如何使用CXF / JAXWS验证XML签名?

时间:2014-10-27 05:21:11

标签: cxf jax-ws x509certificate xml-signature wsse

我真的很难找到可以使用cxf验证xml签名的教程。

我有一个签名的xml请求,如下所示:(注意:签名值,摘要值和X509证书是虚拟值)

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ns="http://namespaces.gsma.org/esim-messaging/1">
    <soap:Header/>
    <soap:Body>
        <ns:Request>
            <ns:ParentNode>
                <ns:TobeSignedInfo>
                    <ns:id>010203</ns:id>
                    <ns:oid>1.3.6.1.4.1.31746</ns:oid>
                </ns:TobeSignedInfo>
                <ns:SampleAdditionalProperties>
                    <ns:Property key="myProperty" value="aValue"/>
                </ns:SampleAdditionalProperties>
                <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <ds:Reference URI="">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                            <ds:DigestValue>rE7suDc1EdUOJx6auQsTp8kGfZEe+pq2zaDvsKDMc/A=</ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>
                        NXwOjw6ZT3NJRGqOluY8lF5/dkrTE89OjgB3z+kI4qmnTka0/hU6y9uihiRsrP+BZAMowhbwnPfy
                        ThEmTvMr0GGVB/w2pp0635Y8R672KNxZf2j48yFuz6ksyC5eBXVRAEswAt9lRh2ikcC9sULzLnSr
                        eA6rHNWiEm5v8OH708uZ/GWq4NlxQc8oLkrR634OY53ghPr2K+84vN99yxtGzYDHlTEFFJAyTqif
                        aUjYEQqcszKcbvf/XvriNcjHlk3kM8AwaQMePngxJatY3rlYWbykZhmwdqBgWrknRkjr5GAWVPEU
                        Q3aRlfbRYi66LV0UeGrzkinV2z5pwmBNxqc9GNnWMsvq0sWyF0BLSDY7yIz4HZVaeySytmZC21fI
                        PktCIfv+NRmOtFznkg3utX27Iwmc4kYGfeBXxmPMLOIkhf3dItOtV/8KNA4jW5dJNxnOEXiVXEV+
                        FJZbeAIet4wBvAfQb6QXcrfuwBp2kCmoYtmObH5Y+AgEf5KxPiGb1kLX
                      </ds:SignatureValue>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>
                                MIIExDCCAywCCQC0bmU6MB8PuTANBgkqhkiG9w0BAQUFADCBozELMAkGA1UEBhMCUEgxEDAOBgNV
                                BAgTB0J1ZW5kaWExDzANBgNVBAcTBk1ha2F0aTEeMBwGA1UEChMVT2JlcnRodXIgVGVjaG5vbG9n
                                aWVzMSEwHwYDVQQLExhSZXNlYXJjaCBhbmQgRGV2ZWxvcG1lbnQxCzAJBgNVBAMTAk9UMSEwHwYJ
                                KoZIhvcNAQkBFhJlbWFpbEBvYmVydGh1ci5jb20wHhcNMTQxMDI1MDgzMzE5WhcNMTUxMDI1MDgz
                                MzE5WjCBozELMAkGA1UEBhMCUEgxEDAOBgNVBAgTB0J1ZW5kaWExDzANBgNVBAcTBk1ha2F0aTEe
                                MBwGA1UEChMVT2JlcnRodXIgVGVjaG5vbG9naWVzMSEwHwYDVQQLExhSZXNlYXJjaCBhbmQgRGV2
                                ZWxvcG1lbnQxCzAJBgNVBAMTAk9UMSEwHwYJKoZIhvcNAQkBFhJlbWFpbEBvYmVydGh1ci5jb20w
                                ggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDEaJeQaBruoMMG5LEdLc6D4aQq/4IXc6tk
                                kbEyO+2o3Ey3dU/WFSS7DNy86DKPWTG0VKinpFinwic+Be+A36K/eei8wyyv2YuhI1UuKWPsvmkV
                                mb/klra899jKvid1Jd0oMG8ViQGkpveYdoAfg5IR9k2NSgV1cn3ab26CmwwIpbDuPcMhW0bEXxG+
                                El67hrLQqpDjIuWRpbxs5prBdG4V79NrR6Pu1goLq9FmHsmKujPAu1gSnNmx61rab8zzVcEG19Fd
                                huG7ysilzDSeo2YTKs7Lzwp4Zu94T+IJYHYrV4iiB4jVLO7IQCUKB3T4y+9VYHI1fhasRGB1t8eR
                                CScsKg8IvtMMwjvKv4XK0EdBaLADzvpRVGAiV1hlo3sJ+D+tr/gkJ/ElVjC/90gIVxESwg5XQtPG
                                kQImde6GDZquEcT5URyvkq/WuMu+3J4NUSMpHDXeel2R8UkiSXs5ONxRyT3Ai3IjXUFhO9EGjFpe
                                eM1gqSYx3l6DyPSBF1rKHmkCAwEAATANBgkqhkiG9w0BAQUFAAOCAYEAaDkvLk/tzIMJA/3q2zJL
                                M+N5cPc+OVG8kPJK3aMInXciZRrY+uSyTflVaOpJJu038fN07kMzQePDyRJQENOZK0JsDz2bX1h5
                                6Z03b34/UdgFR5z3NC++iQNbBFaXjsfcAo45UgEgn7wPdqXQ8bdViHakmCMG43vPzLgp2ZSK0GMt
                                Pt1Q2qnbWz04Gkjog284RZZ4mpxSA3g8sVypoDTjw3HJhNRCPjq+tTXkOqWK4nNJH5tbwqq9uUjJ
                                6nTISN5WJ3OIvdLejPNmjMBBcaGVmFkGIBqlfyMZ+SuJiqMJfW/Ccqf640U3tyZDJNeTxMmaqerE
                                mnihf+sIdPf2RfwbdBPiHdLmmU65yi89b6Bz
                              </ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                </ds:Signature>
            </ns:ParentNode>
        </ns:Request>
    </soap:Body>
</soap:Envelope>

如何使用cxf验证签名?我看到了WSPolicy和WSS4JInterceptors的实现,它认为它不适合这种情况,因为请求没有<wsse:Security>标记。任何想法都非常受欢迎..提前致谢

1 个答案:

答案 0 :(得分:0)

WS-Security标准要求XML签名必须位于请求的安全头中(而不是根据您的示例在SOAP Body中)。因此,最好的办法是获取SOAP Body(例如在SOAP Handler中),并使用Apache Santuario API自行验证签名。以下是一些示例代码,向您展示如何执行后者:

https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-signature/src/test/java/org/apache/coheigea/santuario/xmlsignature/SignatureDOMTest.java

科尔姆。