[xmlsec] Cannot validate W3C's XMLDSIG examples
Mak Kolybabi
mak at kolybabi.com
Wed Feb 6 09:56:52 PST 2013
On 2013-02-05 19:47, Aleksey Sanin wrote:
> well, both examples reference an external entity
> ...
> May be someone changed it? :)
Seems you're right. Disappointing that the W3C would break its own examples. :(
Independently verified that they were broken using another implementation,
according to a tutorial[1].
> # uname -a
> Linux solomon 2.6.32-279.19.1.el6.i686 #1 SMP Wed Dec 19 04:30:58 UTC 2012 i686 i686 i386 GNU/Linux
> # yum install java-1.7.0-openjdk-devel.i686
> # curl -O curl http://docs.oracle.com/javase/7/docs/technotes/guides/security/xmldsig/Validate.java
> # javac Validate.java
> # curl -O http://www.w3.org/TR/xmldsig-core/signature-example-dsa.xml
> # java Validate signature-example-dsa.xml
> Signature failed core validation
> signature validation status: true
> ref[0] validity status: false
> # curl -O http://www.w3.org/TR/xmldsig-core/signature-example-rsa.xml
> # java Validate signature-example-rsa.xml
> Signature failed core validation
> signature validation status: true
> ref[0] validity status: false
[1] http://docs.oracle.com/javase/6/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html#wp511427
--
Mak Kolybabi
<mak at kolybabi.com>
() ASCII Ribbon Campaign | Against HTML e-mail
/\ www.asciiribbon.org | Against proprietary extensions
More information about the xmlsec
mailing list