
mace-opensaml-users - Re: [OpenSAML] XML signature issue(s)

Subject: OpenSAML user discussion


Re: [OpenSAML] XML signature issue(s)


  • From: Hubert Le Van Gong <>
  • To:
  • Subject: Re: [OpenSAML] XML signature issue(s)
  • Date: Thu, 11 Sep 2008 17:27:07 +0200

Thanks Brent,

After double-checking I found that I was performing a validity check on the
certificate used to sign the assertion. I removed it and it seems to be working
fine now, at least when it comes to signing SAML assertions; I have to
check this with non-SAML classes like my EPRs. As you mentioned, I'll need
to add a ContentReference to the signature too.
I presume a URIContentReference set to "" will point at the root of the EPR, correct?

Thanks again,
Hubert



On Sep 10, 2008, at 10:33 PM, Brent Putman wrote:



Hubert Le Van Gong wrote:
Hi Guys,

I'm following the example on the wiki to sign an XML object (either a
SAML2 Assertion or a class that extends AbstractSignableXMLObject).
The code I use is very much like the one on the wiki:


If I run this code on an assertion (myAssertion) I get the following
exception:

Exception in thread "main" java.lang.RuntimeException:
org.apache.xml.security.signature.XMLSignatureException: object not
initialized for signature or verification
Original Exception was java.security.SignatureException: object not
initialized for signature or verification
        at org.apache.xml.security.utils.SignerOutputStream.write(Unknown Source)
        at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flushBuffer(Unknown Source)
        at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flush(Unknown Source)
        at org.apache.xml.security.utils.UnsyncBufferedOutputStream.close(Unknown Source)
        at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(Unknown Source)
        at org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.engineCanonicalizeSubTree(Unknown Source)
        at org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.engineCanonicalizeSubTree(Unknown Source)
        at org.apache.xml.security.c14n.Canonicalizer.canonicalizeSubtree(Unknown Source)
        at org.apache.xml.security.signature.SignedInfo.signInOctectStream(Unknown Source)
        at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
        at org.opensaml.xml.signature.Signer.signObject(Signer.java:78)

Any idea what went wrong?


I don't see anything obviously wrong with the OpenSAML code there. What
versions of the opensaml stack library jars and Apache xmlsec jar are
you using?

As you just posted, this error is similar to an Apache xmlsec issue
which I posted on in some detail:
https://issues.apache.org/bugzilla/show_bug.cgi?id=44204

What all are you doing in your code prior to this being called? Are you
signing and/or verifying multiple things in the same thread? That exact
bug report may not exactly apply here, but the Apache xmlsec code has
some "interesting" optimizations which could cause it to fail here (and
should be fixed, IMHO). You might be doing something to trigger it. It
caches some objects in ThreadLocal storage, and they don't always get
reinitialized properly if you do multiple operations in the same thread,
with the same key, for the same algorithm URI.



If I run the same code on my own class, replacing:
myAssertion.setSignature(signature);
with
ep.EPR.setSignature(signature);
and the marshalling line
Configuration.getMarshallerFactory().getMarshaller(myAssertion).marshall(myAssertion);

with:
Configuration.getMarshallerFactory().getMarshaller(ep.EPR).marshall(ep.EPR);


I get another error (same place - calling Signer.signObject()):

1370 [main] ERROR org.opensaml.xml.signature.Signer - Unable to
compute signature, Signature XMLObject does not have the XMLSignature
created during marshalling.
SEVERE: null
org.opensaml.xml.signature.SignatureException: XMLObject does not have
an XMLSignature instance, unable to compute signature
        at org.opensaml.xml.signature.Signer.signObject(Signer.java:75)

That one is also surprising since the EPR class does extend
AbstractSignableXMLObject and does get the signature.



This sounds like your Signature child isn't getting marshalled when you
marshall its parent (the ep.EPR). Check your EPR XMLObject's
getOrderedChildren() method - I suspect you have neglected to include
the Signature child in the list of child objects that is returned. See
some of the other XMLObject impl classes if you want an example of what
that method should look like.

--Brent
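The two points raised in this exchange (the Signature child has to be returned from getOrderedChildren() so the parent's marshaller marshalls it, and a non-SAML object needs a ContentReference added by hand before signing) are put together below in one added example. It is not code from the thread, the wiki, or the OpenSAML project; it targets the OpenSAML 2.x / xmltooling API used in the thread (AbstractSignableXMLObject, URIContentReference, Signer). The class name ExampleEPR, its namespace urn:example:epr, and the throwaway RSA key are assumptions, and the builder, marshaller and unmarshaller for ExampleEPR are assumed to be registered with Configuration already (they are not shown). One caveat on the question at the top of the page: in XML Signature a Reference URI of "" identifies the whole document that contains the signature, not the signed element's root, so an enveloped-signature transform is needed to keep the ds:Signature element itself out of the digest.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.signature.AbstractSignableXMLObject;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.URIContentReference;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

public class SignCustomObjectExample {

    /**
     * Hypothetical signable element standing in for the thread's EPR (assumed
     * namespace). Its builder/marshaller/unmarshaller are assumed to be
     * registered with Configuration and are not shown here.
     */
    public static class ExampleEPR extends AbstractSignableXMLObject {
        public static final String NS = "urn:example:epr";
        private final List<XMLObject> content = new ArrayList<XMLObject>();

        public ExampleEPR() {
            super(NS, "EPR", "epr");
        }

        public List<XMLObject> getContent() {
            return content;
        }

        /** The fix from the reply: the Signature child must be in this list. */
        public List<XMLObject> getOrderedChildren() {
            List<XMLObject> children = new ArrayList<XMLObject>(content);
            if (getSignature() != null) {
                // Without this line the parent's marshaller never marshalls the
                // Signature, no XMLSignature is created, and Signer.signObject()
                // fails with "XMLObject does not have an XMLSignature instance".
                children.add(getSignature());
            }
            return Collections.unmodifiableList(children);
        }
    }

    /** Attach a Signature, marshall the parent, then compute the signature value. */
    public static Element sign(ExampleEPR epr, BasicCredential credential) throws Exception {
        Signature signature = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        // A plain AbstractSignableXMLObject gets no content reference for free.
        // URI "" means "the whole containing document" in XML Signature, so the
        // enveloped-signature transform is what excludes ds:Signature itself.
        URIContentReference ref = new URIContentReference("");
        ref.getTransforms().add(SignatureConstants.TRANSFORM_ENVELOPED_SIGNATURE);
        ref.getTransforms().add(SignatureConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        ref.setDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA1);
        signature.getContentReferences().add(ref);

        epr.setSignature(signature);

        // Marshalling the parent marshalls its ordered children, including the
        // Signature; this is the step that creates the Apache XMLSignature.
        Element dom = Configuration.getMarshallerFactory().getMarshaller(epr).marshall(epr);

        // Only now is there an XMLSignature to compute.
        Signer.signObject(signature);
        return dom;
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();

        // Throwaway key pair for the demonstration (assumption); a deployment
        // would load the signing key from a keystore instead.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        BasicCredential credential = new BasicCredential();
        credential.setPrivateKey(kp.getPrivate());
        credential.setPublicKey(kp.getPublic());

        ExampleEPR epr = new ExampleEPR();
        Element dom = sign(epr, credential);
        System.out.println(XMLHelper.nodeToString(dom));

        // Round trip: the signature just produced must validate under the same key.
        new SignatureValidator(credential).validate(epr.getSignature());
        System.out.println("signature validates");
    }
}
```

RSA-SHA1 and SHA-1 digests are used above only because they match the 2008-era wiki example the thread follows; on a current stack use the SHA-256 variants from SignatureConstants. For the signing-side ThreadLocal problem Brent links to, the practical check is to confirm which xmlsec jar is on the classpath and whether the same thread has already signed or verified with the same key and algorithm URI before the failing call.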





