  1. Santuario
  2. SANTUARIO-444

Signing of big XMLs fails on Windows 8/10 using smart cards



    • Type: Bug
    • Status: Closed
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: Java 2.0.6
    • Fix Version/s: Java 2.0.7
    • Component/s: Java
    • Security Level: Public (Public issues, viewable by everyone)
    • Labels:
    • Environment:
      Windows 8+, smart card
    • Flags:


      When signing XML files using a smart card the latter will be reset by Windows when the signing process takes more than 5 seconds. This issue exists only on Windows 8+.

      The problem is that the key store gets initialized before the digest values are computed. If this calculation takes more than 5 seconds, Windows resets the smart card because of an inactive transaction. After the calculations are done and the actual signing process starts, the smart card is no longer available and the task fails.

      The reset is logged by Windows and listed in Event Viewer as a warning with source Smart Card Service: "The card in Smart Card Reader 'ACS CCID USB Reader 0' has been reset because an application held an exclusive transaction on the card for 5 seconds without activity. If this error persists, the application may not be functioning correctly."

      This behavior is documented in https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx

      The solution is quite simple. The order of calculating the digest values and initializing the key store has to be changed.

      Testing, however, requires a Windows 8 or 10 machine (or VM), a smart card and a fairly large XML file.

      The patch to be applied:

      Index: src/main/java/org/apache/xml/security/signature/XMLSignature.java
      --- src/main/java/org/apache/xml/security/signature/XMLSignature.java	(revision 1746538)
      +++ src/main/java/org/apache/xml/security/signature/XMLSignature.java	(working copy)
      @@ -624,11 +624,12 @@
                   SignatureAlgorithm sa = si.getSignatureAlgorithm();
                   OutputStream so = null;
                   try {
      +                // generate digest values for all References in this SignedInfo
      +                si.generateDigestValues();
                       // initialize SignatureAlgorithm for signing
      -                // generate digest values for all References in this SignedInfo
      -                si.generateDigestValues();
                       so = new UnsyncBufferedOutputStream(new SignerOutputStream(sa));
                       // get the canonicalized bytes from SignedInfo
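
      Review bot: the hunk header (`-624,11 +624,12`) does not match the visible body, which shows two added and two removed lines and no statement under the context comment `// initialize SignatureAlgorithm for signing`. The initialization call that comment refers to has to be visible to confirm that `si.generateDigestValues()` now runs before it, so the patch should be regenerated against the stated revision and rechecked. The moved call also deserves a comment saying why the order matters (the 5-second smart card transaction timeout from the description), so that a later cleanup does not move it back.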


        1. WindowsEventLog.png
          63 kB
          Adrian Greiler
        2. Win8_10.patch
          0.9 kB
          Adrian Greiler



            • Assignee:
              coheigea Colm O hEigeartaigh
              greiler Adrian Greiler

