1

我正在尝试与使用 SOAP 1.1 实现 WS-Security 并要求客户端对请求中的正文和时间戳进行签名的 Web 服务进行通信。在客户端,我使用 WCF 并且无法控制服务。代理接口ProtectionLevel.Sign在它们应该在的地方有它的 - 属性。

客户端还需要协商服务证书(TLS/SSL)并根据一些自定义规则验证服务签名证书。

到目前为止,我获得连接的最佳尝试是使用此绑定: 

var b = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
b.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
b.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
b.TextEncoding = new UTF8Encoding();

它导致下面的请求,其中只有时间戳签名 - 而不是正文。服务响应签名无效。

我尝试使用 CustomBinding 和SecurityBindingElement.CreateCertificateOverTransportBindingElement-function 来创建安全元素,但它产生了相同的结果。

使用SecurityBindingElement.CreateMutualCertificateBindingElement-function,body 和 timestamp 都被签名了,但是现在 WCF 要求我指定服务证书,这应该在 TLS/SSL 握手期间进行协商。

请求: 

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <u:Timestamp u:Id="_0">
            <u:Created>2013-03-11T15:41:19.744Z</u:Created>
            <u:Expires>2013-03-11T15:46:19.744Z</u:Expires>
        </u:Timestamp>
        <o:BinarySecurityToken u:Id="uuid-75db13c1-3c82-4e31-8dbf-75af257850ac-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">..REMOVED..</o:BinarySecurityToken>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_0">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <DigestValue>z2Q9Bb/I1Mo7DJFZ3uXA42JSH0AJJguvIfnYMxlKBAg=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>FgvpaSy+Zg3PHul6q2//Wc1lp+z+tuPCFKcLFp5edYvApb8yDwVDhuRuYPfn5K2TdGpQQekV095WZofIpIUV5aA+VBzf0/qVMP9hvOCqloyjJF3FWiMC829yFE8ePrYT3c1VXWSZi1172E7iRTNetz5ZmRYKAlcy6t7MaIq++q6MlM0gkK/w/W5qWVLIvopf2MQc+V+PBBmx7nWKGzF4SxIgdD4JeGOUzIND68OozBYD7jrvHLeYUjUzmBCkrLKm2bXDDksrV9rJHZdoizKrC7C59uRPh+gG5pl2pMLYtimFnwot3L4lvysBG0apAftxXat091c5a4JtKAvuDiWOFQ==</SignatureValue>
            <KeyInfo>
                <o:SecurityTokenReference>
                    <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-75db13c1-3c82-4e31-8dbf-75af257850ac-1"/>
                </o:SecurityTokenReference>
            </KeyInfo>
        </Signature>
    </o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <Request xmlns="http://theurltotheservice">
        <Value>123456789</Value>
    </Request>
</s:Body>

4

0 回答 0