2

我正在尝试对 SOAP 消息进行签名和加密,但出现此错误 -

签名或解密无效;嵌套异常是:javax.crypto.BadPaddingException:未知块类型

由于签名方法中没有明确提到填充,我假设这是加密方法中的错误。

这是我的密钥加密方法:

private String encryptKey(PublicKey pubKey, SecretKey symKey) {
    try {
        final Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        cipher.init(Cipher.ENCRYPT_MODE, pubKey);
        final byte[] encryptedKey = cipher.doFinal(symKey.getEncoded());
        BASE64Encoder b64 = new BASE64Encoder();
        return b64.encode(encryptedKey);
    } ...

并且body的加密工作类似(String s是soap body转换为字符串)

private String createEncryptedData(Key key, String s) {
    try {
        final Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        final byte[] encryptedData = cipher.doFinal(s.getBytes(StandardCharsets.UTF_8));
        BASE64Encoder b64 = new BASE64Encoder();
        return b64.encode(encryptedData);
    }
    catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException | BadPaddingException e) {
        e.printStackTrace();
        throw new IllegalStateException(
                "Java runtime does not support AES/CBC/PKCS5Padding (128)", e);
    }
}

我发现了这篇文章 - javax.crypto.BadPaddingException: unknown block type where conversion to string is known as an issue, 但我不知道如何在消息中发送 byte[] ......我试过了

byte[] encodedData = Base64.getEncoder().encode(encryptedData);

然后我在我的soap消息中传递了那个字节[](看起来像这样[B@6bf256fa),它给了我另一个错误decode.divisible.four。所以我想这不是合适的方法。

PFB 我的全部要求

      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:cdb="http://cdb.services.np.aek.seavus.com/"
    xmlns:sch="http://www.devoteam.com/a1/mk/np/schema">
    <soapenv:Header xmlns="http://www.w3.org/2005/08/addressing">
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509Token">MIIBwDCCASmgAwIBAgIENDDwzTANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDDAh2aXBfdGVzdDAeFw0yMDA0MjEwODU1NTZaFw0zMDA0MTkwODU1NTZaMBMxETAPBgNVBAMMCHZpcF90ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCe4AdGqUfUtsWfuwedrV8e0+rMC+nPM/kfeDcdvqXYEijIf5+BEKL/MU/WEq5LhQKPrOk1LIJPCwTT1lUwmBLQ9Q1aOd1ZrFVDTkk+RbUmeu6lst+FskJZm8G6rqAvERQEDR2TUCmNpeCHQ8nX80/ZpnUKAtIafSlw2BDoszrS4wIDAQABoyEwHzAdBgNVHQ4EFgQUrSuQYeUEdhMQrdbLHAfb/uBwhxMwDQYJKoZIhvcNAQEFBQADgYEANWPBnmmfbVgYlKr5TS53NT4CJZjry9bVivEcBCkopYdDZo2vg9N/HgSGPULGRYgcQM61+3l2cv1s+5XyNpceXaDHBcT7CQQa8kOR5WSd3vybQybgECwm1MWQZBxZqzD/piI1wDdbn1oUNlCL4bK61vjcoxah5VhRZwvsAum5jBQ=</wsse:BinarySecurityToken>
            <wsu:Timestamp wsu:Id="TS-1beccd19-ec76-4011-b72c-4c204c6439b5">
                <wsu:Created>2021-05-05T15:08:37</wsu:Created>
                <wsu:Expires>2021-05-05T15:09:07</wsu:Expires>
            </wsu:Timestamp>
            <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-1beccd19-ec76-4011-b72c-4c204c6439b5">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference>
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=CDB</ds:X509IssuerName>
                                <ds:X509SerialNumber>1376307457</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>FaGhWE+rwBMqUnpMe5qh2n9X3bQYy8CDYCWjRFbfFsYBHso5jYSmwlX/Se4q3nFGABxkKcQlVY1ziiqxDoW2igw5W3M4mu2mk/togAPblhj+ZiAOXVBBYCc+HIbcWdipi96tSRCR0qLSd81obNA39hm6dZ4dvFOeBFzEjWFC9r8=</xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                    <xenc:DataReference URI="#ED-1beccd19-ec76-4011-b72c-4c204c6439b5"/>
                </xenc:ReferenceList>
            </xenc:EncryptedKey>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#TS-1beccd19-ec76-4011-b72c-4c204c6439b5">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>dLT1OJDkyihjpBWglsiV3ScW/l0=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#Body-1beccd19-ec76-4011-b72c-4c204c6439b5">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>736yosC1DeVBYsHfDiiSlfQOBGg=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>kiPjx+N9WUJgXWtxPeFFM0GsK8AaQttpxC0hrZPFjGUYLj8S5fM0Eqp5DZPbRigRgbBw5GOmvZkV5wnrdu1IicRajxSYFbo3QVk8A/p5gb6u8E8F/igE0Vrsmg+krdHISWwplmSBzC2yFawh8A4YdLV2g0Ig3z0E7RBHjl2nay0=</ds:SignatureValue>
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference>
                        <wsse:Reference URI="#X509Token"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
            <wsa:Action xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                xmlns:wsa="http://www.w3.org/2005/08/addressing" soap:mustUnderstand="1">http://cdb.services.np.aek.seavus.com/AssignedSubscriberNumber_WS/GetAllAssignedSeries</wsa:Action>
            <wsa:MessageID xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                xmlns:wsa="http://www.w3.org/2005/08/addressing" soap:mustUnderstand="1">uuid:048add69-81ff-4112-9798-7dbca65b39bb</wsa:MessageID>
            <wsa:To xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                xmlns:wsa="http://www.w3.org/2005/08/addressing" soap:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-1beccd19-ec76-4011-b72c-4c204c6439b5">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-1beccd19-ec76-4011-b72c-4c204c6439b5" Type="http://www.w3.org/2001/04/xmlenc#Content">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
                    <wsse:Reference URI="#EK-1beccd19-ec76-4011-b72c-4c204c6439b5"/>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>Vk8ZqEmybLVqf4nd/gbw0KKss60BgbgNZHCg8/NSijU=</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </soapenv:Body>
</soapenv:Envelope>

先感谢您!

4

1 回答 1

0

所以,对于所有有同样问题的人来说,这就是我的问题的根本原因——操作顺序!

我确信,首先,我们需要对整个消息进行加密,然后对它进行“最后的润色”。此外,我的一位资深同事证实,必须这样做。老实说,我在任何地方都没有找到这些信息!人们要么签署消息要么加密它,没有人同时做这两个(我搜索了一个looooot!)

顺序应该是:

  • 签约
  • 加密
于 2021-10-11T20:32:15.963 回答