Verifying a digital signature using StAX

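Stack Overflow user
Asked 2017-02-26 07:09:05
Answers: 1, Views: 391, Followers: 0, Votes: 1

How can I verify a digital signature with StAX in Java? I already know how to verify it using DOM. I have a very large XML file, and I need a way to verify the signature using StAX. Please help me.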


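1 Answer

Stack Overflow user

Posted 2017-02-26 08:28:12

I found this blog post, which points to some code demonstrating the StAX implementation:

To see how to configure the new StAX-based inbound signature functionality, take a look at the "verifyUsingStAX" method used by the tests. As with signature creation, it is necessary to create an XMLSecurityProperties object and to tell it what "Action" to perform. In addition, unless the complete signing key is included in the Signature KeyInfo, you must call the following method:

  • properties.setSignatureVerificationKey(Key) - the key to use to verify the signature.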

https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-signature/src/test/java/org/apache/coheigea/santuario/xmlsignature/SignatureUtils.java#L201

    /**
     * Verify the document using the StAX API of Apache Santuario - XML Security for Java.
     */
    public static void verifyUsingStAX(
        InputStream inputStream,
        List<QName> namesToSign,
        X509Certificate cert
    ) throws Exception {
        // Set up the Configuration
        XMLSecurityProperties properties = new XMLSecurityProperties();
        List<XMLSecurityConstants.Action> actions = new ArrayList<XMLSecurityConstants.Action>();
        actions.add(XMLSecurityConstants.SIGNATURE);
        properties.setActions(actions);

        properties.setSignatureVerificationKey(cert.getPublicKey());

        InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);

        XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
        final XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(inputStream);

        TestSecurityEventListener eventListener = new TestSecurityEventListener();
        XMLStreamReader securityStreamReader = 
            inboundXMLSec.processInMessage(xmlStreamReader, null, eventListener);

        while (securityStreamReader.hasNext()) {
            securityStreamReader.next();
        }
        xmlStreamReader.close();
        inputStream.close();

        // Check that what we were expecting to be signed was actually signed
        List<SignedElementSecurityEvent> signedElementEvents =
            eventListener.getSecurityEvents(SecurityEventConstants.SignedElement);
        Assert.assertNotNull(signedElementEvents);

        for (QName nameToSign : namesToSign) {
            boolean found = false;
            for (SignedElementSecurityEvent signedElement : signedElementEvents) {
                if (signedElement.isSigned()
                    && nameToSign.equals(getSignedQName(signedElement.getElementPath()))) {
                    found = true;
                    break;
                }
            }
            Assert.assertTrue(found);
        }

        // Check Signing cert
        X509TokenSecurityEvent tokenEvent =
            (X509TokenSecurityEvent)eventListener.getSecurityEvent(SecurityEventConstants.X509Token);
        Assert.assertNotNull(tokenEvent);

        Assert.assertTrue(tokenEvent.getSecurityToken() instanceof X509SecurityToken);
        X509SecurityToken x509SecurityToken = (X509SecurityToken)tokenEvent.getSecurityToken();
        Assert.assertEquals(x509SecurityToken.getX509Certificates()[0], cert);
    }
Votes: 0
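
A non-test variant of the approach in the answer above, as an added example that is not from the original post or the linked project: it replaces the test-only TestSecurityEventListener and JUnit asserts with a small listener and a boolean result, and disables DTDs and external entities on the parser. The class and method names are hypothetical, and it assumes Apache Santuario's StAX API is on the classpath and that the last entry of getElementPath() names the signed element.

```java
import java.io.InputStream;
import java.security.PublicKey;
import java.util.*;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import org.apache.xml.security.stax.ext.*;
import org.apache.xml.security.stax.securityEvent.*;

public final class StaxSignatureCheck { // hypothetical class name
    /** Records the QName of every element the library reports as signed. */
    static final class SignedNames implements SecurityEventListener {
        final Set<QName> names = new HashSet<>();
        @Override
        public void registerSecurityEvent(SecurityEvent event) {
            if (!(event instanceof SignedElementSecurityEvent)) {
                return;
            }
            SignedElementSecurityEvent signed = (SignedElementSecurityEvent) event;
            List<QName> path = signed.getElementPath();
            // Assumption: the last entry of the path names the signed element.
            if (signed.isSigned() && path != null && !path.isEmpty()) {
                names.add(path.get(path.size() - 1));
            }
        }
    }

    /** True only if the stream verified and every required element was signed. */
    public static boolean verify(InputStream in, PublicKey key, Set<QName> required)
            throws Exception {
        XMLSecurityProperties properties = new XMLSecurityProperties();
        List<XMLSecurityConstants.Action> actions = new ArrayList<>();
        actions.add(XMLSecurityConstants.SIGNATURE);
        properties.setActions(actions);
        properties.setSignatureVerificationKey(key);
        // Untrusted input: refuse DTDs and external entities before parsing.
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        SignedNames listener = new SignedNames();
        XMLStreamReader secured = XMLSec.getInboundWSSec(properties)
            .processInMessage(factory.createXMLStreamReader(in), null, listener);
        while (secured.hasNext()) {
            secured.next(); // a bad signature or digest is thrown from here
        }
        secured.close();
        return listener.names.containsAll(required);
    }
}
```

Because verification failures are raised while the stream is being read, any code that consumes events from the secured reader should not act on the content until the loop has run to the end and the required-element check has passed.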
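The original content of this page is provided by Stack Overflow. Translation support is provided by Tencent Cloud Xiaowei's IT-domain engine.
Original link: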

https://stackoverflow.com/questions/42462717
