故障:X509Token:检测到不正确的 X.509 令牌类型
Fault: X509Token: An incorrect X.509 Token Type is detected
我正在尝试在我的 Web 服务上应用 WS 安全策略。要求是使用 X.509 证书对正文和时间戳元素(无加密)进行签名。我正在使用 SoapUI 来签名和发送 soap 消息。我使用 cxf wsdl 优先方法实现了 Web 服务。
我从服务器得到不正确的 X.509 令牌类型。有什么解决这个问题的建议吗?
政策
<wsp:Policy wsu:Id="BindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:IncludeTimestamp />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
</wsp:All>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token11 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token11 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:IncludeTimestamp />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss11>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="InputBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="Timestamp"
Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="OutputBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="Timestamp"
Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
SOAP 请求消息
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-83B479E74DEAAC133C142621373015110">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="bil soapenv" />
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id-79B1EE1537BD34718D1426151592761356">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="bil" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>5sx0CDCmVVk5rCL+H/a7ePT4JLE=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#TS-83B479E74DEAAC133C14262137301466">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse bil soapenv" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>KhSCUclKK36KDo/34E0KN17d974=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>LHUjvdfQK0nvl3zwsLBfhfDMK856zXzCiqTnZX2QF5xPX+DA2GwSycZIqIx6gH3ofGUG67PqvHHYtczasH74RzLIO7V6Uq/t+r4NbcFhwVXV31tcYg/X+blCYvzhj31Y45qYQ/AlVcTy1Y2411V50T67HpAErt+Bj2C8PwxlB1LXhPBLSiD4pleUSlXEDtHE/tetC+FtAP7hNcFTHmp8M5amjLWsl52QdFHew8MIde8Xd/B6HatMEHUYmhI3urhuFoqrDXweL80gmI5njlWKUHIAFEPFjXfyEB2is9E4QQNiCbgT5L/VFnArc7uKjDt58Ctua/QB8QhEr3bMIlBJeQ=
</ds:SignatureValue>
<ds:KeyInfo Id="KI-83B479E74DEAAC133C14262137301508">
<wsse:SecurityTokenReference wsu:Id="STR-83B479E74DEAAC133C14262137301509">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=client</ds:X509IssuerName>
<ds:X509SerialNumber>1166791595</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-83B479E74DEAAC133C14262137301466">
<wsu:Created>2015-03-13T02:28:50.146Z</wsu:Created>
<wsu:Expires>2015-03-20T01:08:50.146Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-79B1EE1537BD34718D1426151592761356">
<bil:Echo>
<parameters>
<Version>123</Version>
<CorrelationId>1234</CorrelationId>
<Message>hello</Message>
</parameters>
</bil:Echo>
</soapenv:Body>
SOAP 响应消息
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>These policy alternatives can not be satisfied
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: An incorrect X.509 Token Type is detected
</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
政策规定发起者令牌(签名令牌)必须始终包含在接收者中。但是,您的消息仅通过 IssuerSerial 引用签名令牌。
冷
我正在尝试在我的 Web 服务上应用 WS 安全策略。要求是使用 X.509 证书对正文和时间戳元素(无加密)进行签名。我正在使用 SoapUI 来签名和发送 soap 消息。我使用 cxf wsdl 优先方法实现了 Web 服务。
我从服务器得到不正确的 X.509 令牌类型。有什么解决这个问题的建议吗?
政策
<wsp:Policy wsu:Id="BindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:IncludeTimestamp />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
</wsp:All>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token11 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token11 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:IncludeTimestamp />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss11>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="InputBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="Timestamp"
Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="OutputBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="Timestamp"
Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
SOAP 请求消息
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-83B479E74DEAAC133C142621373015110">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="bil soapenv" />
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id-79B1EE1537BD34718D1426151592761356">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="bil" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>5sx0CDCmVVk5rCL+H/a7ePT4JLE=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#TS-83B479E74DEAAC133C14262137301466">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse bil soapenv" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>KhSCUclKK36KDo/34E0KN17d974=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>LHUjvdfQK0nvl3zwsLBfhfDMK856zXzCiqTnZX2QF5xPX+DA2GwSycZIqIx6gH3ofGUG67PqvHHYtczasH74RzLIO7V6Uq/t+r4NbcFhwVXV31tcYg/X+blCYvzhj31Y45qYQ/AlVcTy1Y2411V50T67HpAErt+Bj2C8PwxlB1LXhPBLSiD4pleUSlXEDtHE/tetC+FtAP7hNcFTHmp8M5amjLWsl52QdFHew8MIde8Xd/B6HatMEHUYmhI3urhuFoqrDXweL80gmI5njlWKUHIAFEPFjXfyEB2is9E4QQNiCbgT5L/VFnArc7uKjDt58Ctua/QB8QhEr3bMIlBJeQ=
</ds:SignatureValue>
<ds:KeyInfo Id="KI-83B479E74DEAAC133C14262137301508">
<wsse:SecurityTokenReference wsu:Id="STR-83B479E74DEAAC133C14262137301509">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=client</ds:X509IssuerName>
<ds:X509SerialNumber>1166791595</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-83B479E74DEAAC133C14262137301466">
<wsu:Created>2015-03-13T02:28:50.146Z</wsu:Created>
<wsu:Expires>2015-03-20T01:08:50.146Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-79B1EE1537BD34718D1426151592761356">
<bil:Echo>
<parameters>
<Version>123</Version>
<CorrelationId>1234</CorrelationId>
<Message>hello</Message>
</parameters>
</bil:Echo>
</soapenv:Body>
SOAP 响应消息
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>These policy alternatives can not be satisfied
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: An incorrect X.509 Token Type is detected
</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
政策规定发起者令牌(签名令牌)必须始终包含在接收者中。但是,您的消息仅通过 IssuerSerial 引用签名令牌。
冷