
mace-opensaml-users - Re: [OpenSAML] XML signature issue(s)

Subject: OpenSAML user discussion

  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] XML signature issue(s)
  • Date: Wed, 10 Sep 2008 16:33:46 -0400



Hubert Le Van Gong wrote:
> Hi Guys,
>
> I'm following the example on the wiki to sign an XML object (either a
> SAML2 Assertion or a class that extends AbstractSignableXMLObject).
> The code I use is very much like the one on the wiki:
>
>
> If I run this code on an assertion (myAssertion) I get the following
> exception:
>
> Exception in thread "main" java.lang.RuntimeException:
> org.apache.xml.security.signature.XMLSignatureException: object not
> initialized for signature or verification
> Original Exception was java.security.SignatureException: object not
> initialized for signature or verification
> at
> org.apache.xml.security.utils.SignerOutputStream.write(Unknown Source)
> at
> org.apache.xml.security.utils.UnsyncBufferedOutputStream.flushBuffer(Unknown
> Source)
> at
> org.apache.xml.security.utils.UnsyncBufferedOutputStream.flush(Unknown
> Source)
> at
> org.apache.xml.security.utils.UnsyncBufferedOutputStream.close(Unknown
> Source)
> at
> org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(Unknown
> Source)
> at
> org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.engineCanonicalizeSubTree(Unknown
> Source)
> at
> org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.engineCanonicalizeSubTree(Unknown
> Source)
> at
> org.apache.xml.security.c14n.Canonicalizer.canonicalizeSubtree(Unknown
> Source)
> at
> org.apache.xml.security.signature.SignedInfo.signInOctectStream(Unknown
> Source)
> at org.apache.xml.security.signature.XMLSignature.sign(Unknown
> Source)
> at org.opensaml.xml.signature.Signer.signObject(Signer.java:78)
>
> Any idea what went wrong?
>

I don't see anything obviously wrong with the OpenSAML code there. What
versions of the opensaml stack library jars and Apache xmlsec jar are
you using?

As you just posted, this error is similar to an Apache xmlsec issue
which I posted on in some detail:
https://issues.apache.org/bugzilla/show_bug.cgi?id=44204

What all are you doing in your code prior to this being called? Are you
signing and/or verifying multiple things in the same thread? That exact
bug report may not exactly apply here, but the Apache xmlsec code has
some "interesting" optimizations which could cause it to fail here (and
should be fixed, IMHO). You might be doing something to trigger it. It
caches some objects in ThreadLocal storage, and they don't always get
reinitialized properly if you do multiple operations in the same thread,
with the same key, for the same algorithm URI.



> If I run the same code on my own class, replacing:
> myAssertion.setSignature(signature);
> with
> ep.EPR.setSignature(signature);
> and the marshalling line
>
> Configuration.getMarshallerFactory().getMarshaller(myAssertion).marshall(myAssertion);
>
> with:
>
> Configuration.getMarshallerFactory().getMarshaller(ep.EPR).marshall(ep.EPR);
>
>
> I get another error (same place - calling Signer.signObject()):
>
> 1370 [main] ERROR org.opensaml.xml.signature.Signer - Unable to
> compute signature, Signature XMLObject does not have the XMLSignature
> created during marshalling.
> SEVERE: null
> org.opensaml.xml.signature.SignatureException: XMLObject does not have
> an XMLSignature instance, unable to compute signature
> at org.opensaml.xml.signature.Signer.signObject(Signer.java:75)
>
> That one is also surprising since the EPR class does extend
> AbstractSignableXMLObject and does get the signature.
>


This sounds like your Signature child isn't getting marshalled when you
marshall its parent (the ep.EPR). Check your EPR XMLObject's
getOrderedChildren() method - I suspect you have neglected to include
the Signature child in the list of child objects that is returned. See
some of the other XMLObject impl classes if you want an example of what
that method should look like.

--Brent
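
As an added illustration of the getOrderedChildren() advice in the reply above (not code from the thread or from the OpenSAML project), here is a signable XMLObject that returns its Signature child. The class name `EPRImpl` and the `address` child are hypothetical, and the builder, marshaller and unmarshaller registration a custom element also needs is assumed to exist elsewhere.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.opensaml.xml.XMLObject;
import org.opensaml.xml.signature.AbstractSignableXMLObject;

/** Hypothetical signable element; the class and its child are constructed for illustration. */
public class EPRImpl extends AbstractSignableXMLObject {

    /** Hypothetical child element carried by the EPR. */
    private XMLObject address;

    protected EPRImpl(String namespaceURI, String elementLocalName, String namespacePrefix) {
        super(namespaceURI, elementLocalName, namespacePrefix);
    }

    public XMLObject getAddress() {
        return address;
    }

    public void setAddress(XMLObject newAddress) {
        // prepareForAssignment re-parents the child and releases any cached DOM.
        address = prepareForAssignment(address, newAddress);
    }

    /** Children in the order the marshaller will emit them. */
    public List<XMLObject> getOrderedChildren() {
        ArrayList<XMLObject> children = new ArrayList<XMLObject>();

        if (address != null) {
            children.add(address);
        }

        // If the Signature is left out of this list, the marshaller never visits it,
        // no XMLSignature is created for it during marshalling, and
        // Signer.signObject() fails with "XMLObject does not have an XMLSignature
        // instance". Put it at the position the element's schema expects.
        if (getSignature() != null) {
            children.add(getSignature());
        }

        return Collections.unmodifiableList(children);
    }
}
```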




