Hi,

Sorry this took longer to get to than I anticipated.  I wanted to report back on this before the upcoming Santuario releases.

I have tested OpenSAML against a local build of xmlsec 3.0.3-SNAPSHOT, under JDK 17 which is the baseline for our current branch. The new RSASSA-PSS stuff seems to work ok.  I have unit tests that exercise signing and validation of all 9 of the PSS algorithm URIs, so I'd say it looks good as far as I can tell at this point.

Thanks for working on this!

Thanks,
Brent


On 9/13/23 1:31 PM, Brent Putman wrote:
Hi Sean,

Thanks for working on this.  I'll see about doing some local build testing in the next few days.

Thanks,
Brent


On 9/12/23 8:45 AM, Sean Mullan wrote:
Hi Brent,

I have fixed this issue [1] and it will be in the next 2.3.4 and 3.0.3 releases of Santuario. However, if you have a chance to pull the latest sources and do a local build to see if it addresses your concerns, that would be great and provide more assurance that it is working.

Thanks,
Sean

[1] https://issues.apache.org/jira/browse/SANTUARIO-604

On 8/10/23 4:26 PM, Brent Putman wrote:

On 8/10/23 1:15 PM, Sean Mullan wrote:
Yes, sorry I guess I wasn't clear enough. This is a Santuario issue. I can probably post a PR in the next few days that addresses this. To me this is the best solution if you want to provide a solution that works both with BC and the JDK.


Ok, thanks! Yes, I agree that it's the best solution, and should be transparent to users of the library.


Even if we did add direct support to the JDK for the PSS w/o param algorithm URIs as defined in RFC 9231, it would initially only be supported in the next version of JDK (22), and would need justification, etc. in order to be backported to earlier releases.


Yes, and even if it was in 22, it wouldn't help us much (OpenSAML/Shib) as we baseline only on LTS releases and so the release of our new 5.0 in the next few weeks will be on 17.


Also for some reason, I thought you were a Santuario Committer, so sorry if I implied you could do the work. :)


Ah, understood.  Yeah, only Scott from our team is currently a Santuario committer.

--Brent
