Sign XML file command

Introduction


This command digitally signs an XML file with a digital signature (CKS) derived from an X.509 certificate.

To check a signed document, use the SPC.Crypto.Commands.VerifyXml command.

Diagram of the digital-signing principle for a data file (image: Digital_Signature_diagram)

Usage


SPC.Crypto.Commands.SignXmlFile?$SigningId=SigningData&$SignatureElement=DSCKS/NBan

$SigningId
The Id value of the XML element that must be signed. If not specified, the whole document is signed.

$SignatureElement
The element of the XML document that will hold the digital signature (CKS) after signing. If not specified, the CKS is appended at the end of the document.

See the example of a digitally signed XML file below:

<?xml version="1.0" encoding="UTF-8"?>
<HDon>
   <DLHDon Id="SigningData">
      <TTChung>
         <PBan>1.0.0</PBan>
         <THDon>Hóa đơn giá trị gia tăng</THDon>
         <KHMSHDon>BOOK6</KHMSHDon>
         <KHHDon>SER6</KHHDon>
         <SHDon>0000062</SHDon>
         <TDLap>2021-04-27</TDLap>
         <DVTTe>VND</DVTTe>
         <TGia>1</TGia>
      </TTChung>
      <NDHDon>
         <NBan>
            <Ten>Cty CP CN San Phú</Ten>
            <MST>TEST0303430876</MST>
            <DChi>67 Mai Chí Thọ.</DChi>
         </NBan>
         <NMua>
            <Ten>Cty ABC</Ten>
            <MST>0303430876</MST>
            <DChi>67 Mai Chi Tho</DChi>
         </NMua>
         <DSHHDVu>
            <HHDVu>
               <TChat>1</TChat>
               <STT>1</STT>
               <Ten>01-1AIE11Z. Academic IELTS Extra Assignmen</Ten>
               <DVTinh />
               <SLuong>1.00000</SLuong>
               <DGia>111111.0000</DGia>
               <TLCKhau>0</TLCKhau>
               <STCKhau>0</STCKhau>
               <ThTien>111111.00</ThTien>
               <TSuat>10</TSuat>
               <TThue>11111</TThue>
               <ThTCThue>122222</ThTCThue>
            </HHDVu>
         </DSHHDVu>
         <TToan>
            <THTTLTSuat>
               <LTSuat>
                  <TSuat>0%</TSuat>
                  <TThue>0</TThue>
                  <ThTien>0</ThTien>
               </LTSuat>
               <LTSuat>
                  <TSuat>5%</TSuat>
                  <TThue>0</TThue>
                  <ThTien>0</ThTien>
               </LTSuat>
               <LTSuat>
                  <TSuat>10%</TSuat>
                  <TThue>11111</TThue>
                  <ThTien>122222</ThTien>
               </LTSuat>
            </THTTLTSuat>
            <TgTCThue>111111.00</TgTCThue>
            <TgTThue>11111.00</TgTThue>
            <DSLPhi />
            <TTCKTMai>0</TTCKTMai>
            <TgTTTBSo>122222.00</TgTTTBSo>
            <TgTTTBChu>Một trăm hai mươi hai nghìn, hai trăm hai mươi hai đồng chẵn</TgTTTBChu>
         </TToan>
      </NDHDon>
      <SignDate>2021-04-27</SignDate>
   </DLHDon>
   <MCCQT />
   <DSCKS>
      <NBan>
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
               <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
               <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
               <Reference URI="#SigningData">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                     <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                  <DigestValue>vDnRLvIxgIQ6/Ua9HoRXCIhKmXGUrgS9NXPr1OeOsHE=</DigestValue>
               </Reference>
            </SignedInfo>
            <SignatureValue>h06EEh1OeWf0ikRHhDBKRpy3vvKAlP0aFNeSundCsB3vW0/YqiWQBpc84+ihFISc3n5yRAzPTNv+vTsNV6I27T1wPOUwHBa7ies4QTNK2ih1kmhkFBFnMxiPaQvG7L7JWmA3gtBEsFimYMeJYnHsjayQr7cVtCoZYgxRjEgCDvwpaw1MEB2oiBUJcBPmV8W9tOcNY/tTzWQTpvh/t1H0t2ZDO+Yp9ujg9ayDogWBgQCcp95EkpcIFVmxb3NTG73aLQwcLxQ3/IoNGPsE5/s62pk7DhWra5cuXcSXCw5ScbBFRR/DhF8sdMkv3QN+EMXPmnRwEa3lryalrYy1gmRA1g==</SignatureValue>
            <KeyInfo>
               <X509Data>
                  <X509Certificate>MIIFKDCCBBCgAwIBAgIQDiyqbO3XncxhqUPqvC7sbDANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBTaWduaW5nIENBMB4XDTE4MDcyNDAwMDAwMFoXDTIxMDcyODEyMDAwMFowZTELMAkGA1UEBhMCVk4xFDASBgNVBAcTC0hvIENoaSBNaW5oMR8wHQYDVQQKExZTQU4gUEhVIFRFQ0hOT0xPR1kgSlNDMR8wHQYDVQQDExZTQU4gUEhVIFRFQ0hOT0xPR1kgSlNDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwIZC785enJT1oHyvxOh1RIyIE0o/sg3lz/87DC9iXcpl3R6kBfGgQHsmfMKdc1W5dUYX19EpT8pTvl2ks4TTPYhwVU+vDigXXbjMYyNRAQkuE8MNNsl+ZuMxwev8nQIAlK3te5i1Vnp5LwQeN2kVflCmkSXgwuXQVc1+U7hoQ3k7XqhANx4+mc7yeuWSROYlg26cuoGdxS33f6IRy9S3G5JzUcnIvu2j+F1hhdC4GaPiNAZBU1lrzvj9tRm649P+wB3J50DNRn5rPBQ1wpyaBK1WNy4ibMt9frH4SIh2QdUC4L5Qwx8BRid3r7jRnlFQ3Ru41wRuZGOpW0032sq/LwIDAQABo4IBxTCCAcEwHwYDVR0jBBgwFoAUWsS5eyoKo6XqcQPAYPkt9mV1DlgwHQYDVR0OBBYEFOMDaEx0YAJZwiQbDd0EKjai+d4FMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzB3BgNVHR8EcDBuMDWgM6Axhi9odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1hc3N1cmVkLWNzLWcxLmNybDA1oDOgMYYvaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAwEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBBAEwgYQGCCsGAQUFBwEBBHgwdjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tME4GCCsGAQUFBzAChkJodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEyQXNzdXJlZElEQ29kZVNpZ25pbmdDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEA9yOCQxYthgkSDt5DL6eA2KsbZ2jOt0UBlpFoSch2Pe9PbeqMiuYma1gZ7+rFu6zfa0jygpndAmTjXhiFCvH+dDYcF2Iv7FdOC1DSGrLUOttMkFskCaXItvE9LpvRa77kJbEctCNNq3bcOUG7XS2J0b/GbsdEskdRJf6brushLu6CdTdH2+LVUVgFMOb1/o8WQK9nVQmzCLflQtIBL7z6MeF4tQp3FbQNWZcNmgn2BlPP5+MPUFz0BRT6ebtAiC6JXlOe8iCkyraWVNor4PO1fxEdmv+AeulR82C0ek8cfprE3MNedP5MGpCEdvQK1Lz5komIykyT8KIXA+4VNPMO/w==</X509Certificate>
               </X509Data>
               <KeyValue>
                  <RSAKeyValue>
                     <Modulus>wIZC785enJT1oHyvxOh1RIyIE0o/sg3lz/87DC9iXcpl3R6kBfGgQHsmfMKdc1W5dUYX19EpT8pTvl2ks4TTPYhwVU+vDigXXbjMYyNRAQkuE8MNNsl+ZuMxwev8nQIAlK3te5i1Vnp5LwQeN2kVflCmkSXgwuXQVc1+U7hoQ3k7XqhANx4+mc7yeuWSROYlg26cuoGdxS33f6IRy9S3G5JzUcnIvu2j+F1hhdC4GaPiNAZBU1lrzvj9tRm649P+wB3J50DNRn5rPBQ1wpyaBK1WNy4ibMt9frH4SIh2QdUC4L5Qwx8BRid3r7jRnlFQ3Ru41wRuZGOpW0032sq/Lw==</Modulus>
                     <Exponent>AQAB</Exponent>
                  </RSAKeyValue>
               </KeyValue>
            </KeyInfo>
         </Signature>
      </NBan>
      <NMua />
   </DSCKS>
</HDon>

In the example above, when signing the invoice only the content of the element whose Id is SigningData is signed. After signing, any change to this element invalidates the digital signature.

<DLHDon Id="SigningData">
...
</DLHDon>

Public key

The signer's certificate (public key) is attached to the data content in the element:

<KeyInfo>
   <X509Data>
      <X509Certificate>MIIFKDCCBBCgAwIBAgIQDiyqbO3XncxhqUPqvC7sbDANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBTaWduaW5nIENBMB4XDTE4MDcyNDAwMDAwMFoXDTIxMDcyODEyMDAwMFowZTELMAkGA1UEBhMCVk4xFDASBgNVBAcTC0hvIENoaSBNaW5oMR8wHQYDVQQKExZTQU4gUEhVIFRFQ0hOT0xPR1kgSlNDMR8wHQYDVQQDExZTQU4gUEhVIFRFQ0hOT0xPR1kgSlNDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwIZC785enJT1oHyvxOh1RIyIE0o/sg3lz/87DC9iXcpl3R6kBfGgQHsmfMKdc1W5dUYX19EpT8pTvl2ks4TTPYhwVU+vDigXXbjMYyNRAQkuE8MNNsl+ZuMxwev8nQIAlK3te5i1Vnp5LwQeN2kVflCmkSXgwuXQVc1+U7hoQ3k7XqhANx4+mc7yeuWSROYlg26cuoGdxS33f6IRy9S3G5JzUcnIvu2j+F1hhdC4GaPiNAZBU1lrzvj9tRm649P+wB3J50DNRn5rPBQ1wpyaBK1WNy4ibMt9frH4SIh2QdUC4L5Qwx8BRid3r7jRnlFQ3Ru41wRuZGOpW0032sq/LwIDAQABo4IBxTCCAcEwHwYDVR0jBBgwFoAUWsS5eyoKo6XqcQPAYPkt9mV1DlgwHQYDVR0OBBYEFOMDaEx0YAJZwiQbDd0EKjai+d4FMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzB3BgNVHR8EcDBuMDWgM6Axhi9odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1hc3N1cmVkLWNzLWcxLmNybDA1oDOgMYYvaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAwEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBBAEwgYQGCCsGAQUFBwEBBHgwdjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tME4GCCsGAQUFBzAChkJodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEyQXNzdXJlZElEQ29kZVNpZ25pbmdDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEA9yOCQxYthgkSDt5DL6eA2KsbZ2jOt0UBlpFoSch2Pe9PbeqMiuYma1gZ7+rFu6zfa0jygpndAmTjXhiFCvH+dDYcF2Iv7FdOC1DSGrLUOttMkFskCaXItvE9LpvRa77kJbEctCNNq3bcOUG7XS2J0b/GbsdEskdRJf6brushLu6CdTdH2+LVUVgFMOb1/o8WQK9nVQmzCLflQtIBL7z6MeF4tQp3FbQNWZcNmgn2BlPP5+MPUFz0BRT6ebtAiC6JXlOe8iCkyraWVNor4PO1fxEdmv+AeulR82C0ek8cfprE3MNedP5MGpCEdvQK1Lz5komIykyT8KIXA+4VNPMO/w==</X509Certificate>
   </X509Data>
   <KeyValue>
      <RSAKeyValue>
         <Modulus>wIZC785enJT1oHyvxOh1RIyIE0o/sg3lz/87DC9iXcpl3R6kBfGgQHsmfMKdc1W5dUYX19EpT8pTvl2ks4TTPYhwVU+vDigXXbjMYyNRAQkuE8MNNsl+ZuMxwev8nQIAlK3te5i1Vnp5LwQeN2kVflCmkSXgwuXQVc1+U7hoQ3k7XqhANx4+mc7yeuWSROYlg26cuoGdxS33f6IRy9S3G5JzUcnIvu2j+F1hhdC4GaPiNAZBU1lrzvj9tRm649P+wB3J50DNRn5rPBQ1wpyaBK1WNy4ibMt9frH4SIh2QdUC4L5Qwx8BRid3r7jRnlFQ3Ru41wRuZGOpW0032sq/Lw==</Modulus>
         <Exponent>AQAB</Exponent>
      </RSAKeyValue>
   </KeyValue>
</KeyInfo>

Signature

Generated from the signed content and the certificate's private key:

<SignatureValue>h06EEh1OeWf0ikRHhDBKRpy3vvKAlP0aFNeSundCsB3vW0/YqiWQBpc84+ihFISc3n5yRAzPTNv+vTsNV6I27T1wPOUwHBa7ies4QTNK2ih1kmhkFBFnMxiPaQvG7L7JWmA3gtBEsFimYMeJYnHsjayQr7cVtCoZYgxRjEgCDvwpaw1MEB2oiBUJcBPmV8W9tOcNY/tTzWQTpvh/t1H0t2ZDO+Yp9ujg9ayDogWBgQCcp95EkpcIFVmxb3NTG73aLQwcLxQ3/IoNGPsE5/s62pk7DhWra5cuXcSXCw5ScbBFRR/DhF8sdMkv3QN+EMXPmnRwEa3lryalrYy1gmRA1g==</SignatureValue>

During verification, the signed content is hashed and compared with the result of decrypting the SignatureValue above with the public key from the KeyInfo element.

If the two match, the data is intact and has not changed since the moment of signing. This proves:

  1. The signer is the owner of the certificate, since only the owner knows the private key.
  2. The content has not changed since the moment of signing.
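The signing and verification steps described above, as an added Go example that is not part of the SPC project's code. It assumes the referenced element has already been put through the enveloped-signature transform and C14N (the input is a constructed, already-canonical fragment of the invoice's DLHDon element), generates a throwaway RSA key pair in place of the X.509 certificate's key, and reuses the algorithm URIs of the invoice above (c14n, rsa-sha1, sha256 digest). Verification performs the two checks in the order the page gives: the digest of the referenced element against DigestValue, then SignatureValue over SignedInfo with the public key. The names Sign, Verify, digestB64, buildSignedInfo and SignedInfo are the example's own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Algorithm URIs exactly as they appear in the signed invoice on this page.
const (
	c14nURI      = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
	envelopedURI = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
	rsaSha1URI   = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
	sha256URI    = "http://www.w3.org/2001/04/xmlenc#sha256"
)

// Constructed sample: bytes of the <DLHDon Id="SigningData"> element after the
// enveloped-signature transform and C14N. A real implementation must run those
// transforms itself; here the input is assumed to be already canonical.
var canonicalSigningData = []byte(`<DLHDon Id="SigningData"><TTChung><SHDon>0000062</SHDon><TDLap>2021-04-27</TDLap></TTChung></DLHDon>`)

// SignedInfo carries what a verifier needs besides the signed data itself.
type SignedInfo struct {
	SignedInfoXML  []byte // canonical <SignedInfo> that the RSA signature covers
	DigestValue    string // base64 SHA-256 of the referenced element
	SignatureValue string // base64 RSA-SHA1 signature over SignedInfoXML
}

// digestB64 computes the Reference digest (DigestMethod = sha256).
func digestB64(data []byte) string {
	sum := sha256.Sum256(data)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// buildSignedInfo produces the canonical SignedInfo element for a single
// Reference to "#<id>", with the same algorithm URIs as the page's example.
func buildSignedInfo(id, digest string) []byte {
	return []byte(fmt.Sprintf(
		`<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">`+
			`<CanonicalizationMethod Algorithm="%s"></CanonicalizationMethod>`+
			`<SignatureMethod Algorithm="%s"></SignatureMethod>`+
			`<Reference URI="#%s"><Transforms>`+
			`<Transform Algorithm="%s"></Transform>`+
			`<Transform Algorithm="%s"></Transform>`+
			`</Transforms><DigestMethod Algorithm="%s"></DigestMethod>`+
			`<DigestValue>%s</DigestValue></Reference></SignedInfo>`,
		c14nURI, rsaSha1URI, id, envelopedURI, c14nURI, sha256URI, digest))
}

// Sign is the signer's side: hash the referenced element, wrap the digest in
// SignedInfo, then sign SignedInfo with the private key (SignatureMethod = rsa-sha1).
func Sign(priv *rsa.PrivateKey, id string, data []byte) (*SignedInfo, error) {
	digest := digestB64(data)
	si := buildSignedInfo(id, digest)
	h := sha1.Sum(si)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, h[:])
	if err != nil {
		return nil, err
	}
	return &SignedInfo{SignedInfoXML: si, DigestValue: digest,
		SignatureValue: base64.StdEncoding.EncodeToString(sig)}, nil
}

// Verify is the checker's side: re-hash the referenced element and compare with
// DigestValue, then check SignatureValue over SignedInfo with the public key.
// pub is supplied by the verifier (trust store); a key read from the document's
// own KeyInfo would only prove that the document is self-consistent.
func Verify(pub *rsa.PublicKey, si *SignedInfo, data []byte) error {
	if digestB64(data) != si.DigestValue {
		return errors.New("digest mismatch: referenced element changed after signing")
	}
	sig, err := base64.StdEncoding.DecodeString(si.SignatureValue)
	if err != nil {
		return err
	}
	h := sha1.Sum(si.SignedInfoXML)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, h[:], sig); err != nil {
		return errors.New("signature mismatch: SignedInfo was not signed by this key")
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the certificate's key pair
	si, err := Sign(priv, "SigningData", canonicalSigningData)
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", Verify(&priv.PublicKey, si, canonicalSigningData))
	tampered := bytes.Replace(canonicalSigningData, []byte("0000062"), []byte("0000063"), 1)
	fmt.Println("tampered:", Verify(&priv.PublicKey, si, tampered))
}
```

Verify deliberately takes the public key from the caller rather than from the document's KeyInfo: checking a signature only against the key embedded beside it shows that the file is self-consistent, while point 1 above (the signer owns the certificate) holds only once that certificate has been validated against a trusted CA, matching the X509Certificate in KeyInfo to the expected issuer and subject. The SignatureMethod is kept as rsa-sha1 to match the page; XML-DSig also defines http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, which is the stronger choice where both signer and verifier support it.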

See also



Updated on: 2021-07-10 06:53:52, at T470-01.

Topic: spc.crypto.commands.signxmlfile