Question

我正在尝试使用.NET 3.5 WCF客户端来使用外部Web服务（据我所知它是一个axis2 / apache服务）。

该服务期望使用x509证书对传入邮件进行签名和加密。到目前为止，签名和加密似乎都有效，但WCF在SOAP标头中添加了第二个<signature>元素，这会混淆远程Web服务。

我无法摆脱这第二个签名元素。我在研究此事时发现，该签名用于签署第一个签名。

我的WCF配置当前使用具有以下安全设置的自定义绑定：

<security messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
     authenticationMode="MutualCertificate"
     securityHeaderLayout="Lax"
     defaultAlgorithmSuite="Basic128"
     includeTimestamp="false"
     keyEntropyMode="CombinedEntropy"
     requireDerivedKeys="false"
     messageProtectionOrder="SignBeforeEncrypt"
     requireSignatureConfirmation="true">

任何人都有一个想法，我必须改变它才能使这项工作？

我的客户端生成的示例SOAP请求如下所示：

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <e:EncryptedKey Id="uuid-0a13788c-6cb3-4fe2-940b-1e220d15230e-3" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
                </e:EncryptionMethod>
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <o:SecurityTokenReference>
                        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- ... --></o:KeyIdentifier>
                    </o:SecurityTokenReference>
                </KeyInfo>
                <e:CipherData>
                    <e:CipherValue><!-- ... --></e:CipherValue>
                </e:CipherData>
                <e:ReferenceList>
                    <e:DataReference URI="#_2"/>
                </e:ReferenceList>
            </e:EncryptedKey>
            <o:BinarySecurityToken>
                <!-- Removed-->
            </o:BinarySecurityToken>
            <Signature Id="_0" xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
                    <Reference URI="#_1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <DigestValue><!-- ... --></DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue><!-- ... --></SignatureValue>
                <KeyInfo>
                    <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                        <o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-0a13788c-6cb3-4fe2-940b-1e220d15230e-3"/>
                    </o:SecurityTokenReference>
                </KeyInfo>
            </Signature>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <Reference URI="#_0">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <DigestValue><!-- ... --></DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue><!-- ... --></SignatureValue>
                <KeyInfo>
                    <o:SecurityTokenReference>
                        <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-9618ae47-8bcd-4a96-b56e-800759a0ee57-7"/>
                    </o:SecurityTokenReference>
                </KeyInfo>
            </Signature>
        </o:Security>
    </s:Header>
    <s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <e:CipherData>
                <e:CipherValue><!-- ... --></e:CipherValue>
            </e:CipherData>
        </e:EncryptedData>
    </s:Body>
</s:Envelope>

Answer 1

原来我使用了错误的messageSecurityVersion值。值为WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10时，只有一个签名被添加到SOAP标头中。

之后服务器能够理解请求。对defaultAlgorithmSuite以及现在服务和客户的一些调整正在相互讨论和理解。

WCF SOAP请求中的两个签名

1 个答案: