XML签名验证失败

时间:2019-01-28 04:38:00

标签: java xml signature

这是我要尝试验证xml签名的代码。对于一个包含用签名算法md2RSA证书签名的xml的xml文件,它可以很好地工作。但是另一个包含用签名算法SHA256withRSA的证书签名的xml的xml失败。

这是我要用来验证签名验证的代码:

 public static void main(String[] args)
            throws ParserConfigurationException, SAXException, IOException, XMLSignatureException, XMLSecurityException
    {
        File f = new File("F:\\workspace\\signeddocument2.xml");
        DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
        dbFactory.setNamespaceAware(true);
        DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
        org.w3c.dom.Document doc = dBuilder.parse(f);
        doc.getDocumentElement().normalize();

        Element sigElement = (Element) doc.getElementsByTagNameNS(Constants.SignatureSpecNS, Constants._TAG_SIGNATURE)
                .item(0);

        XMLSignature signature = new XMLSignature(sigElement, f.toURI().toURL().toString());
        boolean verified = false;

        verified = signature.checkSignatureValue(signature.getKeyInfo().getPublicKey());

        if (verified)
        {
            System.out.println("Signature verified successfully");
        }
        else
        {
            System.out.println("Signature verification failed.");
        }

    }

这是可以成功运行的xml文件:

<DocumentToSign ID="signme">
    <SubElement>
    </SubElement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#signme">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>pt/SfGyAXhfkEwmQUqlg5Dsczp8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
baPXBiRO+S96Fb6J1zllCe2SsjmUgkEMnGOVNkTAFa/97Dv365uVrHzfnekoAVgCojWXdQIMVBqi
+uJKjK9JmEH738ob0vkrSJiZgLqjnCnPxM0yDwGRHXrnVVLuKhfdDkp9Pevo/e8+X5wIiPaXHb/C
r1/5ZFk3raFdD6b72X/MsMp4m2894UOTw0jo/FHIYpOHib4P21aK/kIFGROJEXU7sKv+GswOFbuH
7zcmXldNV7z/mrqd3XZROGy3jFpp0C2pu3PSYUS8BQCabQQfaS97nh20TL1pFVDSi3UvG3TYa21d
aQZncnzKZsbXPy+642KgeXF71H7rQrmkhQKi+g==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIICpjCCAY6gAwIBAgIEUYrX0DANBgkqhkiG9w0BAQIFADAVMRMwEQYDVQQDDApkZWZhdWx0a2V5
MB4XDTEzMDUwODIyNTYxMloXDTQzMDUwODIyNTYxMlowFTETMBEGA1UEAwwKZGVmYXVsdGtleTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJHzhGGL5JqZyMMuh09HJCWU4uNbOb10icw4
VuqgpHBc3A8v4sFOmiEQIf+CxWpPXhY+8THf+HWsXlrQ/UDUAQMOYQ998Mw1Er1fKrBosa0n0FRJ
+y8VVFc+uViykbGeLTjxkFJinLuQ1yBWuW+XCHXKP5HgFo9YnhPr/DZ/dF3wFRMQKzmJhp2j18VD
x20MNSWMyfL2hZRg1HnCES8ar/P4Qu7m2qn2YRLFdGMqs6OUrjbhLSgFX6sbmvbFVuNcmndQECoY
KLxJFcvW5fD430NbMsXeOXNqfGnTXE8Z5CGZNQxPe0KUtvQNSvb+hozj6AFeP/iOO1PZwD3h7wGY
1t0CAwEAATANBgkqhkiG9w0BAQIFAAOCAQEAg5ZyHyNFH6KIbSLRx67sHYS+rWCXoJogXFI7NyBx
ynZijN8tLjmZcQQPp94z9vSyx9U90EwfRtVMl632aD1ntc1LBMUKdZoz6hBubKrr7gB38aBh+VMY
iQ6c9BfbD6XqxMS9Vv3w58Mfpgi9Cqr3P6AXJz490LA6t+etgmzqOz3V6piiFwysaAeYQ3GQTaAI
mmsyj6++AlcJXHsOMc63oaKnziG3al/gfheUtp/KG0GT8X9UZdRNsWrfcpopp7+wHTaTO6U863FJ
WuNuk5ljTo5xk+DQQQfKmnGUO3y6Sb0IE7sgZn6/TvnoF4Es+xb8V6bL9q24lkm4mCdp3m7PhA==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature></DocumentToSign>

这是签名验证失败的xml文件:

<DocumentToSign ID="signme">
    <SubElement>
    </SubElement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#signme">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>iG7dOuXItysItp3EXjvWcXssDgtidn/dX9ZSlBc96+s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
NiZcgh4DNGAkGPX3BKrBbkew7b8PitNArw4gRGU/7603pQRe+So31u3pSmuqLPerQ/gp6SqkSzmA
8pbldKYodf6cNHeO+rSTIS0dOJvqduhfYDDSLaXOGMeeiJG3en1mu4/ZajdYAtQd7YuwHNR4XgIA
O4DKltY4nHH/TKMe/8cr0boz+D8ttldX5CjcSCYqmmlG6sM/fbUgNT832Mwqp3N6dRr/OrKvl1Lt
JRioJ4+JOdw6mZkRvxl3ga5/CWGvCaBxNbuZKBFdrHf+SVrXpeg0/E1/E2Sd1L5bVWYR2M1q3eXr
RkutToCkHzRTQARS+90lx8pNaxiR8bcbfD4Oag==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
**Some Certificate Value**
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature></DocumentToSign>

不确定第二种情况下我在做什么错。这是我针对第二种情况得到的错误消息:

org.apache.xml.security.signature.Reference verify
WARNING: Verification failed for URI "#signme"
Signature verification failed.

有人看到我想念的东西吗?

2 个答案:

答案 0 :(得分:2)

似乎您的xml中缺少标签。

我在这里找到了一些信息:https://www.w3.org/TR/2009/WD-xmldsig-core2-20091022/

如果您搜索“ signame”,则会看到该规范需要标签:<C ID="signme" xmlns="&baz;"/>有完整的规范:

<A xmlns:n1="&foo;">
     <B xmlns:n2="&bar;">
       <Signature xmlns="&dsig;">   ...
         <Reference URI="#signme"/> ...
       </Signature>
       <C ID="signme" xmlns="&baz;"/>
     </B>
   </A>

您的XML没有此标记。可能是原因。

答案 1 :(得分:0)

@JosemyAB-感谢您的回答。

我弄清楚了signature验证失败的原因。与我尝试验证XML的XML相比,我正在签名的signature具有不同的命名空间。 transformation导致signature失败。一旦找出了转换,signature验证就可以了。

相关问题
最新问题