santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ruchith Fernando" <ruchith.ferna...@gmail.com>
Subject Re: Cannot sign-verify twice in the same thread with different XMLSignature instances
Date Sat, 04 Nov 2006 15:17:37 GMT
Hi Raul,

I was able to reproduce the issue.

Please drop the attached interop.jks file to your classpath along with
xml-sec and other pre-reqs and run the test case (TestSig.java). I ran
this inside my IDE within the xml-security project.

The exception stack trace is here :
http://rafb.net/paste/results/QSCZ1587.html

Thanks,
Ruchith

On 11/3/06, Raul Benito <raul@apache.org> wrote:
> Can you also post the exception backtrace?
> Regards,
>
> On 11/3/06, Raul Benito <raul@apache.org> wrote:
> > Hi Ruchith,
> > It is not feasible for me to checkout the whole wss4j in order to see
> > the problem.
> > Did the problem arise  when you do something like this?
> > PrivateKey xk; PublicKey pk=xk.getPublickKey();
> > XMLSignature s1=...;
> > XMLSignature s2=...;
> > s1.sign(xk);
> > s2.sign(xk);
> > s1.checkSignatureValue(pk);
> >
> > Or other kind of sequence?
> > Regards,
> >
> >
> >
> > On 11/3/06, Ruchith Fernando <ruchith.fernando@gmail.com> wrote:
> > > Hi Raul,
> > >
> > > I'm using the SVN head (revision : 470741).
> > >
> > > I'm working on fixing the issue dims reported yesterday[1] and fixing
> > > WSS4J/Rampart and AXIOM to work with the changes :-). And I have a
> > > patch for [1] which I will post soon.
> > >
> > > I will try to send a test case as soon as I possible,
> > >
> > > Until then you can easily reproduce the error with WSS4J test suite.
> > > You can get a chackout of [2] and simply run "ant clean test" to run
> > > the unit tests after replacing  the xml-sec-1.3.0.jar in the lib dir
> > > with the latest.
> > >
> > > Thanks,
> > > Ruchith
> > >
> > > [1] http://issues.apache.org/bugzilla/show_bug.cgi?id=40880
> > > [2] https://svn.apache.org/repos/asf/webservices/wss4j/trunk
> > >
> > > On 11/3/06, Raul Benito <raul@apache.org> wrote:
> > > > Hi Ruchith,
> > > >
> > > > It looks strange to me, because all the junits that we pass do in
> > > > essence what are you describing(several verifying in one thread). But
> > > > on the other hand your explanation looks sound.
> > > > What version of xmlsec are you using?
> > > > Can you post a simple test case that triggers this error?
> > > >
> > > > Regards,
> > > >
> > > > Raul
> > > >
> > > > On 11/3/06, Ruchith Fernando <ruchith.fernando@gmail.com> wrote:
> > > > > Hi Devs,
> > > > >
> > > > > I ran into an "java.security.SignatureException: object not
> > > > > initialized for verification" exception when trying to do sign and
> > > > > verify *twice* in the same thread, using different XMLSignature
> > > > > instances.
> > > > >
> > > > > I tracked this down to the use of "keysVerify" thread local tracker
in
> > > > > org.apache.xml.security.algorithms.SignatureAlgorithm to tack the
> > > > > initialization of the java.security.Signature instance with
> > > > > private/public keys.
> > > > >
> > > > > When the first signature verification occurs the public key is set
in
> > > > > "keysVerify" in SignatureAlgorithm#initVerify(). And it verifies
> > > > > successfully. But when we try to carryout the second verification
the
> > > > > "keysVerify" returns the same key for the thread and the
> > > > > java.security.Signature instance is not initialized with the public
> > > > > key. Therefore we run into the above exception.
> > > > >
> > > > > What do you folks think? Have I overlooked something in my scenario?
> > > > >
> > > > > Thanks,
> > > > > Ruchith
> > > > >
> > > > > --
> > > > > www.ruchith.org
> > > > >
> > > >
> > > >
> > > > --
> > > > http://r-bg.com
> > > >
> > >
> > >
> > > --
> > > www.ruchith.org
> > >
> >
> >
> > --
> > http://r-bg.com
> >
>
>
> --
> http://r-bg.com
>


-- 
www.ruchith.org

Mime
View raw message