提前致谢。
我很多天都在挣扎。
当我使用自己的代码创建SignedXML并尝试验证它时。它工作正常但是当我从其他方获得SOAP消息时(我们已经验证了其他JAVA plaftform的完美工作。)SignedXml.CheckSignature总是给出错误的结果。我尝试了很多选项(包括用于检查SignedXML源代码的反射器)但是没有任何线索。
以下是我需要验证的带有WS-Security的SOAP消息的格式(不使用WCF框架)。
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-11465961">MIID+jCCAuKgAwIBAgICBrowDQYJKoZIhvcNAQEFBQAwPzELMAkGA1UEBhMCU0UxEjAQBgNVBAoTCVN0ZXJpYSBBQjEcMBoGA1UEAxMTU3RlcmlhIEFCIEVJRCBDQSB2MjAeFw0xMzA1MTMxMTE1MDdaFw0xNTA3MTMxMDMwMDNaMGUxCzAJBgNVBAYTAlNFMRwwGgYDVQQKFBNM5G5zZvZyc+RrcmluZ2FyIEFCMRMwEQYDVQQLEwo1NTY1NDk3MDIwMSMwDAYDVQQDEwVMRkxpdjATBgNVBAUTDDE2NTU2NTQ5NzAyMDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAumKsk/yZOfi9886w4GmTcCLdF9YE2Y97vB8Db77ifzABW3ovK3n+yC7ZI626j85hu9Elh08winNPXm9Tv6yU9PuOal18rwIHLer8zvcYgAmSCj7ND+dVezkOKSmNi6ZUGkk0vYaY6rD1bb+YOofcDnDy3TUlMwK8Ml3U9QR/VKsCAwEAAaOCAVwwggFYMB8GA1UdIwQYMBaAFJCAgCvzWv1A2zP4Uyk8pNbR7osoMB0GA1UdDgQWBBSL1qEqD6UDpPsfDRw/UQ3NkyMYJDAOBgNVHQ8BAf8EBAMCBkAwIwYDVR0RBBwwGoEYc3Nla0BsYW5zZm9yc2FrcmluZ2FyLnNlMBUGA1UdIAQOMAwwCgYIKoVwNgkCDQEwgZUGA1UdHwSBjTCBijBDoEGgP4Y9aHR0cDovL2NkcDIuc3RlcmlhLnNlL2NkcC9laWQvU3RlcmlhJTIwQUIlMjBFSUQlMjBDQSUyMHYyLmNybDBDoEGgP4Y9aHR0cDovL2NkcDEuc3RlcmlhLnNlL2NkcC9laWQvU3RlcmlhJTIwQUIlMjBFSUQlMjBDQSUyMHYyLmNybDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLnN0ZXJpYS5zZS8wDQYJKoZIhvcNAQEFBQADggEBAGxhYvom44znVwgNWXZDnklcotlSAPo17C47aMJq9NylMXHSLqYhfjUwRL7Ig6K128StiBhMLG8KbLXE0hgUIEmT/+NYUnlWozC621fxZXIk8sjTFWfcECkXQ1B7sIEYHBiOHlJHyvYINQIetLZgLPzaO4wu2/HWvO/TfXRb0KK4Omix1733YswCylM0ZoZr+meZAmMVTdXkKwSLDw1+xa6IYLTPWNDcl1Ox0lkyYLraVw5R3ihZFLwvn6MApm0OXfuX8dOGiGpXvi8ejwp39Txy9RsBPUYsJcKXW+YQ8Vh9QqF/7Oizy3IW9tzb3IHm6ZYs8C5hH1BVmo4A2Ga8hBs=</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#id-533766178">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>9rVto1vy/hNACyla+vwnJIGExJk=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-968960127">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>T1jD9YbuXbf3l65Abuf9Xw8f6fE=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-944359288">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>O9rnP0RRV2Dcy70SRRmU1A7lqB4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
HACu8a2cc3fm2VDE7ri1vCSeT8ozENo0//BJTAt4RiNQYKxIeka1kWAMZHeHOhRu7V9rnNF+zlLt
/4fOnaMzEhruRQIJG/DCgUACnb070Mh2fwquAqFOsdpH98kc9We5tHYwfnDufoV8mZozomQ5ex2P
flcE25QjymvXodg5pP0=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-1977405101">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-1938095182">
<wsse:Reference URI="#CertId-11465961" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-968960127">
<wsu:Created>2015-06-23T11:15:32.012Z</wsu:Created>
<wsu:Expires>2015-06-23T11:51:32.012Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<ssek:SSEK xmlns:ssek="http://schemas.ssek.org/ssek/2006-05-10/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-944359288" ssek:AsynchMethod="AsynchPush" soap:mustUnderstand="1">
<ssek:SenderId ssek:Type="CN">XXXX</ssek:SenderId>
<ssek:ReceiverId ssek:Type="CN">XXXX</ssek:ReceiverId>
<ssek:TxId>deadbeef-9a71-41ca-af2d-a7a333006de8</ssek:TxId>
</ssek:SSEK>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-533766178">
<testOk xmlns="urn:SSEKTestOk" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<hello>KUNDAN test</hello>
</testOk>
</soap:Body>
</soap:Envelope>
以下是我写的代码。
使用System; 使用System.Security.Cryptography; 使用System.Security.Cryptography.Xml; 使用System.Security.Cryptography.X509Certificates; 使用System.Text; 使用System.Xml; 使用System.Collections; 使用System.Collections.ObjectModel;
命名空间VerifyOnlySignature { 课程 { static void Main(string [] args) {
string Certificate = "CN=KundanKServer";
XmlDocument xmlDocument = new XmlDocument();
xmlDocument.PreserveWhitespace = false;
xmlDocument.Load(@"D:\kundan\RnD\BizTalkSSEK_POC\VarifySignature\SampleFiles\BizTalk_SSEK_Out_S_and_P.xml");
X509Certificate2 cert = GetCertificateBySubject(Certificate);
SignedXmlWithId signedXml = new SignedXmlWithId(xmlDocument);
XmlNodeList nodeList = xmlDocument.GetElementsByTagName("Signature", SignedXmlWithId.XmlDsigNamespaceUrl);
signedXml.LoadXml((XmlElement)nodeList[0]);
signedXml.SignedInfo.CanonicalizationMethod = SignedXmlWithId.XmlDsigExcC14NTransformUrl;
bool resultSign = signedXml.CheckSignature(cert, true);
Console.WriteLine(resultSign.ToString());
Console.ReadKey();
}
public static X509Certificate2 GetCertificateBySubject(string CertificateSubject)
{
if (null == CertificateSubject)
throw new ArgumentNullException("CertificateSubject");
X509Certificate2 cert = null;
X509Store store = new X509Store("My", StoreLocation.LocalMachine);
try
{
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
// Get the certs from the store.
X509Certificate2Collection CertCol = store.Certificates;
// Find the certificate with the specified subject.
foreach (X509Certificate2 c in CertCol)
{
if (c.Subject == CertificateSubject)
{
cert = c;
break;
}
}
// Throw an exception of the certificate was not found.
if (cert == null)
{
throw new CryptographicException("The certificate could not be found.");
}
}
finally
{
// Close the store even if an exception was thrown.
store.Close();
}
return cert;
}
}
public class SignedXmlWithId : SignedXml
{
public SignedXmlWithId(XmlDocument xml)
: base(xml)
{
}
public SignedXmlWithId(XmlElement xmlElement)
: base(xmlElement)
{
}
public override XmlElement GetIdElement(XmlDocument doc, string id)
{
// check to see if it's a standard ID reference
XmlElement idElem = base.GetIdElement(doc, id);
if (idElem == null)
{
XmlNamespaceManager nsManager = new XmlNamespaceManager(doc.NameTable);
nsManager.AddNamespace("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
idElem = doc.SelectSingleNode("//*[@wsu:Id=\"" + id + "\"]", nsManager) as XmlElement;
}
return idElem;
}
}
}
答案 0 :(得分:0)
全部谢谢, 它的工作正常。
问题:放在行下面
Xmldoc.PreserveWhitespace = true
请勿格式化xml文档,保持原样。
此致
Kundan