65

我正在尝试使用 python 使用证书签署 SOAP 请求。我Signature用 py-wsse 尝试过 python-zeep 及其方法和泡沫。两者都没有给我预期的结果。

Zeep给了我:

<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <soap-env:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
               <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
               <Reference URI="#id-2790286f-721f-4f62-88bf-7e6b1f160e09">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <DigestValue>DATA</DigestValue>
               </Reference>
               <Reference URI="#id-597e9b96-07e2-4ee8-9ba8-071d97851456">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <DigestValue>DATA</DigestValue>
               </Reference>
            </SignedInfo>
            <SignatureValue>DATA</SignatureValue>
            <KeyInfo>
               <wsse:SecurityTokenReference>
                  <X509Data>
                     <X509IssuerSerial>
                        <X509IssuerName>DATA</X509IssuerName>
                        <X509SerialNumber>DATA</X509SerialNumber>
                     </X509IssuerSerial>
                     <X509Certificate>DATA</X509Certificate>
                  </X509Data>
               </wsse:SecurityTokenReference>
            </KeyInfo>
         </Signature>
         <wsu:Timestamp wsu:Id="id-597e9b96-07e2-4ee8-9ba8-071d97851456">
            <wsu:Created>2017-10-27T09:41:01+00:00</wsu:Created>
            <wsu:Expires>2017-10-27T10:41:01+00:00</wsu:Expires>
         </wsu:Timestamp>
      </wsse:Security>
   </soap-env:Header>
   <soap-env:Body wsu:Id="id-2790286f-721f-4f62-88bf-7e6b1f160e09">
      <wst:RequestSecurityToken>
         <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
         <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
      </wst:RequestSecurityToken>
   </soap-env:Body>
</soap-env:Envelope>

而 suds python-wsse 给出:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
   <soapenv:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="id-86d39619-2654-4e09-a1bc-40e2822bf1c9">DATA</wsse:BinarySecurityToken>
         <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <wsse:SecurityTokenReference wsse:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
                  <wsse:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#id-86d39619-2654-4e09-a1bc-40e2822bf1c9" />
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
               <xenc:CipherValue>DATA</xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList>
               <xenc:DataReference URI="#id-a14b401f-8353-46d6-a607-92ef23caca1e" />
            </xenc:ReferenceList>
         </xenc:EncryptedKey>
         <wsu:Timestamp>
            <wsu:Created>2017-10-27T11:20:16.301Z</wsu:Created>
            <wsu:Expires>2017-10-27T13:20:26.301Z</wsu:Expires>
         </wsu:Timestamp>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Type="http://www.w3.org/2001/04/xmlenc#Element" ns0:Id="id-a14b401f-8353-46d6-a607-92ef23caca1e">
         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
         <xenc:CipherData>
            <xenc:CipherValue>DATA</xenc:CipherValue>
         </xenc:CipherData>
      </xenc:EncryptedData>
   </soapenv:Body>
</soapenv:Envelope>

但是,我需要一个看起来更像是两者混合的请求:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
   <soapenv:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-B0D6288D1BAB6D839515090888163762">DATA</wsse:BinarySecurityToken>
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-B0D6288D1BAB6D839515090888164186">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenv wst" />
               </ds:CanonicalizationMethod>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
               <ds:Reference URI="#TS-B0D6288D1BAB6D839515090888163021">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soapenv wst" />
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <ds:DigestValue>DATA</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#id-B0D6288D1BAB6D839515090888164135">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wst" />
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <ds:DigestValue>DATA</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#X509-B0D6288D1BAB6D839515090888163762">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" />
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <ds:DigestValue>DATA</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>DATA</ds:SignatureValue>
            <ds:KeyInfo Id="KI-B0D6288D1BAB6D839515090888164053">
               <wsse:SecurityTokenReference wsu:Id="STR-B0D6288D1BAB6D839515090888164074">
                  <wsse:Reference URI="#X509-B0D6288D1BAB6D839515090888163762" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
         <wsu:Timestamp wsu:Id="TS-B0D6288D1BAB6D839515090888163021">
            <wsu:Created>2017-10-27T07:20:16.301Z</wsu:Created>
            <wsu:Expires>2017-10-27T07:20:26.301Z</wsu:Expires>
         </wsu:Timestamp>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-B0D6288D1BAB6D839515090888164135">
      <wst:RequestSecurityToken>
         <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
         <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
      </wst:RequestSecurityToken>
   </soapenv:Body>
</soapenv:Envelope>

在 python 中有没有简单的方法来签署 SOAP 信封BinarySecurityToken?第一个和最后一个信封之间是否存在适当的差异,或者两者都有效?

4

1 回答 1

1

Chicklat它的 API 提供了两个示例(见底部)来解决这个问题。第一个使用 签署证书SecurityTokenReference,第二个使用 签署证书BinaryTokenReference。您不必依赖此 API,因为它需要支付许可费用,您可以这样做,但您可以使用替代库来执行此操作(在我发布替代方案的帖子下方)。这些示例是通过了解Chicklat API的执行方式并使用您的自定义方法来获得预期结果的良好起点。

在第一个示例中:

  • (#1) 加载了一个SOAP XML 模板,该模板将使用pfx证书和BinarySecurityToken;
  • (#2-3) pfx一个包含受密码保护的证书及其私钥的单个文件,被加载,然后通过提供密码作为输入来提取其私钥和内部证书,该密码是在颁发证书;
  • (#4) 从 pfx 文件中提取证书后,它是BASE64 编码的。在 XML 模板内部,BASE64_CERT被这个字符串替换为提供给的值wsse:BinarySecurityToken
  • (#5) 构建wsse:SecurityTokenReference XML。这个 XML 是一个KeyInfo一个包含您的证书私钥的存储,用于验证签名
  • (#6 )使用Chicklat XML Digital Signature Generator.

您可以使用第二个示例来调整第一个示例。这可以通过以下更改来完成:

  • 改变sbXml构建方式。示例 2从 开始chilkat.CkXml(),显示了一种方法和设置参数。输出 XML 结构将类似于要使用的此架构BinarySecurityToken
<?xml version="1.0" encoding="UTF-8"?>
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema">
   <S:Header>
      <To xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://XXXXXXXXX</To>
      <Action xmlns="http://www.w3.org/2005/08/addressing" S:mustUnderstand="true">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
      <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
         <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
      </ReplyTo>
      <FaultTo xmlns="http://www.w3.org/2005/08/addressing">
         <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
      </FaultTo>
      <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:e9033251-4ff0-4618-8baf-4952ab5fd207</MessageID>
      <wsse:Security S:mustUnderstand="true">
         <wsu:Timestamp xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" wsu:Id="_1">
            <wsu:Created>2018-05-23T02:38:27Z</wsu:Created>
            <wsu:Expires>2018-05-23T02:43:27Z</wsu:Expires>
         </wsu:Timestamp>
         <wsse:BinarySecurityToken xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="uuid_43470044-78b4-4b23-926a-b7f590d24cb8">MIIEIjCCAwqgAwIBAgIDAmCRMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYDVQQGEwJBVTElMCMGA1UEChMcQXVzdHJhbGlhbiBCdXNpbmVzcyBSZWdpc3RlcjEgMB4GA1UECxMXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxLTArBgNVBAMTJFRlc3QgQXVzdHJhbGlhbiBCdXNpbmVzcyBSZWdpc3RlciBDQTAeFw0xNzAzMDEwMzQyMTBaFw0xOTAzMDEwMzQyMTBaMFYxETAPBgNVBC4TCDIwMDgwMTYxMQswCQYDVQQGEwJBVTEUMBIGA1UEChMLOTYwODU1MjE2MDYxHjAcBgNVBAMTFUNPUlAgVEFYQVRJT04gTUFOQUdFUjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAs6zlEhQOOpPPXffUPgpmbPl6qtQ3QaYgYvSTGLOL2pxuwGlZc5oW93zTwh5yq0r5NAgouGx9Oo6pYBO/xEUst5g3VW5BmbuOyGk3UvKVLHTnWlt8KCaRwW/qOyya8ZYfJm8+OQHtmMZc0pjj/Pcn8lrN61BKyjAYwK3CTKa60gcCAwEAAaOCAUswggFHMAwGA1UdEwEB/wQCMAAwgewGA1UdIASB5DCB4TCB3gYJKiQBlzllAQcBMIHQMIGuBggrBgEFBQcCAjCBoRqBnlRoaXMgY2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgdXNlZCBmb3IgdGhlIHB1cnBvc2UgcGVybWl0dGVkIGluIHRoZSBhcHBsaWNhYmxlIENlcnRpZmljYXRlIFBvbGljeS4gTGltaXRlZCBsaWFiaWxpdHkgYXBwbGllcyAtIHJlZmVyIHRvIHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kuMB0GCCsGAQUFBwIBFhF3d3cudGVzdGFicmNhLmNvbTAXBgYqJAGCTQEEDRYLOTYwODU1MjE2MDYwDgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFI0lJ7xfoJpx55N3+bAZYiyZdlr9MA0GCSqGSIb3DQEBCwUAA4IBAQBQoYVRGRf3QIkxFa4ecI2Kxph5vrUuTdzIaDm+mCnHyaamnAbBH7WCPymuK+ZFQo1lWcyMzQpf7N/6/e0sZH3OD0JIuBF3AKQbvwVLfJ5x/Xu2Cz9ZAkkonL0wIXXAmGIPNjZD1WwzPUYbUuZw+GqOIeSOYitIuz7N3y6vKIgLLzghVAcXBPPuMqqcL/PwSIQ9LRTqa4zhNy2Bn+CwR9QanS6jGTXfpOmetsbRckE+WgCwzMz5iqgTrP8AYwsDYxFBdmktrO+u1V0PrESeZFTbToRs2UUtEaYowIDEb/6KqKJxs7AZN+Nt5r1RaOfbsr6KJDOS5K+VRRtjAGwcXBXN</wsse:BinarySecurityToken>
      </wsse:Security>
   </S:Header>
   <S:Body>
      <RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
         <RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</RequestType>
         <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
            <EndpointReference:EndpointReference xmlns:EndpointReference="http://www.w3.org/2005/08/addressing" xmlns="http://www.w3.org/2005/08/addressing">
               <Address>https://XXXXXXXXX/services</Address>
            </EndpointReference:EndpointReference>
         </wsp:AppliesTo>
         <TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>
         <Claims xmlns:i="http://schemas.xmlsoap.org/ws/2005/05/identity" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
            <i:ClaimType Optional="false" Uri="http://XXXXXXXXX/2008/06/identity/claims/abn" />
            <i:ClaimType Optional="false" Uri="http://XXXXXXXXX/2008/06/identity/claims/commonname" />
            <i:ClaimType Optional="false" Uri="http://XXXXXXXXX/2008/06/identity/claims/credentialtype" />
            <i:ClaimType Optional="false" Uri="http://XXXXXXXXX/2008/06/identity/claims/samlsubjectid" />
            <i:ClaimType Optional="false" Uri="http://XXXXXXXXX/2008/06/identity/claims/fingerprint" />
            <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/sbr_personid" />
            <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/givennames" />
            <i:ClaimType Optional="true" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
            <i:ClaimType Optional="true" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
            <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/credentialadministrator" />
            <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/stalecrlminutes" />
            <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/subjectdn" />
            <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/issuerdn" />
            <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/notafterdate" />
            <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/certificateserialnumber" />
            <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/previoussubject" />
         </Claims>
         <Lifetime>
            <wsu:Created>2018-05-23T02:38:27.906Z</wsu:Created>
            <wsu:Expires>2018-05-23T03:08:27.906Z</wsu:Expires>
         </Lifetime>
         <KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</KeyType>
         <KeySize>512</KeySize>
      </RequestSecurityToken>
   </S:Body>
</S:Envelope>
  • 您可以使用OpenSSL.crypto来管理提取私钥和证书的 pfx 文件;

  • 您可以使用SignXML进行XML Digital Signature生成。

from lxml import etree
from signxml import XMLSigner, XMLVerifier

data_to_sign = "<Test/>" // Your XML
root = etree.fromstring(data_to_sign)
signed_root = XMLSigner().sign(root, key=PRIVATE_KEY, cert=CERTIFICATE)
verified_data = XMLVerifier().verify(signed_root).signed_xml

参考例子

示例1使用 wsse:SecurityTokenReference 签署 SOAP XML

示例2使用 BinarySecurityToken 签名

于 2020-06-11T10:51:25.070 回答