Bug 45475

Summary: XMLSignature::getKeyInfo method modifies document
Product: Security - Now in JIRA Reporter: Gill Bates <byby123452000>
Component: SignatureAssignee: XML Security Developers Mailing List <security-dev>
Status: RESOLVED FIXED    
Severity: critical    
Priority: P2    
Version: unspecified   
Target Milestone: ---   
Hardware: PC   
OS: Windows XP   

Description Gill Bates 2008-07-24 04:37:01 UTC 
The org.w3c.com.document that is assigned to an XMLSignature object through the document's signature element

Document doc=..;
Element sigElement = doc.get...;

XMLSignature signature = new XMLSignature(sigElement, null);
				 
signature.getKeyInfo();

-> original document is modified

That seems to happen, if no Key Information is present in the signature Element.

Result: document is modified, future verification fails (e.g. with another signature Element).

Happens with xml-sec 1.4.2, java version

xml-sec 1.4.0 did not contain this bug.
Comment 1 sean.mullan 2008-09-15 11:34:56 UTC 
Fixed in trunk/main branch.