时间戳

首页 > 解决方案 > 如何在 WSS4J 2.2.3 中启用 RSA15 传输算法?

java - 如何在 WSS4J 2.2.3 中启用 RSA15 传输算法?

问题描述

我正在将 SOAP Web 服务客户端升级到 JDK 11 和 WSS4J 2.2.3(不带 CXF/Spring)。Java 代码使用“独立”方法来处理加密,并且无法解密传入的响应,因为它是使用 RSA15 加密的。该算法在 2.0.0 版中默认禁用,但迁移指南建议可以通过将 WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM 属性设置为“true”来启用该算法。我怎样才能做到这一点??

我查看了 WSS4J 代码,可以看到 RequestData 对象是从 WSS4J 框架中的 WSSecurityEngine 类实例化的,我没有看到允许我将 allowRSA15KeyTransportAlgorithm 属性设置为“true”的挂钩。我已经能够在 eclipse 中设置一个断点并更改值以确保它按预期工作并且确实如此。我在网上搜索过,我发现最接近的是一个类似的问题,这里没有明显的答案Allow the RSA v1.5 Key Transport Algorithm for WildFly / JBossWS / CXF / WSS4J stack. 我试图将 WSS4J 恢复到允许该算法的版本 1.6,但随后它失败并出现不同的错误“WRONG_DOCUMENT_ERR:一个节点用于与创建它的文档不同的文档中”。这似乎在将 WSS4J 1.6 与任何版本的 jaxws(JDK 外部)一起使用时发生。我能想到解决这个问题的唯一方法是侵入 WSS4J 2.2.3 依赖项并将 RequestData 类中的属性默认设置为“true”,但我真的不想这样做。

private void inboundWSSConfig(SOAPMessageContext context, Crypto crypto) throws WSSecurityException{

    log.info("Inbound Message...");

    KeystoreCallbackHandler keystoreCallbackHandler = new KeystoreCallbackHandler();
    keystoreCallbackHandler.addUsers((String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.alias"), (String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.password"));

    WSSecurityEngine newEngine = new WSSecurityEngine();
    WSSConfig config = WSSConfig.getNewInstance();
    config.setValidator(WSConstants.SIGNATURE, new SignatureTrustValidator());
    newEngine.setWssConfig(config);

    newEngine.processSecurityHeader(context.getMessage().getSOAPPart(), null, keystoreCallbackHandler, crypto);
}

返回的错误信息是...

Jul 17, 2019 11:42:56 AM ensurebill.client.handler.HeaderHandler inboundWSSConfig
INFO: Inbound Message...
Jul 17, 2019 11:42:56 AM ensurebill.client.handler.HeaderHandler handleMessage
SEVERE: ERROR in handleMessage
org.apache.wss4j.common.ext.WSSecurityException: An error was discovered processing the <wsse:Security> header
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:131)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:90)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:168)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:127)
    at ensurebill.client.handler.HeaderHandler.inboundWSSConfig(HeaderHandler.java:160)
    at ensurebill.client.handler.HeaderHandler.handleMessage(HeaderHandler.java:61)
    at ensurebill.client.handler.HeaderHandler.handleMessage(HeaderHandler.java:1)
    at com.sun.xml.ws.handler.HandlerProcessor.callHandleMessageReverse(HandlerProcessor.java:311)
    at com.sun.xml.ws.handler.HandlerProcessor.callHandlersResponse(HandlerProcessor.java:184)
    at com.sun.xml.ws.handler.ClientSOAPHandlerTube.callHandlersOnResponse(ClientSOAPHandlerTube.java:133)
    at com.sun.xml.ws.handler.HandlerTube.processResponse(HandlerTube.java:144)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1117)
    at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1020)
    at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:989)
    at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:847)
    at com.sun.xml.ws.client.Stub.process(Stub.java:433)
    at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:161)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:62)
    at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:131)
    at com.sun.proxy.$Proxy33.callNotificationInquiry(Unknown Source)
    at ensurebill.client.swing.MenuItemListener.sendRequest(MenuItemListener.java:109)
    at ensurebill.client.swing.MenuItemListener.actionPerformed(MenuItemListener.java:92)
    at java.desktop/javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1967)
    at java.desktop/javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2308)
    at java.desktop/javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:405)
    at java.desktop/javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:262)
    at java.desktop/javax.swing.AbstractButton.doClick(AbstractButton.java:369)
    at java.desktop/javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:1020)
    at java.desktop/javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:1064)
    at java.desktop/java.awt.Component.processMouseEvent(Component.java:6632)
    at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3342)
    at java.desktop/java.awt.Component.processEvent(Component.java:6397)
    at java.desktop/java.awt.Container.processEvent(Container.java:2263)
    at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5008)
    at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2321)
    at java.desktop/java.awt.Component.dispatchEvent(Component.java:4840)
    at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4918)
    at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4547)
    at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4488)
    at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2307)
    at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2772)
    at java.desktop/java.awt.Component.dispatchEvent(Component.java:4840)
    at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:772)
    at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
    at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:95)
    at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:745)
    at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:743)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
    at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:742)
    at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
    at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
    at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
    at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
    at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
    at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

标签: javarsawss4j

解决方案

经过一番追踪之后..我设法为你找到了它。

这是我通过堆栈跟踪向后工作并查看源代码发现的:

从引发异常的地方开始at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:131)

public List<WSSecurityEngineResult> handleToken(Element elem, RequestData data, AlgorithmSuite algorithmSuite) {
    // ...
    if (WSConstants.KEYTRANSPORT_RSA15.equals(encryptedKeyTransportMethod)
        && !data.isAllowRSA15KeyTransportAlgorithm() // <=== because this is false, etc.
        && (algorithmSuite == null
          || !algorithmSuite.getKeyWrapAlgorithms().contains(WSConstants.KEYTRANSPORT_RSA15))) {
        LOG.debug(
            "The Key transport method does not match the requirement"
        );
        throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY); // <=== this is where you die
    }
    // ...
}

它死了,因为requestData没有allowRSA15KeyTransportAlgorithm设置为真。为什么不requestData将此设置为true,请求数据来自哪里。

at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:90) at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340) at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)

所有只是传递requestData在这个方法中创建的:

// line 208
public WSHandlerResult processSecurityHeader(
    Element securityHeader,
    String actor,
    CallbackHandler cb,
    Crypto sigVerCrypto,
    Crypto decCrypto
) throws WSSecurityException {
    RequestData data = new RequestData(); // creates RequestData but doesn't set `allowRSA15KeyTransportAlgorithm`
    data.setActor(actor);
    data.setWssConfig(getWssConfig());
    data.setDecCrypto(decCrypto);
    data.setSigVerCrypto(sigVerCrypto);
    data.setCallbackHandler(cb);
    return processSecurityHeader(securityHeader, data); // line 221
}

由以下方式调用:

public WSHandlerResult processSecurityHeader(
    Document doc,
    String actor,
    CallbackHandler cb,
    Crypto crypto
) throws WSSecurityException {
    return processSecurityHeader(doc, actor, cb, crypto, crypto);
}

你在你的inboundWSSConfig方法中调用它。

因此,因为您正在调用 processSecurityHeader(Document doc, String actor, CallbackHandler cb, Crypto crypto)它正在初始化一个 newRequestData并在其上设置CryptoandCallbackHandler但从不设置allowRSA15KeyTransportAlgorithm.

相反,您应该RequestData为自己创建对象,如下所示:

private void inboundWSSConfig(SOAPMessageContext context, Crypto crypto) throws WSSecurityException{

    log.info("Inbound Message...");

    KeystoreCallbackHandler keystoreCallbackHandler = new KeystoreCallbackHandler();
    keystoreCallbackHandler.addUsers((String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.alias"), 
    (String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.password"));

    WSSecurityEngine newEngine = new WSSecurityEngine();
    WSSConfig config = WSSConfig.getNewInstance();
    config.setValidator(WSConstants.SIGNATURE, new SignatureTrustValidator());
    newEngine.setWssConfig(config);

    RequestData data = new RequestData();
    data.setWssConfig(config); // probably
    data.setDecCrypto(crypto);
    data.setSigVerCrypto(crypto);
    data.setCallbackHandler(keystoreCallbackHandler);
    data.setAllowRSA15KeyTransportAlgorithm(true);

    newEngine.processSecurityHeader(context.getMessage().getSOAPPart(), data);
}

推荐阅读