WCF中具有消息保护的相互身份验证

Question

我正在尝试与使用SOAP 1.1实现WS-Security的Web服务进行通信，并要求客户端在请求中同时签署正文和时间戳。在客户端，我正在使用WCF并且无法控制服务。代理接口有ProtectionLevel.Sign - 属性，应该是它们。

客户端还需要协商服务证书（TLS / SSL）并根据一些自定义规则验证服务签名证书。

到目前为止，我获得连接的最佳尝试是使用此绑定：

var b = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
b.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
b.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
b.TextEncoding = new UTF8Encoding();

它会产生以下请求，其中仅签署的时间戳 - 而不是正文。该服务响应签名无效。

我尝试使用CustomBinding和SecurityBindingElement.CreateCertificateOverTransportBindingElement - 函数来创建安全元素，但它产生了相同的结果。

使用SecurityBindingElement.CreateMutualCertificateBindingElement - 函数，正文和时间戳都已签名，但现在WCF要求我指定服务证书，该证书应在TLS / SSL握手期间协商。

请求：

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <u:Timestamp u:Id="_0">
            <u:Created>2013-03-11T15:41:19.744Z</u:Created>
            <u:Expires>2013-03-11T15:46:19.744Z</u:Expires>
        </u:Timestamp>
        <o:BinarySecurityToken u:Id="uuid-75db13c1-3c82-4e31-8dbf-75af257850ac-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">..REMOVED..</o:BinarySecurityToken>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_0">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <DigestValue>z2Q9Bb/I1Mo7DJFZ3uXA42JSH0AJJguvIfnYMxlKBAg=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>FgvpaSy+Zg3PHul6q2//Wc1lp+z+tuPCFKcLFp5edYvApb8yDwVDhuRuYPfn5K2TdGpQQekV095WZofIpIUV5aA+VBzf0/qVMP9hvOCqloyjJF3FWiMC829yFE8ePrYT3c1VXWSZi1172E7iRTNetz5ZmRYKAlcy6t7MaIq++q6MlM0gkK/w/W5qWVLIvopf2MQc+V+PBBmx7nWKGzF4SxIgdD4JeGOUzIND68OozBYD7jrvHLeYUjUzmBCkrLKm2bXDDksrV9rJHZdoizKrC7C59uRPh+gG5pl2pMLYtimFnwot3L4lvysBG0apAftxXat091c5a4JtKAvuDiWOFQ==</SignatureValue>
            <KeyInfo>
                <o:SecurityTokenReference>
                    <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-75db13c1-3c82-4e31-8dbf-75af257850ac-1"/>
                </o:SecurityTokenReference>
            </KeyInfo>
        </Signature>
    </o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <Request xmlns="http://theurltotheservice">
        <Value>123456789</Value>
    </Request>
</s:Body>