从格式为 'x509' 的 BinarySecurityToken 中提取了证书链。哈希值与客户端不匹配

时间:2013-06-28 02:34:07

标签: wcf

如何调试此错误：'哈希值与客户端不匹配'？

我的传出消息与供应商样本一致。

供应商样本

<!-- Vendor-supplied sample request. Long values (certificates, cipher text, digest, signature) are elided with dots. -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mhs="http://org/emedny/mhs/" xmlns:urn="urn:hl7-org:v3">
<soapenv:Header>
<wsse:Security soap:mustUnderstand="1" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<!-- Token 1: the caller's signing certificate. The Signature's KeyInfo below references this wsu:Id. -->
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC....(eMedNY signed user MLS cert).......</wsse:BinarySecurityToken>
<!-- Token 2: the endpoint's public certificate. The EncryptedKey's KeyInfo below references this wsu:Id. -->
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">MIIDFj.....( eMedNY MLS web-service end-point public cert)........</wsse:BinarySecurityToken>
<!-- UsernameToken with PasswordText: the password is carried in clear inside the message and relies on the HTTPS transport for confidentiality. Note that the token carries a wsu:Id and that Created is in the wsu namespace. -->
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-970e9a80-00cc-4c86-8ec4-3ba16e029a5b">
<wsse:Username>....your_username.....</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">.....your_plaintext_password....</wsse:Password>
<wsse:Nonce>KNyu6MsXCkTg4DDyvwvEiw==</wsse:Nonce>
<wsu:Created>2010-09-15T18:00:30Z</wsu:Created>
</wsse:UsernameToken>
<!-- Content-encryption key transported with RSA PKCS#1 v1.5 (rsa-1_5), a legacy padding that the vendor's profile fixes. The DataReference points at the EncryptedData in the Body. -->
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>gpBAWt91pdwhKva............</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#Enc-0641b860-b16d-4941-91c0-d60bece67794"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<!-- Detached signature over the Body only (Reference URI equals the Body's wsu:Id), exclusive c14n, RSA-SHA1 with a SHA-1 digest. These are legacy algorithms dictated by the vendor sample. -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>wRUq.........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soapenv:Header>
<!-- The Body element is what the signature covers; only its content is replaced by EncryptedData (Type=#Content, 3DES-CBC), whose Id matches the DataReference above. -->
<soapenv:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<xenc:EncryptedData Id="Enc-0641b860-b16d-4941-91c0-d60bece67794" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>SQsTCAK6ZaVhojB8+Y.........</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>

这是我使用 CustomBinding 生成的传出 SOAP 消息：

<!-- Outgoing request produced by the WCF CustomBinding; certificate and cipher values were replaced with "Removed" by the author. -->
<s:Envelope xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
      <s:Header>
        <!-- WCF diagnostics header, not present in the vendor sample. It lies outside the signed Body, so it should not influence the digest. -->
        <ActivityId CorrelationId="06691695-887b-4f3e-a2c2-619ec48c82bb" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">00000000-0000-0000-4000-0080010000fa</ActivityId>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <!-- Token "-2" is the signing certificate (referenced by the Signature's KeyInfo); token "-1" is the recipient certificate (referenced by the EncryptedKey). Same order as the vendor sample. -->
          <o:BinarySecurityToken u:Id="uuid-4c068bc9-bfff-4601-ad57-351c23524c38-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Removed=</o:BinarySecurityToken>
          <o:BinarySecurityToken u:Id="uuid-4c068bc9-bfff-4601-ad57-351c23524c38-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Removed</o:BinarySecurityToken>
          <!-- UsernameToken inserted by the custom encoder after WCF has already signed the message. Differences from the vendor sample: no wsu:Id, and Created is in the wsse ("o:") namespace rather than wsu. -->
          <o:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <!-- NOTE(review): unlike the vendor sample's placeholders, these look like real credentials pasted into a public post; treat them as exposed and rotate them. -->
            <o:Username>LMWARD</o:Username>
            <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Cardon0319</o:Password>
            <o:Nonce>wz6wpiWcKvX7bMj+LWlMaI7GmLg=</o:Nonce>
            <o:Created>2013-06-28T12:22:42.768Z</o:Created>
          </o:UsernameToken>
          <e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <o:SecurityTokenReference>
                <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-4c068bc9-bfff-4601-ad57-351c23524c38-1" />
              </o:SecurityTokenReference>
            </KeyInfo>
            <e:CipherData>
              <e:CipherValue>kCO2Mf7mGCyLkpnHNADnid9eby850qjLkaKGMdXljSiXoFYW8ndppyF+1FSP9/zFqx2nPprtFo8y+G9iV7ahqfokAzlnX6KoTNExiZ/bqtzlJL9INF5PXrK8XQl3MCPHUUkhRtT3OhvgB/5+ubzEafR4Ays7ezspMAWu/UJnCMY=</e:CipherValue>
            </e:CipherData>
            <e:ReferenceList>
              <e:DataReference URI="#_2" />
            </e:ReferenceList>
          </e:EncryptedKey>
          <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
              <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
              <!-- Single reference: only the Body (u:Id="_1") is signed. This is the digest the vendor log reports as not matching. -->
              <Reference URI="#_1">
                <Transforms>
                  <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <!-- NOTE(review): the leading apostrophe is not valid base64. The vendor log quotes the value as 'l6kq...=' so it is presumably a paste artifact, but confirm against the wire message. -->
                <DigestValue>'l6kqP048t5INzJT3W8gxVSXplaE=</DigestValue>
              </Reference>
            </SignedInfo>
            <SignatureValue>gCwFapZ3D/vUXsvAShTQwNWJoA23ad54NRmUWXR7IBFbsr75HBdZUG5lO1Af+ncShzwJA2a6jJXJmw/1gKswyAP9QuZsa9D+6fGh8jwcVqjm5v/Sh9rgQxWjL6U1kkovP0IAqEjafRu6YgmauFVCHUrJ2QfIN96WYTPnYm9Puvs=</SignatureValue>
            <KeyInfo>
              <o:SecurityTokenReference>
                <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-4c068bc9-bfff-4601-ad57-351c23524c38-2" />
              </o:SecurityTokenReference>
            </KeyInfo>
          </Signature>
        </o:Security>
      </s:Header>
      <!-- Signed element (Reference URI="#_1"). Its exclusive-c14n form includes the start tag's attributes and the whitespace text inside the element, so any re-serialization after signing (e.g. pretty-printing) changes the digest. -->
      <s:Body u:Id="_1" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
          <e:CipherData>
            <e:CipherValue>Removed</e:CipherValue>
          </e:CipherData>
        </e:EncryptedData>
      </s:Body>
    </s:Envelope>

以下是供应商日志中的其他内容：

  Evaluating signature reference '_1'
trans(157350727)[request][12.23.28.110]: Current XPath expression '/*[local-name()='Envelope']/*[local-name()='Body']' covered by signature
trans(157350727)[request][12.23.28.110]: Signer status: 'Extracted the certificate chain from the BinarySecurityToken having format x509'
trans(157350727)[request][12.23.28.110]: Reject set: Hash values do not match.
trans(157350727)[request][12.23.28.110]: Hash values do not match: 'l6kqP048t5INzJT3W8gxVSXplaE='

DigestValue 中的这个哈希值对应 EncryptedKey 引用的 URI = _1，它引用的是 Id = _1 的 Body。

使用的自定义绑定如下：

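 /// <summary>
 /// Builds the binding used for the vendor endpoint: mutual-certificate asymmetric
 /// message security (sign, then encrypt) over HTTPS with a client certificate,
 /// using the project's CustomTextMessageBindingElement as the message encoder.
 /// </summary>
 /// <returns>A CustomBinding whose elements are, in order: security, encoding, HTTPS transport.</returns>
 private CustomBinding PeerCustomBinding()
 {
     AsymmetricSecurityBindingElement secBE = AsymmetricSecurityBindingElement.CreateMutualCertificateDuplexBindingElement();
     secBE.AllowSerializedSigningTokenOnReply = false;
     // Assigned once. The original code set this to true and then to false a few lines
     // later, so the effective value was always false; keep that behaviour explicitly.
     secBE.RequireSignatureConfirmation = false;
     // Legacy suite (RSA PKCS#1 v1.5 key transport, 3DES-CBC, SHA-1). It is what the
     // vendor's sample message uses (rsa-1_5 / tripledes-cbc / rsa-sha1), not a free choice.
     secBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;
     secBE.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;

     // One parameter set is shared by the initiator (signing) and recipient (encryption) roles.
     X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
     x509ProtectionParameters.RequireDerivedKeys = false;
     x509ProtectionParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.SubjectKeyIdentifier;
     x509ProtectionParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
     x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
     secBE.InitiatorTokenParameters = x509ProtectionParameters;
     secBE.RecipientTokenParameters = x509ProtectionParameters;
     secBE.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
     // No wsu:Timestamp in the Security header (the vendor sample has none either).
     secBE.IncludeTimestamp = false;

     // Encoding.UTF8.ToString() yields the type name ("System.Text.UTF8Encoding"), not an
     // encoding name. WebName yields "utf-8", which Encoding.GetEncoding resolves; assumes the
     // project's encoder treats this argument as an encoding name. TODO confirm against the encoder.
     CustomTextMessageBindingElement enc = new CustomTextMessageBindingElement(Encoding.UTF8.WebName, "text/xml", MessageVersion.Soap11);

     HttpsTransportBindingElement b = new HttpsTransportBindingElement();
     b.RequireClientCertificate = true;

     CustomBinding be = new CustomBinding();
     be.Elements.Add(secBE);
     be.Elements.Add(enc);
     be.Elements.Add(b);
     return be;
 }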

编辑 06-29：此自定义绑定不会生成 nonce，所以我在 CustomTextMessageEncoder 中添加了一个带有 nonce 的 UsernameToken：
 /// <summary>
 /// Serializes <paramref name="message"/> with the encoder's writer settings, reloads the result
 /// as an XmlDocument and inserts a UsernameToken (Username, Password, Nonce, Created) directly
 /// after the second BinarySecurityToken of the Security header.
 /// NOTE(review): the posted excerpt ends without returning an ArraySegment&lt;byte&gt;; presumably
 /// the code that writes <c>dc</c> back into a buffer from <paramref name="bufferManager"/> was omitted.
 /// </summary>
 /// <param name="message">The already signed/encrypted message produced by the security channel.</param>
 /// <param name="maxMessageSize">Not used in the visible part of the method.</param>
 /// <param name="bufferManager">Not used in the visible part of the method.</param>
 /// <param name="messageOffset">Not used in the visible part of the method.</param>
 public override ArraySegment<byte> WriteMessage(Message message, int maxMessageSize, BufferManager bufferManager, int messageOffset)
        {
            MemoryStream stream = new MemoryStream();
            XmlWriter writer = XmlWriter.Create(stream, this.writerSettings);
            message.WriteMessage(writer);
            writer.Close();

        // NOTE(review): DateTime.Now is local time, but the literal "Z" suffix labels the value as UTC,
        // and "hh" is the 12-hour clock. DateTime.UtcNow with "HH" would produce a correct xs:dateTime.
        DateTime created = DateTime.Now;
        string createdStr = created.ToString("yyyy-MM-ddThh:mm:ss.fffZ");
            string phrase = Guid.NewGuid().ToString();
        // Nonce = SHA-1 of a fresh GUID (GetSHA1String is defined elsewhere in the file). A WS-Security
        // nonce is conventionally random bytes; a GUID is unique per call but not designed to be unpredictable.
        var nonce = GetSHA1String(phrase);
            // Dead code: b is built but never used (the nonce element is created below via the DOM).
            StringBuilder b = new StringBuilder();
            b.Append("<Nonce>" + nonce + "</Nonce>");
            stream.Position = 0;
            // Round-trips the signed message through XElement.ToString() and an XmlDocument with
            // PreserveWhitespace = false. NOTE(review): any change to the serialized form of the signed
            // Body (indentation, whitespace text) alters its exclusive-c14n digest after WCF has signed it,
            // which is a plausible source of the vendor's "Hash values do not match"; confirm by diffing
            // the Body bytes before and after this round trip.
            XElement xmlMessage = XElement.Load(stream);
            XmlDocument dc = new XmlDocument();
            dc.PreserveWhitespace = false;
            dc.LoadXml(xmlMessage.ToString());

                XmlNamespaceManager nsmgr =
                            new XmlNamespaceManager(dc.NameTable);
                nsmgr.AddNamespace("a",
                         @"http://www.w3.org/2005/08/addressing");
                nsmgr.AddNamespace("u",
                            @"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
                nsmgr.AddNamespace("s",
                   @"http://schemas.xmlsoap.org/soap/envelope/");
                nsmgr.AddNamespace("o",
                         @"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                nsmgr.AddNamespace("e",
             @"http://www.w3.org/2001/04/xmlenc#");
                nsmgr.AddNamespace("sig", "http://www.w3.org/2000/09/xmldsig#");
                // xpathTime and xpathUserToken are unused; only xpathBSToken is evaluated.
                string xpathTime = "/s:Envelope/s:Header/o:Security/u:Timestamp";
                string xpathBSToken = "/s:Envelope/s:Header/o:Security/o:BinarySecurityToken[2]";
                string xpathUserToken = "/s:Envelope/s:Header/o:Security/o:BinarySecurityToken[1]";
                // Null when the header holds fewer than two BinarySecurityTokens; the ParentNode
                // access at the end of the method would then throw NullReferenceException.
                XmlNode xmlnodeBS = dc.DocumentElement.SelectSingleNode(xpathBSToken, nsmgr);
                // UsernameToken in the wsse namespace. No wsu:Id is set (the vendor sample carries one);
                // the commented-out line below was an earlier attempt at that.
                XmlNode usernameTokenNode = dc.CreateNode(XmlNodeType.Element, "o:UsernameToken", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                XmlElement userElement = usernameTokenNode as XmlElement;
                userElement.SetAttribute("xmlns:wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
                //userElement.SetAttribute("xmlns:wsu:Id", DateTime.Now.Ticks.ToString());
                // "username" / "password" are placeholders here; the captured message shows real values,
                // so presumably they are substituted elsewhere.
                XmlNode userNameNode = dc.CreateNode(XmlNodeType.Element, "o:Username", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                userNameNode.InnerXml = "username";
                XmlNode pwdNode = dc.CreateNode(XmlNodeType.Element, "o:Password", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                XmlElement pwdElement = pwdNode as XmlElement;
                // PasswordText: the password travels in clear inside the message and is protected only by HTTPS.
                pwdElement.SetAttribute("Type", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText");
                pwdNode.InnerXml = "password";
                XmlNode NonceNode = dc.CreateNode(XmlNodeType.Element, "o:Nonce", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                XmlElement NonceElement = NonceNode as XmlElement;
                NonceNode.InnerXml = nonce;
                // NOTE(review): Created is placed in the wsse ("o:") namespace. The vendor sample uses
                // wsu:Created, which is what the Username Token Profile specifies.
                XmlNode createNode = dc.CreateNode(XmlNodeType.Element, "o:Created", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                XmlElement createdElement = createNode as XmlElement;
                createNode.InnerXml = createdStr;
                usernameTokenNode.AppendChild(userNameNode);
                usernameTokenNode.AppendChild(pwdNode);
                usernameTokenNode.AppendChild(NonceNode);
                usernameTokenNode.AppendChild(createNode);
                // Insert the token right after the second BinarySecurityToken, matching the vendor sample's order.
                XmlNode commonParent = xmlnodeBS.ParentNode;
                commonParent.InsertAfter(usernameTokenNode, xmlnodeBS);
}

谢谢 太阳

1 个答案:

答案 0 :(得分:0)

尝试使用:

secBE.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign

否则这两条消息看起来确实一样。