1

我收到来自第三方的签名 XML 并附有证书。我在本地也有此证书的副本,以验证序列号是否相等,因此我确定 XML 是由我在本地拥有的相同证书签名的。

但是 SignedXml.CheckSignature() 总是返回 false,所以验证总是失败。这是为什么?据我了解,签名的 XML 始终包含签名证书的副本,并且无参数方法尝试根据该证书验证签名。这不应该总是有效吗?

仅供参考:在每种情况下,使用本地证书副本验证签名也会失败。

编辑 2016 年 12 月 9 日

经过进一步检查,我发现签名的 XML 已使用两种转换进行签名,但在验证后,我只能指定一种规范化方法。下面附上了示例 XML。

问题可能是由 https://blogs.msdn.microsoft.com/alejacma/2010/08/18/creating-signatures-with-signedxml-following-ebxml-standard/ 中提到的 cid 前缀的引用引起的?这是一篇相当古老的文章,从那时起事情可能会发生变化。

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/RECxml-c14n-20010315"></ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
            <ds:Reference URI="">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#envelopedsignature"></ds:Transform>
                    <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue>RJ2QdODr5ADUs9RAR9aT8NFdqds=</ds:DigestValue>
            </ds:Reference>
            <ds:Reference URI="cid:ebxhmpayload111@example.com">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue>j1BG/SCN4Z74inL530u2SYGWKtE=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
    <ds:SignatureValue>ZRLxNWAWqxvW1d9vdtZhQ3cII02NhUk7H8ugAML0cIrP0noebUMikAOuX6fNIVTvi4kLAeb3FfQqBJD6heRWrM0lMZsA0rIHVOtH3fc6JqwUWRuiS9zzuKIx5ah8O0yU1ZkeS5b6fTJtX36+idO5KvTZc2az7fpWhPLcrfcyT4A=
    </ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>*redacted*</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>

代码:

        var xmlDoc = new XmlDocument();
        xmlDoc.PreserveWhitespace = false;
        xmlDoc.LoadXml(xmlData);
        var signedXmlDoc = new SignedXml(xmlDoc);
        var signatureNodeList = xmlDoc.GetElementsByTagName("Signature");
        signedXmlDoc.LoadXml((XmlElement)signatureNodeList[0]);
        var signingCertificate = new X509Certificate2(sender.SigningCertificate);
        foreach (var ex in signingCertificate.Extensions)
        {
            if (ex.Oid.Value == "2.5.29.15")
            {
                var ext = (X509KeyUsageExtension)ex;
                if (!ext.KeyUsages.HasFlag(X509KeyUsageFlags.NonRepudiation))
                    throw new CertificateException("The signing certificate does not support non-repudiation.");
            }
        }

        var transmittedCert = new X509Certificate2(Convert.FromBase64String(xmlDoc.GetElementsByTagName("X509Certificate")[0].InnerText));
        if (transmittedCert.SerialNumber != signingCertificate.SerialNumber)
            throw new CertificateException("Serial numbers do not match. The message was signed by another certificate");

        var validSignature = signedXmlDoc.CheckSignature();
4

0 回答 0