Bug 41520 - Cannot generate signatures with the same key but different algorithms in succession
Status: CLOSED FIXED
Alias: None
Product: Security - Now in JIRA
Classification: Unclassified
Component: Signature
Version: Java 1.3
Hardware: All All
Importance: P2 major
Target Milestone: ---
Assignee: XML Security Developers Mailing List
Keywords: PatchAvailable
Duplicates: 41519
Reported: 2007-02-01 13:37 UTC by Lijun Liao
Modified: 2007-09-19 12:28 UTC
Description Lijun Liao 2007-02-01 13:37:11 UTC
If you issue a second signature but with a different algorithm, e.g., RSAWithSHA1
for the first signature, and RSAWithRipeMD160 for the second, you will get the
exception that says:
org.apache.xml.security.signature.XMLSignatureException: object not initialized for signature or verification
Original Exception was java.security.SignatureException: object not initialized for signature or verification
	at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineUpdate(SignatureBaseRSA.java:203)
	at org.apache.xml.security.algorithms.SignatureAlgorithm.update(SignatureAlgorithm.java:249)
	at org.apache.xml.security.utils.SignerOutputStream.write(SignerOutputStream.java:64)
	at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flushBuffer(UnsyncBufferedOutputStream.java:69)
	at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flush(UnsyncBufferedOutputStream.java:85)
	at org.apache.xml.security.utils.UnsyncBufferedOutputStream.close(UnsyncBufferedOutputStream.java:91)
	at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:207)
	at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:121)
	at org.apache.xml.security.c14n.Canonicalizer.canonicalizeSubtree(Canonicalizer.java:268)
	at org.apache.xml.security.signature.SignedInfo.signInOctectStream(SignedInfo.java:286)
	at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:501)
	at org.apache.xml.security.samples.signature.CopyOfCreateSignature.sign(CopyOfCreateSignature.java:172)
	at org.apache.xml.security.samples.signature.CopyOfCreateSignature.main(CopyOfCreateSignature.java:83)
java.security.SignatureException: object not initialized for signature or verification
	at java.security.Signature.update(Signature.java:690)
	at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineUpdate(SignatureBaseRSA.java:201)
	at org.apache.xml.security.algorithms.SignatureAlgorithm.update(SignatureAlgorithm.java:249)
	at org.apache.xml.security.utils.SignerOutputStream.write(SignerOutputStream.java:64)
	at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flushBuffer(UnsyncBufferedOutputStream.java:69)
	at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flush(UnsyncBufferedOutputStream.java:85)
	at org.apache.xml.security.utils.UnsyncBufferedOutputStream.close(UnsyncBufferedOutputStream.java:91)
	at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:207)
	at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:121)
	at org.apache.xml.security.c14n.Canonicalizer.canonicalizeSubtree(Canonicalizer.java:268)
	at org.apache.xml.security.signature.SignedInfo.signInOctectStream(SignedInfo.java:286)
	at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:501)
	at org.apache.xml.security.samples.signature.CopyOfCreateSignature.sign(CopyOfCreateSignature.java:172)
	at org.apache.xml.security.samples.signature.CopyOfCreateSignature.main(CopyOfCreateSignature.java:83)
This problem is caused by the initSign method in class SignatureAlgorithm:
[1]   public void initSign(Key signingKey) throws XMLSignatureException {
[2]       initializeAlgorithm(true);
[3]       if (keysSigning.get() == signingKey) {
[4]           return;
[5]       }
[6]       keysSigning.set(signingKey);
[7]       this._signatureAlgorithm.engineInitSign(signingKey);
[8]   }
Lines 3-5 should be commented out to solve the above problem.
Comment 1 Lijun Liao 2007-02-02 02:48:09 UTC
There is the same problem if you try to verify two signatures with the same
public key but with different signature algorithms. 
[1]   public void initVerify(Key verificationKey) throws XMLSignatureException {
[2]       initializeAlgorithm(false);
[3]       if (keysVerify.get() == verificationKey) {
[4]           return;
[5]       }
[6]       keysVerify.set(verificationKey);
[7]       this._signatureAlgorithm.engineInitVerify(verificationKey);
[8]   }

The code in lines 3-5 should be commented out to solve the problem.
Comment 2 sean.mullan 2007-02-21 08:29:53 UTC
*** Bug 41519 has been marked as a duplicate of this bug. ***
Comment 3 Raul Benito 2007-03-07 02:45:28 UTC
Fixed in SVN head; fixed without removing the optimization or not reinitializing
the Signer (a somewhat expensive operation).

Thanks for the notification and your patch.

Can you test svn head to see if it works for you?
Comment 4 sean.mullan 2007-09-19 12:28:01 UTC
Closing old bugs. Fixed in 1.4.1
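
Added example, not part of the bug thread and not the project's code or its actual fix: a stand-alone reproduction of the key-only init cache from the description using plain java.security.Signature, next to one hypothetical way to keep the shortcut by also remembering which engine was initialized. The class name, the initSignBuggy/initSignKeyed helpers and the lastEngine field are assumptions, and SHA256withRSA stands in for RSAWithRipeMD160 so that it runs on a stock JDK; the same reasoning applies to initVerify.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class InitCacheDemo {
    // Mirrors the reported pattern: remembers only the last key, not which engine got it.
    static final ThreadLocal<Key> keysSigning = new ThreadLocal<>();
    // Hypothetical repair: also remember the engine instance that was initialized.
    static final ThreadLocal<Signature> lastEngine = new ThreadLocal<>();

    static void initSignBuggy(Signature engine, PrivateKey key) throws InvalidKeyException {
        if (keysSigning.get() == key) {
            return;                       // skipped even when 'engine' is another algorithm
        }
        keysSigning.set(key);
        engine.initSign(key);
    }

    static void initSignKeyed(Signature engine, PrivateKey key) throws InvalidKeyException {
        if (keysSigning.get() == key && lastEngine.get() == engine) {
            return;                       // this exact engine was already initialized with this key
        }
        keysSigning.set(key);
        lastEngine.set(engine);
        engine.initSign(key);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PrivateKey key = kpg.generateKeyPair().getPrivate();
        byte[] data = "constructed sample SignedInfo bytes".getBytes(StandardCharsets.UTF_8);
        Signature first = Signature.getInstance("SHA1withRSA");
        Signature second = Signature.getInstance("SHA256withRSA");

        initSignBuggy(first, key);
        first.update(data);
        first.sign();
        initSignBuggy(second, key);       // returns early, 'second' is never initialized
        try {
            second.update(data);
        } catch (SignatureException e) {
            System.out.println("buggy cache: " + e.getMessage());
        }

        initSignKeyed(second, key);       // engine differs from the cached one, so initSign runs
        second.update(data);
        System.out.println("keyed cache: signed " + second.sign().length + " bytes");
    }
}
```

A cache like this is only valid while nothing else re-initializes the engine (for example switching it to verification), so any such path has to clear the remembered pair.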