XML digital signature verification

Published 2024-08-04 11:01:25, 1054 characters, 12 views, 0 comments


I was trying to validate an XML signature.

The validation according to this tutorial works fine.

But I also tried a second approach. To verify it with the verify method of the Signature class,
I extracted the signature and the certificate from the XML file, and I did the following:

    import java.io.ByteArrayInputStream;
    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import java.security.PublicKey;
    import java.security.Signature;
    import java.security.SignatureException;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;

    // Verifies a raw signature over `data` using the public key of a DER-encoded X.509 certificate.
    public static boolean checkSignedFile(byte[] data, byte[] sigToVerify,
            byte[] cert, String algorithm) throws CertificateException,
            NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate c = cf.generateCertificate(new ByteArrayInputStream(cert));
        PublicKey pk = c.getPublicKey();
        Signature sig = Signature.getInstance(algorithm); // e.g. "SHA256withRSA"
        sig.initVerify(pk);
        sig.update(data);              // hashes the bytes exactly as they were passed in
        return sig.verify(sigToVerify);
    }

The result was false. The signature did not verify. What could be the reason for that?

Comments (2)

饮湿 2024-08-11 11:01:25


You can't verify XMLDsig like this. It wouldn't work. The signature is not calculated over the raw XML. It has to go through canonicalization, digest etc.

What do you use for data[]? To get it right, you almost have to rewrite the XMLDsig library.

只等公子 2024-08-11 11:01:25


If data[] is the content of the signed XML file, what is sigToVerify?

XMLSig creates a Signature element (SignedInfo) that contains the digest of each element to be signed and meta-information like the used canonicalization/transformation algorithms. Then the digest of this SignedInfo element is calculated and signed.

Hence, if sigToVerify is the signature created by an XMLSignature implementation, it cannot be equal to the signature of the complete XML file.

Here is a more complete explanation. And if you're interested, take a look at the specification.
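Both answers point the same way: the SignatureValue is computed over the canonicalized SignedInfo element, and SignedInfo in turn carries a digest per Reference, so a raw `Signature.verify` over the file bytes can never succeed. The following is an added example (not code from the question or either answer) showing how the same check is done with the JDK's own `javax.xml.crypto.dsig` API, which performs the canonicalization and digest steps for you. The class and method names (`XmlDsigVerifier`, `verify`) and the assumption that the trusted certificate is passed in DER form are mine; the API calls are the standard JDK ones.

```java
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.xml.XMLConstants;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Hypothetical helper class (not part of the original post).
public class XmlDsigVerifier {

    /**
     * Validates the first ds:Signature in signedXml against a certificate the caller already
     * trusts (DER-encoded). Returns true only when the SignatureValue verifies over the
     * canonicalized SignedInfo AND every Reference digest matches its referenced content.
     */
    public static boolean verify(byte[] signedXml, byte[] trustedCertDer) throws Exception {
        // XMLDSig elements are namespaced, so the parser must be namespace-aware.
        // DOCTYPEs are rejected so that XXE / entity expansion cannot reach the verifier.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(signedXml));

        NodeList sigNodes = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigNodes.getLength() == 0) {
            throw new IllegalArgumentException("document contains no ds:Signature element");
        }

        // The verification key comes from the certificate the caller trusts, never from the
        // <KeyInfo> embedded in the (untrusted) document being verified.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate trusted = (X509Certificate)
                cf.generateCertificate(new ByteArrayInputStream(trustedCertDer));
        PublicKey pk = trusted.getPublicKey();
        KeySelector fixedKey = new KeySelector() {
            @Override
            public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                            AlgorithmMethod method, XMLCryptoContext context) {
                return () -> pk; // ignore KeyInfo; always use the trusted key
            }
        };

        DOMValidateContext ctx = new DOMValidateContext(fixedKey, sigNodes.item(0));
        // JDK secure-validation mode: rejects weak algorithms, external URI references and
        // excessive transforms before any cryptography runs.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature signature = fac.unmarshalXMLSignature(ctx);

        // Core validation: canonicalize SignedInfo, check SignatureValue over it with pk,
        // then recompute and compare the digest of every Reference.
        boolean coreValid = signature.validate(ctx);
        if (!coreValid) {
            // Separate the two failure modes so a log entry says which step broke.
            boolean sigValueOk = signature.getSignatureValue().validate(ctx);
            System.err.println("SignatureValue over canonicalized SignedInfo valid: " + sigValueOk);
            for (Object o : signature.getSignedInfo().getReferences()) {
                Reference ref = (Reference) o;
                System.err.println("Reference '" + ref.getURI()
                        + "' digest valid: " + ref.validate(ctx));
            }
        }
        return coreValid;
    }
}
```

Call `XmlDsigVerifier.verify(fileBytes, certDer)` with the bytes of the signed file and the certificate you obtained out of band. Two points matter beyond a `true` result: the key selector deliberately ignores the document's own `<KeyInfo>` (anyone can embed a certificate they hold the key for), and a valid signature only proves that the elements named by the Reference URIs were signed, so before acting on a document the caller should check that those URIs (available via `getSignedInfo().getReferences()`) cover the element it is about to trust.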
