Reputation: 1327
I'm creating a xml digital signature the same way it is mentioned in nearly all examples I have found:
    String providerName = System.getProperty("jsr105Provider",
            "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
    XMLSignatureFactory fac =
            XMLSignatureFactory.getInstance("DOM",
                    (Provider) Class.forName(providerName).newInstance());
    ...and so on...
We are sending the resulting xml file to our customer who validates this signature. All tests passed and all worked fine till now.
In the production system our customer suddenly sends back "digital signature is wrong". After restarting the application server all seems fine again and some of the files were verified successfully by the customer. But after some minutes/hours the customer sends back "digital signature is wrong" again. Only restarting the application server was solving the problem temporarily.
I found out what is causing this issue but I don't understand it. Somewhere in the application WSS4J is used; the initialisation looks like the following (org.apache.ws.security.WSSConfig):
    public static synchronized void init() {
        if (!staticallyInitialized) {
            if (addJceProviders) {
                setXmlSecIgnoreLineBreak();
                AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
                    public Boolean run() {
                        addXMLDSigRI(); // <-- this line causes the problem
                        addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
                        Security.removeProvider("STRTransform");
                        appendJceProvider(
                            "STRTransform", new org.apache.ws.security.transform.STRTransformProvider()
                        );
                        return true;
                    }
                });
            }
            staticallyInitialized = true;
        }
    }
addXMLDSigRI() adds the ApacheXMLDSig provider at position 2 when it does not exist in the current provider configuration (java.security). The default XMLDSig JDK provider is at position 8.
After this initialisation of WSS4J the creation of the xml digital signature somehow changes and the customer says "digital signature is wrong".
I can reproduce the customer error when I manually register the ApacheXMLDSig provider at position 2. If I add the provider at position 10 (after the JDK provider) it works again.
Versions:
I'm explicitly using the jdk provider: org.jcp.xml.dsig.internal.dom.XMLDSigRI
Why is the registration of the Apache provider "destroying" the functionality of the JDK provider and how can I solve this?
Upvotes: 2
Views: 3099
Reputation: 2509
The JDK registers its own version of xml security provider and when Wss4j initializes, the XMLSignatureFactory is taken from the JDK version, not from Xmlsec jar. In the newer versions of Wss4j this is fixed in 'addXMLDSigRI()' like this:
    Security.removeProvider("ApacheXMLDSig");
    addJceProvider("ApacheXMLDSig", SantuarioUtil.getSantuarioProvider());
I.e., first it removes the provider version registered by the JDK, then registers its own. This prevents classloading issues caused when using JDKs from different providers (like Azul JDK).
Upvotes: 2
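The question and the answer above both hinge on which JSR 105 provider actually backs the XMLSignatureFactory once WSS4J has inserted "ApacheXMLDSig" at position 2. The following diagnostic is an added example, not code from the question, the answer or WSS4J itself: it lists every installed provider that offers a DOM XMLSignatureFactory together with its position, shows which provider an un-pinned getInstance("DOM") resolves to versus a call pinned to the JDK's "XMLDSig" provider, and reproduces the remove-then-insert sequence from the answer. The Santuario provider class name org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI and its presence on the classpath are assumptions; if it is absent the re-registration step is skipped.

```java
import java.security.Provider;
import java.security.Security;
import javax.xml.crypto.dsig.XMLSignatureFactory;

/**
 * Diagnostic for the provider-ordering problem discussed above.
 * Shows which provider backs XMLSignatureFactory before and after a
 * Santuario ("ApacheXMLDSig") provider is inserted at position 2.
 */
public class XmlDsigProviderCheck {

    /** Provider name registered by Apache Santuario (taken from the answer above). */
    static final String SANTUARIO_PROVIDER_NAME = "ApacheXMLDSig";
    /** Provider name of the JDK's built-in JSR 105 implementation. */
    static final String JDK_PROVIDER_NAME = "XMLDSig";
    /** Assumed Santuario provider class; not named on the page, loaded reflectively. */
    static final String SANTUARIO_PROVIDER_CLASS = "org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI";

    /** Prints each provider offering XMLSignatureFactory.DOM with its 1-based position. */
    static void listDomSignatureProviders() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            Provider.Service s = p.getService("XMLSignatureFactory", "DOM");
            if (s != null) {
                System.out.printf("position %d: %s -> %s%n",
                        i + 1, p.getName(), s.getClassName());
            }
        }
    }

    /** Un-pinned lookup: the first provider in priority order that offers DOM wins. */
    static String unpinnedFactoryProvider() {
        return XMLSignatureFactory.getInstance("DOM").getProvider().getName();
    }

    /** Lookup pinned to a named provider; returns null if that provider is not installed. */
    static String pinnedFactoryProvider(String providerName) {
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            return null;
        }
        return XMLSignatureFactory.getInstance("DOM", p).getProvider().getName();
    }

    /**
     * Mirrors the newer WSS4J sequence from the answer: remove any existing
     * "ApacheXMLDSig" registration, then insert Santuario's provider at position 2.
     * Returns false when the assumed Santuario class is not on the classpath.
     */
    static boolean reinstallSantuarioAtPosition2() {
        try {
            Class<?> c = Class.forName(SANTUARIO_PROVIDER_CLASS);
            Provider santuario = (Provider) c.getDeclaredConstructor().newInstance();
            Security.removeProvider(SANTUARIO_PROVIDER_NAME);
            // insertProviderAt returns -1 only if a provider of that name is still installed
            return Security.insertProviderAt(santuario, 2) != -1;
        } catch (ReflectiveOperationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("Before WSS4J-style registration:");
        listDomSignatureProviders();
        System.out.println("unpinned getInstance(\"DOM\") -> " + unpinnedFactoryProvider());
        System.out.println("pinned to " + JDK_PROVIDER_NAME + " -> "
                + pinnedFactoryProvider(JDK_PROVIDER_NAME));

        if (reinstallSantuarioAtPosition2()) {
            System.out.println("After inserting " + SANTUARIO_PROVIDER_NAME + " at position 2:");
            listDomSignatureProviders();
            System.out.println("unpinned getInstance(\"DOM\") -> " + unpinnedFactoryProvider());
            System.out.println("pinned to " + JDK_PROVIDER_NAME + " -> "
                    + pinnedFactoryProvider(JDK_PROVIDER_NAME));
        } else {
            System.out.println("Santuario provider class not found; skipping re-registration.");
        }
    }
}
```

Run it once without xmlsec on the classpath and once with it: the "position" listing makes the ordering the question describes visible, and comparing the un-pinned and pinned results tells you which implementation produced a signature the customer's verifier rejected. Logging the provider name next to each signature you emit is a cheap way to catch a silent provider swap after some later library initialises.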
Reputation: 1900
You can disable the registration of the Apache Santuario provider in WSS4J by calling:
WSSConfig.setAddJceProviders(false);
See here:
Upvotes: 1