Santuario
  1. Santuario
  2. SANTUARIO-296

XMLSignatureInput fails with an IOException if constructed on a BufferedInputStream

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Blocker Blocker
    • Resolution: Fixed
    • Affects Version/s: Java 1.5
    • Fix Version/s: Java 1.5.1
    • Component/s: Java
    • Security Level: Public (Public issues, viewable by everyone)
    • Labels:
      None

      Description

      org.apache.xml.security.signature.XMLSignatureInput calls inputOctetStreamProxy.reset() after a successful check if inputOctetStreamProxy.markSupported() in a number of places. This behavior is incompatible with a general contract of java.io.InputStream.reset() (an IOException may be thrown if no mark has been set) and causes "java.io.IOException: Resetting to invalid mark" when a resource resolver returns XMLSignatureInput constructed on a BufferedInputStream:

      java.io.IOException: Resetting to invalid mark
      at java.io.BufferedInputStream.reset(BufferedInputStream.java:416)
      at org.apache.xml.security.signature.XMLSignatureInput.updateOutputStream(XMLSignatureInput.java:492)
      at org.apache.xml.security.signature.XMLSignatureInput.updateOutputStream(XMLSignatureInput.java:471)
      at org.apache.xml.security.signature.Reference.calculateDigest(Reference.java:718)
      at org.apache.xml.security.signature.Reference.verify(Reference.java:761)
      at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:336)
      at org.apache.xml.security.signature.SignedInfo.verify(SignedInfo.java:259)
      at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:724)
      <...>

      This issue is similar to SANTUARIO-39.

        Activity

        Hide
        Colm O hEigeartaigh added a comment -

        I'm going to follow the following comment in SANTUARIO-39:

        "The XMLSignatureInput class has no business of resetting the input stream
        becaus it does not if the input stream has been marked or not. The
        implementation of the resolve method should handle all the business of marking
        and resetting the input stream where appropriate."

        Fix committed. If you could test this it would be great.

        Colm.

        Show
        Colm O hEigeartaigh added a comment - I'm going to follow the following comment in SANTUARIO-39 : "The XMLSignatureInput class has no business of resetting the input stream becaus it does not if the input stream has been marked or not. The implementation of the resolve method should handle all the business of marking and resetting the input stream where appropriate." Fix committed. If you could test this it would be great. Colm.
        Hide
        Giedrius Noreikis added a comment -

        I've tested this - the fix works for us, thanks.

        Show
        Giedrius Noreikis added a comment - I've tested this - the fix works for us, thanks.

          People

          • Assignee:
            Colm O hEigeartaigh
            Reporter:
            Giedrius Noreikis
          • Votes:
            1 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development