santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Frank Cornelis <i...@e-contract.be>
Subject Re: Signing of big XMLs fails on Windows 8/10 using smart cards
Date Thu, 02 Jun 2016 10:29:52 GMT

Sure that this fixes the issue? What happens when the user takes more 
than 5 seconds to enter the smart card PIN code?


Kind Regards,
Frank.

Op 02-06-16 om 10:54 schreef Colm O hEigeartaigh:
> Could you create a JIRA here and submit a patch please?
>
> https://issues.apache.org/jira/browse/SANTUARIO
>
> Colm.
>
> On Thu, Jun 2, 2016 at 9:53 AM, Adrian Greiler <ag@glue.ch 
> <mailto:ag@glue.ch>> wrote:
>
>     When signing XML files with Xades4j (which uses Apache Santuario
>     underneath) using a smart card the latter will be reset by Windows
>     when the signing process takes more than 5 seconds. This issue
>     exists only on Windows 8+.
>
>     The problem is that the key store gets initialized before the
>     digest values are computed. If this calculation takes more than 5
>     seconds Windows resets the smart card because of an inactive
>     transaction. (See the attached screen shot of the log of that
>     event). After the calculations are done and the actual signing
>     process starts the smartcard is no more available and the task fails.
>
>     This behavior is documented here
>     https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx
>
>     The solution is quite simple. The order of calculating the digest
>     values and initializing the key store has to be changed. I located
>     this in org.apache.xml.security.signature.XmlSignature on line 628
>     in method
>
>     public void sign(Key signingKey) throws XMLSignatureException {
>     ...
>      try {
>                 //Create a SignatureAlgorithm object
>                 SignedInfo si = this.getSignedInfo();
>                 SignatureAlgorithm sa = si.getSignatureAlgorithm();
>                 OutputStream so = null;
>                 try {
>     *                // initialize SignatureAlgorithm for signing**
>     **sa.initSign(signingKey);**
>     ****
>     **                // generate digest values for all References in
>     this SignedInfo**
>     **si.generateDigestValues(); *
>
>                     so = new UnsyncBufferedOutputStream(new
>     SignerOutputStream(sa));
>                     // get the canonicalized bytes from SignedInfo
>                     si.signInOctetStream(so);
>                 } catch (XMLSecurityException ex) {
>                     throw ex;
>                 } finally {
>     ...
>
>     To solve the problem it should be
>
>     public void sign(Key signingKey) throws XMLSignatureException {
>     ...
>      try {
>                 //Create a SignatureAlgorithm object
>                 SignedInfo si = this.getSignedInfo();
>                 SignatureAlgorithm sa = si.getSignatureAlgorithm();
>                 OutputStream so = null;
>                 try {
>     *                // generate digest values for all References in
>     this SignedInfo**
>     **si.generateDigestValues();**
>     ****
>     **                // initialize SignatureAlgorithm for signing**
>     **sa.initSign(signingKey); *
>
>                     so = new UnsyncBufferedOutputStream(new
>     SignerOutputStream(sa));
>                     // get the canonicalized bytes from SignedInfo
>                     si.signInOctetStream(so);
>                 } catch (XMLSecurityException ex) {
>                     throw ex;
>                 } finally {
>     ...
>
>     This code works for this particular setup and is able to sign an
>     XML of 60GB on a Windows 10 machine. This task takes more than a
>     minute and doesn't fail since Windows doesn't reset the smart card
>     transaction.
>
>
>     Kind regards
>
>     Adrian Greiler
>
>
>     -- 
>     Adrian Greiler
>     Software Engineer
>
>     Glue Software Engineering AG | Schwarztorstrasse 31 | CH-3007 Bern |www.glue.ch <http://www.glue.ch>
>     adrian.greiler@glue.ch <mailto:adrian.greiler@glue.ch>  | Office :+41 31 385
30 11 <tel:%2B41%2031%20385%2030%2011>  | Direkt:+41 31 385 30 34 <tel:%2B41%2031%20385%2030%2034>
>
>
>
>
> -- 
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

-- 
Frank Cornelis
e-Contract.be BVBA
https://www.e-contract.be


Mime
View raw message