[xmlsec] Cannot validate W3C's XMLDSIG examples

Mak Kolybabi mak at kolybabi.com
Wed Feb 6 09:56:52 PST 2013


On 2013-02-05 19:47, Aleksey Sanin wrote:
> well, both examples reference an external entity
> ...
> May be someone changed it? :)

Seems you're right. Disappointing that the W3C would break its own examples. :(

Independently verified that they were broken using another implementation,
according to a tutorial[1].

> # uname -a
> Linux solomon 2.6.32-279.19.1.el6.i686 #1 SMP Wed Dec 19 04:30:58 UTC 2012 i686 i686 i386 GNU/Linux

> # yum install java-1.7.0-openjdk-devel.i686
> # curl -O http://docs.oracle.com/javase/7/docs/technotes/guides/security/xmldsig/Validate.java
> # javac Validate.java

> # curl -O http://www.w3.org/TR/xmldsig-core/signature-example-dsa.xml
> # java Validate signature-example-dsa.xml
> Signature failed core validation
> signature validation status: true
> ref[0] validity status: false

> # curl -O http://www.w3.org/TR/xmldsig-core/signature-example-rsa.xml
> # java Validate signature-example-rsa.xml
> Signature failed core validation
> signature validation status: true
> ref[0] validity status: false

[1] http://docs.oracle.com/javase/6/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html#wp511427

-- 
Mak Kolybabi
<mak at kolybabi.com>

() ASCII Ribbon Campaign | Against HTML e-mail
/\  www.asciiribbon.org  | Against proprietary extensions
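
The result reported above (signature validation true, ref[0] false) follows from the two halves of XMLDSig core validation, shown here as an added example that is not part of the original message, of xmlsec, or of Validate.java. Assumptions: HMAC-SHA256 stands in for the DSA/RSA signatures, SignedInfo is a flat byte string with no canonicalization, and the key, URI and contents are constructed.

```python
import base64
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"          # assumption: HMAC key stands in for the DSA/RSA key
URI = "http://example.org/resource"    # constructed external reference
AT_SIGNING = b"<p>content when the example was signed</p>"
TODAY = b"<p>content after someone edited the page</p>"

def digest(data: bytes) -> bytes:
    return base64.b64encode(hashlib.sha256(data).digest())

def build_signed_info(uri: str, content: bytes) -> bytes:
    # Simplified SignedInfo: real XMLDSig canonicalizes this element before signing.
    return (b'<SignedInfo><Reference URI="' + uri.encode() + b'"><DigestValue>'
            + digest(content) + b"</DigestValue></Reference></SignedInfo>")

def sign(signed_info: bytes, key: bytes) -> bytes:
    # The signature covers SignedInfo only, never the referenced data itself.
    return hmac.new(key, signed_info, hashlib.sha256).digest()

def core_validate(signed_info, signature_value, key, fetch):
    """Return (core_valid, signature_valid, [reference_valid, ...])."""
    sig_ok = hmac.compare_digest(sign(signed_info, key), signature_value)
    refs = re.findall(rb'URI="([^"]*)"><DigestValue>([^<]*)</DigestValue>', signed_info)
    ref_ok = [hmac.compare_digest(digest(fetch(uri.decode())), dv) for uri, dv in refs]
    return sig_ok and bool(ref_ok) and all(ref_ok), sig_ok, ref_ok

def demo():
    signed_info = build_signed_info(URI, AT_SIGNING)
    sig = sign(signed_info, KEY)
    unchanged = core_validate(signed_info, sig, KEY, lambda uri: AT_SIGNING)
    # The external resource changed after signing: signature holds, reference fails.
    changed = core_validate(signed_info, sig, KEY, lambda uri: TODAY)
    # "Repairing" the digest inside SignedInfo flips the result: reference ok, signature broken.
    patched = build_signed_info(URI, TODAY)
    repaired = core_validate(patched, sig, KEY, lambda uri: TODAY)
    return unchanged, changed, repaired

if __name__ == "__main__":
    for name, result in zip(("unchanged", "changed", "repaired"), demo()):
        print(name, result)
```

The "changed" case corresponds to the output in the message: the signature over SignedInfo still verifies, but the digest of the dereferenced resource no longer matches.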


