XML-Security / signxml

Python XML Signature and XAdES library
https://xml-security.github.io/signxml/
Apache License 2.0
137 stars 109 forks

Is there a way to debug why a signature is not valid? #222

Closed Wissperwind closed 1 year ago

Wissperwind commented 1 year ago

Hi,

I get a signed XML from our Java department. They say it is valid and they can verify that with their Java implementation. But SignXML says that the signature is not valid. And now we are here not knowing what to do.

A thing that makes it even harder is that I cannot post the XML code here because it contains personal information. And if I remove some information, of course the signature is not valid anymore.

Are there any suggestions how to go on?

kislyuk commented 1 year ago

What kind of information would you find useful in debugging?

Wissperwind commented 1 year ago

For example:

I hope with this information we will find out why signxml says "signature not valid". But the Java implementation says "signature valid".

kislyuk commented 1 year ago

All of the conditions you listed already produce distinct errors in SignXML. If you receive an InvalidSignature error (I can only assume since you produced no debug output), that means the XML is syntactically valid and the signature is semantically valid up until the point it's verified. The validity of the certificate is verified before the validity of the signature (since the certificate contains the public key used to verify the signature).

As noted in the issue template, if you need help, you are asked to provide a complete, standalone reproduction of the issue.