Libraries: Apache Santuario + xades4j.
I use XPath to select elements and sign them.
Signing a simple XML without namespaces and then verifying the signature works fine, but when the XML defines a namespace, for example the following XML:
```xml
<ClinicalDocument xmlns="urn:hl7-org:v3">
<element1tobesigned.../>
<element2tobesigned.../>
</ClinicalDocument>
```
I get an exception when verifying the signature:
```
858 WARN [main] org.apache.xml.security.signature.Reference - Verification failed for URI "#xmldsig-5fb20abe-b14c-4d84-a908-e22e776cd6f1-signedprops"
858 WARN [main] org.apache.xml.security.signature.Reference - Expected Digest: q0WnWFf9j0kcT46t5cXmcPnVvu5o51oAcmej/SjCazQ=
858 WARN [main] org.apache.xml.security.signature.Reference - Actual Digest: 41zXKVkRCsxUYpNZXW5b9KkZlTC9LM9WA8O7WHQz1Rg=
xades4j.verification.ReferenceValueException: Reference '#xmldsig-5fb20abe-b14c-4d84-a908-e22e776cd6f1-signedprops' cannot be validated
```
The cause is that the digest differs because the XML namespace (urn:hl7-org:v3) was added to xades:SignedProperties:
```
858 DEBUG [main] org.apache.xml.security.utils.DigesterOutputStream - Pre-digested input
858 DEBUG [main] org.apache.xml.security.utils.DigesterOutputStream - <xades:SignedProperties xmlns="urn:hl7-org:v3" ........./>
```
Here is the signature generation code:
```java
XadesTSigningProfile profile = new XadesTSigningProfile(keyProvider);
profile.withTimeStampTokenProvider(TestTimeStampTokenProvider.class)
       .withAlgorithmsProviderEx(ExclusiveC14nForTimeStampsAlgorithmsProvider.class);
XadesSigner signer = profile.newSigner();
// Reference the whole document (URI "") and narrow it down with an XPath transform
DataObjectDesc obj1 = new DataObjectReference("")
        .withTransform(new ExclusiveCanonicalXMLWithoutComments())
        .withTransform(new XPathTransform(xPath));
SignedDataObjects dataObjs = new SignedDataObjects().withSignedDataObject(obj1);
// change 2012-11-20 start
// signer.sign(dataObjs, docToSign.getDocumentElement());
new Enveloped(signer).sign(docToSign.getDocumentElement());
// change 2012-11-20 end
```
Here is the verification code:
```java
NodeList signatureNodeList = getSigElement(getDocument("my/my-document.signed.bes.countersign.xml"));
for (int i = 0; i < signatureNodeList.getLength(); i++) {
    Element signatureNode = (Element) signatureNodeList.item(i);
    verifySignature(signatureNode, new XadesVerificationProfile(VerifierTestBase.validationProviderMySigs));
    log.info("successful validation");
}

public static XAdESForm verifySignature(Element sigElem,
        XadesVerificationProfile p) throws Exception {
    XAdESVerificationResult res = p.newVerifier().verify(sigElem, null);
    return res.getSignatureForm();
}
```
There seems to be documentation about this problem in the Apache Santuario FAQ:

> 2.6. I sign a document and when I try to verify using the same key, it fails
>
> After you have created the XMLSignature object, before you sign the document, you must embed the signature element in the owning document (using a call to XMLSignature.getElement() to retrieve the newly created Element node from the signature) before calling the XMLSignature.sign() method.
>
> During canonicalisation of the SignedInfo element, the library looks at the parent and ancestor nodes of the Signature element to find any namespaces that the SignedInfo node has inherited. Any that are found are embedded in the canonical form of the SignedInfo. (This is not true when Exclusive Canonicalisation is used, but it is still good practice to insert the element node prior to the sign() method being called).
>
> If you have not embedded the signature node in the document, it will not have any parent or ancestor nodes, so it will not inherit their namespaces. If you then embed it in the document and call verify(), the namespaces will be found and the canonical form of SignedInfo will be different to that generated during sign().
There is also a discussion of this problem here:
https://stackoverflow.com/a/12759909/1809884
It seems that this is not a bug in xades4j but an XML Signature issue.

-- Added 2012-11-15

Here is how I get the docToSign. In fact, I just reused the code in class SignatureServicesTestBase, so I am sure that it is namespace aware.
```java
import java.io.FileInputStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import xades4j.utils.DOMHelper;

private static DocumentBuilder db;

static
{
    try {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // xmlns declarations become namespace nodes
        db = dbf.newDocumentBuilder();
    } catch (ParserConfigurationException ex) {
        throw new ExceptionInInitializerError(ex);
    }
}

public static Document getDocument(String fileName) throws Exception
{
    String path = toPlatformSpecificXMLDirFilePath(fileName);
    Document doc = db.parse(new FileInputStream(path));
    // Apache Santuario now uses Document.getElementById; use this convention for tests.
    Element elem = doc.getDocumentElement();
    DOMHelper.useIdAsXmlId(elem);
    return doc;
}
```
And docToSign is returned by calling SignatureServicesTestBase.getDocument():
```java
Document docToSign = SignatureServicesTestBase.getDocument("my/cdamessage.xml");
```
And the SignedProperties element is as follows:
```xml
<xades:SignedSignatureProperties>
<xades:SigningTime>2012-11-15T13:58:26.167+09:00</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>4btVb5gQ5cdcNhGpvDSWQZabPQrR9jf1x8e3YF9Ajss=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=Itermediate,OU=CC,O=ISEL,C=PT</ds:X509IssuerName>
<ds:X509SerialNumber>-119284162484605703133798696662099777223</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>vm5QpbblsWV7fCYXotPhNTeCt4nk8cLFuF36L5RJ4Ok=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=TestCA,OU=CC,O=ISEL,C=PT</ds:X509IssuerName>
<ds:X509SerialNumber>-46248926895392336918291885380930606289</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>AUaN+IdhKQqxIVmEOrFwq+Dn22ebTkXJqD3BoOP/x8E=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=TestCA,OU=CC,O=ISEL,C=PT</ds:X509IssuerName>
<ds:X509SerialNumber>-99704378678639105802976522062798066869</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
</xades:SignedProperties>
```
Also, I use XPath to get the elements to be signed, and the namespace (xmlns="urn:hl7-org:v3") is added to the result as well:
```
543 DEBUG [main] org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "null")
544 DEBUG [main] org.apache.xml.security.utils.ElementProxy - setElement("dsig-xpath:XPath", "null")
658 DEBUG [main] org.apache.xml.security.utils.DigesterOutputStream - Pre-digested input:
658 DEBUG [main] org.apache.xml.security.utils.DigesterOutputStream - <component xmlns="urn:hl7-org:v3" Id="ES" contextConductionInd="true" typeCode="COMP">
<section classCode="DOCSECT" moodCode="EVN">
<code code="ES" codeSystem="2.16.840.1.113883.6.1" codeSystemName="SectionCode" codeSystemVersion="1.0" displayName="english"></code>
<text>english</text>
</section>
</component>
```
Is something wrong with the XPath? XPath is driving me crazy. I think I have to study XPath from now on.

Chris
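As an added example (not code from the question or from xades4j), the following reproduces the FAQ's point in isolation with the Santuario Canonicalizer API: the same xades:SignedProperties subtree digests differently under inclusive C14N once it is attached under a root that declares xmlns="urn:hl7-org:v3", while exclusive C14N leaves the digest unchanged; the inherited default namespace showing up on the XPath-selected component subtree above is the same rendering rule. It assumes the Santuario 1.5/2.x API (canonicalizeSubtree returning byte[]) and constructs its own minimal document in place of the CDA file.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

// Added example, not code from the question or from xades4j. Assumes the
// Santuario 1.5/2.x API where Canonicalizer.canonicalizeSubtree(Node) returns byte[].
public class NamespaceInheritanceDemo {
    static final String XADES_NS = "http://uri.etsi.org/01903/v1.3.2#";

    // Canonicalize a subtree, print it, and return its Base64 SHA-256 digest (as in ds:DigestValue)
    static String digest(Canonicalizer c14n, Element e) throws Exception {
        byte[] canonical = c14n.canonicalizeSubtree(e);
        System.out.println(new String(canonical, StandardCharsets.UTF_8));
        byte[] d = MessageDigest.getInstance("SHA-256").digest(canonical);
        return Base64.getEncoder().encodeToString(d);
    }

    public static void main(String[] args) throws Exception {
        Init.init();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // C14N needs real namespace nodes
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Constructed stand-in for the CDA document: the root declares a default namespace
        Document doc = db.parse(new InputSource(new StringReader(
                "<ClinicalDocument xmlns=\"urn:hl7-org:v3\"><component/></ClinicalDocument>")));

        // A minimal SignedProperties subtree, still detached (no parent, nothing to inherit)
        Element props = doc.createElementNS(XADES_NS, "xades:SignedProperties");
        props.appendChild(doc.createElementNS(XADES_NS, "xades:SignedSignatureProperties"));

        Canonicalizer incl = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
        Canonicalizer excl = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        String inclDetached = digest(incl, props);
        String exclDetached = digest(excl, props);

        // Now embed it under the root: inclusive C14N renders the inherited xmlns="urn:hl7-org:v3",
        // exclusive C14N renders only the namespaces the subtree visibly uses (xades)
        doc.getDocumentElement().appendChild(props);
        System.out.println("inclusive digest unchanged: " + inclDetached.equals(digest(incl, props)));
        System.out.println("exclusive digest unchanged: " + exclDetached.equals(digest(excl, props)));
    }
}
```

Running it prints both canonical forms before and after embedding, so the extra xmlns declaration that changes the inclusive digest is visible next to the unchanged exclusive one.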