
Troubleshooting problems on the 'Online XML Digital Signature Verifier' site


On this page we look at how to troubleshoot problems when verifying your documents with the Online XML Digital Signature Verifier.

The error messages are, how do you say, somewhat cryptic. So here we try to help you understand where the problem may be.

Just to be clear, we are only considering XML-DSIG documents signed using an RSA key and the RSASSA-PKCS1-v1_5 algorithm described in RFC 8017 (SignatureMethod Algorithm rsa-sha1 or rsa-sha256).


Possible reasons

Success

RESULT: Signature is OK
---------------------------------------------------
= VERIFICATION CONTEXT
== Status: succeeded
== flags: 0x00000000

Your signature and all associated XML-DSIG elements are correct, and the XML is well-formed. Congratulations!

No KeyValue element in the KeyInfo

func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=350:obj=x509-store:subj=unknown:error=71:certificate verification failed:X509_verify_cert: err=20; msg=unable to get local issuer certificate
func=xmlSecOpenSSLEvpSignatureVerify:file=evp_signatures.c:line=368:obj=rsa-sha1:subj=unknown:error=18:data do not match:details=EVP_VerifyFinal: signature does not verify
RESULT: Signature is INVALID
---------------------------------------------------
= VERIFICATION CONTEXT
== Status: invalid

Solution: You must include a <KeyValue>/<RSAKeyValue> element in the <KeyInfo> element (lines 2-10 below). Hint: Include this first in the KeyInfo element.

<KeyInfo>
  <KeyValue>
    <RSAKeyValue>
      <Modulus>
      4IlzOY3Y9fXoh3Y5f06wBbtTg94Pt6vcfcd1KQ0FLm0S36aGJtTSb6pYKfyX7PqCUQ8wgL6xUJ5GRPEsu9gyz8ZobwfZsGCsvu40CWoT9fcFBZ
      PfXro1Vtlh/xl/yYHm+Gzqh0Bw76xtLHSfLfpVOrmZdwKmSFKMTvNXOFd0V18=
      </Modulus>
      <Exponent>AQAB</Exponent>
    </RSAKeyValue>
  </KeyValue>
  <X509Data>
    <X509Certificate>
    MIICLDCCAZWgAwIBAgIQRjRrx ...
    </X509Certificate>
  </X509Data>
</KeyInfo>

Note that other verifying servers may be satisfied with just the <X509Data> element, or may even complain about the <KeyValue> element. None of these elements is strictly required, and adding or omitting any of them does not affect the signature value. In practice, the Online Verifier requires the <KeyValue> element to work, unless the signing certificate was issued by one of its supported CA certificates.

X509 Certificate before KeyValue

func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=350:obj=x509-store:subj=unknown:error=71:certificate verification failed:X509_verify_cert:err=20; msg=unable to get local issuer certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=389:obj=x509-store:subj=unknown:error=71:certificate verification failed: err=20; msg=unable to get local issuer certificate
RESULT: Signature is OK
---------------------------------------------------
= VERIFICATION CONTEXT
== Status: succeeded

This succeeds but gives you a warning "certificate verification failed/unable to get local issuer certificate".

Solution: put the <KeyValue> element before the <X509Data>.

<KeyInfo>
  <!--NO!--> 
  <X509Data>
    <X509Certificate>
    ...
    </X509Certificate>
  </X509Data>
  <KeyValue>
    <RSAKeyValue>
      ...
    </RSAKeyValue>
  </KeyValue>
</KeyInfo>
<KeyInfo>
  <!--YES-->
  <KeyValue>
    <RSAKeyValue>
      ...
    </RSAKeyValue>
  </KeyValue>
  <X509Data>
    <X509Certificate>
    ...
    </X509Certificate>
  </X509Data>
</KeyInfo>
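The two checks above (is there a KeyValue at all, and does it come before X509Data?) are easy to automate before you paste a document into the verifier. The following Python script is an added example, not code from the original page or from the Online Verifier; it also decodes the RSAKeyValue shown above into its modulus and exponent so you can confirm the key material is plausible. The RSAKeyValue is the one from the page; the certificate body is a constructed placeholder, and the result codes ('ok', 'no-keyvalue', 'x509-before-keyvalue') are names chosen here.

```python
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# RSAKeyValue copied from the page's KeyInfo example. The certificate on the
# page is truncated, so a constructed placeholder stands in for its base64 body.
KEYVALUE = """<KeyValue>
  <RSAKeyValue>
    <Modulus>
    4IlzOY3Y9fXoh3Y5f06wBbtTg94Pt6vcfcd1KQ0FLm0S36aGJtTSb6pYKfyX7PqCUQ8wgL6xUJ5GRPEsu9gyz8ZobwfZsGCsvu40CWoT9fcFBZ
    PfXro1Vtlh/xl/yYHm+Gzqh0Bw76xtLHSfLfpVOrmZdwKmSFKMTvNXOFd0V18=
    </Modulus>
    <Exponent>AQAB</Exponent>
  </RSAKeyValue>
</KeyValue>"""
X509DATA = """<X509Data>
  <X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</X509Certificate>
</X509Data>"""


def keyinfo(*children):
    """Assemble a ds:KeyInfo from the given child fragments, in that order."""
    return '<KeyInfo xmlns="%s">\n%s\n</KeyInfo>' % (DSIG_NS, '\n'.join(children))


GOOD_KEYINFO = keyinfo(KEYVALUE, X509DATA)          # what the Online Verifier wants
CERT_FIRST_KEYINFO = keyinfo(X509DATA, KEYVALUE)    # verifies, but with a warning
NO_KEYVALUE_KEYINFO = keyinfo(X509DATA)             # Signature is INVALID on the Online Verifier


def _local(tag):
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit('}', 1)[-1]


def _find_keyinfo(xml_text):
    """Accept either a bare KeyInfo or a whole signed document."""
    root = ET.fromstring(xml_text)
    return root if _local(root.tag) == 'KeyInfo' else root.find('.//{*}KeyInfo')


def check_keyinfo_layout(xml_text):
    """Classify a KeyInfo the way the page's first two error sections do.
    Returns 'ok', 'no-keyvalue', 'x509-before-keyvalue' or 'no-keyinfo'."""
    ki = _find_keyinfo(xml_text)
    if ki is None:
        return 'no-keyinfo'
    order = [_local(child.tag) for child in ki]
    if 'KeyValue' not in order:
        return 'no-keyvalue'
    if 'X509Data' in order and order.index('X509Data') < order.index('KeyValue'):
        return 'x509-before-keyvalue'
    return 'ok'


def _b64_to_int(text):
    # Element content may be wrapped over several lines; the whitespace is not base64.
    return int.from_bytes(base64.b64decode(''.join(text.split())), 'big')


def rsa_public_key(xml_text):
    """Decode Modulus/Exponent from KeyValue/RSAKeyValue; None if there is no RSA KeyValue."""
    ki = _find_keyinfo(xml_text)
    rsa = None if ki is None else ki.find('./{*}KeyValue/{*}RSAKeyValue')
    if rsa is None:
        return None
    n = _b64_to_int(rsa.findtext('{*}Modulus'))
    e = _b64_to_int(rsa.findtext('{*}Exponent'))
    return {
        'bits': n.bit_length(),
        'e': e,
        'plausible': n % 2 == 1 and e % 2 == 1 and e > 1,  # RSA n and e are odd, e > 1
        'weak': n.bit_length() < 2048,                      # below today's minimum RSA size
    }


if __name__ == '__main__':
    for name, doc in (('good', GOOD_KEYINFO), ('cert-first', CERT_FIRST_KEYINFO),
                      ('no-keyvalue', NO_KEYVALUE_KEYINFO)):
        print(name, check_keyinfo_layout(doc), rsa_public_key(doc))
```

Neither the order of the KeyInfo children nor the presence of KeyValue is covered by the signature (KeyInfo is only signed when a Reference points at it), so moving KeyValue to the front is safe to do after signing; the script simply tells you in advance which of the two messages the verifier will produce.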

Input is not proper UTF-8

Entity: line 3: parser error : Input is not proper UTF-8, indicate encoding !
Bytes: 0xE9 0x78 0x69 0x63
  <Client>México y el niño</Client>
           ^
Error: unable to parse xml document (syntax error)

The browser interface does not cope when you copy-and-paste XML with non-ASCII characters in the input like é and ñ. There are two ways to fix this.

1. Convert file to Latin-1 (ISO-8859-1)

   <?xml version="1.0" encoding="iso-8859-1"?>
   <Invoice>
     <Client>México y el niño</Client>

   You can do this using the Notepad++ editor.
     1. Open the UTF-8-encoded file using Notepad++
     2. Select Encoding > Convert to ANSI
     3. Edit the first line to be encoding="iso-8859-1"
     4. Save the file.

2. Asciify the document

   Convert all non-ASCII characters to XML character references. For example é → &#xE9; and ñ → &#xF1;.

   <?xml version="1.0" encoding="US-ASCII"?>
   <Invoice>
     <Client>M&#xE9;xico y el ni&#xF1;o</Client>

   You can use the --asciify option with our xmlsq utility to do this. See Dealing with non-ASCII characters.

Strangely, this only appears to be a problem with the extended Latin character set (Spanish, Polish, etc.). If you copy and paste XML containing UTF-8-encoded Chinese characters, it works OK.

<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://example.org/envelope">
<Body>
大卫中国
</Body>
...
</Envelope>
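Both fixes work because a character reference and the literal character are the same thing once the document is parsed: the canonicalized form, and therefore every DigestValue and the SignatureValue, is unchanged. The Python below is an added example (not the page's xmlsq utility) that implements both options and demonstrates that point by hashing the canonical form of the original, the Latin-1 and the asciified versions. The sample invoice is constructed for this example; the stdlib canonicalize() is C14N 2.0, so treat the equal digests as an illustration of the principle rather than a reproduction of the exact C14N 1.0 / exclusive output an XML-DSIG verifier computes.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's <Invoice> fragment (not one of the page's files).
UTF8_DOC = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<Invoice>\n'
    '  <Client note="señor">México y el niño</Client>\n'
    '  <Amount>847.63</Amount>\n'
    '</Invoice>\n'
)

_ENCODING_RE = re.compile(r'encoding=(["\'])[^"\']*\1')
_MARKUP_RE = re.compile(r'<[^>]*>', re.DOTALL)   # tags, PIs, comments (see caveat in asciify)
_QUOTED_RE = re.compile(r'"[^"]*"|\'[^\']*\'')    # attribute values inside a tag
_NON_ASCII_RE = re.compile(r'[^\x00-\x7f]')


def _char_refs(text):
    """Replace every non-ASCII character with a hex character reference, e.g. é -> &#xE9;."""
    return _NON_ASCII_RE.sub(lambda m: '&#x%X;' % ord(m.group()), text)


def set_declared_encoding(xml_text, name):
    """Rewrite (or add) the encoding pseudo-attribute of the XML declaration."""
    if xml_text.startswith('<?xml'):
        head, sep, rest = xml_text.partition('?>')
        if 'encoding=' in head:
            head = _ENCODING_RE.sub('encoding="%s"' % name, head)
        else:
            head += ' encoding="%s"' % name
        return head + sep + rest
    return '<?xml version="1.0" encoding="%s"?>\n' % name + xml_text


def asciify(xml_text):
    """Option 2 from the page: character-reference every non-ASCII character.
    Text content and attribute values are escaped; element and attribute names,
    comments, CDATA and the DTD are left alone because references are not
    recognised (or not allowed) there. Caveat: a literal '>' inside a comment
    or CDATA section would confuse this simple tokenizer."""
    out, pos = [], 0
    for m in _MARKUP_RE.finditer(xml_text):
        out.append(_char_refs(xml_text[pos:m.start()]))      # text between tags
        tag = m.group()
        if not tag.startswith('<!'):                          # skip comments/CDATA/DOCTYPE
            tag = _QUOTED_RE.sub(lambda q: _char_refs(q.group()), tag)
        out.append(tag)
        pos = m.end()
    out.append(_char_refs(xml_text[pos:]))
    return set_declared_encoding(''.join(out), 'US-ASCII')


def to_latin1(xml_text):
    """Option 1 from the page: re-declare and re-encode as ISO-8859-1.
    Raises UnicodeEncodeError for characters outside Latin-1 (e.g. Chinese)."""
    return set_declared_encoding(xml_text, 'iso-8859-1').encode('iso-8859-1')


def c14n_sha256(xml_bytes):
    """SHA-256 over the canonical form of a document given as bytes (the parser
    honours the declared encoding). Stdlib C14N 2.0; the point that character
    references and literal characters canonicalize identically holds for the
    C14N 1.0 and exclusive variants used by XML-DSIG as well."""
    canonical = ET.canonicalize(xml_data=xml_bytes)
    return hashlib.sha256(canonical.encode('utf-8')).hexdigest()


if __name__ == '__main__':
    print(asciify(UTF8_DOC))
    print(c14n_sha256(UTF8_DOC.encode('utf-8')))
    print(c14n_sha256(asciify(UTF8_DOC).encode('ascii')))
    print(c14n_sha256(to_latin1(UTF8_DOC)))
```

Run it and the three digests printed at the end are identical, which is why the env-sig1-nino-latin1.xml and env-sig1-nino-ascii.xml example files verify with the same signature as the UTF-8 original.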

Whitespace before XML declaration

Entity: line 2: parser error : XML declaration allowed only at the start of the document
<?xml version="1.0" encoding="utf-8"?>
     ^
Error: unable to parse xml document (syntax error)

Solution: Remove any whitespace before the xml declaration.


Missing DTD declaration for ID type

You get an error like failed:expr=xpointer(id('...')).

func=xmlSecXPathDataExecute:file=xpath.c:line=246:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('MyInvoice')); xml error: 0: NULL
func=xmlSecXPathDataListExecute:file=xpath.c:line=330:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: 
...etc...
Error: signature verification failed

This is caused when you have a Reference to a URI in the document like this.

<Envelope xmlns="http://example.com/invoice/">
  <Invoice MyId="MyInvoice">
    <Client>Marge Simpson</Client>
    <Amount>847.63</Amount>
  </Invoice>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
	  ...
      <ds:Reference URI="#MyInvoice">

Solution: You need to add a DTD declaration to tell the verifier that there is an attribute with an ID type (a document-unique ID). See lines 2-4 below.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Envelope [
<!ATTLIST Invoice MyId ID #IMPLIED>
]>
<Envelope xmlns="http://example.com/invoice/">
  <Invoice MyId="MyInvoice">
    <Client>Marge Simpson</Client>
    <Amount>847.63</Amount>
  </Invoice>

This DTD declaration does not affect the signature value. In this case it states that the <Invoice> element has an attribute MyId with type ID. You will need to tailor the DTD to suit your particular XML structure. The DOCTYPE should match the root element of the document, in this case <Envelope>.

Note that your document may well validate OK on a different validator without this DTD. This is a specific requirement for the Online Verifier.

Signature is INVALID

There are usually two reasons why you get an error of the form RESULT: Signature is INVALID.
  1. The <SignatureValue> is wrong. The wrong key has been used or the value has been computed incorrectly or corrupted. See Signature does not verify.
    func=xmlSecOpenSSLEvpSignatureVerify:file=evp_signatures.c:line=368:obj=rsa-sha256:subj=unknown:error=18:data do not match:details=EVP_VerifyFinal: signature does not verify
    RESULT: Signature is INVALID
    
  2. One of the <DigestValue> values has been computed incorrectly. See Data and digest do not match.
    func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=279:obj=sha256:subj=unknown:error=12:invalid data:data and digest do not match
    RESULT: Signature is INVALID
    

1. Signature does not verify

In this case, all the <DigestValue> values in the References are correct, but you have made a mistake in computing the <SignatureValue>. Perhaps you used the wrong key, or provided the wrong key in the <KeyInfo> element, or canonicalized the value of the <SignedInfo> element incorrectly.

If you trace down through the error messages, you will see that all the entries under "REFERENCE VERIFICATION CONTEXT" have succeeded.

= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== Id: "xmldsig-ref0"
== URI: "#MyInvoice"
...
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#xmldsig-keyinfo"
...
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#xmldsig-signedprops"
== Type: "http://uri.etsi.org/01903#SignedProperties"

Solution: In this example, there were three DigestValues to compute and one SignatureValue. You got the first three out of four correct. Go check your calculations for the <SignatureValue> over the <SignedInfo>.

2. Data and digest do not match

In this case, you got one of the <DigestValue> values wrong. You can trace the error messages to find which one.

= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== Id: "xmldsig-ref0"
== URI: "#MyInvoice"
...
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#xmldsig-keyinfo"
...
= REFERENCE VERIFICATION CONTEXT
== Status: invalid
== URI: "#xmldsig-signedprops"
== Type: "http://uri.etsi.org/01903#SignedProperties"

Solution: Go fix the DigestValue for the Reference with URI="#xmldsig-signedprops".

Cross references

Hint                                                        Possible reason
----------------------------------------------------------  ---------------------------------------
data and digest do not match                                Data and digest do not match
failed:expr=xpointer(id('...'))                             Missing DTD declaration for ID type
Input is not proper UTF-8                                   Input is not proper UTF-8
signature does not verify                                   Signature does not verify
unable to get local issuer certificate                      No KeyValue element in the KeyInfo
                                                            X509 Certificate before KeyValue
XML declaration allowed only at the start of the document   Whitespace before XML declaration
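The cross-reference table and the "Signature is INVALID" procedure above amount to a small decision tree: look for a known hint string, then check whether any REFERENCE VERIFICATION CONTEXT block failed before blaming the SignatureValue. The following Python is an added example (not code from the page or the verifier) that parses the verifier's text output into that structure and returns the page's diagnosis. The two sample outputs are constructed from the fragments shown in the "Signature is INVALID" section; the hint table is transcribed from the cross references, and the function and key names are chosen here.

```python
# Hint -> possible reason, transcribed from the page's cross-reference table.
HINTS = (
    ('data and digest do not match', 'Data and digest do not match'),
    ("failed:expr=xpointer(id(", 'Missing DTD declaration for ID type'),
    ('Input is not proper UTF-8', 'Input is not proper UTF-8'),
    ('signature does not verify', 'Signature does not verify'),
    ('unable to get local issuer certificate',
     'No KeyValue element in the KeyInfo, or X509 Certificate before KeyValue'),
    ('XML declaration allowed only at the start of the document',
     'Whitespace before XML declaration'),
)

# Constructed from the output shown in the page's "Data and digest do not match" case.
BAD_DIGEST_OUTPUT = """\
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=279:obj=sha256:subj=unknown:error=12:invalid data:data and digest do not match
RESULT: Signature is INVALID
---------------------------------------------------
= VERIFICATION CONTEXT
== Status: invalid
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== Id: "xmldsig-ref0"
== URI: "#MyInvoice"
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#xmldsig-keyinfo"
= REFERENCE VERIFICATION CONTEXT
== Status: invalid
== URI: "#xmldsig-signedprops"
== Type: "http://uri.etsi.org/01903#SignedProperties"
"""

# Constructed from the "Signature does not verify" case: every Reference succeeded.
BAD_SIG_OUTPUT = """\
func=xmlSecOpenSSLEvpSignatureVerify:file=evp_signatures.c:line=368:obj=rsa-sha256:subj=unknown:error=18:data do not match:details=EVP_VerifyFinal: signature does not verify
RESULT: Signature is INVALID
---------------------------------------------------
= VERIFICATION CONTEXT
== Status: invalid
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#MyInvoice"
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#xmldsig-keyinfo"
"""


def parse_verifier_output(text):
    """Split the verifier's text into the overall RESULT, the matched hints and one
    dict per REFERENCE VERIFICATION CONTEXT block (keys lower-cased, quotes removed)."""
    report = {'result': None, 'hints': [], 'references': []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('RESULT:'):
            report['result'] = line.partition(':')[2].strip()
        elif line == '= REFERENCE VERIFICATION CONTEXT':
            current = {}
            report['references'].append(current)
        elif line.startswith('= '):
            current = None                      # some other context block
        elif line.startswith('== ') and current is not None:
            key, _, value = line[3:].partition(':')
            current[key.strip().lower()] = value.strip().strip('"')
        for needle, reason in HINTS:
            if needle in line and reason not in report['hints']:
                report['hints'].append(reason)
    return report


def diagnose(report):
    """Apply the page's procedure: failed References first, then the SignatureValue."""
    if report['result'] == 'Signature is OK':
        return 'OK' if not report['hints'] else 'OK, with warning: ' + '; '.join(report['hints'])
    failed = [r.get('uri') or r.get('id') or '?'
              for r in report['references'] if r.get('status') != 'succeeded']
    if failed:
        return 'Fix the DigestValue for Reference(s): ' + ', '.join(failed)
    if 'Signature does not verify' in report['hints']:
        return 'All References verified; recompute SignatureValue over the canonicalized SignedInfo'
    if report['hints']:
        return 'Check: ' + '; '.join(report['hints'])
    return 'Signature failed for a reason not covered here'


if __name__ == '__main__':
    for sample in (BAD_DIGEST_OUTPUT, BAD_SIG_OUTPUT):
        print(diagnose(parse_verifier_output(sample)))
```

Paste the verifier's whole output into parse_verifier_output(); the result dictionary also keeps the URI and Type of every Reference, which is the quickest way to see which of several XAdES references (document, KeyInfo, SignedProperties) is the one to recompute.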

Example files

The following example files are available in xmldsigverifier-examples.zip (18 kB).

File                              Description                                                               Result
--------------------------------  ------------------------------------------------------------------------  ---------------
env-sig1-ok.xml                   Valid. Enveloped signature.                                               OK
env-sig1-no-keyvalue.xml          No KeyValue                                                               Fails
env-sig1-keyvalue-after-cert.xml  KeyValue after CertValue                                                  Warning, but OK
env-sig1-nino-utf8.xml            Enveloped signature with non-ASCII characters (é, ñ) in UTF-8 encoding.   Fails
env-sig1-nino-latin1.xml          Same as above but converted to ISO-8859-1 encoding                        OK
env-sig1-nino-ascii.xml           Same as above with XML character references. US-ASCII encoding.           OK
daiwei.xml                        Valid. UTF-8 encoded Chinese characters. Should copy-and-paste OK.        OK
sig-id3-ok.xml                    Valid. Reference with ID                                                  OK
sig-id3-nodtd.xml                 Reference with ID but no DTD                                              Fails
xades-bes1-ok.xml                 Valid. XAdES-BES, 3 references, with DTD.                                 OK
xades-bes1-badsig.xml             Bad SignatureValue.                                                       Fails
xades-bes1-baddigest.xml          Bad digest value (3rd one)                                                Fails

TO TEST: open the XML file in a text editor (not in a browser, which will destroy the whitespace). Then copy-and-paste the entire document into the input box at the Online XML Digital Signature Verifier and click the Verify Signature button.


This page first published 20 March 2022. Last updated 9 April 2023