I am developing a client SOAP service with Spring Boot and Spring WS that sends SOAP messages to a target service, using a trusted certificate to encrypt the request message. The target service encrypts the response with the public key from a public/private key pair that I generated. Both the trusted certificate (used to encrypt the request) and the private key (used to decrypt the response) are in a .jks file. The request is encrypted and processed correctly by the target service, but I am having trouble decrypting and validating the response. This is the error message I get:
```
DEBUG o.s.w.s.s.w.Wss4jSecurityInterceptor - Validating message [SaajSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData] with actions [NoSecurity]
ERROR o.apache.wss4j.common.crypto.Merlin - Cannot find key for alias: [null] in keystore of type [jks] from provider [SUN version 1.8] with size [2] and aliases: {clientalias, serveralias}
WARN o.s.w.s.s.w.Wss4jSecurityInterceptor - Could not validate request: Cannot find key for alias: [null]; nested exception is org.apache.wss4j.common.ext.WSSecurityException: Cannot find key for alias: [null]
```
I am using Wss4jSecurityInterceptor:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.callback.KeyStoreCallbackHandler;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

// Config and Securement are the application's own configuration-properties classes
@Bean
public Wss4jSecurityInterceptor securityInterceptor(Config c, CryptoFactoryBean cryptoFactoryBean) throws Exception {
    Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
    Securement securement = c.getSecurement();

    // set security actions
    securityInterceptor.setSecurementActions(securement.getActions());

    // sign the request
    securityInterceptor.setSecurementUsername(securement.getUsername());
    securityInterceptor.setSecurementPassword(securement.getPassword());
    securityInterceptor.setSecurementSignatureCrypto(cryptoFactoryBean.getObject());

    // encrypt the request
    securityInterceptor.setSecurementEncryptionUser(securement.getEncryptionUser());
    securityInterceptor.setSecurementEncryptionCrypto(cryptoFactoryBean.getObject());
    securityInterceptor.setSecurementEncryptionParts(securement.getEncryptionParts());
    securityInterceptor.setSecurementSignatureKeyIdentifier(securement.getSignatureKeyIdentifier());

    // decrypt the response
    KeyStoreCallbackHandler keyStoreCallbackHandler = new KeyStoreCallbackHandler();
    keyStoreCallbackHandler.setPrivateKeyPassword("xxxxx");
    securityInterceptor.setValidationCallbackHandler(keyStoreCallbackHandler);
    securityInterceptor.setValidationActions("NoSecurity");
    securityInterceptor.setValidationDecryptionCrypto(cryptoFactoryBean.getObject());

    return securityInterceptor;
}
```
How do I correctly use the private key stored under an alias in the .jks to decrypt the response?
Edit: I had to set the actor on the interceptor to get the key from the keystore correctly:

```java
securityInterceptor.setValidationActor("clientalias");
```
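For reference, here is a complete client-side configuration of the same interceptor, written as an added example rather than taken from the question above. It wires the keystore once through CryptoFactoryBean, uses that crypto for signing, encryption, signature validation and decryption, and gives KeyStoreCallbackHandler the keystore it needs to look up the private key. The aliases clientalias and serveralias are taken from the error log in the question; the keystore path, the passwords and the key-identifier type are assumptions, and the validation actions are set to "Signature Encrypt" so that the response is actually verified and decrypted rather than passed through unchecked. The setValidationActor call reproduces the fix the question reports.

```java
import java.io.InputStream;
import java.security.KeyStore;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.callback.KeyStoreCallbackHandler;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

@Configuration
public class WsSecurityConfig {

    // Assumed values: replace with the real keystore location and secrets
    // (ideally injected from configuration, not hard-coded).
    private static final String KEYSTORE_PATH = "client-keystore.jks";   // placeholder
    private static final String KEYSTORE_PASSWORD = "keystore-password"; // placeholder
    private static final String PRIVATE_KEY_PASSWORD = "key-password";   // placeholder

    // Aliases as listed in the log: our own key pair and the server's certificate.
    private static final String CLIENT_ALIAS = "clientalias";
    private static final String SERVER_ALIAS = "serveralias";

    @Bean
    public CryptoFactoryBean cryptoFactoryBean() {
        // One Crypto over the JKS that holds both the private key and the trusted certificate.
        CryptoFactoryBean crypto = new CryptoFactoryBean();
        crypto.setKeyStoreLocation(new ClassPathResource(KEYSTORE_PATH));
        crypto.setKeyStorePassword(KEYSTORE_PASSWORD);
        crypto.setKeyStoreType("jks");
        return crypto;
    }

    @Bean
    public KeyStore keyStore() throws Exception {
        // The callback handler needs the KeyStore itself to resolve the private key.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new ClassPathResource(KEYSTORE_PATH).getInputStream()) {
            ks.load(in, KEYSTORE_PASSWORD.toCharArray());
        }
        return ks;
    }

    @Bean
    public Wss4jSecurityInterceptor securityInterceptor(CryptoFactoryBean cryptoFactoryBean,
                                                       KeyStore keyStore) throws Exception {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Outgoing request: sign with our private key, encrypt for the server's certificate.
        interceptor.setSecurementActions("Signature Encrypt");
        interceptor.setSecurementUsername(CLIENT_ALIAS);
        interceptor.setSecurementPassword(PRIVATE_KEY_PASSWORD);
        interceptor.setSecurementSignatureCrypto(cryptoFactoryBean.getObject());
        interceptor.setSecurementSignatureKeyIdentifier("DirectReference"); // assumed choice
        interceptor.setSecurementEncryptionUser(SERVER_ALIAS);
        interceptor.setSecurementEncryptionCrypto(cryptoFactoryBean.getObject());

        // Incoming response: verify the server's signature, then decrypt with our private key.
        KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();
        callbackHandler.setKeyStore(keyStore);
        callbackHandler.setPrivateKeyPassword(PRIVATE_KEY_PASSWORD);

        interceptor.setValidationActions("Signature Encrypt");
        interceptor.setValidationActor(CLIENT_ALIAS); // the fix reported in the question
        interceptor.setValidationCallbackHandler(callbackHandler);
        interceptor.setValidationSignatureCrypto(cryptoFactoryBean.getObject());
        interceptor.setValidationDecryptionCrypto(cryptoFactoryBean.getObject());
        return interceptor;
    }
}
```

Register the interceptor on the WebServiceTemplate (for example via `template.setInterceptors(new ClientInterceptor[] { securityInterceptor })`). Keeping the validation actions explicit matters from a security standpoint: with "NoSecurity" the interceptor performs no signature verification on the response, so an unsigned or tampered reply would not be rejected.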