Skip to main content

My XML Signature is invalid, now what do I do?

Posted by mullan on January 27, 2006 at 11:33 AM PST

When validating an XML Signature using the Java XML DSig API, it returns a simple boolean indicating if the signature is valid or not:

// Validate the XMLSignature
boolean coreValidity = xmlSignature.validate(valContext);

If it is valid, then great ... no worries. But what if it is invalid? How can you determine exactly what caused the failure? Perhaps you used the wrong key to validate the signature or perhaps the signed contents were modified. But maybe it is a much more subtle problem involving transformations or canonicalization of the data that is digested and signed.

The first thing you should do is determine if the validation failure was caused by an invalid reference or an invalid signature (or both). XML Signature core validation consists of 2 phases: reference validation and signature validation. Both phases must pass for the XML signature to be valid.

Reference validation is the verification of the message digest of each of the references in the XML Signature. Signature validation is the verification of the signature over the signed contents, or the SignedInfo element.

To check if it is a signature validation failure, call the validate method of the SignatureValue object:

if (coreValidity == false) {
    System.err.println("Signature failed core validation");
    boolean sv = xmlSignature.getSignatureValue().validate(valContext);
    System.out.println("signature validation status: " + sv);

This returns a boolean indicating if the signature validation phase was valid or not.

To check if one or more of the references failed to validate, iterate over the Reference objects and call the validate method on each:


    Iterator i = xmlSignature.getSignedInfo().getReferences().iterator();
    for (int j=0; i.hasNext(); j++) {
        boolean refValid = ((Reference) i.next()).validate(valContext);
        System.out.println("ref["+j+"] validity status: " + refValid);
    }
}

This code allows you to zero in on what part of the core validation caused the XML Signature to be invalid. But it still may not give you enough information. In subsequent blogs, I'll show you more debugging tips.

You can get the reference implementation of JSR 105 from the Java Web Service Developer's Pack v2.0, an early access snapshot of JDK 6 (Mustang), or GlassFish.

Related Topics >>

Comments

Hello Mullan, I am wondering if it is possible to sign ...

Hello Mullan,

I am wondering if it is possible to sign and verify XML signature when the input xml file has MIME data below the closing root element tag. MIME data here can be a jpeg in base64. We have EBAM XMLs in this format, which we have to sign and send out and also we have to verify the signature when we have such input file. The problem here is SAX parser fails to parse the XML because it has embedded base64 MIME content without being enclosed under any tag.

thanks in advance.
Jitendra