Details
Bug
Status: Closed
Blocker
Resolution: Fixed
Java 1.5
Security Level: Public (Public issues, viewable by everyone)
None
Description
org.apache.xml.security.signature.XMLSignatureInput calls inputOctetStreamProxy.reset() after a successful check of inputOctetStreamProxy.markSupported() in a number of places. This behavior is incompatible with the general contract of java.io.InputStream.reset() (an IOException may be thrown if no mark has been set) and causes "java.io.IOException: Resetting to invalid mark" when a resource resolver returns an XMLSignatureInput constructed on a BufferedInputStream:
java.io.IOException: Resetting to invalid mark
    at java.io.BufferedInputStream.reset(BufferedInputStream.java:416)
    at org.apache.xml.security.signature.XMLSignatureInput.updateOutputStream(XMLSignatureInput.java:492)
    at org.apache.xml.security.signature.XMLSignatureInput.updateOutputStream(XMLSignatureInput.java:471)
    at org.apache.xml.security.signature.Reference.calculateDigest(Reference.java:718)
    at org.apache.xml.security.signature.Reference.verify(Reference.java:761)
    at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:336)
    at org.apache.xml.security.signature.SignedInfo.verify(SignedInfo.java:259)
    at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:724)
    <...>
This issue is similar to SANTUARIO-39.
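
The contract mismatch described above, as an added example that is not part of the original issue or the Santuario code base. The class and helper names (ResetWithoutMarkDemo, resetIfMarkSupported, readOnce) are hypothetical and the input bytes are constructed. It shows why the pattern goes unnoticed on a ByteArrayInputStream but fails on a BufferedInputStream, next to one defensive alternative that avoids reset() entirely.

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

public class ResetWithoutMarkDemo {

    // Pattern from the report: markSupported() is treated as permission
    // to call reset(), although mark() was never called on the stream.
    static void resetIfMarkSupported(InputStream in) throws IOException {
        if (in.markSupported()) {
            in.reset();
        }
    }

    // Defensive alternative (an assumption, not the project's fix):
    // drain the stream once and reuse the bytes, so no reset() is needed.
    static byte[] readOnce(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] data = "<doc>constructed sample</doc>".getBytes("UTF-8");

        // ByteArrayInputStream has an implicit mark at position 0,
        // so reset() without mark() silently rewinds and hides the bug.
        InputStream plain = new ByteArrayInputStream(data);
        plain.read();
        resetIfMarkSupported(plain);
        System.out.println("ByteArrayInputStream rewound, available=" + plain.available());

        // BufferedInputStream also reports markSupported() == true,
        // but reset() throws when no mark has been set.
        InputStream buffered = new BufferedInputStream(new ByteArrayInputStream(data));
        buffered.read();
        try {
            resetIfMarkSupported(buffered);
        } catch (IOException e) {
            System.out.println("BufferedInputStream failed: " + e.getMessage());
        }

        // The cached bytes can be digested any number of times.
        byte[] cached = readOnce(new BufferedInputStream(new ByteArrayInputStream(data)));
        System.out.println("Cached " + cached.length + " bytes without reset()");
    }
}
```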