堆棧內存溢出
  簡體   English   中英

WSS4j元素在簽名SOAP消息期間排序

[英]WSS4j elements order during signing SOAP message

 原文  2012-12-27 12:14:03       java/ web-services/ ws-security

問題描述

我正在用Java實現Web服務客戶端,它使用wss4j 1.6.8進行WS-Security(為了更加精確,我需要簽署SOAP消息)。 服務器端要求請求具有以下結構: 

<Envelope>
    <Header>
        <wsse:Security mustUnderstand="1">
            **<wsu:Timestamp wsu:Id="Timestamp-913ca68e-05ed-44e1-9d6c-b2f293da5a1d">
                <wsu:Created>2012-12-21T11:37:31Z</wsu:Created>
                <wsu:Expires>2012-12-21T11:42:31Z</wsu:Expires>
            </wsu:Timestamp>**
            <wsse:BinarySecurityToken>
                MIID2jCCAsKg...
            </wsse:BinarySecurityToken>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <Reference URI="#Timestamp-913ca68e-05ed-44e1-9d6c-b2f293da5a1d">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <DigestValue>jdVY1HaDLusqO9UcxASE/GQHxyo=</DigestValue>
                    </Reference>
                    <Reference URI="#Body-e344eef1-2d8a-42d0-8a30-361ee61a8617">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <DigestValue>L60mQelZERvXgLEgWlW50uJNqEA=</DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue>
                    NmgACUqrYYc/Kp/F...
                </SignatureValue>
                <KeyInfo>
                    <wsse:SecurityTokenReference xmlns="">
                        <wsse:Reference URI="#SecurityToken-3f054298-711c-4090-95c3-105e1093f3ba" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                    </wsse:SecurityTokenReference>
                </KeyInfo>
            </Signature>
        </wsse:Security>
    </S:Header>
    <S:Body>
        Body content...
    </S:Body>
</Envelope>

我的解決方案簽署了文檔(body和timestamp元素)但由於某種原因wss4j將timestamp元素放在該部分的底部,在<wsse:BinarySecurityToken><Signature>元素之后出錯了。 請查看簽約工作的來源: 

 public static SOAPMessage signSoapMessage(SOAPMessage message, PrivateKey signingKey, X509Certificate signingCert, char[] passphrase) throws WSSecurityException {

    final String alias = "signingKey";
    final int signatureValidityTime = 3600; // 1hour in seconds

    WSSConfig config = new WSSConfig();
    config.setWsiBSPCompliant(false);

    WSSecSignature builder = new WSSecSignature(config);

    builder.setX509Certificate(signingCert);
    builder.setUserInfo(alias, new String(passphrase));
    builder.setUseSingleCertificate(true);
    builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);

    try {
        Document document = DanskeUtils.toDocument(message);
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.setMustUnderstand(true);
        secHeader.insertSecurityHeader(document);

        WSSecTimestamp timestamp = new WSSecTimestamp();
        timestamp.setTimeToLive(signatureValidityTime);
        document = timestamp.build(document, secHeader);

        List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
        WSEncryptionPart timestampPart = new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, "");
        WSEncryptionPart bodyPart = new WSEncryptionPart(WSConstants.ELEM_BODY, WSConstants.URI_SOAP11_ENV, "");
        parts.add(timestampPart);
        parts.add(bodyPart);
        builder.setParts(parts);

        Properties properties = new Properties();
        properties.setProperty("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
        Crypto crypto = CryptoFactory.getInstance(properties);
        KeyStore keystore = KeyStore.getInstance("JKS");
        keystore.load(null, passphrase);
        keystore.setKeyEntry(alias, signingKey, passphrase, new Certificate[]{signingCert});
        ((Merlin) crypto).setKeyStore(keystore);
        crypto.loadCertificate(new ByteArrayInputStream(signingCert.getEncoded()));

        document = builder.build(document, crypto, secHeader);
        return Utils.updateSoapMessage(document, message);
    } catch (Exception e) {
        throw new WSSecurityException(WSSecurityException.Reason.SIGNING_ISSUE, e);
    }
}

你能幫我澄清一下如何在簽署文件之前改變元素的順序嗎? 謝謝!

2 個解決方案

解決方案1
 1  2013-10-24 08:40:17

WS-SEC規范說:“當元素被添加到標題塊時,它們應該被添加到現有元素之前。”

因此,如果您首先添加時間戳,它將位於ws-header中的任何現有子元素之上。 由於您在添加timstamp后簽名消息,因此簽名信息將再次預先添加到標頭中,因此它將顯示在timestamp元素上方。

如果您需要將timestamp元素顯示在最頂層,請將其作為最終進程添加到標頭中

解決方案2
 0  2017-05-18 19:48:57

構建簽名后,您可以添加以下行: 

timestamp.prependToHeader(secHeader);

它會將timestamp元素放在BinarySecurityToken元素之上。

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 在Java中使用WSS4j簽名肥皂消息 使用WSS4J簽名SOAP消息 有沒有辦法在使用 WS-SecurityPolicy 方法時添加 WSS4J 攔截器來簽署 SOAP 請求? 首次簽名后,Coldfusion WSS4J Java肥皂簽名者證書消失了 使用 CXF 和 WSS4J for X509Certificate 的 SOAP WsSecurity 數字簽名 Signing SOAP header using Wss4j in Spring throwing errors “Caused by: java.security.UnrecoverableKeyException: Given final block not properly padded” 如何使用WSS4J對SOAP進行簽名來更正SecurityTokenReference 使用 WSS4J (SOAP) 在 CXF WebServices 中實現身份驗證 wss4j:1.6.5 - 將 BinarySecurityToken 添加到 SOAP 請求 簽署請求后,Java WSS4J證書從密鑰庫中消失
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM