Apache CXF - configure WSS4J to extract server's x.509 certificate from SOAP header
SOAP WsSecurity Digital Signing using CXF and WSS4J for X509Certificate
I want to send an outbound request that carries an X509Certificate, and verify the digital signature in the response using CXF and WSS4J. The WsSecurity element in the response looks like this. Is there a way to verify a digital signature in the following format using cxf and wss4j? I have tried different things, but no luck.
<wsse:Security>
  <wsu:Timestamp wsu:Id="FA_TS-5a00885c-8507-4c5c-b66f-fb45eabcaad6">
    <wsu:Created>2020-08-12T12:13:49Z</wsu:Created>
    <wsu:Expires>2020-08-12T12:18:49Z</wsu:Expires>
  </wsu:Timestamp>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#FA_RIV_1234567890">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>t3/fyodY1azV8CYohUQ79Wi/n3o=</DigestValue>
      </Reference>
      <Reference URI="#FA_TS-5a00885c-8507-4c5c-b66f-fb45eabcaad6">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>TDEn6ZGMf1HaBiLbCaSs7VzIGzs=</DigestValue>
      </Reference>
      <Reference URI="#FA_Body_1234567890">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>hBHMEKU7O1eBvxlYlX/t4I9g/S8=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>n5tsEGaXzfnHFy0VvMDdgIGdTjyS3Uwu/b2BnDap0y1qrudSHbfRvA4/tFPEHHiAxFcYDBxcigci 46MBPA/t39pGza/JZfvyApg1VHrMub9d2eRNEJxLbcQTeokJP2Iex07x4cQfIG0N2bYRr1ShgRSI V4X8uVaTY1lwqInqHIgSD4WX7nw05V0R/nLAgJEqhxOD3qTRiOdymzlDil79+TjH8cvJpBu/k1Oy l9TMJDMKSUT6ShHHCpn6WBNqNOGewJxd8qUq3aj/LgGrj4BvP5xh7dTNUKxLplRzqGyzBz8ZbXpg ZeUZR+uTa95+qqgQOqVbwCGU3VGEo2lBjgADVQ==</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIIEuzCCA6OgAwIBAgIBCjANBgkqhkiG9w0BAQUFADCBoTEcMBoGA1UEBRMTU0UxNjU1NjU5Njgy MDItMDAyNDEPMA0GA1UEAxMGZUZhIENBMQswCQYDVQQGEwJTRTESMBAGA1UEBxMJU3RvY2tob2xt MQwwCgYDVQQKEwNlRmExDDAKBgNVBAsTA2VGYTEzMDEGCSqGSIb3DQEJARYkZWZhX05PVEFSRUFM VVNFUkBlZmFfTk9UQVJFQUxIT1NULnNlMB4XDTE5MDExMTA3MjQ1NFoXDTI5MDEwODA3MjQ1NFow </X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</wsse:Security>
You can use Xades4j and iterate over the signature tags to verify them.
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMResult;
import org.apache.xml.security.utils.resolver.ResourceResolver;
import org.w3c.dom.*;
import xades4j.XAdES4jException;
import xades4j.providers.*;
import xades4j.utils.XadesProfileResolutionException;
import xades4j.verification.*;

public class AwesomeValidator {

    /** Thrown when the document cannot be parsed or a signature does not verify. */
    public static class XmlValidationException extends Exception {
        public XmlValidationException(String message, Throwable cause) { super(message, cause); }
    }

    public List<XAdESVerificationResult> validate(Source source) throws XmlValidationException {
        try {
            XadesVerifier verifier = buildVerifier();
            SignatureSpecificVerificationOptions sigOptions = buildVerificationOptions();
            NodeList nl = getNodeList(source);
            List<XAdESVerificationResult> result = new ArrayList<>();
            // Verify every Signature element in the document (a wsse:Security header normally carries one).
            for (int i = 0; i < nl.getLength(); i++) {
                Element sigElement = (Element) nl.item(i);
                try {
                    result.add(verifier.verify(sigElement, sigOptions));
                } catch (InvalidSignatureException | CertificateValidationException e) {
                    // Fail closed: a bad signature aborts processing instead of being left out of the list.
                    throw new XmlValidationException("Signature " + i + " failed verification", e);
                }
            }
            return result;
        } catch (XAdES4jException | TransformerException e) {
            throw new XmlValidationException("Unable to verify the document's signatures", e);
        }
    }

    private XadesVerifier buildVerifier() throws XadesProfileResolutionException {
        CertificateValidationProvider certValidationProvider = getAlwaysOkCertificateValidator();
        XadesVerificationProfile p = new XadesVerificationProfile(certValidationProvider);
        return p.newVerifier();
    }

    // WARNING: trusts whatever certificate the signer put in KeyInfo, so a verified result only proves
    // the message was signed with that key. Anyone can do that with a self-made certificate; chain to
    // your own trust anchors before relying on this.
    private CertificateValidationProvider getAlwaysOkCertificateValidator() {
        return (certSelector, validationDate, otherCerts) ->
                new ValidationData(Collections.singletonList(certSelector.getCertificate()));
    }

    private SignatureSpecificVerificationOptions buildVerificationOptions() {
        SignatureSpecificVerificationOptions sigOptions = new SignatureSpecificVerificationOptions();
        // The References target wsu:Id attributes, which a plain DOM does not treat as IDs, so the default
        // fragment resolver cannot find them. IdAttrNameResourceResolver is the answerer's own
        // ResourceResolverSpi (not included in the post) that resolves "#id" by attribute name.
        sigOptions.useResourceResolver(new ResourceResolver(new IdAttrNameResourceResolver()));
        return sigOptions;
    }

    private NodeList getNodeList(Source source) throws TransformerException {
        // Equivalent to the XPath "//ds:Signature": every Signature element in the XML-DSig namespace,
        // regardless of the prefix (the header in the question uses the default namespace).
        return asDom(source).getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    }

    // Materialises the Source as a DOM with external DTD access disabled (XXE hardening).
    private static Document asDom(Source source) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        DOMResult result = new DOMResult();
        tf.newTransformer().transform(source, result);
        return (Document) result.getNode();
    }
}
Also, if you want to extract the certificate information, you need to integrate with the certificate entity and change the CertificateValidationProvider implementation.
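The always-OK provider in the answer above returns whatever certificate the signer embedded in KeyInfo, so a passing verification only proves that the message was signed with the key in that certificate, not that the certificate belongs to the expected server; anyone can produce such a response with a self-made certificate. The following is an added example (not code from the original answer) of the replacement the answer alludes to: xades4j's own PKIXCertificateValidationProvider, which builds a certification path from the signing certificate to trust anchors you supply and optionally checks CRLs. The class name TrustedSignatureVerifier, the trust-store and CRL file paths, and the xades4j 1.x constructor form (trust anchors, revocationEnabled, CertStore...) are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.w3c.dom.Element;
import xades4j.XAdES4jException;
import xades4j.providers.CertificateValidationProvider;
import xades4j.providers.impl.PKIXCertificateValidationProvider;
import xades4j.utils.XadesProfileResolutionException;
import xades4j.verification.SignatureSpecificVerificationOptions;
import xades4j.verification.XAdESVerificationResult;
import xades4j.verification.XadesVerificationProfile;
import xades4j.verification.XadesVerifier;

/**
 * Builds an xades4j verifier that accepts only signing certificates chaining to the CA
 * certificates in a trust store. Added example; the class and its parameters are hypothetical.
 */
public class TrustedSignatureVerifier {

    private final XadesVerifier verifier;

    /**
     * @param trustStorePath PKCS12 store holding only the CA certificates you trust
     *                       (hypothetical path, e.g. "efa-ca-truststore.p12")
     * @param storePassword  password of that store
     * @param crlPaths       DER-encoded CRLs for those CAs; pass an empty list to skip revocation checking
     */
    public TrustedSignatureVerifier(Path trustStorePath, char[] storePassword, List<Path> crlPaths)
            throws GeneralSecurityException, IOException, XadesProfileResolutionException {
        KeyStore trustAnchors = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustAnchors.load(in, storePassword);
        }

        // CRLs reach the JCA PKIX path builder through a Collection CertStore.
        List<X509CRL> crls = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Path crlPath : crlPaths) {
            try (InputStream in = Files.newInputStream(crlPath)) {
                crls.add((X509CRL) cf.generateCRL(in));
            }
        }
        CertStore crlStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));

        // Assumed xades4j 1.x constructor: (trustAnchors, revocationEnabled, intermediate certs and CRLs...).
        // With revocation enabled, a certificate whose issuer has no usable CRL fails validation (fail closed).
        boolean checkRevocation = !crls.isEmpty();
        CertificateValidationProvider certValidator =
                new PKIXCertificateValidationProvider(trustAnchors, checkRevocation, crlStore);

        this.verifier = new XadesVerificationProfile(certValidator).newVerifier();
    }

    /**
     * Verifies one Signature element and returns the signing certificate that xades4j chained to a
     * trust anchor. A bad signature or an untrusted/revoked certificate surfaces as an XAdES4jException
     * (InvalidSignatureException or CertificateValidationException); nothing is returned in that case.
     */
    public X509Certificate verifyAndGetSigner(Element signatureElement,
                                              SignatureSpecificVerificationOptions options)
            throws XAdES4jException {
        XAdESVerificationResult result = verifier.verify(signatureElement, options);
        return result.getValidationCertificate();
    }
}
```

Pass the SignatureSpecificVerificationOptions built in the answer (with its custom resource resolver) as the second argument, so the wsu:Id references still resolve; the returned certificate is the one to compare against the server identity you expect, which is the "certificate information" the answer says you need to extract.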