Nayan Hajratwala wrote:
Quoting Sean Mullan <[EMAIL PROTECTED]>:
Scott Cantor wrote:
The output of my debugging shows the SignedInfo as:
Using email for this is pointless. Any whitespace will throw off the
result,
so you'd need to compare them byte for byte on your own.
Also, you are comparing it to what is in the Signature, this is wrong,
because that is the pre-canonicalized representation of SignedInfo. You
need to modify your signature generation application and dump the
canonicalized bytes (which is cached by the implementation) after you
generate the signature. Then do the same in your validation application
and compare the bytes.
--Sean
Unfortunately, the signature is being generated by a third party, and
after talking with them today, it turns out that the documents are
signed by an IBM xi50 appliance, so they don't have access to generate
the canonicalized SignedInfo.
Any other approaches that you can think of that I might take?
Not really, you will need to find out what is being done with the
signature from the time it is generated until you validate it. Are you
moving it to a different document where new namespaces may leak into the
signature, or are you converting it to/from DOM? The slightest change
can break the signature. Pretty printing or formatting the signature
(ex, adding whitespace, newlines) will break the signature.
--Sean
