Should a change in XML root element change the signature value for a sub element?
I'm trying to generate a detached XML signature document with Camel. I noticed that if I tamper with the namespace name, the document becomes invalid. E.g. changing the "soap" namespace to "soap1" makes the document invalid. I get a:
org.apache.camel.component.xmlsecurity.api.XmlSignatureInvalidValueException:
Signature validation failed. The signature value could not be
validated by the public key. Either the message has been
tampered or the public key is not correct.
Should it be like this?
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <anotherSample attr="1234"/>
    <sample ID="sampleID"/>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#sampleID">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>....</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>...</ds:SignatureValue>
      <ds:KeyInfo>....</ds:KeyInfo>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>
From the Canonical XML spec: By virtue of the XPath data model, XML canonicalization is namespace-aware.
So yes, changing the namespace should cause the signature to change.
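An added example, not code from the question or from Camel, that reproduces the behaviour with the JDK's own javax.xml.crypto.dsig (JSR 105) API, which the camel-xmlsecurity component is built on. It signs a constructed envelope shaped like the one above with a detached Reference to #sampleID, confirms the result validates, then renames the soap prefix to soap1 (the tampering from the question, URI left unchanged) and validates again. It goes one step beyond the answer: the same document is also signed with exclusive C14N, where only namespaces an element visibly uses enter the canonical form, so the prefix rename leaves that signature valid. The class name, method names and the in-process RSA key pair are my own choices.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class PrefixRenameDemo {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    // Constructed input with the same shape as the envelope in the question, before signing.
    static final String ENVELOPE =
          "<soap:Envelope xmlns:soap=\"" + SOAP_NS + "\"><soap:Body>"
        + "<anotherSample attr=\"1234\"/><sample ID=\"sampleID\"/>"
        + "</soap:Body></soap:Envelope>";

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();

        // Inclusive C14N 1.0 with comments, as in the question's SignedInfo: the in-scope
        // xmlns:soap declaration is rendered into the canonical form of both <sample/>
        // (the Reference) and <ds:SignedInfo> (what SignatureValue is computed over).
        String inclusive = sign(kp, CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS);
        System.out.println("inclusive, untouched:      " + validate(inclusive, kp.getPublic()));
        System.out.println("inclusive, prefix renamed: " + validate(renamePrefix(inclusive), kp.getPublic()));

        // Exclusive C14N emits only namespaces an element visibly uses; <sample/> and
        // <ds:SignedInfo> never use the soap prefix, so it does not enter either digest.
        String exclusive = sign(kp, CanonicalizationMethod.EXCLUSIVE);
        System.out.println("exclusive, untouched:      " + validate(exclusive, kp.getPublic()));
        System.out.println("exclusive, prefix renamed: " + validate(renamePrefix(exclusive), kp.getPublic()));
    }

    /** The tampering from the question: rename the soap prefix to soap1, keep the namespace URI. */
    static String renamePrefix(String xml) {
        return xml.replace("xmlns:soap=", "xmlns:soap1=").replace("soap:", "soap1:");
    }

    static String sign(KeyPair kp, String c14nAlgorithm) throws Exception {
        Document doc = parse(ENVELOPE);
        markIdAttribute(doc);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#sampleID",
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(c14nAlgorithm, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(c14nAlgorithm, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        // Detached signature: <ds:Signature> is appended as a sibling of <sample/> inside <soap:Body>.
        Element body = (Element) doc.getElementsByTagNameNS(SOAP_NS, "Body").item(0);
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), body);
        ctx.setDefaultNamespacePrefix("ds");
        fac.newXMLSignature(si, ki).sign(ctx);
        return serialize(doc);
    }

    static boolean validate(String xml, PublicKey publicKey) throws Exception {
        Document doc = parse(xml);
        markIdAttribute(doc);
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(publicKey, sigEl);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        // false means core validation failed: SignatureValue over SignedInfo, or a Reference digest.
        return sig.validate(ctx);
    }

    /** Declare ID as an ID-typed attribute so URI="#sampleID" can be dereferenced on both sides. */
    static void markIdAttribute(Document doc) {
        Element sample = (Element) doc.getElementsByTagName("sample").item(0);
        sample.setIdAttribute("ID", true);
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required, or prefixes and namespace URIs are not modelled at all
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE surface
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
}
```

With inclusive canonicalization the untouched document validates and the prefix-renamed one does not: `xmlns:soap` is an in-scope namespace node of both `<sample/>` and `<ds:SignedInfo>`, so it is part of the canonical octets behind DigestValue and SignatureValue, and the check on SignatureValue fails first, which is the "signature value could not be validated by the public key" message Camel surfaces. With exclusive canonicalization (http://www.w3.org/2001/10/xml-exc-c14n#) both runs validate, because an unused ancestor prefix is not visibly utilized and is never canonicalized; that is the algorithm to pick when signed fragments must survive being re-wrapped in a different envelope, at the cost of no longer binding the surrounding namespace context.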