WCF:传入的消息使用与用于加密正文的令牌不同的令牌进行签名。这不是预期的

时间:2018-04-02 15:31:12

标签: wcf wcf-security

我收到以下错误:

传入的邮件使用的令牌签名,该令牌与用于加密正文的令牌不同。这不是预期的。

我知道在我尝试他们所要求的一切之前已经问过这个问题。不确定我还需要做什么。

我认为它必须对我的app.config文件做一些事情:

<system.serviceModel>

        <diagnostics>
          <messageLogging
               logEntireMessage="true"
               logMalformedMessages="false"
               logMessagesAtServiceLevel="true"
               logMessagesAtTransportLevel="false"
               maxMessagesToLog="3000"
               maxSizeOfMessageToLog="2000"/>
        </diagnostics>
        <client>
          <endpoint address="https://xxxxxx/ESARWS/CORETransactionService"
            behaviorConfiguration="endpointCredentialBehavior" binding="customBinding"
            bindingConfiguration="esar" contract="ESAR.CORETransaction"
            name="CoreSoapPort">
            <identity>
              <dns value="xxxxx" />
            </identity>
          </endpoint>
        </client>
       <behaviors>
         <endpointBehaviors>  
            <behavior name="endpointCredentialBehavior">

              <clientCredentials>  
                <clientCertificate findValue="xxxxx"
                                   storeLocation="CurrentUser"
                                   storeName="My"
                                   x509FindType="FindBySubjectName"/>

               <serviceCertificate>
                 <authentication certificateValidationMode="ChainTrust"/>
                  <defaultCertificate findValue="xxxxxxxxx"
                                   storeLocation="CurrentUser"
                                   storeName="AddressBook"
                                   x509FindType="FindBySubjectName" />   
               </serviceCertificate>
              </clientCredentials>  
            </behavior>  
         </endpointBehaviors>  
      </behaviors>
        <bindings>


          <customBinding>
            <binding name="esar" closeTimeout="00:01:00" openTimeout="00:01:00"
        receiveTimeout="00:10:00" sendTimeout="00:10:00">

              <security 
                  defaultAlgorithmSuite="Basic128" 
                  authenticationMode="MutualCertificate" 

                   requireSecurityContextCancellation="false" 
                  allowSerializedSigningTokenOnReply="true" 
                  enableUnsecuredResponse="true" 
                  allowInsecureTransport="false"
                  requireDerivedKeys="false" 
                  includeTimestamp="false" 
                  securityHeaderLayout="Strict"
                   messageProtectionOrder="SignBeforeEncrypt"
                  messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
                <secureConversationBootstrap />
                <localClientSettings detectReplays="false"/>
              </security>

              <!--<mtomMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" 
                messageVersion="Soap12" writeEncoding="utf-8" maxBufferSize="2147483647">
               <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                  maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              </mtomMessageEncoding>-->

              <!--<mixedMessageEncoding  messageVersion="Soap12"/>-->

              <swaMessageEncoding innerMessageEncoding="textMessageEncoding" />
              <httpsTransport />
            </binding>
          </customBinding>
        </bindings>

       <extensions>
         <bindingElementExtensions>
            <!--<add name="mixedMessageEncoding" type="CustomEncoderProject.MyNewEncodingBindingExtensionElement, CustomEncoderProject"/>-->
         <add name="swaMessageEncoding"
                 type="Microsoft.Austria.WcfHelpers.SoapWithAttachments.SwaMessageEncodingElement, Microsoft.Austria.WcfHelpers.SoapWithAttachments" />
          </bindingElementExtensions>
       </extensions>

    </system.serviceModel> 

2 个答案:

答案 0 :(得分:0)

如果服务器端是用java开发的,那么C#的实现就有区别。

我更喜欢使用SAOP UI尝试服务并检查成功请求/响应。然后使用工具(例如fiddler)记录C#流量并检查差异。通常C#以不同的格式发送证书,然后是java。

答案 1 :(得分:0)

您可以尝试使用自定义令牌身份验证器。如果您检查响应,则也许您将是BinarySecurityToken(#Base64Binary格式)的证书。这不是ssl证书。这是签名证书。然后,您可以将其用作凭据上的服务证书。

因此,请按照以下步骤操作:https://docs.microsoft.com/en-us/dotnet/framework/wcf/extending/how-to-create-a-custom-security-token-authenticator 然后自定义此代码:

Public Overrides Function CreateSecurityTokenProvider(ByVal p_oRequirement As SecurityTokenRequirement) As SecurityTokenProvider

Dim oRes As SecurityTokenProvider = Nothing
If p_oRequirement.TokenType = SecurityTokenTypes.X509Certificate Then
    Dim direction = p_oRequirement.GetProperty(Of MessageDirection)(ServiceModelSecurityTokenRequirement.MessageDirectionProperty)
    If direction = MessageDirection.Output Then
        If p_oRequirement.KeyUsage = SecurityKeyUsage.Signature Then
            oRes = New X509SecurityTokenProvider(Me._oCredenciales.ClientCertificate.Certificate)
        Else
            oRes = New X509SecurityTokenProvider(Me._oCredenciales.ServiceCertificate.DefaultCertificate())
        End If
    End If
Else
    oRes = MyBase.CreateSecurityTokenProvider(p_oRequirement)
End If

Return oRes 

End Function

我认为这会对您有所帮助。