Bulk validation

for i in *.wgt; do echo -n "$i "; curl -F "widget=@$i" -F "v=1" http://v.wacapps.net/upload.php; done

Source code

Note that this tool validates signatures only; it DOES NOT check revocation status via OCSP or CRL.

WAC 2.0 Author signatures

Key files used for generating WAC 2.0 author signatures are called Publisher IDs.

The key file uses the PKCS12 format and is protected by the password "secret", much like an SSH secret key.

In the keystore there is a private key as well as:

  1. public key (also known as the end entity certificate) of the secret key, signed by the intermediate key
  2. the intermediate CA public key (referred to as "L1 CA" by TC TrustCenter) signed by the root key
  3. (optionally) the root (also known as the trust anchor)

Ordering is important: Signer pubkey, then intermediate, then (optionally) root. You can gauge this by the Subject: attribute.

Signature schema validation

Notice that the canonicalization Algorithm for WAC2 signatures is http://www.w3.org/2001/10/xml-exc-c14n#, yet the Transform algorithm is http://www.w3.org/2006/12/xml-c14n11. This is controversial and may change. It is checked in the RelaxNG schema:

http://tests.wacapps.net/?p=validation;a=blob;f=v/xmldsig.rnc

Another further schema to check for TargetRestriction.

WAC 2.0 distributor signatures

In http://tests.wacapps.net/?p=wac2tests;a=tree;f=tools/keys/distributor; you will find "content ID" signing keys for every test.

We make a couple of assumptions here: that every test widget's id is of the form http://tests.wacapps.net/2.0/ + REQID, for example, http://tests.wacapps.net/2.0/WS-0070.

This assumption breaks when there are several tests testing one REQID. In that case we use the same key across the "a,b,c" tests. It also breaks when, for example, the WAC ACID3 tests several requirements; we don't distributor sign it, because we don't know how best to handle this case yet.

OCSP

We have an unstable OCSP server running at http://tests.wacapps.net:8080 which you can use to ensure the distributor signature has not been revoked.

This can be tested like so:

openssl ocsp -issuer ISSUER.pem -cert CERTIFICATE -url http://tests.wacapps.net:8080 -resp_text

The CERTIFICATE is embedded in signature1.xml in http://tests.wacapps.net/2.0/core/securityprivacy/SP-2152.wgt for example.

The second certificate embedded in the signature1.xml should be the ISSUER.pem. This is the public key of the certificate that issued the CERTIFICATE.

The response text contains the public key of the response signer, which vendors must chain back to the root trust anchor. In order to get the root you must agree to the Root Certificate Distribution Agreements or contact Craig Heath.
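The extraction step described above can be scripted. The following is an added example, not part of the original tools: it pulls the X509Certificate elements out of a signature1.xml (unpacked from the .wgt) and writes them as the CERTIFICATE and ISSUER.pem files the openssl ocsp command expects. It assumes the first embedded certificate is the signer and the second its issuer; the function names and the sample XML are constructed for illustration.

```python
import base64
import sys
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML Signature namespace

def embedded_certs_pem(signature_xml):
    """Return every ds:X509Certificate as a PEM string, in document order."""
    pems = []
    for node in ET.fromstring(signature_xml).iter(DS + "X509Certificate"):
        b64 = "".join((node.text or "").split())  # strip line breaks and indentation
        if not b64:
            raise ValueError("empty X509Certificate element")
        base64.b64decode(b64, validate=True)  # raises on non-base64 content
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        pems.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                    + "\n-----END CERTIFICATE-----\n")
    return pems

def ocsp_inputs(signature_xml):
    """Assumption: the first certificate is the signer, the second is its issuer."""
    pems = embedded_certs_pem(signature_xml)
    if len(pems) < 2:
        raise ValueError("expected signer and issuer, found %d certificate(s)" % len(pems))
    return {"CERTIFICATE": pems[0], "ISSUER.pem": pems[1]}

# Constructed sample: the base64 payloads are placeholder bytes, not real certificates.
SIGNER_B64 = base64.b64encode(b"constructed signer placeholder " * 3).decode()
ISSUER_B64 = base64.b64encode(b"constructed issuer placeholder " * 3).decode()
SAMPLE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <KeyInfo><X509Data>
    <X509Certificate>%s</X509Certificate>
    <X509Certificate>%s</X509Certificate>
  </X509Data></KeyInfo>
</Signature>""" % (SIGNER_B64, ISSUER_B64)

if __name__ == "__main__":
    # Pass the path to an unpacked signature1.xml, or run with no argument for the sample.
    xml_data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, pem in ocsp_inputs(xml_data).items():
        with open(name, "w") as fh:
            fh.write(pem)
    print("openssl ocsp -issuer ISSUER.pem -cert CERTIFICATE "
          "-url http://tests.wacapps.net:8080 -resp_text")
```

Confirm the roles before trusting the result by comparing the Subject of ISSUER.pem with the Issuer of CERTIFICATE; a signature that embeds the certificates in another order will otherwise query the responder about the wrong certificate.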

How pre-production test signatures are generated

As announced, http://tests.wacapps.net/?p=wac2tests;a=tree;f=tools is the location of the tools used to author sign and distributor sign the test widgets.