与XML文档捆绑在一起的X.509证书的手动验证

这是对问题1的回答。

我在apache的基础上在kotlin中创建了一个部分工作的验证器 javax.xml.crypto.dsig.samples.Validate 例子。

不可否认,下面的代码有一个bug,其中 Digest 值与XML中出现的值不匹配(验证最终失败)。但是,这里有一些教育价值,因为所有必需的验证步骤都会显示和解释。

在Kotlin 1.2.50和JDK 9.0.1上进行了测试。

import org.w3c.dom.Element
import javax.xml.crypto.*
import javax.xml.crypto.dsig.*
import javax.xml.crypto.dsig.dom.DOMValidateContext
import javax.xml.crypto.dsig.keyinfo.*
import java.io.FileInputStream
import java.security.*
import java.security.cert.X509Certificate
import javax.management.modelmbean.XMLParseException
import javax.xml.parsers.DocumentBuilderFactory

/**
 * This is a simple example of validating an XML
 * Signature using the JSR 105 API. It assumes the key needed to
 * validate the signature is contained in a KeyValue KeyInfo.
 */
object Validate {

    //
    // Synopsis: java Validate [document]
    //
    //    where "document" is the name of a file containing the XML document
    //    to be validated.
    //
    @JvmStatic
    fun main(args: Array<String>) {
        // Instantiate the document to be validated
        val dbf = DocumentBuilderFactory.newInstance()
        dbf.isNamespaceAware = true

        val doc = dbf.newDocumentBuilder().parse(FileInputStream(args[0]))

        // Find Signature element
        val nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature")
        if (nl.length == 0) {
            throw XMLParseException("Cannot find any Signature elements")
        }

        // Find SignedInfo elements that have an "Id" property and explicitly set them to be 
        // of type "ID". Inspired by: https://stackoverflow.com/a/7466809/3372061
        val nd = doc.getElementsByTagNameNS("*", "SignedInfo")
        (0 until nd.length)
            .map { nd.item(it) }
            .filter { it -> it.attributes.getNamedItem("Id") != null }
            .forEach { it -> (it as Element).setIdAttribute("Id", true) }

        // Create a DOM XMLSignatureFactory that will be used to unmarshal the
        // document containing the XMLSignature
        val fac = XMLSignatureFactory.getInstance("DOM")

        // Create a DOMValidateContext and specify a KeyValue KeySelector
        // and document context
        val valContext = DOMValidateContext(KeyValueKeySelector(), nl.item(0))

        // Unmarshal the XMLSignature
        val signature = fac.unmarshalXMLSignature(valContext)

        // Validate the XMLSignature (generated above)
        val coreValidity = signature.validate(valContext)

        // Check core validation status
        if (!coreValidity) {
            System.err.println("Signature failed core validation")
            val sv = signature.signatureValue.validate(valContext)
            println("signature validation status: " + sv)
            // check the validation status of each Reference
            val i = signature.signedInfo.references.iterator()
            var j = 0
            while (i.hasNext()) {
                val refValid = i.next().validate(valContext)
                println("ref[$j] validity status: $refValid")
                j++
            }
        } else {
            println("Signature passed core validation")
        }
    }

    /**
     * KeySelector which retrieves the public key out of the
     * KeyValue element and returns it.
     * NOTE: If the key algorithm doesn't match signature algorithm,
     * then the public key will be ignored.
     */
    private class KeyValueKeySelector : KeySelector() {
        @Throws(KeySelectorException::class)
        override fun select(keyInfo: KeyInfo?,
                            purpose: KeySelector.Purpose,
                            method: AlgorithmMethod,
                            context: XMLCryptoContext): KeySelectorResult {
            if (keyInfo == null) {
                throw KeySelectorException("Null KeyInfo object!")
            }
            val sm = method as SignatureMethod
            val list = keyInfo.content
            var pk: PublicKey? = null

            for (item in list) {
                val xmlStructure = item as XMLStructure
                if (xmlStructure is KeyValue) {
                    try {
                        pk = xmlStructure.publicKey
                    } catch (ke: KeyException) {
                        throw KeySelectorException(ke)
                    }
                } else if (xmlStructure is X509Data) {
                    for (data in xmlStructure.content) {
                        if (data is X509Certificate) {
                            pk = data.publicKey
                            break
                        }
                    }
                }
                // make sure algorithm is compatible with method
                if (algEquals(sm.algorithm, pk!!.algorithm)) {
                    return SimpleKeySelectorResult(pk)
                }
            }
            throw KeySelectorException("No KeyValue element found!")
        }

        companion object {

            //@@@FIXME: this should also work for key types other than DSA/RSA
            internal fun algEquals(algURI: String, algName: String): Boolean {
                return (algName.equals("DSA", ignoreCase = true) &&
                         algURI.equals(SignatureMethod.DSA_SHA1, ignoreCase = true)) ||
                       (algName.equals("RSA", ignoreCase = true) &&
                         algURI.equals(SignatureMethod.RSA_SHA1, ignoreCase = true))
            }
        }
    }

    private class SimpleKeySelectorResult
    internal constructor(private val pk: PublicKey) : KeySelectorResult {

        override fun getKey(): Key {
            return pk
        }
    }
}