Signing and Verifying WebService SOAP Messages for a Telecom System Interface

Before a message can be signed with WSSecurity, a keystore must be generated. The keystore holds the identity material (private key and certificate) needed for a digital signature; the following script creates it:
1. Create the keystore (Windows batch script; no -alias is given, so keytool stores the key under its default alias "mykey", which the Java code below relies on):
set SERVER_DN="CN=hellking-Server, OU=admin, O=admin, L=BEIJINGC, S=BEIJING, C=CN"
set KS_PASS=-storepass changeit
set KS_TYPE=-storetype JKS
set KEYINFO=-keyalg RSA
REM Generate the server-side keystore (batch files comment with REM, not #).
keytool -genkey -dname %SERVER_DN% %KS_PASS% %KS_TYPE% -keystore server.keystore %KEYINFO% -keypass changeit
2. Sign the SOAP message:
The SignAndVerifySoap class contains a method that signs an XML document, sign(): it signs the SOAP message and then writes out a WS-Security compatible SOAP message.
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import com.verisign.messaging.WSSecurity;
...   // the remaining TSIK imports (SigningKey, SigningKeyFactory, KeyInfo) are elided in the original post

public class SignAndVerifySoap {

    final String KEY_STORE = "server.keystore";   // the keystore created in step 1
    final String SOTE_PASS = "changeit";
    final String KEY_ALIAS = "mykey";              // keytool's default alias
    final String TARGET_FILE = "signed.xml";       // SOAP message after signing
    final String SOURCE_FILE = "source.xml";       // SOAP message before signing
    final String KEY_TYPE = "JKS";

    /**
     * Sign the XML (SOAP) message.
     */
    public void sign()
    {
        try
        {
            System.out.println("Signing the SOAP message, using keystore: " + KEY_STORE + "\n");

            // Load the private key and its certificate from the keystore
            System.out.println(KeyStore.getDefaultType());   // debug: this JVM's default keystore type
            KeyStore store = KeyStore.getInstance(KEY_TYPE);
            try (FileInputStream fileInputStream = new FileInputStream(KEY_STORE)) {
                store.load(fileInputStream, SOTE_PASS.toCharArray());
            }
            PrivateKey key = (PrivateKey) store.getKey(KEY_ALIAS, SOTE_PASS.toCharArray());
            X509Certificate certification = (X509Certificate) store.getCertificate(KEY_ALIAS);
            // Read the XML source file into a DOM document
            Document source = readFile(SOURCE_FILE);
            SigningKey signingKey = SigningKeyFactory.makeSigningKey(key);
            KeyInfo keyInfo = new KeyInfo();
            keyInfo.setCertificate(certification);   // the certificate travels with the message as a BinarySecurityToken
            WSSecurity wsSecurity = new WSSecurity();
            wsSecurity.setPreferredNamespace("http://schemas.xmlsoap.org/ws/2003/06/secext");
            // Sign the SOAP message in place (the header gains wsse:Security and a wsu:Timestamp)
            wsSecurity.sign(source, signingKey, keyInfo);
            // Save the signed SOAP message
            writeFile(source, new FileOutputStream(TARGET_FILE));
            System.out.println("Signed message written to: " + TARGET_FILE + ", check the result!");
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }

    /** Parse an XML file into a namespace-aware DOM document (helper the post calls but does not show). */
    private Document readFile(String path) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);   // required: WS-Security processing works on qualified names
        return factory.newDocumentBuilder().parse(new File(path));
    }

    /** Serialize the DOM document to the given stream (helper the post calls but does not show). */
    private void writeFile(Document doc, OutputStream out) throws Exception {
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(doc), new StreamResult(out));
        out.close();
    }

    // verify() in step 4 completes the class
Note: put wssecurity.jar, tsik.jar and source.xml on the classpath (the CLASSPATH environment variable).
3. The SOAP message before and after signing:
Before signing (source.xml):
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<ns1:getTax soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:ns1="http://sitech.webservices.com/">
<op1 xsi:type="xsd:double">5000.0</op1>
</ns1:getTax>
</soapenv:Body>
</soapenv:Envelope>
After signing (signed.xml):
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext">
<wsse:BinarySecurityToken EncodingType="wsse:Base64Binary"
ValueType="wsse:X509v3" wsu:Id="wsse-ee805a80-cd95-11d8-9cf9-fd6213c0f8be"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">MIICUjCCAbsCBEDB0GIwDQYJKoZIhvcNAQE…VkTkPw==
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#wsse-ee5308f0-cd95-11d8-9cf9-fd6213c0f8be">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ZjRVnI2g7kcX0h9r4JtiltpYQPA=</ds:DigestValue></ds:Reference>
<ds:Reference URI="#wsse-ee4e4e00-cd95-11d8-9cf9-fd6213c0f8be">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>moZ0d+8mH1kfNw0VEK39V0Td9EM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>fPpYrf0uNP8W2XVVIQNc3OQt2Wn90M/0uJ0dDZTNRR0NxBBBX36wSXt7NfI5Fmh4ru44Wk34EGI7mqMAE5O0
/wtIlFRJt3zAvA6k3nhgcYj6tn/9kZwwxh1RkFTfTX9xdQ6Xn+P6m+YBm1YEEcTWkJd7XcxdyDEns2kYOhONx1U=
</ds:SignatureValue>
<ds:KeyInfo><wsse:SecurityTokenReference>
<wsse:Reference URI="#wsse-ee805a80-cd95-11d8-9cf9-fd6213c0f8be"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security>
<wsu:Timestamp xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
<wsu:Created wsu:Id="wsse-ee4e4e00-cd95-11d8-9cf9-fd6213c0f8be">2004-07-04T08:41:23Z</wsu:Created>
</wsu:Timestamp></soapenv:Header>
<soapenv:Body wsu:Id="wsse-ee5308f0-cd95-11d8-9cf9-fd6213c0f8be"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
<ns1:getTax soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:ns1="http://hellking.webservices.com/">
<op1 xsi:type="xsd:double">5000.0</op1>
</ns1:getTax>
</soapenv:Body>
</soapenv:Envelope>
Note: in the signed SOAP message the header carries the signature together with the key material needed to verify it. <SignedInfo> </SignedInfo> describes which message content was signed: each <Reference> points, through its wsu:Id, at a signed element (here the Body and the Timestamp's Created element) and records that element's digest. <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> names the signature algorithm, which turns the output of the canonicalization algorithm into the signature value. The KeyInfo element identifies the signing certificate: here it is a SecurityTokenReference to the BinarySecurityToken, which carries the X.509 certificate itself.
4. Verify the signed SOAP message
Build a TrustVerifier object from the keystore's information, then call the verify method of WSSecurity to validate the message.
Verifying the signed SOAP message:
    /**
     * Verify an already signed SOAP message.
     */
    public void verify()
    {
        try
        {
            System.out.println("Verifying the SOAP message, using keystore: " + KEY_STORE + "\n");

            // Load the keystore; here it acts as the trust store whose certificates the verifier accepts
            KeyStore store = KeyStore.getInstance(KEY_TYPE);
            try (FileInputStream fileInputStream = new FileInputStream(KEY_STORE)) {
                store.load(fileInputStream, SOTE_PASS.toCharArray());
            }

            // Read the signed XML file into a DOM document
            Document source = readFile(TARGET_FILE);
            org.xmltrustcenter.verifier.TrustVerifier verifier =
                new org.xmltrustcenter.verifier.X509TrustVerifier(store);
            WSSecurity wsSecurity = new WSSecurity();
            com.verisign.messaging.MessageValidity[] resa =
                wsSecurity.verify(source, verifier, null, null);
            System.out.println("Verification result:");
            for (int len = 0; len < resa.length; len++) {
                System.out.println("result[" + len + "] = " + (resa[len].isValid() ? "valid" : "NOT valid"));
            }
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }
}
Run the verify method of SignAndVerifySoap; the result is shown in the attachment.
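The MessageValidity results above say whether each signature verified against the trust store; they do not by themselves tell the caller which elements that signature covers, so a receiver should also confirm that the ds:Reference URIs point at the wsu:Id of the one soapenv:Body and of the wsu:Created element before acting on the message. The class below is an added example, not code from the original post or from TSIK; it uses only the JDK DOM API over a constructed message in the shape of signed.xml, and the ids body-1 and ts-1 are assumed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SignedPartsCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSU = "http://schemas.xmlsoap.org/ws/2003/06/utility";
    // Constructed sample: the shape of signed.xml above, with token, digests and signature value left out
    static final String SAMPLE =
        "<soapenv:Envelope xmlns:soapenv='" + SOAP + "' xmlns:wsu='" + WSU + "'><soapenv:Header>"
      + "<wsse:Security xmlns:wsse='http://schemas.xmlsoap.org/ws/2003/06/secext'>"
      + "<ds:Signature xmlns:ds='" + DS + "'><ds:SignedInfo>"
      + "<ds:Reference URI='#body-1'/><ds:Reference URI='#ts-1'/>"
      + "</ds:SignedInfo></ds:Signature></wsse:Security>"
      + "<wsu:Timestamp><wsu:Created wsu:Id='ts-1'>2004-07-04T08:41:23Z</wsu:Created></wsu:Timestamp>"
      + "</soapenv:Header><soapenv:Body wsu:Id='body-1'><op1>5000.0</op1></soapenv:Body></soapenv:Envelope>";
    /** Returns the parts (Body, Created) NOT covered by any ds:Reference; an empty list means all are covered. */
    static List<String> uncoveredParts(Document doc) {
        Set<String> signedIds = new HashSet<>();
        NodeList refs = doc.getElementsByTagNameNS(DS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            if (uri.startsWith("#")) signedIds.add(uri.substring(1));
        }
        List<String> missing = new ArrayList<>();
        for (String[] part : new String[][] { { SOAP, "Body" }, { WSU, "Created" } }) {
            NodeList nodes = doc.getElementsByTagNameNS(part[0], part[1]);
            // exactly one such element may exist, and its wsu:Id must be one the signature references
            String id = nodes.getLength() == 1 ? ((Element) nodes.item(0)).getAttributeNS(WSU, "Id") : "";
            if (id.isEmpty() || !signedIds.contains(id)) missing.add(part[1]);
        }
        return missing;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, hence no XXE
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("intact message, uncovered parts: " + uncoveredParts(parse(SAMPLE)));
        // the same message with a Body the signature does not reference must be rejected, even if the signature verifies
        String retargeted = SAMPLE.replace("wsu:Id='body-1'", "wsu:Id='body-2'");
        System.out.println("re-targeted Body, uncovered parts: " + uncoveredParts(parse(retargeted)));
    }
}
```

Run this check after WSSecurity.verify() and reject the message whenever the returned list is non-empty; the timestamp's freshness is a separate check against the current time.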