时间戳必须在响应中签名错误

时间:2013-03-04 10:16:36

标签: wcf wcf-security

对于初学者,我知道你认为这是重复的,但如果你阅读它们,你会注意到有些人说删除时间戳会修复它而其他人则不然。

我正在尝试使用 .Net 3.5 连接到带有证书的Java SOAP Web服务,但是当我收到响应时会抛出错误:“安全标头元素'Timestamp'必须签署“Timestamp-984”ID。“

var b = new CustomBinding();
b.Name = "AVbinding";
b.CloseTimeout = new TimeSpan(0, 1, 0);
b.OpenTimeout = new TimeSpan(0, 1, 0);
b.ReceiveTimeout = new TimeSpan(0, 10, 0);
b.SendTimeout = new TimeSpan(0, 1, 0);

AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement();
security.IncludeTimestamp = true;
security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
security.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator);
security.InitiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient);
security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
security.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic256Sha256Rsa15;
security.AllowSerializedSigningTokenOnReply = true;
security.AllowInsecureTransport = true;
security.EnableUnsecuredResponse = true;
security.RequireSignatureConfirmation = true;

security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;

ExtensionElement extensionElement = new ExtensionElement();

b.Elements.Add(security);
b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
HttpsTransportBindingElement httpsBinding = new HttpsTransportBindingElement();
b.Elements.Add(httpsBinding);

string certMapPath = Server.MapPath("~/App_Data");
X509Certificate2 cert = new X509Certificate2(certMapPath + "\\_CERTNAME_", "X");
X509Certificate2 serCert = new X509Certificate2(certMapPath + "\\_CERTNAME2_.cer");
AsymmetricAlgorithm key = new System.Security.Cryptography.RSACryptoServiceProvider();
key.FromXmlString("_KEY_");
cert.PrivateKey = key;

client.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;

问题是,我该怎么做?

我的要求:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<ActivityId CorrelationId="7d9e44cb-cecd-4c49-9a71-79a2ad04a2ec" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">63bde0b8-8953-41b8-b5c2-a69c712346b6</ActivityId>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo3dbGZWnrwhDouJE+VgKu4MAAAAAzmpHur/flUSUy0rxOVAJ8Nk4GsFjc6xOg46yQ3o0ZMQACQAA</VsDebuggerCausalityData>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken>
<!-- Removed-->
</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
<DigestValue>Z4OHoIS/bVCWIROLBFcxjfJuXv0ebA/SO8WQWuPTrQo=</DigestValue>
</Reference>
<Reference URI="#uuid-f52585e9-3358-46f6-8e9f-9a16b5c0f29b-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
<DigestValue>Pnp4gaKUnboMFE2LgLdsFzPBL+7fHqXacVg/MR7AS6c=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>NSE/peVOxXheXOqyNT1qx7uZPOhSms35fmJxlf4lBuODD9tz8/TCwzmAAdDArGwc6VJmdw1jVX5tNchYvAqignsPRgTwB+tSbMvUZ6UMwOgHZWRh8rXjYw34EhdEWWBzg0U1ves6ynY88vJW0oFyWiiFcNGkEuy140X7h/Ev+3I=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-da5ccb9b-2c40-4ede-9079-c94abf912843-2"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<u:Timestamp u:Id="uuid-f52585e9-3358-46f6-8e9f-9a16b5c0f29b-1">
<u:Created>2013-03-04T09:27:15.087Z</u:Created>
<u:Expires>2013-03-04T09:32:15.087Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<getAvailabilityRequest xmlns="_url_">
<userID xmlns="">_UserID_</userID>
<password xmlns="">_pass_</password>
<requestID xmlns="">_request_</requestID>
<SystemIdentifier xmlns="">?</SystemIdentifier>
</getAvailabilityRequest>
</s:Body>
</s:Envelope>

回应:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-932">
<wsu:Created>2013-03-04T09:27:24.013Z</wsu:Created>
<wsu:Expires>2013-03-04T09:32:24.013Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken>
<!-- Removed-->
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-930">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
<ds:Reference URI="#id-931">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>+/NJN562AUh5U5T4VXGRbdU28+JLmW2bdHg1gLf/SWg=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#SigConf-929">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>uzljMoX3dAm90+8P10b2/xE5OooNeP81NDtlefCBoc8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Fixb+0TnwQ2KfLqywusmwcKF8OvoBP/bLqIKfLadyV1U97+NZKzcMrSJjSD0a0sDhJZ+lo/KoHVE
KBY12ZZDP9xE+k9LHAlWZIq3a2gvBkTFR3p5NcYFQM4cbA/x/bvpEqDyzqYSoXnXMOG46DFn5klo
DO0PJkMiXKvLBhrCpZtM26AovD5WQlD694EeIXt4jey15zvGzKz88eNfHqNiYa1Wu2HuOTcnSJRv
hQKHmJKpDzn9+ZSohsULVR5xtGFQD7GWL6LLFEMqthD2a10KMan43Qd62SMUcB64o+l/M+l89+Oo
AbE0S2GXP3vvSa3ZoGduktWlyNlC7Qz/Iww0Qg==
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-83F04DBB53B92E8E1F1362389243499698">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-83F04DBB53B92E8E1F1362389243499699" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#CertId-83F04DBB53B92E8E1F1362389243499697" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Value="NSE/peVOxXheXOqyNT1qx7uZPOhSms35fmJxlf4lBuODD9tz8/TCwzmAAdDArGwc6VJmdw1jVX5tNchYvAqignsPRgTwB+tSbMvUZ6UMwOgHZWRh8rXjYw34EhdEWWBzg0U1ves6ynY88vJW0oFyWiiFcNGkEuy140X7h/Ev+3I=" wsu:Id="SigConf-929"></wsse11:SignatureConfirmation>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-931">
<ns3:getAvailabilityResponse xmlns:ns3="_URL_" xmlns="">
<RequestID>_requestID_</RequestID>
<Status>Available</Status>
<Version>1.32.0</Version>
</ns3:getAvailabilityResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

1 个答案:

答案 0 :(得分:1)

请在此处发布完整的请求和响应消息(您可以从Wcf日志或Fiddler获取它们)。 通常,如果Wcf发送签名时间戳,并且响应包含时间戳,则必须对响应ts进行签名。根据确切的消息,有各种工作流程,包括不从第一个位置发送时间戳,或通过将其推送到处理程序中的消息来发送,或从响应中删除时间戳。