0

我们正在创建一个必须符合预定义 WSDL 的 WCF 服务。要求之一是时间戳、所有 WS 寻址和消息正文都应该签名。

为此,我们添加了以下 CustomBinding;

        var secBE = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
        secBE.EnableUnsecuredResponse = true;
        secBE.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
        secBE.IncludeTimestamp = true;
        secBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;

        secBE.AllowSerializedSigningTokenOnReply = true;
        secBE.RecipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator;

        //Create binding element for encoding
        var mtomBE = new MtomMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);

        //Create binding element for transport
        var httpsBE = new HttpsTransportBindingElement();
        httpsBE.RequireClientCertificate = false;
        httpsBE.AuthenticationScheme = AuthenticationSchemes.Anonymous;

        CustomBinding binding = new CustomBinding();
        binding.Elements.Add(secBE);
        binding.Elements.Add(mtomBE);
        binding.Elements.Add(httpsBE);

使用客户端证书,但我们在 Azure 上托管端点,并且证书将移动到“X-ARR-ClientCert”标头,因此我们无法使用使用 RequireClientCertificate = true 启用的内置证书验证器.

我启用了跟踪,并且在收到来自客户端的请求时引发以下异常:

<ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>The security header element 'Timestamp' with the 'wssecurity_signature_id_1803' id must be signed.</Message>

查看请求消息时,包含以下标头;

<MessageHeaders>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <wsse:BinarySecurityToken>
            <!-- Removed-->
        </wsse:BinarySecurityToken>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces PrefixList="ds soapenc soapenv wsa wsse xsd xsi "
                        xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                </ds:CanonicalizationMethod>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
                <ds:Reference URI="#wssecurity_signature_id_1799">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue><!-- Removed--></ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#wssecurity_signature_id_1800">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue><!-- Removed--></ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#wssecurity_signature_id_1801">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="p324 soapenc soapenv wsa wsu xsd xsi "
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue><!-- Removed--></ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#wssecurity_signature_id_1802">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue><!-- Removed--></ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#wssecurity_signature_id_1803">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsse wsu xsd xsi "
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue><!-- Removed--></ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#wssecurity_signature_id_1804">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue><!-- Removed--></ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue><!-- Removed--></ds:SignatureValue>
            <ds:KeyInfo>
                <wsse:SecurityTokenReference>
                    <wsse:Reference URI="#x509bst_1805" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
        </ds:Signature>
        <wsu:Timestamp wsu:Id="wssecurity_signature_id_1803"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2021-04-07T07:25:47.641Z</wsu:Created>
        </wsu:Timestamp>
    </wsse:Security>
    <wsa:To wsu:Id="wssecurity_signature_id_1802"
        xmlns:wsa="http://www.w3.org/2005/08/addressing"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- Removed--></wsa:To>
    <wsa:Action wsu:Id="wssecurity_signature_id_1804"
        xmlns:wsa="http://www.w3.org/2005/08/addressing"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- Removed--></wsa:Action>
    <wsa:MessageID wsu:Id="wssecurity_signature_id_1799"
        xmlns:wsa="http://www.w3.org/2005/08/addressing"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">uuid:44bf184f-c7af-4efc-9385-cda168692d60</wsa:MessageID>
    <wsa:ReplyTo wsu:Id="wssecurity_signature_id_1800"
        xmlns:wsa="http://www.w3.org/2005/08/addressing"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
    </wsa:ReplyTo>
</MessageHeaders>

我无法控制发送到我们的 WCF 服务的请求消息,因此所有内容都必须在服务器端进行修复。为什么时间戳未检测为已签名?

4

1 回答 1

0

我改变了一些东西,它开始工作了。首先是 AsymmetricSecurityBindingElement;

  • 将 EnableUnsecuredResponse 设置为 false。
  • 添加了默认为“Strict”的 SecurityHeaderLayout 并将其设置为“SecurityHeaderLayout.LaxTimestampLast”。

然后,我添加了一个实现自定义 MessageEncoder 的自定义 MessageEncodingBindingElement。这个编码器添加了 To 和 MessageID 标头,尽管我不认为这是问题所在。

于 2021-04-09T08:48:07.743 回答