您的位置: 首页  >  技术问答  >  无法使用证书(.cer)验证签名的XML

无法使用证书(.cer)验证签名的XML

分类: 技术问答 2022-04-02 15:18:30

无法使用证书(.cer)验证签名的XML

问题描述:

我正在尝试使用证书验证签名的XML(签名),但它始终返回false.请指教

I'm trying to verify signed XML(signature) with certificate but it always returns false. Please advice

签名的XML 

<?xml version="1.0" encoding="utf-16"?><LicenseEntity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="MyLicense"><AppName>QMS</AppName><ClientName>SBI</ClientName><UID>1HFELV6-15FTOEJ-SGKXQG-1YDT2I4</UID><Type>Single</Type><CreateDateTime>0001-01-01T00:00:00</CreateDateTime><LicenseValues><EnableFeatureKey>Transfer</EnableFeatureKey><EnableFeatureValue>true</EnableFeatureValue></LicenseValues><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>RT2AjddRXYe5urTO2XS0rsiQmkzqfrFFGQUInCb9xPg=</DigestValue></Reference></SignedInfo><SignatureValue>lWYs8T6LxkqLk9wh9CCR1KKlNWj0voXlB+E5cZDX3/IOKQpVCyS9PPsnqYsYjuKXyWnkldB10AIJdBRa1CSV3iW3j7wniKPl0FNItS+zNtSOBYz2vDQy+67p3JHXZaWCN+BAKmvGqyB9Kba4Xh0cCfa6OaExcW7axTad8E0ez2+hveNLXgKvKtDcaRk6h/RXzj3hMLMIeQEViyOzmlIxo5kIUPCPd1t4YIdr9U+7rcPP2PNp+p8GbXdBe6bsoTcF/hh8Wj78803hVjFE1hkymI6AiHXQohVTKEKdzNygEpN4SsilCulVKHJFhX4gavd0zJWUrtNKWBvXAvVkaST2hQ==</SignatureValue></Signature></LicenseEntity>

这是我要验证的代码

private boolean validateCertificate(String xml,String signatureValue){


    CertificateFactory certificateFactory = null;

    try {

        certificateFactory = CertificateFactory.getInstance("X.509");

        InputStream inputStream = requireContext().getAssets().open("licence-01.cer");
        Certificate certificate = certificateFactory.generateCertificate(inputStream);
        X509Certificate x509Certificate = (X509Certificate) certificate;

        RSAPublicKey rsaPublicKey = (RSAPublicKey) x509Certificate.getPublicKey();
       

        Signature signature = Signature.getInstance("SHA1WithRSA");
        signature.initVerify(rsaPublicKey);
        signature.update(xml.getBytes());
        return signature.verify(signatureValue.getBytes());

    } catch (CertificateException | IOException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
        e.printStackTrace();
        Utility.showLog(TAG,String.valueOf(e));
    }

    return false;
}

请提出我在做什么错.TIA.

Please suggest what I'm doing wrong. TIA.

您可以使用以下代码来测试行为.阅读签名的xml和公共证书以验证签名.原始签名xml中的任何最小更改都会使签名失效,您可以通过更改签名xml中的任何字符来轻松对其进行测试.

You can use the following code in order to test the behaviour. Read the signed xml and public certificate to verify the signatures. Any minimal change in the original signed xml will invalidate the signatures and you can test it easily by changing any character in the signed xml.

package com;

import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class ValidateUsingCertificate {
  
  public static final String SIGNED_XML = "response.xml";
  public static final String CERTIFICATE = "cert.cer";
  
  public static void main(String[] args) throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    
    FileInputStream fis = new FileInputStream(SIGNED_XML);
    Document doc = dbf.newDocumentBuilder().parse(fis);
    
    CertificateFactory fact = CertificateFactory.getInstance("X.509");
    FileInputStream is = new FileInputStream(CERTIFICATE);
    X509Certificate cert = (X509Certificate) fact.generateCertificate(is);
    boolean verify = verifySignature(doc, cert);
    System.out.println("verify :" + verify);
  }
  
  
  private static boolean verifySignature(Document doc, X509Certificate cert) {
    try {
      if (doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").getLength() == 0)
        throw new Exception("Cannot find Signature element");
      
      DOMValidateContext valContext = new DOMValidateContext(cert.getPublicKey(),
          doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0));
      
      XMLSignature signature =
          XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(valContext);
      
      return signature.validate(valContext);
    } catch (Exception e) {
      e.printStackTrace();
    }
    return false;
  }
  
}

相关推荐