Signing with Apache Rampart using a JKS keystore and the Binary Security Token key identifier

Date: 2013-04-30 03:10:06

Tags: java signature ws-security rampart

I have to call a web service provided by a customer (which is why some of the information below is masked). I have been given a Java keystore containing the private key I need to use to generate the signature that goes into the WS-Security header of my request.

In addition, I have been sent a working SoapUI project that calls this service with the appropriate security configuration. The outgoing security configuration in SoapUI has the "Key Identifier Type" set to "Binary Security Token".

I am trying to set this call up in my Java application using Apache Rampart. I noticed that there is no equivalent "Binary Security Token" key identifier in the OutflowSecurity configuration, so I am trying the following. Here is the relevant snippet from my axis2.xml file:

<module ref="rampart" />
<parameter name="OutflowSecurity">
    <action>
        <items>Signature</items>
        <user>*******</user>
        <passwordCallbackClass>*******.PWCBHandler</passwordCallbackClass>
        <signaturePropFile>crypto.properties</signaturePropFile>
        <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
    </action>
</parameter>

Here are the contents of my crypto.properties file:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.file=C:/rampart/*****.jks
org.apache.ws.security.crypto.merlin.keystore.alias=******
org.apache.ws.security.crypto.merlin.alias.password=**********
org.apache.ws.security.crypto.merlin.keystore.password=********* (same as above)

The problem is that when I try to execute the service with this configuration, I get the following error:

org.apache.axis2.AxisFault: Error during Signature: 
at org.apache.rampart.handler.WSDoAllSender.processMessage(WSDoAllSender.java:75)
at org.apache.rampart.handler.WSDoAllHandler.invoke(WSDoAllHandler.java:72)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:427)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:406)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
... (removed)
Caused by: org.apache.ws.security.WSSecurityException: Error during Signature: 
at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:64)
at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:202)
at org.apache.rampart.handler.WSDoAllSender.processBasic(WSDoAllSender.java:212)
at org.apache.rampart.handler.WSDoAllSender.processMessage(WSDoAllSender.java:72)
... 13 more
Caused by: org.apache.ws.security.WSSecurityException: Signature creation failed
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:558)
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:478)
at org.apache.ws.security.message.WSSecSignature.build(WSSecSignature.java:384)
at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:61)
... 16 more
Caused by: org.apache.ws.security.WSSecurityException: General security error (The private key for the supplied alias does not exist in the keystore)
at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:725)
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:501)
... 19 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(Unknown Source)
at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(Unknown Source)
at java.security.KeyStore.getKey(Unknown Source)
at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:711)
... 20 more

I have tried all the different signatureKeyIdentifier options without any luck. Can anyone help me work out where to go from here to debug this?

Thanks!

3 answers:

Answer 0 (score: 2)

I am not sure about your overall configuration, but the obvious problem is that the alias you are using to load the key from the keystore is invalid. Perhaps you are using the alias of some public key rather than the private one? When no alias is provided, Rampart uses the user as the key alias, so I would make sure the user property in the service configuration and the alias are set to the same value.

You can check which one to use by listing the keystore contents with keytool from the JDK:

JDK/bin/keytool -list -keystore path/to/keystore

which should print something like:

alias1, 13-May-2013, trustedCertEntry, (public key only, used to verify signature)
Certificate fingerprint (SHA1): *****
alias2, 13-May-2013, PrivateKeyEntry, (private/public key pair, used to sign messages)
Certificate fingerprint (SHA1): *****
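The keytool listing above tells you the entry type but not whether the key password you are about to hand to Rampart actually opens the key. The following added diagnostic (not code from the question, the answers, or Rampart) goes through the same steps that WSS4J's Merlin crypto provider performs when it loads the private key, so that a wrong alias, a trustedCertEntry alias, or a wrong key password is reported by name instead of surfacing as "Error during Signature". The keystore path, alias and passwords are command-line placeholders, not values from the page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added diagnostic, not part of the original question or answers.
 *
 * Assumed usage (all four arguments are placeholders supplied by the caller):
 *   java KeystoreCheck C:/rampart/client.jks <storePassword> <alias> <keyPassword>
 *
 * Step 3 is the same KeyStore.getKey() call that threw
 * "UnrecoverableKeyException: Cannot recover key" in the stack trace.
 */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeystoreCheck <keystore.jks> <storePass> <alias> <keyPass>");
            System.exit(2);
        }
        String file = args[0];
        char[] storePass = args[1].toCharArray();
        String alias = args[2];
        char[] keyPass = args[3].toCharArray();

        // 1. Open the JKS. A wrong *store* password fails here with an IOException,
        //    which is a different symptom from the "Cannot recover key" in the question.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePass);
        }

        // 2. List every alias with its entry type, the same information keytool -list shows.
        //    Only a PrivateKeyEntry can be used to sign; a trustedCertEntry holds a public key only.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            String type = ks.isKeyEntry(a) ? "PrivateKeyEntry (can sign)" : "trustedCertEntry (public key only)";
            System.out.println(a + " : " + type);
        }

        // Rampart resolves the signing key by alias: the <user> value, unless
        // org.apache.ws.security.crypto.merlin.keystore.alias overrides it.
        if (!ks.containsAlias(alias)) {
            System.out.println("FAIL: alias '" + alias + "' does not exist in the keystore");
            System.exit(1);
        }
        if (!ks.isKeyEntry(alias)) {
            System.out.println("FAIL: alias '" + alias + "' is a trustedCertEntry; there is no private key to sign with");
            System.exit(1);
        }

        // 3. Recover the private key with the password the callback handler would return.
        try {
            Key key = ks.getKey(alias, keyPass);
            if (!(key instanceof PrivateKey)) {
                System.out.println("FAIL: entry for '" + alias + "' is not a private key: " + key.getClass().getName());
                System.exit(1);
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println("OK: " + key.getAlgorithm() + " private key recovered for '" + alias
                    + "'; certificate subject: " + cert.getSubjectX500Principal());
        } catch (UnrecoverableKeyException ex) {
            // This is the root cause shown in the question's trace: the alias exists and is a
            // key entry, but the key password handed in does not match.
            System.out.println("FAIL: key password for alias '" + alias + "' is wrong (Cannot recover key)");
            System.exit(1);
        }
    }
}
```

Run it with the same keystore, alias and key password that your OutflowSecurity user and password callback handler supply. If step 3 prints the "key password ... is wrong" line, the problem is in the callback handler rather than in the key identifier setting.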

Answer 1 (score: 1)

Questions:
1. Do we need any configuration other than the policy file?
2. If so, where do we need to add it?
3. Could you check whether the policy file is suitable for Binary Security Token?


        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:user>***</ramp:user>
            <ramp:passwordCallbackClass>com.sosnoski.ws.library.adb.PWCBHandler</ramp:passwordCallbackClass>

            <ramp:signatureCrypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.file">com/sosnoski/ws/library/adb/***.jks</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">******</ramp:property>
                </ramp:crypto>
            </ramp:signatureCrypto>
        </ramp:RampartConfig>
    </wsp:All>
</wsp:ExactlyOne>

Answer 2 (score: 0)

Fixed. The username in my password callback handler was wrong, so it could not find the password used to access the key. Thanks for your help, and sorry for the late reply; I had posted this earlier as a comment on the original question.
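The fix above is a mismatch between the alias WSS4J asks for and the alias the callback handler recognises. As an added example (not the asker's PWCBHandler, whose contents are not on the page), this is a minimal Rampart/WSS4J password callback handler that compares the callback identifier against the signing alias and fails loudly when they differ, instead of silently returning nothing and letting the failure reappear later as "Cannot recover key". The alias, the password source and the class name are assumptions for illustration.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Added example handler, not the one from the question.
 *
 * For the Signature action WSS4J invokes this handler with a WSPasswordCallback
 * whose identifier is the alias it is about to load (the OutflowSecurity <user>
 * or ramp:user value) and whose usage is WSPasswordCallback.SIGNATURE. The handler
 * must set the password that unlocks that private key in the JKS; if it sets the
 * wrong one, KeyStore.getKey() throws "Cannot recover key", as in the question.
 */
public class PWCBHandler implements CallbackHandler {

    // Placeholder alias: must be identical to <user> / ramp:user in the Rampart config.
    private static final String SIGNING_ALIAS = "client-sign";

    // Placeholder password source. Read the key password from a protected location
    // (system property, secret store, restricted config file) rather than hard-coding it.
    private static final String SIGNING_KEY_PASSWORD = System.getProperty("client.keypass");

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;
            String id = pwcb.getIdentifier();

            switch (pwcb.getUsage()) {
                case WSPasswordCallback.SIGNATURE: // private key needed for signing
                case WSPasswordCallback.DECRYPT:   // private key needed for decryption
                    if (!SIGNING_ALIAS.equals(id)) {
                        // This is exactly the mismatch the asker hit: WSS4J asked for an alias
                        // the handler did not know. Name it rather than returning no password.
                        throw new IOException("No key password configured for alias '" + id
                                + "' (handler knows only '" + SIGNING_ALIAS + "')");
                    }
                    if (SIGNING_KEY_PASSWORD == null) {
                        throw new IOException("System property client.keypass is not set");
                    }
                    pwcb.setPassword(SIGNING_KEY_PASSWORD);
                    break;
                default:
                    throw new UnsupportedCallbackException(callback,
                            "Unsupported WSPasswordCallback usage " + pwcb.getUsage());
            }
        }
    }
}
```

With this handler in place, a wrong <user> value surfaces as the IOException with both aliases in the message, and a wrong key password is the only thing left that can produce "Cannot recover key".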