JBOSS: Invalid algorithm http://www.w3.org/TR/2001/REC-xml-c14n-20010315 (InclusiveC14N)


Problem description

I am using JBOSS EAP 6.3.1 - I am not allowed to use wildfly in production.

CXF Version 2.7.11

I am trying to build a secure token service, which can handle a RequestSecurityToken request, while using an X509 certificate for authentication.

Sample request from a third-party application - unfortunately it cannot be changed:

<SOAPENV:Envelope xmlns:SOAPENV='http://schemas.xmlsoap.org/soap/envelope/'>
 <SOAPENV:Header>
  <wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
   <wsse:BinarySecurityToken EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' wsu:Id='Token'>
MIIDMTCCApqgAwI....3aairt
93OqNtk=
</wsse:BinarySecurityToken>
   <Signature xmlns='http://www.w3.org/2000/09/xmldsig#'>
    <SignedInfo>
     <CanonicalizationMethod Algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315'/>
     <SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
     <Reference URI='#body'>
      <Transforms>
       <Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
      </Transforms>
      <DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <DigestValue>WbLbIc...k=</DigestValue>
     </Reference>
     <Reference URI='#Timestamp'>
      <Transforms>
       <Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
      </Transforms>
      <DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <DigestValue>z3q....9w=</DigestValue>
     </Reference>
     <Reference URI='#Token'>
      <Transforms>
       <Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
      </Transforms>
      <DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <DigestValue>ypE6U....slo=</DigestValue>
     </Reference>
    </SignedInfo>
    <SignatureValue>lW1....Tc=</SignatureValue>
    <KeyInfo>
     <wsse:SecurityTokenReference>
      <wsse:Reference URI='#Token' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'/>
     </wsse:SecurityTokenReference>
    </KeyInfo>
   </Signature>
   <wsu:Timestamp wsu:Id='Timestamp'>
    <wsu:Created>2015-03-25T13:03:11Z</wsu:Created>
    <wsu:Expires>2015-03-25T13:13:13Z</wsu:Expires>
   </wsu:Timestamp>
  </wsse:Security>
 </SOAPENV:Header>
 <SOAPENV:Body wsu:Id='body' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
  <wst:RequestSecurityToken xmlns:wst='http://schemas.xmlsoap.org/ws/2005/02/trust'>
   <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
   <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  </wst:RequestSecurityToken>
 </SOAPENV:Body>
</SOAPENV:Envelope>

These are my policy settings:

   <wsp:Policy wsu:Id="CertificateSecurityPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding>
                <wsp:Policy>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:RequireIssuerSerialReference/>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:RequireIssuerSerialReference/>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                            <sp:InclusiveC14N/>
                            <!--<sp:InclusiveC14N11/>-->
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                </wsp:Policy>
            </sp:AsymmetricBinding>
             <sp:SignedParts>
                <sp:Body/>
                <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
           </sp:SignedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

Every request throws the following error:

Caused by: org.apache.ws.security.WSSecurityException: An error was discovered processing the header (A bad canonicalization algorithm was specified)
    at org.apache.ws.security.processor.SignatureProcessor.checkBSPCompliance(SignatureProcessor.java:721) [wss4j-1.6.15.redhat-1.jar:1.6.15.redhat-1]
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:405) [wss4j-1.6.15.redhat-1.jar:1.6.15.redhat-1]

This follows on from the question:
How to use CXF STS with an X509v3 BinarySecurityToken

Edit 1

I need to set the property ws-security.is-bsp-compliant to false. Then I get another error message:

Caused by: org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header
    at org.apache.ws.security.components.crypto.AlgorithmSuiteValidator.checkC14nAlgorithm(AlgorithmSuiteValidator.java:77) [wss4j-1.6.15.redhat-1.jar:1.6.15.redhat-1]
    at org.apache.ws.security.components.crypto.AlgorithmSuiteValidator.checkSignatureAlgorithms(AlgorithmSuiteValidator.java:95) [wss4j-1.6.15.redhat-1.jar:1.6.15.redhat-1]

Apparently, the following condition fails:

"http://www.w3.org/2001/10/xml-exc-c14n#" == "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"

"http://www.w3.org/TR/2001/REC-xml-c14n-20010315" is being extracted from the message. Now if I just could add REC-xml-c14n-20010315 to the allowed algorithm list...

Edit 2

After reading the specification once again, I believe that cxf is ignoring the element sp:InclusiveC14N. Do I need to place it somewhere else inside my wsdl?

Edit 3

The class org.apache.cxf.sts.SignatureProperties defines the default algorithm as http://www.w3.org/2001/10/xml-exc-c14n#

public class SignatureProperties {
...
// Exclusive C14N without comments: http://www.w3.org/2001/10/xml-exc-c14n#
private String c14nAlgorithm = WSConstants.C14N_EXCL_OMIT_COMMENTS;

// The list the incoming CanonicalizationMethod is checked against
private List<String> acceptedC14nAlgorithms = new ArrayList<String>();

public SignatureProperties() {
    ...
    // Default c14n algorithms: only the exclusive one is accepted
    acceptedC14nAlgorithms.add(c14nAlgorithm);
}
...
}

If I could only override this, it should work. How can it be done?
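The three states the question walks through (BSP check rejecting the header, the algorithm-suite check rejecting it once BSP compliance is switched off, and the accepted-c14n list that would have to contain inclusive C14N for the request to pass) can be reproduced outside JBoss. The following is an added example, not CXF or WSS4J code: a small Python validator modelled on the checks named in the stack traces (checkBSPCompliance and AlgorithmSuiteValidator.checkC14nAlgorithm), run over a constructed, trimmed copy of the request from the question. The function names, the DEFAULT_ACCEPTED_C14N list and the SAMPLE_REQUEST text are assumptions for the example; digest and signature values are placeholders. It also checks that every ds:Reference resolves to a wsu:Id in the message, which is the other property a receiver wants before trusting what the signature covers.

```python
# Added example (not CXF/WSS4J code): reproduce the C14N algorithm checks the
# question's stack traces name, against a constructed copy of the request.
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

C14N_INCLUSIVE = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
C14N_EXCLUSIVE = "http://www.w3.org/2001/10/xml-exc-c14n#"
# Assumed default, mirroring SignatureProperties in the question: exclusive C14N only.
DEFAULT_ACCEPTED_C14N = [C14N_EXCLUSIVE]

# Constructed sample: the third-party request from the question, trimmed to the
# parts the checks look at. Digest and signature values are placeholders.
SAMPLE_REQUEST = f"""<SOAPENV:Envelope xmlns:SOAPENV='{SOAP}'>
 <SOAPENV:Header>
  <wsse:Security xmlns:wsse='{WSSE}' xmlns:wsu='{WSU}'>
   <wsse:BinarySecurityToken wsu:Id='Token'>MIID...placeholder</wsse:BinarySecurityToken>
   <Signature xmlns='{DSIG}'>
    <SignedInfo>
     <CanonicalizationMethod Algorithm='{C14N_INCLUSIVE}'/>
     <SignatureMethod Algorithm='{DSIG}rsa-sha1'/>
     <Reference URI='#body'><DigestMethod Algorithm='{DSIG}sha1'/><DigestValue>x</DigestValue></Reference>
     <Reference URI='#Timestamp'><DigestMethod Algorithm='{DSIG}sha1'/><DigestValue>x</DigestValue></Reference>
     <Reference URI='#Token'><DigestMethod Algorithm='{DSIG}sha1'/><DigestValue>x</DigestValue></Reference>
    </SignedInfo>
    <SignatureValue>placeholder</SignatureValue>
   </Signature>
   <wsu:Timestamp wsu:Id='Timestamp'><wsu:Created>2015-03-25T13:03:11Z</wsu:Created></wsu:Timestamp>
  </wsse:Security>
 </SOAPENV:Header>
 <SOAPENV:Body xmlns:wsu='{WSU}' wsu:Id='body'><x/></SOAPENV:Body>
</SOAPENV:Envelope>"""


def signed_info(soap_xml):
    """Extract the algorithms and references a receiver validates before verifying."""
    root = ET.fromstring(soap_xml)
    sig = root.find(f".//{{{WSSE}}}Security/{{{DSIG}}}Signature")
    if sig is None:
        raise ValueError("no ds:Signature inside wsse:Security")
    si = sig.find(f"{{{DSIG}}}SignedInfo")
    # Every wsu:Id in the document, so Reference URIs can be resolved.
    wsu_ids = {e.get(f"{{{WSU}}}Id") for e in root.iter() if e.get(f"{{{WSU}}}Id")}
    return {
        "c14n": si.find(f"{{{DSIG}}}CanonicalizationMethod").get("Algorithm"),
        "signature_method": si.find(f"{{{DSIG}}}SignatureMethod").get("Algorithm"),
        "references": [(r.get("URI"), r.find(f"{{{DSIG}}}DigestMethod").get("Algorithm"))
                       for r in si.findall(f"{{{DSIG}}}Reference")],
        "wsu_ids": wsu_ids,
    }


def validate_signature_algorithms(soap_xml, accepted_c14n=DEFAULT_ACCEPTED_C14N, bsp_compliant=True):
    """Return the list of problems; an empty list means the header passes these checks."""
    info = signed_info(soap_xml)
    problems = []
    # 1) BSP compliance: the Basic Security Profile requires exclusive C14N for SignedInfo,
    #    which is what the first stack trace (checkBSPCompliance) rejects.
    if bsp_compliant and info["c14n"] != C14N_EXCLUSIVE:
        problems.append(f"BSP: bad canonicalization algorithm {info['c14n']}")
    # 2) Algorithm-suite check: the C14N must be in the accepted list, which by default
    #    holds exclusive C14N only (the second stack trace, checkC14nAlgorithm).
    if info["c14n"] not in accepted_c14n:
        problems.append(f"algorithm suite: {info['c14n']} not in accepted c14n list")
    # 3) Each Reference must point at an element carrying a wsu:Id, otherwise the
    #    signature does not cover what the receiver thinks it covers.
    for uri, _digest in info["references"]:
        if not uri.startswith("#") or uri[1:] not in info["wsu_ids"]:
            problems.append(f"reference {uri} does not resolve to a wsu:Id in the message")
    return problems


if __name__ == "__main__":
    print("default (BSP on):     ", validate_signature_algorithms(SAMPLE_REQUEST))
    print("BSP off:              ", validate_signature_algorithms(SAMPLE_REQUEST, bsp_compliant=False))
    print("inclusive accepted:   ", validate_signature_algorithms(
        SAMPLE_REQUEST, accepted_c14n=[C14N_EXCLUSIVE, C14N_INCLUSIVE], bsp_compliant=False))
```

With the defaults the sample fails both the BSP check and the suite check, exactly the two errors in the question; with BSP compliance off only the suite check fails; and only when inclusive C14N is added to the accepted list (what an honoured sp:InclusiveC14N assertion would do) does the header pass. Note that accepting inclusive C14N trades away BSP interoperability rules rather than a cryptographic property, so widening the list is a policy decision for this one legacy client, not something to apply service-wide by default.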

Accepted answer

Actually, the InclusiveC14N policy was not supported in CXF/WSS4J until now. I've fixed this for the next release (3.0.5/3.1.0): https://issues.apache.org/jira/browse/CXF-6333

Colm.
