Bug ID: JDK-8203460 Update xmldsig implementation to Apache Santuario 2.1.1

Type: CSR
Component: security-libs
Sub-Component: javax.xml.crypto
Priority: P3
Status: Closed
Resolution: Approved
Fix Versions: 11
Submitted: 2018-05-21
Updated: 2018-06-25
Resolved: 2018-06-06
Summary
-------

The current implementation of the XMLDSig implementation inside OpenJDK was integrated in 2013, and based on [Apache Santuario](https://santuario.apache.org/) version 1.5.4. We will update it to version 2.1.1 which was released in January 2018. 

Problem
-------

Apache Santuario has introduced some new algorithms since 1.5.4 based on SHA-224, RSASSA-PSS, and SHA-3. We should update the implementation to match the current release.

Solution
--------

Update the `java.xml.crypto` module to use code from Apache Santuario release 2.1.1, and re-apply necessary OpenJDK patches. Most of the patches were not integrated to upstream repository at Apache Santuario because they are JDK 9 only (Apache Santuario still supports JDK 8).

Specification
-------------

Add some constants into `DigestMethod.java` and `SignatureMethod.java`. All these algorithms can be found in [RFC 6931](https://tools.ietf.org/html/rfc6931).

In `src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/DigestMethod.java`, add

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#sha224">
     * SHA224</a> digest method algorithm URI.
     */
    String SHA224 = "http://www.w3.org/2001/04/xmldsig-more#sha224";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#sha384">
     * SHA384</a> digest method algorithm URI.
     */
    String SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384";

    /**
     * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha3-224">
     * SHA3-224</a> digest method algorithm URI.
     */
    String SHA3_224 = "http://www.w3.org/2007/05/xmldsig-more#sha3-224";

    /**
     * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha3-256">
     * SHA3-256</a> digest method algorithm URI.
     */
    String SHA3_256 = "http://www.w3.org/2007/05/xmldsig-more#sha3-256";

    /**
     * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha3-384">
     * SHA3-384</a> digest method algorithm URI.
     */
    String SHA3_384 = "http://www.w3.org/2007/05/xmldsig-more#sha3-384";

    /**
     * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha3-512">
     * SHA3-512</a> digest method algorithm URI.
     */
    String SHA3_512 = "http://www.w3.org/2007/05/xmldsig-more#sha3-512";

In `src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/SignatureMethod.java`, add

    /**
     * The <a href="http://www.w3.org/2009/xmldsig11#dsa-sha256">DSA-SHA256</a>
     * (DSS) signature method algorithm URI.
     */
    String DSA_SHA256 = "http://www.w3.org/2009/xmldsig11#dsa-sha256";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224">
     * RSA-SHA224</a> (PKCS #1) signature method algorithm URI.
     */
    String RSA_SHA224 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">
     * RSA-SHA256</a> (PKCS #1) signature method algorithm URI.
     */
    String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384">
     * RSA-SHA384</a> (PKCS #1) signature method algorithm URI.
     */
    String RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512">
     * RSA-SHA512</a> (PKCS #1) signature method algorithm URI.
     */
    String RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";

    /**
     * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1">
     * SHA1-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
     */
    String SHA1_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1";

    /**
     * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1">
     * SHA224-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
     */
    String SHA224_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1";

    /**
     * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1">
     * SHA256-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
     */
    String SHA256_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";

    /**
     * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1">
     * SHA384-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
     */
    String SHA384_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1";

    /**
     * The <a href="http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1">
     * SHA512-RSA-MGF1</a> (PKCS #1) signature method algorithm URI.
     */
    String SHA512_RSA_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1">
     * ECDSA-SHA1</a> (FIPS 180-4) signature method algorithm URI.
     */
    String ECDSA_SHA1 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224">
     * ECDSA-SHA224</a> (FIPS 180-4) signature method algorithm URI.
     */
    String ECDSA_SHA224 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256">
     * ECDSA-SHA256</a> (FIPS 180-4) signature method algorithm URI.
     */
    String ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384">
     * ECDSA-SHA384</a> (FIPS 180-4) signature method algorithm URI.
     */
    String ECDSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512">
     * ECDSA-SHA512</a> (FIPS 180-4) signature method algorithm URI.
     */
    String ECDSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#hmac-sha224">
     * HMAC-SHA224</a> MAC signature method algorithm URI.
     */
    String HMAC_SHA224 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha224";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256">
     * HMAC-SHA256</a> MAC signature method algorithm URI.
     */
    String HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384">
     * HMAC-SHA384</a> MAC signature method algorithm URI.
     */
    String HMAC_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha384";

    /**
     * The <a href="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512">
     * HMAC-SHA512</a> MAC signature method algorithm URI.
     */
    String HMAC_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512";
Moving to Approved.
06-06-2018
Moving to Provisional.
06-06-2018
While there are changes in Java SE API, it's only new constant string fields. The scope is technically more likely to be "Implementation" because even without these fields a user can always use the string itself.
22-05-2018