1

我设计了一个向供应商发送 SOAP 请求的 WCF.net 客户端。为了满足供应商 WS 安全要求,我必须创建一个自定义 SOAP 标头并将带有自定义标头的请求发送到供应商端的 Web 服务。所以我通过实现一个从 MessageHeader 派生的新类来创建一个自定义标题(见下文)

public class SignOnlyMessageHeader : MessageHeader
{
    private const string PREFIX_CP = "wsse";

    public string m_Username { get; set; }
    public string m_Envelope { get; set; }

    public SignOnlyMessageHeader(string Username, string Envelope)
    {
        m_Username = Username;
        m_Envelope = Envelope;
    }

    public override string Name
    {
        get { return "wsse:Security"; }
    }

    public override string Namespace
    {
        get { return null; }
    }

    public override bool MustUnderstand
    {
        get
        {
            return false;
        }
    }

    protected override void OnWriteStartHeader(XmlDictionaryWriter writer, MessageVersion messageVersion)
    {
        base.OnWriteStartHeader(writer, messageVersion);
        writer.WriteXmlnsAttribute(PREFIX_CP, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
    }

    protected override void OnWriteHeaderContents(XmlDictionaryWriter writer, MessageVersion messageVersion)
    {
        writer.WriteStartElement(PREFIX_CP, "UsernameToken", null);
        writer.WriteAttributeString("wsu:Id", "UsernameToken-20");
        writer.WriteXmlnsAttribute("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
        writer.WriteElementString(PREFIX_CP, "Username", null, m_Username);
        writer.WriteEndElement();
        SignXmlFile(writer);
    }

    public void SignXmlFile(XmlDictionaryWriter writer)
    {
        string certificatePath = "C:\\Users\\22428-cert.p12";
        System.Security.Cryptography.X509Certificates.X509Certificate2 cert = new X509Certificate2(certificatePath, "changeit");

        // Create a new XML document.
        XmlDocument doc = new XmlDocument();

        // Format the document to ignore white spaces.
        doc.PreserveWhitespace = false;
        doc.LoadXml(m_Envelope);

        // Create a SignedXml object.
        SignedXml signedXml = new SignedXml(doc);

        // Add the key to the SignedXml document. 
        //signedXml.SigningKey = Key;
        signedXml.SigningKey = cert.PrivateKey;

        // Create a new KeyInfo object.
        KeyInfo keyInfo = new KeyInfo();
        keyInfo.Id = "";

        // Load the certificate into a KeyInfoX509Data object
        // and add it to the KeyInfo object.
        KeyInfoX509Data keyInfoData = new KeyInfoX509Data();
        keyInfoData.AddCertificate(cert);
        keyInfo.AddClause(keyInfoData);
        // Add the KeyInfo object to the SignedXml object.
        signedXml.KeyInfo = keyInfo;

        signedXml.SignedInfo.CanonicalizationMethod = "http://www.w3.org/2001/10/xml-exc-c14n#";

        // Create a reference to be signed.
        Reference reference = new Reference();
        reference.Uri = "";

        // Add an enveloped transformation to the reference.
        XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
        reference.AddTransform(env);
        reference.DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";

        // Add the reference to the SignedXml object.
        signedXml.AddReference(reference);
        signedXml.Signature.Id = "";

        // Compute the signature.
        signedXml.ComputeSignature();

        // Get the XML representation of the signature and save
        // it to an XmlElement object.
        XmlElement xmlDigitalSignature = signedXml.GetXml();

        // Check the signature and return the result.
        if (!signedXml.CheckSignature(new X509Certificate2(certificatePath, "changeit"), true))
        {
            Console.WriteLine("invalid signature");
        }

        xmlDigitalSignature.WriteTo(writer);
    }

因此,在创建自定义标头类之后,我覆盖了 IClientMessageInspector.BeforeSendRequest 方法来拦截传出请求并将我的自定义标头添加到soap请求中。请参阅下面的代码,

    object IClientMessageInspector.BeforeSendRequest(ref System.ServiceModel.Channels.Message request, IClientChannel channel)
    {
        request.Headers.RemoveAt(0);
        SignOnlyMessageHeader header = new SignOnlyMessageHeader("x509user", env);
        request.Headers.Add(header);
        return null;
    }

最终结果是我拦截了 SOAP 请求并用自定义标头正确替换了当前标头。在发出请求之前,我检查了更新的 SOAP 请求(放置了一个断点),该结构与供应商请求的完全匹配。但是在供应商端处理请求后,我收到一个错误。它只说“签名未通过核心验证”。我想我在“SignXmlFile”方法中正确地签署了整个信封。我什至检查了方法内的有效性(if (!signedXml.CheckSignature(new X509Certificate2(certificatePath, "changeit"), true))),该语句返回一个表明签名有效的假。

我究竟做错了什么 ?

4

1 回答 1

0

好吧,我尝试了又尝试,我拦截标头的方式以及在我注入带有签名的标头之后..验证失败。作为一种解决方法,我从我的 .net 客户端中删除了整个标头。我只用soap baod 将我的请求路由到XML 网关,我们将网关配置为拦截请求并添加必要的标头初始化并将请求转发给外部供应商。有效。

于 2011-09-04T04:55:23.303 回答