From: Bruno Harbulot
To: security-dev@xml.apache.org
Subject: Reusing XMLSignature for signing and verifying
Date: Mon, 23 Mar 2009 23:59:56 +0000
Hello,

I've been writing a test based on OpenSAML, which uses Apache XML Security 1.4.2. In this test, I'm signing an org.opensaml.xml.XMLObject and verifying it shortly after.

In OpenSAML, org.opensaml.xml.signature.impl.SignatureImpl (an XMLObject that models the XML signature) keeps an association between the DOM element and the instance of org.apache.xml.security.signature.XMLSignature. Unfortunately, if the nodes are reused, the same instance of XMLSignature is used for verifying after being used for signing. This causes an exception:

    org.apache.xml.security.signature.XMLSignatureException: object not initialized for verification

If I run the verification on a different thread, it works fine.

This problem isn't specific to OpenSAML and can be reproduced when re-using the same instance of XMLSignature for signing and verifying.

Unless this behaviour was intentional, I've tracked down the problem to be due to org.apache.xml.security.algorithms.SignatureAlgorithm#initializeAlgorithm(boolean):

    private void initializeAlgorithm(boolean isForSigning) throws XMLSignatureException {
        // Once an engine exists it is kept, whichever mode it was created for;
        // isForSigning is not consulted on later calls.
        if (_signatureAlgorithm != null) {
            return;
        }
        _signatureAlgorithm = isForSigning
            ? getInstanceForSigning(algorithmURI)
            : getInstanceForVerify(algorithmURI);
        this._signatureAlgorithm.engineGetContextFromElement(this._constructionElement);
    }

If '_signatureAlgorithm' has already been initialised, even if it's not for the purpose intended for another use, it won't be initialised again. Commenting out the 'if' block solves the problem.
I've noticed that there was an 'isForSigning' field commented out in revision 515521, which completely disappeared in revision 695520 (current one). I guess it might have been the original intent for this flag.

I'm attaching a small Maven test case.

Best wishes,

Bruno.

Attachment: xmlsig-reuse-test.tar.gz (application/x-gzip)
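The failure described in the message is a lazy-initialisation cache that forgets which mode it was initialised for. The following Java program is an added illustration written for this archive page; it is not Apache XML Security or OpenSAML code. The class and method names (SignatureReuseDemo, Engine, BuggyAlgorithm, FixedAlgorithm) are hypothetical stand-ins, and the engine is modelled with the JDK's java.security.Signature, which has the same sign/verify mode split. BuggyAlgorithm reproduces the guard quoted above and fails with the same "object not initialized for verification" condition on sign-then-verify; FixedAlgorithm keeps the cache but records the mode, so a mode change re-initialises the engine instead of being silently ignored.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;

public class SignatureReuseDemo {

    /** Hypothetical stand-in for the per-mode engine object that the wrapper caches. */
    static final class Engine {
        private final Signature jca;
        private final boolean forSigning;

        Engine(boolean forSigning, KeyPair keys) throws GeneralSecurityException {
            this.forSigning = forSigning;
            this.jca = Signature.getInstance("SHA256withRSA");
            // A JCA Signature is bound to one mode at init time, like the engine in the report.
            if (forSigning) {
                jca.initSign(keys.getPrivate());
            } else {
                jca.initVerify(keys.getPublic());
            }
        }

        byte[] sign(byte[] data) throws GeneralSecurityException {
            if (!forSigning) throw new IllegalStateException("object not initialized for signing");
            jca.update(data);
            return jca.sign();
        }

        boolean verify(byte[] data, byte[] sig) throws GeneralSecurityException {
            if (forSigning) throw new IllegalStateException("object not initialized for verification");
            jca.update(data);
            return jca.verify(sig);
        }
    }

    /** Mirrors the quoted guard: once an engine exists, the requested mode is ignored. */
    static class BuggyAlgorithm {
        private final KeyPair keys;
        private Engine engine;

        BuggyAlgorithm(KeyPair keys) { this.keys = keys; }

        private void initializeAlgorithm(boolean isForSigning) throws GeneralSecurityException {
            if (engine != null) { return; }          // isForSigning never consulted again
            engine = new Engine(isForSigning, keys);
        }

        byte[] sign(byte[] d) throws GeneralSecurityException { initializeAlgorithm(true); return engine.sign(d); }
        boolean verify(byte[] d, byte[] s) throws GeneralSecurityException { initializeAlgorithm(false); return engine.verify(d, s); }
    }

    /** Keeps the cache but remembers its mode, so sign-then-verify rebuilds the engine. */
    static class FixedAlgorithm {
        private final KeyPair keys;
        private Engine engine;
        private boolean engineForSigning;

        FixedAlgorithm(KeyPair keys) { this.keys = keys; }

        private void initializeAlgorithm(boolean isForSigning) throws GeneralSecurityException {
            if (engine != null && engineForSigning == isForSigning) { return; }  // cache hit for this mode
            engine = new Engine(isForSigning, keys);
            engineForSigning = isForSigning;
        }

        byte[] sign(byte[] d) throws GeneralSecurityException { initializeAlgorithm(true); return engine.sign(d); }
        boolean verify(byte[] d, byte[] s) throws GeneralSecurityException { initializeAlgorithm(false); return engine.verify(d, s); }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair keys = kpg.generateKeyPair();
        // Constructed sample payload standing in for a serialised XML element.
        byte[] doc = "<Assertion>constructed sample</Assertion>".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "<Assertion>tampered</Assertion>".getBytes(StandardCharsets.UTF_8);

        BuggyAlgorithm buggy = new BuggyAlgorithm(keys);
        byte[] sig = buggy.sign(doc);
        try {
            buggy.verify(doc, sig);
            System.out.println("buggy: verified (unexpected)");
        } catch (IllegalStateException e) {
            System.out.println("buggy: " + e.getMessage());   // object not initialized for verification
        }

        FixedAlgorithm fixed = new FixedAlgorithm(keys);
        byte[] sig2 = fixed.sign(doc);
        System.out.println("fixed: genuine verifies  = " + fixed.verify(doc, sig2));      // true
        System.out.println("fixed: tampered verifies = " + fixed.verify(tampered, sig2)); // false
    }
}
```

Removing the `if` block, as the message suggests, also makes the sequence work, at the cost of rebuilding the engine on every call. Recording the mode next to the cached instance keeps the optimisation while making a mode mismatch impossible to overlook; either way, the safe property to preserve is the one already visible in the report, namely that a mis-initialised engine refuses to verify rather than returning a result.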