Python使用BinarySecurityToken签署SOAP请求

时间:2017-10-27 11:03:43

标签: python soap suds wsse zeep

我正在尝试使用 Python 用证书对 SOAP 请求进行签名。我已经尝试了 python-zeep 及其 Signature 方法，以及 suds 与 py-wsse。两者都没有给出我预期的结果。

Zeep给了我:

<!-- Zeep output: the Signature element is in the default xmldsig namespace (no ds: prefix)
     and covers the Body and the Timestamp. The certificate is embedded in KeyInfo as
     X509Data (issuer/serial plus the certificate) inside the SecurityTokenReference; there is
     no wsse:BinarySecurityToken and therefore no reference to one.
     Algorithms as shown: exc-c14n, rsa-sha1, sha1. -->
<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap-env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<!-- Reference 1: the soap-env:Body (wsu:Id on the Body element below) -->
<Reference URI="#id-2790286f-721f-4f62-88bf-7e6b1f160e09">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue> DATA </DigestValue>
</Reference>
<!-- Reference 2: the wsu:Timestamp -->
<Reference URI="#id-597e9b96-07e2-4ee8-9ba8-071d97851456">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue> DATA </DigestValue>
</Reference>
</SignedInfo>
<SignatureValue> DATA </SignatureValue>
<!-- Certificate carried inline as X509Data (issuer name, serial number and the certificate)
     rather than as a wsse:Reference to a BinarySecurityToken -->
<KeyInfo>
<wsse:SecurityTokenReference><X509Data>
<X509IssuerSerial>
<X509IssuerName> DATA </X509IssuerName>
<X509SerialNumber> DATA </X509SerialNumber>
</X509IssuerSerial>
<X509Certificate> DATA </X509Certificate>
</X509Data>
</wsse:SecurityTokenReference></KeyInfo>
</Signature>
      <!-- Signed timestamp (Reference 2); validity window here is one hour -->
      <wsu:Timestamp wsu:Id="id-597e9b96-07e2-4ee8-9ba8-071d97851456">
        <wsu:Created>2017-10-27T09:41:01+00:00</wsu:Created>
        <wsu:Expires>2017-10-27T10:41:01+00:00</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap-env:Header>
  <!-- Signed Body (Reference 1) -->
  <soap-env:Body wsu:Id="id-2790286f-721f-4f62-88bf-7e6b1f160e09">
    <wst:RequestSecurityToken>
      <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
    </wst:RequestSecurityToken>
  </soap-env:Body>
</soap-env:Envelope>

而suds python-wsse给出:

<!-- suds + py-wsse output: this envelope is encrypted, not signed. There is no ds:Signature.
     wsse:Security carries the certificate as a BinarySecurityToken and an xenc:EncryptedKey
     (symmetric key wrapped with rsa-oaep-mgf1p, its KeyInfo pointing at the token by wsu:Id);
     the Body content is replaced by xenc:EncryptedData (tripledes-cbc) that the EncryptedKey's
     ReferenceList points at. The wsu:Timestamp has no wsu:Id, so nothing can reference it. -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
               <soapenv:Header>
                              <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                                            <!-- Base64-encoded X.509v3 certificate, followed on the same line by the
                                                 EncryptedKey whose KeyInfo references this token's wsu:Id -->
                                            <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="id-86d39619-2654-4e09-a1bc-40e2822bf1c9"> DATA </wsse:BinarySecurityToken><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"><wsse:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#id-86d39619-2654-4e09-a1bc-40e2822bf1c9"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData>
<xenc:CipherValue> DATA </xenc:CipherValue>
</xenc:CipherData>
<!-- DataReference targets the EncryptedData element in the Body -->
<xenc:ReferenceList><xenc:DataReference URI="#id-a14b401f-8353-46d6-a607-92ef23caca1e"/></xenc:ReferenceList></xenc:EncryptedKey>
<!-- Timestamp without a wsu:Id: not referenceable and not covered by anything -->
<wsu:Timestamp>
                                                           <wsu:Created>2017-10-27T11:20:16.301Z</wsu:Created>
                                                           <wsu:Expires>2017-10-27T13:20:26.301Z</wsu:Expires>
                                            </wsu:Timestamp>
                              </wsse:Security>
               </soapenv:Header>
               <soapenv:Body>
                              <!-- Body payload replaced by ciphertext; tripledes-cbc is a legacy
                                   algorithm, confirm the receiving service actually requires it -->
                              <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Type="http://www.w3.org/2001/04/xmlenc#Element" ns0:Id="id-a14b401f-8353-46d6-a607-92ef23caca1e">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<xenc:CipherData>
<xenc:CipherValue> DATA </xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
               </soapenv:Body>
</soapenv:Envelope>

但是我需要一个看起来更像是两者混合的请求:

<!-- Desired envelope: a ds:Signature bound to an X.509 certificate that travels inline as a
     wsse:BinarySecurityToken. SignedInfo lists three references: the Timestamp (TS-...),
     the Body (id-...) and the BinarySecurityToken itself (X509-...).
     Algorithms as shown are exc-c14n, rsa-sha1 and sha1; confirm the receiving service's
     policy still accepts SHA-1 before reproducing this shape, since SHA-256 variants are
     the usual requirement today. -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
               <soapenv:Header>
                              <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                                            <!-- Base64-encoded X.509v3 certificate. Its wsu:Id is the target of both the
                                                 KeyInfo reference and the third ds:Reference, so the token is itself signed. -->
                                            <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-B0D6288D1BAB6D839515090888163762"> DATA </wsse:BinarySecurityToken>
                                            <!-- Signature over the three wsu:Id targets listed in SignedInfo -->
                                            <ds:Signature Id="SIG-B0D6288D1BAB6D839515090888164186" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                                           <ds:SignedInfo>
                                                                          <!-- Exclusive C14N; PrefixList names the in-scope prefixes that are
                                                                               included in the canonical form. A PrefixList that differs from what
                                                                               the verifier expects is a common cause of digest mismatches. -->
                                                                          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                                                                         <ec:InclusiveNamespaces PrefixList="soapenv wst" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                                                          </ds:CanonicalizationMethod>
                                                                          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                                                                          <!-- Reference 1: the wsu:Timestamp (wsu:Id="TS-...") -->
                                                                          <ds:Reference URI="#TS-B0D6288D1BAB6D839515090888163021">
                                                                                         <ds:Transforms>
                                                                                                       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                                                                                                      <ec:InclusiveNamespaces PrefixList="wsse soapenv wst" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                                                                                       </ds:Transform>
                                                                                         </ds:Transforms>
                                                                                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                                                                         <ds:DigestValue> DATA </ds:DigestValue>
                                                                          </ds:Reference>
                                                                          <!-- Reference 2: the soapenv:Body (wsu:Id="id-...") -->
                                                                          <ds:Reference URI="#id-B0D6288D1BAB6D839515090888164135">
                                                                                         <ds:Transforms>
                                                                                                       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                                                                                                      <ec:InclusiveNamespaces PrefixList="wst" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                                                                                       </ds:Transform>
                                                                                         </ds:Transforms>
                                                                                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                                                                         <ds:DigestValue> DATA </ds:DigestValue>
                                                                          </ds:Reference>
                                                                          <!-- Reference 3: the BinarySecurityToken itself (wsu:Id="X509-...") -->
                                                                          <ds:Reference URI="#X509-B0D6288D1BAB6D839515090888163762">
                                                                                         <ds:Transforms>
                                                                                                       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                                                                                                      <ec:InclusiveNamespaces PrefixList="" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                                                                                       </ds:Transform>
                                                                                         </ds:Transforms>
                                                                                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                                                                         <ds:DigestValue> DATA </ds:DigestValue>
                                                                          </ds:Reference>
                                                           </ds:SignedInfo>
                                                           <ds:SignatureValue> DATA </ds:SignatureValue>
                                                           <!-- KeyInfo carries no X509Data; it points at the BinarySecurityToken by wsu:Id -->
                                                           <ds:KeyInfo Id="KI-B0D6288D1BAB6D839515090888164053">
                                                                          <wsse:SecurityTokenReference wsu:Id="STR-B0D6288D1BAB6D839515090888164074">
                                                                                         <wsse:Reference URI="#X509-B0D6288D1BAB6D839515090888163762" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                                                                          </wsse:SecurityTokenReference>
                                                           </ds:KeyInfo>
                                            </ds:Signature>
                                            <!-- Signed timestamp (Reference 1); Expires is 10 s after Created, so the
                                                 request must be verified promptly (tight replay window) -->
                                            <wsu:Timestamp wsu:Id="TS-B0D6288D1BAB6D839515090888163021">
                                                           <wsu:Created>2017-10-27T07:20:16.301Z</wsu:Created>
                                                           <wsu:Expires>2017-10-27T07:20:26.301Z</wsu:Expires>
                                            </wsu:Timestamp>
                              </wsse:Security>
               </soapenv:Header>
               <!-- The Body declares xmlns:wsu itself because the declaration on wsse:Security is
                    not in scope here; the wsu:Id makes the Body addressable by Reference 2 -->
               <soapenv:Body wsu:Id="id-B0D6288D1BAB6D839515090888164135" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                              <wst:RequestSecurityToken>
                                              <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
                                              <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
                              </wst:RequestSecurityToken>
               </soapenv:Body>
</soapenv:Envelope>

有没有简单的方法在 Python 中使用 BinarySecurityToken 签署 SOAP 信封？第一个信封与最后一个信封之间是否存在实质性差异，还是两者都同样有效？

1 个答案:

答案 0 :(得分:1)

Chilkat 及其 API 提供了两个示例（见文末）来解决此问题。第一个使用 Chilkat 对证书进行签名，第二个使用 SecurityTokenReference 进行签名。你不必依赖此 API（它需要付费许可），也可以用其他库完成同样的事情（替代方法见下文）。这些示例是了解 Chilkat API 的用法并自行定制方法的理想起点。

在第一个示例中:

  • (#1)已加载 SOAP XML模板,该模板将使用 pfx 证书和BinaryTokenReference进行签名;
  • (#2-3) 加载 pfx（一个受密码保护、同时包含证书及其私钥的文件），然后通过输入该密码（即颁发证书时使用的密码）从中提取私钥和证书；
  • (#4) 从 pfx 文件中提取证书后，对其进行 BASE64 编码。在 XML 模板内部，BinarySecurityToken 中的 BASE64_CERT 占位值会被替换为该字符串；
  • (#5) 构建 wsse:BinarySecurityToken XML。此 XML 即 KeyInfo，用于存放你的证书（即公钥，而非私钥），供接收方用来验证签名；
  • (#6)使用wsse:SecurityTokenReference XML 进行签名。

你可以借助第二个示例来改编第一个示例，需要做以下更改：

  • 更改 Chilkat XML Digital Signature Generator 的构造方式。示例 2 中从 sbXml 开始的部分展示了一种做法以及参数的设置。输出的 XML 结构将类似于使用 chilkat.CkXml() 得到的此模式：
BinarySecurityToken
  • 你可以使用 OpenSSL.crypto 处理 pfx 文件，从中提取私钥和证书；

  • 您可以使用SignXML生成<?xml version="1.0" encoding="UTF-8"?> <S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <S:Header> <To xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://XXXXXXXXX</To> <Action xmlns="http://www.w3.org/2005/08/addressing" S:mustUnderstand="true">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action> <ReplyTo xmlns="http://www.w3.org/2005/08/addressing"> <Address>http://www.w3.org/2005/08/addressing/anonymous</Address> </ReplyTo> <FaultTo xmlns="http://www.w3.org/2005/08/addressing"> <Address>http://www.w3.org/2005/08/addressing/anonymous</Address> </FaultTo> <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:e9033251-4ff0-4618-8baf-4952ab5fd207</MessageID> <wsse:Security S:mustUnderstand="true"> <wsu:Timestamp xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" wsu:Id="_1"> <wsu:Created>2018-05-23T02:38:27Z</wsu:Created> <wsu:Expires>2018-05-23T02:43:27Z</wsu:Expires> </wsu:Timestamp> <wsse:BinarySecurityToken xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="uuid_43470044-78b4-4b23-926a-b7f590d24cb8">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</wsse:BinarySecurityToken> </wsse:Security> </S:Header> <S:Body> 
<RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> <RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</RequestType> <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> <EndpointReference:EndpointReference xmlns:EndpointReference="http://www.w3.org/2005/08/addressing" xmlns="http://www.w3.org/2005/08/addressing"> <Address>https://XXXXXXXXX/services</Address> </EndpointReference:EndpointReference> </wsp:AppliesTo> <TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType> <Claims xmlns:i="http://schemas.xmlsoap.org/ws/2005/05/identity" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"> <i:ClaimType Optional="false" Uri="http://XXXXXXXXX/2008/06/identity/claims/abn" /> <i:ClaimType Optional="false" Uri="http://XXXXXXXXX/2008/06/identity/claims/commonname" /> <i:ClaimType Optional="false" Uri="http://XXXXXXXXX/2008/06/identity/claims/credentialtype" /> <i:ClaimType Optional="false" Uri="http://XXXXXXXXX/2008/06/identity/claims/samlsubjectid" /> <i:ClaimType Optional="false" Uri="http://XXXXXXXXX/2008/06/identity/claims/fingerprint" /> <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/sbr_personid" /> <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/givennames" /> <i:ClaimType Optional="true" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" /> <i:ClaimType Optional="true" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" /> <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/credentialadministrator" /> <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/stalecrlminutes" /> <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/subjectdn" /> <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/issuerdn" /> <i:ClaimType Optional="true" 
Uri="http://XXXXXXXXX/2008/06/identity/claims/notafterdate" /> <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/certificateserialnumber" /> <i:ClaimType Optional="true" Uri="http://XXXXXXXXX/2008/06/identity/claims/previoussubject" /> </Claims> <Lifetime> <wsu:Created>2018-05-23T02:38:27.906Z</wsu:Created> <wsu:Expires>2018-05-23T03:08:27.906Z</wsu:Expires> </Lifetime> <KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</KeyType> <KeySize>512</KeySize> </RequestSecurityToken> </S:Body> </S:Envelope>

XML Digital Signature

参考示例

示例 1 Sign SOAP XML using a wsse:SecurityTokenReference

示例 2 Sign with BinarySecurityToken