I'm trying to do some XML signing where only part of the XML is signed, but after a lot of searching I can't find a solution.
I'm using Java with an XPath2 transform and EXCLUSIVE canonicalization to sign the XML. If I have the following XML
<?xml version="1.0" encoding="UTF-8"?>
<msg xmlns="http://someaddress/ad/m1" xmlns:ns1="http://someotheraddres/ad/m2" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
<header>
<id>wsfrwerwerwer</id>
<name>addr</name>
<somenode>
<trace>ND</trace>
</somenode>
</header>
<payload><ns0:addr xmlns:ns0="http://someaddres/ad/m3"><ns2:data xmlns:ns2="http://someaddres/ad/m3">
<ns2:name>somevalue</ns2:name>
<ns2:value>354</ns2:value>
</ns2:data>
</ns0:addr>
</payload>
</msg>
and sign it, I get the following output (real data replaced with dummy values)
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<msg xmlns="http://someaddress/ad/m1" xmlns:ns1="http://someotheraddres/ad/m2" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
<header>
<id>wsfrwerwerwer</id>
<name>addr</name>
<somenode>
<trace>ND</trace>
</somenode>
</header>
<payload>
<ns0:addr xmlns:ns0="http://someaddres/ad/m3">
<ns2:data xmlns:ns2="http://someaddres/ad/m3">
<ns2:name>somevalue</ns2:name>
<ns2:value>354</ns2:value>
</ns2:data>
</ns0:addr>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" xmlns:ns0="http://someaddres/ad/m3" Filter="intersect">//*[local-name()='addr']/*</XPath>
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>sdlfjdeklsdfngf</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>femhjgklnlkl</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>swerwerwrwerwerwe</X509Certificate>
</X509Data>
</KeyInfo>
</Signature> …
Is it possible to create a JAXB marshaller that automatically adds a digital signature to the XML content?
For example, if I have a class defined like this:
@XmlRootElement
@XmlAccessorType(XmlAccessType.FIELD)
public class Test {
    @XmlElement
    private String info;

    public String getInfo() {
        return info;
    }

    public void setInfo(String info) {
        this.info = info;
    }
}
and the XML generated by my marshaller looks like:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><test><info>value</info></test>
I want it to look like:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Security>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#envelopedsignature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>4432kZ6c2JPwP3A=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Mvbd4603knhh2LZTyE1MIiEF7N46b7GoTzxsqs5eyIXYNG96MFPIMo+P6okzIPzRKrL2obpf3V4D/F0gw5vM/UJwb2MvrCo/5JM5qvV0f09dzWLrgkPyShiQnFL2vzECwmMOrCA=</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>…</X509Certificate>
</X509Data>
<KeyValue>
<RSAKeyValue>
<Modulus>1EN/UxtM2fLYxxDmSxgjSd10AzCxvZtNGAER9j3+OMqZjBXG9uLiZR+GbtOXbsDz3fyiwEfu/FDeeGGESppYAL5foQ72t2ztV5w2GLtTH0K+wrlImmvoTdl6bsdC7RXAsXVxtlkoG0xL7HGwZLvM=</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</Security>
<test><info>value</info></test>
I hope there is a way for the marshaller to do this? If not, maybe there is some other simple way to sign an XML?
Thanks in advance
We can create an XML digital signature using an RSA key. But how do we sign an XML file using an elliptic curve key? I get an error message like -
Exception in thread "main" java.security.KeyException: ECKeyValue not supported
at org.jcp.xml.dsig.internal.dom.DOMKeyValue$EC.<init>(DOMKeyValue.java:350)
at org.jcp.xml.dsig.internal.dom.DOMKeyInfoFactory.newKeyValue(DOMKeyInfoFactory.java:71)
at csr.ExtractEC.main(XMLSignatureECTest.java:57)
Caused by: java.lang.ClassNotFoundException: sun/security/ec/ECParameters
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:264)
at org.jcp.xml.dsig.internal.dom.DOMKeyValue$EC.getMethods(DOMKeyValue.java:367)
at org.jcp.xml.dsig.internal.dom.DOMKeyValue$EC$1.run(DOMKeyValue.java:343)
at org.jcp.xml.dsig.internal.dom.DOMKeyValue$EC$1.run(DOMKeyValue.java:339)
at java.security.AccessController.doPrivileged(Native Method)
at org.jcp.xml.dsig.internal.dom.DOMKeyValue$EC.<init>(DOMKeyValue.java:338)
... 2 more
I created the SignatureMethod and KeyInfo with the following code -
String url = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
SignatureMethod signatureMethod = factory.newSignatureMethod(url, null);
SignedInfo signedInfo = factory.newSignedInfo(c14n, signatureMethod, Collections.singletonList(reference));
PrivateKey privateKey = Utils.generatePrivateEC("e:\\certs\\ec\\ec.key.p8");
Certificate certificate = Utils.generatePublic("e:\\certs\\ec\\ec.cer");
KeyInfoFactory keyInfoFactory = factory.getKeyInfoFactory();
KeyValue keyValue = keyInfoFactory.newKeyValue(certificate.getPublicKey());
KeyInfo keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(keyValue));
JDK - Oracle JDK …
I'm trying to verify the signature of an XML document (attached at the bottom of the question) with the xmlsec1 utility. However, when I run the command
xmlsec1 --verify test.xml
I get the following stack trace:
func = xmlSecXPathDataExecute:file = xpath.c:line = 273:obj = unknown:subj = xmlXPtrEval:error = 5:libxml2 library function failed:expr = xpointer(id('uuid-73c06e86-88d2-4204-91f4-3d484bc782cc' ))
func = xmlSecXPathDataListExecute:file = xpath.c:line = 373:obj = unknown:subj = xmlSecXPathDataExecute:error = 1:xmlsec library function failed:
func = xmlSecTransformXPathExecute:file = xpath.c:line = 483:obj = xpointer :subj = xmlSecXPathDataExecute:error = 1:xmlsec library function failed:
func = xmlSecTransformDefaultPushXml:file = transforms.c:line = 2411:obj = xpointer:subj = xmlSecTransformExecute:error = 1:xmlsec library function failed:
func = xmlSecTransformCtxXmlExecute:file = transforms.c:line = 1242:obj = unknown:subj = xmlSecTransformPushXml:error = 1:xmlsec library function failed:transform = xpointer
func = xmlSecTransformCtxExecute:file = transforms.c:line = 1302:obj = …
I'm trying to verify a signature like this (it's a PARes from Mastercard) and receive false every time, but the XML from VISA works OK
Mastercard
<?xml version="1.0" encoding="UTF-8"?>
<ThreeDSecure><Message id="89e8bafa-755d-4ae9-a357-8641f13f057f"><PARes id="PARes-3cz1Jjfc"><version>1.0.2</version><Merchant><acqBIN>521324</acqBIN><merID>100000000000020</merID></Merchant><Purchase><xid>Z0FSSEFabjE1MTU2NTg2MTAzODY=</xid><date>20180111 08:16:50</date><purchAmount>1000</purchAmount><currency>643</currency><exponent>2</exponent></Purchase><pan>0000000000002290</pan><TX><time>20180111 08:17:00</time><status>Y</status><cavv>jNsniZHx4MT1DxEhZAITCFAAAAA=</cavv><eci>02</eci><cavvAlgorithm>3</cavvAlgorithm></TX></PARes><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#PARes-3cz1Jjfc"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>8I/izdCJcp7wABf2YfFQbd4Ktxg=</DigestValue></Reference></SignedInfo><SignatureValue>IQuLAtGT8rEFp/a5bV9Wu8qiSXpTGtvkJaJCuPTrflwPFFwiSLuivfcInX8pzirmObPV9ue4Kn8YFu+ltiYg8g2sHMa6S9RfC330+/ntBL2XxNp6IO+s7anGsM5WOmd3Pt176Ft5DRDOpeJg8N9PtbhYPQ//TzzehApb9/EMnpFZKEnJbYYl5Wpa7gPV+iIJJryAdZF3CW3c6/ns/XzwQZ9Tfm9t24SRbF2U/Hkn7aD6MUug772hqNiOHQJ0gtdtDxR9KkQfh3aNq5EmS2MEgfoCkm8mUOO/fQEOMBy2fbgE4/JnDZ/7n2x/hDKZZn9oUv7BLvoM1IcjfYKRiEve7g==</SignatureValue><KeyInfo><X509Data><X509Certificate>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</X509Certificate><X509Certificate>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</X509Certificate><X509Certificate>MIIEgDCCA2igAwIBAgIQQ3EBfDozHhKp3pmzcHr6ZzANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFE1hc3RlckNhcmQgV29ybGR3aWRlMS4wLAYDVQQLEyVNYXN0ZXJDYXJkIFdvcmxkd2lkZSBTZWN1cmVDb2RlIEdlbiAyMSIwIAYDVQQDExlQUkQgTUMgU2VjdXJlQ29kZSBSb290IENBMB4XDTEyMDYyMjA5MjIxNFoXDTI1MDYyMTA5MjIxNVowgYYxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRNYXN0ZXJDYXJkIFdvcmxkd2lkZTEuMCwGA1UECxMlTWFzdGVyQ2FyZCBXb3JsZHdpZGUgU2VjdXJlQ29kZSBHZW4gMjEoMCYGA1UEAx
MfUFJEIE1DIFNlY3VyZUNvZGUgSXNzdWVyIFN1YiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANaeBgfjTKIFls7ueMTzI2nYwAbocHwkQqd8BsIyJbZdk21E+vyq9EhX1NIoiAhP7fl+y/hosX66drjfrbyspZLalrVG6gYbdB2j2Sr8zBRQnMZKKluDwYv/266nnRBeyGYW3FwyVu8L1ACYQc04ACke+07NI/AZ8OXQSoeboEEGUO520/76o1cER5Ok9HRi0jJD8E64j8dEt36Mcg0JaKQiDjShlyTw4ABYyzZ1Vxl0/iDrfwboxNEOOooC0rcGNnCpISXMWn2NmZH1QxiFt2jIZ8QzF3/z+M3iYradh9uZauleNqJ9LPKr/aFFDbe0Bv0PLbvXOnFpwOxvJODWUj8CAwEAAaOB7TCB6jAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUwTArnR3hR1+Ij1uxMtqoPBm2j7swgacGA1UdIwSBnzCBnKGBhqSBgzCBgDELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFE1hc3RlckNhcmQgV29ybGR3aWRlMS4wLAYDVQQLEyVNYXN0ZXJDYXJkIFdvcmxkd2lkZSBTZWN1cmVDb2RlIEdlbiAyMSIwIAYDVQQDExlQUkQgTUMgU2VjdXJlQ29kZSBSb290IENBghEA7qGSrpcB0q8DkgwCPcT3kzANBgkqhkiG9w0BAQUFAAOCAQEA3lJuYVdiy11ELUfBfLuib4gPTbkDdVLBEKosx0yUDczeXoTUOjBEc90f5KRjbpe4pilOGAQnPNUGpi3ZClS+0ysTBp6RdYz1efNLSuaTJtpJpoCOk1/nw6W+nJEWyDXUcC/yVqstZidcOG6AMfKU4EC5zBNELZCGf1ynM2l+gwvkcDUv4Y2et/n/NqIKBzywGSOktojTma0kHbkAe6pj6i65TpwEgEpywVl50oMmNKvXDNMznrAG6S9us+OHDjonOlmmyWmQxXdU1MzwdKzPjHfwl+Z6kByDXruHjEcNsx7P2rUTm/Bt3SWW1K48VfNNhVa/WctTZGJCrV3Zjl6A9g==</X509Certificate></X509Data></KeyInfo></Signature></Message></ThreeDSecure>
My validation code
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
DocumentBuilder builder = dbf.newDocumentBuilder();
final InputStream stream = new ByteArrayInputStream(xmlDoc.getBytes(StandardCharsets.UTF_8));
Document doc = builder.parse(stream);
NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
if (nl.getLength() == 0) {
    throw new XMLSignatureException("Cannot find Signature element");
}
DOMValidateContext valContext = new DOMValidateContext(new …
I'm writing some code for a government billing system and after a few weeks of reading I've reached a dead end.
I need to verify at least two signatures in an XML file received from the server. I've written some code based on the public MSDN samples that verifies signatures when I sign them myself using a certificate file or the X509Store, and that works fine: I can sign and verify each signature by its reference without difficulty.
But when I receive the file I don't know how to verify it, because I don't have the certificate file. Of course I know there is a tag inside it; if I take that value and put it into openssl.exe I can verify the signer's identity, but I don't know how to check whether the signature is correct.
http://puu.sh/dypRH/c45e200202.png
In the past I used
if (signedXml.CheckSignature(cert, true))
and now I'm trying to use signedXml.CheckSignature()
It fails every time, and I can't choose which signature by reference, so I made a
foreach (XmlNode node1 in nodeList)
{
    testt = node1.OuterXml;
    testt = testt.Replace(Environment.NewLine, string.Empty);
    ttt.PreserveWhitespace = true;
    ttt.LoadXml(testt);
    testt = testt.Replace(Environment.NewLine, string.Empty);
    signedXml.LoadXml(ttt.DocumentElement);
    //if (signedXml.CheckSignature(cert, true))
    if (signedXml.CheckSignature())
    {
        Console.WriteLine("The XML signature is valid.");
    }
    else
    {
        Console.WriteLine("The XML signature is not valid.");
    }
    #endregion
}
but they still fail.
I also created the certificate from the XML file,
X509Certificate c = X509Certificate.CreateFromSignedFile("test.xml");
theCertificate = new X509Certificate2(c);
to verify, but that failed as well.
I really don't know what to do now, I'm a bit desperate. Here is the XML file
http://puu.sh/dyqcv/356dd289ae.xml
I need to verify the signature; after that I have to produce a response file and send it back to the server (it's ready, but since I can't verify the signature I don't want to send it out).
Oh yes, I already removed the namespaces and normalized everything before the signature check/computation
public static XElement RemoveAllNamespaces(XElement e)
{
    return new XElement(e.Name.LocalName,
        (from …
Suppose I have XML like this:
<?xml version="1.0" encoding="UTF-8"?>
<CATALOG>
<CD>
<TITLE>Empire Burlesque</TITLE>
<ARTIST>Bob Dylan</ARTIST>
<COUNTRY id="123">USA</COUNTRY>
<COMPANY>Columbia</COMPANY>
<PRICE>10.90</PRICE>
<YEAR>1985</YEAR>
</CD>
<CD>
<TITLE>Hide your heart</TITLE>
<ARTIST>Bonnie Tyler</ARTIST>
<COUNTRY>UK</COUNTRY>
<COMPANY>CBS Records</COMPANY>
<PRICE>9.90</PRICE>
<YEAR>1988</YEAR>
</CD>
<CD>
<TITLE>Greatest Hits</TITLE>
<ARTIST>Dolly Parton</ARTIST>
<COUNTRY>USA</COUNTRY>
<COMPANY>RCA</COMPANY>
<PRICE>9.90</PRICE>
<YEAR>1982</YEAR>
</CD>
</CATALOG>
After signing I get:
<?xml version="1.0" encoding="UTF-8"?>
<CATALOG>
<CD>
<TITLE>Empire Burlesque</TITLE>
<ARTIST>Bob Dylan</ARTIST>
<COUNTRY id="123">USA</COUNTRY>
<COMPANY>Columbia</COMPANY>
<PRICE>10.90</PRICE>
<YEAR>1985</YEAR>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ds:DigestValue>C6i9GSNZ8seoXxfuFc482Q==</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
d/ufAnYK35PKUdi+O6DUytV+36OGAr5meHXq2qoOUp+zO1Q5HbJvIs01qlPT9oKiBEi2QiAF3Sya
ZVwi4hEI9xHkLiewmOxPo1KgVfJ1Ir2RPpkdegFYFx9QCMR4Z1M7zTkijCKv9ncWR4MYjOAfDrKf
fbvUX3AbRHlUYJj6M4QcrQUuBPhSqo4TcxtfblNqmKUT+141+sLSsuM2xy24YeyF7NUff9tirCiP
KgBHpFGtiJAdxugAlzqHaR9CP2kRA2Sg046NBo2yO/nTDfUKqquZm4aaZsLWbvKJYvrgqD4YgH4M
FFpK5ChgYa4oi7f9BAYxOFcY9f1OCHsvpdCbpw== …
I am trying to verify an MS Word *.docx file that carries a digital signature. To verify it I have to compute the digest of each referenced node and check that it is the same as the digest given in the signature (sig1.xml). I can't find information on how to implement the relationship transform needed to compute that digest.
The relevant part of the signature XML (sig1.xml) is:
<Object Id="idPackageObject" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature">
<Manifest><Reference URI="/_rels/.rels?ContentType=application/vnd.openxmlformats-package.relationships+xml">
<Transforms><Transform Algorithm="http://schemas.openxmlformats.org/package/2006/RelationshipTransform">
<mdssi:RelationshipReference SourceId="rId1"/></Transform>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>1vWU/YTF/7t6ZjnE44gAFTbZvvA=</DigestValue>....(next ref node ....)..
<Reference URI="/word/document.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>s2yQEJrQSfC0YoRe1hvm+IGBpJQ=</DigestValue></Reference>.....More Reference Nodes.....
The /_rels/.rels file itself:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
<Relationship Id="rId4" Type="http://schemas.openxmlformats.org/package/2006/relationships/digital-signature/origin" Target="_xmlsignatures/origin.sigs"/>
</Relationships>
So I need to compute the SHA1 of /_rels/.rels, but before computing it I have to apply the relationship transform and C14N.
When I compute the digest of a node without the relationship transform (for example this one:)
<Reference URI="/word/document.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>s2yQEJrQSfC0YoRe1hvm+IGBpJQ=</DigestValue>
</Reference>
everything is fine: I just take the SHA1 of the referenced URI (in this case /word/document.xml) and get the same hash as given in the signature node. But when it comes to the node with the relationship transform, the computation never gives the same value as stated in the signature.
My question, in general, is where can I find information about this relationship transform and how to implement it?
Thanks,
George
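As an added example, not the poster's code or any library's implementation, the following Python applies the Relationships Transform defined in ECMA-376 Part 2 (Open Packaging Conventions) to the .rels part above for SourceId rId1, canonicalises the result with C14N 1.0 and computes the SHA-1 DigestValue the Reference carries (SHA-1 only because this signature uses it). It assumes the transformed part is rebuilt without the original whitespace text nodes; that choice is what decides whether the computed digest equals the value in sig1.xml.

```python
"""OPC Relationships Transform for a .rels part, followed by C14N and SHA-1."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_ATTRS = ("Id", "Type", "Target", "TargetMode")  # the attributes OPC defines

# Constructed sample input: the /_rels/.rels part quoted in the question.
SAMPLE_RELS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
<Relationship Id="rId4" Type="http://schemas.openxmlformats.org/package/2006/relationships/digital-signature/origin" Target="_xmlsignatures/origin.sigs"/>
</Relationships>"""


def relationships_transform(rels_xml, source_ids=(), source_types=()):
    """Apply the Relationships Transform and return the C14N 1.0 result.

    Only Relationship elements whose Id is one of the signature's SourceId
    values (or whose Type is one of its SourceType values) survive; each
    survivor gets TargetMode="Internal" if it has no TargetMode, and the
    survivors are emitted sorted by Id. The part is rebuilt from scratch,
    so its original whitespace and comments never reach the digest.
    """
    root = ET.fromstring(rels_xml)
    kept = [r for r in root.iter(f"{{{RELS_NS}}}Relationship")
            if r.get("Id") in source_ids or r.get("Type") in source_types]
    parts = [f"<Relationships xmlns={quoteattr(RELS_NS)}>"]
    for rel in sorted(kept, key=lambda r: r.get("Id", "")):
        attrs = {n: rel.get(n) for n in REL_ATTRS if rel.get(n) is not None}
        attrs.setdefault("TargetMode", "Internal")
        parts.append("<Relationship" + "".join(
            f" {n}={quoteattr(v)}" for n, v in attrs.items()) + "/>")
    parts.append("</Relationships>")
    # C14N orders attributes and namespace declarations for us.
    return ET.canonicalize("".join(parts), with_comments=False)


def reference_digest(rels_xml, source_ids=(), source_types=()):
    """Base64 SHA-1 of the transformed part: the DigestValue for a Reference
    whose transform chain is RelationshipTransform followed by C14N."""
    c14n = relationships_transform(rels_xml, source_ids, source_types)
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode("ascii")


if __name__ == "__main__":
    print(relationships_transform(SAMPLE_RELS, source_ids=("rId1",)))
    print(reference_digest(SAMPLE_RELS, source_ids=("rId1",)))
```

Relationships not named by a SourceId or SourceType are dropped before digesting, so the signature proves nothing about them.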