> It output " Signature verified OK! " > > So, > > If Apache is right, then F5 is wrong. > If F5 is right, then Apache is wrong.
There are two Apache libraries. Assuming you generated the signature in something that's not the C++ library, then Apache has verified it with two different implementations, and there's a strong chance we're right and they're wrong. That's aside from the fact that looking at it, it strongly appears they are wrong and are confused about how c14n is done inside references. -- Scott
