| Changelog for "Apache xml-security" <http://santuario.apache.org/> |
| New in v1.4.4-SNAPSHOT |
| Fixed Bug 49483: KeyResolver.registerAtStart() leads to ClassCastException. Thanks to Clement Pellerin. |
| Fixed Bug 49458: StorageResolver always exhausted after first use. Thanks to Clement Pellerin. |
| Fixed Bug 49456: StorageResolver.next() gives ClassCastException. Thanks to Clement Pellerin. |
| Fixed Bug 49450: KeyStoreResolver always exhausted after first use. Thanks to Clement Pellerin. |
| Fixed Bug 49447: KeyStoreResolver iterator returns null for symmetric keys. Thanks to Clement Pellerin. |
| Fixed Bug 48368: Digest Value of References inside Manifest - calculation order problem |
| Fixed Bug 47779: ConcurrentModificationException in XMLUtils. |
| Fixed Bug 47761: xmlns:xml namespace improperly emitted during excl c14n. Thanks to Scott Cantor. |
| Fixed Bug 36526: Out of memory error when signing or verifying big files. Thanks to Agnes Juhasz. |
| Fixed Bug 47784: ClassNotFoundException when init the xml security in OSGi plateform |
| Fixed Bug 47762: contextChild parameter of Transform.getInstance may be null |
| New in v1.4.3 |
| Fixed Bug 47526: XML signature HMAC truncation authentication bypass |
| Fixed Bug 47525: Fix checkstyle problems with source and tests. |
| Fixed Bug 42239: ECDSA signature value interopability patch. |
| Fixed Bug 45744: XPath transform and xml-stylesheet. |
| Fixed Bug 42986: The </#document> node inserted at the end of SOAPEnvelope. |
| Fixed Bug 47029: Unnecessary namespace declarations on EncryptedData children. |
| Fixed Bug 44335: Can't validate after invalid validation. |
| Fixed Bug 47260: Improve Java unit testing. |
| Fixed Bug 47265: Some website updates. |
| Fixed Bug 45388: We need a POM file added to the Maven repository. |
| Fixed Bug 47483: Remove JDK 1.5 API dependencies |
| Fixed bug 47057: Downgrade signature verification logging from "info". Thanks to Colm O hEigeartaigh. |
| Fixed bug 42061: Method to disable XMLUtils.addReturnToElement (reopened): changed Base64 code to ignore line breaks, if enabled. Thanks to Colm O hEigeartaigh. |
| Fixed bug 47097: Reusing XMLSignature for signing and verifying fails on same thread. Thanks to Bruno Harbulot. |
| Fixed bug 46732: Failed to add more than one child element to EncryptionMethod. |
| Fixed bug 46101: org.apache.xml.security.utils.IdResolver is not thread safe |
| Fixed bug 45961: verify with own canonicalization method. Thanks to Anton Kosyakov. |
| Fixed bug 45475: XMLSignature::getKeyInfo method modifies document |
| Fixed bug 45811: Fix XMLSec 1.4.2 problems reported by findbugs |
| Fixed bug 45706: Transform.register class loading and recursive instantiation problems |
| Fixed bug 45664: Some calls should be wrapped in AccessController.doPrivileged |
| Fixed bug 45634: Restore XMLUtils.createDSctx method. |
| Fixed bug 45095: log4j.properties in xmlsec sources and builds has side |
| effects in production environment. Thanks to Joachim Rousseau. |
| |
| New in v1.4.2rc1 |
| Fixed bug 44999: DOMException is thrown at XMLSignature creation. Thanks to Giedrius Noreikis. |
| Fixed bug 44863: Improved logging in signature handling. Thanks to Wally Dennis. |
| Fixed bug 44956: Concurrent creation of a XMLSignature instance produces an ArrayIndexOutOfBoundsException. Thanks to Giedrius Noreikis |
| Fixed bug 44991: Concurrent invocation of KeyInfo.getX509Certificate() occasionally fails. Thanks to Giedrius Noreikis |
| |
| New in v1.4.2beta2 |
| Fixed bug 44810: Add support for more XMLDSig algorithms listed in RFC 4051 |
| Fixed bug 44617: Regression when processing XPath transform (additional fix) |
| New in v1.4.2beta1 |
| Fixed bug 44629: Switch order of XML Signature validation steps |
| Fixed bug 44617: Regression when processing XPath transform |
| Fixed bug 44586: XMLX509IssuerSerial.getIssuerName incorrectly escapes '#' in hex values |
| Fixed rfe 42653: Add support for C14N 1.1 to Java implementation. Thanks |
| to Sean Mullan. |
| Fixed bug 44205: XMLX509Certificate.getX509Certificate() results in certificate parsing error. Thanks to Vishal Mahajan. |
| Fixed Bug 44177: when using xslt transformation there is problem with xalan newline. Thanks to Matej Spiller. |
| Small refactor for ElementProxy to get rid of the state, it was an old |
| vestige that where taking space and obfuscating the code. |
| Fixed bug 40897: String comparisons using '==' causes validation errors |
| with some parsers. Thanks Vishal Mahajan |
| Fixed bug 43056: Library does not allow specify provider for private key |
| operations. Thanks to Alon Bar-Lev. |
| Fixed bug 44102: XMLCipher loadEncryptedKey error. Thanks to Butler. |
| Fixed bug 43239: "No installed provider supports this key" when checking a |
| RSA signature against a DSA key before RSA key. Thanks to Matthias |
| Germann. |
| Fixed bug 42597: Unnecessary namespace declarations on Signature children |
| Thanks to Brent Putnam. |
| Fixed bug 42061: Method to disable XMLUtils.addReturnToElement. Thanks to |
| Michael McIntosh. |
| Fixed bug 42865: Problem with empty BaseURI in ResolverLocalFilesystem. |
| Thanks to Frank Cornelis. |
| Fixed bug 43230: Inclusive C14n doesn't always handle xml:space & xml:lang |
| attributes correctly |
| Fixed bug 38668: Add XMLCipher.encryptData method that takes serialized |
| data as parameter. Thanks to Vladimir Ionescu. |
| Fixed bug 42886: Error when removing encrypted content in 1.4.1. Thanks to |
| Julien Taupin and Daniele Gagliardi. |
| Fixed bug 42820: ClassLoader issue causing NoSuchAlgorithmException loading |
| Provider Implementation. Thanks to James Washington. |
| New in 1.4.1 |
| Fixed bug 42239: ECDSA signature value interoperability patch. Thanks to Wolfgang Glas for fix. |
| |
| New in v1.4.1beta1 |
| Fixed bug 41892: XML Security 1.4.0 does not build with IBM's JDK |
| Fixed bug 41927: Cannot canonicalize with XSLT transform. Thanks to |
| Lijun Liao for fix. |
| Fixed bug 41805: Resolution of SAML 1.x ID attributes, incorrect namespace. Thanks to |
| Brent Putman for fix. |
| Fixed bug 41474: two text nodes with the value '\n' in succession within |
| <ds:SignedInfo> and <ds:X509IssuerSerial>. Thanks to Lijun Liao for fix. |
| Fixed bug 41510: org.apache.xml.security.keys.content.KeyValue.getPublicKey() |
| returns null for DSA key. Thanks to Stepan Hrbacek for fix. |
| Fixed bug 41569: Cannot specify dynamically a specific JCE Provider with |
| the DSA Signature. Thanks to Julien Pasquier for fix. |
| Fixed bug 41573: XMLCipher StackOverflowError. Thanks to Marek Jablonski |
| for fix. |
| Fixed bug 41462: Xml canonization - UTF-8 encoding issue in Xml security 1.4.0 Thanks to Karol Rewera. |
| Fixed bug 41520: Cannot generate signatures with the same key but different algorithms in sucession. Thanks to Lijun Liao |
| New in 1.4 |
| Fixed bug 40896 |
| |
| New in 1.4RC4 |
| Fixed bug 40880 |
| |
| New in 1.4RC3 |
| Fixed bug 40796 |
| |
| New in 1.4RC2a |
| Fixed bug 40783 |
| |
| New in 1.4RC2 |
| Fixed bug 40512. Made TransformSPI backward compatible. Now it is possible |
| to use implementations for the >1.3 versions paying the performance hit |
| of the old implementation. |
| Fix a small & unneeded java 1.4 dependecy. |
| KeyResolver & ResourceResolver can work like <1.3 mode when used with old implementations. |
| |
| New in 1.4RC1 |
| Fixed bug 40290. |
| Fixed bug 40298. |
| Fixed bug 40360. Changed a little the way the IdResolver works when |
| Document.getElementById fails. |
| Fixed bug 40404. |
| |
| New in v1.4beta2 |
| Optimization in c14n in node-sets. |
| Optimization for the xml:* inheritance in inclusive c14n. |
| Added ECDSA signature thanks Markus Lindner |
| Optimization in RetrievelMethod handling. Don't reparse the bytes into a DOM tree if not needed thanks David Garcia. |
| Fixed bug 40215: Base64 is not working in EBCDIC platform. Thanks to |
| acastro.dit@aeat.es for fix. |
| Big optimizations in XPath2 transformation. |
| Fixed bug 40245 in XPATH2 transformation(only in development version) |
| Fixed bug no resolver for X509Data with just a X509Certificate. |
| Optimization in Base64 to do simple transformation from String to byte[] |
| |
| New in v1.4beta1 |
| Fixed bug 40032. Fixed BUG 40031 Fixed bug when the prefix digital signature uri is not null. |
| Changes in the NodeFilter API in order to let the transformations |
| do some optimizations take into account the c14n order. |
| Optimization in signature transformation in node-sets(xpath, xpath2), 20-40% speed-up. |
| |
| New in v1.4beta0 |
| Fixed bug 38668: Add XMLCipher.encryptData method that takes |
| serialized data as parameter (mullan) |
| Fixed bug 39273: JSR 105 DOMCryptoContext.setIdAttributeNS not working |
| when validating signatures (mullan) |
| Fixed bug 38405: ElementProxy.length() is not working (Java) (mullan) |
| Fixed bug 37708: Different behaviour with NodeSet and RootNode with |
| InclusiveNamespaces (mullan) |
| Fixed bug 37456: Signing throws an exception if custom resource |
| resolver is registered (mullan) |
| Fixed bug 38655 |
| Fixed bug 38444. |
| Fixed bug 38605. |
| Fixed bug 39200(API CHANGE) |
| Refactored the way keyresolver works instead of calling canResolve/resolveX only resolveX is used |
| and if it returns null it means it cannot resolve. |
| Minor Optimizations. |
| Lazy fields initialization, initialize with null and create the object only when needed |
| Registered Class reorder, in several parts the library contains a list of workers |
| that are asked if it can solve a problem. Now the one that said yes is move to the front |
| wishing that the next time it also hits. |
| API Change: Make Transform & TransformSpi reusable between threads. |
| remove setTransform(Transform t) method in TransformSpi and pass |
| the Transform object in enginePerformTransfor methods. |
| Fixed bug 39685: bugs reported by findbugs (mullan) |
| Added support for SHA256 & SHA512 DigestMethods to JSR 105. (mullan) |
| Fix JSR 105 unmarshaling bug: now recognizes PGPData. (mullan) |
| Optimization to not create instances of Signature or MessageDigest objects, but mantain one for thread. |
| Also don't change the key if it was already used. (raul) |
| |
| New in v1.3 |
| Init-Don't fail if a transformation don't have all of its dependecies. |
| Remove XPath initialization from Init and do only when xpath is needed. |
| Resolv-Removed the use of xpath expressions to search the elements to sign/verify, now use only plain DOM searching. |
| Resolvers-Remove wantsOctectStream wantsNodeSet and his returns pair they are not used, right now and some are incorrect. |
| Remove the Use of xalan or xerces class URI |
| Removed the expandSystemId |
| Changed from Vector<String> to List<Class>, so we don't need to use classForName everytime and used it just the first time. |
| Removed PRNG,HexDump,Version, X509CertificateValidator |
| Added an unsync buffer outputstream. |
| Changed Symbol table to a more efficient and simple structure |
| Fixed bug 34743 , Submitted by: Lee Coomber <lee.at.lshift.net> |
| Minor speedups in b64, Halved the table lookups. |
| Reduce Object creation during c14n, from one to level to one per c14n. |
| Change all Vector to List(ArrayList), we don't need synchronization safety. |
| *Refactor the way we handle c14n of nodesets: |
| Before this patch every transformation creates a set with the nodes that should |
| be outputed. Every set is obtaining visiting the whole dom tree every time, |
| and then do it other time at c14n time. So it does <number of transformations>+1 |
| visitings, very slow and memory costly. |
| Now every transformation just return a NodeFilter that tells if the node is included or not. |
| So only one visiting is done. |
| Unified http://www.w3.org/2002/06/xmldsig-filter2 and http://www.w3.org/2002/04/xmldsig-filter2 transformation implementations. |
| Removed http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/#xpathFilter transformation |
| Canonicalization tree travesing is not recursive. it gives better memory handling and performance. |
| Fixed bug 33936, Submited by: Raymond Wong <rwong.at.ariba.com> |
| Fixed bug 35919, Submited by: Luda <ludab.at.lanl.gov> |
| out of the box j2se 1.5 ready(no adding xalan in the classpath or endorsed if no |
| xpath transformation is needed) |
| |
| |
| New in v1.2.1 |
| * Fix the memory leak when using xpath or using ResourceResolver and not hitting |
| getElementByIdUsingDOM() [http://issues.apache.org/bugzilla/show_bug.cgi?id=32836] |
| * Fix the bug with using XPath2Filter and inclusive c14n |
| * Fix the bug arrouse in reusing Canonicalizers |
| * Fix base64transformation bug [http://issues.apache.org/bugzilla/show_bug.cgi?id=33393 ] |
| * Fix the XMLsignatureInput reset() bug. |
| * Clean unused jar (xmlParserAPI.jar,etc) and check and stored new versions. |
| * generated the dist jar with version (i.e. xmlsec-1.2.1.jar instead of plain xmlsec.jar) |
| * Clean unused build*.xml files. |
| |
| |
| ############################################################################## |
| # New in v1.0.3 24. May 2002 |
| ############################################################################## |
| |
| IMPORTANT: |
| |
| - The different classes do not call Init.init() any longer. This must be done |
| by YOU in your application. If you miss that, you'll get many |
| AlgorithmNotRegistered exceptions... |
| |
| -------------------------------- |
| |
| Summary: |
| |
| - The software is faster. Especially canonicalization is between |
| factor 5--80 faster than the old one. |
| |
| - Some deprecated methods in the Canonicalizer are deleted. |
| |
| - We support Exclusive Canonicalization |
| |
| - We support the XPath Filter version 2.0 Draft. |
| |
| -------------------------------- |
| |
| Optimizations and speed-up |
| |
| - canonicalization |
| - inclusive c14n is now faster (factor between 5 and 80) |
| - transforms |
| - enveloped-signature is now faster (no XPath ops any more) |
| - base64 is now faster (no XPath ops any more) |
| - c14n is now faster (due to faster c14n algo) |
| |
| -------------------------------- |
| |
| Signature package: |
| |
| - The XMLSignatureInput which is used for passing node sets and octet |
| streams into transforms and which is also the result of transforms |
| uses a java.util.Set now instead of a NodeList for the internal |
| representation of xpath node sets. This allows easier queries in the |
| form: Is node N part of the node set. |
| |
| The implication is that you can also pass a Set which contains the nodes |
| to be canonicalized to the Canonicalizers using |
| public byte[] canonicalizeXPathNodeSet(Set xpathNodeSet) |
| |
| -------------------------------- |
| |
| Canonicalizer: |
| |
| - A bug (well, my understanding of c14n) is corrected regarding the |
| canonicalization of node sets. That bug related to the xml:* |
| attributes. See xmldsig mailing list archive @ w3.org for details. |
| |
| - removed are the methods |
| |
| - public byte[] canonicalize(Node node) |
| - public byte[] canonicalizeDocument(Document doc) |
| - public byte[] canonicalizeSingleNode(Node rootNode) |
| |
| replaced by public byte[] canonicalizeSubtree(Node node) |
| |
| - public byte[] canonicalize(NodeList xpathNodeSet) |
| |
| replaced by public byte[] canonicalizeXPathNodeSet(NodeList xpathNodeSet) |
| |
| - public void setXPath(Object xpath) |
| - public Object getXPath() |
| - public String getXPathString() |
| - public void setXPathNodeSet(NodeList nodeList) |
| |
| These are no longer in use. If you want to c14nize an xpath |
| node set, select it using CachedXPathAPI and then apply |
| canonicalizeXPathNodeSet to the node set. |
| |
| - public void setRemoveNSAttrs(boolean remove) |
| - public boolean getRemoveNSAttrs() |
| |
| The c14nizers do not add any attributes (namespaces or xml:*) |
| to the document, so these method make no sense. |
| |
| - The Canonicalizer now supports "Exclusive XML Canonicalization |
| Version 1.0" <http://www.w3.org/Signature/Drafts/xml-exc-c14n>, Rev 1.58. |
| |
| For that reason, the c14n methods allow an additional String parameter |
| for passing the inclusive namespaces. |
| |
| public byte[] canonicalizeSubtree(Node node, |
| String inclusiveNamespaces) |
| public byte[] canonicalizeXPathNodeSet(NodeList xpathNodeSet, |
| String inclusiveNamespaces) |
| |
| Such a string looks e.g. like this |
| |
| String inclusiveNamespaces = "ds xenc ex #default"; |
| |
| For more on exclusive c14n, see the spec. If you pass this parameter to the |
| regular (inclusive) c14nizer, you'll get a |
| CanonicalizationException("c14n.Canonicalizer.UnsupportedOperation") |
| |
| -------------------------------- |
| |
| Transforms: |
| |
| - The exclusive c14n is also supported by the transform framework. |
| The parameter for the inclusive namespaces is the class |
| org.apache.xml.security.transforms.params.InclusiveNamespaces |
| |
| If you want to make a Transform like this, do that: |
| |
| Document doc = ...; |
| Transforms transforms = new Transforms(doc); |
| InclusiveNamespaces incNS = new InclusiveNamespaces(doc, "ns2"); |
| transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS, |
| incNS.getElement()); |
| |
| - The XPathContainer for the XPath transform is now moved from the |
| org.apache.xml.security.c14n.helper package to |
| org.apache.xml.security.transforms.params.XPathContainer |
| |
| - The enveloped-signature transform is faster now. We don't do costly |
| XPath operations but 'simple' DOM ops. |
| |
| - Base64 is faster (no XPath ops). |
| |
| - The TransformXPath2Filter is now supported by the package. It can be used by |
| using the identifier Transforms.TRANSFORM_XPATH2FILTER in conjuction with the |
| XPath2FilterContainer for passing parameters. To know what xfilter2 is, see |
| http://www.w3.org/Signature/Drafts/xmldsig-xfilter2/ : |
| |
| Document doc = ...; |
| Transforms transforms = new Transforms(doc); |
| XPath2FilterContainer x2c = |
| // intersect |
| XPath2FilterContainer.newInstanceIntersect(doc, "//a"); |
| // subtract |
| XPath2FilterContainer.newInstanceSubtract(doc, "//a"); |
| // union |
| XPath2FilterContainer.newInstanceUnion(doc, "//a"); |
| |
| transforms.addTransform(Transforms.TRANSFORM_XPATH2FILTER, |
| x2c.getElement()); |
| |
| -------------------------------- |
| |