我正在用 Java 实现 Web 服务客户端,它使用 wss4j 1.6.8 实现 WS-Security(为了更精确,我需要签署 SOAP 消息)。服务器端要求请求具有以下结构:
<Envelope>
<Header>
<wsse:Security mustUnderstand="1">
**<wsu:Timestamp wsu:Id="Timestamp-913ca68e-05ed-44e1-9d6c-b2f293da5a1d">
<wsu:Created>2012-12-21T11:37:31Z</wsu:Created>
<wsu:Expires>2012-12-21T11:42:31Z</wsu:Expires>
</wsu:Timestamp>**
<wsse:BinarySecurityToken>
MIID2jCCAsKg...
</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Timestamp-913ca68e-05ed-44e1-9d6c-b2f293da5a1d">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>jdVY1HaDLusqO9UcxASE/GQHxyo=</DigestValue>
</Reference>
<Reference URI="#Body-e344eef1-2d8a-42d0-8a30-361ee61a8617">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>L60mQelZERvXgLEgWlW50uJNqEA=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
NmgACUqrYYc/Kp/F...
</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference xmlns="">
<wsse:Reference URI="#SecurityToken-3f054298-711c-4090-95c3-105e1093f3ba" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</S:Header>
<S:Body>
Body content...
</S:Body>
</Envelope>
我的解决方案对文档(正文和时间戳元素)进行签名,但出于某种原因,wss4j 将时间戳元素放在该部分的底部,<wsse:BinarySecurityToken> 之后和 <Signature>元素出了什么问题。请查看做签名工作的来源:
public static SOAPMessage signSoapMessage(SOAPMessage message, PrivateKey signingKey, X509Certificate signingCert, char[] passphrase) throws WSSecurityException {
final String alias = "signingKey";
final int signatureValidityTime = 3600; // 1hour in seconds
WSSConfig config = new WSSConfig();
config.setWsiBSPCompliant(false);
WSSecSignature builder = new WSSecSignature(config);
builder.setX509Certificate(signingCert);
builder.setUserInfo(alias, new String(passphrase));
builder.setUseSingleCertificate(true);
builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
try {
Document document = DanskeUtils.toDocument(message);
WSSecHeader secHeader = new WSSecHeader();
secHeader.setMustUnderstand(true);
secHeader.insertSecurityHeader(document);
WSSecTimestamp timestamp = new WSSecTimestamp();
timestamp.setTimeToLive(signatureValidityTime);
document = timestamp.build(document, secHeader);
List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
WSEncryptionPart timestampPart = new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, "");
WSEncryptionPart bodyPart = new WSEncryptionPart(WSConstants.ELEM_BODY, WSConstants.URI_SOAP11_ENV, "");
parts.add(timestampPart);
parts.add(bodyPart);
builder.setParts(parts);
Properties properties = new Properties();
properties.setProperty("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
Crypto crypto = CryptoFactory.getInstance(properties);
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(null, passphrase);
keystore.setKeyEntry(alias, signingKey, passphrase, new Certificate[]{signingCert});
((Merlin) crypto).setKeyStore(keystore);
crypto.loadCertificate(new ByteArrayInputStream(signingCert.getEncoded()));
document = builder.build(document, crypto, secHeader);
return Utils.updateSoapMessage(document, message);
} catch (Exception e) {
throw new WSSecurityException(WSSecurityException.Reason.SIGNING_ISSUE, e);
}
}
能否请您帮助我阐明如何在签署文档之前更改元素的顺序? 谢谢!
最佳答案
WS-SEC 规范说“当元素被添加到标题 block 时,它们应该被添加到现有元素之前。”
因此,如果您首先添加时间戳,它将位于 ws-header 中任何现有子元素之上。由于您是在添加时间戳后签署消息,因此签名信息将再次预先附加到 header ,因此它将出现在时间戳元素上方。
如果你需要时间戳元素出现在最顶部,将它添加到头部作为最后的过程
关于java - 签署 SOAP 消息期间的 WSS4j 元素顺序,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/14054523/