Root namespace is added to <xades:SignedProperties>

Time: 2012-11-08 17:09:47

Tags: xml-signature xades4j

Library: Apache Santuario + xades4j.

I select the elements with XPath and sign them.

If I try to sign a simple XML without a namespace and verify the signature, it works fine, but if the XML defines a namespace, for example the following XML:

    <ClinicalDocument xmlns="urn:hl7-org:v3">
        <element1tobesigned.../>
        <element2tobesigned.../>
    </ClinicalDocument>

then an exception is thrown when verifying the signature:


    858  WARN  [main] org.apache.xml.security.signature.Reference     - Verification failed for URI "#xmldsig-5fb20abe-b14c-4d84-a908-e22e776cd6f1-signedprops"
    858  WARN  [main] org.apache.xml.security.signature.Reference     - Expected Digest: q0WnWFf9j0kcT46t5cXmcPnVvu5o51oAcmej/SjCazQ=
    858  WARN  [main] org.apache.xml.security.signature.Reference     - Actual Digest: 41zXKVkRCsxUYpNZXW5b9KkZlTC9LM9WA8O7WHQz1Rg=

    xades4j.verification.ReferenceValueException: Reference '#xmldsig-5fb20abe-b14c-4d84-a908-e22e776cd6f1-signedprops' cannot be validated

The reason is that the XML namespace (urn:hl7-org:v3) is added to xades:SignedProperties, so the digest becomes different.

    858  DEBUG [main] org.apache.xml.security.utils.DigesterOutputStream     - Pre-digested input
    858  DEBUG [main] org.apache.xml.security.utils.DigesterOutputStream   - <xades:SignedProperties xmlns="urn:hl7-org:v3" ........./>

Here is the signature generation code:


    XadesTSigningProfile profile = new XadesTSigningProfile(keyProvider);
    profile.withTimeStampTokenProvider(TestTimeStampTokenProvider.class)
           .withAlgorithmsProviderEx(ExclusiveC14nForTimeStampsAlgorithmsProvider.class);

    XadesSigner signer = profile.newSigner();

    // "" references the whole document; the transforms select what is digested
    DataObjectDesc obj1 = new DataObjectReference("")
            .withTransform(new ExclusiveCanonicalXMLWithoutComments())
            .withTransform(new XPathTransform(xPath));

    SignedDataObjects dataObjs = new SignedDataObjects().withSignedDataObject(obj1);

changed 2012-11-20 begin

    //  signer.sign(dataObjs, docToSign.getDocumentElement() );
    new Enveloped(signer).sign(docToSign.getDocumentElement());

changed 2012-11-20 end

Here is the verification code:

    NodeList signatureNodeList = getSigElement(getDocument("my/my-document.signed.bes.countersign.xml"));

    for (int i = 0; i < signatureNodeList.getLength(); i++) {
        Element signatureNode = (Element) signatureNodeList.item(i);
        verifySignature(signatureNode, new XadesVerificationProfile(VerifierTestBase.validationProviderMySigs));
        log.info("successful validation");
    }

    public static XAdESForm verifySignature(Element sigElem,
            XadesVerificationProfile p) throws Exception {
        XAdESVerificationResult res = p.newVerifier().verify(sigElem, null);
        return res.getSignatureForm();
    }

It looks like the Apache Santuario FAQ has documentation on this issue:

2.6. I sign a document and when I try to verify using the same key, it fails

After you have created the XMLSignature object, before you sign the document, you must embed the signature element in the owning document (using a call to XMLSignature.getElement() to retrieve the newly created Element node from the signature) before calling the XMLSignature.sign() method.

During canonicalisation of the SignedInfo element, the library looks at the parent and ancestor nodes of the Signature element to find any namespaces that the SignedInfo node has inherited. Any that are found are embedded in the canonical form of the SignedInfo. (This is not true when Exclusive Canonicalisation is used, but it is still good practice to insert the element node prior to the sign() method being called).

If you have not embedded the signature node in the document, it will not have any parent or ancestor nodes, so it will not inherit their namespaces. If you then embed it in the document and call verify(), the namespaces will be found and the canonical form of SignedInfo will be different to that generated during sign().

There is also another document about this issue, here:

https://stackoverflow.com/a/12759909/1809884

It looks like it is not a bug in xades4j but an XML signature issue.

- added 2012-11-15

Here is how I get docToSign. In fact, I just reused the code in class SignatureServicesTestBase, so I am sure that it is namespace-aware.

    private static DocumentBuilder db;

    static
    {
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true); // xmlns must be seen as a namespace, not a plain attribute
            db = dbf.newDocumentBuilder();
        } catch (ParserConfigurationException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    public static Document getDocument(String fileName) throws Exception
    {
        String path = toPlatformSpecificXMLDirFilePath(fileName);
        Document doc = db.parse(new FileInputStream(path));
        // Apache Santuario now uses Document.getElementById; use this convention for tests.
        Element elem = doc.getDocumentElement();
        DOMHelper.useIdAsXmlId(elem);
        return doc;
    }

and docToSign is returned by calling SignatureServicesTestBase.getDocument():

    Document docToSign = SignatureServicesTestBase.getDocument("my/cdamessage.xml");

And the SignedProperties element is as follows:

    <xades:SignedSignatureProperties>
      <xades:SigningTime>2012-11-15T13:58:26.167+09:00</xades:SigningTime>
      <xades:SigningCertificate>
        <xades:Cert>
          <xades:CertDigest>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>4btVb5gQ5cdcNhGpvDSWQZabPQrR9jf1x8e3YF9Ajss=</ds:DigestValue>
          </xades:CertDigest>
          <xades:IssuerSerial>
            <ds:X509IssuerName>CN=Itermediate,OU=CC,O=ISEL,C=PT</ds:X509IssuerName>
            <ds:X509SerialNumber>-119284162484605703133798696662099777223</ds:X509SerialNumber>
          </xades:IssuerSerial>
        </xades:Cert>
        <xades:Cert>
          <xades:CertDigest>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>vm5QpbblsWV7fCYXotPhNTeCt4nk8cLFuF36L5RJ4Ok=</ds:DigestValue>
          </xades:CertDigest>
          <xades:IssuerSerial>
            <ds:X509IssuerName>CN=TestCA,OU=CC,O=ISEL,C=PT</ds:X509IssuerName>
            <ds:X509SerialNumber>-46248926895392336918291885380930606289</ds:X509SerialNumber>
          </xades:IssuerSerial>
        </xades:Cert>
        <xades:Cert>
          <xades:CertDigest>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>AUaN+IdhKQqxIVmEOrFwq+Dn22ebTkXJqD3BoOP/x8E=</ds:DigestValue>
          </xades:CertDigest>
          <xades:IssuerSerial>
            <ds:X509IssuerName>CN=TestCA,OU=CC,O=ISEL,C=PT</ds:X509IssuerName>
            <ds:X509SerialNumber>-99704378678639105802976522062798066869</ds:X509SerialNumber>
          </xades:IssuerSerial>
        </xades:Cert>
      </xades:SigningCertificate>
    </xades:SignedSignatureProperties>
    </xades:SignedProperties>

Also, I use XPath to get the elements to sign, and the namespace (xmlns="urn:hl7-org:v3") is added to the result as well:

    543  DEBUG [main] org.apache.xml.security.utils.ElementProxy     - setElement("ds:Transform", "null")
    544  DEBUG [main] org.apache.xml.security.utils.ElementProxy     - setElement("dsig-xpath:XPath", "null")
    658  DEBUG [main] org.apache.xml.security.utils.DigesterOutputStream     - Pre-digested input:
    658  DEBUG [main] org.apache.xml.security.utils.DigesterOutputStream     - <component xmlns="urn:hl7-org:v3" Id="ES" contextConductionInd="true" typeCode="COMP">
            <section classCode="DOCSECT" moodCode="EVN">
              <code code="ES" codeSystem="2.16.840.1.113883.6.1" codeSystemName="SectionCode" codeSystemVersion="1.0" displayName="english"></code>
              <text>english</text>
            </section>
          </component>

What is wrong with XPath? XPath is driving me crazy. I think I have to start studying XPath from now on.

Chris

1 answer:

Answer 0 (score: 1)

You are creating an enveloped signature, but the enveloped signature transform is missing! Since the whole document is being signed, the signature node itself must be excluded, because some of its contents change after the signature is computed.

I can't believe I didn't see it before you mentioned the Enveloped class. By the way, that class is just a utility class for simple, direct enveloped signatures. It shouldn't even be there. You can add the transform yourself:

    DataObjectDesc obj1 = new DataObjectReference("")
            .withTransform(new EnvelopedSignatureTransform())
            .withTransform(new ExclusiveCanonicalXMLWithoutComments())
            ...
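A complete sign-then-verify sequence assembled from the snippets in the question and in this answer, as an added example rather than code from the question or from the xades4j project. It assumes the xades4j 1.3-era package names (xades4j.algorithms, xades4j.production, xades4j.verification, xades4j.providers), an already configured KeyingDataProvider and CertificateValidationProvider, and a Document parsed with a namespace-aware DocumentBuilder as in the question's getDocument(). It uses the BES profile instead of the question's XAdES-T profile so that no timestamp token provider is needed, and it orders the transforms enveloped, then XPath, then exclusive C14N, so canonicalization is the last step.

```java
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import xades4j.algorithms.EnvelopedSignatureTransform;
import xades4j.algorithms.ExclusiveCanonicalXMLWithoutComments;
import xades4j.algorithms.XPathTransform;
import xades4j.production.DataObjectDesc;
import xades4j.production.DataObjectReference;
import xades4j.production.SignedDataObjects;
import xades4j.production.XadesBesSigningProfile;
import xades4j.production.XadesSigner;
import xades4j.providers.CertificateValidationProvider;
import xades4j.providers.KeyingDataProvider;
import xades4j.verification.XAdESForm;
import xades4j.verification.XAdESVerificationResult;
import xades4j.verification.XadesVerificationProfile;

/**
 * Added example (not from the question or from xades4j): enveloped XAdES-BES
 * signature over XPath-selected elements of a namespaced document, then
 * verification of every ds:Signature found in the result.
 */
public class EnvelopedXPathSignatureExample {

    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /**
     * Sign the nodes selected by xPath and place the ds:Signature under the
     * document element. The enveloped transform is first, so the signature
     * element appended afterwards is excluded from the digested content; the
     * XPath filter narrows the node-set and exclusive C14N serializes it
     * without pulling in inherited xmlns declarations.
     */
    public static Element sign(Document docToSign, String xPath, KeyingDataProvider keyProvider)
            throws Exception {
        // Assumption: keyProvider is a configured KeyingDataProvider (e.g. a keystore-backed one).
        XadesSigner signer = new XadesBesSigningProfile(keyProvider).newSigner();

        DataObjectDesc obj1 = new DataObjectReference("")           // "" = the enclosing document
                .withTransform(new EnvelopedSignatureTransform())    // the transform the question lacked
                .withTransform(new XPathTransform(xPath))
                .withTransform(new ExclusiveCanonicalXMLWithoutComments());

        SignedDataObjects dataObjs = new SignedDataObjects().withSignedDataObject(obj1);

        // xades4j appends the ds:Signature under the given parent, so the
        // signature is embedded in the owning document before digests are
        // computed (the point made by the Santuario FAQ) and sees the same
        // in-scope namespaces at sign and verify time.
        Element parent = docToSign.getDocumentElement();
        signer.sign(dataObjs, parent);

        NodeList sigs = parent.getElementsByTagNameNS(DSIG_NS, "Signature");
        return (Element) sigs.item(sigs.getLength() - 1);
    }

    /**
     * Verify every ds:Signature in the document. A failing reference digest
     * surfaces as a ReferenceValueException from verify(); the form of the
     * last signature verified is returned.
     */
    public static XAdESForm verifyAll(Document signedDoc, CertificateValidationProvider validationProvider)
            throws Exception {
        // Assumption: validationProvider holds the trust anchors for the signing certificate chain.
        XadesVerificationProfile profile = new XadesVerificationProfile(validationProvider);
        NodeList sigs = signedDoc.getElementsByTagNameNS(DSIG_NS, "Signature");
        XAdESForm form = null;
        for (int i = 0; i < sigs.getLength(); i++) {
            XAdESVerificationResult res = profile.newVerifier().verify((Element) sigs.item(i), null);
            form = res.getSignatureForm();
        }
        return form;
    }
}
```

Usage is sign(docToSign, "//*[local-name()='component']", keyProvider) followed by verifyAll(docToSign, validationProvider) on the same Document; because the enveloped transform removes ds:Signature from the referenced node-set, a second signature added to the same document does not break the first.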