1
Я анализирую файл XML-DSIG, чтобы узнать, как написать мой фрагмент программного кода, который генерирует XML-DSIGnatures. У меня возникли проблемы с этой и отчаянно нуждаются в помощи ... я пытаюсь понять это немного от signatures0.xml (цит после этого бита):URI в XML-DSIG и вычисление дайджеста
<Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedPropertiesElem_0" xmlns="http://www.w3.org/2000/09/xmldsig#">
<Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>kOlNXyBs6oSP9hbh+4niZMNQ9OsOCzYhkSYYG4YdHQU=</DigestValue>
</Reference>
signatures0.xml:
<?xml version="1.0" encoding="UTF-8"?>
<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">
<Signature Id="SignatureElem_0" xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="metadata/signableMetadata0.xml" xmlns="http://www.w3.org/2000/09/xmldsig#">
<Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">
<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<XPath>ancestor-or-self::*[@ID='signature_0']</XPath>
</Transform>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>XIrOvoOM33rWvV5Fdckax/bNLOpR9RNIonkVQ22fczM=</DigestValue>
</Reference>
<Reference URI="1.docx" xmlns="http://www.w3.org/2000/09/xmldsig#">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>LtTwOA0L3mL4mswjGL3JwkumufovE/A75M4MGSUm6PQ=</DigestValue>
</Reference>
<Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedPropertiesElem_0" xmlns="http://www.w3.org/2000/09/xmldsig#">
<Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>kOlNXyBs6oSP9hbh+4niZMNQ9OsOCzYhkSYYG4YdHQU=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
EPuWjb6IeuYg32FT1tInmO7FPL1ISuluFvrPqzHdHyJ0ymgMFitaWPJQk0MV6ckgmvFwif6zpg5C
XLVJl4U+e/+AmS1AkwMf2TmnuIONuB8oLeYcDUCr+0xxlwgKSZoopzapD7ylZxIwCPTMr6BT3lx9
8EFHHVskC4wVihR0JsJWBl2YzGnBevCWpknGofa8t8vOHpTA2y9VSAu5ETXnKYF5Ms04kTy5NQ7G
kHcslw+HSAuaJolvfUd4EeqAXVFz9V7sE+akQ20fciw9QQH8gttF8bIous8dsv3/6Zmtclvbk17Q
79pI+2o7JKhZIh9ct0PHTMpU5KV6GEXxIrCb4g==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIKVTCCCT2gAwIBAgIOQNXCrd79knQAAAALm2IwDQYJKoZIhvcNAQEFBQAwgb0xCzAJBgNVBAYT
AkxUMUAwPgYDVQQKEzdHeXZlbnRvanUgcmVnaXN0cm8gdGFybnliYSBwcmllIExSIFZSTSAtIGku
ay4gMTg4NzU2NzY3MTEwLwYDVQQLEyhOYWNpb25hbGluaXMgc2VydGlmaWthdmltbyBjZW50cmFz
IChOU0MpMTkwNwYDVQQDEzBOYWNpb25hbGluaXMgc2VydGlmaWthdmltbyBjZW50cmFzIChJc3N1
aW5nQ0EtQikwHhcNMTQwMjA0MTM1NTUwWhcNMTcwMjAzMTM1NTUwWjBjMQswCQYDVQQGEwJMVDEZ
MBcGA1UEAwwQU0lHSVRBIFBVVFJJRU7EljESMBAGA1UEBAwJUFVUUklFTsSWMQ8wDQYDVQQqEwZT
SUdJVEExFDASBgNVBAUTCzQ4MjA5MjkwOTI5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAlsxbvBk8SKnC8MX9mJ01dsnVhdsaX/8RiSq9nxosZ5B/gtBEOPr+3WIZ6F5+RK9IN59ONip7
rOXVJLXZI5GbbCFtGYMy24KfBuoTvnqvLCKw9p2A5o3WVeM2LuEnT4X09UPZPcNrPyPs+z2IafTE
7eltUfP4EcdFqh4nCnGoj6iFiUiHHAB2VjF+b8R8e8y7+KenanhR7p8Fo1waBfY4h9dAm0ZcCxDQ
DEcQzsXY06yi0Im/G0496hOonOqi+HHX1tgWENIzsyIgMH0h+aI6dN26JxUkQ6z0Q47gvTcAs1lC
Pc/6lHm9nM/6nZhn9URbxg6vxFgr5m5yf9gfXqcvYQIDAQABo4IGqjCCBqYwDgYDVR0PAQH/BAQD
AgbAMB0GA1UdDgQWBBRTpqDcAOtayHSkdGcl+OUu+wYPMjBLBgNVHQkERDBCMA8GCCsGAQUFBwkD
MQMTAUYwHQYIKwYBBQUHCQExERgPMTk4MjA5MjkxMjAwMDBaMBAGCCsGAQUFBwkEMQQTAkxUMB8G
A1UdIwQYMBaAFHOCCdqDj7IH/YtgeHa+2t6EqsudMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9u
c2MudnJtLmx0L2NkcC9Jc3N1aW5nQ0EtQi5jcmwwdwYIKwYBBQUHAQEEazBpMDQGCCsGAQUFBzAB
hihodHRwOi8vbnNjLnZybS5sdC9PQ1NQL29jc3ByZXNwb25kZXIubnNjMDEGCCsGAQUFBzAChiVo
dHRwOi8vbnNjLnZybS5sdC9haWEvSXNzdWluZ0NBLUIuY3J0MDwGCSsGAQQBgjcVBwQvMC0GJSsG
AQQBgjcVCIHOw3SEvLhBg8GdP8SQT5vla4EigZL6KIPyqCsCAWQCAQQwFQYDVR0lBA4wDAYKKwYB
BAGCNwoDDDCCBLwGA1UdIASCBLMwggSvMIIEqwYLKwYBBAGB+SgBAQEwggSaMIIEbAYIKwYBBQUH
AgIwggReHoIEWgBUAGgAaQBzACAAcwB0AGEAdABlAG0AZQBuAHQAIABpAHMAIABhACAAcwB0AGEA
dABlAG0AZQBuAHQAIABiAHkAIAB0AGgAZQAgAGkAcwBzAHUAZQByACAAdABoAGEAdAAgAHQAaABp
AHMAIABjAGUAcgB0AGkAZgBpAGMAYQB0AGUAIABpAHMAIABpAHMAcwB1AGUAZAAgAGEAcwAgAGEA
IABRAHUAYQBsAGkAZgBpAGUAZAAgAGMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGEAYwBjAG8AcgBk
AGkAbgBnACAAQQBuAG4AZQB4ACAASQAgAGEAbgBkACAASQBJACAAbwBmACAAdABoAGUAIABEAGkA
cgBlAGMAdABpAHYAZQAgADEAOQA5ADkALwA5ADMALwBFAEMAIABvAGYAIAB0AGgAZQAgAEUAdQBy
AG8AcABlAGEAbgAgAFAAYQByAGwAaQBhAG0AZQBuAHQAIABhAG4AZAAgAG8AZgAgAHQAaABlACAA
QwBvAHUAbgBjAGkAbAAgAG8AZgAgADEAMwAgAEQAZQBjAGUAbQBiAGUAcgAgADEAOQA5ADkAIABv
AG4AIABhACAAQwBvAG0AbQB1AG4AaQB0AHkAIABmAHIAYQBtAGUAdwBvAHIAawAgAGYAbwByACAA
ZQBsAGUAYwB0AHIAbwBuAGkAYwAgAHMAaQBnAG4AYQB0AHUAcgBlAHMALAAgAGEAcwAgAGkAbQBw
AGwAZQBtAGUAbgB0AGUAZAAgAGkAbgAgAHQAaABlACAAbABhAHcAIABvAGYAIAB0AGgAZQAgAGMA
bwB1AG4AdAByAHkAIABzAHAAZQBjAGkAZgBpAGUAZAAgAGkAbgAgAHQAaABlACAAaQBzAHMAdQBl
AHIAIABmAGkAZQBsAGQAIABvAGYAIAB0AGgAaQBzACAAYwBlAHIAdABpAGYAaQBjAGEAdABlAC4A
IAFgAGkAcwAgAHMAZQByAHQAaQBmAGkAawBhAHQAYQBzACAAeQByAGEAIABrAHYAYQBsAGkAZgBp
AGsAdQBvAHQAYQBzACAAcwBlAHIAdABpAGYAaQBrAGEAdABhAHMAIABwAGEAZwBhAGwAIABFAFMA
IABkAGkAcgBlAGsAdAB5AHYAbwBzACAAMQA5ADkAOQAvADkAMwAvAEUAQwAgAGQBFwBsACAAQgBl
AG4AZAByAGkAagBvAHMAIABlAGwAZQBrAHQAcgBvAG4AaQBuAGkAbwAgAHAAYQByAGEBYQBvACAA
cABhAGcAcgBpAG4AZABpAG4AaQFzACAAbgB1AG8AcwB0AGEAdAFzACAASQAgAGkAcgAgAEkASQAg
AHAAcgBpAGUAZAB1AHMAIABpAHIAIABMAGkAZQB0AHUAdgBvAHMAIABlAGwAZQBrAHQAcgBvAG4A
aQBuAGkAbwAgAHAAYQByAGEBYQBvACABLwBzAHQAYQB0AHkAbQEFAC4wKAYIKwYBBQUHAgEWHGh0
dHA6Ly9uc2MudnJtLmx0L3JlcG9zaXRvcnkwHQYJKwYBBAGCNxUKBBAwDjAMBgorBgEEAYI3CgMM
MCIGCCsGAQUFBwEDBBYwFDAIBgYEAI5GAQEwCAYGBACORgEEMA0GCSqGSIb3DQEBBQUAA4IBAQAf
PXZj6QagEgswUy+wit1MdCPMbKnF5LYszPtLG/PYbtuqXstBZljRR1tZVo8DRzoVRKwM7gpNNnWF
UEtZoaafJ4uWmWWZLNSVAyaZUAJ67s2rkDPTtNtb7W9QCZJNIU2klegoY3JvDqAQzheE+Mj9HXnh
0h21Qb8MWq4lHaL99/Vk9OXSlR9WYQfbEB5zbI5kp6nVePM2cf9uOZbhZRLdDAKbL/NrSGca3S40
WZevQ1m9sdMgmobSTyuqniDXYIa7sO+QOzbMPIFuTn/izO13IK63uUBFnTImW+99PAyDx3s4Y03t
EWpXA25hWn/NXH5xWC7ohKKeXzVUhnMN4WxT
</X509Certificate>
</X509Data>
</KeyInfo>
<Object>
<QualifyingProperties Target="#SignatureElem_0" xmlns="http://uri.etsi.org/01903/v1.3.2#">
<SignedProperties Id="SignedPropertiesElem_0">
<SignedSignatureProperties>
<SigningTime>2014-08-21T06:09:55Z</SigningTime>
<SigningCertificate>
<Cert>
<CertDigest>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue>
</CertDigest>
<IssuerSerial>
<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-B),OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName>
<X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber>
</IssuerSerial>
</Cert>
</SigningCertificate>
<SignaturePolicyIdentifier>
<SignaturePolicyImplied/>
</SignaturePolicyIdentifier>
</SignedSignatureProperties>
</SignedProperties>
</QualifyingProperties>
</Object>
</Signature></document-signatures>
С я понимаю, первый цитированный бит относится к элементу SignedPropertiesElem_0 в том же файле. Я пытаюсь точно определить, на что это ссылается, - какой фрагмент кода должен быть выбран и использоваться позже для канонизации, а затем вычислять значение дайджеста. Является ли это так:
<SignedProperties Id="SignedPropertiesElem_0">
<SignedSignatureProperties>
<SigningTime>2014-08-21T06:09:55Z</SigningTime>
<SigningCertificate>
<Cert>
<CertDigest>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue>
</CertDigest>
<IssuerSerial>
<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-B),OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName>
<X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber>
</IssuerSerial>
</Cert>
</SigningCertificate>
<SignaturePolicyIdentifier>
<SignaturePolicyImplied/>
</SignaturePolicyIdentifier>
</SignedSignatureProperties>
</SignedProperties>
Или это:
<SignedSignatureProperties>
<SigningTime>2014-08-21T06:09:55Z</SigningTime>
<SigningCertificate>
<Cert>
<CertDigest>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue>
</CertDigest>
<IssuerSerial>
<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-B),OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName>
<X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber>
</IssuerSerial>
</Cert>
</SigningCertificate>
<SignaturePolicyIdentifier>
<SignaturePolicyImplied/>
</SignaturePolicyIdentifier>
</SignedSignatureProperties>
Или это:
<SigningTime>2014-08-21T06:09:55Z</SigningTime>
<SigningCertificate>
<Cert>
<CertDigest>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue>
</CertDigest>
<IssuerSerial>
<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-B),OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName>
<X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber>
</IssuerSerial>
</Cert>
</SigningCertificate>
<SignaturePolicyIdentifier>
<SignaturePolicyImplied/>
</SignaturePolicyIdentifier>
Или какой-то другой его части?
Я попробовал первый, затем позволяя его через канонизации StylusStudio ИЛИ http://www.soapclient.com/xmlcanon.html (оба, кажется, возвращают одинаковые результаты), что приводит к следующим образом:
<SignedProperties Id="SignedPropertiesElem_0">
<SignedSignatureProperties>
<SigningTime>2014-08-21T06:09:55Z</SigningTime>
<SigningCertificate>
<Cert>
<CertDigest>
<DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue>
</CertDigest>
<IssuerSerial>
<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-B),OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName>
<X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber>
</IssuerSerial>
</Cert>
</SigningCertificate>
<SignaturePolicyIdentifier>
<SignaturePolicyImplied></SignaturePolicyImplied>
</SignaturePolicyIdentifier>
</SignedSignatureProperties>
</SignedProperties>
, а затем вычисления значения дайджеста с помощью этих инструментов: http://www.webutils.pl/index.php?idx=sha1 hash.online-convert.com/sha256-generator www.freeformatter.com/message-digest.html#ad-output
все они вернулись в тот же самый результат, но этот результат отличается от указанного в файле XML: kOlNXyBs6oSP9hbh + 4niZMNQ9OsOCzYhkSYYG4YdHQU =
Что я делаю неправильно? Какую часть документа xml следует скопировать и вставить в канонизатор, а затем в калькулятор для дайджеста? Я несколько дней пробовал разные вещи и искал ответы и ничего не получил ... Я уверен, что что-то пропустил, поэтому прошу о помощи.