使用不同的密钥在同一文档中签名Xml元素 [英] Signing Xml elements in same document with different keys
问题描述
业务场景:
- 更新可以包含软件包。
- 一个软件包可以包含更改。
- 每个软件包都必须经过某人的批准。
- 批准后,程序包可能不会更改。
- An Update can contain packages.
- A Package can contain changes.
- Each package must be approved by somebody.
- After approval, a package may not be changed.
要执行,请执行更新必须具有100%批准的软件包。
To be executed, an Update must have 100% approved packages.
发展思路:
- 所有数据均保存为XML文件。
- Xml包装元素将在获得批准后签名。
问题:
无论我尝试谷歌搜索什么,所有示例总是与对整个文档签名或对子元素使用整个文档的相同密钥签名。但是我想用一个 different 键(批准程序包的那个键)对每个子元素(程序包)签名。所以我需要每个元素一个签名。虽然所有.NET Framework函数似乎都支持此功能,但我还是有些奇怪。例如,当签署元素时,您需要提供元素的URI。如果我为所有软件包提供相同的ID,则它会进行验证;如果我为每个元素赋予不同的ID,并在其各自的签名中引用此ID,则我只能验证第一个。首先,ID的想法对我的情况没有意义,因为我的签名与元素之间的关系为1:1。
No matter what I try and google up, all examples are always about signing a whole document or signing sub-elements with the same key for the whole document. But I would like to sign every sub-element (Package) with a different key, the key of the one who approves a package. So I need one signature per element. While all .NET Framework functions seem to support this, I get strange behaviours. For example when signing elements, you need to give to URI of the element. If I give the same ID to all packages, it verifies, if I give a different ID to each element and refer to this ID in their respective signatures, I can only verify the first. The idea of an ID doesn't make sense for my scenario in the first place because I have the signature with my element in a 1:1 relationship.
我可以发布代码,但是在我这样做之前,我想知道是否可以这样做?我没有看到任何会阻止我想要做的事情,但是我也没有看到任何迹象表明它应该有效。是否有人这样做或有人可以指出我尚未找到的资源?还是有人对如何使用标准实施要求有更好的主意?
I can post code, but before I do, I would like to know if something like this is possible? I have not seen anything that would prohibit what I want to do, but I have not seen any indicator that it should work either. Has anybody done this or can anybody point me to a resource I have not yet found? Or does anyone have a better idea how to implement the requirements using standards?
推荐答案
当然可以在不同的元素上签名具有不同键的相同XML文档。基本上,这会向文档添加具有不同内部引用(#< ID> )的多个签名。
需要具有ID的内部引用没有标准支持的方法。 URI为空或缺少的引用不会 not 指示要对父元素进行签名,但要对整个文档进行签名。
如果无法添加ID对于您的软件包,您可以通过将每个软件包像独立的XML文档一样有效地对待,并将参考URI留空,从而使用非标准方法来实现您的目标。但这意味着您的XML文档和所有软件包都只能由您的程序进行验证,因为在验证之前必须将XML文档拆分为多个文档。
It certainly is possible to sign different elements in the same XML document with different keys. This basically adds multiple signatures with different internal references (#<ID>) to the document.
The internal reference with the ID is required, there is no way around it that is supported by standards. A reference with an empty or missing URI does not indicate that the parent element is to be signed but that the complete document is to be signed.
If you can't add IDs to your packages you can use non-standard means to achieve your goal by effectivly treating each package like an independent XML document and leaving the reference URI empty. But that would mean that your XML document with all packages can only be verified by your program, because it would have to split the XML document into multiple documents before the verification.
在.NET实现中,如果将签名放置在应签名的标签中,则该签名将无效。
将签名直接放置在根元素的内部有效。
一个有效的实现可以在< a href = https://stackoverflow.com/a/16519603/572644>我对其他问题的回答。
In the .NET implementation it doesn't work if the signatures are placed inside the tags that should be signed. This is either due to me missing something or due to a bug.
Placing the signatures at the top level directly inside the root element works.
A working implementation can be found in my answer to your other question.
这篇关于使用不同的密钥在同一文档中签名Xml元素的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
