WCF Soap 客户端无法解析签名中的 URI 以计算摘要

Posted

技术标签:

【中文标题】WCF Soap 客户端无法解析签名中的 URI 以计算摘要【英文标题】:WCF Soap client unable to resolve URI in signature to compute digest 【发布时间】:2018-04-19 06:18:38 【问题描述】:

我正在尝试从 WCF 客户端使用在 Oracle Web Logic 之上运行的 SOAP 1.1 Web 服务。该服务实现了标准的 Oasis WS-Security 1.2,具有正文签名和加密(加密前签名)和算法 Basic256Sha256,以及 LaxTimestampLast 配置布局。

我能够以预期的格式发送经过签名和加密的消息:

<s:Envelope 
    xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <o:Security s:mustUnderstand="1" 
            xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <e:EncryptedKey Id="_0" 
                xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
                        xmlns="http://www.w3.org/2000/09/xmldsig#"/>
                </e:EncryptionMethod>
                <KeyInfo 
                    xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <o:SecurityTokenReference>
                        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">h5cRJR6NnWrnf3PvAPJ4iB70Tow=</o:KeyIdentifier>
                    </o:SecurityTokenReference>
                </KeyInfo>
                <e:CipherData>
                    <e:CipherValue>fOgGM...Ixw==</e:CipherValue>
                </e:CipherData>
                <e:ReferenceList>
                    <e:DataReference URI="#_2"/>
                </e:ReferenceList>
            </e:EncryptedKey>
            <o:BinarySecurityToken u:Id="uuid-792fca62-dad8-442e-b720-d52f48768dd0-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIFf...O2A8=</o:BinarySecurityToken>
            <Signature 
                xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <Reference URI="#_1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <DigestValue>0OiBt3eXZek5bJ9d9CFsduwbtQVoFY3DvFqxfnQz7Dg=</DigestValue>
                    </Reference>
                    <Reference URI="#uuid-a1958c98-41b5-40d4-bdaa-2c0948d4f526-1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <DigestValue>PtcCDNfz7ocVM86qgSnDFnUUJnVz6E884Ll9QeV6Wfg=</DigestValue>
                    </Reference>
                    <Reference URI="#uuid-792fca62-dad8-442e-b720-d52f48768dd0-1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <DigestValue>SezODccgkQ2rfYtKfSxAC14igVpLxbfQtKChSddDf+c=</DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue>j6XPB.../ow==</SignatureValue>
                <KeyInfo>
                    <o:SecurityTokenReference>
                        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">D5Myi4vs+Af3Dg1ByUs1kCKm55E=</o:KeyIdentifier>
                    </o:SecurityTokenReference>
                </KeyInfo>
            </Signature>
            <u:Timestamp u:Id="uuid-a1958c98-41b5-40d4-bdaa-2c0948d4f526-1">
                <u:Created>2017-11-06T20:43:29.722Z</u:Created>
                <u:Expires>2017-11-06T20:48:29.722Z</u:Expires>
            </u:Timestamp>
        </o:Security>
    </s:Header>
    <s:Body u:Id="_1" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" 
            xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <e:CipherData>
                <e:CipherValue>L7f+O...Rw7jHL</e:CipherValue>
            </e:CipherData>
        </e:EncryptedData>
    </s:Body>
</s:Envelope>

但是,当得到响应时:

<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope 
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
    <env:Header>
        <wsse:Security 
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
            <ns1:EncryptedKey 
                xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="18iq0thuJbDO21Gk">
                <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                    <ns2:DigestMethod 
                        xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                </ns1:EncryptionMethod>
                <ns3:KeyInfo 
                    xmlns:ns3="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference 
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
                        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="str_nczorGBwzUSf1PJG">
                        <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">D5Myi4vs+Af3Dg1ByUs1kCKm55E=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ns3:KeyInfo>
                <ns1:CipherData>
                    <ns1:CipherValue>VLX9L...jTQ==</ns1:CipherValue>
                </ns1:CipherData>
                <ns1:ReferenceList>
                    <ns1:DataReference URI="#XgzvGdpjeeFiU0AH"/>
                </ns1:ReferenceList>
            </ns1:EncryptedKey>
            <wsse11:SignatureConfirmation 
                xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sigconf_gF2mG4MS0QT3gGyg" Value="j6XPB.../ow=="/>
            <dsig:Signature 
                xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                <dsig:SignedInfo>
                    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <dsig:Reference URI="#Timestamp_be1msZa7e60oVdtW">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <dsig:DigestValue>mWxC8kSZIGKE1KTyVWbr2YgOmE1UqVNV3lS4vdM4kdM=</dsig:DigestValue>
                    </dsig:Reference>
                    <dsig:Reference URI="#Body_fr2ndXxiUtwuP3Y2">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <dsig:DigestValue>ZztOfa8rAv2aaMUxxKaYAPgUbEfIZRe/1ZRgPacmAlc=</dsig:DigestValue>
                    </dsig:Reference>
                    <dsig:Reference URI="#sigconf_gF2mG4MS0QT3gGyg">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <dsig:DigestValue>AfX4C1zXqAIX1pEHPw7PHEhf/g/8JWACJqgX7p63RkI=</dsig:DigestValue>
                    </dsig:Reference>
                    <dsig:Reference URI="#str_RLjzz112Lwz91VZF">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                <wsse:TransformationParameters>
                                    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                </wsse:TransformationParameters>
                            </dsig:Transform>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <dsig:DigestValue>gRa3zakGn13XISoKpekB3zl0iDqb/LmNy7+aMDtzKIY=</dsig:DigestValue>
                    </dsig:Reference>
                </dsig:SignedInfo>
                <dsig:SignatureValue>xlVJb...EPZg==</dsig:SignatureValue>
                <dsig:KeyInfo>
                    <wsse:SecurityTokenReference 
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
                        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="str_RLjzz112Lwz91VZF">
                        <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">h5cRJR6NnWrnf3PvAPJ4iB70Tow=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </dsig:KeyInfo>
            </dsig:Signature>
            <wsu:Timestamp 
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp_be1msZa7e60oVdtW">
                <wsu:Created>2017-11-06T20:43:30Z</wsu:Created>
                <wsu:Expires>2017-11-06T20:44:30Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
    </env:Header>
    <S:Body 
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body_fr2ndXxiUtwuP3Y2">
        <ns1:EncryptedData 
            xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="XgzvGdpjeeFiU0AH" Type="http://www.w3.org/2001/04/xmlenc#Content" MimeType="text/xml">
            <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <ns1:CipherData>
                <ns1:CipherValue>GT08G...PqanY</ns1:CipherValue>
            </ns1:CipherData>
        </ns1:EncryptedData>
    </S:Body>
</S:Envelope>

客户端测试失败并出现以下错误:

Test Name:  TestMethod_CodedCustomBinding
Test FullName:  Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding
Test Source:    C:\Source\Integration.TestServiceClient.Tests\CodeClientTests.cs : line 207
Test Outcome:   Failed
Test Duration:  0:00:00.9372511

Result StackTrace:  
at System.IdentityModel.StandardSignedInfo.EnsureAllReferencesVerified()
   at System.IdentityModel.SignedXml.CompleteSignatureVerification()
   at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ExecuteMessageProtectionPass(Boolean hasAtLeastOneSupportingTokenExpectedToBeSigned)
   at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
   at System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message& message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Security.AsymmetricSecurityProtocol.VerifyIncomingMessageCore(Message& message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
 --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Integration.ServiceClient.TestServiceClient.ServiceWs.notify(notifyRequest request)
   at Integration.ServiceClient.TestServiceClient.ServiceWsClient.Integration.ServiceClient.TestServiceClient.ServiceWs.notify(notifyRequest request) in C:\Source\Integration.ServiceClient\Service References\TestServiceClient\Reference.cs:line 994
   at Integration.ServiceClient.TestServiceClient.ServiceWsClient.notify(Int64 idNotification) in C:\Source\Integration.ServiceClient\Service References\TestServiceClient\Reference.cs:line 1000
   at Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding() in C:\Source\Integration.TestServiceClient.Tests\CodeClientTests.cs:line 212
Result Message: 
Test method Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding threw exception: 
System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---> System.Security.Cryptography.CryptographicException: Unable to resolve the '#str_RLjzz112Lwz91VZF' URI in the signature to compute the digest.

但是,URI 存在于 Signature > KeyInfo 标记内的 SecurityTokenReference 标记中。关于为什么在签名验证期间未找到此引用以及如何解决此错误的任何想法?

【问题讨论】:

【参考方案1】:

请注意:

您不能使用 CertificateOverTransport 并对邮件正文进行签名。

如果您这样做,WCF 将不允许这样做。

在这种情况下,尝试使用MutualCertificateDuplex 并将保护级别更改为无:ProtectionLevel.None,如果您对签署响应不感兴趣。

如果失败,请尝试将自定义绑定添加到您的 WCF:

<customBinding>
        <binding name="NewBinding0">
            <textMessageEncoding messageVersion="Soap11" />
            <security authenticationMode="MutualCertificateDuplex" includeTimestamp="false"
                messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
                <secureConversationBootstrap />
            </security>
            <httpTransport />
        </binding>
</customBinding>

这将使您的证书被正确消化。

【讨论】:

以上是关于WCF Soap 客户端无法解析签名中的 URI 以计算摘要的主要内容,如果未能解决你的问题,请参考以下文章

WCF SOAP 1.1 和 WS-Security 1.0、客户端证书传输身份验证、消息正文签名的服务证书、用户名令牌、密码摘要、随机数

强制 Soap/WCF 使用 HTTP 而不是 TCP 协议

快速入门系列--WCF--03RESTFUL服务与示例

如何解析从文件加载的soap消息?

HTTP 标头或 SOAP 标头中的 WCF 肥皂操作?

WCF SOAP 服务忽略内容类型字符集