dongsibao8977 2017-08-12 22:38
Views: 140
Accepted

golang / goxmldsig - signature verification failed

I have attempted to sign an entities descriptor file, but the signature is always incorrect. xmlsectool states that the expected digest is not the same as the actual digest.

xmlsectool-2.0.0/xmlsectool.sh --verifySignature --certificate saml.crt --inFile example.xml
INFO  XMLSecTool - Reading XML document from file 'example.xml'
INFO  XMLSecTool - XML document parsed and is well-formed.
WARN  Reference - Verification failed for URI "#id1234"
WARN  Reference - Expected Digest: D+SEh34cA7/atdQ8ojV9rzUcJcJSAslFZ0aOIwplGfI=
WARN  Reference - Actual Digest: EYun0wngsN35ci20wRziCXs0Io7J4bZN+NYRnnTR5QM=
ERROR XMLSecTool - XML document signature verification failed

I followed the README example on goxmldsig to create the following code. The full example is on pastebin (stackoverflow wouldn't let me post it here).

package main

import (
	"crypto/tls"
	"io/ioutil"
	"log"

	"github.com/beevik/etree"
	dsig "github.com/russellhaering/goxmldsig"
)

// failOnError aborts with a message when err is non-nil (helper used but not shown in the post).
func failOnError(err error, msg string) {
	if err != nil {
		log.Fatalf("%s: %v", msg, err)
	}
}

func main() {
	// certBytes/keyBytes hold the PEM certificate and private key; they are loaded in the full pastebin example.
	var certBytes, keyBytes []byte
	// Placeholder from the post; the real EntitiesDescriptor is in the pastebin.
	xmlBytes := []byte(`<></>`)
	keyPair, err := tls.X509KeyPair(certBytes, keyBytes)
	failOnError(err, "failed to load keypair")

	keyStore := dsig.TLSCertKeyStore(keyPair)

	signingContext := dsig.NewDefaultSigningContext(keyStore)
	signingContext.Canonicalizer = dsig.MakeC14N10ExclusiveCanonicalizerWithPrefixList("")
	err = signingContext.SetSignatureMethod(dsig.RSASHA256SignatureMethod)
	failOnError(err, "failed to set signature method")

	readXMLDoc := etree.NewDocument()
	err = readXMLDoc.ReadFromBytes(xmlBytes)
	failOnError(err, "cannot parse xml")

	// The root gets an ID so the enveloped signature's Reference can point at it (URI="#id1234").
	elementToSign := readXMLDoc.Root()
	elementToSign.CreateAttr("ID", "id1234")

	signedElement, err := signingContext.SignEnveloped(elementToSign)
	failOnError(err, "failed to sign envelope")

	var signedAssertionBuf []byte
	{
		readXMLDoc.SetRoot(signedElement)
		signedAssertionBuf, err = readXMLDoc.WriteToBytes()
		failOnError(err, "failed to convert doc to bytes")
	}

	err = ioutil.WriteFile("/tmp/test/example.xml", signedAssertionBuf, 0775)
	failOnError(err, "failed to write signed document")
}

1 answer

  • dongyi1748 2017-08-17 02:13

    It seems the problem is related to including this attribute in some of your elements:

    xml:lang="en"
    

    For example in:

    <OrganizationName xml:lang="en">Your Identities</OrganizationName>
    

    If you remove xml:lang="en" from all elements, the generated signature turns out to be valid and is correctly verified.

    As far as I can see, when you include that attribute, the elements written to the actual XML document seem to turn into this:

    <OrganizationName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">Your Identities</OrganizationName>
    

    And that makes the signature invalid.

    This answer was selected as the best answer by the asker.
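The digest mismatch in the question and the xmlns:xml explanation in the answer come down to one comparison: the verifier canonicalizes the referenced element, hashes it, and compares the result with the DigestValue stored in the signature. The following Go program is an added example, not code from the question, the answer or goxmldsig. It extracts the Reference digests from a constructed, trimmed-down signed document (the DigestValue is the "Expected Digest" xmlsectool printed above), shows that the element from the answer hashes differently once a serializer adds the xmlns:xml declaration, and includes a hypothetical, text-level helper (stripXMLNSXMLDecl) that removes that one declaration so the digests line up again. The helper is a diagnostic aid for this specific mismatch, not a canonicalizer.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"regexp"
	"strings"
)

const dsigNS = "http://www.w3.org/2000/09/xmldsig#"

// sampleSignedDoc is a constructed, trimmed-down signed document. Its DigestValue is the
// "Expected Digest" xmlsectool reported in the question; SignatureValue and the rest of
// the descriptor are omitted because only the Reference matters for this check.
const sampleSignedDoc = `<EntitiesDescriptor ID="id1234">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#id1234">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>D+SEh34cA7/atdQ8ojV9rzUcJcJSAslFZ0aOIwplGfI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</EntitiesDescriptor>`

// referenceDigests walks the document and returns Reference URI -> stored DigestValue
// for every ds:Reference it finds.
func referenceDigests(doc []byte) (map[string]string, error) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	out := map[string]string{}
	uri := ""
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		start, ok := tok.(xml.StartElement)
		if !ok || start.Name.Space != dsigNS {
			continue
		}
		switch start.Name.Local {
		case "Reference":
			for _, a := range start.Attr {
				if a.Name.Local == "URI" {
					uri = a.Value
				}
			}
		case "DigestValue":
			var v string // DecodeElement collects the element's character data
			if err := dec.DecodeElement(&v, &start); err != nil {
				return nil, err
			}
			out[uri] = strings.TrimSpace(v)
		}
	}
}

// sha256Base64 is the form DigestValue stores: base64 of SHA-256 over the canonical bytes.
func sha256Base64(canonical []byte) string {
	sum := sha256.Sum256(canonical)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// digestMatches is the comparison behind "Expected Digest" vs "Actual Digest":
// the stored value against the digest of the bytes the verifier canonicalized.
func digestMatches(expected string, canonical []byte) bool {
	return sha256Base64(canonical) == expected
}

// xmlnsXMLDecl matches a declaration of the reserved xml prefix. Canonical XML does not
// render one (the prefix is bound implicitly), so a serializer that emits it produces
// bytes the verifier will never reproduce, and the digests diverge.
var xmlnsXMLDecl = regexp.MustCompile(`\s+xmlns:xml="http://www\.w3\.org/XML/1998/namespace"`)

// stripXMLNSXMLDecl (hypothetical helper) removes that declaration from serialized XML.
func stripXMLNSXMLDecl(serialized []byte) []byte {
	return xmlnsXMLDecl.ReplaceAll(serialized, nil)
}

func main() {
	refs, err := referenceDigests([]byte(sampleSignedDoc))
	if err != nil {
		panic(err)
	}
	for uri, dv := range refs {
		fmt.Printf("Reference %s expects digest %s\n", uri, dv)
	}
	// The element from the answer as a verifier canonicalizes it (no xmlns:xml) ...
	canonical := []byte(`<OrganizationName xml:lang="en">Your Identities</OrganizationName>`)
	// ... and as the asker's document actually serialized it.
	serialized := []byte(`<OrganizationName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">Your Identities</OrganizationName>`)
	expected := sha256Base64(canonical)
	fmt.Println("canonical form matches:           ", digestMatches(expected, canonical))
	fmt.Println("serialized form matches:          ", digestMatches(expected, serialized))
	fmt.Println("after stripping xmlns:xml matches:", digestMatches(expected, stripXMLNSXMLDecl(serialized)))
}
```

Running it prints the stored digest for #id1234 and then true, false, true for the three comparisons: the only difference between the second and third inputs is the xmlns:xml declaration, which is exactly the change the answer identified. In a real verifier the "canonical" input is produced by an exclusive C14N implementation, not taken from a literal, so the practical fix is the one the answer gives (keep the serializer from emitting the declaration) rather than patching the output text.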
