WebService complex encryption and signing (1): SoapUI

Overview

I used to think WebService was simple, until I ran into an integration project with Mastercard. The gateway Mastercard provides speaks the WebService protocol, and its messages have to be encrypted and signed, to a degree that makes you question everything. Take the two XML messages below: the first is the plaintext message before any processing, the second is the same message after encryption and signing. In the signed version the header gains a wsse:Security block that carries the signing certificate as a BinarySecurityToken, a ds:Signature whose four References cover the Timestamp, the Body, the token itself and the com:identity header, and a wsu:Timestamp with a one-minute validity window; every signed element is addressed through a wsu:Id.

Message before signing:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:com="http://common.ws.mcrewards.mastercard.com/" xmlns:diag="http://diagnostic.ws.mcrewards.mastercard.com/">
   <soapenv:Header>
      <com:identity>
         <com:appID>0</com:appID>
         <com:institutionName>cardinfolink</com:institutionName>
      </com:identity>
   </soapenv:Header>
   <soapenv:Body>
      <diag:doEcho>World</diag:doEcho>
   </soapenv:Body>
</soapenv:Envelope>

The same message after signing:

<soapenv:Envelope xmlns:com="http://common.ws.mcrewards.mastercard.com/" xmlns:diag="http://diagnostic.ws.mcrewards.mastercard.com/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-75772E58C9E43DD45C158624254101723">MIID8jCCAtqgAwIBAgIQJ0Ebry4sVHgJJ6WWt6tKODANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMCQkUxHDAaBgNVBAoTE01hc3RlQ2FyZCBXb3JsZHdpZGUxJDAiBgNVBAsTG0dsb2JhbCBJbmZvcm1hdGlvbiBTZWN1cml0eTEyMDAGA1UEAxMpTWFzdGVyQ2FyZCBQUkQgTWVzc2FnZXMgU2lnbmluZyBTdWIgQ0EgRzIwHhcNMTkxMjE2MjE0NTQxWhcNMjMxMjE1MjEzNjEyWjCBgTELMAkGA1UEBhMCQ04xETAPBgNVBAgTCFNoYW5naGFpMSowKAYDVQQKEyFNYXN0ZXJDYXJkIFdvcmxkd2lkZSAtIFNpZ25pbmcgU1cxFDASBgNVBAsTC0NIUyAwMDA0ODg2MR0wGwYDVQQDExRtdGYuQ0hTLkNhcmRJbmZvTGluazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN06EuNnbt/Nnnji73POrIw5FAIuxtikgSplOv7fM7VJaMgzH1Ed3FpIugXafciOHovT44QlJLJeJuf0rgpY2ydVtImeVcUMcTcplluklDx63pVOjYiMgfBUa34ejjezbVtoP/f/C9hjLZHVIRIwEmwICiKEu0RXSUu5Copa8k4QZcza/SMC/8szilDg3ZWlv3zGl8+WJPzJkDNuuhElYDqonKBO1S6zIEhcf1/NtmcanwilJJXR4N/038C2wo7hWL2yURczx18R7Ysn0tWiZjHVKvjMVbE8LRkYCgR0nhJB/Y5Uo2zcJZUo7OdBfDe5C8Jh2N8U15SeCMdtciQhON8CAwEAAaNgMF4wDgYDVR0PAQH/BAQDAgeAMAwGA1UdEwQFMAMCAQAwHwYDVR0jBBgwFoAU66ASd4JT9FhYrwHp4f9kBT5H2aowHQYDVR0OBBYEFJtKSpdYD3UynkN70V/zsTcSrkeZMA0GCSqGSIb3DQEBCwUAA4IBAQCzM5gOylWXU/maOaCyxdFGrt8tTjoH9dWw40gW7/bwU1N7+vcFnUlyZi+XjClbcP38e8uiirM1nJe3cJWoQf+wcdOwmn20W7ZUdaqiXrwYKP2KHqOOZ1WIH5xbw/0Dd09gVuQAhcE3QxuH8D0Eb8tCCudEMNwfl8QI8SibLEyKreKuaXitcNSX1dP5pgCmeiu3sJHLVSjIYXbFv3HQDtswqG2Smd60e+nyRNxIVQVc2sM5uiDRSHUN/LR4ZX6IA2G6nwkp6oYlNp5fsxrkvr/nUpMR7cogUlp41RwbSRFk+IyG8MvuFWm2rIqkmAqTUv1YtUEghrqYoBhehdXm7GXT</wsse:BinarySecurityToken>
            <ds:Signature Id="SIG-75772E58C9E43DD45C158624254107928" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="com diag soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
                    <ds:Reference URI="#TS-75772E58C9E43DD45C158624254101622">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces PrefixList="wsse com diag soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
                        <ds:DigestValue>hfsb367zFUFCoRFxt5R7sOoW6U1pTFV7P+/ZGhz0AkIkNy8H33bKLr0/DobFrJXvmpEY9ZSWyKMG
AoudAOQk2w==</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#id-75772E58C9E43DD45C158624254101826">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces PrefixList="com diag" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
                        <ds:DigestValue>JY6P+ZgECfWf4/fo3RpN8vd5wiHQyw8+xRix4okJmXFZvwIiid6wL7CiJYpaMfMAVy++t2SOq3jw
wjPJYPEHQA==</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#X509-75772E58C9E43DD45C158624254101723">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces PrefixList="" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
                        <ds:DigestValue>Qkk5+Zl1TG1G2tphnMPt4ZIE9XJEHoJzjfJZwcZIO7AyDFJqIasjEnOg/OcNyDSxYc3S8IFdD8uW
517RJ5QEjw==</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#id-75772E58C9E43DD45C158624254102427">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces PrefixList="diag soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
                        <ds:DigestValue>RJlWhk0rPXrHVkNlVPISUAwYEHP6u/bMTrbtJ3xVTwMJ62CIfoEomoSX2hJWyOFm2cJezaXiWaW/
1r0NvFg8pQ==</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>1FdgK0XSZInwSgNjwB06SGHbzPLH+cwAwb3VqU3aejHL36/YGyquyyfzVSdFDpGTjro00S3Lr1n+
xaLbt61SGJQKCwVHV+TKCQruINEftGgJpTaddm4Kt3AH27WvGveKJobqzojqNpRlSKkcYMTOcltJ
jCSo62ME8W+JTVoDAXSoCuGLXo0O1tsDBgSHM3RHOk6xPATOGULYngE6Ll/CAP5KodzlVTEuLZI8
D/C0cvg8HTScErf6o6WeeEgkn3udsDtq5dVUWGP3NePVxVZ4mhvtAv2qhS9IXVCtIPJVt4BtJY90
Y+KoBvdUhZczqLPJXWkiz1F/AphpN2x7wbVjUA==</ds:SignatureValue>
                <ds:KeyInfo Id="KI-75772E58C9E43DD45C158624254101824">
                    <wsse:SecurityTokenReference wsu:Id="STR-75772E58C9E43DD45C158624254101825">
                        <wsse:Reference URI="#X509-75772E58C9E43DD45C158624254101723" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
            <wsu:Timestamp wsu:Id="TS-75772E58C9E43DD45C158624254101622">
                <wsu:Created>2020-04-07T06:55:41Z</wsu:Created>
                <wsu:Expires>2020-04-07T06:56:41Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
        <com:identity wsu:Id="id-75772E58C9E43DD45C158624254102427" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <com:appID>0</com:appID>
            <com:institutionName>cardinfolink</com:institutionName>
        </com:identity>
    </soapenv:Header>
    <soapenv:Body wsu:Id="id-75772E58C9E43DD45C158624254101826" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <diag:doEcho>World</diag:doEcho>
    </soapenv:Body>
</soapenv:Envelope>

Generating the key files

1. HTTPS keystore client.jks

  1. The caller generates the private key MTFclient.key.pem (the CSR cil_mtf_client.csr is produced at the same time):

openssl req -new -nodes -newkey rsa:2048 -keyout cil_mtf_client.key -out cil_mtf_client.csr

openssl rsa -in cil_mtf_client.key -out MTFclient.key.pem

  2. MTFclient.key.pem is sent to the service provider, who issues the certificate 164063.crt. (What a certificate issuer actually needs is the CSR from the previous step; the private key should stay with the party that generated it.)
  3. The caller builds client.jks from MTFclient.key.pem and 164063.crt:

openssl pkcs12 -export -name client -in 164063.crt -inkey MTFclient.key.pem -out Combined164063.p12

keytool -importkeystore -destkeystore client.jks -srckeystore Combined164063.p12 -srcstoretype pkcs12 -alias client

2. Message-signing keystore signing.jks

In the same way, generate the message-signing keystore signing.jks (the certificate 164064.crt again comes from the service provider):

openssl req -new -nodes -newkey rsa:2048 -keyout cil_mtf_signing.key -out cil_mtf_signing.csr

openssl rsa -in cil_mtf_signing.key -out MTFsigning.key.pem

openssl pkcs12 -export -name signing -in 164064.crt -inkey MTFsigning.key.pem -out Combined164064.p12

keytool -importkeystore -destkeystore signing.jks -srckeystore Combined164064.p12 -srcstoretype pkcs12 -alias signing

Sample files: pkcs12.zip. The password for both the HTTPS keystore and the signing keystore is cil123.

SoapUI

The sample WSDL file: wsdl.zip

  1. Open SoapUI, choose File - New SOAP Project from the menu, select the file DiagnosticService.wsdl, tick all the checkboxes, then keep clicking OK until the project is created.

  2. Once the project has been created it looks like the screenshot.

  3. Go to File - Preferences - SSL Settings; in the KeyStore field select the HTTPS keystore client.jks and enter its password.

  4. Double-click the project name DiagnosticService; in the window that opens choose WS-Security Configurations - Keystores, click the green add button, select the signing keystore signing.jks and enter its password.

  5. In the same window choose WS-Security Configurations - Outgoing WS-Security Configurations, click the green add button, enter MTF Sign in the prompt and click OK.

  6. Still in that window, click the green add button at the bottom and choose Timestamp from the dropdown; on the right set Time to Live to 60 and untick Milliseconds Precision.

  7. Still in that window, click the green add button at the bottom and choose Signature from the dropdown; set the values on the right as follows (these are the four parts that end up as References in the ds:Signature shown in the overview).

Signature settings:

  Keystore: signing.jks
  Alias: signing
  Password: cil123
  Key Identifier Type: Binary Security Token
  Signature Algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
  Signature Canonicalization: http://www.w3.org/2001/10/xml-exc-c14n#
  Digest Algorithm: http://www.w3.org/2001/04/xmlenc#sha512
  Use Single Certificate: ticked

Parts to sign (Name / Namespace / Encode):

  Timestamp / http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd / Content
  Body / http://schemas.xmlsoap.org/soap/envelope/ / Content
  BinarySecurityToken / http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd / Content
  identity / http://common.ws.mcrewards.mastercard.com/ / Content

  8. Double-click Request 1 under the doEcho method, open the Auth tab at the bottom, choose Add New Authorization from the Authorization dropdown, select Basic in the dialog and click OK, then set Pre-emptive auth to Authenticate pre-emptively and Outgoing WSS to MTF Sign.

  9. Double-click DiagnosticService and change the Endpoint value under Service Endpoints to the test-environment URL https://mtf.services.mastercard.com/mtf/MRS/DiagnosticService

  10. Double-click Request 1 under the doEcho method, edit the request XML, and click the submit button. The request succeeds and the response is the one shown in the screenshot.
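To close, an added example (not code from the post, from SoapUI or from Mastercard) of what a receiver should check on an envelope signed the way the Outgoing WS-Security Configuration above produces it, before it even gets to the RSA verification: every ds:Reference resolves to exactly one element by wsu:Id, the four configured parts (Timestamp, Body, BinarySecurityToken, identity) are all covered, KeyInfo points at the BinarySecurityToken that is itself signed, and Expires minus Created equals the configured Time to Live of 60 seconds. The namespaces and algorithm URIs are the ones in the signed message in the overview; the constructed sample envelope, its short wsu:Id values and the placeholder token, digest and signature values are assumptions made for the example. It uses only the Python standard library, so it does not recompute the exclusive-c14n digests; that part needs lxml or a WS-Security stack.

```python
"""Receiver-side structural checks on a WS-Security signed SOAP envelope.
Added example (not from the post, SoapUI or Mastercard); standard library only, so it
checks references, coverage, key binding and the timestamp window but does not
recompute exc-c14n digests (that needs lxml or a WS-Security stack)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]
RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
SHA512 = "http://www.w3.org/2001/04/xmlenc#sha512"
# The four parts the post's SoapUI Signature entry signs; all must be covered.
EXPECTED_PARTS = {"Timestamp", "Body", "BinarySecurityToken", "identity"}


def parse_utc(text):
    # wsu:Created/Expires; the '.123Z' form appears when Milliseconds Precision is on.
    text = text.strip().rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def index_ids(root):
    """wsu:Id -> elements carrying it; more than one makes a reference ambiguous."""
    ids = {}
    for el in root.iter():
        if el.get(WSU_ID) is not None:
            ids.setdefault(el.get(WSU_ID), []).append(el)
    return ids


def check_envelope(xml_text, ttl_seconds=60, now=None):
    """Return the problems found (empty list = structurally sound). `now` is an
    ISO-8601 UTC string; when given, the message must fall inside its window."""
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    problems = ["duplicate wsu:Id %s" % i for i, els in ids.items() if len(els) > 1]
    sec = root.find("soapenv:Header/wsse:Security", NS)
    sig = sec.find("ds:Signature", NS) if sec is not None else None
    if sig is None:
        return problems + ["no ds:Signature in wsse:Security header"]
    info = sig.find("ds:SignedInfo", NS)
    if info.find("ds:SignatureMethod", NS).get("Algorithm") != RSA_SHA512:
        problems.append("unexpected SignatureMethod")
    # Each Reference must resolve to exactly one element by wsu:Id; the resolved
    # elements are what the signature actually protects.
    signed = set()
    for ref in info.findall("ds:Reference", NS):
        uri = ref.get("URI", "")
        if ref.find("ds:DigestMethod", NS).get("Algorithm") != SHA512:
            problems.append("unexpected DigestMethod on %s" % uri)
        targets = ids.get(uri[1:], []) if uri.startswith("#") else []
        if len(targets) != 1:
            problems.append("Reference %s resolves to %d elements" % (uri, len(targets)))
            continue
        signed.add(targets[0].tag.rsplit("}", 1)[-1])
    missing = EXPECTED_PARTS - signed
    if missing:
        problems.append("unsigned parts: %s" % ", ".join(sorted(missing)))
    # The signing certificate must be the BinarySecurityToken, which is itself signed.
    bst = sec.find("wsse:BinarySecurityToken", NS)
    key_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if bst is None or key_ref is None or key_ref.get("URI") != "#%s" % bst.get(WSU_ID):
        problems.append("KeyInfo does not reference the BinarySecurityToken")
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        return problems + ["no wsu:Timestamp"]
    created, expires = (parse_utc(ts.find(t, NS).text) for t in ("wsu:Created", "wsu:Expires"))
    if expires - created != timedelta(seconds=ttl_seconds):
        problems.append("timestamp window is %s, expected %ds" % (expires - created, ttl_seconds))
    if now is not None and not created <= parse_utc(now) <= expires:
        problems.append("message presented outside its timestamp window")
    return problems


def _ref(target):  # one ds:Reference for the constructed sample; digest is a placeholder
    return ('<ds:Reference URI="#%s"><ds:DigestMethod Algorithm="%s"/>'
            '<ds:DigestValue>AA==</ds:DigestValue></ds:Reference>' % (target, SHA512))


# Constructed sample: the overview's signed envelope reduced to its structure;
# token, digest and signature values are placeholders, not real material.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:ds="%(ds)s" xmlns:wsse="%(wsse)s"
 xmlns:wsu="%(wsu)s" xmlns:com="http://common.ws.mcrewards.mastercard.com/"
 xmlns:diag="http://diagnostic.ws.mcrewards.mastercard.com/"><soapenv:Header><wsse:Security>
<wsse:BinarySecurityToken wsu:Id="X509-1">BASE64-CERT-PLACEHOLDER</wsse:BinarySecurityToken>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="%(rsa)s"/>%(refs)s</ds:SignedInfo>
<ds:SignatureValue>AA==</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference>
<wsse:Reference URI="#X509-1"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2020-04-07T06:55:41Z</wsu:Created>
<wsu:Expires>2020-04-07T06:56:41Z</wsu:Expires></wsu:Timestamp></wsse:Security>
<com:identity wsu:Id="id-identity"><com:appID>0</com:appID></com:identity></soapenv:Header>
<soapenv:Body wsu:Id="id-body"><diag:doEcho>World</diag:doEcho></soapenv:Body></soapenv:Envelope>
""" % dict(NS, rsa=RSA_SHA512, refs="".join(_ref(t) for t in ("TS-1", "id-body", "X509-1", "id-identity")))

if __name__ == "__main__":
    print(check_envelope(SAMPLE) or "OK")
```

check_envelope returns an empty list for the sample and otherwise lists what is wrong. Two of the conditions it flags are the ones worth remembering: a Reference that resolves to zero or several elements (duplicate wsu:Id values make the signature ambiguous, which is what signature-wrapping problems come down to), and a part that was left out of the Signature entry, which is then unauthenticated even though the message "is signed". parse_utc also accepts the fractional-second form SoapUI emits when Milliseconds Precision is left ticked, and the ttl_seconds argument is the Time to Live the Timestamp entry was configured with.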
