More XML Signature debugging tips
In a previous blog entry, I discussed how to determine what caused an invalid XML Signature and provided some code snippets. But for some programmers, this information may not be enough, and you may want to know more details.
Well then, good news. The reference implementation of XML DSig has extensive logging support which, when enabled, provides a lot of additional information. The log messages use the JDK logging facility (java.util.logging), so if you are familiar with how to configure and format that, you should breeze through the rest of my blog.
I'll show you two different ways to enable this logging: first, if you are running your application from the command line, and second, if you are running it inside a J2EE container, in this case Sun's Java System Application Server.
If you are running your application from the java command line, you need to configure the logging facility so that the XML DSig log messages are emitted. You can do this by editing the JRE's default logging.properties file directly, or by creating your own file and pointing to it with the java.util.logging.config.file system property, for example:
java -Djava.util.logging.config.file=logging.properties ...
where logging.properties contains:
handlers = java.util.logging.ConsoleHandler
.level = INFO
java.util.logging.ConsoleHandler.level = FINER
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
org.jcp.xml.dsig.internal.level = FINER
com.sun.org.apache.xml.internal.security.level = FINER
This will emit XML DSig log messages of level FINER and higher to the console. All other components will emit log messages of level INFO and higher.
With Sun's Application Server, enable logging using the Application Server admin console:
- In the tree component, select the Application Server node.
- Click the Logging tab.
- On the Logging Settings page, click the Log Levels tab.
- Add a new property named "org.jcp.xml.dsig.internal" with value "FINER".
- Add a new property named "com.sun.org.apache.xml.internal.security" with value "FINER".
- Click Save to save the changes.
The log messages will be written to the application server log file.
I won't describe each and every log message in detail, but some of the most helpful are the following:
[java] FINER: Pre-digested input: ...
This message displays the content of the referenced data just before it was digested.
[java] FINE: Expected digest: ...
[java] FINE: Actual digest: ...
These messages display the expected and actual base64-encoded digest values of a Reference; when they differ, the referenced content was changed (or transformed differently) after signing.
[java] FINE: Canonicalized SignedInfo: ...
This message displays the canonicalized SignedInfo element before it is signed.
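The same logging switch applied in code rather than through logging.properties, followed by a sign-then-modify round trip so that the Pre-digested input, Expected digest and Actual digest messages above actually appear on the console. This is an added example and not code from the original post; the class name and the small order document are constructed for illustration, and only the JSR 105 API shipped with the JDK is used.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import java.util.logging.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class DsigLoggingDemo {
    // Same effect as the logging.properties above, done in code: FINER for the two XML DSig logger trees.
    static void enableDsigLogging() {
        Handler console = new ConsoleHandler();
        console.setLevel(Level.FINER);
        for (String name : new String[] {"org.jcp.xml.dsig.internal", "com.sun.org.apache.xml.internal.security"}) {
            Logger log = Logger.getLogger(name);
            log.setLevel(Level.FINER);
            log.setUseParentHandlers(false); // avoid duplicate INFO lines from the root ConsoleHandler
            log.addHandler(console);
        }
    }
    public static void main(String[] args) throws Exception {
        enableDsigLogging();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream( // constructed sample document
            "<order><item>widget</item></order>".getBytes(StandardCharsets.UTF_8)));
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway key pair, demo only
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        // Change the signed content after signing so validation fails and the log shows which digest differs.
        doc.getElementsByTagName("item").item(0).setTextContent("gadget");
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sigEl);
        XMLSignature sig = fac.unmarshalXMLSignature(vc);
        System.out.println("signature valid: " + sig.validate(vc)); // false; compare the Expected/Actual digest lines
    }
}
```

Run it once without the setTextContent line to see the same messages for a signature that validates, which makes the differing Actual digest in the failing run easy to spot.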