Make friends: Apache CXF client + WSS4J + CryptoPro

Many of you who worked with government webservices know that the information passed to the service should be signed with GOST algorithm. This leads to the use of CryptoPro library. So here is the interesting part. What I have:

1. jdk 1.6.0.38 + JCP CryptoPro
2. ready to use keystore
3. wss4j 1.6.6
4. apache cxf 2.6.1 
5. XMLDSigRI.jar

Generate the client to webservice.
Then, configure the crypto.properties file for wss4j: org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=HDImageStore
org.apache.ws.security.crypto.merlin.keystore.password=1234567890
org.apache.ws.security.crypto.merlin.keystore.alias=tester
org.apache.ws.security.crypto.merlin.keystore.file=c:/cert.store

Then, configure your client:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
          http://www.springframework.org/schema/beans 
          http://www.springframework.org/schema/beans/spring-beans.xsd
          http://cxf.apache.org/jaxws 
          http://cxf.apache.org/schemas/jaxws.xsd">
 <!-- The SOAP client bean -->
  <jaxws:client id="client"
                serviceClass="ru.my.IService"
                address="http://test/IService/IdentificationService.svc">
    <jaxws:inInterceptors>
      <bean class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
    </jaxws:inInterceptors>
     <jaxws:outInterceptors>
         <bean class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
         <ref bean="wss4jOutConfiguration" /> 
     </jaxws:outInterceptors>
   </jaxws:client>
 <bean id="wss4jOutConfiguration" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
  <property name="properties">
  <map>
  <entry key="action" value="Signature"/>
  <entry key="signaturePropFile" value="crypto.properties"/>
  <entry key="signatureKeyIdentifier" value="DirectReference"/>  
  <entry key="user" value="tester"/> 
  <entry key="signatureUser" value="tester"/>
  <entry key="passwordCallbackClass" value="ru.client.KeystorePasswordCallback"></entry> 
     <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#gostr3411"/>
        <entry key="signatureAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#gostr34102001-gostr3411"/>       
      </map>
  </property>
</bean>
</beans>

Everything seems good, but your client won't work.
Here is the example of client:

    ClassPathXmlApplicationContext context = new ClassPathXmlApplicationContext(new String[]{"applicationContext.xml"});

        ru.IService client = (ru.IService) context.getBean("client");

        ru.CryptoPro.JCPxml.XmlInit.init();

        if(!JCPXMLDSigInit.isInitialized()){
            JCPXMLDSigInit.init();
        }

        Result res = client.callMethod(123);

For this to work I had to patch WSS4j. Download the sources for WSS4j 1.6.6 and edit the file org.apache.ws.security.message.WSSecSignature.java. Find the init method and replace it with this code:

  private void init() {
        Provider xmlDSigProvider = new ru.CryptoPro.JCPxml.dsig.internal.dom.XMLDSigRI();
        signatureFactory = XMLSignatureFactory.getInstance("DOM", xmlDSigProvider);//XMLSignatureFactory.getInstance("DOM");
        keyInfoFactory = KeyInfoFactory.getInstance("DOM", xmlDSigProvider);
    }

       
Compile the file and add the compiled class to the wss4j jar.
After this, I could successfully run the client.