none
XML签名的问题 RRS feed

  • 问题

  • <trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <trust:RequestSecurityTokenResponse Context="http://XX">
        <trust:Lifetime>
          <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-07-10T05:50:33.041Z</wsu:Created>
          <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-07-10T09:50:33.041Z</wsu:Expires>
        </trust:Lifetime>
        <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
            <wsa:Address>urn:XXXX</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <trust:RequestedSecurityToken>
          <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_6b8d4d4a-a8d0-424b-b4f4-cc3650791828" Issuer="http://XXXX" IssueInstant="2015-07-10T05:50:33.267Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
            <saml:Conditions NotBefore="2015-07-10T05:50:33.041Z" NotOnOrAfter="2015-07-10T09:50:33.041Z">
              <saml:AudienceRestrictionCondition>
                <saml:Audience>urn:XXXX</saml:Audience>
              </saml:AudienceRestrictionCondition>
            </saml:Conditions>
            <saml:AttributeStatement>
              <saml:Subject>
                <saml:SubjectConfirmation>
                  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
              </saml:Subject>
              <saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                <saml:AttributeValue>XXXX</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="CommonName" AttributeNamespace="http://schemas.xmlsoap.org/claims">
                <saml:AttributeValue>XXX</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
                <saml:AttributeValue>XXX</saml:AttributeValue>
                <saml:AttributeValue>XXX</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
          </saml:Assertion>
        </trust:RequestedSecurityToken>
        <trust:RequestedAttachedReference>
          <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_6b8d4d4a-a8d0-424b-b4f4-cc3650791828</o:KeyIdentifier>
          </o:SecurityTokenReference>
        </trust:RequestedAttachedReference>
        <trust:RequestedUnattachedReference>
          <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_6b8d4d4a-a8d0-424b-b4f4-cc3650791828</o:KeyIdentifier>
          </o:SecurityTokenReference>
        </trust:RequestedUnattachedReference>
        <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
        <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
        <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
      </trust:RequestSecurityTokenResponse>
    </trust:RequestSecurityTokenResponseCollection>
    

    这是一段的令牌中包含SAML 1.1用户声明的,是一段XML,也是XML文件的一部分,我需要用X509证书对其进行签名,但是由于没有ID字段,

    SignedXml signedXml = new SignedXml(Doc);
            
            //获取签名证书
                X509Certificate2 x = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, issuer);
            signedXml.SigningKey = x.PrivateKey;
    
            //引用
            //指定了在哈希运算之前应当如何对将要签名的数据进行处理。
            //URI属性标识要签名的数据,而Transforms元素指定如何处理数据。
            Reference reference = new Reference("#_6b8d4d4a-a8d0-424b-b4f4-cc3650791828");
                //reference.Uri = "#_6b8d4d4a-a8d0-424b-b4f4-cc3650791828"; //空字符串,它指定对整个文档进行签名并且包含签名,需要特别注意的是文档中如果已经存在<Signature>节点,在签名前将先被移除。
            XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();  //使用包封式签名转换
            reference.AddTransform(env);
            signedXml.AddReference(reference);
    
            //向签名的接收方提供签名证书的信息,在验证签名的同时可以验证签名证书
            KeyInfoX509Data keyInfoX509 = new KeyInfoX509Data(x, X509IncludeOption.EndCertOnly);
            signedXml.KeyInfo.AddClause(keyInfoX509);
    
            //签名
            signedXml.ComputeSignature();
    用这段代码进行签名会提示Reference 元素的格式不正确。该如何对那段XML实现签名呢?


    ...

    2015年7月17日 8:51