If you issue a second signature but with different algorithm, e.g., RSAWithSHA1 for the first signature, and RSAWithRipeMD160 for the second, you will get the exception that says: org.apache.xml.security.signature.XMLSignatureException: object not initialized for signature or verification Original Exception was java.security.SignatureException: object not initialized for signature or verification at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineUpdate(SignatureBaseRSA.java:203) at org.apache.xml.security.algorithms.SignatureAlgorithm.update(SignatureAlgorithm.java:249) at org.apache.xml.security.utils.SignerOutputStream.write(SignerOutputStream.java:64) at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flushBuffer(UnsyncBufferedOutputStream.java:69) at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flush(UnsyncBufferedOutputStream.java:85) at org.apache.xml.security.utils.UnsyncBufferedOutputStream.close(UnsyncBufferedOutputStream.java:91) at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:207) at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:121) at org.apache.xml.security.c14n.Canonicalizer.canonicalizeSubtree(Canonicalizer.java:268) at org.apache.xml.security.signature.SignedInfo.signInOctectStream(SignedInfo.java:286) at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:501) at org.apache.xml.security.samples.signature.CopyOfCreateSignature.sign(CopyOfCreateSignature.java:172) at org.apache.xml.security.samples.signature.CopyOfCreateSignature.main(CopyOfCreateSignature.java:83) java.security.SignatureException: object not initialized for signature or verification at java.security.Signature.update(Signature.java:690) at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineUpdate(SignatureBaseRSA.java:201) at org.apache.xml.security.algorithms.SignatureAlgorithm.update(SignatureAlgorithm.java:249) at org.apache.xml.security.utils.SignerOutputStream.write(SignerOutputStream.java:64) at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flushBuffer(UnsyncBufferedOutputStream.java:69) at org.apache.xml.security.utils.UnsyncBufferedOutputStream.flush(UnsyncBufferedOutputStream.java:85) at org.apache.xml.security.utils.UnsyncBufferedOutputStream.close(UnsyncBufferedOutputStream.java:91) at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:207) at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeSubTree(CanonicalizerBase.java:121) at org.apache.xml.security.c14n.Canonicalizer.canonicalizeSubtree(Canonicalizer.java:268) at org.apache.xml.security.signature.SignedInfo.signInOctectStream(SignedInfo.java:286) at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:501) at org.apache.xml.security.samples.signature.CopyOfCreateSignature.sign(CopyOfCreateSignature.java:172) at org.apache.xml.security.samples.signature.CopyOfCreateSignature.main(CopyOfCreateSignature.java:83). This problem is caused by the initSign method in class SignatureAlgorithm: [1] public void initSign(Key signingKey) throws XMLSignatureException { [2] initializeAlgorithm(true); [3] if (keysSigning.get()==signingKey) { [4] return; [5] } [6] keysSigning.set(signingKey); [7] this._signatureAlgorithm.engineInitSign(signingKey); [8] } The lines 3-5 should be commented to solve above problem.
There is the same problem if you try to verify two signatures with the same public key but with different signature algorithms. [1] public void initVerify(Key verificationKey) throws XMLSignatureException { [2] initializeAlgorithm(false); [3] if (keysVerify.get()==verificationKey) { [4] return; [5] } [6] keysVerify.set(verificationKey); [7] this._signatureAlgorithm.engineInitVerify(verificationKey); [8] } The the code in lines 3-5 should be commented to solve the problem.
*** Bug 41519 has been marked as a duplicate of this bug. ***
Fixed in SVN head, fixed without removing the optimization or not reinitializing the Signer (a little expensive operation). Thanks for notifying and your patch. Can you test svn head to see if it works for you?
Closing old bugs. Fixed in 1.4.1