具有WS-Security，签名标头，身份验证令牌和正文加密的Web服务的WCF客户端

Question

我被分配为Web服务创建客户端。我以前没有Web服务的经验，我一直在尝试没有成功。 网络服务托管在https://ws.conf.ebs.health.gov.on.ca:1441/EDTService/EDTService 我能够使用Visual Studio 2012创建代理类，并创建一个被服务拒绝的基本客户端，因为它不包含服务所需的任何安全规范。 以下是文档摘录，可从http://www.health.gov.on.ca/en/pro/publications/ohip/default.aspx

获取

WS-Security部分包括： WSS 1.1的技术规范 •身份要求; •签署要求; •加密要求;和 •时间戳

IDP 为确保消息中敏感信息的机密性和完整性，发送方软件必须使用公钥技术对SOAP标头和正文进行签名。 签名证书可以是任何可用的证书，可以自签名。 如果指定任何响应数据被加密，则通过特定的Web服务技术规范，数据将至少使用AES128-CBC对称加密算法加密，该算法具有属于初始SOAP请求的签名者的公钥。可以基于特定的Web服务技术规范来增加加密算法。

我的目标是创建一个可以访问此服务的wcf客户端。到目前为止，这是我所做的，它不起作用： 此示例尝试将文件上载到服务器：

        EndpointAddress address = new EndpointAddress("https://ws.conf.ebs.health.gov.on.ca:1441/EDTService/EDTService");
        //MCEDT userID and password
        string userId = "abcdefg";
        string password = "password";
        //MOH Id
        string mohId = "123456";
        //Vendor Conformance Key
        string key = "1234abcd-eeee-aaaa-ffff-abcdef123456";

public void upload()
        {
            Console.WriteLine("Uploading....");
            //Specify the binding to be used for the client.
            WSHttpBinding binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);          

            binding.SendTimeout = new TimeSpan(0, 10, 0);
            UsernameToken ut = new UsernameToken(userId, password, PasswordOption.SendHashed);

            EDTDelegateClient client = new EDTDelegateClient(binding,address);            

            //Capture before send and after receive events
            client.Endpoint.Behaviors.Add(new InspectorBehavior());            

            ebs_header EBS = new ebs_header();
            EBS.AuditId = "123456789";
            EBS.SoftwareConformanceKey = confomanceKey;

            //The MCEDT service will only support the IDP security model in its first release.
            idp_header IDP = new idp_header();
            IDP.ServiceUserMUID = mohId;

            msa_header MSA = new msa_header();
            MSA.UserID = userId;

            //data to upload
            //sample claim provided by OHIP
            uploadData data = new uploadData();
            data.description = claim_file;
            data.content = File.ReadAllBytes(@"..\..\" + claim_file);

            uploadRequest ur = new uploadRequest();
            ur.upload = new uploadData[1];
            ur.upload[0] = data;

            try
            {
                resourceResult result = client.upload(EBS, MSA, IDP, ur.upload);

            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
         }
    }

我相信我到目前为止所做的工作符合技术要求： “电子系统使用适当的值构造SOAP消息，并使用用户名和密码（对于WS-Security用户名令牌中的IDP）将EBS和IDP头插入SOAP消息头中。然后以数字方式将SOAP头和主体插入签名以保证消息的完整性和来源。如果指定任何请求数据被加密，则通过特定的Web服务技术规范，它将使用EBS系统的公钥。 但我不知道如何签署标题和正文以及如何加密数据。 证书提供了所有技术规范，我们有适当的用户和密码信息。只有我缺乏知识才能完成这个项目 在此先感谢社区的帮助。

编辑＃1：来自文档的示例消息：

<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:msa="http://msa.ebs.health.ontario.ca/"
xmlns:idp="http://idp.ebs.health.ontario.ca/"
xmlns:edt="http://edt.health.ontario.ca/"
xmlns:ebs="http://ebs.health.ontario.ca/">
  <soapenv:Header>
    <ebs:EBS wsu:Id="id-4"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <SoftwareConformanceKey>444361ee-277f-7732-c684-7a9923jfgh1b</SoftwareConformanceKey>
      <AuditId>124355467675</AuditId>
    </ebs:EBS>
    <idp:IDP wsu:Id="id-3"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <ServiceUserMUID>1111222</ServiceUserMUID>
    </idp:IDP>
    <wsse:Security soapenv:mustUnderstand="1"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:BinarySecurityToken
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"     
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
      wsu:Id="X509-04FD51796CB607011413612828891871">MIIF0zCCBLugAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBzzELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAm9uMREwDwYDVQQHEwhraW5nc3RvbjEpMCcGA1UEChMgSGVhbHRoIFNvbHV0aW9ucyBEZWxpdmVyeSBCcmFuY2gxJTAjBgNVBAsTHEVsZWN0cm9uaWMgQnVzaW5lc3MgU2VydmljZXMxJzAlBgNVBAMTHkVCUyBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eTElMCMGCSqGSIb3DQEJARYWc2Vhbi5jYXJzb25Ab250YXJpby5jYTAeFw0xMjA0MjkxNjAyMjNaFw0xNDA0MzAxNjAyMjNaMIGUMQswCQYDVQQGEwJDQTELMAkGA1UECBMCb24xETAPBgNVBAcTCGtpbmdzdG9uMSkwJwYDVQQKEyBIZWFsdGggU29sdXRpb25zIERlbGl2ZXJ5IEJyYW5jaDElMCMGA1UECxMcRWxlY3Ryb25pYyBCdXNpbmVzcyBTZXJ2aWNlczETMBEGA1UEAxQKRUJTX0NsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEEvvZ96t117651bJXIa8AaE69N1klliJvhrXFxtV2JcKoJHZG19Em6nFtxznvrfjHjQCOJXgREq0YLJmIHgIaIggug9g4oZhZoSXm11b0k+l9sI0uV1UQxSPvKZbptLw3JuY3E8iHoBTBY4TZDg0yfuuk5kpwT0JCqn8Pcoi2Oq2rQtEdnQ0TG5/lofJAMDRzBpK1ETnNOjzCeAkR3wHPec++q2nTuY9QFYntpOyk5JksRVuuIsR5OCW6rjFXTF7CJ84qxWloXmWl4M3yKDTi3ouD36Gplgo8fi2HLpNqVBDLCm7Acv8klkc0EyiFOpBzhEYWAVIIwC9ovybXRjg0CAwEAAaOCAfEwggHtMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgSwMEsGCWCGSAGG+EIBDQQ+FjxTU0wgQ2xpZW50IGNlcnRpZmljYXRlIHZhbGlkIG9ubHkgZm9yIE1PSExUQy9IU0MgRUJTIFRlc3RpbmcwHQYDVR0OBBYEFKV6tGi2SztsTcIPYFkZcKr4yLJMMIIBBAYDVR0jBIH8MIH5gBT/qI53Ggvfsdz34whLQ2gDg+PhW6GB1aSB0jCBzzELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAm9uMREwDwYDVQQHEwhraW5nc3RvbjEpMCcGA1UEChMgSGVhbHRoIFNvbHV0aW9ucyBEZWxpdmVyeSBCcmFuY2gxJTAjBgNVBAsTHEVsZWN0cm9uaWMgQnVzaW5lc3MgU2VydmljZXMxJzAlBgNVBAMTHkVCUyBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eTElMCMGCSqGSIb3DQEJARYWc2Vhbi5jYXJzb25Ab250YXJpby5jYYIJAOnNHCT34+b/MCEGA1UdEgQaMBiBFnNlYW4uY2Fyc29uQG9udGFyaW8uY2EwJgYDVR0RBB8wHYEbZGVyZXlrLmZlcm5hbmRlc0BvbnRhcmlvLmNhMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQUFAAOCAQEAJqCht181F8rUUNQ8jHa42kdKH+FDF0ISuklbg5MARHo+wt1laltaMeaXdESnLJBNGvcgxPZ4StYMdCH8mOEWYftCy5nkyGQCuOd2GpaJ3Hj50bjZ9vZUYyUBPUmwIEP2v75QQe62fHTqza/VjA0I5eMGMKa3URHsTdfNdnEJjtmHdxWRjAjjrHpHQWE0e1QtG+ZV1ved0f5OzDvdylbvrm4S0mgCifk8qEvZtNSoDp37MmSFr5fFmo91BqT23xAgzUKra428dw4T1EKJYEd6pNssNS4XCQ6bTx0Au3mW5iINtiaYQP8rlSykwaJ+dFAtBG00kdGpebf1prvq4H91eA==</wsse:BinarySecurityToken>
      <ds:Signature Id="SIG-6" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="ebs edt idp msa soapenv"
            xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#UsernameToken-2">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ebs edt idp msa soapenv"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>peTHpiEd5ujPqxNuKGN0k4p7up8c0dFPuRXbpQ+eMwI=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="wsse ebs edt idp msa soapenv"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>DqLqNQVHwzHRx7amwoYxEMwxN2g0/rND2I13WPP1Vhw=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ebs edt msa soapenv"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>K4IrndAA4zBmkumIfgKcluiKA8dmzwgGdKo5aq45LHg=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-4">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="edt idp msa soapenv"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>o92xRJQNwGz0Hv7DX87vSYUScX0qHL/bFGE3GmtUzQg=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-5">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ebs edt idp msa"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>svNyvvP+MrjIYlZFsg+bgw//8IPNVvIO9px3vYUfW3I=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          qDSZlgY/aTFOzzo1C4tx+1E8ertrbmBySRxEK6sJ1JCt/77TLV5PBGnAme9Ttdmzf6h7/qb4rBGL 76LM0PaCQ9xm3DTsSQOz/So82G+/kX8M9TPY9D44+dvlB+cXm9rPn2BLMSVwtJf0kwI22SmRzMTR 6a6jfNYkGga6ZwZC9NLfG5/KTvsyZ39vOdO3T5GYc15RSjHKVBggoWmKm7x5PHrhU+3gClEbtHP8+Fgmmd9PJOtl9WunzR7NpY79xRNGxmDmL8hLvE4+uIc//b6TvrbGB2t8IWb5e5Wdz+ssHgMm0802 wFwGXlVxvSHpEJroHz5OvRgh7PKGlUSZP9fWkg==
        </ds:SignatureValue>
        <ds:KeyInfo Id="KI-04FD51796CB607011413612828892812">
          <wsse:SecurityTokenReference wsu:Id="STR-04FD51796CB607011413612828892813">
            <wsse:Reference
            URI="#X509-04FD51796CB607011413612828891871"
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsse:UsernameToken wsu:Id="UsernameToken-2">
        <wsse:Username>johndoe@examplemail.com</wsse:Username>
        <wsse:Password
        Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">****</wsse:Password>
      </wsse:UsernameToken>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2013-02-19T14:08:08Z</wsu:Created>
        <wsu:Expires>2013-02-19T14:08:38Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-5"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <edt:upload>
      <upload>
        <content>
          <inc:Include href="cid:2341682853256" xmlns:inc="http://www.w3.org/2004/08/xop/include" />
        </content>
        <description>00123</description>
        <resourceType>CL</resourceType>
      </upload>
    </edt:upload>
  </soapenv:Body>
</soapenv:Envelope>

Answer 1

编辑：See here使用此EBS-EDT服务的详细解决方案

由于您同时拥有用户名auth和x.509签名，因此需要从代码创建绑定：

var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
            sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
            sec.MessageSecurityVersion =
                MessageSecurityVersion.
                    WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            sec.IncludeTimestamp = false;
            sec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;

            b.Elements.Add(sec);
            b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
            b.Elements.Add(new HttpsTransportBindingElement());

然后你需要签名。假设您使用消息契约（而不是数据协定），其中标头使用MessageHeader属性显式标记，然后向其添加属性“ProtectionMode = ProtectionMode.Sign”。