如何在 iOS 应用程序中验证 XML 签名?
我已经通过我正在从事的一个 iOS 项目进入了 XML 数字签名的世界;我需要验证 SAML 断言的数字签名。
我已经阅读了很多有关验证 XML 签名的内容,我想我已经了解了如何使用私钥对摘要进行签名的基础知识,并且我可以使用公钥(应该包含在 x509 证书中)对其进行验证,所以我可以确定 SAML 令牌的来源。
我找到了一个 C 库,xmlsec,看起来它有很多我的代码需要验证签名并一直在努力实现这一点。但是,我一直无法弄清楚。据我了解,我很确定我必须用我的代码编译该库。我已将源代码复制到我的项目中,但在编译过程中出现了有关未定义内容的错误。
在我花费无数时间走上这条道路之前,我想我应该联系社区,看看是否有人有验证 xml 数字签名的经验,以及他们是否可以提供有关在 iOS 项目中实现该签名的见解。
无论如何,以下是我从单点登录服务获得的 SAML 断言的一部分:
<?xml version="1.0" encoding="UTF-16"?>
<saml:Assertion ID="oQ2YZuHBspA_f91HM8o3.o6ZZla" IssueInstant="2011-05-06T00:51:40.733Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml:Issuer>[...]</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#oQ2YZuHBspA_f91HM8o3.o6ZZla">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>zj4pCHBNMln+28Jq/v1YIScfiuw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[...]</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDVjCCAj6gAwIBAgIGAS67wkWCMA0GCSqGSIb3[...]7bgf</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>[...]</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
I've been tossed into the world of XML digital signatures with an iOS project I'm working on; I need to verify the digital signature of a SAML assertion.
I've been reading a lot about validating XML signatures, and I think I get the basics about how it signs the digest with the private key and I can verify it with the public key (which should be in the included x509 certificate) so I can be certain of the SAML token's source.
I found a C libray, xmlsec, that looks like it has a lot of the code I need for verifying the signature and have been working on trying to implement that. However, I haven't been able to figure it out. From what I understand, I'm pretty sure I would have to compile the library in with my code. I've copied the source into my project, but I get errors during compile about things not being defined.
Before I spend countless hours heading down that path, I figured I would reach out to the community and see if anyone has had any experience verifying an xml digital signature and whether they could give insight on implementing that in an iOS project.
For what it's worth, here's a chunk of the SAML assertion I'm getting from the single sign-on service:
<?xml version="1.0" encoding="UTF-16"?>
<saml:Assertion ID="oQ2YZuHBspA_f91HM8o3.o6ZZla" IssueInstant="2011-05-06T00:51:40.733Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml:Issuer>[...]</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#oQ2YZuHBspA_f91HM8o3.o6ZZla">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>zj4pCHBNMln+28Jq/v1YIScfiuw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[...]</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDVjCCAj6gAwIBAgIGAS67wkWCMA0GCSqGSIb3[...]7bgf</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>[...]</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
为 iPhone 编译
xmlsec有点棘手,但可以完成。首先,一些一般注意事项:
xmlsec是一个使用 的 GNU 项目GNU 构建系统;构建一个这样的项目相当于运行一个脚本(配置),然后执行make。 configure 将创建一个针对您的具体系统配置量身定制的 Makefile,并允许您选择在构建中包含或不包含xmlsec的哪些选项;xmlsec有几个来自其他库的依赖项:libssl、libcrypto(openssl 的一部分)、libxslt、libxml2、libz和libiconv。 iPhone SDK 中只有libxml2和libz可用,您需要在您的系统上提供所有其他可用且已编译的文件。这些库都是 GNU 项目,您可以通过应用与我稍后描述的xmlsec相同的方法来编译它们。需要注意的是:libxslt。 Apple 在 iPhone SDK 中包含了 libxslt,但不提供 .h,因此不允许您链接到 iPhone SDK 附带的 libxslt.dylib,并且您必须在自己的设备上编译它。将源文件从
xmlsec导入 iPhone 项目是很困难的,除非您知道哪些文件适合xmlsec以及哪些是简单的依赖项(xmlsec) code> 源树包括 openssl、gnutls 等,这些不一定必须存在),但最重要的是,因为您无法控制要在构建中包含(或排除)的 xmlsec 的哪些可选功能,就像配置为您所做的那样;具体来说,为 iPhone 编译
xmlsec的步骤是:0 - 安装并编译所有依赖项;如果您找不到已为 iPhone 移植的它们,您可以(递归地)对它们应用相同的方法;
1 - cd 到 libxmlsec root 并执行命令:
CFLAGS=" -arch armv6 -std=c99 -isysroot; --with-libxslt=--with-openssl= /Volumes/ext/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.2.sdk”
CC="/Volumes/ext/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc-4.2"
./configure --host=arm-apple-darwin10 --disable-shared --disable-crypto-dl
--with-libxml=
在上面的命令中,我假设编译器将找到 libxml 标头和可执行文件,因为它们是 SDK 的一部分。否则也包括它们。
2 - 配置将产生大量输出,如果一切顺利,您将能够执行命令:
3 - 这应该很好地运行完成并生成输出文件: src/.libs/libxmlsec1.a 您可以将其链接到您的 iPhone 项目中(以及所有其他依赖库)。
最后,一个 关于为 iPhone 编译 openSSL 的教程。
Compiling
xmlsecfor iPhone is a bit tricky but can be done.First of all, some general considerations:
xmlsecis a GNU project using the GNU build system; building one such project amounts to running a script (configure) and then executingmake. configure will create a Makefile tailored for your exact system configuration and will allow you to choose which options ofxmlsecto include or not in you build;xmlsechas several dependencies from other libraries:libssl,libcrypto(part of openssl),libxslt,libxml2,libz, andlibiconv. Onlylibxml2andlibzare available in the iPhone SDK and you will need to have all of the others available on your system and already compiled. Those libraries are all GNU projects that you can compile by applying the same approach as the one I describe later forxmlsec. One note:libxslt. Apple includeslibxsltin the iPhone SDK, but does not make the .h available, so you are not allowed to link to libxslt.dylib which comes with the iPhone SDK and you will have to compile it on your own.importing the source files from
xmlsecinto an iPhone project is difficult unless you know which files are proper toxmlsecand which are simple dependencies (xmlsecsource tree includes openssl, gnutls, etc that are not certainly necessary to be there), but above all because you cannot control which optional features of xmlsec you would like to include (or exclude) in your build, like configure does for you;the approach I preferred is, therefore, properly using configure so as to produce an iPhone-specific Makefile, and then build a static library (since you are not allowed to use external dylib on iPhone);
The steps, concretely, to compile
xmlsecfor iPhone are:0 - install and compile all the dependencies; if you cannot find them already ported for iPhone, you can apply (recursively) this same approach to them;
1 - cd to libxmlsec root and execute the command:
CFLAGS=" -arch armv6 -std=c99 -isysroot/Volumes/ext/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.2.sdk"
CC="/Volumes/ext/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc-4.2"
./configure --host=arm-apple-darwin10 --disable-shared --disable-crypto-dl
--with-libxml=<path_to_where_libxml_is> --with-libxslt=<path_to_where_libxslt_is> --with-openssl=<path_to_where_openssl_is>
in the command above, I am assuming that libxml headers and executables will be found by the compiler since they are part of the SDK. Otherwise include them also.
2 - configure will produce a lot of output and, if everything goes right, you will be able to execute the command:
3 - this should run finely to completion and produce your output file:
src/.libs/libxmlsec1.athat you can link in your iPhone project (together with all the rest of depended upon libraries).Finally, a tutorial about compiling openSSL for iPhone.