在WCF服务上实现X509安全性时,不对加密体进行加密

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了在WCF服务上实现X509安全性时,不对加密体进行加密相关的知识,希望对你有一定的参考价值。

我为我的雇主实施了一个WCF服务和一个客户端应用程序,目前由于soap body元素而面临严重问题。问题是soap body没有加密,只有标头被加密。无论如何,肥皂请求,webconfigs以及我创建证书的方式都会提到你的参考......

WCF服务器配置......................

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding" >
      <security>
        <message clientCredentialType="Certificate" establishSecurityContext ="true"  />
      </security>
    </binding>
  </wsHttpBinding>
  <customBinding>
    <binding name="CustomBinding">        
      <textMessageEncoding messageVersion="Soap11" />
      <security authenticationMode="MutualCertificate"  requireDerivedKeys="false"
      includeTimestamp="true" keyEntropyMode="ClientEntropy" messageProtectionOrder="EncryptBeforeSign"        messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
      requireSecurityContextCancellation="false">            
        <secureConversationBootstrap />

      </security>
      <httpTransport />

    </binding>
  </customBinding>
</bindings>
<services>
  <service name="mysvc.MySvc" behaviorConfiguration="mysvc.Service1Behavior">
    <endpoint address="" binding="customBinding" bindingConfiguration ="CustomBinding"  contract="mysvc.IMySvc"  />        
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
     <host>
        <baseAddresses>
             <add baseAddress ="http://localhost:8888/" />
        </baseAddresses>
     </host>
  </service>
</services>
<behaviors>
  <endpointBehaviors>
    <behavior name="inspectorBehavior">
       <consoleOutputBehavior />
    </behavior>
  </endpointBehaviors>

  <serviceBehaviors>
    <behavior name="mysvc.Service1Behavior">
      <serviceMetadata httpGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="false"/>

      <serviceCredentials>

        <serviceCertificate findValue="WCfServerCert"
        storeLocation="LocalMachine" 
        storeName="My"
        x509FindType="FindBySubjectName" />

        <clientCertificate>              
          <authentication certificateValidationMode="None" />                       
        </clientCertificate>

      </serviceCredentials>

    </behavior>
  </serviceBehaviors>
</behaviors>  

WCF客户端配置.....................

<system.serviceModel>
    <bindings>
        <customBinding>
            <binding name="CustomBinding_IMySvc">
                <security defaultAlgorithmSuite="Default" authenticationMode="MutualCertificate"
                    requireDerivedKeys="false" securityHeaderLayout="Strict" includeTimestamp="true"
                    keyEntropyMode="ClientEntropy" messageProtectionOrder="EncryptBeforeSign"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                    requireSignatureConfirmation="false">
                    <localClientSettings cacheCookies="true" detectReplays="true"
                        replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
                        replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
                        sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                        timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
                    <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                        maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                        negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
                        sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                        reconnectTransportOnFailure="true" maxPendingSessions="128"
                        maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
                    <secureConversationBootstrap />
                </security>
                <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                    messageVersion="Soap11" writeEncoding="utf-8">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                </textMessageEncoding>
                <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
                    maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
                    bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                    keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
                    realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
                    useDefaultWebProxy="true" />
            </binding>
        </customBinding>
    </bindings>
    <client>
      <endpoint address="http://localhost:8888/" binding="customBinding" behaviorConfiguration ="CustomBehavior"
          bindingConfiguration="CustomBinding_IMySvc" contract="WCFProxy.IMySvc"
          name="CustomBinding_IMySvc" >

        <identity >
          <dns value ="WCfServerCert"/>
        </identity>

      </endpoint>
    </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="CustomBehavior">
        <clientCredentials>
          <clientCertificate findValue="WCfClientCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
          <serviceCertificate>
            <defaultCertificate findValue="WCfServerCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
            <authentication certificateValidationMode="None"/>
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors >
</system.serviceModel>

CERTIFICATE创建命令...............................

makecert -n“CN = WCFServer”-r -sv WCFServer.pvk WCFServer.cer

makecert -n“CN = WCFClient”-r -sv WCFClient.pvk WCFClient.cer

makecert -sk WCFServerCert -in d: WCFServer.pvk -n“CN = WCFServerCert”-i d: WCFServer.cer -sr LocalMachine -ss My -sky exchange on on

makecert -en WCFClientCert -iv d: WCFClient.pvk -n“CN = WCFClientCert”-i d: WCFClient.cer -sr LocalMachine -ss My -sky exchange on on

答案

这发生在我身上。我用来生成我的Web服务的工具(Web服务软件工厂)总是设置服务和操作的保护级别,并将它们设置为ProtectionLevel.None。最终的结果是我的svcutil配置文件将包含自定义绑定而不是简单的wsHttpBinding。

为了解决未加密的SOAP主体问题,我在操作和服务本身上将所有ProtectionLevel属性更改为EncryptAndSign。现在svcutil输出具有所需的wsHttpBinding(自定义绑定已消失)。使用fiddler测试显示正文已加密。

我本可以删除保护级别属性 - 对于wsHttpBinding,它具有相同的效果。但是由于这个代码是使用工具生成的,所以每次生成代码时我都必须这样做。

我希望这可以帮助别人。这个让我难过了一会儿。

另一答案

你在谈论请求或回复机构吗?在任何情况下,至少看起来你的服务的绑定配置是将<security>元素中的mode属性设置为Message(即):

  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding" >
      <security mode="Message">
        <message clientCredentialType="Certificate" establishSecurityContext ="true"  />
      </security>
    </binding>
  </wsHttpBinding>

以上是关于在WCF服务上实现X509安全性时,不对加密体进行加密的主要内容,如果未能解决你的问题,请参考以下文章

WCF 添加X509证书加密

WCF、安全和证书

如何在 Azure 应用服务中将 X509Certificate2 与 WCF 一起使用

使用 X509 证书签署 BizTalk WCF 响应

使用 netTcpBinding 时,在 WCF 中实现加密的最简单方法是啥?

如何配置 WCF 以通过 Internet 使用 x509 证书?