我一直在閱讀與XML簽名有關的所有內容,這是一個痛苦而痛苦的世界,就像今天一樣。X509證書失敗的Ruby SOAP響應SignatureValue驗證
我能夠向遠程WSDL(https://tbk.orangepeople.cl/WSWebpayTransaction/cxf/WSWebpayService?wsdl)發出SOAP請求,我也應該驗證他們的響應(自然是!),但是我似乎無法弄清楚如何正確驗證XML SignatureValue。
我也無法驗證使用OpenSSL的(OpenSSL的0.9.8zg 14 2015年7月)上的終端(MAC OSX 10.11.1)這個簽名,雖然我沒有足夠的信心,我的文件輸入和命令是100%有正面結果的權利。
向我提供公證書的實體向我保證這是正確的,所以在那裏沒有運氣。我還創建了一個SoapUI項目,該項目正確配置了傳出&傳入WSS來備份此聲明。
對於那些好奇的人,我使用Signer和Nokogiri :: XML :: Builder爲我的請求生成簽名的XML,Savon自己處理請求,並在下面的代碼中使用Akami :: WSSE :: VerifySignature分別處理響應。
這是我到目前爲止有:
XML(響應):
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-1426">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-1425">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>o6RiSp7nGmMWf01mYh3FGNpK80A=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>irR3w9BKEf64eN9FJRnCBqHEj5kWZu+Bn5QlNrBTxp/tbGxgU1ViTLFNu6kQJFfxEFB1AoN7Ks5c
QKOK5eBwbA3j6486XQPMoYOvOWxtr73PS09LVFp6P1aZ0y5wHTf7dQ89GJ35Zb0JemvkeSN0XWQt
X3USE7A6z4t04jx95FX+Me6dTAFyf3ealyISfrfYkIsasqU6W/orhRgyKunq6N1aTZ7HmphaSgtu
EEncUiKS6aEdvD0NjwKWXlTr/5NT5BQ7T9cmWS00QYjlRlF2SGww44SAehNojwqFy40SEpuVPVJv
DH9GH4ITsy72DeY/PXkHkaEpDIPM32EUfobE1zRM0zwPLGQysGcELSRfzAWR9QWO1NmPecABymZ8
qMNQRxUK5MkX2S/O29Jpmq/8q/VWQQhnMmj6YdL8NAE1RmjH11wNXdWHRM+3iLndMk5EpiDtFZSo
fDmtNBWhiBzE3g/OZYBbZVM9MvQjMj0x2aK8rZK/qRylbVjhYaJI8hEOiAJZeAHErwuynjP01ONI
bXeyqZik5x54zamdsQs5UlXaGYRAqVInKr1j4+trJTstAqP7C22cEUULyKO2jkBj/wWpRhucjbJH
4XXHuVHQWP2myvnImaOHuAC8TFSCsV6/hOx206G4Yd1cyHSfNM3XEQURVlOaO0an582OlFxFvnU=</ds:SignatureValue>
<ds:KeyInfo Id="KI-FBCFA2CE61C97ADD4A14467251913442138">
<wsse:SecurityTokenReference wsu:Id="STR-FBCFA2CE61C97ADD4A14467251913442139">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=10,OU=ExperTI,O=ExperTI,L=Santiago,ST=Santiago,C=CL,1.2.840.113549.1.9.1=#16116a636572646140657870657274692e636c</ds:X509IssuerName>
<ds:X509SerialNumber>1401281826</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-1425">
<ns2:initTransactionResponse xmlns:ns2="http://service.wswebpay.webpay.transbank.com/">
<return>
<token>e30965b17f7854b21bf77f313cb9a117214e62fb5d98c6ff2580e859d013ed32</token>
<url>https://tbk.orangepeople.cl/filtroUnificado/initTransaction</url>
</return>
</ns2:initTransactionResponse>
</soap:Body>
</soap:Envelope>
證書(certificate_server.crt):
-----BEGIN CERTIFICATE-----
MIIFhTCCA20CBFOF3SIwDQYJKoZIhvcNAQEFBQAwgYYxIDAeBgkqhkiG9w0BCQEW
EWpjZXJkYUBleHBlcnRpLmNsMQswCQYDVQQGEwJDTDERMA8GA1UECAwIU2FudGlh
Z28xETAPBgNVBAcMCFNhbnRpYWdvMRAwDgYDVQQKDAdFeHBlclRJMRAwDgYDVQQL
DAdFeHBlclRJMQswCQYDVQQDDAIxMDAeFw0xNDA1MjgxMjU3MDZaFw0xNjA1Mjcx
MjU3MDZaMIGGMSAwHgYJKoZIhvcNAQkBFhFqY2VyZGFAZXhwZXJ0aS5jbDELMAkG
A1UEBhMCQ0wxETAPBgNVBAgMCFNhbnRpYWdvMREwDwYDVQQHDAhTYW50aWFnbzEQ
MA4GA1UECgwHRXhwZXJUSTEQMA4GA1UECwwHRXhwZXJUSTELMAkGA1UEAwwCMTAw
ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCX1t11QZSgfodg+NPwKdof
lakbpxsFmCvjbY3Vpp6/bTv56XIZe/Z3gBlU4zeGslEaqzs1k4cGAcdZPHxSMydC
oLxmyXpdS2hVFUZTYAeanXHhQzUKmNlgYj3uObprPEEQzD/vEuqpwz2/ZGyaHsWs
exu9aeuLAUUSNne0yqobrzRfEp2FqCp4sJB80cXgGfPA4Cr5jROHqUi8sVWpWRy5
ai5ZaiXRPo3YKF1336twuw9lRS3cRtJh9/AoJElGT7G7BMDpxyTTa08y1iRliDGu
mwWivQMHoKqEs0lCtF9Uz8cFdmiIoRPTt6McpmLoapL9v19xjNnim4lke6DPvtcg
uato7T+frDqA5Cj5GRP/8jbe90Y+YjHuJTkw+fkV6gDTRmJ3wCWDIw/07aY6nZ+H
24Imu6N2YBsMEsa8j9OW04mNgtppRC4dFBh0FIKXC35kJgN38y+6T7MsQThX1XZS
SlK0FygJJADVGelmxtsrRRfnp4yLYRjwdkRGExRjVs/+fkOyKI+fX0o68z6MEDyA
5epVHpgwJ/Yz3Lo7cgXy0hO5a/MfZc0Y0ofb29g8sJMJ8j/SSR85i4pFxudn+HH0
SmkkzE/P10adF/X+pqjscOE+aXwnX09lUUQ9TIlpYaR3hUhONsuefYJ2sHz2z+vt
K5btQwN7u9+QeXLgb20PMwIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQAqCepOSFi7
8d6lKTfWpMuj5ygpplBa3Bj81AKkNfSGDN7zkNX2sCbqn9aEjniIPtldG6I2fgCs
FYTZE9oEPNiuEuH7PNtAjTExIUi9Jzm7bqjCdSs7Ioek1cPePgst017zJ6NSTkaM
r7pUDaS3855xO92uaJskppAeegwz9Dv3d5wY+wVViqUki4pZyxa95IvBJz4NR1Xr
cO6XtUUT9M0wbd0jAkRp7DPQfkihZj8vLSvlUYTRdlF2swIBE/ME2T3NCa0/kt1c
IA1Aq/zn7t0yKvyaJ/O//LrHA1Lfa/uC61O/9P3t+eXDsYl73CeGQdSYZp2DAZmA
Ek3tzwhFa6HR+POIo8MptWMT3DQ0ISHH+EW1Xp8GHIGsk2ELsXuA6XTNwpfz9yvl
9d7IGsq4cdX88cNUCbXm4tj7F3s6i8pNWeCImaYcXKGCBdsLM+lbmqbuV7o3d1Ei
efbR1TQkCxRBNCMUI0pF7NW8PvY3QER9/jEnN52SX+tuQRVdpgl+PyTdSASr4FhV
+HHmgeOgeOewXDnZ7aA1F6f8+CY8Niv4FGZIAptdxTqdynY4nUy/wFowBouO3LEF
6nIcQ3Jx1pDXoEmcLa03JaL7qQNSHyqSe/YEl8E5fdDr7vApzw9pvpAjj1aslidL
bNd4l1YGlL2vbGsIXZlbdBLiblXRi78AyQ==
-----END CERTIFICATE-----
Ruby源代碼(少許修改,使用OpenSSL :: Digest :: SHA1.new代替消化器映射方法來簡化):
# load certificate
certificate_server = OpenSSL::X509::Certificate.new(File.read("certificate_server.crt"))
# CERT INFORMATION IS VERIFIED SUCCESSFULLY HERE
# DIGEST IS VERIFIED SUCCESSFULLY HERE
# certificate signature initialization
response_signature = Akami::WSSE::VerifySignature.new(response)
document = response_signature.document
namespaces = response_signature.namespaces
# retrieve Signature data & digest value
data = document.at_xpath('//wse:Security/ds:Signature/ds:SignedInfo', namespaces).canonicalize(Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0)
signature = Base64.decode64(document.at_xpath('//wse:Security/ds:Signature/ds:SignatureValue', namespaces).text)
# check if Signature is valid
return false unless certificate_server.public_key.verify(OpenSSL::Digest::SHA1.new, signature, data)
true
這不僅不能在最後一行:
certificate_server.public_key.verify(signature_digester, signature, data)
如果任何人能發現錯誤/缺陷/缺碼,也許提供一個工作的例子,我將非常感激。
嘿!我在對同一個WSDL執行SOAP請求時遇到問題,您認爲您可以幫助我理解它應該如何完成?乾杯! – froysm