从SOAP安全头获取X509Certificate

Question

大家好，您好！

我有一个简单的存根客户端的cxf网络服务（春季应用程序）。它采用action = "Signature"这样一个WSS4JOutInterceptor，SOAP请求消息（头）：

Content-Type: text/xml; charset=UTF-8 
Accept: */* 
SOAPAction: "" 
User-Agent: Apache CXF 2.4.3 
Cache-Control: no-cache 
Pragma: no-cache 
Host: 127.0.0.1:8888 
Connection: keep-alive 
Content-Length: 1890 

    <soap:Header> 
    < wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1"> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2"> 
     <ds:SignedInfo> 
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
       <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" /> 
      </ds:CanonicalizationMethod> 
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
      <ds:Reference URI="#id-1"> 
       <ds:Transforms> 
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" /> 
       </ds:Transform> 
       </ds:Transforms> 
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
       <ds:DigestValue>RJhc1ZVjXdUQEIwLTH356p7H0QY=</ds:DigestValue> 
      </ds:Reference> 
     </ds:SignedInfo> 
     <ds:SignatureValue>F0q0NV7kaSbAcsLHxVpYD1bQ1RAJcw6wPapDKAM9PIcs7EuS9S5PlE4cQMfAp1WgsKa91r3op1OQ5UrYmmdj/UneYawdPIYSaoFBGjndTXZnOCKp4YfRTQGZ2EVJRFHJbPsTsqHedPAyJLHhciViguTGeuA0hZAQN97KB/9ZLmY=</ds:SignatureValue> 
     <ds:KeyInfo Id="KI-92A4EB90A2868689DC13289669720792"> 
      <wsse:SecurityTokenReference wsu:Id="STR-92A4EB90A2868689DC13289669720823"> 
       <ds:X509Data> 
       <ds:X509IssuerSerial> 
        <ds:X509IssuerName>CN=1,OU=1,O=1,L=1,ST=1,C=RU</ds:X509IssuerName> 
        <ds:X509SerialNumber>1328891280</ds:X509SerialNumber> 
       </ds:X509IssuerSerial> 
       </ds:X509Data> 
      </wsse:SecurityTokenReference> 
     </ds:KeyInfo> 
    </ds:Signature> 
    </wsse:Security> 
< /soap:Header> 

我可以以某种方式创建该数据的证书？没有关于验证日期或公钥的任何数据。可能有一种方法在证书头中插入证书（不通过Reference/SecurityTokenReference标签）？

进展：

我读过，以使嵌入证书到它needded使用<entry key="signatureKeyIdentifier" value="DirectReference"/>的请求。因此，该请求变更为：

< soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> 
< soap:Header> 
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1"> 
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-A3BCFAE87E12A8813813289737654441">MIICCTCCAXKgAwIBAgIETzVFkDANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJSVTEKMAgGA1UECBMBMTEKMAgGA1UEBxMBMTEKMAgGA1UEChMBMTEKMAgGA1UECxMBMTEKMAgGA1UEAxMBMTAeFw0xMjAyMTAxNjI4MDBaFw0xMjA1MTAxNjI4MDBaMEkxCzAJBgNVBAYTAlJVMQowCAYDVQQIEwExMQowCAYDVQQHEwExMQowCAYDVQQKEwExMQowCAYDVQQLEwExMQowCAYDVQQDEwExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdwxyRNYlWADnTtzH9/s/ehhD2iFzvF2xI+tBNyhbBb98EQNiIFdEegwGPhtd3Cfe1lQqtddWdFX2uLqozMAgd1KzSEuH9lI5DPiir3RfVdy+Irs5ZYiD/H4/DcUMUNyVcWspf9oG25wNdwNHKY8Aqz2269uYMCCoIBuWt6POwFQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGLgTXbn7h2rBjv++6OopDooRifc4e2k+9sSTpLNegs9OvQzR8DpmQ/6Vt0RFprIdXSv+IVMcmL8Q2dmI9v0R61NIhdEjzSVbO2+PF9h1ShUARzMawRC/EOdjwVjDsk1WMxF18+wvH9SQxBSK3H2WpJbDWBxZCOW5CK1N6AKKJiC</wsse:BinarySecurityToken> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2"> 
     <ds:SignedInfo> 
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
       <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" /> 
      </ds:CanonicalizationMethod> 
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
      <ds:Reference URI="#id-1"> 
       <ds:Transforms> 
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" /> 
       </ds:Transform> 
       </ds:Transforms> 
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
       <ds:DigestValue>RJhc1ZVjXdUQEIwLTH356p7H0QY=</ds:DigestValue> 
      </ds:Reference> 
     </ds:SignedInfo> 
     <ds:SignatureValue>F0q0NV7kaSbAcsLHxVpYD1bQ1RAJcw6wPapDKAM9PIcs7EuS9S5PlE4cQMfAp1WgsKa91r3op1OQ5UrYmmdj/UneYawdPIYSaoFBGjndTXZnOCKp4YfRTQGZ2EVJRFHJbPsTsqHedPAyJLHhciViguTGeuA0hZAQN97KB/9ZLmY=</ds:SignatureValue> 
     <ds:KeyInfo Id="KI-A3BCFAE87E12A8813813289737654452"> 
      <wsse:SecurityTokenReference wsu:Id="STR-A3BCFAE87E12A8813813289737654483"> 
       <wsse:Reference URI="#X509-A3BCFAE87E12A8813813289737654441" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> 
      </wsse:SecurityTokenReference> 
     </ds:KeyInfo> 
    </ds:Signature> 
    </wsse:Security> 

也许是simplier摆脱这种类型的请求的证书。但如何做到这一点？

Answer 1

的解决方案是使用的BinarySecurityToken头的元素：

SoapMessage soapMessage = (SoapMessage) message; 
SOAPMessage doc = getSOAPMessage(soapMessage); 

Element elem = WSSecurityUtil.getSecurityHeader(doc.getSOAPPart(), ""); 
// get a BinarySignature tag 
Node binarySignatureTag = elem.getFirstChild(); 
BinarySecurity token = new X509Security((Element) binarySignatureTag); 

// a X509Certificate construction 
InputStream in = new ByteArrayInputStream(token.getToken()); 
CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); 
X509Certificate cert = (X509Certificate)certFactory.generateCertificate(in); 

，你可以看到，你还需要使用org.apache.ws.security包。