Enveloping and Detached XML Signatures using Apache XML Security C++ (XSec)

Time: 2013-03-11 09:04:54

Tags: c++ xml cryptography digital-signature xml-signature

What is the correct way to implement Enveloping and Detached signatures using the Apache XML Security Library (xsec) version 3.1.1?

I am looking for some good examples, but could not find any good ones. The apache website also lists an example, but it is only for creating Enveloped Signatures.

1 answer:

Answer 0: (score: 0)

I found the solution to be quite simple.

After parsing the document, the following will generate an Enveloped Signature (as specified here):

// rootelem contains the root element of the parsed document
XSECProvider    prov;
DSIGSignature * sig;
DOMElement    * sigNode;

sig = prov.newSignature();
sigNode = sig->createBlankSignature(xercescdom, CANON_C14N_COM, SIGNATURE_HMAC, HASH_SHA1);

// append the signature node to the document's element which is being signed, here
// it is the root element
rootelem->appendChild(xercescdom->createTextNode(MAKE_UNICODE_STRING("\n")));
rootelem->appendChild(sigNode);
rootelem->appendChild(xercescdom->createTextNode(MAKE_UNICODE_STRING("\n")));

// create the envelope reference and the signing key (e.g. HMAC Key)
// set the signing key

sig->setSigningKey(hmackey);

// other steps... Serializing the rootelem will generate an XML document with Enveloped Signature

The following will generate an Enveloping Signature:

XSECProvider    prov;
DSIGSignature * sig;
DOMElement    * sigNode;

sig = prov.newSignature();
sigNode = sig->createBlankSignature(xercescdom, CANON_C14N_COM, SIGNATURE_HMAC, HASH_SHA1);

// append an "Object" element to the signature object
DSIGObject * object = sig->appendObject();
// in an enveloping signature, the "Object" element contains the data being signed
// so the rootelem can be appended as a child to this object element
object->appendChild(rootelem);

// AND you are done!
// now create the envelope reference and the signing key (e.g. HMAC Key)
// set the signing key

sig->setSigningKey(hmackey);

// Serializing the signature node (sigNode) will give you the required XML with Enveloping Signature.

Similarly, a Detached Signature can be generated with some effort.

The above examples cover very simple cases. Signing multiple data items and document subsets requires some effort.
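
The three signature forms discussed above differ only in where the signed data sits relative to the Signature element, which is something a verifier can check before trusting a signature. The following is an added example, not code from the answer or from the XSec project: `Elem`, `Form` and `classify` are hypothetical names, and the tiny tree type stands in for the Xerces DOM so the block compiles without the library.

```cpp
#include <memory>
#include <string>
#include <vector>

// Minimal stand-in for a DOM element (constructed for this example; not the Xerces DOM).
struct Elem {
    std::string name, id, uri;   // id = Id attribute, uri = URI attribute of a <Reference>
    Elem *parent = nullptr;
    std::vector<std::unique_ptr<Elem>> kids;
    Elem *add(const std::string &n, const std::string &i = "", const std::string &u = "") {
        kids.push_back(std::make_unique<Elem>());
        Elem *e = kids.back().get();
        e->name = n; e->id = i; e->uri = u; e->parent = this;
        return e;
    }
};

enum class Form { Enveloped, Enveloping, Detached, Unresolved };

// Depth-first search for the element carrying the given Id.
static const Elem *findById(const Elem *e, const std::string &id) {
    if (!id.empty() && e->id == id) return e;
    for (const auto &k : e->kids)
        if (const Elem *hit = findById(k.get(), id)) return hit;
    return nullptr;
}

// True when `a` is `e` itself or one of its ancestors.
static bool isAncestorOrSelf(const Elem *a, const Elem *e) {
    for (; e; e = e->parent) if (e == a) return true;
    return false;
}

// Classify one <Reference> of the signature `sig` within the tree rooted at `root`.
Form classify(const Elem *root, const Elem *sig, const Elem *ref) {
    const std::string &u = ref->uri;
    if (!u.empty() && u[0] != '#') return Form::Detached;   // external resource
    const Elem *target = u.empty() ? root : findById(root, u.substr(1));
    if (!target) return Form::Unresolved;                   // fragment matches no Id
    if (isAncestorOrSelf(target, sig)) return Form::Enveloped;   // signature inside signed data
    if (isAncestorOrSelf(sig, target)) return Form::Enveloping;  // signed data inside signature
    return Form::Detached;                                  // same document, separate subtrees
}
```

A verifier that expects one form can reject a document whose reference resolves to a different one, or to nothing, before it checks the signature value.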