Great - thanks for testing!

—Sean

On Oct 11, 2023, at 11:43 PM, Brent Putman wrote:


Hi,

Sorry this took longer to get to than I anticipated.  I wanted to report back 
on this before the upcoming Santuario releases.

I have tested OpenSAML against a local build of xmlsec 3.0.3-SNAPSHOT, under 
JDK 17 which is the baseline for our current branch. The new RSASSA-PSS stuff 
seems to work ok.  I have unit tests that exercise signing and validation of 
all 9 of the PSS algorithm URIs, so I'd say it looks good as far as I can tell 
at this point.

Thanks for working on this!

Thanks,
Brent


On 9/13/23 1:31 PM, Brent Putman wrote:
Hi Sean,

Thanks for working on this.  I'll see about doing some local build testing in 
the next few days.

Thanks,
Brent


On 9/12/23 8:45 AM, Sean Mullan wrote:
Hi Brent,

I have fixed this issue [1] and it will be in the next 2.3.4 and 3.0.3 releases 
of Santuario. However, if you have a chance to pull the latest sources and do a 
local build to see if it addresses your concerns, that would be great and 
provide more assurance that it is working.

Thanks,
Sean

[1] https://issues.apache.org/jira/browse/SANTUARIO-604

On 8/10/23 4:26 PM, Brent Putman wrote:

On 8/10/23 1:15 PM, Sean Mullan wrote:
Yes, sorry I guess I wasn't clear enough. This is a Santuario issue. I can 
probably post a PR in the next few days that addresses this. To me this is the 
best solution if you want to provide a solution that works both with BC and the 
JDK.


Ok, thanks! Yes, I agree that it's the best solution, and should be transparent 
to users of the library.


Even if we did add direct support to the JDK for the PSS w/o param algorithm 
URIs as defined in RFC 9231, it would initially only be supported in the next 
version of JDK (22), and would need justification, etc. in order to be 
backported to earlier releases.


Yes, and even if it was in 22, it wouldn't help us much (OpenSAML/Shib) as we 
baseline only on LTS releases and so the release of our new 5.0 in the next few 
weeks will be on 17.


Also for some reason, I thought you were a Santuario Committer, so sorry if I 
implied you could do the work. :)


Ah, understood.  Yeah, only Scott from our team is currently a Santuario 
committer.

--Brent

