如何使用RSA-SHA1算法对xml元素进行签名？ [英] How to sign xml element using RSA-SHA1 algorithm?

问题描述

我需要使用RSA-SHA1算法对XML文档的一个节点进行签名（并最终验证）。 w3.org链接

I need to sign (and verify eventually) one of the nodes of an XML document using RSA-SHA1 algorithm. w3.org link

RSA-SHA1
URI：

http://www.w3.org/2000/09/xmldsig#rsa-sha1

指定于：

第6.4节。 [XMLDSIG-CORE2002]中的2个

RSA-SHA1 URI:
http://www.w3.org/2000/09/xmldsig#rsa-sha1
Specified in:
section 6.4.2 of [XMLDSIG-CORE2002]

我正在关注此示例，但是无法弄清楚如何将算法更改为必填。

I am following this example, however cannot figure how to change the algorithm to required.

签名生成发生在这里：

signedXml.ComputeSignature();

唯一带有参数的覆盖期望 KeyedHashAlgorithm ：

The only override with a parameter expects KeyedHashAlgorithm:

public void ComputeSignature（KeyedHashAlgorithm macAlg）; （链接）

KeyedHashAlgorithm （ link ）仅允许创建HMAC *和MAC *算法，而没有RSA-SHA1。

KeyedHashAlgorithm (link) in turn only allows creating HMAC* and MAC* algorithms and has no RSA-SHA1.

最简单的签名方式是.net中具有RSA-SHA1的XML？

What is the most painless way of signing an XML with RSA-SHA1 in .Net?

编辑：

I' m尝试使用X509证书提取密钥。证书的签名算法属性为 sha1RSA 。

I'm trying to use a X509 certificate to extract the key. Certificate's signature algorithm property is sha1RSA.

这是我的分配方式：

var signedXml = new SignedXml(xmlDoc);
...
signedXml.SigningKey = (RSACryptoServiceProvider)cert.PrivateKey;
...
signedXml.ComputeSignature();

生成的签名xml格式与预期的相匹配，但是摘要和签名的值无效。

The resulting signature xml format matches expected one, however digest and signature values are invalid.

推荐答案

在.NET中从.NET Framework 4.7到Framework 1.1，您只需将 signedXml.SigningKey 设置为RSA密钥对象即可获得RSA-SHA-1。

In .NET Framework 1.1 through .NET Framework 4.7 you get RSA-SHA-1 by simply setting signedXml.SigningKey to an RSA key object.

如果已安装.NET 4.7.1（当前处于预览状态），则根据 https://github.com/Microsoft/dotnet/blob/master/releases/net471/dotnet471-changes.md 。

If .NET 4.7.1 (currently in preview) is installed the default for RSA will change to RSA-SHA-2-256, per https://github.com/Microsoft/dotnet/blob/master/releases/net471/dotnet471-changes.md.

因此，如果您确实想要RSA-SHA-1签名，则需要

So, if you really want a RSA-SHA-1 signature you need to

a）设置 signedXml.SigningKey 到RSA密钥

a) set signedXml.SigningKey to an RSA key

b）设置 signedXml.SignedInfo.SignatureMethod = SignedXml .XmlDsigRSASHA1Url

（均在调用 signedXml.ComputeSignature之前（））

相反，如果您想在当前版本上做得比RSA-SHA-1好，请设置signedXml.SignedInfo.SignatureMethod到 SignedXml.XmlDsigSHA256Url 或更高。

Conversely, if you want to do something better than RSA-SHA-1 on current versions, set signedXml.SignedInfo.SignatureMethod to SignedXml.XmlDsigSHA256Url or better.

警告词：由于发现了冲突，SHA-1被认为出于加密目的已被破坏。尽管目前还不够广泛，以至于无法攻击任意XML，但它可能会发展到这一点。您确实不应该在任何新事物中使用SHA-1，并且在决定是否接受签名文档时应该考虑验证您的签名方法是否比基于SHA-1更好。

Word of warning: SHA-1 is considered broken for cryptographic purposes now that a collision has been found. While it's not generalized enough (at this point) to attack arbitrary XML, it may well grow up to that point. You really shouldn't be using SHA-1 in anything new, and should consider validating that your signature method is something better than SHA-1 based when deciding whether to accept a signed document.

这篇关于如何使用RSA-SHA1算法对xml元素进行签名？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！