dsig验证

mnowg1ta  于 2021-07-03  发布在  Java
关注(0)|答案(0)|浏览(191)

我正在尝试验证带有封装签名的xml文件。下面是与签名相关的xml的一部分。将某些值替换为。。。

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>fIbJuHy3HW8QCMIypx9wjsqYvt/aKoG7PtdW/6LEAsI=</DigestValue></Reference></SignedInfo>
<SignatureValue>U+LC67wRqEJIksKziJti2CTPeg/70JkIe1hFJ9kEgMDsVdaqfrBdkmnRd25UYmZBWpVhZtDDHtR1m8UIJtmIxPMIFIJTR5gMG86Uq9BVXQK1gPFKwl+DYraTomqwU90pkh1wrgzn5MPO02kEohm081kHea1BLIZuoxctRh8PoqtefIbl+hDR7HELziaeDCgbeISnw==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName>CN=...</X509SubjectName>
<X509Certificate>MIIGEDC.....I8Ic=</X509Certificate>
</X509Data></KeyInfo></Signature>

以下代码未按预期工作。我希望获得publickey,但它不属于这一行,因为它没有被视为x509certificate的示例(if(o instanceof x509certificate)),我不能100%确定为什么它没有被视为x509certificate。这个证书格式不对吗?还是我的方法错了?如果你能给我提供这方面的指导,我将不胜感激。

package com.test.xml.crypto;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;

import java.io.File;
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;

import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/**
 * This is a simple example of validating an XML
 * Signature using the JSR 105 API. It assumes the key needed to
 * validate the signature is contained in a KeyValue KeyInfo.
 */
public class Validate {

    public static void main(String[] args) throws Exception {

        isXmlDigitalSignatureValid("DSig.xml"); 
    }
     /**
     * KeySelector which retrieves the public key out of the KeyValue element and
     * returns it. NOTE: If the key algorithm doesn't match signature algorithm,
     * then the public key will be ignored.
     */
    private static boolean isXmlDigitalSignatureValid(String filepath) throws Exception {
        // Instantiate the document to be validated
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);

        File fXmlFile = new File(filepath);

        Document doc =
                // dbf.newDocumentBuilder().parse(new FileInputStream(filepath));
                dbf.newDocumentBuilder().parse(fXmlFile);

        // Find Signature element
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) {
            throw new Exception("Cannot find Signature element");
        }

        // Create a DOM XMLSignatureFactory that will be used to unmarshal the
        // document containing the XMLSignature
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

        // Create a DOMValidateContext and specify a KeyValue KeySelector
        // and document context
        DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0));

        // unmarshal the XMLSignature
        XMLSignature signature = fac.unmarshalXMLSignature(valContext);

        // Validate the XMLSignature (generated above)
        boolean coreValidity = signature.validate(valContext);

        // Check core validation status
        if (coreValidity == false) {
            System.err.println("Signature failed core validation");
            boolean sv = signature.getSignatureValue().validate(valContext);
            System.out.println("signature validation status: " + sv);
            // check the validation status of each Reference
            Iterator i = signature.getSignedInfo().getReferences().iterator();
            for (int j = 0; i.hasNext(); j++) {
                boolean refValid = ((Reference) i.next()).validate(valContext);
                System.out.println("ref[" + j + "] validity status: " + refValid);
            }
        } else {
            System.out.println("Signature passed core validation");
        }
        return coreValidity;
    }

    /**
     * KeySelector which retrieves the public key out of the KeyValue element and
     * returns it. NOTE: If the key algorithm doesn't match signature algorithm,
     * then the public key will be ignored.
     */
    private static class KeyValueKeySelector extends KeySelector {
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod method,
                XMLCryptoContext context) throws KeySelectorException {
            if (keyInfo == null) {
                throw new KeySelectorException("Null KeyInfo object!");
            }
            SignatureMethod sm = (SignatureMethod) method;
            List list = keyInfo.getContent();
            PublicKey pk = null;

            for (int i = 0; i < list.size(); i++) {
                XMLStructure xmlStructure = (XMLStructure) list.get(i);
                if (xmlStructure instanceof KeyValue) {

                    try {
                        pk = ((KeyValue) xmlStructure).getPublicKey();
                    } catch (KeyException ke) {
                        throw new KeySelectorException(ke);
                    }

                }
                else if (xmlStructure instanceof X509Data) {
                    X509Data x509Data = (X509Data) xmlStructure;
                    Iterator xi = x509Data.getContent().iterator();
                    while (xi.hasNext()) {
                        Object o = xi.next();
                        if (o instanceof X509Certificate) {
                            pk = ((X509Certificate) o).getPublicKey();
                        }
                }
                }
                // make sure algorithm is compatible with method
                if (algEquals_(sm.getAlgorithm(), pk.getAlgorithm())) {
                    return new SimpleKeySelectorResult_(pk);
                }

            }
            throw new KeySelectorException("No KeyValue element found!");
        }

        static boolean algEquals_(String algURI, String algName) {
            if ((algName.equalsIgnoreCase("DSA") && algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1))
                    || (algName.equalsIgnoreCase("RSA") && algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1))) {
                return true;
            } else {
                return false;
            }
        }

}

    private static class SimpleKeySelectorResult_ implements KeySelectorResult {
        private PublicKey pk;

        SimpleKeySelectorResult_(PublicKey pk) {
            this.pk = pk;
        }

        public Key getKey() {
            return pk;
        }
    }
}

在调试期间,x509data.getcontent

[CN=... [
[
  Version: V3
  Subject: CN=...
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 22624766518823786914768076276892179124061266472803802327962537730050622731971868226103077912360054203036548047768693018340973008948165074417415068642422254173783296158241810327774154541283999709698652631373374257529410695725863474147035068179570112689587535702854685425405034199529762500136771685393074916147110726325738992091485390822745013430816803373646236731829201162694382313928056649013335143174761924875931307817036424409988115419766382502626660451182378308573528278538622697204914438467861334534079655035586800317922124410638960962028471996076012141066179702642873856629717630895083566363032186053096063713483
  public exponent: 65537
  Validity: [From: Wed Jun 24 09:06:33 EDT 2020,
               To: Fri Jun 24 09:06:33 EDT 2022]
  Issuer: CN=...
  SerialNumber: [    3e00122e 0f9ad938 977e486b 46000000 122e0f]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 30 30 2E 06 26 2B 06   01 04 01 82 37 15 08 86  .00..&+.....7...
0010: FB CA 0F 87 D3 F3 44 81   C9 93 34 87 F6 A2 0B 83  ......D...4.....
0020: FF EF 6C 81 63 85 B7 0D   82 AA F5 16 02 01 64 02  ..l.c.........d.
0030: 01 0D                                              ..

暂无答案!

目前还没有任何答案,快来回答吧!

相关问题