Question
I'm trying to replicate an XMLDSig from a gSOAP web service using WS-Security, but the signatures never match. The service uses rsa-sha1, and I have access to both the public and the private key.
I'm grabbing the byte string of the element via regex, including the trailing tabs (b'\t'), so it is identical to the original byte-by-byte, and I'm trying to sign it using the same private key (alternatively, I've tried verifying the signature with the public key), but to no avail.
Currently I'm trying my luck with removing the tabs (b'\t') so that it is all flush with the XML root:
import io
import re
from lxml import etree  # assumed: the etree/c14n usage in the question points at lxml

def extractSigInfFromHttp(data):
    f = io.BytesIO(data)
    root = etree.parse(f)
    # Exclusive C14N of the whole document; the question's undefined c14n() helper
    # is replaced here by lxml's own exclusive-C14N serializer (same algorithm URI)
    data = etree.tostring(root, method='c14n', exclusive=True)
    # Raw byte substring from the Signature start tag up to the end of SignedInfo
    # (rb'' so that \s is a regex class rather than an invalid bytes escape)
    filtered = re.search(rb'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n([\s\S]+)</ds:SignedInfo>', data)
    if filtered:
        sig = filtered.group(1)
        # Strip the four-tab indentation so the fragment sits flush with the root
        newsig = re.sub(b'\t\t\t\t', b'', sig)
        return newsig + b'</ds:SignedInfo>'
    return None
As you can see in the code, I am also doing c14n before signing / verifying.
But the signature never matches / verifies ... Could anyone tell me in which form gSOAP WSS, or WSS in general, processes the element? The XMLDSig examples I could find online always show just the element as root, or never show what exactly is digested.
Answer 1:
After contacting gSOAP support, I've been told to use the unindented XML because the indented XML behaves pretty much unpredictably.
Furthermore, I ended up using signxml.XMLVerifier().verify and snatching the signedInfo variable before it gets verified. Basically, the way to go here is to build an etree over the XML and extract the SignedInfo element there. No idea how exactly it differs from the byte (sub)string, but this made the M2Crypto verification work.
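To make concrete what the answer describes (take the SignedInfo element out of an etree and canonicalize that, rather than a byte substring), here is an added round-trip example that is not part of the question, the answer, gSOAP or signxml: it signs a constructed, tab-indented gSOAP-style envelope and verifies it with lxml's exclusive C14N and the cryptography package standing in for M2Crypto. The envelope, the wsu:Id value "Body" and the function names are assumptions made for the example; the key is a throwaway generated at run time.

```python
import base64
import hashlib
from lxml import etree
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
# Constructed gSOAP-style, tab-indented envelope with placeholder content (not real traffic).
TEMPLATE = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
\t<soap:Header><ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
\t\t<ds:Reference URI="#Body"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue/></ds:Reference>
\t</ds:SignedInfo><ds:SignatureValue/></ds:Signature></soap:Header>
\t<soap:Body wsu:Id="Body"><e:echo xmlns:e="urn:example">hi</e:echo></soap:Body>
</soap:Envelope>"""

def exc_c14n(node):
    # Exclusive C14N of the element in document context: xmlns:ds is re-emitted on it, ancestor-only namespaces dropped, inner indentation kept, <x/> becomes <x></x>.
    return etree.tostring(node, method="c14n", exclusive=True, with_comments=False)

def reference_digest(ref):
    # A Reference digests the exc-C14N bytes of the element its URI points at, not a raw substring.
    target = ref.xpath("//*[@wsu:Id=$i]", namespaces=NS, i=ref.get("URI")[1:])[0]
    return base64.b64encode(hashlib.sha1(exc_c14n(target)).digest()).decode()

def sign_envelope(private_key):
    root = etree.fromstring(TEMPLATE)
    sig = root.find(".//ds:Signature", NS)
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):   # digests must be filled in first
        ref.find("ds:DigestValue", NS).text = reference_digest(ref)
    raw = private_key.sign(exc_c14n(sig.find("ds:SignedInfo", NS)), padding.PKCS1v15(), hashes.SHA1())
    sig.find("ds:SignatureValue", NS).text = base64.b64encode(raw).decode()
    return etree.tostring(root)

def verify_envelope(envelope, public_key):
    sig = etree.fromstring(envelope).find(".//ds:Signature", NS)
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        if ref.findtext("ds:DigestValue", namespaces=NS) != reference_digest(ref):
            return False                                        # referenced content was altered
    sigval = base64.b64decode(sig.findtext("ds:SignatureValue", namespaces=NS))
    try:   # the RSA-SHA1 signature covers exc-C14N of <ds:SignedInfo> alone
        public_key.verify(sigval, exc_c14n(sig.find("ds:SignedInfo", NS)), padding.PKCS1v15(), hashes.SHA1())
        return True
    except Exception:                                           # InvalidSignature or bad base64
        return False

def demo():
    # Round trip with a throwaway key: (canonical SignedInfo bytes, verifies?, tampered copy verifies?)
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    env, pub = sign_envelope(key), key.public_key()
    return exc_c14n(etree.fromstring(env).find(".//ds:SignedInfo", NS)), verify_envelope(env, pub), verify_envelope(env.replace(b">hi<", b">ho<"), pub)
```

Compare the canonical SignedInfo bytes returned by demo() with the regex substring from the question: the canonical form carries an xmlns:ds declaration on the <ds:SignedInfo> start tag itself, keeps the tab indentation inside the element, and expands empty tags, so a byte-for-byte copy of the serialized fragment does not hash to the same value.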
Source: https://stackoverflow.com/questions/57411725/replicating-verifying-xmldsig-from-a-soap-request-in-python