“*Certificate not found* (from client)” when calling Web Service that requires signing

问题

I have a peculiar problem when calling a web service that expects the message to be signed using WS-Security. If I call using my client application (using Apache CXF) I get a HTTP 500 error message:

*Certificate not found* (from client)

while if I call the same service using SoapUI, configured for signing with the same key and key-store, it works as expected.

I noticed that the <KeyInfo> part of the call differs between CXF and SoapUI. With CXF (as below) the KeyInfo is a lot more detailed with <X509Data> sections etc while the SoapUI call contains just a simple <SecurityTokenReference>. I suspect that this difference might be the cause of the server not being able to identify the certificate used for signing.

Unfortunately I'm not in control of the server side thus I cannot do much investigation there. It would be nice to know if this is a known problem and if there are any workarounds?

Regards, Ola

CXF:

<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="KeyId-1007572087">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-1355509614"><ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509IssuerSerial xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#">C=SE,O=Company,CN=Company Test Corporate CA 01,SERIALNUMBER=516406-0120</ds:X509IssuerName>
    <ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#">29382</ds:X509SerialNumber>
</ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>

SoapUI:

<ds:KeyInfo Id="KeyId-850CCDA383426C4A1E129683271974138"><wsse:SecurityTokenReference wsu:Id="STRId-850CCDA383426C4A1E129683271974139" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Reference URI="#CertId-850CCDA383426C4A1E129683271974137" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/></wsse:SecurityTokenReference></ds:KeyInfo>

回答1:

Apparently the trick is to configure the WSS4JOutInterceptor's signatureKeyIdentifier property to "DirectReference" which creates a KeyInfo similar to SoapUI, i.e. it's accepted by the server.

            <spring:bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
            <spring:constructor-arg>
                <spring:map>
                    <spring:entry key="signatureKeyIdentifier" value="DirectReference"/>
                </spring:map>

回答2:

The server is expecting the clients public certificate to be embedded in the request, which is what the signatureKeyIdentifier value of DirectReference does. The other option is for the server to store all the client public certificates and for the request to have an identifier for the server to identify the correct public cert and validate the signature(your first case).

来源：https://stackoverflow.com/questions/4918987/certificate-not-found-from-client-when-calling-web-service-that-requires-s