8344137: Update XML Security for Java to 3.0.5

Reviewed-by: mullan

Author: wangweij

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/algorithms/JCEMapper.java

@@ -207,6 +207,22 @@ public static void registerDefaultAlgorithms() {
             XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA512,
             new Algorithm("EC", "SHA512withECDSA", "Signature")
         );
+        algorithmsMap.put(
+            XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA3_224,
+            new Algorithm("EC", "SHA3-224withECDSA", "Signature")
+        );
+        algorithmsMap.put(
+            XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA3_256,
+            new Algorithm("EC", "SHA3-256withECDSA", "Signature")
+        );
+        algorithmsMap.put(
+            XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA3_384,
+            new Algorithm("EC", "SHA3-384withECDSA", "Signature")
+        );
+        algorithmsMap.put(
+            XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA3_512,
+            new Algorithm("EC", "SHA3-512withECDSA", "Signature")
+        );
         algorithmsMap.put(
             XMLSignature.ALGO_ID_SIGNATURE_ECDSA_RIPEMD160,
             new Algorithm("EC", "RIPEMD160withECDSA", "Signature")

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/algorithms/MessageDigestAlgorithm.java

@@ -103,7 +103,7 @@ public static MessageDigestAlgorithm getInstance(
         return new MessageDigestAlgorithm(doc, algorithmURI);
     }
 
-    private static MessageDigest getDigestInstance(String algorithmURI) throws XMLSignatureException {
+    public static MessageDigest getDigestInstance(String algorithmURI) throws XMLSignatureException {
         String algorithmID = JCEMapper.translateURItoJCEID(algorithmURI);
 
         if (algorithmID == null) {

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/algorithms/SignatureAlgorithm.java

@@ -494,6 +494,18 @@ public static void registerDefaultAlgorithms() {
         algorithmHash.put(
             XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA512, SignatureECDSA.SignatureECDSASHA512.class
         );
+        algorithmHash.put(
+            XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA3_224, SignatureECDSA.SignatureECDSASHA3_224.class
+        );
+        algorithmHash.put(
+            XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA3_256, SignatureECDSA.SignatureECDSASHA3_256.class
+        );
+        algorithmHash.put(
+                XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA3_384, SignatureECDSA.SignatureECDSASHA3_384.class
+        );
+        algorithmHash.put(
+                XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA3_512, SignatureECDSA.SignatureECDSASHA3_512.class
+        );
         algorithmHash.put(
             XMLSignature.ALGO_ID_SIGNATURE_ECDSA_RIPEMD160, SignatureECDSA.SignatureECDSARIPEMD160.class
         );

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/algorithms/implementations/ECDSAUtils.java

@@ -770,6 +770,46 @@ public static byte[] convertXMLDSIGtoASN1(byte[] xmldsigBytes) throws IOExceptio
                         "0340340340340340340340340340340340340340340340340340340323c313fab50589703b5ec68d3587fec60d161cc149c1ad4a91",
                         0x2760)
         );
+
+        ecCurveDefinitions.add(
+                new ECCurveDefinition(
+                        "brainpoolP256r1 [RFC 5639]",
+                        "1.3.36.3.3.2.8.1.1.7",
+                        "a9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377",
+                        "7d5a0975fc2c3057eef67530417affe7fb8055c126dc5c6ce94a4b44f330b5d9",
+                        "26dc5c6ce94a4b44f330b5d9bbd77cbf958416295cf7e1ce6bccdc18ff8c07b6",
+                        "8bd2aeb9cb7e57cb2c4b482ffc81b7afb9de27e1e3bd23c23a4453bd9ace3262",
+                        "547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f046997",
+                        "a9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a7",
+                        1)
+        );
+
+        ecCurveDefinitions.add(
+                new ECCurveDefinition(
+                        "brainpoolP384r1 [RFC 5639]",
+                        "1.3.36.3.3.2.8.1.1.11",
+                        "8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53",
+                        "7bc382c63d8c150c3c72080ace05afa0c2bea28e4fb22787139165efba91f90f8aa5814a503ad4eb04a8c7dd22ce2826",
+                        "04a8c7dd22ce28268b39b55416f0447c2fb77de107dcd2a62e880ea53eeb62d57cb4390295dbc9943ab78696fa504c11",
+                        "1d1c64f068cf45ffa2a63a81b7c13f6b8847a3e77ef14fe3db7fcafe0cbd10e8e826e03436d646aaef87b2e247d4af1e",
+                        "8abe1d7520f9c2a45cb1eb8e95cfd55262b70b29feec5864e19c054ff99129280e4646217791811142820341263c5315",
+                        "8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b31f166e6cac0425a7cf3ab6af6b7fc3103b883202e9046565",
+                        1)
+        );
+
+        ecCurveDefinitions.add(
+                new ECCurveDefinition(
+                        "brainpoolP512r1 [RFC 5639]",
+                        "1.3.36.3.3.2.8.1.1.13",
+                        "aadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f3",
+                        "7830a3318b603b89e2327145ac234cc594cbdd8d3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94ca",
+                        "3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94cadc083e67984050b75ebae5dd2809bd638016f723",
+                        "81aee4bdd82ed9645a21322e9c4c6a9385ed9f70b5d916c1b43b62eef4d0098eff3b1f78e2d0d48d50d1687b93b97d5f7c6d5047406a5e688b352209bcb9f822",
+                        "7dde385d566332ecc0eabfa9cf7822fdf209f70024a57b1aa000c55b881f8111b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892",
+                        "aadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca70330870553e5c414ca92619418661197fac10471db1d381085ddaddb58796829ca90069",
+                        1)
+        );
+
     }
 
     public static String getOIDFromPublicKey(ECPublicKey ecPublicKey) {

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/algorithms/implementations/SignatureBaseRSA.java

@@ -66,8 +66,7 @@ public SignatureBaseRSA() throws XMLSignatureException {
     public SignatureBaseRSA(Provider provider) throws XMLSignatureException {
         String algorithmID = JCEMapper.translateURItoJCEID(this.engineGetURI());
         this.signatureAlgorithm = getSignature(provider, algorithmID);
-        LOG.debug("Created SignatureRSA using {0} and provider {1}",
-            algorithmID, signatureAlgorithm.getProvider());
+        LOG.debug("Created SignatureRSA using {0}", algorithmID);
     }
 
     Signature getSignature(Provider provider, String algorithmID)

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/algorithms/implementations/SignatureECDSA.java

@@ -371,6 +371,110 @@ public String engineGetURI() {
         }
     }
 
+    /**
+     * Class SignatureECDSASHA3-224
+     *
+     */
+    public static class SignatureECDSASHA3_224 extends SignatureECDSA {
+
+        /**
+         * Constructor SignatureECDSASHA3-224
+         *
+         * @throws XMLSignatureException
+         */
+        public SignatureECDSASHA3_224() throws XMLSignatureException {
+            super();
+        }
+
+        public SignatureECDSASHA3_224(Provider provider) throws XMLSignatureException {
+            super(provider);
+        }
+
+        /** {@inheritDoc} */
+        @Override
+        public String engineGetURI() {
+            return XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA3_224;
+        }
+    }
+
+    /**
+     * Class SignatureECDSASHA3-256
+     *
+     */
+    public static class SignatureECDSASHA3_256 extends SignatureECDSA {
+
+        /**
+         * Constructor SignatureECDSASHA3-256
+         *
+         * @throws XMLSignatureException
+         */
+        public SignatureECDSASHA3_256() throws XMLSignatureException {
+            super();
+        }
+
+        public SignatureECDSASHA3_256(Provider provider) throws XMLSignatureException {
+            super(provider);
+        }
+
+        /** {@inheritDoc} */
+        @Override
+        public String engineGetURI() {
+            return XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA3_256;
+        }
+    }
+
+    /**
+     * Class SignatureECDSASHA3-384
+     *
+     */
+    public static class SignatureECDSASHA3_384 extends SignatureECDSA {
+
+        /**
+         * Constructor SignatureECDSASHA3-384
+         *
+         * @throws XMLSignatureException
+         */
+        public SignatureECDSASHA3_384() throws XMLSignatureException {
+            super();
+        }
+
+        public SignatureECDSASHA3_384(Provider provider) throws XMLSignatureException {
+            super(provider);
+        }
+
+        /** {@inheritDoc} */
+        @Override
+        public String engineGetURI() {
+            return XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA3_384;
+        }
+    }
+
+    /**
+     * Class SignatureECDSASHA3-512
+     *
+     */
+    public static class SignatureECDSASHA3_512 extends SignatureECDSA {
+
+        /**
+         * Constructor SignatureECDSASHA3-512
+         *
+         * @throws XMLSignatureException
+         */
+        public SignatureECDSASHA3_512() throws XMLSignatureException {
+            super();
+        }
+
+        public SignatureECDSASHA3_512(Provider provider) throws XMLSignatureException {
+            super(provider);
+        }
+
+        /** {@inheritDoc} */
+        @Override
+        public String engineGetURI() {
+            return XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA3_512;
+        }
+    }
+
     /**
      * Class SignatureECDSARIPEMD160
      */

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/keys/KeyInfo.java

@@ -32,15 +32,7 @@
 import javax.crypto.SecretKey;
 
 import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityException;
-import com.sun.org.apache.xml.internal.security.keys.content.DEREncodedKeyValue;
-import com.sun.org.apache.xml.internal.security.keys.content.KeyInfoReference;
-import com.sun.org.apache.xml.internal.security.keys.content.KeyName;
-import com.sun.org.apache.xml.internal.security.keys.content.KeyValue;
-import com.sun.org.apache.xml.internal.security.keys.content.MgmtData;
-import com.sun.org.apache.xml.internal.security.keys.content.PGPData;
-import com.sun.org.apache.xml.internal.security.keys.content.RetrievalMethod;
-import com.sun.org.apache.xml.internal.security.keys.content.SPKIData;
-import com.sun.org.apache.xml.internal.security.keys.content.X509Data;
+import com.sun.org.apache.xml.internal.security.keys.content.*;
 import com.sun.org.apache.xml.internal.security.keys.content.keyvalues.DSAKeyValue;
 import com.sun.org.apache.xml.internal.security.keys.content.keyvalues.RSAKeyValue;
 import com.sun.org.apache.xml.internal.security.keys.keyresolver.KeyResolver;
@@ -50,7 +42,6 @@
 import com.sun.org.apache.xml.internal.security.transforms.Transforms;
 import com.sun.org.apache.xml.internal.security.utils.Constants;
 import com.sun.org.apache.xml.internal.security.utils.ElementProxy;
-import com.sun.org.apache.xml.internal.security.utils.SignatureElementProxy;
 import com.sun.org.apache.xml.internal.security.utils.XMLUtils;
 import org.w3c.dom.Attr;
 import org.w3c.dom.Document;
@@ -88,7 +79,7 @@
  * contains the corresponding type.
  *
  */
-public class KeyInfo extends SignatureElementProxy {
+public class KeyInfo extends ElementProxy {
 
     private static final com.sun.org.slf4j.internal.Logger LOG =
         com.sun.org.slf4j.internal.LoggerFactory.getLogger(KeyInfo.class);
@@ -231,12 +222,24 @@ public void add(RSAKeyValue rsakeyvalue) {
     }
 
     /**
-     * Method add
+     * Method adds public key encoded as KeyValue. If public key type is not supported by KeyValue, then
+     * DEREncodedKeyValue is used. If public key type is not supported by DEREncodedKeyValue, then
+     * IllegalArgumentException is thrown.
      *
-     * @param pk
+     * @param pk public key to be added to KeyInfo
      */
-    public void add(PublicKey pk) {
-        this.add(new KeyValue(getDocument(), pk));
+    public void add(PublicKey pk)  {
+
+        if (KeyValue.isSupportedKeyType(pk)) {
+            this.add(new KeyValue(getDocument(), pk));
+            return;
+        }
+
+        try {
+            this.add(new DEREncodedKeyValue(getDocument(), pk));
+        } catch (XMLSecurityException ex) {
+            throw new IllegalArgumentException(ex);
+        }
     }
 
     /**
@@ -772,6 +775,7 @@ public boolean containsKeyInfoReference() {
         return this.lengthKeyInfoReference() > 0;
     }
 
+
     /**
      * This method returns the public key.
      *
@@ -1188,4 +1192,10 @@ public void addStorageResolver(StorageResolver storageResolver) {
     public String getBaseLocalName() {
         return Constants._TAG_KEYINFO;
     }
+
+    /** {@inheritDoc} */
+    @Override
+    public String getBaseNamespace() {
+        return Constants.SignatureSpecNS;
+    }
 }

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/keys/content/DEREncodedKeyValue.java

@@ -41,7 +41,10 @@
 public class DEREncodedKeyValue extends Signature11ElementProxy implements KeyInfoContent {
 
     /** JCA algorithm key types supported by this implementation. */
-    private static final String[] supportedKeyTypes = { "RSA", "DSA", "EC"};
+    private static final String[] supportedKeyTypes = { "RSA", "DSA", "EC",
+            "DiffieHellman", "DH", "XDH", "X25519", "X448",
+            "EdDSA", "Ed25519", "Ed448",
+            "RSASSA-PSS"};
 
     /**
      * Constructor DEREncodedKeyValue
@@ -144,5 +147,4 @@ protected byte[] getEncodedDER(PublicKey publicKey) throws XMLSecurityException
             throw new XMLSecurityException(e, "DEREncodedKeyValue.UnsupportedPublicKey", exArgs);
         }
     }
-
 }

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/keys/content/KeyValue.java

@@ -41,7 +41,6 @@
  * (section 6.4). The KeyValue element may include externally defined public
  * keys values represented as PCDATA or element types from an external
  * namespace.
- *
  */
 public class KeyValue extends SignatureElementProxy implements KeyInfoContent {
 
@@ -120,6 +119,20 @@ public KeyValue(Document doc, PublicKey pk) {
         }
     }
 
+    /**
+     * Verifies that the XML KeyValue encoding is supported for the given key type. If the
+     * encoding is supported, it returns true else false.
+     *
+     * @return true if the public key has a KeyValue encoding, false otherwise.
+     */
+    public static boolean isSupportedKeyType(PublicKey publicKey) {
+
+        return publicKey instanceof java.security.interfaces.DSAPublicKey
+                || publicKey instanceof java.security.interfaces.RSAPublicKey
+                || publicKey instanceof java.security.interfaces.ECPublicKey;
+
+    }
+
     /**
      * Constructor KeyValue
      *

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/keys/content/keyvalues/ECKeyValue.java

@@ -91,6 +91,45 @@ public class ECKeyValue extends Signature11ElementProxy implements KeyValueConte
         1
     );
 
+    /* Supported curve brainpoolP256r1 */
+    private static final Curve BRAINPOOLP256R1 = initializeCurve(
+            "brainpoolP256r1 [RFC 5639]",
+            "1.3.36.3.3.2.8.1.1.7",
+            "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377",
+            "7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9",
+            "26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6",
+            "8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262",
+            "547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997",
+            "A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7",
+            1
+    );
+
+    /* Supported curve brainpoolP384r1 */
+    private static final Curve BRAINPOOLP384R1 = initializeCurve(
+            "brainpoolP384r1 [RFC 5639]",
+            "1.3.36.3.3.2.8.1.1.11",
+            "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53",
+            "7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F90F8AA5814A503AD4EB04A8C7DD22CE2826",
+            "04A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62D57CB4390295DBC9943AB78696FA504C11",
+            "1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E",
+            "8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315",
+            "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565",
+            1
+    );
+
+    /* Supported curve brainpoolP512r1 */
+    private static final Curve BRAINPOOLP512R1 = initializeCurve(
+            "brainpoolP512r1 [RFC 5639]",
+            "1.3.36.3.3.2.8.1.1.13",
+            "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3",
+            "7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA",
+            "3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723",
+            "81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822",
+            "7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892",
+            "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069",
+            1
+    );
+
     private static Curve initializeCurve(String name, String oid,
             String sfield, String a, String b,
             String x, String y, String n, int h) {
@@ -264,7 +303,13 @@ private static String getCurveOid(ECParameterSpec params) {
             match = SECP384R1;
         } else if (matchCurve(params, SECP521R1)) {
             match = SECP521R1;
-        } else {
+        } else if (matchCurve(params, BRAINPOOLP256R1)) {
+            match = BRAINPOOLP256R1;
+        } else if (matchCurve(params, BRAINPOOLP384R1)) {
+            match = BRAINPOOLP384R1;
+        } else if (matchCurve(params, BRAINPOOLP512R1)) {
+            match = BRAINPOOLP512R1;
+        }else {
             return null;
         }
         return match.getObjectId();
@@ -332,6 +377,12 @@ private static ECParameterSpec getECParameterSpec(String oid) {
             return SECP384R1;
         } else if (oid.equals(SECP521R1.getObjectId())) {
             return SECP521R1;
+        } else if (oid.equals(BRAINPOOLP256R1.getObjectId())) {
+            return BRAINPOOLP256R1;
+        } else if (oid.equals(BRAINPOOLP384R1.getObjectId())) {
+            return BRAINPOOLP384R1;
+        } else if (oid.equals(BRAINPOOLP512R1.getObjectId())) {
+            return BRAINPOOLP512R1;
         } else {
             return null;
         }

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/resource/xmlsecurity_de.properties

@@ -30,7 +30,7 @@ algorithms.HMACOutputLengthMax = HMACOutputLength darf nicht grosser als {0} sei
 algorithms.HMACOutputLengthMin = HMACOutputLength darf nicht kleiner als {0} sein
 algorithms.HMACOutputLengthOnlyForHMAC = Die HMACOutputLength kann nur bei HMAC integrit\u00e4ts Algorithmen angegeben werden
 algorithms.MissingRSAPSSParams = RSAPSSParams is a required Element for http://www.w3.org/2007/05/xmldsig-more#rsa-pss
-algorithms.NoSuchAlgorithm = Der Algorithmus {0} ist nicht verf\u00fcgbar.
+algorithms.NoSuchAlgorithmNoEx = Der Algorithmus {0} ist nicht verf\u00fcgbar.
 algorithms.NoSuchAlgorithm = Der Algorithmus {0} ist nicht verf\u00fcgbar. Original Nachricht war\: {1}
 algorithms.NoSuchMap = Algorithmus URI "{0}" konnte auf keinen JCE Algorithmus gemappt werden
 algorithms.NoSuchProvider = Der angegebene Provider {0} existiert nicht. Original Nachricht war\: {1}

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/signature/XMLSignature.java

@@ -209,6 +209,23 @@ public final class XMLSignature extends SignatureElementProxy {
     public static final String ALGO_ID_SIGNATURE_EDDSA_ED448 =
             "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448";
 
+
+    /**Signature - SHA3-224withECDSA */
+    public static final String ALGO_ID_SIGNATURE_ECDSA_SHA3_224 =
+            "http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-224";
+
+    /**Signature - SHA3-256withECDSA */
+    public static final String ALGO_ID_SIGNATURE_ECDSA_SHA3_256 =
+            "http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-256";
+
+    /**Signature - SHA3-384withECDSA */
+    public static final String ALGO_ID_SIGNATURE_ECDSA_SHA3_384 =
+            "http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-384";
+
+    /**Signature - SHA3-512withECDSA */
+    public static final String ALGO_ID_SIGNATURE_ECDSA_SHA3_512 =
+            "http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-512";
+
     /** Signature - Optional RSASSA-PSS */
     public static final String ALGO_ID_SIGNATURE_RSA_PSS =
             Constants.XML_DSIG_NS_MORE_07_05 + "rsa-pss";

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/Constants.java

@@ -71,6 +71,9 @@ public final class Constants {
     /** The (newer) URL for more algorithms **/
     public static final String XML_DSIG_NS_MORE_07_05 = "http://www.w3.org/2007/05/xmldsig-more#";
 
+    /** The 2021 xmldsig-more URL for Internet Engineering Task Force (IETF) algorithms **/
+    public static final String XML_DSIG_NS_MORE_21_04 = "http://www.w3.org/2021/04/xmldsig-more#";
+
     /** The URI for XML spec*/
     public static final String XML_LANG_SPACE_SpecNS = "http://www.w3.org/XML/1998/namespace";
 
@@ -144,6 +147,9 @@ public final class Constants {
     /** Tag of Element MaskGenerationFunction **/
     public static final String _TAG_MGF = "MaskGenerationFunction";
 
+    /** Tag of Element Salt **/
+    public static final String _TAG_SALT = "Salt";
+
     /** Tag of Element SaltLength **/
     public static final String _TAG_SALTLENGTH = "SaltLength";
 

src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/ElementProxy.java

@@ -512,6 +512,9 @@ public static void registerDefaultPrefixes() throws XMLSecurityException {
             "http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/#xpathFilter", "xx"
         );
         setNamespacePrefix("http://www.w3.org/2009/xmldsig11#", "dsig11");
+        setNamespacePrefix("http://www.w3.org/2001/04/xmldsig-more", "rfc4051");
+        setNamespacePrefix("http://www.w3.org/2007/05/xmldsig-more#", "rfc6931");
+        setNamespacePrefix("http://www.w3.org/2021/04/xmldsig-more#", "rfc9231");
     }
 
     /**

src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/SignatureMethod.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -312,6 +312,42 @@ public interface SignatureMethod extends XMLStructure, AlgorithmMethod {
             "http://www.w3.org/2007/05/xmldsig-more#sha3-512-rsa-MGF1";
 
 
+    /**
+     * The <a href="http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-224">
+     * ECDSA-SHA3-224</a> signature method algorithm URI.
+     *
+     * @since 25
+     */
+    String ECDSA_SHA3_224 =
+            "http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-224";
+
+    /**
+     * The <a href="http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-256">
+     * ECDSA-SHA3-256</a> signature method algorithm URI.
+     *
+     * @since 25
+     */
+    String ECDSA_SHA3_256 =
+            "http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-256";
+
+    /**
+     * The <a href="http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-384">
+     * ECDSA-SHA3-384</a> signature method algorithm URI.
+     *
+     * @since 25
+     */
+    String ECDSA_SHA3_384 =
+            "http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-384";
+
+    /**
+     * The <a href="http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-512">
+     * ECDSA-SHA3-512</a> signature method algorithm URI.
+     *
+     * @since 25
+     */
+    String ECDSA_SHA3_512 =
+            "http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-512";
+
     /**
      * Returns the algorithm-specific input parameters of this
      * <code>SignatureMethod</code>.

src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMKeyInfoFactory.java

@@ -81,7 +81,7 @@ public KeyValue newKeyValue(PublicKey key)  throws KeyException {
         String algorithm = key.getAlgorithm();
         if ("DSA".equals(algorithm)) {
             return new DOMKeyValue.DSA((DSAPublicKey) key);
-        } else if ("RSA".equals(algorithm)) {
+        } else if ("RSA".equals(algorithm) || "RSASSA-PSS".equals(algorithm)) {
             return new DOMKeyValue.RSA((RSAPublicKey) key);
         } else if ("EC".equals(algorithm)) {
             return new DOMKeyValue.EC((ECPublicKey) key);

src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMKeyValue.java

@@ -241,6 +241,33 @@ RSAPublicKey unmarshalKeyValue(Element kvtElem)
             RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, exponent);
             return (RSAPublicKey) generatePublicKey(rsakf, spec);
         }
+
+        @Override
+        public boolean equals(Object obj) {
+            if (this == obj) {
+                return true;
+            }
+            if (!(obj instanceof KeyValue)) {
+                return false;
+            }
+            // This equality test allows RSA keys that have different
+            // algorithms (ex: RSA and RSASSA-PSS) to be equal as long
+            // as the key is the same.
+            try {
+                PublicKey otherKey = ((KeyValue)obj).getPublicKey();
+                if (!(otherKey instanceof RSAPublicKey)) {
+                    return false;
+                }
+                RSAPublicKey otherRSAKey = (RSAPublicKey)otherKey;
+                RSAPublicKey rsaKey = (RSAPublicKey)getPublicKey();
+                return rsaKey.getPublicExponent().equals(
+                            otherRSAKey.getPublicExponent())
+                        && rsaKey.getModulus().equals(otherRSAKey.getModulus());
+            } catch (KeyException ke) {
+                // no practical way to determine if the keys are equal
+                return false;
+            }
+        }
     }
 
     static final class DSA extends DOMKeyValue<DSAPublicKey> {
@@ -369,6 +396,42 @@ static final class EC extends DOMKeyValue<ECPublicKey> {
             1
         );
 
+        private static final Curve BRAINPOOLP256R1 = initializeCurve(
+                "brainpoolP256r1 [RFC 5639]",
+                "1.3.36.3.3.2.8.1.1.7",
+                "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377",
+                "7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9",
+                "26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6",
+                "8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262",
+                "547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997",
+                "A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7",
+                1
+        );
+
+        private static final Curve BRAINPOOLP384R1 = initializeCurve(
+                "brainpoolP384r1 [RFC 5639]",
+                "1.3.36.3.3.2.8.1.1.11",
+                "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53",
+                "7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F90F8AA5814A503AD4EB04A8C7DD22CE2826",
+                "04A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62D57CB4390295DBC9943AB78696FA504C11",
+                "1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E",
+                "8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315",
+                "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565",
+                1
+        );
+
+        private static final Curve BRAINPOOLP512R1 = initializeCurve(
+                "brainpoolP512r1 [RFC 5639]",
+                "1.3.36.3.3.2.8.1.1.13",
+                "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3",
+                "7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA",
+                "3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723",
+                "81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822",
+                "7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892",
+                "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069",
+                1
+        );
+
         private static Curve initializeCurve(String name, String oid,
                 String sfield, String a, String b,
                 String x, String y, String n, int h) {
@@ -448,6 +511,12 @@ private static String getCurveOid(ECParameterSpec params) {
                 match = SECP384R1;
             } else if (matchCurve(params, SECP521R1)) {
                 match = SECP521R1;
+            } else if (matchCurve(params, BRAINPOOLP256R1)) {
+                match = BRAINPOOLP256R1;
+            } else if (matchCurve(params, BRAINPOOLP384R1)) {
+                match = BRAINPOOLP384R1;
+            } else if (matchCurve(params, BRAINPOOLP512R1)) {
+                match = BRAINPOOLP512R1;
             } else {
                 return null;
             }
@@ -485,7 +554,7 @@ void marshalPublicKey(Node parent, Document doc, String dsPrefix,
             DOMUtils.setAttribute(namedCurveElem, "URI", "urn:oid:" + oid);
             String qname = (prefix == null || prefix.length() == 0)
                        ? "xmlns" : "xmlns:" + prefix;
-            namedCurveElem.setAttributeNS("http://www.w3.org/2000/xmlns/",
+            ecKeyValueElem.setAttributeNS("http://www.w3.org/2000/xmlns/",
                                           qname, XMLDSIG_11_XMLNS);
             ecKeyValueElem.appendChild(namedCurveElem);
             String encoded = XMLUtils.encodeToString(ecPublicKey);
@@ -555,6 +624,12 @@ private static ECParameterSpec getECParameterSpec(String oid) {
                 return SECP384R1;
             } else if (oid.equals(SECP521R1.getObjectId())) {
                 return SECP521R1;
+            } else if (oid.equals(BRAINPOOLP256R1.getObjectId())) {
+                return BRAINPOOLP256R1;
+            } else if (oid.equals(BRAINPOOLP384R1.getObjectId())) {
+                return BRAINPOOLP384R1;
+            } else if (oid.equals(BRAINPOOLP512R1.getObjectId())) {
+                return BRAINPOOLP512R1;
             } else {
                 return null;
             }

src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java

@@ -100,6 +100,14 @@ public abstract class DOMSignatureMethod extends AbstractDOMSignatureMethod {
         "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519";
     static final String ED448 =
         "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448";
+    static final String ECDSA_SHA3_224 =
+        "http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-224";
+    static final String ECDSA_SHA3_256 =
+        "http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-256";
+    static final String ECDSA_SHA3_384 =
+        "http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-384";
+    static final String ECDSA_SHA3_512 =
+        "http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-512";
 
     // see RFC 6931 for these algorithm definitions
     static final String ECDSA_RIPEMD160 =
@@ -241,6 +249,14 @@ static SignatureMethod unmarshal(Element smElem) throws MarshalException {
             return new SHA384withECDSA(smElem);
         } else if (alg.equals(ECDSA_SHA512)) {
             return new SHA512withECDSA(smElem);
+        } else if (alg.equals(ECDSA_SHA3_224)) {
+            return new SHA3_224withECDSA(smElem);
+        } else if (alg.equals(ECDSA_SHA3_256)) {
+            return new SHA3_256withECDSA(smElem);
+        } else if (alg.equals(ECDSA_SHA3_384)) {
+            return new SHA3_384withECDSA(smElem);
+        } else if (alg.equals(ECDSA_SHA3_512)) {
+            return new SHA3_512withECDSA(smElem);
         } else if (alg.equals(ECDSA_RIPEMD160)) {
             return new RIPEMD160withECDSA(smElem);
         } else if (alg.equals(SignatureMethod.HMAC_SHA1)) {
@@ -1160,6 +1176,94 @@ String getJCAFallbackAlgorithm() {
         }
     }
 
+    static final class SHA3_224withECDSA extends AbstractECDSASignatureMethod {
+        SHA3_224withECDSA(AlgorithmParameterSpec params)
+                throws InvalidAlgorithmParameterException {
+            super(params);
+        }
+        SHA3_224withECDSA(Element dmElem) throws MarshalException {
+            super(dmElem);
+        }
+        @Override
+        public String getAlgorithm() {
+            return ECDSA_SHA3_224;
+        }
+        @Override
+        String getJCAAlgorithm() {
+            return "SHA3-224withECDSAinP1363Format";
+        }
+        @Override
+        String getJCAFallbackAlgorithm() {
+            return "SHA3-224withECDSA";
+        }
+    }
+
+    static final class SHA3_256withECDSA extends AbstractECDSASignatureMethod {
+        SHA3_256withECDSA(AlgorithmParameterSpec params)
+                throws InvalidAlgorithmParameterException {
+            super(params);
+        }
+        SHA3_256withECDSA(Element dmElem) throws MarshalException {
+            super(dmElem);
+        }
+        @Override
+        public String getAlgorithm() {
+            return ECDSA_SHA3_256;
+        }
+        @Override
+        String getJCAAlgorithm() {
+            return "SHA3-256withECDSAinP1363Format";
+        }
+        @Override
+        String getJCAFallbackAlgorithm() {
+            return "SHA3-256withECDSA";
+        }
+    }
+
+    static final class SHA3_384withECDSA extends AbstractECDSASignatureMethod {
+        SHA3_384withECDSA(AlgorithmParameterSpec params)
+                throws InvalidAlgorithmParameterException {
+            super(params);
+        }
+        SHA3_384withECDSA(Element dmElem) throws MarshalException {
+            super(dmElem);
+        }
+        @Override
+        public String getAlgorithm() {
+            return ECDSA_SHA3_384;
+        }
+        @Override
+        String getJCAAlgorithm() {
+            return "SHA3-384withECDSAinP1363Format";
+        }
+        @Override
+        String getJCAFallbackAlgorithm() {
+            return "SHA3-384withECDSA";
+        }
+    }
+
+    static final class SHA3_512withECDSA extends AbstractECDSASignatureMethod {
+        SHA3_512withECDSA(AlgorithmParameterSpec params)
+                throws InvalidAlgorithmParameterException {
+            super(params);
+        }
+        SHA3_512withECDSA(Element dmElem) throws MarshalException {
+            super(dmElem);
+        }
+        @Override
+        public String getAlgorithm() {
+            return ECDSA_SHA3_512;
+        }
+        @Override
+        String getJCAAlgorithm() {
+            return "SHA3-512withECDSAinP1363Format";
+        }
+        @Override
+        String getJCAFallbackAlgorithm() {
+            return "SHA3-512withECDSA";
+        }
+    }
+
     static final class RIPEMD160withECDSA extends AbstractECDSASignatureMethod {
         RIPEMD160withECDSA(AlgorithmParameterSpec params)
             throws InvalidAlgorithmParameterException {

src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMXMLSignatureFactory.java

@@ -345,6 +345,14 @@ public SignatureMethod newSignatureMethod(String algorithm,
             return new DOMSignatureMethod.SHA384withECDSA(params);
         } else if (algorithm.equals(DOMSignatureMethod.ECDSA_SHA512)) {
             return new DOMSignatureMethod.SHA512withECDSA(params);
+        }  else if (algorithm.equals(DOMSignatureMethod.ECDSA_SHA3_224)) {
+            return new DOMSignatureMethod.SHA3_224withECDSA(params);
+        } else if (algorithm.equals(DOMSignatureMethod.ECDSA_SHA3_256)) {
+            return new DOMSignatureMethod.SHA3_256withECDSA(params);
+        } else if (algorithm.equals(DOMSignatureMethod.ECDSA_SHA3_384)) {
+            return new DOMSignatureMethod.SHA3_384withECDSA(params);
+        } else if (algorithm.equals(DOMSignatureMethod.ECDSA_SHA3_512)) {
+            return new DOMSignatureMethod.SHA3_512withECDSA(params);
         } else if (algorithm.equals(DOMSignatureMethod.ECDSA_RIPEMD160)) {
             return new DOMSignatureMethod.RIPEMD160withECDSA(params);
         } else if (algorithm.equals(DOMSignatureMethod.ED25519)) {

src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/XMLDSigRI.java

@@ -142,7 +142,7 @@ public Object newInstance(Object ctrParamObj)
     @SuppressWarnings("removal")
     public XMLDSigRI() {
         // This is the JDK XMLDSig provider, synced from
-        // Apache Santuario XML Security for Java, version 3.0.3
+        // Apache Santuario XML Security for Java, version 3.0.5
         super("XMLDSig", VER, INFO);
 
         final Provider p = this;

src/java.xml.crypto/share/legal/santuario.md

@@ -1,4 +1,4 @@
-## Apache Santuario v3.0.3
+## Apache Santuario v3.0.5
 
 ### Apache 2.0 License
 ```
@@ -211,7 +211,7 @@ limitations under the License.
 ```
 
 Apache Santuario - XML Security for Java
-Copyright 1999-2023 The Apache Software Foundation
+Copyright 1999-2024 The Apache Software Foundation
 
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
@@ -223,5 +223,5 @@ The development of this software was partly funded by the European
 Commission in the <WebSig> project in the ISIS Programme.
 
 This product contains software that is
-copyright (c) 2021, Oracle and/or its affiliates.
+copyright (c) 2021, 2023, Oracle and/or its affiliates.
 ```

test/jdk/javax/xml/crypto/dsig/GenerationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,7 +24,7 @@
 /**
  * @test
  * @bug 4635230 6283345 6303830 6824440 6867348 7094155 8038184 8038349 8046949
- *      8046724 8079693 8177334 8205507 8210736 8217878 8241306 8305972
+ *      8046724 8079693 8177334 8205507 8210736 8217878 8241306 8305972 8344137
  * @summary Basic unit tests for generating XML Signatures with JSR 105
  * @modules java.base/sun.security.util
  *          java.base/sun.security.x509
@@ -99,6 +99,7 @@ public class GenerationTests {
     private static SignatureMethod dsaSha1, dsaSha256,
             rsaSha1, rsaSha224, rsaSha256, rsaSha384, rsaSha512,
             ecdsaSha1, ecdsaSha224, ecdsaSha256, ecdsaSha384, ecdsaSha512,
+            ecdsaSha3_224, ecdsaSha3_256, ecdsaSha3_384, ecdsaSha3_512,
             hmacSha1, hmacSha224, hmacSha256, hmacSha384, hmacSha512,
             rsaSha1mgf1, rsaSha224mgf1, rsaSha256mgf1, rsaSha384mgf1, rsaSha512mgf1,
             rsaSha3_224mgf1, rsaSha3_256mgf1, rsaSha3_384mgf1, rsaSha3_512mgf1,
@@ -244,9 +245,9 @@ public class GenerationTests {
                 })
                 .toArray(String[]::new);
 
-    // As of JDK 22, the number of defined algorithms are...
+    // As of JDK 25, the number of defined algorithms are...
     static {
-        if (allSignatureMethods.length != 29
+        if (allSignatureMethods.length != 33
                 || allDigestMethods.length != 9) {
             System.out.println(Arrays.toString(allSignatureMethods));
             System.out.println(Arrays.toString(allDigestMethods));
@@ -305,6 +306,10 @@ public static void main(String args[]) throws Exception {
         test_create_signature_enveloping_p256_sha256();
         test_create_signature_enveloping_p256_sha384();
         test_create_signature_enveloping_p256_sha512();
+        test_create_signature_enveloping_p256_sha3_224();
+        test_create_signature_enveloping_p256_sha3_256();
+        test_create_signature_enveloping_p256_sha3_384();
+        test_create_signature_enveloping_p256_sha3_512();
         test_create_signature_enveloping_p384_sha1();
         test_create_signature_enveloping_p521_sha1();
         test_create_signature_enveloping_ed25519();
@@ -559,6 +564,10 @@ private static void setup() throws Exception {
         ecdsaSha256 = fac.newSignatureMethod(SignatureMethod.ECDSA_SHA256, null);
         ecdsaSha384 = fac.newSignatureMethod(SignatureMethod.ECDSA_SHA384, null);
         ecdsaSha512 = fac.newSignatureMethod(SignatureMethod.ECDSA_SHA512, null);
+        ecdsaSha3_224 = fac.newSignatureMethod(SignatureMethod.ECDSA_SHA3_224, null);
+        ecdsaSha3_256 = fac.newSignatureMethod(SignatureMethod.ECDSA_SHA3_256, null);
+        ecdsaSha3_384 = fac.newSignatureMethod(SignatureMethod.ECDSA_SHA3_384, null);
+        ecdsaSha3_512 = fac.newSignatureMethod(SignatureMethod.ECDSA_SHA3_512, null);
 
         ed25519 = fac.newSignatureMethod(SignatureMethod.ED25519, null);
         ed448 = fac.newSignatureMethod(SignatureMethod.ED448, null);
@@ -892,6 +901,34 @@ static void test_create_signature_enveloping_p256_sha512() throws Exception {
         System.out.println();
     }
 
+    static void test_create_signature_enveloping_p256_sha3_224() throws Exception {
+        System.out.println("* Generating signature-enveloping-p256-sha3_224.xml");
+        test_create_signature_enveloping(sha1, ecdsaSha3_224, p256ki,
+                getECPrivateKey("P256"), kvks, false, true);
+        System.out.println();
+    }
+
+    static void test_create_signature_enveloping_p256_sha3_256() throws Exception {
+        System.out.println("* Generating signature-enveloping-p256-sha3_256.xml");
+        test_create_signature_enveloping(sha1, ecdsaSha3_256, p256ki,
+                getECPrivateKey("P256"), kvks, false, true);
+        System.out.println();
+    }
+
+    static void test_create_signature_enveloping_p256_sha3_384() throws Exception {
+        System.out.println("* Generating signature-enveloping-p256-sha3_384.xml");
+        test_create_signature_enveloping(sha1, ecdsaSha3_384, p256ki,
+                getECPrivateKey("P256"), kvks, false, true);
+        System.out.println();
+    }
+
+    static void test_create_signature_enveloping_p256_sha3_512() throws Exception {
+        System.out.println("* Generating signature-enveloping-p256-sha3_512.xml");
+        test_create_signature_enveloping(sha1, ecdsaSha3_512, p256ki,
+                getECPrivateKey("P256"), kvks, false, true);
+        System.out.println();
+    }
+
     static void test_create_signature_enveloping_p384_sha1() throws Exception {
         System.out.println("* Generating signature-enveloping-p384-sha1.xml");
         test_create_signature_enveloping(sha1, ecdsaSha1, p384ki,

test/jdk/javax/xml/crypto/dsig/PSS.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.test.lib.Asserts;
+import jdk.test.lib.security.XMLUtils;
+
+import javax.xml.crypto.dsig.DigestMethod;
+import javax.xml.crypto.dsig.SignatureMethod;
+import javax.xml.crypto.dsig.spec.RSAPSSParameterSpec;
+import java.security.KeyPairGenerator;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.PSSParameterSpec;
+
+/**
+ * @test
+ * @bug 8344137
+ * @summary check RSASSA-PSS key
+ * @library /test/lib
+ * @modules java.xml.crypto
+ */
+public class PSS {
+
+    public static void main(String[] args) throws Exception {
+
+        var doc = XMLUtils.string2doc("<a><b>Text</b>Raw</a>");
+        var kpg = KeyPairGenerator.getInstance("RSASSA-PSS");
+        kpg.initialize(2048);
+        var keyPair = kpg.generateKeyPair();
+
+        var pspec = new PSSParameterSpec("SHA-384", "MGF1",
+                MGF1ParameterSpec.SHA512, 48,
+                PSSParameterSpec.TRAILER_FIELD_BC);
+
+        var signed = XMLUtils.signer(keyPair.getPrivate(), keyPair.getPublic())
+                .dm(DigestMethod.SHA384)
+                .sm(SignatureMethod.RSA_PSS, new RSAPSSParameterSpec(pspec))
+                .sign(doc);
+
+        Asserts.assertTrue(XMLUtils.validator().validate(signed));
+    }
+}

test/lib/jdk/test/lib/security/XMLUtils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2021, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -198,6 +198,7 @@ public static class Signer {
         String dm = DigestMethod.SHA256;
         String cm = CanonicalizationMethod.EXCLUSIVE;
         String tr = Transform.ENVELOPED;
+        Map<String, Object> props = new HashMap<>();
 
         public Signer(PrivateKey privateKey) {
             this.privateKey = Objects.requireNonNull(privateKey);
@@ -247,14 +248,19 @@ public Signer sm(String method) throws Exception {
             return sm(method, null);
         }
 
+        public Signer prop(String name, Object o) {
+            props.put(name, o);
+            return this;
+        }
+
         // Signs different sources
 
         // Signs an XML file in detached mode
         public Document sign(URI uri) throws Exception {
             Document newDocument = DocumentBuilderFactory.newInstance()
                     .newDocumentBuilder().newDocument();
             FAC.newXMLSignature(buildSignedInfo(uri.toString()), buildKeyInfo()).sign(
-                    new DOMSignContext(privateKey, newDocument));
+                    withProps(new DOMSignContext(privateKey, newDocument)));
             return newDocument;
         }
 
@@ -264,7 +270,8 @@ public Document sign(URI base, URI ref) throws Exception {
                     .newDocumentBuilder().newDocument();
             DOMSignContext ctxt = new DOMSignContext(privateKey, newDocument);
             ctxt.setBaseURI(base.toString());
-            FAC.newXMLSignature(buildSignedInfo(ref.toString()), buildKeyInfo()).sign(ctxt);
+            FAC.newXMLSignature(buildSignedInfo(ref.toString()), buildKeyInfo())
+                    .sign(withProps(ctxt));
             return newDocument;
         }
 
@@ -275,7 +282,7 @@ public Document sign(Document document) throws Exception {
                     .transform(new DOMSource(document), result);
             Document newDocument = (Document) result.getNode();
             FAC.newXMLSignature(buildSignedInfo(""), buildKeyInfo()).sign(
-                    new DOMSignContext(privateKey, newDocument.getDocumentElement()));
+                    withProps(new DOMSignContext(privateKey, newDocument.getDocumentElement())));
             return newDocument;
         }
 
@@ -290,7 +297,7 @@ public Document signEnveloping(Document document, String id, String ref) throws
                             id, null, null)),
                     null,
                     null)
-                    .sign(new DOMSignContext(privateKey, newDocument));
+                    .sign(withProps(new DOMSignContext(privateKey, newDocument)));
             return newDocument;
         }
 
@@ -308,7 +315,7 @@ public Document sign(byte[] data) throws Exception {
                             "object", null, null)),
                     null,
                     null)
-                    .sign(new DOMSignContext(privateKey, newDocument));
+                    .sign(withProps(new DOMSignContext(privateKey, newDocument)));
             return newDocument;
         }
 
@@ -325,10 +332,18 @@ public Document sign(String str) throws Exception {
                             "object", null, null)),
                     null,
                     null)
-                    .sign(new DOMSignContext(privateKey, newDocument));
+                    .sign(withProps(new DOMSignContext(privateKey, newDocument)));
             return newDocument;
         }
 
+        // Add props to a context
+        private DOMSignContext withProps(DOMSignContext ctxt) {
+            for (var e : props.entrySet()) {
+                ctxt.setProperty(e.getKey(), e.getValue());
+            }
+            return ctxt;
+        }
+
         // Builds a SignedInfo for a string reference
         private SignedInfo buildSignedInfo(String ref) throws Exception {
             return buildSignedInfo(FAC.newReference(
@@ -426,6 +441,7 @@ public static class Validator {
         private Boolean secureValidation = null;
         private String baseURI = null;
         private final KeyStore ks;
+        Map<String, Object> props = new HashMap<>();
 
         public Validator(KeyStore ks) {
             this.ks = ks;
@@ -441,6 +457,11 @@ public Validator baseURI(String base) {
             return this;
         }
 
+        public Validator prop(String name, Object o) {
+            props.put(name, o);
+            return this;
+        }
+
         public boolean validate(Document document) throws Exception {
             return validate(document, null);
         }
@@ -471,12 +492,21 @@ public KeySelectorResult select(KeyInfo ki, Purpose p,
                                 secureValidation);
                     }
                     return XMLSignatureFactory.getInstance("DOM")
-                            .unmarshalXMLSignature(valContext).validate(valContext);
+                            .unmarshalXMLSignature(valContext)
+                            .validate(withProps(valContext));
                 }
             }
             return false;
         }
 
+        // Add props to a context
+        private DOMValidateContext withProps(DOMValidateContext ctxt) {
+            for (var e : props.entrySet()) {
+                ctxt.setProperty(e.getKey(), e.getValue());
+            }
+            return ctxt;
+        }
+
         // Find public key from KeyInfo, ks will be used if it's KeyName
         private static class MyKeySelector extends KeySelector {
             private final KeyStore ks;