WCF client consuming an ASMX service with WS-Security

Date: 2013-06-24 10:38:22

Tags: wcf soap x509certificate ws-security digital-certificate

I have an ASMX web service (SOAP 1.1) that requires every SOAP request to be signed with a certificate (private key) using WS-Security.

When the ASMX service receives a request, it authenticates it with the certificate's public key. Once the operation completes, the response sent back to the client will NOT be signed!

That is the security requirement...

I created the proxy via 'Add Service Reference', and the client's app.config is:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <client>
      <endpoint
        name="endpoint1"
        address="http://1.1.1.1/Test.asmx"
        binding="wsHttpBinding"
        bindingConfiguration="WSHttpBinding_ITest"
        behaviorConfiguration="TestBehavior"
        contract="ITest" >
      </endpoint>
    </client>

    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_ITest">
          <security mode="Message">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <behaviors>
      <endpointBehaviors>
        <behavior name="TestBehavior">
          <clientCredentials>
            <clientCertificate storeLocation="LocalMachine" storeName="My" 
                               x509FindType="FindByThumbprint" findValue="xxxxxxxxxxxxxxx" />

          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

Given the scenario I described:

1. Am I using the correct binding?

2. Should the clientCredentialType value be "Certificate" or "None"?

3. Is the 'serviceCertificate' tag needed?

4. What is the right configuration for my scenario?

5. If you know of any useful links for my scenario, please share them.

Thanks in advance :)

Edit #1:

Request:

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <soap:Header>   
            <wsa:Action wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">XXXXXXXXXXX</wsa:Action>
            <wsa:MessageID wsu:Id="Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855">YYYYYYYYYY</wsa:MessageID>
            <wsa:ReplyTo wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">
                <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
            </wsa:ReplyTo>
            <wsa:To wsu:Id="Id-17c40943-cs53-4a8e-9e83-ef374e40ab70">
                <wsa:Address>http://.../TestOperation</wsa:Address>
            </wsa:To>
            <wsse:Security soap:mustUnderstand="1" >
                <wsu:Timestamp wsu:Id="Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">
                    <wsu:Created wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">2002-08-22T00:26:15Z</wsu:Created>
                    <wsu:Expires wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">2002-08-22T00:31:15Z</wsu:Expires>
                </wsu:Timestamp>
                <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
                                          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
                                          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
                                          wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC...kE9</wsse:BinarySecurityToken>
                <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                        <Reference URI="#Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>wRUq.........</DigestValue>
                        </Reference>
                        <Reference URI="#Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>8gIo.........</DigestValue>
                        </Reference>
                        <Reference URI="#Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>zx4h.........</DigestValue>
                        </Reference>
                        <Reference URI="#Id-17c40943-cs53-4a8e-9e83-ef374e40ab70">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>UjdN.........</DigestValue>
                        </Reference>
                        <Reference URI="#Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>34ff.........</DigestValue>
                        </Reference>
                        <Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>ss67.........</DigestValue>
                        </Reference>
                    </SignedInfo>
                    <SignatureValue>tBSsaZi........</SignatureValue>
                    <KeyInfo>
                        <wsse:SecurityTokenReference>
                            <wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" 
                                            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
                        </wsse:SecurityTokenReference>
                    </KeyInfo>
                </Signature>
            </wsse:Security>
        </soap:Header>
        <soap:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
            ...
        </soap:Body>
    </soap:Envelope>
    

Response:

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <soap:Header>
        <wsa:Action>http://.../TestOperationResponse</wsa:Action>
        <wsa:MessageID>YYYYYYYYYY</wsa:MessageID>
        <wsa:RelatesTo>WWWWWWWWWW</wsa:RelatesTo>
        <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
        <wsse:Security>
          <wsu:Timestamp wsu:Id="Timestamp-c0kjk2d4-o83d-4fa5-abfa-bd485afdjj80">
            <wsu:Created>2002-08-22T00:26:15Z</wsu:Created>
            <wsu:Expires>2002-08-22T00:31:15Z</wsu:Expires>
          </wsu:Timestamp>
        </wsse:Security>
      </soap:Header>
      <soap:Body>
        <Response>
          ...
        </Response>
      </soap:Body>
    </soap:Envelope>
    




Edit #2:

Generated request:

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
        xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <soap:Header>   
            <a:Action soap:mustUnderstand="1" u:Id="_2">XXXXXXXXXXX</a:Action>
            <a:MessageID u:Id="_3">YYYYYYYYYY</a:MessageID>
            <a:ReplyTo u:Id="_4">
                <a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
            </a:ReplyTo>
            <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uID...</VsDebuggerCausalityData>
            <a:To soap:mustUnderstand="1" u:Id="_5">
                <a:Address>http://1.1.1.1/Test.asmx</a:Address>
            </a:To>
            <o:Security soap:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <u:Timestamp u:Id="uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1">
                    <u:Created>2002-08-22T00:26:15Z</u:Created>
                    <u:Expires>2002-08-22T00:31:15Z</u:Expires>
                </u:Timestamp>
                <o:BinarySecurityToken u:Id="uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2"
                                       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
                                       EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIICeDCC...kE9</o:BinarySecurityToken>
                <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <SignedInfo>
                        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                        <Reference URI="#_1">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>wRUq.........</DigestValue>
                        </Reference>
                        <Reference URI="#_2">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>8gIo.........</DigestValue>
                        </Reference>
                        <Reference URI="#_3">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>zx4h.........</DigestValue>
                        </Reference>
                        <Reference URI="#_4">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>UjdN.........</DigestValue>
                        </Reference>
                        <Reference URI="#_5">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>34ff.........</DigestValue>
                        </Reference>
                        <Reference URI="#uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>ss67.........</DigestValue>
                        </Reference>
                    </SignedInfo>
                    <SignatureValue>tBSsaZi........</SignatureValue>
                    <KeyInfo>
                        <o:SecurityTokenReference>
                            <o:Reference URI="#uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2" 
                                            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
                        </o:SecurityTokenReference>
                    </KeyInfo>
                </Signature>
            </o:Security>
        </soap:Header>
        <soap:Body u:Id="_1">
            ...
        </soap:Body>
    </soap:Envelope>
    

The problems with this request are:

1. Id format: Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800" (ASMX proxy) vs Id="_2" (WCF proxy)
2. The 'VsDebuggerCausalityData' tag is present. How do I get rid of it?
3. Timestamp Id format: Id="Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" (ASMX proxy) vs Id="uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1" (WCF proxy)
4. The 'Created' and 'Expires' tags inside Timestamp have no Id attribute.
5. BinarySecurityToken Id format: Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" (ASMX proxy) vs Id="uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2" (WCF proxy)

6. The error I get when calling the ASMX service:

      <?xml version="1.0" encoding="utf-8"?>
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
        <soap:Header>
          <wsa:Action>http://schemas.xmlsoap.org/ws/2004/08/addressing/fault</wsa:Action>
          <wsa:MessageID>YYYYYYYYYY</wsa:MessageID>
          <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
        </soap:Header>
        <soap:Body>
          <soap:Fault>
            <faultcode>soap:Server</faultcode>
            <faultstring>
                System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE842: The service pipeline could not be created. ---> System.ApplicationException: WSE2012: X509TokenProvider is unable to provide an X.509 token. There are multiple certificates store that match the find value of 'xxx'.
                at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
                at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
                at Microsoft.Web.Services3.Design.MutualCertificate10Assertion.ServiceInputFilter..ctor(MutualCertificate10Assertion assertion)
                at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateServiceInputFilter(FilterCreationContext context)
                at Microsoft.Web.Services3.Design.Policy.CreateServicePipeline(PipelineCreationContext context)
                at Microsoft.Web.Services3.PolicyAttribute.Microsoft.Web.Services3.IPipelineProvider.CreateServicePipeline(PipelineCreationContext context)
                at Microsoft.Web.Services3.Pipeline.TryCreate(Type type, Boolean forClient)
                at Microsoft.Web.Services3.WseProtocol.CreateProtocolPipeline()
                at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message)
                at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
                at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing)
                --- End of inner exception stack trace ---
                --- End of inner exception stack trace ---
            </faultstring>
            <faultfactor>http://1.1.1.1/Test.asmx</faultfactor>
          </soap:Fault>
        </soap:Body>
      </soap:Envelope>
      

I think the problem is on the server side, because the "xxx" findValue relates to the server, not to the client certificate. How can I solve this?

1 answer:

Answer 0 (score: 1)

Try this binding:

            <customBinding>
                <binding name="NewBinding0">
                    <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
                    <security authenticationMode="MutualCertificate">
                        <secureConversationBootstrap />
                    </security>
                    <httpTransport />
                </binding>
            </customBinding>

You need to define both the client certificate and the server certificate on the WCF proxy; if you don't know the server certificate, just define a dummy one. You also need to change the proxy's protection level so that it does not encrypt the body:

[System.ServiceModel.ServiceContractAttribute(ConfigurationName="ServiceReference1.SimpleServiceSoap", ProtectionLevel=System.Net.Security.ProtectionLevel.Sign)]

This post summarizes some other problems you may run into.
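As an added example (not code from the question or the answer), here is the programmatic equivalent of the answer's customBinding together with the certificate setup it describes, in C#: the ITest contract, the address and the thumbprint are placeholders, and choosing WS-Security 1.0 is my assumption based on the captured request and the MutualCertificate10Assertion in the stack trace. It also adds a client-side store lookup that fails early when a thumbprint matches more than one certificate, the condition behind the WSE2012 fault shown in Edit #2.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Hypothetical stand-in for the generated ITest proxy; ProtectionLevel.Sign is the answer's attribute (sign the body, never encrypt it).
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface ITest
{
    [OperationContract]  // Action/ReplyAction come from the WSDL in the real generated proxy
    string TestOperation(string input);
}
public static class WseClientSetup
{
    // Code equivalent of the answer's <customBinding>: SOAP 1.1 + WS-Addressing 2004/08 text encoding,
    // MutualCertificate message security, plain HTTP. WS-Security 1.0 is an assumption from the captured request.
    public static Binding CreateBinding()
    {
        SecurityBindingElement security = SecurityBindingElement.CreateMutualCertificateBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
        security.IncludeTimestamp = true;  // the ASMX request carries a signed wsu:Timestamp
        var encoding = new TextMessageEncodingBindingElement { MessageVersion = MessageVersion.Soap11WSAddressingAugust2004 };
        return new CustomBinding(security, encoding, new HttpTransportBindingElement());
    }

    // Client-side check for the condition behind the WSE2012 fault in Edit #2: the thumbprint must match
    // exactly one certificate, and that certificate must hold the private key that produces the signature.
    public static X509Certificate2 FindSigningCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count != 1)
                throw new InvalidOperationException(string.Format(
                    "Expected exactly one certificate for thumbprint {0}, found {1}.", thumbprint, found.Count));
            if (!found[0].HasPrivateKey)
                throw new InvalidOperationException("Client certificate has no private key; it cannot sign requests.");
            return found[0];
        }
        finally { store.Close(); }
    }

    // The client certificate signs the request; the service certificate is the dummy the answer mentions,
    // because MutualCertificate mode requires one even though this ASMX service never signs its replies.
    public static ChannelFactory<ITest> CreateFactory(string address, string clientThumbprint, X509Certificate2 dummyServiceCert)
    {
        var factory = new ChannelFactory<ITest>(CreateBinding(), new EndpointAddress(address));
        factory.Credentials.ClientCertificate.Certificate = FindSigningCertificate(clientThumbprint);
        factory.Credentials.ServiceCertificate.DefaultCertificate = dummyServiceCert;
        return factory;
    }
}
```

Call `CreateFactory("http://1.1.1.1/Test.asmx", "<client thumbprint>", dummyCert).CreateChannel().TestOperation(...)` to send a request; the `VsDebuggerCausalityData` header from Edit #2 is injected only while the client runs under the Visual Studio debugger, so it is absent outside it.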