2012-02-11 49 views
2

Hi all! Getting an X509Certificate from the SOAP Security header

I have a simple stub client for a CXF web service (Spring application). It uses a WSS4JOutInterceptor with action = "Signature"; the SOAP request message (header) looks like this:

Content-Type: text/xml; charset=UTF-8 
Accept: */* 
SOAPAction: "" 
User-Agent: Apache CXF 2.4.3 
Cache-Control: no-cache 
Pragma: no-cache 
Host: 127.0.0.1:8888 
Connection: keep-alive 
Content-Length: 1890 

    <soap:Header> 
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2"> 
     <ds:SignedInfo> 
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
       <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" /> 
      </ds:CanonicalizationMethod> 
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
      <ds:Reference URI="#id-1"> 
       <ds:Transforms> 
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" /> 
       </ds:Transform> 
       </ds:Transforms> 
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
       <ds:DigestValue>RJhc1ZVjXdUQEIwLTH356p7H0QY=</ds:DigestValue> 
      </ds:Reference> 
     </ds:SignedInfo> 
     <ds:SignatureValue>F0q0NV7kaSbAcsLHxVpYD1bQ1RAJcw6wPapDKAM9PIcs7EuS9S5PlE4cQMfAp1WgsKa91r3op1OQ5UrYmmdj/UneYawdPIYSaoFBGjndTXZnOCKp4YfRTQGZ2EVJRFHJbPsTsqHedPAyJLHhciViguTGeuA0hZAQN97KB/9ZLmY=</ds:SignatureValue> 
     <ds:KeyInfo Id="KI-92A4EB90A2868689DC13289669720792"> 
      <wsse:SecurityTokenReference wsu:Id="STR-92A4EB90A2868689DC13289669720823"> 
       <ds:X509Data> 
       <ds:X509IssuerSerial> 
        <ds:X509IssuerName>CN=1,OU=1,O=1,L=1,ST=1,C=RU</ds:X509IssuerName> 
        <ds:X509SerialNumber>1328891280</ds:X509SerialNumber> 
       </ds:X509IssuerSerial> 
       </ds:X509Data> 
      </wsse:SecurityTokenReference> 
     </ds:KeyInfo> 
    </ds:Signature> 
    </wsse:Security> 
    </soap:Header>

Can I somehow create the certificate from this data? There is no data about validity dates or the public key in it. Is there perhaps a way to insert the certificate itself into the header (not via the Reference/SecurityTokenReference tags)?

Progress:

I read that to embed the certificate into the request you need to use <entry key="signatureKeyIdentifier" value="DirectReference"/>. So the request changed to:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1"> 
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-A3BCFAE87E12A8813813289737654441">MIICCTCCAXKgAwIBAgIETzVFkDANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJSVTEKMAgGA1UECBMBMTEKMAgGA1UEBxMBMTEKMAgGA1UEChMBMTEKMAgGA1UECxMBMTEKMAgGA1UEAxMBMTAeFw0xMjAyMTAxNjI4MDBaFw0xMjA1MTAxNjI4MDBaMEkxCzAJBgNVBAYTAlJVMQowCAYDVQQIEwExMQowCAYDVQQHEwExMQowCAYDVQQKEwExMQowCAYDVQQLEwExMQowCAYDVQQDEwExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdwxyRNYlWADnTtzH9/s/ehhD2iFzvF2xI+tBNyhbBb98EQNiIFdEegwGPhtd3Cfe1lQqtddWdFX2uLqozMAgd1KzSEuH9lI5DPiir3RfVdy+Irs5ZYiD/H4/DcUMUNyVcWspf9oG25wNdwNHKY8Aqz2269uYMCCoIBuWt6POwFQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGLgTXbn7h2rBjv++6OopDooRifc4e2k+9sSTpLNegs9OvQzR8DpmQ/6Vt0RFprIdXSv+IVMcmL8Q2dmI9v0R61NIhdEjzSVbO2+PF9h1ShUARzMawRC/EOdjwVjDsk1WMxF18+wvH9SQxBSK3H2WpJbDWBxZCOW5CK1N6AKKJiC</wsse:BinarySecurityToken> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2"> 
     <ds:SignedInfo> 
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
       <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" /> 
      </ds:CanonicalizationMethod> 
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
      <ds:Reference URI="#id-1"> 
       <ds:Transforms> 
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" /> 
       </ds:Transform> 
       </ds:Transforms> 
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
       <ds:DigestValue>RJhc1ZVjXdUQEIwLTH356p7H0QY=</ds:DigestValue> 
      </ds:Reference> 
     </ds:SignedInfo> 
     <ds:SignatureValue>F0q0NV7kaSbAcsLHxVpYD1bQ1RAJcw6wPapDKAM9PIcs7EuS9S5PlE4cQMfAp1WgsKa91r3op1OQ5UrYmmdj/UneYawdPIYSaoFBGjndTXZnOCKp4YfRTQGZ2EVJRFHJbPsTsqHedPAyJLHhciViguTGeuA0hZAQN97KB/9ZLmY=</ds:SignatureValue> 
     <ds:KeyInfo Id="KI-A3BCFAE87E12A8813813289737654452"> 
      <wsse:SecurityTokenReference wsu:Id="STR-A3BCFAE87E12A8813813289737654483"> 
       <wsse:Reference URI="#X509-A3BCFAE87E12A8813813289737654441" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> 
      </wsse:SecurityTokenReference> 
     </ds:KeyInfo> 
    </ds:Signature> 
    </wsse:Security> 

Perhaps it is simpler to get the certificate out of this type of request. But how to do it?

+0

Hi again :) In a word: you cannot derive the certificate from this action. "Signature" should not send any certificate over the wire. The public part of the key (used to generate the signature) should be located in the client's public key ring. The information passed in 'wsse:SecurityTokenReference' serves only to uniquely identify that key. – 2012-02-11 21:03:36

Answer

4

The solution is to use the BinarySecurityToken element of the header:

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.xml.soap.SOAPMessage;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// inside a CXF interceptor's handleMessage(Message message)
SoapMessage soapMessage = (SoapMessage) message;
SOAPMessage doc = getSOAPMessage(soapMessage);   // SAAJ view of the message (helper of the enclosing interceptor)

// the wsse:Security header for the default actor ("")
Element elem = WSSecurityUtil.getSecurityHeader(doc.getSOAPPart(), "");
// the BinarySecurityToken; assumes it is the first child node (a leading whitespace text node would break the cast)
Node binarySignatureTag = elem.getFirstChild();
BinarySecurity token = new X509Security((Element) binarySignatureTag);

// build the X509Certificate from the token's DER bytes
InputStream in = new ByteArrayInputStream(token.getToken());
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) certFactory.generateCertificate(in);

As you can see, you also need to use the org.apache.ws.security package.
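The following is an added example, not code from the question, the answer, CXF or WSS4J. It does what the answer describes with the JDK alone (Java 8+): it parses a SOAP envelope constructed from the question's second request (the BinarySecurityToken value is the one posted above, a self-signed test certificate), finds the token that the Signature's SecurityTokenReference actually points at by wsu:Id instead of taking the first child, decodes it into an X509Certificate, and then checks it, because an embedded certificate is sender-supplied and proves nothing until it chains to a trust anchor you hold. The class name, method names, the trust store path argument and its "changeit" password are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Extracts the X.509 certificate carried in a wsse:BinarySecurityToken and checks it before it is trusted. */
public class BstCertExtractor {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    static final String BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    static final String TOKEN_ID = "X509-A3BCFAE87E12A8813813289737654441";

    // BinarySecurityToken value from the question's second request (self-signed test certificate, CN=1).
    static final String CERT_B64 =
        "MIICCTCCAXKgAwIBAgIETzVFkDANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJSVTEKMAgGA1UECBMBMTEKMAgGA1UEBxMBMTEKMAgGA1UEChMBMTEKMAgGA1UECxMBMTEKMAgGA1UEAxMBMTAe"
      + "Fw0xMjAyMTAxNjI4MDBaFw0xMjA1MTAxNjI4MDBaMEkxCzAJBgNVBAYTAlJVMQowCAYDVQQIEwExMQowCAYDVQQHEwExMQowCAYDVQQKEwExMQowCAYDVQQLEwExMQowCAYDVQQDEwExMIGfMA0G"
      + "CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdwxyRNYlWADnTtzH9/s/ehhD2iFzvF2xI+tBNyhbBb98EQNiIFdEegwGPhtd3Cfe1lQqtddWdFX2uLqozMAgd1KzSEuH9lI5DPiir3RfVdy+Irs5ZYiD/H4/"
      + "DcUMUNyVcWspf9oG25wNdwNHKY8Aqz2269uYMCCoIBuWt6POwFQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGLgTXbn7h2rBjv++6OopDooRifc4e2k+9sSTpLNegs9OvQzR8DpmQ/6Vt0RFprIdXSv+IVMcmL8Q2dmI9v0R61NIhdEjzSVbO2+PF9h1ShUARzMawRC/EOdjwVjDsk1WMxF18+wvH9SQxBSK3H2WpJbDWBxZCOW5CK1N6AKKJiC";

    // Constructed sample envelope: the question's header reduced to the parts this example reads.
    static final String SAMPLE =
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Header>"
      + "<wsse:Security xmlns:wsse=\"" + WSSE + "\" xmlns:wsu=\"" + WSU + "\" soap:mustUnderstand=\"1\">"
      + "<wsse:BinarySecurityToken EncodingType=\"" + BASE64 + "\" ValueType=\"" + X509V3 + "\" wsu:Id=\"" + TOKEN_ID + "\">"
      + CERT_B64 + "</wsse:BinarySecurityToken>"
      + "<ds:Signature xmlns:ds=\"" + DS + "\" Id=\"SIG-2\"><ds:KeyInfo><wsse:SecurityTokenReference>"
      + "<wsse:Reference URI=\"#" + TOKEN_ID + "\" ValueType=\"" + X509V3 + "\"/>"
      + "</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>"
      + "</wsse:Security></soap:Header><soap:Body/></soap:Envelope>";

    /** Namespace-aware DOM parser with DTDs and external entities disabled (XXE hardening for untrusted input). */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Returns the BinarySecurityToken the SecurityTokenReference points at, matched by wsu:Id, not by position. */
    static Element referencedToken(Document doc) {
        NodeList refs = doc.getElementsByTagNameNS(WSSE, "Reference");
        if (refs.getLength() != 1) throw new IllegalStateException("expected one wsse:Reference, got " + refs.getLength());
        String uri = ((Element) refs.item(0)).getAttribute("URI");
        if (!uri.startsWith("#")) throw new IllegalStateException("only same-document references are accepted: " + uri);
        String id = uri.substring(1);
        NodeList tokens = doc.getElementsByTagNameNS(WSSE, "BinarySecurityToken");
        for (int i = 0; i < tokens.getLength(); i++) {
            Element t = (Element) tokens.item(i);
            if (id.equals(t.getAttributeNS(WSU, "Id"))) return t;
        }
        throw new IllegalStateException("no BinarySecurityToken with wsu:Id=" + id);
    }

    /** Decodes the token into an X509Certificate, refusing unexpected ValueType or EncodingType. */
    static X509Certificate decode(Element token) throws Exception {
        if (!X509V3.equals(token.getAttribute("ValueType"))) throw new IllegalStateException("unexpected ValueType");
        if (!BASE64.equals(token.getAttribute("EncodingType"))) throw new IllegalStateException("unexpected EncodingType");
        byte[] der = Base64.getMimeDecoder().decode(token.getTextContent().trim());
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /** PKIX path validation against a trust store; the sender-supplied certificate is only meaningful once it chains to an anchor you hold. */
    static void validate(X509Certificate cert, KeyStore trustStore) throws Exception {
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // enable and configure CRL/OCSP checking in production
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(Collections.singletonList(cert)), params);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = decode(referencedToken(parse(SAMPLE)));
        System.out.println("subject=" + cert.getSubjectX500Principal() + " serial=" + cert.getSerialNumber()
            + " valid " + cert.getNotBefore() + " .. " + cert.getNotAfter());
        // The question's certificate was valid only from 2012-02-10 to 2012-05-10, so this check rejects it today.
        try {
            cert.checkValidity();
            System.out.println("certificate is within its validity period");
        } catch (CertificateException e) {
            System.out.println("rejected: " + e);
        }
        // args[0]: path to a JKS trust store holding the CA you accept (placeholder; password assumed "changeit").
        if (args.length == 1) {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (FileInputStream in = new FileInputStream(args[0])) {
                ks.load(in, "changeit".toCharArray());
            }
            validate(cert, ks);
            System.out.println("certificate chains to a trusted anchor");
        }
    }
}
```

Two points worth keeping in mind when adapting the answer's snippet. First, in a CXF service the WSS4JInInterceptor with action "Signature" already verifies the signature and checks the signing certificate against the crypto properties configured on it (signaturePropFile), so custom extraction like the above belongs after that interceptor, not in place of it. Second, the IssuerSerial form in the original request, which the comment above recommends, is the more conservative design: the server resolves the certificate from its own keystore and never has to evaluate anything the sender embedded.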