我在验证 SOAP 消息时间戳和正文时遇到问题。
在开始编写任何代码之前,我试图自己验证它,这些是我验证时间戳所遵循的步骤:
1)提取时间戳标签,添加任何使用的命名空间并将其写入文件:
<u:Timestamp u:Id="uuid-cd1febd3-a76a-4148-8a3e-367aee62293d-1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<u:Created>2009-11-11T17:37:49.000Z</u:Created>
<u:Expires>2009-11-11T17:42:49.000Z</u:Expires>
</u:Timestamp>
2) 使用 xmllint 对其进行规范化
xmllint --exc-c14n timestamp.xml > timestamp.ext-c14n.xml
3) 使用 openssl 获取文件的 SHA-1 摘要
openssl sha1 timestamp.ext-c14n.xml
4)uudecode时间戳参考(jGZkqCNLTnUfbdpoFn19LSYkhts=)的base64 DigestValue并用十六进制编辑器打开
5) DigestValue的二进制值与规范化 xml 片段的 sha1 不同。
我究竟做错了什么?
这是完整的 SOAP 请求:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<u:Timestamp u:Id="uuid-cd1febd3-a76a-4148-8a3e-367aee62293d-1">
<u:Created>2009-11-11T17:37:49.000Z</u:Created>
<u:Expires>2009-11-11T17:42:49.000Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" u:Id="uuid-ff111e4e-b184-493f-a3a7-1cb85013440a-2">MIIB/TCCAWagAwIBAgIQx9PrVMJZiohOMYoubtFJ4jANBgkqhkiG9w0BAQQFADAVMRMwEQYDVQQDEwpSb290Q0FUZXN0MB4XDTA5MTEwNTE1NTAzN1oXDTM5MTIzMTIzNTk1OVowGTEXMBUGA1UEAxMOdGVtcENlcnRDbGllbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPXXm8nHsKY7jDaAJ2MVtgj0vd15D4kAFCVrflAGCBDGxku1zVGgTppv8n7i2nJLoXkMpi4HSj9+ci78YMQOKeRq0uIN3AV39hQbjjf5RkV7QY0PYprKYcVKZrWa/LYesI4jYz+ULDnpF7Q2Euk2XFYVLTWPaWU/Zys9K1wNT/n/AgMBAAGjSjBIMEYGA1UdAQQ/MD2AEHNg0Im3hcyQVTxOx1KtRZmhFzAVMRMwEQYDVQQDEwpSb290Q0FUZXN0ghDPzOoIMA8Rkkur9od1bScFMA0GCSqGSIb3DQEBBAUAA4GBAHeTK0GedKo51ZplEfAL+7+NqU5YL9yPhyGqeMUtNBJBJUdbXfvKMZNN+wMHG72boM0HV9jiSKgdjdFDaQ5cLrpLMc48wPs+PPK4KCZynQ/qBCj91w8Vvsprk4EwjGKROGeFhq8FOO8nwukKj1dMCZWELqOPutHjAKgtKpYu4zyt</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>GFOHIzFb+GV4fj8/sGWx2J5U7ag=</DigestValue>
</Reference>
<Reference URI="#uuid-cd1febd3-a76a-4148-8a3e-367aee62293d-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>jGZkqCNLTnUfbdpoFn19LSYkhts=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Q6TsGUPlgzfvoh4obnpwTIM5+rG/MynC4Pr8DDkpsClkUBM4+VrR0i7bHdM51779lbLzqj01W1H3GfNehVKxwAi0c0aAKlcVUm0i3PeA2NzmdTPRHy6tHmX2yyLC5TDjhA+jmqRoU/VlWhShD7Komm/9zsyDhQKF4M92rPUo0To=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-ff111e4e-b184-493f-a3a7-1cb85013440a-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_1">
<sayHello xmlns="urn:iPhone.Server"></sayHello>
</s:Body>
</s:Envelope>