Getting the certificate out of an XMLSignature in Java

Posted 2024-10-05 10:36:24 · 2065 characters · 8 views · 0 comments · Original

I'm trying to get the certificate out of an XMLSignature, get its CRL DistributionPoint and verify whether it's valid.

I have a digital document and a signature file name, and this is how I get the XMLSignature:

ZipFile zipFile = new ZipFile(dataFactory.getDataReader().getFileAdoc(adocFileName));
ZipEntry entry = zipFile.getEntry(signatureFileName);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
Document doc = dbf.newDocumentBuilder().parse(zipFile.getInputStream(entry));
NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
if (nl.getLength() == 0)
{
    throw new Exception("Cannot find Signature element");
}
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
DOMValidateContext valContext = new DOMValidateContext(new X509KeySelector(), nl.item(0));
ZipFileURIDereferencer dereferencer = new ZipFileURIDereferencer(zipFile);
valContext.setURIDereferencer(dereferencer);

XMLSignature signature = fac.unmarshalXMLSignature(valContext);

Now, how do I get a Certificate or X509Certificate?

I have tried getting the <X509Certificate> part:

NodeList sertificateNodeList = doc.getElementsByTagName("X509Certificate");
if (sertificateNodeList.getLength() == 0) {
    throw new Exception("Cannot find X509Certificate element");
}
String certPart = sertificateNodeList.item(0).getFirstChild().getNodeValue();
System.out.println(certPart);
InputStream is = new ByteArrayInputStream(certPart.getBytes());

CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate cert = cf.generateCertificate(is);

But that gives me:

java.security.cert.CertificateParsingException: invalid DER-encoded certificate data

Maybe I just need to somehow encode that InputStream `is`?

The signature.xml contains:

<X509Certificate>
MIIKVTCCCT2gAwIBAgIOY7W3f/J6VnsAAQAInYYwDQYJKoZIhvcNAQEFBQAwgbsxCzAJBgNVBAYT
AkxUMUAwPgYDVQQKEzdHeXZlbnRvanUgcmVnaXN0cm8gdGFybnliYSBwcmllIExSIFZSTSAtIGku
...
FWxieiI3KtGsVPYZ1/C7QHLv0SRMaCm/+qHuPSWh+L5YIcjBxQbD4bU2Q9soW7QshkRNRJOWSonK
Rw/cD4gWZDPte3V42qj6SZazsjDrGTFaGBg3
</X509Certificate>

Thanks!

Comments (2)

日裸衫吸 2024-10-12 10:36:24
InputStream is = new ByteArrayInputStream(unbase64(certPart));

hi Brutus, just unbase64 the X509Certificate value

垂暮老矣 2024-10-12 10:36:24

I've managed to get some kind of certificate (X509CertImpl) and check its validity, by using some code I've found online:

XMLSignature signature = fac.unmarshalXMLSignature(valContext);
KeyInfo keyInfo = signature.getKeyInfo();

// Walk the KeyInfo children looking for X509Data. The JDK implementation hands back
// java.security.cert.X509Certificate / X509CRL objects (X509CertImpl is the JDK's internal
// subclass of X509Certificate, so matching on the public supertype keeps this portable).
Iterator<?> iter = keyInfo.getContent().iterator();
X509Certificate cert = null;
while (iter.hasNext()) {
    XMLStructure kiType = (XMLStructure) iter.next();
    if (kiType instanceof X509Data) {
        X509Data xd = (X509Data) kiType;
        Object[] entries = xd.getContent().toArray();
        X509CRL crl = null;
        for (int i = 0; i < entries.length; i++) {
            if (entries[i] instanceof X509CRL) {
                crl = (X509CRL) entries[i]; // embedded CRL, if the signer included one
            }
            if (entries[i] instanceof X509Certificate) {
                cert = (X509Certificate) entries[i];
                try {
                    // signDate is the signing time (java.util.Date), obtained elsewhere
                    cert.checkValidity(signDate);
                } catch (CertificateExpiredException expiredEx) {
                    System.out.println("CERTIFICATE EXPIRED!");
                    return 1;
                } catch (CertificateNotYetValidException notYetValidEx) {
                    System.out.println("CERTIFICATE NOT VALID YET!");
                    return 0;
                }
                System.out.println("CERTIFICATE IS VALID!");
            }
        }
    }
}
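The two comments above cover the two halves of the question separately: the first says to Base64-decode the `<X509Certificate>` text before handing it to `CertificateFactory`, the second walks `KeyInfo` to reach the certificate. The class below is an added example (not code from the question or either comment) that puts both together and also answers the remaining part of the question, reading the CRL Distribution Points extension (OID 2.5.29.31). The JDK has no public accessor for that extension, so the example walks the DER returned by `getExtensionValue` with a small tag/length/value loop, descending only into the wrappers that lead to `distributionPoint -> fullName -> uniformResourceIdentifier`. The class name `SignatureCertCheck`, the method names, and the URL `http://crl.example.test/ca.crl` used in `main` are all my own; the `main` builds a constructed extension value so the walker can be exercised without a real certificate.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.*;
import java.util.*;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;

public class SignatureCertCheck {
    static final String CRL_DP_OID = "2.5.29.31";

    /** Fix from the first comment: the element text is Base64 (with line breaks), not DER. */
    static X509Certificate parseBase64Cert(String base64Text) throws CertificateException {
        byte[] der = Base64.getMimeDecoder().decode(base64Text); // MIME decoder skips line breaks
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /** Second comment, via the public API only: first certificate found under KeyInfo/X509Data. */
    static X509Certificate certFromKeyInfo(XMLSignature signature) {
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo == null) return null;
        for (Object ki : keyInfo.getContent()) {
            if (!(ki instanceof X509Data)) continue;
            for (Object entry : ((X509Data) ki).getContent()) {
                if (entry instanceof X509Certificate) return (X509Certificate) entry;
            }
        }
        return null;
    }

    /** Validity at the signing time, returned as a status rather than printed. */
    static String validityAt(X509Certificate cert, Date signDate) {
        try {
            cert.checkValidity(signDate);
            return "VALID";
        } catch (CertificateExpiredException e) {
            return "EXPIRED";
        } catch (CertificateNotYetValidException e) {
            return "NOT_YET_VALID";
        }
    }

    /** CRL distribution point URIs from extension 2.5.29.31, or an empty list if absent. */
    static List<String> crlDistributionPoints(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(CRL_DP_OID); // DER OCTET STRING wrapping the extension
        List<String> uris = new ArrayList<>();
        if (ext != null) collectUris(ext, 0, ext.length, uris);
        return uris;
    }

    // Minimal DER walk. Descends into OCTET STRING (0x04, the extension wrapper), SEQUENCE (0x30)
    // and [0] constructed (0xA0: distributionPoint, then fullName); collects [6] IA5String (0x86),
    // i.e. uniformResourceIdentifier. cRLIssuer ([2], 0xA2) and reasons ([1], 0x81) are skipped.
    static void collectUris(byte[] b, int off, int end, List<String> out) {
        while (off < end) {
            int tag = b[off++] & 0xFF;
            int len = b[off++] & 0xFF;
            if (len >= 0x80) {                      // long-form length: 0x8n followed by n bytes
                int n = len & 0x7F;
                len = 0;
                for (int i = 0; i < n; i++) len = (len << 8) | (b[off++] & 0xFF);
            }
            if (tag == 0x04 || tag == 0x30 || tag == 0xA0) {
                collectUris(b, off, off + len, out);
            } else if (tag == 0x86) {
                out.add(new String(b, off, len, StandardCharsets.US_ASCII));
            }
            off += len;
        }
    }

    // Helper for the demo below: encode one TLV with a short-form length (content < 128 bytes).
    static byte[] tlv(int tag, byte[] content) {
        byte[] out = new byte[content.length + 2];
        out[0] = (byte) tag;
        out[1] = (byte) content.length;
        System.arraycopy(content, 0, out, 2, content.length);
        return out;
    }

    public static void main(String[] args) {
        // Constructed extension value (placeholder URL, not from any real certificate):
        // OCTET STRING { SEQUENCE { SEQUENCE { [0] { [0] { [6] "http://crl.example.test/ca.crl" } } } } }
        byte[] uri = tlv(0x86, "http://crl.example.test/ca.crl".getBytes(StandardCharsets.US_ASCII));
        byte[] extValue = tlv(0x04, tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, uri)))));
        List<String> found = new ArrayList<>();
        collectUris(extValue, 0, extValue.length, found);
        System.out.println(found); // [http://crl.example.test/ca.crl]
    }
}
```

With a real signature, the flow is `certFromKeyInfo(signature)` (or `parseBase64Cert(certPart)` if you read the element text yourself), then `validityAt(cert, signDate)` and `crlDistributionPoints(cert)`. Checking the time window is not a revocation check: fetching the CRL from those URIs and calling `X509CRL.isRevoked(cert)`, or building a `PKIXParameters` path validation with revocation enabled, is the step that actually answers whether the signing certificate is still trusted.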