[OpenSAML] Error with Signer.signObject()

Jason Countryman
Apr 8, 2010, 2:23:07 PM
to mace-open...@internet2.edu
Hopefully someone has run across this before. I'm having an issue trying to sign my assertion. I've got a fully loaded up BasicX509Credential in privateCredential. I'm not sure what's falling apart here.

Here's my code:
// Imports for the OpenSAML 2 / xmltooling classes used below.
import java.security.cert.X509Certificate;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.impl.KeyInfoBuilder;

    XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();

    // Build the ds:Signature element and attach the signing credential and algorithms.
    Signature signature = (Signature) builderFactory.getBuilder(Signature.DEFAULT_ELEMENT_NAME)
            .buildObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(privateCredential);
    signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
    signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    // Populate ds:KeyInfo with the certificate and public key held by the credential.
    KeyInfoBuilder keyInfoBuilder = (KeyInfoBuilder) builderFactory.getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME);
    KeyInfo keyinfo = (KeyInfo) keyInfoBuilder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
    X509Certificate certificate = privateCredential.getEntityCertificate();
    KeyInfoHelper.addCertificate(keyinfo, certificate);
    KeyInfoHelper.addPublicKey(keyinfo, privateCredential.getPublicKey());
    signature.setKeyInfo(keyinfo);

    assertion.setSignature(signature);

    if (sLogger.isDebugEnabled())
        sLogger.debug("Marshalling Assertion");

    // The assertion must be marshalled to DOM before the signature can be computed.
    try {
        Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
    } catch (MarshallingException e) {
        sLogger.error("Error marshalling Assertion", e);
    }

    // Compute the signature over the marshalled DOM.
    try {
        Signer.signObject(signature);
    } catch (SignatureException e) {
        sLogger.error("Error signing object", e);
    }


Here's my stack trace:

java.lang.RuntimeException: org.apache.xml.security.signature.XMLSignatureException: object not initialized for signature or verification
Original Exception was java.security.SignatureException: object not initialized for signature or verification
at org.apache.xml.security.utils.SignerOutputStream.write(Unknown Source)
at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flushBuffer(Unknown Source)
at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flush(Unknown Source)
at org.apache.xml.security.utils.UnsyncBufferedOutputStream.close(Unknown Source)
at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(Unknown Source)
at org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.engineCanonicalizeSubTree(Unknown Source)
at org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.engineCanonicalizeSubTree(Unknown Source)
at org.apache.xml.security.c14n.Canonicalizer.canonicalizeSubtree(Unknown Source)
at org.apache.xml.security.signature.SignedInfo.signInOctectStream(Unknown Source)
at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
at org.opensaml.xml.signature.Signer.signObject(Signer.java:78)
at org.openhealthtools.ihe.xua.xuser.XUser.getSHINNYToken(XUser.java:447)


______________________________
Jason T. Countryman
Programmer
Community Computer Service


Brent Putman
Apr 8, 2010, 3:33:36 PM
to mace-open...@internet2.edu

On 4/8/10 2:23 PM, Jason Countryman wrote:
> Hopefully someone has run across this before. I'm having an issue
> trying to sign my assertion. I've got a fully loaded up
> BasicX509Credential in privateCredential. I'm not sure what's falling
> apart here.
>
> Here's my code:
>

Your OpenSAML code looks fine, nothing wrong there.


>
> Here's my stack trace:
>
> java.lang.RuntimeException:
> org.apache.xml.security.signature.XMLSignatureException: object not
> initialized for signature or verification
> Original Exception was java.security.SignatureException: object not
> initialized for signature or verification
> at org.apache.xml.security.utils.SignerOutputStream.write(Unknown Source)
> at


I know this error occurs in Apache xmlsec in some cases when you are
trying to re-use the same PublicKey/PrivateKey pair in the same thread
for both signing and validation. It tries to optimize with some caching
of Java Signature objects as ThreadLocals, and it is (or was) basically
broken. Are you doing anything like that here?

Google for "object not initialized for signature or verification", you
should get several relevant hits. They (Apache xmlsec developers)
reported xmlsec 1.4.3 was supposed to have fixed these, but maybe not.
What version of OpenSAML and Apache xmlsec are you using? Do you by
chance have an older version of xmlsec mixed in there?

Jason Countryman
Apr 8, 2010, 3:48:39 PM
to mace-open...@internet2.edu
I'm using 1.4.3, so that should be fine. I'm trying to do something a little odd, something like this:

<saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="b3c912d8-7e2e-4f82-a7d9-aab731f32129" IssueInstant="2010-01-30T23:01:32.177Z" Version="2.0"> 
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName">CN=*.axolotl.com,OU=Secure Link SSL Wildcard,O=Axolotl Corp.,STREET=160 W. Santa Clara Street,STREET=Suite 1000,L=San Jose,S=CA,PostalCode=95113,C=US</saml2:Issuer> 
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
<ds:SignedInfo> 
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
<ds:Reference URI="#b3c912d8-7e2e-4f82-a7d9-aab731f32129"> 
<ds:Transforms> 
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
</ds:Transforms> 
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
<ds:DigestValue>fulLe53nXAE/Yl6j2c8Z6nsedms=</ds:DigestValue> 
</ds:Reference> 
</ds:SignedInfo> 
<ds:SignatureValue>nZosX2PJKB8qqG1l0XSgouuBBNa6R/HWEiidN2OdY898g6KB0wnZfAVzYP3B2XT7+BnUY+nnHlyu
nqZLS8/EfzNTTu65ujoaKWxqH46MdPQZcKcEv5gHG4JK7nW7nuuFexrAJEUvdzBwL0eIsSormzHe
/+IR5/SLYhSZDaYAzbA=</ds:SignatureValue> 
<ds:KeyInfo> 
</wsse:SecurityTokenReference> 
</ds:KeyInfo> 
</ds:Signature> 
<saml2:Subject> 
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName">CN=*.axolotl.com,OU=Secure Link SSL Wildcard,O=Axolotl Corp.,STREET=160 W. Santa Clara Street,STREET=Suite 1000,L=San Jose,S=CA,PostalCode=95113,C=US</saml2:NameID> 
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"> 
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName">CN=*.axolotl.com,OU=Secure Link SSL Wildcard,O=Axolotl Corp.,STREET=160 W. Santa Clara Street,STREET=Suite 1000,L=San Jose,S=CA,PostalCode=95113,C=US</saml2:NameID> 
</saml2:SubjectConfirmation> 
</saml2:Subject> 
<saml2:Conditions NotBefore="2010-01-30T22:01:32.200Z" NotOnOrAfter="2010-01-31T00:01:32.200Z" /> 
<saml2:AuthnStatement AuthnInstant="2010-01-30T23:01:32.177Z"> 
<saml2:SubjectLocality Address="192.168.1.10" DNSName="SJCKDESAI.axolotl.com" /> 
<saml2:AuthnContext> 
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef> 
<saml2:AuthenticatingAuthority>CN=*.axolotl.com,OU=Secure Link SSL Wildcard,O=Axolotl Corp.,STREET=160 W. Santa Clara Street,STREET=Suite 1000,L=San Jose,S=CA,PostalCode=95113,C=US</saml2:AuthenticatingAuthority> 
</saml2:AuthnContext> 
</saml2:AuthnStatement> 
<saml2:AttributeStatement> 
<saml2:Attribute Name="UserName" NameFormat="http://www.hhs.gov/healthit/nhin"> 
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Batman</saml2:AttributeValue> 
</saml2:Attribute> 
<saml2:Attribute Name="UserOrganization" NameFormat="http://www.hhs.gov/healthit/nhin"> 
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Gotham City</saml2:AttributeValue> 
</saml2:Attribute> 
<saml2:Attribute Name="UserOrganizationOID" NameFormat="http://www.hhs.gov/healthit/nhin"> 
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">12345</saml2:AttributeValue> 
</saml2:Attribute> 
<saml2:Attribute Name="UserRole" NameFormat="http://www.hhs.gov/healthit/nhin"> 
<saml2:AttributeValue> 
<nhin:Role xmlns:nhin="http://www.hhs.gov/healthit/nhin" code="224608005" codeSystem="2.16.840.1.113883.6.96" codeSystemName="SNOMED CT" displayName="Administrative Healthcare Staff" /> 
</saml2:AttributeValue> 
</saml2:Attribute> 
<saml2:Attribute Name="PurposeForUse" NameFormat="http://www.hhs.gov/healthit/nhin"> 
<saml2:AttributeValue> 
<nhin:PurposeForUse xmlns:nhin="http://www.hhs.gov/healthit/nhin" code="TREATMENT" codeSystem="2.16.840.1.113883.18.7.1" codeSystemName="nhin-purpose" displayName="treatment" /> 
</saml2:AttributeValue> 
</saml2:Attribute> 
</saml2:AttributeStatement> 
</saml2:Assertion>

I get the rest just fine, it's the signature that bombs out.


Brent Putman
Apr 8, 2010, 4:10:34 PM
to mace-open...@internet2.edu


On 4/8/10 3:48 PM, Jason Countryman wrote:
> I'm using 1.4.3, so that should be fine. I'm trying to do something a
> little odd, something like this:
>
>


It might be a little odd SAML-wise, or not, but: none of that should
really have anything to do with your problem, it's much more low level
than that.



> I get the rest just fine, its the signature that bombs out.
>


The actual exception that's being thrown:

java.security.SignatureException: object not initialized for signature
or verification

is actually coming from the java.security.Signature instance, which is
instantiated and managed by Apache xmlsec. The OpenSAML code doesn't
interact with that at all, at least directly.

The only possible thing to check is that you are supplying a non-null
PrivateKey in your privateCredential instance, and based on your
SignatureMethod value, that it is an RSA private key.

If you are doing that, then you're doing what is expected - and the
error is caused by triggering some bug in Apache xmlsec. The old way
that this happened (supposedly fixed, maybe not) was non-intuitive and
easy to miss - one ordinarily doesn't think that a previous operation in
a given thread should cause issues with a later operation in that
thread. One of the dangers of the improper or sloppy use of ThreadLocal.
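The two checks Brent describes, as an added example that is not part of the thread and uses only the JDK: a hypothetical checkSigningKey() helper that applies to the value privateCredential.getPrivateKey() would return (non-null, and RSA when the SignatureMethod is rsa-sha1), followed by a demonstration that the message in the stack trace is what java.security.Signature itself throws when update() is called before any initSign()/initVerify(). The key pair is generated on the fly for the demonstration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;

public class SigningPreflight {

    // Same URI as OpenSAML's SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1.
    static final String RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";

    // Hypothetical helper: run on the credential's private key before Signer.signObject().
    static void checkSigningKey(PrivateKey key, String signatureMethodUri) {
        if (key == null) {
            throw new IllegalStateException("credential carries no private key");
        }
        // The SignatureMethod URI fixes the key type; "#rsa-sha1" requires an RSA key.
        if (signatureMethodUri.endsWith("#rsa-sha1") && !"RSA".equals(key.getAlgorithm())) {
            throw new IllegalStateException(signatureMethodUri + " needs an RSA key, credential holds "
                    + key.getAlgorithm());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed throw-away key pair; a real deployment loads its key from a keystore.
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        checkSigningKey(kp.getPrivate(), RSA_SHA1); // passes: non-null RSA key

        // A Signature that has been initialised signs and verifies normally.
        byte[] data = "<saml2:Assertion/>".getBytes("UTF-8");
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(kp.getPrivate());
        s.update(data);
        byte[] sig = s.sign();
        s.initVerify(kp.getPublic());
        s.update(data);
        System.out.println("verifies: " + s.verify(sig));

        // Feeding data to a Signature that no init call has put into SIGN or VERIFY
        // state yields exactly the message seen in the trace; with a valid RSA key
        // in hand, that points at the xmlsec-side Signature handling, not at the key.
        try {
            Signature.getInstance("SHA1withRSA").update(data);
        } catch (SignatureException e) {
            System.out.println("uninitialised Signature: " + e.getMessage());
        }
    }
}
```

If checkSigningKey() passes and the error still appears, the key is not the problem and the xmlsec version on the classpath is the next thing to verify.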

