If you issue a second signature but with a different algorithm, e.g., RSAWithSHA1 for the first signature, and RSAWithRipeMD160 for the second, you will get the exception that says:

org.apache.xml.security.signature.XMLSignatureException: object not initialized for signature or verification
Original Exception was java.security.SignatureException: object not initialized for signature or verification
    at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineUpdate(SignatureBaseRSA.java:203)
    at org.apache.xml.security.algorithms.SignatureAlgorithm.update(SignatureAlgorithm.java:249)
    at org.apache.xml.security.utils.SignerOutputStream.write(SignerOutputStream.java:64)
    at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flushBuffer(UnsyncBufferedOutputStream.java:69)
    at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flush(UnsyncBufferedOutputStream.java:85)
    at org.apache.xml.security.utils.UnsyncBufferedOutputStream.close(UnsyncBufferedOutputStream.java:91)
    at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:207)
    at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:121)
    at org.apache.xml.security.c14n.Canonicalizer.canonicalizeSubtree(Canonicalizer.java:268)
    at org.apache.xml.security.signature.SignedInfo.signInOctectStream(SignedInfo.java:286)
    at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:501)
    at org.apache.xml.security.samples.signature.CopyOfCreateSignature.sign(CopyOfCreateSignature.java:172)
    at org.apache.xml.security.samples.signature.CopyOfCreateSignature.main(CopyOfCreateSignature.java:83)
java.security.SignatureException: object not initialized for signature or verification
    at java.security.Signature.update(Signature.java:690)
    at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineUpdate(SignatureBaseRSA.java:201)
    at org.apache.xml.security.algorithms.SignatureAlgorithm.update(SignatureAlgorithm.java:249)
    at org.apache.xml.security.utils.SignerOutputStream.write(SignerOutputStream.java:64)
    at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flushBuffer(UnsyncBufferedOutputStream.java:69)
    at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flush(UnsyncBufferedOutputStream.java:85)
    at org.apache.xml.security.utils.UnsyncBufferedOutputStream.close(UnsyncBufferedOutputStream.java:91)
    at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:207)
    at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:121)
    at org.apache.xml.security.c14n.Canonicalizer.canonicalizeSubtree(Canonicalizer.java:268)
    at org.apache.xml.security.signature.SignedInfo.signInOctectStream(SignedInfo.java:286)
    at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:501)
    at org.apache.xml.security.samples.signature.CopyOfCreateSignature.sign(CopyOfCreateSignature.java:172)
    at org.apache.xml.security.samples.signature.CopyOfCreateSignature.main(CopyOfCreateSignature.java:83)

This problem is caused by the initSign method in class SignatureAlgorithm:

[1] public void initSign(Key signingKey) throws XMLSignatureException {
[2]     initializeAlgorithm(true);
[3]     if (keysSigning.get()==signingKey) {
[4]         return;
[5]     }
[6]     keysSigning.set(signingKey);
[7]     this._signatureAlgorithm.engineInitSign(signingKey);
[8] }

Lines 3-5 should be commented out to solve the above problem.
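A reduced reproduction of the failure reported above in plain JCA, added here as an illustration and not code from the report or from the library. The `Algo` class and the shared `ThreadLocal` key cache are hypothetical stand-ins, and SHA256withRSA replaces RIPEMD160, which the default JDK providers do not ship.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class SharedKeyCacheDemo {
    // Hypothetical stand-in for keysSigning: one cached key shared by every instance on a thread.
    static final ThreadLocal<Key> keysSigning = new ThreadLocal<>();

    static class Algo {
        final Signature sig;
        final boolean skipIfSameKey;
        Algo(String jcaName, boolean skipIfSameKey) throws GeneralSecurityException {
            this.sig = Signature.getInstance(jcaName); // fresh, uninitialized engine per algorithm
            this.skipIfSameKey = skipIfSameKey;
        }
        void initSign(PrivateKey key) throws InvalidKeyException {
            if (skipIfSameKey && keysSigning.get() == key) {
                return; // mirrors lines 3-5: same key seen before, so this engine is never initialized
            }
            keysSigning.set(key);
            sig.initSign(key);
        }
        byte[] sign(byte[] data) throws SignatureException {
            sig.update(data); // throws SignatureException if initSign was skipped
            return sig.sign();
        }
    }

    static String signTwice(boolean skipIfSameKey) throws GeneralSecurityException {
        keysSigning.remove();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PrivateKey key = kpg.generateKeyPair().getPrivate();
        byte[] data = "constructed sample".getBytes(StandardCharsets.UTF_8);
        try {
            Algo first = new Algo("SHA1withRSA", skipIfSameKey);
            first.initSign(key);
            first.sign(data);
            Algo second = new Algo("SHA256withRSA", skipIfSameKey); // different algorithm, same key
            second.initSign(key);
            second.sign(data);
            return "both signatures created";
        } catch (SignatureException e) {
            return "second signature failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println("with early return:    " + signTwice(true));
        System.out.println("without early return: " + signTwice(false));
    }
}
```

A cache that remembers only the key, and not which engine was initialized with it, cannot tell that the second algorithm's engine still needs `initSign`.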
*** This bug has been marked as a duplicate of 14520 ***
I think somebody has closed this wrongly. It is an issue. I will try to take a look at it.
Maybe this was intended to be closed as a dup of bug 41520?
(In reply to comment #3)
> Maybe this was intended to be closed as a dup of bug 41520?

Yes it clearly is. It looks like when Lijun originally closed it as a dup, there was a typo in the bug number: 14520 instead of 41520. I have closed it as a duplicate of 41520.

*** This bug has been marked as a duplicate of 41520 ***
Closing old bugs.