santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Milan Tomic <>
Subject Re: Signature Verification Failed with tools.
Date Fri, 28 Apr 2006 09:18:50 GMT

Yes, tools like XML Spy often modify XML file, like pretty printing or replacing every new
character (ASCII 10) with a pair of new line and carriage return characters (ASCII 10 and
Such files are still valid XML files (well formed and conformed to its schema), but signature
not valid any more. I recommend using Notepad.exe for manipulating signed XML files, instead.

However, tool that you are using doesn't have to be source of your problems. Signature will
allways be invalid if you put signed document into some other document which have namespaces
the root element, for example) and you don't use exclusive canonicalization for both
<ds:SignedInfo> and references you are signing (see <ds:Reference> and <ds:Transformations>
documentation). Sometimes you have to take your signed XML out of the SOAP message to be able
successfully validate its signature.

Btw, if you have any chance to modify WSDL file of your web service, you should change it
accept Base64 encoded signed XML file, instead of XML Document (in the soap header). You will
yourself a lot of pain and interoperability troubles.

Hope it helps,

--- akkachotu <> wrote:

> I have generated a WS Security 2004 X509 Token Profile Signature using
> AXIS and it gets successfully verified by the provider. This I have
> tested using a standalone java program that uses AXIS 1.2.1 Final and
> uses XSS4J API for signing the soap message.
> However if I take the request soap message (which has signature in
> header and <Security> element in header) and paste in XML SPY 2006 and
> fire a request to the server then the signature verification on the
> provider is failing and I see in the server logs that <SignedInfo>
> element validity is failed and further <SignatureValue> element value
> is mismatched and digest values are mismatched in the process of
> validating the <SingedInfo> element.
> Does somebody have any thoughts like XML SPY may be somehow changes
> the soap message(may be adds some text formatting or something like
> the sort which I am unable to imagine) before it sends it to provider?
> Are there any free tools out there in which I can just page the soap
> message with WS Security 2005 X509 Signature and fire the request to
> the provider and get the response without any hassles as I am having
> hard time with XML SPLY.
> Thank you for your reply and time.

Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 

View raw message