santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bruno Harbulot <Bruno.Harbu...@manchester.ac.uk>
Subject Reusing XMLSignature for signing and verifying
Date Mon, 23 Mar 2009 23:59:56 GMT
Hello,

I've been writing a test based on OpenSAML, which uses Apache XML 
Security 1.4.2. In this test, I'm signing an org.opensaml.xml.XMLObject 
and verifying it shortly after.
In OpenSAML, org.opensaml.xml.signature.impl.SignatureImpl (an XMLObject 
that models the XML signature) keeps an association between the DOM 
element and the instance of org.apache.xml.security.signature.XMLSignature.

Unfortunately, if the nodes are reused, the same instance of 
XMLSignature is used for verifying after being used for signing.
This causes an exception:
org.apache.xml.security.signature.XMLSignatureException: object not 
initialized for verification

If I run the verification on a different thread, it works fine.



This problem isn't specific to OpenSAML and can be reproduced when 
re-using the same instance of XMLSignature for signing and verifying.
Unless this behaviour was intentional, I've tracked down the problem to 
be due to 
org.apache.xml.security.algorithms.SignatureAlgorithm#initializeAlgorithm(boolean):

     private void initializeAlgorithm(boolean isForSigning)
         throws XMLSignatureException {
         if (_signatureAlgorithm!=null) {
	   return;
         }
         _signatureAlgorithm=isForSigning ? 
getInstanceForSigning(algorithmURI) :
             getInstanceForVerify(algorithmURI);	
	this._signatureAlgorithm
             .engineGetContextFromElement(this._constructionElement);
     }


If '_signatureAlgorithm' has already been initialised, even if it's not 
for the purpose intended for another use, it won't be initialised again. 
Commenting out the 'if' block solves the problem.

I've noticed that there was an 'isForSigning' field commented out in 
revision 515521, which completely disappeared in revision 695520 
(current one). I guess it might have been the original intent for this flag.

I'm attaching a small Maven test case.


Best wishes,

Bruno.

Mime
View raw message