XML 签名超过 XML 现有签名
XML Signature over XML with existing signature
我想签署一个 XML 字符串,如下所示:
<Foo>
<ds:Signature Id="REC">
<ds:SignedInfo>
<ds:CanonicalizationMethod />
<ds:SignatureMethod />
<ds:Reference>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod>
<ds:DigestValue>
</ds:Reference>
<ds:Reference /> etc.
</ds:SignedInfo>
<ds:SignatureValue />
<ds:KeyInfo />
<ds:Object />
</ds:Signature>
</Foo>
以便它添加另一个签名(具有相应的摘要值和签名值)并且它应该如下所示:
<Foo>
<ds:Signature Id="REC">
<ds:SignedInfo>
<ds:CanonicalizationMethod />
<ds:SignatureMethod />
<ds:Reference>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod>
<ds:DigestValue>
</ds:Reference>
<ds:Reference /> etc.
</ds:SignedInfo>
<ds:SignatureValue />
<ds:KeyInfo />
<ds:Object />
</ds:Signature>
<ds:Signature Id="PAC">
<ds:SignedInfo>
<ds:CanonicalizationMethod />
<ds:SignatureMethod />
<ds:Reference>
<ds:Transforms>
<ds:DigestMethod>
<ds:DigestValue>[DIGEST VALUE OF ALL THE PREVIOUS XML]</ds:DigestValue>
</ds:Reference>
<ds:Reference /> etc.
</ds:SignedInfo>
<ds:SignatureValue />
<ds:KeyInfo />
<ds:Object />
</ds:Signature>
</Foo>
进行转换的java代码是:
_TRANSFORM = "not(ancestor-or-self::ds:Signature)";
XPathContainer xpathC = new XPathContainer(doc2);
xpathC.setXPath(_TRANSFORM);
Transforms transforms = new Transforms(doc2);
transforms.addTransform("http://www.w3.org/TR/1999/REC-xpath-19991116",xpathC.getElement());
signature.addDocument("", transforms);
我应该使用什么 XPATH 表达式来消化整个 XML 而不仅仅是 "Foo"(就像我对前一个所做的那样)?
到目前为止我已经尝试过:
- 不是(祖先或自己::ds:签名[@Id='PAC'])
- (ancestor-or-self::Foo and not (ancestor-or-self::ds:Signature[@Id = 'PAC'])) or ancestor-or-self::ds:Signature [@Id = 'REC']
- 不是(祖先或自我::ds:签名[@Id='PAC'])或(祖先或自我::ds:签名[@Id='REC'] )
...运气不好。
感谢您的宝贵时间。
方法 not(ancestor-or-self::ds:Signature[@Id='PAC']) XPATH 获取除当前签名之外的所有 XML 是正确的(在在这种情况下,属性 'Id' 的值为 'PAC')我发现我误喂 XML 并且它有不同的值。
我想签署一个 XML 字符串,如下所示:
<Foo>
<ds:Signature Id="REC">
<ds:SignedInfo>
<ds:CanonicalizationMethod />
<ds:SignatureMethod />
<ds:Reference>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod>
<ds:DigestValue>
</ds:Reference>
<ds:Reference /> etc.
</ds:SignedInfo>
<ds:SignatureValue />
<ds:KeyInfo />
<ds:Object />
</ds:Signature>
</Foo>
以便它添加另一个签名(具有相应的摘要值和签名值)并且它应该如下所示:
<Foo>
<ds:Signature Id="REC">
<ds:SignedInfo>
<ds:CanonicalizationMethod />
<ds:SignatureMethod />
<ds:Reference>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod>
<ds:DigestValue>
</ds:Reference>
<ds:Reference /> etc.
</ds:SignedInfo>
<ds:SignatureValue />
<ds:KeyInfo />
<ds:Object />
</ds:Signature>
<ds:Signature Id="PAC">
<ds:SignedInfo>
<ds:CanonicalizationMethod />
<ds:SignatureMethod />
<ds:Reference>
<ds:Transforms>
<ds:DigestMethod>
<ds:DigestValue>[DIGEST VALUE OF ALL THE PREVIOUS XML]</ds:DigestValue>
</ds:Reference>
<ds:Reference /> etc.
</ds:SignedInfo>
<ds:SignatureValue />
<ds:KeyInfo />
<ds:Object />
</ds:Signature>
</Foo>
进行转换的java代码是:
_TRANSFORM = "not(ancestor-or-self::ds:Signature)";
XPathContainer xpathC = new XPathContainer(doc2);
xpathC.setXPath(_TRANSFORM);
Transforms transforms = new Transforms(doc2);
transforms.addTransform("http://www.w3.org/TR/1999/REC-xpath-19991116",xpathC.getElement());
signature.addDocument("", transforms);
我应该使用什么 XPATH 表达式来消化整个 XML 而不仅仅是 "Foo"(就像我对前一个所做的那样)?
到目前为止我已经尝试过:
- 不是(祖先或自己::ds:签名[@Id='PAC'])
- (ancestor-or-self::Foo and not (ancestor-or-self::ds:Signature[@Id = 'PAC'])) or ancestor-or-self::ds:Signature [@Id = 'REC']
- 不是(祖先或自我::ds:签名[@Id='PAC'])或(祖先或自我::ds:签名[@Id='REC'] )
...运气不好。
感谢您的宝贵时间。
方法 not(ancestor-or-self::ds:Signature[@Id='PAC']) XPATH 获取除当前签名之外的所有 XML 是正确的(在在这种情况下,属性 'Id' 的值为 'PAC')我发现我误喂 XML 并且它有不同的值。