库:apache Santuario xades4j。
使用xPathto选择元素并对其进行签名。
如果我尝试在没有命名空间的情况下签署一个简单的XML并验证签名,它会很好地工作,但是如果XML定义了一个命名空间,例如XML:
<ClinicalDocument xmlns="urn:hl7-org:v3">
<element1tobesigned.../>
<element2tobesigned.../>
</ClinicalDocument>
且验证签名时发现异常
858 WARN [main] org.apache.xml.security.signature.Reference - Verification failed for URI "#xmldsig-5fb20abe-b14c-4d84-a908-e22e776cd6f1-signedprops" 858 WARN [main] org.apache.xml.security.signature.Reference - Expected Digest: q0WnWFf9j0kcT46t5cXmcPnVvu5o51oAcmej/SjCazQ= 858 WARN [main] org.apache.xml.security.signature.Reference - Actual Digest: 41zXKVkRCsxUYpNZXW5b9KkZlTC9LM9WA8O7WHQz1Rg= xades4j.verification.ReferenceValueException: Reference '#xmldsig-5fb20abe-b14c-4d84-a908-e22e776cd6f1-signedprops' cannot be validated
原因是XML命名空间(urn: hl7-org:v3)被添加到xade:SignedProperties中,然后摘要变得不同。
858 DEBUG [main] org.apache.xml.security.utils.DigesterOutputStream - Pre-digested input
858 DEBUG [main] org.apache.xml.security.utils.DigesterOutputStream - <xades:SignedProperties xmlns="urn:hl7-org:v3" ........./>
这是签名生成代码
XadesTSigningProfile profile = new XadesTSigningProfile(keyProvider); profile.withTimeStampTokenProvider(TestTimeStampTokenProvider.class) .withAlgorithmsProviderEx(ExclusiveC14nForTimeStampsAlgorithmsProvider.class); XadesSigner signer = profile.newSigner(); DataObjectDesc obj1 = new DataObjectReference("") .withTransform(new ExclusiveCanonicalXMLWithoutComments()) .withTransform( new XPathTransform(xPath); SignedDataObjects dataObjs = new SignedDataObjects().withSignedDataObject(obj1); changed 2012-11-20 begin // signer.sign(dataObjs, docToSign.getDocumentElement() ); new Enveloped(signer).sign(docToSign.getDocumentElement()); changed 2012-11-20 end
这是验证码
NodeList signatureNodeList = getSigElement(getDocument("my/my-document.signed.bes.countersign.xml"));
for (int i = 0; i < signatureNodeList.getLength(); i++) {
Element signatureNode = (Element) signatureNodeList.item(i);
verifySignature(signatureNode, new XadesVerificationProfile(VerifierTestBase.validationProviderMySigs));
log.info("successful validation");
}
public static XAdESForm verifySignature(Element sigElem,
XadesVerificationProfile p) throws Exception {
XAdESVerificationResult res = p.newVerifier().verify(sigElem, null);
return res.getSignatureForm();
}
看起来在Apache SantuarioFAQ中有一个关于这个问题的文档,
2.6. I sign a document and when I try to verify using the same key, it fails
After you have created the XMLSignature object, before you sign the document, you must embed the signature element in the owning document (using a call to XMLSignature.getElement() to retrieve the newly created Element node from the signature) before calling the XMLSignature.sign() method,
During canonicalisation of the SignedInfo element, the library looks at the parent and ancestor nodes of the Signature element to find any namespaces that the SignedInfo node has inherited. Any that are found are embedded in the canonical form of the SignedInfo. (This is not true when Exclusive Canonicalisation is used, but it is still good practice to insert the element node prior to the sign() method being called).
If you have not embedded the signature node in the document, it will not have any parent or ancestor nodes, so it will not inherit their namespaces. If you then embed it in the document and call verify(), the namespaces will be found and the canonical form of SignedInfo will be different to that generated during sign().
还有一个关于这个问题的文档如下
https://stackoverflow.com/a/12759909/1809884
看起来这不是xades4j的bug,而是xml签名问题。
--添加2012-11-15
here is how to get the docToSign . in fact , i just reused the code in class SignatureServicesTestBase . so i am sure that it is namespaceaware.
static
{
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
db = dbf.newDocumentBuilder();
}
public static Document getDocument(String fileName) throws Exception
{
String path = toPlatformSpecificXMLDirFilePath(fileName);
Document doc = db.parse(new FileInputStream(path));
// Apache Santuario now uses Document.getElementById; use this convention for tests.
Element elem = doc.getDocumentElement();
DOMHelper.useIdAsXmlId(elem);
return doc;
}
and docToSign is return by calling SignatureServicesTestBase.getDocument()
Document docToSign = SignatureServicesTestBase.getDocument("my/cdamessage.xml");
和SignedProperties元素如下
<xades:SignedSignatureProperties>
<xades:SigningTime>2012-11-15T13:58:26.167+09:00</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>4btVb5gQ5cdcNhGpvDSWQZabPQrR9jf1x8e3YF9Ajss=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=Itermediate,OU=CC,O=ISEL,C=PT</ds:X509IssuerName>
<ds:X509SerialNumber>-119284162484605703133798696662099777223</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>vm5QpbblsWV7fCYXotPhNTeCt4nk8cLFuF36L5RJ4Ok=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=TestCA,OU=CC,O=ISEL,C=PT</ds:X509IssuerName>
<ds:X509SerialNumber>-46248926895392336918291885380930606289</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>AUaN+IdhKQqxIVmEOrFwq+Dn22ebTkXJqD3BoOP/x8E=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=TestCA,OU=CC,O=ISEL,C=PT</ds:X509IssuerName>
<ds:X509SerialNumber>-99704378678639105802976522062798066869</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
</xades:SignedProperties>
此外,我使用xpath获取要签名的元素,并且命名空间(xmlns="urn: hl7-org:v3")也添加到结果中。
543 DEBUG [main] org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "null")
544 DEBUG [main] org.apache.xml.security.utils.ElementProxy - setElement("dsig-xpath:XPath", "null")
658 DEBUG [main] org.apache.xml.security.utils.DigesterOutputStream - Pre-digested input:
658 DEBUG [main] org.apache.xml.security.utils.DigesterOutputStream - <component xmlns="urn:hl7-org:v3" Id="ES" contextConductionInd="true" typeCode="COMP">
<section classCode="DOCSECT" moodCode="EVN">
<code code="ES" codeSystem="2.16.840.1.113883.6.1" codeSystemName="SectionCode" codeSystemVersion="1.0" displayName="english"></code>
<text>english</text>
</section>
</component>
xpath有什么问题吗?xpath快把我逼疯了。我想我必须从现在开始学习xpath。
克里斯
您正在创建一个封装签名,但缺少封装签名转换!由于整个文档正在签名,因此必须排除签名节点本身,因为它的某些内容在签名计算后会发生变化。
真不敢相信,直到你提到包络类,我才看到它。顺便说一句,这个类只是一个简单、直接的包络siganture的实用程序类。它可能甚至不应该在那里。你可以自己添加转换:
DataObjectDesc obj1 = new DataObjectReference("")
.withTransform(new EnvelopedSignatureTransform())
.withTransform(new ExclusiveCanonicalXMLWithoutComments())
...