Problem description
With the help of the MSDN site about SignedXml, I can easily verify if an XML DSig is correct. It works perfectly if the signature method sha1 was used.
However, when I receive the SignatureMethod RSA-SHA512 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha512), CheckSignature() breaks with a CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
It seems like CheckSignature() is not able to verify RSA-SHA512 signatures.
Does anyone know how to check these kinds of signatures?
The code, taken from the MSDN site, is:
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

public static bool VerifyXml(XmlDocument doc, bool removeSignatureElement = false)
{
    // Check arguments (a null argument is an ArgumentNullException, not a plain ArgumentException).
    if (doc == null)
        throw new ArgumentNullException("doc");

    // Create a new SignedXml object and pass it the XML document class.
    SignedXml signedXml = new SignedXml(doc);

    // Find the "Signature" node and create a new XmlNodeList object.
    // The original used the project constant Constants.NamespaceDSig here; it holds the
    // xmldsig namespace URI, which SignedXml.XmlDsigNamespaceUrl provides as well.
    XmlNodeList nodeList = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);

    // Throw an exception if no signature was found.
    if (nodeList.Count < 1)
    {
        throw new CryptographicException("Verification failed: No Signature was found in the document.");
    }

    // This example only supports one signature for the entire XML document.
    // Throw an exception if more than one signature was found.
    if (nodeList.Count > 1)
    {
        throw new CryptographicException("Verification failed: More than one signature was found for the document.");
    }

    // Load the first <Signature> node.
    signedXml.LoadXml((XmlElement)nodeList[0]);

    // Check the signature and return the result.
    bool signedCorrectly = signedXml.CheckSignature(); // throws the Exception!!!
    return signedCorrectly;
}
The signed XML is:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Notification xmlns="http://www.xxxxxxxxxxx.xx/xxxxx">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content"> ... </xenc:EncryptedData>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>WsHcyNL7Jh8HSzR9ArzTqomBkHs=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      pWDatSEbypIUVQR9NFmLkB9kKWjMb6rKWGFFvGqT5tOUILeDhMHUqjCRB9v/g6yYdogC9TRWouhz
      ...VoZAIBs7EqCbLt7RgpB4GHWc9E3qp65NaCgluw==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          MIIG+zCCBOOgAwIBAgIHAe2+sRfTfDANBgkqhkiG9w0BAQUFADCBkTELMAkGA1UEBhMCQVQxDTAL
          ...tvawqBjOfkw1yeDzsDMJHfMuAcpYfrEL
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</Notification>
You can verify RSA SHA512 signatures but you'll have to implement and register the signature description by yourself.
Signature description:
using System;
using System.Security.Cryptography;

public sealed class RSAPKCS1SHA512SignatureDescription : SignatureDescription
{
    public RSAPKCS1SHA512SignatureDescription()
    {
        // Names that SignedXml resolves through CryptoConfig when it builds the digest,
        // formatter and deformatter for this signature method.
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA512Managed).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    // Used on the verifying side (CheckSignature).
    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        if (key == null)
        {
            throw new ArgumentNullException("key");
        }
        var deformatter = new RSAPKCS1SignatureDeformatter(key);
        deformatter.SetHashAlgorithm("SHA512");
        return deformatter;
    }

    // Used on the signing side (ComputeSignature).
    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        if (key == null)
        {
            throw new ArgumentNullException("key");
        }
        var formatter = new RSAPKCS1SignatureFormatter(key);
        formatter.SetHashAlgorithm("SHA512");
        return formatter;
    }
}
In your code you'll have to register this description with CryptoConfig:
const string XmlDsigRsaSha512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA512SignatureDescription), XmlDsigRsaSha512);
I tested it with .Net 4.0 on Windows 7 64 Bit.
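An added end-to-end example, not from the original answer, that registers the description above, signs a constructed document with rsa-sha512 and verifies it against the expected key, then shows the check failing once the signed content is altered. It assumes the RSAPKCS1SHA512SignatureDescription class from the answer is compiled into the same project; the RsaSha512XmlDsigDemo class, the sample XML and the generated key pair are constructed for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not from the original post). Assumes the RSAPKCS1SHA512SignatureDescription
// class from the answer is compiled into the same project.
public static class RsaSha512XmlDsigDemo
{
    const string XmlDsigRsaSha512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
    const string XmlEncSha512 = "http://www.w3.org/2001/04/xmlenc#sha512"; // standard XMLDSig SHA-512 digest URI

    public static void Main()
    {
        // Register once, before SignedXml has to resolve the rsa-sha512 URI.
        CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA512SignatureDescription), XmlDsigRsaSha512);
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<Notification><Amount>100</Amount></Notification>"); // constructed sample

        using (var rsa = new RSACryptoServiceProvider(2048)) // constructed key pair for the demo
        {
            Sign(doc, rsa);
            Console.WriteLine("original verifies: " + Verify(doc, rsa));
            // Alter signed content: the digest over the enveloped document no longer matches.
            doc.GetElementsByTagName("Amount")[0].InnerText = "999";
            Console.WriteLine("tampered verifies: " + Verify(doc, rsa));
        }
    }

    static void Sign(XmlDocument doc, RSA key)
    {
        var signedXml = new SignedXml(doc) { SigningKey = key };
        signedXml.SignedInfo.SignatureMethod = XmlDsigRsaSha512;           // resolved through CryptoConfig
        var reference = new Reference("") { DigestMethod = XmlEncSha512 }; // URI "" = whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();                                      // calls CreateFormatter
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // Verify against the key we expect rather than whatever KeyInfo the document carries.
    static bool Verify(XmlDocument doc, RSA expectedKey)
    {
        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) throw new CryptographicException("Expected exactly one Signature element.");
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)nodes[0]);
        return signedXml.CheckSignature(expectedKey);                      // calls CreateDeformatter
    }
}
```

CheckSignature(key) checks against the key you expect, whereas the parameterless CheckSignature() in the question takes the key from the document's own KeyInfo, which proves integrity but not who signed it. On .NET Framework 4.6.2 and later SignedXml resolves rsa-sha512 without this registration.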