我正在尝试通过<NextMsg ID="Edoc">2019-09-20T14:57:46</NextMsg>到一个函数并使用根 <EDoc></Edoc> 中包含的数字签名对其进行签名标签
这是预期的结果:
<?xml version="1.0" encoding="UTF-8"?>
<EDoc>
<NextMsg ID="Edoc">2019-09-20T14:57:46</NextMsg>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="DS_A2B2112853C1478C8860CB8DC6FA23D2">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>op0/fC+H5/0h7AGdUiEaNnNzd9WXs3VDouQQhRk8XgU=</DigestValue>
</Reference>
<Reference URI="#SP_A2B2112853C1478C8860CB8DC6FA23D2" Type="http://uri.etsi.org/01903/v1.1.1#SignedProperties">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>Kv75qkIImVnf9H7PZV+1er1n8YIBY5yRGXdpWSUIAX4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>=sign-value=</SignatureValue>
<ds:Object xmlns="http://uri.etsi.org/01903/v1.1.1#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<QualifyingPropertiesReference URI="http://www.test.com"/>
<QualifyingProperties Target="#DS_A2B2112853C1478C8860CB8DC6FA23D2">
<SignedProperties Id="SP_A2B2112853C1478C8860CB8DC6FA23D2">
<SignedSignatureProperties>
<SigningTime>2019-09-20T14:57:48+03:00</SigningTime>
<SigningCertificate>
<Cert>
<CertDigest>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>woG3fsImDUeqxznickzLkpeY9R4=</DigestValue>
</CertDigest>
<IssuerSerial>
<ds:X509IssuerName>XXX</ds:X509IssuerName>
<ds:X509SerialNumber>YYY</ds:X509SerialNumber>
</IssuerSerial>
</Cert>
</SigningCertificate>
<SignaturePolicyIdentifier>
<SignaturePolicyImplied/>
</SignaturePolicyIdentifier>
</SignedSignatureProperties>
</SignedProperties>
</QualifyingProperties>
</ds:Object>
</Signature>
</EDoc>
我的实际功能是这样的:
public static String getSignatureXadesTBes(String xmlrequest, PrivateKey pk, X509Certificate cert) throws
javax.xml.parsers.ParserConfigurationException, org.xml.sax.SAXException, java.io.FileNotFoundException,
javax.xml.transform.TransformerConfigurationException, javax.xml.transform.TransformerException,
javax.xml.transform.TransformerException, java.io.IOException, java.security.KeyStoreException,
xades4j.XAdES4jException
{
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
InputSource is = new InputSource(new StringReader(xmlrequest));
Document doc = dbf.newDocumentBuilder().parse(is);
Element elem = doc.getDocumentElement();
DOMHelper.useIdAsXmlId(elem);
KeyingDataProvider keyingProvider = new DirectKeyingDataProvider(cert, pk);
DataObjectDesc obj = new DataObjectReference("")
.withTransform(new EnvelopedSignatureTransform());
SignedDataObjects dataObjs = new SignedDataObjects().withSignedDataObject(obj);
XadesSigningProfile p = new XadesTSigningProfile(keyingProvider);
p.withTimeStampTokenProvider(
new DefaultTimeStampTokenProvider(
new DefaultMessageDigestProvider()
));
BasicSignatureOptionsProvider sop = new DefaultBasicSignatureOptionsProvider(false, false, false);
p.withBasicSignatureOptionsProvider(sop);
AlgorithmsProviderEx ap = new DefaultAlgorithmsProviderEx() {
@Override
public String getDigestAlgorithmForDataObjsReferences() {
return MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256;
}
@Override
public String getDigestAlgorithmForReferenceProperties() {
return MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA1;
}
@Override
public Algorithm getSignatureAlgorithm(String keyAlgorithmName) throws UnsupportedAlgorithmException {
return new GenericAlgorithm(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
}
};
p.withAlgorithmsProviderEx(ap);
XadesSigner signer = p.newSigner();
XadesSignatureResult result = signer.sign(dataObjs, elem);
XMLSignature signature = result.getSignature();
Document docs = signature.getDocument();
OutputStream os = new FileOutputStream("..\\cfgFiles\\out_xades.xml");
XMLUtils.outputDOM(doc, os);
}
但结果是
<NextMsg Id="Edoc">2019-09-20T14:57:46<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="xmldsig-24f667da-ced7-4727-b107-0daa2be5b690">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference Id="xmldsig-24f667da-ced7-4727-b107-0daa2be5b690-ref0" URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>8t2TvSeJ1iz7XTyYV7VHYJtTRLrbx/72Z35rkyEBGLs=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#xmldsig-24f667da-ced7-4727-b107-0daa2be5b690-signedprops">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>t6UMqsiPZoXoxf7wOOg+beyztdEjD4u5GjWMrlyS1nI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="xmldsig-24f667da-ced7-4727-b107-0daa2be5b690-sigvalue">
STjMdaycvdWLWYVMd2bCvxjIUxoI0/aOWFshihQ8lurmLnmAMlQGAt7yzYMcrywV/7t58Eip+xOp
fuU+S7UsB9b9cS9iy1m0U5fy9pGdud5HqKgDEeNjx//kAGKSZQP232PVTlZ5i+QB1kfotpfrZp6h
FAtwJGd4fijdJ5JuAYI=
</ds:SignatureValue>
<ds:Object>
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#" Target="#xmldsig-24f667da-ced7-4727-b107-0daa2be5b690">
<xades:SignedProperties Id="xmldsig-24f667da-ced7-4727-b107-0daa2be5b690-signedprops">
<xades:SignedSignatureProperties>
<xades:SigningTime>2019-09-20T20:21:33.956+03:00</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>woG3fsImDUeqxznickzLkpeY9R4=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>cn=LB-LITAS-CA,ou=MSD,o=Lietuvos bankas,l=Vilnius,c=LT</ds:X509IssuerName>
<ds:X509SerialNumber>105704079740755226136574</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
</xades:SignedProperties>
<xades:UnsignedProperties>
<xades:UnsignedSignatureProperties>
<xades:SignatureTimeStamp>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</xades:SignatureTimeStamp>
</xades:UnsignedSignatureProperties>
</xades:UnsignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>
</NextMsg>
我认为我搞乱了 xades4j 的封装或传递的参数。我真的不希望在被签名的元素中包含签名 - 我希望将签名包含在其中,就像在上述预期的结构中一样。有人能指出我在这里做错了什么吗?
最佳答案
XadesSigner.sign将添加签名作为所提供元素的子元素。既然你说你正在通过 <NextMsg>...在字符串参数中,输出是应该的。
要重现您想要的输出,您可能应该传递 <tDoc><NextMsg>...并将文档节点传递给 sign方法 ( <tDoc ),以便将签名附加到它。如果您需要更多控制,可以使用the sign overload允许指定将签名附加到文档的不同方式(例如 SignatureAppendingStrategies.lastChild )
旁注:您可能想让文档构建器工厂命名空间感知。
关于java - 使用 Xades Bes 时间戳封装签名,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58032910/