用X509证书实现WSSecurity npm'Soap'

问题的第一部分:

使用npm的肥皂,我试图做一个肥皂调用下面的端点var url

 var sslRootCAs = require('ssl-root-cas/latest') sslRootCAs.inject(); var soap = require('soap'); var url = 'https://ws.conf.ebs.health.gov.on.ca:1440/HCVService/HCValidationService?wsdl'; var args = {name: 'value'}; soap.createClient(url, function(err, client) { if (err) { console.log(err); } else console.log(client); }); 

我收到callback错误为:

 { [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' } 

上面的错误发生了什么,虽然我有Certs。

问题的第2部分:

我收到了以下信息:

***信息开始

  1. 点击WSDL链接: https : //ws.conf.ebs.health.gov.on.ca : 1440/ HCVService/ HCValidationService?wsdl

  2. 点击地址栏旁边的安全报告图标

  3. 点击查看证书

  4. 安装证书

你需要获得你自己的安全证书。 对于IDP模式,卫生部将接受自签名证书或由证书颁发机构颁发的证书。

a)您将使用您的证书的私钥签署HCV请求;

b)我们将收到请求并进行处理;

c)我们将发回由我们的证书(go-pki_cacert.arm)的私钥签署的回应。 这就是为什么您必须在您的信任存储区中拥有go-pki_cacert.arm证书(加上以前电子邮件中提到的其他两个证书)。

d)响应中的密钥将使用从您的证书中检索到的公共密钥进行encryption。 所以,你的相应的私人

密钥必须被用来解密它。 公钥的所有位都被使用。 然后您可以使用提供的密钥解密正文/消息内容。

信息结束***

我提供了所有凭据,还有一些示例请求也要发送。

以下是示例XML请求:

 <soapenv:Envelope xmlns:ebs="http://ebs.health.ontario.ca/" xmlns:hcv="http://hcv.health.ontario.ca/" xmlns:idp="http://idp.ebs.health.ontario.ca/" xmlns:msa="http://msa.ebs.health.ontario.ca/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-FF9156B4BEE23716A1142978895556413">MIIGQzC..truncated..CPo=</wsse:BinarySecurityToken> <ds:Signature Id="SIG-30" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ebs hcv idp msa soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#UsernameToken-26"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ebs hcv idp msa soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>nuqM1lGK6rOVruau3woc66AsvIs=</ds:DigestValue></ds:Reference><ds:Reference URI="#TS-25"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="wsse ebs hcv idp msa soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>YHFurnR786jGnU0dmhB6AuZMWf0=</ds:DigestValue></ds:Reference><ds:Reference URI="#id-27"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="hcv idp msa soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>4HrW5GODU3lE87D24YfwxjGwgCo=</ds:DigestValue></ds:Reference><ds:Reference URI="#id-28"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ebs hcv msa soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>mfmdQegqmjMNvXyV0FYGiJwqrwc=</ds:DigestValue></ds:Reference><ds:Reference URI="#id-29"> <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ebs hcv idp msa" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>HiE8JaUo37dckfkchYYve9S6LuQ=</ds:DigestValue></ds:Reference></ds:SignedInfo> <ds:SignatureValue>tAb..truncated..Q==</ds:SignatureValue> <ds:KeyInfo Id="KI-FF9156B4BEE23716A1142978895556414"><wsse:SecurityTokenReference wsu:Id="STR-FF9156B4BEE23716A1142978895556415"> <wsse:Reference URI="#X509-FF9156B4BEE23716A1142978895556413" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature> <wsse:UsernameToken wsu:Id="UsernameToken-26"> <wsse:Username>confsu141@gmail.com</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Your_Password</wsse:Password></wsse:UsernameToken> <wsu:Timestamp wsu:Id="TS-25"><wsu:Created>2015-04-23T11:35:55Z</wsu:Created> <wsu:Expires>2015-04-23T11:45:55Z</wsu:Expires></wsu:Timestamp></wsse:Security> <idp:IDP wsu:Id="id-28" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <ServiceUserMUID>011210</ServiceUserMUID> </idp:IDP> <ebs:EBS wsu:Id="id-27" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <SoftwareConformanceKey>b832708a-52a7-45bc-a221-7930267617db</SoftwareConformanceKey> <AuditId>Your_UniqueAuditID</AuditId> </ebs:EBS> </soapenv:Header> <soapenv:Body wsu:Id="id-29" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <hcv:validate> <requests> <hcvRequest> <healthNumber>1216070563</healthNumber> <versionCode>ML</versionCode> <feeServiceCodes>A110</feeServiceCodes> </hcvRequest> </requests> <locale>en</locale> </hcv:validate> </soapenv:Body> </soapenv:Envelope> 

我们如何使用Node.js来实现这个? 我已经通读了SOAP WS-security,但我不知道! 在node.js中实现

安装证书不起作用,因为它只是将证书保存到操作系统的可信存储区,但是您的节点程序不会读取它,因此您需要使用ssl-root-cas模块在内存中构build可信存储区,以便您程序可以读取。 对于通用的https请求,你需要使用require('ssl-root-cas/latest').inject()来加载一个可信任的存储所有的证书,但是由于你的端点需要特定的证书,所以你需要添加他们手动代替:

 require('ssl-root-cas') .addFile('[phyical path to root cert]') .addFile('[phyical path to chain cert]') .addFile('[phyical path to signing cert]'); //This one you don't need to read its wsdl.