XML签名验证(XML Signature Validation)

XML签名验证(XML Signature Validation)

我有一个问题，我无法弄清楚如何解决。 我的应用程序收到（据称）签名的XML，我必须验证它是否正确。 这是XML中接收内容的签名部分

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI="35121103220612000188550010000000131000009300"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>uLZ/66r6OoNLpj5v4cIsrv5zmyc=</DigestValue> </Reference> </SignedInfo> <SignatureValue>encoded</SignatureValue> <KeyInfo> <X509Data> <X509Certificate>encoded</X509Certificate> </X509Data> </KeyInfo> </Signature>

我在互联网上发现的所有内容都需要公钥。 但我没有。 我只有DigestValue。 您知道是否可以仅使用DiggestValue进行验证吗？

这是我到目前为止所拥有的。 问题是从哪里获取X509KeySelector的密钥

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); DocumentBuilder builder = dbf.newDocumentBuilder(); Document doc = builder.parse("/home/test.xml"); Node nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0); DOMValidateContext valContext = new DOMValidateContext(new X509KeySelector(publicKey), nl); XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM"); XMLSignature signature = factory.unmarshalXMLSignature(valContext); System.out.println(signature.validate(valContext));

提前致谢。

I have a problem that I can't figure out how to solve. My application receives a (supposedly) signed XML and I have to validate if it is right. Here's the signature part of what a receive in the XML

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI="35121103220612000188550010000000131000009300"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>uLZ/66r6OoNLpj5v4cIsrv5zmyc=</DigestValue> </Reference> </SignedInfo> <SignatureValue>encoded</SignatureValue> <KeyInfo> <X509Data> <X509Certificate>encoded</X509Certificate> </X509Data> </KeyInfo> </Signature>

Everything I found on internet to validate needs the public key. But I don't have it. I have only the DigestValue. Do you know if its possible to validate using only the DiggestValue?

Here's what I have so far. The problem is where to get the key for X509KeySelector

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); DocumentBuilder builder = dbf.newDocumentBuilder(); Document doc = builder.parse("/home/test.xml"); Node nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0); DOMValidateContext valContext = new DOMValidateContext(new X509KeySelector(publicKey), nl); XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM"); XMLSignature signature = factory.unmarshalXMLSignature(valContext); System.out.println(signature.validate(valContext));

Thanks in advance.

最满意答案

您可以从嵌入式X509证书中获取X509密钥。

更新：

进行谷歌搜索“xml签名x509certificate”打开了这个页面 ，这似乎给你所需的所有答案。

You get the X509 key from the embedded X509 certificate.

UPDATE:

doing a google search for "xml signature x509certificate" turned up this page, which would seem to give you all the answers you need.