在 Spring 中使用 Wss4j 签署 SOAP header 抛出错误 "Caused by: java.security.UnrecoverableKeyException: Given final block not properly padded"

Signing SOAP header using Wss4j in Spring throwing errors "Caused by: java.security.UnrecoverableKeyException: Given final block not properly padded"

我正在使用 Spring Boot 实现 SOAP 客户端以进行以下配置以连接第三方 Web 服务器。下面是我的 WS-security 与 SOAPUI 客户端一起使用的传出配置。

时间戳和用户名配置如下

上面的配置我写了Wss4jSecurityInterceptor,如下

@Configuration
public class Config {

    private static final Logger LOGGER = LoggerFactory.getLogger(Config.class);

    @Bean
    public Jaxb2Marshaller marshaller() {
        Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
        // this is the package name specified in the <generatePackage> specified in
        // pom.xml
        marshaller.setContextPath("co.yabx.bureau.wsdl");
        return marshaller;
    }

    @Bean
    public ExecuteStrategy executeStrategy(Jaxb2Marshaller jaxb2Marshaller) throws Exception {
        ExecuteStrategy soapClient = new ExecuteStrategy();
        soapClient.setDefaultUri("https://demo-abc/dummy/url");
        soapClient.setMarshaller(jaxb2Marshaller);
        soapClient.setUnmarshaller(jaxb2Marshaller);
        ClientInterceptor[] interceptors = new ClientInterceptor[] { wss4jSecurityInterceptor() };
        soapClient.setInterceptors(interceptors);

        return soapClient;
    }

    @Bean
    public CryptoFactoryBean cryptoFactoryBean() throws IOException {
        CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();

        cryptoFactoryBean.setKeyStoreType("PKCS12");
        cryptoFactoryBean.setKeyStorePassword("123456");
        cryptoFactoryBean.setDefaultX509Alias("1");

        ClassPathResource classPathResource = new ClassPathResource("\jks\exdemo.p12"); //
        // System.out.println(classPathResource.getURL());
        cryptoFactoryBean.setKeyStoreLocation(classPathResource);

        return cryptoFactoryBean;
    }

    @Bean
    public Wss4jSecurityInterceptor wss4jSecurityInterceptor() throws Exception {

        Wss4jSecurityInterceptor wss4jSecurityInterceptor = new Wss4jSecurityInterceptor();
        wss4jSecurityInterceptor.setSecurementActions("UsernameToken Timestamp Signature");

        // Sign the request

    wss4jSecurityInterceptor.setSecurementSignatureUser("alias"); // alias vale used in above screenshot
        wss4jSecurityInterceptor.setSecurementUsername("pqr");
        wss4jSecurityInterceptor.setSecurementTimeToLive(60);
        wss4jSecurityInterceptor.setSecurementPassword("lmn*");
        wss4jSecurityInterceptor.setSecurementPasswordType(WSConstants.PW_TEXT);
        wss4jSecurityInterceptor.setSecurementUsernameTokenNonce(true);
        wss4jSecurityInterceptor.setSecurementUsernameTokenCreated(true);
        wss4jSecurityInterceptor.setSecurementSignatureCrypto(cryptoFactoryBean().getObject());

        // Encrypt the request

        // wss4jSecurityInterceptor.setSecurementEncryptionUser("server-public");
        wss4jSecurityInterceptor.setSecurementSignatureKeyIdentifier("DirectReference");
        wss4jSecurityInterceptor.setSecurementSignatureAlgorithm(WSConstants.RSA_SHA1);
        wss4jSecurityInterceptor.setSecurementSignatureDigestAlgorithm(WSConstants.SHA1);
        wss4jSecurityInterceptor.setSecurementMustUnderstand(true);
        // wss4jSecurityInterceptor.setSecurementEncryptionUser(securementEncryptionUser);

        wss4jSecurityInterceptor.setRemoveSecurityHeader(true);
        wss4jSecurityInterceptor.setSecurementEncryptionCrypto(cryptoFactoryBean().getObject());

        return wss4jSecurityInterceptor;
    }

}

设置整个配置和 运行 应用程序后,它抛出错误,如下所示。

2020-04-20 15:45:21.826 ERROR 1172 --- [           main] o.a.wss4j.dom.message.WSSecSignature     : No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"

org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
    at org.apache.wss4j.common.crypto.Merlin.getPrivateKey(Merlin.java:722) ~[wss4j-ws-security-common-2.2.3.jar:2.2.3]
    at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:558) ~[wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    at org.apache.wss4j.dom.action.SignatureAction.execute(SignatureAction.java:166) [wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    at org.apache.wss4j.dom.handler.WSHandler.doSenderAction(WSHandler.java:238) [wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    at org.springframework.ws.soap.security.wss4j2.Wss4jHandler.doSenderAction(Wss4jHandler.java:63) [spring-ws-security-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor.secureMessage(Wss4jSecurityInterceptor.java:574) [spring-ws-security-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleRequest(AbstractWsSecurityInterceptor.java:210) [spring-ws-security-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:597) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:555) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:390) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:383) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:373) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at co.yabx.bureau.client.ExecuteStrategy.executeStrategy(ExecuteStrategy.java:18) [classes/:na]
    at co.yabx.bureau.BureauSoapServiceApplication.main(BureauSoapServiceApplication.java:34) [classes/:na]
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(Unknown Source) ~[na:1.8.0_171]
    at java.security.KeyStore.getKey(Unknown Source) ~[na:1.8.0_171]
    at org.apache.wss4j.common.crypto.Merlin.getPrivateKey(Merlin.java:710) ~[wss4j-ws-security-common-2.2.3.jar:2.2.3]
    ... 13 common frames omitted
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:991) ~[sunjce_provider.jar:1.8.0_171]
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:847) ~[sunjce_provider.jar:1.8.0_171]
    at com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:399) ~[sunjce_provider.jar:1.8.0_171]
    at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:431) ~[sunjce_provider.jar:1.8.0_171]
    at javax.crypto.Cipher.doFinal(Cipher.java:2164) ~[na:1.8.0_171]
    ... 16 common frames omitted

2020-04-20 15:45:21.827 ERROR 1172 --- [           main] o.s.w.s.s.w.Wss4jSecurityInterceptor     : Could not secure response: Error during Signature: ; nested exception is org.apache.wss4j.common.ext.WSSecurityException: Error during Signature: 
Original Exception was org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
Original Exception was org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
Original Exception was java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

org.springframework.ws.soap.security.wss4j2.Wss4jSecuritySecurementException: Error during Signature: ; nested exception is org.apache.wss4j.common.ext.WSSecurityException: Error during Signature: 
Original Exception was org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
Original Exception was org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
Original Exception was java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor.secureMessage(Wss4jSecurityInterceptor.java:577) ~[spring-ws-security-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleRequest(AbstractWsSecurityInterceptor.java:210) ~[spring-ws-security-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:597) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:555) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:390) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:383) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:373) [spring-ws-core-3.0.8.RELEASE.jar:na]
    at co.yabx.bureau.client.ExecuteStrategy.executeStrategy(ExecuteStrategy.java:18) [classes/:na]
    at co.yabx.bureau.BureauSoapServiceApplication.main(BureauSoapServiceApplication.java:34) [classes/:na]
Caused by: org.apache.wss4j.common.ext.WSSecurityException: Error during Signature: 
    at org.apache.wss4j.dom.action.SignatureAction.execute(SignatureAction.java:174) ~[wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    at org.apache.wss4j.dom.handler.WSHandler.doSenderAction(WSHandler.java:238) ~[wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    at org.springframework.ws.soap.security.wss4j2.Wss4jHandler.doSenderAction(Wss4jHandler.java:63) ~[spring-ws-security-3.0.8.RELEASE.jar:na]
    at org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor.secureMessage(Wss4jSecurityInterceptor.java:574) ~[spring-ws-security-3.0.8.RELEASE.jar:na]
    ... 8 common frames omitted
Caused by: org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
    at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:615) ~[wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    at org.apache.wss4j.dom.action.SignatureAction.execute(SignatureAction.java:166) ~[wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    ... 11 common frames omitted
Caused by: org.apache.wss4j.common.ext.WSSecurityException: No message with ID "noPrivateKey" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
    at org.apache.wss4j.common.crypto.Merlin.getPrivateKey(Merlin.java:722) ~[wss4j-ws-security-common-2.2.3.jar:2.2.3]
    at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:558) ~[wss4j-ws-security-dom-2.2.3.jar:2.2.3]
    ... 12 common frames omitted
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(Unknown Source) ~[na:1.8.0_171]
    at java.security.KeyStore.getKey(Unknown Source) ~[na:1.8.0_171]
    at org.apache.wss4j.common.crypto.Merlin.getPrivateKey(Merlin.java:710) ~[wss4j-ws-security-common-2.2.3.jar:2.2.3]
    ... 13 common frames omitted
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:991) ~[sunjce_provider.jar:1.8.0_171]
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:847) ~[sunjce_provider.jar:1.8.0_171]
    at com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:399) ~[sunjce_provider.jar:1.8.0_171]
    at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:431) ~[sunjce_provider.jar:1.8.0_171]
    at javax.crypto.Cipher.doFinal(Cipher.java:2164) ~[na:1.8.0_171]
    ... 16 common frames omitted

我也尝试使用属性创建 CrytpoFactoryBean,但仍然遇到同样的问题。下面是我试过的属性配置

        Properties properties = new Properties();
        properties.setProperty("org.apache.ws.security.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        properties.setProperty("org.apache.wss4j.crypto.merlin.keystore.alias", "alias");
        properties.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "PKCS12");
        properties.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "123456");
        properties.setProperty("org.apache.ws.security.crypto.merlin.keystore.file",
                "\jks\exdemo.p12");
        cryptoFactoryBean.setConfiguration(properties);

        try {
            cryptoFactoryBean.afterPropertiesSet();
        } catch (Exception e) { // TODO Auto-generated catch block
            e.printStackTrace();
        }

我不明白我在做什么错误。任何帮助将不胜感激。

在上面的代码中,我同时为用户名、密码和签名添加了安全配置,相反,我必须将它们保存在单独的数组中,如下所示。

@Bean
public ExecuteStrategy executeStrategy(Jaxb2Marshaller jaxb2Marshaller) throws Exception {
    ExecuteStrategy soapClient = new ExecuteStrategy();
    soapClient.setDefaultUri("https://demo-servicesesb.datacredito.com.co/wss/DecisorWS/services/dummyService/MotorService");
    soapClient.setMarshaller(jaxb2Marshaller);
    soapClient.setUnmarshaller(jaxb2Marshaller);

    ClientInterceptor[] interceptors = wss4jSecurityInterceptor();
    soapClient.setInterceptors(interceptors);

    return soapClient;
}

@Bean
public Wss4jSecurityInterceptor[] wss4jSecurityInterceptor() throws Exception {
    // org.apache.xml.security.Init.init();

    Wss4jSecurityInterceptor wss4jSecurityInterceptor = new Wss4jSecurityInterceptor();
    wss4jSecurityInterceptor.setSecurementActions("UsernameToken");

    // Sign in the request

    wss4jSecurityInterceptor.setSecurementUsername("dummyUser");
    wss4jSecurityInterceptor.setSecurementPassword("dummyPassword");
    // wss4jSecurityInterceptor.setSecurementPassword("123456");
    wss4jSecurityInterceptor.setSecurementPasswordType(WSConstants.PW_TEXT);
    wss4jSecurityInterceptor.setSecurementUsernameTokenNonce(true);
    wss4jSecurityInterceptor.setSecurementUsernameTokenCreated(true);
    wss4jSecurityInterceptor.afterPropertiesSet();

    Wss4jSecurityInterceptor wss4jSecurityInterceptor1 = new Wss4jSecurityInterceptor();
    wss4jSecurityInterceptor1.setSecurementActions("Signature");

    wss4jSecurityInterceptor1.setSecurementSignatureUser("1");
    wss4jSecurityInterceptor1.setSecurementPassword("123456");
    wss4jSecurityInterceptor1.setSecurementSignatureKeyIdentifier("DirectReference");
    wss4jSecurityInterceptor1.setSecurementSignatureAlgorithm(WSConstants.RSA_SHA1);
    wss4jSecurityInterceptor1.setSecurementSignatureDigestAlgorithm(WSConstants.SHA1);
    wss4jSecurityInterceptor1.setSecurementTimeToLive(60);
    wss4jSecurityInterceptor1.setTimestampPrecisionInMilliseconds(true);
    
    wss4jSecurityInterceptor1.setSecurementSignatureCrypto(cryptoFactoryBean().getObject());
    

    wss4jSecurityInterceptor1.afterPropertiesSet();

    Wss4jSecurityInterceptor[] wss4jSecurityInterceptorArray = new Wss4jSecurityInterceptor[2];
    wss4jSecurityInterceptorArray[0] = wss4jSecurityInterceptor;
    wss4jSecurityInterceptorArray[1] = wss4jSecurityInterceptor1;

    return wss4jSecurityInterceptorArray;
}

@Bean
public CryptoFactoryBean cryptoFactoryBean() throws IOException {
    
    CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
    Properties properties = new Properties();
    properties.setProperty("org.apache.ws.security.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
    properties.setProperty("org.apache.wss4j.crypto.merlin.keystore.alias", "1");
    properties.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "PKCS12");
    properties.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "123456");
    properties.setProperty("org.apache.ws.security.crypto.merlin.keystore.file",
            "C:\abc.p12");
    cryptoFactoryBean.setConfiguration(properties);

    try {
        cryptoFactoryBean.afterPropertiesSet();
    } catch (Exception e) {
        e.printStackTrace();
    }
    return cryptoFactoryBean;
}

wss4jSecurityInterceptor 作为一个数组保存 username/password 作为单独的数组,将签名作为单独的数组,对我有用。