What exactly does the enveloped signature transform?
Question
If I want to sign the next XML code with enveloped signature:
<root>
<element>
<child>text node</child>
</element>
</root>
Then the Signature XML code takes place inside the signed XML code, in the way shown below:
<root>
<element>
<child>text node</child>
</element><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">...</Signature>
</root>
Notice: no line break nor single character is added outside Signature element since that would invalidate the signature.
The XML enveloped signature code includes a <Transform Algorithm> which specifies a modification the code has to suffer, which strictly speaking is done whether in signature or verifying process. The <Transform Algorithm> is the next:
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
In the W3C website (official documentation) the expression above is compared to the expression below. In both cases the same output has to be produced.
<XPath xmlns:dsig="&dsig;">
count(ancestor-or-self::dsig:Signature |
here()/ancestor::dsig:Signature[1]) >
count(ancestor-or-self::dsig:Signature)</XPath>
Reference: http://www.w3.org/TR/xmldsig-core/#sec-EnvelopedSignature
Before the transform:
Case 1 (to be signed):
<root>
<element>
<child>text node</child>
</element>
</root>
Case 2 (signed):
<root>
<element>
<child>text node</child>
</element><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">...</Signature>
</root>
After the transform:
<root>
<element>
<child>text node</child>
</element>
</root>
In both cases the same output is produced, which allows us to verify that the signed data is authentic.
I am still having an issue with a server saying my signatures are invalid, can someone please confirm if I am doing the Transform correctly?
Thank you very much.
With thanks
Recommended answer
What the Transform does exactly is to erase the whole Signature element with its descendants. A practical example is the next signed data:
<root>
<element>
<child>text node</child>
</element>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">...</Signature>
</root>
The Transform must produce the next output:
<root>
<element>
<child>text node</child>
</element>
</root>
Notice every character outside Signature is preserved, including every linebreak and space bar. If we represent space bars with colons we have the next view:
<root>
::<element>
::::<child>text node</child>
::</element>
::
</root>
I recommend to visit the next link from where I was able to clear up all my doubts about the issue: http://www.di-mgt.com.au/xmldsig2.html
The best part of the link is that it includes a real signed example, from which anyone can reproduce the same DigestValue and confirm the documentation (the practical part is very important in the learning process).
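An added example, not part of the original answer: the transform described above, written with Python's standard `xml.etree.ElementTree`, showing that whitespace placed around `Signature` survives the transform and changes the digest. The two-space indentation, the SHA-256 digest and the use of `tostring` in place of the canonicalization step are assumptions made for the illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"


def enveloped_transform(xml_text: str) -> str:
    """Drop the Signature element and its descendants; keep every other character."""
    root = ET.fromstring(xml_text)
    for parent in root.iter():
        children = list(parent)
        for i, child in enumerate(children):
            if child.tag != SIGNATURE:
                continue
            # ElementTree keeps the text that follows an element in child.tail,
            # so parent.remove(child) alone would also delete that whitespace.
            tail = child.tail or ""
            if i == 0:
                parent.text = (parent.text or "") + tail
            else:
                prev = children[i - 1]
                prev.tail = (prev.tail or "") + tail
            parent.remove(child)
            # Assumption: the first Signature found is the one holding the Transform.
            return ET.tostring(root, encoding="unicode")
    return ET.tostring(root, encoding="unicode")


def digest(xml_text: str) -> str:
    # Stand-in for "canonicalize, then digest"; a real verifier applies the
    # CanonicalizationMethod and DigestMethod named in the signature.
    return hashlib.sha256(enveloped_transform(xml_text).encode("utf-8")).hexdigest()


# Constructed samples (indentation assumed to be two spaces per level).
SIG = '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">...</Signature>'
UNSIGNED = "<root>\n  <element>\n    <child>text node</child>\n  </element>\n</root>"
INLINE = UNSIGNED.replace("</element>", "</element>" + SIG)        # question's case 2
OWN_LINE = UNSIGNED.replace("</element>", "</element>\n  " + SIG)  # answer's layout

if __name__ == "__main__":
    for name, doc in (("unsigned", UNSIGNED), ("inline", INLINE), ("own line", OWN_LINE)):
        print(f"{name:9} {digest(doc)}")
        print(repr(enveloped_transform(doc)))
```

The `own line` output keeps the extra `"\n  "` that preceded `Signature`, matching the colon view in the answer, so a document re-indented after signing no longer produces the digest that was signed.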