Getting an X509Certificate from the SOAP security header



Problem description


Hello, everybody!

I have a simple stub client for the CXF web service (Spring app). It uses a WSS4JOutInterceptor with action = "Signature", so the SOAP request message (header) is:

Content-Type: text/xml; charset=UTF-8
Accept: */*
SOAPAction: ""
User-Agent: Apache CXF 2.4.3
Cache-Control: no-cache
Pragma: no-cache
Host: 127.0.0.1:8888
Connection: keep-alive
Content-Length: 1890

  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" />
           </ds:CanonicalizationMethod>
           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
           <ds:Reference URI="#id-1">
              <ds:Transforms>
                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" />
                 </ds:Transform>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
              <ds:DigestValue>RJhc1ZVjXdUQEIwLTH356p7H0QY=</ds:DigestValue>
           </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>F0q0NV7kaSbAcsLHxVpYD1bQ1RAJcw6wPapDKAM9PIcs7EuS9S5PlE4cQMfAp1WgsKa91r3op1OQ5UrYmmdj/UneYawdPIYSaoFBGjndTXZnOCKp4YfRTQGZ2EVJRFHJbPsTsqHedPAyJLHhciViguTGeuA0hZAQN97KB/9ZLmY=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-92A4EB90A2868689DC13289669720792">
           <wsse:SecurityTokenReference wsu:Id="STR-92A4EB90A2868689DC13289669720823">
              <ds:X509Data>
                 <ds:X509IssuerSerial>
                    <ds:X509IssuerName>CN=1,OU=1,O=1,L=1,ST=1,C=RU</ds:X509IssuerName>
                    <ds:X509SerialNumber>1328891280</ds:X509SerialNumber>
                 </ds:X509IssuerSerial>
              </ds:X509Data>
           </wsse:SecurityTokenReference>
        </ds:KeyInfo>
     </ds:Signature>
  </wsse:Security>
  </soap:Header>

Can I somehow create a certificate from this data? There is no data about validity dates or a public key. Maybe there is a way to insert a certificate inside a header (not via a Reference/SecurityTokenReference tag)?

Progress:

I've read that to embed a certificate into a request you need to use <entry key="signatureKeyIdentifier" value="DirectReference"/>. So the request changed to:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
     <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-A3BCFAE87E12A8813813289737654441"><!-- base64-encoded certificate omitted --></wsse:BinarySecurityToken>
     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" />
           </ds:CanonicalizationMethod>
           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
           <ds:Reference URI="#id-1">
              <ds:Transforms>
                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" />
                 </ds:Transform>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
              <ds:DigestValue>RJhc1ZVjXdUQEIwLTH356p7H0QY=</ds:DigestValue>
           </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>F0q0NV7kaSbAcsLHxVpYD1bQ1RAJcw6wPapDKAM9PIcs7EuS9S5PlE4cQMfAp1WgsKa91r3op1OQ5UrYmmdj/UneYawdPIYSaoFBGjndTXZnOCKp4YfRTQGZ2EVJRFHJbPsTsqHedPAyJLHhciViguTGeuA0hZAQN97KB/9ZLmY=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-A3BCFAE87E12A8813813289737654452">
           <wsse:SecurityTokenReference wsu:Id="STR-A3BCFAE87E12A8813813289737654483">
              <wsse:Reference URI="#X509-A3BCFAE87E12A8813813289737654441" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
           </wsse:SecurityTokenReference>
        </ds:KeyInfo>
     </ds:Signature>
  </wsse:Security>

Maybe it is simpler to get a certificate from that type of request. But how to do that?

Solution

The solution is to use the BinarySecurityToken element of the header:

import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.xml.soap.SOAPMessage;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Element;

SoapMessage soapMessage = (SoapMessage) message;
SOAPMessage doc = getSOAPMessage(soapMessage); // the interceptor's own SAAJ helper, as in the original answer

// wsse:Security header for the default (empty) actor
Element elem = WSSecurityUtil.getSecurityHeader(doc.getSOAPPart(), "");
// look the BinarySecurityToken up by name: getFirstChild() may return whitespace or a Timestamp instead
Element bstElem = WSSecurityUtil.getDirectChildElement(elem, WSConstants.BINARY_TOKEN_LN, WSConstants.WSSE_NS);
X509Security token = new X509Security(bstElem);

// build the X509Certificate from the base64-decoded DER bytes of the token
ByteArrayInputStream in = new ByteArrayInputStream(token.getToken());
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) certFactory.generateCertificate(in);

As you can see, you also need to use the org.apache.ws.security package.
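As an added illustration (not code from the question, the answer, or CXF/WSS4J), the following stdlib Python walks the second request's header the way a receiver should: it follows the Signature's KeyInfo/SecurityTokenReference/Reference to the BinarySecurityToken with the matching wsu:Id, checks the token's ValueType and EncodingType, and base64-decodes it into the DER bytes that the answer's CertificateFactory consumes. The sample envelope and its token body are constructed placeholders; the first request's X509IssuerSerial form is reported as "no embedded token".

```python
import base64
import xml.etree.ElementTree as ET

NS = {  # namespaces used in the WS-Security header shown in the question
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

def extract_signing_token(envelope_xml):
    """Return (wsu:Id, DER bytes) of the BinarySecurityToken the Signature's KeyInfo points at."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header")
    # Follow KeyInfo -> SecurityTokenReference -> Reference instead of taking the header's first
    # child: that may be whitespace or a Timestamp, and an unreferenced token is not the signer's.
    ref = security.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is None:
        # The X509IssuerSerial form of the first request carries no certificate at all; the
        # receiver has to look it up in its own keystore by issuer name and serial number.
        raise ValueError("KeyInfo does not reference an embedded BinarySecurityToken")
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are supported: %r" % uri)
    wsu_id = "{%s}Id" % NS["wsu"]
    for bst in security.findall("wsse:BinarySecurityToken", NS):
        if bst.get(wsu_id) == uri[1:]:
            break
    else:
        raise ValueError("no BinarySecurityToken with wsu:Id %s" % uri[1:])
    if bst.get("ValueType") != X509V3 or bst.get("EncodingType") != BASE64:
        raise ValueError("token is not a base64-encoded X509v3 certificate")
    # validate=True rejects stray characters instead of silently skipping them
    return uri[1:], base64.b64decode((bst.text or "").strip(), validate=True)

# Constructed sample (not the page's message); the token body is a placeholder, not a certificate.
SAMPLE = (
    '<soap:Envelope xmlns:soap="%(soap)s"><soap:Header>'
    '<wsse:Security xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" soap:mustUnderstand="1">'
    '<wsse:BinarySecurityToken EncodingType="%(b64)s" ValueType="%(x509)s" wsu:Id="X509-1">'
    '%(body)s</wsse:BinarySecurityToken><ds:Signature xmlns:ds="%(ds)s" Id="SIG-2"><ds:KeyInfo>'
    '<wsse:SecurityTokenReference><wsse:Reference URI="#X509-1" ValueType="%(x509)s"/>'
    '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soap:Header>'
    '<soap:Body/></soap:Envelope>'
) % dict(NS, b64=BASE64, x509=X509V3, body=base64.b64encode(b"DER-PLACEHOLDER").decode())
```

A certificate carried inside the message is supplied by the sender, so after decoding it the receiver still has to check its validity period and chain it to a configured trust store (WSS4J's Crypto does this during signature verification) before treating the signature as authenticated.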


08-27 06:01