Santuario / SANTUARIO-296

XMLSignatureInput fails with an IOException if constructed on a BufferedInputStream

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: Java 1.5
    • Fix Version/s: Java 1.5.1
    • Component/s: Java
    • Security Level: Public (Public issues, viewable by everyone)
    • Labels:
      None

      Description

      org.apache.xml.security.signature.XMLSignatureInput calls inputOctetStreamProxy.reset() after a successful check if inputOctetStreamProxy.markSupported() in a number of places. This behavior is incompatible with a general contract of java.io.InputStream.reset() (an IOException may be thrown if no mark has been set) and causes "java.io.IOException: Resetting to invalid mark" when a resource resolver returns XMLSignatureInput constructed on a BufferedInputStream:

      java.io.IOException: Resetting to invalid mark
      at java.io.BufferedInputStream.reset(BufferedInputStream.java:416)
      at org.apache.xml.security.signature.XMLSignatureInput.updateOutputStream(XMLSignatureInput.java:492)
      at org.apache.xml.security.signature.XMLSignatureInput.updateOutputStream(XMLSignatureInput.java:471)
      at org.apache.xml.security.signature.Reference.calculateDigest(Reference.java:718)
      at org.apache.xml.security.signature.Reference.verify(Reference.java:761)
      at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:336)
      at org.apache.xml.security.signature.SignedInfo.verify(SignedInfo.java:259)
      at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:724)
      <...>

      This issue is similar to SANTUARIO-39.
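
The failure described above, reproduced with plain java.io classes as an added example (not Santuario code and not code from the reporter). `readWithBlindReset` is a hypothetical stand-in for the reset-after-markSupported() pattern, the second half shows the stream's owner doing its own mark() and reset(), and the sample bytes are constructed.

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class MarkResetContractDemo {
    // Hypothetical consumer: reset() is guarded only by markSupported().
    static byte[] readWithBlindReset(InputStream in) throws IOException {
        byte[] data = drain(in);
        if (in.markSupported()) {
            in.reset(); // markSupported() says nothing about whether mark() was ever called
        }
        return data;
    }

    static byte[] drain(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        for (int n; (n = in.read(buf)) != -1; ) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input standing in for a resolved reference.
        byte[] sample = "<doc>constructed sample</doc>".getBytes(StandardCharsets.UTF_8);

        // Case 1: BufferedInputStream with no mark set; reset() throws IOException.
        InputStream unmarked = new BufferedInputStream(new ByteArrayInputStream(sample));
        try {
            readWithBlindReset(unmarked);
        } catch (IOException e) {
            System.out.println("blind reset failed: " + e.getMessage());
        }

        // Case 2: the code that owns the stream marks it, lets the consumer read, then resets.
        InputStream owned = new BufferedInputStream(new ByteArrayInputStream(sample));
        owned.mark(sample.length + 1);
        byte[] first = drain(owned);
        owned.reset();
        byte[] second = drain(owned);
        System.out.println("re-read matches: " + Arrays.equals(first, second));
    }
}
```

A bare ByteArrayInputStream does not show the problem because its reset() returns to the start when no mark has been set; the BufferedInputStream wrapper is what enforces the mark requirement.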

        Activity

        Giedrius Noreikis created issue -
        Colm O hEigeartaigh added a comment -

        I'm going to follow the following comment in SANTUARIO-39:

        "The XMLSignatureInput class has no business of resetting the input stream
        because it does not if the input stream has been marked or not. The
        implementation of the resolve method should handle all the business of marking
        and resetting the input stream where appropriate."

        Fix committed. If you could test this it would be great.

        Colm.

        Colm O hEigeartaigh made changes -
          Fix Version/s: (empty) -> Java 1.5.1 [ 12319507 ]
        Colm O hEigeartaigh made changes -
          Status: Open [ 1 ] -> Resolved [ 5 ]
          Resolution: (empty) -> Fixed [ 1 ]
        Giedrius Noreikis added a comment -

        I've tested this - the fix works for us, thanks.

        Colm O hEigeartaigh made changes -
          Status: Resolved [ 5 ] -> Closed [ 6 ]

        Transitions:
          Open -> Resolved: time in source status 3d 12h 30m; execution times 1; last executer Colm O hEigeartaigh; last execution date 09/Feb/12 12:18
          Resolved -> Closed: time in source status 14d 23h 34m; execution times 1; last executer Colm O hEigeartaigh; last execution date 24/Feb/12 11:52

          People

          • Assignee:
            Colm O hEigeartaigh
            Reporter:
            Giedrius Noreikis