我有一个ASMX Web服务(SOAP 1.1),它需要使用WS-Security对带有证书(私钥)的所有SOAP请求进行签名。
当ASMX服务收到请求时,它将使用证书的公钥对其进行身份验证。 操作完成后,发送回客户端的响应将不会被签名!
这是安全要求......
我通过'添加服务参考'和客户端的app.config创建了代理:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<client>
<endpoint
name="endpoint1"
address="http://1.1.1.1/Test.asmx"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ITest"
behaviorConfiguration="TestBehavior"
contract="ITest" >
</endpoint>
</client>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ITest">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="TestBehavior">
<clientCredentials>
<clientCertificate storeLocation="LocalMachine" storeName="My"
x509FindType="FindByThumbprint" findValue="xxxxxxxxxxxxxxx" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
根据我所描述的情景:
我使用的是正确的装订吗?
clientCredentialType值应为“证书”还是“无”?
需要标签'serviceCertificate'吗?
4.我的方案的配置是什么?
如果你知道一些适合我的方案的有用链接,请提供它们。
提前致谢:)
编辑#1:
请求
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">XXXXXXXXXXX</wsa:Action>
<wsa:MessageID wsu:Id="Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855">YYYYYYYYYY</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To wsu:Id="Id-17c40943-cs53-4a8e-9e83-ef374e40ab70">
<wsa:Address>http://.../TestOperation</wsa:Address>
</wsa:To>
<wsse:Security soap:mustUnderstand="1" >
<wsu:Timestamp wsu:Id="Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">
<wsu:Created wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">2002-08-22T00:26:15Z</wsu:Created>
<wsu:Expires wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">2002-08-22T00:31:15Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC...kE9</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>wRUq.........</DigestValue>
</Reference>
<Reference URI="#Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>8gIo.........</DigestValue>
</Reference>
<Reference URI="#Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>zx4h.........</DigestValue>
</Reference>
<Reference URI="#Id-17c40943-cs53-4a8e-9e83-ef374e40ab70">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>UjdN.........</DigestValue>
</Reference>
<Reference URI="#Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>34ff.........</DigestValue>
</Reference>
<Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b"">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>ss67.........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
...
</soap:Body>
</soap:Envelope>
Respose:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action>http://.../TestOperationResponse</wsa:Action>
<wsa:MessageID>YYYYYYYYYY</wsa:MessageID>
<wsa:RelatesTo>WWWWWWWWWW</wsa:RelatesTo>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
<wsse:Security>
<wsu:Timestamp wsu:Id="Timestamp-c0kjk2d4-o83d-4fa5-abfa-bd485afdjj80">
<wsu:Created>2002-08-22T00:26:15Z</wsu:Created>
<wsu:Expires>2002-08-22T00:31:15Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<Response>
...
</Response>
</soap:Body>
</soap:Envelope>
编辑#2:
生成的请求:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<a:Action soap:mustUnderstand="1" u:Id="_2">XXXXXXXXXXX</a:Action>
<a:MessageID u:Id="_3">YYYYYYYYYY</a:MessageID>
<a:ReplyTo u:Id="_4">
<a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uID...</VsDebuggerCausalityData>
<a:To soap:mustUnderstand="1" u:Id="_5">
<a:Address>http://1.1.1.1/Test.asmx</a:Address>
</a:To>
<o:Security soap:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1">
<u:Created>2002-08-22T00:26:15Z</u:Created>
<u:Expires>2002-08-22T00:31:15Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIICeDCC...kE9</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>wRUq.........</DigestValue>
</Reference>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>8gIo.........</DigestValue>
</Reference>
<Reference URI="#_3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>zx4h.........</DigestValue>
</Reference>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>UjdN.........</DigestValue>
</Reference>
<Reference URI="#_5">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>34ff.........</DigestValue>
</Reference>
<Reference URI="#uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>ss67.........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</soap:Header>
<soap:Body u:Id="_1">
...
</soap:Body>
</soap:Envelope>
此请求的问题是:
我调用ASMX服务时遇到的错误:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"">
<soap:Header>
<wsa:Action>http://schemas.xmlsoap.org/ws/2004/08/addressing/fault</wsa:Action>
<wsa:MessageID>YYYYYYYYYY</wsa:MessageID>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
</soap:Header>
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>
System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE842: The service pipeline could not be created. ---> System.ApplicationException: WSE2012: X509TokenProvider is unable to provide an X.509 token. There are multiple certificates store that match the find value of 'xxx'.
at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
at Microsoft.Web.Services3.Design.MutualCertificate10Assertion.ServiceInputFilter..ctor(MutualCertificate10Assertion assertion)
at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateServiceInputFilter(FilterCreationContext context)
at Microsoft.Web.Services3.Design.Policy.CreateServicePipeline(PipelineCreationContext context)
at Microsoft.Web.Services3.PolicyAttribute.Microsoft.Web.Services3.IPipelineProvider.CreateServicePipeline(PipelineCreationContext context)
at Microsoft.Web.Services3.Pipeline.TryCreate(Type type, Boolean forClient)
at Microsoft.Web.Services3.WseProtocol.CreateProtocolPipeline()
at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message)
at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
</faultstring>
<faultfactor>http://1.1.1.1/Test.asmx</faultfactor>
</soap:Fault>
</soap:Body>
</soap:Envelope>
我认为问题出在服务器上,因为“xxx”findValue与服务器关联,而不是与客户端证书关联。 我该如何解决这个问题?
答案 0 :(得分:1)
尝试此绑定:
<customBinding>
<binding name="NewBinding0">
<textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
<security authenticationMode="MutualCertificate">
<secureConversationBootstrap />
</security>
<httpTransport />
</binding>
</customBinding>
如果您不知道服务器证书只定义一个虚拟证书,则需要在wcf代理上定义客户端证书和服务器证书。您还需要更改代理的保护级别,使其不加密正文:
[System.ServiceModel.ServiceContractAttribute(ConfigurationName="ServiceReference1.SimpleServiceSoap", ProtectionLevel=System.Net.Security.ProtectionLevel.Sign)]
This post总结了您可能遇到的其他一些问题。