我正处于使用wss4j签署SOAP文档的阵痛中。我希望我看起来像 fig.1 。但是,它会像 fig.2 一样出现。也就是说, fig.1 有一个,它指向文档的BinarySecurityToken。而 fig.2 有一个,它引用了用于签署文档的原始证书。
A)现在, BinarySecurityToken 是提供者端使用的二进制值,用于在其密钥库中找到相应的证书链(用于验证消息)。
B)我认为 SecurityTokenReference 用于引用包含应该用于验证签名的公钥的二进制安全令牌。所以看起来我的挑战是让 fig.2 中的指针看起来像 fig.1 。
这是对的吗?如果是这样,wss4j中的切换是什么呢?生成 fig.2 的代码位于 fig.3 (Clojure代码)中。到目前为止,我一直在挖掘wss4j源代码以供参考(ReferenceTest.java,SecurityTokenReferenceTest.java,SignatureTest.java)。
<wsse:SecurityTokenReference wsu:Id="STRId-A96305E32CE45DAB06139999212441542"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Reference URI="#CertId-A96305E32CE45DAB06139999212441540" <!-- this points to <wsse:BinarySecurityToken> -->
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
图1
<wsse:SecurityTokenReference wsu:Id="STR-f9837b22-c073-45d2-92d0-2df67e823b2e">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=*.***.com,O=<org>,L=<city>,ST=<state>,C=<country>
</ds:X509IssuerName>
<ds:X509SerialNumber><some-value>
</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
图2
(defn sign-soap [soap-string]
(let [
;; ===> pull in keystore & cerificate
ks (ks/keystore)
_ (ks/import-cert ks "server" (slurp "<mykeystore>"))
cert (.getCertificate ks "server")
keyEntry (.getEntry ks "server" nil)
;; ===> set Certificate on the signature object
builder (WSSecSignature.)
_ (.setX509Certificate builder cert)
;; ===> insert security header into the document
docu (soap/to-w3c-document soap-string)
secHeader (WSSecHeader.)
_ (.insertSecurityHeader secHeader docu)
;; ===>
crypto (CryptoFactory/getInstance)
bst (X509Security. docu)
cryptoType (CryptoType. org.apache.wss4j.common.crypto.CryptoType$TYPE/ALIAS)
_ (.setAlias cryptoType "mykey")
certs (.getX509Certificates crypto cryptoType)
_ (.setX509Certificate bst (first (seq certs)))
_ (WSSecurityUtil/prependChildElement
(.getSecurityHeader secHeader)
(.getElement bst))
;; ===>
timestamp (WSSecTimestamp.)
_ (.setTimeToLive timestamp 300)
createdDoc (.build timestamp docu secHeader)
;; ===>
encTimestamp (WSEncryptionPart. "Timestamp" WSConstants/WSU_NS "")
encBody (WSEncryptionPart. "Body" "http://schemas.xmlsoap.org/soap/envelope/" "")
parts (ArrayList.)
_ (.add parts encTimestamp)
_ (.add parts encBody)
_ (.setParts builder parts)
_ (.setUserInfo builder "myusername" "mypassword")
signedDoc (.build builder createdDoc crypto secHeader)
secHeaderElement (.getSecurityHeader secHeader)
timestampNode (.. secHeaderElement (getElementsByTagNameNS WSConstants/WSU_NS "Timestamp") (item 0))
_ (.setAttributeNS (cast Element timestampNode) WSConstants/XMLNS_NS "xmlns" WSConstants/WSU_NS)
wss (XMLUtils/PrettyDocumentToString signedDoc)]
wss))
图3
答案 0 :(得分:2)
好的,在相邻的SO问题WSS4j elements order during signing SOAP message中找到答案。
所以这个用户在问一个不同的问题时,有一个代码示例,它可以满足我的需要。特别是对builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE)的呼吁。我喜欢StackOverflow:)
builder.setX509Certificate(signingCert);
builder.setUserInfo(alias, new String(passphrase));
builder.setUseSingleCertificate(true);
builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
答案 1 :(得分:0)
使用wss4j AbstractWSS4JInterceptor的任何实现,可以使用以下任一方法将密钥标识符设置为直接引用:
this.setProperty(WSHandlerConstants.ENC_KEY_ID, "DirectReference");
this.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");