santuario-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 47097] New: Reusing XMLSignature for signing and verifying fails on same thread
Date Sun, 26 Apr 2009 13:45:41 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=47097

           Summary: Reusing XMLSignature for signing and verifying fails
                    on same thread
           Product: Security
           Version: Java 1.4.2
          Platform: PC
               URL: http://mail-archives.apache.org/mod_mbox/xml-security-dev/200903.mbox/%3Cgq97pt$e5c$1@ger.gmane.org%3E
        OS/Version: Mac OS X 10.4
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: Bruno.Harbulot@manchester.ac.uk


Created an attachment (id=23543)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23543)
Maven2 test-case

If the same instance of XMLSignature is used on the same thread for verifying
after being used for signing, this exception occurs:

    org.apache.xml.security.signature.XMLSignatureException: object not initialized for verification

If the verification is done on a different thread, it works fine.

I believe this is due to
org.apache.xml.security.algorithms.SignatureAlgorithm#initializeAlgorithm(boolean):

    private void initializeAlgorithm(boolean isForSigning)
        throws XMLSignatureException {
        if (_signatureAlgorithm != null) {
            return;
        }
        _signatureAlgorithm = isForSigning
            ? getInstanceForSigning(algorithmURI)
            : getInstanceForVerify(algorithmURI);
        this._signatureAlgorithm
            .engineGetContextFromElement(this._constructionElement);
    }


If '_signatureAlgorithm' has already been initialised, even if it's not for the
purpose intended for another use, it won't be initialised again. Commenting out
the 'if' block solves the problem.

I've noticed that there was an 'isForSigning' field commented out in revision
515521 ( https://svn.apache.org/viewcvs.cgi?view=rev&rev=515521 ), which
completely disappeared in revision 695520
( https://svn.apache.org/viewcvs.cgi?view=rev&rev=695520 ) (current one). I guess
it might have been the original intent for this flag.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
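
Added example, not part of the original report and not Santuario code: the caching pattern the report describes, reduced to the JDK's java.security.Signature, which raises the same "object not initialized for verification" message when an engine left in signing state is asked to verify. The class ModeAwareSigner, its methods and the sample data are hypothetical; the wrapper records which mode the cached engine was created for and replaces it when the other mode is requested.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

// Hypothetical illustration class; names are assumptions, not Santuario API.
public class ModeAwareSigner {
    private final String jcaName;
    private Signature engine;     // cached engine, as in the reported code
    private boolean forSigning;   // mode the cached engine was created for

    public ModeAwareSigner(String jcaName) { this.jcaName = jcaName; }

    // Reuse the cached engine only when it was created for the same mode.
    private Signature engineFor(boolean sign) throws GeneralSecurityException {
        if (engine == null || forSigning != sign) {
            engine = Signature.getInstance(jcaName);
            forSigning = sign;
        }
        return engine;
    }

    public byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = engineFor(true);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    public boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = engineFor(false);
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] data = "constructed sample".getBytes(StandardCharsets.UTF_8);
        // Failure mode: an engine still in signing state is used to verify.
        Signature raw = Signature.getInstance("SHA256withRSA");
        raw.initSign(kp.getPrivate());
        raw.update(data);
        byte[] sig = raw.sign();
        try {
            raw.update(data);
            raw.verify(sig);
        } catch (SignatureException e) {
            System.out.println("reused engine: " + e.getMessage());
        }
        ModeAwareSigner m = new ModeAwareSigner("SHA256withRSA");
        System.out.println("mode-aware: " + m.verify(kp.getPublic(), data, m.sign(kp.getPrivate(), data)));
    }
}
```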
