XMLSec：签名有什么问题？（“URI 的引用没有 XMLSignatureInput”）

发布于 2024-10-18 17:57:03 字数 2578 浏览 1 评论 0原文

我正在使用 apache-santuario 1.4.4 生成此签名消息：

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12">
  <soapenv:Header>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#DS-OM">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>8nZkH.....99alYEU4=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
        XSwt/8HzsnWewj.....8dHwY+FVCkhlg==
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            MIID4TCCAsmgAwIB....WQuq/eiErGfyU9ZNmKFpA==
          </ds:X509Certificate>
        </ds:X509Data>
        <ds:KeyValue>
          <ds:RSAKeyValue>
            <ds:Modulus>
              zSmjLBHhvxfE03pEUaq8x.....D4b63mMF8p+3XAYmgw==
            </ds:Modulus>
            <ds:Exponent>AQBA</ds:Exponent>
          </ds:RSAKeyValue>
        </ds:KeyValue>
      </ds:KeyInfo>
    </ds:Signature>
  </soapenv:Header>
  <soapenv:Body SOAP-SEC:Id="DS-OM">
    <ns1:Servic xmlns:ns1="http://www.foo.es/Schemas">
      ...
    </ns1:Servic>
  </soapenv:Body>
</soapenv:Envelope>

当我将其发送到我正在使用的服务时，它回复如下：

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode xmlns:ns1="http://www.foo.com/Schemas">ns1:DigitalSignatureError</faultcode>
      <faultstring>The Reference for URI #DS-OM has no XMLSignatureInput</faultstring>
      <detail>
         <string/>
      </detail>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>

我已经用 google 搜索了很多，但几乎没有找到有关此错误的任何内容。引用是否声明为错误？可能出什么问题了？任何想法将不胜感激。

提前致谢。

原文

I'm using apache-santuario 1.4.4 to generate this signed message:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12">
  <soapenv:Header>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#DS-OM">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>8nZkH.....99alYEU4=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
        XSwt/8HzsnWewj.....8dHwY+FVCkhlg==
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            MIID4TCCAsmgAwIB....WQuq/eiErGfyU9ZNmKFpA==
          </ds:X509Certificate>
        </ds:X509Data>
        <ds:KeyValue>
          <ds:RSAKeyValue>
            <ds:Modulus>
              zSmjLBHhvxfE03pEUaq8x.....D4b63mMF8p+3XAYmgw==
            </ds:Modulus>
            <ds:Exponent>AQBA</ds:Exponent>
          </ds:RSAKeyValue>
        </ds:KeyValue>
      </ds:KeyInfo>
    </ds:Signature>
  </soapenv:Header>
  <soapenv:Body SOAP-SEC:Id="DS-OM">
    <ns1:Servic xmlns:ns1="http://www.foo.es/Schemas">
      ...
    </ns1:Servic>
  </soapenv:Body>
</soapenv:Envelope>

When I send it to the service that I'm working with, it replies this:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode xmlns:ns1="http://www.foo.com/Schemas">ns1:DigitalSignatureError</faultcode>
      <faultstring>The Reference for URI #DS-OM has no XMLSignatureInput</faultstring>
      <detail>
         <string/>
      </detail>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>

I've googled a lot but haven't found almost anything about this error.
Is the reference bad declared? what could be wrong? Any idea will be appreciated.

Thanks in advance.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

若能看破又如何 2024-10-25 17:57:03

“DS-OM”被定义为“SOAP-SEC:Id” - 我认为这就是导致这里问题的原因，可能是 SOAP-SEC:Id 不是正确的 xml:id 或者没有被正确识别为一个。为了避免这种情况，您可以使用 XPath 转换来声明您的 Reference：

<ds:Reference URI="">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
           <ds:XPath xmlns:soapenv="&soapenv;" xmlns:SOAP-SEC="&SOAP-SEC;">
             //soapenv:Envelope[@SOAP-SEC:Id='DS-OM']
           <ds:XPath>
        <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </ds:Transforms>
      ....
</ds:Reference>

"DS-OM" is defined as "SOAP-SEC:Id" - I think this is what's causing the problem here, it could be that SOAP-SEC:Id is not a proper xml:id or does not correctly get recognized as one. What you could do to circumvent this is to declare your Reference using an XPath transform instead:

<ds:Reference URI="">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
           <ds:XPath xmlns:soapenv="&soapenv;" xmlns:SOAP-SEC="&SOAP-SEC;">
             //soapenv:Envelope[@SOAP-SEC:Id='DS-OM']
           <ds:XPath>
        <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </ds:Transforms>
      ....
</ds:Reference>

回复收藏 0 原文

~没有更多了~