到目前为止,我对签名的XML几乎没有经验,现在我已经遇到了这个例外。 .Net代码几乎是你在每个相关问题中找到的,所以我假设问题是XML本身。从我在这里读到的内容中,某些元素(?)中的冒号可能存在问题,我可能需要扩展SignedXml类(https://stackoverflow.com/a/41723450/1228836),但我不知道是否会这样做&#39这真的是问题所在。
private static void ValidateSamlString(String samlString)
{
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(samlString);
XmlNodeList nodeList = xmlDoc.SelectNodes("//*[local-name()='Signature']");
foreach (XmlNode node in nodeList)
{
XmlDocument doc = new XmlDocument();
doc.LoadXml(node.ParentNode.OuterXml);
XmlElement signature = doc.SelectSingleNode("//*[local-name()='Signature']") as XmlElement;
SignedXml signedXml = new SignedXml(doc);
signedXml.LoadXml(signature);
KeyInfoX509Data x509Data = signedXml.Signature.KeyInfo.OfType<KeyInfoX509Data>().First();
X509Certificate2 cert = x509Data.Certificates[0] as X509Certificate2;
X509Store store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
bool isVerified = signedXml.CheckSignature(cert, true); // EXCEPTION HERE!!!!
Console.WriteLine("Verified: {0}", isVerified);
}
}
整个XML:
<t:RequestSecurityTokenResponse Context="https://www.example.com/" xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-08-03T13:27:40.285Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-08-03T17:27:40.285Z</wsu:Expires>
</t:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://www.example.com/dev</Address>
</EndpointReference>
</wsp:AppliesTo>
<t:RequestedSecurityToken>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_7696ff3c-9291-4391-92a2-ed4255bde0ee" Issuer="http://www.latvija.lv/sts" IssueInstant="2017-08-03T13:27:40.285Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2017-08-03T13:27:40.285Z" NotOnOrAfter="2017-08-03T17:27:40.285Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://www.example.com/dev</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:ivis:100001:name.id-viss">PK:11111111111</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" a:OriginalIssuer="https://ivis.eps.gov.lv/test.sts/1.1" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>11111111111</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" a:OriginalIssuer="https://ivis.eps.gov.lv/test.sts/1.1" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>John</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="surname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" a:OriginalIssuer="https://ivis.eps.gov.lv/test.sts/1.1" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue>Doe</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:ivis:100001:am-idp40-wif" AuthenticationInstant="2017-08-03T13:27:40.082Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:ivis:100001:name.id-viss">PK:11111111111</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:SubjectLocality IPAddress="87.255.255.255" />
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_7696ff3c-9291-4391-92a2-ed4255bde0ee">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>Oh+ibZRKLu3KtfKd7dSJ8m9GR84=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>W/uSsu0SzPHATCtXQzT8FgYNeelvBM+oRtqHH6wQcW2n2i84/kv9cqqylf5pBwps0oxhhr7KvOACu4w+gvR1KDCKvN2alu9/BglisqGoK48IjdjJ1Fi9P4OSyk/MRZrEXu13F9qAIYcklhdYH3Rpb7t3bLBNimQVpoWRqqWH7wC28WIAF/GincVCS0GMaLwYDSunqg6r8I12XWTvGKgz6/z+vyMUgltSCNfKpHg+FOLTH+Ze1/RO3GAv+6wSkyRbWoWMM9FyI/mIefCAMkGi/2ZC4Zw4KGzmRzk+S+ekdkbdOQAHt9XONW0Fqn9LL7/1kbEuZzY93kJFGYwWgA05KA==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIF8TCCBNmgAwIBAgIKTaumsgACAAACOzANBgkqhkiG9w0BAQsFADBCMRMwEQYKCZImiZPyLGQBGRYDaW50MRQwEgYKCZImiZPyLGQBGRYEdmlzczEVMBMGA1UEAxMMVklTUyBSb290IENBMB4XDTE3MDEyNDA3NDE1MVoXDTQxMDMzMTA5MzcyNFowgYkxCzAJBgNVBAYTAkxWMQ0wCwYDVQQIEwRSaWdhMQ0wCwYDVQQHEwRSSUdBMQ0wCwYDVQQKEwRWUkFBMQ4wDAYDVQQLEwVWUElTRDEXMBUGA1UEAwwOVklTUy5MVlAuU1RTXzIxJDAiBgkqhkiG9w0BCQEWFWNpc3UuaGVscEB2cmFhLmdvdi5sdjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKAQefdkzkZKm/EjpQf/+H1bnE+6i8N5eBWL2fgwciHP8V1Vy8C5mLtLzeCa0Y/JoY1o0heN0F8OsNPmU5KiYyQu2uGW51y9ItLJHGLzrCRS23iC+lQqRCxMFs57ACRmNDU5PagzzTO4BAQ0nsHE5XFfdtFeK9840KMUvNHScgw7lb6JvOFDbZVLXFR7g7JVVXBYksy9bnDYw/iG/wrdw/HwvDeW94Y99s1ZXl8LIk0JPXTBgYmkOCi2XWMO5dLGmvK4Kwz+1bB8tKijNhQpcLcGqpZ/yeg2E0z5HM7256pZ+qAuh2ax7POAj01CmqDGQ1vUOcMrBv4I1UAvuyzBAP8CAwEAAaOCAp8wggKbMA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQU6zKtWDORxPazuCN0UxhZG9N16qAwHwYDVR0jBBgwFoAU5AKmo6l+36r4MSf1WLaxAsDWMM8wggEOBgNVHR8EggEFMIIBATCB/qCB+6CB+IaBtWxkYXA6Ly8vQ049VklTUyUyMFJvb3QlMjBDQSgyKSxDTj1EQzEwMCxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz12aXNzLERDPWludD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGPmh0dHA6Ly9hdXNtYXRlc3Q4LnZyYWEuZ292Lmx2L1ZJU1MuQ1JML1ZJU1MlMjBSb290JTIwQ0EoMikuY3JsMIIBEgYIKwYBBQUHAQEEggEEMIIBADCBrAYIKwYBBQUHMAKGgZ9sZGFwOi8vL0NOPVZJU1MlMjBSb290JTIwQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9dmlzcyxEQz1pbnQ/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9hdXNtYXRlc3Q4LnZyYWEuZ292Lmx2L1ZJU1MuQ1JML1ZJU1NfVklTUyUyMFJvb3QlMjBDQSgyKS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAdQcO6+N/vzhkl9mb0bR9EacwMdqf0TpXrIsig8eNqtjlS5vwAWcUkeE+ICVAfCrSwD+ZCL/Bu/d3mxA9/pFsCi8lFovwv8sDYooqtxXkZZTGIVMjlL+xB55+xO6MZHCMBSgXPiHJVFmq4EY3v9+uZVbDU55P4KbpaMHcnQgIj65uuElo+ZKsQ+6PERuq+GEbTz1U5lruNDbLSxniIHx5A5hoUD+zHWaqvM7MaxLvqk4dlWYE1Im/QHVthU7R/OtTD4rIRVK4xOJvQaxU22L4XW4pU/5nP7Mxd9P3HzmNWVTz71h6HIY6yR4d3mKyEwFFqcvPd0A6Wwz1nQoJuF/7EA==</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</t:RequestedSecurityToken>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>
我得到的例外是:
System.Security.Cryptography.CryptographicException: Malformed reference element.
at System.Security.Cryptography.Xml.Reference.CalculateHashValue(XmlDocument document, CanonicalXmlNodeList refList)
at System.Security.Cryptography.Xml.SignedXml.CheckDigestedReferences()
at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
at System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2 certificate, Boolean verifySignatureOnly)