XAdES-BES 会签无法解决参考错误答案

【问题标题】：XAdES-BES countersignature cannot resolve reference errorXAdES-BES 会签无法解决参考错误
【发布时间】：2014-04-01 20:10:13
【问题描述】：

我为 XAdES-BES 实施了验证，经过测试，除了会签之外，现在一切正常。同样的错误不仅发生在使用 xades4j 签名的文件上，而且使用其他软件也会发生，因此它与我的副署实施中的任何错误无关。我想知道我是否应该实施额外的 ResourceResolver？我为某些私人条目here 添加了一个带有“已删除”的附签文件作为附件。

下面是验证码。 certDataList 是一个列表，其中包含来自 String 文档的所有证书，getCert 将返回 List。 DummyCertificateValidationProvider 返回 ValidationData 以及之前构建的 x509certs 列表。

    public boolean verify(final File file) {
        if (!Dictionaries.valid()) {
            return true;
        }
        certList = null;
        try {

            final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            final DocumentBuilder db = dbf.newDocumentBuilder();

            final Document doc = db.parse(file);
            doc.getDocumentElement().normalize();

            final NodeList nList = doc.getElementsByTagName("ds:Signature");
            Element elem = null;
            for (int temp = 0; temp < nList.getLength(); temp++) {
                final Node nNode = nList.item(temp);
                if (nNode.getNodeType() == Node.ELEMENT_NODE) {
                    elem = (Element) nNode;
                }
            }
            final NodeList nList2 = doc.getElementsByTagName("ds:X509Certificate");
            final List<String> certDataList = new ArrayList<String>();
            for (int temp = 0; temp < nList2.getLength(); temp++) {
                final Node nNode = nList2.item(temp);
                certDataList.add(nNode.getTextContent());
            }
            certList = getCert(certDataList);

            final CertificateValidationProvider certValidator = new DummyCertificateValidationProvider(certList);

            final XadesVerificationProfile p = new XadesVerificationProfile(certValidator);
            final XadesVerifier v = p.newVerifier();
            final SignatureSpecificVerificationOptions opts = new SignatureSpecificVerificationOptions();

            // for relative document paths
            final String baseUri = "file:///" + file.getParentFile().getAbsolutePath().replace("\\", "/") + "/";
            LOGGER.debug("baseUri:" + baseUri);
            opts.useBaseUri(baseUri);
            v.verify(elem, opts);
            return true;
        } catch (final IllegalArgumentException | XAdES4jException | CertificateException | IOException | ParserConfigurationException | SAXException e) {
            LOGGER.error("XML not validated!", e);
        }

        return false;
}

这是堆栈跟踪：

21:31:48,203 DEBUG ResourceResolver:158 - I was asked to create a ResourceResolver and got 0 
21:31:48,203 DEBUG ResourceResolver:101 - check resolvability by class org.apache.xml.security.utils.resolver.ResourceResolver 
21:31:48,204 DEBUG ResolverFragment:137 - State I can resolve reference: "#xmldsig-5de7b1d0-be70-4dde-b746-3f4d4d6de39f-sigvalue" 
21:31:48,204 ERROR SignComponent:658 - XML not validated!

xades4j.XAdES4jXMLSigException: Error verifying the signature
    at xades4j.verification.XadesVerifierImpl.doCoreVerification(XadesVerifierImpl.java:284)
    at xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:188)
    at com.signapplet.sign.SignComponent.verify(SignComponent.java:655)
...

Caused by: org.apache.xml.security.signature.MissingResourceFailureException: The Reference for URI #xmldsig-5de7b1d0-be70-4dde-b746-3f4d4d6de39f-sigvalue has no XMLSignatureInput
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID xmldsig-5de7b1d0-be70-4dde-b746-3f4d4d6de39f-sigvalue
Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID xmldsig-5de7b1d0-be70-4dde-b746-3f4d4d6de39f-sigvalue
    at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:414)
    at org.apache.xml.security.signature.SignedInfo.verify(SignedInfo.java:259)
    at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:724)
    at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:656)
    at xades4j.verification.XadesVerifierImpl.doCoreVerification(XadesVerifierImpl.java:277)
    ... 39 more
Caused by: org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID xmldsig-5de7b1d0-be70-4dde-b746-3f4d4d6de39f-sigvalue

编辑： 当我尝试验证随 xades4j 单元测试 document.signed.bes.cs.xml 提供的文件时，也会发生同样的错误。

Caused by: org.apache.xml.security.signature.MissingResourceFailureException: The Reference for URI #xmldsig-281967d1-74f8-482c-8222-ed58dbd1909b-sigvalue has no XMLSignatureInput
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID xmldsig-281967d1-74f8-482c-8222-ed58dbd1909b-sigvalue
Caused by: org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID xmldsig-281967d1-74f8-482c-8222-ed58dbd1909b-sigvalue

【问题讨论】：

签名后一切正常。有柜台签名测试。我看到的唯一区别是，在测试中，根签名元素的 Id 属性设置为该元素的 XML ID。但我认为这不会影响参考解析。并且 ResolverFragment 声明它可以解析 ref...
我刚刚检查了 document.signed.bes.cs.xml 的验证（在 xades4j 测试资源中）并且我有同样的错误。看起来我必须在代码验证中遗漏一些东西。我在问题末尾添加了来自 document.signed.bes.cs.xml 验证的堆栈跟踪。

标签： bouncycastle xades4j

【解决方案1】：

问题出在 ds:Signature 上。在会签中，您将有多个 ds:Signature 条目。在我的验证方法中，我使用了 for 循环：

    for (int temp = 0; temp < nList.getLength(); temp++) {
        final Node nNode = nList.item(temp);
        if (nNode.getNodeType() == Node.ELEMENT_NODE) {
            elem = (Element) nNode;
        }
    }

如您所见，找到元素时没有中断，所以我最终得到了最后一个 ds:Signature，而不是第一个，因此无法找到之前的所有签名。

【讨论】：