santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 44335] can't validate after invalid validation
Date Tue, 02 Dec 2008 03:38:56 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=44335


Dominique LAURENT <lauredo@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lauredo@gmail.com




--- Comment #4 from Dominique LAURENT <lauredo@gmail.com>  2008-12-01 19:38:55 PST ---
Hey,

I just got this bug.

I think there may be a quicker fix:

just move the two lines:

         //retrieve the byte[] from the stored signature
         byte sigBytes[] = this.getSignatureValue();

before the try/catch block:

      try {
         SignedInfo si=this.getSignedInfo();


This way, if the Base64 decoding fails, the SignatureAlgorithm hasn't yet been
updated and does not need to be reset.

This avoids having to call #verify() just to reset the SignatureAlgorithm.



The checkSignatureValue method would look like this:

    public boolean checkSignatureValue(Key pk) throws XMLSignatureException {

        if (pk == null) {
            Object exArgs[] = { "Didn't get a key" };

            throw new XMLSignatureException("empty", exArgs);
        }

        //retrieve the byte[] from the stored signature
        // Do this before calling the SignatureAlgorithm
        // that way if something goes bad, the sa isn't corrupted
        byte sigBytes[] = this.getSignatureValue();

        try {
            SignedInfo si=this.getSignedInfo();
            //create a SignatureAlgorithms from the SignatureMethod inside
            //SignedInfo. This is used to validate the signature.
            SignatureAlgorithm sa =si.getSignatureAlgorithm();
            if (log.isDebugEnabled()) {
                log.debug("SignatureMethodURI = " + sa.getAlgorithmURI());
                log.debug("jceSigAlgorithm    = " +
sa.getJCEAlgorithmString());
                log.debug("jceSigProvider     = " + sa.getJCEProviderName());
                log.debug("PublicKey = " + pk);
            }
            sa.initVerify(pk);

            // Get the canonicalized (normalized) SignedInfo
            SignerOutputStream so=new SignerOutputStream(sa);
            OutputStream bos=new UnsyncBufferedOutputStream(so);
            si.signInOctectStream(bos);
            try {
                bos.close();
            } catch (IOException e) {
                //Imposible
            }

            if (!sa.verify(sigBytes)) {
                log.warn("Signature verification failed.");
                return false;
            }

            return si.verify(this._followManifestsDuringValidation);
        } catch (XMLSecurityException ex) {
            throw new XMLSignatureException("empty", ex);
        }
    }


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

Mime
View raw message