santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adrian Greiler ...@glue.ch>
Subject Re: Signing of big XMLs fails on Windows 8/10 using smart cards
Date Mon, 06 Jun 2016 07:02:37 GMT
I just tested with a way longer delay (more than 5 minutes) and it still 
worked. We have Siemens CardOS V4.3B (SuisseID) and there it fixes the 
problem.


Thanks for the hint / test case and kind regards

Adrian


Am 02.06.2016 um 12:29 schrieb Frank Cornelis:
>
> Sure that this fixes the issue? What happens when the user takes more 
> than 5 seconds to enter the smart card PIN code?
>
>
> Kind Regards,
> Frank.
>
> Op 02-06-16 om 10:54 schreef Colm O hEigeartaigh:
>> Could you create a JIRA here and submit a patch please?
>>
>> https://issues.apache.org/jira/browse/SANTUARIO
>>
>> Colm.
>>
>> On Thu, Jun 2, 2016 at 9:53 AM, Adrian Greiler <ag@glue.ch 
>> <mailto:ag@glue.ch>> wrote:
>>
>>     When signing XML files with Xades4j (which uses Apache Santuario
>>     underneath) using a smart card the latter will be reset by
>>     Windows when the signing process takes more than 5 seconds. This
>>     issue exists only on Windows 8+.
>>
>>     The problem is that the key store gets initialized before the
>>     digest values are computed. If this calculation takes more than 5
>>     seconds Windows resets the smart card because of an inactive
>>     transaction. (See the attached screen shot of the log of that
>>     event). After the calculations are done and the actual signing
>>     process starts the smartcard is no more available and the task fails.
>>
>>     This behavior is documented here
>>     https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx
>>
>>     The solution is quite simple. The order of calculating the digest
>>     values and initializing the key store has to be changed. I
>>     located this in org.apache.xml.security.signature.XmlSignature on
>>     line 628 in method
>>
>>     public void sign(Key signingKey) throws XMLSignatureException {
>>     ...
>>      try {
>>                 //Create a SignatureAlgorithm object
>>                 SignedInfo si = this.getSignedInfo();
>>                 SignatureAlgorithm sa = si.getSignatureAlgorithm();
>>                 OutputStream so = null;
>>                 try {
>>     *                // initialize SignatureAlgorithm for signing**
>>     **sa.initSign(signingKey);**
>>     ****
>>     **                // generate digest values for all References in
>>     this SignedInfo**
>>     **si.generateDigestValues(); *
>>
>>                     so = new UnsyncBufferedOutputStream(new
>>     SignerOutputStream(sa));
>>                     // get the canonicalized bytes from SignedInfo
>>                     si.signInOctetStream(so);
>>                 } catch (XMLSecurityException ex) {
>>                     throw ex;
>>                 } finally {
>>     ...
>>
>>     To solve the problem it should be
>>
>>     public void sign(Key signingKey) throws XMLSignatureException {
>>     ...
>>      try {
>>                 //Create a SignatureAlgorithm object
>>                 SignedInfo si = this.getSignedInfo();
>>                 SignatureAlgorithm sa = si.getSignatureAlgorithm();
>>                 OutputStream so = null;
>>                 try {
>>     *                // generate digest values for all References in
>>     this SignedInfo**
>>     **si.generateDigestValues();**
>>     ****
>>     **                // initialize SignatureAlgorithm for signing**
>>     **sa.initSign(signingKey); *
>>
>>                     so = new UnsyncBufferedOutputStream(new
>>     SignerOutputStream(sa));
>>                     // get the canonicalized bytes from SignedInfo
>>                     si.signInOctetStream(so);
>>                 } catch (XMLSecurityException ex) {
>>                     throw ex;
>>                 } finally {
>>     ...
>>
>>     This code works for this particular setup and is able to sign an
>>     XML of 60GB on a Windows 10 machine. This task takes more than a
>>     minute and doesn't fail since Windows doesn't reset the smart
>>     card transaction.
>>
>>
>>     Kind regards
>>
>>     Adrian Greiler
>>
>>
>>     -- 
>>     Adrian Greiler
>>     Software Engineer
>>
>>     Glue Software Engineering AG | Schwarztorstrasse 31 | CH-3007 Bern |www.glue.ch
<http://www.glue.ch>
>>     adrian.greiler@glue.ch <mailto:adrian.greiler@glue.ch>  | Office :+41 31
385 30 11 <tel:%2B41%2031%20385%2030%2011>  | Direkt:+41 31 385 30 34 <tel:%2B41%2031%20385%2030%2034>
>>
>>
>>
>>
>> -- 
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>
> -- 
> Frank Cornelis
> e-Contract.be BVBA
> https://www.e-contract.be


Mime
View raw message