dongsibao8977 2017-08-12 14:38
浏览 141
已采纳

golang / goxmldig-签名验证失败

I have attempted to sign a entities descriptor file, but the signature is always incorrect. xmlsectool states that the signature is expected digest is not the same as the actual digest.

xmlsectool-2.0.0/xmlsectool.sh --verifySignature --certificate saml.crt --inFile example.xml
INFO  XMLSecTool - Reading XML document from file 'example.xml'
INFO  XMLSecTool - XML document parsed and is well-formed.
WARN  Reference - Verification failed for URI "#id1234"
WARN  Reference - Expected Digest: D+SEh34cA7/atdQ8ojV9rzUcJcJSAslFZ0aOIwplGfI=
WARN  Reference - Actual Digest: EYun0wngsN35ci20wRziCXs0Io7J4bZN+NYRnnTR5QM=
ERROR XMLSecTool - XML document signature verification failed

I followed the README example on goxmldsig to create the following code. The full example is on pastebin(stackoverflow wouldn't let me post it here).

xmlBytes := []byte(`<></>`)
keyPair, err := tls.X509KeyPair(certBytes, keyBytes)
failOnError(err, "invalided to load keypair")

keyStore := dsig.TLSCertKeyStore(keyPair)

signingContext := dsig.NewDefaultSigningContext(keyStore)
signingContext.Canonicalizer = dsig.MakeC14N10ExclusiveCanonicalizerWithPrefixList("")
err = signingContext.SetSignatureMethod(dsig.RSASHA256SignatureMethod)
failOnError(err, "failed to set signature method")

readXMLDoc := etree.NewDocument()
err = readXMLDoc.ReadFromBytes(xmlBytes)
failOnError(err, "cannot parse xml")

elementToSign := readXMLDoc.Root()
elementToSign.CreateAttr("ID", "id1234")

signedElement, err := signingContext.SignEnveloped(elementToSign)
failOnError(err, "failed to sign envelop")

var signedAssertionBuf []byte
{
    readXMLDoc.SetRoot(signedElement)
    signedAssertionBuf, err = readXMLDoc.WriteToBytes()
    failOnError(err, "failed to convert doc to bytes")
}

ioutil.WriteFile("/tmp/test/example.xml", signedAssertionBuf, 0775)

展开全部

  • 写回答

1条回答 默认 最新

  • dongyi1748 2017-08-16 18:13
    关注

    It seems the problem is related to including this attribute in some of your elements:

    xml:lang="en"
    

    For example in:

    <OrganizationName xml:lang="en">Your Identities</OrganizationName>
    

    If you remove the xml:lang="en" for all elements, the generated signature turns to be valid and correctly verified.

    As far as I can see, when you include that attribute, the elements written on the actual XML document seem to turn into this:

    <OrganizationName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">Your Identities</OrganizationName>
    

    And that makes the signature invalid.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
编辑
预览

报告相同问题?

悬赏问题

  • ¥15 访问url时不会自动调用其 Servlet的doGet()
  • ¥15 用白鹭引擎开发棋牌游戏的前端为什么这么难找
  • ¥15 MATLAB解决问题
  • ¥35 哪位专业人士知道这是什么原件吗?哪里可以买到?
  • ¥15 关于#c##的问题:treenode反序列化后获取不到上一节点和下一节点,Fullpath和Handle报错
  • ¥15 一部手机能否同时用不同的app进入不同的直播间?
  • ¥15 没输出运行不了什么问题
  • ¥20 输入import torch显示Intel MKL FATAL ERROR,系统驱动1%,: Cannot load mkl_intel_thread.dll.
  • ¥15 点云密度大则包围盒小
  • ¥15 nginx使用nfs进行服务器的数据共享
手机看
程序员都在用的中文IT技术交流社区

程序员都在用的中文IT技术交流社区

专业的中文 IT 技术社区,与千万技术人共成长

专业的中文 IT 技术社区,与千万技术人共成长

关注【CSDN】视频号,行业资讯、技术分享精彩不断,直播好礼送不停!

关注【CSDN】视频号,行业资讯、技术分享精彩不断,直播好礼送不停!

客服 返回
顶部