
XADES Signature Verification

I use the below Java code to verify an XML signature using xades4j

    import java.io.FileInputStream;
    import java.security.KeyStore;
    import org.w3c.dom.Element;
    import org.w3c.dom.NodeList;
    import xades4j.providers.CertificateValidationProvider;
    import xades4j.providers.impl.FileSystemDirectoryCertStore;
    import xades4j.providers.impl.PKIXCertificateValidationProvider;
    import xades4j.verification.XAdESVerificationResult;
    import xades4j.verification.XadesVerificationProfile;

    // Locate the ds:Signature element (doc is a namespace-aware parsed Document)
    NodeList nl = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");

    // Intermediate certificates / CRLs used for certification path building
    FileSystemDirectoryCertStore certStore = new FileSystemDirectoryCertStore("cert/store/");
    // Trust anchors: the key store must hold the trusted (root) certificate
    KeyStore ks = KeyStore.getInstance("jks");
    try (FileInputStream fis = new FileInputStream("cert/store/myStore")) {
        ks.load(fis, "password".toCharArray());
    }
    // second argument false = revocation checking disabled
    CertificateValidationProvider provider =
            new PKIXCertificateValidationProvider(ks, false, certStore.getStore());

    XadesVerificationProfile profile = new XadesVerificationProfile(provider);
    Element sigElem = (Element) nl.item(0);
    XAdESVerificationResult r = profile.newVerifier().verify(sigElem, null);

But I get the below exception, and it says the digest values are not equal.

xades4j.verification.ReferenceValueException: Reference '#xmldsig-xxxx-abc-object11' cannot be validated

Below is the XML file (I replaced the actual data with mock data)

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="xmldsig-abc">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference Id="xmldsig-aee6fb07-8566-47eb-acb7-abc-ref0"
                      Type="http://www.w3.org/2000/09/xmldsig#Object"
                      URI="#xmldsig-xxx-abc-object11">
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>XXXX</ds:DigestValue>
        </ds:Reference>
        <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties"
                      URI="#xmldsig-xxx-abc-signedprops">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>XXXXX</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue Id="xmldsig-xxxx-sigvalue">XXXXX
    </ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>xXxxxxxx
            </ds:X509Certificate>
            <ds:X509IssuerSerial>
                <ds:X509IssuerName>xxxxx</ds:X509IssuerName>
                <ds:X509SerialNumber>xxxx</ds:X509SerialNumber>
            </ds:X509IssuerSerial>
            <ds:X509SubjectName>xxxxx
            </ds:X509SubjectName>
        </ds:X509Data>
    </ds:KeyInfo>
    <ds:Object Id="xmldsig-xxx-abc-object11">
        <ns2:Vehicle xmlns:ns2="xx:xx"
                            xmlns="xx:xx"> 
                            .................................
        </ns2:Vehicle>
    </ds:Object>
    <ds:Object>
        <xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#"
                                    xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#"
                                    Target="#xmldsig-xxx-abc">
            <xades:SignedProperties Id="xmldsig-xxx-abc-signedprops">
                <xades:SignedSignatureProperties>
                    <xades:SigningTime>xxxxxxx</xades:SigningTime>
                    <xades:SigningCertificate>
                        <xades:Cert>
                            <xades:CertDigest>
                                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                                <ds:DigestValue>xxxxxxxxxx</ds:DigestValue>
                            </xades:CertDigest>
                            <xades:IssuerSerial>
                                <ds:X509IssuerName>xxxxxxxxxxx
                                </ds:X509IssuerName>
                                <ds:X509SerialNumber>xxxxxxxxxxx</ds:X509SerialNumber>
                            </xades:IssuerSerial>
                        </xades:Cert>
                        <xades:Cert>
                            <xades:CertDigest>
                                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                                <ds:DigestValue>xxxxxxxxx</ds:DigestValue>
                            </xades:CertDigest>
                            <xades:IssuerSerial>
                                <ds:X509IssuerName>xxxxxxxxxx
                                </ds:X509IssuerName>
                                <ds:X509SerialNumber>xxxxxxxxxxxx</ds:X509SerialNumber>
                            </xades:IssuerSerial>
                        </xades:Cert>
                        <xades:Cert>
                            <xades:CertDigest>
                                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                                <ds:DigestValue>xxxxxxxxx</ds:DigestValue>
                            </xades:CertDigest>
                            <xades:IssuerSerial>
                                <ds:X509IssuerName>xxxxxxxxxxxx
                                </ds:X509IssuerName>
                                <ds:X509SerialNumber>xxxxxxxxxxxx</ds:X509SerialNumber>
                            </xades:IssuerSerial>
                        </xades:Cert>
                    </xades:SigningCertificate>
                </xades:SignedSignatureProperties>
                <xades:SignedDataObjectProperties>
                    <xades:CommitmentTypeIndication>
                        <xades:CommitmentTypeId>
                            <xades:Identifier>http://uri.etsi.org/01903/v1.2.2#ProofOfOrigin</xades:Identifier>
                            <xades:Description>xxxxxxxxxxxxx
                            </xades:Description>
                        </xades:CommitmentTypeId>
                        <xades:AllSignedDataObjects/>
                    </xades:CommitmentTypeIndication>
                </xades:SignedDataObjectProperties>
            </xades:SignedProperties>
        </xades:QualifyingProperties>
    </ds:Object>
    </ds:Signature>

I have two questions and am trying to figure them out.

  1. Is the approach I use for this XML document verification correct?
  2. What is the reason for getting "xades4j.verification.ReferenceValueException: Reference '#xmldsig-xxxx-abc-object11' cannot be validated" and the digest values not matching?

Edit (14-11-22): I was able to resolve the xades verification issue. Below are the two mistakes I made.

  1. Reading the signed XML file from the disk. I think the file was altered or could not be read correctly. Instead of reading from the disk, I validate the string returned from the API directly.
  2. It turns out that I should use the root certificate for validation.

Now I'm trying to validate XMLDSig using the below code.

    import javax.xml.crypto.dsig.XMLSignature;
    import javax.xml.crypto.dsig.XMLSignatureFactory;
    import javax.xml.crypto.dsig.dom.DOMValidateContext;

    NodeList nl = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
    // KeyValueKeySelector is the caller's own KeySelector implementation
    DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0));
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
    XMLSignature signature = fac.unmarshalXMLSignature(valContext);
    boolean coreValidity = signature.validate(valContext); // false on a digest or signature mismatch

It gives me the below exception

com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID xmldsig-xxx-abc-signedprops
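
An added diagnostic example, not the poster's code: the "Cannot resolve element with ID" error from the JDK XMLDSig API is what you get when the DOM parser (namespace-aware, but without a schema or DTD) does not know that `Id` is an ID-typed attribute, so `setIdAttribute` is called on every element that carries one before validation; on a failed core validation the code then prints each Reference's expected and recalculated digest, which is exactly the information a "digest values are not equal" report hides. The class name `XmlDsigDiagnostics`, the method names and the assumption that the caller already holds a trusted `PublicKey` (for example from the root certificate) are mine.

```java
import java.security.PublicKey;
import java.util.Base64;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class XmlDsigDiagnostics {

    // Without a schema or DTD the parser does not know that "Id" is an ID attribute, so
    // same-document URIs such as "#xmldsig-xxx-abc-signedprops" cannot be resolved
    // (the ResourceResolverException above). Mark every Id attribute explicitly.
    static void markIdAttributes(Document doc) {
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttribute("Id")) e.setIdAttribute("Id", true);
        }
    }

    // Validates the first ds:Signature of a namespace-aware parsed Document against an
    // already-trusted public key (assumed to come from the root certificate the caller chose)
    // and, on failure, prints each Reference's expected vs. calculated digest.
    static boolean validateAndReport(Document doc, PublicKey trustedKey) throws Exception {
        markIdAttributes(doc);
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) throw new IllegalArgumentException("no ds:Signature element");
        DOMValidateContext ctx =
                new DOMValidateContext(KeySelector.singletonKeySelector(trustedKey), nl.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean coreValid = sig.validate(ctx); // false if any digest or the signature mismatches
        if (!coreValid) {
            System.out.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
            for (Object o : sig.getSignedInfo().getReferences()) {
                Reference ref = (Reference) o;
                boolean ok = ref.validate(ctx);   // recomputes the digest over the referenced data
                byte[] calc = ref.getCalculatedDigestValue();
                System.out.printf("Reference %s valid=%b expected=%s calculated=%s%n", ref.getURI(), ok,
                        Base64.getEncoder().encodeToString(ref.getDigestValue()),
                        calc == null ? "n/a" : Base64.getEncoder().encodeToString(calc));
            }
        }
        return coreValid;
    }
}
```

Parse the Document with `setNamespaceAware(true)` and from the string the API returned, not from a copy written to disk, since any byte-level change to the signed content (encoding, line endings, whitespace outside the canonicalization's control) changes the Reference digest.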

I was able to find the answer for the xades verification. Below are the two mistakes I made.

  1. Reading the signed XML file from the disk. I think the file was altered or could not be read correctly. Instead of reading from the disk, I validate the string returned from the API directly.
  2. It turns out that I should use the root certificate for validation.
