Language agnostic STR转换是如何工作的?
在使用WS-Security时,STR转换算法如何处理XML签名?我需要对用于SOAP消息签名的SecurityTokenReference进行签名,这是安全令牌所需的转换。我使用x509证书进行签名,因此安全令牌就是这个证书。但是,在消息中,我只需要对证书指纹的引用 这是我需要复制的签名结构,我唯一缺少的是对SecurityTokenReference的签名引用:Language agnostic STR转换是如何工作的?,language-agnostic,x509,ws-security,xml-signature,Language Agnostic,X509,Ws Security,Xml Signature,在使用WS-Security时,STR转换算法如何处理XML签名?我需要对用于SOAP消息签名的SecurityTokenReference进行签名,这是安全令牌所需的转换。我使用x509证书进行签名,因此安全令牌就是这个证书。但是,在消息中,我只需要对证书指纹的引用 这是我需要复制的签名结构,我唯一缺少的是对SecurityTokenReference的签名引用: <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#Timestamp_C1Ih1AB1vpPT5uG2">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>fVSyToUO8yS131cV8oT1h6fa69Jvtt+pKFeP4BFf1P4=</dsig:DigestValue>
</dsig:Reference>
<!-- Other signature references -->
<dsig:Reference URI="#str_U1sjQ5j8JtKnObLk">
<dsig:Transforms>
<dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<wsse:TransformationParameters>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</wsse:TransformationParameters>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>gRa3zakGn13XISoKpekB3zl0iDqb/LmNy7+aMDtzKIY=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>ptO...E9Q==</dsig:SignatureValue>
<dsig:KeyInfo>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="str_U1sjQ5j8JtKnObLk">
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">h5...ow=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
</dsig:Signature>
fVSyToUO8yS131cV8oT1h6fa69Jvtt+pKFeP4BFf1P4=
gRa3zakGn13XISoKpekB3zl0iDqb/LmNy7+aMDtzKIY=
ptO…E9Q==
h5…噢=
,来自第38页,但我无法理解如何在实践中应用它。好的,检查Oracle的WebLogic服务器调试和详细日志文件后,该文件具有一个工作的服务示例,并设置标志
-Dweblogic.xml.crypto.dsig.debug=true-Dweblogic.xml.crypto.crypto.keyinfo.debug=true-Dweblogic.xml.crypto.keyinfo.verbose=true-Dweblogic.wsee.verbose=*-Dweblogic.wsee.debug=*SecurityTokenReferenceKeyIdentifierBinarySecurityToken<wsse:BinarySecurityToken xmlns="" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">CertificateBase64String</wsse:BinarySecurityToken>
它是按原样规范化和摘要化的,因此,如果通过删除空的xmlns命名空间或前缀命名空间或更改命名空间前缀来简化XML,则操作可能会提供错误的结果。xmlns=”“它被规范化并按原样进行摘要xmlns根据规范,BinarySecurityToken只包含ValueType属性。安全部分。感谢您的回复!
System.Security.Cryptography.SHA256 sha = System.Security.Cryptography.SHA256.Create();
byte[] hash = sha.ComputeHash(Encoding.UTF8.GetBytes("<wsse:BinarySecurityToken xmlns=\"\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" ValueType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3\">MIIF...2A8=</wsse:BinarySecurityToken>"));
string digestValue = Convert.ToBase64String(hash);