luisgoncalves / xades4j

A Java library for XAdES signature services
GNU Lesser General Public License v3.0

Bump xmlsec to at least 2.3.0 #261

Closed mjechow closed 2 years ago

mjechow commented 2 years ago

What steps will reproduce the problem?

  1. It would be nice to upgrade to the latest Santuario release. xades4j builds with xmlsec-2.2.3, Santuario is currently at 3.0.0

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?

Please provide any additional information below. In versions below 2.2.3 Woodstox 5.2.1 is used and it has a known vulnerability https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250 which was fixed in https://mvnrepository.com/artifact/com.fasterxml.woodstox/woodstox-core/6.2.3

luisgoncalves commented 2 years ago

Upgrading within 2.X shouldn't be an issue. I'll check that soon.

luisgoncalves commented 2 years ago

xmlsec 2.3.0 removes the local file-system and HTTP resolvers by default: https://issues.apache.org/jira/browse/SANTUARIO-573.

Adding them if needed is easy, using one of the following:

I'll release xades4j soon and add this on the release notes as well.
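As an added example (not from this thread, xades4j or xmlsec itself): rather than re-registering the unrestricted resolvers that xmlsec 2.3.0 dropped by default, an application that really needs file references can opt in with a resolver limited to one directory. It assumes the xmlsec 2.3.x API as I know it: `ResourceResolver.register(ResourceResolverSpi, boolean)`, the public `uriToResolve`/`baseUri` fields on `ResourceResolverContext`, and `ResolverLocalFilesystem` being subclassable; the class name `RestrictedFileResolver` and the `allowedDir` policy are mine.

```java
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.xml.security.Init;
import org.apache.xml.security.utils.resolver.ResourceResolver;
import org.apache.xml.security.utils.resolver.ResourceResolverContext;
import org.apache.xml.security.utils.resolver.implementations.ResolverLocalFilesystem;

// Hypothetical resolver: only file: URIs below one allowed directory are dereferenced.
// The HTTP resolver is deliberately left unregistered, so a Reference URI in a signed
// document cannot make the verifier fetch arbitrary remote or local resources.
public final class RestrictedFileResolver extends ResolverLocalFilesystem {
    private final Path allowedDir;

    public RestrictedFileResolver(Path allowedDir) {
        this.allowedDir = allowedDir.toAbsolutePath().normalize();
    }

    @Override
    public boolean engineCanResolveURI(ResourceResolverContext context) {
        // Let the stock resolver decide whether this is a file URI at all, then apply the policy.
        return super.engineCanResolveURI(context)
                && isAllowed(context.uriToResolve, context.baseUri);
    }

    // Declared thread-safe so xmlsec 2.x reuses this configured instance instead of
    // trying to re-instantiate it through a no-arg constructor (assumption about 2.x behaviour).
    @Override
    public boolean engineIsThreadSafe() {
        return true;
    }

    // Package-visible policy check so it can be unit-tested without building a signature.
    boolean isAllowed(String uri, String baseUri) {
        try {
            URI u = new URI(uri);
            if (baseUri != null && !u.isAbsolute()) {
                u = new URI(baseUri).resolve(u);
            }
            if (!"file".equalsIgnoreCase(u.getScheme())) {
                return false;
            }
            Path p = Paths.get(u).toAbsolutePath().normalize(); // collapses "../" segments
            return p.startsWith(allowedDir);
        } catch (Exception e) {
            return false; // malformed or non-file URI: refuse rather than guess
        }
    }

    public static void install(Path allowedDir) {
        Init.init();
        // 'false' appends after the default (in-document) resolvers; nothing else is enabled.
        ResourceResolver.register(new RestrictedFileResolver(allowedDir), false);
    }
}
```

Call `RestrictedFileResolver.install(Paths.get("/srv/signed-docs"))` once at startup, before any verification; file references outside that directory still fail to resolve.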

mjechow commented 2 years ago

Fantastic, thank you!