我正在使用 Java XML DSig api 对 XML 文档的一部分进行签名。我试图了解它是如何达到 Digest 值的。

我的文件是:

<?xml version=\"1.0\" encoding=\"UTF-8\"?><PurchaseOrder><foo>bar</foo></PurchaseOrder>

我的 xpath 表达式是:
PurchaseOrder/foo/text()

我试图做的是:
  • 调用Java DSIG 库,查看生成的摘要值。
  • 使用 MessageDigest (SHA-1) 类来消化值“bar”。
  • 验证 1 和 2 的摘要是否匹配。

  • 当我这样做时,1 和 2 会产生不同的摘要值。要么我的 DSIG 代码做错了什么,要么我不明白 DSIG 是如何工作的。有任何想法吗?

    这是我的测试代码(抱歉它太长了......我应该回到 perl):
    public class GenerateXmlSignature2 {
        private static final String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><PurchaseOrder><foo>bar</foo></PurchaseOrder>";
        private static final String xpath  = "PurchaseOrder/foo/text()";
    
        public static void main(String[] args) throws Exception {
            Base64 base64 = new Base64();
            // Create a DOM XMLSignatureFactory that will be used to
            // generate the enveloped signature.
            final XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
    
            // Create a Reference to the enveloped document (in this case,
            // you are signing the whole document, so a URI of "" signifies
            // that, and also specify the SHA1 digest algorithm and
            // the ENVELOPED Transform.
            final List<XPathType> xpaths = new ArrayList<XPathType>() {
                {
                    add(new XPathType(xpath, XPathType.Filter.UNION));
                }
            };
            List<Transform> transforms = new ArrayList<Transform>() {{
                 add(fac.newTransform(
                    Transform.XPATH2,
                    new XPathFilter2ParameterSpec(xpaths)
                )
                );
            }};
            Reference ref = fac.newReference
                    ("", fac.newDigestMethod(DigestMethod.SHA1, null),
                            transforms,
                            null, null);
    
    
            // Create the SignedInfo.
            SignedInfo si = fac.newSignedInfo
                    (fac.newCanonicalizationMethod
                            (CanonicalizationMethod.INCLUSIVE,
                                    (C14NMethodParameterSpec) null),
                            fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
                            Collections.singletonList(ref));
    
    
            // Load the KeyStore and get the signing key and certificate.
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new FileInputStream("mykeystore.jks"), "changeit".toCharArray());
            KeyStore.PrivateKeyEntry keyEntry =
                    (KeyStore.PrivateKeyEntry) ks.getEntry
                            ("mykey", new KeyStore.PasswordProtection("changeit".toCharArray()));
            X509Certificate cert = (X509Certificate) keyEntry.getCertificate();
    
            // Create the KeyInfo containing the X509Data.
            KeyInfoFactory kif = fac.getKeyInfoFactory();
            List x509Content = new ArrayList();
            x509Content.add(cert.getSubjectX500Principal().getName());
            x509Content.add(cert);
            X509Data xd = kif.newX509Data(x509Content);
            KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
    
            // Instantiate the document to be signed.
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            Document doc = dbf.newDocumentBuilder().parse
                    (new ByteArrayInputStream(xml.getBytes()));
    
            // Create a DOMSignContext and specify the RSA PrivateKey and
            // location of the resulting XMLSignature's parent element.
            DOMSignContext dsc = new DOMSignContext
                    (keyEntry.getPrivateKey(), doc.getDocumentElement());
    
            // Create the XMLSignature, but don't sign it yet.
            XMLSignature signature = fac.newXMLSignature(si, ki);
    
    
    
            // Marshal, generate, and sign the enveloped signature.
            signature.sign(dsc);
    
            // Output the resulting document.
            TransformerFactory tf = TransformerFactory.newInstance();
            Transformer trans = tf.newTransformer();
            trans.transform(new DOMSource(doc), new StreamResult(System.out));
    
    
    
            System.out.println("\n\n*** SHA-1 Digest ***");
            XPathExpression xpathExpression = XPathFactory.newInstance().newXPath().compile(xpath);
            String data = xpathExpression.evaluate(new InputSource(new StringReader(xml)));
            System.out.println("Xpath: " + data);
            MessageDigest md;
            md = MessageDigest.getInstance("SHA");
            byte[] sha1hash;
            md.update(data.getBytes(), 0, data.length());
            sha1hash = md.digest();
            String base64Sha1OfCanonicalXml = new String(base64.encode(sha1hash));
            System.out.println("Digest:   " + base64Sha1OfCanonicalXml);
        }
    }
    

    最佳答案

    按照以下示例: http://markmail.org/message/tdgioazns7l4yg6d#query:java%20xpath%20xml%20dsig%20bug+page:1+mid:tgw5kr7uscwkcran+state:results ,我发现我需要将 XPathType.Filter.UNION 更改为 XPathType.FILTER.INTERSECT 。这似乎解决了我的问题。 XML DSig 库现在正在使用我预期的正确值。

    10-06 06:59