堆栈内存溢出
  简体   繁体   English

XML数字签名验证

[英]XML Digital Signature validation

 原文  2009-09-09 14:22:43       java/ xml/ digital-signature/ verify/ xml-signature

问题描述

I was trying to validate an XML signature. 我正在尝试验证XML签名。

The validation according to this tutorial works fine. 根据本教程进行的验证工作正常。

But I also tried to a second approach. 但是我也尝试了第二种方法。 To verify it with the verify method of the Signature class I extracted the signature and the certificate from the xml file, and I did the following: 为了使用Signature类的verify方法进行验证 ,我从xml文件中提取了签名和证书,并且执行了以下操作: 

    public static boolean checkSignedFile(byte[] data, byte[] sigToVerify,
        byte[] cert, String algorithm) throws CertificateException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Certificate c = (Certificate) cf
            .generateCertificate(new ByteArrayInputStream(cert));
    PublicKey pk = c.getPublicKey();
    Signature sig;
    boolean verifies = false;
    sig = Signature.getInstance(algorithm);
    sig.initVerify(pk);
    sig.update(data);
    verifies = sig.verify(sigToVerify);
    return verifies;
}

the result was false. 结果是错误的。 The signature did not verify. 签名未验证。 What could be the reason for that? 可能是什么原因呢?

2 个解决方案

解决方案1
 2 已采纳  2009-09-09 14:44:36

You can't verify XMLDsig like this. 您不能像这样验证XMLDsig。 It wouldn't work. 这行不通。 The signature is not calculated over the raw XML. 签名不是通过原始XML计算的。 It has to go through canonicalization, digest etc. 它必须经过规范化,摘要化等。

What do you use for data[] ? 您用于data[]什么? To get it right, you almost have to rewrite the XMLDsig library. 为正确起见,您几乎必须重写XMLDsig库。

解决方案2
 0  2009-09-09 16:54:30

If data[] is the content of the signed XML file, what is sigToVerify? 如果data []是已签名XML文件的内容,那么sigToVerify是什么?

XMLSig creates a Signature-Element (SignedInfo) that contains the digest of each Element to be signed and meta-information like used canonicalization/transformation algorithms. XMLSig创建一个Signature-Element(SignedInfo),其中包含要签名的每个Element的摘要以及类似于所使用的规范化/转换算法的元信息。 Then the digest of this SignedInfo-Elemnt is calculated and signed. 然后,计算并签名此SignedInfo-Elemnt的摘要。

Hence, if sigToVerify is the signature created by a XMLSignature implementation it must not be equal to the signature of the complete XML file. 因此,如果sigToVerify是XMLSignature实现创建的签名,则它不得等于完整XML文件的签名。

Here is a more complete explanation. 是更完整的说明。 And if your interested, take a look at the specification . 如果您有兴趣,请看一下规范

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用XSLT转换时XML数字签名验证失败 - XML Digital Signature validation fail when using XSLT transform XML数字签名Java - XML Digital Signature Java 为大型XML文件生成数字XML签名 - Generate digital XML signature for large XML file XML签名验证 - XML Signature Validation coreValidity为假。 验证XML数字签名 - coreValidity is false. Verify XML digital signature XML签名验证在java中失败 - XML signature validation fails in java 如何在Spring Web Service中为不同客户实施数字签名验证? - How to implement digital signature validation in spring web service for different clients? JAX-WS,Websphere AS 8.5和XML数字标识 - JAX-WS, Websphere AS 8.5 and XML Digital SIgnature 为特定XML元素/节点创建数字签名的参考URI错误 - Reference URI error creating digital signature for a specific XML element/ Node 由于 XML 属性顺序更改导致数字签名损坏 - Broken Digital Signature due to altered XML attributes order
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM