santuario-dev mailing list archives

From Nayan Hajratwala <>
Subject Re: Core Validation Failing .. now what?
Date Thu, 28 Feb 2008 02:35:11 GMT

On Feb 27, 2008, at 2:44 PM, Sean Mullan wrote:

> Scott Cantor wrote:
>>> So what does this mean?  There are no References? That seems odd, but
>>> I'm not sure what to do about it.
>> It means the corruption is inside the Signature element itself, not the
>> digest over the single reference that exists (ref[0]).
>> -- Scott
> And make sure you are using the right key to validate the signature.
> Also, try dumping the canonicalized bytes of the SignedInfo element  
> after signing and validation. You can do this by calling  
> signature.getSignedInfo().getCanonicalizedData(). This returns an  
> InputStream and you can use an InputStreamReader to read the bytes  
> and write them out. Look for subtle differences in the data from the  
> signing and the validating code. You should see something that is  
> different and this should hopefully give you some clue as to what is  
> wrong.
> Also, see
> --Sean

The info you provided is very helpful in getting me to understand what  
is going on, but it has not solved my problem unfortunately.

The output of my debugging shows the SignedInfo as:

<SignedInfo xmlns="">
   <CanonicalizationMethod Algorithm=" 
   <SignatureMethod Algorithm=" 
   <Reference URI="#Body">
       <Transform Algorithm=" 
     <DigestMethod Algorithm=" 

which seems to match what I have in the document.

The full Signature element is as follows:

<Signature xmlns="" xmlns:wsse="

   <CanonicalizationMethod Algorithm=" 
   <SignatureMethod Algorithm=" 
   <Reference URI="#Body">
       <Transform Algorithm=""/>
     <DigestMethod Algorithm=""/>


Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA  
- Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network</ 

What occurs to me is that there is an empty X509Certificate element. I  
get a "DerInputStream.getLength(): lengthTag=127, too big." error if I  
leave it in, and I get the validation failure if I take it out.
Perhaps this is the root of the problem?
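
The debugging step suggested in the quoted reply (dump the canonicalized SignedInfo after signing and after validation, then compare), as an added example that is not part of the original message or the Santuario code base. It assumes the JSR 105 API (javax.xml.crypto.dsig) on Java 11 or later, a throwaway RSA key, and a constructed sample document signed with an enveloped whole-document reference rather than the #Body reference from the thread; the class and helper names are hypothetical.

```java
import java.io.StringReader;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class SignedInfoDiff {
    // Canonicalized SignedInfo octets; only populated after sign() or validate().
    static byte[] c14n(XMLSignature sig) throws Exception {
        return sig.getSignedInfo().getCanonicalizedData().readAllBytes();
    }
    // Offset of the first differing byte, or -1 when the two dumps are identical.
    static int firstDiff(byte[] a, byte[] b) {
        int n = Math.min(a.length, b.length);
        for (int i = 0; i < n; i++) if (a[i] != b[i]) return i;
        return a.length == b.length ? -1 : n;
    }
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(
            new StringReader("<Envelope><Body>constructed sample</Body></Envelope>")));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway key for the demo

        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("", f.newDigestMethod(DigestMethod.SHA256, null),
            List.of(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        XMLSignature signed = f.newXMLSignature(si, null);
        signed.sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        byte[] atSign = c14n(signed);

        // Validating side: unmarshal from the DOM, as a receiver would.
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sigNode);
        XMLSignature parsed = f.unmarshalXMLSignature(vc);
        System.out.println("core validity:   " + parsed.validate(vc));
        System.out.println("signature value: " + parsed.getSignatureValue().validate(vc));
        for (Object r : parsed.getSignedInfo().getReferences())
            System.out.println("reference:       " + ((Reference) r).validate(vc));
        byte[] atValidate = c14n(parsed);
        System.out.println("first differing byte: " + firstDiff(atSign, atValidate));
        System.out.println(new String(atValidate, "UTF-8"));
    }
}
```

Reporting the signature value and each reference separately reproduces the distinction drawn in the quoted replies: a reference that validates while the signature value does not points at the SignedInfo bytes or the key, not at the referenced content.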
