Is this XML perfectly signed using a xades-bes signature?

Time: 2015-04-14 19:10:14

Tags: xml xml-signature

I have an XML file that should be signed using a certificate from openSSL.

<?xml version="1.0" encoding="UTF-8"?><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="PEMI-Signature-Id-1"><ds:SignedInfo Id="PEMI-SignedInfo-Id-1"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference Id="PEMI-Reference-Id-1" URI="#PEMI-Object-Id-2"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>RQ307h+y/MFZlPFUzUCHJXMHj/8=</ds:DigestValue></ds:Reference><ds:Reference Id="PEMI-Reference-Id-2" Type="http://uri.etsi.org/01903#SignedProperties" URI="#PEMI-SignedProperties-Id-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>lHsgsg21VkEzqhKYSXUKHXo3npI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue Id="PEMI-SignatureValue-Id-1">fZvu6Dz3ZEUVJ5YRDH8+x3C4QZKWQ4T1D4ZJ7g4gaBh4PIFHjkDvpguFYM37mnsJa/LkA6xOKr2Q
R9k+P8LhFA==</ds:SignatureValue><ds:KeyInfo Id="PEMI-KeyInfo-Id-1"><ds:X509Data><ds:X509Certificate>MIICfDCCAiagAwIBAgIJAMoeGlkfFg3DMA0GCSqGSIb3DQEBBAUAMF8xCzAJBgNVBAYTAlBMMRQw…</ds:X509Certificate></ds:X509Data></ds:KeyInfo><ds:Object Id="PEMI-Object-Id-1"><xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="PEMI-QualifyingProperties-Id-1" Target="#PEMI-Signature-Id-1"><xades:SignedProperties Id="PEMI-SignedProperties-Id-1"><xades:SignedSignatureProperties Id="PEMI-SignedSignatureProperties-Id-1"><xades:SigningTime>2015-04-14T14:45:56Z</xades:SigningTime><xades:SigningCertificate><xades:Cert><xades:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue></ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>C=PL, S=mazowieckie, L=Warszawa, O=TESTOWA, CN=Jan Kowalski</ds:X509IssuerName><ds:X509SerialNumber>14564107215038713283</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert></xades:SigningCertificate></xades:SignedSignatureProperties></xades:SignedProperties></xades:QualifyingProperties></ds:Object><ds:Object Id="PEMI-Object-Id-2" MimeType="text/xml"><A>
    <B>some data</B>
</A></ds:Object></ds:Signature>

When I try to check whether it is signed properly, one piece of software says everything is fine (http://www.pemi.org.pl/index.php/do-pobrania/31-aplikacja-protektor), and when I try to verify it elsewhere it says the signature is invalid (http://sigillum.pl/pliki_do_pobrania.html). Can someone verify the signature? Or perhaps tell me how to be 100% sure.

2 Answers:

Answer 0 (score: 1)

I tried to verify it with Serenity (http://www.cryptolog.com/fr/produits/produits-serveurs/serenity-validation-de-signature-electronique). It gave the following report:

  • The cryptographic value (the signature value) is valid
  • Your signature has two references (two signed objects):
    1) URI="#PEMI-SignedProperties-Id-1" is valid
    2) URI="#PEMI-Object-Id-2" is invalid

For the last Reference, the expected input to the hash is

<ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="PEMI-Object-Id-2" MimeType="text/xml"><A>
<B>some data</B>
</A></ds:Object>

Answer 1 (score: 0)

The goal of this question is to find out whether this is a xades-bes signature. The answer is definitely no. Here is why:

  1. As Moez said, the second reference is invalid
  2. The ds:DigestValue tag in the certificate section is empty
  3. The key used to generate the signature is short (according to this)
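The three findings above (a Reference whose digest no longer matches, an empty xades:CertDigest, and a short RSA key) can all be checked mechanically. The script below is an added example written for this page, not code from the question, either answer, or any of the validators mentioned. It uses only the Python standard library (3.8+). Assumptions: the signature is enveloping, references are same-document `#Id` references with no Transforms (as in the posted XML), and digests are SHA-1. Inclusive C14N of a referenced subtree is approximated by re-serialising it with ElementTree and passing the result through `xml.etree.ElementTree.canonicalize`; that is exact only when every namespace in scope at the referenced element is also used inside it, which holds here, but a production verifier should use lxml's c14n or a real XML-DSig library (xmlsec, signxml). The `TEMPLATE` is a constructed sample that mirrors the question's layout (same Ids, algorithms, empty CertDigest); its reference digests are computed by the script and nothing is RSA-signed. The only value copied from the question is its SignatureValue, used to derive the key length.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"
ET.register_namespace("ds", DS)        # keep the document's prefixes when re-serialising
ET.register_namespace("xades", XADES)

DIGESTS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
}


def c14n_subtree(elem):
    """Canonical bytes of one element and its descendants (approximates inclusive C14N,
    without comments; see the caveat in the lead-in about in-scope namespaces)."""
    elem = copy.deepcopy(elem)
    elem.tail = None                    # tostring() would otherwise append the tail text
    return ET.canonicalize(xml_data=ET.tostring(elem)).encode("utf-8")


def find_by_id(root, ref_id):
    for el in root.iter():
        if el.get("Id") == ref_id:
            return el
    raise KeyError(f"no element with Id={ref_id!r}")


def verify_references(xml_bytes):
    """Recompute every ds:Reference digest in ds:SignedInfo; return {URI: matches?}."""
    root = ET.fromstring(xml_bytes)
    results = {}
    for ref in root.iterfind(f"{{{DS}}}SignedInfo/{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or ref.find(f"{{{DS}}}Transforms") is not None:
            raise ValueError(f"only same-document references without Transforms: {uri!r}")
        algo = ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
        expected = base64.b64decode(ref.findtext(f"{{{DS}}}DigestValue", ""))
        actual = DIGESTS[algo](c14n_subtree(find_by_id(root, uri[1:]))).digest()
        results[uri] = actual == expected
    return results


def cert_digest_present(xml_bytes):
    """XAdES-BES binds the signing certificate via xades:CertDigest; it must not be empty."""
    dv = ET.fromstring(xml_bytes).find(f".//{{{XADES}}}CertDigest/{{{DS}}}DigestValue")
    return dv is not None and bool((dv.text or "").strip())


def rsa_modulus_bits(signature_value_b64):
    """An RSA PKCS#1 v1.5 signature is exactly as long as the modulus."""
    return len(base64.b64decode("".join(signature_value_b64.split()))) * 8


def report(xml_bytes):
    root = ET.fromstring(xml_bytes)
    sig_alg = root.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod").get("Algorithm")
    bits = rsa_modulus_bits(root.findtext(f"{{{DS}}}SignatureValue"))
    return {
        "references": verify_references(xml_bytes),
        "cert_digest_present": cert_digest_present(xml_bytes),
        "rsa_bits": bits,
        "weak_key": bits < 2048,        # 512- and 1024-bit RSA are not acceptable today
        "weak_hash": sig_alg.endswith("sha1"),
    }


# Constructed sample mirroring the question's layout; {obj}/{props} are filled by build_sample.
TEMPLATE = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="PEMI-Signature-Id-1">'
    '<ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<ds:Reference URI="#PEMI-Object-Id-2">'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<ds:DigestValue>{obj}</ds:DigestValue></ds:Reference>'
    '<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#PEMI-SignedProperties-Id-1">'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<ds:DigestValue>{props}</ds:DigestValue></ds:Reference></ds:SignedInfo>'
    '<ds:SignatureValue>{sig}</ds:SignatureValue>'
    '<ds:Object><xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#"'
    ' Target="#PEMI-Signature-Id-1"><xades:SignedProperties Id="PEMI-SignedProperties-Id-1">'
    '<xades:SignedSignatureProperties><xades:SigningTime>2015-04-14T14:45:56Z</xades:SigningTime>'
    '<xades:SigningCertificate><xades:Cert><xades:CertDigest>'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<ds:DigestValue></ds:DigestValue></xades:CertDigest></xades:Cert></xades:SigningCertificate>'
    '</xades:SignedSignatureProperties></xades:SignedProperties></xades:QualifyingProperties>'
    '</ds:Object><ds:Object Id="PEMI-Object-Id-2" MimeType="text/xml">{body}</ds:Object>'
    '</ds:Signature>'
)
# SignatureValue exactly as posted in the question: 88 base64 chars -> 64 bytes -> 512-bit modulus.
QUESTION_SIGNATURE_VALUE = (
    "fZvu6Dz3ZEUVJ5YRDH8+x3C4QZKWQ4T1D4ZJ7g4gaBh4PIFHjkDvpguFYM37mnsJa/LkA6xOKr2Q"
    "R9k+P8LhFA=="
)
QUESTION_OBJECT_BODY = "<A>\n    <B>some data</B>\n</A>"   # whitespace is part of what is signed


def build_sample(object_body=QUESTION_OBJECT_BODY, sig=QUESTION_SIGNATURE_VALUE):
    """Fill the template with correct reference digests (the referenced subtrees do not
    contain SignedInfo, so filling the digests afterwards does not change them)."""
    root = ET.fromstring(TEMPLATE.format(obj="", props="", sig=sig, body=object_body))

    def digest_b64(ref_id):
        return base64.b64encode(hashlib.sha1(c14n_subtree(find_by_id(root, ref_id))).digest()).decode()

    return TEMPLATE.format(obj=digest_b64("PEMI-Object-Id-2"),
                           props=digest_b64("PEMI-SignedProperties-Id-1"),
                           sig=sig, body=object_body).encode("utf-8")


if __name__ == "__main__":
    good = build_sample()
    print("as built:      ", report(good))
    # The classic failure: a tool re-indents the signed ds:Object after signing.
    reindented = good.replace(QUESTION_OBJECT_BODY.encode(), b"<A><B>some data</B></A>")
    print("after reformat:", verify_references(reindented))
```

Run stand-alone, the first report shows both references valid, `cert_digest_present` False and a 512-bit key with rsa-sha1, while the second run shows the `#PEMI-Object-Id-2` reference failing after nothing but a whitespace change inside the signed Object, which is exactly the kind of mismatch the Serenity report describes. The digest comparison only tells you whether the bytes were altered after signing; the empty CertDigest and the 512-bit key mean the signature should be rejected even when every digest lines up.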