事实证明,我已经通过soapUI测试了一个Web服务,并使用我获得的pem证书配置了 keystore 。
当我应用传出 WSSE 签名时,我得到一个 wsse:Security 元素,如下所示:
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:Signature Id="SIG-1C747258C55C77E5C5154835835043446"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="hal ns ns1 ns2 soapenv"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-1C747258C55C77E5C515483521292064">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="hal ns ns1 ns2"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>AfQsslNyqfZcR2GwBV+0vtAuO/c=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
[THE SIGNATURE]
</ds:SignatureValue>
<ds:KeyInfo Id="KI-1C747258C55C77E5C5154835835043344">
<wsse:SecurityTokenReference wsu:Id="STR-1C747258C55C77E5C5154835835043345">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">VwDFSfuw3Zk0GeAG4PhV8YWZ2P4=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
我有兴趣使用 Node.js 生成这个确切的 block 。我尝试使用soap包,但它总是返回错误“无法解析请求”,如果我用它替换签名 block 就可以了。
所以基本上我想知道手动签名正文和替换哈希值的步骤,然后在这个 block 中替换它们并做一个简单的帖子:)
我希望您不会觉得这个问题很天真(我对 SOAP Web 服务非常陌生)。
谢谢!
最佳答案
我放弃了用nodeJS来做,而是用java来做。我是这样做的:
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Document;
import java.io.StringWriter;
import java.util.Properties;
import static java.nio.file.Files.readAllBytes;
import static java.nio.file.Paths.get;
public class WSSecuritySign {
public static void signXml() throws Exception {
final String req = new String(readAllBytes(get("target/classes/test.xml"))); //the soap envelope to be signed without the security header
final Document soapDocument = XmlUtils.parseXml(req);
final WSSecHeader secHeader = new WSSecHeader();
final WSSecSignature wssSign = new WSSecSignature();
final Crypto wssCrypto = getCrypto();
secHeader.insertSecurityHeader(soapDocument);
wssSign.setSignatureAlgorithm(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
wssSign.setSigCanonicalization(WSConstants.C14N_EXCL_OMIT_COMMENTS);
wssSign.setUseSingleCertificate(false);
wssSign.setDigestAlgo(MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA1);
wssSign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
wssSign.setUserInfo("keystore_alias", "a_password");
wssSign.setKeyIdentifierType(4); //Or Subject Key Identifier
wssSign.build(soapDocument, wssCrypto, secHeader);
final StringWriter writer = new StringWriter();
XmlUtils.serialize(soapDocument.getDocumentElement(), writer);
System.out.println(writer.toString());
}
public static void main(String... unused) throws Exception {
signXml();
}
public static Crypto getCrypto() throws Exception {
Properties props = new Properties();
props.setProperty("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
props.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "a_password");
props.setProperty("org.apache.ws.security.crypto.merlin.keystore.alias", "keystore_alias");
props.setProperty("org.apache.ws.security.crypto.merlin.keystore.file", "keystore.jks");
return CryptoFactory.getInstance(props, ClassLoader.getSystemClassLoader());
}
}
不要忘记替换您的 keystore 别名、其位置和密码(如果有),我认为如果您的 keystore 没有默认密码,则有一个默认密码,不记得它是如何命名的。
关于java - 使用nodejs模拟soapUI签名请求,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/54356541/