
mace-opensaml-users - Re: Signature Validation Error: object not initialized for signature or verification

Subject: OpenSAML user discussion


Re: Signature Validation Error: object not initialized for signature or verification


  • From: Brent Putman <>
  • To:
  • Subject: Re: Signature Validation Error: object not initialized for signature or verification
  • Date: Thu, 07 Feb 2008 20:13:28 -0500

Dave,

I did some diagnosis of this bug, see the xmlsec bugzilla entry.

However, it wasn't clear from your description if you were encountering this error under the same conditions, so I just wanted to confirm.  The error with the test case in the bugzilla entry happens when you initially use the same XMLSignature instance to both sign and verify something (in the same thread, actually), and then attempt to do more verifications (on another XMLSignature instance) using the same key (where "same" means by reference equality). 


Signing and then also immediately verifying is something you might do in unit tests or test code or whatever, but not typically in production code, so I wanted to confirm that that was the condition under which you saw the error.

If so, the official line from the Apache xmlsec team has usually been:  don't use the Apache XMLSignature instance for both signing and verifying a signature.  Instead reconstitute a new XMLSignature around the ds:Signature Element and use that for verifying. (Yeah, they should fix it so it will work correctly, but...).  For OpenSAML that would be accomplished by unmarshalling a new XMLObject tree around the DOM of your signed Response or whatever.


If, on the other hand, you were for example processing a signed Response that you received from somewhere, and trying to just verify multiple signatures within it, then let me know.  That probably means it's a different sort of bug.  I've been looking at xmlsec bugs lately and would definitely want to add it to the list.  I'll say, though, offhand, from looking at the Apache signature code, I don't see how that could be happening.


Thanks,
Brent




Dave Badia wrote:
Hi -
I encountered this issue and have since found a resolution, but wanted to pass the info along in case others have this problem.
While trying to process a SAML Response message with multiple digital signatures, I received the error "object not initialized for signature or verification".
I mapped this error back to a bug in Apache XML Sec 1.4.1: http://issues.apache.org/bugzilla/show_bug.cgi?id=44204
Since the bug has not been resolved as of the time of this writing, I found a workaround.  Basically, a new PublicKey object needs to be created on the Credential before each validation.
This will force the Apache XML Sec library to do full initialization of the necessary objects prior to each signature verification.

// Imports needed by the snippet:
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import org.opensaml.xml.signature.SignatureValidator;

// Load java keystore to get java KeyPair, build credential object
// before each validation:
        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
        // Rebuild an equal-by-value but reference-distinct key from modulus and exponent
        RSAPublicKeySpec spec = new RSAPublicKeySpec(publicKey.getModulus(), publicKey.getPublicExponent());
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        RSAPublicKey newPublicKey = (RSAPublicKey) keyFactory.generatePublic(spec);
        credential.setPublicKey(newPublicKey);   // fresh key object for this validation only
        SignatureValidator validator = new SignatureValidator(credential);

Here is the original exception for reference:
Original Exception was java.security.SignatureException: object not initialized for signature or verification
        at org.apache.xml.security.utils.SignerOutputStream.write(SignerOutputStream.java:66)
        at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flushBuffer(UnsyncBufferedOutputStream.java:69)
        at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flush(UnsyncBufferedOutputStream.java:85)
        at org.apache.xml.security.utils.UnsyncBufferedOutputStream.close(UnsyncBufferedOutputStream.java:91)
        at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:207)
        at org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.engineCanonicalizeSubTree(Canonicalizer20010315Excl.java:108)
        at org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.engineCanonicalizeSubTree(Canonicalizer20010315Excl.java:82)
        at org.apache.xml.security.c14n.Canonicalizer.canonicalizeSubtree(Canonicalizer.java:242)
        at org.apache.xml.security.signature.SignedInfo.signInOctectStream(SignedInfo.java:280)
        at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:601)
        at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:68)

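The workaround in the quoted post depends on the rebuilt key being a new object (reference-distinct) while still equal by value. The following added example, which is not code from either poster or from the OpenSAML project, shows that property and wraps the per-validation key refresh in a helper. It generalizes the RSA-specific snippet above by rebuilding any public key from its X.509 encoding, so the same helper works for non-RSA keys. The OpenSAML 2 types used (BasicCredential, Signature, SignatureValidator, ValidationException) are assumed to be the xmltooling/OpenSAML 2.x API; the key pair in main() is a throwaway test key generated on the fly.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.List;

import org.opensaml.xml.security.credential.BasicCredential;   // assumed OpenSAML 2.x API
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

public class FreshKeyValidation {

    /**
     * Rebuild a PublicKey from its encoded form.  The result is equal by value
     * to the input but is a distinct object, so library state that is keyed on
     * object identity (the condition described in the thread) is not reused.
     * Works for any algorithm whose keys expose an X.509 SubjectPublicKeyInfo
     * encoding (RSA, DSA, EC), not only RSA.
     */
    static PublicKey freshCopy(PublicKey key) throws Exception {
        KeyFactory kf = KeyFactory.getInstance(key.getAlgorithm());
        return kf.generatePublic(new X509EncodedKeySpec(key.getEncoded()));
    }

    /**
     * Validate every signature in a message against one trusted key, giving
     * each validation its own freshly rebuilt key object.  Fails closed: the
     * first ValidationException aborts the batch instead of leaving the caller
     * with a partially verified message.
     */
    static void validateAll(List<Signature> signatures, PublicKey trustedKey)
            throws Exception {
        for (Signature sig : signatures) {
            BasicCredential credential = new BasicCredential();
            credential.setPublicKey(freshCopy(trustedKey));
            SignatureValidator validator = new SignatureValidator(credential);
            validator.validate(sig);   // throws ValidationException on a bad signature
        }
    }

    public static void main(String[] args) throws Exception {
        // Throwaway key pair for demonstration only (constructed here, not a real credential)
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        PublicKey original = kp.getPublic();
        PublicKey copy = freshCopy(original);

        System.out.println("same reference: " + (copy == original));    // false
        System.out.println("equal by value:  " + copy.equals(original)); // true
    }
}
```

The helper only sidesteps the library's per-key state; it does not change what is trusted, because the rebuilt key carries exactly the same modulus and exponent as the original. Treat it as a workaround tied to the xmlsec version in use, and keep the fail-closed loop: a message with several signatures should be rejected as a whole if any one of them does not verify.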
