Java: how to correct the SecurityTokenReference when signing SOAP with WSS4J
I am painfully using it to sign SOAP documents. I want mine to look like Figure 1; however, the result looks like Figure 2. That is, Figure 1 has a tag that points to the document's BinarySecurityToken, whereas Figure 2 has a reference that refers to the original certificate used to sign the document.

A) Now, the BinarySecurityToken is a binary value used on the provider side to locate the corresponding certificate chain in the keystore (used to verify the message).

B) I believe the SecurityTokenReference is used to reference the binary security token, which contains the public key used to verify the signature.

It seems my challenge is to make the pointer in Figure 2 look like the one in Figure 1. Is this correct? If so, is there a switch that does this? The code that generates Figure 2 is in Figure 3 (Clojure code). So far I have been digging through the wss4j source code for reference.
Figure 1 (desired: direct reference to the BinarySecurityToken):
<wsse:SecurityTokenReference wsu:Id="STRId-A96305E32CE45DAB06139999212441542"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <!-- this points to <wsse:BinarySecurityToken> -->
  <wsse:Reference URI="#CertId-A96305E32CE45DAB06139999212441540"
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>

Figure 2 (actual: issuer/serial reference to the signing certificate):
<wsse:SecurityTokenReference wsu:Id="STR-f9837b22-c073-45d2-92d0-2df67e823b2e">
  <ds:X509Data>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=*.***.com,O=<org>,L=<city>,ST=<state>,C=<country></ds:X509IssuerName>
      <ds:X509SerialNumber><some-value></ds:X509SerialNumber>
    </ds:X509IssuerSerial>
  </ds:X509Data>
</wsse:SecurityTokenReference>
Figure 3 (Clojure code that produces Figure 2):
;; Assumed ns/imports for WSS4J 2.x, added so the snippet compiles; the namespace
;; name is a placeholder, and `ks` and `soap` are the asker's own helper
;; namespaces, which are not shown in the post.
(ns example.sign-soap
  (:import [org.apache.wss4j.dom WSConstants]
           [org.apache.wss4j.common WSEncryptionPart]
           [org.apache.wss4j.dom.message WSSecSignature WSSecHeader WSSecTimestamp]
           [org.apache.wss4j.dom.message.token X509Security]
           [org.apache.wss4j.dom.util WSSecurityUtil]
           [org.apache.wss4j.common.crypto CryptoFactory CryptoType]
           [org.apache.wss4j.common.util XMLUtils]
           [org.w3c.dom Element]
           [java.util ArrayList]))

(defn sign-soap [soap-string]
  (let [
        ;; ===> pull in keystore & certificate
        ks (ks/keystore)
        _ (ks/import-cert ks "server" (slurp "<mykeystore>"))
        cert (.getCertificate ks "server")
        keyEntry (.getEntry ks "server" nil)
        ;; ===> set Certificate on the signature object
        builder (WSSecSignature.)
        _ (.setX509Certificate builder cert)
        ;; ===> insert security header into the document
        docu (soap/to-w3c-document soap-string)
        secHeader (WSSecHeader.)
        _ (.insertSecurityHeader secHeader docu)
        ;; ===> load the certificate for alias "mykey" via Crypto and prepend a
        ;;      BinarySecurityToken carrying it to the security header
        crypto (CryptoFactory/getInstance)
        bst (X509Security. docu)
        cryptoType (CryptoType. org.apache.wss4j.common.crypto.CryptoType$TYPE/ALIAS)
        _ (.setAlias cryptoType "mykey")
        certs (.getX509Certificates crypto cryptoType)
        _ (.setX509Certificate bst (first (seq certs)))
        _ (WSSecurityUtil/prependChildElement
            (.getSecurityHeader secHeader)
            (.getElement bst))
        ;; ===> add a Timestamp (5 minute TTL) to the security header
        timestamp (WSSecTimestamp.)
        _ (.setTimeToLive timestamp 300)
        createdDoc (.build timestamp docu secHeader)
        ;; ===> sign the Timestamp and the Body, then build the signature
        encTimestamp (WSEncryptionPart. "Timestamp" WSConstants/WSU_NS "")
        encBody (WSEncryptionPart. "Body" "http://schemas.xmlsoap.org/soap/envelope/" "")
        parts (ArrayList.)
        _ (.add parts encTimestamp)
        _ (.add parts encBody)
        _ (.setParts builder parts)
        _ (.setUserInfo builder "myusername" "mypassword")
        signedDoc (.build builder createdDoc crypto secHeader)
        ;; ===> declare the wsu namespace on the Timestamp element and serialise
        secHeaderElement (.getSecurityHeader secHeader)
        timestampNode (.. secHeaderElement (getElementsByTagNameNS WSConstants/WSU_NS "Timestamp") (item 0))
        _ (.setAttributeNS (cast Element timestampNode) WSConstants/XMLNS_NS "xmlns" WSConstants/WSU_NS)
        wss (XMLUtils/PrettyDocumentToString signedDoc)]
    wss))
Answer (Java):
// When driving WSSecSignature directly: reference the BinarySecurityToken
// by a direct reference instead of the default issuer/serial form.
builder.setX509Certificate(signingCert);
builder.setUserInfo(alias, new String(passphrase));
builder.setUseSingleCertificate(true);
builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);

// The equivalent settings when signing/encrypting through the WSS4J handler.
this.setProperty(WSHandlerConstants.ENC_KEY_ID, "DirectReference");
this.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
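To make the difference between the two token references concrete, here is an added Python check (not from the question or the answer, and independent of WSS4J) that classifies each SecurityTokenReference in a wsse:Security header as Figure 1 style (direct reference to a BinarySecurityToken) or Figure 2 style (issuer/serial), and for direct references confirms that the URI actually resolves to an X509v3 BinarySecurityToken in the same header. The sample header is constructed; a receiver can run the same check before handing a message to signature verification.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"


def classify_str(header):
    """Classify every SecurityTokenReference under a wsse:Security element.

    kind is 'DirectReference' (Figure 1 style), 'IssuerSerial' (Figure 2 style)
    or 'Unknown'. For direct references, 'resolves' is True only when the URI
    fragment names a BinarySecurityToken of ValueType X509v3 in this header and
    the Reference itself carries the X509v3 ValueType.
    """
    bsts = {bst.get(f"{{{WSU}}}Id"): bst.get("ValueType")
            for bst in header.iter(f"{{{WSSE}}}BinarySecurityToken")}
    results = []
    for s in header.iter(f"{{{WSSE}}}SecurityTokenReference"):
        ref = s.find(f"{{{WSSE}}}Reference")
        if ref is not None:
            uri = ref.get("URI", "")
            target = uri[1:] if uri.startswith("#") else None
            ok = bsts.get(target) == X509V3 and ref.get("ValueType") == X509V3
            results.append({"kind": "DirectReference", "uri": uri, "resolves": ok})
        elif s.find(f"{{{DS}}}X509Data/{{{DS}}}X509IssuerSerial") is not None:
            results.append({"kind": "IssuerSerial", "uri": None, "resolves": None})
        else:
            results.append({"kind": "Unknown", "uri": None, "resolves": None})
    return results


# Constructed sample header (not from the post): one Figure 1 style STR that
# resolves, one Figure 2 style STR, and one dangling direct reference.
SAMPLE = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <wsse:BinarySecurityToken wsu:Id="CertId-1" ValueType="{X509V3}">BASE64-CERT-PLACEHOLDER</wsse:BinarySecurityToken>
  <wsse:SecurityTokenReference wsu:Id="STRId-1">
    <wsse:Reference URI="#CertId-1" ValueType="{X509V3}"/>
  </wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference wsu:Id="STR-2">
    <ds:X509Data><ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=example.com,O=Example</ds:X509IssuerName>
      <ds:X509SerialNumber>12345</ds:X509SerialNumber>
    </ds:X509IssuerSerial></ds:X509Data>
  </wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference wsu:Id="STR-3">
    <wsse:Reference URI="#missing" ValueType="{X509V3}"/>
  </wsse:SecurityTokenReference>
</wsse:Security>"""


def classify_sample():
    return classify_str(ET.fromstring(SAMPLE))
```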