我在XAdES格式中遇到签名验证问题。 我有两个文件,原始文件是docx格式,签名是一个分离的xml文件。我认为问题可能与文件URI有关。 这是我的分离签名文件:
<?xml version="1.0" encoding="UTF-8"?>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Sgn_2804249982172_0">
<ds:SignedInfo Id="SgnInfo_2804256168581_6">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference Id="Ref_2804255147729_3" URI="inwo.docx">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>+lf+CQUm2Q9AtpgUWtb3t1Es8fw=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" Id="Ref_2804256109848_4" URI="#SgnProp_2804250190981_1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>4Y0jeM8Wra5VbOOKmPyzUymtWdQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="SgnVal_2804256158333_5">J1WDOfKDjuMCz3W8sXXJ2+Ez5yF3bBS3vHogdhckiVrX2hw9FxHADknZPDLsOuLP1TrQi3i2ryvyikVAU3TSw1/wTnVNWG92C4hCPLkL+ISpulzr7KB38dWbXjIC2mjEPGUoS2e1r57Vri9M+q46Ivm5eFRGw/N785GLdt+K8ZZjee5VxCI200G/2hgqq8rA/5vibZ1RjyQ5SU+Mrdlmjdlk5lSYfHYBPICAxQCt1kiuNezHwSb0KquQb//iymvijEFnJ9TzX+TvKJNaTnCE6gymJVupmaH+8xZjEN8oRJH/TjnfEdOtzwBZJt/G/Q2e22crv/Y91MlcBBCZYH1gBA==</ds:SignatureValue>
<ds:KeyInfo Id="Key_2804250972666_2">
<ds:X509Data>
<ds:X509Certificate>MIIELTCCAxWgAwIBAgIIB7QCvhKRfQwwDQYJKoZIhvcNAQEFBQAwfDEVMBMGA1UEBRMMTnIgd3Bpc3U6IDExMQswCQYDVQQGEwJQTDEeMBwGA1UECgwVRW5pZ21hIFNPSSBzcC4geiBvLm8uMTYwNAYDVQQDDC1DZW5DZXJ0IENlbnRydW0gQ2VydHlmaWthdMOzdyBLd2FsaWZpa293YW55Y2gwHhcNMTUwNjE4MTExMTIxWhcNMTcwNjE4MTExMTIxWjByMQswCQYDVQQGEwJQTDEQMA4GA1UEKgwHU2V3ZXJ5bjEVMBMGA1UEBAwMS8SZcGN6ecWEc2tpMR0wGwYDVQQDDBRTZXdlcnluIEvEmXBjennFhHNraTEbMBkGA1UEBRMSUEVTRUw6IDgzMTAwNjA5MjEyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA026nfGgo3+/dbUxdLNz1/zuBlx06tihDx7E2LvyzB6BfL3oIeif5n1O1WKEIhf9msp6BbBo4NOjSmPskk2u/EMmDZjEG6Bf2HZDeulMOroVGAzTcEGespT5A3Q6ctkI/8AbaHIy00JCJ9FOmuEN4vPbps/7vEMtAjYIZpGE1jA8478vP4Kh4vdk6K4gAgykj2hPUOhTvUpUa2s8M3X1M1Et6Y7+BhBvUrYi233oxXKqoPfKHHqMLGkT5RzyaqzHXbsdl50ghs1pN2dgQ1PkZw1IbEY6z5DyOez0wX46tgtQ9fFvoO+HcF48HLdPBmpotKQpzC7peRTTLD3UnrjyJvQIDAQABo4G8MIG5MA4GA1UdDwEB/wQEAwIGQDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFE3zrov+vbeVhA/nLrYxzOD+ysC4MBoGA1UdIAQTMBEwDwYNKoRoAYb4EQEBCgEBAjAYBggrBgEFBQcBAwQMMAowCAYGBACORgEBMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly93d3cuY2VuY2VydC5wbC9jcmwvZW5pZ21hX29zdGF0bmlfa3dhbC5jcmwwDQYJKoZIhvcNAQEFBQADggEBAJniiSmnCI/jdpt7QVTqEoJda6FQ8WU2Gxec8PrGXSnQizJAYvt9eC7iwmrmXQfL9fK+MneNWbnVdEwiLDuVaKLLbsfHlzD3nnuIQbLmcfPkxRAq7gbOuebeyV6rDqdlgl55dcDQGcGy3HikKDAdmUtwDTAZ/W4PXo7JIzYtIqnaMNEiZXMAmCOEiWcThJBr4vG8aG9eEuScwLqi71icPrbkaadqcQ6byT02c8S7JLvxNqEXeP+8e4+7iF50oKy9Pp4cU5QP/vCmXAv/GtK/wqO36/+gqiullNzkQbS6bh346XOvj/QIzj9p2TxveHsZ7McNrChRM5w5cKJG3Jwg1Hc=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object>
<xades:QualifyingProperties
xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#Sgn_2804249982172_0">
<xades:SignedProperties Id="SgnProp_2804250190981_1">
<xades:SignedSignatureProperties>
<xades:SigningTime>2015-06-29T10:50:04Z</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>v+nTdfEy11gU0HuH7HHr/YZvx6c=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=CenCert Centrum Certyfikatów Kwalifikowanych,O=Enigma SOI sp. z o.o.,C=PL,SERIALNUMBER=Nr wpisu: 11</ds:X509IssuerName>
<ds:X509SerialNumber>555071669451980044</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
<xades:SignedDataObjectProperties>
<xades:DataObjectFormat ObjectReference="#Ref_2804255147729_3">
<xades:MimeType>application/vnd.openxmlformats-officedocument.wordprocessingml.document</xades:MimeType>
</xades:DataObjectFormat>
</xades:SignedDataObjectProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>
这是我的堆叠例外:
xades4j.XAdES4jXMLSigException: Error verifying the signature
at xades4j.verification.XadesVerifierImpl.doCoreVerification(XadesVerifierImpl.java:285) ~[xades4j-1.3.1.jar:na]
at xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:188) ~[xades4j-1.3.1.jar:na]
at pl.comp.kbf.services.ejb.repository.pki.DigitalSignVerifierServiceImpl.verifyFileSignature(DigitalSignVerifierServiceImpl.java:99) ~[KBFPortalEJB.jar/:na]
at pl.comp.kbf.services.ejb.repository.pki.DigitalSignVerifierServiceImpl$Proxy$_$$_WeldClientProxy.verifyFileSignature(Unknown Source) [KBFPortalEJB.jar/:na]
at pl.comp.kbf.portal.documents.registered.FileSignatureBean.verifyXAdESSignature(FileSignatureBean.java:231) [FileSignatureBean.class:na]
at pl.comp.kbf.portal.documents.registered.FileSignatureBean.verifySignature(FileSignatureBean.java:195) [FileSignatureBean.class:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_75]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_75]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_75]
at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_75]
at com.sun.el.parser.AstValue.invoke(AstValue.java:289) [javax.el.jar:3.0.1-b03]
at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:304) [javax.el.jar:3.0.1-b03]
at org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40) [weld-osgi-bundle.jar:2014-06-18 10:59]
at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50) [weld-osgi-bundle.jar:2014-06-18 10:59]
at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105) [javax.faces.jar:2.2.7]
at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:87) [javax.faces.jar:2.2.7]
at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) [javax.faces.jar:2.2.7]
at javax.faces.component.UICommand.broadcast(UICommand.java:315) [javax.faces.jar:2.2.7]
at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:790) [javax.faces.jar:2.2.7]
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1282) [javax.faces.jar:2.2.7]
at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81) [javax.faces.jar:2.2.7]
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [javax.faces.jar:2.2.7]
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198) [javax.faces.jar:2.2.7]
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:646) [javax.faces.jar:2.2.7]
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1682) [web-core.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:344) [web-core.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [web-core.jar:na]
at org.primefaces.webapp.filter.FileUploadFilter.doFilter(FileUploadFilter.java:105) [primefaces-5.1.jar:5.1]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) [web-core.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [web-core.jar:na]
at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:205) [rewrite-servlet-2.0.12.Final.jar:2.0.12.Final]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) [web-core.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [web-core.jar:na]
at org.apache.catalina.core.ApplicationDispatcher.doInvoke(ApplicationDispatcher.java:873) [web-core.jar:na]
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:739) [web-core.jar:na]
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:575) [web-core.jar:na]
at org.apache.catalina.core.ApplicationDispatcher.doDispatch(ApplicationDispatcher.java:546) [web-core.jar:na]
at org.apache.catalina.core.ApplicationDispatcher.dispatch(ApplicationDispatcher.java:428) [web-core.jar:na]
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:378) [web-core.jar:na]
at org.ocpsoft.rewrite.servlet.impl.HttpRewriteResultHandler.handleResult(HttpRewriteResultHandler.java:41) [rewrite-servlet-2.0.12.Final.jar:2.0.12.Final]
at org.ocpsoft.rewrite.servlet.RewriteFilter.rewrite(RewriteFilter.java:268) [rewrite-servlet-2.0.12.Final.jar:2.0.12.Final]
at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:188) [rewrite-servlet-2.0.12.Final.jar:2.0.12.Final]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) [web-core.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [web-core.jar:na]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316) [web-core.jar:na]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160) [web-core.jar:na]
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734) [web-core.jar:na]
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673) [web-core.jar:na]
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99) [web-glue.jar:na]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174) [web-core.jar:na]
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:415) [web-core.jar:na]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:282) [web-core.jar:na]
at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459) [kernel.jar:na]
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167) [kernel.jar:na]
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:201) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:175) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565) [nucleus-grizzly-all.jar:na]
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545) [nucleus-grizzly-all.jar:na]
at java.lang.Thread.run(Thread.java:745) [na:1.7.0_75]
Caused by: org.apache.xml.security.signature.MissingResourceFailureException: The Reference for URI inwo.docx has no XMLSignatureInput
at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:414) ~[xmlsec-1.5.1.jar:na]
at org.apache.xml.security.signature.SignedInfo.verify(SignedInfo.java:259) ~[xmlsec-1.5.1.jar:na]
at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:724) ~[xmlsec-1.5.1.jar:na]
at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:656) ~[xmlsec-1.5.1.jar:na]
at xades4j.verification.XadesVerifierImpl.doCoreVerification(XadesVerifierImpl.java:278) ~[xades4j-1.3.1.jar:na]
... 70 common frames omitted
Caused by: org.apache.xml.security.signature.ReferenceNotInitializedException: Could not find a resolver for URI inwo.docx and Base null
at org.apache.xml.security.signature.Reference.calculateDigest(Reference.java:726) ~[xmlsec-1.5.1.jar:na]
at org.apache.xml.security.signature.Reference.verify(Reference.java:761) ~[xmlsec-1.5.1.jar:na]
at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:336) ~[xmlsec-1.5.1.jar:na]
... 74 common frames omitted
Caused by: org.apache.xml.security.signature.ReferenceNotInitializedException: Could not find a resolver for URI inwo.docx and Base null
at org.apache.xml.security.signature.Reference.dereferenceURIandPerformTransforms(Reference.java:621) ~[xmlsec-1.5.1.jar:na]
at org.apache.xml.security.signature.Reference.calculateDigest(Reference.java:705) ~[xmlsec-1.5.1.jar:na]
... 76 common frames omitted
Caused by: org.apache.xml.security.signature.ReferenceNotInitializedException: Could not find a resolver for URI inwo.docx and Base null
at org.apache.xml.security.signature.Reference.getContentsBeforeTransformation(Reference.java:434) ~[xmlsec-1.5.1.jar:na]
at org.apache.xml.security.signature.Reference.dereferenceURIandPerformTransforms(Reference.java:614) ~[xmlsec-1.5.1.jar:na]
... 77 common frames omitted
Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Could not find a resolver for URI inwo.docx and Base null
at org.apache.xml.security.utils.resolver.ResourceResolver.getInstance(ResourceResolver.java:124) ~[xmlsec-1.5.1.jar:na]
at org.apache.xml.security.utils.resolver.ResourceResolver.getInstance(ResourceResolver.java:183) ~[xmlsec-1.5.1.jar:na]
at org.apache.xml.security.signature.Reference.getContentsBeforeTransformation(Reference.java:417) ~[xmlsec-1.5.1.jar:na]
... 78 common frames omitted
答案 0 :(得分:1)
您使用的是useDataForAnonymousReference,但文件参考不是匿名的。在匿名引用中,省略了URI属性(签名中最多只能有一个这样的引用)。
对于您的用例(相对URI),您应define the base URI使用SignatureSpecificVerificationOptions.useBaseUri()进行相对引用。提供的URI应该是本地目录的文件URI。
答案 1 :(得分:0)
据我所知,URI问题有点难以处理。
尽管如此,看看你粘贴的代码,
<ds:Reference Id="Ref_2804255147729_3" URI="inwo.docx">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>+lf+CQUm2Q9AtpgUWtb3t1Es8fw=</ds:DigestValue>
</ds:Reference>
这是对docx文件的引用,它指向:
尝试将两个文件放在同一文件夹中并运行验证。如果它不起作用,您可以通过检查哈希值来手动检查签名是否正确。然后问题将依赖于XAdES4j在验证时的工作方式,您可以尝试检查其库javadoc以查看如何正确进行。