java - 将 X509 证书标签值转换为数字签名 cxf wss4j 中的 base64 二进制编码
问题描述
我使用CXF 3.0.1进行肥皂实现和数字签名,我使用了 wss4j-WS-security-common 3.0.1和CXF-rt-WS-security 3.0.1。通过在非弹簧设置中添加 outinterceptor 以及 crypto.merlin 属性,我进行了数字签名。现在根据获得的输出,我的 Web 服务提供商要求X509Data标记的BASE64二进制值。总结一下,我想替换这个:
<ds:KeyInfo Id="...">
<wsse:SecurityTokenReference wsu:Id="...">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>C=...,O=...,CN=....</ds:X509IssuerName>
<ds:X509SerialNumber>70391139840......</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
有了这个:
<KeyInfo>
<X509Data>
<X509Certificate>MIIE4zCCA8ugAwIBAgI...</X509Certificate>
</X509Data>
</KeyInfo>
我目前的完整输出是:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="true">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="SIG-0ce2ba1e-9382-4b99-918f-40fe35c0bcd6">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id-f2a96bde-6b41-4283-9fcd-703eca4fd795">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>nIHemuhLTu4c/drCPaK1is/.....</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
R3Of2Bf60qeSHFyUf5Op7TCGIwJWnhuyHWTNUxNRNLzye6Qi0YeVXTwb0WF9Nesizs16Y...
</ds:SignatureValue>
<ds:KeyInfo Id="KI-38c8124d-967f-4075-99c3-dca94b7d15e9">
<wsse:SecurityTokenReference wsu:Id="STR-9defa6fa-794a-40a3-a57d-2bb1335cbfb6">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>C=...,O=...,CN=....</ds:X509IssuerName>
<ds:X509SerialNumber>70391139840......</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
</soap:Envelope>
我想要显示的输出:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<AuthHeader xmlns="http://tempuri.org/">
<UserName>*</UserName>
<Password>*</Password>
</AuthHeader>
</soap:Header>
<soap:Body>
...
</soap:Body>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>yPt/HXyJyVi1GFFoBb52sTwpaQscONr6QQ2wW....</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>u+XmtuZRW1pqfnIaExnheNGMgg...</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIE4zCCA8ugAwIBAgI...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</soap:Envelope>
这是我的 Java 客户端代码:
org.apache.cxf.endpoint.Client client =ClientProxy.getClient(ServicesSoap);
client.getOutInterceptors().add(new SAAJOutInterceptor());
org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();
Map<String,Object> outProps = new HashMap<String,Object>();
WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
cxfEndpoint.getOutInterceptors().add(wssOut);
outProps.put(WSHandlerConstants.ACTION, "Signature");
outProps.put(WSHandlerConstants.USER, "1");
outProps.put(WSHandlerConstants.SIG_PROP_FILE,"crypto.properties");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
ClientPasswordCallback.class.getName());
outProps.put(WSHandlerConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256");
outProps.put(WSHandlerConstants.MUST_UNDERSTAND, "true");
outProps.put(WSHandlerConstants.SIG_ALGO, "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
outProps.put(WSHandlerConstants.USE_SINGLE_CERTIFICATE, "false");
outProps.put("SecurityToken", "wsse:Base64Binary");
加密属性:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=JKS
org.apache.ws.security.crypto.merlin.file=/home/...
org.apache.ws.security.crypto.merlin.keystore.alias=1
org.apache.ws.security.crypto.merlin.keystore.password=...
解决方案
我已经搜索了很多关于这个问题的信息。解决此问题的两种方法是使用 Apache CXF-SAML,如果您想使用 wss4j,您可以使用您告诉他们的标签名称将您的请求发送给授权您的证书的人。
推荐阅读
- django - 如何在Django rest框架中嵌套抽象关系?
- regex - 如何在 PowerShell 中使用带有正则表达式的条件语句?
- embedded-linux - 嵌入式 Linux 的启动卡住了。如何调试?
- android - 如何获取文档 ID?Firestore 分页
- java - -129 != -129 在 Java 整数集合(集合
) - python - 使用其列转换 DataFrame
- php - add_shortcode(); php 是预定义的还是只有 WordPress 功能?
- jekyll - 什么 Jekyll 语法来过滤 Front Matter 中的键:值对?
- loops - Mips,连续的用户输入
- php - 传递给 Darryldecode\Cart\Cart::Darryldecode\Cart\{closure}() 的参数 1 必须是 Darryldecode\Cart\CartCondition 的实例