Manual verification of XML Signature

John Castle

Joined: Feb 17, 2009
Posts: 2
Hello, I'm trying to do a "manual" verification of an XML-Signed message. The message is the following, taken as is
from the server.log:

This message was sent from a servlet deployed on JBoss 4.2.3GA and received by a WS-Security configured Web Service
deployed locally (on the same JBoss instance). All the automatic JBoss verifications are successful, here's the

2010-12-07 17:37:40,404 INFO [] Verification successful for URI "#element-1-1291739860070-11803898"
2010-12-07 17:37:40,405 INFO [] Verification successful for URI "#timestamp"
2010-12-07 17:37:40,417 DEBUG [] Verification is successful

Now I want to verify this manually, so I decrypt the SignatureValue content with the public key and I obtain:


I think I did this manual decryption well, because you can recognize the "ASN.1 BER SHA1 algorithm designator
prefix" in the first part of this hex string (3021300906052b0e03021a05000414).
So the second part (dccdb8570286d36c94bba8e5107faee91e0df088) should be my hash value, i.e. the SHA1 computation of the
canonicalized SignedInfo element, and in fact it's exactly 20 bytes long. But I can't get this hash value from the
SignedInfo element. I'm using for the canonicalization. Is there anyone
that can obtain this hash value and tell me the exact steps/tools/code used? Thank you in advance.

John Castle

Joined: Feb 17, 2009
Posts: 2
Solved, thanks to Thomas Pornin.
I'm using the for the canonicalization of the SignedInfo element, but the resulting string needs to be further handled:

- Remove all the leading spaces on each line;
- Get a hexadecimal representation of the string above and make sure that all end-of-lines use a single LF (0A).
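
The check described in this thread, as an added example that is not part of the original posts: it splits the recovered block into the SHA-1 DigestInfo prefix and the 20-byte digest, applies the two normalisation steps to the canonicalizer output, and compares the hashes. The function names and the sample SignedInfo are constructed for illustration; handling of the full PKCS#1 v1.5 padding goes slightly beyond the case shown above.

```python
import hashlib
import hmac

# DER prefix of a SHA-1 DigestInfo: the value quoted in the thread.
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def split_digest_info(block_hex: str) -> bytes:
    """Return the 20-byte SHA-1 digest from a recovered signature block.

    Accepts a bare DigestInfo, or the full EMSA-PKCS1-v1_5 block
    (00 01 FF..FF 00 || DigestInfo) left by a raw RSA public-key operation.
    """
    block = bytes.fromhex(block_hex)
    if block[:1] == b"\x01":          # leading zero dropped by integer output
        block = b"\x00" + block
    if block[:2] == b"\x00\x01":
        pad_end = block.index(b"\x00", 2)
        if pad_end < 10 or set(block[2:pad_end]) != {0xFF}:
            raise ValueError("malformed PKCS#1 v1.5 padding")
        block = block[pad_end + 1:]
    if not block.startswith(SHA1_PREFIX):
        raise ValueError("not a SHA-1 DigestInfo")
    digest = block[len(SHA1_PREFIX):]
    if len(digest) != hashlib.sha1().digest_size:
        raise ValueError("digest is not 20 bytes")
    return digest


def normalise_signed_info(text: str) -> bytes:
    """Apply the thread's two steps: strip leading spaces, use a single LF."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\n".join(line.lstrip(" ") for line in lines).encode("utf-8")


def signed_info_matches(block_hex: str, signed_info_text: str) -> bool:
    """Compare the recovered digest with SHA-1 of the normalised SignedInfo."""
    actual = hashlib.sha1(normalise_signed_info(signed_info_text)).digest()
    return hmac.compare_digest(split_digest_info(block_hex), actual)


# Constructed sample (not the message from the thread): the bytes that were
# signed, and the same element as a tool might display it (indent + CRLF).
SIGNED = ('<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n'
          '<ds:Reference URI="#timestamp"></ds:Reference>\n</ds:SignedInfo>')
AS_DISPLAYED = SIGNED.replace("\n<ds:R", "\r\n    <ds:R").replace("\n</", "\r\n</")
BLOCK_HEX = (SHA1_PREFIX + hashlib.sha1(SIGNED.encode()).digest()).hex()

if __name__ == "__main__":
    print(signed_info_matches(BLOCK_HEX, AS_DISPLAYED))
```

Stripping indentation is only correct when it was added by the tool or log that displayed the element; whitespace that was actually present in SignedInfo when it was signed is part of the canonical form and must be hashed as is.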