如何使用SHA256和&amp ;;签署XML X.509正确吗?

时间:2017-07-11 10:04:12

标签: c# xml x509 sha256 xml-signature

我想使用自签名X.509证书使用SHA256签署XML。我受到了Stackoverflow中许多文章的启发并使用了这段代码:

X509Certificate2 cert = new X509Certificate2();
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
foreach (X509Certificate2 cert2 in store.Certificates)
{
    if (cert2.Subject == "CN=TestCerificate")
    {
        cert = cert2;
        break;
    }
}

store.Close();

CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
var exportedKeyMaterial = cert.PrivateKey.ToXmlString(true);
var key = new RSACryptoServiceProvider(new CspParameters(24));
key.PersistKeyInCsp = false;
key.FromXmlString(exportedKeyMaterial);

XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = true;
doc.Load("test.xml");

SignedXml signedXml = new SignedXml(doc);
signedXml.SigningKey = key;
signedXml.SignedInfo.SignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

Reference reference = new Reference();
reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
reference.AddTransform(new XmlDsigExcC14NTransform());
reference.Uri = "";
reference.DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256"; 
signedXml.AddReference(reference);

KeyInfo keyInfo = new KeyInfo();
keyInfo.AddClause(new KeyInfoX509Data(cert));
signedXml.KeyInfo = keyInfo;
signedXml.ComputeSignature();

doc.Save("testSig.xml");

之后,生成了#34; testSig.xml"的签名XML部分。看起来像这样:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>ghOEPeYtAUs5Kb8VMOCIS3f2wIY=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>HANI0GrICbyc5tlmvtU9cB7txdxtuY4uDsntp5XVzaRQbts76ff3Qg==</SignatureValue>
  </Signature>

正如您所看到的,XML表示&#34; SHA1&#34;用于签署XML(参见节点&#34; SignatureMethod&#34;&amp;&#34; DigestMethod&#34;)。但我希望,必须在这些节点中声明SHA256-URL。这个假设是否正确?如果是,是否有人知道如何解决这个问题?我使用的是C#4.6.0。

最诚挚的问候, 迈克尔

1 个答案:

答案 0 :(得分:1)

虽然您成功调用了signedXml.ComputeSignature()只进行了计算,但它没有在文档中插入签名元素(您在构造函数中传递的XmlDocument就是文档GetXml()的节点将父母来)。

您需要调用signedXml.GetXml()(在ComputeSignature之后)获取计算出的ds:Signature元素,然后将其插入到您的文档中。

您的文档中已包含签名节点这一事实令人困惑。我的第一个想法是test.xml已经有了这个签名,但你的评论说它只是来自其他地方的一些oops代码。经验教训,我猜:)。

相关问题
最新问题