santuario-dev mailing list archives

From Sean Mullan <Sean.Mul...@Sun.COM>
Subject Re: DO NOT REPLY [Bug 40921] - XML <X509Certificate> contents modified and signature normally validated.
Date Wed, 08 Nov 2006 19:20:19 GMT
jason marshall wrote:
> Okay.  In the Apache XMLSec code, this happens more or less
> automatically (That is, you verify the signature with
> checkSignatureValue, which takes a key as an argument, and may or may
> not also check references depending on what other settings you've
> specified).
> 
> I'm not really all that familiar with the JDK 1.6 API. In looking at
> it I see it changed quite considerably more than I expected, which
> probably explains most of my confusion.  I assumed that the bug was
> against the apache implementation (this is the apache bug database,
> right?), not JDK code.

Well, I don't think it is a bug in either implementation, but it would 
probably help to explain the difference in the Apache and JDK 6 (1.6) 
XML Signature APIs/implementation.

The API included in JDK 6 is based on JSR 105 which was a standard XML 
Signature API defined via the Java Community Process. The reference 
implementation of JSR 105 that is included in JDK 6 is based on the 
Apache Java XML Security implementation.

The JSR 105 API and code were contributed back to the Apache Software 
Foundation. It will be included in the next Apache XML Security release 
(1.4) which should be available soon. You can download the source and 
build it yourself now if you choose.

Don't worry though - we plan to continue to include both the JSR 105 API 
and the current Apache XML Security API, though I would encourage you to 
transition over time to the standard JSR 105 API.

--Sean
