*Certificate not found* (from client) when calling a web service that requires signing
I have a peculiar problem when calling a web service that expects the message to be signed using WS-Security. If I call using my client application (using Apache CXF) I get an HTTP 500 error message:
*Certificate not found* (from client)
while if I call the same service using SoapUI, configured for signing with the same key and key-store, it works as expected.
I noticed that the <KeyInfo> part of the call differs between CXF and SoapUI. With CXF (as below) the KeyInfo is a lot more detailed with <X509Data> sections etc., while the SoapUI call contains just a simple <SecurityTokenReference>. I suspect that this difference might be the cause of the server not being able to identify the certificate used for signing.
Unfortunately I'm not in control of the server side thus I cannot do much investigation there. It would be nice to know if this is a known problem and if there are any workarounds?
Regards, Ola
CXF:
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="KeyId-1007572087">
  <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-1355509614">
    <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509IssuerSerial xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#">C=SE,O=Company,CN=Company Test Corporate CA 01,SERIALNUMBER=516406-0120</ds:X509IssuerName>
        <ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#">29382</ds:X509SerialNumber>
      </ds:X509IssuerSerial>
    </ds:X509Data>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
SoapUI:
<ds:KeyInfo Id="KeyId-850CCDA383426C4A1E129683271974138">
  <wsse:SecurityTokenReference wsu:Id="STRId-850CCDA383426C4A1E129683271974139" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Reference URI="#CertId-850CCDA383426C4A1E129683271974137" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
Comments (2)
Apparently the trick is to configure the WSS4JOutInterceptor's signatureKeyIdentifier property to "DirectReference" which creates a KeyInfo similar to SoapUI, i.e. it's accepted by the server.

The server is expecting the client's public certificate to be embedded in the request, which is what the signatureKeyIdentifier value of DirectReference does. The other option is for the server to store all the client public certificates and for the request to have an identifier for the server to identify the correct public cert and validate the signature (your first case).
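A CXF client configured the way the comments describe, as an added example that is not code from this thread; the keystore alias, key password and the name of the Merlin properties file are assumed placeholders:

```java
// Added example (not code from the original thread): an Apache CXF client that signs
// outgoing SOAP requests with WSS4J using DirectReference, as the comments suggest.
// Keystore file name, alias and password are assumed placeholders, not values from the page.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.ext.WSPasswordCallback;
public class SignedClientConfig {
    /** Supplies the private-key password for the signing alias (assumed alias/password). */
    public static class KeyPasswordHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if ("client-sign".equals(pc.getIdentifier())) {
                    pc.setPassword("changeit");
                }
            }
        }
    }

    public static WSS4JOutInterceptor signingInterceptor() {
        Map<String, Object> props = new HashMap<>();
        props.put(ConfigurationConstants.ACTION, ConfigurationConstants.SIGNATURE);
        props.put(ConfigurationConstants.USER, "client-sign"); // keystore alias of the signing key
        props.put(ConfigurationConstants.PW_CALLBACK_REF, new KeyPasswordHandler());
        // Merlin crypto properties file on the classpath (assumed name); it names the
        // keystore, e.g. org.apache.wss4j.crypto.merlin.keystore.file=client.jks
        props.put(ConfigurationConstants.SIG_PROP_FILE, "client-sign.properties");
        // WSS4J's default key identifier is IssuerSerial, which yields the <X509IssuerSerial>
        // KeyInfo in the CXF request above and only works if the server already holds the
        // client certificate. DirectReference embeds it as a BinarySecurityToken instead.
        props.put(ConfigurationConstants.SIG_KEY_ID, "DirectReference");
        return new WSS4JOutInterceptor(props);
    }

    /** Attach the interceptor to a JAX-WS proxy created from the generated service class. */
    public static void attach(Object port) {
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(signingInterceptor());
    }
}
```

With DirectReference the server still has to validate the embedded certificate against its own trust store; a certificate arriving inside the request is not by itself evidence that the signer is trusted.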