New version, Java 11, System.Logger, AutoCloseable, XmlSignatureInput types (#192)

* Start of the development od version 4.0.0

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* POM Updates

- JDK11 instead of JDK8
- Added failsafe (skipped by default)
- Removed JDK profiles
- Removed dependency on SLF4J and LOGJ, XML-APIs
- Updated dependency: Jetty, Maven
- To be continued ...

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Using System.Logger instead SLF4J - except tests

- Allows to use also SLF4J2, previous version wasn't compatible

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Added module-info.java

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Fixed version in XMLDSigRI

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Added AutoCloseable to readers and writers

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Method getBytesFromFile made deprecated

- Used just in tests, but might be used by users

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* BufferedStreams replaced by Files.new*Stream calls

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* JMH tests targetting performance (and leaks)

- PerformanceIT is able to detect leaks
  - has limited memory
  - slows down with executions in a single batch
  - fails if executions significantly slow down
  - fails if iterations don't pass limits
  - now fails DOM tests, seems there is some leak.
  - replaces two ignored tests PerformanceMemoryTest and PerformanceTimingTest
  - is executed by the failsafe plugin just on demand: use -DskipIT=false

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Cleanups in tests - using Java11+ features

- Created JmhUtils to help JMH
- System.Logger usages instead of slf4j
- Fixed some IO leaks in tests - unclosed streams
- XMLUtilsPerformanceTest now uses JMH
- Removed log4j2.properties

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Updated xml.bind versions

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Fixed dependencies based on tests with GlassFish and Metro Webservices

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Tolerate returning a null byte array

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Properly closing streams in tests - added readResource method

- also added several utility methods just for tests
- reduced copy and paste

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* First clean field references, then close

- close may throw an exception

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Yet some resource leaks in tests fixed/prevented + fixed calls

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Sources and target Java version set to 11 without overriding

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Fixed license

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Cleanups based on PMD, javadoc

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* XMLUtils benchmark moved under the failsafe plugin too

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Added buffers to XmlUtils

- nearly 10 times faster DOM benchmarks
- lower variability in benchmark results

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

# Conflicts:
#	src/main/java/org/apache/xml/security/utils/XMLUtils.java

* Updated PMD

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Larger buffers, 8K is quite standard these days


Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* XMLSignatureInput vs. resource leaks

- I have noticed that in tests a new FileInputStream is given as an argument
  to this class, and then there's no control over it's lifecycle.
- Therefore I have added the finalize method to print warnings at least
  until I would be able to change it to more reliable implementation.

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* JaCoCo configuration

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Refactoring around XMLSignatureInput

- It was split to several classes based on the type of the input data.
- Shouldn't those backed by an InputStream be AutoCloseable?
  - I have seen unclosed file input streams in logs after some failures
  - The class is also extended in other projects (WSIT, for example)

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Refactored PerformanceIT - each class has own file

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* JUnit5 tests should not be public, says PMD

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Following PMD advices for tests

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* XMLSignatureStreamInput: finalize replaced by close

- Safer implementation which allows better control over the stream closure.
- Allows also different implementations.

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Fixed XMLSignatureEdDSATest

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

# Conflicts:
#	src/test/java/org/apache/xml/security/test/javax/xml/crypto/dsig/SignatureValidator.java
#	src/test/java/org/apache/xml/security/test/javax/xml/crypto/dsig/XMLSignatureEdDSATest.java

* Making PMD happy

- BeanMembersShouldSerialize was replaced by NonSerializableClass
- TestClassWithoutTestCases has false positives
- JUnit5 tests should be package protected

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

# Conflicts:
#	src/test/java/org/apache/xml/security/test/dom/signature/EDDSASignatureTest.java

* Updated JAXB Runtime and Jakarta Activation

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Removed nonexisting sourceEncoding property from the PMD config

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* The test_sixteen_bad_signature made compliant with rules

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Fixed logging of Jetty + level in tests made configurable again

- mvn clean install -Dtest.logging.level=FINEST
- using nanoseconds in logs

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

# Conflicts:
#	pom.xml

* Upgraded PMD to 3.21.0

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Fixed lost @test (reported by PMD)

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Don't swallow exceptions

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Updated jaxb runtime to 4.0.3

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Updated GitHub Actions configuration

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Reverted changes which are not necessary and just improved the code quality

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Pom cleanup

- using activation-api.version
- synced compiler, javadoc and modernizer release options
  - javadoc uses compiler settings by default
  - modernizer needs an explicit value
  - compiler uses the maven.compiler.release property
- removed redundant junit version property

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Javadoc lost in rebase is back

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

* Fixed method name (canonicalize)

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

---------

Signed-off-by: David Matějček <david.matejcek@omnifish.ee>

Author: dmatej

.github/workflows/pull-request-build.yaml

@@ -16,13 +16,14 @@ jobs:
     timeout-minutes: 130
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.0
-      - name: Set up JDK 8
-        uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0
+      - name: Set up JDK 11
+        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
         with:
-          java-version: '8'
+          java-version: '11'
           distribution: 'temurin'
           cache: maven
       - name: Build with Apache Maven
         run: mvn -U clean install -Djava.awt.headless=true -fae -B
     env: 
        MAVEN_OPTS: "-Xmx1024M"
+

etc/santuario-pmd-ruleset.xml

@@ -91,7 +91,6 @@
      <exclude name="AvoidDuplicateLiterals" />
      <exclude name="AvoidFieldNameMatchingMethodName" />
      <exclude name="AvoidLiteralsInIfCondition" />
-     <exclude name="BeanMembersShouldSerialize" />
      <exclude name="CompareObjectsWithEquals" />
      <exclude name="ConstructorCallsOverridableMethod" />
      <exclude name="DataflowAnomalyAnalysis" />
@@ -100,10 +99,13 @@
      <exclude name="InvalidLogMessageFormat" />
      <exclude name="JUnitSpelling" />
      <exclude name="MissingSerialVersionUID" />
+     <exclude name="NonSerializableClass" />
      <exclude name="NullAssignment" />
+     <exclude name="ReturnEmptyCollectionRatherThanNull" />
      <exclude name="SingletonClassReturningNewInstance" />
      <exclude name="SingleMethodSingleton" />
      <exclude name="SuspiciousEqualsMethodName" />
+     <exclude name="TestClassWithoutTestCases" />
      <exclude name="UseLocaleWithCaseConversions" />
      <exclude name="UseProperClassLoader" />
   </rule>
@@ -129,5 +131,5 @@
   <rule ref="category/java/security.xml" >
      <exclude name="HardCodedCryptoKey" />
   </rule>
-      
+
 </ruleset>

pom.xml

@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * @author David Matejcek
+ */
+module org.apache.santuario.xmlsec {
+
+    requires transitive jakarta.activation;
+    requires transitive jakarta.xml.bind;
+    requires java.base;
+    requires java.management;
+    requires java.xml;
+    requires java.xml.crypto;
+    requires org.apache.commons.codec;
+
+    exports org.apache.jcp.xml.dsig.internal.dom;
+    exports org.apache.xml.security;
+    exports org.apache.xml.security.algorithms;
+    exports org.apache.xml.security.algorithms.implementations;
+    exports org.apache.xml.security.c14n;
+    exports org.apache.xml.security.c14n.helper;
+    exports org.apache.xml.security.c14n.implementations;
+    exports org.apache.xml.security.configuration;
+    exports org.apache.xml.security.encryption;
+    exports org.apache.xml.security.exceptions;
+    exports org.apache.xml.security.keys;
+    exports org.apache.xml.security.keys.content;
+    exports org.apache.xml.security.keys.content.keyvalues;
+    exports org.apache.xml.security.keys.content.x509;
+    exports org.apache.xml.security.keys.keyresolver.implementations;
+    exports org.apache.xml.security.keys.storage.implementations;
+    exports org.apache.xml.security.signature;
+    exports org.apache.xml.security.stax.ext;
+    exports org.apache.xml.security.transforms;
+    exports org.apache.xml.security.transforms.implementations;
+    exports org.apache.xml.security.transforms.params;
+    exports org.apache.xml.security.utils;
+    exports org.apache.xml.security.utils.resolver;
+    exports org.apache.xml.security.utils.resolver.implementations;
+
+    opens org.apache.jcp.xml.dsig.internal.dom;
+    opens org.apache.xml.security;
+    opens org.apache.xml.security.binding.excc14n;
+    opens org.apache.xml.security.binding.xmldsig;
+    opens org.apache.xml.security.binding.xmldsig11;
+    opens org.apache.xml.security.binding.xmlenc;
+    opens org.apache.xml.security.binding.xmlenc11;
+    opens org.apache.xml.security.binding.xop;
+    opens org.apache.xml.security.configuration;
+    opens org.apache.xml.security.algorithms.implementations;
+    opens org.apache.xml.security.c14n.implementations;
+    opens org.apache.xml.security.keys.keyresolver.implementations;
+    opens org.apache.xml.security.keys.storage.implementations;
+    opens org.apache.xml.security.transforms.implementations;
+    opens org.apache.xml.security.utils.resolver.implementations;
+}

src/main/java/module-info.java

@@ -25,6 +25,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.lang.System.Logger;
+import java.lang.System.Logger.Level;
 import java.security.MessageDigest;
 
 import org.apache.xml.security.utils.UnsyncByteArrayOutputStream;
@@ -37,8 +39,8 @@
  *
  */
 public class DigesterOutputStream extends OutputStream {
-    private static final org.slf4j.Logger LOG =
-        org.slf4j.LoggerFactory.getLogger(DigesterOutputStream.class);
+    private static final Logger LOG = System.getLogger(DigesterOutputStream.class.getName());
+
 
     private final boolean buffer;
     private UnsyncByteArrayOutputStream bos;
@@ -80,13 +82,13 @@ public void write(byte[] input, int offset, int len) {
         if (buffer) {
             bos.write(input, offset, len);
         }
-        if (LOG.isDebugEnabled()) {
-            LOG.debug("Pre-digested input:");
+        if (LOG.isLoggable(Level.DEBUG)) {
+            LOG.log(Level.DEBUG, "Pre-digested input:");
             StringBuilder sb = new StringBuilder(len);
             for (int i = offset; i < (offset + len); i++) {
                 sb.append((char)input[i]);
             }
-            LOG.debug(sb.toString());
+            LOG.log(Level.DEBUG, sb.toString());
         }
         md.update(input, offset, len);
     }

src/main/java/org/apache/jcp/xml/dsig/internal/DigesterOutputStream.java

@@ -24,6 +24,8 @@
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.OutputStream;
+import java.lang.System.Logger;
+import java.lang.System.Logger.Level;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.Set;
@@ -42,6 +44,9 @@
 import org.apache.xml.security.c14n.Canonicalizer;
 import org.apache.xml.security.c14n.InvalidCanonicalizerException;
 import org.apache.xml.security.signature.XMLSignatureInput;
+import org.apache.xml.security.signature.XMLSignatureNodeInput;
+import org.apache.xml.security.signature.XMLSignatureNodeSetInput;
+import org.apache.xml.security.signature.XMLSignatureStreamInput;
 import org.apache.xml.security.transforms.Transform;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -53,8 +58,7 @@ public abstract class ApacheCanonicalizer extends TransformService {
         org.apache.xml.security.Init.init();
     }
 
-    private static final org.slf4j.Logger LOG =
-        org.slf4j.LoggerFactory.getLogger(ApacheCanonicalizer.class);
+    private static final Logger LOG = System.getLogger(ApacheCanonicalizer.class.getName());
     protected Canonicalizer canonicalizer;
     private Transform apacheTransform;
     protected String inclusiveNamespaces;
@@ -118,7 +122,7 @@ public Data canonicalize(Data data, XMLCryptoContext xc, OutputStream os)
         if (canonicalizer == null) {
             try {
                 canonicalizer = Canonicalizer.getInstance(getAlgorithm());
-                LOG.debug("Created canonicalizer for algorithm: {}", getAlgorithm());
+                LOG.log(Level.DEBUG, "Created canonicalizer for algorithm: {0}", getAlgorithm());
             } catch (InvalidCanonicalizerException ice) {
                 throw new TransformException
                     ("Couldn't find Canonicalizer for: " + getAlgorithm() +
@@ -145,7 +149,7 @@ public Data canonicalize(Data data, XMLCryptoContext xc, OutputStream os)
                 } else if (in.isNodeSet()) {
                     nodeSet = in.getNodeSet();
                 } else {
-                    canonicalizer.canonicalize(Utils.readBytesFromStream(in.getOctetStream()), writer, secVal);
+                    canonicalizer.canonicalize(Utils.readBytesFromStream(in.getUnprocessedInput()), writer, secVal);
                     return new OctetStreamData(new ByteArrayInputStream(getC14nBytes(writer, isByteArrayOutputStream)));
                 }
             } else if (data instanceof DOMSubTreeData) {
@@ -163,7 +167,7 @@ public Data canonicalize(Data data, XMLCryptoContext xc, OutputStream os)
                 @SuppressWarnings("unchecked")
                 Set<Node> ns = Utils.toNodeSet(nsd.iterator());
                 nodeSet = ns;
-                LOG.debug("Canonicalizing {} nodes", nodeSet.size());
+                LOG.log(Level.DEBUG, "Canonicalizing {0} nodes", nodeSet.size());
             } else {
                 canonicalizer.canonicalize(Utils.readBytesFromStream(((OctetStreamData)data).getOctetStream()), writer, secVal);
                 return new OctetStreamData(new ByteArrayInputStream(getC14nBytes(writer, isByteArrayOutputStream)));
@@ -208,7 +212,7 @@ public Data transform(Data data, XMLCryptoContext xc, OutputStream os)
                 apacheTransform =
                     new Transform(ownerDoc, getAlgorithm(), transformElem.getChildNodes());
                 apacheTransform.setElement(transformElem, xc.getBaseURI());
-                LOG.debug("Created transform for algorithm: {}", getAlgorithm());
+                LOG.log(Level.DEBUG, "Created transform for algorithm: {0}", getAlgorithm());
             } catch (Exception ex) {
                 throw new TransformException
                     ("Couldn't find Transform for: " + getAlgorithm(), ex);
@@ -217,25 +221,23 @@ public Data transform(Data data, XMLCryptoContext xc, OutputStream os)
 
         XMLSignatureInput in;
         if (data instanceof ApacheData) {
-            LOG.debug("ApacheData = true");
+            LOG.log(Level.DEBUG, "ApacheData = true");
             in = ((ApacheData)data).getXMLSignatureInput();
         } else if (data instanceof NodeSetData) {
-            LOG.debug("isNodeSet() = true");
+            LOG.log(Level.DEBUG, "isNodeSet() = true");
             if (data instanceof DOMSubTreeData) {
                 DOMSubTreeData subTree = (DOMSubTreeData)data;
-                in = new XMLSignatureInput(subTree.getRoot());
+                in = new XMLSignatureNodeInput(subTree.getRoot());
                 in.setExcludeComments(subTree.excludeComments());
             } else {
-                @SuppressWarnings("unchecked")
-                Set<Node> nodeSet =
-                    Utils.toNodeSet(((NodeSetData)data).iterator());
-                in = new XMLSignatureInput(nodeSet);
+                @SuppressWarnings({"unchecked", "rawtypes"})
+                Set<Node> nodeSet = Utils.toNodeSet(((NodeSetData) data).iterator());
+                in = new XMLSignatureNodeSetInput(nodeSet);
             }
         } else {
-            LOG.debug("isNodeSet() = false");
+            LOG.log(Level.DEBUG, "isNodeSet() = false");
             try {
-                in = new XMLSignatureInput
-                    (((OctetStreamData)data).getOctetStream());
+                in = new XMLSignatureStreamInput(((OctetStreamData) data).getOctetStream());
             } catch (Exception ex) {
                 throw new TransformException(ex);
             }
@@ -246,7 +248,7 @@ public Data transform(Data data, XMLCryptoContext xc, OutputStream os)
 
         try {
             in = apacheTransform.performTransform(in, os, secVal);
-            if (in.isOctetStream()) {
+            if (in.hasUnprocessedInput()) {
                 return new ApacheOctetStreamData(in);
             } else {
                 return new ApacheNodeSetData(in);

src/main/java/org/apache/jcp/xml/dsig/internal/dom/ApacheCanonicalizer.java

@@ -35,7 +35,7 @@ public class ApacheOctetStreamData extends OctetStreamData
     public ApacheOctetStreamData(XMLSignatureInput xi)
         throws IOException
     {
-        super(xi.getOctetStream(), xi.getSourceURI(), xi.getMIMEType());
+        super(xi.getUnprocessedInput(), xi.getSourceURI(), xi.getMIMEType());
         this.xi = xi;
     }
 

src/main/java/org/apache/jcp/xml/dsig/internal/dom/ApacheOctetStreamData.java

@@ -22,6 +22,8 @@
 package org.apache.jcp.xml.dsig.internal.dom;
 
 import java.io.OutputStream;
+import java.lang.System.Logger;
+import java.lang.System.Logger.Level;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.Set;
@@ -38,6 +40,9 @@
 import javax.xml.crypto.dsig.spec.TransformParameterSpec;
 
 import org.apache.xml.security.signature.XMLSignatureInput;
+import org.apache.xml.security.signature.XMLSignatureNodeInput;
+import org.apache.xml.security.signature.XMLSignatureNodeSetInput;
+import org.apache.xml.security.signature.XMLSignatureStreamInput;
 import org.apache.xml.security.transforms.Transform;
 import org.apache.xml.security.transforms.Transforms;
 import org.w3c.dom.Document;
@@ -55,8 +60,8 @@ public abstract class ApacheTransform extends TransformService {
         org.apache.xml.security.Init.init();
     }
 
-    private static final org.slf4j.Logger LOG =
-        org.slf4j.LoggerFactory.getLogger(ApacheTransform.class);
+    private static final Logger LOG = System.getLogger(ApacheTransform.class.getName());
+
     private Transform transform;
     protected Document ownerDoc;
     protected Element transformElem;
@@ -140,7 +145,7 @@ private Data transformIt(Data data, XMLCryptoContext xc, OutputStream os)
                 transform =
                     new Transform(ownerDoc, getAlgorithm(), transformElem.getChildNodes());
                 transform.setElement(transformElem, xc.getBaseURI());
-                LOG.debug("Created transform for algorithm: {}", getAlgorithm());
+                LOG.log(Level.DEBUG, "Created transform for algorithm: {0}", getAlgorithm());
             } catch (Exception ex) {
                 throw new TransformException("Couldn't find Transform for: " +
                                              getAlgorithm(), ex);
@@ -158,26 +163,25 @@ private Data transformIt(Data data, XMLCryptoContext xc, OutputStream os)
 
         XMLSignatureInput in;
         if (data instanceof ApacheData) {
-            LOG.debug("ApacheData = true");
+            LOG.log(Level.DEBUG, "ApacheData = true");
             in = ((ApacheData)data).getXMLSignatureInput();
         } else if (data instanceof NodeSetData) {
-            LOG.debug("isNodeSet() = true");
+            LOG.log(Level.DEBUG, "isNodeSet() = true");
             if (data instanceof DOMSubTreeData) {
-                LOG.debug("DOMSubTreeData = true");
+                LOG.log(Level.DEBUG, "DOMSubTreeData = true");
                 DOMSubTreeData subTree = (DOMSubTreeData)data;
-                in = new XMLSignatureInput(subTree.getRoot());
+                in = new XMLSignatureNodeInput(subTree.getRoot());
                 in.setExcludeComments(subTree.excludeComments());
             } else {
-                @SuppressWarnings("unchecked")
+                @SuppressWarnings({"unchecked", "rawtypes"})
                 Set<Node> nodeSet =
                     Utils.toNodeSet(((NodeSetData)data).iterator());
-                in = new XMLSignatureInput(nodeSet);
+                in = new XMLSignatureNodeSetInput(nodeSet);
             }
         } else {
-            LOG.debug("isNodeSet() = false");
+            LOG.log(Level.DEBUG, "isNodeSet() = false");
             try {
-                in = new XMLSignatureInput
-                    (((OctetStreamData)data).getOctetStream());
+                in = new XMLSignatureStreamInput(((OctetStreamData) data).getOctetStream());
             } catch (Exception ex) {
                 throw new TransformException(ex);
             }
@@ -194,7 +198,7 @@ private Data transformIt(Data data, XMLCryptoContext xc, OutputStream os)
             } else {
                 in = transform.performTransform(in, secVal);
             }
-            if (in.isOctetStream()) {
+            if (in.hasUnprocessedInput()) {
                 return new ApacheOctetStreamData(in);
             } else {
                 return new ApacheNodeSetData(in);

src/main/java/org/apache/jcp/xml/dsig/internal/dom/ApacheTransform.java

@@ -21,6 +21,8 @@
  */
 package org.apache.jcp.xml.dsig.internal.dom;
 
+import java.lang.System.Logger;
+import java.lang.System.Logger.Level;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.Key;
@@ -54,8 +56,8 @@ public abstract class DOMHMACSignatureMethod extends AbstractDOMSignatureMethod
 
     private static final String DOM_SIGNATURE_PROVIDER = "org.jcp.xml.dsig.internal.dom.MacProvider";
 
-    private static final org.slf4j.Logger LOG =
-        org.slf4j.LoggerFactory.getLogger(DOMHMACSignatureMethod.class);
+    private static final Logger LOG = System.getLogger(DOMHMACSignatureMethod.class.getName());
+
 
     // see RFC 4051 for these algorithm definitions
     static final String HMAC_SHA224 =
@@ -115,7 +117,7 @@ void checkParams(SignatureMethodParameterSpec params)
             }
             outputLength = ((HMACParameterSpec)params).getOutputLength();
             outputLengthSet = true;
-            LOG.debug("Setting outputLength from HMACParameterSpec to: {}", outputLength);
+            LOG.log(Level.DEBUG, "Setting outputLength from HMACParameterSpec to: {0}", outputLength);
         }
     }
 
@@ -134,7 +136,7 @@ SignatureMethodParameterSpec unmarshalParams(Element paramsElem)
             throw new MarshalException("Invalid output length supplied: " + paramsElem.getFirstChild().getNodeValue());
         }
         outputLengthSet = true;
-        LOG.debug("unmarshalled outputLength: {}", outputLength);
+        LOG.log(Level.DEBUG, "unmarshalled outputLength: {0}", outputLength);
         return new HMACParameterSpec(outputLength);
     }