Maybe the solution as suggested in section "Disable Smart Card Plug and Play through Group Policy for managed computers" of https://support.microsoft.com/en-us/kb/976832 works.
Kind Regards, Lijun On Thu, Jun 2, 2016 at 12:29 PM, Frank Cornelis <[email protected]> wrote: > > Sure that this fixes the issue? What happens when the user takes more than > 5 seconds to enter the smart card PIN code? > > > Kind Regards, > Frank. > > Op 02-06-16 om 10:54 schreef Colm O hEigeartaigh: > > Could you create a JIRA here and submit a patch please? > > https://issues.apache.org/jira/browse/SANTUARIO > > Colm. > > On Thu, Jun 2, 2016 at 9:53 AM, Adrian Greiler <[email protected]> wrote: > >> When signing XML files with Xades4j (which uses Apache Santuario >> underneath) using a smart card the latter will be reset by Windows when the >> signing process takes more than 5 seconds. This issue exists only on >> Windows 8+. >> >> The problem is that the key store gets initialized before the digest >> values are computed. If this calculation takes more than 5 seconds Windows >> resets the smart card because of an inactive transaction. (See the attached >> screen shot of the log of that event). After the calculations are done and >> the actual signing process starts the smartcard is no more available and >> the task fails. >> >> This behavior is documented here >> https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx >> >> The solution is quite simple. The order of calculating the digest values >> and initializing the key store has to be changed. I located this in >> org.apache.xml.security.signature.XmlSignature on line 628 in method >> >> public void sign(Key signingKey) throws XMLSignatureException { >> ... >> try { >> //Create a SignatureAlgorithm object >> SignedInfo si = this.getSignedInfo(); >> SignatureAlgorithm sa = si.getSignatureAlgorithm(); >> OutputStream so = null; >> try { >> * // initialize SignatureAlgorithm for signing* >> * sa.initSign(signingKey);* >> >> * // generate digest values for all References in this >> SignedInfo* >> * si.generateDigestValues(); * >> >> so = new UnsyncBufferedOutputStream(new >> SignerOutputStream(sa)); >> // get the canonicalized bytes from SignedInfo >> si.signInOctetStream(so); >> } catch (XMLSecurityException ex) { >> throw ex; >> } finally { >> ... >> >> To solve the problem it should be >> >> public void sign(Key signingKey) throws XMLSignatureException { >> ... >> try { >> //Create a SignatureAlgorithm object >> SignedInfo si = this.getSignedInfo(); >> SignatureAlgorithm sa = si.getSignatureAlgorithm(); >> OutputStream so = null; >> try { >> * // generate digest values for all References in this >> SignedInfo* >> * si.generateDigestValues();* >> >> * // initialize SignatureAlgorithm for signing* >> * sa.initSign(signingKey); * >> >> so = new UnsyncBufferedOutputStream(new >> SignerOutputStream(sa)); >> // get the canonicalized bytes from SignedInfo >> si.signInOctetStream(so); >> } catch (XMLSecurityException ex) { >> throw ex; >> } finally { >> ... >> >> This code works for this particular setup and is able to sign an XML of >> 60GB on a Windows 10 machine. This task takes more than a minute and >> doesn't fail since Windows doesn't reset the smart card transaction. >> >> >> Kind regards >> >> Adrian Greiler >> >> -- >> Adrian Greiler >> Software Engineer >> >> Glue Software Engineering AG | Schwarztorstrasse 31 | CH-3007 Bern | >> [email protected] | Office : +41 31 385 30 11 | Direkt: +41 >> 31 385 30 34 >> >> > > > -- > Colm O hEigeartaigh > > Talend Community Coder > http://coders.talend.com > > > -- > Frank Cornelis > e-Contract.be BVBAhttps://www.e-contract.be > > -- Lijun Liao
