
SOAP WsSecurity Digital Signing using CXF and WSS4J for X509Certificate


I want to send an outbound request with an X509Certificate in the request and verify the digital signature in the response using CXF and WSS4J. The WsSecurity element in the response looks like this. Is there any way to verify a digital signature in the following format using cxf and wss4j? I tried different things but had no luck.

 <wsse:Security>
   <wsu:Timestamp wsu:Id="FA_TS-5a00885c-8507-4c5c-b66f-fb45eabcaad6">
     <wsu:Created>2020-08-12T12:13:49Z</wsu:Created>
     <wsu:Expires>2020-08-12T12:18:49Z</wsu:Expires>
   </wsu:Timestamp>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
     <SignedInfo>
       <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
       <Reference URI="#FA_RIV_1234567890">
         <Transforms>
           <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         </Transforms>
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
         <DigestValue>t3/fyodY1azV8CYohUQ79Wi/n3o=</DigestValue>
       </Reference>
       <Reference URI="#FA_TS-5a00885c-8507-4c5c-b66f-fb45eabcaad6">
         <Transforms>
           <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         </Transforms>
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
         <DigestValue>TDEn6ZGMf1HaBiLbCaSs7VzIGzs=</DigestValue>
       </Reference>
       <Reference URI="#FA_Body_1234567890">
         <Transforms>
           <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         </Transforms>
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
         <DigestValue>hBHMEKU7O1eBvxlYlX/t4I9g/S8=</DigestValue>
       </Reference>
     </SignedInfo>
     <SignatureValue>n5tsEGaXzfnHFy0VvMDdgIGdTjyS3Uwu/b2BnDap0y1qrudSHbfRvA4/tFPEHHiAxFcYDBxcigci&#13;
46MBPA/t39pGza/JZfvyApg1VHrMub9d2eRNEJxLbcQTeokJP2Iex07x4cQfIG0N2bYRr1ShgRSI&#13;
V4X8uVaTY1lwqInqHIgSD4WX7nw05V0R/nLAgJEqhxOD3qTRiOdymzlDil79+TjH8cvJpBu/k1Oy&#13;
l9TMJDMKSUT6ShHHCpn6WBNqNOGewJxd8qUq3aj/LgGrj4BvP5xh7dTNUKxLplRzqGyzBz8ZbXpg&#13;
ZeUZR+uTa95+qqgQOqVbwCGU3VGEo2lBjgADVQ==</SignatureValue>
     <KeyInfo>
       <X509Data>
         <X509Certificate>MIIEuzCCA6OgAwIBAgIBCjANBgkqhkiG9w0BAQUFADCBoTEcMBoGA1UEBRMTU0UxNjU1NjU5Njgy&#13;
MDItMDAyNDEPMA0GA1UEAxMGZUZhIENBMQswCQYDVQQGEwJTRTESMBAGA1UEBxMJU3RvY2tob2xt&#13;
MQwwCgYDVQQKEwNlRmExDDAKBgNVBAsTA2VGYTEzMDEGCSqGSIb3DQEJARYkZWZhX05PVEFSRUFM&#13;
VVNFUkBlZmFfTk9UQVJFQUxIT1NULnNlMB4XDTE5MDExMTA3MjQ1NFoXDTI5MDEwODA3MjQ1NFow&#13; </X509Certificate>
       </X509Data>
     </KeyInfo>
   </Signature>
 </wsse:Security>

You can use Xades4j and iterate over the Signature tags to verify them.


import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.namespace.NamespaceContext;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMResult;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import xades4j.XAdES4jException;
import xades4j.providers.CertificateValidationException;
import xades4j.providers.CertificateValidationProvider;
import xades4j.providers.ValidationData;
import xades4j.utils.XadesProfileResolutionException;
import xades4j.verification.InvalidSignatureException;
import xades4j.verification.SignatureSpecificVerificationOptions;
import xades4j.verification.XAdESVerificationResult;
import xades4j.verification.XadesVerificationProfile;
import xades4j.verification.XadesVerifier;

public class AwesomeValidator {

    /** Wraps the checked exceptions of parsing and verification (the "CustomException" of the answer). */
    public static class XmlValidationException extends Exception {
        public XmlValidationException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    public List<XAdESVerificationResult> validate(Source source) throws XmlValidationException {
        try {
            XadesVerifier verifier = buildVerifier();
            SignatureSpecificVerificationOptions sigOptions = buildVerificationOptions();
            NodeList nl = getNodeList(source);

            List<XAdESVerificationResult> result = new ArrayList<>();
            for (int i = 0; i < nl.getLength(); i++) {
                Element sigElement = (Element) nl.item(i);
                try {
                    result.add(verifier.verify(sigElement, sigOptions));
                } catch (InvalidSignatureException | CertificateValidationException e) {
                    // One bad signature fails the whole message; never skip it silently.
                    throw new XmlValidationException("Signature " + i + " failed verification", e);
                }
            }
            return result;
        } catch (XPathExpressionException | TransformerException | XAdES4jException e) {
            throw new XmlValidationException("Could not verify signatures", e);
        }
    }

    private XadesVerifier buildVerifier() throws XadesProfileResolutionException {
        CertificateValidationProvider certValidationProvider = getAlwaysOkCertificateValidator();
        XadesVerificationProfile p = new XadesVerificationProfile(certValidationProvider);
        return p.newVerifier();
    }

    /**
     * Accepts whatever certificate the KeyInfo carries and builds no chain to a trust anchor,
     * so this only proves the message was signed with the embedded key, not by whom.
     * Back it with a truststore (e.g. xades4j's PKIXCertificateValidationProvider) in production.
     */
    private CertificateValidationProvider getAlwaysOkCertificateValidator() {
        return (certSelector, validationDate, otherCerts) ->
                new ValidationData(Collections.singletonList(certSelector.getCertificate()));
    }

    private SignatureSpecificVerificationOptions buildVerificationOptions() {
        SignatureSpecificVerificationOptions sigOptions = new SignatureSpecificVerificationOptions();
        // IdAttrNameResourceResolver is the answer's own ResourceResolverSpi (not shown), presumably so
        // that References to elements identified by wsu:Id, as in the message above, can be resolved.
        sigOptions.useResourceResolver(
                new org.apache.xml.security.utils.resolver.ResourceResolver(new IdAttrNameResourceResolver()));
        return sigOptions;
    }

    private NodeList getNodeList(Source source) throws XPathExpressionException, TransformerException {
        Document document = asDom(source);
        XPathFactory xPathfactory = XPathFactory.newInstance();
        XPath xpath = xPathfactory.newXPath();
        xpath.setNamespaceContext(getXadesNamespaceContext());
        XPathExpression expr = xpath.compile("//ds:Signature");
        return (NodeList) expr.evaluate(document, XPathConstants.NODESET);
    }

    /** Namespace-aware DOM from any Source; stands in for the answer's XmlDocuments.asDom helper. */
    private static Document asDom(Source source) throws TransformerException {
        DOMResult result = new DOMResult();
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.newTransformer().transform(source, result);
        return (Document) result.getNode();
    }

    /** Binds the ds prefix of the XPath; the message's default-namespace Signature matches by URI. */
    private NamespaceContext getXadesNamespaceContext() {
        return new NamespaceContext() {
            @Override
            public String getNamespaceURI(String prefix) {
                return "ds".equals(prefix) ? "http://www.w3.org/2000/09/xmldsig#" : XMLConstants.NULL_NS_URI;
            }
            @Override
            public String getPrefix(String namespaceURI) { return null; }
            @Override
            public Iterator<String> getPrefixes(String namespaceURI) { return null; }
        };
    }
}

Also, if you want to extract the certificate information, you need to integrate with your certificate entities and change the CertificateValidationProvider implementation.
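Since the question asks about CXF and WSS4J themselves, here is the CXF-side way to verify such a response, as an added example that is not part of the original post or of the CXF/WSS4J projects: a WSS4J inbound interceptor requires both the Timestamp and the Signature shown above and checks the signing certificate against a truststore. The file name verify.properties, the truststore trust.jks and the method name are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.common.ConfigurationConstants;

public class ResponseSignatureVerification {

    /**
     * Attaches a WSS4J inbound interceptor to a CXF JAX-WS proxy so that every response
     * must carry a wsu:Timestamp and a ds:Signature that verifies against the truststore
     * configured in verify.properties (assumed classpath resource):
     *
     *   org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
     *   org.apache.wss4j.crypto.merlin.truststore.type=jks
     *   org.apache.wss4j.crypto.merlin.truststore.file=trust.jks
     *   org.apache.wss4j.crypto.merlin.truststore.password=<truststore password>
     */
    public static WSS4JInInterceptor requireSignedResponses(Object jaxwsProxy) {
        Map<String, Object> inProps = new HashMap<>();
        // Listing both actions makes an unsigned or timestamp-less response a hard failure,
        // rather than something the client merely tolerates.
        inProps.put(ConfigurationConstants.ACTION,
                ConfigurationConstants.TIMESTAMP + " " + ConfigurationConstants.SIGNATURE);
        // Crypto properties used for verification (truststore), separate from any signing keystore.
        inProps.put(ConfigurationConstants.SIG_VER_PROP_FILE, "verify.properties");
        // Reject a Timestamp whose Expires is already in the past (WSS4J's default, made explicit).
        inProps.put(ConfigurationConstants.TIMESTAMP_STRICT, "true");

        WSS4JInInterceptor inbound = new WSS4JInInterceptor(inProps);
        Client client = ClientProxy.getClient(jaxwsProxy);
        client.getInInterceptors().add(inbound);
        return inbound;
    }
}
```

Here the trust decision comes from the truststore, whereas the answer's always-OK CertificateValidationProvider accepts any certificate carried in the KeyInfo.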

