Hi Raul, I was able to reproduce the issue.
Please drop the attached interop.jks file to your classpath along with xml-sec and other pre-reqs and run the test case (TestSig.java). I ran this inside my IDE within the xml-security project.

The exception stack trace is here: http://rafb.net/paste/results/QSCZ1587.html

Thanks,
Ruchith

On 11/3/06, Raul Benito <[EMAIL PROTECTED]> wrote:
> Can you also post the exception backtrace?
>
> Regards,
>
> On 11/3/06, Raul Benito <[EMAIL PROTECTED]> wrote:
> > Hi Ruchith,
> > It is not feasible for me to checkout the whole wss4j in order to see
> > the problem.
> > Did the problem arise when you do something like this?
> > PrivateKey xk; PublicKey pk=xk.getPublickKey();
> > XMLSignature s1=...;
> > XMLSignature s2=...;
> > s1.sign(xk);
> > s2.sign(xk);
> > s1.checkSignatureValue(pk);
> >
> > Or other kind of sequence?
> > Regards,
> >
> > On 11/3/06, Ruchith Fernando <[EMAIL PROTECTED]> wrote:
> > > Hi Raul,
> > >
> > > I'm using the SVN head (revision: 470741).
> > >
> > > I'm working on fixing the issue dims reported yesterday [1] and fixing
> > > WSS4J/Rampart and AXIOM to work with the changes :-). And I have a
> > > patch for [1] which I will post soon.
> > >
> > > I will try to send a test case as soon as possible.
> > >
> > > Until then you can easily reproduce the error with the WSS4J test suite.
> > > You can get a checkout of [2] and simply run "ant clean test" to run
> > > the unit tests after replacing the xml-sec-1.3.0.jar in the lib dir
> > > with the latest.
> > >
> > > Thanks,
> > > Ruchith
> > >
> > > [1] http://issues.apache.org/bugzilla/show_bug.cgi?id=40880
> > > [2] https://svn.apache.org/repos/asf/webservices/wss4j/trunk
> > >
> > > On 11/3/06, Raul Benito <[EMAIL PROTECTED]> wrote:
> > > > Hi Ruchith,
> > > >
> > > > It looks strange to me, because all the junits that we pass do in
> > > > essence what you are describing (several verifying in one thread). But
> > > > on the other hand your explanation looks sound.
> > > > What version of xmlsec are you using?
> > > > Can you post a simple test case that triggers this error?
> > > >
> > > > Regards,
> > > >
> > > > Raul
> > > >
> > > > On 11/3/06, Ruchith Fernando <[EMAIL PROTECTED]> wrote:
> > > > > Hi Devs,
> > > > >
> > > > > I ran into a "java.security.SignatureException: object not
> > > > > initialized for verification" exception when trying to do sign and
> > > > > verify *twice* in the same thread, using different XMLSignature
> > > > > instances.
> > > > >
> > > > > I tracked this down to the use of the "keysVerify" thread local tracker in
> > > > > org.apache.xml.security.algorithms.SignatureAlgorithm to track the
> > > > > initialization of the java.security.Signature instance with
> > > > > private/public keys.
> > > > >
> > > > > When the first signature verification occurs the public key is set in
> > > > > "keysVerify" in SignatureAlgorithm#initVerify(). And it verifies
> > > > > successfully. But when we try to carry out the second verification the
> > > > > "keysVerify" returns the same key for the thread and the
> > > > > java.security.Signature instance is not initialized with the public
> > > > > key. Therefore we run into the above exception.
> > > > >
> > > > > What do you folks think? Have I overlooked something in my scenario?
> > > > >
> > > > > Thanks,
> > > > > Ruchith
> > > > >
> > > > > --
> > > > > www.ruchith.org
> > > >
> > > > --
> > > > http://r-bg.com
> > >
> > > --
> > > www.ruchith.org
> >
> > --
> > http://r-bg.com
>
> --
> http://r-bg.com
--
www.ruchith.org

Attachment: interop.jks (binary data)

Attachment: TestSig.java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import junit.framework.TestCase;

import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.SignatureAlgorithm;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.samples.utils.resolver.OfflineResolver;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.IgnoreAllErrorHandler;
import org.apache.xml.security.utils.XMLUtils;
import org.apache.xpath.XPathAPI;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Reproduces the "object not initialized for verification" failure: two
 * independent sign-then-verify round trips, each with its own XMLSignature
 * instances, run one after the other in the same JUnit thread.
 *
 * @author Ruchith Fernando ([EMAIL PROTECTED])
 */
public class TestSig extends TestCase {

    String keystoreType = "JKS";
    String keystoreFile = "interop.jks";
    String keystorePass = "password";
    String privateKeyAlias = "bob";
    String privateKeyPass = "password";
    String certificateAlias = "bob";

    KeyStore ks = null;

    protected void setUp() throws Exception {
        // Init.init() is idempotent; calling it here (rather than in testOne only)
        // keeps the tests independent of the order in which JUnit invokes them.
        Init.init();
        ks = KeyStore.getInstance(keystoreType);
        FileInputStream fis = new FileInputStream(keystoreFile);
        try {
            ks.load(fis, keystorePass.toCharArray());
        } finally {
            fis.close();
        }
    }

    public void testOne() {
        File signedFile = new File("envelope1.xml");
        try {
            doSign(signedFile);
            assertTrue("signature in " + signedFile + " did not verify",
                    doVerify(signedFile));
        } catch (Exception e) {
            e.printStackTrace();
            fail(e.getMessage());
        }
    }

    public void testTwo() {
        File signedFile = new File("envelope2.xml");
        try {
            doSign(signedFile);
            assertTrue("signature in " + signedFile + " did not verify",
                    doVerify(signedFile));
        } catch (Exception e) {
            e.printStackTrace();
            fail(e.getMessage());
        }
    }

    /**
     * Builds a small document, envelopes an RSA-SHA1 signature over it with the
     * "bob" key from the keystore, and writes the result to outputFile.
     */
    void doSign(File outputFile) throws Exception {
        PrivateKey privateKey = (PrivateKey) ks.getKey(privateKeyAlias,
                privateKeyPass.toCharArray());

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.newDocument();

        // Build a sample document. It will look something like:
        // <!-- Comment before -->
        // <apache:RootElement
        //     xmlns:apache="http://www.apache.org/ns/#app1">Some simple text
        // </apache:RootElement>
        // <!-- Comment after -->
        doc.appendChild(doc.createComment(" Comment before "));
        Element root = doc.createElementNS("http://www.apache.org/ns/#app1",
                "apache:RootElement");
        root.setAttributeNS(null, "attr1", "test1");
        root.setAttributeNS(null, "attr2", "test2");
        root.setAttributeNS(Constants.NamespaceSpecNS, "xmlns:foo",
                "http://example.org/#foo");
        root.setAttributeNS("http://example.org/#foo", "foo:attr1",
                "foo's test");
        root.setAttributeNS(Constants.NamespaceSpecNS, "xmlns:apache",
                "http://www.apache.org/ns/#app1");
        doc.appendChild(root);
        root.appendChild(doc.createTextNode("Some simple text\n"));

        // The BaseURI is the URI that's used to prepend to relative URIs
        String baseURI = outputFile.toURI().toURL().toString();

        // Exclusive C14N (without comments) for SignedInfo, RSA-SHA1 as the
        // signature algorithm; the SignatureAlgorithm element is built by hand
        // so that a fresh SignatureAlgorithm instance is used for each document.
        Element canonElem = XMLUtils.createElementInSignatureSpace(doc,
                Constants._TAG_CANONICALIZATIONMETHOD);
        canonElem.setAttributeNS(null, Constants._ATT_ALGORITHM,
                Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        SignatureAlgorithm signatureAlgorithm = new SignatureAlgorithm(doc,
                XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
        XMLSignature sig = new XMLSignature(doc, null,
                signatureAlgorithm.getElement(), canonElem);

        root.appendChild(sig.getElement());
        doc.appendChild(doc.createComment(" Comment after "));
        sig.getSignedInfo().addResourceResolver(new OfflineResolver());

        // Enveloped signature over the whole document (URI="").
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);
        sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA1);

        // Ship both the certificate and the bare public key in KeyInfo so the
        // verifier below can use either.
        X509Certificate cert = (X509Certificate) ks.getCertificate(certificateAlias);
        sig.addKeyInfo(cert);
        sig.addKeyInfo(cert.getPublicKey());

        System.out.println("Start signing");
        sig.sign(privateKey);
        System.out.println("Finished signing");

        FileOutputStream f = new FileOutputStream(outputFile);
        try {
            XMLUtils.outputDOMc14nWithComments(doc, f);
        } finally {
            f.close();
        }
        System.out.println("Wrote signature to " + baseURI);
    }

    /**
     * Parses the signed file, locates the first ds:Signature and checks it with
     * the certificate (or, failing that, the public key) carried in its own
     * KeyInfo. Returns the result of checkSignatureValue(); false if KeyInfo
     * carries nothing usable. Note that a key taken from the signature's own
     * KeyInfo only shows the signature is internally consistent; it says
     * nothing about whether the signer is trusted.
     */
    static boolean doVerify(File signedXML) throws Exception {
        String signedURI = signedXML.toURI().toURL().toString();

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The input here is a file this test just wrote, but refuse DOCTYPEs
        // anyway so the parser never resolves external entities from a file an
        // attacker might control.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        System.out.println("Try to verify " + signedURI);
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setErrorHandler(new IgnoreAllErrorHandler());
        FileInputStream in = new FileInputStream(signedXML);
        Document doc;
        try {
            doc = db.parse(in);
        } finally {
            in.close();
        }

        Element nscontext = XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
        Element sigElement = (Element) XPathAPI.selectSingleNode(doc,
                "//ds:Signature[1]", nscontext);
        if (sigElement == null) {
            throw new IllegalStateException("no ds:Signature element in " + signedURI);
        }
        XMLSignature signature = new XMLSignature(sigElement, signedURI);
        signature.addResourceResolver(new OfflineResolver());

        KeyInfo ki = signature.getKeyInfo();
        if (ki == null) {
            System.out.println("Did not find a KeyInfo");
            return false;
        }
        if (ki.containsX509Data()) {
            System.out.println("Could find a X509Data element in the KeyInfo");
        }

        boolean valid;
        X509Certificate cert = ki.getX509Certificate();
        if (cert != null) {
            valid = signature.checkSignatureValue(cert);
        } else {
            System.out.println("Did not find a Certificate");
            PublicKey pk = ki.getPublicKey();
            if (pk == null) {
                System.out.println("Did not find a public key, so I can't check the signature");
                return false;
            }
            valid = signature.checkSignatureValue(pk);
        }
        System.out.println("The XML signature in file " + signedURI + " is "
                + (valid ? "valid (good)" : "invalid !!!!! (bad)"));
        return valid;
    }
}
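The failure mode Ruchith describes (a per-thread "keysVerify" tracker that records which key the java.security.Signature was last initialised with, so a second, fresh Signature instance in the same thread is never initialised) can be reproduced without xmlsec at all. The following is an added illustration, not the xmlsec source and not code from the thread: BuggyVerifier and FixedVerifier are hypothetical names, the static ThreadLocal is a stand-in for the tracker as described in the message, and the "fix" shown (remember the initialised key on the object that owns the Signature instance) is one way to remove the cross-instance sharing, not necessarily the change xmlsec made.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

/** Illustrative model of the reported pattern; NOT the xmlsec implementation. */
public class ThreadLocalInitDemo {

    /** Stand-in for the per-thread "keysVerify" tracker described in the thread. */
    static final ThreadLocal<Key> keysVerify = new ThreadLocal<Key>();

    /** One verifier per signature, each owning its own Signature instance. */
    static class BuggyVerifier {
        private final Signature sig;

        BuggyVerifier() throws GeneralSecurityException {
            sig = Signature.getInstance("SHA1withRSA");
        }

        void initVerify(PublicKey pk) throws InvalidKeyException {
            // The defect: the "already initialised with this key" check is per
            // thread, not per Signature instance. A second BuggyVerifier in the
            // same thread finds the key already recorded and skips initVerify()
            // on its own, still uninitialised, Signature object.
            if (keysVerify.get() != pk) {
                sig.initVerify(pk);
                keysVerify.set(pk);
            }
        }

        boolean verify(byte[] data, byte[] signature) throws GeneralSecurityException {
            sig.update(data);          // throws SignatureException if never initialised
            return sig.verify(signature);
        }
    }

    /** Track the initialised key on the object that owns the Signature instance. */
    static class FixedVerifier {
        private final Signature sig;
        private Key initialisedWith;

        FixedVerifier() throws GeneralSecurityException {
            sig = Signature.getInstance("SHA1withRSA");
        }

        void initVerify(PublicKey pk) throws InvalidKeyException {
            if (initialisedWith != pk) {
                sig.initVerify(pk);
                initialisedWith = pk;
            }
        }

        boolean verify(byte[] data, byte[] signature) throws GeneralSecurityException {
            sig.update(data);
            return sig.verify(signature);
        }
    }

    static byte[] sign(PrivateKey sk, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(sk);
        s.update(data);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a throwaway RSA key pair and a short message.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] data = "Some simple text\n".getBytes("UTF-8");
        byte[] signature = sign(kp.getPrivate(), data);

        // First verification: keysVerify is empty, initVerify() runs, result true.
        BuggyVerifier first = new BuggyVerifier();
        first.initVerify(kp.getPublic());
        System.out.println("first verify:  " + first.verify(data, signature));

        // Second verification, new instance, same thread, same key: keysVerify
        // still holds the key, initVerify() is skipped and the JCE throws
        // SignatureException ("object not initialized ...").
        BuggyVerifier second = new BuggyVerifier();
        second.initVerify(kp.getPublic());
        try {
            System.out.println("second verify: " + second.verify(data, signature));
        } catch (SignatureException e) {
            System.out.println("second verify threw: " + e.getMessage());
        }

        // Per-instance tracking: both instances are initialised and both verify.
        FixedVerifier a = new FixedVerifier();
        a.initVerify(kp.getPublic());
        FixedVerifier b = new FixedVerifier();
        b.initVerify(kp.getPublic());
        System.out.println("fixed: " + a.verify(data, signature) + " / " + b.verify(data, signature));
    }
}
```

The model only reproduces the sequence in the message (verify, then verify again with a different instance and the same key in one thread); it deliberately compares keys by identity, as a cache of this kind would, since an equals()-based comparison would skip initialisation just the same. The point for a reviewer is that any "skip initVerify() if the key is unchanged" shortcut must be scoped to the Signature object it protects, never to the thread.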
