  1. Santuario
  2. SANTUARIO-444

Signing of big XMLs fails on Windows 8/10 using smart cards


Details

    • Bug
    • Status: Closed
    • Trivial
    • Resolution: Fixed
    • Java 2.0.6
    • Java 2.0.7
    • Java
    • Security Level: Public (Public issues, viewable by everyone)
    • Windows 8+, smart card
    • Patch

    Description

      When signing XML files using a smart card the latter will be reset by Windows when the signing process takes more than 5 seconds. This issue exists only on Windows 8+.

      The problem is that the key store gets initialized before the digest values are computed. If this calculation takes more than 5 seconds, Windows resets the smart card because of an inactive transaction. After the calculations are done and the actual signing process starts, the smart card is no longer available and the task fails.

      The reset is logged by Windows and listed in Event Viewer as a warning with source Smart Card Service: "The card in Smart Card Reader 'ACS CCID USB Reader 0' has been reset because an application held an exclusive transaction on the card for 5 seconds without activity. If this error persists, the application may not be functioning correctly."

      This behavior is documented in https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx

      The solution is quite simple. The order of calculating the digest values and initializing the key store has to be changed.

      Testing, however, requires a Windows 8 or 10 machine (or VM), a smart card and a fairly large XML file.

      The patch to be applied:

      Index: src/main/java/org/apache/xml/security/signature/XMLSignature.java
      ===================================================================
      --- src/main/java/org/apache/xml/security/signature/XMLSignature.java	(revision 1746538)
      +++ src/main/java/org/apache/xml/security/signature/XMLSignature.java	(working copy)
      @@ -624,11 +624,12 @@
                   SignatureAlgorithm sa = si.getSignatureAlgorithm();
                   OutputStream so = null;
                   try {
      +                // generate digest values for all References in this SignedInfo
      +                si.generateDigestValues();
      +
                       // initialize SignatureAlgorithm for signing
                       sa.initSign(signingKey);
       
      -                // generate digest values for all References in this SignedInfo
      -                si.generateDigestValues();
                       so = new UnsyncBufferedOutputStream(new SignerOutputStream(sa));
                       // get the canonicalized bytes from SignedInfo
                       si.signInOctetStream(so);
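
Review bot: the new ordering at the top of the try block (si.generateDigestValues() ahead of sa.initSign(signingKey)) has no comment saying that the order matters, so a later cleanup could move the digest step back after key initialization and bring the card reset back. Suggest a comment above sa.initSign(signingKey) stating that initializing the key may open a smart card transaction that Windows 8+ resets after 5 seconds without activity, so all Reference digests must be finished before it. Also worth noting in that comment: si.signInOctetStream(so) still runs after initSign, so the canonicalization of SignedInfo is the work that remains between key initialization and the signature and should stay short.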
      

      Attachments

        1. Win8_10.patch
          0.9 kB
          Adrian Greiler
        2. WindowsEventLog.png
          63 kB
          Adrian Greiler

          People

            coheigea Colm O hEigeartaigh
            greiler Adrian Greiler