.net - 无效的 WS 安全标头 - IRS ACA SOAP 请求

Question

我正在向RequestSubmissionStatusDetail美国国税局提交申请。

这是我的问题。在向 IRS 提交以下文件时，我总是收到“Invalid WS Security Header”。我不知道我的请求的哪一部分导致此提交不成功。

我已经用 VB 和 C# 编写了代码。我已经使用 Fiddler 拦截了请求，还使用 Altova XMLSpy 将原始 XML 请求发送到 IRS 端点。

这是代码，几乎是从 PDF 中逐行删除的，减去密钥和 TCC。

    POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Status_Request_AATS2016 HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    VsDebuggerCausalityData: uIDPo1urdU71mo5BnU/TZ/Ji3p0AAAAAddUwh6B4CU6+F/jOewcN7JE6Ql8n+R1PofxFBfDEEg4ACQAA
    SOAPAction: "RequestSubmissionStatusDetail"
    Host: la.www4.irs.gov
    Content-Length: 4044
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive

    <soapenv:Envelope xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:us:gov:treasury:irs:msg:irstransmitterstatusrequest" xmlns:urn1="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:urn2="urn:us:gov:treasury:irs:common" xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader">  
        <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">   
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">    
                <ds:Signature Id="SIG-82E7E6716E615C14D6144736030986660" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">     
                    <ds:SignedInfo>      
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />      
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />      
                        <ds:Reference URI="#TS-82E7E6716E615C14D6144736030986559">       
                            <ds:Transforms>        
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
                                    <InclusiveNamespaces PrefixList="wsse wsa oas1 soapenv urn urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />                                       
                                </ds:Transform>       
                            </ds:Transforms>       
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />       
                            <ds:DigestValue>sgPiL73lIwOppVKHHUFkuWDEcLM=</ds:DigestValue>
                            <!-- DigestValue from Timestamp -->                 
                        </ds:Reference>      
                        <ds:Reference URI="#id-82E7E6716E615C14D6144736030986558">       
                            <ds:Transforms>        
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
                                    <InclusiveNamespaces PrefixList="wsa oas1 soapenv urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />        
                                </ds:Transform>       
                            </ds:Transforms>       
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />       
                            <ds:DigestValue>S3OdSc3rZ8V1egoyPGzi31n8gq8=</ds:DigestValue>        
                            <!-- DigestValue from ACABusinessHeader -->                      
                        </ds:Reference>      
                        <ds:Reference URI="#id-82E7E6716E615C14D6144736030986559">       
                            <ds:Transforms>        
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">         
                                    <InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />        
                                </ds:Transform>       
                            </ds:Transforms>       
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />       
                            <ds:DigestValue>wOSkrI5NmQ5i5/wgjNEIoNODy+A=</ds:DigestValue>       
                            <!-- DigestValue from ACABulkRequestTransmitterStatusDetailRequest -->      
                        </ds:Reference>     
                    </ds:SignedInfo>    
                    <ds:SignatureValue>ddLCWffcBk5/PxqnJLMUM9lWWYWX7ucKQ4vPvM/qEj9IkJ0SVDytcjn0Az9Cge0nxOHI0NWCtAzbWzcUjHtUgt8A4rnxTTShQbIP3hPIX5UghS/Y6OEvOq8RvXL1S3R8nhX/nPrQSoPq6SpEz2HKq/ST5OrsstMvSpM0hCCinEKeLmLqkjfZw5wZVEeNwQIjghcsqQe7Q9crYhgdDwuvtixcoLw0JCgCiMr9yCmFsV4X+CklPuu4/bMUcuipE5fnSpqoZ6Sxp+UFlF3yzMXH6hKFRO7LRsXtwStN1kBwPJW5iPZ6b+X0Zlrc7gYTg1dHi3kcm3gLCRQ9ou+fZa7jnQ==</ds:SignatureValue>    
                    <ds:KeyInfo Id="KI-82E7E6716E615C14D6144736030986456">    
                        <wsse:SecurityTokenReference wsu:Id="STR-82E7E6716E615C14D6144736030986457">    
                            <wsse:KeyIdentifier  EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509v3">
                                removed
                            </wsse:KeyIdentifier>      
                        </wsse:SecurityTokenReference>     
                    </ds:KeyInfo>    
                </ds:Signature>    
                <wsu:Timestamp wsu:Id="TS-82E7E6716E615C14D6144736030985954">     
                    <wsu:Created>2016-01-07T20:31:49.859Z</wsu:Created>     
                    <wsu:Expires>2016-01-07T23:01:49.859Z</wsu:Expires>    
                </wsu:Timestamp>    
            </wsse:Security>   
            <urn:ACABusinessHeader wsu:Id="id-82E7E6716E615C14D6144736030986558"    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">    
                <urn1:UniqueTransmissionId>d4121eb6-29e8-4ebe-a485-0b2bf55fcb67:SYS12:XXXXX::T</urn1:UniqueTransmissionId>    
                <urn2:Timestamp>2016-01-07T15:31:49Z</urn2:Timestamp>   
            </urn:ACABusinessHeader>   
            <urn3:ACASecurityHeader />   
            <wsa:Action>RequestSubmissionStatusDetail</wsa:Action>  
        </soapenv:Header>  
        <soapenv:Body>   
            <urn:ACABulkRequestTransmitterStatusDetailRequest    version="1.0" wsu:Id="id-82E7E6716E615C14D6144736030986559"    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">    
            <urn1:ACABulkReqTrnsmtStsReqGrpDtl>     
                <urn2:ReceiptId>1094B-15-99700283</urn2:ReceiptId>    
            </urn1:ACABulkReqTrnsmtStsReqGrpDtl>   
            </urn:ACABulkRequestTransmitterStatusDetailRequest>  
        </soapenv:Body> 
    </soapenv:Envelope>

score 0 · Accepted Answer

如果要连接到 SOAPUI 中的 WS 标题，您需要设置：

这是因为使用了绑定（wsHttpBinding）：

<endpoint address="" binding="wsHttpBinding" bindingConfiguration="httpsBindingService" contract="Namespace.Contract"/>

我强烈建议不要走 wsHttpBinding 路线，而是更标准的 basicHttpsBinding 路线（如果您控制服务）。问题很多，特别是如果您有 java 客户端（使用 Eclipse）连接到您的服务。

<endpoint address="" binding="basicHttpsBinding" bindingConfiguration="DefaultHttpsBinding" contract="Namespace.Contract" />

score 0 · Accepted Answer

听起来我们在同一条路上；也许我们可以互相帮助。

我最终通过配置做安全：

<security 
    enableUnsecuredResponse="true" 
    authenticationMode="MutualCertificate" 
    messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
 />

您还需要使用您的证书颁发给谁来覆盖端点的身份 DNS 值。把它放在你的<endpoint>标签里

<identity>
  <dns value="[Issued To]" />
</identity>

最后，当您创建客户端时，您需要使用ChannelFactory并设置适当的凭据。我的看起来像这样：

var factory = new ChannelFactory<BulkRequestTransmitterPortType>("BulkRequestTransmitterPort");
factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "3164c4510490d2c0f16f1e4cffd76b708964fa7c");
factory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "3164c4510490d2c0f16f1e4cffd76b708964fa7c");
var client = factory.CreateChannel();

如果您遇到其他问题，请告诉我。假设您的证书和应用程序状态正常，那么一旦您完成此操作，您可能会被我困在下一步（正确的 MTOM 编码）。如果您成功通过，请告诉我:)

score -1 · Accepted Answer

我想您的签名元素丢失或未对齐。

在文档中说：

发送者必须上传两个 xml 文件 1. 清单文件：创建请求清单 XML 文件：发送者应使用 Schema IRS-ACAUserInterfaceHeaderMessage.xsd 添加/创建“ACA 业务标题”和“请求清单详细信息” 2. 表单数据文件：（ 1094/1095-[B,C]) ‒ IRS-Form1094-1095BTransmitterUpstreamMessage.xsd ‒ IRS-Form1094-1095CTransmitterUpstreamMessage.xsd

在您提供的文档中，有一条线索说：

TPE1122无效的 WS 安全标头。请再试一次。

确保 SOAP 消息（包括 Manifest 文件）包含必要的签名 WS-Security 元素。

评论我的回答，告诉我们它是否与清单文件中的签名问题有关？

score -1 · Accepted Answer

我能够使用下面的 XML 克服 TPE1122 错误（已编辑与密钥和 TCC 相关的部分）。我不确定您实际上是如何签名的（我使用的是 SoapUI 工具而不是程序签名），但就我而言，我认为主要问题与命名空间的短名称有关（例如 oas、wsu、 ETC。）。我认为他们必须完全符合美国国税局的期望。另外，我看到您使用 wsa:Action 标记，而我没有，尽管这可能不会影响 WS-Security 标头。

POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Status_Request_AATS2016 HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "RequestSubmissionStatusDetail"
Content-Length: 6088
Host: la.www4.irs.gov
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

<soapenv:Envelope xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:us:gov:treasury:irs:msg:irstransmitterstatusrequest" xmlns:urn1="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:urn2="urn:us:gov:treasury:irs:common" xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xd="http://www.w3.org/2000/09/xmldsig#">
<soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <ds:Signature Id="SIG-7570AFA8291320B0AC145394323250875" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#TS-7570AFA8291320B0AC145394323250671">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <InclusiveNamespaces PrefixList="wsse oas1 soapenv urn urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>mvcVAijgkdnRTsyynwCzUHX39VM=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#id-B123454679813489712349871234987123">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>5b2SAtep+3PvQj7hZnIGceu0RNg=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#id-D123454679813489712349871234987123">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <InclusiveNamespaces PrefixList="oas1 soapenv urn1 urn2 urn3 xd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>iO0oIkBURxyOUPhrJ/j5YPeRLbQ=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>REDACTED</ds:SignatureValue>
            <ds:KeyInfo Id="KI-7570AFA8291320B0AC145394323250873">
                <wsse:SecurityTokenReference wsu:Id="STR-7570AFA8291320B0AC145394323250874">
                    <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">REDACTED</wsse:KeyIdentifier>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
        </ds:Signature>
        <wsu:Timestamp wsu:Id="TS-7570AFA8291320B0AC145394323250671">
            <wsu:Created>2016-01-28T01:07:12Z</wsu:Created>
            <wsu:Expires>2016-01-28T01:07:13Z</wsu:Expires>
        </wsu:Timestamp>
    </wsse:Security>
    <urn:ACABusinessHeader wsu:Id="id-B123454679813489712349871234987123">
        <urn1:UniqueTransmissionId>5c953d6e-fb77-483f-89ee-5b824550d703:SYS12:RDCTD::T</urn1:UniqueTransmissionId>
        <urn2:Timestamp>2016-01-27T13:46:00Z</urn2:Timestamp>
    </urn:ACABusinessHeader>
</soapenv:Header>
<soapenv:Body>
    <urn:ACABulkRequestTransmitterStatusDetailRequest version="1.0" wsu:Id="id-D123454679813489712349871234987123">
        <urn1:ACABulkReqTrnsmtStsReqGrpDtl>
            <urn2:ReceiptId>1094C-00-00000000</urn2:ReceiptId>
        </urn1:ACABulkReqTrnsmtStsReqGrpDtl>
    </urn:ACABulkRequestTransmitterStatusDetailRequest>
</soapenv:Body>

.net - 无效的 WS 安全标头 - IRS ACA SOAP 请求

4 回答 4

Related

Reference