8344137: Update XML Security for Java to 3.0.5

[pmikova]

I backport this for parity with 11.0.29-oracle from 17

Mostly clean backport:

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/Constants.java did not apply cleanly for some reason, but no changes made
test/jdk/javax/xml/crypto/dsig/GenerationTests.java - keeping the changes but disabling the actual tests because of missing JDK-8166597
test/jdk/javax/xml/crypto/dsig/PSS.java test doesn't apply to the JDK11, as it is missing JDK-8241306 - disabling it for JDK < 17

Keeping the file and changes in tests for easier future backport resolving.

---

• I confirm that I make this contribution in accordance with the OpenJDK Interim AI Policy.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change requires CSR request JDK-8345822 to be approved
• Change must not contain extraneous whitespace
• JDK-8344137 needs maintainer approval
• Commit message must refer to an issue

Issues

• JDK-8344137: Update XML Security for Java to 3.0.5 (Enhancement - P3)
• JDK-8345822: Update XML Security for Java to 3.0.5 (CSR)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/3156/head:pull/3156
$ git checkout pull/3156

Update a local copy of the PR:
$ git checkout pull/3156
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/3156/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3156

View PR using the GUI difftool:
$ git pr show -t 3156

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/3156.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back pmikova! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[mlbridge]

Webrevs

• 00: Full (2ad0f8db)

[gnu-andrew]

This mostly looks good. I think the issue with Constants.java is the context with 17u having _TAG_RSAPSSPARAMS where 11u doesn't (which may also relate to your issues with PSS.java.

I'll have to look at the two problematic tests to see what is going on there. If it's not something we can ever backport, there is no point having dead code in there, but at the moment, it's not clear to me if support is completely missing or just the variables in the Java spec which we can't backport. I'll try and get back to you on this tomorrow.

[bridgekeeper]

@pmikova This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply issue a /touch or /keepalive command to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[pmikova]

/keepalive

[openjdk]

@pmikova The pull request is being re-evaluated and the inactivity timeout has been reset.

[bridgekeeper]

@pmikova This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply issue a /touch or /keepalive command to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[pmikova]

/keepalive

[openjdk]

@pmikova The pull request is being re-evaluated and the inactivity timeout has been reset.

[bridgekeeper]

@pmikova This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply issue a /touch or /keepalive command to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[pmikova]

/keepalive

[openjdk]

@pmikova The pull request is being re-evaluated and the inactivity timeout has been reset.

[gnu-andrew]

I'll get back to this one today. Sorry for the delay.

[gnu-andrew]

@pmikova you'll need to do /template append and then tick the "I didn't use a dumb AI bot" checkbox.

[pmikova]

/template append

[openjdk]

@pmikova The pull request template has been appended to the pull request body

[gnu-andrew]

Ok, I see now why the dead code was added; the updates to 3.0.2 and 3.0.3 took this approach as well. I think it would be better to just use this opportunity to clear out this unused code. It makes it slightly easier to backport (though as you've seen, it's still not clean anyway) but it causes confusion for someone looking at the test in 11u.

After some digging, I found that the additions from this patch and 3.0.3 to GenerationTests.java would need JDK-8172366: Support SHA-3 based signatures. The ed25519 and ed448 additions for 3.0.2 would need JDK-8166597: Crypto support for the EdDSA Signature Algorithm. I don't see any likelihood of these being added to 11u at this stage.

PSS.java fails because of JDK-8241306: Add SignatureMethodParameterSpec subclass for RSASSA-PSS params being absent. It's probably the closest to working with this time the missing code being specific to XML Security. I would just remove that test.

I would suggest adding gnu-andrew@4823976 on top of your branch. This removes the unused and unsupported code in these tests and documents why.

[gnu-andrew]

You'll want to merge with master too; I'm seeing Mac test failures a while ago and for Windows, you'll want to wait for this merge