XML digital signature verification
I was trying to validate an XML signature.
The validation according to this tutorial works fine.
But I also tried a second approach. To verify it with the verify method of the Signature class,
I extracted the signature and the certificate from the XML file, and I did the following:
import java.io.ByteArrayInputStream;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;

public class SignatureCheck {
    public static boolean checkSignedFile(byte[] data, byte[] sigToVerify,
            byte[] cert, String algorithm) throws CertificateException,
            NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        // Parse the X.509 certificate taken from the XML file and use its public key
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate c = cf.generateCertificate(new ByteArrayInputStream(cert));
        PublicKey pk = c.getPublicKey();
        // Verify the raw signature bytes over the raw data bytes, e.g. "SHA256withRSA"
        Signature sig = Signature.getInstance(algorithm);
        sig.initVerify(pk);
        sig.update(data);
        return sig.verify(sigToVerify);
    }
}
The result was false. The signature did not verify. What could be the reason for that?
Comments (2)
You can't verify XMLDsig like this. It wouldn't work. The signature is not calculated over the raw XML. It has to go through canonicalization, digest etc.
What do you use for data[]? To get it right, you almost have to rewrite the XMLDsig library.
If data[] is the content of the signed XML file, what is sigToVerify?
XMLSig creates a Signature-Element (SignedInfo) that contains the digest of each Element to be signed and meta-information like the used canonicalization/transformation algorithms. Then the digest of this SignedInfo-Element is calculated and signed.
Hence, if sigToVerify is the signature created by an XMLSignature implementation it must not be equal to the signature of the complete XML file.
Here is a more complete explanation. And if you're interested, take a look at the specification.
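The validation the two comments describe, as an added example (not code from the question or from the commenters): it takes the same inputs as the question's method, the signed XML and the extracted certificate, but hands the public key to the JDK's XMLDSig implementation (javax.xml.crypto.dsig), which canonicalizes SignedInfo, verifies SignatureValue over it and then recomputes each Reference digest, and when core validation fails it reports which of those two steps broke. Class and method names are hypothetical; it assumes a single enveloped ds:Signature and that the certificate passed in is one you already trust rather than whatever the document's KeyInfo carries.

```java
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XmlDsigCheck {
    // Hypothetical helper: signedXml is the whole signed document, trustedCert a DER/PEM
    // X.509 certificate we already trust (e.g. a pinned copy), not one read from <KeyInfo>.
    public static boolean checkSignedFile(byte[] signedXml, byte[] trustedCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate c = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(trustedCert));
        PublicKey pk = c.getPublicKey();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required, otherwise ds:Signature is not recognised
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(signedXml));
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalArgumentException("expected one ds:Signature, found " + sigs.getLength());
        }
        // The key is fixed by the caller, so whatever the document's <KeyInfo> claims is ignored.
        DOMValidateContext ctx = new DOMValidateContext(pk, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // rejects XSLT transforms, weak algorithms
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        // Core validation: verify SignatureValue over c14n(SignedInfo), then every Reference digest.
        boolean valid = sig.validate(ctx);
        if (!valid) { // show which step failed; a digest mismatch means the referenced content changed
            System.err.println("SignatureValue ok: " + sig.getSignatureValue().validate(ctx));
            for (Object o : sig.getSignedInfo().getReferences()) {
                Reference r = (Reference) o;
                System.err.println("Reference '" + r.getURI() + "' digest ok: " + r.validate(ctx));
            }
        }
        return valid;
    }
}
```

A false result with "SignatureValue ok: true" but a failing Reference means the signed content was modified after signing; "SignatureValue ok: false" means the wrong key or a tampered SignedInfo.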