Signature verification failed, RSA signature did not verify - IBM DataPower

I have implemented a web service client using Spring-WS. The requirement is to digitally sign the SOAP message and send the request to an IBM DataPower server (a DataPower SOA appliance). However, the signed SOAP message sent by the client is rejected by the server with a SOAP Fault carrying the following error string: "signature verification failed, RSA signature did not verify".

The target IBM DataPower server is on the customer's side and I have no direct access to send SOAP requests to it in order to debug it properly. So, to test the signed SOAP request/response, I also implemented a web service server stub with Spring-WS, and both work fine in my test environment.

The customer confirmed that the keystore file and certificates are correctly configured on both the server and the client code I provided to them, but the signature verification error persists in their environment.

However, if the very same SOAP message is signed in SOAP UI with the same keystore file and certificate, the request is sent to the DataPower server successfully.

Can anyone help me with this problem?

Maybe I am missing something needed to generate the signature correctly with Spring-WS.

Many thanks!

Here is my Spring configuration:

    <context:annotation-config />
    <sws:annotation-driven /> 

    <sws:static-wsdl location="classpath:/META-INF/schema/InfoService.wsdl" />

    <sws:interceptors>
        <sws:payloadRoot namespaceUri="http://www.mycompany.com/getInformation">
            <bean id="payloadValidator" class="org.springframework.ws.soap.server.endpoint.interceptor.PayloadValidatingInterceptor">
                <property name="schema" value="classpath:/META-INF/schema/getInformation.xsd" />
                <property name="validateRequest" value="true" />
                <property name="validateResponse" value="true" />
            </bean>
        </sws:payloadRoot>
    </sws:interceptors>

    <oxm:jaxb2-marshaller id="marshaller" contextPath="com.mycompany.ws.entity" />

    <bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory" />

    <bean id="webServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
        <constructor-arg ref="messageFactory" />
        <property name="marshaller" ref="marshaller" />
        <property name="unmarshaller" ref="marshaller" />
        <property name="defaultUri" value="http://localhost:8080/dummy-server-stub-ws/InfoService/" />
        <property name="interceptors">
            <list>
                <ref local="wsClientSecurityInterceptor" />
            </list>
        </property>
    </bean>

    <bean id="clientService" class="com.mycompany.service.impl.InformationServiceImpl" scope="prototype">
        <constructor-arg ref="webServiceTemplate" />
    </bean>

    <bean id="clientCrypto" class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
        <property name="keyStorePassword" value="${keystore.password}" />
        <property name="keyStoreLocation" value="file:${keystore.location}" />
    </bean>

    <bean id="clientTrustStore" class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
        <property name="keyStorePassword" value="${truststore.password}" />
        <property name="keyStoreLocation" value="file:${truststore.location}" />
    </bean>

    <bean id="wsClientSecurityInterceptor" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
        <property name="securementActions" value="Signature" />
        <property name="securementUsername" value="${keystore.alias}" />
        <property name="securementPassword" value="${keystore.password}" />
        <property name="securementSignatureCrypto" ref="clientCrypto" />
        <property name="securementSignatureParts" value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
        <property name="securementSignatureKeyIdentifier" value="DirectReference" />
        <property name="securementSignatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <property name="securementSignatureDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1" />

        <!-- Validation config -->  
        <property name="validationSignatureCrypto" ref="clientTrustStore" />
    </bean>

Below is the signed SOAP request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-66A2E10F325D0DBA1114508766873871">...</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc soapenv xsd xsi"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc xsd xsi"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>FJJvHvb8RcXnlzZWpTgDZkz+CxA=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>RR9EWs+m1Oo/kAwFWbEdRVtPzN+t7k5MDQF9BTCrIYVL0vbPH7W6B5yuzxFWvlBruL/JEx+3Gxa9iLI6GfmdmHD/NYIc2g01JH8kalbSP/D+F5RkdxNNRHOmLlddUOUfm4DC5QTeF8XMKNDaVEqTBg7hWyd3rFZyNC+nQY+J8jkByuMlqenXwMofxCf1yeP7dg+3U6TbV5dwe3qLUbfWxH1j3mwPhY6PICRFmBOPYRWmN9k57fCqvS5ar9/RYI+BZ6gSdkChx9WsmqI7jmnK/Jk7oBJOMDJSyiOjceKKAc8ZQ6ezo+7dR6UAojiHZEu27822gX70MxUgXW2jJnHCXw==</ds:SignatureValue>
        <ds:KeyInfo Id="KI-66A2E10F325D0DBA1114508766873942">
          <wsse:SecurityTokenReference wsu:Id="STR-66A2E10F325D0DBA1114508766873963">
            <wsse:Reference URI="#X509-66A2E10F325D0DBA1114508766873871" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <tns:TrackingHdr xmlns:tns="http://www.mycompany.com/ServiceHeader">
      <tns:RequestorInfo>
        <tns:MsgPostTime>2015-12-23 06:18:07.101</tns:MsgPostTime>
        <tns:MessageID>74f5448e4d354ba6918913a01c86d6927e4ed739664c4151</tns:MessageID>
        <tns:CorrelationMessageID>111111</tns:CorrelationMessageID>
      </tns:RequestorInfo>
    </tns:TrackingHdr>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-1">
    <ns5:getInformation xmlns:ns5="http://www.mycompany.com/getInformation">
        <ns5:Request>
            <ns5:GetInformationReqGrp>
                <ns5:RequestID>Request-000000</ns5:RequestID>
                <ns5:UserId>User1A</ns5:UserId>
                <ns5:InputElements>13</ns5:InputElements>
                <ns5:CommandRequest>5</ns5:CommandRequest>
                <ns5:Input>
                    <ns5:InputItem>
                      <ns5:Name>AAA_BBB</ns5:Name>
                      <ns5:Value>001</ns5:Value>
                    </ns5:InputItem>
                </ns5:Input>

                ...

            </ns5:GetInformationReqGrp>
        </ns5:Request>
    </ns5:getInformation>
  </soapenv:Body>
</soapenv:Envelope>

There are many issues that can cause verification to fail, and this cannot be debugged without access to the detailed logs from DataPower and testing different combinations. Off the top of my head, these are the different problems I have run into in the past:

  • A bug in the canonicalization code (not in DataPower, but on the other end)
  • Misconfigured certificate settings
  • A wrong timestamp
  • A different signature algorithm configuration
  • A different key encoding configuration (whether the key is embedded or referenced)
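To narrow the list above down before involving the DataPower logs, the receiving side's verification can be reproduced locally. The following is an added example, not code from the question, from Spring-WS or from WSS4J: it uses only the JDK's built-in XML Digital Signature API (javax.xml.crypto.dsig), reads a complete signed envelope like the one above from the file path given as its first argument (an assumption; the message on this page has its token and body elided), and takes the signer's public key from the wsse:BinarySecurityToken that the DirectReference points at, so no KeySelector for the wsse:SecurityTokenReference is needed. It then reports the reference (digest) result and the SignatureValue result separately, because they point at different causes: a failing digest means the two sides canonicalize the Body differently (exclusive c14n, the InclusiveNamespaces prefix lists, whitespace, or a library re-serializing the message after signing), while a good digest with a failing SignatureValue means the wrong certificate/key was used or SignedInfo itself was altered.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical diagnostic (not part of the question's project): validates the
// WS-Security signature of a SOAP envelope the way a receiver would, and reports
// the digest step and the RSA step separately.
public class WsSecSignatureCheck {

    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";

    public static void main(String[] args) throws Exception {
        // args[0]: path to a complete signed envelope captured on the wire (assumed).
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // required: ds, wsse and wsu elements are namespaced
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        Document doc;
        try (FileInputStream in = new FileInputStream(args[0])) {
            doc = dbf.newDocumentBuilder().parse(in);
        }

        // 1. A plain DOM parser does not know that wsu:Id is an ID attribute, so the
        //    URI "#id-1" in ds:Reference would not resolve. Mark every wsu:Id as an ID.
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU, "Id")) {
                e.setIdAttributeNS(WSU, "Id", true);
            }
        }

        // 2. Key identifier "DirectReference": the signing certificate travels in the
        //    BinarySecurityToken that the SecurityTokenReference points at.
        Element bst = (Element) doc.getElementsByTagNameNS(WSSE, "BinarySecurityToken").item(0);
        byte[] der = Base64.getMimeDecoder().decode(bst.getTextContent().trim());
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
        PublicKey signerKey = cert.getPublicKey();
        System.out.println("Signer certificate subject: " + cert.getSubjectX500Principal());
        System.out.println("Signer certificate serial : " + cert.getSerialNumber());

        // 3. Validate with the extracted key. Handing the key in directly means the JDK
        //    never has to interpret the wsse:SecurityTokenReference inside ds:KeyInfo.
        Element sigEl = (Element) doc.getElementsByTagNameNS(DSIG, "Signature").item(0);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(signerKey, sigEl);
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        boolean coreValid = sig.validate(ctx);
        System.out.println("Core validation           : " + coreValid);

        // 4. Separate the two failure modes so the right bullet above can be chased.
        System.out.println("SignatureValue over SignedInfo: " + sig.getSignatureValue().validate(ctx));
        for (Object o : sig.getSignedInfo().getReferences()) {   // raw List on Java 8
            Reference ref = (Reference) o;
            boolean digestOk = ref.validate(ctx);
            System.out.println("Reference " + ref.getURI() + " digest OK: " + digestOk);
            if (!digestOk) {
                // Both values side by side show whether it is a canonicalization difference.
                System.out.println("  in message: " + Base64.getEncoder().encodeToString(ref.getDigestValue()));
                System.out.println("  computed  : " + Base64.getEncoder().encodeToString(ref.getCalculatedDigestValue()));
            }
        }
    }
}
```

Run it against the exact bytes the client put on the wire (for instance from an HTTP proxy capture), not against a message re-read through a SOAP library, since the point of the check is to see what an independent verifier computes over the serialized form. If the digest already fails locally, the problem is in how the Body is canonicalized or in the message being modified after the interceptor signed it; if only the SignatureValue fails, compare the certificate subject and serial printed above with what the DataPower side has configured for the client.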

After a lot of research and troubleshooting, I managed to solve the problem by adding some Java Virtual Machine custom properties on WebSphere 7.

By default, WebSphere ignores all the libraries that the deployed application uses to implement web services and overrides them with its own internal web services library/engine. In my case the problem mainly concerned the SAAJ library (SOAP with Attachments API for Java).

I am answering my own question because it may be useful to someone solving a similar problem.

The procedure is as follows:

  1. Log in to the WebSphere console
  2. Click Servers -> Server Types -> WebSphere application servers -> [server name] -> Java and Process Management -> Process definition -> Java Virtual Machine -> Custom Properties -> New
  3. Add the following five entries, then restart WebSphere:

        Name                                                  Value

        com.ibm.websphere.webservices.DisableIBMJAXWSEngine   true

        javax.xml.soap.MessageFactory                         com.sun.xml.internal.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl

        javax.xml.soap.SOAPFactory                            com.sun.xml.internal.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl

        javax.xml.soap.SOAPConnectionFactory                  com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnectionFactory

        javax.xml.soap.MetaFactory                            com.sun.xml.internal.messaging.saaj.soap.SAAJMetaFactoryImpl

That's it.

Cheers,

阿迪安弗