XMLDSig debugging utility
XML Signature Digest & Canonicalization Inspector
Validate supported Reference digests and SignatureValue, inspect canonicalized SignedInfo and digest bytes, review KeyInfo, and see exactly which XML content a signature covers.
XML Signature debugger
Paste signed XML or a SOAP envelope
The tool validates supported same-document Reference digests, canonicalizes SignedInfo, and verifies supported RSA SignatureValue algorithms using public key material resolved from KeyInfo. It is a practical debugging aid, not a certified XML Signature or certificate-trust validator.
The XML stays in your browser and is not saved by this tool.
Canonicalized SignedInfo will appear here.
SignedInfo UTF-8 bytes will appear here.
Signed content coverage will appear here.
KeyInfo inspection will appear here.
Signature diagnostics will appear here.
Reference digests
Inspect each signed Reference
Canonicalized XML will appear here.
Canonical UTF-8 bytes will appear here.
Namespace details will appear here.
Reference diagnostics will appear here.
Supported in this version
Reference and SignatureValue debugging
Reference targets
Empty-document URIs and short same-document #ID references resolved from common ID-style attributes, including namespaced Id attributes such as wsu:Id.
Canonicalization
Canonical XML 1.0, Canonical XML 1.1, and Exclusive XML Canonicalization 1.0, including comments variants and Exclusive C14N InclusiveNamespaces PrefixList.
Digest methods
SHA-1, SHA-256, SHA-384, and SHA-512 through the browser Web Crypto API.
Signature methods
RSA-SHA1, RSA-SHA256, RSA-SHA384, and RSA-SHA512 using PKCS#1 v1.5 verification.
KeyInfo
ds:X509Certificate, ds:RSAKeyValue, and WS-Security SecurityTokenReference values that resolve to an X.509 BinarySecurityToken.
Deliberate limits
No private keys, certificate trust validation, revocation checks, external URI fetching, XPointer, XPath, XSLT, DSA, ECDSA, HMAC, or unsupported transforms. Unsupported processing is reported instead of guessed.
FAQ
XML Signature inspector questions
What does core validation show?
The tool separates Reference digest validation from cryptographic SignatureValue verification. A supported signature is marked valid only when all supported References match and SignatureValue verifies with supported public key material resolved from KeyInfo.
Why show canonicalized SignedInfo?
SignatureValue is calculated over the canonical form of SignedInfo. The SignedInfo view and byte preview expose the exact supported UTF-8 input passed to RSA verification.
What does “What is signed?” mean?
The tool lists the resolved Reference targets and their exact document paths. It also checks whether common SOAP Body, WS-Security Timestamp, and WS-Addressing Action, To, or MessageID elements are inside a resolved referenced node. Coverage is an inspection aid, not an application-specific security-policy verdict.
What are duplicate ID warnings?
Duplicate ID-style values make short same-document Reference resolution ambiguous and can be relevant to XML signature wrapping or substitution problems. The tool refuses to guess a target and shows every matching path.
Does a valid SignatureValue mean I trust the signer?
No. It only means the cryptographic SignatureValue verifies with a supported public key found in KeyInfo. The tool does not validate certificate trust chains, revocation, or signer identity.
Does O'BRIEN differ from O'BRIEN?
After XML parsing, O'BRIEN and a literal apostrophe represent the same text value. Literal ' represents different character data and remains visibly escaped in canonical XML. The diagnostics highlight suspicious double-escaped entity text in the raw XML.
Can I paste real healthcare messages?
No. Use synthetic or appropriately de-identified test data only.