(연관된 글이 1개 있습니다.)

안녕하세요.

왜 DigestVavlue가 다를까를 고민해 보다가
KIEC에서 "전자서명(스타일시트가 없는 경우) 처리 절차"에 첨부된 "XML Digital Signature Process.zip" 파일을
받아 단계별로 결과물을 비교해 보니 XmlDsigXPathTransform의 결과에서
.NET은 여전히 xml 형태를 유지하지만 (java결과의 xml파트에 없는 namespace가 포함됨),
java결과물은 첫 줄에 Document root에 있는 namespace를 추가하여
서로 상이 하더군요.
과연 어느쪽이 표준일 까요? 정말 java쪽이 표준일까 아니면 MS가 표준일까 하는 의문도 생기지만,
이걸 알아내기 위해서는 또 다시 w3c 표준문서를 봐야 하니 여기까지...

사실 제가 관련일을 않한지도 오래되고 현재 하고 있지도 않습니다만,
"SignedXml로 된 sample도 많은데 왜 테스트베드에서 통과 못하지?"란 단순한 의문에서
출발하여 잠안자고 혼자 뭐하고 있나 모르겠네요.
혼자 테스트 해보고 "오케이 됐군" 하고 묻으려 했으나
이것 때문에 무리하게 개발환경을 바꾸는 등의 일이 없도록 도움이 되고자
이 글을 작성합니다.

아래 코드는 오로지 "전자서명(스타일시트가 없는 경우) 처리 절차"에 나와 있는 결과에 대응하여
SignedXml을 사용하지 않고 써내려간 단순한 xml sign 코드 입니다.
테스트 결과 DigestValue가 일치하는 것을 확인 하였습니다.



{
    // 전자서명(스타일시트가 없는 경우) 처리 절차
    // http://gw.kiec.or.kr/etax/bod21ms003.jsp?m_left=E&BoardId=admin20091113153342343
    // http://gw.kiec.or.kr/etax/dwn30ac001.jsp?fileId=45&boardId=admin20091113153342343&type=reg
    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;
    using System.Security.Cryptography.Xml;
    using System.Text;
    using System.Xml;
    using NUnit.Framework;

    public class TestSign2
    {
        // 중요사항: utf-8, PreserveWhiteSpace=true, 정규화 시 white space (indentation, new line)까지 추가 되어 유지되어야 함
        // 반드시 UTF8
        readonly Encoding encoding = new UTF8Encoding();

        [Test]
        public void SignXml()
        {
            // ancestor-or-self::ds:Signature 는 아예 박아놨으니 여기서는 필요 없음
            string xpathString = "not(self::*[name()='TaxInvoice'] | ancestor-or-self::*[name()='ExchangedDocument'])";
            // 2. 전자세금계산서.xml 로드
            string invoiceXml = ResourceUtils.GetResourceString("XmlSign.Test.Resources.2. 전자세금계산서.xml", encoding);

            X509Certificate2 signCert = new X509Certificate2(Convert.FromBase64String(signCertB64));
            RSA signKey = new RSACryptoServiceProvider();
            signKey.FromXmlString(signKeyXmlString);

            //
            // 2. Invoice
            XmlDocument invoiceDoc = new XmlDocument
            {
                PreserveWhitespace = true // (note) 중요: 이 옵션을 true로 줘야 digest value가 정확하게 나옴!!!!
            };
            invoiceDoc.LoadXml(invoiceXml);

            //
            // 3. 정규화 (C14N: Canonical)

            XmlDocument c14nDoc = new XmlDocument { PreserveWhitespace = true };
            XmlDsigC14NTransform transform1 = new XmlDsigC14NTransform();
            transform1.LoadInput(invoiceDoc);
            using (MemoryStream ms = (MemoryStream) transform1.GetOutput(typeof (Stream)))
            {
                // “3. 정규화 Transform 결과.txt” 파일과 비교해 보면 <ds:Signature>…</dsSignature> 부분만 제외하고 동일
                // 어차피 hash에 안 들어가니 달라도 통과
                File.WriteAllBytes(@"D:\Temp\3. 정규화 Transform 결과(my).txt", ms.ToArray());
                using (TextReader reader = new StreamReader(ms))
                {
                    c14nDoc.Load(reader);
                }
            }

            //
            // 4. XPath Transform (여기서부터 가관임^^)

            var root = c14nDoc.DocumentElement;

            var transform2 = CreateXmlDsigXPathTransform(xpathString);
            transform2.LoadInput(c14nDoc);
            var list = (XmlNodeList) transform2.GetOutput();
            
            // stream을 얻기 위해 다시 한번 canonical transform 수행
            Transform c14nSecond = new XmlDsigC14NTransform();
            c14nSecond.LoadInput(list);
            string xmldsigxpathTransformResult;
            using (MemoryStream ms = (MemoryStream)c14nSecond.GetOutput(typeof(Stream)))
            {
                // SignedXml.ComputeSignature()의 DigestValue가 왜 다른지 보고 싶으면
                // 아래 주석을 풀어 저장하고 4.XPath Transform 결과.txt와 비교
                //File.WriteAllText(@"D:\Temp\4. XPath Transform 결과(문제).txt", target);

                // java가 만들어 내는 xpath transform 결과를 만들어 줌
                var buff = new StringBuilder();
                foreach (XmlAttribute attribute in root.Attributes)
                {
                    if (attribute.Name.StartsWith("xsi")) continue;
                    buff.Append($" {attribute.Name}=\"{attribute.Value}\""); // (note) SPACE로 시작
                }
                var xns = buff.ToString();
                xmldsigxpathTransformResult = xns;

                var body = encoding.GetString(ms.ToArray()).Replace(xns, ""); // namespace 제거
                xmldsigxpathTransformResult += body;
                File.WriteAllText(@"D:\Temp\4. XPath Transform 결과(my).txt", xmldsigxpathTransformResult);
            }
            var tbHash = encoding.GetBytes(xmldsigxpathTransformResult);

            //
            // Digest

            // http://www.w3.org/2001/04/xmlenc#sha256
            var hashAlgorithm = new SHA256CryptoServiceProvider();
            var digestValue = hashAlgorithm.ComputeHash(tbHash);

            // http://gw.kiec.or.kr/etax/bod21ms003.jsp?m_left=E&BoardId=admin20091113153342343
            // http://gw.kiec.or.kr/etax/dwn30ac001.jsp?fileId=45&boardId=admin20091113153342343&type=reg
            // 6. 최종 전자서명 결과.xml 파일의 DigestValue 비교
            // http://www.w3.org/2001/04/xmlenc#sha1
            var hashAlgorithm2 = new SHA1CryptoServiceProvider();
            var digestValue2 = hashAlgorithm2.ComputeHash(tbHash);
            var test = Convert.ToBase64String(digestValue2);
            var nipa = "fEcnFA8IvhshDzYHwO6uMaC2TIo=";
            Console.WriteLine($"{test} {(test == nipa ? "PASS" : "FAIL")}");

            //
            // RSA-SHA256 Signature 작성
            var signatureXml = GetSignatureXml(signKey, signCert, digestValue);
            root = invoiceDoc.DocumentElement;
            root.InsertAfter(invoiceDoc.ImportNode(signatureXml, true), root.FirstChild);

            string signedFileName = @"d:\temp\6. 최종 전자서명 결과(my).xml";
            using (var writer = new XmlTextWriter(signedFileName, encoding))
            {
                invoiceDoc.Save(writer);
            }
        }

        private XmlDsigXPathTransform CreateXmlDsigXPathTransform(string xpath)
        {
            XmlDocument doc = new XmlDocument();
            XmlElement xPathElem = doc.CreateElement("XPath");
            xPathElem.InnerText = xpath;
            XmlDsigXPathTransform xmlTransform = new XmlDsigXPathTransform();
            xmlTransform.LoadInnerXml(xPathElem.SelectNodes("."));
            xmlTransform.Algorithm = SignedXml.XmlDsigXPathTransformUrl;
            return xmlTransform;
        }

        XmlElement GetSignatureXml(RSA priKey, X509Certificate2 cert, byte[] digestValue, string halg = "sha256")
        {
            RSACryptoServiceProvider rsaCSP = (RSACryptoServiceProvider) priKey;//cert.PrivateKey;
            CspParameters cspParam = new CspParameters
            {
                KeyContainerName = rsaCSP.CspKeyContainerInfo.KeyContainerName,
                KeyNumber = rsaCSP.CspKeyContainerInfo.KeyNumber == KeyNumber.Exchange ? 1 : 2
            };
            RSACryptoServiceProvider aescsp = new RSACryptoServiceProvider(cspParam) {PersistKeyInCsp = false};
            byte[] signed = aescsp.SignData(digestValue, halg);
            var signature = Convert.ToBase64String(signed, Base64FormattingOptions.InsertLineBreaks);
            bool isValid = aescsp.VerifyData(digestValue, halg, signed);
            Console.WriteLine($"서명은 어때 ? {(isValid ? "OK" : "옳지않아")}");
       
            // 귀찮으니 replace로 처리^^
            var xmlstring = SignatureXmlString
                .Replace("<ds:DigestValue></ds:DigestValue>", $"<ds:DigestValue>{Convert.ToBase64String(digestValue)}</ds:DigestValue>")
                .Replace("<ds:SignatureValue></ds:SignatureValue>", $"<ds:SignatureValue>{signature}</ds:SignatureValue>")
                .Replace("<ds:X509Certificate></ds:X509Certificate>", $"<ds:X509Certificate>{Convert.ToBase64String(cert.RawData, Base64FormattingOptions.InsertLineBreaks)}</ds:X509Certificate>")
                ;

            XmlDocument doc = new XmlDocument() {PreserveWhitespace = true/*아름다운 xml을 위해*/};
            doc.LoadXml(xmlstring);
            return doc.DocumentElement;
        }

        private static string SignatureXmlString =
            "<ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n" +
            " <ds:SignedInfo>\n" +
            " <ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/TR/2001/REC-xml-c14n-20010315\"></ds:CanonicalizationMethod>\n" +
            " <ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"></ds:SignatureMethod>\n" +
            " <ds:Reference URI=\"\">\n" +
            " <ds:Transforms>\n" +
            " <ds:Transform Algorithm=\"http://www.w3.org/TR/2001/REC-xml-c14n-20010315\"></ds:Transform>\n" +
            " <ds:Transform Algorithm=\"http://www.w3.org/TR/1999/REC-xpath-19991116\">\n" +
            " <ds:XPath>not(self::*[name() = 'TaxInvoice'] | ancestor-or-self::*[name() = 'ExchangedDocument'] | ancestor-or-self::ds:Signature)</ds:XPath>\n" +
            " </ds:Transform>\n" +
            " </ds:Transforms>\n" +
            " <ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></ds:DigestMethod>\n" +
            " <ds:DigestValue></ds:DigestValue>\n" +
            " </ds:Reference>\n" +
            " </ds:SignedInfo>\n" +
            " <ds:SignatureValue></ds:SignatureValue>\n" +
            " <ds:KeyInfo>\n" +
            " <ds:X509Data>\n" +
            " <ds:X509Certificate></ds:X509Certificate>\n" +
            " </ds:X509Data>\n" +
            " </ds:KeyInfo>\n" +
            "</ds:Signature>\n";

        private static string signKeyXmlString =
            "<RSAKeyValue>" +
            "<Modulus>wmpGG0K0jxzAu86gCqs0Aeex4F2Rg66gDJ4xTTOxMXXeEr5QhhcWgyPfkHNQgmHTCAPneLE3Eix+OClRGoLC2TOAPAqw+hzY0n/zva7CQlEov4ySn0Er1EyDxgvfH+LG07rgHKXFGegjkyM6CeAQvzJglzn9hPxFCXmisZelTBs=</Modulus>" +
            "<Exponent>AQAB</Exponent>" +
            "<P>6Dm+PO9N17EdA7GcVtNqPlyU5HGvstDsCw0AipZ2TeONbT7lbb0N+CFsliDxk/H0etDbXws0JA4sLHauJqRwWw==</P>" +
            "<Q>1lGUnEJgtePpw8EN9GOMXfA3Ga5bs1zpvgNkU8vYGriMeVzVK35nmyzBzYm+oLiM7Kp3L6PESgfCbZzJnQlfQQ==</Q>" +
            "<DP>10Uv5KyxLFEy5Emw84vn4QdRvrLkfI7PQS88YTw5TtqyL6Muaxvl5y6UylafmtWgHHmf4esw2nuI127s4UVuIQ==</DP>" +
            "<DQ>dNWObUzmSeIQWs3QnKz0JXXBo/dgODxrlFFnDSNwEMkQk0yfTRGgy4AvuqvfxuA0uwQG62qcpDrsrDKv2jL0wQ==</DQ>" +
            "<InverseQ>zI0UASEE6PpsvRzsGVsaKitjObFVhOqr9H5QvM9hjsI85tfl80Rshgk++HgtTnZPt3dl+kN9I6bAR0jMs8Rmtg==</InverseQ>" +
            "<D>AUbub/Zntjrznygzz+4g+NQ7TGSA9LL8dSjC3SV2SANkso3SfJcBPFpLeSjwwfJ/juFrr1TGrlVhfN/0mu559i1cAH4lPmtSADAVlPmF7Djjav2oDgWVvorBgsVoOP4K8s6MpnI7ozs1baR+fhHMqaJAEEvpx62VbKFEURZt3UE=</D>" +
            "</RSAKeyValue>";
        //아주 오래전에 만료된 인증서
        static string signCertB64 =
            "MIIFazCCBFOgAwIBAgIDHf/dMA0GCSqGSIb3DQEBBQUAMGIxCzAJBgNVBAYTAktSMRIwEAYDVQQK" +
            "DAlDcm9zc0NlcnQxFTATBgNVBAsMDEFjY3JlZGl0ZWRDQTEoMCYGA1UEAwwfQ3Jvc3NDZXJ0IENl" +
            "cnRpZmljYXRlIEF1dGhvcml0eTAeFw0wOTEwMDYxMTU1MDBaFw0xMDAxMDYxNDU5NTlaMIGMMQsw" +
            "CQYDVQQGEwJLUjESMBAGA1UECgwJQ3Jvc3NDZXJ0MRUwEwYDVQQLDAxBY2NyZWRpdGVkQ0ExGDAW" +
            "BgNVBAsMD+yZuOu2gOyXheyytOyaqTESMBAGA1UECwwJ7YWM7Iqk7Yq4MSQwIgYDVQQDDBvsoJXr" +
            "s7TthrXsi6DsgrDsl4Xsp4TtnaXsm5AwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMJqRhtC" +
            "tI8cwLvOoAqrNAHnseBdkYOuoAyeMU0zsTF13hK+UIYXFoMj35BzUIJh0wgD53ixNxIsfjgpURqC" +
            "wtkzgDwKsPoc2NJ/872uwkJRKL+Mkp9BK9RMg8YL3x/ixtO64BylxRnoI5MjOgngEL8yYJc5/YT8" +
            "RQl5orGXpUwbAgMBAAGjggKBMIICfTBHBggrBgEFBQcBAQQ7MDkwNwYIKwYBBQUHMAGGK2h0dHA6" +
            "Ly9vY3NwMS5jcm9zc2NlcnQuY29tOjE0MjAzL09DU1BTZXJ2ZXIwgY8GA1UdIwSBhzCBhIAUD9ks" +
            "r4szsbK08RUcnXhhYuGbFCehaKRmMGQxCzAJBgNVBAYTAktSMQ0wCwYDVQQKDARLSVNBMS4wLAYD" +
            "VQQLDCVLb3JlYSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBDZW50cmFsMRYwFAYDVQQDDA1LSVNB" +
            "IFJvb3RDQSAxggInXjAdBgNVHQ4EFgQUNgeeBxV0jUyIGLJXLVzujw9+5Z4wDgYDVR0PAQH/BAQD" +
            "AgbAMIGDBgNVHSABAf8EeTB3MHUGCiqDGoyaRAUEAQMwZzAtBggrBgEFBQcCARYhaHR0cDovL2dj" +
            "YS5jcm9zc2NlcnQuY29tL2Nwcy5odG1sMDYGCCsGAQUFBwICMCoeKMd0ACDHeMmdwRyylAAg0UzC" +
            "pNK4xqkAIMd4yZ3BHAAgx4WyyLLkAC4wagYDVR0RBGMwYaBfBgkqgxqMmkQKAQGgUjBQDBvsoJXr" +
            "s7TthrXsi6DsgrDsl4Xsp4TtnaXsm5AwMTAvBgoqgxqMmkQKAQEBMCEwBwYFKw4DAhqgFgQUUHDf" +
            "JFnw8WLfdykln1n+BqjEGIMwfwYDVR0fBHgwdjB0oHKgcIZubGRhcDovL2Rpci5jcm9zc2NlcnQu" +
            "Y29tOjM4OS9jbj1zMWRwNHAxODk4LG91PWNybGRwLG91PUFjY3JlZGl0ZWRDQSxvPUNyb3NzQ2Vy" +
            "dCxjPUtSP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3QwDQYJKoZIhvcNAQEFBQADggEBAJIKpmib" +
            "OpbZSAPq99lKmbpkypR3yomnFd/qOUB+RSQAH3Oswx1CrucnYxQ5iG4sMrrRXhwDR5kphG3eyAO5" +
            "fhvHlL311/Onj31fuaBdqd/hppcu4YFSQtAAfu5o6X9lEdWgG/hAyHXhPzoqFhPMPJ2z1Vs5XPDr" +
            "k29qEI9Ww8Q7jqN+8DtR8qxssFX4cV5CCGyBxtn4KYIf4/8aF9zrnoTTljKCujc8deReKMSiWoan" +
            "kfa/u3pdIIFK1llgPXxDrlCTsp4hEogB9z4IG9JaZ66vpB4CAaY0x+z4uctQKkdkO49m39GLAcGP" +
            "FHRNTCERLSez1dnl6zmQKu80BkL8eEc=";
    }
}

---

• [다음 글] [답변]: ds:Signature 질문입니다.
• [이전 글] MariaDB - ASP.NET오류의 원인조차 못 찾고 있습니다..

[연관 글]

• .NET Framework: 541. SignedXml을 이용한 ds:Signature만드는 방법

---