| Changelog for "Apache xml-security" <http://xml.apache.org/security/> |
| New in ... |
| Fixed bug 42820: ClassLoader issue causing NoSuchAlgorithmException loading |
| Provider Implementation. Thanks to James Washington. |
| New in 1.4.1 |
| Fixed bug 42239: ECDSA signature value interoperability patch. Thanks to Wolfgang Glas for fix. |
| |
| New in v1.4.1beta1 |
| Fixed bug 41892: XML Security 1.4.0 does not build with IBM's JDK |
| Fixed bug 41927: Cannot canonicalize with XSLT transform. Thanks to |
| Lijun Liao for fix. |
| Fixed bug 41805: Resolution of SAML 1.x ID attributes, incorrect namespace. Thanks to |
| Brent Putman for fix. |
| Fixed bug 41474: two text nodes with the value '\n' in succession within |
| <ds:SignedInfo> and <ds:X509IssuerSerial>. Thanks to Lijun Liao for fix. |
| Fixed bug 41510: org.apache.xml.security.keys.content.KeyValue.getPublicKey() |
| returns null for DSA key. Thanks to Stepan Hrbacek for fix. |
| Fixed bug 41569: Cannot specify dynamically a specific JCE Provider with |
| the DSA Signature. Thanks to Julien Pasquier for fix. |
| Fixed bug 41573: XMLCipher StackOverflowError. Thanks to Marek Jablonski |
| for fix. |
| Fixed bug 41462: Xml canonization - UTF-8 encoding issue in Xml security 1.4.0 Thanks to Karol Rewera. |
| Fixed bug 41520: Cannot generate signatures with the same key but different algorithms in sucession. Thanks to Lijun Liao |
| New in 1.4 |
| Fixed bug 40896 |
| |
| New in 1.4RC4 |
| Fixed bug 40880 |
| |
| New in 1.4RC3 |
| Fixed bug 40796 |
| |
| New in 1.4RC2a |
| Fixed bug 40783 |
| |
| New in 1.4RC2 |
| Fixed bug 40512. Made TransformSPI backward compatible. Now it is possible |
| to use implementations for the >1.3 versions paying the performance hit |
| of the old implementation. |
| Fix a small & unneeded java 1.4 dependecy. |
| KeyResolver & ResourceResolver can work like <1.3 mode when used with old implementations. |
| |
| New in 1.4RC1 |
| Fixed bug 40290. |
| Fixed bug 40298. |
| Fixed bug 40360. Changed a little the way the IdResolver works when |
| Document.getElementById fails. |
| Fixed bug 40404. |
| |
| New in v1.4beta2 |
| Optimization in c14n in node-sets. |
| Optimization for the xml:* inheritance in inclusive c14n. |
| Added ECDSA signature thanks Markus Lindner |
| Optimization in RetrievelMethod handling. Don't reparse the bytes into a DOM tree if not needed thanks David Garcia. |
| Fixed bug 40215: Base64 is not working in EBCDIC platform. Thanks to |
| acastro.dit@aeat.es for fix. |
| Big optimizations in XPath2 transformation. |
| Fixed bug 40245 in XPATH2 transformation(only in development version) |
| Fixed bug no resolver for X509Data with just a X509Certificate. |
| Optimization in Base64 to do simple transformation from String to byte[] |
| |
| New in v1.4beta1 |
| Fixed bug 40032. Fixed BUG 40031 Fixed bug when the prefix digital signature uri is not null. |
| Changes in the NodeFilter API in order to let the transformations |
| do some optimizations take into account the c14n order. |
| Optimization in signature transformation in node-sets(xpath, xpath2), 20-40% speed-up. |
| |
| New in v1.4beta0 |
| Fixed bug 38668: Add XMLCipher.encryptData method that takes |
| serialized data as parameter (mullan) |
| Fixed bug 39273: JSR 105 DOMCryptoContext.setIdAttributeNS not working |
| when validating signatures (mullan) |
| Fixed bug 38405: ElementProxy.length() is not working (Java) (mullan) |
| Fixed bug 37708: Different behaviour with NodeSet and RootNode with |
| InclusiveNamespaces (mullan) |
| Fixed bug 37456: Signing throws an exception if custom resource |
| resolver is registered (mullan) |
| Fixed bug 38655 |
| Fixed bug 38444. |
| Fixed bug 38605. |
| Fixed bug 39200(API CHANGE) |
| Refactored the way keyresolver works instead of calling canResolve/resolveX only resolveX is used |
| and if it returns null it means it cannot resolve. |
| Minor Optimizations. |
| Lazy fields initialization, initialize with null and create the object only when needed |
| Registered Class reorder, in several parts the library contains a list of workers |
| that are asked if it can solve a problem. Now the one that said yes is move to the front |
| wishing that the next time it also hits. |
| API Change: Make Transform & TransformSpi reusable between threads. |
| remove setTransform(Transform t) method in TransformSpi and pass |
| the Transform object in enginePerformTransfor methods. |
| Fixed bug 39685: bugs reported by findbugs (mullan) |
| Added support for SHA256 & SHA512 DigestMethods to JSR 105. (mullan) |
| Fix JSR 105 unmarshaling bug: now recognizes PGPData. (mullan) |
| Optimization to not create instances of Signature or MessageDigest objects, but mantain one for thread. |
| Also don't change the key if it was already used. (raul) |
| |
| New in v1.3 |
| Init-Don't fail if a transformation don't have all of its dependecies. |
| Remove XPath initialization from Init and do only when xpath is needed. |
| Resolv-Removed the use of xpath expressions to search the elements to sign/verify, now use only plain DOM searching. |
| Resolvers-Remove wantsOctectStream wantsNodeSet and his returns pair they are not used, right now and some are incorrect. |
| Remove the Use of xalan or xerces class URI |
| Removed the expandSystemId |
| Changed from Vector<String> to List<Class>, so we don't need to use classForName everytime and used it just the first time. |
| Removed PRNG,HexDump,Version, X509CertificateValidator |
| Added an unsync buffer outputstream. |
| Changed Symbol table to a more efficient and simple structure |
| Fixed bug 34743 , Submitted by: Lee Coomber <lee.at.lshift.net> |
| Minor speedups in b64, Halved the table lookups. |
| Reduce Object creation during c14n, from one to level to one per c14n. |
| Change all Vector to List(ArrayList), we don't need synchronization safety. |
| *Refactor the way we handle c14n of nodesets: |
| Before this patch every transformation creates a set with the nodes that should |
| be outputed. Every set is obtaining visiting the whole dom tree every time, |
| and then do it other time at c14n time. So it does <number of transformations>+1 |
| visitings, very slow and memory costly. |
| Now every transformation just return a NodeFilter that tells if the node is included or not. |
| So only one visiting is done. |
| Unified http://www.w3.org/2002/06/xmldsig-filter2 and http://www.w3.org/2002/04/xmldsig-filter2 transformation implementations. |
| Removed http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/#xpathFilter transformation |
| Canonicalization tree travesing is not recursive. it gives better memory handling and performance. |
| Fixed bug 33936, Submited by: Raymond Wong <rwong.at.ariba.com> |
| Fixed bug 35919, Submited by: Luda <ludab.at.lanl.gov> |
| out of the box j2se 1.5 ready(no adding xalan in the classpath or endorsed if no |
| xpath transformation is needed) |
| |
| |
| New in v1.2.1 |
| * Fix the memory leak when using xpath or using ResourceResolver and not hitting |
| getElementByIdUsingDOM() [http://issues.apache.org/bugzilla/show_bug.cgi?id=32836] |
| * Fix the bug with using XPath2Filter and inclusive c14n |
| * Fix the bug arrouse in reusing Canonicalizers |
| * Fix base64transformation bug [http://issues.apache.org/bugzilla/show_bug.cgi?id=33393 ] |
| * Fix the XMLsignatureInput reset() bug. |
| * Clean unused jar (xmlParserAPI.jar,etc) and check and stored new versions. |
| * generated the dist jar with version (i.e. xmlsec-1.2.1.jar instead of plain xmlsec.jar) |
| * Clean unused build*.xml files. |
| |
| |
| ############################################################################## |
| # New in v1.0.3 24. May 2002 |
| ############################################################################## |
| |
| IMPORTANT: |
| |
| - The different classes do not call Init.init() any longer. This must be done |
| by YOU in your application. If you miss that, you'll get many |
| AlgorithmNotRegistered exceptions... |
| |
| -------------------------------- |
| |
| Summary: |
| |
| - The software is faster. Especially canonicalization is between |
| factor 5--80 faster than the old one. |
| |
| - Some deprecated methods in the Canonicalizer are deleted. |
| |
| - We support Exclusive Canonicalization |
| |
| - We support the XPath Filter version 2.0 Draft. |
| |
| -------------------------------- |
| |
| Optimizations and speed-up |
| |
| - canonicalization |
| - inclusive c14n is now faster (factor between 5 and 80) |
| - transforms |
| - enveloped-signature is now faster (no XPath ops any more) |
| - base64 is now faster (no XPath ops any more) |
| - c14n is now faster (due to faster c14n algo) |
| |
| -------------------------------- |
| |
| Signature package: |
| |
| - The XMLSignatureInput which is used for passing node sets and octet |
| streams into transforms and which is also the result of transforms |
| uses a java.util.Set now instead of a NodeList for the internal |
| representation of xpath node sets. This allows easier queries in the |
| form: Is node N part of the node set. |
| |
| The implication is that you can also pass a Set which contains the nodes |
| to be canonicalized to the Canonicalizers using |
| public byte[] canonicalizeXPathNodeSet(Set xpathNodeSet) |
| |
| -------------------------------- |
| |
| Canonicalizer: |
| |
| - A bug (well, my understanding of c14n) is corrected regarding the |
| canonicalization of node sets. That bug related to the xml:* |
| attributes. See xmldsig mailing list archive @ w3.org for details. |
| |
| - removed are the methods |
| |
| - public byte[] canonicalize(Node node) |
| - public byte[] canonicalizeDocument(Document doc) |
| - public byte[] canonicalizeSingleNode(Node rootNode) |
| |
| replaced by public byte[] canonicalizeSubtree(Node node) |
| |
| - public byte[] canonicalize(NodeList xpathNodeSet) |
| |
| replaced by public byte[] canonicalizeXPathNodeSet(NodeList xpathNodeSet) |
| |
| - public void setXPath(Object xpath) |
| - public Object getXPath() |
| - public String getXPathString() |
| - public void setXPathNodeSet(NodeList nodeList) |
| |
| These are no longer in use. If you want to c14nize an xpath |
| node set, select it using CachedXPathAPI and then apply |
| canonicalizeXPathNodeSet to the node set. |
| |
| - public void setRemoveNSAttrs(boolean remove) |
| - public boolean getRemoveNSAttrs() |
| |
| The c14nizers do not add any attributes (namespaces or xml:*) |
| to the document, so these method make no sense. |
| |
| - The Canonicalizer now supports "Exclusive XML Canonicalization |
| Version 1.0" <http://www.w3.org/Signature/Drafts/xml-exc-c14n>, Rev 1.58. |
| |
| For that reason, the c14n methods allow an additional String parameter |
| for passing the inclusive namespaces. |
| |
| public byte[] canonicalizeSubtree(Node node, |
| String inclusiveNamespaces) |
| public byte[] canonicalizeXPathNodeSet(NodeList xpathNodeSet, |
| String inclusiveNamespaces) |
| |
| Such a string looks e.g. like this |
| |
| String inclusiveNamespaces = "ds xenc ex #default"; |
| |
| For more on exclusive c14n, see the spec. If you pass this parameter to the |
| regular (inclusive) c14nizer, you'll get a |
| CanonicalizationException("c14n.Canonicalizer.UnsupportedOperation") |
| |
| -------------------------------- |
| |
| Transforms: |
| |
| - The exclusive c14n is also supported by the transform framework. |
| The parameter for the inclusive namespaces is the class |
| org.apache.xml.security.transforms.params.InclusiveNamespaces |
| |
| If you want to make a Transform like this, do that: |
| |
| Document doc = ...; |
| Transforms transforms = new Transforms(doc); |
| InclusiveNamespaces incNS = new InclusiveNamespaces(doc, "ns2"); |
| transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS, |
| incNS.getElement()); |
| |
| - The XPathContainer for the XPath transform is now moved from the |
| org.apache.xml.security.c14n.helper package to |
| org.apache.xml.security.transforms.params.XPathContainer |
| |
| - The enveloped-signature transform is faster now. We don't do costly |
| XPath operations but 'simple' DOM ops. |
| |
| - Base64 is faster (no XPath ops). |
| |
| - The TransformXPath2Filter is now supported by the package. It can be used by |
| using the identifier Transforms.TRANSFORM_XPATH2FILTER in conjuction with the |
| XPath2FilterContainer for passing parameters. To know what xfilter2 is, see |
| http://www.w3.org/Signature/Drafts/xmldsig-xfilter2/ : |
| |
| Document doc = ...; |
| Transforms transforms = new Transforms(doc); |
| XPath2FilterContainer x2c = |
| // intersect |
| XPath2FilterContainer.newInstanceIntersect(doc, "//a"); |
| // subtract |
| XPath2FilterContainer.newInstanceSubtract(doc, "//a"); |
| // union |
| XPath2FilterContainer.newInstanceUnion(doc, "//a"); |
| |
| transforms.addTransform(Transforms.TRANSFORM_XPATH2FILTER, |
| x2c.getElement()); |
| |
| -------------------------------- |
| |