I am signing a SOAP envelope with the xmlsec1 tool and the XML Digital Signature (XMLDSIG) standard. This is the unsigned SOAP envelope I am using.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference>
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue />
</Reference>
</SignedInfo>
<SignatureValue />
<KeyInfo>
<X509Data />
</KeyInfo>
</Signature>
<soapenv:Body>This is the body of the SOAP envelope</soapenv:Body>
</soapenv:Envelope>
I generated the signed envelope with the following xmlsec1 command.
xmlsec1 --sign --privkey-pem private_key.pem --output signed_test.xml test.xml
The generated signed envelope is as follows:
<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference>
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>mT/qq9iX2rvTrWOPfE8thFOKdbA=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>eZFngILLORe+r/07FupC9YPJEB3n3qhTyEi0+3J7Ivv/20rm7YNU5CllAiUmLUDJ
0A9/YLDo2BOokrNmAkpWtxU1xs83FH3NDecfqEj1hgIXsbkMhJLh2szssR6nRoff
ZV8FqWjQgUGS/IKLY0R9S/pxMxROKkiJ0J71hFHvuFphN/ZtpOGXdmX7oaS6EZmT
BeSu8R2jGiMVbGyf4+EBxkpSN6VF4tn3MWgfP+MV7ICw3MHHgNVd7Nqy7vS+kOtZ
hq2Tndg4b7O79XW2ni5tmpKJzHPDBfWFS+fEXHqkOFcPnb1rCk3oTOcaCqHOVZ1m
BbiB7r2bxyrKDL7uIA4suw==</SignatureValue>
<KeyInfo>
<X509Data/>
</KeyInfo>
</Signature>
<soapenv:Body>This is the body of the SOAP envelope</soapenv:Body>
</soapenv:Envelope>
I am trying to understand how DigestValue and SignatureValue are computed. What I know from the SOAP envelope is:
DigestValue is computed with the SHA-1 algorithm, as specified in the DigestMethod element.
SignatureValue is generated with the RSA-SHA1 algorithm, as specified in the SignatureMethod element.
When I hash
<soap:Body>
with the sha1 algorithm, I get a different value. It would be much appreciated if someone could show the detailed steps for generating these values correctly.
I checked the xmlsec code in this GitHub repository: https://github.com/lsh123/xmlsec, which I think is the right one.
My knowledge of C and cryptography is poor, so I cannot explain it to you directly.
But by searching for "SignatureValue" across the whole project, I found this file, at line 805: https://github.com/lsh123/xmlsec/blob/master/src/gcrypt/signatures.c#L805, where a comment explains SignatureValue for DSA-SHA1. Here it is:
DSA-SHA1 signature transform
http://www.w3.org/TR/xmldsig-core/#sec-SignatureAlg:
The output of the DSA algorithm consists of a pair of integers
usually referred by the pair (r, s). The signature value consists of
the base64 encoding of the concatenation of two octet-streams that
respectively result from the octet-encoding of the values r and s in
that order. Integer to octet-stream conversion must be done according
to the I2OSP operation defined in the RFC 2437 [PKCS1] specification
with a l parameter equal to 20. For example, the SignatureValue element
for a DSA signature (r, s) with values specified in hexadecimal:
r = 8BAC1AB6 6410435C B7181F95 B16AB97C 92B341C0
s = 41E2345F 1F56DF24 58F426D1 55B4BA2D B6DCD8C8
from the example in Appendix 5 of the DSS standard would be
<SignatureValue>i6watmQQQ1y3GB+VsWq5fJKzQcBB4jRfH1bfJFj0JtFVtLotttzYyA==</SignatureValue>
Hope it helps you find what you are looking for.
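The quoted comment describes the DSA encoding only: r and s are each written as exactly 20 octets with I2OSP and concatenated before base64. For the rsa-sha1 method used in the question, SignatureValue is simply the base64 of the PKCS#1 v1.5 signature octet string, with no r/s packing. As an added example (not from the answer or from xmlsec), the following Python implements the DSA packing and its inverse with the (r, s) values quoted above, and rejects a value that does not decode to the 40 octets the format requires; everything in it is standard library.

```python
"""I2OSP packing of a DSA (r, s) pair into an XMLDSIG SignatureValue, and the reverse.
Added example; the (r, s) pair is the DSS Appendix 5 example quoted in the answer."""
import base64

I2OSP_LEN = 20  # the "l parameter equal to 20": each integer becomes exactly 20 octets


def i2osp(x: int, length: int = I2OSP_LEN) -> bytes:
    """RFC 2437 I2OSP: big-endian, zero-padded on the left to exactly `length` octets.
    Leading zero octets are kept, so small r or s values still occupy 20 octets."""
    if x < 0 or x >= 1 << (8 * length):
        raise ValueError("integer does not fit in %d octets" % length)
    return x.to_bytes(length, "big")


def dsa_signature_value(r: int, s: int) -> str:
    """SignatureValue text = base64(I2OSP(r, 20) || I2OSP(s, 20))."""
    return base64.b64encode(i2osp(r) + i2osp(s)).decode("ascii")


def parse_dsa_signature_value(value: str) -> tuple:
    """Inverse operation; a verifier should refuse anything that is not exactly 40 octets
    rather than guessing where r ends and s begins."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 2 * I2OSP_LEN:
        raise ValueError("DSA SignatureValue must decode to %d octets, got %d" % (2 * I2OSP_LEN, len(raw)))
    return int.from_bytes(raw[:I2OSP_LEN], "big"), int.from_bytes(raw[I2OSP_LEN:], "big")


# Values from the XMLDSIG specification text quoted in the answer.
R = 0x8BAC1AB66410435CB7181F95B16AB97C92B341C0
S = 0x41E2345F1F56DF2458F426D155B4BA2DB6DCD8C8
SPEC_VALUE = "i6watmQQQ1y3GB+VsWq5fJKzQcBB4jRfH1bfJFj0JtFVtLotttzYyA=="

if __name__ == "__main__":
    print(dsa_signature_value(R, S) == SPEC_VALUE)   # True: matches the spec example
    print(parse_dsa_signature_value(SPEC_VALUE) == (R, S))
```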