我们需要创建一个WS客户端来与IRS进行交互。我们遵循IRS在其指南https://www.irs.gov/PUP/for_taxpros/software_developers/information_returns/AIR%20Submission%20Composition%20and%20Reference%20Guide%20TY2015.pdf
第31页中定义的步骤它看起来像WSS4J可以处理的标准WS-Security。但是当使用WS44J并点击IRS WS时,我们继续获得"无效的WS安全标头。请再试一次"
那么,有人可以告诉我,下面的WSS4J代码实际上是 (1) 计算元素的摘要ACABusinessHeader,ACATransmitterManifestReqDtl和Timestamp (2) 在SignedInfo元素 (3) 中收集这些引用元素,计算SignedInfo元素的摘要,签署该摘要并放置SignatureValue (4) 中的签名值将键控信息放在KeyInfo元素中:
public static SOAPMessage signSoapMessage(SOAPMessage message,
String keystorePassword, String irsPrivateKeyPassword,
char[] passphrase) throws WSSecurityException {
PrivateKeyEntry privateKeyEntry = getPrivateKeyEntry(keystorePassword,
irsPrivateKeyPassword);
PrivateKey signingKey = privateKeyEntry.getPrivateKey();
X509Certificate signingCert = (X509Certificate) privateKeyEntry
.getCertificate();
final String alias = "signingKey";
final int signatureValidityTime = 3600; // 1hour in seconds
WSSConfig config = new WSSConfig();
config.setWsiBSPCompliant(true);
WSSecSignature builder = new WSSecSignature(config);
builder.setX509Certificate(signingCert);
builder.setUserInfo(alias, new String(passphrase));
builder.setUseSingleCertificate(true);
builder.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
builder.setDigestAlgo(WSConstants.SHA1);
builder.setSignatureAlgorithm(WSConstants.RSA_SHA1);
builder.setSigCanonicalization(WSConstants.C14N_EXCL_WITH_COMMENTS);
try {
Document document = toDocument(message);
WSSecHeader secHeader = new WSSecHeader();
//secHeader.setMustUnderstand(true);
secHeader.insertSecurityHeader(document);
WSSecTimestamp timestamp = new WSSecTimestamp();
timestamp.setTimeToLive(signatureValidityTime);
document = timestamp.build(document, secHeader);
List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
WSEncryptionPart timestampPart = new WSEncryptionPart("Timestamp",
WSConstants.WSU_NS, "");
WSEncryptionPart aCATransmitterManifestReqDtlPart = new WSEncryptionPart(
"ACATransmitterManifestReqDtl",
"urn:us:gov:treasury:irs:ext:aca:air:7.0", "");
WSEncryptionPart aCABusinessHeaderPart = new WSEncryptionPart(
"ACABusinessHeader",
"urn:us:gov:treasury:irs:msg:acabusinessheader", "");
parts.add(timestampPart);
parts.add(aCATransmitterManifestReqDtlPart);
parts.add(aCABusinessHeaderPart);
builder.setParts(parts);
Properties properties = new Properties();
properties.setProperty("org.apache.ws.security.crypto.provider",
"org.apache.ws.security.components.crypto.Merlin");
Crypto crypto = CryptoFactory.getInstance(properties);
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(null, passphrase);
keystore.setKeyEntry(alias, signingKey, passphrase,
new Certificate[] { signingCert });
((Merlin) crypto).setKeyStore(keystore);
crypto.loadCertificate(new ByteArrayInputStream(signingCert
.getEncoded()));
document = builder.build(document, crypto, secHeader);
updateSOAPMessage(document, message);
} catch (Exception e) {
// throw new
// WSSecurityException(WSSecurityException.Reason.SIGNING_ISSUE, e);
e.printStackTrace();
}
return message;
}
private static Document toDocument(SOAPMessage soapMsg)
throws TransformerConfigurationException, TransformerException,
SOAPException, IOException {
Source src = soapMsg.getSOAPPart().getContent();
TransformerFactory tf = TransformerFactory.newInstance();
Transformer transformer = tf.newTransformer();
DOMResult result = new DOMResult();
transformer.transform(src, result);
return (Document) result.getNode();
}
//https://svn.apache.org/repos/asf/webservices/wss4j/branches/WSS4J_1_1_0_FINAL/test/wssec/SOAPUtil.java
private static SOAPMessage updateSOAPMessage(Document doc,
SOAPMessage message)
throws Exception {
DOMSource domSource = new DOMSource(doc);
message.getSOAPPart().setContent(domSource);
return message;
}
这是我们的输出:
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:urn="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:urn1="urn:us:gov:treasury:irs:common"
xmlns:urn2="urn:us:gov:treasury:irs:msg:acabusinessheader" xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader"
xmlns:urn4="urn:us:gov:treasury:irs:msg:irsacabulkrequesttransmitter"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<S:Header>
<wsse:Security S:mustUnderstand="1">
<ds:Signature Id="SIG-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
PrefixList="wsse S ds oas urn urn1 urn2 urn3 urn4 wsse"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>nTyiWyyyQd+JQZvU2QPY1QnInd4=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#aCATransmitterManifestReqDtl">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
PrefixList="S ds oas urn urn1 urn2 urn3 urn4 wsse wsu"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>3pUoQp4S5sKXa6o9+MamJbji8vs=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#acabusinessheader">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="S ds oas urn urn1 urn3 urn4 wsse"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>9SvmkYlD+ItpUctUaQZTH5pGXjc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>qgmh8LN8KwR0KZf508heS6whaM7ZGeW88dl/0awLYCd3lzle8THHUUstYKCaZJi6XF1DGJjDrIq81FEszUSp9Pa1akZ3r6rB8Oi2dOlgzHq6H+lYaHFVwYnMHHyFpEHRQJO36OaXKl25SILDHWxvrFRXf21NDnWszXKXnvvbSjrkzTTzWo4wRO2ftUQq2F69MPM3OsG981rmPWUd5z/KC5jVTsqELBtSM5L8ehOihXoJ0uNwdw1HZzh7xYXme6bXU++4w2I8x5vLjvnCcD1TIuNLvrK6HN414KylAEoxAUqAkWo69GJyx/18soLFXVaLKbwAhQkplkaJwcWKoEiRaw==
</ds:SignatureValue>
<ds:KeyInfo Id="KI-4E5E7B5A7DFD75103414509160809772">
<wsse:SecurityTokenReference wsu:Id="STR-4E5E7B5A7DFD75103414509160809783">
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">removed
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2015-12-24T00:14:40.968Z</wsu:Created>
<wsu:Expires>2015-12-24T01:14:40.968Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<ACATransmitterManifestReqDtl
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ns3:Id="aCATransmitterManifestReqDtl" xmlns="urn:us:gov:treasury:irs:ext:aca:air:7.0"
xmlns:ns2="urn:us:gov:treasury:irs:common">
<PaymentYr>2015</PaymentYr>
<PriorYearDataInd>0</PriorYearDataInd>
<ns2:EIN>blah</ns2:EIN>
<TransmissionTypeCd>O</TransmissionTypeCd>
<TestFileCd>T</TestFileCd>
<TransmitterNameGrp>
<BusinessNameLine1Txt>blah</BusinessNameLine1Txt>
<BusinessNameLine2Txt>blah</BusinessNameLine2Txt>
</TransmitterNameGrp>
<CompanyInformationGrp>
<CompanyNm>blah</CompanyNm>
<MailingAddressGrp>
<USAddressGrp>
<AddressLine1Txt>blah</AddressLine1Txt>
<AddressLine2Txt>3rd Floor</AddressLine2Txt>
<ns2:CityNm>blah</ns2:CityNm>
<USStateCd>CA</USStateCd>
<ns2:USZIPCd>12345</ns2:USZIPCd>
<ns2:USZIPExtensionCd>1234</ns2:USZIPExtensionCd>
</USAddressGrp>
</MailingAddressGrp>
<ContactNameGrp>
<PersonFirstNm>blah</PersonFirstNm>
<PersonMiddleNm>X</PersonMiddleNm>
<PersonLastNm>blah</PersonLastNm>
<SuffixNm />
</ContactNameGrp>
<ContactPhoneNum>1231231234</ContactPhoneNum>
</CompanyInformationGrp>
<VendorInformationGrp>
<VendorCd>I</VendorCd>
<ContactNameGrp>
<PersonFirstNm>blah</PersonFirstNm>
<PersonMiddleNm>X</PersonMiddleNm>
<PersonLastNm>blah</PersonLastNm>
<SuffixNm />
</ContactNameGrp>
<ContactPhoneNum>5556651212</ContactPhoneNum>
</VendorInformationGrp>
<TotalPayeeRecordCnt>1000</TotalPayeeRecordCnt>
<TotalPayerRecordCnt>1</TotalPayerRecordCnt>
<SoftwareId>blah</SoftwareId>
<FormTypeCd>1094/1095B</FormTypeCd>
<ns2:BinaryFormatCd>application/xml</ns2:BinaryFormatCd>
<ns2:ChecksumAugmentationNum>04ff9f93f9b797ae51ea2ac8bf9c24d2
</ns2:ChecksumAugmentationNum>
<ns2:AttachmentByteSizeNum>237018</ns2:AttachmentByteSizeNum>
<DocumentSystemFileNm>1000_form1094BUpstreamDetailType.xml
</DocumentSystemFileNm>
</ACATransmitterManifestReqDtl>
<urn2:ACABusinessHeader wsu:Id="acabusinessheader">
<urn:UniqueTransmissionId>1</urn:UniqueTransmissionId>
<urn1:Timestamp>2015-12-24T00:19:40.826Z</urn1:Timestamp>
</urn2:ACABusinessHeader>
</S:Header>
<S:Body>
<ns8:ACABulkRequestTransmitter xmlns="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:ns4="urn:us:gov:treasury:irs:common" xmlns:ns5="urn:us:gov:treasury:irs:ext:aca:air:7.0"
xmlns:ns6="urn:us:gov:treasury:irs:msg:acabusinessheader" xmlns:ns7="urn:us:gov:treasury:irs:msg:acasecurityheader"
xmlns:ns8="urn:us:gov:treasury:irs:msg:irsacabulkrequesttransmitter">
<ns4:BulkExchangeFile>H4sIAAAAA</ns4:BulkExchangeFile>
</ns8:ACABulkRequestTransmitter>
</S:Body>
编辑这是改进的Java代码,它可以绕过臭名昭着的无效WS安全标头。请再试一次。&#34;信息。我们的堆栈是Apache CXF 3.1.4和WSS4J 2.1.4
https://stackoverflow.com/a/34959348/3724142
请参阅以上链接了解最新资讯