I am having trouble with the certificate server. We need a certificate in order to log in to an account, but at the last step it shows the error "An error occurred while verifying security." The XML is ordered as follows:
My certificate request requires:
//
body
part 1
part 2
part 3
// end-body
The request body is divided into three parts:
Part 1: append the subXml from the previous response
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-dea1e2e7-34b4-496e-bf8b-fasdfasdf3232" Issuer="https://frade104fes08.infra.skypecontoso.com:4443/c9d99407-6015-5914-a662-fa9901e5c8d5" IssueInstant="2018-11-22T09:33:12.571Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2018-11-22T09:28:10.000Z" NotOnOrAfter="2018-11-22T10:32:39.571Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://webpoolxxx104.infra.skypecontoso.com/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2018-11-22T09:33:12.571Z">
<saml:Subject>
<saml:NameIdentifier Format="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/uri">sip:ts4b@contoso.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256">
</e:EncryptionMethod>
<KeyInfo>
<KeyName>c9d99407-6015-5914-a662-fa9901e5c8d5:fhasdjfadffadsfa</KeyName>
</KeyInfo>
<e:CipherData>
<e:CipherValue>JDhG8O1Y/urdZ33sww+rtPwUnk0H0BDcYQs7LccW1i0uqgMvzuUuvw==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
</CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
</SignatureMethod>
<Reference URI="#SamlSecurityToken-dea1e2e7-34b4-496e-bf8b-fasdfasdf3232">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
</Transform>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256">
</DigestMethod>
<DigestValue>XmAnnT5VPlQzU0+jMK9ZA6FrlcS09T2tKfrRYXsBQS4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>K0ShGxZ5iILaylUN5TrgHhrNBEC5GKDkfrJomiIhTm2YtANUP9rnWJ+/GV4wjLsh60VqPTulOdCj91hL1CnopRxVn9KDv6/nXi8OnBiPz6ME2IiH3FtfayzgmEh+tICsyr3N9gEH74+rrlWIVniYYaI4JnLYQno96ZDIGbdfo9njcE8fCaqqf/ibDDssrx1Uv0AAxiYajDWaDKXErLnWL57MduS5hhetBZ9MtaM0EnaTxuMxl5PN6tyEWIRh5DrdeDbz0TmRh7xrPO1IfTF7/kvUEW/Tsrz95ezmmE/lEm5rgO7GOO4QJkc5dWuhRvAvoKr3Zh6VSczFYLF9Yx58bg==</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">HmwS6r5TF08doWN+svuSBSg3PgU=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</saml:Assertion>
Part 2: compute the digest value from SignedInfo and append it to the body
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>hcBYb0x9HZZPoFA26VYdXhx1s6SGpqZvpxE41mYNZtQ=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>0WYUyA+SZ5rcMPWv1x8YzW/UeTa79wDCUoBvar4aATs=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">SamlSecurityToken-dea1e2e7-34b4-496e-bf8b-fasdfasdf3232</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
Part 3: generate the RequestSecurityToken and append it to the body
<RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/">
<TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</TokenType>
<RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</RequestType>
<BinarySecurityToken ValueType="http://schemas.microsoft.com/OCS/AuthWebServices.xsd#PKCS10" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#Base64Binary" a:Id="DADD6184-8082-4E04-A373-5EFDEA64E1A2" xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><!-- base64 string --></BinarySecurityToken>
<RequestID a:nil="true" xmlns:a="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"/>
</RequestSecurityToken>
The complete XML file is here:
https://www.dropbox.com/s/gmvjqlw4qgfjw3u/xml_certificate.xml?dl=0
We need to compute the DigestValue and SignatureValue in part 2, and the BinarySecurityToken in part 3.
Our question now is:
I don't know how to compute the DigestValue, SignatureValue and BinarySecurityToken values. Could someone explain the algorithm to me in detail, given that I am using curl (in C)?
Have a nice day, and many thanks.
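The three values asked about above follow the standard XML Signature steps for the algorithms the posted SignedInfo names: DigestValue is Base64(SHA-256(exclusive-C14N of the element with Id `_0`)), SignatureValue is Base64(HMAC-SHA256(proof key, exclusive-C14N of SignedInfo)), and the BinarySecurityToken is the Base64 of the DER PKCS#10 request. The Python below is an added example, not code from the post or from the service involved; it assumes an already-canonicalized element for `_0` and a proof key (both constructed placeholders, since the post does not show what `_0` contains or how the kw-aes256-wrapped key is unwrapped), and real code must canonicalize the live DOM with an XML library rather than by string handling.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the element Reference URI="#_0" points at, already in
# exclusive-C14N form; real code canonicalizes the live DOM node with an XML library.
ELEMENT_0_C14N = (
    b'<u:Timestamp xmlns:u="http://docs.oasis-open.org/wss/2004/01/'
    b'oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="_0">'
    b"<u:Created>2018-11-22T09:33:12Z</u:Created>"
    b"<u:Expires>2018-11-22T09:38:12Z</u:Expires></u:Timestamp>"
)

# The post's SignedInfo in canonical form: exclusive C14N keeps the visibly used
# default namespace and serializes empty elements as <x></x>, never <x/>.
SIGNED_INFO_C14N = (
    '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">'
    "</CanonicalizationMethod>"
    '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256">'
    "</SignatureMethod>"
    '<Reference URI="#_0"><Transforms>'
    '<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>'
    "</Transforms>"
    '<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>'
    "<DigestValue>{digest}</DigestValue></Reference></SignedInfo>"
)

def digest_value(canonical_element: bytes) -> str:
    """DigestValue = Base64(SHA-256(exc-c14n(referenced element)))."""
    return base64.b64encode(hashlib.sha256(canonical_element).digest()).decode()

def signed_info(digest_b64: str) -> bytes:
    """Canonical SignedInfo with the computed DigestValue filled in."""
    return SIGNED_INFO_C14N.format(digest=digest_b64).encode("utf-8")

def signature_value(proof_key: bytes, canonical_signed_info: bytes) -> str:
    """SignatureValue = Base64(HMAC-SHA256(proof key, exc-c14n(SignedInfo)))."""
    mac = hmac.new(proof_key, canonical_signed_info, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify(proof_key: bytes, canonical_element: bytes, sig_b64: str) -> bool:
    """Receiver-side check: recompute both values and compare in constant time."""
    expected = signature_value(proof_key, signed_info(digest_value(canonical_element)))
    return hmac.compare_digest(expected, sig_b64)

def binary_security_token(pkcs10_der: bytes) -> str:
    """BinarySecurityToken text = Base64(DER-encoded PKCS#10 request)."""
    return base64.b64encode(pkcs10_der).decode()
```

Any change to the canonical bytes (whitespace, attribute order, `<x/>` versus `<x></x>`) changes the digest, which is the usual reason a server rejects a hand-built signature.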