Santuario
  1. Santuario
  2. SANTUARIO-296

XMLSignatureInput fails with an IOException if constructed on a BufferedInputStream

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Blocker Blocker
    • Resolution: Fixed
    • Affects Version/s: Java 1.5
    • Fix Version/s: Java 1.5.1
    • Component/s: Java
    • Security Level: Public (Public issues, viewable by everyone)
    • Labels:
      None

      Description

      org.apache.xml.security.signature.XMLSignatureInput calls inputOctetStreamProxy.reset() after a successful check if inputOctetStreamProxy.markSupported() in a number of places. This behavior is incompatible with a general contract of java.io.InputStream.reset() (an IOException may be thrown if no mark has been set) and causes "java.io.IOException: Resetting to invalid mark" when a resource resolver returns XMLSignatureInput constructed on a BufferedInputStream:

      java.io.IOException: Resetting to invalid mark
      at java.io.BufferedInputStream.reset(BufferedInputStream.java:416)
      at org.apache.xml.security.signature.XMLSignatureInput.updateOutputStream(XMLSignatureInput.java:492)
      at org.apache.xml.security.signature.XMLSignatureInput.updateOutputStream(XMLSignatureInput.java:471)
      at org.apache.xml.security.signature.Reference.calculateDigest(Reference.java:718)
      at org.apache.xml.security.signature.Reference.verify(Reference.java:761)
      at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:336)
      at org.apache.xml.security.signature.SignedInfo.verify(SignedInfo.java:259)
      at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:724)
      <...>

      This issue is similar to SANTUARIO-39.

        Activity

        Colm O hEigeartaigh made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Hide
        Giedrius Noreikis added a comment -

        I've tested this - the fix works for us, thanks.

        Show
        Giedrius Noreikis added a comment - I've tested this - the fix works for us, thanks.
        Colm O hEigeartaigh made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Colm O hEigeartaigh made changes -
        Field Original Value New Value
        Fix Version/s Java 1.5.1 [ 12319507 ]
        Colm O hEigeartaigh committed 1242292 (2 files)
        Reviews: none

        [SANTUARIO-296] - XMLSignatureInput fails with an IOException if constructed on a BufferedInputStream

        Hide
        Colm O hEigeartaigh added a comment -

        I'm going to follow the following comment in SANTUARIO-39:

        "The XMLSignatureInput class has no business of resetting the input stream
        becaus it does not if the input stream has been marked or not. The
        implementation of the resolve method should handle all the business of marking
        and resetting the input stream where appropriate."

        Fix committed. If you could test this it would be great.

        Colm.

        Show
        Colm O hEigeartaigh added a comment - I'm going to follow the following comment in SANTUARIO-39 : "The XMLSignatureInput class has no business of resetting the input stream becaus it does not if the input stream has been marked or not. The implementation of the resolve method should handle all the business of marking and resetting the input stream where appropriate." Fix committed. If you could test this it would be great. Colm.
        Giedrius Noreikis created issue -

          People

          • Assignee:
            Colm O hEigeartaigh
            Reporter:
            Giedrius Noreikis
          • Votes:
            1 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development