golang/goxmldig – Signature Verification Failed

Question

I have attempted to sign an entities descriptor file, but the signature is always incorrect. xmlsectool states that the expected digest is not the same as the actual digest.

    xmlsectool-2.0.0/xmlsectool.sh --verifySignature --certificate saml.crt --inFile example.xml
    INFO XMLSecTool - Reading XML document from file 'example.xml'
    INFO XMLSecTool - XML document parsed and is well-formed.
    WARN Reference - Verification failed for URI "#id1234"
    WARN Reference - Expected Digest: D+SEh34cA7/atdQ8ojV9rzUcJcJSAslFZ0aOIwplGfI=
    WARN Reference - Actual Digest: EYun0wngsN35ci20wRziCXs0Io7J4bZN+NYRnnTR5QM=
    ERROR XMLSecTool - XML document signature verification failed

I followed the README example on goxmldsig to create the following code. The full example is on pastebin (stackoverflow wouldn't let me post it here).

    xmlBytes := []byte(`<></>`) // the real EntitiesDescriptor XML is in the pastebin, not shown here
    keyPair, err := tls.X509KeyPair(certBytes, keyBytes)
    failOnError(err, "failed to load keypair")
    keyStore := dsig.TLSCertKeyStore(keyPair)
    signingContext := dsig.NewDefaultSigningContext(keyStore)
    // Exclusive C14N 1.0 with an empty InclusiveNamespaces prefix list
    signingContext.Canonicalizer = dsig.MakeC14N10ExclusiveCanonicalizerWithPrefixList("")
    err = signingContext.SetSignatureMethod(dsig.RSASHA256SignatureMethod)
    failOnError(err, "failed to set signature method")
    readXMLDoc := etree.NewDocument()
    err = readXMLDoc.ReadFromBytes(xmlBytes)
    failOnError(err, "cannot parse xml")
    elementToSign := readXMLDoc.Root()
    // The Reference URI "#id1234" in the Signature points at this attribute
    elementToSign.CreateAttr("ID", "id1234")
    signedElement, err := signingContext.SignEnveloped(elementToSign)
    failOnError(err, "failed to sign envelope")
    var signedAssertionBuf []byte
    {
        readXMLDoc.SetRoot(signedElement)
        signedAssertionBuf, err = readXMLDoc.WriteToBytes()
        failOnError(err, "failed to convert doc to bytes")
    }
    err = ioutil.WriteFile("/tmp/test/example.xml", signedAssertionBuf, 0775)
    failOnError(err, "failed to write signed document")

Answer 1

Score: 2

It seems the problem is related to including this attribute in some of your elements:

    xml:lang="en"

For example in:

    <OrganizationName xml:lang="en">Your Identities</OrganizationName>

If you remove the xml:lang="en" for all elements, the generated signature turns out to be valid and correctly verified.

As far as I can see, when you include that attribute, the elements written on the actual XML document seem to turn into this:

    <OrganizationName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">Your Identities</OrganizationName>

And that makes the signature invalid.
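
A check a practitioner can run on the serialized bytes before handing them to xmlsectool, written for this answer (it is not goxmldsig's or the answerer's code): it walks the document with Go's encoding/xml and reports every element that carries an xml:-prefixed attribute or the explicit xmlns:xml declaration the answer above points to. The EntityDescriptor/Organization sample is constructed, and LintSignedXML and the sample constants are hypothetical names.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

const xmlNS = "http://www.w3.org/XML/1998/namespace" // the xml: prefix is always bound here

// LintSignedXML walks serialized XML and reports, per element, attributes in the
// reserved xml: prefix (such as xml:lang) and any explicit xmlns:xml declaration,
// the artifact the answer identifies as what breaks the reference digest.
// Hypothetical helper written for this example; not part of goxmldsig.
func LintSignedXML(doc string) ([]string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var path, findings []string // path: element names from the root to the current one
	for tok, err := dec.Token(); err != io.EOF; tok, err = dec.Token() {
		if err != nil {
			return nil, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			path = append(path, t.Name.Local)
			where := "/" + strings.Join(path, "/")
			for _, a := range t.Attr {
				switch {
				case a.Name.Space == "xmlns" && a.Name.Local == "xml": // decoder keeps xmlns: declarations raw
					findings = append(findings, where+": explicit xmlns:xml declaration")
				case a.Name.Space == xmlNS: // decoder maps the xml: prefix to its namespace URI
					findings = append(findings, where+": uses xml:"+a.Name.Local)
				}
			}
		case xml.EndElement:
			path = path[:len(path)-1]
		}
	}
	return findings, nil
}

// Constructed samples: the element as the asker wrote it, and as the answer says
// it ends up in the serialized document.
const cleanDoc = `<EntityDescriptor><Organization><OrganizationName xml:lang="en">Your Identities</OrganizationName></Organization></EntityDescriptor>`
const brokenDoc = `<EntityDescriptor><Organization><OrganizationName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">Your Identities</OrganizationName></Organization></EntityDescriptor>`

func main() {
	fmt.Println(LintSignedXML(cleanDoc))
	fmt.Println(LintSignedXML(brokenDoc))
}
```

Any "explicit xmlns:xml declaration" finding on the bytes you wrote out means the verifier will see a different element than the one whose digest was computed, which is exactly the Expected/Actual Digest mismatch in the question.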

huangapple
  • Posted on 2017-08-13 06:38:04
  • Please keep this link when reposting: https://go.coder-hub.com/45655516.html