4

我已经签署与工作相关的 xml 快一年了,今天我发现我做错了(请原谅我的英语不好,这不是我的主要语言)

我为 php 使用 xmlseclibs 库,我希望签名是这样的:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#XXXXX">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>... </DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>... </SignatureValue>
<KeyInfo>
<KeyValue>
</KeyValue>
<X509Data>
<X509Certificate>... </X509Certificate>
</X509Data>
</KeyInfo>
</Signature>

以下示例应该可以帮助我演示我想要做什么。我们有以下 xml 文件:

<node1>
  <node2>
    somedata
  </node2>
</node1>

在我签名后,看起来像这样:

<node1>
  <node2>
    somedata
  </node2>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#XXXXX">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>... </DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>... </SignatureValue>
<KeyInfo>
<KeyValue>
</KeyValue>
<X509Data>
<X509Certificate>... </X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</node1>

现在,这就是我需要的结构,但是,当我这样做时,符号将应用于所有文档(节点 1 和节点 2),但我只想签署节点 2(这是我得到的错误,感谢 DigestValue,我注意到了)。

但是当我这样做时,我得到了以下信息:

<node1>
  <node2>
    somedata
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#XXXXX">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>... </DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>... </SignatureValue>
<KeyInfo>
<KeyValue>
</KeyValue>
<X509Data>
<X509Certificate>... </X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
  </node2>
</node1>

我已经尝试了好几天,但我无法将签名放在我想要的位置(就在已签名的标签下方,而不是在里面)。

有什么想法吗?

我正在使用的功能是这样的:

function firmarEnvio2($xmlr){
$doc = new DOMDocument();
$xml = file_get_contents($xmlr);
$doc->loadXML($xml);
$doc->preserveWhiteSpace = true;
$doc->encoding = 'ISO-8859-1';

$objDSig = new XMLSecurityDSig(FALSE); 
$objDSig->setCanonicalMethod(XMLSecurityDSig::C14N);

echo "<pre>";
$options['prefix'] = '';
$options['prefix_ns'] = '';
$options['force_uri'] = TRUE;
$options['id_name'] = 'ID';

$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array(XMLSecurityDSig::TR_ENV_SIG), $options);

/*
$objDSig->addReference($doc->documentElement, XMLSecurityDSig::SHA1,
array(
'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
'http://www.w3.org/2001/10/xml-exc-c14n#'
),
array('id_name' => 'Id', 'overwrite' => false));


*/

$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));

$pass = "some string";
$pfx =   file_get_contents("someroute/certificate.pfx");
openssl_pkcs12_read($pfx, $key, $pass);

$objKey->loadKey($key["pkey"]);
$objDSig->add509Cert($key["cert"]);

$tag="x";

//the following is to compare the digest that i want with the one i always got
echo "<br><br>Digest1<br>";
print_r (base64_encode(sha1($doc->documentElement->C14N(), true)));

echo "<br><br>Digest2<br>";
print_r (base64_encode(sha1($doc->documentElement->getElementsByTagName($tag)->item(0)->C14N(), true)));

print_r ($firma);
$objDSig->sign($objKey, $doc->documentElement);


//print_r($doc);
$doc->save('test_s.xml');
return true;
}

有人知道该怎么做吗?

4

1 回答 1

2

我最近对 ​​xmlseclibs 库有同样的问题。这对我有用:

function signXML($xml) {

    $doc = new \DOMDocument('1.0','UTF-8');
    $doc->loadXML($xml);
    $objDSig = new XMLSecurityDSig('');
    $objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    $node = $objDSig->addObject($doc->documentElement);
    $objDSig->addReference(
        $node, 
        XMLSecurityDSig::SHA1
    );
    $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
    $privkey = $this->serverroot.'/certs/dev.key';
    $objKey->loadKey($privkey, TRUE);
    $objDSig->sign($objKey);
    $pubkey = $this->serverroot.'/certs/dev-pub.cer';
    $objDSig->add509Cert(file_get_contents($pubkey));
    $node->ownerDocument->encoding = "UTF-8";
    $node->ownerDocument->save(dirname(__FILE__).'/test.xml');

    return $node->ownerDocument->saveXML();
}

希望它能有所帮助。

于 2016-04-21T22:46:36.420 回答