Problem with conversion of org.dom4j.Document to org.w3c.dom.Document and XML Signature

限于喜欢 提交于 2019-12-10 13:06:24

问题


I have some classes that already use DOM4J to read XML files and provide getter methods to the data. Now, I need to add the possibility of checking XML digital signatures.

Using org.w3c.dom and following http://java.sun.com/developer/technicalArticles/xml/dig_signature_api/ everything works correctly.

So, I try to use DOMWriter to convert from org.dom4j.Document to org.w3c.dom.Document, but after this the signature validation doesn't work. I think it happens because DOMWiter is changing the XML tree (as doc4.asXML() seems to show).

I try to find something to set in order to mantain the integrity of the document, but DOMWriter don't have such methods.

Below is the code demonstrating the asymmetric conversion.

The file used for tests is http://www.robertodiasduarte.com.br/files/nfe/131090007910044_v1.10-procNFe.xml

Does someone know reasons/workarounds to this?

Thanks (and sorry my poor english).

package testevalidanfe;

import java.io.File;
import java.io.FileWriter;
import java.io.PrintWriter;
import javax.swing.JOptionPane;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.dom4j.io.XMLWriter;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

public class Testevalidanfe {

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document d = db.parse("exemplo-nfe.xml");

        Node no = d.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);

        DOMValidateContext valContext = new DOMValidateContext(new X509KeySelector(), no);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature signature = fac.unmarshalXMLSignature(valContext);

        JOptionPane.showMessageDialog(null, "Validation using org.w3c.dom: " + signature.validate(valContext));
        org.dom4j.io.DOMReader domreader = new org.dom4j.io.DOMReader();
        org.dom4j.Document doc4 = domreader.read(d);
        org.dom4j.io.DOMWriter domwriter = new org.dom4j.io.DOMWriter();
        d = domwriter.write(doc4);

        String after = doc4.asXML();

        PrintWriter writer = new PrintWriter(new File("after-convertion.xml"));
        writer.print(after);
        writer.close();

        no = d.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);

        valContext = new DOMValidateContext(new X509KeySelector(), no);
        fac = XMLSignatureFactory.getInstance("DOM");
        signature = fac.unmarshalXMLSignature(valContext);

        JOptionPane.showMessageDialog(null, "Validation after convert: " + signature.validate(valContext));
    }
}

package testevalidanfe;

import java.security.Key;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;

public class X509KeySelector extends KeySelector {
    public KeySelectorResult select(KeyInfo keyInfo,
                                KeySelector.Purpose purpose,
                                AlgorithmMethod method,
                                XMLCryptoContext context)
    throws KeySelectorException {
        Iterator ki = keyInfo.getContent().iterator();
        while (ki.hasNext()) {
            XMLStructure info = (XMLStructure) ki.next();
            if (!(info instanceof X509Data))
                continue;
            X509Data x509Data = (X509Data) info;
            Iterator xi = x509Data.getContent().iterator();
            while (xi.hasNext()) {
                Object o = xi.next();
                if (!(o instanceof X509Certificate))
                    continue;
                final PublicKey key = ((X509Certificate)o).getPublicKey();
                if (algEquals(method.getAlgorithm(), key.getAlgorithm())) {
                    return new KeySelectorResult() {
                        public Key getKey() { return key; }
                    };
                }
           }
       }
       throw new KeySelectorException("No key found!");
    }

    static boolean algEquals(String algURI, String algName) {
        if ((algName.equalsIgnoreCase("DSA") &&
            algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) ||
            (algName.equalsIgnoreCase("RSA") &&
            algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1))) {
            return true;
        } else {
            return false;
        }
    }
}

For example, if the original XML starts with:

<nfeProc versao="1.10" xmlns="http://www.portalfiscal.inf.br/nfe">
<NFe xmlns="http://www.portalfiscal.inf.br/nfe">
<infNFe Id="NFe31090807301671000131550010001000216008030809" versao="1.10" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
...

doc4.asXML() return this:

<nfeProc xmlns="http://www.portalfiscal.inf.br/nfe" versao="1.10">
<NFe>
<infNFe xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Id="NFe31090807301671000131550010001000216008030809" versao="1.10">
...

回答1:


I had a closer look at this, and it turns out that DOM4J DOMWriter is doing something odd w.r.t. namespaces that obviously confuses the canonicalization process. I haven't pin pointed the exact reason, but I think it has to do with DOMWriter inserting extra xmlns attributes in the DOM elements. You can see the effect if you turn on logging for the XML digital signature API (as described in the article you refer to), the canonicalized <SignedInfo> element lacks namespace declaration in the DOM document produced by DOM4J.

However, instead of using DOMWriter, you can produce a DOM document by transformation, using a DOM4J DocumentSource and a DOMResult.

/**
 * Create a DOM document from a DOM4J document 
 */
static Document copy(org.dom4j.Document orig) {
    try {
        TransformerFactory tf = TransformerFactory.newInstance();
        Transformer t = tf.newTransformer();
        DOMResult result = new DOMResult();
        t.transform(new DocumentSource(orig), result);
        return (Document) result.getNode();
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}

Using the resulting DOM document, the validation works.



来源:https://stackoverflow.com/questions/6872913/problem-with-conversion-of-org-dom4j-document-to-org-w3c-dom-document-and-xml-si

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!