Purpose of KeyInfo in XML signature


Question

I am reading about XML signature from the w3 page.

As per my understanding, to sign an XML:

  1. Create a Canonical XML of the XML Data to be signed.
  2. Create a hash (digest) of the Canonicalised XML Data using an algorithm mentioned in <DigestMethod/>. Hash will go inside <DigestValue>
  3. Encrypt above hash using algorithm mentioned in <SignatureMethod/>. This algorithm will take Sender's private key as an input. Signature will go inside <SignatureValue>

To verify (at receiver's end):

  1. Use the public key of the sender on the content of <SignatureValue> to get the hash.
  2. Calculate the hash of data (xPath/reference to data can be found in <Reference>) using algorithm <DigestMethod>
  3. Check if this hash matches with hash in <DigestValue>

My questions:

  1. Is my understanding correct?
  2. What is the role of <KeyInfo> in verifying the signature, given that the sender's public key is sufficient for verifying?

Answer


  As per my understanding, to sign an XML:

    1. Create a Canonical XML of the XML Data to be signed.
    2. Create a hash (digest) of the Canonicalised XML Data using an algorithm mentioned in <DigestMethod/>. Hash will go inside <DigestValue>
    3. Encrypt above hash using algorithm mentioned in <SignatureMethod/>. This algorithm will take Sender's private key as an input. Signature will go inside <SignatureValue>


It is not correct, see the 3.1.2 Signature Generation section of the link you pointed to.

The <SignatureValue> is calculated over the canonicalized content of a <SignedInfo> node, which includes the <SignatureMethod>, <CanonicalizationMethod>, and the References. The <Reference> element contains the <DigestMethod> and the <DigestValue>.

The document is not encrypted, it is signed with the private key. It involves a similar cryptographic operation, but the padding mechanism is different. See https://crypto.stackexchange.com/questions/15997/is-rsa-encryption-with-a-private-key-the-same-as-signature-generation


  What is the role of <KeyInfo> in verifying the signature, given that the sender's public key is sufficient for verifying?

It contains the signing certificate corresponding to the private key used to sign the document.

The verifying party could verify the signature using the signer's public key without extracting it from the <KeyInfo> element, but it implies that the receiver has stored the public keys of each signer. The verifying party usually has a trusted list of Certificate Authorities and checks that the signing certificate has been issued by one of these Authorities.

Note that a reference to <KeyInfo> is also included in the <SignedInfo> section, to know exactly which certificate signed the document (a public key can be included in several certificates).
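As an added illustration of the two-step verification the answer describes (signature over canonicalized <SignedInfo> first, then the Reference digests), here is a minimal stand-alone sketch; it is not code from the question or answer. It assumes the HMAC-SHA256 SignatureMethod with a constructed shared key instead of RSA and a certificate, ElementTree's C14N 2.0 as the canonicalization step, and a constructed trusted key store that <KeyInfo>/<KeyName> is resolved against instead of trusting a key carried in the message.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DSIG}
# Constructed trusted key store: the verifier resolves KeyInfo against this
# and never takes a key from the message itself on trust.
TRUSTED_KEYS = {"demo-key-1": b"constructed-shared-secret"}
DATA = '<Data Id="data">transfer 100 to account 42</Data>'  # constructed sample

def c14n(xml_text):
    # Canonicalization step (assumption: ElementTree's C14N 2.0 stands in
    # for the C14N variant a real XML-DSig profile would use).
    return ET.canonicalize(xml_text).encode()

def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def sign(data_xml, key_name):
    # The Reference carries the digest of the data; the signature is then
    # computed over the canonicalized SignedInfo, not over the data itself.
    signed_info = (
        f'<SignedInfo xmlns="{DSIG}">'
        '<CanonicalizationMethod Algorithm="http://www.w3.org/2010/10/xml-c14n2"/>'
        '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>'
        '<Reference URI="#data">'
        '<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f'<DigestValue>{digest_b64(c14n(data_xml))}</DigestValue></Reference>'
        '</SignedInfo>')
    mac = hmac.new(TRUSTED_KEYS[key_name], c14n(signed_info), hashlib.sha256).digest()
    key_info = f'<KeyInfo xmlns="{DSIG}"><KeyName>{key_name}</KeyName></KeyInfo>'
    return signed_info, base64.b64encode(mac).decode(), key_info

def verify(signed_info, signature_value, key_info, data_xml):
    # 1. Resolve the key named in KeyInfo against the trusted store.
    key_name = ET.fromstring(key_info).findtext("ds:KeyName", namespaces=NS)
    key = TRUSTED_KEYS.get(key_name)
    if key is None:
        return "untrusted key"
    # 2. Check SignatureValue over the canonicalized SignedInfo.
    expected = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(signature_value)):
        return "bad signature"
    # 3. Recompute each Reference digest and compare with the stored DigestValue.
    for ref in ET.fromstring(signed_info).findall("ds:Reference", NS):
        stored = ref.findtext("ds:DigestValue", namespaces=NS)
        if not hmac.compare_digest(stored, digest_b64(c14n(data_xml))):
            return "bad digest"
    return "ok"
```

Tampering with the data fails at step 3, while tampering with anything inside <SignedInfo> (including a DigestValue) fails at step 2, which is why the signature covers <SignedInfo> rather than the raw data.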
