Finally got it working:
The final SignedInfo element is:
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#pfxffef2099-cc79-fd84-e7e8-5bdced364715">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>YeKgITtMiXZjSnfQ1I+byM6aOoQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
I think the problem was that the wrong canonicalization method was being referenced.
The signing code is:
import base64
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding

# Load the unencrypted PEM private key that matches the certificate published in the IdP metadata
with open("mysaml_pr_key.pem", "rb") as key_file:
    private_key = serialization.load_pem_private_key(
        key_file.read(),
        password=None,
        backend=default_backend()
    )
# rsa-sha1 (the SignatureMethod in SignedInfo) is RSASSA-PKCS1-v1_5 over a SHA-1 hash
signature_before_64encode = private_key.sign(to_be_signed, padding.PKCS1v15(), hashes.SHA1())
# SignatureValue carries the raw signature bytes base64-encoded
signature = base64.b64encode(signature_before_64encode)
where to_be_signed is the .encode() result of the SignedInfo string.
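The step the post glosses over is how the SignedInfo bytes handed to private_key.sign() are produced. A verifier does not hash the string the signer happened to serialize; it re-canonicalizes the ds:SignedInfo element with the CanonicalizationMethod it declares, and it recomputes DigestValue by dereferencing URI="#id", removing the enveloping ds:Signature (the enveloped-signature transform) and canonicalizing the rest with exclusive C14N. If the signer's bytes were built any other way (self-closing tags, a different quote style, a namespace declared on an ancestor instead of on SignedInfo), the signature fails even though the XML is semantically identical. The example below is an added illustration, not the poster's code: it embeds the post's SignedInfo in a constructed SAML Assertion (the Assertion ID is the one referenced in the post; the saml:Issuer value and Version attribute are made up) in two lexically different forms and shows that both canonicalize to the same signing input, with DigestValue computed the way the Reference demands. It uses only the standard library; xml.etree.ElementTree.canonicalize (Python 3.8+) implements C14N 2.0, which for markup like this yields the same bytes as xml-exc-c14n#, but it is not a drop-in for exclusive C14N in general (no InclusiveNamespaces PrefixList handling), so real SAML code should use lxml's exclusive C14N or a dedicated XML-DSig library. SHA-1 and rsa-sha1 are kept because that is what the post's SignedInfo declares; new deployments should use SHA-256 variants.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Keep the real prefixes when ElementTree re-serializes a subtree (otherwise it emits ns0:).
ET.register_namespace("ds", DS_NS)
ET.register_namespace("saml", SAML_NS)

ASSERTION_ID = "pfxffef2099-cc79-fd84-e7e8-5bdced364715"  # the ID the post's Reference points at

# Constructed sample documents (assumption: Issuer and Version are invented). Both carry the
# post's SignedInfo as an enveloped signature; a parser sees them as identical, but their raw
# .encode() bytes differ, which is exactly what breaks a signature made without canonicalizing.
DOC_A = (  # self-closing tags, single quotes, xmlns:ds declared only on <ds:Signature>
    f"<saml:Assertion xmlns:saml='{SAML_NS}' Version='2.0' ID='{ASSERTION_ID}'>"
    "<saml:Issuer>https://idp.example</saml:Issuer>"
    f"<ds:Signature xmlns:ds='{DS_NS}'><ds:SignedInfo>"
    "<ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>"
    "<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>"
    f"<ds:Reference URI='#{ASSERTION_ID}'><ds:Transforms>"
    "<ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>"
    "<ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/></ds:Transforms>"
    "<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>"
    "<ds:DigestValue/></ds:Reference></ds:SignedInfo>"
    "<ds:SignatureValue/></ds:Signature></saml:Assertion>"
)
DOC_B = (  # explicit end tags, double quotes, xmlns:ds redeclared on <ds:SignedInfo> as in the post
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="{ASSERTION_ID}" Version="2.0">'
    "<saml:Issuer>https://idp.example</saml:Issuer>"
    f'<ds:Signature xmlns:ds="{DS_NS}"><ds:SignedInfo xmlns:ds="{DS_NS}">'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>'
    f'<ds:Reference URI="#{ASSERTION_ID}"><ds:Transforms>'
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms>'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>'
    "<ds:DigestValue></ds:DigestValue></ds:Reference></ds:SignedInfo>"
    "<ds:SignatureValue></ds:SignatureValue></ds:Signature></saml:Assertion>"
)


def canonicalize(el: ET.Element) -> bytes:
    """Canonical UTF-8 bytes of one subtree (stdlib C14N 2.0 writer, exclusive-style namespaces)."""
    el.tail = None  # ET.tostring() would otherwise append the text that follows the element
    return ET.canonicalize(ET.tostring(el, encoding="unicode")).encode("utf-8")


def remove_enveloped_signature(target: ET.Element) -> None:
    """Transform 1 (enveloped-signature): drop the ds:Signature subtree but keep the text that
    followed it, as the spec's node-set filter removes only the Signature nodes."""
    parents = {child: parent for parent in target.iter() for child in parent}
    sig = target.find(f".//{{{DS_NS}}}Signature")
    parent = parents[sig]
    siblings = list(parent)
    idx = siblings.index(sig)
    if sig.tail:
        if idx:
            siblings[idx - 1].tail = (siblings[idx - 1].tail or "") + sig.tail
        else:
            parent.text = (parent.text or "") + sig.tail
    parent.remove(sig)


def canonical_reference(doc: str) -> bytes:
    """Bytes whose SHA-1 is ds:DigestValue: dereference URI="#id", then apply both transforms."""
    root = ET.fromstring(doc)
    uri = root.find(f".//{{{DS_NS}}}Reference").get("URI")  # same-document "#id" reference assumed
    target = next(el for el in root.iter() if el.get("ID") == uri[1:])
    remove_enveloped_signature(target)
    return canonicalize(target)  # Transform 2: exclusive C14N


def digest_value(doc: str) -> str:
    """Base64 SHA-1 of the transformed reference, i.e. the DigestValue text."""
    return base64.b64encode(hashlib.sha1(canonical_reference(doc)).digest()).decode("ascii")


def to_be_signed(doc: str) -> bytes:
    """Fill in DigestValue, then canonicalize ds:SignedInfo. These bytes, not the .encode() of
    whatever string the signer happened to build, are what private_key.sign() must receive."""
    root = ET.fromstring(doc)
    signed_info = root.find(f".//{{{DS_NS}}}SignedInfo")
    signed_info.find(f".//{{{DS_NS}}}DigestValue").text = digest_value(doc)
    return canonicalize(signed_info)


if __name__ == "__main__":
    print(to_be_signed(DOC_A).decode())
    print("same signing input for both lexical forms:", to_be_signed(DOC_A) == to_be_signed(DOC_B))
    print("raw strings identical:", DOC_A == DOC_B)
```

The output of to_be_signed() is what the post's snippet should pass as to_be_signed; the DigestValue must be computed and written into the Reference before SignedInfo is canonicalized, because SignedInfo covers it. Note that both forms produce the expanded `<ds:CanonicalizationMethod ...></ds:CanonicalizationMethod>` layout shown in the post's final SignedInfo, which is the tell-tale of exclusive C14N output.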