signedXml

signedXml

关注
发信
关注(28)粉丝(399)

.net - SignedXml.CheckSignature引发异常:值不能为null。参数名称:名称

我正在编写一段代码来验证X509证书中的Xml签名,并在主题行中收到异常消息。

我的示例代码

        Dim cert As X509Certificate2 = GetCertificate("Certificate Name")

        Dim signedXml As SignedXml = New SignedXml(Me.samlResponseXml)
        If (signedXml.CheckSignature(cert, True)) Then
            ' The signature is valid
        Else
            ' The signature is invalid
            Throw New ArgumentException("Invalid signature found in Saml Xml.")
        End If


我已经从证书存储区成功加载了证书(代码的第一行)。
我已经成功填充了signedXml(代码的第二行)。

当我调用signedXml.CheckSignature(cert, True)函数时会引发异常。消息非常不清楚:


值不能为空。
参数名称:名称


知道这里有什么问题吗?

调用堆栈:


用户代码未处理System.ArgumentNullException
Message = Value不能为null。参数名称:name ParamName =名称
来源= mscorlib StackTrace:
在System.Security.Cryptography.CryptoConfig.CreateFromName(字符串名称,Object []参数)
在System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm键)
在System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm键)
在System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2证书,布尔verifySignatureOnly)
在D:\ Projects \ MyProject \ Test.vb:第117行的MyNamespace.MyClass.MyFunction()


更新1
我打开了.Net Framework源调试,并且从SignedXml.CheckSignedInfo方法引发了异常,其中有一行代码

SignatureDescription signatureDescription = CryptoConfig.CreateFromName(SignatureMethod) as SignatureDescription;

显然,SignatureMethod是一个包装

    public string SignatureMethod  {
        get { return m_signature.SignedInfo.SignatureMethod; }
    }


m_signature.SignedInfo.SignatureMethod为空值。我在http://msdn.microsoft.com/en-us/library/system.security.cryptography.xml.signedxml.signaturemethod.aspx上再次从MSDN中阅读了SignatureMethod的解释,并检查了以下带有签名部分的Xml代码。我有一个带有值的SignatureMethod标记,但是为什么SignedXml无法处理它?

  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_ea559faf-417b-407f-bdc2-bccc76dab76c">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>fvQx+J90ZGKhwj8Mfhg6v/esOtI=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>Ft2mQEA3a39uRq5N94pDI8Y6B/UGLXHkZJ+/besOQmEtZoi630vBDzQfIxx5Djgg6YYeF/s67iF+KLgfvBrHxoe3E8xiqTwBigem41+PJdITlwgrOTkLo2sSdj4DaFdxeN+SCy6KfKXpDBvDyN4i/R0hBKodGwytfzK/DMeOhHU=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIICBjCCAXOgAwIBAgIQ3VhOVESMV71O0q5EttLxxDAJBgUrDgMCHQUAMBwxGjAYBgNVBAMTEUlkZW50aXR5UHJvdmlkZXIxMB4XDTExMDkwMTA1MDAwMFoXDTQwMTIzMTA1MDAwMFowHDEaMBgGA1UEAxMRSWRlbnRpdHlQcm92aWRlcjEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMBVhtKneTweMOgmvwO+i8AvZ5p0/PGatzLKNXVctTROcXb48u3L9JR3sVPasAFNsafq086xqaWyuFM7jAHtYHTQg/oLt+wGCKd7w/n4s0crxM3NVahDmSUPnBW9RZM2XD4pOs9DTu8aEEQGN/p01jrIMgPYhdlVsTJSg43lLyzjAgMBAAGjUTBPME0GA1UdAQRGMESAEHDoTOJwf2lSgqgCU4TXI2ShHjAcMRowGAYDVQQDExFJZGVudGl0eVByb3ZpZGVyMYIQ3VhOVESMV71O0q5EttLxxDAJBgUrDgMCHQUAA4GBAKvsy5KkU9dDNWDRW55/+s7txFfl4ZmWw45AmZYXEA90g+xzALFtWbX/QGqCOx4C0h5fB5Oco084B7gJK/uf2a8oaYvxYGwlxgRxJ9Dq5XBx5ZhOuobT8G2xVy575cbaGnFbObG6/E33Mva1gAYdw7rvGaz/dYuBeChsEIvzROYU</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>

最佳答案

SignedXml需要两个步骤进行验证。第1步是构造,在该过程中向您提供将在其中找到已签名元素的文档或元素。第二部分是您必须通过LoadXml方法加载Signature元素(可能来自其他文档)。

the SignedXml MSDN page为例,但为证书进行修改:

public static Boolean VerifyXmlFile(XmlElement samlResponseXml, X509Certificate2 cert)
{
    // Create a new SignedXml object and pass it the XML.
    SignedXml signedXml = new SignedXml(samlResponseXml);

    // Find the "Signature" node and create a new XmlNodeList object.
    XmlNodeList nodeList = xmlDocument.GetElementsByTagName("Signature");

    // TODO: Error checking.  Was it found? Were too many found?

    // Load the signature node.
    signedXml.LoadXml((XmlElement)nodeList[0]);

    // Check the signature and return the result.
    return signedXml.CheckSignature(cert, true);
}


使用SignedXml时,请注意来自MSDN页面上“备注”部分的问题。特别是,确保签名密钥适合于签名内容(类似于在TLS会话期间执行主机名验证)。

10-05 23:26
Powered by LMLPHP ©2024 signedXml 0.029982