
I recently started using Camel's xmlsecurity component to take XML input and sign it. I found that the output XML is signed over the non-canonicalized XML. This happens when I include an empty element in response.xml. The output of the "direct:detachedSign" route shows that the signature was computed over the element.

Q: Why does the output of the signing route have a CanonicalizationMethod and a Transform, yet still contain a non-canonical element?

The input response.xml that was used

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:response xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
    xmlns:ns3="http://example.com">
    <sampleHolder ID="myUniqueID">
        <sample></sample>
    </sampleHolder>
</ns3:response>

output.xml from the signing route, with the non-canonical signed element

<?xml version="1.0" encoding="UTF-8"?>
<ns3:response xmlns:ns3="http://example.com" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
    <sampleHolder ID="myUniqueID">
        <sample/>
    </sampleHolder>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#myUniqueID">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>...</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>...</SignatureValue>
        <KeyInfo>...</KeyInfo>
    </Signature>
</ns3:response>

SignAndVerifiyXmlSignatureRoutes.java used for signing and verification

import org.apache.camel.builder.RouteBuilder;

public class SignAndVerifiyXmlSignatureRoutes extends RouteBuilder {

    @Override
    public final void configure() throws Exception {
        // Detached signature: the element to sign is located through its ID
        // attribute (xpathsToIdAttributes) and the Signature element is placed
        // next to it. Empty signatureId and prefixForXmlSignatureNamespace give
        // a Signature element without an Id attribute and without a namespace
        // prefix, as seen in output.xml.
        from("direct:detachedSign")
            .to("xmlsecurity:sign://detached"
                + "?keyAccessor=#jksKeyAccessor"
                + "&xpathsToIdAttributes=#xpathsToIdAttributesBean"
                + "&schemaResourceUri=xsd/response.xsd"
                + "&signatureId="
                + "&prefixForXmlSignatureNamespace="
                + "&canonicalizationMethod=#canonicalizationBean"
                + "&signatureAlgorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
                + "&digestAlgorithm=http://www.w3.org/2001/04/xmlenc#sha256"
                + "&transformMethods=#transformMethodsBean"
                + "&clearHeaders=false");

        // Verification of the detached signature produced above, against the
        // same schema and a key selector backed by the JKS keystore.
        from("direct:verify")
            .to("xmlsecurity:verify://detached?keySelector=#jksKeySelector"
                + "&schemaResourceUri=xsd/response.xsd");
    }
}

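The behaviour the question is about, as an added example (this is not code from the question, from Camel or from Apache Santuario): in XML Signature, CanonicalizationMethod and the c14n Transform are applied to the bytes that are digested and signed, not to the document body the signer writes back out. Whether the serializer emits <sample/> or <sample></sample> therefore does not change the DigestValue, and a verifier re-parses and re-canonicalizes the document before comparing. The example uses Python's standard library xml.etree.ElementTree.canonicalize (Python 3.8+), which implements C14N 2.0 rather than the C14N 1.0 #WithComments algorithm named in output.xml; expanding empty-element tags into start/end pairs and normalizing attribute whitespace and order is common to both, but namespace handling differs (C14N 1.0 keeps every in-scope declaration, C14N 2.0 drops unused ones), so the example canonicalizes only the referenced, namespace-free sampleHolder subtree, as Reference URI="#myUniqueID" does. The digest bytes it prints are consequently not the ones Camel would write into DigestValue; what the example shows is that the two serializations canonicalize to the same bytes and that a content change does not. The sample documents and the tampered copy are constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample inputs: the question's response.xml (with <sample></sample>)
# and the same document as the signer re-serialized it (with <sample/>), the
# Signature element left out so that the two differ only in serialization.
INPUT_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:response xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
    xmlns:ns3="http://example.com">
    <sampleHolder ID="myUniqueID">
        <sample></sample>
    </sampleHolder>
</ns3:response>
"""

OUTPUT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ns3:response xmlns:ns3="http://example.com" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
    <sampleHolder ID="myUniqueID">
        <sample/>
    </sampleHolder>
</ns3:response>
"""

# Constructed tampered copy: the content of the signed element is changed.
TAMPERED_XML = OUTPUT_XML.replace("<sample/>", "<sample>changed</sample>")

REFERENCE_ID = "myUniqueID"  # from <Reference URI="#myUniqueID">


def raw_digest(xml_text: str) -> str:
    """Base64 SHA-256 over the document bytes as serialized.

    This is what a signer that did NOT canonicalize would hash; it differs
    between INPUT_XML and OUTPUT_XML although they are the same document.
    """
    return base64.b64encode(hashlib.sha256(xml_text.encode("utf-8")).digest()).decode("ascii")


def referenced_subtree(xml_text: str, id_value: str) -> str:
    """Dereference a same-document URI "#id_value" to the element carrying that
    ID attribute and re-serialize it, which is the node set the Transforms see."""
    root = ET.fromstring(xml_text)
    for element in root.iter():
        if element.get("ID") == id_value:
            element.tail = None  # whitespace after the element is not part of it
            return ET.tostring(element, encoding="unicode")
    raise KeyError(f"no element with ID={id_value!r}")


def canonicalize(xml_text: str) -> str:
    """Canonical form (comments kept, like the #WithComments algorithm).
    Python implements C14N 2.0 here; see the lead-in for how it differs from C14N 1.0."""
    return ET.canonicalize(xml_text, with_comments=True)


def digest_value(xml_text: str, id_value: str = REFERENCE_ID) -> str:
    """Base64 SHA-256 over the canonical form of the referenced element, i.e. the
    shape of what goes into <DigestValue> for DigestMethod xmlenc#sha256."""
    canonical = canonicalize(referenced_subtree(xml_text, id_value))
    return base64.b64encode(hashlib.sha256(canonical.encode("utf-8")).digest()).decode("ascii")


def reference_is_valid(xml_text: str, expected_digest: str, id_value: str = REFERENCE_ID) -> bool:
    """Verifier side: re-parse, re-canonicalize, recompute and compare the digest."""
    return digest_value(xml_text, id_value) == expected_digest


if __name__ == "__main__":
    signed_digest = digest_value(INPUT_XML)  # what the signer would have produced
    print("raw digests equal:       ", raw_digest(INPUT_XML) == raw_digest(OUTPUT_XML))
    print("canonical subtree:       ", repr(canonicalize(referenced_subtree(OUTPUT_XML, REFERENCE_ID))))
    print("canonical digests equal: ", digest_value(OUTPUT_XML) == signed_digest)
    print("<sample/> form verifies: ", reference_is_valid(OUTPUT_XML, signed_digest))
    print("tampered copy verifies:  ", reference_is_valid(TAMPERED_XML, signed_digest))
```

Run as a script it shows the raw digests differing while the canonical digests agree, the canonical subtree carrying <sample></sample> regardless of which document it came from, and the tampered copy failing the digest check. The check a practitioner would actually run against Camel is the verify route itself: feed output.xml, and a copy of it with <sample/> rewritten to <sample></sample>, through direct:verify; both validate if the signature covers the canonical form.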