登录
当前位置: 首页 > 知识库问答 >
问题:

JBOSS:无效算法http://www.w3.org/TR/2001/REC-xml-c14n-20010315(包括EC14N)

谈桐
2023-03-14

我正在使用JBOSS EAP 6.3.1-我不允许在生产中使用野蝇。

CXF版本2.7.11

我正在尝试构建一个安全令牌服务,它可以处理Request estSecurityToken请求,同时使用X509证书进行身份验证。

来自第三方应用程序的示例请求-遗憾的是无法更改:

<SOAPENV:Envelope xmlns:SOAPENV='http://schemas.xmlsoap.org/soap/envelope/'>
 <SOAPENV:Header>
  <wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
   <wsse:BinarySecurityToken EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' wsu:Id='Token'>
MIIDMTCCApqgAwI....3aairt
93OqNtk=
</wsse:BinarySecurityToken>
   <Signature xmlns='http://www.w3.org/2000/09/xmldsig#'>
    <SignedInfo>
     <CanonicalizationMethod Algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315'/>
     <SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
     <Reference URI='#body'>
      <Transforms>
       <Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
      </Transforms>
      <DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <DigestValue>WbLbIc...k=</DigestValue>
     </Reference>
     <Reference URI='#Timestamp'>
      <Transforms>
       <Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
      </Transforms>
      <DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <DigestValue>z3q....9w=</DigestValue>
     </Reference>
     <Reference URI='#Token'>
      <Transforms>
       <Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
      </Transforms>
      <DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <DigestValue>ypE6U....slo=</DigestValue>
     </Reference>
    </SignedInfo>
    <SignatureValue>lW1....Tc=</SignatureValue>
    <KeyInfo>
     <wsse:SecurityTokenReference>
      <wsse:Reference URI='#Token' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'/>
     </wsse:SecurityTokenReference>
    </KeyInfo>
   </Signature>
   <wsu:Timestamp wsu:Id='Timestamp'>
    <wsu:Created>2015-03-25T13:03:11Z</wsu:Created>
    <wsu:Expires>2015-03-25T13:13:13Z</wsu:Expires>
   </wsu:Timestamp>
  </wsse:Security>
 </SOAPENV:Header>
 <SOAPENV:Body wsu:Id='body' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
  <wst:RequestSecurityToken xmlns:wst='http://schemas.xmlsoap.org/ws/2005/02/trust'>
   <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
   <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  </wst:RequestSecurityToken>
 </SOAPENV:Body>
</SOAPENV:Envelope>

以下是我的策略设置:

   <wsp:Policy wsu:Id="CertificateSecurityPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding>
                <wsp:Policy>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:RequireIssuerSerialReference/>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:RequireIssuerSerialReference/>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                            <sp:InclusiveC14N/>
                            <!--<sp:InclusiveC14N11/>-->
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                </wsp:Policy>
            </sp:AsymmetricBinding>
             <sp:SignedParts>
                <sp:Body/>
                <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
           </sp:SignedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

每个请求都会抛出以下错误:

原因:组织。阿帕奇。ws。安全WSSecurityException:在org处理标头时发现错误(指定了错误的规范化算法)。阿帕奇。ws。安全加工机签名处理器。检查BSP合规性(SignatureProcessor.java:721)[wss4j-1.6.15.redhat-1.jar:1.6.15.redhat-1]。阿帕奇。ws。安全加工机签名处理器。verifyXMLSignature(SignatureProcessor.java:405)[wss4j-1.6.15.redhat-1.jar:1.6.15.redhat-1]

这是以下问题:如何使用CXF STS和X509v3二进制安全令牌

编辑1

我需要将属性ws-security.is-bsp-兼容设置为false。然后我得到另一个错误消息:

Caused by: org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header
    at org.apache.ws.security.components.crypto.AlgorithmSuiteValidator.checkC14nAlgorithm(AlgorithmSuiteValidator.java:77) [wss4j-1.6.15.redhat-1.jar:1.6.15.redhat-1]
    at org.apache.ws.security.components.crypto.AlgorithmSuiteValidator.checkSignatureAlgorithms(AlgorithmSuiteValidator.java:95) [wss4j-1.6.15.redhat-1.jar:1.6.15.redhat-1]

显然,以下条件失败:

"http://www.w3.org/2001/10/xml-exc-c14n#" == "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"

“http://www.w3.org/TR/2001/REC-xml-c14n-20010315”正在从消息中提取。现在,如果我可以将REC-xml-c14n-20010315添加到允许的算法列表中...

编辑2

再次阅读规范后,我相信cxf忽略了Elementsp:包容C14N。我需要把它放在我的wsdl中的其他地方吗

编辑3

班级组织。阿帕奇。cxf。sts。SignatureProperties将默认算法定义为http://www.w3.org/2001/10/xml-exc-c14n#

public class SignatureProperties {
...
private String c14nAlgorithm = WSConstants.C14N_EXCL_OMIT_COMMENTS;

private List<String> acceptedC14nAlgorithms = new ArrayList<String>();

public SignatureProperties() {
    ...
    // Default c14n algorithms
    acceptedC14nAlgorithms.add(c14nAlgorithm);
}

如果我能覆盖这个,它应该会工作。如何做到这一点。

共有1个答案

何兴学
2023-03-14

实际上,直到现在,CXF/WSS4J中才支持InclusiveC14N策略。我已经在下一个版本(3.0.5/3.1.0)中修复了这个问题:https://issues.apache.org/jira/browse/CXF-6333

科尔姆。

 类似资料:

相关问答

添加xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance“到根元素“http://www.w3.org/2001/xmlschema-instance”的XSD文件在哪里?XSD架构错误:XmlSchema错误:Element http://www.w3.org/2001/XmlSchema:Element在此上下文中无效是否为http://www.w3.org/2001/XMLSchema命名空间导入XSD?jaxb如何像那样引用元素到http://www.w3.org/2001/XMLSchema

相关文章

如何使flexbox在计算中包括填充?计算包括假期在内的工作日NoClassDefFoundError:Selenium中的org / apache / http / HttpEntity for ChromeDriver吗?去template.ExecuteTemplate包括html什么是XML中的无效字符

相关阅读

8.11 大疆无线算法笔经美团无人机算法二面XML DOM方法大疆一面 无线通信算法Flask HTTP方法

相关工具

org-fragtogjekyll-orgorg-modeorg-formation-cliJBoss BRMS

相关文档

算法珠玑结构之法算法之道常用算法实现方法常规算法教程数据挖掘算法
快捷导航: 新手教程 算法原理 架构设计 Java进阶 数据库进阶 大厂专栏 面试经验 编程笔记 编程问答 所有专题 文档资料 工具软件 电子书籍 小牛导航
在线工具: 房贷计算器 个税计算器 Linux命令查询 Json格式化 正则表达式 颜色转换 AES加解密 SHA1加密 MD5加密 毒鸡汤 字数统计 随机密码生成 进制转换 Base64编解码 励志句子
Copyright © 2019-2024 小牛知识库@xnip.cn. All Rights Reserved.