我正在尝试验证带有封装签名的xml文件。下面是与签名相关的xml的一部分。将某些值替换为。。。
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>fIbJuHy3HW8QCMIypx9wjsqYvt/aKoG7PtdW/6LEAsI=</DigestValue></Reference></SignedInfo>
<SignatureValue>U+LC67wRqEJIksKziJti2CTPeg/70JkIe1hFJ9kEgMDsVdaqfrBdkmnRd25UYmZBWpVhZtDDHtR1m8UIJtmIxPMIFIJTR5gMG86Uq9BVXQK1gPFKwl+DYraTomqwU90pkh1wrgzn5MPO02kEohm081kHea1BLIZuoxctRh8PoqtefIbl+hDR7HELziaeDCgbeISnw==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName>CN=...</X509SubjectName>
<X509Certificate>MIIGEDC.....I8Ic=</X509Certificate>
</X509Data></KeyInfo></Signature>以下代码未按预期工作。我希望获得publickey,但它不属于这一行,因为它没有被视为x509certificate的示例(if(o instanceof x509certificate)),我不能100%确定为什么它没有被视为x509certificate。这个证书格式不对吗?还是我的方法错了?如果你能给我提供这方面的指导,我将不胜感激。
package com.test.xml.crypto;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import java.io.File;
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
/**
* This is a simple example of validating an XML
* Signature using the JSR 105 API. It assumes the key needed to
* validate the signature is contained in a KeyValue KeyInfo.
*/
public class Validate {
public static void main(String[] args) throws Exception {
isXmlDigitalSignatureValid("DSig.xml");
}
/**
* KeySelector which retrieves the public key out of the KeyValue element and
* returns it. NOTE: If the key algorithm doesn't match signature algorithm,
* then the public key will be ignored.
*/
private static boolean isXmlDigitalSignatureValid(String filepath) throws Exception {
// Instantiate the document to be validated
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
File fXmlFile = new File(filepath);
Document doc =
// dbf.newDocumentBuilder().parse(new FileInputStream(filepath));
dbf.newDocumentBuilder().parse(fXmlFile);
// Find Signature element
NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
if (nl.getLength() == 0) {
throw new Exception("Cannot find Signature element");
}
// Create a DOM XMLSignatureFactory that will be used to unmarshal the
// document containing the XMLSignature
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
// Create a DOMValidateContext and specify a KeyValue KeySelector
// and document context
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0));
// unmarshal the XMLSignature
XMLSignature signature = fac.unmarshalXMLSignature(valContext);
// Validate the XMLSignature (generated above)
boolean coreValidity = signature.validate(valContext);
// Check core validation status
if (coreValidity == false) {
System.err.println("Signature failed core validation");
boolean sv = signature.getSignatureValue().validate(valContext);
System.out.println("signature validation status: " + sv);
// check the validation status of each Reference
Iterator i = signature.getSignedInfo().getReferences().iterator();
for (int j = 0; i.hasNext(); j++) {
boolean refValid = ((Reference) i.next()).validate(valContext);
System.out.println("ref[" + j + "] validity status: " + refValid);
}
} else {
System.out.println("Signature passed core validation");
}
return coreValidity;
}
/**
* KeySelector which retrieves the public key out of the KeyValue element and
* returns it. NOTE: If the key algorithm doesn't match signature algorithm,
* then the public key will be ignored.
*/
private static class KeyValueKeySelector extends KeySelector {
public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod method,
XMLCryptoContext context) throws KeySelectorException {
if (keyInfo == null) {
throw new KeySelectorException("Null KeyInfo object!");
}
SignatureMethod sm = (SignatureMethod) method;
List list = keyInfo.getContent();
PublicKey pk = null;
for (int i = 0; i < list.size(); i++) {
XMLStructure xmlStructure = (XMLStructure) list.get(i);
if (xmlStructure instanceof KeyValue) {
try {
pk = ((KeyValue) xmlStructure).getPublicKey();
} catch (KeyException ke) {
throw new KeySelectorException(ke);
}
}
else if (xmlStructure instanceof X509Data) {
X509Data x509Data = (X509Data) xmlStructure;
Iterator xi = x509Data.getContent().iterator();
while (xi.hasNext()) {
Object o = xi.next();
if (o instanceof X509Certificate) {
pk = ((X509Certificate) o).getPublicKey();
}
}
}
// make sure algorithm is compatible with method
if (algEquals_(sm.getAlgorithm(), pk.getAlgorithm())) {
return new SimpleKeySelectorResult_(pk);
}
}
throw new KeySelectorException("No KeyValue element found!");
}
static boolean algEquals_(String algURI, String algName) {
if ((algName.equalsIgnoreCase("DSA") && algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1))
|| (algName.equalsIgnoreCase("RSA") && algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1))) {
return true;
} else {
return false;
}
}
}
private static class SimpleKeySelectorResult_ implements KeySelectorResult {
private PublicKey pk;
SimpleKeySelectorResult_(PublicKey pk) {
this.pk = pk;
}
public Key getKey() {
return pk;
}
}
}在调试期间,x509data.getcontent
[CN=... [
[
Version: V3
Subject: CN=...
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
params: null
modulus: 22624766518823786914768076276892179124061266472803802327962537730050622731971868226103077912360054203036548047768693018340973008948165074417415068642422254173783296158241810327774154541283999709698652631373374257529410695725863474147035068179570112689587535702854685425405034199529762500136771685393074916147110726325738992091485390822745013430816803373646236731829201162694382313928056649013335143174761924875931307817036424409988115419766382502626660451182378308573528278538622697204914438467861334534079655035586800317922124410638960962028471996076012141066179702642873856629717630895083566363032186053096063713483
public exponent: 65537
Validity: [From: Wed Jun 24 09:06:33 EDT 2020,
To: Fri Jun 24 09:06:33 EDT 2022]
Issuer: CN=...
SerialNumber: [ 3e00122e 0f9ad938 977e486b 46000000 122e0f]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 30 30 2E 06 26 2B 06 01 04 01 82 37 15 08 86 .00..&+.....7...
0010: FB CA 0F 87 D3 F3 44 81 C9 93 34 87 F6 A2 0B 83 ......D...4.....
0020: FF EF 6C 81 63 85 B7 0D 82 AA F5 16 02 01 64 02 ..l.c.........d.
0030: 01 0D ..
暂无答案!
目前还没有任何答案,快来回答吧!