What exactly does the enveloped signature transform?

Problem description

If I want to sign the next XML code with enveloped signature:

<root>
<element>
<child>text node</child>
</element>
</root>

Then the Signature XML code takes place inside the signed XML code, in the way shown below:

<root>
<element>
<child>text node</child>
</element><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">...</Signature>
</root>

Notice: no line break nor single character is added outside Signature element since that would invalidate the signature.

The XML enveloped signature code includes a <Transform Algorithm> which specifies a modification the code has to undergo, which strictly speaking is done whether in the signing or the verifying process. The <Transform Algorithm> is the next:

<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

In the W3C website (official documentation) the expression above is compared to the expression below. In both cases the same output has to be produced.

<XPath xmlns:dsig="&dsig;">
   count(ancestor-or-self::dsig:Signature |
   here()/ancestor::dsig:Signature[1]) >
   count(ancestor-or-self::dsig:Signature)</XPath>

Reference: http://www.w3.org/TR/xmldsig-core/#sec-EnvelopedSignature

Before the transform:

Case 1 (to be signed):

<root>
<element>
<child>text node</child>
</element>
</root>

Case 2 (signed):

<root>
<element>
<child>text node</child>
</element><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">...</Signature>
</root>

After the transform:

<root>
<element>
<child>text node</child>
</element>
</root>

In both cases the same output is produced, which allows us to verify that the signed data is authentic.

I am still having an issue with a server saying my signatures are invalid; can someone please confirm if I am doing the Transform correctly?

Thanks a lot

Regards

Recommended answer

What the Transform does exactly is to erase the whole Signature element with its descendants. A practical example is the next signed data:

<root>
  <element>
    <child>text node</child>
  </element>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">...</Signature>
</root>

The Transform must produce the next output:

<root>
  <element>
    <child>text node</child>
  </element>

</root>

Notice every character outside Signature is preserved, including every line break and space. If we represent spaces with colons we have the next view:

<root>
::<element>
::::<child>text node</child>
::</element>
::
</root>

I recommend visiting the next link, from where I was able to clear up all my doubts about the issue: http://www.di-mgt.com.au/xmldsig2.html

The best part of the link is that it includes a real signed example, from which anyone can reproduce the same DigestValue and confirm the documentation (the practical part is very important in the learning process).
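The transform described in the answer, as an added example that is not part of the original post: a Python sketch using the standard library's ElementTree that removes the one enveloped Signature while keeping the text that follows it. The function names are hypothetical, and the digest hashes the serialized string instead of canonicalized octets, which is a simplification.

```python
import hashlib
import xml.etree.ElementTree as ET

SIG_TAG = "{http://www.w3.org/2000/09/xmldsig#}Signature"

def enveloped_transform(xml_text, keep_tail=True):
    """Drop the single enveloped <Signature>; keep every character outside it."""
    root = ET.fromstring(xml_text)
    hits = [(p, i) for p in root.iter() for i, c in enumerate(p) if c.tag == SIG_TAG]
    if len(hits) != 1:
        raise ValueError("this sketch expects exactly one enveloped Signature")
    parent, i = hits[0]
    sig = parent[i]
    if keep_tail and sig.tail:
        # ElementTree stores the text that follows an element in .tail, and
        # remove() discards it, so reattach it to whatever precedes the Signature.
        if i == 0:
            parent.text = (parent.text or "") + sig.tail
        else:
            parent[i - 1].tail = (parent[i - 1].tail or "") + sig.tail
    parent.remove(sig)
    return ET.tostring(root, encoding="unicode")

def digest(xml_text):
    # Real XMLDSig digests the canonicalized octets; hashing the serialized
    # string is a simplification that is enough to compare outputs here.
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()

# Constructed inputs, copied from the examples on this page.
UNSIGNED = "<root>\n<element>\n<child>text node</child>\n</element>\n</root>"
SIGNED = ("<root>\n<element>\n<child>text node</child>\n</element>"
          '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">...</Signature>'
          "\n</root>")
INDENTED = ("<root>\n  <element>\n    <child>text node</child>\n  </element>\n  "
            '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">...</Signature>'
            "\n</root>")

if __name__ == "__main__":
    # Signed document transforms back to the exact bytes that were signed.
    print(digest(enveloped_transform(SIGNED)) == digest(UNSIGNED))
    # The indentation before and the line break after Signature both survive.
    print(repr(enveloped_transform(INDENTED)))
    # Losing the line break after Signature changes the digest.
    print(digest(enveloped_transform(SIGNED, keep_tail=False)) == digest(UNSIGNED))
```

With `keep_tail=False` the line break after the Signature element is lost, so the digest no longer matches the one computed over the unsigned document.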
