How to handle a SOAP WS-Security digital signature for X509 using CXF and WSS4J
I want to send the outbound request using the X509Certificate from the request, and verify the digital signature in the response using CXF and WSS4J. The WS-Security element in the response looks like this. Is there a way to verify a digital signature in the following format using CXF and WSS4J? I have tried several approaches, but with no luck.
    <wsse:Security>
      <wsu:Timestamp wsu:Id="FA_TS-5a00885c-8507-4c5c-b66f-fb45eabcaad6">
        <wsu:Created>2020-08-12T12:13:49Z</wsu:Created>
        <wsu:Expires>2020-08-12T12:18:49Z</wsu:Expires>
      </wsu:Timestamp>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#FA_RIV_1234567890">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>t3/fyodY1azV8CYohUQ79Wi/n3o=</DigestValue>
          </Reference>
          <Reference URI="#FA_TS-5a00885c-8507-4c5c-b66f-fb45eabcaad6">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>TDEn6ZGMf1HaBiLbCaSs7VzIGzs=</DigestValue>
          </Reference>
          <Reference URI="#FA_Body_1234567890">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>hBHMEKU7O1eBvxlYlX/t4I9g/S8=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>n5tsEGaXzfnHFy0VvMDdgIGdTjyS3Uwu/b2BnDap0y1qrudSHbfRvA4/tFPEHHiAxFcYDBxcigci
          46MBPA/t39pGza/JZfvyApg1VHrMub9d2eRNEJxLbcQTeokJP2Iex07x4cQfIG0N2bYRr1ShgRSI
          V4X8uVaTY1lwqInqHIgSD4WX7nw05V0R/nLAgJEqhxOD3qTRiOdymzlDil79+TjH8cvJpBu/k1Oy
          l9TMJDMKSUT6ShHHCpn6WBNqNOGewJxd8qUq3aj/LgGrj4BvP5xh7dTNUKxLplRzqGyzBz8ZbXpg
          ZeUZR+uTa95+qqgQOqVbwCGU3VGEo2lBjgADVQ==</SignatureValue>
        <KeyInfo>
          <X509Data>
            <X509Certificate>MIIEuzCCA6OgAwIBAgIBCjANBgkqhkiG9w0BAQUFADCBoTEcMBoGA1UEBRMTU0UxNjU1NjU5Njgy
              MDItMDAyNDEPMA0GA1UEAxMGZUZhIENBMQswCQYDVQQGEwJTRTESMBAGA1UEBxMJU3RvY2tob2xt
              MQwwCgYDVQQKEwNlRmExDDAKBgNVBAsTA2VGYTEzMDEGCSqGSIb3DQEJARYkZWZhX05PVEFSRUFM
              VVNFUkBlZmFfTk9UQVJFQUxIT1NULnNlMB4XDTE5MDExMTA3MjQ1NFoXDTI5MDEwODA3MjQ1NFow
            </X509Certificate>
          </X509Data>
        </KeyInfo>
      </Signature>
    </wsse:Security>
Solution
You can use Xades4j and iterate over the Signature tags to verify them.
Additionally, if you want to extract the certificate information, you need to integrate with the certificate entity and change the implementation:

    import java.io.IOException;
    import java.util.List;
    import javax.xml.transform.Source;
    import javax.xml.xpath.XPath;
    import javax.xml.xpath.XPathConstants;
    import javax.xml.xpath.XPathExpression;
    import javax.xml.xpath.XPathExpressionException;
    import javax.xml.xpath.XPathFactory;
    import org.w3c.dom.Document;
    import org.w3c.dom.Element;
    import org.w3c.dom.NodeList;
    import com.google.common.collect.Lists;
    import xades4j.XAdES4jException;
    import xades4j.providers.CertificateValidationException;
    import xades4j.providers.CertificateValidationProvider;
    import xades4j.providers.ValidationData;
    import xades4j.utils.XadesProfileResolutionException;
    import xades4j.verification.InvalidSignatureException;
    import xades4j.verification.SignatureSpecificVerificationOptions;
    import xades4j.verification.XAdESVerificationResult;
    import xades4j.verification.XadesVerificationProfile;
    import xades4j.verification.XadesVerifier;

    // XmlValidationException, XmlDocuments, IdAttrNameResourceResolver and
    // getXadesNamespaceContext() are the poster's own helpers and are not shown.
    public class AwesomeValidator {

        // Verifies every ds:Signature found in the source and collects the results.
        public List<XAdESVerificationResult> validate(Source source) throws XmlValidationException {
            try {
                XadesVerifier verifier = buildVerifier();
                SignatureSpecificVerificationOptions sigOptions = buildVerificationOptions();
                NodeList nl = getNodeList(source);
                List<XAdESVerificationResult> result = Lists.newArrayList();
                for (int i = 0; i < nl.getLength(); i++) {
                    Element sigElement = (Element) nl.item(i);
                    try {
                        result.add(verifier.verify(sigElement, sigOptions));
                    } catch (InvalidSignatureException | CertificateValidationException e) {
                        // throw new CustomException...
                        // (constructor of the poster's exception type assumed here)
                        throw new XmlValidationException(e);
                    }
                }
                return result;
            } catch (XPathExpressionException | XAdES4jException | IOException e) {
                // throw new CustomException...
                throw new XmlValidationException(e);
            }
        }

        private XadesVerifier buildVerifier() throws XadesProfileResolutionException {
            CertificateValidationProvider certValidationProvider = getAlwaysOkCertificateValidator();
            XadesVerificationProfile p = new XadesVerificationProfile(certValidationProvider);
            return p.newVerifier();
        }

        // Accepts whatever certificate the signature carries, i.e. no chain or trust
        // check at all; this is the part to replace with real certificate validation.
        private CertificateValidationProvider getAlwaysOkCertificateValidator() {
            return (certSelector, validationDate, otherCerts) ->
                new ValidationData(Lists.newArrayList(certSelector.getCertificate()));
        }

        // Resolves the Reference URIs (#FA_TS-..., #FA_Body_...) by Id attribute name.
        private SignatureSpecificVerificationOptions buildVerificationOptions() {
            SignatureSpecificVerificationOptions sigOptions = new SignatureSpecificVerificationOptions();
            sigOptions.useResourceResolver(
                new org.apache.xml.security.utils.resolver.ResourceResolver(new IdAttrNameResourceResolver()));
            return sigOptions;
        }

        // Selects all ds:Signature elements in the document.
        private NodeList getNodeList(Source source) throws XPathExpressionException {
            Document document = XmlDocuments.asDom(source);
            XPathFactory xPathfactory = XPathFactory.newInstance();
            XPath xpath = xPathfactory.newXPath();
            xpath.setNamespaceContext(getXadesNamespaceContext());
            XPathExpression expr = xpath.compile("//ds:Signature");
            return (NodeList) expr.evaluate(document, XPathConstants.NODESET);
        }
    }
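The always-OK provider in the answer accepts whatever certificate the sender embeds in KeyInfo, so the signature check says nothing about who signed; the following added example (not from the original question or answer) keeps the same per-Signature loop but chains the certificate to a trust store, and registers wsu:Id as an ID attribute so the Reference URIs shown above resolve. It assumes xades4j 1.x (where PKIXCertificateValidationProvider takes a KeyStore of trust anchors), a namespace-aware parsed DOM of the response, and a JKS trust store whose path and password the caller supplies.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import xades4j.providers.impl.PKIXCertificateValidationProvider;
import xades4j.verification.SignatureSpecificVerificationOptions;
import xades4j.verification.XAdESVerificationResult;
import xades4j.verification.XadesVerificationProfile;
import xades4j.verification.XadesVerifier;
public class TrustAnchoredWsSecurityVerifier {
    private static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    // Verifies every ds:Signature in a namespace-aware parsed response; throws if any fails.
    public static List<X509Certificate> verifyAll(Document response, String trustStorePath,
            char[] trustStorePassword) throws Exception {
        // Trust anchors (assumed JKS): the KeyInfo cert must chain to one of these; revocation off.
        KeyStore trustAnchors = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustAnchors.load(in, trustStorePassword);
        }
        XadesVerifier verifier = new XadesVerificationProfile(
            new PKIXCertificateValidationProvider(trustAnchors, false)).newVerifier();
        registerWsuIds(response);
        NodeList sigs = response.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
        if (sigs.getLength() == 0) {
            throw new SecurityException("response carries no ds:Signature element");
        }
        List<X509Certificate> signers = new ArrayList<>();
        for (int i = 0; i < sigs.getLength(); i++) {
            // verify() throws on a bad digest, bad SignatureValue or untrusted chain: let it propagate.
            XAdESVerificationResult r = verifier.verify((Element) sigs.item(i),
                new SignatureSpecificVerificationOptions());
            signers.add(r.getValidationCertificate());
        }
        return signers;
    }
    // Makes wsu:Id an ID attribute so getElementById() resolves the #FA_TS-... style URIs.
    private static void registerWsuIds(Document doc) {
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU_NS, "Id")) e.setIdAttributeNS(WSU_NS, "Id", true);
        }
    }
}
```

A response whose Signature verifies but whose certificate is not in (or does not chain to) the trust store now fails the call instead of being silently accepted.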