Java NPE，同時驗證我自己的XML簽名

Question

我有簽名的XML請求，由於簽名無效而被第三方拒絕。因此，我寫了自己的簽名驗證代碼來查看錯誤。但是，在驗證剛剛創建的XML簽名時，我正在獲得NPE。這裏是XML的樣子（我刪除了不相關的部分）：

<?xml version="1.0" encoding="UTF-8"?> 
<envelope xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
      xsi:noNamespaceSchemaLocation="some_third_party.xsd"> 
    <header>...</header> 
    <body>...</body> 
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="MySignature"> 
     <SignedInfo> 
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> 
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 
      <Reference URI=""> 
       <Transforms> 
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
       </Transforms> 
       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
       <DigestValue>AaV+ejxBF8GjJvIZA9Bonw81Z1Y=</DigestValue> 
      </Reference> 
      <Reference Type="http://www.w3.org/2000/09/xmldsig#SignatureProperties" URI="#SignatureProperties"> 
       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
       <DigestValue>qcofYVnQ/n7sxKJPT5rG0+UYbjg=</DigestValue> 
      </Reference> 
     </SignedInfo> 
     <SignatureValue>XXX</SignatureValue> 
     <KeyInfo> 
      <X509Data> 
       <X509Certificate>XXX</X509Certificate> 
      </X509Data> 
     </KeyInfo> 
     <Object Id="SignatureProperties"> 
      <SignatureProperties xmlns=""> 
       <SignatureProperty Id="TimeStamp" Target="#MySignature"> 
        <TimeStamp> 
         <Date>2017-03-01</Date> 
         <Time>09:06:36.779+01:00</Time> 
        </TimeStamp> 
       </SignatureProperty> 
      </SignatureProperties> 
     </Object> 
    </Signature> 
</envelope> 

當我試圖驗證此簽名，我在註釋行獲得NPE（所以它解組簽名時實際發生之前，實際驗證）：

// Omitted: extract the X509 Certificate from the document 
DOMValidateContext valContext = new DOMValidateContext(cert.getPublicKey(), signature); 
XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM"); 
XMLSignature xmlSignature; 
try { 
    // Null pointer exception here! 
    xmlSignature = factory.unmarshalXMLSignature(valContext); 
} catch (MarshalException e) { 
    // Handle exception 
} 

爲了完整起見，這裏是我如何創建簽名：

try { 
    XMLSignatureFactory xmlSignatureFactory = XMLSignatureFactory.getInstance("DOM"); 

    Reference ref = xmlSignatureFactory.newReference("", 
      xmlSignatureFactory.newDigestMethod(DigestMethod.SHA1, null), 
      Collections.singletonList(xmlSignatureFactory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), 
      null, 
      null); 

    Reference signatureRef = xmlSignatureFactory.newReference("#SignatureProperties", 
      xmlSignatureFactory.newDigestMethod(DigestMethod.SHA1, null), 
      null, 
      "http://www.w3.org/2000/09/xmldsig#SignatureProperties", 
      null); 

    SignedInfo signedInfo = xmlSignatureFactory.newSignedInfo(xmlSignatureFactory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null), 
      xmlSignatureFactory.newSignatureMethod(SignatureMethod.RSA_SHA1, null), 
      Arrays.asList(ref, signatureRef)); 

    XMLObject xmlObject = xmlSignatureFactory.newXMLObject(Collections.singletonList(new DOMStructure(timestamp)), 
      "SignatureProperties", null, null); 

    KeyInfoFactory keyInfoFactory = xmlSignatureFactory.getKeyInfoFactory(); 
    List<Object> x509Content = new ArrayList<>(); 
    x509Content.add(certificate); 
    X509Data xd = keyInfoFactory.newX509Data(x509Content); 
    KeyInfo keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(xd)); 

    XMLSignature xmlSignature = xmlSignatureFactory.newXMLSignature(signedInfo, keyInfo, 
      Collections.singletonList(xmlObject), SIGNATURE_ID, null); 
    DOMSignContext signContext = new DOMSignContext(privateKey, document.getDocumentElement()); 
    xmlSignature.sign(signContext); 
} catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) { 
    // Handle exception 
} 

任何想法，我做錯了什麼？

編輯：添加的堆棧跟蹤顯示，其中NPE正好拋出：

java.lang.NullPointerException: null 
    at org.jcp.xml.dsig.internal.dom.DOMXMLObject.<init>(DOMXMLObject.java:120) 
    at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.<init>(DOMXMLSignature.java:171) 
    at org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:193) 
    at org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:150) 

編輯2：我還應該提到的是，SignedValue和X509證書內容有空格創建簽名，看起來怪我後。例如。

<X509Certificate>MIIG8DCCBdigAwIBAgIUJZSmBORuGuXyx48f04sNGHT+RhwwDQYJKoZIhvcNAQELBQAwWzELMAkG 
    A1UEBhMCQ0gxEzARBgNVBAoTClBvc3QgQ0ggQUcxDTALBgNVBAsTBFBST0QxKDAmBgNVBAMTH1BL 
    SSBTd2lzc1Bvc3QgTWFjaGluZSBBRVAgQ0EgRzMwHhcNMTcwMTI2MTIzMTQ0WhcNMjAwMTI2MTIz 
    MTQ0WjCBsTELMAkGA1UEBhMCQ0gxCzAJBgNVBAgTAkZSMSAwHgYDVQQKExdEaWUgU2Nod2VpemVy 
    ... 

Answer 1

經過一番調試後我發現了這個問題。 DOMXMLObject嘗試獲取SignatureProperties節點的本地名稱，該節點返回null。我稍微修改了我如何創建該元素，現在它工作正常。

我加入這段代碼的情況下，它是有用的人別人後面：

XMLObject xmlObject = xmlSignatureFactory.newXMLObject(Collections.singletonList(new DOMStructure(createTimestamp(doc))), 
       "SignatureProperties", null, null);