BinarySecurityToken is not signed in the response SOAP message

Time: 2014-07-19 09:06:59

Tags: .net wcf soap ws-security

My original requirement was to call a web service created in .NET from Java using a specific ws-security policy (created in an Oracle product). The security header should contain a timestamp and an X509 certificate, and both should be signed. Nothing else should be signed or encrypted.

I ended up with this configuration on the server side:

Binding:

public override BindingElementCollection CreateBindingElements()
{
    BindingElementCollection be = new BindingElementCollection();
    // Initiator token: the client's X509 certificate, always sent to the service.
    // Recipient token: the service's X509 certificate, always sent back to the client.
    X509SecurityTokenParameters initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
    X509SecurityTokenParameters recipient = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToInitiator);
    AsymmetricSecurityBindingElement element = new AsymmetricSecurityBindingElement(recipient, initiator);
    element.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128;
    element.AllowSerializedSigningTokenOnReply = true;
    element.SetKeyDerivation(false);
    element.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
    element.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
    element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
    element.IncludeTimestamp = true;
    element.RequireSignatureConfirmation = false;

    // Additional X509 token carried as a signed endpoint supporting token,
    // i.e. it must be covered by the message signature.
    X509SecurityTokenParameters x509Token = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
    element.EndpointSupportingTokenParameters.Signed.Add(x509Token);

    be.Add(element);
    be.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap12, Encoding.UTF8));
    be.Add(new HttpTransportBindingElement());
    return be;
}

Behavior:

<serviceBehaviors>
  <behavior name="behavior0">
    <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
    <serviceDebug includeExceptionDetailInFaults="true" />
    <serviceCredentials>
      <clientCertificate>
        <certificate findValue="testClientCert" x509FindType="FindBySubjectName" />
        <authentication certificateValidationMode="None" />
      </clientCertificate>
      <serviceCertificate findValue="testClientCert" storeLocation="LocalMachine"
        storeName="My" x509FindType="FindBySubjectName" />
    </serviceCredentials>
  </behavior>
</serviceBehaviors>

I created a .NET client to test the service:

// Same token layout as the server binding: client cert goes to the service, service cert comes back.
X509SecurityTokenParameters initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
X509SecurityTokenParameters recipient = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToInitiator);
AsymmetricSecurityBindingElement asbe = new AsymmetricSecurityBindingElement(recipient, initiator);
asbe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128;
asbe.AllowSerializedSigningTokenOnReply = true;
asbe.SetKeyDerivation(false);
asbe.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
asbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
asbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
asbe.IncludeTimestamp = true;
asbe.RequireSignatureConfirmation = false;

// Signed endpoint supporting token, mirroring the server side.
X509SecurityTokenParameters x509Token = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
asbe.EndpointSupportingTokenParameters.Signed.Add(x509Token);

CustomBinding myBinding = new CustomBinding();
myBinding.Elements.Add(asbe);
myBinding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap12, Encoding.UTF8));
myBinding.Elements.Add(new HttpTransportBindingElement());

var c = new ServiceReference1.Service1Client(myBinding, new EndpointAddress(new Uri("http://ipv4.fiddler:8733/Design_Time_Addresses/WcfServiceLibrary1/Service1/"), EndpointIdentity.CreateDnsIdentity("testClientCert")));
// Body is neither signed nor encrypted; only the security header parts are protected.
c.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.None;
// Test setup only: certificate validation disabled, the same test PFX used for client and service.
c.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
c.ClientCredentials.ServiceCertificate.DefaultCertificate = new X509Certificate2(Application.StartupPath + "\\cert.pfx", "123");
c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(Application.StartupPath + "\\cert.pfx", "123");

c.Open();
string s = c.GetEntitiesAndCategories(1, false, 1, 1);
c.Close();

The certificate is only for testing, so validation has been removed.

The generated request is as follows:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <s:Header>
      <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <u:Timestamp u:Id="uuid-973e20be-a27f-4913-b09a-c6cb237d7269-1">
            <u:Created>2014-07-19T08:32:02.576Z</u:Created>
            <u:Expires>2014-07-19T08:37:02.576Z</u:Expires>
         </u:Timestamp>
         <o:BinarySecurityToken u:Id="uuid-f368e0c3-c3e4-4322-8917-6a72fa905925-3" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIICujCCAaKgAwIBAgIQIJZKpog...</o:BinarySecurityToken>
         <o:BinarySecurityToken u:Id="uuid-f368e0c3-c3e4-4322-8917-6a72fa905925-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIICujCCAaKgAwIBAgIQIJZKpog...</o:BinarySecurityToken>
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
               <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <Reference URI="#uuid-973e20be-a27f-4913-b09a-c6cb237d7269-1">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>CS77SJrVwQeO...</DigestValue>
               </Reference>
               <Reference URI="#uuid-f368e0c3-c3e4-4322-8917-6a72fa905925-1">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>8+XB5CeRS1Dg...</DigestValue>
               </Reference>
            </SignedInfo>
            <SignatureValue>yEOEi/I2UWgfpquf...</SignatureValue>
            <KeyInfo>
               <o:SecurityTokenReference>
                  <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-f368e0c3-c3e4-4322-8917-6a72fa905925-3"/>
               </o:SecurityTokenReference>
            </KeyInfo>
         </Signature>
      </o:Security>
   </s:Header>
   <s:Body>
      <GetEntitiesAndCategories xmlns="http://tempuri.org/">
         <CategoryUniqueId>1</CategoryUniqueId>
         <UpdateFlag>false</UpdateFlag>
         <BankStatus>1</BankStatus>
         <MOFStatus>1</MOFStatus>
      </GetEntitiesAndCategories>
   </s:Body>
</s:Envelope>

Looks fine, apart from the 2 BinarySecurityTokens (although I don't think that would be a problem).

Here is the response:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <s:Header>
      <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <u:Timestamp u:Id="uuid-73af63b9-1209-4aa5-8f95-ccfc7d4b1aa6-1">
            <u:Created>2014-07-19T08:32:03.280Z</u:Created>
            <u:Expires>2014-07-19T08:37:03.280Z</u:Expires>
         </u:Timestamp>
         <o:BinarySecurityToken u:Id="uuid-2be01f1c-de54-4783-b66c-bbf12cc04f0f-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIICujCCAaKgAwIBAgIQIJZKpog4S...</o:BinarySecurityToken>
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
               <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <Reference URI="#uuid-73af63b9-1209-4aa5-8f95-ccfc7d4b1aa6-1">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>JoS/7oKzJUjs...</DigestValue>
               </Reference>
            </SignedInfo>
            <SignatureValue>wzRP6QHSoj...</SignatureValue>
            <KeyInfo>
               <o:SecurityTokenReference>
                  <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-2be01f1c-de54-4783-b66c-bbf12cc04f0f-2"/>
               </o:SecurityTokenReference>
            </KeyInfo>
         </Signature>
      </o:Security>
   </s:Header>
   <s:Body>
      <GetEntitiesAndCategoriesResponse xmlns="http://tempuri.org/">
         <GetEntitiesAndCategoriesResult>You entered: 1, False, 1, 1</GetEntitiesAndCategoriesResult>
      </GetEntitiesAndCategoriesResponse>
   </s:Body>
</s:Envelope>

The response does not contain a signature over the BinarySecurityToken; only the timestamp is signed.

-> How can I get it signed in the reply?

Thanks.
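A check for exactly the gap the question describes, added here and not part of the original post: it parses a WS-Security header, lists every wsu:Id-bearing part and reports which of them the ds:Signature actually references, and which one is the token named in KeyInfo. The sample envelope is a constructed, trimmed copy of the response above (ids and Base64 values shortened).

```python
"""Report which parts of a WS-Security header are covered by its XML signature."""
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["u"]

# Constructed sample: the response from the question, trimmed, with shortened ids and values.
RESPONSE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <u:Timestamp u:Id="ts-1"><u:Created>2014-07-19T08:32:03.280Z</u:Created><u:Expires>2014-07-19T08:37:03.280Z</u:Expires></u:Timestamp>
  <o:BinarySecurityToken u:Id="bst-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIICujCC...</o:BinarySecurityToken>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
   <Reference URI="#ts-1"><DigestValue>JoS/7oKzJUjs...</DigestValue></Reference>
  </SignedInfo><SignatureValue>wzRP6QHSoj...</SignatureValue>
  <KeyInfo><o:SecurityTokenReference><o:Reference URI="#bst-2"/></o:SecurityTokenReference></KeyInfo>
  </Signature></o:Security></s:Header><s:Body/></s:Envelope>"""

def signature_coverage(envelope_xml):
    """For each wsu:Id-bearing child of wsse:Security return its name, id, whether a
    ds:Reference covers it, and whether it is the signing token named in ds:KeyInfo."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("s:Header/o:Security", NS)
    sig = sec.find("ds:Signature", NS) if sec is not None else None
    if sig is None:
        raise ValueError("no signed wsse:Security header")
    refs = {r.get("URI", "").lstrip("#") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    key_ref = sig.find("ds:KeyInfo/o:SecurityTokenReference/o:Reference", NS)
    signing_token = key_ref.get("URI", "").lstrip("#") if key_ref is not None else None
    parts = []
    for child in sec:
        wsu_id = child.get(WSU_ID)
        if wsu_id is None:          # e.g. the Signature element itself carries no wsu:Id
            continue
        parts.append({"name": child.tag.split("}")[1], "id": wsu_id,
                      "signed": wsu_id in refs, "signing_token": wsu_id == signing_token})
    return parts

def unsigned_parts(envelope_xml):
    """Names of header parts that carry a wsu:Id but are not referenced by the signature."""
    return [p["name"] for p in signature_coverage(envelope_xml) if not p["signed"]]

if __name__ == "__main__":
    for p in signature_coverage(RESPONSE):
        print(p)
    print("unsigned:", unsigned_parts(RESPONSE))
```

Run against the real captures (request and response) to confirm which token each side signs; on the response sample it reports the BinarySecurityToken as both the signing token and unsigned.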

0 answers