java - 如何在 WSS4J 2.2.3 中启用 RSA15 传输算法？

Question

我正在将 SOAP Web 服务客户端升级到 JDK 11 和 WSS4J 2.2.3(不带 CXF/Spring)。 java 代码使用“独立”方法来处理加密，并且无法解密传入的响应，因为它是使用 RSA15 加密的。从版本 2.0.0 开始，该算法默认被禁用，但迁移指南建议可以通过将 WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM 属性设置为“true”来启用该算法。我该怎么做？？

我查看了 WSS4J 代码，可以看到 RequestData 对象是从 WSS4J 框架中的 WSSecurityEngine 类实例化的，但我没有看到允许我将allowRSA15KeyTransportAlgorithm 属性设置为“true”的 Hook 。我已经能够在 eclipse 中设置断点并更改值以确保它按预期工作并且确实如此。我在网上搜索过，我发现的最接近的是一个类似的问题，但这里没有明显的答案Allow the RSA v1.5 Key Transport Algorithm for WildFly / JBossWS / CXF / WSS4J stack 。我尝试将 WSS4J 恢复到允许该算法的版本 1.6，但随后失败并出现不同的错误“WRONG_DOCUMENT_ERR:节点在与创建它的文档不同的文档中使用”。当将 WSS4J 1.6 与任何版本的 jaxws(JDK 外部)一起使用时，似乎会发生这种情况。我能想到解决这个问题的唯一方法是侵入 WSS4J 2.2.3 依赖项并将 RequestData 类中的属性默认设置为“true”，但我真的不想这样做。

private void inboundWSSConfig(SOAPMessageContext context, Crypto crypto) throws WSSecurityException{

    log.info("Inbound Message...");

    KeystoreCallbackHandler keystoreCallbackHandler = new KeystoreCallbackHandler();
    keystoreCallbackHandler.addUsers((String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.alias"), (String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.password"));

    WSSecurityEngine newEngine = new WSSecurityEngine();
    WSSConfig config = WSSConfig.getNewInstance();
    config.setValidator(WSConstants.SIGNATURE, new SignatureTrustValidator());
    newEngine.setWssConfig(config);

    newEngine.processSecurityHeader(context.getMessage().getSOAPPart(), null, keystoreCallbackHandler, crypto);
}

返回的错误消息是...

Jul 17, 2019 11:42:56 AM ensurebill.client.handler.HeaderHandler inboundWSSConfig
INFO: Inbound Message...
Jul 17, 2019 11:42:56 AM ensurebill.client.handler.HeaderHandler handleMessage
SEVERE: ERROR in handleMessage
org.apache.wss4j.common.ext.WSSecurityException: An error was discovered processing the <wsse:Security> header
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:131)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:90)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:168)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:127)
    at ensurebill.client.handler.HeaderHandler.inboundWSSConfig(HeaderHandler.java:160)
    at ensurebill.client.handler.HeaderHandler.handleMessage(HeaderHandler.java:61)
    at ensurebill.client.handler.HeaderHandler.handleMessage(HeaderHandler.java:1)
    at com.sun.xml.ws.handler.HandlerProcessor.callHandleMessageReverse(HandlerProcessor.java:311)
    at com.sun.xml.ws.handler.HandlerProcessor.callHandlersResponse(HandlerProcessor.java:184)
    at com.sun.xml.ws.handler.ClientSOAPHandlerTube.callHandlersOnResponse(ClientSOAPHandlerTube.java:133)
    at com.sun.xml.ws.handler.HandlerTube.processResponse(HandlerTube.java:144)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1117)
    at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1020)
    at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:989)
    at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:847)
    at com.sun.xml.ws.client.Stub.process(Stub.java:433)
    at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:161)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:62)
    at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:131)
    at com.sun.proxy.$Proxy33.callNotificationInquiry(Unknown Source)
    at ensurebill.client.swing.MenuItemListener.sendRequest(MenuItemListener.java:109)
    at ensurebill.client.swing.MenuItemListener.actionPerformed(MenuItemListener.java:92)
    at java.desktop/javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1967)
    at java.desktop/javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2308)
    at java.desktop/javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:405)
    at java.desktop/javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:262)
    at java.desktop/javax.swing.AbstractButton.doClick(AbstractButton.java:369)
    at java.desktop/javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:1020)
    at java.desktop/javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:1064)
    at java.desktop/java.awt.Component.processMouseEvent(Component.java:6632)
    at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3342)
    at java.desktop/java.awt.Component.processEvent(Component.java:6397)
    at java.desktop/java.awt.Container.processEvent(Container.java:2263)
    at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5008)
    at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2321)
    at java.desktop/java.awt.Component.dispatchEvent(Component.java:4840)
    at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4918)
    at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4547)
    at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4488)
    at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2307)
    at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2772)
    at java.desktop/java.awt.Component.dispatchEvent(Component.java:4840)
    at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:772)
    at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
    at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:95)
    at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:745)
    at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:743)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
    at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:742)
    at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
    at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
    at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
    at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
    at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
    at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

Answer 1

经过一番追踪..我设法为你找到了它。

长话短说，您应该为自己创建一个 RequestData 对象，如下所示:

private void inboundWSSConfig(SOAPMessageContext context, Crypto crypto) throws WSSecurityException{

    log.info("Inbound Message...");

    KeystoreCallbackHandler keystoreCallbackHandler = new KeystoreCallbackHandler();
    keystoreCallbackHandler.addUsers((String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.alias"), 
    (String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.password"));

    WSSecurityEngine newEngine = new WSSecurityEngine();
    WSSConfig config = WSSConfig.getNewInstance();
    config.setValidator(WSConstants.SIGNATURE, new SignatureTrustValidator());
    newEngine.setWssConfig(config);

    RequestData data = new RequestData();
    data.setWssConfig(config); // probably
    data.setDecCrypto(crypto);
    data.setSigVerCrypto(crypto);
    data.setCallbackHandler(keystoreCallbackHandler);
    data.setAllowRSA15KeyTransportAlgorithm(true);

    newEngine.processSecurityHeader(context.getMessage().getSOAPPart(), data);
}

<小时/>

以下是我通过向后查找堆栈跟踪并查看源代码发现此解决方案的方法:

从抛出异常的地方开始

at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:131)

public List<WSSecurityEngineResult> handleToken(Element elem, RequestData data, AlgorithmSuite algorithmSuite) {
    // ...
    if (WSConstants.KEYTRANSPORT_RSA15.equals(encryptedKeyTransportMethod)
        && !data.isAllowRSA15KeyTransportAlgorithm() // <=== because this is false, etc.
        && (algorithmSuite == null
          || !algorithmSuite.getKeyWrapAlgorithms().contains(WSConstants.KEYTRANSPORT_RSA15))) {
        LOG.debug(
            "The Key transport method does not match the requirement"
        );
        throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY); // <=== this is where you die
    }
    // ...
}

它失败是因为 requestData 没有将 allowRSA15KeyTransportAlgorithm 设置为 true。但为什么没有设置为true呢？请求数据从哪里来？

at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:90)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)

所有这些都只是传递在此方法中创建的requestData:

// line 208
public WSHandlerResult processSecurityHeader(
    Element securityHeader,
    String actor,
    CallbackHandler cb,
    Crypto sigVerCrypto,
    Crypto decCrypto
) throws WSSecurityException {
    RequestData data = new RequestData(); // creates RequestData but doesn't set `allowRSA15KeyTransportAlgorithm`
    data.setActor(actor);
    data.setWssConfig(getWssConfig());
    data.setDecCrypto(decCrypto);
    data.setSigVerCrypto(sigVerCrypto);
    data.setCallbackHandler(cb);
    return processSecurityHeader(securityHeader, data); // line 221
}

调用者:

public WSHandlerResult processSecurityHeader(
    Document doc,
    String actor,
    CallbackHandler cb,
    Crypto crypto
) throws WSSecurityException {
    return processSecurityHeader(doc, actor, cb, crypto, crypto);
}

您在 inboundWSSConfig 方法中调用它。

因此，因为您正在调用 processSecurityHeader(Document doc, String actor, CallbackHandler cb, Crypto crypto)，所以它正在初始化一个新的 RequestData 并在其上设置 Crypto 和 CallbackHandler，但从未设置 allowRSA15KeyTransportAlgorithm。