Unable to verify Signed XML with Certificate (.cer)

问题

The bounty expires in 13 hours. Answers to this question are eligible for a +50 reputation bounty. moDev wants to draw more attention to this question.

I'm trying to verify signed XML(signature) with certificate but it always returns false. Please advice

Signed XML

<?xml version="1.0" encoding="utf-16"?><LicenseEntity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="MyLicense"><AppName>QMS</AppName><ClientName>SBI</ClientName><UID>1HFELV6-15FTOEJ-SGKXQG-1YDT2I4</UID><Type>Single</Type><CreateDateTime>0001-01-01T00:00:00</CreateDateTime><LicenseValues><EnableFeatureKey>Transfer</EnableFeatureKey><EnableFeatureValue>true</EnableFeatureValue></LicenseValues><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>RT2AjddRXYe5urTO2XS0rsiQmkzqfrFFGQUInCb9xPg=</DigestValue></Reference></SignedInfo><SignatureValue>lWYs8T6LxkqLk9wh9CCR1KKlNWj0voXlB+E5cZDX3/IOKQpVCyS9PPsnqYsYjuKXyWnkldB10AIJdBRa1CSV3iW3j7wniKPl0FNItS+zNtSOBYz2vDQy+67p3JHXZaWCN+BAKmvGqyB9Kba4Xh0cCfa6OaExcW7axTad8E0ez2+hveNLXgKvKtDcaRk6h/RXzj3hMLMIeQEViyOzmlIxo5kIUPCPd1t4YIdr9U+7rcPP2PNp+p8GbXdBe6bsoTcF/hh8Wj78803hVjFE1hkymI6AiHXQohVTKEKdzNygEpN4SsilCulVKHJFhX4gavd0zJWUrtNKWBvXAvVkaST2hQ==</SignatureValue></Signature></LicenseEntity>

Here is my code to verify

private boolean validateCertificate(String xml,String signatureValue){


    CertificateFactory certificateFactory = null;

    try {

        certificateFactory = CertificateFactory.getInstance("X.509");

        InputStream inputStream = requireContext().getAssets().open("licence-01.cer");
        Certificate certificate = certificateFactory.generateCertificate(inputStream);
        X509Certificate x509Certificate = (X509Certificate) certificate;

        RSAPublicKey rsaPublicKey = (RSAPublicKey) x509Certificate.getPublicKey();
       

        Signature signature = Signature.getInstance("SHA1WithRSA");
        signature.initVerify(rsaPublicKey);
        signature.update(xml.getBytes());
        return signature.verify(signatureValue.getBytes());

    } catch (CertificateException | IOException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
        e.printStackTrace();
        Utility.showLog(TAG,String.valueOf(e));
    }

    return false;
}

Please suggest what I'm doing wrong. TIA.

回答1:

You can use the following code in order to test the behaviour. Read the signed xml and public certificate to verify the signatures. Any minimal change in the original signed xml will invalidate the signatures and you can test it easily by changing any character in the signed xml.

package com;

import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class ValidateUsingCertificate {
  
  public static final String SIGNED_XML = "response.xml";
  public static final String CERTIFICATE = "cert.cer";
  
  public static void main(String[] args) throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    
    FileInputStream fis = new FileInputStream(SIGNED_XML);
    Document doc = dbf.newDocumentBuilder().parse(fis);
    
    CertificateFactory fact = CertificateFactory.getInstance("X.509");
    FileInputStream is = new FileInputStream(CERTIFICATE);
    X509Certificate cert = (X509Certificate) fact.generateCertificate(is);
    boolean verify = verifySignature(doc, cert);
    System.out.println("verify :" + verify);
  }
  
  
  private static boolean verifySignature(Document doc, X509Certificate cert) {
    try {
      if (doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").getLength() == 0)
        throw new Exception("Cannot find Signature element");
      
      DOMValidateContext valContext = new DOMValidateContext(cert.getPublicKey(),
          doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0));
      
      XMLSignature signature =
          XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(valContext);
      
      return signature.validate(valContext);
    } catch (Exception e) {
      e.printStackTrace();
    }
    return false;
  }
  
}

来源：https://stackoverflow.com/questions/66117526/unable-to-verify-signed-xml-with-certificate-cer