Posted to commits@santuario.apache.org by "Marc Giger (JIRA)" <ji...@apache.org> on 2016/01/18 19:08:39 UTC

[jira] [Commented] (SANTUARIO-424) Multiple Signatures cause a NPE on verification in the streaming code

    [ https://issues.apache.org/jira/browse/SANTUARIO-424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15105605#comment-15105605 ] 

Marc Giger commented on SANTUARIO-424:
--------------------------------------

Hi Loeiz,

My previous statement was incorrect. Chaining XML(Sec)StreamReaders does not work for multiple signatures since
we have at minimum two factors that count:
First, the implementation must process just one signature and ignore the others (not given ATM).
Secondly, the signature must be processed in the correct order (in the case one signature covers the other).
So chaining is only a good option when you do different operations. e.g. decrypt and verify signature or the opposite way. Then in theory you can do something like the following:

// First reader in the chain: configured for signature verification
XMLSecurityProperties sigProperties = new XMLSecurityProperties();
InboundXMLSec inboundSigXMLSec = XMLSec.getInboundWSSec(sigProperties);
XMLStreamReader sigSecurityStreamReader = inboundSigXMLSec.processInMessage(originalStreamReader);

// Second reader wraps the first: configured for decryption
XMLSecurityProperties decProperties = new XMLSecurityProperties();
InboundXMLSec inboundDecXMLSec = XMLSec.getInboundWSSec(decProperties);
XMLStreamReader decSecurityStreamReader = inboundDecXMLSec.processInMessage(sigSecurityStreamReader);

With proper settings this would even be the most efficient way atm - memory wise - to process a signature and decrypt
at the same time. But as said, this does not work for multiple signatures or multiple encryptions.

Marc

> Multiple Signatures cause a NPE on verification in the streaming code
> ---------------------------------------------------------------------
>
>                 Key: SANTUARIO-424
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-424
>             Project: Santuario
>          Issue Type: Bug
>            Reporter: Colm O hEigeartaigh
>            Assignee: Marc Giger
>             Fix For: Java 2.0.6
>
>
> Multiple Signatures cause a NPE on verification with the streaming code. The XMLSecurityInputProcessor is only really designed to process a single Signature (i.e. the internalBufferProcessor gets removed on processing a single signature). Not sure how feasible it is to support multiple signatures here.
> Ignored Test case added as part of this commit: http://svn.apache.org/viewvc?view=revision&revision=1693244
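
Because the streaming verifier discussed above is only designed for a single Signature, a caller can reject other inputs before verification. The following is an added example, not code from Santuario or from the thread; the class and method names are hypothetical, the sample documents are constructed, and it uses only the JDK StAX API.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Hypothetical pre-flight guard; not part of Santuario. */
public class SingleSignatureGuard {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** Counts ds:Signature elements at any depth, with DTDs and external entities disabled. */
    static int countSignatures(String xml) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        int count = 0;
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.START_ELEMENT
                        && DSIG_NS.equals(reader.getNamespaceURI())
                        && "Signature".equals(reader.getLocalName())) {
                    count++;
                }
            }
        } finally {
            reader.close();
        }
        return count;
    }

    /** Throws unless the document carries exactly one signature. */
    static void requireSingleSignature(String xml) throws XMLStreamException {
        int found = countSignatures(xml);
        if (found != 1) {
            throw new IllegalArgumentException("expected exactly 1 ds:Signature, found " + found);
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample documents: one signature, then two (one nested).
        String sig = "<ds:Signature xmlns:ds=\"" + DSIG_NS + "\"/>";
        requireSingleSignature("<doc>" + sig + "</doc>");
        System.out.println("one signature: accepted");
        try {
            requireSingleSignature("<doc>" + sig + "<part>" + sig + "</part></doc>");
        } catch (IllegalArgumentException e) {
            System.out.println("two signatures: rejected (" + e.getMessage() + ")");
        }
    }
}
```

This check needs its own pass over the document, so the input has to be buffered or re-readable, which gives up part of the memory advantage of streaming.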


