List Info

Thread: DO NOT REPLY New: - SignatureAlgorithm problem with initSign and initVerify methods (x
DO NOT REPLY New: - SignatureAlgorithm problem with initSign and initVerify methods (x
user name
 2007-06-12 10:40:12 
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42
644>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42644

           Summary: SignatureAlgorithm problem with initSign
and initVerify
                    methods (xmlsec-1.4.1)
           Product: Security
           Version: unspecified
          Platform: All
        OS/Version: Windows XP
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Signature
        AssignedTo: security-devxml.apache.org
        ReportedBy: kevin.troydigitary.net


We're migrating a working web application from Java 1.4.2 to
Java 1.5.
Our 1.4.2 application used xmlsec-1.2.1 and worked fine.
We've upgraded
to xmlsec-1.4.1 in the process and we have encountered a
problem that
occurs when we try to sign/verify multiple documents with
the same key
pair:

Consider a scenario when multiple XML documents need to be
signed and
verified with the same key pair. (The verification is just
to confirm
that signing worked). Therefore, for a given KeyPair
instance, we do the
following on each iteration:

1. XMLSignature sig = new XMLSignature(....);
2. Sign XML document with PrivateKey
3. Verify XML document with PublicKey (sanity check)

The problem occurs on the second iteration. It appears that,
because we
are using the same PrivateKey to sign on each iteration, the
code
remains initialised for verification (a result of step 3
above), and is
not re-initialised for signing as it is using a cached
Private Key.

We were unable to find an API call to resolve this. We made
changes to
SignatureAlgorithm::initSign(Key) and
SignatureAlgorithm::initVerify(Key) so that cached keys were
no longer
used. We are therefore always calling the
engineInitSign(Key) and
engineInitVerify(Key) on the SignatureAlgorithm
implementation.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=ema
il
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the
assignee.
DO NOT REPLY - SignatureAlgorithm problem with initSign and initVerify methods (xmlsec-
user name
 2007-06-12 10:48:55 
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42
644>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42644





------- Additional Comments From kevin.troydigitary.net  2007-06-12 08:48 -------
Created an attachment (id=20334)
 --> (http://issues.apache.org/bugzilla/attac
hment.cgi?id=20334&action=view)
Class highlighting problem when signing/verify a doc and
then signing new doc

This file copies the format used in
"CreateSignature.java" which is part of the
xmlsec1.4.1-src, dir ->
src_samplesorgapachexmlsecuritysamplessignature


-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=ema
il
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the
assignee.
DO NOT REPLY - SignatureAlgorithm problem with initSign and initVerify methods (xmlsec-
user name
 2007-10-16 05:42:41 
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42
644>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42644


cionco_michelalibero.it changed:

           What    |Removed                     |Added
------------------------------------------------------------
----------------
            Version|unspecified                 |Java 1.4.1




-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=ema
il
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the
assignee.
DO NOT REPLY - SignatureAlgorithm problem with initSign and initVerify methods (xmlsec-
user name
 2007-10-16 05:57:55 
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42
644>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42644


raul-infor-bg.com changed:

           What    |Removed                     |Added
------------------------------------------------------------
----------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX




------- Additional Comments From raul-infor-bg.com 
2007-10-16 03:57 -------
Please, for your own safety not use a object created for
signing to verify it.
It should work or not. We still inherit a lot of code from
the old times where
the objects create for signing cannot use to verify. If you
want to test the
verification, serialize it and deserialize it.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=ema
il
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the
assignee.
[1-4]

about | contact  Other archives ( Real Estate discussion Medical topics )