dousong5492
2016-06-14 15:51
采纳率: 100%
浏览 57
已采纳

SOAP主体的XML签名

I'm implementing a client for a WS which requires soap:body to be signed. The application is written in Go so I would prefer to avoid linking to C.

The biggest issue is: how to calculate SHA256? What should be the input of digest algorithm? I assume that "/CJj9686ARgbV/YmDrr+1yhcaJuXu022cADK/M8efQs=" is a SHA256 result that is later signed. I tried many variations of canonicalized XML but none of them results in this hash.

Here is an example of correct SOAP message

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                       soap:mustUnderstand="1">
            <wsse:BinarySecurityToken
                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                    wsu:Id="X509-16FE2A6FC1AFE42BE9146412186273511">
                MIID7DCCAtSgAwIBAgIEAQAABDANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJDWjEaMBgGA1UEAwwRR0ZSIEVFVCB0ZXN0IENBIDExLTArBgNVBAoMJEdlbmVyw6FsbsOtIGZpbmFuxI1uw60gxZllZGl0ZWxzdHbDrTAeFw0xNjA1MTkxMjQ4MjVaFw0xODA1MTkxMjQ4MjVaMFQxCzAJBgNVBAYTAkNaMRMwEQYDVQQDDApDWjAwMDAwMDE5MRowGAYDVQQKDBFQcsOhdm5pY2vDoSBvc29iYTEUMBIGA1UEBRMLVDAwMDAwMDAwMDQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFCIfnLl3YjNyxM3y2FAVovKQMetfyyj/lfLY3DoN1z/8gaVRfcqTZbwh9Btg0HafSmrWBvfgjEC/pG9HNawYZ9nPE+WIP9bXkoOfDTmmVtX4n6OLi2Di+U7+FmPJzykV0ujsOsfcGnQ0f63xZYoGJIwLJuz3gmAF//DfnOeTT7OUZeOKobBSYkQOKv1j05QqQZ7HP+5oq7+hNylFrjuEi5OAeVgJAYScE4COvcpqPKpb7OeR9f78knYFffg5zp/6bi6qkP5uGYEuuQvbW1mATjoqbAWz8c7HNA56uNFlz8V+z9bL0f/xwQjgy4d+5qelTX46tq0vJ2XM9dJaF8ytJAgMBAAGjgcEwgb4wHgYDVR0RBBcwFYETZXBvZHBvcmFAZnMubWZjci5jejAfBgNVHSMEGDAWgBR6WvwNy+w2pg3aaRlmjJvvgsOpNDAdBgNVHQ4EFgQU8oKPLNlNY0/h8jWEmz3EZ1O3bBMwTAYDVR0gBEUwQzBBBgpghkgBZQMCATACMDMwMQYIKwYBBQUHAgIwJRojVGVudG8gY2VydGlmaWthdCBKRSBQT1VaRSBURVNUT1ZBQ0kwDgYDVR0PAQH/BAQDAgbAMA0GCSqGSIb3DQEBCwUAA4IBAQBVulEYg6noEHqAW3DfNWLvW9XdHFZQj3L5EE3Nwdd0CtMZm4/RZ/CvSENkk+GWv0YCUqHPJzhcKs0NETMKW7L6CI+hY17rD5SHhuoCYzSMlcuMA6gZJr8wIxSWerQrvuZ4uAUMistWG9cgwETZjkGU9JK+H98wdAm2co7WaRweDsNx04aSXagUMDAmRY/jNe7c8/HvwIdnXftbIl56wbYlYiCIG2qS+6lVO+09EIEP40kz1PXlqFZbPLCSlT2YsYiqizfkCX/Ka+AebJykAQ3pOqD6PQ+Y2AMAIRX8AypcN6Yj9p+oof9rda8boA8rA7wwzlJs/+ipWt2ceqPPuL9x
            </wsse:BinarySecurityToken>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-16FE2A6FC1AFE42BE9146412186273615">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                    <ds:Reference URI="#id-16FE2A6FC1AFE42BE9146412186273614">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                        PrefixList=""/>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue>/CJj9686ARgbV/YmDrr+1yhcaJuXu022cADK/M8efQs=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
                    Ii+W0EB2V6GJo4jMGwK1HCRdt6+r9TkgfhXyAuY8FNCXhPOtfoUi/Bw31U4Hm7SLscM/8klrQI3Z2vSfdNe3oDi1cm2Qouv1sOBK17VSg/IgKN92BC8kUaoF5W5ZBEcZr0WHjDWasSYEerZQ3Q+ZIJzt6cbS+cLZfQkLFg1UDOi5qLUkWE1pQ9AVYCvwrOFj/hFQx5koQTpigyG/DPlyoh2xOh/DAh6U/P5p+IiQwwCMdo1Rh2czUVpRCr3Cnz97AlQ8G6IGAtWNykXorVYZ1tGnXEaRngzjsn5RE/zCcRkqRpFaiEQuYly1I6YtFOEYIPXskE5oMZkCLINebu1Law==
                </ds:SignatureValue>
                <ds:KeyInfo Id="KI-16FE2A6FC1AFE42BE9146412186273512">
                    <wsse:SecurityTokenReference
                            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                            wsu:Id="STR-16FE2A6FC1AFE42BE9146412186273513">
                        <wsse:Reference URI="#X509-16FE2A6FC1AFE42BE9146412186273511"
                                        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </SOAP-ENV:Header>
    <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
               wsu:Id="id-16FE2A6FC1AFE42BE9146412186273614">
        <Trzba xmlns="http://fs.mfcr.cz/eet/schema/v2">
            <Hlavicka dat_odesl="2016-09-19T19:06:37+01:00" prvni_zaslani="false"
                      uuid_zpravy="9edeb22b-4234-4047-869c-3a76f86c20d3"/>
            <Data celk_trzba="34113.00" cerp_zuct="679.00" cest_sluz="5460.00" dan1="-172.39" dan2="-530.73"
                  dan3="975.65" dat_trzby="2016-01-05T00:30:12+01:00" dic_popl="CZ00000019" id_pokl="/5546/RO24"
                  id_provoz="273" porad_cis="0/6460/ZQ42" pouzit_zboz1="784.00" pouzit_zboz2="967.00"
                  pouzit_zboz3="189.00" rezim="0" urceno_cerp_zuct="324.00" zakl_dan1="-820.92" zakl_dan2="-3538.20"
                  zakl_dan3="9756.46" zakl_nepodl_dph="3036.00"/>
            <KontrolniKody>
                <pkp cipher="RSA2048" digest="SHA256" encoding="base64">
                    W7UlA4hXNsDLvCj/eeRAYeOAsNsgMSdltcJNIW98KQRsfspTMW0Lr/OGQgRHZfO5KjolZgzN3k9mgzrVoX2+N90fCNEnOri2kjrW5vzTgMK6OZ9IryAEg0xFZjjjCQ0qKsQsVi8OLQOn3ZnN/BUGG2SIduER+iIOrhfOmes7OXaa5/2jQSfPTHZHZ/Bxhqld3gL4PHvd7sevZYUupHpE1fM7Uw1+lu8i1YOdghZoMyOfKw7FcqvRJpHrW/JZL5Dr5iCgu5ClmhZrb3hZavsxlDG7P2cUhSQgmEVTxJ2n38q/Cf91KE8e52SODN4Q8BfncXpmtkQ7Go3KsRsY3xN7xg==
                </pkp>
                <bkp digest="SHA1" encoding="base16">1F1A2D90-4EAD34A8-411CFB0B-EB17616E-B2CE8114</bkp>
            </KontrolniKody>
        </Trzba>
    </soap:Body>
</soap:Envelope>
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

3条回答 默认 最新

  • dongmei5168 2016-06-15 11:16
    已采纳

    Finally, I found how to get all values.

    1. Canonicalize XML element defined in <SignedInfo><Reference>. In this case it's the <soap:Body> element. Canonicalization adds just soap namespace and adds closing tags. I'm generating these in Go and Go never generates self-closing tags.
    2. Calculate hash from a string representation of canonicalized <soap:Body> as it will be sent in a request.
    3. Add calculated digest into <DigestValue> of corresponding <Reference>.
    4. Canonicalize <SignedInfo> and calculate hash of it.
    5. Sign this hash and add value to <SignedValue>.

    I know that this is not a general approach but it should work for me. C14N is not necessary because Go can produce the same result if you pay attention to attributes order and manually add namespaces.

    打赏 评论
  • douni1396 2016-06-14 20:50

    calculate sha256 like this

    import (
    "crypto/sha256"
    
    )
    
    var slice = []byte("test")
    
    return sha256.Sum256(slice)
    
    打赏 评论
  • duanbing8817 2016-09-02 14:11

    Referring to the XML example CZ00000019.valid.v3.xml (of the Czech Fiscal Authority EET) the canonicized SignedInfo is:

    var signedinfoCanon 
    = '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    + '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">'
    + '<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"></ec:InclusiveNamespaces>'
    + '</ds:CanonicalizationMethod>'
    + '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>'
    + '<ds:Reference URI="#id-A72D6FD4C41B1F545F14700558808234">'
    + '<ds:Transforms>'
    + '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">'
    + '<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""></ec:InclusiveNamespaces>'
    + '</ds:Transform>'
    + '</ds:Transforms>'
    + '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>'
    + '<ds:DigestValue>4hn06sSS2yurIiUmWaV36JQJZrwbWf36sG9bOHH/ycM=</ds:DigestValue>'
    + '</ds:Reference>'
    + '</ds:SignedInfo>'
    
    打赏 评论

相关推荐 更多相似问题