Posted by franknatoli
on January 16, 2008 at 3:34 PM PST
Below is an extract from the JWSDP-2.0 sample Validate.java. What does it mean when the core validity fails (returns false), and the signature validation status fails (returns false), but the reference validation succeeds (returns true) and there is only one reference?
// Validate the XMLSignature (generated above)
boolean coreValidity = signature.validate(valContext);

// Check core validation status
if (coreValidity == false) {
    System.err.println("Signature failed core validation");
    // Core validation has two parts; report each separately
    boolean sv = signature.getSignatureValue().validate(valContext);
    System.out.println("signature validation status: " + sv);
    // check the validation status of each Reference
    Iterator i = signature.getSignedInfo().getReferences().iterator();
    for (int j = 0; i.hasNext(); j++) {
        boolean refValid = ((Reference) i.next()).validate(valContext);
        System.out.println("ref[" + j + "] validity status: " + refValid);
    }
} else {
    System.out.println("Signature passed core validation");
}
Have some rather peculiar circumstances triggering the above problem. Have an API that generates two digital signatures, one detached and one enveloped, both inserted into a single XML file. When the API is tested via JUnit and ANT, the two signatures generate objects without any namespace prefix and both signatures pass core validation.
But when the API is invoked via a web GUI, the first [detached] signature bears a namespace prefix and fails core validation, fails signature validation but passes reference validation. The second [enveloped] signature bears no namespace prefix and passes core validation.
Have enabled logging for org.jcp.xml.dsig.internal and com.sun.org.apache.xml.internal.security. Curiously, the expected digest and actual digest for the detached signature that fails core validation match. But XMLDSIG provides no logging information between "verifying with key: ..." and the failure.
With reference validation passing, can I disregard failed core and signature validation?
Thanks for your time.
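In the javax.xml.crypto.dsig API used by the snippet above, XMLSignature.validate() reports core validation, which is the conjunction of two checks: SignatureValue.validate() verifies the signature over the canonicalized SignedInfo, and Reference.validate() recomputes and compares the digest of each referenced object. The program below is an added example, not code from the original post or from the JWSDP Validate.java sample. It signs a small constructed document with an enveloped signature, prints all three results while the document is intact, then alters only the SignatureValue text so that the reference digests still match while the SignatureValue check, and therefore core validation, fail, which is the same split of results reported in the question. It assumes a JDK whose XMLSignatureFactory supports rsa-sha256 (Java 8 or later); the class name, the sample XML and the describe() helper are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;

import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SignatureValidationBreakdown {

    // Constructed sample document (not from the original post); the enveloped
    // signature is appended as the last child of the root element.
    private static final String SAMPLE_XML =
        "<PurchaseOrder><Item>widget</Item><Amount>42</Amount></PurchaseOrder>";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for getElementsByTagNameNS below
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE_XML.getBytes(StandardCharsets.UTF_8)));

        // Throwaway key pair for the example; a real deployment would use a managed key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // URI "" with the enveloped transform signs the whole document minus the Signature itself.
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyValue kv = kif.newKeyValue(kp.getPublic());
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));
        XMLSignature sig = fac.newXMLSignature(si, ki);
        sig.sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));

        System.out.println("intact:   " + describe(doc, fac, kp));

        // Corrupt one base64 character of SignatureValue and nothing else. The referenced
        // content is untouched, so the digest check still passes, but the signature over
        // SignedInfo no longer verifies and core validation fails.
        Element svEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "SignatureValue").item(0);
        String original = svEl.getTextContent().trim();
        char flipped = original.charAt(0) == 'A' ? 'B' : 'A';
        svEl.setTextContent(flipped + original.substring(1));

        System.out.println("tampered: " + describe(doc, fac, kp));
    }

    /** Unmarshals the first Signature element and reports core validation and its two components. */
    static String describe(Document doc, XMLSignatureFactory fac, KeyPair kp) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        DOMValidateContext ctx = new DOMValidateContext(kp.getPublic(), nl.item(0));
        XMLSignature signature = fac.unmarshalXMLSignature(ctx);

        boolean core = signature.validate(ctx);
        boolean sigValue = signature.getSignatureValue().validate(ctx);
        StringBuilder sb = new StringBuilder("core=" + core + " signatureValue=" + sigValue);
        int j = 0;
        for (Object o : signature.getSignedInfo().getReferences()) {
            sb.append(" ref[").append(j++).append("]=").append(((Reference) o).validate(ctx));
        }
        return sb.toString();
    }
}
```

The second line of output shows core=false, signatureValue=false and ref[0]=true. A matching reference digest only establishes that the referenced content is the same as when the digests were computed; it says nothing about who produced SignedInfo, so a signature whose SignatureValue check fails has not verified and should be rejected regardless of the reference results.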