Java: get X509 certificate from SOAP security header
Hi all. I have a simple stub client for a CXF web service (Spring application). It uses WSS4JOutInterceptor with action="Signature", so the SOAP request message is (headers):
Content-Type: text/xml; charset=UTF-8
Accept: */*
SOAPAction: ""
User-Agent: Apache CXF 2.4.3
Cache-Control: no-cache
Pragma: no-cache
Host: 127.0.0.1:8888
Connection: keep-alive
Content-Length: 1890
(only the text content of the security header survived extraction; the surrounding XML markup is missing)
RJhc1ZVjXdUQEIwLTH356p7H0QY=
F0q0NV7kaSbAcsLHxVpYD1bQ1RAJcw6wPapDKAM9PIcs7EuS9S5PlE4cQMfAp1WgsKa91r3op1OQ5UrYmmdj/UneYawdPIYSaoFBGjndTXZnOCKp4YfRTQGZ2EVJRFHJbPsTsqHedPAyJLHhciViguTGeuA0hZAQN97KB/9ZLmY=
CN=1,OU=1,O=1,L=1,ST=1,C=RU
1328891280
Can I create a certificate from this data? There is no data about the validity dates or the public key. Is there a way to insert the certificate into the header (not by reference / the SecurityTokenReference tag)?
Progress:
I read that, to embed the certificate into the request, one needs to use
. So the request changes to:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-A3BCFAE87E12A8813813289737654441">...</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" />
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#id-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" />
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>RJhc1ZVjXdUQEIwLTH356p7H0QY=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>F0q0NV7kaSbAcsLHxVpYD1bQ1RAJcw6wPapDKAM9PIcs7EuS9S5PlE4cQMfAp1WgsKa91r3op1OQ5UrYmmdj/UneYawdPIYSaoFBGjndTXZnOCKp4YfRTQGZ2EVJRFHJbPsTsqHedPAyJLHhciViguTGeuA0hZAQN97KB/9ZLmY=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-A3BCFAE87E12A8813813289737654452">
          <wsse:SecurityTokenReference wsu:Id="STR-A3BCFAE87E12A8813813289737654483">
            <wsse:Reference URI="#X509-A3BCFAE87E12A8813813289737654441" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
Getting the certificate from this type of request is probably simpler. But how to do it? The solution is to use the BinarySecurityToken element of the header:
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.xml.soap.SOAPMessage;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
SoapMessage soapMessage = (SoapMessage) message;
SOAPMessage doc = getSOAPMessage(soapMessage); // CXF interceptor helper giving the SAAJ view of the message
Element elem = WSSecurityUtil.getSecurityHeader(doc.getSOAPPart(), ""); // wsse:Security header with no actor
// get the BinarySecurityToken element (first child of wsse:Security in the request shown above)
Node binarySignatureTag = elem.getFirstChild();
X509Security token = new X509Security((Element) binarySignatureTag);
// X509Certificate construction from the token's Base64-decoded DER bytes
InputStream in = new ByteArrayInputStream(token.getToken());
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) certFactory.generateCertificate(in);
As you can see, you also need to use the org.apache.ws.security package.

Hi :) In short: you cannot infer the certificate from that action. "Signature" should not send any certificate over the wire. The public part of the key (used to generate the signature) should be in the client's public keyring. The information passed in wsse:SecurityTokenReference is used only to uniquely identify this key.
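The two points on this page fit together: a wsse:BinarySecurityToken lets the receiver rebuild the X509Certificate from the message itself, while a SecurityTokenReference only identifies a key that the receiver must already hold in its own keystore. The following class is an added example, not code from the question, the answer or the CXF/WSS4J projects. It locates the token by namespace and local name instead of getFirstChild() (which returns a whitespace text node as soon as the header is pretty-printed), checks the ValueType/EncodingType attributes before decoding, and then treats the extracted certificate as untrusted until it is found in a trust store. To run offline it assumes the JDK's own cacerts file at java.home/lib/security/cacerts as the trust store and builds a constructed wsse:Security header around one of its certificates; the class and method names are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SecurityHeaderCertExtractor {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    static final String BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";

    /** Certificate carried in a wsse:BinarySecurityToken of the given wsse:Security element, or null if there is none. */
    static X509Certificate certFromBinarySecurityToken(Element securityHeader) throws Exception {
        NodeList tokens = securityHeader.getElementsByTagNameNS(WSSE, "BinarySecurityToken");
        for (int i = 0; i < tokens.getLength(); i++) {
            Element bst = (Element) tokens.item(i);
            // Only accept the token profile we expect; anything else is not an X.509v3 certificate
            if (!X509V3.equals(bst.getAttribute("ValueType")) || !BASE64.equals(bst.getAttribute("EncodingType"))) {
                continue;
            }
            byte[] der = Base64.getMimeDecoder().decode(bst.getTextContent().trim()); // MIME decoder tolerates line wrapping
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
        }
        return null;
    }

    /** A certificate taken from the message cannot vouch for itself: it counts only if the trust store already holds it. */
    static boolean isTrusted(X509Certificate cert, KeyStore trustStore) throws Exception {
        return trustStore.getCertificateAlias(cert) != null;
    }

    /** Resolve a key identified only by issuer and serial, which is all an X509IssuerSerial reference conveys. */
    static X509Certificate findByIssuerSerial(KeyStore ks, X500Principal issuer, BigInteger serial) throws Exception {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                if (x.getIssuerX500Principal().equals(issuer) && x.getSerialNumber().equals(serial)) {
                    return x;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the JDK's cacerts serves as the trust store so the demo runs offline.
        // A real service uses the keystore it configured for WSS4J instead.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(
                Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toFile())) {
            ks.load(in, null);
        }
        X509Certificate sample = (X509Certificate) ks.getCertificate(ks.aliases().nextElement());

        // Constructed wsse:Security header in the shape shown in the question, with the sample certificate as the BST
        String header = "<wsse:Security xmlns:wsse=\"" + WSSE + "\">"
                + "<wsse:BinarySecurityToken EncodingType=\"" + BASE64 + "\" ValueType=\"" + X509V3 + "\">"
                + Base64.getEncoder().encodeToString(sample.getEncoded())
                + "</wsse:BinarySecurityToken></wsse:Security>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs from the wire
        Document doc = dbf.newDocumentBuilder().parse(
                new ByteArrayInputStream(header.getBytes(StandardCharsets.UTF_8)));

        X509Certificate fromToken = certFromBinarySecurityToken(doc.getDocumentElement());
        System.out.println("BST subject  : " + fromToken.getSubjectX500Principal());
        System.out.println("trusted      : " + isTrusted(fromToken, ks));

        // The same key located by reference only, as a SecurityTokenReference/X509IssuerSerial would identify it
        X509Certificate byRef = findByIssuerSerial(ks, sample.getIssuerX500Principal(), sample.getSerialNumber());
        System.out.println("by reference : " + (byRef != null && byRef.equals(fromToken)));
    }
}
```

Both lookups end at the receiver's own keystore: the token form merely spares the receiver from resolving issuer and serial, it does not make the sender's certificate trustworthy, which is why isTrusted is the step that decides anything.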