Verifying XML Signature in Powershell with PEM Certificate


Problem description

I am trying to create a PowerShell script that will consume data within an XML document. However, prior to doing any work I need to verify the XML hasn't been tampered with by verifying the signature.

I have a copy of the public key for the cert used to sign the XML in PEM format, but I cannot figure out how to get PowerShell to use that cert.

The closest I have come to getting this to work is the following code...

$Path = "data.xml"
$Xmldata = New-Object Xml.XmlDocument
# PreserveWhitespace must be set before Load so the canonicalised bytes match what was signed
$Xmldata.PreserveWhitespace = $true
$Xmldata.Load($Path)

Add-Type -AssemblyName System.Security
$SignedXml = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $Xmldata

# The enveloped <Signature> element under the SAML <EntitiesDescriptor> root
$XmlNodeList = $Xmldata.EntitiesDescriptor.Signature

$XmlNodeList

$SignedXml.LoadXml($XmlNodeList)

# PowerShell coerces the path string into an X509Certificate2 via its file-name constructor
$CertPath = "cert.pem"
$Check = $SignedXml.CheckSignature($CertPath, $true)

However, when this runs I get the following exception...

Exception calling "CheckSignature" with "2" argument(s): "SignatureDescription could not be created for the signature algorithm supplied."
At line:34 char:1
+ $Check = $SignedXml.CheckSignature($CertPath, $true)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException

Any help would be appreciated. Thanks!

Answer

After some intense additional searching I found out that SignedXml does not support the http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 algorithm and that it had to be added by hand. I had to add the following code before creating the SignedXml object...

Add-Type @'
// SignatureDescription that tells SignedXml how to verify RSA PKCS#1 v1.5 signatures over SHA-256
public class RSAPKCS1SHA256SignatureDescription : System.Security.Cryptography.SignatureDescription
{
    public RSAPKCS1SHA256SignatureDescription()
    {
        base.KeyAlgorithm         = "System.Security.Cryptography.RSACryptoServiceProvider";
        base.DigestAlgorithm      = "System.Security.Cryptography.SHA256Managed";
        base.FormatterAlgorithm   = "System.Security.Cryptography.RSAPKCS1SignatureFormatter";
        base.DeformatterAlgorithm = "System.Security.Cryptography.RSAPKCS1SignatureDeformatter";
    }

    // Only the deformatter is needed for verification; it must be told to use SHA256
    public override System.Security.Cryptography.AsymmetricSignatureDeformatter CreateDeformatter(System.Security.Cryptography.AsymmetricAlgorithm key)
    {
        System.Security.Cryptography.AsymmetricSignatureDeformatter asymmetricSignatureDeformatter = (System.Security.Cryptography.AsymmetricSignatureDeformatter)
            System.Security.Cryptography.CryptoConfig.CreateFromName(base.DeformatterAlgorithm);
        asymmetricSignatureDeformatter.SetKey(key);
        asymmetricSignatureDeformatter.SetHashAlgorithm("SHA256");
        return asymmetricSignatureDeformatter;
    }
}
'@

# Map the rsa-sha256 URI to the description so CryptoConfig.CreateFromName() can resolve it
$RSAPKCS1SHA256SignatureDescription = New-Object RSAPKCS1SHA256SignatureDescription
[System.Security.Cryptography.CryptoConfig]::AddAlgorithm($RSAPKCS1SHA256SignatureDescription.GetType(), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")

This solution was adapted from http://geekswithblogs.net/mkoerner/archive/2013/07/12/saml2-federationmetadata-validation.aspx.
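A complete verification script, added here as an example; it is not part of the original question or answer. It combines the answer's CryptoConfig registration (applied only when the runtime does not already map the URI; .NET Framework 4.6.2 and later and PowerShell 7 ship it) with the checks that make the result meaningful for untrusted input: external entity resolution is disabled before the document is parsed, the PEM certificate is loaded explicitly and passed to CheckSignature so the document's own KeyInfo is never trusted, the Signature element is located by namespace rather than by the adapter property, and the single Reference is required to cover the document root. It targets Windows PowerShell 5.1; the file names, the Test-XmlSignature function name and the optional thumbprint pin are assumptions.

```powershell
# Added example (not the original poster's code). Assumes Windows PowerShell 5.1 on .NET Framework.
Add-Type -AssemblyName System.Security

$rsaSha256Uri = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Register the RSA-SHA256 SignatureDescription only if the runtime does not already know the URI.
if (-not [System.Security.Cryptography.CryptoConfig]::CreateFromName($rsaSha256Uri)) {
    if (-not ('RSAPKCS1SHA256SignatureDescription' -as [type])) {
        Add-Type @'
public class RSAPKCS1SHA256SignatureDescription : System.Security.Cryptography.SignatureDescription
{
    public RSAPKCS1SHA256SignatureDescription()
    {
        KeyAlgorithm         = "System.Security.Cryptography.RSACryptoServiceProvider";
        DigestAlgorithm      = "System.Security.Cryptography.SHA256Managed";
        FormatterAlgorithm   = "System.Security.Cryptography.RSAPKCS1SignatureFormatter";
        DeformatterAlgorithm = "System.Security.Cryptography.RSAPKCS1SignatureDeformatter";
    }
    public override System.Security.Cryptography.AsymmetricSignatureDeformatter CreateDeformatter(System.Security.Cryptography.AsymmetricAlgorithm key)
    {
        var d = (System.Security.Cryptography.AsymmetricSignatureDeformatter)System.Security.Cryptography.CryptoConfig.CreateFromName(DeformatterAlgorithm);
        d.SetKey(key);
        d.SetHashAlgorithm("SHA256");
        return d;
    }
}
'@
    }
    $descType = 'RSAPKCS1SHA256SignatureDescription' -as [type]
    [System.Security.Cryptography.CryptoConfig]::AddAlgorithm($descType, $rsaSha256Uri)
}

function Test-XmlSignature {
    # Hypothetical function name; returns $true only if the enveloped signature verifies
    # under the trusted PEM certificate and covers the whole document.
    param(
        [Parameter(Mandatory)] [string] $XmlPath,
        [Parameter(Mandatory)] [string] $CertPath,
        [string] $ExpectedThumbprint   # optional pin, supplied by the caller (assumption)
    )

    # Resolve-Path: .NET resolves relative paths against the process directory, not $PWD.
    # The X509Certificate2(string) constructor accepts PEM-encoded certificate files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $CertPath).Path
    if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        throw "Certificate thumbprint $($cert.Thumbprint) does not match the pinned value"
    }

    # The document is untrusted until verified: refuse DTD/external entity fetches (XXE),
    # and keep whitespace so canonicalisation reproduces the signed bytes.
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null
    $doc.PreserveWhitespace = $true
    $doc.Load((Resolve-Path $XmlPath).Path)

    # Locate <ds:Signature> by namespace; $doc.Root.Signature silently becomes an array
    # when several Signature children are present.
    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $sigNodes = $doc.DocumentElement.SelectNodes('ds:Signature', $ns)
    if ($sigNodes.Count -ne 1) {
        throw "Expected exactly one enveloped Signature under the root element, found $($sigNodes.Count)"
    }

    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $doc
    $signedXml.LoadXml([System.Xml.XmlElement] $sigNodes[0])

    # A valid signature over the wrong node proves nothing: require one Reference that
    # covers the whole document ("") or the root element's Id ("#id").
    $refs = @($signedXml.SignedInfo.References)
    if ($refs.Count -ne 1) { throw "Expected one Reference, found $($refs.Count)" }
    $uri = $refs[0].Uri
    if ($uri -ne '') {
        if ($null -eq $uri -or -not $uri.StartsWith('#')) { throw "Reference URI '$uri' is not accepted" }
        $target = $signedXml.GetIdElement($doc, $uri.Substring(1))
        if (-not [object]::ReferenceEquals($target, $doc.DocumentElement)) {
            throw "Reference '$uri' does not point at the document root"
        }
    }

    # Verify with the key we trust. CheckSignature() with no arguments would use whatever
    # key the document's own KeyInfo advertises, which an attacker controls. $true skips
    # chain building because the PEM certificate is itself the trust anchor here.
    return $signedXml.CheckSignature($cert, $true)
}

# Usage (file names are placeholders):
# Test-XmlSignature -XmlPath .\data.xml -CertPath .\cert.pem
```

The registration block is guarded with CryptoConfig.CreateFromName because AddAlgorithm on a runtime that already maps the URI is harmless but Add-Type fails when the class already exists in the session. The Reference check matters for SAML metadata in particular: a signature over a nested element validates cleanly while leaving the rest of the document unprotected.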
