WCF使用UserNameOverTransport安全性签署证书

时间:2012-04-02 19:35:15

标签: c# wcf wcf-security sign

我尝试连接到具有一些特殊安全要求的Java服务 它应该通过https,使用用户名身份验证,并且应该使用数字证书对正文进行签名。

消息应如下所示:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.pines.colpatria.com/">
  <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-12" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>username</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">CleartextPassword</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">47uxAPDBQ9+08VQwMKpwBw==</wsse:Nonce>
        <wsu:Created>2012-04-02T16:44:56.652Z</wsu:Created>
      </wsse:UsernameToken>
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-5B113CBB86C1CDE6BA133338509660810" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIGRzCCBS+gAwIBAgIQEKUzpntcNVROheEPzOI11zANBgkqhkiG9w0BAQUFADCCAU8xcjBwBgNVBAkTaUNSIDcgTiAyNi0yMCBQIDE4IC0gaHR0cDovL3d3dy5jZXJ0aWNhbWFyYS5jb20gLSBURUxTIDU3LTEtNzQ0MjcyNyA1Ny0wMTgwMDAxODE1MzEgLSBpbmZvQGNlcnRpY2FtYXJhLmNvbTEPMA0GA1UEBxMGQk9HT1RBMRkwFwYDVQQIExBESVNUUklUTyBDQVBJVEFMMQswCQYDVQQGEwJDTzErMCkGA1UECxMiQ0VSVElDQU1BUkEgUy5BLiAtIE5JVCA4MzAwODQ0MzMgNzFFMEMGA1UEChM8Q0VSVElDQU1BUkEgUy5BLiAtIFNPQ0lFREFEIENBTUVSQUwgREUgQ0VSVElGSUNBQ0lPTiBESUdJVEFMMSwwKgYDVQQDEyNBQyBJTlRFUk1FRElBIERFTU8gQ0VSVElDQU1BUkEgUy5BLjAeFw0xMTA5MzAxNTMyMzFaFw0xMjA5MzAxNTMyMzFaMIHDMQswCQYDVQQGEwJDTzEPMA0GA1UEBxMGQk9HT1RBMSAwHgYDVQQKExdPTElNUElBIE1BTkFHRU1FTlQgUy5BLjEgMB4GA1UEAxMXT0xJTVBJQSBNQU5BR0VNRU5UIFMuQS4xLDAqBgkqhkiG9w0BCQEWHXNvcG9ydGVAb2xpbXBpYW1hbmFnZW1lbnQuY29tMRowGAYKKwYBBAGBtWMCAxMKOTAwMDMyNzc0NDEVMBMGA1UECBMMQ1VORElOQU1BUkNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApOZhKSdfp1rVBXoahaTyXcOlUfRy6aYYuX4YNhkt0vYWxXFfsLTYSZOVTKZnUvklNEGBV70nzyqN8ZSXy3/jJ1yp965wRjcLHEFHwR42ABe1PK3fQMwsdqlpWkWWz0Pg02VwpHbLwcmDR41YTlnHCmPXzokVrT5YeteKViaWsrhUS4OvSajD7Y9aQ17uHoQusxjtBapA2wF551wMViICfYWqCamcYZRwGb1AlnuAF7vbRNveThy8mgvhHKiLaK13PxvaoOFusc8/429Dxdj1HMwt00g9MY1Nr24YtwHtJn+kVY8ocnghe4kVsAlnJ2Y0evHAPozRaFLFxY2E2dy6dwIDAQABo4IBpjCCAaIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA/gwJwYDVR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcDATARBglghkgBhvhCAQEEBAMCBaAwHQYDVR0OBBYEFGVAMg3XiBrJPcjeOgXcA+6cGHHZMB8GA1UdIwQYMBaAFEM61wg0nEqdr0ZKhe9fFWthjbtoMIGQBgNVHSAEgYgwgYUwgYIGCysGAQQBgbVjMgFQMHMwKwYIKwYBBQUHAgEWH2h0dHA6Ly93d3cuY2VydGljYW1hcmEuY29tL2RwYy8wRAYIKwYBBQUHAgIwOBo2Q2VydGlmaWNhZG8gZW1pdGlkbyBwb3IgbGEgQ0EgRGVtbyBkZSBDZXJ0aWNhbWFyYSBTLkEuMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3BkZW1vLmNlcnRpY2FtYXJhLmNvbTA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vd3d3LmNlcnRpY2FtYXJhLmNvbS9jYWRlbW8uY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCVcPRROZHgjjMzY1rM/gTK0cjN0CcO4KLht/nNPFUGIlVXDy21zhy2qOe2xF/IFnvU1vdVIaBzKdamILamfHrpYgsIZS5qqUJayI0E9Y+6cKHVTBgKOS1Yj0u7v2BP5wx+43d4wr2EuAsiQgClSQjrG3HP4rx7vnl8e6vn7uiEGzDJD1H0wQXHpYIWJGaLgn6B1xnFNZEbH4PxlpIsTU+/0Y+Y/GHab8tVDGv18AxtGXTkasuRuoYa/oA8mJI/BpfHYTpoS07euKYqhj1ujbTc6Y5dCGxiYEub4xhRMjJBxTEfsDYqJKsYYGyrWMXcncpNwQHWNDj6OOwKvspC3jg2</wsse:BinarySecurityToken>
      <ds:Signature Id="Signature-10" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-11">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>UQDWhRGwU6vhHsggA7k3IGEpShM=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          lDfT2Rol8AEjTq654f36HK7TwlEYJFMw/Q8PXRvoW12aLHdZkB9mndVTJvdsTdoW4C51qyjjsD0I
          xHaCtHgpbpnEe9vihLJuQs4tDkS1t/IjPeMdsgi2P3VxcKyeEJRc37TX+IX5jR42GrAXZGZ5GwSa
          rEpbpuWQSFhbJBQWRAInDbIpIkKV4jmiSbHHpeiI9Uvv8u6ZNXEx5vuoeia5AYtnCFtxkTcg0ukJ
          EZabIPiNIybYFnqBwFcPiIajfnAGl2QSm6Mdz9aiD4tVHXKGaySjY6/IoIomQ0lVMZzW/F3ZA8GA
          yvkZq4223hxCGcffvsAPePecFwun+QwcA9MR1Q==
        </ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-5B113CBB86C1CDE6BA133338509660911">
          <wsse:SecurityTokenReference wsu:Id="STRId-5B113CBB86C1CDE6BA133338509660912" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Reference URI="#CertId-5B113CBB86C1CDE6BA133338509660810" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <wsa:Action>http://myserveraddress/service/execCommandRequest</wsa:Action>
    <wsa:MessageID>uuid:948a7f98-42f2-422a-9b0f-07e74c6a7ce7</wsa:MessageID>
    <wsa:To>https://myserveraddress/service</wsa:To>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-11" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <web:execCommand>
      <arg0>1</arg0>
      <!--Optional:-->
      <arg1>1</arg1>
    </web:execCommand>
  </soapenv:Body>
</soapenv:Envelope>

我使用SoapUI成功测试了服务,但我需要使用WCF创建一个.NET客户端,但我不知道如何做到这一点。

我一直在尝试使用以下绑定,但它正确创建了用户名令牌(虽然它不会创建现时或创建的元素,但这不是问题)但它不会签署正文

<basicHttpBinding>
 <binding name="PinesPortBinding">
  <security mode="TransportWithMessageCredential">
   <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
   <message clientCredentialType="UserName" algorithmSuite="Default" />
  </security>
 </binding>
</basicHttpBinding>

我如何使用证书以编程方式对身体进行签名,并验证响应的签名?

还有其他办法吗?

1 个答案:

答案 0 :(得分:1)

你可以这样做,但你需要从代码创建绑定。 此示例并不完全符合您的需要 - 但它向您展示了如何从代码创建绑定并将其定义为使用证书和用户名令牌。您还需要在合同上设置ProtectionLevel.Sign。您需要的用户名令牌格式还包含默认情况下WCF不会发出的随机数和时间戳。我认为它可能会起作用所以现在离开这个。

以下是代码,您可能需要对其进行自定义。

 var b = new CustomBinding();

            var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
            sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
            sec.MessageSecurityVersion =
                MessageSecurityVersion.
                    WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            sec.IncludeTimestamp = false;
            sec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;

            b.Elements.Add(sec);
            b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
            b.Elements.Add(new HttpsTransportBindingElement());


            var c =
                new ServiceReference1.SimpleServiceSoapClient(b, new EndpointAddress(new Uri("https://www.bankhapoalim.co.il/"), new DnsEndpointIdentity("WSE2QuickStartServer"), new AddressHeaderCollection()));

            c.ClientCredentials.UserName.UserName = "yaron";
            //c.ClientCredentials.UserName.Password = "1234";

            c.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
                System.ServiceModel.Security.X509CertificateValidationMode.None;
            c.ClientCredentials.ServiceCertificate.DefaultCertificate = new X509Certificate2(@"C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Server Public.cer");

            c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(@"C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Client Private.pfx", "wse2qs");

            c.EchoString("1");