How to Verify an RSA-SHA512 XML Signature in .NET?


Problem description


With the help of the MSDN site about SignedXml, I can easily verify if an XML DSig is correct. It works perfectly if the signature method sha1 was used.

However, when I receive the SignatureMethod RSA-SHA512 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha512), CheckSignature() breaks with a CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.

It seems like CheckSignature() is not able to verify RSA-SHA512 signatures.

Does anyone know how to check this kind of signature?

The code, taken from the MSDN site, is:

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

public static bool VerifyXml(XmlDocument doc, bool removeSignatureElement = false)
{
    // Check arguments.
    if (doc == null)
        throw new ArgumentNullException("doc");

    // Create a new SignedXml object and pass it the XML document class.
    SignedXml signedXml = new SignedXml(doc);

    // Find the "Signature" node in the XML DSig namespace (http://www.w3.org/2000/09/xmldsig#)
    // and create a new XmlNodeList object.
    XmlNodeList nodeList = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);

    // Throw an exception if no signature was found.
    if (nodeList.Count < 1)
    {
        throw new CryptographicException("Verification failed: No Signature was found in the document.");
    }

    // This example only supports one signature for the entire XML document.
    // Throw an exception if more than one signature was found.
    if (nodeList.Count > 1)
    {
        throw new CryptographicException("Verification failed: More than one signature was found for the document.");
    }

    // Load the first <Signature> node.
    signedXml.LoadXml((XmlElement)nodeList[0]);

    // Check the signature and return the result.
    bool signedCorrectly = signedXml.CheckSignature(); // throws the Exception!!!

    return signedCorrectly;
}

The signed XML is:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Notification xmlns="http://www.xxxxxxxxxxx.xx/xxxxx">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content"> ... </xenc:EncryptedData>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
            <ds:Reference URI="">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>WsHcyNL7Jh8HSzR9ArzTqomBkHs=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
pWDatSEbypIUVQR9NFmLkB9kKWjMb6rKWGFFvGqT5tOUILeDhMHUqjCRB9v/g6yYdogC9TRWouhz
...VoZAIBs7EqCbLt7RgpB4GHWc9E3qp65NaCgluw==
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
MIIG+zCCBOOgAwIBAgIHAe2+sRfTfDANBgkqhkiG9w0BAQUFADCBkTELMAkGA1UEBhMCQVQxDTAL
...tvawqBjOfkw1yeDzsDMJHfMuAcpYfrEL
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
</Notification>

Solution

You can verify RSA SHA512 signatures but you'll have to implement and register the signature description by yourself.

Signature description:

using System;
using System.Security.Cryptography;

public sealed class RSAPKCS1SHA512SignatureDescription : SignatureDescription
{
    public RSAPKCS1SHA512SignatureDescription()
    {
        KeyAlgorithm = typeof( RSACryptoServiceProvider ).FullName;
        DigestAlgorithm = typeof( SHA512Managed ).FullName;
        FormatterAlgorithm = typeof( RSAPKCS1SignatureFormatter ).FullName;
        DeformatterAlgorithm = typeof( RSAPKCS1SignatureDeformatter ).FullName;
    }

    public override AsymmetricSignatureDeformatter CreateDeformatter( AsymmetricAlgorithm key )
    {
        if( key == null )
        {
            throw new ArgumentNullException( "key" );
        }

        var deformatter = new RSAPKCS1SignatureDeformatter( key );
        deformatter.SetHashAlgorithm( "SHA512" );
        return deformatter;
    }

    public override AsymmetricSignatureFormatter CreateFormatter( AsymmetricAlgorithm key )
    {
        if( key == null )
        {
            throw new ArgumentNullException( "key" );
        }

        var formatter = new RSAPKCS1SignatureFormatter( key );
        formatter.SetHashAlgorithm( "SHA512" );
        return formatter;
    }
}

In your code you'll have to register this description with CryptoConfig:

const string XmlDsigRsaSha512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
CryptoConfig.AddAlgorithm( typeof( RSAPKCS1SHA512SignatureDescription ), XmlDsigRsaSha512 );

I tested it with .Net 4.0 on Windows 7 64 Bit.
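An added end-to-end example (not code from the question, the answer, or Microsoft's documentation) that ties the two halves of this thread together on .NET Framework 4.x: it registers the answer's SignatureDescription, produces an enveloped RSA-SHA512 signature over a constructed document shaped like the question's XML, and then verifies it. Two points the thread does not spell out: the registration is needed to create such a signature as well, since ComputeSignature() resolves the SignatureMethod through the same CryptoConfig lookup; and CheckSignature() with no argument takes the verification key from the document's own KeyInfo, so a receiver should pass the key it already trusts, as the verify method below does. .NET Framework 4.6.2 and later register RSA-SHA512 for SignedXml themselves, so there the AddAlgorithm call is redundant but harmless. The namespace urn:example:notification, the element names and the payload text are placeholders.

```csharp
// Added example; not code from the question, the answer, or Microsoft's documentation.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Same SignatureDescription as in the answer above, repeated so this file compiles on its own.
public sealed class RSAPKCS1SHA512SignatureDescription : SignatureDescription
{
    public RSAPKCS1SHA512SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA512Managed).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        if (key == null) throw new ArgumentNullException("key");
        var deformatter = new RSAPKCS1SignatureDeformatter(key);
        deformatter.SetHashAlgorithm("SHA512");
        return deformatter;
    }

    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        if (key == null) throw new ArgumentNullException("key");
        var formatter = new RSAPKCS1SignatureFormatter(key);
        formatter.SetHashAlgorithm("SHA512");
        return formatter;
    }
}

public static class RsaSha512XmlDsigDemo
{
    public const string XmlDsigRsaSha512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
    // SHA-256 digest URI for the Reference; CryptoConfig already maps this one.
    const string XmlEncSha256 = "http://www.w3.org/2001/04/xmlenc#sha256";

    // Required on .NET Framework before 4.6.2; redundant but harmless on later runtimes.
    public static void RegisterSha512Description()
    {
        CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA512SignatureDescription), XmlDsigRsaSha512);
    }

    // Enveloped signature over the whole document (Reference URI=""), like the question's XML.
    public static void SignEnveloped(XmlDocument doc, RSA signingKey)
    {
        var signedXml = new SignedXml(doc) { SigningKey = signingKey };
        signedXml.SignedInfo.SignatureMethod = XmlDsigRsaSha512;

        var reference = new Reference("") { DigestMethod = XmlEncSha256 };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigC14NTransform());
        signedXml.AddReference(reference);

        // Resolves the SignatureMethod via CryptoConfig, so it needs the registration too.
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // Verify against a key the receiver trusts. CheckSignature() with no argument would
    // instead pull the key from <KeyInfo>, i.e. from the signer-controlled document.
    public static bool VerifyWithTrustedKey(XmlDocument doc, RSA trustedKey)
    {
        XmlNodeList nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1)
            throw new CryptographicException("Expected exactly one Signature element, found " + nodes.Count);

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)nodes[0]);
        return signedXml.CheckSignature(trustedKey);
    }

    public static void Main()
    {
        RegisterSha512Description();

        // Constructed sample document; namespace, element names and payload are placeholders.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<Notification xmlns=\"urn:example:notification\"><Payload>order 42</Payload></Notification>");

        using (var key = new RSACryptoServiceProvider(2048))
        {
            SignEnveloped(doc, key);
            Console.WriteLine("Intact document verifies: " + VerifyWithTrustedKey(doc, key));

            // Any change to signed content breaks the Reference digest, so verification fails.
            doc.GetElementsByTagName("Payload")[0].InnerText = "order 43";
            Console.WriteLine("Tampered document verifies: " + VerifyWithTrustedKey(doc, key));
        }
    }
}
```

The signing half exists only so the sample runs offline; in a real receiver you would keep VerifyWithTrustedKey and obtain the trusted key from configuration or a pinned certificate rather than from the message. If the digest method in the incoming document is SHA-1, as in the question's XML, verification still works because CryptoConfig maps that URI by default; only the SHA-2 signature methods needed the extra description on .NET 4.0.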
