dongsibao8977 2017-08-12 22:38
Views: 141
Accepted

golang / goxmldsig - signature verification fails

I have attempted to sign an entities descriptor file, but the signature is always incorrect. xmlsectool reports that the expected digest is not the same as the actual digest.

xmlsectool-2.0.0/xmlsectool.sh --verifySignature --certificate saml.crt --inFile example.xml
INFO  XMLSecTool - Reading XML document from file 'example.xml'
INFO  XMLSecTool - XML document parsed and is well-formed.
WARN  Reference - Verification failed for URI "#id1234"
WARN  Reference - Expected Digest: D+SEh34cA7/atdQ8ojV9rzUcJcJSAslFZ0aOIwplGfI=
WARN  Reference - Actual Digest: EYun0wngsN35ci20wRziCXs0Io7J4bZN+NYRnnTR5QM=
ERROR XMLSecTool - XML document signature verification failed

I followed the README example on goxmldsig to create the following code. The full example is on pastebin (Stack Overflow wouldn't let me post it here).

package main

import (
	"crypto/tls"
	"io/ioutil"
	"log"

	"github.com/beevik/etree"
	dsig "github.com/russellhaering/goxmldsig"
)

// failOnError aborts with a message when err is set; the original snippet
// calls it but does not show it.
func failOnError(err error, msg string) {
	if err != nil {
		log.Fatalf("%s: %v", msg, err)
	}
}

func main() {
	// Placeholder for the entities descriptor; the full document is in the pastebin.
	xmlBytes := []byte(`<></>`)

	// saml.crt is the certificate passed to xmlsectool above; the key file
	// path is not given in the question and is assumed here.
	certBytes, err := ioutil.ReadFile("saml.crt")
	failOnError(err, "failed to read certificate")
	keyBytes, err := ioutil.ReadFile("saml.key")
	failOnError(err, "failed to read private key")

	keyPair, err := tls.X509KeyPair(certBytes, keyBytes)
	failOnError(err, "failed to load keypair")

	keyStore := dsig.TLSCertKeyStore(keyPair)

	signingContext := dsig.NewDefaultSigningContext(keyStore)
	signingContext.Canonicalizer = dsig.MakeC14N10ExclusiveCanonicalizerWithPrefixList("")
	err = signingContext.SetSignatureMethod(dsig.RSASHA256SignatureMethod)
	failOnError(err, "failed to set signature method")

	readXMLDoc := etree.NewDocument()
	err = readXMLDoc.ReadFromBytes(xmlBytes)
	failOnError(err, "cannot parse xml")

	// The ID attribute is what the signature's Reference URI "#id1234" points at.
	elementToSign := readXMLDoc.Root()
	elementToSign.CreateAttr("ID", "id1234")

	signedElement, err := signingContext.SignEnveloped(elementToSign)
	failOnError(err, "failed to sign envelope")

	// Replace the root with the signed element and serialize the whole document.
	readXMLDoc.SetRoot(signedElement)
	signedAssertionBuf, err := readXMLDoc.WriteToBytes()
	failOnError(err, "failed to convert doc to bytes")

	err = ioutil.WriteFile("/tmp/test/example.xml", signedAssertionBuf, 0775)
	failOnError(err, "failed to write signed document")
}

1 answer

  • dongyi1748 2017-08-17 02:13

    It seems the problem is related to including this attribute in some of your elements:

    xml:lang="en"
    

    For example in:

    <OrganizationName xml:lang="en">Your Identities</OrganizationName>
    

    If you remove the xml:lang="en" from all elements, the generated signature turns out to be valid and is correctly verified.

    As far as I can see, when you include that attribute, the elements written on the actual XML document seem to turn into this:

    <OrganizationName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">Your Identities</OrganizationName>
    

    And that makes the signature invalid.

    This answer was accepted by the asker.
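The answer above pins the mismatch on a byte-level difference between the element that was digested and the element that was written out. This added example (my own code, not the asker's or goxmldsig's) shows, using only the Go standard library, that the superfluous `xmlns:xml` declaration changes the SHA-256 digest of the serialized element, and gives a check that flags or strips such a declaration before the document is written. The `OrganizationName` sample below is constructed from the answer's snippets.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
)

// XMLNamespace is the namespace the "xml" prefix is implicitly bound to
// (Namespaces in XML 1.0). Declaring it explicitly is legal but redundant.
const XMLNamespace = "http://www.w3.org/XML/1998/namespace"

// redundantXMLDecl matches an explicit xmlns:xml declaration bound to the only
// namespace the prefix may carry, together with the whitespace before it.
var redundantXMLDecl = regexp.MustCompile(
	`\s+xmlns:xml=(?:"` + regexp.QuoteMeta(XMLNamespace) + `"|'` + regexp.QuoteMeta(XMLNamespace) + `')`)

// HasRedundantXMLNamespaceDecl reports whether serialized markup carries the
// redundant declaration. It assumes the text is markup, not a CDATA payload.
func HasRedundantXMLNamespaceDecl(doc []byte) bool {
	return redundantXMLDecl.Match(doc)
}

// StripRedundantXMLNamespaceDecl removes the redundant declaration. A binding of
// "xml" to any other URI is invalid XML and is deliberately left untouched so
// that a verifier still sees and rejects it.
func StripRedundantXMLNamespaceDecl(doc []byte) []byte {
	return redundantXMLDecl.ReplaceAll(doc, nil)
}

// DigestBase64 returns the SHA-256 digest in the base64 form that xmlsectool
// prints in its "Expected Digest" and "Actual Digest" lines.
func DigestBase64(doc []byte) string {
	sum := sha256.Sum256(doc)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Constructed sample: the element as it ended up in the written document.
var asWritten = []byte(`<OrganizationName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">Your Identities</OrganizationName>`)

// Constructed sample: the same element as the asker authored it.
var asAuthored = []byte(`<OrganizationName xml:lang="en">Your Identities</OrganizationName>`)

func main() {
	fmt.Println("as written: ", DigestBase64(asWritten))
	fmt.Println("as authored:", DigestBase64(asAuthored))
	fmt.Println("stripped:   ", DigestBase64(StripRedundantXMLNamespaceDecl(asWritten)))
}
```

Running the check over the serialized bytes before signing, or comparing the two digests after signing, tells you whether the serializer has altered the element out from under the signature.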
