
I have a WCF client, and I need to use both certificate and username security at the same time.

In the signature of my outgoing header there are two Reference elements. One maps (via its URI) to the UsernameToken; my understanding is that the other Reference element should map to the SecurityTokenReference, but that is not the case.

The security section of my outgoing SOAP header looks like this:

    <o:UsernameToken u:Id="uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <o:Username>xxxxxxx</o:Username>
      <o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxxxxxx</o:Password>
    </o:UsernameToken>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#_1">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>FNjRLXvhojvaLY/4MhdtsK1cicE=</DigestValue>
        </Reference>
        <Reference URI="#uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-1">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>ZhCGi22F57ASm5YGVjLxe/s5wyY=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>CvxcSSur/epImkRyDh8AywiE3E6GabKzhQhGm/ISpHroWFEryIgpFCStZpGdvt6/QxXskgIiP39eQQILRm1CsTFBZkzP+mb1ktis2OlyiGOFfVNnOXVseOktMGt1WpeNlssFNk0prP9gy5EU3lWwxENvHFy8/IZZWCR8A4Cm+yA=</SignatureValue>
      <KeyInfo>
        <o:SecurityTokenReference>
          <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-3"/>
        </o:SecurityTokenReference>
      </KeyInfo>
    </Signature>

You can see that one Reference URI maps to the Id of the UsernameToken, but the other Reference URI is #_1, whereas I expected it to be #uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-3 (the URI of the SecurityTokenReference).

The code I use to create the custom binding is as follows:

    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Security;
    using System.ServiceModel.Security.Tokens;
    using System.Text;

    private Binding GetBinding()
    {
        // Mutual-certificate message security: the client signs with its own X.509
        // certificate and the service is identified by its certificate.
        AsymmetricSecurityBindingElement asbe = new AsymmetricSecurityBindingElement();
        asbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
        asbe.InitiatorTokenParameters = new X509SecurityTokenParameters();
        asbe.RecipientTokenParameters = new X509SecurityTokenParameters();
        asbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
        asbe.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
        asbe.IncludeTimestamp = false;
        asbe.SetKeyDerivation(false);
        asbe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15;

        // The UsernameToken is sent as a signed supporting token, which is why it gets
        // its own ds:Reference in SignedInfo.
        asbe.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());

        CustomBinding myBinding = new CustomBinding();
        myBinding.Elements.Add(asbe);
        myBinding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));

        HttpsTransportBindingElement httpsBindingElement = new HttpsTransportBindingElement();
        httpsBindingElement.RequireClientCertificate = true;
        myBinding.Elements.Add(httpsBindingElement);

        return myBinding;
    }

Does anyone know which configuration settings I need to change so that the Reference maps correctly to the SecurityToken?

Note that this question is really a sub-question of the main problem I describe in detail in How to make a WCF client conform to a specific WS-Security - Signing UsernameToken and SecurityTokenReference. It looks like signing the certificate is not something that can be done through OOTB configuration or property settings, so the answer probably lies in writing the signature block by hand. That is what I will look at next.

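Before rewriting the signature block, it helps to establish exactly which element each `ds:Reference` URI in `SignedInfo` covers, since an XML Signature's `KeyInfo` only identifies the signing key and is not itself a signed part unless a `Reference` points at it. The following checker is an added example, not code from the question or the answer: it indexes every element carrying a `u:Id` (or plain `Id`) attribute, resolves each `SignedInfo/Reference` URI against that index, and reports whether the token named in `KeyInfo/SecurityTokenReference` is among the signed parts. The embedded envelope is constructed for the example; its ids and digest values are placeholders, and the `Body` carrying `u:Id="_1"` is an assumption about this sample only, not a statement about the asker's message (whose Body is not shown above).

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

// Added example: resolve WS-Security signature References to the elements they cover.
public static class SignatureReferenceChecker
{
    const string DsNs   = "http://www.w3.org/2000/09/xmldsig#";
    const string WsuNs  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string WsseNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Constructed sample envelope (placeholder ids and values). That the Body carries
    // u:Id="_1" is an assumption for this sample; run the checker on a full captured
    // envelope to see what "#_1" names in a real message.
    const string SampleEnvelope = @"<s:Envelope xmlns:s=""http://schemas.xmlsoap.org/soap/envelope/""
  xmlns:o=""http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd""
  xmlns:u=""http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"">
  <s:Header>
    <o:Security>
      <o:BinarySecurityToken u:Id=""uuid-SAMPLE-3"">MIIB...placeholder</o:BinarySecurityToken>
      <o:UsernameToken u:Id=""uuid-SAMPLE-1""><o:Username>user</o:Username></o:UsernameToken>
      <Signature xmlns=""http://www.w3.org/2000/09/xmldsig#"">
        <SignedInfo>
          <Reference URI=""#_1""/>
          <Reference URI=""#uuid-SAMPLE-1""/>
        </SignedInfo>
        <SignatureValue>placeholder</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference><o:Reference URI=""#uuid-SAMPLE-3""/></o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body u:Id=""_1""><Ping/></s:Body>
</s:Envelope>";

    // Maps each SignedInfo/Reference URI to the local name of the element whose
    // wsu:Id (or plain Id) matches, or to "<unresolved>" if no element carries that id.
    public static Dictionary<string, string> ResolveReferences(XmlDocument doc)
    {
        XmlNamespaceManager ns = MakeNamespaceManager(doc);

        var elementsById = new Dictionary<string, XmlElement>();
        foreach (XmlElement el in doc.SelectNodes("//*[@u:Id or @Id]", ns))
        {
            string id = el.GetAttribute("Id", WsuNs);
            if (id.Length == 0) id = el.GetAttribute("Id");
            elementsById[id] = el;
        }

        var covered = new Dictionary<string, string>();
        foreach (XmlElement reference in doc.SelectNodes("//ds:Signature/ds:SignedInfo/ds:Reference", ns))
        {
            string uri = reference.GetAttribute("URI");
            string id = uri.StartsWith("#") ? uri.Substring(1) : uri;
            XmlElement target;
            covered[uri] = elementsById.TryGetValue(id, out target) ? target.LocalName : "<unresolved>";
        }
        return covered;
    }

    // Returns the URI named by KeyInfo/SecurityTokenReference/Reference, or null if absent.
    public static string SigningTokenUri(XmlDocument doc)
    {
        XmlNamespaceManager ns = MakeNamespaceManager(doc);
        XmlElement str = doc.SelectSingleNode(
            "//ds:Signature/ds:KeyInfo/o:SecurityTokenReference/o:Reference", ns) as XmlElement;
        return str == null ? null : str.GetAttribute("URI");
    }

    static XmlNamespaceManager MakeNamespaceManager(XmlDocument doc)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", DsNs);
        ns.AddNamespace("u", WsuNs);
        ns.AddNamespace("o", WsseNs);
        return ns;
    }

    public static void Main()
    {
        var doc = new XmlDocument();
        doc.PreserveWhitespace = true;
        doc.LoadXml(SampleEnvelope);

        Dictionary<string, string> covered = ResolveReferences(doc);
        foreach (KeyValuePair<string, string> kv in covered)
            Console.WriteLine("Reference {0} covers <{1}>", kv.Key, kv.Value);

        string tokenUri = SigningTokenUri(doc);
        Console.WriteLine("Signing token named in KeyInfo: {0}; covered by a Reference: {1}",
            tokenUri, tokenUri != null && covered.ContainsKey(tokenUri));
    }
}
```

To apply this to the real message, paste the full captured envelope (header and Body) in place of the sample; the output shows which element `#_1` resolves to and confirms whether the `#...-3` token from `KeyInfo` is signed. A `Reference` to the signing token only appears when the binding is configured to sign it, which is the behaviour the question is trying to obtain.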

1 Answer


Finally solved the problem I posted in the related question - How to make a WCF client conform to a specific WS-Security - Signing UsernameToken and SecurityTokenReference

answered 2012-11-07T00:02:56.003