我设计了一个向供应商发送 SOAP 请求的 WCF.net 客户端。为了满足供应商 WS 安全要求,我必须创建一个自定义 SOAP 标头并将带有自定义标头的请求发送到供应商端的 Web 服务。所以我通过实现一个从 MessageHeader 派生的新类来创建一个自定义标题(见下文)
public class SignOnlyMessageHeader : MessageHeader
{
private const string PREFIX_CP = "wsse";
public string m_Username { get; set; }
public string m_Envelope { get; set; }
public SignOnlyMessageHeader(string Username, string Envelope)
{
m_Username = Username;
m_Envelope = Envelope;
}
public override string Name
{
get { return "wsse:Security"; }
}
public override string Namespace
{
get { return null; }
}
public override bool MustUnderstand
{
get
{
return false;
}
}
protected override void OnWriteStartHeader(XmlDictionaryWriter writer, MessageVersion messageVersion)
{
base.OnWriteStartHeader(writer, messageVersion);
writer.WriteXmlnsAttribute(PREFIX_CP, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
}
protected override void OnWriteHeaderContents(XmlDictionaryWriter writer, MessageVersion messageVersion)
{
writer.WriteStartElement(PREFIX_CP, "UsernameToken", null);
writer.WriteAttributeString("wsu:Id", "UsernameToken-20");
writer.WriteXmlnsAttribute("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
writer.WriteElementString(PREFIX_CP, "Username", null, m_Username);
writer.WriteEndElement();
SignXmlFile(writer);
}
public void SignXmlFile(XmlDictionaryWriter writer)
{
string certificatePath = "C:\\Users\\22428-cert.p12";
System.Security.Cryptography.X509Certificates.X509Certificate2 cert = new X509Certificate2(certificatePath, "changeit");
// Create a new XML document.
XmlDocument doc = new XmlDocument();
// Format the document to ignore white spaces.
doc.PreserveWhitespace = false;
doc.LoadXml(m_Envelope);
// Create a SignedXml object.
SignedXml signedXml = new SignedXml(doc);
// Add the key to the SignedXml document.
//signedXml.SigningKey = Key;
signedXml.SigningKey = cert.PrivateKey;
// Create a new KeyInfo object.
KeyInfo keyInfo = new KeyInfo();
keyInfo.Id = "";
// Load the certificate into a KeyInfoX509Data object
// and add it to the KeyInfo object.
KeyInfoX509Data keyInfoData = new KeyInfoX509Data();
keyInfoData.AddCertificate(cert);
keyInfo.AddClause(keyInfoData);
// Add the KeyInfo object to the SignedXml object.
signedXml.KeyInfo = keyInfo;
signedXml.SignedInfo.CanonicalizationMethod = "http://www.w3.org/2001/10/xml-exc-c14n#";
// Create a reference to be signed.
Reference reference = new Reference();
reference.Uri = "";
// Add an enveloped transformation to the reference.
XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
reference.AddTransform(env);
reference.DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";
// Add the reference to the SignedXml object.
signedXml.AddReference(reference);
signedXml.Signature.Id = "";
// Compute the signature.
signedXml.ComputeSignature();
// Get the XML representation of the signature and save
// it to an XmlElement object.
XmlElement xmlDigitalSignature = signedXml.GetXml();
// Check the signature and return the result.
if (!signedXml.CheckSignature(new X509Certificate2(certificatePath, "changeit"), true))
{
Console.WriteLine("invalid signature");
}
xmlDigitalSignature.WriteTo(writer);
}
因此,在创建自定义标头类之后,我覆盖了 IClientMessageInspector.BeforeSendRequest 方法来拦截传出请求并将我的自定义标头添加到soap请求中。请参阅下面的代码,
object IClientMessageInspector.BeforeSendRequest(ref System.ServiceModel.Channels.Message request, IClientChannel channel)
{
request.Headers.RemoveAt(0);
SignOnlyMessageHeader header = new SignOnlyMessageHeader("x509user", env);
request.Headers.Add(header);
return null;
}
最终结果是我拦截了 SOAP 请求并用自定义标头正确替换了当前标头。在发出请求之前,我检查了更新的 SOAP 请求(放置了一个断点),该结构与供应商请求的完全匹配。但是在供应商端处理请求后,我收到一个错误。它只说“签名未通过核心验证”。我想我在“SignXmlFile”方法中正确地签署了整个信封。我什至检查了方法内的有效性(if (!signedXml.CheckSignature(new X509Certificate2(certificatePath, "changeit"), true))),该语句返回一个表明签名有效的假。
我究竟做错了什么 ?