
mace-opensaml-users - XML signature issue(s)

Subject: OpenSAML user discussion

  • From: Hubert Le Van Gong <>
  • To:
  • Subject: XML signature issue(s)
  • Date: Wed, 10 Sep 2008 16:56:53 +0200

Hi Guys,

I'm following the example on the wiki to sign an XML object (either a
SAML2 Assertion or a class that extends AbstractSignableXMLObject).
The code I use is very much like the one on the wiki:

BasicX509Credential stCred = new BasicX509Credential();
stCred.setEntityCertificate(myApp.cert);

Signature signature = (Signature) Configuration.getBuilderFactory()
        .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
        .buildObject(Signature.DEFAULT_ELEMENT_NAME);
signature.setSigningCredential(stCred);
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
myAssertion.setSignature(signature);
try {
    Configuration.getMarshallerFactory().getMarshaller(myAssertion).marshall(myAssertion);
} catch (MarshallingException e) {
    Logger.getLogger(Main.class.getName()).log(Level.SEVERE, null, e);
}

try {
    Signer.signObject(signature);
} catch (SignatureException e) {
    Logger.getLogger(Main.class.getName()).log(Level.SEVERE, null, e);
}

If I run this code on an assertion (myAssertion) I get the following exception:

Exception in thread "main" java.lang.RuntimeException: org.apache.xml.security.signature.XMLSignatureException: object not initialized for signature or verification
Original Exception was java.security.SignatureException: object not initialized for signature or verification
    at org.apache.xml.security.utils.SignerOutputStream.write(Unknown Source)
    at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flushBuffer(Unknown Source)
    at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flush(Unknown Source)
    at org.apache.xml.security.utils.UnsyncBufferedOutputStream.close(Unknown Source)
    at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(Unknown Source)
    at org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.engineCanonicalizeSubTree(Unknown Source)
    at org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.engineCanonicalizeSubTree(Unknown Source)
    at org.apache.xml.security.c14n.Canonicalizer.canonicalizeSubtree(Unknown Source)
    at org.apache.xml.security.signature.SignedInfo.signInOctectStream(Unknown Source)
    at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
    at org.opensaml.xml.signature.Signer.signObject(Signer.java:78)

Any idea what went wrong?

If I run the same code on my own class, replacing:
    myAssertion.setSignature(signature);
with
    ep.EPR.setSignature(signature);
and the marshalling line
    Configuration.getMarshallerFactory().getMarshaller(myAssertion).marshall(myAssertion);
with:
    Configuration.getMarshallerFactory().getMarshaller(ep.EPR).marshall(ep.EPR);

I get another error (same place - calling Signer.signObject()):

1370 [main] ERROR org.opensaml.xml.signature.Signer - Unable to compute signature, Signature XMLObject does not have the XMLSignature created during marshalling.
SEVERE: null
org.opensaml.xml.signature.SignatureException: XMLObject does not have an XMLSignature instance, unable to compute signature
    at org.opensaml.xml.signature.Signer.signObject(Signer.java:75)

That one is also surprising since the EPR class does extend AbstractSignableXMLObject and does get the signature.

Any hint greatly appreciated!

Hubert
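
Added example, not part of the original post and not OpenSAML code: the message "object not initialized for signature or verification" in the first trace is the JDK's own text from java.security.Signature when data is fed to an engine before initSign() has been called. The plain-JCA sketch below reproduces it and contrasts it with an engine initialized from a private key. It assumes the OpenSAML call path ends in the same uninitialized engine because the credential holds only a certificate, which the trace suggests but the post does not confirm. The class name, helper name and sample bytes are constructed, and SHA256withRSA is used in place of the post's RSA-SHA1.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;

public class SignatureInitDemo {

    // Constructed stand-in for the canonicalized SignedInfo bytes.
    static final byte[] DATA = "<SignedInfo>constructed sample</SignedInfo>"
            .getBytes(StandardCharsets.UTF_8);

    // Hypothetical helper: feeds DATA to a Signature engine. initSign() is
    // skipped when no private key is available, mimicking a credential that
    // was populated with a certificate only.
    static String trySign(PrivateKey signingKey) throws Exception {
        Signature engine = Signature.getInstance("SHA256withRSA");
        if (signingKey != null) {
            engine.initSign(signingKey);
        }
        try {
            engine.update(DATA);
            return "signed " + engine.sign().length + " bytes";
        } catch (SignatureException e) {
            return "SignatureException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair(); // throwaway key pair for the demo

        // A certificate carries only the public half of the key pair, so a
        // certificate-only credential has nothing to pass to initSign().
        System.out.println("certificate only: " + trySign(null));

        // With the private key the engine is initialized and signing succeeds.
        System.out.println("with private key: " + trySign(pair.getPrivate()));
    }
}
```

When triaging a trace like the one above, checking that the signing credential actually exposes a private key before Signer.signObject() is called is a cheap first step.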




