Home/ Questions/Q 354459
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T11:55:34+00:00

I was trying to validate an XML signature. The validation according to this tutorial

  • 0

I was trying to validate an XML signature.

The validation according to this tutorial works fine.

But I also tried to a second approach. To verify it with the verify method of the Signature class
I extracted the signature and the certificate from the xml file, and I did the following:

    public static boolean checkSignedFile(byte[] data, byte[] sigToVerify,
        byte[] cert, String algorithm) throws CertificateException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Certificate c = (Certificate) cf
            .generateCertificate(new ByteArrayInputStream(cert));
    PublicKey pk = c.getPublicKey();
    Signature sig;
    boolean verifies = false;
    sig = Signature.getInstance(algorithm);
    sig.initVerify(pk);
    sig.update(data);
    verifies = sig.verify(sigToVerify);
    return verifies;
}

the result was false. The signature did not verify. What could be the reason for that?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can’t verify XMLDsig like this. It wouldn’t work. The signature is not calculated over the raw XML. It has to go through canonicalization, digest etc.

    What do you use for data[]? To get it right, you almost have to rewrite the XMLDsig library.

    • 0