Perl的XML-Sig库向XML标记添加dsig元素

e5nszbig  于 2023-03-19  发布在  Perl
关注(0)|答案(2)|浏览(210)

我正在尝试使用Perl的XML::Sig库签署一个XML文档,下面的代码基于 metaCPAN示例页面中提供的示例。

my xml = '<?xml version="1.0"?><foo ID="abc"><bar>123</bar></foo>';

my $pkey = '/path/to/X509/private_key.pem';
my $cert = '/path/to/X509/certificate.pem';

my $signer = XML::Sig->new({
    key         => $pkey,
    cert        => $cert,
    x509        => 1,
    sig_hash    => 'sha256',
    digest_hash => 'sha256'
});

my $signedXml = $signer -> sign($xml);

print $signedXml;

应该会产生这样的结果:

<?xml version="1.0"?>
    <foo ID="abc">
        <bar>123</bar>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
              <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
              <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
              <Reference URI="#abc">
                <Transforms>
                  <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>9kpmrvv3peVJpNSTRycrV+jeHVY=</DigestValue>
              </Reference>
            </SignedInfo>
            <SignatureValue>
              HXUBnMgPJf//j4ihaWnaylNwAR5AzDFY83HljFIlLmTqX1w1C72ZTuRObvYve8TNEbVsQlTQkj4R
              hiY0pgIMQUb75GLYFtc+f0YmBZf5rCWY3NWzo432D3ogAvpEzYXEQPmicWe2QozQhybaz9/wrYki
              XiXY+57fqCkf7aT8Bb6G+fn7Aj8gnZFLkmKxwCdyGsIZOIZdQ8MWpeQrifxBR0d8W1Zm6ix21WNv
              ONt575h7VxLKw8BDhNPS0p8CS3hOnSk29stpiDMCHFPxAwrbKVL1kGDLaLZn1q8nNRmH8oFxG15l
              UmS3JXDZAss8gZhU7g9T4XllCqjrAvzPLOFdeQ==
            </SignatureValue>
            <KeyInfo>
              <KeyValue>
                <RSAKeyValue>
                  <Modulus>
            1b+m37u3Xyawh2ArV8txLei251p03CXbkVuWaJu9C8eHy1pu87bcthi+T5WdlCPKD7KGtkKn9vq
            i4BJBZcG/Y10e8KWVlXDLg9gibN5hb0Agae3i1cCJTqqnQ0Ka8w1XABtbxTimS1B0aO1zYW6d+U
            Yl0xIeAOPsGMfWeu1NgLChZQton1/NrJsKwzMaQy1VI8m4gUleit9Z8mbz9bNMshdgYEZ9oC4bH
            n/SnA4FvQl1fjWyTpzL/aWF/bEzS6Qd8IBk7yhcWRJAGdXTWtwiX4mXb4h/2sdrSNvyOsd/shCf
            OSMsf0TX+OdlbH079AsxOwoUjlzjuKdCiFPdU6yAJw==
                  </Modulus>
                  <Exponent>Iw==</Exponent>
                </RSAKeyValue>
              </KeyValue>
            </KeyInfo>
       </Signature>
     </foo>

但是,我得到了这个奇怪的输出:

<?xml version="1.0"?>
     <foo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" ID="abc">
         <bar>123</bar>
            <dsig:Signature>
                <dsig:SignedInfo xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                        <dsig:Reference URI="#abc">
                            <dsig:Transforms>
                                <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                            <dsig:DigestValue>FHuo2WkVLRpa7bNfiojdVEHxa0nrhC1/uKoRjnkWJ94=
                            </dsig:DigestValue>
                        </dsig:Reference>
                </dsig:SignedInfo>
                <dsig:SignatureValue>kgp/+lPtErMFmtYIVJ+vpzzABLYOa0UEz6I7/LjHu/X+45vqpfVNZdLMjDzqShITA38LnNe+KuY/ qmXUplBXFQd26dP9opiAlh9rzS8YQ/yiWXcpQKoM2Ssam9c84ELUDy64Dw5NHXJUaFCVfyuwth/m Fju7J3r42KOvzl3YSAduqEVotDmyVx2WGv3/vr9MAkUfSrlc5PtQP9NU3et2lCVp+4B7wWD7vrDd w4Qnz7NYlc1xcbMtcHGNWHqzoWRInJgJG/wawRp8LRgeyxYFUTV7+U6gzbkCIbgy1CKGmfqkoWgJ vVO2kwwu7cKcZ6peFDdVSKriN/EpZOUn7uC2DA==
                </dsig:SignatureValue>
                <dsig:KeyInfo>
                    <dsig:X509Data>
                        <dsig:X509Certificate>MIIIGjCCBgKgAwIBAgIITEy4wqEVR0kwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UE BhMCQlIxEzARBgNVBAoTCklDUC1CcmFzaWwxNjA0BgNVBAsTLVNlY3JldGFyaWEg ZGEgUmVjZWl0YSBGZWRlcmFsIGRvIEJyYXNpbCAtIFJGQjEYMBYGA1UEAxMPQUMg VkFMSUQgUkZCIHY1MB4XDTIyMDgwMzE5MjkwMloXDTIzMDgwMzE5MjkwMlowggEn MQswCQYDVQQGEwJCUjELMAkGA1UECBMCU1AxDzANBgNVBAcTBlNVTUFSRTETMBEG A1UEChMKSUNQLUJyYXNpbDE2MDQGA1UECxMtU2VjcmV0YXJpYSBkYSBSZWNlaXRh IEZlZGVyYWwgZG8gQnJhc2lsIC0gUkZCMRYwFAYDVQQLEw1SRkIgZS1DTlBKIEEx MRYwFAYDVQQLEw1BUiBJTkZPUk1CQU5LMRkwFwYDVQQLExBWaWRlb2NvbmZlcmVu Y2lhMRcwFQYDVQQLEw4xNjY5NjA2MTAwMDE3NTFJMEcGA1UEAxNATUFYSU1VUyBE SVNUUklCVUlET1JBIERFIEVRVUlQQU1FTlRPUyBBVVRPTU9USVZPUzozNDMzMzIz MzAwMDEyODCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtSXumD8s+I EutiXQuQqSiEXoIUvrsvgtOL4TbVlQTHwO/PXSitGdberioaYiQoC4ZKod48S9iJ 2X8gi+SUsrsvaVpNGEZFAbGHI0RD6NfUbuUZe3Ecq4NxJ7QxJNi34gkRHBrcOemd b8LtOtq6Ny0rujl6wvlNCQPFGGnjHCwzeO/qnGmiGLRedTr/xme2xD8wXwvyy1qR 1sYPzbUKCvAw74usAxN3aOGRwQgiMohsUysD3HcJyjCc5vLMFrgyRJ3aqujUXQj3 kOrfgo+w7fq2YG2RXjH0F7CpcKULXaNqCmmce9A764drrkq36Ty4cAXw3UnKWkw9 ZBk9UEYhItkCAwEAAaOCAvkwggL1MIGcBggrBgEFBQcBAQSBjzCBjDBVBggrBgEF BQcwAoZJaHR0cDovL2ljcC1icmFzaWwudmFsaWRjZXJ0aWZpY2Fkb3JhLmNvbS5i ci9hYy12YWxpZHJmYi9hYy12YWxpZHJmYnY1LnA3YjAzBggrBgEFBQcwAYYnaHR0 cDovL29jc3B2NS52YWxpZGNlcnRpZmljYWRvcmEuY29tLmJyMAkGA1UdEwQCMAAw HwYDVR0jBBgwFoAUU8ul5HVQmUAsvlsVRcm+yzCqicUwcAYDVR0gBGkwZzBlBgZg TAECASUwWzBZBggrBgEFBQcCARZNaHR0cDovL2ljcC1icmFzaWwudmFsaWRjZXJ0 aWZpY2Fkb3JhLmNvbS5ici9hYy12YWxpZHJmYi9kcGMtYWMtdmFsaWRyZmJ2NS5w ZGYwgbYGA1UdHwSBrjCBqzBToFGgT4ZNaHR0cDovL2ljcC1icmFzaWwudmFsaWRj ZXJ0aWZpY2Fkb3JhLmNvbS5ici9hYy12YWxpZHJmYi9sY3ItYWMtdmFsaWRyZmJ2 NS5jcmwwVKBSoFCGTmh0dHA6Ly9pY3AtYnJhc2lsMi52YWxpZGNlcnRpZmljYWRv cmEuY29tLmJyL2FjLXZhbGlkcmZiL2xjci1hYy12YWxpZHJmYnY1LmNybDAOBgNV HQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMIHNBgNV HREEgcUwgcKBIGZyYW5jaXNjby5iYXJjZWxsb3NhZHZAZ21haWwuY29toDgGBWBM AQMEoC8ELTIxMTIxOTY2MDg0NzUxMDY4OTcwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMKAwBgVgTAEDAqAnBCVGUkFOQ0lTQ08gQ0FSTE9TIERPUyBTQU5UT1MgQkFS Q0VMTE9ToBkGBWBMAQMDoBAEDjM0MzMzMjMzMDAwMTI4oBcGBWBMAQMHoA4EDDAw MDAwMDAwMDAwMDANBgkqhkiG9w0BAQsFAAOCAgEAEGcTeHal+ZqMse5zRXNDVO2T AAEWdOEfF4ssR0H67+R0KFy0RJ6NQa7QwnwHwaymw3TWd+lcRwEmp//6+v0xmBYm 7SiHjgsvVVZdC9WIN51BhskXZJltX+g8uTv1BafZ93YcEJiDJlj0Ng3GSwMOPg80 FXqjtAml5uas8KV2jI5r5Pm3gM2F+tbGFB8ybb4HgQfdvtUexgN/gTT+Mp4y9UsQ znuIu1XBNQHWSaYT1BKLh/cAdrE5hNwdwYkSuvHeiA20ak2m4fmdH8rhMsWHOtua kUh6fpoQCJXjJr5wxMD40boFSQQHdEasSRBPKOXNIbmmRWBVE9RhV+xxIwPDuZY+ E8W3H0mdOtzgXLgj/9y31jMNiQCymZ6MUxUJfwqIecOQsCVunREOPFD/u8fuIX+3 gpbcQudVTtD0duZMO5Uqa2z6hzMXuLR1/og4TnZoKJ4HrFijt5vrNKxIiJKDd9zz qOqFfvPOQ8AaBxmYfYzcn7V4NYSrU7wliGl92vdD1ZUC2HsgNzwAjEbI+Je+yWSM ria3Vr+f3X3qvoiARpZ7AuhpvUpVCdl0Khb7FlqFqfjebUZvvqqu2aREPmdPsagT DIu4BesHL8JIUs8nKEEqApYTHQukxMSq5Ixind9ZY8eaB69PqVO5a0qqfQxvOUwA AoF8N+KW4C8r5OvN6Mw= 
                    </dsig:X509Certificate>
                </dsig:X509Data>
            </dsig:KeyInfo>
        </dsig:Signature>
     </foo>

foo标签被标记为dsig元素,并且之后每个其他元素都引用它。这导致了问题,因为它改变了我期望签署的文档的结构,使其无法通过结构验证。为什么会发生这种情况?我如何删除这个dsig

iyfamqjs

iyfamqjs1#

我维护XML::Sig。如上所述,dsig是xml签名所需的名称空间,它可以是ds:但在某些情况下,您需要将应用程序中的命名空间设置为要使用的前缀。
您可以验证使用以下命令创建的文档:

xmlsec1 verify --verbose --lax-key-search --id-attr:ID "foo" --pubkey-cert-pem t/rsa.cert.pem --untrusted t/intermediate.pem --trusted-pem t/cacert.pem text.xml 
Verification status: OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

顺便说一句,您的示例中有一处打字错误:

use XML::Sig;

my $xml = '<?xml version="1.0"?><foo ID="abc"><bar>123</bar></foo>';

my $pkey = 't/rsa.private.key';
my $cert = 't/rsa.cert.pem';

my $signer = XML::Sig->new({
    key         => $pkey,
    cert        => $cert,
    x509        => 1,
    sig_hash    => 'sha256',
    digest_hash => 'sha256'
});

my $signedXml = $signer -> sign($xml);

print $signedXml;

我在XML中引用了私钥和证书::Sig git repo:

perl -I blib/lib test.pl > text.xml
jucafojl

jucafojl2#

<foo>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      ...
   </Signature>
</foo>

等同于

<foo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
   <dsig:Signature>
      ...
   </dsig:Signature>
</foo>

元素不仅仅通过它们的名称来标识;它们由名称空间和名称的组合来标识,下面我将使用{namespace}name表示法。
上面的代码片段创建了一个{}foo元素,该元素带有一个{http://www.w3.org/2000/09/xmldsig#}Signature子元素。
第一个代码段更改了默认名称空间,第二个代码段使用了前缀,但它们是相同的。

相关问题