2

我正处于使用wss4j签署 SOAP 文档的痛苦之中。我希望我的看起来像fig.1。但是,它会像图 2 一样出现。也就是说,图 1有一个 ,它指向文档的 BinarySecurityToken。而图 2有一个 ,它引用了用于签署文档的原始证书。

A) 现在,BinarySecurityToken是提供者端使用的二进制值,用于在其密钥库中定位相应的证书链(用于验证消息)。

B)我相信SecurityTokenReference用于引用包含应该用于验证签名的公钥的二进制安全令牌。所以看起来我的挑战是让fig.2中的指针看起来像fig.1

这个对吗?如果是这样,wss4j中可以做到这一点的开关是什么?生成fig.2的代码在fig.3(Clojure 代码)中。到目前为止,我一直在挖掘 wss4j 源代码以供参考(ReferenceTest.javaSecurityTokenReferenceTest.javaSignatureTest.java)。

        <wsse:SecurityTokenReference wsu:Id="STRId-A96305E32CE45DAB06139999212441542" 
                                     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
           <wsse:Reference URI="#CertId-A96305E32CE45DAB06139999212441540"   <!-- this points to <wsse:BinarySecurityToken> -->
                                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> 
        </wsse:SecurityTokenReference>

图。1

        <wsse:SecurityTokenReference wsu:Id="STR-f9837b22-c073-45d2-92d0-2df67e823b2e"> 
          <ds:X509Data> 
            <ds:X509IssuerSerial> 
              <ds:X509IssuerName>CN=*.***.com,O=<org>,L=<city>,ST=<state>,C=<country>
              </ds:X509IssuerName> 
              <ds:X509SerialNumber><some-value> 
              </ds:X509SerialNumber> 
            </ds:X509IssuerSerial> 
          </ds:X509Data> 
        </wsse:SecurityTokenReference>

图2

  (defn sign-soap [soap-string]                                                                                                                                                                                                      

    (let [                                                                                                                                                                                                                           
          ;; ===> pull in keystore & cerificate                                                                                                                                                                                      
          ks (ks/keystore)                                                                                                                                                                                                           
          _ (ks/import-cert ks "server" (slurp "<mykeystore>"))                                                                                                                                                             

          cert (.getCertificate ks "server")                                                                                                                                                                                         
          keyEntry (.getEntry ks "server" nil)                                                                                                                                                                                       


          ;; ===> set Certificate on the signature object                                                                                                                                                                            
          builder (WSSecSignature.)                                                                                                                                                                                                  
          _ (.setX509Certificate builder cert)                                                                                                                                                                                       



          ;; ===> insert security header into the document                                                                                                                                                                           
          docu (soap/to-w3c-document soap-string)                                                                                                                                                                                    

          secHeader (WSSecHeader.)                                                                                                                                                                                                   
          _ (.insertSecurityHeader secHeader docu)                                                                                                                                                                                   


          ;; ===>                                                                                                                                                                                                                    
          crypto (CryptoFactory/getInstance)                                                                                                                                                                                         


          bst (X509Security. docu)                                                                                                                                                                                                   
          cryptoType (CryptoType. org.apache.wss4j.common.crypto.CryptoType$TYPE/ALIAS)                                                                                                                                              
          _ (.setAlias cryptoType "mykey")                                                                                                                                                                                           


          certs (.getX509Certificates crypto cryptoType)                                                                                                                                                                             
          _ (.setX509Certificate bst (first (seq certs)))                                                                                                                                                                            
          _ (WSSecurityUtil/prependChildElement                                                                                                                                                                                      
             (.getSecurityHeader secHeader)                                                                                                                                                                                          
             (.getElement bst))                                                                                                                                                                                                      

          ;; ===>                                                                                                                                                                                                                    
          timestamp (WSSecTimestamp.)                                                                                                                                                                                                
          _ (.setTimeToLive timestamp 300)                                                                                                                                                                                           

          createdDoc (.build timestamp docu secHeader)                                                                                                                                                                               


          ;; ===>                                                                                                                                                                                                                    
          encTimestamp (WSEncryptionPart. "Timestamp" WSConstants/WSU_NS "")                                                                                                                                                         
          encBody (WSEncryptionPart. "Body" "http://schemas.xmlsoap.org/soap/envelope/" "")                                                                                                                                          
          parts (ArrayList.)                                                                                                                                                                                                         
          _ (.add parts encTimestamp)                                                                                                                                                                                                
          _ (.add parts encBody)                                                                                                                                                                                                     
          _ (.setParts builder parts)                                                                                                                                                                                                

          _ (.setUserInfo builder "myusername" "mypassword")                                                                                                                                                                                

          signedDoc (.build builder createdDoc crypto secHeader)                                                                                                                                                                     

          secHeaderElement (.getSecurityHeader secHeader)                                                                                                                                                                            
          timestampNode (.. secHeaderElement (getElementsByTagNameNS WSConstants/WSU_NS "Timestamp") (item 0))                                                                                                                       
          _ (.setAttributeNS (cast Element timestampNode) WSConstants/XMLNS_NS "xmlns" WSConstants/WSU_NS)                                                                                                                           

          wss (XMLUtils/PrettyDocumentToString signedDoc)]                                                                                                                                                                           

      wss))

图3

4

2 回答 2

3

好的,在签署 SOAP 消息期间在相邻的 SO 问题WSS4j 元素顺序中找到了答案。

所以这个用户在问一个不同的问题时,有一个代码示例可以满足我的需要。特别是对builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE). 我喜欢 StackOverflow :)

builder.setX509Certificate(signingCert);
builder.setUserInfo(alias, new String(passphrase));
builder.setUseSingleCertificate(true);
builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
于 2014-05-19T18:33:30.460 回答
0

使用 wss4j AbstractWSS4JInterceptor 的任何实现,可以使用以下任一方法将键标识符设置为直接引用:

this.setProperty(WSHandlerConstants.ENC_KEY_ID, "DirectReference");
this.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
于 2019-10-01T07:12:22.320 回答