使用不同的密钥对同一文档中的 Xml 元素进行签名 [英] Signing Xml elements in same document with different keys

问题描述

业务场景:

• 更新可以包含包.
• 一个包可以包含更改.
• 每个包裹都必须经过某人的批准.
• 批准后，不得更改包.

要执行，更新必须具有 100% 批准的包.

To be executed, an Update must have 100% approved packages.

开发思路:

• 所有数据都保存为 XML 文件.
• Xml包"元素将在批准后签名.

问题:

无论我尝试和谷歌搜索什么，所有示例都是总是要对整个文档或使用整个文档的相同密钥签名子元素.但是我想用一个不同的 密钥对每个子元素(包)进行签名，该密钥是批准包的密钥.所以我需要每个元素一个签名.虽然所有 .NET Framework 函数似乎都支持这一点，但我得到了一些奇怪的行为.例如，在对元素进行签名时，您需要提供元素的 URI.如果我为所有包提供相同的 ID，它会验证，如果我为每个元素提供不同的 ID 并在各自的签名中引用此 ID，我只能验证第一个.首先，ID 的想法对我的场景没有意义，因为我的元素具有 1:1 关系的签名.

No matter what I try and google up, all examples are always about signing a whole document or signing sub-elements with the same key for the whole document. But I would like to sign every sub-element (Package) with a different key, the key of the one who approves a package. So I need one signature per element. While all .NET Framework functions seem to support this, I get strange behaviours. For example when signing elements, you need to give to URI of the element. If I give the same ID to all packages, it verifies, if I give a different ID to each element and refer to this ID in their respective signatures, I can only verify the first. The idea of an ID doesn't make sense for my scenario in the first place because I have the signature with my element in a 1:1 relationship.

我可以发布代码，但在发布之前，我想知道这样的事情是否可行?我没有看到任何会禁止我想做的事情，但我也没有看到任何迹象表明它应该起作用.有没有人这样做过，或者有人可以指出我尚未找到的资源吗?或者有没有人有更好的想法如何使用标准来实现需求?

I can post code, but before I do, I would like to know if something like this is possible? I have not seen anything that would prohibit what I want to do, but I have not seen any indicator that it should work either. Has anybody done this or can anybody point me to a resource I have not yet found? Or does anyone have a better idea how to implement the requirements using standards?

推荐答案

当然可以使用不同的密钥对同一 XML 文档中的不同元素进行签名.这基本上会向文档添加具有不同内部引用 (#) 的多个签名.
需要带 ID 的内部引用，标准不支持它.带有空或缺少 URI 的引用不表示要对父元素进行签名，而是表示要对整个文档进行签名.
如果您不能将 ID 添加到您的包中，您可以使用非标准方法来实现您的目标，方法是将每个包有效地视为一个独立的 XML 文档并将引用 URI 留空.但这意味着您的所有包的 XML 文档只能由您的程序验证，因为它必须在验证之前将 XML 文档拆分为多个文档.

It certainly is possible to sign different elements in the same XML document with different keys. This basically adds multiple signatures with different internal references (#<ID>) to the document.
The internal reference with the ID is required, there is no way around it that is supported by standards. A reference with an empty or missing URI does not indicate that the parent element is to be signed but that the complete document is to be signed.
If you can't add IDs to your packages you can use non-standard means to achieve your goal by effectivly treating each package like an independent XML document and leaving the reference URI empty. But that would mean that your XML document with all packages can only be verified by your program, because it would have to split the XML document into multiple documents before the verification.

在 .NET 实现中，如果将签名放置在应该签名的标签内，则它不起作用.这要么是因为我遗漏了什么，要么是因为一个错误.
将签名直接放在根元素内的顶层是可行的.
可以在我对您的其他问题的回答中找到一个有效的实现.

In the .NET implementation it doesn't work if the signatures are placed inside the tags that should be signed. This is either due to me missing something or due to a bug.
Placing the signatures at the top level directly inside the root element works.
A working implementation can be found in my answer to your other question.

这篇关于使用不同的密钥对同一文档中的 Xml 元素进行签名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！