- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
我正在尝试连接到一个 soap 服务,它希望我的请求使用标准 XML 加密(根据文档)进行加密。我正在使用 Python 请求将请求发送到端点,但不幸的是,我不知道如何从原始请求发送到加密请求。
我有一些从 SoapUI 中提取的示例(如下所示),它们显示了加密过程前后的请求,但遗憾的是没有描述加密过程本身。我曾尝试使用 py-wsse 来加密信息,但它与所需的格式不匹配。我也曾尝试使用 OpenSSL 来加密来自请求的信息,但我对 Soap 加密的了解还不够多,无法以所需的格式构建它
从原始请求到加密请求的步骤是什么
我的尝试:
import uuid
import base64
import requests
from wsse import encryption
headers = {'SOAPAction': '"urn:CorporateService:activateServiceAgreement"',
'Content-Type': 'text/xml; charset=utf-8'}
url= "https://stest.bankconnect.dk/2019/04/04/services/CorporateService?wsdl"
csr_pem = "some generated CSR string without 'Begin' and 'End' tags, any string works for testing"
registration_number = '1234'
funtion_identification = '00123456789'
unique_id = uuid.uuid4().hex
activation_code = '1234123412341234'
path_to_cert = "some_cert.crt"
data = f"""<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
<soap-env:Header>
<wsse:Security mustUnderstand="false"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
<ns0:technicalAddress xmlns:ns0="http://bankconnect.dk/schema/2014">
<ns0:ipAddress>{{http://bankconnect.dk/schema/2014}}technicalAddress</ns0:ipAddress>
</ns0:technicalAddress>
<ns1:activationHeader xmlns:ns1="http://bankconnect.dk/schema/2014">
<ns1:organisationIdentification>
<ns1:mainRegistrationNumber>{registration_number}</ns1:mainRegistrationNumber>
<ns1:isoCountryCode>DK</ns1:isoCountryCode>
</ns1:organisationIdentification>
<ns1:functionIdentification>{funtion_identification}</ns1:functionIdentification>
<ns1:erpInformation>
<ns1:erpsystem>{{http://bankconnect.dk/schema/2014}}erpInformation</ns1:erpsystem>
</ns1:erpInformation>
<ns1:endToEndMessageId>{unique_id}</ns1:endToEndMessageId>
<ns1:createDateTime>2021-12-07T11:08:25</ns1:createDateTime>
</ns1:activationHeader>
</soap-env:Header>
<soap-env:Body>
<ns0:activateServiceAgreement xmlns:ns0="http://bankconnect.dk/schema/2014">
<ns0:activationAgreement>
<ns0:activationCode>{base64.b64encode(str.encode(activation_code))}</ns0:activationCode>
<ns0:certificateRequest>{csr_pem}=</ns0:certificateRequest>
</ns0:activationAgreement>
</ns0:activateServiceAgreement>
</soap-env:Body>
</soap-env:Envelope>
"""
encryptedData = encryption.encrypt(data, path_to_cert) # this outputs a different format than needed (example below)
requests.post(url,data=encryptedData.decode(), headers=headers) # the request will fail as data is not in the correct format
我尝试生成的加密 SOAP(为了便于阅读而格式化):
<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
<soap-env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="id-70b626c1-3e8f-4827-abc2-a3004f7f00ef">MIIEpjCCAo6gAwIBAgICE6AwDQYJKoZIhvcNAQELBQAwdTEnMCUGA1UEAxMeQkQgQmFua0Nvbm5lY3QgUHJpbWFyeSBDQSBUZXN0MRwwGgYDVQQHExNFcnJpdHNvZSBGcmVkZXJpY2lhMQwwCgYDVQQLEwNWQkYxETAPBgNVBAoTCEJhbmtkYXRhMQswCQYDVQQGEwJESzAeFw0yMDA0MTYwNzE1MzJaFw0yNTA0MTYwNzE0NDBaMHMxJTAjBgNVBAMTHEJEIEJhbmtDb25uZWN0IEJhbmtkYXRhIFRlc3QxHDAaBgNVBAcTE0Vycml0c29lIEZyZWRlcmljaWExDDAKBgNVBAsTA1ZCRjERMA8GA1UEChMIQmFua2RhdGExCzAJBgNVBAYTAkRLMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2uY58IUvzsFKqzfkO6AMEQ0VKSXTwy30CYNR95WO6cdbGBegkv4PEQtTDNDr95zR0LPROsarAITLt/2bg8YDRodgbSKJWoZkS2/GlVztLTQROv+ReZXCFOYR3ean5K1gaPtfobOJxUPRV8r6UyF6/BPCCE2EuVgDDplLfCAv7bhofajvtsfRAU7GclRXxvb6fPGsKQRDvwSg4NWfhLEhXUjMhsIOGd1XqtePRd63yowbB/MhFmAdXw3gz1tj12HTMZ4D7QELawfMTC+f+XQq3f1DZFdYcPdqBdRPeOEPIoma+2YvBmtTSWoRLpVmAHiEG5RLlV5iOEqGGbcXAMhtwwIDAQABo0IwQDAdBgNVHQ4EFgQUjm2b2Xh70dT09RSGxyhYhyLbfEowHwYDVR0jBBgwFoAUhDYWOyZP7phaO8f6tPt8Uw8MtokwDQYJKoZIhvcNAQELBQADggIBADCS8I41JG4QSmXk2lxZPGnXRm6fwz/tPcnRc08CPPfH9UyfUPD81cX9K3fr52YdF0i+QvjWbyv/uCRO7Sw8/Ln1OpTGC/zbGneec5UjpuHnaQ74gMbEIO5Utf9yDiM7PiTpZW6IPicUDqwL2MzipK4ru+qtKB9OhHr30AYakN3gXYglztixmig0N2G6RNJPvrUecjKYgQR8VbnmyG/apfuaAqsVJy0wFlzFznVZtOAgBP21d9oHZ6NpIaPxbphZKA8zS65YLSaH3FdLrRqrf5Cc8XSx1wDR6U6WV/Hll7Vj4C3sxb/A1KCWehqVTVc8dRq4tMC6Lvi21wOadYBV+GB5Z2YjP5gpZTsYAP8DXyCaca0R66ncnxaJHYUow1JCKFf+iIn4uZRLiE6w3p6jlUNyVyYAg+SeouWqvL0hrLSbqzKu6kKt2x1ShKESiRpMHFvNMLRM8Kb4a+guqDV4jspzp+dFI3FLIubUv3EOPxtR45LiDVW2B3WcVkSqUGy9T0Yhc0sejNWjT9qyuuEN0X/bH/nbf8kPDc15VJoIN6NxIfhU1NZ/2XnvX4UL+MrMwlX87WKTZnhglIuT+N6lNCK/hMRInMppzHwfcsPuXMLJc+GOhVZwHQQGBgwTGnBl3spCYNjj0yDmgeChI5c0A3/oinNj/N54Ewr6+9TnmDEk</wsse:BinarySecurityToken>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference wsse:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
<wsse:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#id-70b626c1-3e8f-4827-abc2-a3004f7f00ef"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>L8/N579SnH/XPWsVvI8nVEvW67bFoV1wEaoRM3Bvpc0fS6Ihay90aonrvc8AJdEH 73z/UoUizrLhT4KPkqr3pLJ3UO42aKf6PRXyJ1pYaN5SbZH75kdL7VpiGBNjhaFK Zzn5SpIQElIjxrvVjbyDkTKzlzLaU8qzCvR08PHEgs452uIjDKuSEIPt49uAhExI /d7fRMGgXn9PpiH4jJGO/GfMUV3V2nNL/eB9jn00Dlz7vfEqeYwBaoegzq3ZyC25 nTSYXOkGvFU7dQAmrQ4QYEqYhmr3Sey3fEzcyb0lAPhZ3JBwDI5oo5GxbVXa+xVQ IL85p8Xrw0niGvLGbspXTQ==</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#id-a1155f0f-8c75-4de3-9bc2-c26e23ea1873"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
</wsse:Security>
<ns0:technicalAddress xmlns:ns0="http://bankconnect.dk/schema/2014">
<ns0:ipAddress>{http://bankconnect.dk/schema/2014}technicalAddress</ns0:ipAddress>
</ns0:technicalAddress>
<ns1:activationHeader xmlns:ns1="http://bankconnect.dk/schema/2014">
<ns1:organisationIdentification>
<ns1:mainRegistrationNumber>1234</ns1:mainRegistrationNumber>
<ns1:isoCountryCode>DK</ns1:isoCountryCode>
</ns1:organisationIdentification>
<ns1:functionIdentification>00123456789</ns1:functionIdentification>
<ns1:erpInformation>
<ns1:erpsystem>{http://bankconnect.dk/schema/2014}erpInformation</ns1:erpsystem>
</ns1:erpInformation>
<ns1:endToEndMessageId>some-uuid</ns1:endToEndMessageId>
<ns1:createDateTime>2021-12-06T15:18:25</ns1:createDateTime>
</ns1:activationHeader>
</soap-env:Header>
<soap-env:Body>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Type="http://www.w3.org/2001/04/xmlenc#Element" ns0:Id="id-a1155f0f-8c75-4de3-9bc2-c26e23ea1873">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>VBocX0ZNKgJ98E/1mZLQY6gJaFDIdxh+lLy38xyau3GYzT8G88XqVff7hSbBRCnt Z5zXa3sNhMl4e88GuuWnMrTe4j8QbcXuXrxVjCuZ+6TnKG1YIJ5t3L8myt+VI3+5 4FI15xQAOqATdxbtwE89xV0/n4szsxJ0nczBTK8pm/WL5rjks0Ks5o+F3wkBqwcF w+YYEE8zPD6ejlmAs+fye0gjsBAKF96RAe63kvT7gHrHKkj2GlEI5f2+bp7ebe2V U5PokQso22WBYidA8FdTBu9GGc8YD6gbTPq93GpOM1f6AV0fPd7vQCTw1d1F73HZ 9+NTZzPXqJb5RAPGSMEHlGgH3TYXOD7eBUgj0aZClGU5JsouusTmC7eiXWd5ys+b bN6LLkHvv6pPnAnm5Z7rgAK67sra1kCyFKgY3FHMOgE764MoRjBWroEmJokpnQ/q Do+D4iLbAsaGsVhdNZ+CelGUCTskvuIYHon33mdy5PHeMb0FUe8c3SDHqgyh0efp rcYUiT236jzpwBYP+ZgWzET2Mh2mdw8yVcUeyectayT6LhS8rqxExrQvMS120JST BY2pW+8WJVdu69/WplqktUCtOmYjdHEGgb63u2d139O2N5w+4ebSJxHEAzOgnCwg kpOQcD6hJm7UW0FG3AZTTcBAJfPCgtfyEPH+MGssIEFaeb9rsRGxbb/n8gfCyOjF d3LHYLezTRHCnbwqP4411BGK/1QUeX+ZI7W9/EHfPesYueCEoUZa0arInMlUdxeS nShBi3xnOo/NQNbwpUXmLTAnpg/GYyk9on2iIhFAKagevKB6XT3eN5QTpeQYYbcR KZSAE1KRhMJJWYSzElXUfZizHAAsIb470xc4MBDL6EKBZYt4E/7jPGgJO8/IbVL3 FaPjdEfx2Fo3G1FQfpzVMFav04RKCFZsGJ7mnBQnlWgraOa+hRsRed/koTBBxZ5n Dy9XQvIiko6nmXpcAQaUcNEx6/YJaOO5BXVHfS5QiTaJ7Ohe/20d7+fnivZgW7Es nm0tJS9yYX0IsE8c1Blft/T3iTOqsXuxPbrpE6TLy+9eINSqjzKDduwfx64IWju+ Bho13i71rKFZCVDvBMRwuFJwjZBYRMZc42MGrhBVMGDvyob0iHTrOQr3INDWYRSH DWYRxxboSU+xcgPAB6eXQfj8O2LWuGZSjhdt9p5dj75vc1OCGSrweZ/QXulXyxdK y2hkb01qUUoEFqdnr+gHouDWWyUgaO/tYF2eNkVMu/jagAtAZL6Yg5KApV/TzwIr ZsrxrCxgAls0oaiTJeoxk9O+WSzCiU9NBBQ30OfKii8Do1yDjFmqVkl4JPCusCXY Efq1na1OIwHnfCmOSMPk7uojztixxbgvhF5q4yv0gIGMqx/FutE42dIpXU5lqkbT OonGguy85c1q9R3Fx6E8T4GwumpO7wAxnbEu2MCl7mm0PeWGVRg6f5H+SnWslL96 88aYIBo+7wwnkC9JVCB8Sl/6eGYum58OrP1Hp01VqgkdMcrRwiyQPPN//Yk/N5oS cb30w2AdeKPMbjihDnfRCiRSzWQfBs7Fat1MWxp80H6gqnaVq0Paf/buMpMJYa9Z hqNGFtMUJkMd+PTconOxF5a1SUWwAj0Op/J24mOd3XFy39HZnZb67rWzNATuh34p 2G+XInAmKvkxBcKR94HGfajFAE1794q2L9O6mIIiZufuKnZM0JGoQeNEdP6TETX3 G5zl7F0Xn4iZgEFPRkMREf+66+CxSwxWnmi4m8W1SHXLmmuP5pyS8wPt+q4Lg3Jd 5G54J3he3g5dyhaJVj6WD1bPgwQkN+ha4aPl+2gVNLh79u7CL/uJWwBqrKfy1a64 mJbTWRAM4aNnPIcixdWxrHYM+J7rzBTmYSANEcdhCfv534Kjd8ZH8vL/47I8C+wG VV0x6P+yJCH63UZ4tQScxMdMPKl+INmEqI1bnpq9/vXnSTkoezY2pmtAx7VpgyZm Mp+rHiEmbjMMAaLmHtw7lqUf0PtrGzUEDyXanruaY68tKLFNJyFod1Ubgo8znAfD u0/iFcpruhNtvThwCP3AmgvTWjhoDPtXobxkR54akl4TWRaZNka8LfCATouaOGsu dWDqeIQikIhwNPsv144XVpF09JLfejOhUkARj+D1OSTRAtZ/lbia7g==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap-env:Body>
</soap-env:Envelope>
预期的加密 SOAP 示例
<soapenv:Envelope xmlns:ns="http://bankconnect.dk/schema/2014"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<xenc:EncryptedKey Id="EK-F3FCAC3C34D9D25B87163351066951111"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIEpjCCAo6gAwIBAgICE6AwDQYJKoZIhvcNAQELBQAwdTEnMCUGA1UEAxMeQkQgQmFua0Nvbm5lY3QgUHJpbWFyeSBDQSBUZXN0MRwwGgYDVQQHExNFcnJpdHNvZSBGcmVkZXJpY2lhMQwwCgYDVQQLEwNWQkYxETAPBgNVBAoTCEJhbmtkYXRhMQswCQYDVQQGEwJESzAeFw0yMDA0MTYwNzE1MzJaFw0yNTA0MTYwNzE0NDBaMHMxJTAjBgNVBAMTHEJEIEJhbmtDb25uZWN0IEJhbmtkYXRhIFRlc3QxHDAaBgNVBAcTE0Vycml0c29lIEZyZWRlcmljaWExDDAKBgNVBAsTA1ZCRjERMA8GA1UEChMIQmFua2RhdGExCzAJBgNVBAYTAkRLMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2uY58IUvzsFKqzfkO6AMEQ0VKSXTwy30CYNR95WO6cdbGBegkv4PEQtTDNDr95zR0LPROsarAITLt/2bg8YDRodgbSKJWoZkS2/GlVztLTQROv+ReZXCFOYR3ean5K1gaPtfobOJxUPRV8r6UyF6/BPCCE2EuVgDDplLfCAv7bhofajvtsfRAU7GclRXxvb6fPGsKQRDvwSg4NWfhLEhXUjMhsIOGd1XqtePRd63yowbB/MhFmAdXw3gz1tj12HTMZ4D7QELawfMTC+f+XQq3f1DZFdYcPdqBdRPeOEPIoma+2YvBmtTSWoRLpVmAHiEG5RLlV5iOEqGGbcXAMhtwwIDAQABo0IwQDAdBgNVHQ4EFgQUjm2b2Xh70dT09RSGxyhYhyLbfEowHwYDVR0jBBgwFoAUhDYWOyZP7phaO8f6tPt8Uw8MtokwDQYJKoZIhvcNAQELBQADggIBADCS8I41JG4QSmXk2lxZPGnXRm6fwz/tPcnRc08CPPfH9UyfUPD81cX9K3fr52YdF0i+QvjWbyv/uCRO7Sw8/Ln1OpTGC/zbGneec5UjpuHnaQ74gMbEIO5Utf9yDiM7PiTpZW6IPicUDqwL2MzipK4ru+qtKB9OhHr30AYakN3gXYglztixmig0N2G6RNJPvrUecjKYgQR8VbnmyG/apfuaAqsVJy0wFlzFznVZtOAgBP21d9oHZ6NpIaPxbphZKA8zS65YLSaH3FdLrRqrf5Cc8XSx1wDR6U6WV/Hll7Vj4C3sxb/A1KCWehqVTVc8dRq4tMC6Lvi21wOadYBV+GB5Z2YjP5gpZTsYAP8DXyCaca0R66ncnxaJHYUow1JCKFf+iIn4uZRLiE6w3p6jlUNyVyYAg+SeouWqvL0hrLSbqzKu6kKt2x1ShKESiRpMHFvNMLRM8Kb4a+guqDV4jspzp+dFI3FLIubUv3EOPxtR45LiDVW2B3WcVkSqUGy9T0Yhc0sejNWjT9qyuuEN0X/bH/nbf8kPDc15VJoIN6NxIfhU1NZ/2XnvX4UL+MrMwlX87WKTZnhglIuT+N6lNCK/hMRInMppzHwfcsPuXMLJc+GOhVZwHQQGBgwTGnBl3spCYNjj0yDmgeChI5c0A3/oinNj/N54Ewr6+9TnmDEk</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>2be8yrQGdq1KM7XYjcW+AeP4dPUUZLKdbIta1mnipSN5/p8u4Oj06jjFfTWHgZlMo846hGz2l25AJnrOo79aadH+ZLUiZyTTU6zZn8NbziOtB3gff7I0zvTiUTZBFFq7Pj2qQHV+uMBKzZzx8dVgWgu43jwqr8ub2fv32vZeYaYC39VxhZOiVOdcYNBoSXkk53bYvrP5Q/xO0KxgB99WspcozzslELyi0NpRC1W0wr+QcMpl/pX8dugnzRdE5w4IBejhvO/hPFMY8BptDpw9Jr360dbcqfA6SH8ldoqxm9qlHsm80OIhYSFhXWjnOei8Snls6PtcliR3f3DYcaivJw==</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#ED-F3FCAC3C34D9D25B87163351066951112"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
</wsse:Security>
<ns:activationHeader>
<ns:organisationIdentification>
<ns:mainRegistrationNumber>1234</ns:mainRegistrationNumber>
<ns:isoCountryCode>DK</ns:isoCountryCode>
</ns:organisationIdentification>
<ns:functionIdentification>00123456789</ns:functionIdentification>
<ns:erpInformation>
<!--Optional:-->
<ns:erpsystem>TEST</ns:erpsystem>
<!--Optional:-->
<ns:erpversion>1</ns:erpversion>
</ns:erpInformation>
<ns:endToEndMessageId>TEST</ns:endToEndMessageId>
<ns:createDateTime>2021-09-14T14:58:33.258+02:00</ns:createDateTime>
</ns:activationHeader>
<technicalAddress xmlns="http://bankconnect.dk/schema/2014"
xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"/>
</soapenv:Header>
<soapenv:Body>
<xenc:EncryptedData Id="ED-F3FCAC3C34D9D25B87163351066951112" Type="http://www.w3.org/2001/04/xmlenc#Content"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<wsse:Reference URI="#EK-F3FCAC3C34D9D25B87163351066951111"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>cTBg4srW4xEOlz2/ycn8PLbBeh7FzZflqZ/k87oDClpaumzuAoiTUnRBSQJiaLXlnh4oS7/BlyC8JXMYr2m4N7RoWspUphDMkemA8/q0vF00J1Vf+MP+uOOQKOIBpHKsnMt8bqmFrCDXp0WUebLy6oEd/CVKlRFYkzw0lkj15NcL/wZMhKvRB2Qyz20W3gpzyz7eN2bg+fWvPsCVXLZJRTY8CEtGRvBsuddmt5pUiSSAAYbKXksKg9BgeywD2pRNghuhOcMYPrV6n1Oi7+183ShrBVZcO84PyNpsrwlCRC+Bnbl3HYOeLxAljXkxjbxkBCGYXaJWZ1IzQ2a0Sg/HLO6hDAMriqnnpLnRsbIkpGBjHFT7M0GeO7FEDHAg3LKyeCm4ivR9fTSxIOijZDXdAoy4pANRsYPyGLbGEYu+e+cPMlX5LE63T41C5mJ61qynla1HTbvxelsHVm3bXevj5Umq5HdVDlPD0kLSRQ4KPOlPGnLG9QTyzxAbSliBygQLDpdMM1zydEU7kcNfRUZQK1a536R0VyEcfFTvBKk4QBk87TtOuSAd+BhT/IlGp91xKToWLvLXc76m46rBRuTgt1LZzj07WucRFsvxpO3iDB889Oy+v7BKFJmrIR7i+QHHYpjD1/ZRSRZo+Hl9wXPOh2kXOZquc+6K8GsFa74OfS6otVduBM431vhzqL4jwKJYAXDgN9D/q7R/duIUE2MfvwyqFBNC/NTo9PQdielnyU6R7v1r/Xd7RgR/vWtSvfsDxGwV9uSr2N9/MiJZ7s3VK7o3BmMB3adHX7wiqy8fu+e2wZ4pJi9fvcxN/8dx6jrDnCUU7886CK8Etu4lUnCHUrOKnOyn3vq0qylw7aEhnyVzjG8eMPXWuRCP/SwB8RRQ604csZjYQDE1C1XHpw3d9iaR1UuKA6DgI0u4YASl22hb21CNGpUiMP4EUcUwHVONdhBlfnniRxyMi4m6V8/n9iMevIIfA27W3D4YSMAQ+oABdCscTC95rC8QK8X2jlfPQGbZmjIGV6xaHqU64K4xQDVCUQTHcycpPkJ59MpJ2/L4BhEHlPngrBLrZMrXkmh3qV8P9+Cgsm3qzwJI8KeSfeUKkEx+xFz34HFFbHDmuN5FohLUt/Z/ICmLtaSVzD6EIWLf2sLl9jk4xFfIHI3d/nmvE8tqnKh54VVDYkow1oBv5NM0M2I1U7NfkOneOj3g9yLItQM472HU7UQDY+xkwZ9N6Zj3Q/ipakXlD6/oDulPIwB/QhNKSMRHoczY32b/qjiBkvEC8eYT3XZgdsGQ1WUQo+g5AhuYNtEseu5hIYjXxp/SeLfKRIDtDiNOKlsIocAkJo9VXD77zTvt90ydUUp2sLkThZlxvn0XqrSEpowgKBOeVyH0Y1Ok4Sk/iP3IyJzg28izuo7eL5KxlTnGdr0Cr26J9C1H5+lN/9FFf+4bXAznkNUqOItMGP/jUIXr8MqnGS8us/F32qMjCnNJmYUvKNykY5U+Jjyiz3NUo5GZMQpx+kNEgr/WDbg54rHJmmyGVDD9XyvfIg1ZEMaJHHb/egn/bhIUjEAYj8ByYVruovKtUq6CLKFSvKrRg/2Zvr8J1vAsPrVgTOUFSuyVeTaH6xz+nc0fr+9kp6swuMp/pKs3xVWG0d/SqdcSyq9u</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
虽然我假设我可以通过使用 openSSL 加密我的初始主体来获取密码数据,但我不知道如何构建安全 header ,以及如何获取参数(如 Id、URI 等)。正如我之前提到的,示例是使用 SoapUi 生成的。有没有办法在 Python 中做同样的事情?
最佳答案
是的,我建议只使用第三方 github lib并调用 WSE Encrypt,或者只使用此函数的特定代码。它将使用 X509 证书对其进行加密。
"""Functions for WS-Security (WSSE) encryption and decryption.
Heavily based on test examples in https://github.com/mehcode/python-xmlsec as
well as the xmlsec documentation at https://www.aleksey.com/xmlsec/. Some
functions from https://github.com/mvantellingen/py-soap-wsse.
Reading the xmldsig, xmlenc, and ws-security standards documents, though
admittedly painful, will likely assist in understanding the code in this
module.
"""
import base64
from lxml import etree
from OpenSSL import crypto
import xmlsec
from .constants import BASE64B, X509TOKEN, DS_NS, ENC_NS, SOAP_NS, WSSE_NS
from .xml import ensure_id, ns
def encrypt(envelope, certfile):
"""Encrypt body contents of given SOAP envelope using given X509 cert.
Currently only encrypts the first child node of the body, so doesn't really
support a body with multiple child nodes (the later ones won't be
encrypted), and doesn't support encryption of multiple nodes.
Expects to encrypt an incoming document something like this (xmlns
attributes omitted for readability):
<soap:Envelope>
<soap:Header>
<wsse:Security mustUnderstand="true">
<wsu:Timestamp>
<wsu:Created>2015-06-25T21:53:25.246276+00:00</wsu:Created>
<wsu:Expires>2015-06-25T21:58:25.246276+00:00</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
...
</soap:Body>
</soap:Envelope>
Encryption results in an XML structure something like this (note the added
wsse:BinarySecurityToken and xenc:EncryptedKey nodes in the wsse:Security
header, and that the contents of the soap:Body have now been replaced by a
wsse:EncryptedData node):
<soap:Envelope>
<soap:Header>
<wsse:Security mustUnderstand="true">
<wsse:BinarySecurityToken
wsu:Id="id-31e55a42-adef-4312-aa02-6da738177b25"
EncodingType="...-wss-soap-message-security-1.0#Base64Binary"
ValueType=".../oasis-200401-wss-x509-token-profile-1.0#X509v3">
MIIGRTCC...7RaVeFVB/w==
</wsse:BinarySecurityToken>
<xenc:EncryptedKey>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<ds:KeyInfo>
<wsse:SecurityTokenReference
wsse:TokenType="...wss-x509-token-profile-1.0#X509v3">
<wsse:Reference
ValueType="...-wss-x509-token-profile-1.0#X509v3"
URI="#id-31e55a42-adef-4312-aa02-6da738177b25"
/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>0m23u5UVh...YLcEcmgzng==</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference
URI="#id-094305bf-f73e-4940-88d9-00688bc78718"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<wsu:Timestamp wsu:Id="id-d449ec14-f31c-4174-b51c-2a56843eeda5">
<wsu:Created>2015-06-25T22:26:57.618091+00:00</wsu:Created>
<wsu:Expires>2015-06-25T22:31:57.618091+00:00</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="id-73bc3f79-1597-4e35-91d5-354fc6197858">
<xenc:EncryptedData
Type="http://www.w3.org/2001/04/xmlenc#Element"
wsu:Id="id-094305bf-f73e-4940-88d9-00688bc78718">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>rSJC8m...js2RQfw/5</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
(In practice, we'll generally be encrypting an already-signed document, so
the Signature node would also be present in the header, but we aren't
encrypting it and for simplicity it's omitted in this example.)
"""
doc = etree.fromstring(envelope)
header = doc.find(ns(SOAP_NS, 'Header'))
security = header.find(ns(WSSE_NS, 'Security'))
# Create a keys manager and load the cert into it.
manager = xmlsec.KeysManager()
key = xmlsec.Key.from_file(certfile, xmlsec.KeyFormat.CERT_PEM, None)
manager.add_key(key)
# Encrypt first child node of the soap:Body.
body = doc.find(ns(SOAP_NS, 'Body'))
target = body[0]
# Create the EncryptedData node we will replace the target node with,
# and make sure it has the contents XMLSec expects (a CipherValue node,
# a KeyInfo node, and an EncryptedKey node within the KeyInfo which
# itself has a CipherValue).
enc_data = xmlsec.template.encrypted_data_create(
doc,
xmlsec.Transform.DES3,
type=xmlsec.EncryptionType.ELEMENT,
ns='xenc',
)
xmlsec.template.encrypted_data_ensure_cipher_value(enc_data)
key_info = xmlsec.template.encrypted_data_ensure_key_info(
enc_data, ns='dsig')
enc_key = xmlsec.template.add_encrypted_key(
key_info, xmlsec.Transform.RSA_OAEP)
xmlsec.template.encrypted_data_ensure_cipher_value(enc_key)
enc_ctx = xmlsec.EncryptionContext(manager)
# Generate a per-session DES key (will be encrypted using the cert).
enc_ctx.key = xmlsec.Key.generate(
xmlsec.KeyData.DES, 192, xmlsec.KeyDataType.SESSION)
# Ask XMLSec to actually do the encryption.
enc_data = enc_ctx.encrypt_xml(enc_data, target)
# XMLSec inserts the EncryptedKey node directly within EncryptedData,
# but WSSE wants it in the Security header instead, and referencing the
# EncryptedData as well as the actual cert in a BinarySecurityToken.
# Move the EncryptedKey node up into the wsse:Security header.
security.insert(0, enc_key)
# Create a wsse:BinarySecurityToken node containing the cert and add it
# to the Security header.
cert_bst = create_binary_security_token(certfile)
security.insert(0, cert_bst)
# Create a ds:KeyInfo node referencing the BinarySecurityToken we just
# created, and insert it into the EncryptedKey node.
enc_key.insert(1, create_key_info_bst(cert_bst))
# Add a DataReference from the EncryptedKey node to the EncryptedData.
add_data_reference(enc_key, enc_data)
# Remove the now-empty KeyInfo node from EncryptedData (it used to
# contain EncryptedKey, but we moved that up into the Security header).
enc_data.remove(key_info)
return etree.tostring(doc)
def decrypt(envelope, keyfile):
"""Decrypt all EncryptedData, using EncryptedKey from Security header.
EncryptedKey should be a session key encrypted for given ``keyfile``.
Expects XML similar to the example in the ``encrypt`` docstring.
"""
# Create a key manager and load our key into it.
manager = xmlsec.KeysManager()
key = xmlsec.Key.from_file(keyfile, xmlsec.KeyFormat.PEM)
manager.add_key(key)
doc = etree.fromstring(envelope)
header = doc.find(ns(SOAP_NS, 'Header'))
security = header.find(ns(WSSE_NS, 'Security'))
enc_key = security.find(ns(ENC_NS, 'EncryptedKey'))
# Find each referenced encrypted block (each DataReference in the
# ReferenceList of the EncryptedKey) and decrypt it.
ref_list = enc_key.find(ns(ENC_NS, 'ReferenceList'))
for ref in ref_list:
# Find the EncryptedData node referenced by this DataReference.
ref_uri = ref.get('URI')
referenced_id = ref_uri[1:]
enc_data = doc.xpath(
"//enc:EncryptedData[@Id='%s']" % referenced_id,
namespaces={'enc': ENC_NS},
)[0]
# XMLSec doesn't understand WSSE, therefore it doesn't understand
# SecurityTokenReference. It expects to find EncryptedKey within the
# KeyInfo of the EncryptedData. So we get rid of the
# SecurityTokenReference and replace it with the EncryptedKey before
# trying to decrypt.
key_info = enc_data.find(ns(DS_NS, 'KeyInfo'))
key_info.remove(key_info[0])
key_info.append(enc_key)
# When XMLSec decrypts, it automatically replaces the EncryptedData
# node with the decrypted contents.
ctx = xmlsec.EncryptionContext(manager)
ctx.decrypt(enc_data)
return etree.tostring(doc)
def add_data_reference(enc_key, enc_data):
"""Add DataReference to ``enc_data`` in ReferenceList of ``enc_key``.
``enc_data`` should be an EncryptedData node; ``enc_key`` an EncryptedKey
node.
Add a wsu:Id attribute to the EncryptedData if it doesn't already have one,
so the EncryptedKey's URI attribute can reference it.
(See the example XML in the ``encrypt()`` docstring.)
Return created DataReference node.
"""
# Ensure the target EncryptedData has a wsu:Id.
data_id = ensure_id(enc_data)
# Ensure the EncryptedKey has a ReferenceList.
ref_list = ensure_reference_list(enc_key)
# Create the DataReference, with URI attribute referencing the target
# node's id, add it to the ReferenceList, and return it.
data_ref = etree.SubElement(ref_list, ns(ENC_NS, 'DataReference'))
data_ref.set('URI', '#' + data_id)
return data_ref
def ensure_reference_list(encrypted_key):
"""Ensure that given EncryptedKey node has a ReferenceList node.
Return the found or created ReferenceList node.
"""
ref_list = encrypted_key.find(ns(ENC_NS, 'ReferenceList'))
if ref_list is None:
ref_list = etree.SubElement(encrypted_key, ns(ENC_NS, 'ReferenceList'))
return ref_list
def create_key_info_bst(security_token):
"""Create and return a KeyInfo node referencing given BinarySecurityToken.
(See the example XML in the ``encrypt()`` docstring.)
Modified from https://github.com/mvantellingen/py-soap-wsse.
"""
# Create the KeyInfo node.
key_info = etree.Element(ns(DS_NS, 'KeyInfo'), nsmap={'ds': DS_NS})
# Create a wsse:SecurityTokenReference node within KeyInfo.
sec_token_ref = etree.SubElement(
key_info, ns(WSSE_NS, 'SecurityTokenReference'))
sec_token_ref.set(
ns(WSSE_NS, 'TokenType'), security_token.get('ValueType'))
# Add a Reference to the BinarySecurityToken in the SecurityTokenReference.
bst_id = ensure_id(security_token)
reference = etree.SubElement(sec_token_ref, ns(WSSE_NS, 'Reference'))
reference.set('ValueType', security_token.get('ValueType'))
reference.set('URI', '#%s' % bst_id)
return key_info
def create_binary_security_token(certfile):
"""Create a BinarySecurityToken node containing the x509 certificate.
Modified from https://github.com/mvantellingen/py-soap-wsse.
"""
# Create the BinarySecurityToken node with appropriate attributes.
node = etree.Element(ns(WSSE_NS, 'BinarySecurityToken'))
node.set('EncodingType', BASE64B)
node.set('ValueType', X509TOKEN)
# Set the node contents.
with open(certfile) as fh:
cert = crypto.load_certificate(crypto.FILETYPE_PEM, fh.read())
node.text = base64.b64encode(
crypto.dump_certificate(crypto.FILETYPE_ASN1, cert))
return node
关于python - 用 Python 加密 SOAP 信封,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/70274092/
我正在尝试使用 PHP 的内置 soap 函数登录 API。我得到了这样的结果。 [LoginResult]=> false, [ErrorMsg] => Login failed with the
我将 Odata 添加到我的项目中,这样我就可以使用像 $filter 这样的 url-query-parameters 。使用演示类/ Controller ,输出现在如下所示: { "@oda
我有一个 SOAP 体,我需要根据此 wsdl 定义填充正确的元素。
我刚刚开始学习JSP,我需要发送一条soap消息,我将消息创建为 string 。我只想将其发送到 url,我找不到任何简单的示例,我创建了一个 jsp 页面和一个像这样的类:
我想知道无论如何要更改 WCF SOAP 请求的命名空间前缀? 正如您在下面的示例中看到的,信封的 namespace “http://www.w3.org/2005/08/addressing”带有
我在 Web 服务中使用 JaxWs/JaxB,但我不喜欢我的所有 xml 文件(无论是我发送还是接收的文件)都包含 SOAP 信封这一事实。我怎样才能摆脱那些? 我只需要一个干净的 xml 文件,W
当我尝试执行这段代码时: mmurl = 'http://server/_mmwebext/mmwebext.dll?WSDL?server=localhost' mmclient = Client(
我有以下方法: 字符串[] getEmployeeDetails ( int employeeNumber ); 关联请求如下所示: 1016577 此示例来自此链接 [ htt
我正在尝试为第三方库生成的信封添加日志记录。我正在修改下面的 updateMetadataField() 方法。 我正在像这样创建 $client: $client = new UpdateClien
我需要在ksoap2(安卓版)生成的信封中添加一个属性(xmlns:n0="urn:checkOTP")。 ... 转向 ... 错误代码是: W/System.er
我知道已经有类似的帖子,但没有一个对我有帮助。 我在反序列化/解码 xml 时遇到问题。 我的代码如下所示: public class SoapTest { public static Str
我正在使用 Camel 代理 Web 服务(我需要首先修改肥皂头)。我使用 CXF_MESSAGE 数据格式,因为它允许我轻松更改肥皂头。使用soapui发送肥皂消息工作正常,我可以看到它到达真正的网
我正在尝试连接到一个 soap 服务,它希望我的请求使用标准 XML 加密(根据文档)进行加密。我正在使用 Python 请求将请求发送到端点,但不幸的是,我不知道如何从原始请求发送到加密请求。 我有
我真的需要将某个命名空间添加到 WSDL 中未指定的 SOAP 信封中,出于某种原因我已经尝试在 SoapCliente 构造函数中使用“uri”参数,但它不起作用 如何将此命名空间添加到 SoapE
是否有一种简单的方法可以从 Dingo API 响应中删除“数据”信封。 当我使用这个 Transformer 来转换用户模型时: class UserTransformer extends Eloq
使用断点时出现此错误,并且进入catch异常。 httpTransport.call(SOAP_ACTION, envelope); 是httpTransport连接不应该是null吗? pu
我正在努力了解 SOAP 服务的工作原理。我的客户端使用 Java,服务使用 WCF(尽管理论上这并不重要)。如果给我一个 SOAP 信封示例并执行以下操作: -Build a SOAP envelo
我想将命名空间设置添加到我的 soap 信封中。我想在 IClientMessageInspector 的 BeforeSendRequest 中更改它,或者您有更优雅的方法。 例如 ws:
我正在使用 axis2 客户端调用一个 WebService,因为我使用 OMElement 添加了 header 。执行时我遇到异常。我只想打印并检查请求的整个 SoapEnvelope。 请建议我
我一直在尝试使用 node-soap 连接到 Web 服务,但不断收到错误“无法读取未定义的属性‘Body’”。我相信问题是由node-soap生成的SOAP信封不正确,需要使用ns1而不是tns。请
我是一名优秀的程序员,十分优秀!