当前位置: 文江博客话题详情

xades4j 验证错误:参考“”无法验证

发布于 2025-01-15 03:37:44 字数 5983 浏览 3 评论 0原文

当我尝试验证 XADES 文件时,出现这样的错误:

xades4j.verification.ReferenceValueException: Reference '' cannot be validated
at deployment.mora.war//xades4j.verification.XadesVerifierImpl.doCoreVerification(XadesVerifierImpl.java:354)
at deployment.mora.war//xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:214)

要验证的代码是这样的:

    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    DocumentBuilder builder = factory.newDocumentBuilder();
    org.w3c.dom.Document doc = builder.parse(new InputSource(new FileReader(SIGNED)));
    DOMHelper.useIdAsXmlId(doc.getDocumentElement());

    NodeList nl = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");

    FileSystemDirectoryCertStore certStore = new FileSystemDirectoryCertStore(CERT_FOLDER);
    KeyStore ks;
    try (FileInputStream fis = new FileInputStream(CERT_FOLDER + KEY_STORE)) {
        ks = KeyStore.getInstance("jks");
        ks.load(fis, PASS.toCharArray());
    }

    CertificateValidationProvider provider = PKIXCertificateValidationProvider.builder(ks)
                .checkRevocation(false)
                .intermediateCertStores(certStore.getStore())
                .build();
    XadesVerificationProfile profile = new XadesVerificationProfile(provider);
    org.w3c.dom.Element sigElem = (org.w3c.dom.Element) nl.item(0);
    XAdESVerificationResult r = profile.newVerifier().verify(sigElem, null);

XADES 内的签名元素如下所示:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

<ds:Reference Id="Reference-bce06403-5236-41d2-876e-fa045b90290d" URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>vj9jpZh17pKA28p7a34YsTC7rrwof55klvGjnf0bPPM=</ds:DigestValue>
</ds:Reference>

<ds:Reference Id="ReferenceKeyInfo" URI="#KeyInfoId-Signature-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>GDh/QzYxs0rqhpR0pSmaJrsevT+OMoj/exTN0BvzlRw=</ds:DigestValue>
</ds:Reference>

<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedProperties-Signature-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>5q0IptSTJjVcURg4dQrEIKSBVHjP7sSmN5hwKzq2VZs=</ds:DigestValue>
</ds:Reference>

</ds:SignedInfo>
<ds:SignatureValue Id="SignatureValue-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">N2iKgDKSy...==</ds:SignatureValue>
<ds:KeyInfo Id="KeyInfoId-Signature-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">
<ds:X509Data>
<ds:X509Certificate>MIII8D...</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>wgcwrorO+vOgKWGMzLCega0a/oNMdSHMTxmO6C7z7ISfU80ddnlODmutRl5OLaHLDgaRVCJ9KmNPpW8uW/c8KOvnCt6JMOyUb1yBnLJgl5YGgJSelLXmZrUNp3daRFqE46C1o53LS93ljQ63vWDlYQIdqaSBCMKYNpqBX0PBPHft8v8Od0NvuCEnRlWhOYXITo/Lu7p3mCuRNYiJ8MZHPf4faoalhMA5y9sFZHTqtr1XrDoM3D5UrTPbubVkKMFK1xQyDyb9Vj7m1NSwv63lgDpG2ouSK2t6ixzxgf/GTkN3el2Nx+6QhNro92IkicE3aRew9P756V5l3063PHyMzQ==</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
<ds:Object Id="XadesObjectId-642b3de2-fb1a-424e-87a6-59be13fadf1f">
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="QualifyingProperties-a522752d-2de4-4f5a-9d30-830370962953" Target="#Signature-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">
<xades:SignedProperties Id="SignedProperties-Signature-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">
<xades:SignedSignatureProperties>
<xades:SigningTime>2022-02-08T10:04:05+01:00</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>gb86Dv+uNj+Dsup33d2FvOx7f22G/jX7UstM7uH8i4c=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=AC Representación, OU=CERES, O=FNMT-RCM, C=ES</ds:X509IssuerName>
<ds:X509SerialNumber>81878359483328253772408023375514979749</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
<xades:SignedDataObjectProperties>
<xades:DataObjectFormat ObjectReference="#Reference-bce06403-5236-41d2-876e-fa045b90290d">
<xades:MimeType>text/xml</xades:MimeType>
<xades:Encoding>UTF-8</xades:Encoding>
</xades:DataObjectFormat>
</xades:SignedDataObjectProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>

XADES 不是使用 xades4j 生成的,但文件“通过”了多个验证在线测试人员(https://tools.chilkat.io/xmlDsigVerify.cshtml# generatedCodehttps://ec.europa.eu/cefdigital/DSS/webapp-demo/validationhttps://validator.fina.hr/eSigWebApp-web/#validate),所以我想我执行的 xades4j 验证在某种程度上更强...

我应该如何配置 CertificateValidationProvider 才能通过验证?我的意思是我只想检查XADES文件的完整性(确保内容没有被更改,基本上检查摘要和签名)

原文

I get an error like this when I try to validate a XADES file:

xades4j.verification.ReferenceValueException: Reference '' cannot be validated
at deployment.mora.war//xades4j.verification.XadesVerifierImpl.doCoreVerification(XadesVerifierImpl.java:354)
at deployment.mora.war//xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:214)

The code to verify is this:

    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    DocumentBuilder builder = factory.newDocumentBuilder();
    org.w3c.dom.Document doc = builder.parse(new InputSource(new FileReader(SIGNED)));
    DOMHelper.useIdAsXmlId(doc.getDocumentElement());

    NodeList nl = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");

    FileSystemDirectoryCertStore certStore = new FileSystemDirectoryCertStore(CERT_FOLDER);
    KeyStore ks;
    try (FileInputStream fis = new FileInputStream(CERT_FOLDER + KEY_STORE)) {
        ks = KeyStore.getInstance("jks");
        ks.load(fis, PASS.toCharArray());
    }

    CertificateValidationProvider provider = PKIXCertificateValidationProvider.builder(ks)
                .checkRevocation(false)
                .intermediateCertStores(certStore.getStore())
                .build();
    XadesVerificationProfile profile = new XadesVerificationProfile(provider);
    org.w3c.dom.Element sigElem = (org.w3c.dom.Element) nl.item(0);
    XAdESVerificationResult r = profile.newVerifier().verify(sigElem, null);

The signature element inside the XADES is like that:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

<ds:Reference Id="Reference-bce06403-5236-41d2-876e-fa045b90290d" URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>vj9jpZh17pKA28p7a34YsTC7rrwof55klvGjnf0bPPM=</ds:DigestValue>
</ds:Reference>

<ds:Reference Id="ReferenceKeyInfo" URI="#KeyInfoId-Signature-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>GDh/QzYxs0rqhpR0pSmaJrsevT+OMoj/exTN0BvzlRw=</ds:DigestValue>
</ds:Reference>

<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedProperties-Signature-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>5q0IptSTJjVcURg4dQrEIKSBVHjP7sSmN5hwKzq2VZs=</ds:DigestValue>
</ds:Reference>

</ds:SignedInfo>
<ds:SignatureValue Id="SignatureValue-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">N2iKgDKSy...==</ds:SignatureValue>
<ds:KeyInfo Id="KeyInfoId-Signature-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">
<ds:X509Data>
<ds:X509Certificate>MIII8D...</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>wgcwrorO+vOgKWGMzLCega0a/oNMdSHMTxmO6C7z7ISfU80ddnlODmutRl5OLaHLDgaRVCJ9KmNPpW8uW/c8KOvnCt6JMOyUb1yBnLJgl5YGgJSelLXmZrUNp3daRFqE46C1o53LS93ljQ63vWDlYQIdqaSBCMKYNpqBX0PBPHft8v8Od0NvuCEnRlWhOYXITo/Lu7p3mCuRNYiJ8MZHPf4faoalhMA5y9sFZHTqtr1XrDoM3D5UrTPbubVkKMFK1xQyDyb9Vj7m1NSwv63lgDpG2ouSK2t6ixzxgf/GTkN3el2Nx+6QhNro92IkicE3aRew9P756V5l3063PHyMzQ==</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
<ds:Object Id="XadesObjectId-642b3de2-fb1a-424e-87a6-59be13fadf1f">
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="QualifyingProperties-a522752d-2de4-4f5a-9d30-830370962953" Target="#Signature-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">
<xades:SignedProperties Id="SignedProperties-Signature-a0357d3c-02ff-4a71-888c-aab6fc2a8b1e">
<xades:SignedSignatureProperties>
<xades:SigningTime>2022-02-08T10:04:05+01:00</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>gb86Dv+uNj+Dsup33d2FvOx7f22G/jX7UstM7uH8i4c=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=AC Representación, OU=CERES, O=FNMT-RCM, C=ES</ds:X509IssuerName>
<ds:X509SerialNumber>81878359483328253772408023375514979749</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
<xades:SignedDataObjectProperties>
<xades:DataObjectFormat ObjectReference="#Reference-bce06403-5236-41d2-876e-fa045b90290d">
<xades:MimeType>text/xml</xades:MimeType>
<xades:Encoding>UTF-8</xades:Encoding>
</xades:DataObjectFormat>
</xades:SignedDataObjectProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>

The XADES is not generated using xades4j, but the file "passes" the validation of several online testers (https://tools.chilkat.io/xmlDsigVerify.cshtml#generatedCode, https://ec.europa.eu/cefdigital/DSS/webapp-demo/validation, https://validator.fina.hr/eSigWebApp-web/#validate), so I suppose that the xades4j validation I perform is stronger in some way...

How should I configure the CertificateValidationProvider in order to pass the validation? I mean that I only want to check the integrity of the XADES file (ensure that the content has not been altered, basically check the digests and the signature)

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

缺⑴份安定 2025-01-22 03:37:44

问题是您只向验证器提供 ds:Signature 元素:

NodeList nl = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");

虽然您应该提供完整的 XML 文档,但由于签名覆盖了封装内容,请参阅第一个引用 URI:

<ds:Reference Id="Reference-bce06403-5236-41d2-876e-fa045b90290d" URI="">

空 URI="" 意味着验证器需要取消引用包含当前签名的整个 XML 节点,在您的情况下,它会失败,因为它找不到封装内容。有关签名取消引用模型的更多信息,请参阅 XMLDSig

The problem is that you provide to the validator only the ds:Signature element:

NodeList nl = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");

While you should provide the complete XML document, as the signature covers the enveloping content, see the first reference URI:

<ds:Reference Id="Reference-bce06403-5236-41d2-876e-fa045b90290d" URI="">

The empty URI="" means the validator needs to dereference the whole XML node containing the current signature, and in your case it fails, as it cannot find the enveloping content. See XMLDSig for more information about the signature dereference model.

回复 原文
~没有更多了~

关于作者

錯遇了你

暂无简介

文章
评论
27 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

櫻之舞

文章 0 评论 0

弥枳

文章 0 评论 0

m2429

文章 0 评论 0

寻找一个思念的角度

文章 0 评论 0

野却迷人

文章 0 评论 0

我怀念的。

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文