XML Signature Core Validation Failure with Java and Apache Axis

Many people use XML digital signatures these days, and most of them apply the signature with the standard code snippet available on the web.

When tried independently, the snippet works fine, and core validation happens successfully. However, when integrated with Apache Axis, core validation fails.

A core validation failure results either from a failure to validate the signature value or from a failure to validate any of the references present.

A signature value validation failure implies that the Signature element added when the digital signature was applied has been altered.

A reference failure occurs when there has been some change in the signed data since the digest value for the data was generated.

A possible reason for these alterations could be the namespace declarations that XML parsers add automatically. For example, assume you use the code snippet as shown below:

NodeList nodelist = doc.getElementsByTagNameNS("", );
Node nn = nodelist.item(0);
// where objKeys is the KeyPair
DOMSignContext dsc = new DOMSignContext(objKeys.getPrivate(), nn);
// where ki is the key info and si is the signed info
XMLSignature signature = fac.newXMLSignature(si, ki);
// Marshal, generate (and sign) the enveloped signature
signature.sign(dsc);

The generated XML will look like this:

                      ...

However, if you then attempt to generate a SOAPBodyElement using Apache Axis, the Signature element and its child elements, which ideally should have used a default namespace, define a new namespace. The new namespace declaration gets embedded into the element as follows:

                      ...

As you can see, the preceding XML gives the default namespace the prefix ns1, which ultimately leads to validation failure. The additions are difficult to identify. One possible workaround is to make the XML namespace-aware and give every element in the XML a namespace prefix beforehand, so that XML parsers won’t add such declarations on their own.

To achieve this, you can add dsc.setDefaultNamespacePrefix("dsig") to the snippet while applying the digital signature. Now the code becomes:

NodeList nodelist = doc.getElementsByTagNameNS("", );
Node nn = nodelist.item(0);
// where objKeys is the KeyPair
DOMSignContext dsc = new DOMSignContext(objKeys.getPrivate(), nn);
// to insert a prefix for the namespace of the signature
dsc.setDefaultNamespacePrefix("dsig");
// where ki is the key info and si is the signed info
XMLSignature signature = fac.newXMLSignature(si, ki);
// Marshal, generate (and sign) the enveloped signature
signature.sign(dsc);

That code deliberately asks the API to add a default prefix to the signature while generating the DOM context, so that other XML operations don’t add extra namespaces that can cause validation failure.

The XML will now look like:

                      ...

That solves the problem. The preceding XML works just fine.
