --Sean On 8/4/23 2:55 PM, Brent Putman wrote: Hi

Re: Issue with support of RSASSA-PSS algorithms with implicit params in Oracle Java 17

those algorithm IDs are in fact documented in Java 17 for SunRsaSign, but yet do not actually work. The code in Santuario's JCEMapper and SignatureBaseRSA agrees with this understanding.  Running with BC loaded works fine also, so they have the same understanding. Thanks Brent On 8/4/23 2:13 P

Re: Issue with support of RSASSA-PSS algorithms with implicit params in Oracle Java 17

Hi Brent, You need to pass the MGF and other parameters in a PSSParameterSpec to the Signature algorithm, like so: Signature sig = Signature.getInstance("RSASSA-PSS", "SunRsaSign") sig.setParameter(new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32,

Re: [VOTE] - Release Apache Santuario - XML Security for Java 3.0.2 and 2.3.3

+1. --Sean On 3/27/23 7:02 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 3.0.2 and 2.3.3. 3.0.2: - Issues fixed: https://issues.apache.org/jira/projects/SANTUARIO/versions/12352305 - Artifacts:

Re: Remove Xalan and here() function support

Colm, Should SANTUARIO-583 [1] also be closed or marked as a duplicate of SANTUARIO-593 [2]? --Sean [1] https://issues.apache.org/jira/browse/SANTUARIO-583 [2] https://issues.apache.org/jira/browse/SANTUARIO-593 On 8/30/22 8:03 AM, Sean Mullan wrote: I support this proposal. I think

Re: Remove Xalan and here() function support

I support this proposal. I think the "here" function was never specified correctly anyway as I have been told a while ago by an XPath expert that it should have been defined in a namespace in order to be properly processed as an XPath extension. --Sean On 8/30/22 4:04 AM, Colm O hEigeartaigh

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.2.4

+1 --Sean On 4/29/22 2:25 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Sanutario - XML Security for Java 2.2.4.

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.1.8

+1 --Sean On 4/29/22 2:46 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.1.8. This is the last planned release on this branch.

Re: [VOTE] - Release Apache Santuario - XML Security for Java 3.0.0

On 4/28/22 3:17 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 3.0.0. This is a new major release which has switched to use the Jakarta namespace. +1. --Sean

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.3.1

On 4/28/22 4:18 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.3.1. +1. --Sean

Re: Proposed release of xml-security-c 2.0.4 - Call for Vote

+1. --Sean On 11/1/21 8:25 AM, Cantor, Scott wrote: I have posted a release candidate for 2.0.4 [1] to correct a regression on OpenSSL 1.0.0 and older from the DSA bug fix included in the release last week. The only change apart from the versioning bits is [2], inlining a small function

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.3.0

+1 --Sean On 10/25/21 6:52 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.3.0. This is a major new release of the library. Some of the significant changes include:

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.1.7

On 9/10/21 9:38 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.1.7 +1. --Sean

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.2.3

On 9/10/21 9:37 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.2.3. +1 --Sean

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.2.2

+1. --Sean On 4/30/21 5:18 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.2.2. Artifacts:

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.2.0

+1 --Sean On 5/26/20 2:45 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.2.0. This is a new major release with the following features:  * Added support for RSASSA-PSS with Parameters  * Extensive refactoring and code simplification  *

Re: CRLF change in Java 8 patch

On 10/17/19 11:49 AM, Cantor, Scott wrote: To be honest, it *is* possible that the Java 8 change we observed could have been that they suddenly moved it from shadowing xmlsec 2.0.x to 2.1.x, but I think it's more plausible that just the Base64 class changed (or they revved a 2.0.x release)

Re: xml-security-c 2.0.2 (call for vote)

+1 --Sean On 10/30/18 4:30 PM, Cantor, Scott wrote: I have a couple of small patches to release to address another bug [1] and I've had a colleague beating on the code to try and find any other similar problems and we haven't found anything else to this point, so I'd like to get this patch

Re: Call for vote on xml-security-c 2.0.1

+1 --Sean On 8/2/18 9:32 AM, Cantor, Scott wrote: I'd like to get a couple of votes by end of week if possible, today preferably. The changes are these two commits, just adding null string and node checks. http://svn.apache.org/viewvc?view=revision=1837236

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.1.2 (take III)

+1. --Sean On 6/8/18 12:05 PM, Colm O hEigeartaigh wrote: This is a vote (take III) to release Apache Santuario - XML Security for Java 2.1.2. Issues fixed: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311231=12342674 SVN tag:

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.10

+1 --Sean On 1/22/18 12:45 PM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.0.10. Issues fixed: https://issues.apache.org/jira/projects/SANTUARIO/versions/12341414 SVN tag:

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.1.0

+1 --Sean On 8/14/17 6:23 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.1.0. The main features of this new major release are as follows: a) JDK-9 support. All tests pass with the latest JDK 9 candidate. b) JDK 8 is the minimum supported

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.9

+1 --Sean On 8/14/17 7:10 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.0.9. This is a minor bug fix release - perhaps the most significant fix is to allow setting default algorithms without invoking the SecurityManager, and so to allow

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.8

+1 --Sean On 12/1/16 8:39 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.0.8. Issues fixed: https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12336742 Maven artifacts:

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.7

+1. --Sean On 06/13/2016 12:59 PM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.0.7. Issues fixed: https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12334297 Artifacts:

Re: X509Digest

This is not going to work. You are mixing 2 different APIs together. To understand this better, I need to explain a bit more. The original Apache Java XML Signature library consisted of APIs in the org.apache.xml.security namespace. Later, JSR 105 based the implementation of the standard

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.6

+1 --Sean On 12/04/2015 07:37 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.0.6. Issues fixed: https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12333015 Maven artifacts:

Re: EdDSA Ed25519/Ed448 for XML Digital Signatures

On 12/02/2015 03:43 PM, Simon Josefsson wrote: On 12/2/15, 9:29 AM, "Simon Josefsson" wrote: Hi. I have prepared a writeup on how to add the EdDSA Ed25519/Ed448 public-key digital signature algorithm to XMLDSIG.

Re: Release 2.0.6?

On 11/30/2015 08:16 AM, Colm O hEigeartaigh wrote: We have a few issues fixed now for 2.0.6: https://issues.apache.org/jira/browse/SANTUARIO-430?jql=project%20%3D%20SANTUARIO%20AND%20fixVersion%20%3D%20%22Java%202.0.6%22%20AND%20status%20%3D%20Resolved%20ORDER%20BY%20priority%20DESC Is there

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.5

+1. --Sean On 07/10/2015 11:25 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.0.5. Artifacts: https://repository.apache.org/content/repositories/orgapachesantuario-1009/ SVN tag:

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.4

+1 --Sean On 04/15/2015 11:06 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.0.4. Issues fixed: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311231version=12329273 Maven artifacts:

Re: Santuario xml-security-c 1.7.3 release candidate posted, call for vote

+1 from me. --Sean On 03/13/2015 11:31 AM, Cantor, Scott wrote: On 3/10/15, 2:12 PM, Cantor, Scott canto...@osu.edu wrote: I've uploaded a release candidate of the 1.7.3 patch release [1] for the vote. There have been no changes since the beta last week and I've encountered no issues

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.3

+1 --Sean On 01/09/2015 10:32 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 2.0.3. The issues fixed are here: https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12328679 Maven artifacts:

Re: [VOTE] - Release Apache Santuario - XML Security for Java 1.5.7

+1 --Sean On 06/27/2014 11:08 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache Santuario - XML Security for Java 1.5.7. The issues fixed are here: https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12325592 The maven artifacts are here:

Re: Defining a new SignatureMethod

On 06/03/2014 05:21 AM, Colm O hEigeartaigh wrote: Hi Frank, Would you be interested in contributing a patch to make this more flexible? So long as it's compatible with the existing API that is... Yes, a patch would be useful. Regarding API changes to JSR 105 (javax.xml.crypto and

Re: XMLDsig and XML Signature API

On 03/20/2014 11:00 AM, M. D. wrote: Okay, thanks a lot for your responses! (: So to sum things up: 1] It is not a very common usecase to have multiple certificates embedded in a document I don't think that's true, since that would require the relying party to be able to discover a chain

Re: Is still example still valid?

On 03/30/2013 09:57 AM, Alex O'Ree wrote: I was looking at the sample signature validation code from the distribution xml-security-1_5_3\samples\javax\xml\crypto\dsig\samples\Validate.java I've seen other signature validation code that looks nearly identical, except for the following snippet:

Re: [VOTE] - Release Apache XML Security for Java 1.5.4

+1. On 03/15/2013 06:39 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache XML Security for Java 1.5.4. Here are the issues fixed: https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12323381 Here are the Maven artifacts:

Re: Detached Signature?

On 8/9/12 4:41 AM, Hariprasath wrote: Hi, Im trying to implement detached signature using the Java. Im not able to find the option for changing the type of the signature (enveloped, detached etc.) Can you guys point me to the right option for building detached signatures?

Re: Supported Canonicalization methods

On 06/01/2012 01:28 PM, David Wall wrote: Not sure who to ask, but is there a list of supported canonicalization methods? I'm not sure if it is documented anywhere, but the config.xml file in the source code lists all of the supported CanonicalizationMethod algorithms. See:

Re: Problem with an XSLT transformation

I don't have time to debug your code, but the exception indicates that the XSLT Transform cannot find the stylesheet element. My guess is that the XSLT stylesheet is located in an external document than the document that will contain the XML Signature. This is a problem. You will need to import

Re: Santuario port using GenXDM - how to do secure parsing with StAX API?

Did you check with the StAX developers? We don't support StAX here, so I'm not sure. --Sean On 5/24/12 9:48 AM, Eric Johnson wrote: I apologize in advance if this seems somewhat off topic, but this problem came up in the context of porting 1.5.0 of Santuario to use GenXDM (a project I've

Re: [VOTE] - Release Apache XML Security for Java 1.5.2

+1 --Sean On 05/09/2012 06:25 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache XML Security for Java 1.5.2. Svn tag: https://svn.apache.org/repos/asf/santuario/xml-security-java/tags/1.5.2/ Distribution: http://people.apache.org/~coheigea/stage/xmlsec/1.5.2/dist/ Maven

Re: 1.4.7 and 1.5.2 Java releases

Looks good to me. --Sean On 4/23/12 5:06 AM, Colm O hEigeartaigh wrote: Is there anything else anyone would like to see go into 1.4.7 and 1.5.2? Currently there are 5 issues fixed for 1.4.7: https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12318844 and 8 for 1.5.2:

Re: Checkout bug

. -- -Original Message- From: Sean Mullan [mailto:sean.mul...@oracle.com] Sent: Wednesday, April 11, 2012 3:10 PM To: dev@santuario.apache.org Cc: George Stanchev Subject: Re: Checkout bug On 4/10/12 9:37 PM, George Stanchev wrote: I hit the same error. Can someone please fix it? Hmm, that should

Re: Source download - duplicated files

On 02/13/2012 09:42 AM, Eric Johnson wrote: To whom it may concern, I just downloaded the source zip for the latest Java Santuario release (1.5.0), and noticed duplicated files in the source zip release, as well as in the Subversion tags for the project. Specifically: This download:

Re: Id Resolution Observations and Suggestions

Are you still thinking we should also scan the document for duplicate IDs? --Sean On 12/21/11 7:14 AM, Chad La Joie wrote: So, last night I spent some time digging in to the new code and discussing with some things with Scott. Here's where we ended up. The IdResolver is not designed in a

Re: XML Security Java 1.5.0-RC1 available

On 12/20/2011 10:19 AM, Chad La Joie wrote: On Tue, Dec 20, 2011 at 04:58, Colm O hEigeartaighcohei...@apache.org wrote: This is already available via the JSR-105 API by setting the javax.xml.crypto.dsig.cacheReference property to true. Apache WSS4J uses this to build a set of protected

Re: XML Security Java 1.5.0-RC1 available

On 12/20/2011 10:37 AM, Chad La Joie wrote: That code would be part of the solution. But does the entire tree get walked or does the IdResolver just stop once it finds a match (which I thought was what happened). It no longer searches. All IDs have to be pre-registered. It knows about IDs in

Re: XML Security Java 1.5.0-RC1 available

On 12/20/2011 10:59 AM, Cantor, Scott wrote: On 12/20/11 10:55 AM, Sean Mullansean.mul...@oracle.com wrote: It no longer searches. All IDs have to be pre-registered. It knows about IDs in the XML signature namespace so pre-registers those itself. Does that imply you no longer rely on

Re: XML Security Java 1.5.0-RC1 available

On 12/20/2011 11:06 AM, Chad La Joie wrote: On Tue, Dec 20, 2011 at 10:55, Sean Mullansean.mul...@oracle.com wrote: It no longer searches. All IDs have to be pre-registered. It knows about IDs in the XML signature namespace so pre-registers those itself. I guess I'm missing something. How

Re: XML Security Java 1.5.0-RC1 available

On 12/20/2011 11:21 AM, Cantor, Scott wrote: On 12/20/11 11:12 AM, Sean Mullansean.mul...@oracle.com wrote: The code does still call DOM Document.getElementById, but how does that make it possible to do an attack? If you mark known ID attributes as IDs by calling setIdAtribute, Xerces will

Re: XML Security Java 1.5.0-RC1 available

On 12/20/2011 02:29 PM, Cantor, Scott wrote: On 12/20/11 2:11 PM, Sean Mullansean.mul...@oracle.com wrote: I did a grep of the source tree, and our code never calls Element.setIdAttribute. Yes, but apps do. My code does. That's currently the way for schema validation *and* manual ID setting

Re: Issue Endorsing Santuario

On 11/2/11 7:19 PM, Chad La Joie wrote: On Wed, Nov 2, 2011 at 18:13, Sean Mullan sean.mul...@oracle.com wrote: The JDK and Santuario implementations use different logging APIs. Right, that is the reason you have to put the commons logging library in the endorsed directory and the cause

Re: Issue Endorsing Santuario

On 11/3/11 11:28 AM, Chad La Joie wrote: Okay, so, I think the question is still the same. Do we, or not, want to have to requirement the logging library on the classpath. As an aside, given the choice between endorsing the library and editing the java.security file and adding the lib to

Re: Issue Endorsing Santuario

On 11/2/11 12:40 PM, Chad La Joie wrote: I've been planning to move our Shib code over to use the JSR105 APIs for signature work. One of our testers today was trying to use SHA256 within their signatures and received the error that this wasn't supported by the JVM-shipped implementation of

Re: Issue Endorsing Santuario

of classes) within the endorsed directory are visible on the classpath and obviously logging frameworks are one of those things where there is a lot of variability. On Wed, Nov 2, 2011 at 12:50, Sean Mullan sean.mul...@oracle.com wrote: On 11/2/11 12:40 PM, Chad La Joie wrote: I've been planning

Re: Question on DOMXMLObject implementation in 1.4.6

change to preserve namespaces doesn't preserve those attributes, but perhaps it should? Yes, if you are using C14N 1.1 : http://www.w3.org/TR/xml-c14n11/ --Sean -Eric. On 10/26/11 5:40 PM, Sean Mullan wrote: On 10/26/11 8:30 AM, Eric Johnson wrote: In the 1.4.6 release of Santuario

Re: Question on DOMXMLObject implementation in 1.4.6

On 10/26/11 8:30 AM, Eric Johnson wrote: In the 1.4.6 release of Santuario Java, the DOMXMLObject class underwent a small set of changes. Specifically, it appears that the class now holds on to the objElem passed to the constructor: public DOMXMLObject(Element objElem, XMLCryptoContext

Re: [VOTE] Release Apache XML Security for Java 1.4.6

+1 --Sean On 10/17/11 6:14 AM, Colm O hEigeartaigh wrote: It's been a while since the 1.4.5 release of the Java library, so we might as well release 1.4.6 to get the bug fixes out. Svn tag: https://svn.apache.org/repos/asf/santuario/xml-security-java/tags/1.4.6/ Issues fixed:

Re: [VOTE] Release Apache XML Security for Java 1.4.5

Hi Colm, Did we want to also try to address SANTUARIO-273 before releasing? --Sean On 05/19/2011 11:46 AM, Colm O hEigeartaigh wrote: This is a vote to release Apache XML Security for Java 1.4.5. This distribution was built from the following svn tag:

Re: Small milestone for genxdm-based port of Santuario - works with Axiom!

On 4/20/11 1:43 PM, Eric Johnson wrote: A quick email to note an interesting milestone that we just achieved. For those who missed my previous emails, over at Apache Extras [1], we've been working on the santuario-genxdm [2] project, which is a port of the Santuario project to work using GenXDM

Re: SignatureMethod http://www.w3.org/2001/04/xmldsig-more#rsa-sha512

On 03/16/2011 12:56 PM, David Wall wrote: I am using Java 6 with its bundled XML Digital Signature library, and while I noted that there's a DigestMethod.SHA512, there is not SignatureMethod.RSA_SHA512, and I'm limited to the older SignatureMethod.RSA_SHA1. Is this supported somehow that I