加入收藏 | 设为首页 | 会员中心 | 我要投稿 李大同 (https://www.lidatong.com.cn/)- 科技、建站、经验、云计算、5G、大数据,站长网!
当前位置: 首页 > 百科 > 正文

xmlsec无法验证签名

发布时间:2020-12-16 23:29:45 所属栏目:百科 来源:网络整理
导读:我试图用xmlsec1实用程序验证 XML(附在问题的底部)签名.但是,在执行命令时 xmlsec1 --verify test.xml 我正在跟踪堆栈跟踪: func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:exp
我试图用xmlsec1实用程序验证 XML(附在问题的底部)签名.但是,在执行命令时 

xmlsec1 --verify test.xml

我正在跟踪堆栈跟踪:

func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id(‘uuid-73c06e86-88d2-4204-91f4-3d484bc782cc’))
func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2411:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1242:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1302:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1589:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=822:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=563:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=382:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file “test.xml”
“`

基于堆栈跟踪,我认为ID有问题.经过一番挖掘,我发现了执行

xmlsec1 --verify --id-attr:ID 
"urn:oasis:names:tc:SAML:2.0:protocol:Response" test.xml

产生以下堆栈跟踪

func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=249:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file “test.xml”

这是test.xml文件的修剪内容:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost/login" ID="uuid-73c06e86-88d2-4204-91f4-3d484bc782cc" InResponseTo="_bbaf45ef713be7a8c8701e41118ec2278cbf32828f" IssueInstant="2016-02-29T14:16:31.142Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">idp-name</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#uuid-73c06e86-88d2-4204-91f4-3d484bc782cc">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>H9ffPJ6/jq25p13BcziR0hNLkGg=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>FegjeG..pJEQ==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIFIj..mV7A==</ds:X509Certificate>
            </ds:X509Data>
            <ds:X509Data>
                <ds:X509Certificate>MIIFDj..5uLcw=</ds:X509Certificate>
            </ds:X509Data>
            <ds:X509Data>
                <ds:X509Certificate>MIIE/z..3IDhA=</ds:X509Certificate>
            </ds:X509Data>
            <ds:X509Data>
                <ds:X509Certificate>MIIEkT..h5/WrQ8</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="uuid-201bfc86-e7d7-4dca-bdb5-2263b2d27c22" IssueInstant="2016-02-29T14:16:01.175Z" Version="2.0">
        <saml2:Issuer>idp-name</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#uuid-201bfc86-e7d7-4dca-bdb5-2263b2d27c22">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>EJzD3pVZwkvFkh8IX0xyF7tmP2k=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>b3ONeh..zOEw==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIFIj..mV7A==</ds:X509Certificate>
                </ds:X509Data>
                <ds:X509Data>
                    <ds:X509Certificate>MIIFDj..5uLcw=</ds:X509Certificate>
                </ds:X509Data>
                <ds:X509Data>
                    <ds:X509Certificate>MIIE/z..3IDhA=</ds:X509Certificate>
                </ds:X509Data>
                <ds:X509Data>
                    <ds:X509Certificate>MIIEkT..5/WrQ8</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
    </saml2:Assertion>
</saml2p:Response>

你能解释一下我在这里做错了什么吗?如何使用xmlsec验证签名的XML文件?

解决方法

我找到了一种正确的方法来验证这一点,所以这里是如何:

首先,必须指定ID属性:

xmlsec1 –verify –id-attr:ID
“urn:oasis:names:tc:SAML:2.0:protocol:Response”test.xml

对我的XML文件执行此命令导致错误无效数据:数据和摘要不匹配.

我一直在针对格式化XML的SAML Tracer(Firefox插件)返回的输出调用此命令 – 这会更改签名,因此xmlsec1会输出错误.

对原始(解密)内容调用xmlsec1工作正常.

(编辑:李大同)

【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容!
    相关内容
      推荐文章
        站长推荐
        热点阅读

          【免责声明】本站内容转载自互联网,其发布内容言论不代表本站观点,如果其链接、内容的侵犯您的权益,烦请提交相关链接至邮箱bqsm@foxmail.com我们将及时予以处理。

          建议您使用1920×1080分辨率、谷歌浏览器Google Chrome、Microsoft Edge以获得本站的最佳浏览效果

          Copygight © 2008-2022 https://www.lidatong.com.cn/ All Rights Reserved. 李大同