OpenSAML user discussion

[Hubert Le Van Gong <>]

Thanks Brent,

After double checking I found that I was performing a validity check  
on the
certificate used to sign the assertion. I removed it and it seems to  
be working
fine now, at least when it comes to signing SAML assertions; I have to
check this with non SAML classes like my EPRs. As you mentioned I'll  
need
to add a ContentReference to the signature too.
I presume a URIContentReference set to "" will point at the root of  
the EPR, correct?

Thanks again,
Hubert



On Sep 10, 2008, at 10:33 PM, Brent Putman wrote:

> Hubert Le Van Gong wrote:
> > Hi Guys,
> >
> > I'm following the example on the wiki to sign an XML object (either a
> > SAML2 Assertion or a class that extends AbstractSignableXMLObject).
> > The code I use is very much like the one on the wiki:
> >
> >
> > If I run this code on an assertion (myAssertion) I  get the following
> > exception:
> >
> > Exception in thread "main" java.lang.RuntimeException:
> > org.apache.xml.security.signature.XMLSignatureException: object not
> > initialized for signature or verification
> > Original Exception was java.security.SignatureException: object not
> > initialized for signature or verification
> >        at
> > org.apache.xml.security.utils.SignerOutputStream.write(Unknown  
> > Source)
> >        at
> > org 
> > .apache 
> > .xml.security.utils.UnsyncBufferedOutputStream.flushBuffer(Unknown
> > Source)
> >        at
> > org 
> > .apache.xml.security.utils.UnsyncBufferedOutputStream.flush(Unknown
> > Source)
> >        at
> > org 
> > .apache.xml.security.utils.UnsyncBufferedOutputStream.close(Unknown
> > Source)
> >        at
> > org 
> > .apache 
> > .xml 
> > .security 
> > .c14n 
> > .implementations.CanonicalizerBase.engineCanonicalizeSubTree(Unknown
> > Source)
> >        at
> > org 
> > .apache 
> > .xml 
> > .security 
> > .c14n 
> > .implementations 
> > .Canonicalizer20010315Excl.engineCanonicalizeSubTree(Unknown
> > Source)
> >        at
> > org 
> > .apache 
> > .xml 
> > .security 
> > .c14n 
> > .implementations 
> > .Canonicalizer20010315Excl.engineCanonicalizeSubTree(Unknown
> > Source)
> >        at
> > org 
> > .apache.xml.security.c14n.Canonicalizer.canonicalizeSubtree(Unknown
> > Source)
> >        at
> > org 
> > .apache.xml.security.signature.SignedInfo.signInOctectStream(Unknown
> > Source)
> >        at org.apache.xml.security.signature.XMLSignature.sign(Unknown
> > Source)
> >        at org.opensaml.xml.signature.Signer.signObject(Signer.java: 
> > 78)
> >
> > Any idea what went wrong?
>
> I don't see anything obviously wrong with the OpenSAML code there.   
> What
> versions of the opensaml stack library jars and Apache xmlsec jar are
> you using?
>
> As you just posted, this error is similar to an Apache xmlsec issue
> which I posted on in some detail:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=44204
>
> What all are you doing in your code prior to this being called?  Are  
> you
> signing and/or verifying multiple things in the same thread?  That  
> exact
> bug report may not exactly apply here, but the Apache xmlsec code has
> some "interesting" optimizations which could cause it to fail here  
> (and
> should be fixed, IMHO).  You might be doing something to trigger it.  
> It
> caches some objects in ThreadLocal storage, and they don't always get
> reinitialized properly if you do multiple operations in the same  
> thread,
> with the same key, for the same algorithm URI.
>
>
>
> > If I run the same code on my own class, replacing:
> >    myAssertion.setSignature(signature);
> > with
> >    ep.EPR.setSignature(signature);
> > and the marshalling line
> >     
> > Configuration 
> > .getMarshallerFactory 
> > ().getMarshaller(myAssertion).marshall(myAssertion);
> >
> > with:
> >     
> > Configuration 
> > .getMarshallerFactory().getMarshaller(ep.EPR).marshall(ep.EPR);
> >
> >
> > I get another error (same place - calling Signer.signObject()):
> >
> > 1370 [main] ERROR org.opensaml.xml.signature.Signer - Unable to
> > compute signature, Signature XMLObject does not have the XMLSignature
> > created during marshalling.
> > SEVERE: null
> > org.opensaml.xml.signature.SignatureException: XMLObject does not  
> > have
> > an XMLSignature instance, unable to compute signature
> >        at org.opensaml.xml.signature.Signer.signObject(Signer.java: 
> > 75)
> >
> > That one is also surprising since the EPR class does extend
> > AbstractSignableXMLObject and does get the signature.
>
>
> This sounds like your Signature child isn't getting marshalled when  
> you
> marshall it's parent (the ep.EPR).  Check your EPR XMLObject's
> getOrderedChildren() method - I suspect you have neglected to include
> the Signature child in the list of child objects that is returned.   
> See
> some of the other XMLObject impl classes if you want an example of  
> what
> that method should look like.
>
> --Brent