Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
Java 2.0.10
-
None
Description
Note: Since it is not a functional bug, I've labelled it as a bug considering it as a performance bug since it could cause multiple internet connections searching for a single resource. If you consider only bugs the functional ones, then it should be changed to improvement. My apologies in this case.
The class org.apache.xml.security.signature.Reference
has a method private byte[] calculateDigest(boolean validating)
which, at the beginning calls to:
XMLSignatureInput input = this.getContentsBeforeTransformation();
Inside getContentsBeforeTransformation the resourceResolvers are called.
This XMLSignatureInput input is only used for checking if it's a precalculated digest.
Later on calculateDigest method, there's a call to:
XMLSignatureInput output = this.dereferenceURIandPerformTransforms(os);
The first thing that dereferenceURIandPerformTransforms method does is calling again to
XMLSignatureInput input = this.getContentsBeforeTransformation();
which makes a performance loss since it's calling again to resourceResolvers, which could mean connecting again to internet searching for the resource.