Signature verification failed, RSA signature not verified - IBM Datapower

Date: 2016-02-03 14:21:38

Tags: java web-services spring-security spring-ws ibm-datapower

I have implemented a web service client with Spring-WS, and the requirement is to digitally sign the SOAP messages and send the requests to an IBM DataPower server (a DataPower SOA appliance). However, the signed SOAP messages sent by the client are rejected by the server, which returns a SOAP Fault with the following error string: "Signature verification failed, RSA signature not verified".

The target IBM DataPower server is on the customer's side and I have no direct access to send SOAP requests to it in order to debug this properly. So I implemented a web service server stub with Spring-WS to test the signed SOAP request/response, and everything works fine in my test environment.

The customer confirmed that the keystore file and certificates are configured correctly on both the server and the client code I delivered to them, but the signature verification error persists in their environment.

However, if the very same SOAP message is signed in SoapUI with the same keystore file and certificate, the request is sent to the DataPower server successfully.

Can someone help me with this?

Maybe I am missing something needed to generate the signature correctly with Spring-WS.

Many thanks in advance!

Here is my Spring configuration:

    <context:annotation-config />
    <sws:annotation-driven />

    <!-- Server-stub side: static WSDL and schema validation of the test endpoint -->
    <sws:static-wsdl location="classpath:/META-INF/schema/InfoService.wsdl" />

    <sws:interceptors>
        <sws:payloadRoot namespaceUri="http://www.mycompany.com/getInformation">
            <bean id="payloadValidator" class="org.springframework.ws.soap.server.endpoint.interceptor.PayloadValidatingInterceptor">
                <property name="schema" value="classpath:/META-INF/schema/getInformation.xsd" />
                <property name="validateRequest" value="true" />
                <property name="validateResponse" value="true" />
            </bean>
        </sws:payloadRoot>
    </sws:interceptors>

    <oxm:jaxb2-marshaller id="marshaller" contextPath="com.mycompany.ws.entity" />

    <!-- SAAJ-backed message factory: the SOAP envelope is built and serialised by whichever
         SAAJ implementation the JVM resolves for javax.xml.soap.MessageFactory -->
    <bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory" />

    <!-- Client side: every request sent through this template passes the signing interceptor -->
    <bean id="webServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
        <constructor-arg ref="messageFactory" />
        <property name="marshaller" ref="marshaller" />
        <property name="unmarshaller" ref="marshaller" />
        <property name="defaultUri" value="http://localhost:8080/dummy-server-stub-ws/InfoService/" />
        <property name="interceptors">
            <list>
                <ref local="wsClientSecurityInterceptor" />
            </list>
        </property>
    </bean>

    <bean id="clientService" class="com.mycompany.service.impl.InformationServiceImpl" scope="prototype">
        <constructor-arg ref="webServiceTemplate" />
    </bean>

    <!-- Keystore holding the client's private signing key and its certificate -->
    <bean id="clientCrypto" class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
        <property name="keyStorePassword" value="${keystore.password}" />
        <property name="keyStoreLocation" value="file:${keystore.location}" />
    </bean>

    <!-- Truststore used to validate the signature on responses -->
    <bean id="clientTrustStore" class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
        <property name="keyStorePassword" value="${truststore.password}" />
        <property name="keyStoreLocation" value="file:${truststore.location}" />
    </bean>

    <bean id="wsClientSecurityInterceptor" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
        <!-- Securement (outgoing) config: sign the content of the SOAP Body only and carry the
             certificate in the header as a BinarySecurityToken (DirectReference) -->
        <property name="securementActions" value="Signature" />
        <property name="securementUsername" value="${keystore.alias}" />
        <property name="securementPassword" value="${keystore.password}" />
        <property name="securementSignatureCrypto" ref="clientCrypto" />
        <property name="securementSignatureParts" value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
        <property name="securementSignatureKeyIdentifier" value="DirectReference" />
        <!-- SHA-1 based algorithms as used in the original setup; rsa-sha256 / sha256 are the
             current recommended values wherever the receiver accepts them -->
        <property name="securementSignatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <property name="securementSignatureDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1" />

        <!-- Validation (incoming) config -->
        <property name="validationSignatureCrypto" ref="clientTrustStore" />
    </bean>

Here is the signed SOAP request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-66A2E10F325D0DBA1114508766873871">MIIF9zCCBN+gAwIBAgIUfrwjhMFDFIxEtBqRCk6jAzDVD3MwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAk5MMRIwEAYDVQQHEwlBbXN0ZXJkYW0xJTAjBgNVBAoTHFZlcml6b24gRW50ZXJwcmlzZSBTb2x1dGlvbnMxEzARBgNVBAsTCkN5YmVydHJ1c3QxNTAzBgNVBAMTLFZlcml6b24gUHVibGljIFN1cmVTZXJ2ZXIgRVYgU1NMIENBIEcxNC1TSEEyMB4XDTE1MDkwMTIyMTE1M1oXDTE3MDkwMTIyMTE1MFowgeoxGzAZBgNVBA8TElYxLjQsIENsYXVzZSA4LjUuMjETMBEGCysGAQQBgjc8AgECEwJOWTETMBEGCysGAQQBgjc8AgEDEwJVUzEPMA0GA1UEBRMGNzY3NjU1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTlkxETAPBgNVBAcTCE5ldyBZb3JrMT8wPQYDVQQKEzZBbWVyaWNhbiBFeHByZXNzIFRyYXZlbCBSZWxhdGVkIFNlcnZpY2VzIENvbXBhbnksIEluYy4xIjAgBgNVBAMTGVRlc3RQLkUxLlNpZ25pbmcuYWV4cC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCHR8MPZ6sijUp0DmCqhQVVS6qe986IgxQ8XyHIojPOnsS95hPPqGzHUKmQAUw4p0b9qo5XkGbBplFeZOdi8KpIgSwXtSnu9vPvVwk8TXbvjmbYkMWBzkaMo6R0sEogHMy5FqQjtpm1m3Tk8z0tMMmGGcR2hgScZbhlMgCLJjCwGQPMsj/I3obiS3hR8W1vuh6muAe3iSkNq0KCQ9bNUcGkQVm7CnSrvzD1JFCcPJRNjWjeiZFrWzZnJvmZKKeat+r4mzTCFXM7oO2waYzbv8KO+73GPkL9wacD9xG/6lVEyRcHTOtu95QehBjVO8Qf4tHNxS52wCj/Lt1iiAIJNCh3AgMBAAGjggHnMIIB4zAMBgNVHRMBAf8EAjAAME0GA1UdIARGMEQwQgYKKwYBBAGxPgFkATA0MDIGCCsGAQUFBwIBFiZodHRwczovL3NlY3VyZS5vbW5pcm9vdC5jb20vcmVwb3NpdG9yeTCBrAYIKwYBBQUHAQEEgZ8wgZwwLgYIKwYBBQUHMAGGImh0dHA6Ly92Y3NzZXYxNDIub2NzcC5vbW5pcm9vdC5jb20wNAYIKwYBBQUHMAKGKGh0dHA6Ly9jYWNlcnQub21uaXJvb3QuY29tL3Zjc3NldjE0Mi5jcnQwNAYIKwYBBQUHMAKGKGh0dHA6Ly9jYWNlcnQub21uaXJvb3QuY29tL3Zjc3NldjE0Mi5kZXIwJAYDVR0RBB0wG4IZVGVzdFAuRTEuU2lnbmluZy5hZXhwLmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFNuNZOu5Tpln3H1rRTPW6uY6u53sMEAGA1UdHwQ5MDcwNaAzoDGGL2h0dHA6Ly92Y3NzZXYxNDIuY3JsLm9tbmlyb290LmNvbS92Y3NzZXYxNDIuY3JsMB0GA1UdDgQWBBQXsxcB/JPuf1P0k9D6WvDgo6L01jANBgkqhkiG9w0BAQsFAAOCAQEACKNQTAcrPTA6J
pPSAkHbmK9wzSWRZ584L1JfXLteAf0y2ehXkq3CExVghx1GOSyNV2iNTz2st/Qy0Lim1GnB6jalnh1Tf6WUJnUHj5f5sgK7X70yrBoLdlRG68mpkBI0SJaq5GmOlkzs/GDE0vRR0RVPTup9M31rvMnLyXgmweJVVEG0A4j/hemrJakLHHGDQSjOeEYjkI7B4aBZXbZkOtaVdXg2bRlt/eyX8tnZDQRNRu2RLerfqhITuKNdTyb0cG3fmf0JEw0+iYHiVgUo7SH3JnCf59ZmT52opmX2bMiMhXWgZCalFizXtKDm3lh0tTcHir9aJdulUHhcEMWZYQ==</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc soapenv xsd xsi"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc xsd xsi"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>FJJvHvb8RcXnlzZWpTgDZkz+CxA=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>RR9EWs+m1Oo/kAwFWbEdRVtPzN+t7k5MDQF9BTCrIYVL0vbPH7W6B5yuzxFWvlBruL/JEx+3Gxa9iLI6GfmdmHD/NYIc2g01JH8kalbSP/D+F5RkdxNNRHOmLlddUOUfm4DC5QTeF8XMKNDaVEqTBg7hWyd3rFZyNC+nQY+J8jkByuMlqenXwMofxCf1yeP7dg+3U6TbV5dwe3qLUbfWxH1j3mwPhY6PICRFmBOPYRWmN9k57fCqvS5ar9/RYI+BZ6gSdkChx9WsmqI7jmnK/Jk7oBJOMDJSyiOjceKKAc8ZQ6ezo+7dR6UAojiHZEu27822gX70MxUgXW2jJnHCXw==</ds:SignatureValue>
        <ds:KeyInfo Id="KI-66A2E10F325D0DBA1114508766873942">
          <wsse:SecurityTokenReference wsu:Id="STR-66A2E10F325D0DBA1114508766873963">
            <wsse:Reference URI="#X509-66A2E10F325D0DBA1114508766873871" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <tns:TrackingHdr xmlns:tns="http://www.mycompany.com/ServiceHeader">
      <tns:RequestorInfo>
        <tns:MsgPostTime>2015-12-23 06:18:07.101</tns:MsgPostTime>
        <tns:MessageID>74f5448e4d354ba6918913a01c86d6927e4ed739664c4151</tns:MessageID>
        <tns:CorrelationMessageID>111111</tns:CorrelationMessageID>
      </tns:RequestorInfo>
    </tns:TrackingHdr>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-1">
    <ns5:getInformation xmlns:ns5="http://www.mycompany.com/getInformation">
        <ns5:Request>
            <ns5:GetInformationReqGrp>
                <ns5:RequestID>Request-000000</ns5:RequestID>
                <ns5:UserId>User1A</ns5:UserId>
                <ns5:InputElements>13</ns5:InputElements>
                <ns5:CommandRequest>5</ns5:CommandRequest>
                <ns5:Input>
                    <ns5:InputItem>
                      <ns5:Name>AAA_BBB</ns5:Name>
                      <ns5:Value>001</ns5:Value>
                    </ns5:InputItem>
                </ns5:Input>

                ...

            </ns5:GetInformationReqGrp>
        </ns5:Request>
    </ns5:getInformation>
  </soapenv:Body>
</soapenv:Envelope>

2 Answers:

Answer 0 (score: 0)

There are many issues that can make the validation fail, and without access to the detailed DataPower logs and testing different combinations it cannot be debugged. Off the top of my head, different problems I have run into in the past:

  • Bugs in the canonicalization code (not in DataPower but on the other end)
  • Misconfigured certificate setup
  • Wrong timestamps
  • Different configuration of the signature algorithm
  • Different configuration of the key encoding (whether included or referenced)
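
The check the asker could not run against the customer's DataPower, and the one that tells the causes in the list above apart, is verifying the captured request offline with an independent XML-DSig implementation. What follows is an added example and not code from the question or from either answer: it uses the JDK's built-in JSR-105 API (javax.xml.crypto.dsig) instead of Spring-WS/WSS4J, reads the signed request from the file named by its first argument (assumed to be a byte-exact wire capture, for example from a proxy, since re-serialising the message can change the signed bytes), takes the verification key from the wsse:BinarySecurityToken that the signature's SecurityTokenReference points at, and reports the SignatureValue check separately from each Reference digest. The class and method names are mine. Because the captured request uses rsa-sha1 and sha1, the example switches off the JDK's secure-validation mode for this one diagnostic; current JDKs reject SHA-1 XML signatures by default, and a production receiver should require rsa-sha256. The example does not chain the token certificate to a trust anchor; DataPower does that separately against its validation credentials.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Offline check of a WS-Security X.509 signature (BinarySecurityToken + DirectReference). Hypothetical helper, not the page's code. */
public class WsSecSignatureCheck {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS   = "http://www.w3.org/2000/09/xmldsig#";

    public static void main(String[] args) throws Exception {
        // args[0]: the signed request exactly as captured on the wire (assumption: a byte-exact capture)
        byte[] wire = Files.readAllBytes(Paths.get(args[0]));
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD / XXE while parsing
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(wire));

        // ds:Reference URI="#id-1" and the STR URI="#X509-..." point at wsu:Id attributes. JSR-105 resolves
        // same-document URIs only through DOM ID attributes, so mark every wsu:Id as an ID first.
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU, "Id")) e.setIdAttributeNS(WSU, "Id", true);
        }

        NodeList sigs = doc.getElementsByTagNameNS(DS, "Signature");
        if (sigs.getLength() != 1) throw new IllegalStateException("expected one ds:Signature, found " + sigs.getLength());

        DOMValidateContext ctx = new DOMValidateContext(new BstKeySelector(doc), sigs.item(0));
        // The captured message uses rsa-sha1/sha1. Current JDKs reject SHA-1 XML signatures in secure-validation
        // mode; switch it off only for this offline diagnostic, never in a production verifier.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);

        boolean valid = sig.validate(ctx);
        // Split the failure: a bad digest means the signed Body bytes changed after the digest was computed;
        // a bad SignatureValue (DataPower's "RSA signature not verified") means SignedInfo was canonicalised
        // differently or the key does not match the token.
        System.out.println("SignatureValue (RSA over SignedInfo): " + (sig.getSignatureValue().validate(ctx) ? "OK" : "FAILED"));
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference r = (Reference) o;
            System.out.println("Reference " + r.getURI() + " digest: " + (r.validate(ctx) ? "OK" : "FAILED"));
        }
        System.out.println(valid ? "signature valid" : "signature INVALID");
        System.exit(valid ? 0 : 1);
    }

    /** Resolves KeyInfo/wsse:SecurityTokenReference/wsse:Reference/@URI to the BinarySecurityToken and uses its public key. */
    static final class BstKeySelector extends KeySelector {
        private final Document doc;
        BstKeySelector(Document doc) { this.doc = doc; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method, XMLCryptoContext ctx)
                throws KeySelectorException {
            try {
                Node str = ((DOMStructure) keyInfo.getContent().get(0)).getNode();   // wsse:SecurityTokenReference
                Element ref = (Element) ((Element) str).getElementsByTagNameNS(WSSE, "Reference").item(0);
                String uri = ref.getAttribute("URI");
                if (!uri.startsWith("#")) throw new KeySelectorException("only same-document token references are handled: " + uri);
                Element bst = doc.getElementById(uri.substring(1));
                if (bst == null || !WSSE.equals(bst.getNamespaceURI()) || !"BinarySecurityToken".equals(bst.getLocalName()))
                    throw new KeySelectorException("STR does not point at a wsse:BinarySecurityToken: " + uri);
                byte[] der = Base64.getMimeDecoder().decode(bst.getTextContent());   // MIME decoder tolerates line wrapping
                X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(der));
                PublicKey key = cert.getPublicKey();
                if (!method.getAlgorithm().contains("rsa") || !"RSA".equals(key.getAlgorithm()))
                    throw new KeySelectorException("SignatureMethod " + method.getAlgorithm() + " does not match key " + key.getAlgorithm());
                System.out.println("verifying with token certificate: " + cert.getSubjectX500Principal());
                return () -> key;
            } catch (KeySelectorException e) {
                throw e;
            } catch (Exception e) {
                throw new KeySelectorException(e);
            }
        }
    }
}
```

Run it once against a request captured from the real client deployment and once against the SoapUI request that DataPower accepts. Passing digests with a failing SignatureValue point at SignedInfo canonicalisation or at a token that does not match the signing key; a failing digest means the Body bytes on the wire are not the bytes that were digested, which is what happens when the message is re-serialised after signing. A result that verifies here but still fails at DataPower leaves only receiver-side configuration (trusted certificates, accepted algorithms, timestamps) to investigate.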

Answer 1 (score: 0)

After a lot of research and troubleshooting, I managed to solve the problem by adding some Java Virtual Machine custom properties on WebSphere 7.

By default, WebSphere ignores all the libraries a deployed application uses to implement web services and overrides them with its own internal web services libraries/engine. In my case the problem mainly involved the SAAJ library (SOAP with Attachments API for Java).

I am answering my own question because it may be useful to others solving a similar problem.

Here is the procedure:

  1. Log in to the WebSphere Console
  2. Click Servers -> Server Types -> WebSphere application servers -> [server name] -> Java and Process Management -> Process definition -> Java Virtual Machine -> Custom properties -> New
  3. Add the following five entries, then restart WebSphere:

         Name                                                  Value

         com.ibm.websphere.webservices.DisableIBMJAXWSEngine   true

         javax.xml.soap.MessageFactory                         com.sun.xml.internal.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl

         javax.xml.soap.SOAPFactory                            com.sun.xml.internal.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl

         javax.xml.soap.SOAPConnectionFactory                  com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnectionFactory

         javax.xml.soap.MetaFactory                            com.sun.xml.internal.messaging.saaj.soap.SAAJMetaFactoryImpl

That's it.

Cheers,

Adianfer
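
The answer above fixes the problem by pinning the SAAJ implementation through JVM properties, but nothing in that procedure shows whether the pin took effect. The following is an added example, not code from the answer or from IBM: a small check, with names of my choosing, that resolves the three public SAAJ factories the same way Spring-WS's SaajSoapMessageFactory does (through the no-argument newInstance(), which honours the javax.xml.soap.* properties), prints which class answered and from which jar, and compares the result against the implementation classes the answer pins. It assumes a Java 8 runtime, where javax.xml.soap ships with the JDK under the com.sun.xml.internal names listed in the table; on Java 11 and later the API comes from a separate SAAJ jar and the expected names lose the "internal" package segment, so EXPECTED has to be adapted. javax.xml.soap.SAAJMetaFactory has no public getInstance(), so the MetaFactory entry is not resolved here. Run stand-alone it only reports the classpath default; called from the application's start-up code inside the container it reports what the container actually hands to the application.

```java
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPConnectionFactory;
import javax.xml.soap.SOAPFactory;

/**
 * Reports which SAAJ implementation the running JVM resolves for the factories Spring-WS uses, and from which jar,
 * so a container that swaps in its own engine is caught at start-up instead of as a signature fault from DataPower.
 * Hypothetical helper written for this page, not part of Spring-WS or WebSphere.
 */
public class SaajProviderCheck {
    /** Implementation classes the WebSphere custom properties in the answer pin (Java 8 JDK-bundled SAAJ). */
    static final Map<String, String> EXPECTED = new LinkedHashMap<>();
    static {
        EXPECTED.put("javax.xml.soap.MessageFactory",
                "com.sun.xml.internal.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl");
        EXPECTED.put("javax.xml.soap.SOAPFactory",
                "com.sun.xml.internal.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl");
        EXPECTED.put("javax.xml.soap.SOAPConnectionFactory",
                "com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnectionFactory");
    }

    /** Resolves the factories as SaajSoapMessageFactory does: newInstance() consults the javax.xml.soap.* properties. */
    static Map<String, Class<?>> resolveActual() throws Exception {
        Map<String, Class<?>> actual = new LinkedHashMap<>();
        actual.put("javax.xml.soap.MessageFactory", MessageFactory.newInstance().getClass());
        actual.put("javax.xml.soap.SOAPFactory", SOAPFactory.newInstance().getClass());
        actual.put("javax.xml.soap.SOAPConnectionFactory", SOAPConnectionFactory.newInstance().getClass());
        return actual;
    }

    /** Returns one line per factory whose implementation differs from EXPECTED; an empty list means the pin is in effect. */
    static List<String> mismatches() throws Exception {
        List<String> problems = new ArrayList<>();
        for (Map.Entry<String, Class<?>> e : resolveActual().entrySet()) {
            Class<?> impl = e.getValue();
            CodeSource src = impl.getProtectionDomain().getCodeSource();
            // Bootstrap classes (the JDK's own SAAJ) have no CodeSource; anything else names the jar it came from
            String origin = (src == null || src.getLocation() == null) ? "JDK runtime" : src.getLocation().toString();
            System.out.printf("%-38s -> %s (%s)%n", e.getKey(), impl.getName(), origin);
            if (!EXPECTED.get(e.getKey()).equals(impl.getName()))
                problems.add(e.getKey() + " resolved to " + impl.getName() + " from " + origin
                        + ", expected " + EXPECTED.get(e.getKey()));
        }
        // Informational: the first property of the answer's table, visible only when the JVM was started with it
        System.out.println("com.ibm.websphere.webservices.DisableIBMJAXWSEngine = "
                + System.getProperty("com.ibm.websphere.webservices.DisableIBMJAXWSEngine"));
        return problems;
    }

    /** Call from application start-up (e.g. a ServletContextListener) to fail fast instead of failing at DataPower. */
    static void assertExpectedSaaj() throws Exception {
        List<String> problems = mismatches();
        if (!problems.isEmpty())
            throw new IllegalStateException("SAAJ provider mismatch:\n  " + String.join("\n  ", problems));
    }

    public static void main(String[] args) throws Exception {
        for (String p : mismatches()) System.out.println("MISMATCH: " + p);
    }
}
```

Running the check before and after adding the custom properties turns the answer's "restart and retry against DataPower" step into a local pass/fail: if a factory still resolves to a class from the container's own jars, the properties were added to the wrong server or the restart did not happen.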