我极力尝试使用X509证书签署XML文档。 我必须在文档中签名多个元素,因此要提供对我的SignedInfo的引用列表。
我面临的问题发生在签名本身。我收到一个异常消息,说它无法解析具有我提供的ID的元素。
在研究寻找解决方案时,我偶然发现了这张票(这是OpenJDK 1.7的错误):https://bugs.openjdk.java.net/browse/JDK-8017171
我正在使用Oracle JDK 1.8,但仍然有问题。
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(unsignedXml));
List<Reference> refs = new ArrayList<Reference>();
refs.add(fac.newReference(
"#TS",
fac.newDigestMethod("http://www.w3.org/2000/09/xmldsig#sha1", null),
Collections.singletonList(fac.newTransform("http://www.w3.org/2001/10/xml-exc-c14n#",(TransformParameterSpec) null)),
null, null));
SignedInfo si = fac.newSignedInfo(
fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
(C14NMethodParameterSpec) null),
fac.newSignatureMethod("http://www.w3.org/2000/09/xmldsig#rsa-sha1", null),
refs);
FileInputStream input = new FileInputStream(keystoreFile);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(input, password.toCharArray());
Key key = ks.getKey(alias, password.toCharArray());
if (key instanceof PrivateKey) {
Certificate cert = ks.getCertificate(alias);
PublicKey publicKey = cert.getPublicKey();
keyPair = new KeyPair(publicKey, (PrivateKey) key);
}
KeyInfoFactory kif = fac.getKeyInfoFactory();
KeyValue kv = kif.newKeyValue(keyPair.getPublic());
KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));
DOMSignContext dsc = new DOMSignContext(keyPair.getPrivate(), doc.getDocumentElement());
XMLSignature signature = fac.newXMLSignature(si, ki);
signature.sign(dsc);
OutputStream out = new FileOutputStream(signedXml);
Exception in thread "main" javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID TS
at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:431)
at org.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:359)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(DOMXMLSignature.java:496)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:379)
at testsig.testsig.Signature.sign(Signature.java:131)
at testsig.testsig.App.main(App.java:32)
Caused by: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID TS
at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:134)
at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:425)
... 5 more
Caused by: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID TS
at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:89)
at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:313)
at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:126)
... 6 more
javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID TS
at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:134)
at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:425)
at org.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:359)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(DOMXMLSignature.java:496)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:379)
at testsig.testsig.Signature.sign(Signature.java:131)
at testsig.testsig.App.main(App.java:32)
Caused by: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID TS
at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:89)
at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:313)
at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:126)
... 6 more
我的问题可以通过以下至少一个答案来解决: 有解决方法吗? 还有其他签名XML文件的方法吗?
致谢
答案 0 :(得分:0)
最后,我找到了更多的解决方法,而不是解决方案。这个想法是使用DOM通过XMLHelper获取我需要的元素,并从元素获取ID Attr。然后,将带有setIdAttributeNode()的属性添加到我的Element中。 以这种方式操作Element时,向XMLSignatureFactory添加新的Reference时不会引发任何异常。
NodeList list = doc.getElementsByTagName("wsu:Timestamp");
Node node = list.item(0);
Element tempEl = XMLHelper.getChildElementsByTagName(doc.getDocumentElement(), "Header").get(0);
Element securityElement = XMLHelper.getChildElementsByTagName(tempEl, "Security").get(0);
tempEl = XMLHelper.getChildElementsByTagName(securityElement, "Assertion").get(0);
Attr attr = (Attr)tempEl.getAttributes().getNamedItem("AssertionID");
tempEl.setIdAttributeNode(attr, true);
String ref = "#" + attr.getValue();
List<Reference> refs = new ArrayList<Reference>();
refs.add(fac.newReference(
ref,
fac.newDigestMethod("http://www.w3.org/2000/09/xmldsig#sha1", null),
Collections.singletonList(fac.newTransform("http://www.w3.org/2001/10/xml-exc-c14n#",(TransformParameterSpec) null)),
null,
null));
在我看来,这不是理想的解决方案,因为它与XML的DOM过多相关。但是我想那是我能找到的唯一解决方案,并且可以解决JDK中的已知错误。