From: bugzilla@apache.org
To: security-dev@xml.apache.org
Subject: DO NOT REPLY [Bug 42644] New: - SignatureAlgorithm problem with initSign and initVerify methods (xmlsec-1.4.1)
Date: Tue, 12 Jun 2007 08:40:12 -0700 (PDT)
http://issues.apache.org/bugzilla/show_bug.cgi?id=42644

           Summary: SignatureAlgorithm problem with initSign and initVerify
                    methods (xmlsec-1.4.1)
           Product: Security
           Version: unspecified
          Platform: All
        OS/Version: Windows XP
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: kevin.troy@digitary.net

We're migrating a working web application from Java 1.4.2 to Java 1.5. Our 1.4.2 application used xmlsec-1.2.1 and worked fine. We've upgraded to xmlsec-1.4.1 in the process and we have encountered a problem that occurs when we try to sign/verify multiple documents with the same key pair:

Consider a scenario where multiple XML documents need to be signed and verified with the same key pair. (The verification is just to confirm that signing worked.) Therefore, for a given KeyPair instance, we do the following on each iteration:

1. XMLSignature sig = new XMLSignature(....);
2. Sign XML document with PrivateKey
3. Verify XML document with PublicKey (sanity check)

The problem occurs on the second iteration. It appears that, because we are using the same PrivateKey to sign on each iteration, the code remains initialised for verification (a result of step 3 above), and is not re-initialised for signing as it is using a cached Private Key.

We were unable to find an API call to resolve this. We made changes to SignatureAlgorithm::initSign(Key) and SignatureAlgorithm::initVerify(Key) so that cached keys were no longer used. We are therefore always calling the engineInitSign(Key) and engineInitVerify(Key) on the SignatureAlgorithm implementation.
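
The failure mode described in the report, as an added example that is not part of the original message and is not xmlsec code: a hypothetical `Wrapper` class around a single shared `java.security.Signature` engine skips re-initialisation when it is handed the same key object again. The class, its `cacheKeys` switch, the shared engine, the algorithm name and the sample document are all assumptions made for illustration. With caching on, the second iteration's `sign()` is rejected because the engine is still in verify mode; with caching off (always re-initialising, as the reporter's change does) both iterations succeed.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class CachedKeyInitDemo {
    // Hypothetical model of a wrapper that caches the last key per operation.
    static class Wrapper {
        final Signature engine;          // one engine reused across iterations (assumption)
        final boolean cacheKeys;
        Key lastSignKey, lastVerifyKey;

        Wrapper(boolean cacheKeys) throws GeneralSecurityException {
            this.engine = Signature.getInstance("SHA256withRSA");
            this.cacheKeys = cacheKeys;
        }
        void initSign(PrivateKey k) throws InvalidKeyException {
            // Flaw when cacheKeys is true: same key, so the engine is left in whatever
            // mode the previous call put it in, which may be verify mode.
            if (cacheKeys && k == lastSignKey) return;
            lastSignKey = k;
            engine.initSign(k);
        }
        void initVerify(PublicKey k) throws InvalidKeyException {
            if (cacheKeys && k == lastVerifyKey) return;
            lastVerifyKey = k;
            engine.initVerify(k);
        }
    }

    // One iteration from the report: sign the document, then verify it as a sanity check.
    static boolean signThenVerify(Wrapper w, KeyPair kp, byte[] doc) throws GeneralSecurityException {
        w.initSign(kp.getPrivate());
        w.engine.update(doc);
        byte[] sig = w.engine.sign();    // throws SignatureException if not in sign mode
        w.initVerify(kp.getPublic());
        w.engine.update(doc);
        return w.engine.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();                        // constructed sample key pair
        byte[] doc = "<doc/>".getBytes(StandardCharsets.UTF_8);    // constructed sample input
        for (boolean cache : new boolean[] {true, false}) {
            Wrapper w = new Wrapper(cache);
            for (int i = 1; i <= 2; i++) {
                try {
                    System.out.println("cacheKeys=" + cache + " iteration " + i
                            + " verified=" + signThenVerify(w, kp, doc));
                } catch (SignatureException e) {
                    System.out.println("cacheKeys=" + cache + " iteration " + i
                            + " failed: " + e.getMessage());
                }
            }
        }
    }
}
```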