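Validating digital signature using StAX
How do I validate a digital signature on XML using the Java StAX API? I already know how to validate using DOM. I have a very large XML file and I need a way to validate the signature using StAX. Please help...
I found this blog post, which points to some code demonstrating the StAX implementation:
To see how to configure the new inbound StAX-based XML Signature functionality, take a look at the "verifyUsingStAX" method used by the tests. As with signature creation, it is necessary to create an XMLSecurityProperties object, and to tell it what "Action" to perform. In addition, unless the complete signing key is included in the Signature KeyInfo, the following method must be called:
- properties.setSignatureVerificationKey(Key) - the key to use to verify the signature.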
import java.io.InputStream;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import org.apache.xml.security.stax.ext.*;
import org.apache.xml.security.stax.securityEvent.*;
import org.junit.Assert;

// X509SecurityToken comes from the Santuario release the blog post used.
// TestSecurityEventListener and getSignedQName(...) are helpers from the
// blog post's test code and are not shown on this page.

/**
 * Verify the document using the StAX API of Apache Santuario - XML Security for Java.
 */
public static void verifyUsingStAX(
    InputStream inputStream,
    List<QName> namesToSign,
    X509Certificate cert
) throws Exception {
    // Set up the Configuration
    XMLSecurityProperties properties = new XMLSecurityProperties();
    List<XMLSecurityConstants.Action> actions = new ArrayList<XMLSecurityConstants.Action>();
    actions.add(XMLSecurityConstants.SIGNATURE);
    properties.setActions(actions);

    // Key used to verify the signature
    properties.setSignatureVerificationKey(cert.getPublicKey());

    InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);

    XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
    final XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(inputStream);

    TestSecurityEventListener eventListener = new TestSecurityEventListener();
    XMLStreamReader securityStreamReader =
        inboundXMLSec.processInMessage(xmlStreamReader, null, eventListener);

    // Reading the secured stream to the end drives the signature verification
    while (securityStreamReader.hasNext()) {
        securityStreamReader.next();
    }
    xmlStreamReader.close();
    inputStream.close();

    // Check that what we were expecting to be signed was actually signed
    List<SignedElementSecurityEvent> signedElementEvents =
        eventListener.getSecurityEvents(SecurityEventConstants.SignedElement);
    Assert.assertNotNull(signedElementEvents);

    for (QName nameToSign : namesToSign) {
        boolean found = false;
        for (SignedElementSecurityEvent signedElement : signedElementEvents) {
            if (signedElement.isSigned()
                && nameToSign.equals(getSignedQName(signedElement.getElementPath()))) {
                found = true;
                break;
            }
        }
        Assert.assertTrue(found);
    }

    // Check Signing cert
    X509TokenSecurityEvent tokenEvent =
        (X509TokenSecurityEvent)eventListener.getSecurityEvent(SecurityEventConstants.X509Token);
    Assert.assertNotNull(tokenEvent);
    Assert.assertTrue(tokenEvent.getSecurityToken() instanceof X509SecurityToken);
    X509SecurityToken x509SecurityToken = (X509SecurityToken)tokenEvent.getSecurityToken();
    Assert.assertEquals(x509SecurityToken.getX509Certificates()[0], cert);
}
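The same check written without JUnit so that it fails closed outside a test, as an added example that is not part of the original answer or the blog post. The class name `StreamingSignatureCheck`, the parameter names and the inline listener (standing in for the test helper the page does not show) are assumptions, as is treating the last entry of `getElementPath()` as the signed element.

```java
import java.io.InputStream;
import java.security.Key;
import java.util.*;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import org.apache.xml.security.stax.ext.*;
import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;

public final class StreamingSignatureCheck { // hypothetical name, not from the page
    /** Reads the whole stream; throws unless every name in mustBeSigned was reported as signed. */
    public static void verify(InputStream in, Key key, Set<QName> mustBeSigned) throws Exception {
        XMLSecurityProperties properties = new XMLSecurityProperties();
        List<XMLSecurityConstants.Action> actions = new ArrayList<>();
        actions.add(XMLSecurityConstants.SIGNATURE);
        properties.setActions(actions);
        properties.setSignatureVerificationKey(key);
        InboundXMLSec inbound = XMLSec.getInboundWSSec(properties);

        // Collect the element name (assumed: last path entry) of every signed-element event.
        Set<QName> signed = new HashSet<>();
        SecurityEventListener listener = event -> {
            if (event instanceof SignedElementSecurityEvent) {
                SignedElementSecurityEvent e = (SignedElementSecurityEvent) event;
                List<QName> path = e.getElementPath();
                if (e.isSigned() && path != null && !path.isEmpty()) {
                    signed.add(path.get(path.size() - 1));
                }
            }
        };
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // added hardening, not in the answer
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader raw = factory.createXMLStreamReader(in);
        try {
            XMLStreamReader secured = inbound.processInMessage(raw, null, listener);
            while (secured.hasNext()) {
                secured.next(); // a bad signature or digest surfaces as an exception here
            }
        } finally {
            raw.close();
        }
        // A valid signature is not enough: it must cover the elements the caller relies on.
        if (!signed.containsAll(mustBeSigned)) {
            throw new SecurityException("signature does not cover all of " + mustBeSigned);
        }
    }
}
```

Nothing read from the stream should be acted on until `verify` returns without throwing.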