I have a problem that I can't figure out how to solve. My application receives a (supposedly) signed XML and I have to validate if it is right. Here's the signature part of what I receive in the XML:

    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="35121103220612000188550010000000131000009300">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <DigestValue>uLZ/66r6OoNLpj5v4cIsrv5zmyc=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>encoded</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>encoded</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>

Everything I found on the internet to validate needs the public key. But I don't have it. I have only the DigestValue. Do you know if it's possible to validate using only the DigestValue?

Here's what I have so far. The problem is where to get the key for X509KeySelector:

    import javax.xml.crypto.dsig.XMLSignature;
    import javax.xml.crypto.dsig.XMLSignatureFactory;
    import javax.xml.crypto.dsig.dom.DOMValidateContext;
    import javax.xml.parsers.DocumentBuilder;
    import javax.xml.parsers.DocumentBuilderFactory;
    import org.w3c.dom.Document;
    import org.w3c.dom.Node;

    // X509KeySelector and publicKey are not defined in this snippet.
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    DocumentBuilder builder = dbf.newDocumentBuilder();
    Document doc = builder.parse("/home/test.xml");
    Node nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
    DOMValidateContext valContext = new DOMValidateContext(new X509KeySelector(publicKey), nl);
    XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
    XMLSignature signature = factory.unmarshalXMLSignature(valContext);
    System.out.println(signature.validate(valContext));

Thanks in advance.
Best answer
You get the X509 key from the embedded X509 certificate.
UPDATE:
Doing a Google search for "xml signature x509certificate" turned up this page, which would seem to give you all the answers you need.
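
An added example (not code from the question or the answer) of what the answer describes: a KeySelector that takes the public key from the X509Certificate embedded in KeyInfo. Because any sender can embed a certificate of their own, it accepts only certificates found in a caller-supplied trusted set; the names VerifyEmbeddedCert and PinnedCertSelector and the trusted set are assumptions.

```java
import java.io.File;
import java.security.Key;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class VerifyEmbeddedCert {
    // Hypothetical selector: returns the key of the first embedded
    // X509Certificate that the caller already trusts (pinned certificates).
    static class PinnedCertSelector extends KeySelector {
        private final Set<X509Certificate> trusted;
        PinnedCertSelector(Set<X509Certificate> trusted) { this.trusted = trusted; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                AlgorithmMethod method, XMLCryptoContext ctx) throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("no KeyInfo");
            for (Object info : keyInfo.getContent()) {
                if (!(info instanceof X509Data)) continue;
                for (Object o : ((X509Data) info).getContent()) {
                    // Certificate.equals compares the encoded form.
                    if (o instanceof X509Certificate && trusted.contains(o)) {
                        final Key key = ((X509Certificate) o).getPublicKey();
                        return () -> key;
                    }
                }
            }
            throw new KeySelectorException("no trusted certificate in KeyInfo");
        }
    }

    static boolean verify(File xml, Set<X509Certificate> trusted) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Reject DOCTYPE declarations so the untrusted input cannot use external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(xml);
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) throw new XMLSignatureException("expected exactly one Signature");
        DOMValidateContext ctx = new DOMValidateContext(new PinnedCertSelector(trusted), nl.item(0));
        XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
        return factory.unmarshalXMLSignature(ctx).validate(ctx);
    }
}
```

The DigestValue alone cannot replace the key: it is only the hash of the referenced content, while SignatureValue is what the public key checks. On JDK 17 and later, secure validation is on by default and rejects SHA-1 based algorithms such as the rsa-sha1 shown in the question.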